加固版本:2025/2/11 最新免费版
第一步 :使用frida(最好魔改 不然有检测) 查看加载的so文件
打印出来所有加载的so文件了:
[Calvin designers::com.calvin.check_tset ]-> dlopen: /data/data/com.calvin.check_tset/.jiagu/libjiagu_64.so
dlopen: liblog.so
dlopen: libz.so
dlopen: libc.so
dlopen: libm.so
dlopen: libstdc++.so
dlopen: libdl.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libart.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjiagu_64.so
dlopen: libjgdtc.so
dlopen: /data/app/gUGk1sgfebPev2a5rxao2w==/com.calvin.check_tset-Kj54dsV2miW8iYUVx-eTmA==/lib/arm64/libcheck_tset.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: /vendor/lib64/hw/gralloc.lito.so
dlopen: libadreno_app_profiles.so
dlopen: libEGL_adreno.so
dlopen: /vendor/lib64/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: libadreno_utils.so
dlopen: libandroid.so
一眼观望全部so文件 , 接下来 把要分析的so文件 dump下来 看看 怎么回事
dump 下来的so是需要修复滴 使用so_fixer
https://github.com/F8LEFT/SoFixer
修复完毕后 就可以显示 全部的符号信息了
现在 我们需要了解程序运行 调用的流程 也就是 函数 trace
这里使用 oacia 佬的方案
https://github.com/oacia/stalker_trace_so
打印 so函数的流程:
call1:JNI_OnLoad
call2:j_interpreter_wrap_int64_t
call3:interpreter_wrap_int64_t
call4:_Znwm
call5:sub_1362C
call6:_Znam
call7:sub_10F54
call8:memset
call9:sub_9C50
call10:sub_E114
call11:calloc
call12:malloc
call13:free
call14:sub_E37C
call15:_ZdaPv
call16:sub_C680
call17:sub_CB38
call18:sub_9800
call19:sub_97DC
call20:sub_CCA8
call21:sub_C86C
call22:sub_993C
call23:sub_1591C
call24:sub_16094
call25:sub_16160
call26:sub_15C94
call27:sub_16954
call28:sub_15D14
call29:sub_159F0
call30:sub_1595C
call31:sub_9778
call32:sub_CB90
call33:sub_CD8C
call34:sub_CAD8
call35:sub_91E0
call36:dladdr
call37:strstr
call38:setenv
call39:_Z9__arm_a_1P7_JavaVMP7_JNIEnvPvRi
call40:sub_9CD0
call41:sub_9814
call42:sub_10698
call43:j__ZdlPv_1
call44:_ZdlPv
call45:sub_9558
call46:sub_7D00 //这里存在 so字符串
call47:__strncpy_chk2
call48:sub_5ACC
call49:sub_5F30
call50:sub_46A0
call51:sub_5B14
call52:_ZN9__arm_c_19__arm_c_0Ev
call53:sub_A228
call54:sub_9844
call55:sub_97BC
call56:sub_CF24
call57:sub_5E70
call58:sub_5F7C
call59:memcpy
call60:sub_6084 //疑似 加密函数
call61:sub_5974
call62:j__ZdlPv_3
call63:j__ZdlPv_2
call64:j__ZdlPv_0
call65:sub_A1DC
call66:sub_9908
call67:sub_59CC
call68:sub_5A24 //疑似 rc4
call69:sub_9E58
call70:sub_307C
call71:uncompress //经典解压环节
call72:sub_CBF4
call73:sub_4538 // 这里好像 linker load
call74:sub_4D34
call75:sub_4DAC
call76:sub_543C //这里存在 异或加密
call77:sub_4F84
call78:sub_5140 // 存在 内存拷贝 权限修改
call79:mprotect
call80:__strlen_chk
call81:strncpy
call82:sub_379C // linker 加载
call83:dlopen
call84:sub_446C // 这里纯在 将 内存 区域 清零
call85:sub_3B54 // 链接有关
call86:sub_3D08 // 这里出现一些 疑似奇怪的检测
call87:sub_30B4
call88:dlsym
call89:strcmp
call90:sub_57A0 // 这里也是修改内存权限 为 可执行吧?
call91:sub_4D78
call92:sub_5D28
call93:sub_7E38
call94:sub_47BC
call95:sub_7F64
call96:sub_8854
call97:sub_8BE0
call98:sub_8138
call99:interpreter_wrap_int64_t_bridge
call100:sub_9BD8
call101:sub_15C0C
call102:puts
call103:_Z9__arm_a_2PcmS_Rii
这里 我一个步骤一个步骤的看 发现函数 sub_9558() 调用 kill() 自己 进程
第一个函数 :
字符串为加密 我们编写frida 打印一下
发现 frida 未打印 这个函数也未运行那就不管啦
在 sub_7D00 函数 里面居然出现了 so 这个字符串
在之后 还遇到 一道类似加密算法的sub_6084函数:
//继续按照trace流程 观察 代码 (找到能看懂的部分 就行)
发现一个类似 rc4 初始化算法的 部分 :
这里大致把能看懂的 打了注释 整个流程已经了解的差不多了
现在我们要解密 so文件 就需要深入的了解 自实现linker加载so 的原理
参考: https://bbs.kanxue.com/thread-282316.htm
流程大概是这样
这个加固 把流程 已经混淆,我们需要 找到 关键函数 dump下来 才能完成修复
这里 与 刚刚那个so linker项目 里面的预链接 相似
这里可以推断出 dynamic
而这里我们需要一个so info 的结构体 oacia佬的文章里 https://oacia.dev/360-jiagu/ 拿来就用
而且 推断出 大致结构体 :
这个结构的 不是准确的,只推断出 phdr phnum dynamic plt_rela_ plt_rela_count_ rela_ rela_count_ base
这几个变量的值 是确定的 其他的并不准确。
在 hook 预链接函数 处 进行dump
将 dump 下的 组件 copy还原回去
细节修复 plt 与 got
因为 我们在 链接前 dump的 所以无需修复 还原 即可 用ida 使用
我也是成功 恢复了 so文件中的 符号

希望版主大大 加个精华, 小弟大三,想在简历里添加一笔 看雪有精华 文章!
参考: https://oacia.dev/360-jiagu/
v4 = sub_6F9C();
if
( (v4 & 1) != 0 )
{
v5 = getpid();
v4 = kill(v5, 9);
}
v6 = sub_70A8(v4);
v7 = sub_7204(v6);
if
( (v7 & 1) != 0 )
{
v8 = getpid();
v7 = kill(v8, 9);
}
result = sub_70A8(v7);
v1 = qword_276180;
v4 = sub_6F9C();
if
( (v4 & 1) != 0 )
{
v5 = getpid();
v4 = kill(v5, 9);
}
v6 = sub_70A8(v4);
v7 = sub_7204(v6);
if
( (v7 & 1) != 0 )
{
v8 = getpid();
v7 = kill(v8, 9);
}
result = sub_70A8(v7);
v1 = qword_276180;
FILE
*sub_6F9C()
{
FILE
*result;
FILE
*v1;
char
s[512];
char
v3[16];
char
filename[24];
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
*(_QWORD *)&filename[6] =
'\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB'
;
*(_QWORD *)filename =
'\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A'
;
*(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL;
*(_QWORD *)v3 = 0x9595959595959595LL;
sub_6554(filename, 14LL);
sub_6554(v3, 14LL);
memset
(s, 0,
sizeof
(s));
result =
fopen
(filename,
"r"
);
if
( result )
{
v1 = result;
while
( !
feof
(v1) )
{
fgets
(s, 512, v1);
if
(
strstr
(s, v3) )
{
fclose
(v1);
return
(
FILE
*)(&dword_0 + 1);
}
memset
(s, 0,
sizeof
(s));
}
fclose
(v1);
return
0LL;
}
return
result;
}
FILE
*sub_6F9C()
{
FILE
*result;
FILE
*v1;
char
s[512];
char
v3[16];
char
filename[24];
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
*(_QWORD *)&filename[6] =
'\xA5\xD5\xC6\xD1\x8A\xD1\xC0\xCB'
;
*(_QWORD *)filename =
'\xC0\xCB\x8A\xC6\xCA\xD7\xD5\x8A'
;
*(_QWORD *)&v3[6] = 0xA5E49DE1909F9595LL;
*(_QWORD *)v3 = 0x9595959595959595LL;
sub_6554(filename, 14LL);
sub_6554(v3, 14LL);
memset
(s, 0,
sizeof
(s));
result =
fopen
(filename,
"r"
);
if
( result )
{
v1 = result;
while
( !
feof
(v1) )
{
fgets
(s, 512, v1);
if
(
strstr
(s, v3) )
{
fclose
(v1);
return
(
FILE
*)(&dword_0 + 1);
}
memset
(s, 0,
sizeof
(s));
}
fclose
(v1);
return
0LL;
}
return
result;
}
__int64
sub_7D00()
{
__int64
v0;
_QWORD v2[7];
_QWORD v3[2];
__int128 v4;
_OWORD v5[8];
__int128 v6;
__int128 v7;
__int128 v8;
__int128 v9;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v8 = 0u;
v9 = 0u;
v6 = 0u;
v7 = 0u;
memset
(v5, 0,
sizeof
(v5));
v4 = 0u;
_strncpy_chk2((
char
*)v5 + 4,
"*.so"
, 128LL, 188LL, 5LL);
v3[0] = &qword_2D260;
v3[1] = 752309LL;
*(_QWORD *)&v7 = off_2D178;
LODWORD(v5[0]) = 1;
*((_QWORD *)&v6 + 1) = &qword_E5178;
DWORD2(v9) = 1;
*((_QWORD *)&v7 + 1) = 0x400000002LL;
LODWORD(v8) = 5;
*((_QWORD *)&v8 + 1) = 0LL;
*(_QWORD *)&v9 = 0LL;
sub_5ACC(v2);
v2[0] = (
char
*)off_2CF48 + 16;
v0 = 0LL;
if
( (sub_5F30(v2, (
char
*)&qword_E4D10 + 5, 1062LL) & 1) != 0 )
{
v0 = sub_46A0(v3, v2);
if
( *((_QWORD *)&v8 + 1) )
free
(*((
void
**)&v8 + 1));
}
sub_5D28(v2);
return
v0;
}
__int64
sub_7D00()
{
__int64
v0;
_QWORD v2[7];
_QWORD v3[2];
__int128 v4;
_OWORD v5[8];
__int128 v6;
__int128 v7;
__int128 v8;
__int128 v9;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v8 = 0u;
v9 = 0u;
v6 = 0u;
v7 = 0u;
memset
(v5, 0,
sizeof
(v5));
v4 = 0u;
_strncpy_chk2((
char
*)v5 + 4,
"*.so"
, 128LL, 188LL, 5LL);
v3[0] = &qword_2D260;
v3[1] = 752309LL;
*(_QWORD *)&v7 = off_2D178;
LODWORD(v5[0]) = 1;
*((_QWORD *)&v6 + 1) = &qword_E5178;
DWORD2(v9) = 1;
*((_QWORD *)&v7 + 1) = 0x400000002LL;
LODWORD(v8) = 5;
*((_QWORD *)&v8 + 1) = 0LL;
*(_QWORD *)&v9 = 0LL;
sub_5ACC(v2);
v2[0] = (
char
*)off_2CF48 + 16;
v0 = 0LL;
if
( (sub_5F30(v2, (
char
*)&qword_E4D10 + 5, 1062LL) & 1) != 0 )
{
v0 = sub_46A0(v3, v2);
if
( *((_QWORD *)&v8 + 1) )
free
(*((
void
**)&v8 + 1));
}
sub_5D28(v2);
return
v0;
}
_BYTE *__fastcall sub_6084(
__int64
a1)
{
unsigned
int
v2;
_BYTE *result;
_BYTE *v4;
unsigned
int
v5;
int
v6;
int
v7;
int
v8;
int
v9;
int
v10;
int
v11;
int
v12;
int
v13;
int
v14;
__int64
v15;
v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
v2 = *(_DWORD *)(a1 + 4);
result = (_BYTE *)operator
new
[](v2);
v4 = *(_BYTE **)(a1 + 8);
v5 = 0;
v6 = 7;
*(_QWORD *)(a1 + 24) = result;
do
{
*(&v7 + v6) = ((unsigned
__int8
)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1;
if
( v6 )
{
--v6;
}
else
{
++v5;
v6 = 7;
*result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7;
v4 = *(_BYTE **)(a1 + 8);
v2 = *(_DWORD *)(a1 + 4);
}
*(_QWORD *)(a1 + 8) = ++v4;
}
while
( v5 <= v2 - 1 );
return
result;
_BYTE *__fastcall sub_6084(
__int64
a1)
{
unsigned
int
v2;
_BYTE *result;
_BYTE *v4;
unsigned
int
v5;
int
v6;
int
v7;
int
v8;
int
v9;
int
v10;
int
v11;
int
v12;
int
v13;
int
v14;
__int64
v15;
v15 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
v2 = *(_DWORD *)(a1 + 4);
result = (_BYTE *)operator
new
[](v2);
v4 = *(_BYTE **)(a1 + 8);
v5 = 0;
v6 = 7;
*(_QWORD *)(a1 + 24) = result;
do
{
*(&v7 + v6) = ((unsigned
__int8
)(*v4 ^ (*v4 >> 2) ^ (*v4 >> 4)) ^ (*v4 >> 6)) & 1;
if
( v6 )
{
--v6;
}
else
{
++v5;
v6 = 7;
*result++ = ((_BYTE)v13 << 6) + ((_BYTE)v14 << 7) + 32 * v12 + 16 * v11 + 8 * v10 + 4 * v9 + 2 * v8 + v7;
v4 = *(_BYTE **)(a1 + 8);
v2 = *(_DWORD *)(a1 + 4);
}
*(_QWORD *)(a1 + 8) = ++v4;
}
while
( v5 <= v2 - 1 );
return
result;
_BYTE *__fastcall sub_5A24(_BYTE *result,
int
a2,
__int64
a3)
{
__int64
v3;
char
v4;
unsigned
__int8
v5;
unsigned
__int8
v6;
char
v7;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
if
( a2 >= 1 )
{
v3 = (unsigned
int
)a2;
do
{
v4 = *(_BYTE *)(a3 + 257);
--v3;
v5 = *(_BYTE *)(a3 + 256) + 2;
*(_BYTE *)(a3 + 256) = v5;
v6 = *(_BYTE *)(a3 + v5) + v4 + 1;
*(_BYTE *)(a3 + 257) = v6;
v7 = *(_BYTE *)(a3 + v5);
*(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6);
*(_BYTE *)(a3 + v6) = v7;
*result++ ^= *(_BYTE *)(a3
+ (unsigned
__int8
)(*(_BYTE *)(a3 + *(unsigned
__int8
*)(a3 + 257))
+ *(_BYTE *)(a3 + *(unsigned
__int8
*)(a3 + 256))));
}
while
( v3 );
}
return
result;
}
_BYTE *__fastcall sub_5A24(_BYTE *result,
int
a2,
__int64
a3)
{
__int64
v3;
char
v4;
unsigned
__int8
v5;
unsigned
__int8
v6;
char
v7;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
if
( a2 >= 1 )
{
v3 = (unsigned
int
)a2;
do
{
v4 = *(_BYTE *)(a3 + 257);
--v3;
v5 = *(_BYTE *)(a3 + 256) + 2;
*(_BYTE *)(a3 + 256) = v5;
v6 = *(_BYTE *)(a3 + v5) + v4 + 1;
*(_BYTE *)(a3 + 257) = v6;
v7 = *(_BYTE *)(a3 + v5);
*(_BYTE *)(a3 + v5) = *(_BYTE *)(a3 + v6);
*(_BYTE *)(a3 + v6) = v7;
*result++ ^= *(_BYTE *)(a3
+ (unsigned
__int8
)(*(_BYTE *)(a3 + *(unsigned
__int8
*)(a3 + 257))
+ *(_BYTE *)(a3 + *(unsigned
__int8
*)(a3 + 256))));
}
while
( v3 );
}
return
result;
}
if
(!Read(path, fd, 0, sb.st_size)){
LOGD(
"Read so failed"
);
munmap(start_addr_, sb.st_size);
close(fd);
}
if
(!Load()) {
LOGD(
"Load so failed"
);
munmap(start_addr_, sb.st_size);
close(fd);
}
mprotect(
reinterpret_cast
<
void
*>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
si_->prelink_image();
si_->link_image();
si_->call_constructors();
if
(!Read(path, fd, 0, sb.st_size)){
LOGD(
"Read so failed"
);
munmap(start_addr_, sb.st_size);
close(fd);
}
if
(!Load()) {
LOGD(
"Load so failed"
);
munmap(start_addr_, sb.st_size);
close(fd);
}
mprotect(
reinterpret_cast
<
void
*>(load_bias_), sb.st_size, PROT_READ | PROT_WRITE | PROT_EXEC);
si_->prelink_image();
si_->link_image();
si_->call_constructors();
void
*__fastcall sub_379C(
__int64
a1)
{
unsigned
int
v2;
__int64
v3;
unsigned
__int64
*v4;
__int64
v5;
void
*result;
__int64
v7;
__int64
v8;
__int64
v9;
__int64
v10;
__int64
v11;
unsigned
__int64
v12;
unsigned
__int64
v13;
unsigned
__int64
v14;
unsigned
__int64
v15;
unsigned
__int64
v16;
unsigned
__int64
v17;
unsigned
__int64
v18;
unsigned
__int64
v19;
unsigned
__int64
v20;
unsigned
__int64
v21;
unsigned
__int64
v22;
__int64
v23;
__int64
v24;
__int64
v25;
unsigned
__int64
v26;
unsigned
__int64
v27;
unsigned
__int64
v28;
unsigned
__int64
v29;
unsigned
__int64
v30;
unsigned
int
v31;
_QWORD *v32;
__int64
v33;
const
char
*v34;
__int64
v35;
v2 = 0;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v3 = *(_QWORD *)(a1 + 256);
v4 = (unsigned
__int64
*)(v3 + 8);
while
( 2 )
{
v5 = *(v4 - 1);
result = 0LL;
switch
( v5 )
{
case
0LL:
if
( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 )
return
0LL;
*(_DWORD *)(a1 + 456) = v2;
result =
calloc
(1uLL, 144LL * v2);
*(_QWORD *)(a1 + 464) = result;
if
( !result )
return
result;
v31 = 0;
v32 = (_QWORD *)(v3 + 8);
break
;
case
1LL:
++v2;
v4 += 2;
continue
;
case
2LL:
v19 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 296) = v19 / 0x18;
continue
;
case
3LL:
case
14LL:
case
15LL:
case
19LL:
case
21LL:
case
24LL:
case
29LL:
case
31LL:
goto
LABEL_2;
case
4LL:
*(_BYTE *)(a1 + 40) = 1;
v23 = *(_QWORD *)(a1 + 400);
v24 = *(unsigned
int
*)(*v4 + v23);
*(_QWORD *)(a1 + 8) = v24;
v25 = *(unsigned
int
*)(*v4 + v23 + 4);
v23 += 8LL;
*(_QWORD *)(a1 + 24) = v25;
*(_QWORD *)(a1 + 16) = v23 + *v4;
v26 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26;
continue
;
case
5LL:
v22 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 272) = v22 + *(_QWORD *)(a1 + 400);
continue
;
case
6LL:
v21 = *v4;
v4 += 2;
*(_QWORD *)a1 = v21 + *(_QWORD *)(a1 + 400);
continue
;
case
7LL:
if
( *(_BYTE *)(a1 + 280) )
goto
LABEL_2;
v15 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 304) = v15 + *(_QWORD *)(a1 + 400);
continue
;
case
8LL:
v20 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 312) = v20 / 0x18;
continue
;
case
9LL:
case
11LL:
if
( *v4 != 24 )
return
0LL;
goto
LABEL_2;
case
10LL:
v17 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 448) = v17;
continue
;
case
12LL:
v18 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 368) = v18 + *(_QWORD *)(a1 + 400);
continue
;
case
13LL:
v14 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 376) = v14 + *(_QWORD *)(a1 + 400);
continue
;
case
16LL:
goto
LABEL_31;
case
17LL:
case
18LL:
case
22LL:
return
result;
case
20LL:
if
( *v4 != 7 )
return
0LL;
goto
LABEL_2;
case
23LL:
if
( *(_BYTE *)(a1 + 280) )
goto
LABEL_2;
v29 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 288) = v29 + *(_QWORD *)(a1 + 400);
continue
;
case
25LL:
v13 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 336) = v13 + *(_QWORD *)(a1 + 400);
continue
;
case
26LL:
v28 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 352) = v28 + *(_QWORD *)(a1 + 400);
continue
;
case
27LL:
v16 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 344) = (unsigned
int
)v16 >> 3;
continue
;
case
28LL:
v12 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 360) = (unsigned
int
)v12 >> 3;
continue
;
case
30LL:
if
( (*v4 & 4) != 0 )
return
0LL;
if
( (*v4 & 2) != 0 )
LABEL_31:
*(_BYTE *)(a1 + 408) = 1;
LABEL_2:
v4 += 2;
continue
;
case
32LL:
v27 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 320) = v27 + *(_QWORD *)(a1 + 400);
continue
;
case
33LL:
v30 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 328) = (unsigned
int
)v30 >> 3;
continue
;
default
:
if
( v5 != 1879047925 )
goto
LABEL_2;
*(_BYTE *)(a1 + 41) = 1;
v7 = *(_QWORD *)(a1 + 400);
v8 = *(unsigned
int
*)(*v4 + v7);
*(_QWORD *)(a1 + 48) = v8;
v9 = *(unsigned
int
*)(*v4 + v7 + 8);
*(_DWORD *)(a1 + 72) = v9;
*(_DWORD *)(a1 + 76) = *(_DWORD *)(*v4 + v7 + 12);
v10 = v7 + *v4 + 16;
*(_QWORD *)(a1 + 80) = v10;
v11 = v10 + 8 * v9;
*(_QWORD *)(a1 + 56) = v11;
*(_QWORD *)(a1 + 64) = v11 + 4 * v8 - 4LL * *(unsigned
int
*)(*v4 + v7 + 4);
if
( (((_DWORD)v9 - 1) & (unsigned
int
)v9) != 0 )
return
0LL;
*(_DWORD *)(a1 + 72) = v9 - 1;
v4 += 2;
continue
;
}
break
;
}
while
( 1 )
{
v33 = *(v32 - 1);
if
( v33 == 1 )
break
;
if
( !v33 )
return
&dword_0 + 1;
LABEL_37:
v32 += 2;
}
v34 = (
const
char
*)(*(_QWORD *)(a1 + 272) + *v32);
if
( _strlen_chk(v34, 0xFFFFFFFFFFFFFFFFLL) <= 0x80 && v31 < *(_DWORD *)(a1 + 456) )
{
strncpy
((
char
*)(*(_QWORD *)(a1 + 464) + 144LL * v31 + 8), v34, 0x7FuLL);
result = dlopen(v34, 2);
if
( !result )
return
result;
v35 = 144LL * v31;
*(_QWORD *)(*(_QWORD *)(a1 + 464) + v35) = result;
++v31;
*(_QWORD *)(*(_QWORD *)(a1 + 464) + v35 + 136) = 0LL;
goto
LABEL_37;
}
return
0LL;
}
void
*__fastcall sub_379C(
__int64
a1)
{
unsigned
int
v2;
__int64
v3;
unsigned
__int64
*v4;
__int64
v5;
void
*result;
__int64
v7;
__int64
v8;
__int64
v9;
__int64
v10;
__int64
v11;
unsigned
__int64
v12;
unsigned
__int64
v13;
unsigned
__int64
v14;
unsigned
__int64
v15;
unsigned
__int64
v16;
unsigned
__int64
v17;
unsigned
__int64
v18;
unsigned
__int64
v19;
unsigned
__int64
v20;
unsigned
__int64
v21;
unsigned
__int64
v22;
__int64
v23;
__int64
v24;
__int64
v25;
unsigned
__int64
v26;
unsigned
__int64
v27;
unsigned
__int64
v28;
unsigned
__int64
v29;
unsigned
__int64
v30;
unsigned
int
v31;
_QWORD *v32;
__int64
v33;
const
char
*v34;
__int64
v35;
v2 = 0;
_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
v3 = *(_QWORD *)(a1 + 256);
v4 = (unsigned
__int64
*)(v3 + 8);
while
( 2 )
{
v5 = *(v4 - 1);
result = 0LL;
switch
( v5 )
{
case
0LL:
if
( !*(_QWORD *)(a1 + 272) || !*(_QWORD *)a1 )
return
0LL;
*(_DWORD *)(a1 + 456) = v2;
result =
calloc
(1uLL, 144LL * v2);
*(_QWORD *)(a1 + 464) = result;
if
( !result )
return
result;
v31 = 0;
v32 = (_QWORD *)(v3 + 8);
break
;
case
1LL:
++v2;
v4 += 2;
continue
;
case
2LL:
v19 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 296) = v19 / 0x18;
continue
;
case
3LL:
case
14LL:
case
15LL:
case
19LL:
case
21LL:
case
24LL:
case
29LL:
case
31LL:
goto
LABEL_2;
case
4LL:
*(_BYTE *)(a1 + 40) = 1;
v23 = *(_QWORD *)(a1 + 400);
v24 = *(unsigned
int
*)(*v4 + v23);
*(_QWORD *)(a1 + 8) = v24;
v25 = *(unsigned
int
*)(*v4 + v23 + 4);
v23 += 8LL;
*(_QWORD *)(a1 + 24) = v25;
*(_QWORD *)(a1 + 16) = v23 + *v4;
v26 = *v4;
v4 += 2;
*(_QWORD *)(a1 + 32) = v23 + 4 * v24 + v26;
continue
;
case
5LL:
v22 = *v4;
[注意]看雪招聘,专注安全领域的专业人才平台!
最后于 2025-2-12 13:53
被逆天而行编辑
,原因: 修改标题