-
-
[原创]某加固so层脱壳
-
发表于: 2025-2-12 13:52
-
加固版本:2025/2/11 最新免费版
第一步 :使用frida(最好魔改 不然有检测) 查看加载的so文件
打印出来所有加载的so文件了:
[Calvin designers::com.calvin.check_tset ]-> dlopen: /data/data/com.calvin.check_tset/.jiagu/libjiagu_64.so
dlopen: liblog.so
dlopen: libz.so
dlopen: libc.so
dlopen: libm.so
dlopen: libstdc++.so
dlopen: libdl.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libart.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjgdtc.so
dlopen: /data/app/gUGk1sgfebPev2a5rxao2w==/com.calvin.check_tset-Kj54dsV2miW8iYUVx-eTmA==/lib/arm64/libcheck_tset.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: /vendor/lib64/hw/gralloc.lito.so
dlopen: libadreno_app_profiles.so
dlopen: libEGL_adreno.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: libadreno_utils.so
dlopen: libandroid.so
一眼观望全部so文件 , 接下来 把要分析的so文件 dump下来 看看 怎么回事
dump 下来的so是需要修复滴 使用so_fixer
修复完毕后 就可以显示 全部的符号信息了
现在 我们需要了解程序运行 调用的流程 也就是 函数 trace
这里使用 oacia 佬的方案
打印 so函数的流程:
call1:JNI_OnLoad
call2:j_interpreter_wrap_int64_t
call3:interpreter_wrap_int64_t
call4:_Znwm
call5:sub_1362C
call6:_Znam
call7:sub_10F54
call8:memset
call9:sub_9C50
call10:sub_E114
call11:calloc
call12:malloc
call13:free
call14:sub_E37C
call15:_ZdaPv
call16:sub_C680
call17:sub_CB38
call18:sub_9800
call19:sub_97DC
call20:sub_CCA8
call21:sub_C86C
call22:sub_993C
call23:sub_1591C
call24:sub_16094
call25:sub_16160
call26:sub_15C94
call27:sub_16954
call28:sub_15D14
call29:sub_159F0
call30:sub_1595C
call31:sub_9778
call32:sub_CB90
call33:sub_CD8C
call34:sub_CAD8
call35:sub_91E0
call36:dladdr
call37:strstr
call38:setenv
call39:_Z9__arm_a_1P7_JavaVMP7_JNIEnvPvRi
call40:sub_9CD0
call41:sub_9814
call42:sub_10698
call43:j__ZdlPv_1
call44:_ZdlPv
call45:sub_9558
call46:sub_7D00 //这里存在 so字符串
call47:__strncpy_chk2
call48:sub_5ACC
call49:sub_5F30
call50:sub_46A0
call51:sub_5B14
call52:_ZN9__arm_c_19__arm_c_0Ev
call53:sub_A228
call54:sub_9844
call55:sub_97BC
call56:sub_CF24
call57:sub_5E70
call58:sub_5F7C
call59:memcpy
call60:sub_6084 //疑似 加密函数
call61:sub_5974
call62:j__ZdlPv_3
call63:j__ZdlPv_2
call64:j__ZdlPv_0
call65:sub_A1DC
call66:sub_9908
call67:sub_59CC
call68:sub_5A24 //疑似 rc4
call69:sub_9E58
call70:sub_307C
call71:uncompress //经典解压环节
call72:sub_CBF4
call73:sub_4538 // 这里好像 linker load
call74:sub_4D34
call75:sub_4DAC
call76:sub_543C //这里存在 异或加密
call77:sub_4F84
call78:sub_5140 // 存在 内存拷贝 权限修改
call79:mprotect
call80:__strlen_chk
call81:strncpy
call82:sub_379C // linker 加载
call83:dlopen
call84:sub_446C // 这里纯在 将 内存 区域 清零
call85:sub_3B54 // 链接有关
call86:sub_3D08 // 这里出现一些 疑似奇怪的检测
call87:sub_30B4
call88:dlsym
call89:strcmp
call90:sub_57A0 // 这里也是修改内存权限 为 可执行吧?
call91:sub_4D78
call92:sub_5D28
call93:sub_7E38
call94:sub_47BC
call95:sub_7F64
call96:sub_8854
call97:sub_8BE0
call98:sub_8138
call99:interpreter_wrap_int64_t_bridge
call100:sub_9BD8
call101:sub_15C0C
call102:puts
call103:_Z9__arm_a_2PcmS_Rii
这里 我一个步骤一个步骤的看 发现函数 sub_9558() 调用 kill() 自己 进程
第一个函数 :
字符串为加密 我们编写frida 打印一下
发现 frida 未打印 这个函数也未运行那就不管啦
在 sub_7D00 函数 里面居然出现了 so 这个字符串
在之后 还遇到 一道类似加密算法的sub_6084函数:
//继续按照trace流程 观察 代码 (找到能看懂的部分 就行)
发现一个类似 rc4 初始化算法的 部分 :
这里大致把能看懂的 打了注释 整个流程已经了解的差不多了
现在我们要解密 so文件 就需要深入的了解 自实现linker加载so 的原理
参考: https://bbs.kanxue.com/thread-282316.htm
流程大概是这样
这个加固 把流程 已经混淆,我们需要 找到 关键函数 dump下来 才能完成修复
这里 与 刚刚那个so linker项目 里面的预链接 相似
这里可以推断出 dynamic
而这里我们需要一个so info 的结构体 oacia佬的文章里 823K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6G2j5h3y4A6j5g2)9J5k6h3c8W2N6W2)9J5c8U0x3$3x3q4)9J5k6r3A6A6j5h3N6#2i4K6u0r3 拿来就用
而且 推断出 大致结构体 :
这个结构的 不是准确的,只推断出 phdr phnum dynamic plt_rela_ plt_rela_count_ rela_ rela_count_ base
这几个变量的值 是确定的 其他的并不准确。
在 hook 预链接函数 处 进行dump
将 dump 下的 组件 copy还原回去
细节修复 plt 与 got
因为 我们在 链接前 dump的 所以无需修复 还原 即可 用ida 使用
我也是成功 恢复了 so文件中的 符号
希望版主大大 加个精华, 小弟大三,想在简历里添加一笔 看雪有精华 文章!
参考: 59eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6G2j5h3y4A6j5g2)9J5k6h3c8W2N6W2)9J5c8U0x3$3x3q4)9J5k6r3A6A6j5h3N6#2i4K6u0r3
v4 = sub_6F9C();if ( (v4 & 1) != 0 ){v5 = getpid();v4 = kill(v5, 9);}v6 = sub_70A8(v4);v7 = sub_7204(v6);if ( (v7 & 1) != 0 ){v8 = getpid();v7 = kill(v8, 9);}result = sub_70A8(v7);v1 = qword_276180;v4 = sub_6F9C();if ( (v4 & 1) != 0 ){v5 = getpid();v4 = kill(v5, 9);}v6 = sub_70A8(v4);v7 = sub_7204(v6);if ( (v7 & 1) != 0 ){v8 = getpid();v7 = kill(v8, 9);}result = sub_70A8(v7);v1 = qword_276180;FILE *sub_6F9C(){ FILE *result; // x0 FILE *v1; // x19 char s[512]; // [xsp+8h] [xbp-248h] BYREF char v3[16]; // [xsp+208h] [xbp-48h] BYREF char filename[24]; // [xsp+218h] [xbp-38h] BYREF _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); *(_QWORD *)&filename[6] = '\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB'; *(_QWORD *)filename = '\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A'; *(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL; *(_QWORD *)v3 = 0x9595959595959595LL; sub_6554(filename, 14LL); sub_6554(v3, 14LL); memset(s, 0, sizeof(s)); result = fopen(filename, "r"); if ( result ) { v1 = result; while ( !feof(v1) ) { fgets(s, 512, v1); if ( strstr(s, v3) ) { fclose(v1); return (FILE *)(&dword_0 + 1); } memset(s, 0, sizeof(s)); } fclose(v1); return 0LL; } return result;}FILE *sub_6F9C(){ FILE *result; // x0 FILE *v1; // x19 char s[512]; // [xsp+8h] [xbp-248h] BYREF char v3[16]; // [xsp+208h] [xbp-48h] BYREF char filename[24]; // [xsp+218h] [xbp-38h] BYREF _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); *(_QWORD *)&filename[6] = '\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB'; *(_QWORD *)filename = '\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A'; *(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL; *(_QWORD *)v3 = 0x9595959595959595LL; sub_6554(filename, 14LL); sub_6554(v3, 14LL); memset(s, 0, sizeof(s)); result = fopen(filename, "r"); if ( result ) { v1 = result; while ( !feof(v1) ) { fgets(s, 512, v1); if ( strstr(s, v3) ) { fclose(v1); return (FILE *)(&dword_0 + 1); } memset(s, 0, sizeof(s)); } fclose(v1); return 0LL; } return result;}__int64 sub_7D00(){ __int64 v0; // x19 _QWORD v2[7]; // [xsp+10h] [xbp-140h] BYREF _QWORD v3[2]; // [xsp+48h] [xbp-108h] BYREF __int128 v4; // [xsp+58h] [xbp-F8h] _OWORD v5[8]; // [xsp+68h] [xbp-E8h] BYREF __int128 v6; // [xsp+E8h] [xbp-68h] __int128 v7; // [xsp+F8h] [xbp-58h] __int128 v8; // [xsp+108h] [xbp-48h] __int128 v9; // [xsp+118h] [xbp-38h] _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); v8 = 0u; v9 = 0u; v6 = 0u; v7 = 0u; memset(v5, 0, sizeof(v5)); v4 = 0u; _strncpy_chk2((char *)v5 + 4, "*.so", 128LL, 188LL, 5LL); v3[0] = &qword_2D260; v3[1] = 752309LL; *(_QWORD *)&v7 = off_2D178; LODWORD(v5[0]) = 1; *((_QWORD *)&v6 + 1) = &qword_E5178; DWORD2(v9) = 1; *((_QWORD *)&v7 + 1) = 0x400000002LL; LODWORD(v8) = 5; *((_QWORD *)&v8 + 1) = 0LL; *(_QWORD *)&v9 = 0LL; sub_5ACC(v2); v2[0] = (char *)off_2CF48 + 16; v0 = 0LL; if ( (sub_5F30(v2, (char *)&qword_E4D10 + 5, 1062LL) & 1) != 0 ) { v0 = sub_46A0(v3, v2); if ( *((_QWORD *)&v8 + 1) ) free(*((void **)&v8 + 1)); } sub_5D28(v2); return v0;}__int64 sub_7D00(){ __int64 v0; // x19 _QWORD v2[7]; // [xsp+10h] [xbp-140h] BYREF _QWORD v3[2]; // [xsp+48h] [xbp-108h] BYREF __int128 v4; // [xsp+58h] [xbp-F8h] _OWORD v5[8]; // [xsp+68h] [xbp-E8h] BYREF __int128 v6; // [xsp+E8h] [xbp-68h] __int128 v7; // [xsp+F8h] [xbp-58h] __int128 v8; // [xsp+108h] [xbp-48h] __int128 v9; // [xsp+118h] [xbp-38h] _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); v8 = 0u; v9 = 0u; v6 = 0u; v7 = 0u; memset(v5, 0, sizeof(v5)); v4 = 0u; _strncpy_chk2((char *)v5 + 4, "*.so", 128LL, 188LL, 5LL); v3[0] = &qword_2D260; v3[1] = 752309LL; *(_QWORD *)&v7 = off_2D178; LODWORD(v5[0]) = 1; *((_QWORD *)&v6 + 1) = &qword_E5178; DWORD2(v9) = 1; *((_QWORD *)&v7 + 1) = 0x400000002LL; LODWORD(v8) = 5; *((_QWORD *)&v8 + 1) = 0LL; *(_QWORD *)&v9 = 0LL; sub_5ACC(v2); v2[0] = (char *)off_2CF48 + 16; v0 = 0LL; if ( (sub_5F30(v2, (char *)&qword_E4D10 + 5, 1062LL) & 1) != 0 ) { v0 = sub_46A0(v3, v2); if ( *((_QWORD *)&v8 + 1) ) free(*((void **)&v8 + 1)); } sub_5D28(v2); return v0;}_BYTE *__fastcall sub_6084(__int64 a1){ unsigned int v2; // w20 _BYTE *result; // x0 _BYTE *v4; // x10 unsigned int v5; // w8 int v6; // w11 int v7; // [xsp+8h] [xbp-48h] int v8; // [xsp+Ch] [xbp-44h] int v9; // [xsp+10h] [xbp-40h] int v10; // [xsp+14h] [xbp-3Ch] int v11; // [xsp+18h] [xbp-38h] int v12; // [xsp+1Ch] [xbp-34h] int v13; // [xsp+20h] [xbp-30h] int v14; // [xsp+24h] [xbp-2Ch] __int64 v15; // [xsp+28h] [xbp-28h] v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40); v2 = *(_DWORD *)(a1 + 4); result = (_BYTE *)operator new[](v2); v4 = *(_BYTE **)(a1 + 8); v5 = 0; v6 = 7; *(_QWORD *)(a1 + 24) = result; do { *(&v7 + v6) = ((unsigned __int8)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1; if ( v6 ) { --v6; } else { ++v5; v6 = 7; *result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7; v4 = *(_BYTE **)(a1 + 8); v2 = *(_DWORD *)(a1 + 4); } *(_QWORD *)(a1 + 8) = ++v4; } while ( v5 <= v2 - 1 ); return result;_BYTE *__fastcall sub_6084(__int64 a1){ unsigned int v2; // w20 _BYTE *result; // x0 _BYTE *v4; // x10 unsigned int v5; // w8 int v6; // w11 int v7; // [xsp+8h] [xbp-48h] int v8; // [xsp+Ch] [xbp-44h] int v9; // [xsp+10h] [xbp-40h] int v10; // [xsp+14h] [xbp-3Ch] int v11; // [xsp+18h] [xbp-38h] int v12; // [xsp+1Ch] [xbp-34h] int v13; // [xsp+20h] [xbp-30h] int v14; // [xsp+24h] [xbp-2Ch] __int64 v15; // [xsp+28h] [xbp-28h] v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40); v2 = *(_DWORD *)(a1 + 4); result = (_BYTE *)operator new[](v2); v4 = *(_BYTE **)(a1 + 8); v5 = 0; v6 = 7; *(_QWORD *)(a1 + 24) = result; do { *(&v7 + v6) = ((unsigned __int8)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1; if ( v6 ) { --v6; } else { ++v5; v6 = 7; *result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7; v4 = *(_BYTE **)(a1 + 8); v2 = *(_DWORD *)(a1 + 4); } *(_QWORD *)(a1 + 8) = ++v4; } while ( v5 <= v2 - 1 ); return result;_BYTE *__fastcall sub_5A24(_BYTE *result, int a2, __int64 a3){ __int64 v3; // x9 char v4; // w11 unsigned __int8 v5; // w10 unsigned __int8 v6; // w11 char v7; // w13 _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); if ( a2 >= 1 ) { v3 = (unsigned int)a2; do { v4 = *(_BYTE *)(a3 + 257); --v3; v5 = *(_BYTE *)(a3 + 256) + 2; *(_BYTE *)(a3 + 256) = v5; v6 = *(_BYTE *)(a3 + v5) + v4 + 1; *(_BYTE *)(a3 + 257) = v6; v7 = *(_BYTE *)(a3 + v5); *(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6); *(_BYTE *)(a3 + v6) = v7; *result++ ^= *(_BYTE *)(a3 + (unsigned __int8)(*(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 257)) + *(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 256)))); } while ( v3 ); } return result;}_BYTE *__fastcall sub_5A24(_BYTE *result, int a2, __int64 a3){ __int64 v3; // x9 char v4; // w11 unsigned __int8 v5; // w10 unsigned __int8 v6; // w11 char v7; // w13 _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); if ( a2 >= 1 ) { v3 = (unsigned int)a2; do { v4 = *(_BYTE *)(a3 + 257); --v3; v5 = *(_BYTE *)(a3 + 256) + 2; *(_BYTE *)(a3 + 256) = v5; v6 = *(_BYTE *)(a3 + v5) + v4 + 1; *(_BYTE *)(a3 + 257) = v6; v7 = *(_BYTE *)(a3 + v5); *(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6); *(_BYTE *)(a3 + v6) = v7; *result++ ^= *(_BYTE *)(a3 + (unsigned __int8)(*(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 257)) + *(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 256)))); } while ( v3 ); } return result;}// 1. 讀取so文件if(!Read(path, fd, 0, sb.st_size)){ LOGD("Read so failed"); munmap(start_addr_, sb.st_size); close(fd);}// 2. 載入soif(!Load()) { LOGD("Load so failed"); munmap(start_addr_, sb.st_size); close(fd);}// 使被加載的so有執行權限, 否則在調用.init_array時會報錯mprotect(reinterpret_cast<void *>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);// 3. 預鏈接, 主要處理 .dynamic節si_->prelink_image();// 4. 正式鏈接, 在這裡處理重定位的信息si_->link_image();// 5. 調用.init和.init_arraysi_->call_constructors();// 1. 讀取so文件if(!Read(path, fd, 0, sb.st_size)){ LOGD("Read so failed"); munmap(start_addr_, sb.st_size); close(fd);}// 2. 載入soif(!Load()) { LOGD("Load so failed"); munmap(start_addr_, sb.st_size); close(fd);}// 使被加載的so有執行權限, 否則在調用.init_array時會報錯mprotect(reinterpret_cast<void *>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);// 3. 預鏈接, 主要處理 .dynamic節si_->prelink_image();// 4. 正式鏈接, 在這裡處理重定位的信息si_->link_image();// 5. 調用.init和.init_arraysi_->call_constructors();void *__fastcall sub_379C(__int64 a1){ unsigned int v2; // w8 __int64 v3; // x20 unsigned __int64 *v4; // x11 __int64 v5; // x13 void *result; // x0 __int64 v7; // x13 __int64 v8; // x14 __int64 v9; // x15 __int64 v10; // x16 __int64 v11; // x16 unsigned __int64 v12; // t1 unsigned __int64 v13; // t1 unsigned __int64 v14; // t1 unsigned __int64 v15; // t1 unsigned __int64 v16; // t1 unsigned __int64 v17; // t1 unsigned __int64 v18; // t1 unsigned __int64 v19; // t1 unsigned __int64 v20; // t1 unsigned __int64 v21; // t1 unsigned __int64 v22; // t1 __int64 v23; // x13 __int64 v24; // x14 __int64 v25; // x15 unsigned __int64 v26; // t1 unsigned __int64 v27; // t1 unsigned __int64 v28; // t1 unsigned __int64 v29; // t1 unsigned __int64 v30; // t1 unsigned int v31; // w23 _QWORD *v32; // x24 __int64 v33; // x8 const char *v34; // x20 __int64 v35; // x9 v2 = 0; _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); v3 = *(_QWORD *)(a1 + 256); v4 = (unsigned __int64 *)(v3 + 8); while ( 2 ) { v5 = *(v4 - 1); result = 0LL; switch ( v5 ) { case 0LL: if ( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 ) return 0LL; *(_DWORD *)(a1 + 456) = v2; result = calloc(1uLL, 144LL * v2); *(_QWORD *)(a1 + 464) = result; if ( !result ) return result; v31 = 0; v32 = (_QWORD *)(v3 + 8); break; case 1LL: ++v2; v4 += 2; continue; case 2LL: v19 = *v4; v4 += 2; *(_QWORD *)(a1 + 296) = v19 / 0x18; continue; case 3LL: case 14LL: case 15LL: case 19LL: case 21LL: case 24LL: case 29LL: case 31LL: goto LABEL_2; case 4LL: *(_BYTE *)(a1 + 40) = 1; v23 = *(_QWORD *)(a1 + 400); v24 = *(unsigned int *)(*v4 + v23); *(_QWORD *)(a1 + 8) = v24; v25 = *(unsigned int *)(*v4 + v23 + 4); v23 += 8LL; *(_QWORD *)(a1 + 24) = v25; *(_QWORD *)(a1 + 16) = v23 + *v4; v26 = *v4; v4 += 2; *(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26; continue; case 5LL: v22 = *v4; v4 += 2; *(_QWORD *)(a1 + 272) = v22 + *(_QWORD *)(a1 + 400); continue; case 6LL: v21 = *v4; v4 += 2; *(_QWORD *)a1 = v21 + *(_QWORD *)(a1 + 400); continue; case 7LL: if ( *(_BYTE *)(a1 + 280) ) goto LABEL_2; v15 = *v4; v4 += 2; *(_QWORD *)(a1 + 304) = v15 + *(_QWORD *)(a1 + 400); continue; case 8LL: v20 = *v4; v4 += 2; *(_QWORD *)(a1 + 312) = v20 / 0x18; continue; case 9LL: case 11LL: if ( *v4 != 24 ) return 0LL; goto LABEL_2; case 10LL: v17 = *v4; v4 += 2; *(_QWORD *)(a1 + 448) = v17; continue; case 12LL: v18 = *v4; v4 += 2; *(_QWORD *)(a1 + 368) = v18 + *(_QWORD *)(a1 + 400); continue; case 13LL: v14 = *v4; v4 += 2; *(_QWORD *)(a1 + 376) = v14 + *(_QWORD *)(a1 + 400); continue; case 16LL: goto LABEL_31; case 17LL: case 18LL: case 22LL: return result; case 20LL: if ( *v4 != 7 ) return 0LL; goto LABEL_2; case 23LL: if ( *(_BYTE *)(a1 + 280) ) goto LABEL_2; v29 = *v4; v4 += 2; *(_QWORD *)(a1 + 288) = v29 + *(_QWORD *)(a1 + 400); continue; case 25LL: v13 = *v4; v4 += 2; *(_QWORD *)(a1 + 336) = v13 + *(_QWORD *)(a1 + 400); continue; case 26LL: v28 = *v4; v4 += 2; *(_QWORD *)(a1 + 352) = v28 + *(_QWORD *)(a1 + 400); continue; case 27LL: v16 = *v4; v4 += 2; *(_QWORD *)(a1 + 344) = (unsigned int)v16 >> 3; continue; case 28LL: v12 = *v4; v4 += 2; *(_QWORD *)(a1 + 360) = (unsigned int)v12 >> 3; continue; case 30LL: if ( (*v4 & 4) != 0 ) return 0LL; if ( (*v4 & 2) != 0 )LABEL_31: *(_BYTE *)(a1 + 408) = 1;LABEL_2: v4 += 2; continue; case 32LL: v27 = *v4; v4 += 2; *(_QWORD *)(a1 + 320) = v27 + *(_QWORD *)(a1 + 400); continue; case 33LL: v30 = *v4; v4 += 2; *(_QWORD *)(a1 + 328) = (unsigned int)v30 >> 3; continue; default: if ( v5 != 1879047925 ) goto LABEL_2; *(_BYTE *)(a1 + 41) = 1; v7 = *(_QWORD *)(a1 + 400); v8 = *(unsigned int *)(*v4 + v7); *(_QWORD *)(a1 + 48) = v8; v9 = *(unsigned int *)(*v4 + v7 + 8); *(_DWORD *)(a1 + 72) = v9; *(_DWORD *)(a1 + 76) = *(_DWORD *)(*v4 + v7 + 12); v10 = v7 + *v4 + 16; *(_QWORD *)(a1 + 80) = v10; v11 = v10 + 8 * v9; *(_QWORD *)(a1 + 56) = v11; *(_QWORD *)(a1 + 64) = v11 + 4 * v8 - 4LL * *(unsigned int *)(*v4 + v7 + 4); if ( (((_DWORD)v9 - 1) & (unsigned int)v9) != 0 ) return 0LL; *(_DWORD *)(a1 + 72) = v9 - 1; v4 += 2; continue; } break; } while ( 1 ) { v33 = *(v32 - 1); if ( v33 == 1 ) break; if ( !v33 ) return &dword_0 + 1;LABEL_37: v32 += 2; } v34 = (const char *)(*(_QWORD *)(a1 + 272) + *v32); if ( _strlen_chk(v34, 0xFFFFFFFFFFFFFFFFLL) <= 0x80 && v31 < *(_DWORD *)(a1 + 456) ) { strncpy((char *)(*(_QWORD *)(a1 + 464) + 144LL * v31 + 8), v34, 0x7FuLL); result = dlopen(v34, 2); if ( !result ) return result; v35 = 144LL * v31; *(_QWORD *)(*(_QWORD *)(a1 + 464) + v35) = result; ++v31; *(_QWORD *)(*(_QWORD *)(a1 + 464) + v35 + 136) = 0LL; goto LABEL_37; } return 0LL;}void *__fastcall sub_379C(__int64 a1){ unsigned int v2; // w8 __int64 v3; // x20 unsigned __int64 *v4; // x11 __int64 v5; // x13 void *result; // x0 __int64 v7; // x13 __int64 v8; // x14 __int64 v9; // x15 __int64 v10; // x16 __int64 v11; // x16 unsigned __int64 v12; // t1 unsigned __int64 v13; // t1 unsigned __int64 v14; // t1 unsigned __int64 v15; // t1 unsigned __int64 v16; // t1 unsigned __int64 v17; // t1 unsigned __int64 v18; // t1 unsigned __int64 v19; // t1 unsigned __int64 v20; // t1 unsigned __int64 v21; // t1 unsigned __int64 v22; // t1 __int64 v23; // x13 __int64 v24; // x14 __int64 v25; // x15 unsigned __int64 v26; // t1 unsigned __int64 v27; // t1 unsigned __int64 v28; // t1 unsigned __int64 v29; // t1 unsigned __int64 v30; // t1 unsigned int v31; // w23 _QWORD *v32; // x24 __int64 v33; // x8 const char *v34; // x20 __int64 v35; // x9 v2 = 0; _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)); v3 = *(_QWORD *)(a1 + 256); v4 = (unsigned __int64 *)(v3 + 8); while ( 2 ) { v5 = *(v4 - 1); result = 0LL; switch ( v5 ) { case 0LL: if ( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 ) return 0LL; *(_DWORD *)(a1 + 456) = v2; result = calloc(1uLL, 144LL * v2); *(_QWORD *)(a1 + 464) = result; if ( !result ) return result; v31 = 0; v32 = (_QWORD *)(v3 + 8); break; case 1LL: ++v2; v4 += 2; continue; case 2LL: v19 = *v4; v4 += 2; *(_QWORD *)(a1 + 296) = v19 / 0x18; continue; case 3LL: case 14LL: case 15LL: case 19LL: case 21LL: case 24LL: case 29LL: case 31LL: goto LABEL_2; case 4LL: *(_BYTE *)(a1 + 40) = 1; v23 = *(_QWORD *)(a1 + 400); v24 = *(unsigned int *)(*v4 + v23); *(_QWORD *)(a1 + 8) = v24; v25 = *(unsigned int *)(*v4 + v23 + 4); v23 += 8LL; *(_QWORD *)(a1 + 24) = v25; *(_QWORD *)(a1 + 16) = v23 + *v4; v26 = *v4; v4 += 2; *(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26; continue; case 5LL: v22 = *v4;
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
牛的
|
