-
-
[原创]某加固so层脱壳
-
发表于: 2025-2-12 13:52
-
加固版本:2025/2/11 最新免费版
第一步 :使用frida(最好魔改 不然有检测) 查看加载的so文件
打印出来所有加载的so文件了:
[Calvin designers::com.calvin.check_tset ]-> dlopen: /data/data/com.calvin.check_tset/.jiagu/libjiagu_64.so
dlopen: liblog.so
dlopen: libz.so
dlopen: libc.so
dlopen: libm.so
dlopen: libstdc++.so
dlopen: libdl.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libart.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjgdtc.so
dlopen: /data/app/gUGk1sgfebPev2a5rxao2w==/com.calvin.check_tset-Kj54dsV2miW8iYUVx-eTmA==/lib/arm64/libcheck_tset.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: /vendor/lib64/hw/gralloc.lito.so
dlopen: libadreno_app_profiles.so
dlopen: libEGL_adreno.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: libadreno_utils.so
dlopen: libandroid.so
一眼观望全部so文件 , 接下来 把要分析的so文件 dump下来 看看 怎么回事
dump 下来的so是需要修复滴 使用so_fixer
https://github.com/F8LEFT/SoFixer
修复完毕后 就可以显示 全部的符号信息了
现在 我们需要了解程序运行 调用的流程 也就是 函数 trace
这里使用 oacia 佬的方案
https://github.com/oacia/stalker_trace_so
打印 so函数的流程:
call1:JNI_OnLoad
call2:j_interpreter_wrap_int64_t
call3:interpreter_wrap_int64_t
call4:_Znwm
call5:sub_1362C
call6:_Znam
call7:sub_10F54
call8:memset
call9:sub_9C50
call10:sub_E114
call11:calloc
call12:malloc
call13:free
call14:sub_E37C
call15:_ZdaPv
call16:sub_C680
call17:sub_CB38
call18:sub_9800
call19:sub_97DC
call20:sub_CCA8
call21:sub_C86C
call22:sub_993C
call23:sub_1591C
call24:sub_16094
call25:sub_16160
call26:sub_15C94
call27:sub_16954
call28:sub_15D14
call29:sub_159F0
call30:sub_1595C
call31:sub_9778
call32:sub_CB90
call33:sub_CD8C
call34:sub_CAD8
call35:sub_91E0
call36:dladdr
call37:strstr
call38:setenv
call39:_Z9__arm_a_1P7_JavaVMP7_JNIEnvPvRi
call40:sub_9CD0
call41:sub_9814
call42:sub_10698
call43:j__ZdlPv_1
call44:_ZdlPv
call45:sub_9558
call46:sub_7D00 //这里存在 so字符串
call47:__strncpy_chk2
call48:sub_5ACC
call49:sub_5F30
call50:sub_46A0
call51:sub_5B14
call52:_ZN9__arm_c_19__arm_c_0Ev
call53:sub_A228
call54:sub_9844
call55:sub_97BC
call56:sub_CF24
call57:sub_5E70
call58:sub_5F7C
call59:memcpy
call60:sub_6084 //疑似 加密函数
call61:sub_5974
call62:j__ZdlPv_3
call63:j__ZdlPv_2
call64:j__ZdlPv_0
call65:sub_A1DC
call66:sub_9908
call67:sub_59CC
call68:sub_5A24 //疑似 rc4
call69:sub_9E58
call70:sub_307C
call71:uncompress //经典解压环节
call72:sub_CBF4
call73:sub_4538 // 这里好像 linker load
call74:sub_4D34
call75:sub_4DAC
call76:sub_543C //这里存在 异或加密
call77:sub_4F84
call78:sub_5140 // 存在 内存拷贝 权限修改
call79:mprotect
call80:__strlen_chk
call81:strncpy
call82:sub_379C // linker 加载
call83:dlopen
call84:sub_446C // 这里纯在 将 内存 区域 清零
call85:sub_3B54 // 链接有关
call86:sub_3D08 // 这里出现一些 疑似奇怪的检测
call87:sub_30B4
call88:dlsym
call89:strcmp
call90:sub_57A0 // 这里也是修改内存权限 为 可执行吧?
call91:sub_4D78
call92:sub_5D28
call93:sub_7E38
call94:sub_47BC
call95:sub_7F64
call96:sub_8854
call97:sub_8BE0
call98:sub_8138
call99:interpreter_wrap_int64_t_bridge
call100:sub_9BD8
call101:sub_15C0C
call102:puts
call103:_Z9__arm_a_2PcmS_Rii
这里 我一个步骤一个步骤的看 发现函数 sub_9558() 调用 kill() 自己 进程
第一个函数 :
字符串为加密 我们编写frida 打印一下
发现 frida 未打印 这个函数也未运行那就不管啦
在 sub_7D00 函数 里面居然出现了 so 这个字符串
在之后 还遇到 一道类似加密算法的sub_6084函数:
//继续按照trace流程 观察 代码 (找到能看懂的部分 就行)
发现一个类似 rc4 初始化算法的 部分 :
这里大致把能看懂的 打了注释 整个流程已经了解的差不多了
现在我们要解密 so文件 就需要深入的了解 自实现linker加载so 的原理
参考: https://bbs.kanxue.com/thread-282316.htm
流程大概是这样
这个加固 把流程 已经混淆,我们需要 找到 关键函数 dump下来 才能完成修复
这里 与 刚刚那个so linker项目 里面的预链接 相似
这里可以推断出 dynamic
而这里我们需要一个so info 的结构体 oacia佬的文章里 https://oacia.dev/360-jiagu/ 拿来就用
而且 推断出 大致结构体 :
这个结构的 不是准确的,只推断出 phdr phnum dynamic plt_rela_ plt_rela_count_ rela_ rela_count_ base
这几个变量的值 是确定的 其他的并不准确。
在 hook 预链接函数 处 进行dump
将 dump 下的 组件 copy还原回去
细节修复 plt 与 got
因为 我们在 链接前 dump的 所以无需修复 还原 即可 用ida 使用
我也是成功 恢复了 so文件中的 符号
希望版主大大 加个精华, 小弟大三,想在简历里添加一笔 看雪有精华 文章!
参考: https://oacia.dev/360-jiagu/
v4 = sub_6F9C();if ( (v4 & 1) != 0 )
{v5 = getpid();v4 = kill(v5, 9);}v6 = sub_70A8(v4);v7 = sub_7204(v6);if ( (v7 & 1) != 0 )
{v8 = getpid();v7 = kill(v8, 9);}result = sub_70A8(v7);v1 = qword_276180;v4 = sub_6F9C();if ( (v4 & 1) != 0 )
{v5 = getpid();v4 = kill(v5, 9);}v6 = sub_70A8(v4);v7 = sub_7204(v6);if ( (v7 & 1) != 0 )
{v8 = getpid();v7 = kill(v8, 9);}result = sub_70A8(v7);v1 = qword_276180;FILE *sub_6F9C()
{ FILE *result; // x0
FILE *v1; // x19
char s[512]; // [xsp+8h] [xbp-248h] BYREF
char v3[16]; // [xsp+208h] [xbp-48h] BYREF
char filename[24]; // [xsp+218h] [xbp-38h] BYREF
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
*(_QWORD *)&filename[6] = '\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB';
*(_QWORD *)filename = '\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A';
*(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL;
*(_QWORD *)v3 = 0x9595959595959595LL;
sub_6554(filename, 14LL);
sub_6554(v3, 14LL);
memset(s, 0, sizeof(s));
result = fopen(filename, "r");
if ( result )
{
v1 = result;
while ( !feof(v1) )
{
fgets(s, 512, v1);
if ( strstr(s, v3) )
{
fclose(v1);
return (FILE *)(&dword_0 + 1);
}
memset(s, 0, sizeof(s));
}
fclose(v1);
return 0LL;
}
return result;
}FILE *sub_6F9C()
{ FILE *result; // x0
FILE *v1; // x19
char s[512]; // [xsp+8h] [xbp-248h] BYREF
char v3[16]; // [xsp+208h] [xbp-48h] BYREF
char filename[24]; // [xsp+218h] [xbp-38h] BYREF
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
*(_QWORD *)&filename[6] = '\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB';
*(_QWORD *)filename = '\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A';
*(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL;
*(_QWORD *)v3 = 0x9595959595959595LL;
sub_6554(filename, 14LL);
sub_6554(v3, 14LL);
memset(s, 0, sizeof(s));
result = fopen(filename, "r");
if ( result )
{
v1 = result;
while ( !feof(v1) )
{
fgets(s, 512, v1);
if ( strstr(s, v3) )
{
fclose(v1);
return (FILE *)(&dword_0 + 1);
}
memset(s, 0, sizeof(s));
}
fclose(v1);
return 0LL;
}
return result;
}__int64 sub_7D00()
{ __int64 v0; // x19
_QWORD v2[7]; // [xsp+10h] [xbp-140h] BYREF
_QWORD v3[2]; // [xsp+48h] [xbp-108h] BYREF
__int128 v4; // [xsp+58h] [xbp-F8h]
_OWORD v5[8]; // [xsp+68h] [xbp-E8h] BYREF
__int128 v6; // [xsp+E8h] [xbp-68h]
__int128 v7; // [xsp+F8h] [xbp-58h]
__int128 v8; // [xsp+108h] [xbp-48h]
__int128 v9; // [xsp+118h] [xbp-38h]
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v8 = 0u;
v9 = 0u;
v6 = 0u;
v7 = 0u;
memset(v5, 0, sizeof(v5));
v4 = 0u;
_strncpy_chk2((char *)v5 + 4, "*.so", 128LL, 188LL, 5LL);
v3[0] = &qword_2D260;
v3[1] = 752309LL;
*(_QWORD *)&v7 = off_2D178;
LODWORD(v5[0]) = 1;
*((_QWORD *)&v6 + 1) = &qword_E5178;
DWORD2(v9) = 1;
*((_QWORD *)&v7 + 1) = 0x400000002LL;
LODWORD(v8) = 5;
*((_QWORD *)&v8 + 1) = 0LL;
*(_QWORD *)&v9 = 0LL;
sub_5ACC(v2);
v2[0] = (char *)off_2CF48 + 16;
v0 = 0LL;
if ( (sub_5F30(v2, (char *)&qword_E4D10 + 5, 1062LL) & 1) != 0 )
{
v0 = sub_46A0(v3, v2);
if ( *((_QWORD *)&v8 + 1) )
free(*((void **)&v8 + 1));
}
sub_5D28(v2);
return v0;
}__int64 sub_7D00()
{ __int64 v0; // x19
_QWORD v2[7]; // [xsp+10h] [xbp-140h] BYREF
_QWORD v3[2]; // [xsp+48h] [xbp-108h] BYREF
__int128 v4; // [xsp+58h] [xbp-F8h]
_OWORD v5[8]; // [xsp+68h] [xbp-E8h] BYREF
__int128 v6; // [xsp+E8h] [xbp-68h]
__int128 v7; // [xsp+F8h] [xbp-58h]
__int128 v8; // [xsp+108h] [xbp-48h]
__int128 v9; // [xsp+118h] [xbp-38h]
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v8 = 0u;
v9 = 0u;
v6 = 0u;
v7 = 0u;
memset(v5, 0, sizeof(v5));
v4 = 0u;
_strncpy_chk2((char *)v5 + 4, "*.so", 128LL, 188LL, 5LL);
v3[0] = &qword_2D260;
v3[1] = 752309LL;
*(_QWORD *)&v7 = off_2D178;
LODWORD(v5[0]) = 1;
*((_QWORD *)&v6 + 1) = &qword_E5178;
DWORD2(v9) = 1;
*((_QWORD *)&v7 + 1) = 0x400000002LL;
LODWORD(v8) = 5;
*((_QWORD *)&v8 + 1) = 0LL;
*(_QWORD *)&v9 = 0LL;
sub_5ACC(v2);
v2[0] = (char *)off_2CF48 + 16;
v0 = 0LL;
if ( (sub_5F30(v2, (char *)&qword_E4D10 + 5, 1062LL) & 1) != 0 )
{
v0 = sub_46A0(v3, v2);
if ( *((_QWORD *)&v8 + 1) )
free(*((void **)&v8 + 1));
}
sub_5D28(v2);
return v0;
}_BYTE *__fastcall sub_6084(__int64 a1)
{ unsigned int v2; // w20
_BYTE *result; // x0
_BYTE *v4; // x10
unsigned int v5; // w8
int v6; // w11
int v7; // [xsp+8h] [xbp-48h]
int v8; // [xsp+Ch] [xbp-44h]
int v9; // [xsp+10h] [xbp-40h]
int v10; // [xsp+14h] [xbp-3Ch]
int v11; // [xsp+18h] [xbp-38h]
int v12; // [xsp+1Ch] [xbp-34h]
int v13; // [xsp+20h] [xbp-30h]
int v14; // [xsp+24h] [xbp-2Ch]
__int64 v15; // [xsp+28h] [xbp-28h]
v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
v2 = *(_DWORD *)(a1 + 4);
result = (_BYTE *)operator new[](v2);
v4 = *(_BYTE **)(a1 + 8);
v5 = 0;
v6 = 7;
*(_QWORD *)(a1 + 24) = result;
do
{
*(&v7 + v6) = ((unsigned __int8)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1;
if ( v6 )
{
--v6;
}
else
{
++v5;
v6 = 7;
*result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7;
v4 = *(_BYTE **)(a1 + 8);
v2 = *(_DWORD *)(a1 + 4);
}
*(_QWORD *)(a1 + 8) = ++v4;
}
while ( v5 <= v2 - 1 );
return result;
_BYTE *__fastcall sub_6084(__int64 a1)
{ unsigned int v2; // w20
_BYTE *result; // x0
_BYTE *v4; // x10
unsigned int v5; // w8
int v6; // w11
int v7; // [xsp+8h] [xbp-48h]
int v8; // [xsp+Ch] [xbp-44h]
int v9; // [xsp+10h] [xbp-40h]
int v10; // [xsp+14h] [xbp-3Ch]
int v11; // [xsp+18h] [xbp-38h]
int v12; // [xsp+1Ch] [xbp-34h]
int v13; // [xsp+20h] [xbp-30h]
int v14; // [xsp+24h] [xbp-2Ch]
__int64 v15; // [xsp+28h] [xbp-28h]
v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
v2 = *(_DWORD *)(a1 + 4);
result = (_BYTE *)operator new[](v2);
v4 = *(_BYTE **)(a1 + 8);
v5 = 0;
v6 = 7;
*(_QWORD *)(a1 + 24) = result;
do
{
*(&v7 + v6) = ((unsigned __int8)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1;
if ( v6 )
{
--v6;
}
else
{
++v5;
v6 = 7;
*result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7;
v4 = *(_BYTE **)(a1 + 8);
v2 = *(_DWORD *)(a1 + 4);
}
*(_QWORD *)(a1 + 8) = ++v4;
}
while ( v5 <= v2 - 1 );
return result;
_BYTE *__fastcall sub_5A24(_BYTE *result, int a2, __int64 a3)
{ __int64 v3; // x9
char v4; // w11
unsigned __int8 v5; // w10
unsigned __int8 v6; // w11
char v7; // w13
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
if ( a2 >= 1 )
{
v3 = (unsigned int)a2;
do
{
v4 = *(_BYTE *)(a3 + 257);
--v3;
v5 = *(_BYTE *)(a3 + 256) + 2;
*(_BYTE *)(a3 + 256) = v5;
v6 = *(_BYTE *)(a3 + v5) + v4 + 1;
*(_BYTE *)(a3 + 257) = v6;
v7 = *(_BYTE *)(a3 + v5);
*(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6);
*(_BYTE *)(a3 + v6) = v7;
*result++ ^= *(_BYTE *)(a3
+ (unsigned __int8)(*(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 257))
+ *(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 256))));
}
while ( v3 );
}
return result;
}_BYTE *__fastcall sub_5A24(_BYTE *result, int a2, __int64 a3)
{ __int64 v3; // x9
char v4; // w11
unsigned __int8 v5; // w10
unsigned __int8 v6; // w11
char v7; // w13
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
if ( a2 >= 1 )
{
v3 = (unsigned int)a2;
do
{
v4 = *(_BYTE *)(a3 + 257);
--v3;
v5 = *(_BYTE *)(a3 + 256) + 2;
*(_BYTE *)(a3 + 256) = v5;
v6 = *(_BYTE *)(a3 + v5) + v4 + 1;
*(_BYTE *)(a3 + 257) = v6;
v7 = *(_BYTE *)(a3 + v5);
*(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6);
*(_BYTE *)(a3 + v6) = v7;
*result++ ^= *(_BYTE *)(a3
+ (unsigned __int8)(*(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 257))
+ *(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 256))));
}
while ( v3 );
}
return result;
}// 1. 讀取so文件if(!Read(path, fd, 0, sb.st_size)){
LOGD("Read so failed");
munmap(start_addr_, sb.st_size);
close(fd);
}// 2. 載入soif(!Load()) {
LOGD("Load so failed");
munmap(start_addr_, sb.st_size);
close(fd);
}// 使被加載的so有執行權限, 否則在調用.init_array時會報錯mprotect(reinterpret_cast<void *>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
// 3. 預鏈接, 主要處理 .dynamic節si_->prelink_image();// 4. 正式鏈接, 在這裡處理重定位的信息si_->link_image();// 5. 調用.init和.init_arraysi_->call_constructors();// 1. 讀取so文件if(!Read(path, fd, 0, sb.st_size)){
LOGD("Read so failed");
munmap(start_addr_, sb.st_size);
close(fd);
}// 2. 載入soif(!Load()) {
LOGD("Load so failed");
munmap(start_addr_, sb.st_size);
close(fd);
}// 使被加載的so有執行權限, 否則在調用.init_array時會報錯mprotect(reinterpret_cast<void *>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
// 3. 預鏈接, 主要處理 .dynamic節si_->prelink_image();// 4. 正式鏈接, 在這裡處理重定位的信息si_->link_image();// 5. 調用.init和.init_arraysi_->call_constructors();void *__fastcall sub_379C(__int64 a1)
{ unsigned int v2; // w8
__int64 v3; // x20
unsigned __int64 *v4; // x11
__int64 v5; // x13
void *result; // x0
__int64 v7; // x13
__int64 v8; // x14
__int64 v9; // x15
__int64 v10; // x16
__int64 v11; // x16
unsigned __int64 v12; // t1
unsigned __int64 v13; // t1
unsigned __int64 v14; // t1
unsigned __int64 v15; // t1
unsigned __int64 v16; // t1
unsigned __int64 v17; // t1
unsigned __int64 v18; // t1
unsigned __int64 v19; // t1
unsigned __int64 v20; // t1
unsigned __int64 v21; // t1
unsigned __int64 v22; // t1
__int64 v23; // x13
__int64 v24; // x14
__int64 v25; // x15
unsigned __int64 v26; // t1
unsigned __int64 v27; // t1
unsigned __int64 v28; // t1
unsigned __int64 v29; // t1
unsigned __int64 v30; // t1
unsigned int v31; // w23
_QWORD *v32; // x24
__int64 v33; // x8
const char *v34; // x20
__int64 v35; // x9
v2 = 0;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v3 = *(_QWORD *)(a1 + 256);
v4 = (unsigned __int64 *)(v3 + 8);
while ( 2 )
{
v5 = *(v4 - 1);
result = 0LL;
switch ( v5 )
{
case 0LL:
if ( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 )
return 0LL;
*(_DWORD *)(a1 + 456) = v2;
result = calloc(1uLL, 144LL * v2);
*(_QWORD *)(a1 + 464) = result;
if ( !result )
return result;
v31 = 0;
v32 = (_QWORD *)(v3 + 8);
break;
case 1LL:
++v2;
v4 += 2;
continue;
case 2LL:
v19 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 296) = v19 / 0x18;
continue;
case 3LL:
case 14LL:
case 15LL:
case 19LL:
case 21LL:
case 24LL:
case 29LL:
case 31LL:
goto LABEL_2;
case 4LL:
*(_BYTE *)(a1 + 40) = 1;
v23 = *(_QWORD *)(a1 + 400);
v24 = *(unsigned int *)(*v4 + v23);
*(_QWORD *)(a1 + 8) = v24;
v25 = *(unsigned int *)(*v4 + v23 + 4);
v23 += 8LL;
*(_QWORD *)(a1 + 24) = v25;
*(_QWORD *)(a1 + 16) = v23 + *v4;
v26 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26;
continue;
case 5LL:
v22 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 272) = v22 + *(_QWORD *)(a1 + 400);
continue;
case 6LL:
v21 = *v4;
v4 += 2;
*(_QWORD *)a1 = v21 + *(_QWORD *)(a1 + 400);
continue;
case 7LL:
if ( *(_BYTE *)(a1 + 280) )
goto LABEL_2;
v15 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 304) = v15 + *(_QWORD *)(a1 + 400);
continue;
case 8LL:
v20 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 312) = v20 / 0x18;
continue;
case 9LL:
case 11LL:
if ( *v4 != 24 )
return 0LL;
goto LABEL_2;
case 10LL:
v17 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 448) = v17;
continue;
case 12LL:
v18 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 368) = v18 + *(_QWORD *)(a1 + 400);
continue;
case 13LL:
v14 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 376) = v14 + *(_QWORD *)(a1 + 400);
continue;
case 16LL:
goto LABEL_31;
case 17LL:
case 18LL:
case 22LL:
return result;
case 20LL:
if ( *v4 != 7 )
return 0LL;
goto LABEL_2;
case 23LL:
if ( *(_BYTE *)(a1 + 280) )
goto LABEL_2;
v29 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 288) = v29 + *(_QWORD *)(a1 + 400);
continue;
case 25LL:
v13 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 336) = v13 + *(_QWORD *)(a1 + 400);
continue;
case 26LL:
v28 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 352) = v28 + *(_QWORD *)(a1 + 400);
continue;
case 27LL:
v16 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 344) = (unsigned int)v16 >> 3;
continue;
case 28LL:
v12 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 360) = (unsigned int)v12 >> 3;
continue;
case 30LL:
if ( (*v4 & 4) != 0 )
return 0LL;
if ( (*v4 & 2) != 0 )
LABEL_31: *(_BYTE *)(a1 + 408) = 1;
LABEL_2: v4 += 2;
continue;
case 32LL:
v27 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 320) = v27 + *(_QWORD *)(a1 + 400);
continue;
case 33LL:
v30 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 328) = (unsigned int)v30 >> 3;
continue;
default:
if ( v5 != 1879047925 )
goto LABEL_2;
*(_BYTE *)(a1 + 41) = 1;
v7 = *(_QWORD *)(a1 + 400);
v8 = *(unsigned int *)(*v4 + v7);
*(_QWORD *)(a1 + 48) = v8;
v9 = *(unsigned int *)(*v4 + v7 + 8);
*(_DWORD *)(a1 + 72) = v9;
*(_DWORD *)(a1 + 76) = *(_DWORD *)(*v4 + v7 + 12);
v10 = v7 + *v4 + 16;
*(_QWORD *)(a1 + 80) = v10;
v11 = v10 + 8 * v9;
*(_QWORD *)(a1 + 56) = v11;
*(_QWORD *)(a1 + 64) = v11 + 4 * v8 - 4LL * *(unsigned int *)(*v4 + v7 + 4);
if ( (((_DWORD)v9 - 1) & (unsigned int)v9) != 0 )
return 0LL;
*(_DWORD *)(a1 + 72) = v9 - 1;
v4 += 2;
continue;
}
break;
}
while ( 1 )
{
v33 = *(v32 - 1);
if ( v33 == 1 )
break;
if ( !v33 )
return &dword_0 + 1;
LABEL_37: v32 += 2;
}
v34 = (const char *)(*(_QWORD *)(a1 + 272) + *v32);
if ( _strlen_chk(v34, 0xFFFFFFFFFFFFFFFFLL) <= 0x80 && v31 < *(_DWORD *)(a1 + 456) )
{
strncpy((char *)(*(_QWORD *)(a1 + 464) + 144LL * v31 + 8), v34, 0x7FuLL);
result = dlopen(v34, 2);
if ( !result )
return result;
v35 = 144LL * v31;
*(_QWORD *)(*(_QWORD *)(a1 + 464) + v35) = result;
++v31;
*(_QWORD *)(*(_QWORD *)(a1 + 464) + v35 + 136) = 0LL;
goto LABEL_37;
}
return 0LL;
}void *__fastcall sub_379C(__int64 a1)
{ unsigned int v2; // w8
__int64 v3; // x20
unsigned __int64 *v4; // x11
__int64 v5; // x13
void *result; // x0
__int64 v7; // x13
__int64 v8; // x14
__int64 v9; // x15
__int64 v10; // x16
__int64 v11; // x16
unsigned __int64 v12; // t1
unsigned __int64 v13; // t1
unsigned __int64 v14; // t1
unsigned __int64 v15; // t1
unsigned __int64 v16; // t1
unsigned __int64 v17; // t1
unsigned __int64 v18; // t1
unsigned __int64 v19; // t1
unsigned __int64 v20; // t1
unsigned __int64 v21; // t1
unsigned __int64 v22; // t1
__int64 v23; // x13
__int64 v24; // x14
__int64 v25; // x15
unsigned __int64 v26; // t1
unsigned __int64 v27; // t1
unsigned __int64 v28; // t1
unsigned __int64 v29; // t1
unsigned __int64 v30; // t1
unsigned int v31; // w23
_QWORD *v32; // x24
__int64 v33; // x8
const char *v34; // x20
__int64 v35; // x9
v2 = 0;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v3 = *(_QWORD *)(a1 + 256);
v4 = (unsigned __int64 *)(v3 + 8);
while ( 2 )
{
v5 = *(v4 - 1);
result = 0LL;
switch ( v5 )
{
case 0LL:
if ( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 )
return 0LL;
*(_DWORD *)(a1 + 456) = v2;
result = calloc(1uLL, 144LL * v2);
*(_QWORD *)(a1 + 464) = result;
if ( !result )
return result;
v31 = 0;
v32 = (_QWORD *)(v3 + 8);
break;
case 1LL:
++v2;
v4 += 2;
continue;
case 2LL:
v19 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 296) = v19 / 0x18;
continue;
case 3LL:
case 14LL:
case 15LL:
case 19LL:
case 21LL:
case 24LL:
case 29LL:
case 31LL:
goto LABEL_2;
case 4LL:
*(_BYTE *)(a1 + 40) = 1;
v23 = *(_QWORD *)(a1 + 400);
v24 = *(unsigned int *)(*v4 + v23);
*(_QWORD *)(a1 + 8) = v24;
v25 = *(unsigned int *)(*v4 + v23 + 4);
v23 += 8LL;
*(_QWORD *)(a1 + 24) = v25;
*(_QWORD *)(a1 + 16) = v23 + *v4;
v26 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26;
continue;
case 5LL:
v22 = *v4;
最后于 2025-2-12 13:53
被逆天而行编辑
,原因: 修改标题
赞赏记录
参与人
雪币
留言
时间
r8e8cd8
你的分享对大家帮助很大,非常感谢!
2025-4-16 20:04
mb_mzboxhri
谢谢你的细致分析,受益匪浅!
2025-4-1 17:11
mb_ecuabpmq
非常支持你的观点!
2025-3-7 12:07
52niu
为你点赞!
2025-2-19 12:15
七星舞月
+1
这个讨论对我很有帮助,谢谢!
2025-2-19 11:00
Shangwendada
+1
为你点赞!
2025-2-18 15:57
wogao
+1
谢谢你的细致分析,受益匪浅!
2025-2-17 19:52
Fanoteria
这个讨论对我很有帮助,谢谢!
2025-2-17 12:42
sinker_
谢谢你的细致分析,受益匪浅!
2025-2-14 22:59
你瞒我瞒
期待更多优质内容的分享,论坛有你更精彩!
2025-2-14 14:25
mb_bkkdeflr
谢谢你的细致分析,受益匪浅!
2025-2-13 10:20
wuzhouzcx
这个讨论对我很有帮助,谢谢!
2025-2-13 09:21
ngiokweng
感谢你分享这么好的资源!
2025-2-12 15:37
zx_968369
+3
感谢你的积极参与,期待更多精彩内容!
2025-2-12 14:27
Ram98
你的分享对大家帮助很大,非常感谢!
2025-2-12 14:25
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
