首页
社区
课程
招聘
[求助]初学逆向,遇到个so文件感觉无从下手
发表于: 2023-12-12 15:15 2781

[求助]初学逆向,遇到个so文件感觉无从下手

2023-12-12 15:15
2781

论坛泡久了对逆向有点上瘾,奈何技术储备太浅,面对so文件时感觉很无力,特来求助一下,寻找一下思路,希望大佬们能指明一条学习路线

1.首先打开的是JNI_OnLoad文件,点击进入了off_5F9E8

2.根据java中入口方法_de_intercept,传入的是一个Lokhttp3/Interceptor$Chain对象,选择了sub_5BE6C

3点开qword_64828,qword_64830,sub_2A3D8,感觉如同看天书,没有任何头绪
qword_64828,qword_64830的代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
  __int64 v5; // x21
  __int64 v6; // x0
  __int64 v7; // x20
  __int64 v8; // x21
  __int64 v9; // x23
  __int64 v10; // x24
  __int64 v11; // x0
  __int64 v12; // x0
  _BYTE v13[12]; // [xsp+0h] [xbp-1A70h] BYREF
  char v14[28]; // [xsp+Ch] [xbp-1A64h] BYREF
  char dest[6720]; // [xsp+28h] [xbp-1A48h] BYREF
  __int64 v16; // [xsp+1A68h] [xbp-8h]
 
  v16 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  if ( !qword_64828 )
  {
    v1 = result;
    v2 = sub_5D63C();
    memcpy(dest, &unk_1A924, sizeof(dest));
    v3 = sub_2C368(v1, v2, dest, 6720LL, "/d1x4.dex");
    v4 = qword_64810;
    v5 = v3;
    v6 = (*(*v1 + 1336LL))(v1, "cn.fxlcy.mh.mp");
    v7 = sub_2A3D8(v1, v5, v4, v6);
    v8 = (*(*v1 + 264LL))(v1, v7, "<init>", "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V");
    __strlcpy_chk(
      v14,
      "ys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      25LL,
      25LL);
    v14[24] = 0;
    __strlcpy_chk(
      v13,
      "2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      9LL,
      9LL);
    v13[8] = 0;
    v9 = (*(*v1 + 1336LL))(v1, v14);
    v10 = (*(*v1 + 1336LL))(v1, v13);
    v11 = (*(*v1 + 1336LL))(
            v1,
            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0"
            "Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6"
            "Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUj"
            "fk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB");
    v12 = sub_2C100(v1, v7, v8, v9, v10, v11);
    qword_64828 = (*(*v1 + 168LL))(v1, v12);
    qword_64830 = (*(*v1 + 264LL))(v1, v7, "i", "(Lokhttp3/Interceptor$Chain;)Lokhttp3/Response;");
    qword_64838 = (*(*v1 + 264LL))(v1, v7, "pps", "(Ljava/lang/String;Z)[Ljava/lang/String;");
    qword_64840 = (*(*v1 + 264LL))(v1, v7, "deb", "([B)[B");
    result = (*(*v1 + 1720LL))(v1, v7, off_5FB38, 2LL);
    if ( result )
      result = sub_5B59C();
    byte_64848 = 1;
  }
  return result;
}

sub_2A3D8代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
__int64 sub_2A3D8(_JNIEnv *a1, void *a2, struct _jmethodID *a3, ...)
{
  jobject (__fastcall *CallObjectMethodV)(JNIEnv *, jobject, jmethodID, va_list); // x8
  gcc_va_list va1; // [xsp+B0h] [xbp-50h] BYREF
  gcc_va_list va; // [xsp+D8h] [xbp-28h] BYREF
  __int64 v7; // [xsp+F8h] [xbp-8h]
 
  va_start(va, a3);
  v7 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  CallObjectMethodV = a1->functions->CallObjectMethodV;
  va_copy(va1, va);
  return CallObjectMethodV(&a1->functions, a2, a3, va1);
}

java入口文件代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
package cn.fxlcy.anative;
 
import android.content.Context;
import androidx.annotation.Keep;
import java.io.IOException;
import okhttp3.Interceptor;
import okhttp3.Response;
 
/* loaded from: classes.dex */
public class Native {
    @Keep
    public static final Object ALOCK;
 
    /* renamed from: a  reason: collision with root package name */
    public static boolean f1145a;
 
    static {
        System.loadLibrary("fcore");
        f1145a = true;
        ALOCK = new Object();
    }
 
    public static native String _channel();
 
    public static native Response _de_intercept(Interceptor.Chain chain) throws IOException;
 
    public static Response a(Interceptor.Chain chain) throws IOException {
        try {
            if (f1145a) {
                synchronized (ALOCK) {
                    u_auth();
                }
                f1145a = false;
            }
            Response _de_intercept = _de_intercept(chain);
            return _de_intercept == null ? chain.proceed(chain.request()) : _de_intercept;
        } catch (Throwable th) {
            if (th instanceof IOException) {
                throw th;
            }
            throw new IOException(th);
        }
    }
 
    public static native byte[] de(byte[] bArr);
 
    public static native String[] dra(String str, boolean z);
 
    public static native String gpk();
 
    public static native String gqm();
 
    public static native void init(Context context);
 
    public static native long system_currentTimeSeconds();
 
    public static native void u_auth();
 
    public static native String url_auth(String str);
}

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 7166
活跃值: (3267)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2

把那些Native函数的第一个参数类型设置成`JNIEnv*`就会清晰很多,比如`sub_2A3D8`它只是调用了`CallObjectMethodV`

至于`qword_64828`什么的,那是未初始化的全局变量,你可以按x找到写入的地方

2023-12-12 18:45
0
雪    币: 10
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
3
breaklink 把那些Native函数的第一个参数类型设置成`JNIEnv*`就会清晰很多,比如`sub_2A3D8`它只是调用了`CallObjectMethodV`至于`qword_64828`什么的,那是未初始 ...
大佬,那个JNIload的函数如何加载正确的结构体函数呢
2023-12-13 16:47
0
游客
登录 | 注册 方可回帖
返回
//