
[求助]初学逆向,遇到个so文件感觉无从下手

2023-12-12 15:15
2313

论坛泡久了对逆向有点上瘾,奈何技术储备太浅,面对so文件时感觉很无力,特来求助一下,寻找一下思路,希望大佬们能指明一条学习路线

1.首先打开的是JNI_OnLoad函数,点击进入了off_5F9E8

2.根据java中入口方法_de_intercept,传入的是一个Lokhttp3/Interceptor$Chain对象,选择了sub_5BE6C

3.点开qword_64828,qword_64830,sub_2A3D8,感觉如同看天书,没有任何头绪
qword_64828,qword_64830的代码如下:

  /*
   * IDA pseudocode of the one-shot initialiser behind qword_64828 / qword_64830.
   * The paste starts after the function header, so the signature and the
   * declarations of result, v1..v4 are not visible here.  Every call of the
   * form (*(*v1 + OFF))(v1, ...) is an indirect call through the JNIEnv
   * function table, so v1 is the JNIEnv*; on a 64-bit target OFF / 8 is the
   * index into JNINativeInterface:  168 -> NewGlobalRef, 264 -> GetMethodID,
   * 1336 -> NewStringUTF, 1720 -> RegisterNatives.  Retyping v1 as JNIEnv* in
   * the decompiler makes it print these names instead of raw offsets.
   */
  __int64 v5; // x21   copy of v3, the object returned by sub_2C368
  __int64 v6; // x0    jstring built from "cn.fxlcy.mh.mp"
  __int64 v7; // x20   result of sub_2A3D8; used as the jclass argument of GetMethodID / RegisterNatives below
  __int64 v8; // x21   jmethodID of <init>(String, String, String)
  __int64 v9; // x23   jstring built from v14
  __int64 v10; // x24  jstring built from v13
  __int64 v11; // x0   jstring built from the long Base64 literal
  __int64 v12; // x0   object returned by sub_2C100 (presumably the new instance)
  _BYTE v13[12]; // [xsp+0h] [xbp-1A70h] BYREF   8-char string + NUL
  char v14[28]; // [xsp+Ch] [xbp-1A64h] BYREF    24-char string + NUL
  char dest[6720]; // [xsp+28h] [xbp-1A48h] BYREF  6720-byte copy of the data at unk_1A924
  __int64 v16; // [xsp+1A68h] [xbp-8h]   stack-protector guard value (see below)
 
  // TPIDR_EL0 + 40: on Android/bionic this is the thread's stack-protector
  // guard, saved here to protect the 6.7 KiB frame; the matching check at the
  // epilogue is not shown in the paste.  Ignore it when reading the logic.
  v16 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  if ( !qword_64828 )   // runs once: qword_64828 stays NULL until the global ref is stored below
  {
    v1 = result;   // the incoming value is reused as the JNIEnv* from here on (declaration not in this paste)
    v2 = sub_5D63C();
    // 6720 bytes baked into the .so are copied to the stack and handed to
    // sub_2C368 together with a ".dex" file name -- presumably an in-memory
    // DEX load; the returned object is then asked for a class by name below.
    memcpy(dest, &unk_1A924, sizeof(dest));
    v3 = sub_2C368(v1, v2, dest, 6720LL, "/d1x4.dex");
    v4 = qword_64810;   // global set elsewhere; it is passed in sub_2A3D8's jmethodID slot
    v5 = v3;
    v6 = (*(*v1 + 1336LL))(v1, "cn.fxlcy.mh.mp");   // NewStringUTF
    // sub_2A3D8 is a CallObjectMethodV wrapper (see its listing below):
    // v5.<qword_64810>(v6).  Because v7 is used as a jclass afterwards this
    // looks like a loadClass-style call on the object created from the DEX.
    v7 = sub_2A3D8(v1, v5, v4, v6);
    v8 = (*(*v1 + 264LL))(v1, v7, "<init>", "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V");   // GetMethodID: 3-String constructor
    // All three constructor arguments are literals in the library's rodata:
    // v14 = first 24 chars of this literal ("ys6n2GvmgEyB3rELDX1gaTBf"),
    // v13 = first 8 chars of the next one ("2pnB3NI2"), which is the same text
    // minus its first 24 chars, and v11 = the full Base64 string whose prefix
    // "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" is the usual DER RSA-2048
    // SubjectPublicKeyInfo header; the two short pieces are slices of that key.
    // None of this is secret: the values are plain constants in the binary.
    __strlcpy_chk(
      v14,
      "ys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      25LL,
      25LL);   // size 25 => 24 characters + NUL
    v14[24] = 0;   // redundant terminator, strlcpy already wrote it
    __strlcpy_chk(
      v13,
      "2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      9LL,
      9LL);    // size 9 => 8 characters + NUL
    v13[8] = 0;    // redundant terminator
    v9 = (*(*v1 + 1336LL))(v1, v14);   // NewStringUTF
    v10 = (*(*v1 + 1336LL))(v1, v13);  // NewStringUTF
    v11 = (*(*v1 + 1336LL))(           // NewStringUTF
            v1,
            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0"
            "Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6"
            "Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUj"
            "fk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB");
    v12 = sub_2C100(v1, v7, v8, v9, v10, v11);   // (env, class, <init> id, 3 args): presumably a NewObject wrapper
    qword_64828 = (*(*v1 + 168LL))(v1, v12);     // NewGlobalRef: qword_64828 holds the instance, kept alive across JNI calls
    qword_64830 = (*(*v1 + 264LL))(v1, v7, "i", "(Lokhttp3/Interceptor$Chain;)Lokhttp3/Response;");   // GetMethodID; same shape as the Java native _de_intercept(Chain)
    qword_64838 = (*(*v1 + 264LL))(v1, v7, "pps", "(Ljava/lang/String;Z)[Ljava/lang/String;");          // GetMethodID; same shape as the Java native dra(String, boolean)
    qword_64840 = (*(*v1 + 264LL))(v1, v7, "deb", "([B)[B");                                            // GetMethodID; same shape as the Java native de(byte[])
    // RegisterNatives(env, v7, off_5FB38, 2): binds two native methods of the
    // loaded class to the function pointers in the JNINativeMethod table at
    // off_5FB38.  It returns 0 on success, so sub_5B59C only runs on failure.
    result = (*(*v1 + 1720LL))(v1, v7, off_5FB38, 2LL);
    if ( result )
      result = sub_5B59C();
    byte_64848 = 1;   // presumably the "initialised" flag read by the rest of the library
  }
  return result;
}

sub_2A3D8代码如下:

/*
 * Variadic wrapper around JNIEnv->CallObjectMethodV: a1 = JNIEnv*, a2 = the
 * receiver object, a3 = the jmethodID, and the remaining arguments are the
 * Java method's parameters.  This is exactly what the C++ inline
 * _JNIEnv::CallObjectMethod(obj, methodID, ...) from jni.h expands to, so the
 * function is almost certainly that helper rather than application logic.
 * The initialiser above uses it for its class lookup.
 */
__int64 sub_2A3D8(_JNIEnv *a1, void *a2, struct _jmethodID *a3, ...)
{
  jobject (__fastcall *CallObjectMethodV)(JNIEnv *, jobject, jmethodID, va_list); // x8   slot read from the JNI function table
  gcc_va_list va1; // [xsp+B0h] [xbp-50h] BYREF   copy handed to the callee
  gcc_va_list va; // [xsp+D8h] [xbp-28h] BYREF    the variadic arguments after a3
  __int64 v7; // [xsp+F8h] [xbp-8h]   stack-protector guard (TPIDR_EL0 + 40); not part of the logic
 
  va_start(va, a3);
  v7 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  CallObjectMethodV = a1->functions->CallObjectMethodV;
  va_copy(va1, va);
  // &a1->functions is the address of the JNIEnv itself, i.e. the env pointer
  // is passed as the first argument as the JNI calling convention requires.
  return CallObjectMethodV(&a1->functions, a2, a3, va1);
}

java入口文件代码

package cn.fxlcy.anative;
 
import android.content.Context;
import androidx.annotation.Keep;
import java.io.IOException;
import okhttp3.Interceptor;
import okhttp3.Response;
 
/* loaded from: classes.dex */
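/**
 * JNI bridge to libfcore.so.  The static initialiser loads the library and
 * creates {@link #ALOCK}; apart from {@link #a(Interceptor.Chain)} every
 * member is a native method implemented in that library.
 */
public class Native {
    /** Lock serialising the one-time {@link #u_auth()} call; kept by name for the native side. */
    @Keep
    public static final Object ALOCK;

    /* renamed from: a  reason: collision with root package name */
    // True until u_auth() has completed once.  volatile so that the
    // unsynchronised fast-path read in a() cannot observe a stale value.
    public static volatile boolean f1145a;

    static {
        System.loadLibrary("fcore");
        f1145a = true;
        ALOCK = new Object();
    }

    public static native String _channel();

    public static native Response _de_intercept(Interceptor.Chain chain) throws IOException;

    /**
     * Interceptor entry point.  Runs {@link #u_auth()} once (first caller
     * wins), then hands the chain to the native {@link #_de_intercept}; a
     * {@code null} native result falls back to {@code chain.proceed(chain.request())}.
     *
     * @param chain the OkHttp interceptor chain
     * @return the response produced natively, or the upstream response when
     *         the native side returned {@code null}
     * @throws IOException propagated from the native side or the chain; any
     *         other Throwable is wrapped so callers only ever see IOException
     */
    public static Response a(Interceptor.Chain chain) throws IOException {
        try {
            // Double-checked: the volatile read skips the lock after the first
            // call, and the re-check inside the lock guarantees u_auth() runs
            // exactly once even when several threads arrive together.  The flag
            // is cleared only after u_auth() returns normally, so a failed
            // attempt is retried on the next call.
            if (f1145a) {
                synchronized (ALOCK) {
                    if (f1145a) {
                        u_auth();
                        f1145a = false;
                    }
                }
            }
            Response response = _de_intercept(chain);
            return response == null ? chain.proceed(chain.request()) : response;
        } catch (Throwable th) {
            if (th instanceof IOException) {
                throw (IOException) th;
            }
            throw new IOException(th);
        }
    }

    // Signatures of de / dra / _de_intercept mirror the "deb" / "pps" / "i"
    // method IDs the native initialiser looks up; presumably they forward there.
    public static native byte[] de(byte[] bArr);

    public static native String[] dra(String str, boolean z);

    public static native String gpk();

    public static native String gqm();

    public static native void init(Context context);

    public static native long system_currentTimeSeconds();

    public static native void u_auth();

    public static native String url_auth(String str);
}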


最新回复 (2)
breaklink 2023-12-12 18:45

把那些Native函数的第一个参数类型设置成`JNIEnv*`就会清晰很多,比如`sub_2A3D8`它只是调用了`CallObjectMethodV`

至于`qword_64828`什么的,那是未初始化的全局变量,你可以按x找到写入的地方

mb_ldbucrik 2023-12-13 16:47
breaklink 把那些Native函数的第一个参数类型设置成`JNIEnv*`就会清晰很多,比如`sub_2A3D8`它只是调用了`CallObjectMethodV`至于`qword_64828`什么的,那是未初始 ...
大佬,那个JNI_OnLoad函数如何加载正确的结构体函数呢