[Share] Unpacking chronicle: 梆梆加固 (Bangbang hardening)
Posted: 2023-7-31 00:49 | 9153 views


Analysis:{

init_proc{

        A quick pass over the <application> element of the manifest in JEB shows that the first thing this hardened app loads is libSecShell.so from its own lib directory (the screenshot from the original post is not reproduced here).

        Loading libSecShell.so in IDA, nothing of importance apart from init_proc can be analysed statically: init_array, JNI_OnLoad and the other key functions are only in a usable state after the code has unpacked itself at run time (init_proc is the DT_INIT entry and runs before .init_array and JNI_OnLoad), so the only option is to run the app under a debugger.

        In the function at offset 0xC4 from the start of jhj_copyData one can clearly see memory being mapped with mmap2 issued as a raw system call (SVC) rather than through the libc wrapper, which is exactly what a hook on libc's mmap would miss; over the whole init_proc run this function is called twice.

        Continuing with jhj_Decode: the function at offset 0x174C into it calls mprotect, again as a raw system call, three times in total (screenshot not reproduced).

Inside it are two functions that decode and fix up data: the one at offset 0xC10BC (named jhj_DecryptByteCode here) and the one at 0xC0918 (named jhj_DecryptByteCode2). The first is not a cipher at all but a UCL NRV2D decompressor, the scheme UPX also uses (see the annotated pseudocode: 8-bit sentinel bit buffer, offset 0xFFFFFFFF as the end marker, UCL's -201/-205 status codes); the second rewrites a table of entries relative to the so base. Once both have run, the plaintext is in memory: dump it at that point (a breakpoint on the return of the second function is the natural place) and fix it up from there. Pseudocode:

// offset 0xC10BC (0xFFCDF2B0 at run time in this session)
// Call site: jhj_DecryptByteCode(src, 0x64895, dst, &dst_len). In the body a1 is only ever read
// and a3 only ever written, so a1 is the compressed input, a2 its length, a3 the output buffer and
// a4 receives the output length; the call-site comment in the original post
// ("DecryptByteCode(dst, 0x64895, src, &local)") had src and dst the wrong way round.
// The routine is UCL's NRV2D decompressor (ucl_nrv2d_decompress_8): 8-bit bit buffer with a
// sentinel bit, interleaved prefix code for the match offset, raw offset 0xFFFFFFFF as end of
// stream, +1 length for offsets > 0x500, and UCL's status codes (-201 UCL_E_INPUT_OVERRUN,
// -205 UCL_E_INPUT_NOT_CONSUMED). There are no bounds checks on either buffer.
int __fastcall jhj_DecryptByteCode(int a1, unsigned int a2, int a3, _DWORD *a4)
{
  int v4; // r5   olen: bytes written to a3
  unsigned int v5; // r7   last_m_off (starts at 1)
  unsigned int v6; // r12  ilen: bytes consumed from a1
  int v7; // r4   bb: bit buffer
  bool v8; // zf
  char v9; // r6
  int i; // r6   m_off being decoded
  bool v11; // zf
  int v12; // r4
  bool v13; // zf
  unsigned int v14; // r8
  unsigned int v15; // r4
  int v16; // r6
  int v17; // r6   decoded m_off prefix value
  bool v18; // zf
  int v19; // r6
  int v20; // r6
  unsigned int v21; // r8   index of the raw offset byte
  bool v22; // zf
  int v23; // r6   top bit of m_len
  unsigned int v24; // r7   raw offset = (m_off - 3) << 8 | byte
  bool v25; // zf
  int v26; // r6
  int v27; // r6   m_len
  int v28; // r6
  bool v29; // zf
  int v30; // r4
  bool v31; // zf
  unsigned int v32; // r8
  int v33; // r6
  int v34; // r8   m_len after the > 0x500 bump
  _BYTE *v35; // r6   copy source: dst + olen - m_off
  int v36; // r9
  _BYTE *v37; // r10
  int v38; // r5
  char v39; // t1

  v4 = 0;
  v5 = 1;
  v6 = 0;
  v7 = 0;
  while ( 1 )
  {
    while ( 1 )                                   // literal run: while getbit() == 1
    {
      v8 = (v7 & 0x7F) == 0;                      // getbit(): only the sentinel left -> load a byte
      if ( (v7 & 0x7F) != 0 )
        v7 *= 2;
      else
        v7 = *(unsigned __int8 *)(a1 + v6);
      if ( v8 )
      {
        v7 = 2 * v7 + 1;                          // byte << 1 | sentinel
        ++v6;
      }
      if ( (v7 & 0x100) == 0 )                    // bit 0: a match (or the end marker) follows
        break;
      v9 = *(_BYTE *)(a1 + v6++);                 // bit 1: copy one literal byte
      *(_BYTE *)(a3 + v4++) = v9;
    }
    // m_off = 1; for (;;) { m_off = 2*m_off + getbit(); if (getbit()) break; m_off = (m_off-1)*2 + getbit(); }
    for ( i = 1; ; i = v20 + ((unsigned int)(v7 << 23) >> 31) )
    {
      v11 = (v7 & 0x7F) == 0;
      if ( (v7 & 0x7F) != 0 )
        v12 = 2 * v7;
      else
        v12 = *(unsigned __int8 *)(a1 + v6);
      if ( v11 )
      {
        v12 = 2 * v12 + 1;
        ++v6;
      }
      v13 = (v12 & 0x7F) == 0;
      v14 = v12 << 23;                            // bit 8 of v12: the first getbit()
      if ( (v12 & 0x7F) != 0 )
        v15 = 2 * v12;
      else
        v15 = *(unsigned __int8 *)(a1 + v6);
      if ( v13 )
        v15 = 2 * v15 + 1;
      v16 = 2 * i;
      if ( v13 )
        ++v6;
      v17 = v16 + (v14 >> 31);                    // m_off = 2*m_off + bit
      if ( (v15 & 0x100) != 0 )                   // second getbit() == 1: prefix complete
        break;
      v18 = (v15 & 0x7F) == 0;
      if ( (v15 & 0x7F) == 0 )
        v15 = *(unsigned __int8 *)(a1 + v6);
      v19 = v17 + 0x7FFFFFFF;                     // 2*(m_off + 0x7FFFFFFF) wraps to 2*m_off - 2
      v7 = 2 * v15;
      if ( v18 )
        ++v7;
      v20 = 2 * v19;                              // (m_off - 1)*2; the third bit is added in the for-step
      if ( v18 )
        ++v6;
    }
    v21 = v6;
    if ( v17 != 2 )                               // != 2: a new offset, handled below the loop
      break;
    v22 = (v15 & 0x7F) == 0;                      // == 2: reuse last_m_off, m_len = getbit()
    if ( (v15 & 0x7F) != 0 )
      v15 *= 2;
    else
      v15 = *(unsigned __int8 *)(a1 + v6);
    if ( v22 )
      v15 = 2 * v15 + 1;
    if ( v22 )
      ++v6;
    v23 = (v15 >> 8) & 1;
LABEL_41:
    v25 = (v15 & 0x7F) == 0;                      // m_len = 2*m_len + getbit()
    if ( (v15 & 0x7F) != 0 )
      v7 = 2 * v15;
    else
      v7 = *(unsigned __int8 *)(a1 + v6);
    if ( v25 )
      v7 = 2 * v7 + 1;
    v26 = 2 * v23;
    if ( v25 )
      ++v6;
    v27 = v26 + ((unsigned int)(v7 << 23) >> 31);
    if ( !v27 )                                   // m_len == 0: gamma-coded long length, + 2
    {
      v28 = 1;
      do
      {
        v29 = (v7 & 0x7F) == 0;
        if ( (v7 & 0x7F) != 0 )
          v30 = 2 * v7;
        else
          v30 = *(unsigned __int8 *)(a1 + v6);
        if ( v29 )
        {
          v30 = 2 * v30 + 1;
          ++v6;
        }
        v31 = (v30 & 0x7F) == 0;
        v32 = v30 << 23;
        if ( (v30 & 0x7F) != 0 )
          v7 = 2 * v30;
        else
          v7 = *(unsigned __int8 *)(a1 + v6);
        if ( v31 )
          v7 = 2 * v7 + 1;
        v33 = 2 * v28;
        if ( v31 )
          ++v6;
        v28 = v33 + (v32 >> 31);                  // m_len = 2*m_len + bit
      }
      while ( (v7 & 0x100) == 0 );                // until the stop bit
      v27 = v28 + 2;
    }
    if ( v5 > 0x500 )                             // far match: one extra byte
      v34 = v27 + 1;
    else
      v34 = v27;
    v35 = (_BYTE *)(a3 + v4 - v5);                // copy m_len + 1 bytes from olen - m_off (may overlap)
    *(_BYTE *)(a3 + v4) = *v35;
    v36 = v4 + 1;
    v37 = &v35[v34];
    v38 = a3 + v4;
    do
    {
      v39 = *++v35;
      *(_BYTE *)++v38 = v39;
    }
    while ( v35 != v37 );
    v4 = v36 + v34;
  }
  v24 = *(unsigned __int8 *)(a1 + v6++) + ((v17 + 16777213) << 8);   // (m_off - 3) << 8 | next byte
  if ( v24 != -1 )                                                    // 0xFFFFFFFF = end of stream
  {
    v23 = !(*(_BYTE *)(a1 + v21) & 1);            // top bit of m_len = ~raw & 1
    v5 = (v24 >> 1) + 1;                          // last_m_off = m_off = (raw >> 1) + 1
    goto LABEL_41;
  }
  *a4 = v4;                                       // output length
  if ( v6 == a2 )
    return 0;                                     // UCL_E_OK
  if ( v6 >= a2 )
    return -201;                                  // UCL_E_INPUT_OVERRUN
  return -205;                                    // UCL_E_INPUT_NOT_CONSUMED
}

 

// Called as jhj_DecryptByteCode2(soBase, 0xD4D4); 0xD4D4 is where the header table ends.
// Header layout at soBase + a2, as read below:
//   +0   magic 2146926590 = 0x7FF77FFE
//   +4   soBase-relative offset of a table of 8-byte entries
//   +8   number of entries (v2)
//   +12  lower bound v3 of the value range to rewrite
//   +16, +20  added together to form the new base v10
//   +24  number of 4-byte slots v6; the range rewritten is [v3, v3 + 4*v6)
// Every entry whose first dword lies in that range is replaced by v10 + 4*k, where k counts only
// the entries rewritten so far; everything else is untouched. Returns the table address.
int __fastcall jhj_DecryptByteCode2(int result, int a2)
{
  int v2; // r4   entry count
  unsigned int v3; // r12  range start
  int v4; // r6
  int v5; // r7
  int v6; // r5   slot count
  int v7; // r2   k: rewritten entries so far
  unsigned int v8; // r5   range end
  int v9; // r3   entry index
  int v10; // r6   new base = v5 + v4
  unsigned int v11; // r1

  v2 = *(_DWORD *)(result + a2 + 8);
  v3 = *(_DWORD *)(result + a2 + 12);
  v4 = *(_DWORD *)(result + a2 + 16);
  v5 = *(_DWORD *)(result + a2 + 20);
  v6 = *(_DWORD *)(result + a2 + 24);
  if ( *(_DWORD *)(result + a2) == 2146926590 )   // magic 0x7FF77FFE
  {
    result += *(_DWORD *)(result + a2 + 4);       // table = soBase + header[1]
    v7 = 0;
    v8 = v3 + 4 * v6;
    v9 = 0;
    v10 = v5 + v4;
    while ( v9 != v2 )
    {
      v11 = *(_DWORD *)(result + 8 * v9);
      if ( v11 >= v3 && v11 < v8 )                // value inside [v3, v3 + 4*v6): rebase it
        *(_DWORD *)(result + 8 * v9) = v10 + 4 * v7++;
      ++v9;
    }
  }
  return result;
}
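To make the decompiled jhj_DecryptByteCode usable outside the debugger, here is a Python port of it, paired with a small greedy encoder so the round trip can be checked offline. This is an added example written for this page, not the packer's or UCL's code: the decoder mirrors the decompiled body line for line (bit reader, offset prefix code, the m_off == 2 repeat case, the 0xFFFFFFFF end marker, the > 0x500 length bump and the -201/-205 status codes); the encoder, the window size and the sample inputs are my own additions. Feeding it the bytes the packer passes as a1 with a2 = 0x64895 should give the same output the native call writes to a3.

```python
"""NRV2D decoder matching the decompiled jhj_DecryptByteCode, plus a small greedy encoder."""
from typing import Tuple

UCL_E_OK = 0
UCL_E_INPUT_OVERRUN = -201       # decoder used more than src_len bytes
UCL_E_INPUT_NOT_CONSUMED = -205  # end marker reached before src_len bytes were used


class _BitReader:
    """getbit_8 from the decompiled loop: an 8-bit buffer with a sentinel bit."""
    def __init__(self, src: bytes) -> None:
        self.src, self.pos, self.bb = src, 0, 0

    def bit(self) -> int:
        if self.bb & 0x7F:                       # data bits left: shift the next one into bit 8
            self.bb = (self.bb << 1) & 0x1FF
        else:                                    # only the sentinel left: load a byte (byte*2+1)
            self.bb = self.src[self.pos] * 2 + 1
            self.pos += 1
        return (self.bb >> 8) & 1


def nrv2d_decompress(src: bytes, src_len: int) -> Tuple[int, bytes]:
    """Mirror of jhj_DecryptByteCode(src, src_len, dst, &dst_len); returns (status, dst).
    Like the native code it has no bounds checks: a malformed stream raises IndexError here
    where the native routine would read or write out of bounds."""
    br, dst, last_off = _BitReader(src), bytearray(), 1
    while True:
        while br.bit():                          # bit 1: copy one literal byte
            dst.append(src[br.pos]); br.pos += 1
        m_off = 1                                # interleaved prefix code for the offset
        while True:
            m_off = m_off * 2 + br.bit()
            if br.bit():
                break
            m_off = (m_off - 1) * 2 + br.bit()
        if m_off == 2:                           # repeat the previous offset
            m_off, m_len = last_off, br.bit()
        else:
            raw = (((m_off - 3) << 8) | src[br.pos]) & 0xFFFFFFFF
            br.pos += 1
            if raw == 0xFFFFFFFF:                # end-of-stream marker
                break
            m_len = (~raw) & 1                   # low bit of raw carries the top length bit
            m_off = last_off = (raw >> 1) + 1
        m_len = m_len * 2 + br.bit()
        if m_len == 0:                           # long match: gamma-coded length + 2
            m_len = 1
            while True:
                m_len = m_len * 2 + br.bit()
                if br.bit():
                    break
            m_len += 2
        if m_off > 0x500:                        # far matches carry one extra byte
            m_len += 1
        for _ in range(m_len + 1):               # byte-wise copy so overlapping runs work
            dst.append(dst[-m_off])
    if br.pos == src_len:
        return UCL_E_OK, bytes(dst)
    return (UCL_E_INPUT_OVERRUN if br.pos > src_len else UCL_E_INPUT_NOT_CONSUMED), bytes(dst)


class _BitWriter:
    """Inverse of _BitReader: each bit byte is reserved exactly where the decoder will load it."""
    def __init__(self) -> None:
        self.out, self.slot, self.nbits = bytearray(), 0, 0

    def bit(self, b: int) -> None:
        if self.nbits == 0:
            self.slot = len(self.out); self.out.append(0)
        self.out[self.slot] |= (b & 1) << (7 - self.nbits)
        self.nbits = (self.nbits + 1) % 8

    def byte(self, v: int) -> None:
        self.out.append(v & 0xFF)


def _put_prefix(bw: _BitWriter, g: int) -> None:
    """Emit the offset prefix code for g >= 2 by running the decoder's loop backwards."""
    bits, m = [1], g                             # the final 1 terminates the decoder loop
    while True:
        bits.append(m & 1); m >>= 1              # undo m = 2*m + bit
        if m == 1:
            break
        bits.append(m & 1); m = (m >> 1) + 1     # undo m = (m-1)*2 + bit
        bits.append(0)                           # the "keep going" bit in between
    for b in reversed(bits):
        bw.bit(b)


def _put_match(bw: _BitWriter, m_off: int, n: int, last_off: int) -> int:
    """Encode a copy of n bytes from distance m_off; returns the new last_off."""
    m_len = n - 1 - (1 if m_off > 0x500 else 0)  # decoder copies m_len+1 (+1 when far)
    hi, lo = (m_len >> 1, m_len & 1) if m_len <= 3 else (0, 0)
    bw.bit(0)                                    # ends the literal run
    if m_off == last_off:
        _put_prefix(bw, 2); bw.bit(hi)
    else:
        raw = (m_off - 1) * 2 + (1 - hi)
        _put_prefix(bw, (raw >> 8) + 3); bw.byte(raw & 0xFF)
    bw.bit(lo)
    if m_len > 3:                                # gamma code of m_len-2, MSB first, stop bit after each
        v = m_len - 2
        for i in range(v.bit_length() - 2, -1, -1):
            bw.bit((v >> i) & 1); bw.bit(1 if i == 0 else 0)
    return m_off


def nrv2d_compress(data: bytes, window: int = 0xFFF) -> bytes:
    """Greedy, unoptimised encoder written for this example (not the packer's)."""
    bw, i, last_off = _BitWriter(), 0, 1
    while i < len(data):
        best_len = best_off = 0
        for off in range(1, min(i, window) + 1):
            l = 0
            while i + l < len(data) and data[i + l - off] == data[i + l]:
                l += 1
            if l > best_len:
                best_len, best_off = l, off
        if best_len >= 2 + (1 if best_off > 0x500 else 0):
            last_off = _put_match(bw, best_off, best_len, last_off); i += best_len
        else:
            bw.bit(1); bw.byte(data[i]); i += 1
    bw.bit(0); _put_prefix(bw, 0x1000002); bw.byte(0xFF)   # (0x1000002-3)<<8 | 0xFF == 0xFFFFFFFF
    return bytes(bw.out)
```

Note the status handling: the native routine only compares the consumed count with a2 after it has seen the end marker, so a wrong a2 surfaces as -201/-205 rather than as a clean stop, and a truncated or hostile stream is read past its end without any check.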

}

 

init_array:{

The init_array function I looked at only resolves libc API addresses dynamically; I saw no other special handling there, so I went straight on to JNI_OnLoad.

}

 

JNI_OnLoad:{

This is where the real work starts. The function at offset 0x15194 formats a string and passes it to access(); this is also the first place the string "assets/classes0.jar" shows up. When it returns, is_magisk_check_process(_JNIEnv *, _jclass *) and is_miuiinstaller_process(_JNIEnv *, _jclass *) are called, and their return values select one of two branches:

Branch 1: either function returns 1. The function at offset 0x16028 registers the native methods of com/SecShell/SecShell/H. All entries below are in class com/SecShell/SecShell/H; the short JNI names a..q are cosmetic, the underlying symbols keep their original export names where shown (check_root, root_kill, ...), which makes them convenient hook points:

  Name    Signature                                                                                          Offset    Original export name
  attach  (Landroid/app/Application;Landroid/content/Context;)V                                              0x26FAC
  b       (Landroid/content/Context;Landroid/app/Application;)V                                              0x17334
  c       ()V                                                                                                0x18094
  d       (Ljava/lang/String;)Ljava/lang/String;                                                             0x1BF5C
  e       (Ljava/lang/Object;Ljava/util/List;Ljava/lang/String;)[Ljava/lang/Object;                          0x21ED8
  f       ()[Ljava/lang/String;                                                                              0x1A2F0
  g       ()[Ljava/lang/String;                                                                              0x19E98
  h       ()[Ljava/lang/String;                                                                              0x19888
  n       ()[Ljava/lang/String;                                                                              0x1938C
  j       ()[Ljava/lang/String;                                                                              0x19120
  k       ()Ljava/lang/String;                                                                               0x18FC8
  l       ()Ljava/lang/String;                                                                               0x18F68
  m       ()Ljava/lang/String;                                                                               0x18F18
  bb      (Landroid/content/Context;Landroid/app/Application;Landroid/app/Application;)V                     0x1758C
  o       (Landroid/content/Context;)I                                                                       0x17D9C   check_root
  p       ()V                                                                                                0x12294   root_kill
  q       ()I                                                                                                0x159C4   is_magisk_check_process
  mu      ()I                                                                                                0x15AC0   is_miuiinstaller_process

In this branch JNI_OnLoad returns as soon as the natives are registered; nothing is hooked.

Branch 2: both functions return 0. The same com/SecShell/SecShell/H natives are registered, but in addition the function at offset 0x4D7DC hooks the libc API. IDA F5 pseudocode:

int __fastcall jhj_HookLibcFunction(int result, int a2, int a3)
{
  // Control flow is flattened: v6 is the state variable and the switch is the dispatcher.
  // Order actually executed: 0 -> 3 -> 7 -> (4 | 6) -> 2 -> 1 -> (5 | 8 = exit).
  // IDA renders the small constants compared against v9 as pointer arithmetic on dword_0;
  // read (char *)&dword_0 + 1 / + 2 as the values 1 and 2.
  int v3; // r4   handle from jhj_dlopen("libc.so")
  int v5; // r9
  int v6; // r5   state
  int v7; // r8   seed of the opaque predicate in state 6
  int v8; // r2
  int **v9; // r3
  int v10; // r0
  int v11; // r2
  unsigned int v12; // r5
  int v13; // r2
  _DWORD *v14; // [sp+0h] [bp-E0h]
  char v15[4]; // [sp+14h] [bp-CCh] BYREF
  int v16; // [sp+18h] [bp-C8h]
  char v17[2]; // [sp+1Ch] [bp-C4h] BYREF   encrypted 4-byte value compared with property 2
  char v18[4]; // [sp+1Eh] [bp-C2h] BYREF
  char v19[20]; // [sp+24h] [bp-BCh] BYREF  encrypted name of system property 1
  char v20[28]; // [sp+38h] [bp-A8h] BYREF  encrypted name of system property 2
  char v21[32]; // [sp+54h] [bp-8Ch] BYREF  value of property 1
  int v22[16]; // [sp+74h] [bp-6Ch] BYREF   value of property 2; later the decrypted libc symbol name
  int v23; // [sp+B4h] [bp-2Ch]           stack canary

  v5 = result;
  v14 = off_A2984;
  v6 = 0;
  v7 = 31101;
  v23 = *(_DWORD *)off_A2984;
  v8 = 0;
  v9 = off_AC224;
LABEL_2:
  if ( v6 != 8 )
  {
    while ( 1 )
    {
      switch ( v6 )
      {
        case 0:                                   // init: two mutexes, then state 3
          off_AC22C[0] = sub_4C1E0(v15, v5, v8, (int)v9);
          jhj_pthread_mutex_init((int)&dword_AC218, 0);
          v6 = 3;
          result = jhj_pthread_mutex_init((int)&dword_AC220, 0);
          continue;
        case 1:                                   // last libc hooks; a3 selects the epilogue
          jhj_HookLibcApi(v3, (int)"pread64", (int)jhj_hookpread64, &off_AC244);
          result = jhj_HookLibcApi(v3, (int)"ftruncate64", (int)jhj_hookftruncate64, &off_AC234);
          if ( a3 )
            v6 = 5;
          else
            v6 = 8;
          goto LABEL_2;
        case 2:                                   // read/write/mapping hooks
          jhj_HookLibcApi(v3, (int)"write", (int)jhj_hookwrite, &off_AC24C);
          jhj_HookLibcApi(v3, (int)"read", (int)jhj_hookread, &off_AC240);
          jhj_HookLibcApi(v3, (int)"munmap", (int)jhj_hookmunmap, &off_AC228);
          v6 = 1;
          result = jhj_HookLibcApi(v3, (int)"msync", (int)jhj_hookmsync, off_AC230);
          continue;
        case 3:                                   // open libc and hook the open family
          sub_4BE78(100000, -1);
          v3 = jhj_dlopen((int)"libc.so", 0);
          jhj_HookLibcApi(v3, (int)"__open", (int)jhj_hook__open, &off_AC23C);
          v6 = 7;
          result = jhj_HookLibcApi(v3, (int)"__openat", (int)jhj_hook__openat, &off_AC238);
          continue;
        case 4:                                   // hook an ART function with handler sub_4B664
          v10 = sub_4BAA4();
          v6 = 2;
          result = jhj_HooArtFunction(v10, (int)sub_4B664, off_AC224);
          continue;
        case 5:
          result = pFB65A3D3038290551DF5BDF56A950A91(result);
          goto LABEL_28;
        case 6:                                   // v12 = v7 % 151 (multiply-shift). Reached with v7 = 13421,
                                                  // so v12 = 133, v9 = 0 and the next state is 135 - 133 = 2.
          v12 = v7 - 151 * ((unsigned int)(55554 * v7) >> 23);
          v22[0] = -1465444864;
          v22[1] = 10598315;
          v9 = (int **)(133 - v12);
          while ( v9 != (int **)((char *)&dword_0 + 1) )
          {
            if ( !v9 )
            {
              v7 = 4361;
              jhj_DecrypBytes((int)v22, 5, 210);  // 5-byte libc symbol name, decrypted only here
              result = jhj_HookLibcApi(v3, (int)v22, (int)sub_4B664, off_AC224);   // same handler as the ART hook in state 4
              break;
            }
          }
          v6 = 135 - v12;
          goto LABEL_2;
        case 7:                                   // hook __mmap2, then a device/version probe
          jhj_HookLibcApi(v3, (int)"__mmap2", (int)jhj_hook__mmap2, &off_AC248);
          v16 = 0;
          jhj_memset(v19, 0, 19);
          v19[2] = -75;
          v19[4] = -23;
          v19[6] = -75;
          v19[5] = -73;
          v19[8] = -93;
          v19[9] = -78;
          v19[12] = -23;
          v19[10] = -92;
          v19[13] = -86;
          v19[11] = -77;
          v19[15] = -93;
          v19[3] = -88;
          v19[7] = -88;
          v19[14] = -88;
          v19[1] = 40;
          v19[16] = -94;
          v19[17] = -85;
          jhj_DecrypBytes((int)v19, 16, 239);     // property name 1 (16 bytes, key 239)
          jhj_GetSystemProperty((int)v19, v21, v11);
          result = jhj_strstr(v21, "Pixelbook");  // on a Pixelbook skip the second probe: state 4
          if ( result )
            goto LABEL_24;
          jhj_memset(v20, 0, 26);
          v20[3] = -2;
          v20[1] = 124;
          v20[5] = -31;
          v20[2] = -29;
          v20[6] = -29;
          v20[7] = -2;
          v20[11] = -27;
          v20[8] = -11;
          v20[15] = -1;
          v20[9] = -28;
          v20[16] = -28;
          v20[17] = -9;
          v20[20] = -27;
          v20[21] = -28;
          v20[22] = -29;
          v20[23] = -12;
          v20[24] = -29;
          v20[10] = -14;
          v20[19] = -14;
          v20[4] = -65;
          v20[12] = -65;
          v20[13] = -4;
          v20[14] = -16;
          v20[18] = -16;
          jhj_DecrypBytes((int)v20, 23, 237);     // property name 2 (23 bytes, key 237)
          jhj_GetSystemProperty((int)v20, v22, v13);
          result = jhj_memset(v17, 0, 7);
          v9 = 0;
          v17[1] = -26;
          qmemcpy(v18, ")*(>", sizeof(v18));
          v8 = 62;
          while ( 2 )                             // opaque loop driven by v9 in {0, 1, 2}
          {
            if ( v9 == (int **)((char *)&dword_0 + 1) )   // v9 == 1: property 2 differs from the expected value
            {
              v7 = 13421;
              v9 = (int **)*pEB77A6F897F9B354B0478926205A1AC5_ptr;
              if ( (int)*pEB77A6F897F9B354B0478926205A1AC5_ptr <= 28 )   // <= 28 reads like an API level (Android 9); not confirmed here
                v6 = 6;
              else
                v6 = 4;
              goto LABEL_2;
            }
            if ( v9 != (int **)((char *)&dword_0 + 2) )   // v9 == 0: do the comparison
            {
              jhj_DecrypBytes((int)v17, 4, 156);  // expected 4-byte value (key 156)
              result = jhj_strcmp((int)v22, (int)v17);
              if ( result )
                v9 = (int **)(&dword_0 + 1);
              else
                v9 = (int **)(&dword_0 + 2);
              continue;
            }
            break;                                // v9 == 2: property 2 matched, state 4
          }
LABEL_24:
          v6 = 4;
          v7 = 13421;
          break;
        default:
          goto LABEL_2;
      }
    }
  }
LABEL_28:
  if ( v23 != *v14 )                              // stack canary check
    return jhj__stack_chk_fail(result);
  return result;
}

It also hooks art::OatFileManager::OpenDexFilesFromOat and art::ArtDexFileLoader::Open(std::string const&, unsigned int, art::MemMap &&, bool, bool, std::string *), the ART entry points through which a dex/jar is opened. Together with the libc hooks on __open/__openat, __mmap2, read/pread64, write, msync, munmap and ftruncate64, that covers every step the class loader takes to open and map a dex file, so a dumper that runs inside the process and goes through the same libc calls should expect to hit these hooks; reading the process memory from outside (for example /proc/<pid>/mem from another process) or dumping once the decoded image is already mapped avoids them.

The function at offset 0x1E21C reflectively calls getClassLoader to obtain the shell's own ClassLoader and, together with the jstring objects created earlier, reflectively invokes com.SecShell.SecShell.H's public static void f(ClassLoader arg6, "/data/user/0/com.fy.qqkp.new.mi/.cache/classes.jar", "/data/user/0/com.fy.qqkp.new.mi/.cache") and then the ff method.

The anti-debugging, anti-injection and anti-hook handling also lives in JNI_OnLoad:

The function at offset 0x59B08 loops over every thread of the current process and checks whether the Name field of /proc/<pid>/task/<tid>/status is Frida-related (markers: gmain, gum-js-loop), and whether /proc/<pid>/fd contains a descriptor whose target mentions linjector (Frida's injector). Either condition on its own is enough: the code jumps straight to the function at offset 0x5F518, which terminates the process. Relevant code follows (related reading: "[原创] frida常用检测点及其原理--一把梭方案", Android安全 board, kanxue.com):

.text&ARM.extab:00059CB0 25 AD                         ADD             R5, SP, #0x300+var_26C

.text&ARM.extab:00059CB2 00 21                         MOVS            R1, #0

.text&ARM.extab:00059CB4 0E 22                         MOVS            R2, #0xE

.text&ARM.extab:00059CB6 28 46                         MOV             R0, R5

.text&ARM.extab:00059CB8 B6 F7 76 EB                   BLX             jhj_memset

.text&ARM.extab:00059CB8

.text&ARM.extab:00059CBC E3 22                         MOVS            R2, #0xE3

.text&ARM.extab:00059CBE 0B 21                         MOVS            R1, #0xB

.text&ARM.extab:00059CC0 AA 71                         STRB            R2, [R5,#6]

.text&ARM.extab:00059CC2 28 46                         MOV             R0, R5

.text&ARM.extab:00059CC4 FA 22                         MOVS            R2, #0xFA

.text&ARM.extab:00059CC6 EA 71                         STRB            R2, [R5,#7]

.text&ARM.extab:00059CC8 EC 22                         MOVS            R2, #0xEC

.text&ARM.extab:00059CCA 65 23                         MOVS            R3, #0x65 ; 'e'

.text&ARM.extab:00059CCC 6B 70                         STRB            R3, [R5,#1]

.text&ARM.extab:00059CCE EE 23                         MOVS            R3, #0xEE

.text&ARM.extab:00059CD0 AB 70                         STRB            R3, [R5,#2]

.text&ARM.extab:00059CD2 FC 23                         MOVS            R3, #0xFC

.text&ARM.extab:00059CD4 EB 70                         STRB            R3, [R5,#3]

.text&ARM.extab:00059CD6 E4 23                         MOVS            R3, #0xE4

.text&ARM.extab:00059CD8 2B 71                         STRB            R3, [R5,#4]

.text&ARM.extab:00059CDA A4 23                         MOVS            R3, #0xA4

.text&ARM.extab:00059CDC 6B 71                         STRB            R3, [R5,#5]

.text&ARM.extab:00059CDE 2B 72                         STRB            R3, [R5,#8]

.text&ARM.extab:00059CE0 E5 23                         MOVS            R3, #0xE5

.text&ARM.extab:00059CE2 6B 72                         STRB            R3, [R5,#9]

.text&ARM.extab:00059CE4 E6 23                         MOVS            R3, #0xE6

.text&ARM.extab:00059CE6 AB 72                         STRB            R3, [R5,#0xA]

.text&ARM.extab:00059CE8 EB 72                         STRB            R3, [R5,#0xB]

.text&ARM.extab:00059CEA F9 23                         MOVS            R3, #0xF9

.text&ARM.extab:00059CEC 2B 73                         STRB            R3, [R5,#0xC]

.text&ARM.extab:00059CEE FF F7 C7 FD                   BL              jhj_DecryptString4 ; decrypts to the string "gum-js-loop"
.text&ARM.extab:00059CEE                                                             ; gum-js-loop is the name of the thread that runs Frida's JavaScript runtime (Gum) inside frida-agent / frida-gadget;
.text&ARM.extab:00059CEE                                                             ; Frida is a dynamic instrumentation toolkit that lets you observe and modify an application at run time.

.text&ARM.extab:00059CEE

.text&ARM.extab:00059CF2 23 AB                         ADD             R3, SP, #0x300+var_274

.text&ARM.extab:00059CF4 4F F0 00 0C                   MOV.W           R12, #0

.text&ARM.extab:00059CF8 72 22                         MOVS            R2, #0x72 ; 'r'

.text&ARM.extab:00059CFA CD F8 8C C0                   STR.W           R12, [SP,#0x300+var_274]

.text&ARM.extab:00059CFE CD F8 90 C0                   STR.W           R12, [SP,#0x300+var_270]

.text&ARM.extab:00059D02 18 46                         MOV             R0, R3

.text&ARM.extab:00059D04 8D F8 8D 20                   STRB.W          R2, [SP,#0x300+var_274+1]

.text&ARM.extab:00059D08 05 21                         MOVS            R1, #5

.text&ARM.extab:00059D0A D6 22                         MOVS            R2, #0xD6

.text&ARM.extab:00059D0C 8D F8 8E 20                   STRB.W          R2, [SP,#0x300+var_274+2]

.text&ARM.extab:00059D10 DC 22                         MOVS            R2, #0xDC

.text&ARM.extab:00059D12 8D F8 8F 20                   STRB.W          R2, [SP,#0x300+var_274+3]

.text&ARM.extab:00059D16 D0 22                         MOVS            R2, #0xD0

.text&ARM.extab:00059D18 8D F8 90 20                   STRB.W          R2, [SP,#0x300+var_270]

.text&ARM.extab:00059D1C D8 22                         MOVS            R2, #0xD8

.text&ARM.extab:00059D1E 8D F8 91 20                   STRB.W          R2, [SP,#0x300+var_270+1]

.text&ARM.extab:00059D22 DF 22                         MOVS            R2, #0xDF

.text&ARM.extab:00059D24 8D F8 92 20                   STRB.W          R2, [SP,#0x300+var_270+2]

.text&ARM.extab:00059D28 C3 22                         MOVS            R2, #0xC3

.text&ARM.extab:00059D2A CD F8 14 C0                   STR.W           R12, [SP,#0x300+var_2EC]

.text&ARM.extab:00059D2E 04 93                         STR             R3, [SP,#0x300+var_2F0]

.text&ARM.extab:00059D30 FF F7 A6 FD                   BL              jhj_DecryptString4 ; decrypts to the string "gmain" (the GLib main-loop thread of the Frida agent)

.text&ARM.extab:00059D30

.text&ARM.extab:00059D34 38 46                         MOV             R0, R7

.text&ARM.extab:00059D36 29 46                         MOV             R1, R5

.text&ARM.extab:00059D38 FF F7 FA FB                   BL              jhj_IsFridaThreadAnd_FD_IsHavelinjector ; arg 1: the Name field of task/<tid>/status
.text&ARM.extab:00059D38                                                             ; arg 2: the Frida marker to look for, here "gum-js-loop"

.text&ARM.extab:00059D38

.text&ARM.extab:00059D3C 04 9B                         LDR             R3, [SP,#0x300+var_2F0]

.text&ARM.extab:00059D3E DD F8 14 C0                   LDR.W           R12, [SP,#0x300+var_2EC]

.text&ARM.extab:00059D42 78 B9                         CBNZ            R0, loc_59D64

.text&ARM.extab:00059D42

.text&ARM.extab:00059D44 38 46                         MOV             R0, R7

.text&ARM.extab:00059D46 19 46                         MOV             R1, R3

.text&ARM.extab:00059D48 FF F7 F2 FB                   BL              jhj_IsFridaThreadAnd_FD_IsHavelinjector ; arg 1: the Name field of task/<tid>/status
.text&ARM.extab:00059D48                                                             ; arg 2: the Frida marker to look for, here "gmain"

 

At offset 0x601AA the code calls pthread_create to start a new thread (thread 1) whose callback performs the following anti-debugging check:

The function at offset 0x5F608 inspects the State and TracerPid fields of /proc/<pid>/status (State first, then TracerPid); if both indicate a tracer it returns 1, otherwise 0.

.text&ARM.extab:0005F608                               EXPORT jhj_CheckPidStatus

.text&ARM.extab:0005F608                               jhj_CheckPidStatus            ; CODE XREF: .text&ARM.extab:00060130↓p

.text&ARM.extab:0005F608                                                             ; DATA XREF: LOAD:0000232C↑o

.text&ARM.extab:0005F608

.text&ARM.extab:0005F608                               var_9F0= -0x9F0

.text&ARM.extab:0005F608                               var_9EC= -0x9EC

.text&ARM.extab:0005F608                               var_9E8= -0x9E8

.text&ARM.extab:0005F608                               var_9E4= -0x9E4

.text&ARM.extab:0005F608                               var_9DC= -0x9DC

.text&ARM.extab:0005F608                               var_9D8= -0x9D8

.text&ARM.extab:0005F608                               var_9D4= -0x9D4

.text&ARM.extab:0005F608                               var_9D0= -0x9D0

.text&ARM.extab:0005F608                               var_9CC= -0x9CC

.text&ARM.extab:0005F608                               var_9C0= -0x9C0

.text&ARM.extab:0005F608                               var_9B4= -0x9B4

.text&ARM.extab:0005F608                               var_9A4= -0x9A4

.text&ARM.extab:0005F608                               var_994= -0x994

.text&ARM.extab:0005F608                               var_980= -0x980

.text&ARM.extab:0005F608                               var_96C= -0x96C

.text&ARM.extab:0005F608                               var_92C= -0x92C

.text&ARM.extab:0005F608                               var_82C= -0x82C

.text&ARM.extab:0005F608                               var_42C= -0x42C

.text&ARM.extab:0005F608                               var_2C= -0x2C

.text&ARM.extab:0005F608

.text&ARM.extab:0005F608                               ; __unwind { // 417B6000

.text&ARM.extab:0005F608 2D E9 F0 4F                   PUSH.W          {R4-R11,LR}

.text&ARM.extab:0005F60C AD F6 CC 1D                   SUBW            SP, SP, #0x9CC

.text&ARM.extab:0005F610 C8 4E                         LDR             R6, =(off_A2984 - 0x5F61C)

.text&ARM.extab:0005F612 17 AC                         ADD             R4, SP, #0x9F0+var_994

.text&ARM.extab:0005F614 80 46                         MOV             R8, R0

.text&ARM.extab:0005F616 00 21                         MOVS            R1, #0

.text&ARM.extab:0005F618 7E 44                         ADD             R6, PC        ; off_A2984

.text&ARM.extab:0005F61A 36 68                         LDR             R6, [R6]

.text&ARM.extab:0005F61C 20 46                         MOV             R0, R4

.text&ARM.extab:0005F61E 13 22                         MOVS            R2, #0x13

.text&ARM.extab:0005F620 0D F1 C4 0A                   ADD.W           R10, SP, #0x9F0+var_92C

.text&ARM.extab:0005F624 33 68                         LDR             R3, [R6]

.text&ARM.extab:0005F626 4F F0 08 0B                   MOV.W           R11, #8

.text&ARM.extab:0005F62A 09 25                         MOVS            R5, #9

.text&ARM.extab:0005F62C 0E 27                         MOVS            R7, #0xE

.text&ARM.extab:0005F62E 4F F0 00 09                   MOV.W           R9, #0

.text&ARM.extab:0005F632 CD F8 C4 39                   STR.W           R3, [SP,#0x9F0+var_2C]

.text&ARM.extab:0005F636 B0 F7 B8 EE                   BLX             jhj_memset

.text&ARM.extab:0005F636

.text&ARM.extab:0005F63A 0B 22                         MOVS            R2, #0xB

.text&ARM.extab:0005F63C 20 46                         MOV             R0, R4

.text&ARM.extab:0005F63E E2 70                         STRB            R2, [R4,#3]

.text&ARM.extab:0005F640 10 21                         MOVS            R1, #0x10

.text&ARM.extab:0005F642 14 22                         MOVS            R2, #0x14

.text&ARM.extab:0005F644 62 71                         STRB            R2, [R4,#5]

.text&ARM.extab:0005F646 18 22                         MOVS            R2, #0x18

.text&ARM.extab:0005F648 A2 71                         STRB            R2, [R4,#6]

.text&ARM.extab:0005F64A 5E 22                         MOVS            R2, #0x5E ; '^'

.text&ARM.extab:0005F64C 22 72                         STRB            R2, [R4,#8]

.text&ARM.extab:0005F64E 17 22                         MOVS            R2, #0x17

.text&ARM.extab:0005F650 62 72                         STRB            R2, [R4,#9]

.text&ARM.extab:0005F652 1F 22                         MOVS            R2, #0x1F

.text&ARM.extab:0005F654 A2 72                         STRB            R2, [R4,#0xA]

.text&ARM.extab:0005F656 1A 22                         MOVS            R2, #0x1A

.text&ARM.extab:0005F658 A2 73                         STRB            R2, [R4,#0xE]

.text&ARM.extab:0005F65A E1 22                         MOVS            R2, #0xE1

.text&ARM.extab:0005F65C 9A 23                         MOVS            R3, #0x9A

.text&ARM.extab:0005F65E 25 71                         STRB            R5, [R4,#4]

.text&ARM.extab:0005F660 63 70                         STRB            R3, [R4,#1]

.text&ARM.extab:0005F662 54 23                         MOVS            R3, #0x54 ; 'T'

.text&ARM.extab:0005F664 84 F8 0C B0                   STRB.W          R11, [R4,#0xC]

.text&ARM.extab:0005F668 A3 70                         STRB            R3, [R4,#2]

.text&ARM.extab:0005F66A E3 71                         STRB            R3, [R4,#7]

.text&ARM.extab:0005F66C E3 72                         STRB            R3, [R4,#0xB]

.text&ARM.extab:0005F66E 0F 23                         MOVS            R3, #0xF

.text&ARM.extab:0005F670 27 74                         STRB            R7, [R4,#0x10]

.text&ARM.extab:0005F672 63 73                         STRB            R3, [R4,#0xD]

.text&ARM.extab:0005F674 E3 73                         STRB            R3, [R4,#0xF]

.text&ARM.extab:0005F676 84 F8 11 B0                   STRB.W          R11, [R4,#0x11]

.text&ARM.extab:0005F67A FF F7 5D FF                   BL              jhj_DecryptString5 ; decrypts to the string "/proc/%ld/status"

.text&ARM.extab:0005F67A

.text&ARM.extab:0005F67E 22 46                         MOV             R2, R4

.text&ARM.extab:0005F680 06 AC                         ADD             R4, SP, #0x9F0+var_9D8

.text&ARM.extab:0005F682 43 46                         MOV             R3, R8

.text&ARM.extab:0005F684 50 46                         MOV             R0, R10

.text&ARM.extab:0005F686 4F F4 80 71                   MOV.W           R1, #0x100

.text&ARM.extab:0005F68A DF F8 AC 82                   LDR.W           R8, =(g_func_map_ptr - 0x5F6B0)

.text&ARM.extab:0005F68E 39 F0 23 FC                   BL              jhj_format1   ; formats "/proc/<pid>/status"

.text&ARM.extab:0005F68E

.text&ARM.extab:0005F692 01 21                         MOVS            R1, #1

.text&ARM.extab:0005F694 D6 22                         MOVS            R2, #0xD6

.text&ARM.extab:0005F696 20 46                         MOV             R0, R4

.text&ARM.extab:0005F698 CD F8 18 90                   STR.W           R9, [SP,#0x9F0+var_9D8]

.text&ARM.extab:0005F69C 5A 23                         MOVS            R3, #0x5A ; 'Z'

.text&ARM.extab:0005F69E 8D F8 19 30                   STRB.W          R3, [SP,#0x9F0+var_9D8+1]

.text&ARM.extab:0005F6A2 FE 23                         MOVS            R3, #0xFE

.text&ARM.extab:0005F6A4 8D F8 1A 30                   STRB.W          R3, [SP,#0x9F0+var_9D8+2]

.text&ARM.extab:0005F6A8 FF F7 46 FF                   BL              jhj_DecryptString5 ; decrypts to the string "r"

.text&ARM.extab:0005F6A8

.text&ARM.extab:0005F6AC F8 44                         ADD             R8, PC        ; g_func_map_ptr

.text&ARM.extab:0005F6AE D8 F8 00 80                   LDR.W           R8, [R8]      ; g_func_map

.text&ARM.extab:0005F6B2 50 46                         MOV             R0, R10

.text&ARM.extab:0005F6B4 21 46                         MOV             R1, R4

.text&ARM.extab:0005F6B6 D8 F8 00 30                   LDR.W           R3, [R8]

.text&ARM.extab:0005F6BA 98 47                         BLX             R3            ; dword_0 ; fopen("/proc/pid/status", "r")

.text&ARM.extab:0005F6BA

.text&ARM.extab:0005F6BC 01 96                         STR             R6, [SP,#0x9F0+var_9EC]

.text&ARM.extab:0005F6BE 82 46                         MOV             R10, R0

.text&ARM.extab:0005F6C0 00 28                         CMP             R0, #0

.text&ARM.extab:0005F6C2 00 F0 28 81                   BEQ.W           loc_5F916

.text&ARM.extab:0005F6C2

.text&ARM.extab:0005F6C6 0F AC                         ADD             R4, SP, #0x9F0+var_9B4

.text&ARM.extab:0005F6C8 05 AB                         ADD             R3, SP, #0x9F0+var_9DC

.text&ARM.extab:0005F6CA 09 AE                         ADD             R6, SP, #0x9F0+var_9CC

.text&ARM.extab:0005F6CC 49 46                         MOV             R1, R9

.text&ARM.extab:0005F6CE 0D 22                         MOVS            R2, #0xD

.text&ARM.extab:0005F6D0 20 46                         MOV             R0, R4

.text&ARM.extab:0005F6D2 C3 F8 00 90                   STR.W           R9, [R3]

.text&ARM.extab:0005F6D6 00 93                         STR             R3, [SP,#0x9F0+var_9F0]

.text&ARM.extab:0005F6D8 B0 F7 66 EE                   BLX             jhj_memset

.text&ARM.extab:0005F6D8

.text&ARM.extab:0005F6DC C8 22                         MOVS            R2, #0xC8

.text&ARM.extab:0005F6DE 0A 21                         MOVS            R1, #0xA

.text&ARM.extab:0005F6E0 22 71                         STRB            R2, [R4,#4]

.text&ARM.extab:0005F6E2 20 46                         MOV             R0, R4

.text&ARM.extab:0005F6E4 CA 22                         MOVS            R2, #0xCA

.text&ARM.extab:0005F6E6 62 71                         STRB            R2, [R4,#5]

.text&ARM.extab:0005F6E8 CC 22                         MOVS            R2, #0xCC

.text&ARM.extab:0005F6EA A2 71                         STRB            R2, [R4,#6]

.text&ARM.extab:0005F6EC DC 22                         MOVS            R2, #0xDC

.text&ARM.extab:0005F6EE 75 23                         MOVS            R3, #0x75 ; 'u'

.text&ARM.extab:0005F6F0 63 70                         STRB            R3, [R4,#1]

.text&ARM.extab:0005F6F2 FD 23                         MOVS            R3, #0xFD

.text&ARM.extab:0005F6F4 A3 70                         STRB            R3, [R4,#2]

.text&ARM.extab:0005F6F6 DB 23                         MOVS            R3, #0xDB

.text&ARM.extab:0005F6F8 E3 70                         STRB            R3, [R4,#3]

.text&ARM.extab:0005F6FA E3 71                         STRB            R3, [R4,#7]

.text&ARM.extab:0005F6FC F9 23                         MOVS            R3, #0xF9

.text&ARM.extab:0005F6FE 23 72                         STRB            R3, [R4,#8]

.text&ARM.extab:0005F700 C0 23                         MOVS            R3, #0xC0

.text&ARM.extab:0005F702 63 72                         STRB            R3, [R4,#9]

.text&ARM.extab:0005F704 CD 23                         MOVS            R3, #0xCD

.text&ARM.extab:0005F706 A3 72                         STRB            R3, [R4,#0xA]

.text&ARM.extab:0005F708 93 23                         MOVS            R3, #0x93

.text&ARM.extab:0005F70A E3 72                         STRB            R3, [R4,#0xB]

.text&ARM.extab:0005F70C FF F7 14 FF                   BL              jhj_DecryptString5 ; decrypts to the string "TracerPid"

.text&ARM.extab:0005F70C

.text&ARM.extab:0005F710 2A 46                         MOV             R2, R5

.text&ARM.extab:0005F712 49 46                         MOV             R1, R9

.text&ARM.extab:0005F714 13 AD                         ADD             R5, SP, #0x9F0+var_9A4

.text&ARM.extab:0005F716 30 46                         MOV             R0, R6

.text&ARM.extab:0005F718 B0 F7 46 EE                   BLX             jhj_memset

.text&ARM.extab:0005F718

.text&ARM.extab:0005F71C 0C 22                         MOVS            R2, #0xC

.text&ARM.extab:0005F71E 06 21                         MOVS            R1, #6

.text&ARM.extab:0005F720 32 71                         STRB            R2, [R6,#4]

.text&ARM.extab:0005F722 30 46                         MOV             R0, R6

.text&ARM.extab:0005F724 57 22                         MOVS            R2, #0x57 ; 'W'

.text&ARM.extab:0005F726 F2 71                         STRB            R2, [R6,#7]

.text&ARM.extab:0005F728 BB 22                         MOVS            R2, #0xBB

.text&ARM.extab:0005F72A 86 F8 06 B0                   STRB.W          R11, [R6,#6]

.text&ARM.extab:0005F72E D6 23                         MOVS            R3, #0xD6

.text&ARM.extab:0005F730 73 70                         STRB            R3, [R6,#1]

.text&ARM.extab:0005F732 3E 23                         MOVS            R3, #0x3E ; '>'

.text&ARM.extab:0005F734 B3 70                         STRB            R3, [R6,#2]

.text&ARM.extab:0005F736 19 23                         MOVS            R3, #0x19

.text&ARM.extab:0005F738 F3 70                         STRB            R3, [R6,#3]

.text&ARM.extab:0005F73A 73 71                         STRB            R3, [R6,#5]

.text&ARM.extab:0005F73C 02 93                         STR             R3, [SP,#0x9F0+var_9E8]

.text&ARM.extab:0005F73E FF F7 FB FE                   BL              jhj_DecryptString5 ; decrypts to the string "State:"

.text&ARM.extab:0005F73E

.text&ARM.extab:0005F742 3A 46                         MOV             R2, R7

.text&ARM.extab:0005F744 49 46                         MOV             R1, R9

.text&ARM.extab:0005F746 28 46                         MOV             R0, R5

.text&ARM.extab:0005F748 0C AF                         ADD             R7, SP, #0x9F0+var_9C0

.text&ARM.extab:0005F74A B0 F7 2E EE                   BLX             jhj_memset

.text&ARM.extab:0005F74A

.text&ARM.extab:0005F74E 5E 23                         MOVS            R3, #0x5E ; '^'

.text&ARM.extab:0005F750 2B 71                         STRB            R3, [R5,#4]

.text&ARM.extab:0005F752 A2 22                         MOVS            R2, #0xA2

.text&ARM.extab:0005F754 02 9B                         LDR             R3, [SP,#0x9F0+var_9E8]

.text&ARM.extab:0005F756 0B 21                         MOVS            R1, #0xB

.text&ARM.extab:0005F758 6A 70                         STRB            R2, [R5,#1]

.text&ARM.extab:0005F75A 28 46                         MOV             R0, R5

.text&ARM.extab:0005F75C 22 22                         MOVS            R2, #0x22 ; '"'

.text&ARM.extab:0005F75E AA 70                         STRB            R2, [R5,#2]

.text&ARM.extab:0005F760 56 22                         MOVS            R2, #0x56 ; 'V'

.text&ARM.extab:0005F762 EA 70                         STRB            R2, [R5,#3]

.text&ARM.extab:0005F764 05 22                         MOVS            R2, #5

.text&ARM.extab:0005F766 6A 71                         STRB            R2, [R5,#5]

.text&ARM.extab:0005F768 12 22                         MOVS            R2, #0x12

.text&ARM.extab:0005F76A EA 72                         STRB            R2, [R5,#0xB]

.text&ARM.extab:0005F76C 5F 22                         MOVS            R2, #0x5F ; '_'

.text&ARM.extab:0005F76E 2A 73                         STRB            R2, [R5,#0xC]

.text&ARM.extab:0005F770 D4 22                         MOVS            R2, #0xD4

.text&ARM.extab:0005F772 4F F0 02 0C                   MOV.W           R12, #2

.text&ARM.extab:0005F776 EB 71                         STRB            R3, [R5,#7]

.text&ARM.extab:0005F778 06 23                         MOVS            R3, #6

.text&ARM.extab:0005F77A 85 F8 06 C0                   STRB.W          R12, [R5,#6]

.text&ARM.extab:0005F77E CD F8 0C C0                   STR.W           R12, [SP,#0x9F0+var_9E4]

.text&ARM.extab:0005F782 2B 72                         STRB            R3, [R5,#8]

.text&ARM.extab:0005F784 6B 72                         STRB            R3, [R5,#9]

.text&ARM.extab:0005F786 02 93                         STR             R3, [SP,#0x9F0+var_9E8]

.text&ARM.extab:0005F788 13 23                         MOVS            R3, #0x13

.text&ARM.extab:0005F78A AB 72                         STRB            R3, [R5,#0xA]

.text&ARM.extab:0005F78C FF F7 D4 FE                   BL              jhj_DecryptString5 ; decrypts to the string "T (stopped)"

.text&ARM.extab:0005F78C

.text&ARM.extab:0005F790 49 46                         MOV             R1, R9

.text&ARM.extab:0005F792 0B 22                         MOVS            R2, #0xB

.text&ARM.extab:0005F794 38 46                         MOV             R0, R7

.text&ARM.extab:0005F796 B0 F7 08 EE                   BLX             jhj_memset

.text&ARM.extab:0005F796

.text&ARM.extab:0005F79A DD F8 0C C0                   LDR.W           R12, [SP,#0x9F0+var_9E4]

.text&ARM.extab:0005F79E 0D 23                         MOVS            R3, #0xD

.text&ARM.extab:0005F7A0 BB 71                         STRB            R3, [R7,#6]

.text&ARM.extab:0005F7A2 02 9B                         LDR             R3, [SP,#0x9F0+var_9E8]

.text&ARM.extab:0005F7A4 59 46                         MOV             R1, R11

.text&ARM.extab:0005F7A6 0D F1 70 0B                   ADD.W           R11, SP, #0x9F0+var_980

.text&ARM.extab:0005F7AA B0 22                         MOVS            R2, #0xB0

.text&ARM.extab:0005F7AC 38 46                         MOV             R0, R7

.text&ARM.extab:0005F7AE 7A 70                         STRB            R2, [R7,#1]

.text&ARM.extab:0005F7B0 47 22                         MOVS            R2, #0x47 ; 'G'

.text&ARM.extab:0005F7B2 BA 70                         STRB            R2, [R7,#2]

.text&ARM.extab:0005F7B4 15 22                         MOVS            R2, #0x15

.text&ARM.extab:0005F7B6 FA 70                         STRB            R2, [R7,#3]

.text&ARM.extab:0005F7B8 DF 22                         MOVS            R2, #0xDF

.text&ARM.extab:0005F7BA 87 F8 05 C0                   STRB.W          R12, [R7,#5]

.text&ARM.extab:0005F7BE FB 71                         STRB            R3, [R7,#7]

.text&ARM.extab:0005F7C0 0A 23                         MOVS            R3, #0xA

.text&ARM.extab:0005F7C2 3B 72                         STRB            R3, [R7,#8]

.text&ARM.extab:0005F7C4 46 23                         MOVS            R3, #0x46 ; 'F'

.text&ARM.extab:0005F7C6 7B 72                         STRB            R3, [R7,#9]

.text&ARM.extab:0005F7C8 FF F7 B6 FE                   BL              jhj_DecryptString5 ; decrypts to the string "(zombie)"

.text&ARM.extab:0005F7C8

.text&ARM.extab:0005F7CC 49 46                         MOV             R1, R9

.text&ARM.extab:0005F7CE 13 22                         MOVS            R2, #0x13

.text&ARM.extab:0005F7D0 58 46                         MOV             R0, R11

.text&ARM.extab:0005F7D2 0D F5 E2 79                   ADD.W           R9, SP, #0x9F0+var_82C

.text&ARM.extab:0005F7D6 B0 F7 E8 ED                   BLX             jhj_memset

.text&ARM.extab:0005F7D6

.text&ARM.extab:0005F7DA 80 22                         MOVS            R2, #0x80

.text&ARM.extab:0005F7DC 88 21                         MOVS            R1, #0x88

.text&ARM.extab:0005F7DE 8B F8 03 20                   STRB.W          R2, [R11,#3]

.text&ARM.extab:0005F7E2 8B F8 04 10                   STRB.W          R1, [R11,#4]

.text&ARM.extab:0005F7E6 58 46                         MOV             R0, R11

.text&ARM.extab:0005F7E8 D2 21                         MOVS            R1, #0xD2

.text&ARM.extab:0005F7EA 8B F8 0C 20                   STRB.W          R2, [R11,#0xC]

.text&ARM.extab:0005F7EE 8B F8 06 10                   STRB.W          R1, [R11,#6]

.text&ARM.extab:0005F7F2 D3 22                         MOVS            R2, #0xD3

.text&ARM.extab:0005F7F4 C1 21                         MOVS            R1, #0xC1

.text&ARM.extab:0005F7F6 8B F8 07 10                   STRB.W          R1, [R11,#7]

.text&ARM.extab:0005F7FA C3 21                         MOVS            R1, #0xC3

.text&ARM.extab:0005F7FC 8B F8 08 10                   STRB.W          R1, [R11,#8]

.text&ARM.extab:0005F800 C9 21                         MOVS            R1, #0xC9

.text&ARM.extab:0005F802 8B F8 09 10                   STRB.W          R1, [R11,#9]

.text&ARM.extab:0005F806 CE 21                         MOVS            R1, #0xCE

.text&ARM.extab:0005F808 8B F8 0A 10                   STRB.W          R1, [R11,#0xA]

.text&ARM.extab:0005F80C C7 21                         MOVS            R1, #0xC7

.text&ARM.extab:0005F80E 8B F8 0B 10                   STRB.W          R1, [R11,#0xB]

.text&ARM.extab:0005F812 10 21                         MOVS            R1, #0x10

.text&ARM.extab:0005F814 73 23                         MOVS            R3, #0x73 ; 's'

.text&ARM.extab:0005F816 8B F8 0D 20                   STRB.W          R2, [R11,#0xD]

.text&ARM.extab:0005F81A 8B F8 01 30                   STRB.W          R3, [R11,#1]

.text&ARM.extab:0005F81E D4 23                         MOVS            R3, #0xD4

.text&ARM.extab:0005F820 8B F8 02 30                   STRB.W          R3, [R11,#2]

.text&ARM.extab:0005F824 8B F8 05 30                   STRB.W          R3, [R11,#5]

.text&ARM.extab:0005F828 8B F8 0E 30                   STRB.W          R3, [R11,#0xE]

.text&ARM.extab:0005F82C CF 23                         MOVS            R3, #0xCF

.text&ARM.extab:0005F82E 8B F8 0F 30                   STRB.W          R3, [R11,#0xF]

.text&ARM.extab:0005F832 D0 23                         MOVS            R3, #0xD0

.text&ARM.extab:0005F834 8B F8 10 30                   STRB.W          R3, [R11,#0x10]

.text&ARM.extab:0005F838 89 23                         MOVS            R3, #0x89

.text&ARM.extab:0005F83A 8B F8 11 30                   STRB.W          R3, [R11,#0x11]

.text&ARM.extab:0005F83E FF F7 7B FE                   BL              jhj_DecryptString5 ; decrypts to the string "t (tracing stop)"

.text&ARM.extab:0005F83E

.text&ARM.extab:0005F842

.text&ARM.extab:0005F842                               loc_5F842                     ; CODE XREF: jhj_CheckPidStatus+25E↓j

.text&ARM.extab:0005F842                                                             ; jhj_CheckPidStatus+288↓j

.text&ARM.extab:0005F842 D8 F8 08 30                   LDR.W           R3, [R8,#(off_AB7EC - 0xAB7E4)]

.text&ARM.extab:0005F846 48 46                         MOV             R0, R9

.text&ARM.extab:0005F848 4F F4 80 61                   MOV.W           R1, #0x400

.text&ARM.extab:0005F84C 52 46                         MOV             R2, R10

.text&ARM.extab:0005F84E 98 47                         BLX             R3            ; dword_0 ; fgets

.text&ARM.extab:0005F84E

.text&ARM.extab:0005F850 00 28                         CMP             R0, #0

.text&ARM.extab:0005F852 54 D0                         BEQ             loc_5F8FE

.text&ARM.extab:0005F852

.text&ARM.extab:0005F854 30 46                         MOV             R0, R6

.text&ARM.extab:0005F856 B0 F7 84 ED                   BLX             jhj_strlen

.text&ARM.extab:0005F856

.text&ARM.extab:0005F85A 31 46                         MOV             R1, R6

.text&ARM.extab:0005F85C 02 46                         MOV             R2, R0

.text&ARM.extab:0005F85E 48 46                         MOV             R0, R9

.text&ARM.extab:0005F860 B0 F7 78 ED                   BLX             jhj_strncmp

.text&ARM.extab:0005F860

.text&ARM.extab:0005F864 00 28                         CMP             R0, #0

.text&ARM.extab:0005F866 EC D1                         BNE             loc_5F842

.text&ARM.extab:0005F866

.text&ARM.extab:0005F868 48 46                         MOV             R0, R9

.text&ARM.extab:0005F86A 29 46                         MOV             R1, R5

.text&ARM.extab:0005F86C B0 F7 EE EF                   BLX             jhj_strcasestr ; case-insensitive substring search

.text&ARM.extab:0005F86C                                                             ; the string searched for here is "T (stopped)"

.text&ARM.extab:0005F86C

.text&ARM.extab:0005F870 78 B9                         CBNZ            R0, loc_5F892

.text&ARM.extab:0005F870

.text&ARM.extab:0005F872 48 46                         MOV             R0, R9

.text&ARM.extab:0005F874 39 46                         MOV             R1, R7

.text&ARM.extab:0005F876 B0 F7 EA EF                   BLX             jhj_strcasestr ; the string searched for here is "(zombie)"

.text&ARM.extab:0005F876

.text&ARM.extab:0005F87A 50 B9                         CBNZ            R0, loc_5F892

.text&ARM.extab:0005F87A

.text&ARM.extab:0005F87C 48 46                         MOV             R0, R9

.text&ARM.extab:0005F87E 59 46                         MOV             R1, R11

.text&ARM.extab:0005F880 B0 F7 E4 EF                   BLX             jhj_strcasestr ; the string searched for here is "t (tracing stop)"

.text&ARM.extab:0005F880

.text&ARM.extab:0005F884 28 B9                         CBNZ            R0, loc_5F892

.text&ARM.extab:0005F884

.text&ARM.extab:0005F886 2D 4B                         LDR             R3, =(p3906CEE43A636FED71D0E81D64568947_ptr - 0x5F88C)

.text&ARM.extab:0005F888 7B 44                         ADD             R3, PC        ; p3906CEE43A636FED71D0E81D64568947_ptr

.text&ARM.extab:0005F88A 1B 68                         LDR             R3, [R3]      ; p3906CEE43A636FED71D0E81D64568947

.text&ARM.extab:0005F88C 1B 68                         LDR             R3, [R3]

.text&ARM.extab:0005F88E 00 2B                         CMP             R3, #0

.text&ARM.extab:0005F890 D7 D1                         BNE             loc_5F842

.text&ARM.extab:0005F890

.text&ARM.extab:0005F892

.text&ARM.extab:0005F892                               loc_5F892                     ; CODE XREF: jhj_CheckPidStatus+268↑j

.text&ARM.extab:0005F892                                                             ; jhj_CheckPidStatus+272↑j

.text&ARM.extab:0005F892                                                             ; jhj_CheckPidStatus+27C↑j

.text&ARM.extab:0005F892 0D F2 C4 55                   ADDW            R5, SP, #0x9F0+var_42C

.text&ARM.extab:0005F892

.text&ARM.extab:0005F896

.text&ARM.extab:0005F896                               loc_5F896                     ; CODE XREF: jhj_CheckPidStatus+2B0↓j

.text&ARM.extab:0005F896 D8 F8 08 30                   LDR.W           R3, [R8,#(off_AB7EC - 0xAB7E4)]

.text&ARM.extab:0005F89A 28 46                         MOV             R0, R5

.text&ARM.extab:0005F89C 4F F4 80 61                   MOV.W           R1, #0x400

.text&ARM.extab:0005F8A0 52 46                         MOV             R2, R10

.text&ARM.extab:0005F8A2 98 47                         BLX             R3            ; dword_0 ; fgets

.text&ARM.extab:0005F8A2

.text&ARM.extab:0005F8A4 40 B3                         CBZ             R0, loc_5F8F8

.text&ARM.extab:0005F8A4

.text&ARM.extab:0005F8A6 20 46                         MOV             R0, R4

.text&ARM.extab:0005F8A8 B0 F7 5A ED                   BLX             jhj_strlen

.text&ARM.extab:0005F8A8

.text&ARM.extab:0005F8AC 21 46                         MOV             R1, R4

.text&ARM.extab:0005F8AE 02 46                         MOV             R2, R0

.text&ARM.extab:0005F8B0 28 46                         MOV             R0, R5

.text&ARM.extab:0005F8B2 B0 F7 50 ED                   BLX             jhj_strncmp

.text&ARM.extab:0005F8B2

.text&ARM.extab:0005F8B6 00 28                         CMP             R0, #0

.text&ARM.extab:0005F8B8 ED D1                         BNE             loc_5F896

.text&ARM.extab:0005F8B8

.text&ARM.extab:0005F8BA 07 AC                         ADD             R4, SP, #0x9F0+var_9D4

.text&ARM.extab:0005F8BC 07 90                         STR             R0, [SP,#0x9F0+var_9D4]

.text&ARM.extab:0005F8BE 08 90                         STR             R0, [SP,#0x9F0+var_9D0]

.text&ARM.extab:0005F8C0 0D 22                         MOVS            R2, #0xD

.text&ARM.extab:0005F8C2 05 21                         MOVS            R1, #5

.text&ARM.extab:0005F8C4 8D F8 1F 20                   STRB.W          R2, [SP,#0x9F0+var_9D4+3]

.text&ARM.extab:0005F8C8 20 46                         MOV             R0, R4

.text&ARM.extab:0005F8CA 5E 22                         MOVS            R2, #0x5E ; '^'

.text&ARM.extab:0005F8CC 8D F8 20 20                   STRB.W          R2, [SP,#0x9F0+var_9D0]

.text&ARM.extab:0005F8D0 A0 22                         MOVS            R2, #0xA0

.text&ARM.extab:0005F8D2 DE 23                         MOVS            R3, #0xDE

.text&ARM.extab:0005F8D4 8D F8 1D 30                   STRB.W          R3, [SP,#0x9F0+var_9D4+1]

.text&ARM.extab:0005F8D8 5B 23                         MOVS            R3, #0x5B ; '['

.text&ARM.extab:0005F8DA 8D F8 1E 30                   STRB.W          R3, [SP,#0x9F0+var_9D4+2]

.text&ARM.extab:0005F8DE 8D F8 21 30                   STRB.W          R3, [SP,#0x9F0+var_9D0+1]

.text&ARM.extab:0005F8E2 1A 23                         MOVS            R3, #0x1A

.text&ARM.extab:0005F8E4 8D F8 22 30                   STRB.W          R3, [SP,#0x9F0+var_9D0+2]

.text&ARM.extab:0005F8E8 FF F7 26 FE                   BL              jhj_DecryptString5 ; decrypts to the string "%s %d"

.text&ARM.extab:0005F8E8

.text&ARM.extab:0005F8EC 28 46                         MOV             R0, R5

.text&ARM.extab:0005F8EE 21 46                         MOV             R1, R4

.text&ARM.extab:0005F8F0 21 AA                         ADD             R2, SP, #0x9F0+var_96C

.text&ARM.extab:0005F8F2 00 9B                         LDR             R3, [SP,#0x9F0+var_9F0]

.text&ARM.extab:0005F8F4 B0 F7 54 EE                   BLX             jhj_sscanf

.text&ARM.extab:0005F8F4

.text&ARM.extab:0005F8F8

.text&ARM.extab:0005F8F8                               loc_5F8F8                     ; CODE XREF: jhj_CheckPidStatus+29C↑j

.text&ARM.extab:0005F8F8 00 9B                         LDR             R3, [SP,#0x9F0+var_9F0]

.text&ARM.extab:0005F8FA 1C 68                         LDR             R4, [R3]

.text&ARM.extab:0005F8FC 0C B9                         CBNZ            R4, loc_5F902

.text&ARM.extab:0005F8FC

.text&ARM.extab:0005F8FE

.text&ARM.extab:0005F8FE                               loc_5F8FE                     ; CODE XREF: jhj_CheckPidStatus+24A↑j

.text&ARM.extab:0005F8FE 00 24                         MOVS            R4, #0

.text&ARM.extab:0005F900 04 E0                         B               loc_5F90C

.text&ARM.extab:0005F900

.text&ARM.extab:0005F902                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005F902

.text&ARM.extab:0005F902                               loc_5F902                     ; CODE XREF: jhj_CheckPidStatus+2F4↑j

.text&ARM.extab:0005F902 B0 F7 B8 ED                   BLX             jhj_getpid

.text&ARM.extab:0005F902

.text&ARM.extab:0005F906 24 1A                         SUBS            R4, R4, R0

.text&ARM.extab:0005F908 18 BF                         IT NE

.text&ARM.extab:0005F90A 01 24                         MOVNE           R4, #1

.text&ARM.extab:0005F90A

.text&ARM.extab:0005F90C

.text&ARM.extab:0005F90C                               loc_5F90C                     ; CODE XREF: jhj_CheckPidStatus+2F8↑j

.text&ARM.extab:0005F90C D8 F8 04 30                   LDR.W           R3, [R8,#(off_AB7E8 - 0xAB7E4)]

.text&ARM.extab:0005F910 50 46                         MOV             R0, R10

.text&ARM.extab:0005F912 98 47                         BLX             R3            ; dword_0 ; fclose

.text&ARM.extab:0005F912

.text&ARM.extab:0005F914 00 E0                         B               loc_5F918

.text&ARM.extab:0005F914

.text&ARM.extab:0005F916                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005F916

.text&ARM.extab:0005F916                               loc_5F916                     ; CODE XREF: jhj_CheckPidStatus+BA↑j

.text&ARM.extab:0005F916 04 46                         MOV             R4, R0

.text&ARM.extab:0005F916

.text&ARM.extab:0005F918

.text&ARM.extab:0005F918                               loc_5F918                     ; CODE XREF: jhj_CheckPidStatus+30C↑j

.text&ARM.extab:0005F918 01 9B                         LDR             R3, [SP,#0x9F0+var_9EC]

.text&ARM.extab:0005F91A 20 46                         MOV             R0, R4

.text&ARM.extab:0005F91C DD F8 C4 29                   LDR.W           R2, [SP,#0x9F0+var_2C]

.text&ARM.extab:0005F920 1B 68                         LDR             R3, [R3]

.text&ARM.extab:0005F922 9A 42                         CMP             R2, R3

.text&ARM.extab:0005F924 01 D0                         BEQ             loc_5F92A

.text&ARM.extab:0005F924

.text&ARM.extab:0005F926 B0 F7 10 ED                   BLX             jhj__stack_chk_fail

.text&ARM.extab:0005F926

.text&ARM.extab:0005F92A

.text&ARM.extab:0005F92A                               loc_5F92A                     ; CODE XREF: jhj_CheckPidStatus+31C↑j

.text&ARM.extab:0005F92A 0D F6 CC 1D                   ADDW            SP, SP, #0x9CC

.text&ARM.extab:0005F92E BD E8 F0 8F                   POP.W           {R4-R11,PC}

 

The function at offset 0x5FAD4 checks the status file of each of the process's threads; as soon as it finds any trace of debugging it returns 1.

.text&ARM.extab:0005FAD4                               jhj_CheckAllTidStatus         ; CODE XREF: .text&ARM.extab:00060068↓p

.text&ARM.extab:0005FAD4                                                             ; DATA XREF: LOAD:0000235C↑o

.text&ARM.extab:0005FAD4                               ; __unwind { // 417B6000

.text&ARM.extab:0005FAD4 DF F8 44 25                   LDR.W           R2, =(off_A2984 - 0x5FAE2)

.text&ARM.extab:0005FAD8 00 21                         MOVS            R1, #0

.text&ARM.extab:0005FADA 2D E9 F0 4F                   PUSH.W          {R4-R11,LR}

.text&ARM.extab:0005FADE 7A 44                         ADD             R2, PC        ; off_A2984

.text&ARM.extab:0005FAE0 12 68                         LDR             R2, [R2]

.text&ARM.extab:0005FAE2 AD F6 14 3D                   SUBW            SP, SP, #0xB14

.text&ARM.extab:0005FAE6 13 68                         LDR             R3, [R2]

.text&ARM.extab:0005FAE8 0D F5 43 7A                   ADD.W           R10, SP, #0x30C

.text&ARM.extab:0005FAEC 04 90                         STR             R0, [SP,#0x10]

.text&ARM.extab:0005FAEE 0C 91                         STR             R1, [SP,#0x30]

.text&ARM.extab:0005FAF0 CD F8 0C 3B                   STR.W           R3, [SP,#0xB0C]

.text&ARM.extab:0005FAF4 0B 91                         STR             R1, [SP,#0x2C]

.text&ARM.extab:0005FAF6 0B 9B                         LDR             R3, [SP,#0x2C]

.text&ARM.extab:0005FAF8 07 92                         STR             R2, [SP,#0x1C]

.text&ARM.extab:0005FAF8

.text&ARM.extab:0005FAFA

.text&ARM.extab:0005FAFA                               loc_5FAFA                     ; CODE XREF: .text&ARM.extab:0005FFFE↓j

.text&ARM.extab:0005FAFA 0C AB                         ADD             R3, SP, #0x30 ; '0'

.text&ARM.extab:0005FAFC 19 68                         LDR             R1, [R3]

.text&ARM.extab:0005FAFC

.text&ARM.extab:0005FAFE

.text&ARM.extab:0005FAFE                               loc_5FAFE                     ; CODE XREF: .text&ARM.extab:0005FB06↓j

.text&ARM.extab:0005FAFE 01 29                         CMP             R1, #1

.text&ARM.extab:0005FB00 00 F0 87 82                   BEQ.W           loc_60012

.text&ARM.extab:0005FB00

.text&ARM.extab:0005FB04 00 29                         CMP             R1, #0

.text&ARM.extab:0005FB06 FA D1                         BNE             loc_5FAFE

.text&ARM.extab:0005FB06

.text&ARM.extab:0005FB08 22 AC                         ADD             R4, SP, #0x88

.text&ARM.extab:0005FB0A 12 22                         MOVS            R2, #0x12

.text&ARM.extab:0005FB0C 20 46                         MOV             R0, R4

.text&ARM.extab:0005FB0E B0 F7 4C EC                   BLX             jhj_memset

.text&ARM.extab:0005FB0E

.text&ARM.extab:0005FB12 30 23                         MOVS            R3, #0x30 ; '0'

.text&ARM.extab:0005FB14 63 70                         STRB            R3, [R4,#1]

.text&ARM.extab:0005FB16 A5 23                         MOVS            R3, #0xA5

.text&ARM.extab:0005FB18 A3 70                         STRB            R3, [R4,#2]

.text&ARM.extab:0005FB1A FA 22                         MOVS            R2, #0xFA

.text&ARM.extab:0005FB1C E3 71                         STRB            R3, [R4,#7]

.text&ARM.extab:0005FB1E E3 72                         STRB            R3, [R4,#0xB]

.text&ARM.extab:0005FB20 23 74                         STRB            R3, [R4,#0x10]

.text&ARM.extab:0005FB22 03 23                         MOVS            R3, #3

.text&ARM.extab:0005FB24 E2 70                         STRB            R2, [R4,#3]

.text&ARM.extab:0005FB26 F8 22                         MOVS            R2, #0xF8

.text&ARM.extab:0005FB28 22 71                         STRB            R2, [R4,#4]

.text&ARM.extab:0005FB2A E5 22                         MOVS            R2, #0xE5

.text&ARM.extab:0005FB2C 62 71                         STRB            R2, [R4,#5]

.text&ARM.extab:0005FB2E E9 22                         MOVS            R2, #0xE9

.text&ARM.extab:0005FB30 A2 71                         STRB            R2, [R4,#6]

.text&ARM.extab:0005FB32 AF 22                         MOVS            R2, #0xAF

.text&ARM.extab:0005FB34 22 72                         STRB            R2, [R4,#8]

.text&ARM.extab:0005FB36 E6 22                         MOVS            R2, #0xE6

.text&ARM.extab:0005FB38 62 72                         STRB            R2, [R4,#9]

.text&ARM.extab:0005FB3A EE 22                         MOVS            R2, #0xEE

.text&ARM.extab:0005FB3C A2 72                         STRB            R2, [R4,#0xA]

.text&ARM.extab:0005FB3E FE 22                         MOVS            R2, #0xFE

.text&ARM.extab:0005FB40 22 73                         STRB            R2, [R4,#0xC]

.text&ARM.extab:0005FB42 EB 22                         MOVS            R2, #0xEB

.text&ARM.extab:0005FB44 62 73                         STRB            R2, [R4,#0xD]

.text&ARM.extab:0005FB46 F9 22                         MOVS            R2, #0xF9

.text&ARM.extab:0005FB48 A2 73                         STRB            R2, [R4,#0xE]

.text&ARM.extab:0005FB4A E1 22                         MOVS            R2, #0xE1

.text&ARM.extab:0005FB4C E2 73                         STRB            R2, [R4,#0xF]

.text&ARM.extab:0005FB4C

.text&ARM.extab:0005FB4E

.text&ARM.extab:0005FB4E                               def_5FB58                     ; CODE XREF: .text&ARM.extab:0005FB56↓j

.text&ARM.extab:0005FB4E                                                             ; .text&ARM.extab:0005FB7A↓j

.text&ARM.extab:0005FB4E                                                             ; .text&ARM.extab:0005FFEC↓j

.text&ARM.extab:0005FB4E 07 2B                         CMP             R3, #7        ; jumptable 0005FB58 default case

.text&ARM.extab:0005FB50 00 F0 53 82                   BEQ.W           loc_5FFFA

.text&ARM.extab:0005FB50

.text&ARM.extab:0005FB54

.text&ARM.extab:0005FB54                               loc_5FB54                     ; CODE XREF: .text&ARM.extab:0005FF76↓j

.text&ARM.extab:0005FB54                                                             ; .text&ARM.extab:0005FFF4↓j

.text&ARM.extab:0005FB54                                                             ; .text&ARM.extab:0005FFF8↓j

.text&ARM.extab:0005FB54 06 2B                         CMP             R3, #6        ; switch 7 cases

.text&ARM.extab:0005FB56 FA D8                         BHI             def_5FB58     ; jumptable 0005FB58 default case

.text&ARM.extab:0005FB56

.text&ARM.extab:0005FB58 DF E8 13 F0                   TBH.W           [PC,R3,LSL#1] ; switch jump

.text&ARM.extab:0005FB58

.text&ARM.extab:0005FB58                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FB5C 07 00                         jpt_5FB58 DCW 7               ; jump table for switch statement

.text&ARM.extab:0005FB5E 2F 02                         DCW 0x22F

.text&ARM.extab:0005FB60 49 02                         DCW 0x249

.text&ARM.extab:0005FB62 34 02                         DCW 0x234

.text&ARM.extab:0005FB64 0E 02                         DCW 0x20E

.text&ARM.extab:0005FB66 52 02                         DCW 0x252

.text&ARM.extab:0005FB68 10 00                         DCW 0x10

.text&ARM.extab:0005FB6A                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FB6A

.text&ARM.extab:0005FB6A                               loc_5FB6A                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:0005FB6A 02 98                         LDR             R0, [SP,#8]   ; jumptable 0005FB58 case 0

.text&ARM.extab:0005FB6C B0 F7 76 EC                   BLX             jhj_readdir64

.text&ARM.extab:0005FB6C

.text&ARM.extab:0005FB70 05 90                         STR             R0, [SP,#0x14]

.text&ARM.extab:0005FB72 00 28                         CMP             R0, #0

.text&ARM.extab:0005FB74 14 BF                         ITE NE

.text&ARM.extab:0005FB76 06 23                         MOVNE           R3, #6

.text&ARM.extab:0005FB78 01 23                         MOVEQ           R3, #1

.text&ARM.extab:0005FB7A E8 E7                         B               def_5FB58     ; jumptable 0005FB58 default case

.text&ARM.extab:0005FB7A

.text&ARM.extab:0005FB7C                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FB7C

.text&ARM.extab:0005FB7C                               loc_5FB7C                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:0005FB7C 0F A8                         ADD             R0, SP, #0x3C ; '<' ; jumptable 0005FB58 case 6

.text&ARM.extab:0005FB7E 05 9B                         LDR             R3, [SP,#0x14]

.text&ARM.extab:0005FB80 92 22                         MOVS            R2, #0x92

.text&ARM.extab:0005FB82 01 21                         MOVS            R1, #1

.text&ARM.extab:0005FB84 00 24                         MOVS            R4, #0

.text&ARM.extab:0005FB86 03 F1 13 0B                   ADD.W           R11, R3, #0x13

.text&ARM.extab:0005FB8A 04 60                         STR             R4, [R0]

.text&ARM.extab:0005FB8C F4 23                         MOVS            R3, #0xF4

.text&ARM.extab:0005FB8E 43 70                         STRB            R3, [R0,#1]

.text&ARM.extab:0005FB90 48 23                         MOVS            R3, #0x48 ; 'H'

.text&ARM.extab:0005FB92 83 70                         STRB            R3, [R0,#2]

.text&ARM.extab:0005FB94 FF F7 D0 FC                   BL              jhj_DecryptString5 ; decrypts to the string "."

.text&ARM.extab:0005FB94

.text&ARM.extab:0005FB98 01 23                         MOVS            R3, #1

.text&ARM.extab:0005FB9A 11 94                         STR             R4, [SP,#0x44]

.text&ARM.extab:0005FB9C B2 22                         MOVS            R2, #0xB2

.text&ARM.extab:0005FB9E 8D F8 48 40                   STRB.W          R4, [SP,#0x48]

.text&ARM.extab:0005FBA2 8D F8 45 20                   STRB.W          R2, [SP,#0x45]

.text&ARM.extab:0005FBA6 4B 22                         MOVS            R2, #0x4B ; 'K'

.text&ARM.extab:0005FBA8 8D F8 46 20                   STRB.W          R2, [SP,#0x46]

.text&ARM.extab:0005FBAC 8D F8 47 20                   STRB.W          R2, [SP,#0x47]

.text&ARM.extab:0005FBAC

.text&ARM.extab:0005FBB0

.text&ARM.extab:0005FBB0                               loc_5FBB0                     ; CODE XREF: .text&ARM.extab:0005FF26↓j

.text&ARM.extab:0005FBB0                                                             ; .text&ARM.extab:0005FF3A↓j

.text&ARM.extab:0005FBB0                                                             ; .text&ARM.extab:0005FF68↓j

.text&ARM.extab:0005FBB0                                                             ; .text&ARM.extab:0005FF6C↓j

.text&ARM.extab:0005FBB0                                                             ; .text&ARM.extab:0005FF70↓j

.text&ARM.extab:0005FBB0 5A 1E                         SUBS            R2, R3, #1

.text&ARM.extab:0005FBB0

.text&ARM.extab:0005FBB2

.text&ARM.extab:0005FBB2                               def_5FBBC                     ; CODE XREF: .text&ARM.extab:0005FBBA↓j

.text&ARM.extab:0005FBB2 07 2B                         CMP             R3, #7        ; jumptable 0005FBBC default case

.text&ARM.extab:0005FBB4 00 F0 1F 82                   BEQ.W           loc_5FFF6     ; jumptable 0005FBBC cases 1,5

.text&ARM.extab:0005FBB4

.text&ARM.extab:0005FBB8 05 2A                         CMP             R2, #5        ; switch 6 cases

.text&ARM.extab:0005FBBA FA D8                         BHI             def_5FBBC     ; jumptable 0005FBBC default case

.text&ARM.extab:0005FBBA

.text&ARM.extab:0005FBBC DF E8 12 F0                   TBH.W           [PC,R2,LSL#1] ; switch jump

.text&ARM.extab:0005FBBC

.text&ARM.extab:0005FBBC                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FBC0 BE 01                         jpt_5FBBC DCW 0x1BE           ; jump table for switch statement

.text&ARM.extab:0005FBC2 1B 02                         DCW 0x21B

.text&ARM.extab:0005FBC4 06 00                         DCW 6

.text&ARM.extab:0005FBC6 B4 01                         DCW 0x1B4

.text&ARM.extab:0005FBC8 D9 01                         DCW 0x1D9

.text&ARM.extab:0005FBCA 1B 02                         DCW 0x21B

.text&ARM.extab:0005FBCC                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FBCC

.text&ARM.extab:0005FBCC                               loc_5FBCC                     ; CODE XREF: .text&ARM.extab:0005FBBC↑j

.text&ARM.extab:0005FBCC 2C AD                         ADD             R5, SP, #0xB0 ; jumptable 0005FBBC case 2

.text&ARM.extab:0005FBCE 00 21                         MOVS            R1, #0

.text&ARM.extab:0005FBD0 1C 22                         MOVS            R2, #0x1C

.text&ARM.extab:0005FBD2 BF 27                         MOVS            R7, #0xBF

.text&ARM.extab:0005FBD4 28 46                         MOV             R0, R5

.text&ARM.extab:0005FBD6 F6 26                         MOVS            R6, #0xF6

.text&ARM.extab:0005FBD8 B0 F7 E6 EB                   BLX             jhj_memset

.text&ARM.extab:0005FBD8

.text&ARM.extab:0005FBDC FE 20                         MOVS            R0, #0xFE

.text&ARM.extab:0005FBDE FB 21                         MOVS            R1, #0xFB

.text&ARM.extab:0005FBE0 A8 72                         STRB            R0, [R5,#0xA]

.text&ARM.extab:0005FBE2 69 73                         STRB            R1, [R5,#0xD]

.text&ARM.extab:0005FBE4 EA 22                         MOVS            R2, #0xEA

.text&ARM.extab:0005FBE6 E8 74                         STRB            R0, [R5,#0x13]

.text&ARM.extab:0005FBE8 28 46                         MOV             R0, R5

.text&ARM.extab:0005FBEA EA 70                         STRB            R2, [R5,#3]

.text&ARM.extab:0005FBEC E8 22                         MOVS            R2, #0xE8

.text&ARM.extab:0005FBEE E9 75                         STRB            R1, [R5,#0x17]

.text&ARM.extab:0005FBF0 19 21                         MOVS            R1, #0x19

.text&ARM.extab:0005FBF2 2A 71                         STRB            R2, [R5,#4]

.text&ARM.extab:0005FBF4 F5 22                         MOVS            R2, #0xF5

.text&ARM.extab:0005FBF6 6A 71                         STRB            R2, [R5,#5]

.text&ARM.extab:0005FBF8 F9 22                         MOVS            R2, #0xF9

.text&ARM.extab:0005FBFA AA 71                         STRB            R2, [R5,#6]

.text&ARM.extab:0005FBFC EE 22                         MOVS            R2, #0xEE

.text&ARM.extab:0005FBFE 2A 73                         STRB            R2, [R5,#0xC]

.text&ARM.extab:0005FC00 4F F0 F1 0E                   MOV.W           LR, #0xF1

.text&ARM.extab:0005FC04 AA 75                         STRB            R2, [R5,#0x16]

.text&ARM.extab:0005FC06 E9 24                         MOVS            R4, #0xE9

.text&ARM.extab:0005FC08 2A 76                         STRB            R2, [R5,#0x18]

.text&ARM.extab:0005FC0A A7 22                         MOVS            R2, #0xA7

.text&ARM.extab:0005FC0C 85 F8 0F E0                   STRB.W          LR, [R5,#0xF]

.text&ARM.extab:0005FC10 3D 23                         MOVS            R3, #0x3D ; '='

.text&ARM.extab:0005FC12 2F 72                         STRB            R7, [R5,#8]

.text&ARM.extab:0005FC14 0D F5 03 78                   ADD.W           R8, SP, #0x20C

.text&ARM.extab:0005FC18 6B 70                         STRB            R3, [R5,#1]

.text&ARM.extab:0005FC1A B5 23                         MOVS            R3, #0xB5

.text&ARM.extab:0005FC1C 6E 72                         STRB            R6, [R5,#9]

.text&ARM.extab:0005FC1E AB 70                         STRB            R3, [R5,#2]

.text&ARM.extab:0005FC20 EB 71                         STRB            R3, [R5,#7]

.text&ARM.extab:0005FC22 EB 72                         STRB            R3, [R5,#0xB]

.text&ARM.extab:0005FC24 2B 74                         STRB            R3, [R5,#0x10]

.text&ARM.extab:0005FC26 6F 74                         STRB            R7, [R5,#0x11]

.text&ARM.extab:0005FC28 10 AF                         ADD             R7, SP, #0x40 ; '@'

.text&ARM.extab:0005FC2A AE 74                         STRB            R6, [R5,#0x12]

.text&ARM.extab:0005FC2C 00 26                         MOVS            R6, #0

.text&ARM.extab:0005FC2E 2B 75                         STRB            R3, [R5,#0x14]

.text&ARM.extab:0005FC30 EF 23                         MOVS            R3, #0xEF

.text&ARM.extab:0005FC32 AC 73                         STRB            R4, [R5,#0xE]

.text&ARM.extab:0005FC34 6B 76                         STRB            R3, [R5,#0x19]

.text&ARM.extab:0005FC36 6C 75                         STRB            R4, [R5,#0x15]

.text&ARM.extab:0005FC38 AC 76                         STRB            R4, [R5,#0x1A]

.text&ARM.extab:0005FC3A FF F7 7D FC                   BL              jhj_DecryptString5 ; decrypts to the string "/proc/%ld/task/%ld/status"

.text&ARM.extab:0005FC3A

.text&ARM.extab:0005FC3E 06 9B                         LDR             R3, [SP,#0x18]

.text&ARM.extab:0005FC40 2A 46                         MOV             R2, R5

.text&ARM.extab:0005FC42 4F F4 80 71                   MOV.W           R1, #0x100

.text&ARM.extab:0005FC46 40 46                         MOV             R0, R8

.text&ARM.extab:0005FC48 F5 4D                         LDR             R5, =(g_func_map_ptr - 0x5FC6E)

.text&ARM.extab:0005FC4A 00 93                         STR             R3, [SP]

.text&ARM.extab:0005FC4C 04 9B                         LDR             R3, [SP,#0x10]

.text&ARM.extab:0005FC4E 39 F0 43 F9                   BL              jhj_format1   ; formats the string "/proc/pid/task/%ld/status"

.text&ARM.extab:0005FC4E

.text&ARM.extab:0005FC52 38 46                         MOV             R0, R7

.text&ARM.extab:0005FC54 01 21                         MOVS            R1, #1

.text&ARM.extab:0005FC56 F8 22                         MOVS            R2, #0xF8

.text&ARM.extab:0005FC58 10 96                         STR             R6, [SP,#0x40]

.text&ARM.extab:0005FC5A 67 23                         MOVS            R3, #0x67 ; 'g'

.text&ARM.extab:0005FC5C 8D F8 41 30                   STRB.W          R3, [SP,#0x41]

.text&ARM.extab:0005FC60 ED 23                         MOVS            R3, #0xED

.text&ARM.extab:0005FC62 8D F8 42 30                   STRB.W          R3, [SP,#0x42]

.text&ARM.extab:0005FC66 FF F7 67 FC                   BL              jhj_DecryptString5 ; decrypts to the string "r"

.text&ARM.extab:0005FC66

.text&ARM.extab:0005FC6A 7D 44                         ADD             R5, PC        ; g_func_map_ptr

.text&ARM.extab:0005FC6C 2D 68                         LDR             R5, [R5]      ; g_func_map

.text&ARM.extab:0005FC6E 39 46                         MOV             R1, R7

.text&ARM.extab:0005FC70 40 46                         MOV             R0, R8

.text&ARM.extab:0005FC72 2B 68                         LDR             R3, [R5]

.text&ARM.extab:0005FC74 98 47                         BLX             R3            ; dword_0 ; fopen

.text&ARM.extab:0005FC74

.text&ARM.extab:0005FC76 07 46                         MOV             R7, R0

.text&ARM.extab:0005FC78 00 28                         CMP             R0, #0

.text&ARM.extab:0005FC7A 00 F0 53 81                   BEQ.W           loc_5FF24

.text&ARM.extab:0005FC7A

.text&ARM.extab:0005FC7E 0D F1 68 09                   ADD.W           R9, SP, #0x68 ; 'h'

.text&ARM.extab:0005FC82 4F F0 0D 08                   MOV.W           R8, #0xD

.text&ARM.extab:0005FC86 31 46                         MOV             R1, R6

.text&ARM.extab:0005FC88 42 46                         MOV             R2, R8

.text&ARM.extab:0005FC8A 48 46                         MOV             R0, R9

.text&ARM.extab:0005FC8C B0 F7 8C EB                   BLX             jhj_memset

.text&ARM.extab:0005FC8C

.text&ARM.extab:0005FC90 15 22                         MOVS            R2, #0x15

.text&ARM.extab:0005FC92 04 21                         MOVS            R1, #4

.text&ARM.extab:0005FC94 89 F8 03 20                   STRB.W          R2, [R9,#3]

.text&ARM.extab:0005FC98 89 F8 05 10                   STRB.W          R1, [R9,#5]

.text&ARM.extab:0005FC9C 48 46                         MOV             R0, R9

.text&ARM.extab:0005FC9E 89 F8 07 20                   STRB.W          R2, [R9,#7]

.text&ARM.extab:0005FCA2 02 21                         MOVS            R1, #2

.text&ARM.extab:0005FCA4 37 22                         MOVS            R2, #0x37 ; '7'

.text&ARM.extab:0005FCA6 89 F8 06 10                   STRB.W          R1, [R9,#6]

.text&ARM.extab:0005FCAA 89 F8 08 20                   STRB.W          R2, [R9,#8]

.text&ARM.extab:0005FCAE 0A 21                         MOVS            R1, #0xA

.text&ARM.extab:0005FCB0 03 22                         MOVS            R2, #3

.text&ARM.extab:0005FCB2 89 F8 0A 20                   STRB.W          R2, [R9,#0xA]

.text&ARM.extab:0005FCB6 CE 22                         MOVS            R2, #0xCE

.text&ARM.extab:0005FCB8 A9 23                         MOVS            R3, #0xA9

.text&ARM.extab:0005FCBA 89 F8 01 30                   STRB.W          R3, [R9,#1]

.text&ARM.extab:0005FCBE 33 23                         MOVS            R3, #0x33 ; '3'

.text&ARM.extab:0005FCC0 89 F8 02 30                   STRB.W          R3, [R9,#2]

.text&ARM.extab:0005FCC4 06 23                         MOVS            R3, #6

.text&ARM.extab:0005FCC6 89 F8 04 30                   STRB.W          R3, [R9,#4]

.text&ARM.extab:0005FCCA 09 93                         STR             R3, [SP,#0x24]

.text&ARM.extab:0005FCCC 0E 23                         MOVS            R3, #0xE

.text&ARM.extab:0005FCCE 89 F8 09 30                   STRB.W          R3, [R9,#9]

.text&ARM.extab:0005FCD2 5D 23                         MOVS            R3, #0x5D ; ']'

.text&ARM.extab:0005FCD4 89 F8 0B 30                   STRB.W          R3, [R9,#0xB]

.text&ARM.extab:0005FCD8 FF F7 2E FC                   BL              jhj_DecryptString5 ; decrypts to the string "TracerPid:"

.text&ARM.extab:0005FCD8

.text&ARM.extab:0005FCDC 13 A8                         ADD             R0, SP, #0x4C ; 'L'

.text&ARM.extab:0005FCDE 6A 22                         MOVS            R2, #0x6A ; 'j'

.text&ARM.extab:0005FCE0 05 21                         MOVS            R1, #5

.text&ARM.extab:0005FCE2 4F F0 DD 09                   MOV.W           R9, #0xDD

.text&ARM.extab:0005FCE6 06 60                         STR             R6, [R0]

.text&ARM.extab:0005FCE8 46 60                         STR             R6, [R0,#4]

.text&ARM.extab:0005FCEA 42 70                         STRB            R2, [R0,#1]

.text&ARM.extab:0005FCEC E4 22                         MOVS            R2, #0xE4

.text&ARM.extab:0005FCEE 44 71                         STRB            R4, [R0,#5]

.text&ARM.extab:0005FCF0 17 AC                         ADD             R4, SP, #0x5C ; '\'

.text&ARM.extab:0005FCF2 02 71                         STRB            R2, [R0,#4]

.text&ARM.extab:0005FCF4 B7 22                         MOVS            R2, #0xB7

.text&ARM.extab:0005FCF6 82 71                         STRB            R2, [R0,#6]

.text&ARM.extab:0005FCF8 E7 22                         MOVS            R2, #0xE7

.text&ARM.extab:0005FCFA 80 F8 02 90                   STRB.W          R9, [R0,#2]

.text&ARM.extab:0005FCFE 80 F8 03 90                   STRB.W          R9, [R0,#3]

.text&ARM.extab:0005FD02 FF F7 19 FC                   BL              jhj_DecryptString5 ; decrypts to the string "PPid:"

.text&ARM.extab:0005FD02

.text&ARM.extab:0005FD06 4F F0 09 0C                   MOV.W           R12, #9

.text&ARM.extab:0005FD0A 20 46                         MOV             R0, R4

.text&ARM.extab:0005FD0C 62 46                         MOV             R2, R12

.text&ARM.extab:0005FD0E 31 46                         MOV             R1, R6

.text&ARM.extab:0005FD10 CD F8 20 C0                   STR.W           R12, [SP,#0x20]

.text&ARM.extab:0005FD14 B0 F7 48 EB                   BLX             jhj_memset

.text&ARM.extab:0005FD14

.text&ARM.extab:0005FD18 09 9B                         LDR             R3, [SP,#0x24]

.text&ARM.extab:0005FD1A 20 46                         MOV             R0, R4

.text&ARM.extab:0005FD1C 84 F8 01 80                   STRB.W          R8, [R4,#1]

.text&ARM.extab:0005FD20 96 22                         MOVS            R2, #0x96

.text&ARM.extab:0005FD22 A4 21                         MOVS            R1, #0xA4

.text&ARM.extab:0005FD24 A2 70                         STRB            R2, [R4,#2]

.text&ARM.extab:0005FD26 21 71                         STRB            R1, [R4,#4]

.text&ARM.extab:0005FD28 B1 22                         MOVS            R2, #0xB1

.text&ARM.extab:0005FD2A E2 70                         STRB            R2, [R4,#3]

.text&ARM.extab:0005FD2C 19 46                         MOV             R1, R3

.text&ARM.extab:0005FD2E 62 71                         STRB            R2, [R4,#5]

.text&ARM.extab:0005FD30 A0 22                         MOVS            R2, #0xA0

.text&ARM.extab:0005FD32 A2 71                         STRB            R2, [R4,#6]

.text&ARM.extab:0005FD34 FF 22                         MOVS            R2, #0xFF

.text&ARM.extab:0005FD36 E2 71                         STRB            R2, [R4,#7]

.text&ARM.extab:0005FD38 1E AC                         ADD             R4, SP, #0x78 ; 'x'

.text&ARM.extab:0005FD3A C8 22                         MOVS            R2, #0xC8

.text&ARM.extab:0005FD3C FF F7 FC FB                   BL              jhj_DecryptString5 ; decrypts to the string "State:"

.text&ARM.extab:0005FD3C

.text&ARM.extab:0005FD40 20 46                         MOV             R0, R4

.text&ARM.extab:0005FD42 31 46                         MOV             R1, R6

.text&ARM.extab:0005FD44 0E 22                         MOVS            R2, #0xE

.text&ARM.extab:0005FD46 B0 F7 30 EB                   BLX             jhj_memset

.text&ARM.extab:0005FD46

.text&ARM.extab:0005FD4A DD F8 20 C0                   LDR.W           R12, [SP,#0x20]

.text&ARM.extab:0005FD4E 84 F8 08 80                   STRB.W          R8, [R4,#8]

.text&ARM.extab:0005FD52 20 46                         MOV             R0, R4

.text&ARM.extab:0005FD54 84 F8 09 80                   STRB.W          R8, [R4,#9]

.text&ARM.extab:0005FD58 9B 23                         MOVS            R3, #0x9B

.text&ARM.extab:0005FD5A 84 F8 06 C0                   STRB.W          R12, [R4,#6]

.text&ARM.extab:0005FD5E 0B 21                         MOVS            R1, #0xB

.text&ARM.extab:0005FD60 63 70                         STRB            R3, [R4,#1]

.text&ARM.extab:0005FD62 29 23                         MOVS            R3, #0x29 ; ')'

.text&ARM.extab:0005FD64 A3 70                         STRB            R3, [R4,#2]

.text&ARM.extab:0005FD66 5D 23                         MOVS            R3, #0x5D ; ']'

.text&ARM.extab:0005FD68 E3 70                         STRB            R3, [R4,#3]

.text&ARM.extab:0005FD6A 55 23                         MOVS            R3, #0x55 ; 'U'

.text&ARM.extab:0005FD6C 23 71                         STRB            R3, [R4,#4]

.text&ARM.extab:0005FD6E 0E 23                         MOVS            R3, #0xE

.text&ARM.extab:0005FD70 63 71                         STRB            R3, [R4,#5]

.text&ARM.extab:0005FD72 12 23                         MOVS            R3, #0x12

.text&ARM.extab:0005FD74 E3 71                         STRB            R3, [R4,#7]

.text&ARM.extab:0005FD76 18 23                         MOVS            R3, #0x18

.text&ARM.extab:0005FD78 A3 72                         STRB            R3, [R4,#0xA]

.text&ARM.extab:0005FD7A 19 23                         MOVS            R3, #0x19

.text&ARM.extab:0005FD7C E3 72                         STRB            R3, [R4,#0xB]

.text&ARM.extab:0005FD7E 54 23                         MOVS            R3, #0x54 ; 'T'

.text&ARM.extab:0005FD80 23 73                         STRB            R3, [R4,#0xC]

.text&ARM.extab:0005FD82 27 AC                         ADD             R4, SP, #0x9C

.text&ARM.extab:0005FD84 E6 22                         MOVS            R2, #0xE6

.text&ARM.extab:0005FD86 FF F7 D7 FB                   BL              jhj_DecryptString5 ; decrypts to the string "T (stopped)"

.text&ARM.extab:0005FD86

.text&ARM.extab:0005FD8A 31 46                         MOV             R1, R6

.text&ARM.extab:0005FD8C 13 22                         MOVS            R2, #0x13

.text&ARM.extab:0005FD8E 20 46                         MOV             R0, R4

.text&ARM.extab:0005FD90 B0 F7 0A EB                   BLX             jhj_memset

.text&ARM.extab:0005FD90

.text&ARM.extab:0005FD94 9A 22                         MOVS            R2, #0x9A

.text&ARM.extab:0005FD96 92 21                         MOVS            R1, #0x92

.text&ARM.extab:0005FD98 E2 70                         STRB            R2, [R4,#3]

.text&ARM.extab:0005FD9A 21 71                         STRB            R1, [R4,#4]

.text&ARM.extab:0005FD9C 20 46                         MOV             R0, R4

.text&ARM.extab:0005FD9E C8 21                         MOVS            R1, #0xC8

.text&ARM.extab:0005FDA0 22 73                         STRB            R2, [R4,#0xC]

.text&ARM.extab:0005FDA2 A1 71                         STRB            R1, [R4,#6]

.text&ARM.extab:0005FDA4 C9 22                         MOVS            R2, #0xC9

.text&ARM.extab:0005FDA6 DB 21                         MOVS            R1, #0xDB

.text&ARM.extab:0005FDA8 62 73                         STRB            R2, [R4,#0xD]

.text&ARM.extab:0005FDAA E1 71                         STRB            R1, [R4,#7]

.text&ARM.extab:0005FDAC B0 22                         MOVS            R2, #0xB0

.text&ARM.extab:0005FDAE D9 21                         MOVS            R1, #0xD9

.text&ARM.extab:0005FDB0 21 72                         STRB            R1, [R4,#8]

.text&ARM.extab:0005FDB2 D3 21                         MOVS            R1, #0xD3

.text&ARM.extab:0005FDB4 61 72                         STRB            R1, [R4,#9]

.text&ARM.extab:0005FDB6 D4 21                         MOVS            R1, #0xD4

.text&ARM.extab:0005FDB8 A1 72                         STRB            R1, [R4,#0xA]

.text&ARM.extab:0005FDBA 10 21                         MOVS            R1, #0x10

.text&ARM.extab:0005FDBC 0A 23                         MOVS            R3, #0xA

.text&ARM.extab:0005FDBE 84 F8 0B 90                   STRB.W          R9, [R4,#0xB]

.text&ARM.extab:0005FDC2 63 70                         STRB            R3, [R4,#1]

.text&ARM.extab:0005FDC4 CE 23                         MOVS            R3, #0xCE

.text&ARM.extab:0005FDC6 A3 70                         STRB            R3, [R4,#2]

.text&ARM.extab:0005FDC8 63 71                         STRB            R3, [R4,#5]

.text&ARM.extab:0005FDCA A3 73                         STRB            R3, [R4,#0xE]

.text&ARM.extab:0005FDCC D5 23                         MOVS            R3, #0xD5

.text&ARM.extab:0005FDCE E3 73                         STRB            R3, [R4,#0xF]

.text&ARM.extab:0005FDD0 CA 23                         MOVS            R3, #0xCA

.text&ARM.extab:0005FDD2 23 74                         STRB            R3, [R4,#0x10]

.text&ARM.extab:0005FDD4 93 23                         MOVS            R3, #0x93

.text&ARM.extab:0005FDD6 63 74                         STRB            R3, [R4,#0x11]

.text&ARM.extab:0005FDD8 FF F7 AE FB                   BL              jhj_DecryptString5 ; decrypts to the string "t (tracing stop)"

.text&ARM.extab:0005FDD8

.text&ARM.extab:0005FDDC

.text&ARM.extab:0005FDDC                               loc_5FDDC                     ; CODE XREF: .text&ARM.extab:0005FE32↓j

.text&ARM.extab:0005FDDC 17 AC                         ADD             R4, SP, #0x5C ; '\'

.text&ARM.extab:0005FDDC

.text&ARM.extab:0005FDDE

.text&ARM.extab:0005FDDE                               loc_5FDDE                     ; CODE XREF: .text&ARM.extab:0005FE02↓j

.text&ARM.extab:0005FDDE AB 68                         LDR             R3, [R5,#(off_AB7EC - 0xAB7E4)]

.text&ARM.extab:0005FDE0 50 46                         MOV             R0, R10

.text&ARM.extab:0005FDE2 4F F4 80 61                   MOV.W           R1, #0x400

.text&ARM.extab:0005FDE6 3A 46                         MOV             R2, R7

.text&ARM.extab:0005FDE8 98 47                         BLX             R3            ; dword_0 ; fgets

.text&ARM.extab:0005FDE8

.text&ARM.extab:0005FDEA 00 28                         CMP             R0, #0

.text&ARM.extab:0005FDEC 00 F0 95 80                   BEQ.W           loc_5FF1A

.text&ARM.extab:0005FDEC

.text&ARM.extab:0005FDF0 20 46                         MOV             R0, R4

.text&ARM.extab:0005FDF2 B0 F7 B6 EA                   BLX             jhj_strlen

.text&ARM.extab:0005FDF2

.text&ARM.extab:0005FDF6 21 46                         MOV             R1, R4

.text&ARM.extab:0005FDF8 02 46                         MOV             R2, R0

.text&ARM.extab:0005FDFA 50 46                         MOV             R0, R10

.text&ARM.extab:0005FDFC B0 F7 AA EA                   BLX             jhj_strncmp

.text&ARM.extab:0005FDFC

.text&ARM.extab:0005FE00 00 28                         CMP             R0, #0

.text&ARM.extab:0005FE02 EC D1                         BNE             loc_5FDDE

.text&ARM.extab:0005FE02

.text&ARM.extab:0005FE04 50 46                         MOV             R0, R10

.text&ARM.extab:0005FE06 1E A9                         ADD             R1, SP, #0x78 ; 'x'

.text&ARM.extab:0005FE08 B0 F7 20 ED                   BLX             jhj_strcasestr

.text&ARM.extab:0005FE08

.text&ARM.extab:0005FE0C 30 B1                         CBZ             R0, loc_5FE1C

.text&ARM.extab:0005FE0C

.text&ARM.extab:0005FE0E

.text&ARM.extab:0005FE0E                               loc_5FE0E                     ; CODE XREF: .text&ARM.extab:0005FE26↓j

.text&ARM.extab:0005FE0E                                                             ; .text&ARM.extab:0005FE34↓j

.text&ARM.extab:0005FE0E 00 23                         MOVS            R3, #0

.text&ARM.extab:0005FE10 0D F2 0C 74                   ADDW            R4, SP, #0x70C

.text&ARM.extab:0005FE14 0D 93                         STR             R3, [SP,#0x34]

.text&ARM.extab:0005FE16 13 AE                         ADD             R6, SP, #0x4C ; 'L'

.text&ARM.extab:0005FE18 0E 93                         STR             R3, [SP,#0x38]

.text&ARM.extab:0005FE1A 0C E0                         B               loc_5FE36

.text&ARM.extab:0005FE1A

.text&ARM.extab:0005FE1C                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FE1C

.text&ARM.extab:0005FE1C                               loc_5FE1C                     ; CODE XREF: .text&ARM.extab:0005FE0C↑j

.text&ARM.extab:0005FE1C 50 46                         MOV             R0, R10

.text&ARM.extab:0005FE1E 27 A9                         ADD             R1, SP, #0x9C

.text&ARM.extab:0005FE20 B0 F7 14 ED                   BLX             jhj_strcasestr

.text&ARM.extab:0005FE20

.text&ARM.extab:0005FE24 00 28                         CMP             R0, #0

.text&ARM.extab:0005FE26 F2 D1                         BNE             loc_5FE0E

.text&ARM.extab:0005FE26

.text&ARM.extab:0005FE28 7E 4B                         LDR             R3, =(p3906CEE43A636FED71D0E81D64568947_ptr - 0x5FE2E)

.text&ARM.extab:0005FE2A 7B 44                         ADD             R3, PC        ; p3906CEE43A636FED71D0E81D64568947_ptr

.text&ARM.extab:0005FE2C 1B 68                         LDR             R3, [R3]      ; p3906CEE43A636FED71D0E81D64568947

.text&ARM.extab:0005FE2E 1B 68                         LDR             R3, [R3]

.text&ARM.extab:0005FE30 00 2B                         CMP             R3, #0

.text&ARM.extab:0005FE32 D3 D1                         BNE             loc_5FDDC

.text&ARM.extab:0005FE32

.text&ARM.extab:0005FE34 EB E7                         B               loc_5FE0E

.text&ARM.extab:0005FE34

.text&ARM.extab:0005FE36                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FE36

.text&ARM.extab:0005FE36                               loc_5FE36                     ; CODE XREF: .text&ARM.extab:0005FE1A↑j

.text&ARM.extab:0005FE36                                                             ; .text&ARM.extab:0005FE56↓j

.text&ARM.extab:0005FE36 AB 68                         LDR             R3, [R5,#(off_AB7EC - 0xAB7E4)]

.text&ARM.extab:0005FE38 20 46                         MOV             R0, R4

.text&ARM.extab:0005FE3A 4F F4 80 61                   MOV.W           R1, #0x400

.text&ARM.extab:0005FE3E 3A 46                         MOV             R2, R7

.text&ARM.extab:0005FE40 98 47                         BLX             R3            ; dword_0

.text&ARM.extab:0005FE40

.text&ARM.extab:0005FE42 40 B3                         CBZ             R0, loc_5FE96

.text&ARM.extab:0005FE42

.text&ARM.extab:0005FE44 30 46                         MOV             R0, R6

.text&ARM.extab:0005FE46 B0 F7 8C EA                   BLX             jhj_strlen

.text&ARM.extab:0005FE46

.text&ARM.extab:0005FE4A 31 46                         MOV             R1, R6

.text&ARM.extab:0005FE4C 02 46                         MOV             R2, R0

.text&ARM.extab:0005FE4E 20 46                         MOV             R0, R4

.text&ARM.extab:0005FE50 B0 F7 80 EA                   BLX             jhj_strncmp

.text&ARM.extab:0005FE50

.text&ARM.extab:0005FE54 00 28                         CMP             R0, #0

.text&ARM.extab:0005FE56 EE D1                         BNE             loc_5FE36

.text&ARM.extab:0005FE56

.text&ARM.extab:0005FE58 15 AE                         ADD             R6, SP, #0x54 ; 'T'

.text&ARM.extab:0005FE5A 15 90                         STR             R0, [SP,#0x54]

.text&ARM.extab:0005FE5C 16 90                         STR             R0, [SP,#0x58]

.text&ARM.extab:0005FE5E 09 22                         MOVS            R2, #9

.text&ARM.extab:0005FE60 05 21                         MOVS            R1, #5

.text&ARM.extab:0005FE62 8D F8 57 20                   STRB.W          R2, [SP,#0x57]

.text&ARM.extab:0005FE66 30 46                         MOV             R0, R6

.text&ARM.extab:0005FE68 5A 22                         MOVS            R2, #0x5A ; 'Z'

.text&ARM.extab:0005FE6A 8D F8 58 20                   STRB.W          R2, [SP,#0x58]

.text&ARM.extab:0005FE6E F1 22                         MOVS            R2, #0xF1

.text&ARM.extab:0005FE70 8B 23                         MOVS            R3, #0x8B

.text&ARM.extab:0005FE72 8D F8 55 30                   STRB.W          R3, [SP,#0x55]

.text&ARM.extab:0005FE76 5F 23                         MOVS            R3, #0x5F ; '_'

.text&ARM.extab:0005FE78 8D F8 56 30                   STRB.W          R3, [SP,#0x56]

.text&ARM.extab:0005FE7C 8D F8 59 30                   STRB.W          R3, [SP,#0x59]

.text&ARM.extab:0005FE80 1E 23                         MOVS            R3, #0x1E

.text&ARM.extab:0005FE82 8D F8 5A 30                   STRB.W          R3, [SP,#0x5A]

.text&ARM.extab:0005FE86 FF F7 57 FB                   BL              jhj_DecryptString5 ; decrypts to the string "%s %d"

.text&ARM.extab:0005FE86

.text&ARM.extab:0005FE8A 20 46                         MOV             R0, R4

.text&ARM.extab:0005FE8C 31 46                         MOV             R1, R6

.text&ARM.extab:0005FE8E 33 AA                         ADD             R2, SP, #0xCC

.text&ARM.extab:0005FE90 0E AB                         ADD             R3, SP, #0x38 ; '8'

.text&ARM.extab:0005FE92 B0 F7 86 EB                   BLX             jhj_sscanf

.text&ARM.extab:0005FE92

.text&ARM.extab:0005FE96

.text&ARM.extab:0005FE96                               loc_5FE96                     ; CODE XREF: .text&ARM.extab:0005FE42↑j

.text&ARM.extab:0005FE96 0D F2 0C 74                   ADDW            R4, SP, #0x70C

.text&ARM.extab:0005FE9A 1A AE                         ADD             R6, SP, #0x68 ; 'h'

.text&ARM.extab:0005FE9A

.text&ARM.extab:0005FE9C

.text&ARM.extab:0005FE9C                               loc_5FE9C                     ; CODE XREF: .text&ARM.extab:0005FEBC↓j

.text&ARM.extab:0005FE9C AB 68                         LDR             R3, [R5,#(off_AB7EC - 0xAB7E4)]

.text&ARM.extab:0005FE9E 20 46                         MOV             R0, R4

.text&ARM.extab:0005FEA0 4F F4 80 61                   MOV.W           R1, #0x400

.text&ARM.extab:0005FEA4 3A 46                         MOV             R2, R7

.text&ARM.extab:0005FEA6 98 47                         BLX             R3            ; dword_0

.text&ARM.extab:0005FEA6

.text&ARM.extab:0005FEA8 40 B3                         CBZ             R0, loc_5FEFC

.text&ARM.extab:0005FEA8

.text&ARM.extab:0005FEAA 30 46                         MOV             R0, R6

.text&ARM.extab:0005FEAC B0 F7 58 EA                   BLX             jhj_strlen

.text&ARM.extab:0005FEAC

.text&ARM.extab:0005FEB0 31 46                         MOV             R1, R6

.text&ARM.extab:0005FEB2 02 46                         MOV             R2, R0

.text&ARM.extab:0005FEB4 20 46                         MOV             R0, R4

.text&ARM.extab:0005FEB6 B0 F7 4E EA                   BLX             jhj_strncmp

.text&ARM.extab:0005FEB6

.text&ARM.extab:0005FEBA 00 28                         CMP             R0, #0

.text&ARM.extab:0005FEBC EE D1                         BNE             loc_5FE9C

.text&ARM.extab:0005FEBC

.text&ARM.extab:0005FEBE 15 AE                         ADD             R6, SP, #0x54 ; 'T'

.text&ARM.extab:0005FEC0 15 90                         STR             R0, [SP,#0x54]

.text&ARM.extab:0005FEC2 16 90                         STR             R0, [SP,#0x58]

.text&ARM.extab:0005FEC4 C3 22                         MOVS            R2, #0xC3

.text&ARM.extab:0005FEC6 05 21                         MOVS            R1, #5

.text&ARM.extab:0005FEC8 8D F8 57 20                   STRB.W          R2, [SP,#0x57]

.text&ARM.extab:0005FECC 30 46                         MOV             R0, R6

.text&ARM.extab:0005FECE 90 22                         MOVS            R2, #0x90

.text&ARM.extab:0005FED0 8D F8 58 20                   STRB.W          R2, [SP,#0x58]

.text&ARM.extab:0005FED4 E8 22                         MOVS            R2, #0xE8

.text&ARM.extab:0005FED6 58 23                         MOVS            R3, #0x58 ; 'X'

.text&ARM.extab:0005FED8 8D F8 55 30                   STRB.W          R3, [SP,#0x55]

.text&ARM.extab:0005FEDC 95 23                         MOVS            R3, #0x95

.text&ARM.extab:0005FEDE 8D F8 56 30                   STRB.W          R3, [SP,#0x56]

.text&ARM.extab:0005FEE2 8D F8 59 30                   STRB.W          R3, [SP,#0x59]

.text&ARM.extab:0005FEE6 D4 23                         MOVS            R3, #0xD4

.text&ARM.extab:0005FEE8 8D F8 5A 30                   STRB.W          R3, [SP,#0x5A]

.text&ARM.extab:0005FEEC FF F7 24 FB                   BL              jhj_DecryptString5 ; decrypts to the string "%s %d"

.text&ARM.extab:0005FEEC

.text&ARM.extab:0005FEF0 20 46                         MOV             R0, R4

.text&ARM.extab:0005FEF2 31 46                         MOV             R1, R6

.text&ARM.extab:0005FEF4 33 AA                         ADD             R2, SP, #0xCC

.text&ARM.extab:0005FEF6 0D AB                         ADD             R3, SP, #0x34 ; '4'

.text&ARM.extab:0005FEF8 B0 F7 52 EB                   BLX             jhj_sscanf

.text&ARM.extab:0005FEF8

.text&ARM.extab:0005FEFC

.text&ARM.extab:0005FEFC                               loc_5FEFC                     ; CODE XREF: .text&ARM.extab:0005FEA8↑j

.text&ARM.extab:0005FEFC 0D AC                         ADD             R4, SP, #0x34 ; '4'

.text&ARM.extab:0005FEFE 26 68                         LDR             R6, [R4]

.text&ARM.extab:0005FF00 0E B9                         CBNZ            R6, loc_5FF06

.text&ARM.extab:0005FF00

.text&ARM.extab:0005FF02

.text&ARM.extab:0005FF02                               loc_5FF02                     ; CODE XREF: .text&ARM.extab:0005FF0C↓j

.text&ARM.extab:0005FF02 00 26                         MOVS            R6, #0

.text&ARM.extab:0005FF04 0A E0                         B               loc_5FF1C

.text&ARM.extab:0005FF04

.text&ARM.extab:0005FF06                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF06

.text&ARM.extab:0005FF06                               loc_5FF06                     ; CODE XREF: .text&ARM.extab:0005FF00↑j

.text&ARM.extab:0005FF06 B0 F7 B6 EA                   BLX             jhj_getpid

.text&ARM.extab:0005FF06

.text&ARM.extab:0005FF0A 86 42                         CMP             R6, R0

.text&ARM.extab:0005FF0C F9 D0                         BEQ             loc_5FF02

.text&ARM.extab:0005FF0C

.text&ARM.extab:0005FF0E 23 68                         LDR             R3, [R4]

.text&ARM.extab:0005FF10 0E 9E                         LDR             R6, [SP,#0x38]

.text&ARM.extab:0005FF12 9E 1B                         SUBS            R6, R3, R6

.text&ARM.extab:0005FF14 18 BF                         IT NE

.text&ARM.extab:0005FF16 01 26                         MOVNE           R6, #1

.text&ARM.extab:0005FF18 00 E0                         B               loc_5FF1C

.text&ARM.extab:0005FF18

.text&ARM.extab:0005FF1A                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF1A

.text&ARM.extab:0005FF1A                               loc_5FF1A                     ; CODE XREF: .text&ARM.extab:0005FDEC↑j

.text&ARM.extab:0005FF1A 06 46                         MOV             R6, R0

.text&ARM.extab:0005FF1A

.text&ARM.extab:0005FF1C

.text&ARM.extab:0005FF1C                               loc_5FF1C                     ; CODE XREF: .text&ARM.extab:0005FF04↑j

.text&ARM.extab:0005FF1C                                                             ; .text&ARM.extab:0005FF18↑j

.text&ARM.extab:0005FF1C 6B 68                         LDR             R3, [R5,#(off_AB7E8 - 0xAB7E4)]

.text&ARM.extab:0005FF1E 38 46                         MOV             R0, R7

.text&ARM.extab:0005FF20 98 47                         BLX             R3            ; dword_0

.text&ARM.extab:0005FF20

.text&ARM.extab:0005FF22 16 BB                         CBNZ            R6, loc_5FF6A

.text&ARM.extab:0005FF22

.text&ARM.extab:0005FF24

.text&ARM.extab:0005FF24                               loc_5FF24                     ; CODE XREF: .text&ARM.extab:0005FC7A↑j

.text&ARM.extab:0005FF24 07 23                         MOVS            R3, #7

.text&ARM.extab:0005FF26 43 E6                         B               loc_5FBB0

.text&ARM.extab:0005FF26

.text&ARM.extab:0005FF28                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF28

.text&ARM.extab:0005FF28                               loc_5FF28                     ; CODE XREF: .text&ARM.extab:0005FBBC↑j

.text&ARM.extab:0005FF28 58 46                         MOV             R0, R11       ; jumptable 0005FBBC case 3

.text&ARM.extab:0005FF2A B0 F7 AE EC                   BLX             jhj_atol

.text&ARM.extab:0005FF2A

.text&ARM.extab:0005FF2E 04 9B                         LDR             R3, [SP,#0x10]

.text&ARM.extab:0005FF30 06 90                         STR             R0, [SP,#0x18]

.text&ARM.extab:0005FF32 83 42                         CMP             R3, R0

.text&ARM.extab:0005FF34 0C BF                         ITE EQ

.text&ARM.extab:0005FF36 02 23                         MOVEQ           R3, #2

.text&ARM.extab:0005FF38 03 23                         MOVNE           R3, #3

.text&ARM.extab:0005FF3A 39 E6                         B               loc_5FBB0

.text&ARM.extab:0005FF3A

.text&ARM.extab:0005FF3C                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF3C

.text&ARM.extab:0005FF3C                               loc_5FF3C                     ; CODE XREF: .text&ARM.extab:0005FBBC↑j

.text&ARM.extab:0005FF3C 11 AC                         ADD             R4, SP, #0x44 ; 'D' ; jumptable 0005FBBC case 0

.text&ARM.extab:0005FF3E 02 21                         MOVS            R1, #2

.text&ARM.extab:0005FF40 D7 22                         MOVS            R2, #0xD7

.text&ARM.extab:0005FF42 20 46                         MOV             R0, R4

.text&ARM.extab:0005FF44 FF F7 F8 FA                   BL              jhj_DecryptString5 ; decrypts to the string ".."

.text&ARM.extab:0005FF44

.text&ARM.extab:0005FF48 BB F1 00 0F                   CMP.W           R11, #0

.text&ARM.extab:0005FF4C 0F D0                         BEQ             loc_5FF6E

.text&ARM.extab:0005FF4C

.text&ARM.extab:0005FF4E 58 46                         MOV             R0, R11

.text&ARM.extab:0005FF50 0F A9                         ADD             R1, SP, #0x3C ; '<'

.text&ARM.extab:0005FF52 B0 F7 54 EA                   BLX             jhj_strcmp

.text&ARM.extab:0005FF52

.text&ARM.extab:0005FF56 50 B1                         CBZ             R0, loc_5FF6E

.text&ARM.extab:0005FF56

.text&ARM.extab:0005FF58 58 46                         MOV             R0, R11

.text&ARM.extab:0005FF5A 21 46                         MOV             R1, R4

.text&ARM.extab:0005FF5C B0 F7 4E EA                   BLX             jhj_strcmp

.text&ARM.extab:0005FF5C

.text&ARM.extab:0005FF60 00 28                         CMP             R0, #0

.text&ARM.extab:0005FF62 0C BF                         ITE EQ

.text&ARM.extab:0005FF64 06 23                         MOVEQ           R3, #6

.text&ARM.extab:0005FF66 04 23                         MOVNE           R3, #4

.text&ARM.extab:0005FF68 22 E6                         B               loc_5FBB0

.text&ARM.extab:0005FF68

.text&ARM.extab:0005FF6A                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF6A

.text&ARM.extab:0005FF6A                               loc_5FF6A                     ; CODE XREF: .text&ARM.extab:0005FF22↑j

.text&ARM.extab:0005FF6A 05 23                         MOVS            R3, #5

.text&ARM.extab:0005FF6C 20 E6                         B               loc_5FBB0

.text&ARM.extab:0005FF6C

.text&ARM.extab:0005FF6E                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF6E

.text&ARM.extab:0005FF6E                               loc_5FF6E                     ; CODE XREF: .text&ARM.extab:0005FF4C↑j

.text&ARM.extab:0005FF6E                                                             ; .text&ARM.extab:0005FF56↑j

.text&ARM.extab:0005FF6E 06 23                         MOVS            R3, #6

.text&ARM.extab:0005FF70 1E E6                         B               loc_5FBB0

.text&ARM.extab:0005FF70

.text&ARM.extab:0005FF72                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF72

.text&ARM.extab:0005FF72                               loc_5FF72                     ; CODE XREF: .text&ARM.extab:0005FBBC↑j

.text&ARM.extab:0005FF72 01 23                         MOVS            R3, #1        ; jumptable 0005FBBC case 4

.text&ARM.extab:0005FF74 03 93                         STR             R3, [SP,#0xC]

.text&ARM.extab:0005FF76 ED E5                         B               loc_5FB54

.text&ARM.extab:0005FF76

.text&ARM.extab:0005FF78                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FF78

.text&ARM.extab:0005FF78                               loc_5FF78                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:0005FF78 0C 9B                         LDR             R3, [SP,#0x30] ; jumptable 0005FB58 case 4

.text&ARM.extab:0005FF7A 00 2B                         CMP             R3, #0

.text&ARM.extab:0005FF7C 3B DA                         BGE             loc_5FFF6     ; jumptable 0005FBBC cases 1,5

.text&ARM.extab:0005FF7C

.text&ARM.extab:0005FF7E 00 BF                         NOP

.text&ARM.extab:0005FF80 7E 73                         STRB            R6, [R7,#0xD]

.text&ARM.extab:0005FF82 05 43                         ORRS            R5, R0

.text&ARM.extab:0005FF84 F7 A5                         ADR             R5, byte_60364

.text&ARM.extab:0005FF86 B0 75                         STRB            R0, [R6,#0x16]

.text&ARM.extab:0005FF88 7D B3                         CBZ             R5, loc_5FFEA

.text&ARM.extab:0005FF88

.text&ARM.extab:0005FF8A C9 0A                         LSRS            R1, R1, #0xB

.text&ARM.extab:0005FF8C 59 AC                         ADD             R4, SP, #0x164

.text&ARM.extab:0005FF8E 4B 78                         LDRB            R3, [R1,#1]

.text&ARM.extab:0005FF90 89 34                         ADDS            R4, #0x89

.text&ARM.extab:0005FF92 BD C2                         STM             R2, {R0,R2-R5,R7}

.text&ARM.extab:0005FF94 EB 40                         LSRS            R3, R5

.text&ARM.extab:0005FF96 80 2C                         CMP             R4, #0x80

.text&ARM.extab:0005FF98 A1 7B                         LDRB            R1, [R4,#0xE]

.text&ARM.extab:0005FF9A 24 3B                         SUBS            R3, #0x24 ; '$'

.text&ARM.extab:0005FF9C 71 D6                         BVS             loc_60082

.text&ARM.extab:0005FF9C

.text&ARM.extab:0005FF9E 50 55                         STRB            R0, [R2,R5]

.text&ARM.extab:0005FF9E

.text&ARM.extab:0005FF9E                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFA0 68 B6 AA 39 76 4A 1B CD 2A 52+DCD 0x39AAB668, 0xCD1B4A76, 0x2986522A, 0x299C1ABC, 0x6B5921DE, 0x6DF3BB26

.text&ARM.extab:0005FFB8                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFB8 1D E0                         B               loc_5FFF6     ; jumptable 0005FBBC cases 1,5

.text&ARM.extab:0005FFB8

.text&ARM.extab:0005FFBA                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFBA

.text&ARM.extab:0005FFBA                               loc_5FFBA                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:0005FFBA 02 98                         LDR             R0, [SP,#8]   ; jumptable 0005FB58 case 1

.text&ARM.extab:0005FFBC B0 F7 48 EA                   BLX             jhj_closedir

.text&ARM.extab:0005FFBC

.text&ARM.extab:0005FFC0 03 98                         LDR             R0, [SP,#0xC]

.text&ARM.extab:0005FFC2 1E E0                         B               loc_60002

.text&ARM.extab:0005FFC2

.text&ARM.extab:0005FFC4                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFC4

.text&ARM.extab:0005FFC4                               loc_5FFC4                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:0005FFC4 22 AD                         ADD             R5, SP, #0x88 ; jumptable 0005FB58 case 3

.text&ARM.extab:0005FFC6 43 AC                         ADD             R4, SP, #0x10C

.text&ARM.extab:0005FFC8 0F 21                         MOVS            R1, #0xF

.text&ARM.extab:0005FFCA BA 22                         MOVS            R2, #0xBA

.text&ARM.extab:0005FFCC 28 46                         MOV             R0, R5

.text&ARM.extab:0005FFCE FF F7 B3 FA                   BL              jhj_DecryptString5 ; decrypts to the string "/proc/%ld/task/"

.text&ARM.extab:0005FFCE

.text&ARM.extab:0005FFD2 29 46                         MOV             R1, R5

.text&ARM.extab:0005FFD4 04 9A                         LDR             R2, [SP,#0x10]

.text&ARM.extab:0005FFD6 20 46                         MOV             R0, R4

.text&ARM.extab:0005FFD8 38 F0 A2 FF                   BL              jhj_format    ; yields the formatted path "/proc/<pid>/task/"

.text&ARM.extab:0005FFD8

.text&ARM.extab:0005FFDC 20 46                         MOV             R0, R4

.text&ARM.extab:0005FFDE B0 F7 2C EA                   BLX             jhj_opendir

.text&ARM.extab:0005FFDE

.text&ARM.extab:0005FFE2 02 90                         STR             R0, [SP,#8]

.text&ARM.extab:0005FFE4 00 28                         CMP             R0, #0

.text&ARM.extab:0005FFE6 0C BF                         ITE EQ

.text&ARM.extab:0005FFE8 05 23                         MOVEQ           R3, #5

.text&ARM.extab:0005FFE8

.text&ARM.extab:0005FFEA

.text&ARM.extab:0005FFEA                               loc_5FFEA                     ; CODE XREF: .text&ARM.extab:0005FF88↑j

.text&ARM.extab:0005FFEA 02 23                         MOVNE           R3, #2

.text&ARM.extab:0005FFEC AF E5                         B               def_5FB58     ; jumptable 0005FB58 default case

.text&ARM.extab:0005FFEC

.text&ARM.extab:0005FFEE                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFEE

.text&ARM.extab:0005FFEE                               loc_5FFEE                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:0005FFEE 00 23                         MOVS            R3, #0        ; jumptable 0005FB58 case 2

.text&ARM.extab:0005FFF0 03 93                         STR             R3, [SP,#0xC]

.text&ARM.extab:0005FFF2 04 23                         MOVS            R3, #4

.text&ARM.extab:0005FFF4 AE E5                         B               loc_5FB54

.text&ARM.extab:0005FFF4

.text&ARM.extab:0005FFF6                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFF6

.text&ARM.extab:0005FFF6                               loc_5FFF6                     ; CODE XREF: .text&ARM.extab:0005FBB4↑j

.text&ARM.extab:0005FFF6                                                             ; .text&ARM.extab:0005FBBC↑j

.text&ARM.extab:0005FFF6                                                             ; .text&ARM.extab:0005FF7C↑j

.text&ARM.extab:0005FFF6                                                             ; .text&ARM.extab:0005FFB8↑j

.text&ARM.extab:0005FFF6 00 23                         MOVS            R3, #0        ; jumptable 0005FBBC cases 1,5

.text&ARM.extab:0005FFF8 AC E5                         B               loc_5FB54

.text&ARM.extab:0005FFF8

.text&ARM.extab:0005FFFA                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0005FFFA

.text&ARM.extab:0005FFFA                               loc_5FFFA                     ; CODE XREF: .text&ARM.extab:0005FB50↑j

.text&ARM.extab:0005FFFA 01 22                         MOVS            R2, #1

.text&ARM.extab:0005FFFC 0C 92                         STR             R2, [SP,#0x30]

.text&ARM.extab:0005FFFE 7C E5                         B               loc_5FAFA

.text&ARM.extab:0005FFFE

.text&ARM.extab:00060000                               ; ---------------------------------------------------------------------------

.text&ARM.extab:00060000

.text&ARM.extab:00060000                               loc_60000                     ; CODE XREF: .text&ARM.extab:0005FB58↑j

.text&ARM.extab:00060000 00 20                         MOVS            R0, #0        ; jumptable 0005FB58 case 5

.text&ARM.extab:00060000

.text&ARM.extab:00060002

.text&ARM.extab:00060002                               loc_60002                     ; CODE XREF: .text&ARM.extab:0005FFC2↑j

.text&ARM.extab:00060002 07 9B                         LDR             R3, [SP,#0x1C]

.text&ARM.extab:00060004 DD F8 0C 2B                   LDR.W           R2, [SP,#0xB0C]

.text&ARM.extab:00060008 1B 68                         LDR             R3, [R3]

.text&ARM.extab:0006000A 9A 42                         CMP             R2, R3

.text&ARM.extab:0006000C 02 D0                         BEQ             loc_60014

.text&ARM.extab:0006000C

.text&ARM.extab:0006000E B0 F7 9C E9                   BLX             jhj__stack_chk_fail

.text&ARM.extab:0006000E

.text&ARM.extab:00060012

.text&ARM.extab:00060012                               loc_60012                     ; CODE XREF: .text&ARM.extab:0005FB00↑j

.text&ARM.extab:00060012 FF DE                         UND             #0xFF

.text&ARM.extab:00060012

.text&ARM.extab:00060014                               ; ---------------------------------------------------------------------------

.text&ARM.extab:00060014

.text&ARM.extab:00060014                               loc_60014                     ; CODE XREF: .text&ARM.extab:0006000C↑j

.text&ARM.extab:00060014 0D F6 14 3D                   ADDW            SP, SP, #0xB14

.text&ARM.extab:00060018 BD E8 F0 8F                   POP.W           {R4-R11,PC}
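The routine above is a per-thread tracer check: case 3 at loc_5FFC4 builds "/proc/<pid>/task/" and opens it, case 0 skips "." and "..", and for each entry the two loops at loc_5FE36 and loc_5FE9C read 0x400-byte lines until one starts with a runtime-decrypted key, then parse that line with "%s %d". At loc_5FEFC the second parsed number is treated as a tracer when it is non-zero, is not the process's own pid (getpid) and differs from the first parsed number; the fclose at loc_5FF1C then leads to state 5 (detected) or state 7 (clean). The C program below is an added example that reimplements that logic so it can be tested; it is not code from the post or from the protector. The two key strings never appear on the page because they come out of jhj_DecryptString5 at run time, so "Pid:" and "TracerPid:" are assumptions (they occur in that order in procfs status files, matching the order of the two loops), and the sample status texts are constructed.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* ASSUMED key strings: the real ones are decrypted at run time by
 * jhj_DecryptString5 and are not shown on the page. */
#define KEY_FIRST  "Pid:"
#define KEY_SECOND "TracerPid:"

/* Mirror of the loops at loc_5FE36 / loc_5FE9C: take 0x400-byte lines until
 * one starts with key (strncmp over strlen(key)), then parse it with "%s %d".
 * Returns 1 and stores the number, or 0 if no line matched. */
static int find_field_in_text(const char *text, const char *key, int *out)
{
    char line[0x400], name[0x400];
    size_t klen = strlen(key);
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strncmp(line, key, klen) == 0) {
            int value;
            if (sscanf(line, "%s %d", name, &value) == 2) { *out = value; return 1; }
            return 0;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Convenience wrapper: -1 when the key is absent. */
int field_value(const char *text, const char *key)
{
    int v;
    return find_field_in_text(text, key, &v) ? v : -1;
}

/* Mirror of loc_5FEFC..loc_5FF1C, the flag the routine leaves in R6. */
int traced_verdict(int first, int second, pid_t self)
{
    if (second == 0) return 0;          /* CBNZ R6 not taken: no tracer          */
    if (second == (int)self) return 0;  /* tracer is this process (self-ptrace)  */
    return second != first;             /* SUBS R6,R3,R6 ; IT NE ; MOVNE R6,#1   */
}

/* Read a whole status file into buf (the listing uses fgets on a FILE*). */
static int read_status(const char *path, char *buf, size_t cap)
{
    FILE *fp = fopen(path, "r");
    if (!fp) return 0;
    size_t n = fread(buf, 1, cap - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return 1;
}

/* Mirror of case 3 at loc_5FFC4: opendir("/proc/%ld/task/") and sweep every
 * thread's status. Returns 1 if any thread is traced by a foreign process.
 * The routine enters the same state (5) when opendir fails, so that is 1 too. */
int any_thread_traced(long pid)
{
    char dir_path[64], status_path[128], status[4096];
    struct dirent *ent;
    int result = 0;
    snprintf(dir_path, sizeof dir_path, "/proc/%ld/task/", pid);
    DIR *d = opendir(dir_path);
    if (!d) return 1;
    while (result == 0 && (ent = readdir(d)) != NULL) {
        int first = 0, second = 0;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        snprintf(status_path, sizeof status_path, "%s%s/status", dir_path, ent->d_name);
        if (!read_status(status_path, status, sizeof status)) continue;
        if (!find_field_in_text(status, KEY_FIRST, &first)) continue;
        if (!find_field_in_text(status, KEY_SECOND, &second)) continue;
        result = traced_verdict(first, second, getpid());
    }
    closedir(d);
    return result;
}

/* Constructed status excerpts (not captured from a device). */
const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tcom.example\nTgid:\t4242\nPid:\t4242\nPPid:\t1337\nTracerPid:\t0\n";
const char SAMPLE_STATUS_TRACED[] =
    "Name:\tcom.example\nTgid:\t4242\nPid:\t4242\nPPid:\t1337\nTracerPid:\t9001\n";

int main(void)
{
    printf("clean sample tracer=%d, traced sample tracer=%d\n",
           field_value(SAMPLE_STATUS_CLEAN, KEY_SECOND),
           field_value(SAMPLE_STATUS_TRACED, KEY_SECOND));
    printf("this process traced: %d\n", any_thread_traced((long)getpid()));
    return 0;
}
```

Sweeping every entry under /proc/<pid>/task/ rather than only /proc/self/status is what makes this check catch a debugger attached to a single thread; note also that a tracer equal to getpid() is deliberately accepted, which is the shape a protector needs if it ptraces itself from a child to block later attaches.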

 

pthread_create called at offset 0x59500 creates a new thread (thread 2), whose callback performs the following anti-debugging:

Thread 2's callback uses the inotify family of APIs to watch virtual files.

It also spawns another thread whose callback is the function at offset 0x58E19, and that child thread calls sigaction. A bold guess: thread 2 and its child send each other signals to confirm that the other is still alive.

Note: the child-thread code that calls sigaction is only visible while debugging (its offset is 0x2D94B3DC).

 

Offset 0x7C04C creates a third thread whose callback is at offset 0x7BF09. Debugging into this callback crashes the process, so for now I patch it to a NOP (00 BF) and set r0 to 0 to skip it; I suspect some other anti-debugging technique is running there.

(Follow-up: after bypassing this thread I found no further anti-debugging up to the end of JNI_OnLoad. I have no good solution for it yet; if anyone knows how to deal with it, please tell me.)

}

 

Obtaining the dex{

All the dex files are in assets/classes0.jar (encrypted; on the test device it lives at /data/user/0/com.fy.qqkp.newmi/.cache/classs.jar).

The decryption flow is driven from JNI_OnLoad, which reflectively calls the method public static void f(ClassLoader arg6, "/data/user/0/com.fy.qqkp.new.mi/.cache/classes.jar", "/data/user/0/com.fy.qqkp.new.mi/.cache") of com.SecShell.SecShell.H.

In the end it simply decrypts the jar and then reflectively invokes InMemoryDexClassLoader to load the dex from memory.

 

The decryption function sits in the hooked libc read replacement (rep_read). Setting a breakpoint on it while debugging raises a memory-access error, so I suspect a new thread is looping over the memory region that holds this function and checking it. (A software breakpoint works by overwriting instruction bytes with a BKPT opcode, which any checksum over that code page will notice; a hardware breakpoint or watchpoint leaves the page untouched.)

.text&ARM.extab:0004D210                               ; int __fastcall jhj_hookread(int, int, int)

.text&ARM.extab:0004D210                               jhj_hookread                  ; DATA XREF: jhj_HookLibcFunction+190↓o

.text&ARM.extab:0004D210                                                             ; jhj_HookLibcFunction+19A↓o

.text&ARM.extab:0004D210                                                             ; .text&ARM.extab:off_4DBCC↓o

.text&ARM.extab:0004D210                               ; __unwind { // 417B6000

.text&ARM.extab:0004D210 2D E9 F0 41                   PUSH.W          {R4-R8,LR}

.text&ARM.extab:0004D214 05 46                         MOV             R5, R0

.text&ARM.extab:0004D216 0C 46                         MOV             R4, R1

.text&ARM.extab:0004D218 17 46                         MOV             R7, R2

.text&ARM.extab:0004D21A FE F7 D1 F8                   BL              sub_4B3C0

.text&ARM.extab:0004D21A

.text&ARM.extab:0004D21E 80 46                         MOV             R8, R0

.text&ARM.extab:0004D220 E8 B1                         CBZ             R0, loc_4D25E

.text&ARM.extab:0004D220

.text&ARM.extab:0004D222 28 46                         MOV             R0, R5

.text&ARM.extab:0004D224 00 21                         MOVS            R1, #0

.text&ARM.extab:0004D226 01 22                         MOVS            R2, #1

.text&ARM.extab:0004D228 C3 F7 32 EA                   BLX             jhj_lseek

.text&ARM.extab:0004D228

.text&ARM.extab:0004D22C 12 4B                         LDR             R3, =(off_AC214 - 0x4D236)

.text&ARM.extab:0004D22E 21 46                         MOV             R1, R4

.text&ARM.extab:0004D230 3A 46                         MOV             R2, R7

.text&ARM.extab:0004D232 7B 44                         ADD             R3, PC        ; off_AC214

.text&ARM.extab:0004D234 DB 6A                         LDR             R3, [R3,#(off_AC240 - 0xAC214)]

.text&ARM.extab:0004D236 06 46                         MOV             R6, R0

.text&ARM.extab:0004D238 28 46                         MOV             R0, R5

.text&ARM.extab:0004D23A 98 47                         BLX             R3            ; dword_0 ; jump offset: EEFC7000 - BE99A000 = 0x3062D000

.text&ARM.extab:0004D23A                                                             ; dynamically decrypted function

.text&ARM.extab:0004D23A                                                             ; its job is simply to read the file data out

.text&ARM.extab:0004D23A

.text&ARM.extab:0004D23C 05 1E                         SUBS            R5, R0, #0

.text&ARM.extab:0004D23E 17 DD                         BLE             loc_4D270

.text&ARM.extab:0004D23E

.text&ARM.extab:0004D240 D8 F8 04 30                   LDR.W           R3, [R8,#4]

.text&ARM.extab:0004D244 30 46                         MOV             R0, R6

.text&ARM.extab:0004D246 21 46                         MOV             R1, R4

.text&ARM.extab:0004D248 2A 46                         MOV             R2, R5

.text&ARM.extab:0004D24A 01 2B                         CMP             R3, #1

.text&ARM.extab:0004D24C 04 D0                         BEQ             loc_4D258

.text&ARM.extab:0004D24C

.text&ARM.extab:0004D24E 03 2B                         CMP             R3, #3

.text&ARM.extab:0004D250 02 D1                         BNE             loc_4D258

.text&ARM.extab:0004D250

.text&ARM.extab:0004D252 FF F7 D3 FB                   BL              sub_4C9FC

.text&ARM.extab:0004D252

.text&ARM.extab:0004D256 0B E0                         B               loc_4D270

.text&ARM.extab:0004D256

.text&ARM.extab:0004D258                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0004D258

.text&ARM.extab:0004D258                               loc_4D258                     ; CODE XREF: jhj_hookread+3C↑j

.text&ARM.extab:0004D258                                                             ; jhj_hookread+40↑j

.text&ARM.extab:0004D258 FF F7 40 FF                   BL              jhj_DecryptBytes ; arg 1: file offset

.text&ARM.extab:0004D258                                                             ; arg 2: srcBuffer

.text&ARM.extab:0004D258                                                             ; arg 3: srcBufferSize

.text&ARM.extab:0004D258

.text&ARM.extab:0004D25C 08 E0                         B               loc_4D270     ; break here: three dex files in total, real size of the jar is 6e1c1b (hex)

.text&ARM.extab:0004D25C

.text&ARM.extab:0004D25E                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0004D25E

.text&ARM.extab:0004D25E                               loc_4D25E                     ; CODE XREF: jhj_hookread+10↑j

.text&ARM.extab:0004D25E 07 4B                         LDR             R3, =(off_AC214 - 0x4D26A)

.text&ARM.extab:0004D260 28 46                         MOV             R0, R5

.text&ARM.extab:0004D262 21 46                         MOV             R1, R4

.text&ARM.extab:0004D264 3A 46                         MOV             R2, R7

.text&ARM.extab:0004D266 7B 44                         ADD             R3, PC        ; off_AC214

.text&ARM.extab:0004D268 BD E8 F0 41                   POP.W           {R4-R8,LR}

.text&ARM.extab:0004D26C DB 6A                         LDR             R3, [R3,#(off_AC240 - 0xAC214)]

.text&ARM.extab:0004D26E 18 47                         BX              R3            ; dword_0

.text&ARM.extab:0004D26E

.text&ARM.extab:0004D270                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0004D270

.text&ARM.extab:0004D270                               loc_4D270                     ; CODE XREF: jhj_hookread+2E↑j

.text&ARM.extab:0004D270                                                             ; jhj_hookread+46↑j

.text&ARM.extab:0004D270                                                             ; jhj_hookread+4C↑j

.text&ARM.extab:0004D270 28 46                         MOV             R0, R5

.text&ARM.extab:0004D272 BD E8 F0 81                   POP.W           {R4-R8,PC}
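jhj_hookread keeps the original read and post-processes its result: for an untracked fd (sub_4B3C0 returns NULL) it tail-calls the real read at loc_4D25E; for a tracked one it records the current position with lseek(fd, 0, SEEK_CUR), calls the real read through the saved pointer, and then hands (offset, buffer, bytes read) to jhj_DecryptBytes, so the caller receives plaintext in its own buffer. Keying the decryption on the absolute file offset is what lets one routine serve the read, pread64 and mmap2 hooks listed in its cross-references, and it is why breaking right after the call (the comment at loc_4D25C) gives a clean dump. The C program below is an added example of that decrypt-on-read pattern, not the protector's code: it uses a toy XOR keystream in place of the real cipher (which the page does not show), skips the sub_4C9FC branch taken for the two file modes the listing checks, and writes a constructed fake dex payload to a temp file as the "encrypted jar".

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Toy keystream, NOT the protector's cipher (the page does not show it). */
static const unsigned char TOY_KEY[8] = {0x31, 0x41, 0x59, 0x26, 0x53, 0x58, 0x97, 0x93};

/* Stand-in for jhj_DecryptBytes with the same argument order
 * (file offset, buffer, size). Each byte is XORed with the keystream byte for
 * its ABSOLUTE file offset, so any slice of the file decrypts correctly. */
unsigned int decrypt_bytes(unsigned int file_off, char *buf, int n)
{
    for (int i = 0; i < n; i++)
        buf[i] ^= TOY_KEY[(file_off + (unsigned int)i) % sizeof TOY_KEY];
    return (unsigned int)n;
}

/* XOR is symmetric; encryption is only needed to build the demo file. */
static void encrypt_bytes(unsigned int off, char *buf, int n) { decrypt_bytes(off, buf, n); }

/* Stand-in for the sub_4B3C0 lookup: which fds belong to the protected jar. */
static int protected_fds[16];
static int n_protected;
void mark_protected(int fd) { if (n_protected < 16) protected_fds[n_protected++] = fd; }
static int is_protected(int fd)
{
    for (int i = 0; i < n_protected; i++) if (protected_fds[i] == fd) return 1;
    return 0;
}

/* Mirror of jhj_hookread: untracked fds go straight to the real read
 * (loc_4D25E); tracked ones note the position, read, then decrypt in place. */
ssize_t hooked_read(int fd, void *buf, size_t n)
{
    if (!is_protected(fd)) return read(fd, buf, n);
    off_t off = lseek(fd, 0, SEEK_CUR);   /* position before the read            */
    ssize_t got = read(fd, buf, n);       /* original read into caller's buffer  */
    if (got > 0) decrypt_bytes((unsigned int)off, buf, (int)got);
    return got;                           /* buffer now holds plaintext          */
}

/* The pread64 hook (jhj_hookpread64) passes its explicit offset straight in. */
ssize_t hooked_pread(int fd, void *buf, size_t n, off_t off)
{
    ssize_t got = pread(fd, buf, n, off);
    if (got > 0 && is_protected(fd)) decrypt_bytes((unsigned int)off, buf, (int)got);
    return got;
}

/* Constructed demo: encrypt a fake dex payload into a temp file, then read it
 * back through the hooks in uneven 7-byte chunks plus one pread of the tail.
 * Returns 1 if the plaintext is recovered byte for byte. */
int demo_roundtrip(void)
{
    static const char plain[] = "dex\n035\0constructed-dex-payload-0123456789";
    char enc[sizeof plain], out[sizeof plain], tail[10];
    size_t total = 0;
    int ok;

    memcpy(enc, plain, sizeof plain);
    encrypt_bytes(0, enc, (int)sizeof enc);

    FILE *fp = tmpfile();
    if (!fp) return 0;
    int fd = fileno(fp);
    if (fwrite(enc, 1, sizeof enc, fp) != sizeof enc) { fclose(fp); return 0; }
    fflush(fp);
    lseek(fd, 0, SEEK_SET);
    mark_protected(fd);

    while (total < sizeof out) {
        size_t want = sizeof out - total < 7 ? sizeof out - total : 7;
        ssize_t r = hooked_read(fd, out + total, want);
        if (r <= 0) break;
        total += (size_t)r;
    }
    ok = total == sizeof plain && memcmp(out, plain, sizeof plain) == 0;

    ssize_t got = hooked_pread(fd, tail, sizeof tail, (off_t)(sizeof plain - sizeof tail));
    ok = ok && got == (ssize_t)sizeof tail
            && memcmp(tail, plain + sizeof plain - sizeof tail, sizeof tail) == 0;
    fclose(fp);
    return ok;
}

int main(void)
{
    printf("decrypt-on-read roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The uneven chunk size in demo_roundtrip is the point of the exercise: a decryptor that ignored the file offset would desynchronise its keystream after the first read, whereas offset-keyed decryption lets the unmodified caller (here the Java side opening classes.jar) read, pread or map any range and still see a valid dex.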

 

The decryption function is jhj_DecryptBytes, shown below:

.text&ARM.extab:0004D0DC                               ; arg 1: file offset

.text&ARM.extab:0004D0DC                               ; arg 2: srcBuffer

.text&ARM.extab:0004D0DC                               ; arg 3: srcBufferSize

.text&ARM.extab:0004D0DC

.text&ARM.extab:0004D0DC                               ; unsigned int __fastcall jhj_DecryptBytes(unsigned int, char *, signed int)

.text&ARM.extab:0004D0DC                               EXPORT jhj_DecryptBytes

.text&ARM.extab:0004D0DC                               jhj_DecryptBytes              ; CODE XREF: .text&ARM.extab:0002623C↑p

.text&ARM.extab:0004D0DC                                                             ; .text&ARM.extab:0002686C↑p

.text&ARM.extab:0004D0DC                                                             ; jhj_hookread:loc_4D258↓p

.text&ARM.extab:0004D0DC                                                             ; jhj_hookpread64:loc_4D2B8↓p

.text&ARM.extab:0004D0DC                                                             ; jhj_hook__mmap2+C0↓p

.text&ARM.extab:0004D0DC                                                             ; pFD099753FE3C34335A32B92C8F00766D+2E↓p

.text&ARM.extab:0004D0DC                                                             ; DATA XREF: LOAD:stru_AFC↑o

.text&ARM.extab:0004D0DC

.text&ARM.extab:0004D0DC                               var_12C= -0x12C

.text&ARM.extab:0004D0DC                               var_128= -0x128

.text&ARM.extab:0004D0DC                               var_124= -0x124

.text&ARM.extab:0004D0DC                               var_24= -0x24

.text&ARM.extab:0004D0DC

.text&ARM.extab:0004D0DC                               ; __unwind { // 417B6000

.text&ARM.extab:0004D0DC 2D E9 F0 43                   PUSH.W          {R4-R9,LR}

.text&ARM.extab:0004D0E0 C5 B0                         SUB             SP, SP, #0x114

.text&ARM.extab:0004D0E2 DF F8 1C 91                   LDR.W           R9, =(off_A2984 - 0x4D0F2)

.text&ARM.extab:0004D0E6 0D F1 04 08                   ADD.W           R8, SP, #0x130+var_12C

.text&ARM.extab:0004D0EA 02 AE                         ADD             R6, SP, #0x130+var_128

.text&ARM.extab:0004D0EC 0D 46                         MOV             R5, R1

.text&ARM.extab:0004D0EE F9 44                         ADD             R9, PC        ; off_A2984

.text&ARM.extab:0004D0F0 D9 F8 00 90                   LDR.W           R9, [R9]

.text&ARM.extab:0004D0F4 11 46                         MOV             R1, R2

.text&ARM.extab:0004D0F6 42 46                         MOV             R2, R8

.text&ARM.extab:0004D0F8 00 24                         MOVS            R4, #0

.text&ARM.extab:0004D0FA D9 F8 00 30                   LDR.W           R3, [R9]

.text&ARM.extab:0004D0FE 07 46                         MOV             R7, R0

.text&ARM.extab:0004D100 01 94                         STR             R4, [SP,#0x130+var_12C]

.text&ARM.extab:0004D102 34 60                         STR             R4, [R6]

.text&ARM.extab:0004D104 43 93                         STR             R3, [SP,#0x130+var_24]

.text&ARM.extab:0004D106 33 46                         MOV             R3, R6

.text&ARM.extab:0004D108 FF F7 31 FA                   BL              sub_4C56E

.text&ARM.extab:0004D108

.text&ARM.extab:0004D10C D8 F8 00 00                   LDR.W           R0, [R8]

.text&ARM.extab:0004D110 CE 46                         MOV             LR, R9

.text&ARM.extab:0004D112 A0 42                         CMP             R0, R4

.text&ARM.extab:0004D114 50 DD                         BLE             loc_4D1B8

.text&ARM.extab:0004D114

.text&ARM.extab:0004D116 3B 4B                         LDR             R3, =(off_AC214 - 0x4D11E)

.text&ARM.extab:0004D118 22 46                         MOV             R2, R4

.text&ARM.extab:0004D11A 7B 44                         ADD             R3, PC        ; off_AC214

.text&ARM.extab:0004D11C D3 F8 18 80                   LDR.W           R8, [R3,#(off_AC22C - 0xAC214)]

.text&ARM.extab:0004D120 03 AB                         ADD             R3, SP, #0x130+var_124

.text&ARM.extab:0004D120

.text&ARM.extab:0004D122

.text&ARM.extab:0004D122                               loc_4D122                     ; CODE XREF: jhj_DecryptBytes+4E↓j

.text&ARM.extab:0004D122 D2 54                         STRB            R2, [R2,R3]

.text&ARM.extab:0004D124 01 32                         ADDS            R2, #1

.text&ARM.extab:0004D126 B2 F5 80 7F                   CMP.W           R2, #0x100

.text&ARM.extab:0004D12A FA D1                         BNE             loc_4D122

.text&ARM.extab:0004D12A

.text&ARM.extab:0004D12C 00 22                         MOVS            R2, #0

.text&ARM.extab:0004D12E 14 46                         MOV             R4, R2

.text&ARM.extab:0004D130 11 46                         MOV             R1, R2

.text&ARM.extab:0004D130

.text&ARM.extab:0004D132

.text&ARM.extab:0004D132                               loc_4D132                     ; CODE XREF: jhj_DecryptBytes+7E↓j

.text&ARM.extab:0004D132 13 F8 01 90                   LDRB.W          R9, [R3,R1]

.text&ARM.extab:0004D136 18 F8 02 C0                   LDRB.W          R12, [R8,R2]

.text&ARM.extab:0004D13A 01 32                         ADDS            R2, #1

.text&ARM.extab:0004D13C 0F 2A                         CMP             R2, #0xF

.text&ARM.extab:0004D13E CC 44                         ADD             R12, R9

.text&ARM.extab:0004D140 64 44                         ADD             R4, R12

.text&ARM.extab:0004D142 C8 BF                         IT GT

.text&ARM.extab:0004D144 00 22                         MOVGT           R2, #0

.text&ARM.extab:0004D146 E4 B2                         UXTB            R4, R4

.text&ARM.extab:0004D148 13 F8 04 C0                   LDRB.W          R12, [R3,R4]

.text&ARM.extab:0004D14C 03 F8 01 C0                   STRB.W          R12, [R3,R1]

.text&ARM.extab:0004D150 01 31                         ADDS            R1, #1

.text&ARM.extab:0004D152 B1 F5 80 7F                   CMP.W           R1, #0x100

.text&ARM.extab:0004D156 03 F8 04 90                   STRB.W          R9, [R3,R4]

.text&ARM.extab:0004D15A EA D1                         BNE             loc_4D132

.text&ARM.extab:0004D15A

.text&ARM.extab:0004D15C 00 24                         MOVS            R4, #0

.text&ARM.extab:0004D15E 21 46                         MOV             R1, R4

.text&ARM.extab:0004D160 22 46                         MOV             R2, R4

.text&ARM.extab:0004D160

.text&ARM.extab:0004D162

.text&ARM.extab:0004D162                               loc_4D162                     ; CODE XREF: jhj_DecryptBytes+A4↓j

.text&ARM.extab:0004D162 BC 42                         CMP             R4, R7

.text&ARM.extab:0004D164 0D D0                         BEQ             loc_4D182

.text&ARM.extab:0004D164

.text&ARM.extab:0004D166 01 32                         ADDS            R2, #1

.text&ARM.extab:0004D168 01 34                         ADDS            R4, #1

.text&ARM.extab:0004D16A D2 B2                         UXTB            R2, R2

.text&ARM.extab:0004D16C 13 F8 02 C0                   LDRB.W          R12, [R3,R2]

.text&ARM.extab:0004D170 61 44                         ADD             R1, R12

.text&ARM.extab:0004D172 C9 B2                         UXTB            R1, R1

.text&ARM.extab:0004D174 13 F8 01 80                   LDRB.W          R8, [R3,R1]

.text&ARM.extab:0004D178 03 F8 02 80                   STRB.W          R8, [R3,R2]

.text&ARM.extab:0004D17C 03 F8 01 C0                   STRB.W          R12, [R3,R1]

.text&ARM.extab:0004D180 EF E7                         B               loc_4D162

.text&ARM.extab:0004D180

.text&ARM.extab:0004D182                               ; ---------------------------------------------------------------------------

.text&ARM.extab:0004D182

.text&ARM.extab:0004D182                               loc_4D182                     ; CODE XREF: jhj_DecryptBytes+88↑j

.text&ARM.extab:0004D182 05 EB 00 0C                   ADD.W           R12, R5, R0

.text&ARM.extab:0004D186 2F 46                         MOV             R7, R5

.text&ARM.extab:0004D186

.text&ARM.extab:0004D188

.text&ARM.extab:0004D188                               loc_4D188                     ; CODE XREF: jhj_DecryptBytes+DA↓j

.text&ARM.extab:0004D188 01 32                         ADDS            R2, #1

.text&ARM.extab:0004D18A D2 B2                         UXTB            R2, R2

.text&ARM.extab:0004D18C 9C 5C                         LDRB            R4, [R3,R2]

.text&ARM.extab:0004D18E 21 44                         ADD             R1, R4

.text&ARM.extab:0004D190 C9 B2                         UXTB            R1, R1

.text&ARM.extab:0004D192 13 F8 01 80                   LDRB.W          R8, [R3,R1]

.text&ARM.extab:0004D196 03 F8 02 80                   STRB.W          R8, [R3,R2]

.text&ARM.extab:0004D19A 5C 54                         STRB            R4, [R3,R1]

.text&ARM.extab:0004D19C 13 F8 02 80                   LDRB.W          R8, [R3,R2]

.text&ARM.extab:0004D1A0 44 44                         ADD             R4, R8

.text&ARM.extab:0004D1A2 E4 B2                         UXTB            R4, R4

.text&ARM.extab:0004D1A4 13 F8 04 80                   LDRB.W          R8, [R3,R4]

.text&ARM.extab:0004D1A8 17 F8 01 4B                   LDRB.W          R4, [R7],#1

.text&ARM.extab:0004D1AC 67 45                         CMP             R7, R12

.text&ARM.extab:0004D1AE 88 EA 04 04                   EOR.W           R4, R8, R4

.text&ARM.extab:0004D1B2 07 F8 01 4C                   STRB.W          R4, [R7,#-1]

.text&ARM.extab:0004D1B6 E7 D1                         BNE             loc_4D188

.text&ARM.extab:0004D1B6

.text&ARM.extab:0004D1B8

.text&ARM.extab:0004D1B8                               loc_4D1B8                     ; CODE XREF: jhj_DecryptBytes+38↑j

.text&ARM.extab:0004D1B8 13 4B                         LDR             R3, =(p6185EAA3C139AC76EEFDBB2353E688AA_ptr - 0x4D1BE)

.text&ARM.extab:0004D1BA 7B 44                         ADD             R3, PC        ; p6185EAA3C139AC76EEFDBB2353E688AA_ptr

.text&ARM.extab:0004D1BC 1B 68                         LDR             R3, [R3]      ; p6185EAA3C139AC76EEFDBB2353E688AA

.text&ARM.extab:0004D1BE 1B 68                         LDR             R3, [R3]

.text&ARM.extab:0004D1C0 33 B9                         CBNZ            R3, loc_4D1D0

.text&ARM.extab:0004D1C0

.text&ARM.extab:0004D1C2 12 4B                         LDR             R3, =(p9D140C911F03767A451AB14CBC5BBAD7_ptr - 0x4D1C8)

.text&ARM.extab:0004D1C4 7B 44                         ADD             R3, PC        ; p9D140C911F03767A451AB14CBC5BBAD7_ptr

.text&ARM.extab:0004D1C6 1B 68                         LDR             R3, [R3]      ; p9D140C911F03767A451AB14CBC5BBAD7

.text&ARM.extab:0004D1C8 1B 68                         LDR             R3, [R3]

.text&ARM.extab:0004D1CA 93 F8 48 30                   LDRB.W          R3, [R3,#dword_48]

.text&ARM.extab:0004D1CE 63 B9                         CBNZ            R3, loc_4D1EA

.text&ARM.extab:0004D1CE

.text&ARM.extab:0004D1D0

.text&ARM.extab:0004D1D0                               loc_4D1D0                     ; CODE XREF: jhj_DecryptBytes+E4↑j

.text&ARM.extab:0004D1D0 31 68                         LDR             R1, [R6]

.text&ARM.extab:0004D1D2 00 29                         CMP             R1, #0

.text&ARM.extab:0004D1D4 09 DD                         BLE             loc_4D1EA

.text&ARM.extab:0004D1D4

.text&ARM.extab:0004D1D6 2B 18                         ADDS            R3, R5, R0

.text&ARM.extab:0004D1D8 18 46                         MOV             R0, R3

.text&ARM.extab:0004D1D8

.text&ARM.extab:0004D1DA

.text&ARM.extab:0004D1DA                               loc_4D1DA                     ; CODE XREF: jhj_DecryptBytes+10C↓j

.text&ARM.extab:0004D1DA 1A 78                         LDRB            R2, [R3]

.text&ARM.extab:0004D1DC 82 F0 AC 02                   EOR.W           R2, R2, #0xAC

.text&ARM.extab:0004D1E0 03 F8 01 2B                   STRB.W          R2, [R3],#1

.text&ARM.extab:0004D1E4 1A 1A                         SUBS            R2, R3, R0

.text&ARM.extab:0004D1E6 8A 42                         CMP             R2, R1

.text&ARM.extab:0004D1E8 F7 DB                         BLT             loc_4D1DA

.text&ARM.extab:0004D1E8

.text&ARM.extab:0004D1EA

.text&ARM.extab:0004D1EA                               loc_4D1EA                     ; CODE XREF: jhj_DecryptBytes+F2↑j

.text&ARM.extab:0004D1EA                                                             ; jhj_DecryptBytes+F8↑j

.text&ARM.extab:0004D1EA 43 9A                         LDR             R2, [SP,#0x130+var_24]

.text&ARM.extab:0004D1EC DE F8 00 30                   LDR.W           R3, [LR]

.text&ARM.extab:0004D1F0 9A 42                         CMP             R2, R3

.text&ARM.extab:0004D1F2 01 D0                         BEQ             loc_4D1F8

.text&ARM.extab:0004D1F2

.text&ARM.extab:0004D1F4 C3 F7 A8 E8                   BLX             jhj__stack_chk_fail

.text&ARM.extab:0004D1F4

.text&ARM.extab:0004D1F8

.text&ARM.extab:0004D1F8                               loc_4D1F8                     ; CODE XREF: jhj_DecryptBytes+116↑j

.text&ARM.extab:0004D1F8 45 B0                         ADD             SP, SP, #0x114

.text&ARM.extab:0004D1FA BD E8 F0 83                   POP.W           {R4-R9,PC}

}
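An added example (not code from the original post or from the packer): a Python reconstruction of what the jhj_DecryptBytes listing above does, namely RC4 whose keystream is first advanced to the file offset and then XORed over the chunk, followed by the optional 0xAC pass. The 16-byte key pointed to by off_AC22C is not on the page, so the key and data used here are constructed placeholders.

```python
# Added example, not the post's code: reconstruction of jhj_DecryptBytes.
# The sample's real 16-byte key (off_AC22C) is not on the page; the key and
# data below are constructed placeholders.

def rc4_ksa(key: bytes) -> list:
    """Key scheduling (loc_4D122 / loc_4D132). The sample wraps the key index
    at 16 (CMP R2,#0xF; MOVGT R2,#0); using len(key) generalises that."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_xor_at(key: bytes, offset: int, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream starting at keystream position `offset`."""
    s = rc4_ksa(key)
    i = j = 0
    # loc_4D162: advance the generator `offset` times without emitting bytes.
    # This is what lets a chunk read at file offset N be decrypted on its own,
    # which is why the read/pread64 hooks can pass the file offset straight in.
    for _ in range(offset):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    # loc_4D188: ordinary PRGA output, XORed over the buffer in place.
    for n, c in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = c ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)

def xor_tail_ac(data: bytes, start: int, length: int) -> bytes:
    """Second pass (loc_4D1DA): when the sample's flag check passes, `length`
    bytes after the RC4 region are XORed with the constant 0xAC."""
    buf = bytearray(data)
    for k in range(start, min(start + length, len(buf))):
        buf[k] ^= 0xAC
    return bytes(buf)

if __name__ == "__main__":
    key = b"constructed-key!"                     # 16 bytes, stands in for off_AC22C
    plain = b"constructed plaintext for the chunk-vs-whole check"
    whole = rc4_xor_at(key, 0, plain)
    # Decrypting only the chunk at offset 7 equals decrypting everything and slicing.
    assert rc4_xor_at(key, 7, whole[7:]) == plain[7:]
    print("chunked decryption matches:", rc4_xor_at(key, 0, whole) == plain)
```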

 

Finally:

The reassembled APK itself carries root and signature checks. Because the test device runs a self-built AOSP, the root check passes, so only the signature check needs to be dealt with.

}




Last edited by 樨下 on 2023-7-31 00:54, reason:

Latest replies (5)
2  2023-7-31 09:09
Thanks for sharing.
3  2023-7-31 12:52
Thanks for sharing. The formatting is currently broken; consider attaching it as a Word document, which would make it easier to read.
4  2023-7-31 15:49
Thanks for sharing. Could you provide the sample?
5  2023-9-27 13:48
Root detection usually just checks for su and the like, which is actually easy to get past. Have you looked into the Bangbang enterprise shell? Could we exchange contact details to discuss it?
6  2024-4-25 15:11
I can't even unpack the free Bangbang shell.