首页
社区
课程
招聘
15
[原创]某加固so层脱壳
发表于: 2025-2-12 13:52 49815

[原创]某加固so层脱壳

2025-2-12 13:52
49815

加固版本:2025/2/11 最新免费版

第一步 :使用frida(最好魔改 不然有检测) 查看加载的so文件

打印出来所有加载的so文件了:

[Calvin designers::com.calvin.check_tset ]-> dlopen: /data/data/com.calvin.check_tset/.jiagu/libjiagu_64.so
dlopen: liblog.so
dlopen: libz.so
dlopen: libc.so
dlopen: libm.so
dlopen: libstdc++.so
dlopen: libdl.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libart.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjgdtc.so
dlopen: /data/app/gUGk1sgfebPev2a5rxao2w==/com.calvin.check_tset-Kj54dsV2miW8iYUVx-eTmA==/lib/arm64/libcheck_tset.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: /vendor/lib64/hw/gralloc.lito.so
dlopen: libadreno_app_profiles.so
dlopen: libEGL_adreno.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: libadreno_utils.so
dlopen: libandroid.so

一眼观望全部so文件 , 接下来 把要分析的so文件 dump下来 看看 怎么回事

dump 下来的so是需要修复滴 使用so_fixer

https://github.com/F8LEFT/SoFixer

修复完毕后 就可以显示 全部的符号信息了

现在 我们需要了解程序运行 调用的流程 也就是 函数 trace

这里使用 oacia 佬的方案

https://github.com/oacia/stalker_trace_so

打印 so函数的流程:

call1:JNI_OnLoad
call2:j_interpreter_wrap_int64_t
call3:interpreter_wrap_int64_t
call4:_Znwm
call5:sub_1362C
call6:_Znam
call7:sub_10F54
call8:memset
call9:sub_9C50
call10:sub_E114
call11:calloc
call12:malloc
call13:free
call14:sub_E37C
call15:_ZdaPv
call16:sub_C680
call17:sub_CB38
call18:sub_9800
call19:sub_97DC
call20:sub_CCA8
call21:sub_C86C
call22:sub_993C
call23:sub_1591C
call24:sub_16094
call25:sub_16160
call26:sub_15C94
call27:sub_16954
call28:sub_15D14
call29:sub_159F0
call30:sub_1595C
call31:sub_9778
call32:sub_CB90
call33:sub_CD8C
call34:sub_CAD8
call35:sub_91E0
call36:dladdr
call37:strstr
call38:setenv
call39:_Z9__arm_a_1P7_JavaVMP7_JNIEnvPvRi
call40:sub_9CD0
call41:sub_9814
call42:sub_10698
call43:j__ZdlPv_1
call44:_ZdlPv
call45:sub_9558
call46:sub_7D00 //这里存在 so字符串
call47:__strncpy_chk2
call48:sub_5ACC
call49:sub_5F30
call50:sub_46A0
call51:sub_5B14
call52:_ZN9__arm_c_19__arm_c_0Ev
call53:sub_A228
call54:sub_9844
call55:sub_97BC
call56:sub_CF24
call57:sub_5E70
call58:sub_5F7C
call59:memcpy
call60:sub_6084 //疑似 加密函数
call61:sub_5974
call62:j__ZdlPv_3
call63:j__ZdlPv_2
call64:j__ZdlPv_0
call65:sub_A1DC
call66:sub_9908
call67:sub_59CC
call68:sub_5A24 //疑似 rc4
call69:sub_9E58
call70:sub_307C
call71:uncompress //经典解压环节
call72:sub_CBF4
call73:sub_4538 // 这里好像 linker load
call74:sub_4D34
call75:sub_4DAC
call76:sub_543C //这里存在 异或加密
call77:sub_4F84
call78:sub_5140 // 存在 内存拷贝 权限修改
call79:mprotect
call80:__strlen_chk
call81:strncpy
call82:sub_379C // linker 加载
call83:dlopen
call84:sub_446C // 这里纯在 将 内存 区域 清零
call85:sub_3B54 // 链接有关
call86:sub_3D08 // 这里出现一些 疑似奇怪的检测
call87:sub_30B4
call88:dlsym
call89:strcmp
call90:sub_57A0 // 这里也是修改内存权限 为 可执行吧?
call91:sub_4D78
call92:sub_5D28
call93:sub_7E38
call94:sub_47BC
call95:sub_7F64
call96:sub_8854
call97:sub_8BE0
call98:sub_8138
call99:interpreter_wrap_int64_t_bridge
call100:sub_9BD8
call101:sub_15C0C
call102:puts
call103:_Z9__arm_a_2PcmS_Rii

这里 我一个步骤一个步骤的看 发现函数 sub_9558() 调用 kill() 自己 进程

第一个函数 :

字符串为加密 我们编写frida 打印一下

发现 frida 未打印 这个函数也未运行那就不管啦

在 sub_7D00 函数 里面居然出现了 so 这个字符串

在之后 还遇到 一道类似加密算法的sub_6084函数:

//继续按照trace流程 观察 代码 (找到能看懂的部分 就行)

发现一个类似 rc4 初始化算法的 部分 :

这里大致把能看懂的 打了注释 整个流程已经了解的差不多了

现在我们要解密 so文件 就需要深入的了解 自实现linker加载so 的原理

参考: https://bbs.kanxue.com/thread-282316.htm

流程大概是这样

这个加固 把流程 已经混淆,我们需要 找到 关键函数 dump下来 才能完成修复

这里 与 刚刚那个so linker项目 里面的预链接 相似

这里可以推断出 dynamic

而这里我们需要一个so info 的结构体 oacia佬的文章里 https://oacia.dev/360-jiagu/ 拿来就用

而且 推断出 大致结构体 :

这个结构的 不是准确的,只推断出 phdr phnum dynamic plt_rela_ plt_rela_count_ rela_ rela_count_ base

这几个变量的值 是确定的 其他的并不准确。

在 hook 预链接函数 处 进行dump

将 dump 下的 组件 copy还原回去

细节修复 plt 与 got

因为 我们在 链接前 dump的 所以无需修复 还原 即可 用ida 使用

我也是成功 恢复了 so文件中的 符号

希望版主大大 加个精华, 小弟大三,想在简历里添加一笔 看雪有精华 文章!

参考: https://oacia.dev/360-jiagu/

v4 = sub_6F9C();
 
if ( (v4 & 1) != 0 )
 
{
 
v5 = getpid();
 
v4 = kill(v5, 9);
 
}
 
v6 = sub_70A8(v4);
 
v7 = sub_7204(v6);
 
if ( (v7 & 1) != 0 )
 
{
 
v8 = getpid();
 
v7 = kill(v8, 9);
 
}
 
result = sub_70A8(v7);
 
v1 = qword_276180;
v4 = sub_6F9C();
 
if ( (v4 & 1) != 0 )
 
{
 
v5 = getpid();
 
v4 = kill(v5, 9);
 
}
 
v6 = sub_70A8(v4);
 
v7 = sub_7204(v6);
 
if ( (v7 & 1) != 0 )
 
{
 
v8 = getpid();
 
v7 = kill(v8, 9);
 
}
 
result = sub_70A8(v7);
 
v1 = qword_276180;
FILE *sub_6F9C()
{
  FILE *result; // x0
  FILE *v1; // x19
  char s[512]; // [xsp+8h] [xbp-248h] BYREF
  char v3[16]; // [xsp+208h] [xbp-48h] BYREF
  char filename[24]; // [xsp+218h] [xbp-38h] BYREF
 
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  *(_QWORD *)&filename[6] = '\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB';
  *(_QWORD *)filename = '\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A';
  *(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL;
  *(_QWORD *)v3 = 0x9595959595959595LL;
  sub_6554(filename, 14LL);
  sub_6554(v3, 14LL);
  memset(s, 0, sizeof(s));
  result = fopen(filename, "r");
  if ( result )
  {
    v1 = result;
    while ( !feof(v1) )
    {
      fgets(s, 512, v1);
      if ( strstr(s, v3) )
      {
        fclose(v1);
        return (FILE *)(&dword_0 + 1);
      }
      memset(s, 0, sizeof(s));
    }
    fclose(v1);
    return 0LL;
  }
  return result;
}
FILE *sub_6F9C()
{
  FILE *result; // x0
  FILE *v1; // x19
  char s[512]; // [xsp+8h] [xbp-248h] BYREF
  char v3[16]; // [xsp+208h] [xbp-48h] BYREF
  char filename[24]; // [xsp+218h] [xbp-38h] BYREF
 
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  *(_QWORD *)&filename[6] = '\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB';
  *(_QWORD *)filename = '\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A';
  *(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL;
  *(_QWORD *)v3 = 0x9595959595959595LL;
  sub_6554(filename, 14LL);
  sub_6554(v3, 14LL);
  memset(s, 0, sizeof(s));
  result = fopen(filename, "r");
  if ( result )
  {
    v1 = result;
    while ( !feof(v1) )
    {
      fgets(s, 512, v1);
      if ( strstr(s, v3) )
      {
        fclose(v1);
        return (FILE *)(&dword_0 + 1);
      }
      memset(s, 0, sizeof(s));
    }
    fclose(v1);
    return 0LL;
  }
  return result;
}
__int64 sub_7D00()
{
  __int64 v0; // x19
  _QWORD v2[7]; // [xsp+10h] [xbp-140h] BYREF
  _QWORD v3[2]; // [xsp+48h] [xbp-108h] BYREF
  __int128 v4; // [xsp+58h] [xbp-F8h]
  _OWORD v5[8]; // [xsp+68h] [xbp-E8h] BYREF
  __int128 v6; // [xsp+E8h] [xbp-68h]
  __int128 v7; // [xsp+F8h] [xbp-58h]
  __int128 v8; // [xsp+108h] [xbp-48h]
  __int128 v9; // [xsp+118h] [xbp-38h]
 
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  v8 = 0u;
  v9 = 0u;
  v6 = 0u;
  v7 = 0u;
  memset(v5, 0, sizeof(v5));
  v4 = 0u;
  _strncpy_chk2((char *)v5 + 4, "*.so", 128LL, 188LL, 5LL);
  v3[0] = &qword_2D260;
  v3[1] = 752309LL;
  *(_QWORD *)&v7 = off_2D178;
  LODWORD(v5[0]) = 1;
  *((_QWORD *)&v6 + 1) = &qword_E5178;
  DWORD2(v9) = 1;
  *((_QWORD *)&v7 + 1) = 0x400000002LL;
  LODWORD(v8) = 5;
  *((_QWORD *)&v8 + 1) = 0LL;
  *(_QWORD *)&v9 = 0LL;
  sub_5ACC(v2);
  v2[0] = (char *)off_2CF48 + 16;
  v0 = 0LL;
  if ( (sub_5F30(v2, (char *)&qword_E4D10 + 5, 1062LL) & 1) != 0 )
  {
    v0 = sub_46A0(v3, v2);
    if ( *((_QWORD *)&v8 + 1) )
      free(*((void **)&v8 + 1));
  }
  sub_5D28(v2);
  return v0;
}
__int64 sub_7D00()
{
  __int64 v0; // x19
  _QWORD v2[7]; // [xsp+10h] [xbp-140h] BYREF
  _QWORD v3[2]; // [xsp+48h] [xbp-108h] BYREF
  __int128 v4; // [xsp+58h] [xbp-F8h]
  _OWORD v5[8]; // [xsp+68h] [xbp-E8h] BYREF
  __int128 v6; // [xsp+E8h] [xbp-68h]
  __int128 v7; // [xsp+F8h] [xbp-58h]
  __int128 v8; // [xsp+108h] [xbp-48h]
  __int128 v9; // [xsp+118h] [xbp-38h]
 
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  v8 = 0u;
  v9 = 0u;
  v6 = 0u;
  v7 = 0u;
  memset(v5, 0, sizeof(v5));
  v4 = 0u;
  _strncpy_chk2((char *)v5 + 4, "*.so", 128LL, 188LL, 5LL);
  v3[0] = &qword_2D260;
  v3[1] = 752309LL;
  *(_QWORD *)&v7 = off_2D178;
  LODWORD(v5[0]) = 1;
  *((_QWORD *)&v6 + 1) = &qword_E5178;
  DWORD2(v9) = 1;
  *((_QWORD *)&v7 + 1) = 0x400000002LL;
  LODWORD(v8) = 5;
  *((_QWORD *)&v8 + 1) = 0LL;
  *(_QWORD *)&v9 = 0LL;
  sub_5ACC(v2);
  v2[0] = (char *)off_2CF48 + 16;
  v0 = 0LL;
  if ( (sub_5F30(v2, (char *)&qword_E4D10 + 5, 1062LL) & 1) != 0 )
  {
    v0 = sub_46A0(v3, v2);
    if ( *((_QWORD *)&v8 + 1) )
      free(*((void **)&v8 + 1));
  }
  sub_5D28(v2);
  return v0;
}
_BYTE *__fastcall sub_6084(__int64 a1)
{
  unsigned int v2; // w20
  _BYTE *result; // x0
  _BYTE *v4; // x10
  unsigned int v5; // w8
  int v6; // w11
  int v7; // [xsp+8h] [xbp-48h]
  int v8; // [xsp+Ch] [xbp-44h]
  int v9; // [xsp+10h] [xbp-40h]
  int v10; // [xsp+14h] [xbp-3Ch]
  int v11; // [xsp+18h] [xbp-38h]
  int v12; // [xsp+1Ch] [xbp-34h]
  int v13; // [xsp+20h] [xbp-30h]
  int v14; // [xsp+24h] [xbp-2Ch]
  __int64 v15; // [xsp+28h] [xbp-28h]
 
  v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v2 = *(_DWORD *)(a1 + 4);
  result = (_BYTE *)operator new[](v2);
  v4 = *(_BYTE **)(a1 + 8);
  v5 = 0;
  v6 = 7;
  *(_QWORD *)(a1 + 24) = result;
  do
  {
    *(&v7 + v6) = ((unsigned __int8)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1;
    if ( v6 )
    {
      --v6;
    }
    else
    {
      ++v5;
      v6 = 7;
      *result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7;
      v4 = *(_BYTE **)(a1 + 8);
      v2 = *(_DWORD *)(a1 + 4);
    }
    *(_QWORD *)(a1 + 8) = ++v4;
  }
  while ( v5 <= v2 - 1 );
  return result;
_BYTE *__fastcall sub_6084(__int64 a1)
{
  unsigned int v2; // w20
  _BYTE *result; // x0
  _BYTE *v4; // x10
  unsigned int v5; // w8
  int v6; // w11
  int v7; // [xsp+8h] [xbp-48h]
  int v8; // [xsp+Ch] [xbp-44h]
  int v9; // [xsp+10h] [xbp-40h]
  int v10; // [xsp+14h] [xbp-3Ch]
  int v11; // [xsp+18h] [xbp-38h]
  int v12; // [xsp+1Ch] [xbp-34h]
  int v13; // [xsp+20h] [xbp-30h]
  int v14; // [xsp+24h] [xbp-2Ch]
  __int64 v15; // [xsp+28h] [xbp-28h]
 
  v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v2 = *(_DWORD *)(a1 + 4);
  result = (_BYTE *)operator new[](v2);
  v4 = *(_BYTE **)(a1 + 8);
  v5 = 0;
  v6 = 7;
  *(_QWORD *)(a1 + 24) = result;
  do
  {
    *(&v7 + v6) = ((unsigned __int8)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1;
    if ( v6 )
    {
      --v6;
    }
    else
    {
      ++v5;
      v6 = 7;
      *result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7;
      v4 = *(_BYTE **)(a1 + 8);
      v2 = *(_DWORD *)(a1 + 4);
    }
    *(_QWORD *)(a1 + 8) = ++v4;
  }
  while ( v5 <= v2 - 1 );
  return result;
_BYTE *__fastcall sub_5A24(_BYTE *result, int a2, __int64 a3)
{
  __int64 v3; // x9
  char v4; // w11
  unsigned __int8 v5; // w10
  unsigned __int8 v6; // w11
  char v7; // w13
 
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  if ( a2 >= 1 )
  {
    v3 = (unsigned int)a2;
    do
    {
      v4 = *(_BYTE *)(a3 + 257);
      --v3;
      v5 = *(_BYTE *)(a3 + 256) + 2;
      *(_BYTE *)(a3 + 256) = v5;
      v6 = *(_BYTE *)(a3 + v5) + v4 + 1;
      *(_BYTE *)(a3 + 257) = v6;
      v7 = *(_BYTE *)(a3 + v5);
      *(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6);
      *(_BYTE *)(a3 + v6) = v7;
      *result++ ^= *(_BYTE *)(a3
                            + (unsigned __int8)(*(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 257))
                                              + *(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 256))));
    }
    while ( v3 );
  }
  return result;
}
_BYTE *__fastcall sub_5A24(_BYTE *result, int a2, __int64 a3)
{
  __int64 v3; // x9
  char v4; // w11
  unsigned __int8 v5; // w10
  unsigned __int8 v6; // w11
  char v7; // w13
 
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  if ( a2 >= 1 )
  {
    v3 = (unsigned int)a2;
    do
    {
      v4 = *(_BYTE *)(a3 + 257);
      --v3;
      v5 = *(_BYTE *)(a3 + 256) + 2;
      *(_BYTE *)(a3 + 256) = v5;
      v6 = *(_BYTE *)(a3 + v5) + v4 + 1;
      *(_BYTE *)(a3 + 257) = v6;
      v7 = *(_BYTE *)(a3 + v5);
      *(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6);
      *(_BYTE *)(a3 + v6) = v7;
      *result++ ^= *(_BYTE *)(a3
                            + (unsigned __int8)(*(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 257))
                                              + *(_BYTE *)(a3 + *(unsigned __int8 *)(a3 + 256))));
    }
    while ( v3 );
  }
  return result;
}
// 1. 讀取so文件
if(!Read(path, fd, 0, sb.st_size)){
    LOGD("Read so failed");
    munmap(start_addr_, sb.st_size);
    close(fd);
}
// 2. 載入so
if(!Load()) {
    LOGD("Load so failed");
    munmap(start_addr_, sb.st_size);
    close(fd);
}
// 使被加載的so有執行權限, 否則在調用.init_array時會報錯
mprotect(reinterpret_cast<void *>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
// 3. 預鏈接, 主要處理 .dynamic節
si_->prelink_image();
// 4. 正式鏈接, 在這裡處理重定位的信息
si_->link_image();
// 5. 調用.init和.init_array
si_->call_constructors();
// 1. 讀取so文件
if(!Read(path, fd, 0, sb.st_size)){
    LOGD("Read so failed");
    munmap(start_addr_, sb.st_size);
    close(fd);
}
// 2. 載入so
if(!Load()) {
    LOGD("Load so failed");
    munmap(start_addr_, sb.st_size);
    close(fd);
}
// 使被加載的so有執行權限, 否則在調用.init_array時會報錯
mprotect(reinterpret_cast<void *>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
// 3. 預鏈接, 主要處理 .dynamic節
si_->prelink_image();
// 4. 正式鏈接, 在這裡處理重定位的信息
si_->link_image();
// 5. 調用.init和.init_array
si_->call_constructors();
void *__fastcall sub_379C(__int64 a1)
{
  unsigned int v2; // w8
  __int64 v3; // x20
  unsigned __int64 *v4; // x11
  __int64 v5; // x13
  void *result; // x0
  __int64 v7; // x13
  __int64 v8; // x14
  __int64 v9; // x15
  __int64 v10; // x16
  __int64 v11; // x16
  unsigned __int64 v12; // t1
  unsigned __int64 v13; // t1
  unsigned __int64 v14; // t1
  unsigned __int64 v15; // t1
  unsigned __int64 v16; // t1
  unsigned __int64 v17; // t1
  unsigned __int64 v18; // t1
  unsigned __int64 v19; // t1
  unsigned __int64 v20; // t1
  unsigned __int64 v21; // t1
  unsigned __int64 v22; // t1
  __int64 v23; // x13
  __int64 v24; // x14
  __int64 v25; // x15
  unsigned __int64 v26; // t1
  unsigned __int64 v27; // t1
  unsigned __int64 v28; // t1
  unsigned __int64 v29; // t1
  unsigned __int64 v30; // t1
  unsigned int v31; // w23
  _QWORD *v32; // x24
  __int64 v33; // x8
  const char *v34; // x20
  __int64 v35; // x9
 
  v2 = 0;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  v3 = *(_QWORD *)(a1 + 256);
  v4 = (unsigned __int64 *)(v3 + 8);
  while ( 2 )
  {
    v5 = *(v4 - 1);
    result = 0LL;
    switch ( v5 )
    {
      case 0LL:
        if ( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 )
          return 0LL;
        *(_DWORD *)(a1 + 456) = v2;
        result = calloc(1uLL, 144LL * v2);
        *(_QWORD *)(a1 + 464) = result;
        if ( !result )
          return result;
        v31 = 0;
        v32 = (_QWORD *)(v3 + 8);
        break;
      case 1LL:
        ++v2;
        v4 += 2;
        continue;
      case 2LL:
        v19 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 296) = v19 / 0x18;
        continue;
      case 3LL:
      case 14LL:
      case 15LL:
      case 19LL:
      case 21LL:
      case 24LL:
      case 29LL:
      case 31LL:
        goto LABEL_2;
      case 4LL:
        *(_BYTE *)(a1 + 40) = 1;
        v23 = *(_QWORD *)(a1 + 400);
        v24 = *(unsigned int *)(*v4 + v23);
        *(_QWORD *)(a1 + 8) = v24;
        v25 = *(unsigned int *)(*v4 + v23 + 4);
        v23 += 8LL;
        *(_QWORD *)(a1 + 24) = v25;
        *(_QWORD *)(a1 + 16) = v23 + *v4;
        v26 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26;
        continue;
      case 5LL:
        v22 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 272) = v22 + *(_QWORD *)(a1 + 400);
        continue;
      case 6LL:
        v21 = *v4;
        v4 += 2;
        *(_QWORD *)a1 = v21 + *(_QWORD *)(a1 + 400);
        continue;
      case 7LL:
        if ( *(_BYTE *)(a1 + 280) )
          goto LABEL_2;
        v15 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 304) = v15 + *(_QWORD *)(a1 + 400);
        continue;
      case 8LL:
        v20 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 312) = v20 / 0x18;
        continue;
      case 9LL:
      case 11LL:
        if ( *v4 != 24 )
          return 0LL;
        goto LABEL_2;
      case 10LL:
        v17 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 448) = v17;
        continue;
      case 12LL:
        v18 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 368) = v18 + *(_QWORD *)(a1 + 400);
        continue;
      case 13LL:
        v14 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 376) = v14 + *(_QWORD *)(a1 + 400);
        continue;
      case 16LL:
        goto LABEL_31;
      case 17LL:
      case 18LL:
      case 22LL:
        return result;
      case 20LL:
        if ( *v4 != 7 )
          return 0LL;
        goto LABEL_2;
      case 23LL:
        if ( *(_BYTE *)(a1 + 280) )
          goto LABEL_2;
        v29 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 288) = v29 + *(_QWORD *)(a1 + 400);
        continue;
      case 25LL:
        v13 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 336) = v13 + *(_QWORD *)(a1 + 400);
        continue;
      case 26LL:
        v28 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 352) = v28 + *(_QWORD *)(a1 + 400);
        continue;
      case 27LL:
        v16 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 344) = (unsigned int)v16 >> 3;
        continue;
      case 28LL:
        v12 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 360) = (unsigned int)v12 >> 3;
        continue;
      case 30LL:
        if ( (*v4 & 4) != 0 )
          return 0LL;
        if ( (*v4 & 2) != 0 )
LABEL_31:
          *(_BYTE *)(a1 + 408) = 1;
LABEL_2:
        v4 += 2;
        continue;
      case 32LL:
        v27 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 320) = v27 + *(_QWORD *)(a1 + 400);
        continue;
      case 33LL:
        v30 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 328) = (unsigned int)v30 >> 3;
        continue;
      default:
        if ( v5 != 1879047925 )
          goto LABEL_2;
        *(_BYTE *)(a1 + 41) = 1;
        v7 = *(_QWORD *)(a1 + 400);
        v8 = *(unsigned int *)(*v4 + v7);
        *(_QWORD *)(a1 + 48) = v8;
        v9 = *(unsigned int *)(*v4 + v7 + 8);
        *(_DWORD *)(a1 + 72) = v9;
        *(_DWORD *)(a1 + 76) = *(_DWORD *)(*v4 + v7 + 12);
        v10 = v7 + *v4 + 16;
        *(_QWORD *)(a1 + 80) = v10;
        v11 = v10 + 8 * v9;
        *(_QWORD *)(a1 + 56) = v11;
        *(_QWORD *)(a1 + 64) = v11 + 4 * v8 - 4LL * *(unsigned int *)(*v4 + v7 + 4);
        if ( (((_DWORD)v9 - 1) & (unsigned int)v9) != 0 )
          return 0LL;
        *(_DWORD *)(a1 + 72) = v9 - 1;
        v4 += 2;
        continue;
    }
    break;
  }
  while ( 1 )
  {
    v33 = *(v32 - 1);
    if ( v33 == 1 )
      break;
    if ( !v33 )
      return &dword_0 + 1;
LABEL_37:
    v32 += 2;
  }
  v34 = (const char *)(*(_QWORD *)(a1 + 272) + *v32);
  if ( _strlen_chk(v34, 0xFFFFFFFFFFFFFFFFLL) <= 0x80 && v31 < *(_DWORD *)(a1 + 456) )
  {
    strncpy((char *)(*(_QWORD *)(a1 + 464) + 144LL * v31 + 8), v34, 0x7FuLL);
    result = dlopen(v34, 2);
    if ( !result )
      return result;
    v35 = 144LL * v31;
    *(_QWORD *)(*(_QWORD *)(a1 + 464) + v35) = result;
    ++v31;
    *(_QWORD *)(*(_QWORD *)(a1 + 464) + v35 + 136) = 0LL;
    goto LABEL_37;
  }
  return 0LL;
}
void *__fastcall sub_379C(__int64 a1)
{
  unsigned int v2; // w8
  __int64 v3; // x20
  unsigned __int64 *v4; // x11
  __int64 v5; // x13
  void *result; // x0
  __int64 v7; // x13
  __int64 v8; // x14
  __int64 v9; // x15
  __int64 v10; // x16
  __int64 v11; // x16
  unsigned __int64 v12; // t1
  unsigned __int64 v13; // t1
  unsigned __int64 v14; // t1
  unsigned __int64 v15; // t1
  unsigned __int64 v16; // t1
  unsigned __int64 v17; // t1
  unsigned __int64 v18; // t1
  unsigned __int64 v19; // t1
  unsigned __int64 v20; // t1
  unsigned __int64 v21; // t1
  unsigned __int64 v22; // t1
  __int64 v23; // x13
  __int64 v24; // x14
  __int64 v25; // x15
  unsigned __int64 v26; // t1
  unsigned __int64 v27; // t1
  unsigned __int64 v28; // t1
  unsigned __int64 v29; // t1
  unsigned __int64 v30; // t1
  unsigned int v31; // w23
  _QWORD *v32; // x24
  __int64 v33; // x8
  const char *v34; // x20
  __int64 v35; // x9
 
  v2 = 0;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  v3 = *(_QWORD *)(a1 + 256);
  v4 = (unsigned __int64 *)(v3 + 8);
  while ( 2 )
  {
    v5 = *(v4 - 1);
    result = 0LL;
    switch ( v5 )
    {
      case 0LL:
        if ( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 )
          return 0LL;
        *(_DWORD *)(a1 + 456) = v2;
        result = calloc(1uLL, 144LL * v2);
        *(_QWORD *)(a1 + 464) = result;
        if ( !result )
          return result;
        v31 = 0;
        v32 = (_QWORD *)(v3 + 8);
        break;
      case 1LL:
        ++v2;
        v4 += 2;
        continue;
      case 2LL:
        v19 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 296) = v19 / 0x18;
        continue;
      case 3LL:
      case 14LL:
      case 15LL:
      case 19LL:
      case 21LL:
      case 24LL:
      case 29LL:
      case 31LL:
        goto LABEL_2;
      case 4LL:
        *(_BYTE *)(a1 + 40) = 1;
        v23 = *(_QWORD *)(a1 + 400);
        v24 = *(unsigned int *)(*v4 + v23);
        *(_QWORD *)(a1 + 8) = v24;
        v25 = *(unsigned int *)(*v4 + v23 + 4);
        v23 += 8LL;
        *(_QWORD *)(a1 + 24) = v25;
        *(_QWORD *)(a1 + 16) = v23 + *v4;
        v26 = *v4;
        v4 += 2;
        *(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26;
        continue;
      case 5LL:
        v22 = *v4;

[注意]看雪招聘,专注安全领域的专业人才平台!

最后于 2025-2-12 13:53 被逆天而行编辑 ,原因: 修改标题
上传的附件:
收藏
免费 15
支持
分享
赞赏记录
参与人
雪币
留言
时间
r8e8cd8
你的分享对大家帮助很大,非常感谢!
2025-4-16 20:04
mb_mzboxhri
谢谢你的细致分析,受益匪浅!
2025-4-1 17:11
mb_ecuabpmq
非常支持你的观点!
2025-3-7 12:07
52niu
为你点赞!
2025-2-19 12:15
七星舞月
+1
这个讨论对我很有帮助,谢谢!
2025-2-19 11:00
Shangwendada
+1
为你点赞!
2025-2-18 15:57
wogao
+1
谢谢你的细致分析,受益匪浅!
2025-2-17 19:52
Fanoteria
这个讨论对我很有帮助,谢谢!
2025-2-17 12:42
sinker_
谢谢你的细致分析,受益匪浅!
2025-2-14 22:59
你瞒我瞒
期待更多优质内容的分享,论坛有你更精彩!
2025-2-14 14:25
mb_bkkdeflr
谢谢你的细致分析,受益匪浅!
2025-2-13 10:20
wuzhouzcx
这个讨论对我很有帮助,谢谢!
2025-2-13 09:21
ngiokweng
感谢你分享这么好的资源!
2025-2-12 15:37
zx_968369
+3
感谢你的积极参与,期待更多精彩内容!
2025-2-12 14:27
Ram98
你的分享对大家帮助很大,非常感谢!
2025-2-12 14:25
最新回复 (8)
雪    币: 102
活跃值: (2610)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
2
mark
2025-2-14 11:51
0
雪    币: 57
活跃值: (2483)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
膜拜大佬出一篇分析native onCreate的文章
2025-2-14 14:04
0
雪    币: 101
活跃值: (197)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
2025-2-17 15:13
0
雪    币: 453
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
5
可以 接下来可以分析签名校验了
2025-2-21 18:11
0
雪    币: 143
活跃值: (2418)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
厉害了,我的盆友
2025-2-22 00:26
0
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
7
大佬,能否重新上传附件,现在下不了。
2025-2-25 21:43
0
雪    币: 111
活跃值: (40)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
学习了
2025-3-1 20:51
0
雪    币: 435
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
学到了!
2025-4-16 20:07
0
游客
登录 | 注册 方可回帖
返回

账号登录
验证码登录

忘记密码?
没有账号?立即免费注册