闲着没事,看到有新游出来,于是简单的分析学习一下。
由于时间和水平有限,本文会存在诸多不足,欢迎补充指正。
样本:xqtd
加固:mtp
工具:ida、010、jadx、frida
libtprt.so简单处理
寄存器间接跳转
import idautils
import idc
import idaapi
import ida_ua
from keystone import *
g_reg = [0] * 40
reg_base = 129
g_cond_info = list()
ldr_reg = -1
add_reg = -1
ks = keystone.Ks(keystone.KS_ARCH_ARM64, keystone.KS_MODE_LITTLE_ENDIAN)
def get_opcode(ea):
opcode = None
disasm = idc.GetDisasm(ea)
if disasm.find('LT') != -1:
opcode = 'blt'
elif disasm.find('EQ') != -1:
opcode = 'beq'
elif disasm.find('CC') != -1:
opcode = 'bcc'
elif disasm.find('GT') != -1:
opcode = 'bgt'
elif disasm.find('NE') != -1:
opcode = 'bne'
elif disasm.find('GE') != -1:
opcode = 'bge'
elif disasm.find('HI') != -1:
opcode = 'bhi'
return opcode
def do_patch(patch_1, patch_2, opcode, cond_jmp_addr, uncond_jmp_addr):
print("patch_1=0x%x patch_1=0x%x opcode=%s cond_jmp_addr=0x%x uncond_jmp_addr=0x%x" % (patch_1, patch_2, opcode, cond_jmp_addr, uncond_jmp_addr))
jump_offset = " ({:d})".format(cond_jmp_addr - patch_1)
repair_opcode = opcode + jump_offset
encoding, count = ks.asm(repair_opcode)
idaapi.patch_byte(patch_1, encoding[0])
idaapi.patch_byte(patch_1 + 1, encoding[1])
idaapi.patch_byte(patch_1 + 2, encoding[2])
idaapi.patch_byte(patch_1 + 3, encoding[3])
jump_offset = " ({:d})".format(uncond_jmp_addr - patch_2)
repair_opcode = 'b' + jump_offset
encoding, count = ks.asm(repair_opcode)
idaapi.patch_byte(patch_2, encoding[0])
idaapi.patch_byte(patch_2 + 1, encoding[1])
idaapi.patch_byte(patch_2 + 2, encoding[2])
idaapi.patch_byte(patch_2 + 3, encoding[3])
def do_deobf(ea):
# 获取跳转条件
opcode = get_opcode(ea)
if opcode is None:
print("opcode:unknown opcode 0x%x" % ea)
return ea
# 获取跳转信息
cond_reg = -1
uncond_reg = -1
cond_data = -1
uncond_data = -1
mnem = idc.ida_ua.ua_mnem(ea)
if mnem == 'CSEL':
cond_reg = idc.get_operand_value(ea, 1)
uncond_reg = idc.get_operand_value(ea, 2)
elif mnem == 'CSET':
cond_data = 1
uncond_data = 0
ea = idc.next_head(ea)
# 获取LDR寄存器
ldr_reg = -1
lsl_value = -1
mnem = idc.ida_ua.ua_mnem(ea)
if mnem == 'LSL':
lsl_value = idc.get_operand_value(ea, 2)
ea = idc.next_head(ea)
mnem = idc.ida_ua.ua_mnem(ea)
if mnem != 'LDR':
print("LDR:0x%x -> %s" % (ea, mnem))
return ea
operand_type = idc.get_operand_type(ea, 1)
if operand_type == idc.o_phrase:
insn = ida_ua.insn_t()
ida_ua.decode_insn(insn, ea)
ldr_reg = insn.Op2.reg
if lsl_value == -1:
lsl_value = insn.Op2.value
else:
return ea
ea = idc.next_head(ea)
# 获取ADD寄存器
mnem = idc.ida_ua.ua_mnem(ea)
if mnem == 'MOV':
ea = idc.next_head(ea)
mnem = idc.ida_ua.ua_mnem(ea)
if mnem != 'ADD':
print("ADD:0x%x -> %s" % (ea, mnem))
return ea
op_3 = idc.print_operand(ea, 2)
op_3 = op_3[1:]
ea = idc.next_head(ea)
# 进行patch
mnem = idc.ida_ua.ua_mnem(ea)
if mnem != 'BR':
print("BR:0x%x -> %s" % (ea, mnem))
return ea
#print('1 = %d 2 = %d 3 = 0x%x' % (g_reg[ldr_reg - reg_base], g_reg[cond_reg - reg_base], g_reg[int(op_3)]))
if cond_data != -1 and uncond_data != -1:
print(lsl_value)
cond_jmp_addr = (idc.get_qword(g_reg[ldr_reg - reg_base] + (cond_data << lsl_value)) + g_reg[int(op_3)]) & 0xffffffffffffffff
uncond_jmp_addr = (idc.get_qword(g_reg[ldr_reg - reg_base] + (uncond_data << lsl_value)) + g_reg[int(op_3)]) & 0xffffffffffffffff
else:
cond_jmp_addr = (idc.get_qword(g_reg[ldr_reg - reg_base] + (g_reg[cond_reg - reg_base] << lsl_value)) + g_reg[int(op_3)]) & 0xffffffffffffffff
uncond_jmp_addr = (idc.get_qword(g_reg[ldr_reg - reg_base] + (g_reg[uncond_reg - reg_base] << lsl_value)) + g_reg[int(op_3)]) & 0xffffffffffffffff
do_patch(idc.prev_head(ea), ea, opcode, cond_jmp_addr, uncond_jmp_addr)
return ea
def deobf(ea):
off_reg = -1
off_data = -1
while True:
mnem = idc.ida_ua.ua_mnem(ea)
if mnem == 'RET':
break
elif mnem == 'MOV':
op_1_type = idc.get_operand_type(ea, 0)
op_2_type = idc.get_operand_type(ea, 1)
if (op_1_type == idc.o_reg) and (op_2_type == idc.o_imm):
op_1 = idc.get_operand_value(ea, 0)
op_2 = idc.get_operand_value(ea, 1)
g_reg[op_1 - reg_base] = op_2
elif mnem == 'MOVK':
op_1_type = idc.get_operand_type(ea, 0)
op_2_type = idc.get_operand_type(ea, 1)
op_3_type = idc.get_operand_type(ea, 2)
if (op_1_type == idc.o_reg) and (op_2_type == idc.o_imm):
op_1 = idc.get_operand_value(ea, 0)
op_2 = idc.get_operand_value(ea, 1)
g_reg[op_1 - reg_base] = (op_2 << 16) | (g_reg[op_1 - reg_base] & 0xffff)
elif mnem == 'ADRP':
op_1 = idc.get_operand_value(ea, 0)
op_2 = idc.get_operand_value(ea, 1)
off_reg = op_1
off_data = op_2
elif mnem == 'ADD':
op_1 = idc.get_operand_value(ea, 0)
op_2 = idc.get_operand_value(ea, 1)
op_3 = idc.get_operand_value(ea, 2)
op_3_type = idc.get_operand_type(ea, 2)
if (op_1 == off_reg) and (op_2 == off_reg) and (op_3_type == idc.o_imm):
off_data = off_data + op_3
ldr_reg = off_reg - reg_base
g_reg[ldr_reg] = off_data
elif (mnem == 'CSEL') or (mnem == 'CSINC') or (mnem == 'CSET') or (mnem == 'CINC'):
ea = do_deobf(ea)
continue
ea = idc.next_head(ea)
def test():
for i in range(len(g_reg)):
print("%d:0x%x" % (i, g_reg[i]))
def main():
ea = idc.get_screen_ea()
func = idaapi.get_func(ea)
ea = func.start_ea
print("start deobf fun:0x%x" %(ea))
deobf(ea)
print("deobf ok!")
pass
if __name__ == "__main__":
main()
字符串解密
libtprt.so中,部分字符串的解密,都是同一个算法,写了个简单脚本libtersafe2.so中其实也是一样的
import idautils
import idc
import idaapi
decrypt_fun_list = dict()
def get_code_refs_to_list(addr):
result = list(idautils.CodeRefsTo(addr, True))
return result
def do_decrypt(src_addr, dst_addr, offset, eor_data, add_data, call_addr):
flag = idc.get_wide_byte(src_addr)
str_len = flag ^ (idc.get_wide_byte(src_addr + 1))
final_str = ''
for i in range(str_len):
v4 = idc.get_wide_byte(src_addr + 2 + i)
v5 = (flag + i) ^ eor_data
final_str += chr((v4 ^ flag) & 0xff)
flag = v5 + add_data
decrypt_fun_list[call_addr] = final_str + " " + str(hex(offset))
print('decrypt_addr=0x%x offset=0x%x, final_str=%s' % (call_addr, offset, final_str))
def decrpt_str():
decrypt_fun_list.clear()
tmp_list = [7, 6, 5, 4, 3, 2, 1]
fun_list = get_code_refs_to_list(0x106C54)
if not fun_list:
return
for i in range(len(fun_list)):
call_addr = fun_list[i]
call_addr_start = idc.get_func_attr(call_addr, idc.FUNCATTR_START)
caller_fun_list = get_code_refs_to_list(call_addr_start)
for j in range(len(caller_fun_list)):
call_decryptStr_addr = caller_fun_list[j]
arg_addr = idc.prev_head(call_decryptStr_addr)
mnem = idc.ida_ua.ua_mnem(arg_addr)
register = idc.get_operand_value(arg_addr, 0)
while True:
if (register == 129) and (mnem == 'MOV'):
break
arg_addr = idc.prev_head(arg_addr)
mnem = idc.ida_ua.ua_mnem(arg_addr)
register = idc.get_operand_value(arg_addr, 0)
offset = idc.get_operand_value(arg_addr, 1)
if offset == 0xa0:
offset = 0
src_addr = 0x1250D8 + offset
dst_addr = 0x15E778 + offset
index = offset % 100
eor_data = index
add_data = tmp_list[(index % 7)]
do_decrypt(src_addr, dst_addr, offset, eor_data, add_data, call_decryptStr_addr)
pass
def main():
decrpt_str()
if __name__ == "__main__":
main()
- 解密结果,还是暴露了不少关键信息的
ollvm混淆
- 不算太严重,不是很影响分析,也就没有处理,将就着看了
libtprt.so检测
hook检测
- 在
0xB1484中会对代码段计算crc32并进行比较
- 从
0x5e0f0到0x11fb90,大小0xc1aa0
- 修改返回结果为0来过掉检测
- 在
sub_9AAFC中获取linker64的路径,通过解析文件格式获取符号的地址
- 在方法
sub_F5AC0:对文件中和内存中方法的前32个字节进行比较
- 获取的符号如下
__loader_dlopen
__loader_android_dlopen_ext
rtld_db_dlactivity //在非调试模式下为空函数,如果程序被调试则会被修改为对应的断点指令
- 在方法
sub_B4BC0反射调用来了findClass
cc/binmt/signature/PmsHookApplication
com/cloudinject/feature/App
np/manager/FuckSign
bin/mt/apksignaturekillerplus/HookApplication
emulator检测
/init.vbox86.rc
/dev/socket/genyd
/data/data/com.tencent.tinput
init.android_x86.rc
ueventd.android_x86.rc
/system/framework/x86
Seccomp-BPF检测
- 在
sub_AA338打开了/proc/self/status,获取了Seccomp对应的值
- 其中
sub_A9EB0方法返回值即Seccomp对应的值
debugger检测
-
在方法sub_DCCE8反射获取ADB_ENABLED
-
在方法sub_DD468反射获取android.hardware.usb.action.USB_STATE
-
在方法sub_98B34遍历maps查找libjdwp.so
-
在方法sub_985D4反射调用isDebuggerConnected
-
在方法sub_9843C使用socket连接了127.0.0.1:23946
-
在方法sub_F0DAC打开了/proc/%d/status,获取了TracerPid
-
在方法sub_9BE6C中创建了线程,并调用gettimeofday获取了线程创建前后的时间差
frida检测
-
在方法sub_98B34遍历maps查找frida-gadget、frida-agent
-
在方法sub_994A8使用socket连接了127.0.0.1:27402
-
使用strong-frida编译修改的frida,需要修改对应的端口
-
同时,在frida中,将对应的hook检测过掉,就可以正常的对libtprt.so进行hook
libtersafe2.so的简单分析
字符串解密
import idautils
import idc
import idaapi
decrypt_fun_list = dict()
def get_code_refs_to_list(addr):
result = list(idautils.CodeRefsTo(addr, True))
return result
def do_decrypt(src_addr, dst_addr, offset, eor_data, add_data, call_addr):
flag = idc.get_wide_byte(src_addr)
str_len = flag ^ (idc.get_wide_byte(src_addr + 1))
final_str = ''
for i in range(str_len):
v10 = idc.get_wide_byte(src_addr + 2 + i) ^ flag
flag = ((i + flag) ^ eor_data) + add_data
final_str += chr(v10 & 0xff)
decrypt_fun_list[call_addr] = final_str + " " + str(hex(offset))
print('call_addr=0x%x, offset=0x%x, eor_data=0x%x, add_data=0x%x, final_str=%s' % (call_addr, offset, eor_data, add_data, final_str))
def decrpt_str():
decrypt_fun_list.clear()
tmp_list = [7, 6, 5, 4, 3, 2, 1]
fun_list = get_code_refs_to_list(0x27E724)
if not fun_list:
return
for i in range(len(fun_list)):
arg_addr = fun_list[i]
call_addr = arg_addr
fun_start = idc.get_func_attr(arg_addr, idc.FUNCATTR_START)
mnem = idc.ida_ua.ua_mnem(arg_addr)
register = idc.get_operand_value(arg_addr, 0)
while arg_addr >= fun_start:
if (register == 129) and (mnem == 'MOV'):
offset = idc.get_operand_value(arg_addr, 1)
break
arg_addr = idc.prev_head(arg_addr)
mnem = idc.ida_ua.ua_mnem(arg_addr)
register = idc.get_operand_value(arg_addr, 0)
if offset == 0xa0:
offset = 0
index = offset % 100
eor_data = index
add_data = tmp_list[(index % 7)]
# src = 0x3880E4 dst = 0x4C9B78
src_addr = 0x3880E4 + offset
dst_addr = 0x4C9B78 + offset
do_decrypt(src_addr, dst_addr, offset, eor_data, add_data, call_addr)
def main():
decrpt_str()
if __name__ == "__main__":
main()
- 字符串暴露出了很多关键信息
相关的检测和脚本
__int64 __fastcall sub_26A218(__int64 result)
{
v1 = result;
if ( !*(_QWORD *)(result + 8) )
{
v11 = sub_27E724(0x1ADE);
v12 = 0;
v13[0] = (__int64)sub_26E5D8;
v13[1] = sub_27E724(0x1AEB);
v14 = 0;
v15 = sub_26E644;
v16 = sub_27E724(0x1AF9);
v17 = 0;
v18 = sub_26E700;
v19 = sub_27E724(0x147E);
v20 = 13;
v21 = sub_26B698;
v22 = sub_27E724(5260);
v23 = 11;
v24 = sub_26B398;
v25 = sub_27E724(5266);
v26 = 4;
v27 = sub_26B714;
v28 = sub_27E724(5276);
v29 = 4;
v30 = sub_26B748;
v31 = sub_27E724(5286);
v32 = 2;
v33 = sub_26B76C;
v34 = sub_27E724(5299);
v35 = 3;
v36 = sub_26B79C;
v37 = sub_27E724(5312);
v38 = 3;
v39 = &sub_26B824;
v40 = sub_27E724(5322);
v41 = 14;
v42 = sub_26CC04;
v43 = sub_27E724(5330);
v44 = 3;
v45 = &sub_26B8A0;
v46 = sub_27E724(5341);
v47 = 3;
v48 = sub_26B918;
v49 = sub_27E724(5356);
v50 = 5;
v51 = sub_26BB7C;
v52 = sub_27E724(5370);
v53 = 3;
v54 = sub_26BACC;
v55 = sub_27E724(5384);
v56 = 4;
v57 = sub_26BD10;
v58 = sub_27E724(5398);
v59 = 4;
v60 = sub_26BDE8;
v61 = sub_27E724(5413);
v62 = 5;
v63 = sub_26BEBC;
v64 = sub_27E724(5428);
v65 = 5;
v66 = sub_26BF74;
v67 = sub_27E724(5443);
v68 = 5;
v69 = sub_26C02C;
v70 = sub_27E724(5458);
v71 = 2;
v72 = sub_26C0E4;
v73 = sub_27E724(5465);
v74 = 3;
v75 = sub_26C128;
v76 = sub_27E724(5478);
v77 = 3;
v78 = sub_26C208;
v79 = sub_27E724(5491);
v80 = 3;
v81 = sub_26C1C8;
v82 = sub_27E724(5504);
v83 = 3;
v84 = sub_26C248;
v85 = sub_27E724(5521);
v86 = 3;
v87 = sub_26C288;
v88 = sub_27E724(5539);
v89 = 3;
v90 = sub_26C338;
v91 = sub_27E724(5553);
v92 = 3;
v93 = sub_26C3AC;
v94 = sub_27E724(5566);
v95 = 3;
v96 = sub_26C45C;
v97 = sub_27E724(5579);
v98 = 3;
v99 = sub_26C404;
v100 = sub_27E724(5592);
v101 = 3;
v102 = sub_26B934;
v103 = sub_27E724(5605);
v104 = 3;
v105 = sub_26B9BC;
v106 = sub_27E724(5618);
v107 = 3;
v108 = sub_26BA44;
v109 = sub_27E724(5631);
v110 = 17;
v111 = sub_26CC54;
v112 = sub_27E724(5645);
v113 = 18;
v114 = sub_26CC98;
v115 = sub_27E724(5661);
v116 = 19;
v117 = sub_26CCF4;
v118 = sub_27E724(5681);
v119 = 15;
v120 = sub_26C4B4;
v121 = sub_27E724(5700);
v122 = 20;
v123 = sub_26CD64;
v124 = sub_27E724(5713);
v125 = 3;
v126 = sub_26CE88;
v127 = sub_27E724(5730);
v128 = 3;
v129 = sub_26CF3C;
v130 = sub_27E724(0x1678);
v131 = 3;
v132 = sub_26CFF0;
v133 = sub_27E724(5768);
v134 = 6;
v135 = sub_26D08C;
v136 = sub_27E724(5780);
v137 = 6;
v138 = sub_26D1C8;
v139 = sub_27E724(5796);
v140 = 7;
v141 = sub_26D334;
v142 = sub_27E724(5809);
v143 = 7;
v144 = sub_26D33C;
v145 = sub_27E724(6915);
v146 = 2;
v147 = sub_26D344;
v148 = sub_27E724(5826);
v149 = 2;
v150 = sub_26D3B8;
v151 = sub_27E724(5840);
v152 = 2;
v153 = sub_26D3E8;
v154 = sub_27E724(5858);
v155 = 1;
v156 = sub_26DA50;
v157 = sub_27E724(5870);
v158 = 1;
v159 = sub_26DA5C;
v160 = sub_27E724(5882);
v161 = 7;
v162 = sub_26DC8C;
v163 = sub_27E724(5897);
v164 = 7;
v165 = sub_26DC94;
v166 = sub_27E724(5916);
v167 = 3;
v168 = sub_26DC9C;
v169 = sub_27E724(6460);
v170 = 3;
v171 = sub_26DCB8;
v172 = sub_27E724(6669);
v173 = 1;
v174 = sub_26C598;
v175 = sub_27E724(5934);
v176 = 15;
v177 = sub_26C5C4;
v178 = sub_27E724(5949);
v179 = 7;
v180 = sub_26E1B0;
v181 = sub_27E724(5974);
v182 = 7;
v183 = sub_26E1B8;
v184 = sub_27E724(6003);
v185 = 1;
v186 = sub_26C5B4;
v187 = sub_27E724(6012);
v188 = 1;
v189 = sub_26C5BC;
v190 = sub_27E724(6021);
v191 = 15;
v192 = sub_26C5DC;
v193 = sub_27E724(6032);
v194 = 15;
v195 = sub_26C660;
v196 = sub_27E724(6042);
v197 = 14;
v198 = sub_26C6E4;
v199 = sub_27E724(6058);
v200 = 3;
v201 = sub_26C780;
v202 = sub_27E724(6388);
v203 = 3;
v204 = sub_26C7D4;
v205 = sub_27E724(6074);
v206 = 15;
v207 = sub_26D418;
v208 = sub_27E724(6085);
v209 = 5;
v210 = sub_26D5AC;
v211 = sub_27E724(6098);
v212 = 5;
v213 = sub_26D5EC;
v214 = sub_27E724(6115);
v215 = 5;
v216 = sub_26D62C;
v217 = sub_27E724(6129);
v218 = 5;
v219 = sub_26D704;
v220 = sub_27E724(6143);
v221 = 5;
v222 = sub_26D6C0;
v223 = sub_27E724(6157);
v224 = 3;
v225 = sub_26D748;
v226 = sub_27E724(6175);
v227 = 5;
v228 = sub_26D870;
v229 = sub_27E724(6194);
v230 = 5;
v231 = sub_26D8B0;
v232 = sub_27E724(6368);
v233 = 1;
v234 = sub_26E1C0;
v235 = sub_27E724(6378);
v236 = 2;
v237 = &sub_26E1D8;
v238 = sub_27E724(6482);
v239 = 1;
v240 = sub_26DE88;
v241 = sub_27E724(6506);
v242 = 3;
v243 = sub_26E264;
v244 = sub_27E724(6533);
v245 = 2;
v246 = &sub_26E360;
v247 = sub_27E724(6561);
v248 = 2;
v249 = &sub_26E3C8;
v250 = sub_27E724(6590);
v251 = 1;
v252 = sub_26E430;
v253 = sub_27E724(6604);
v254 = 1;
v255 = sub_26E438;
v256 = sub_27E724(6628);
v257 = 1;
v258 = sub_26E450;
v259 = sub_27E724(6647);
v260 = 2;
v261 = sub_26E46C;
v262 = sub_27E724(6783);
v263 = 1;
v264 = sub_26E538;
v265 = sub_27E724(6802);
v266 = 3;
v267 = &sub_26E540;
v268 = sub_27E724(6823);
v269 = 1;
v270 = sub_26E5BC;
v271 = sub_27E724(6274);
v272 = 5;
v273 = sub_26C828;
v274 = sub_27E724(6292);
v275 = 1;
v276 = sub_26C8C4;
v277 = sub_27E724(6302);
v278 = 1;
v279 = sub_26C8E0;
v280 = sub_27E724(6312);
v281 = 3;
v282 = sub_26C8FC;
v283 = sub_27E724(6326);
v284 = 3;
v285 = sub_26C97C;
v286 = sub_27E724(6340);
v287 = 4;
v288 = sub_26CA00;
v289 = sub_27E724(6929);
v290 = 3;
v291 = sub_26CA44;
v292 = sub_27E724(6939);
v293 = 3;
v294 = sub_26CAC4;
v295 = sub_27E724(6949);
v296 = 4;
v297 = sub_26CB48;
v298 = sub_27E724(6357);
v299 = 2;
v300 = &sub_26CB90;
v301 = sub_27E724(6405);
v302 = 3;
v303 = sub_26DD1C;
v304 = sub_27E724(6428);
v305 = 3;
v306 = sub_26DD7C;
v307 = sub_27E724(6442);
v308 = 3;
v309 = sub_26DE00;
v310 = sub_27E724(6695);
v311 = 1;
v312 = sub_26DE08;
v313 = sub_27E724(6714);
v314 = 1;
v315 = sub_26DE38;
v316 = sub_27E724(6733);
v317 = 1;
v318 = sub_26DE68;
v319 = sub_27E724(6766);
v320 = 1;
v321 = sub_26DE84;
v322 = sub_27E724(6836);
v323 = 3;
v324 = &sub_26DF54;
v325 = sub_27E724(6851);
v326 = 4;
v327 = &sub_26DFBC;
v328 = sub_27E724(6962);
v329 = 14;
v330 = sub_26E044;
v331 = sub_27E724(6978);
v332 = 5;
v2 = 0LL;
v333 = sub_26E058;
do
{
v3 = *(unsigned __int8 **)((char *)&v11 + v2 * 8);
v4 = strlen_sub_2398FC((__int64)v3);
v5 = crc32_sub_22B670(v3, v4);
v6 = v13[v2];
v7 = *(_OWORD *)((char *)&v11 + v2 * 8);
v8 = v5;
v10 = v6;
v9 = v7;
result = sub_26B030(v1, &v8);
v2 += 3LL;
}
while ( v2 != 324 );
}
return result;
}
- 在方法
sub_268F9C对自定义的脚本进行语法解析,如果是方法,找到对应的模拟方法的Hander,计算方法名crc,通过crc查找上面表中对应的方法地址并执行
sub_268F9C onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
b400007137d6b058 6d 6f 64 75 6c 65 5f 65 78 69 73 74 73 28 22 6c module_exists("l
b400007137d6b068 69 62 68 6f 75 64 69 6e 69 5f 34 31 35 63 2e 73 ibhoudini_415c.s
b400007137d6b078 6f 22 29 00 00 00 00 00 00 00 00 00 00 00 00 00 o").............
b400007137d6b088 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b098 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b0a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b0b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b0c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b0d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b0e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b0f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b108 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b118 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b128 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b138 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b400007137d6b148 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
libtersafe2 base: 0x753bc01000
sub_22B670 onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
753bc27000 1f 28 00 71 20 04 00 54 7f 04 00 f1 61 00 00 54 .(.q ..T....a..T
753bc27010 1f 28 00 71 ad 03 00 54 7f 04 00 f1 f3 d7 9f 1a .(.q...T........
753bc27020 53 00 00 35 23 03 00 b5 1f 50 00 71 13 00 80 52 S..5#....P.q...R
753bc27030 c0 02 00 54 e0 03 01 aa 61 1b 00 f0 21 e0 26 91 ...T....a...!.&.
753bc27040 f5 03 02 aa 86 7a 0a 94 00 01 00 b4 61 1b 00 f0 .....z......a...
753bc27050 62 1b 00 f0 21 00 27 91 42 20 27 91 7e 4c 0a 94 b...!.'.B '.~L..
753bc27060 80 02 02 39 09 00 00 14 61 1b 00 f0 e0 03 15 aa ...9....a.......
753bc27070 21 60 27 91 7a 4b 0a 94 f3 03 00 2a 60 00 00 35 !`'.zK.....*`..5
753bc27080 20 00 80 52 80 02 02 39 e0 03 13 2a f5 13 40 f9 ..R...9...*..@.
753bc27090 f3 53 41 a9 fd 7b c3 a8 c0 03 5f d6 1f 08 40 71 .SA..{...._...@q
753bc270a0 00 0b 00 54 08 05 00 54 1f 00 01 71 e1 03 00 2a ...T...T...q...*
753bc270b0 20 0c 00 54 48 02 00 54 1f 10 00 71 a0 09 00 54 ..TH..T...q...T
753bc270c0 c8 00 00 54 00 04 00 51 21 00 80 52 1f 04 00 71 ...T...Q!..R...q
753bc270d0 29 0b 00 54 57 00 00 14 1f 40 00 71 01 02 80 52 )..TW....@.q...R
753bc270e0 a0 0a 00 54 1f 80 00 71 01 04 80 52 40 0a 00 54 ...T...q...R@..T
753bc270f0 1f 20 00 71 e1 09 00 54 3e 00 00 14 1f 00 08 71 . .q...T>......q 0x340000
- 在方法
sub_22B6AC对代码段每0x1000大小做一次crc校验
libtersafe2 base: 0x753bc01000
sub_22B6AC onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
753bc27000 1f 28 00 71 20 04 00 54 7f 04 00 f1 61 00 00 54 .(.q ..T....a..T
753bc27010 1f 28 00 71 ad 03 00 54 7f 04 00 f1 f3 d7 9f 1a .(.q...T........
753bc27020 53 00 00 35 23 03 00 b5 1f 50 00 71 13 00 80 52 S..5#....P.q...R
753bc27030 c0 02 00 54 e0 03 01 aa 61 1b 00 f0 21 e0 26 91 ...T....a...!.&.
753bc27040 f5 03 02 aa 86 7a 0a 94 00 01 00 b4 61 1b 00 f0 .....z......a...
753bc27050 62 1b 00 f0 21 00 27 91 42 20 27 91 7e 4c 0a 94 b...!.'.B '.~L..
753bc27060 80 02 02 39 09 00 00 14 61 1b 00 f0 e0 03 15 aa ...9....a.......
753bc27070 21 60 27 91 7a 4b 0a 94 f3 03 00 2a 60 00 00 35 !`'.zK.....*`..5
753bc27080 20 00 80 52 80 02 02 39 e0 03 13 2a f5 13 40 f9 ..R...9...*..@.
753bc27090 f3 53 41 a9 fd 7b c3 a8 c0 03 5f d6 1f 08 40 71 .SA..{...._...@q
753bc270a0 00 0b 00 54 08 05 00 54 1f 00 01 71 e1 03 00 2a ...T...T...q...*
753bc270b0 20 0c 00 54 48 02 00 54 1f 10 00 71 a0 09 00 54 ..TH..T...q...T
753bc270c0 c8 00 00 54 00 04 00 51 21 00 80 52 1f 04 00 71 ...T...Q!..R...q
753bc270d0 29 0b 00 54 57 00 00 14 1f 40 00 71 01 02 80 52 )..TW....@.q...R
753bc270e0 a0 0a 00 54 1f 80 00 71 01 04 80 52 40 0a 00 54 ...T...q...R@..T
753bc270f0 1f 20 00 71 e1 09 00 54 3e 00 00 14 1f 00 08 71 . .q...T>......q 0x1000 0xffffffff
sub_22B6AC onEnter: 0xa92ef9dc
sub_22B6AC onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
753bc28000 ff 83 00 d1 fd 7b 01 a9 fd 43 00 91 c8 24 00 f0 .....{...C...$..
753bc28010 00 41 22 91 47 7a 02 94 c8 23 00 f0 08 e9 47 f9 .A".Gz...#....G.
753bc28020 c0 24 00 f0 01 40 22 91 e0 23 00 90 02 f4 43 f9 .$...@"..#....C.
753bc28030 e0 03 08 aa b7 f7 ff 97 a0 c3 1f b8 fd 7b 41 a9 .............{A.
753bc28040 ff 83 00 91 c0 03 5f d6 ff 83 00 d1 fd 7b 01 a9 ......_......{..
753bc28050 fd 43 00 91 c8 24 00 f0 00 01 23 91 35 7a 02 94 .C...$....#.5z..
753bc28060 c8 23 00 f0 08 e9 47 f9 c0 24 00 f0 01 00 23 91 .#....G..$....#.
753bc28070 e0 23 00 90 02 f4 43 f9 e0 03 08 aa a5 f7 ff 97 .#....C.........
753bc28080 a0 c3 1f b8 fd 7b 41 a9 ff 83 00 91 c0 03 5f d6 .....{A......._.
753bc28090 ff 83 00 d1 fd 7b 01 a9 fd 43 00 91 c8 24 00 f0 .....{...C...$..
753bc280a0 00 c1 23 91 23 7a 02 94 c8 23 00 f0 08 e9 47 f9 ..#.#z...#....G.
753bc280b0 c0 24 00 f0 01 c0 23 91 e0 23 00 90 02 f4 43 f9 .$....#..#....C.
753bc280c0 e0 03 08 aa 93 f7 ff 97 a0 c3 1f b8 fd 7b 41 a9 .............{A.
753bc280d0 ff 83 00 91 c0 03 5f d6 ff 83 00 d1 fd 7b 01 a9 ......_......{..
753bc280e0 fd 43 00 91 c8 24 00 f0 00 81 24 91 90 e6 01 94 .C...$....$.....
753bc280f0 e8 23 00 90 08 41 44 f9 c0 24 00 f0 00 80 24 91 .#...AD..$....$. 0x1000 0xa92ef9dc
sub_22B6AC onEnter: 0x66073cb2
sub_22B6AC onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
753bc29000 fd 43 00 91 f3 24 00 d0 73 02 11 91 e0 03 13 aa .C...$..s.......
753bc29010 dc 2d 08 94 c0 23 00 f0 c2 23 00 f0 00 c4 41 f9 .-...#...#....A.
753bc29020 42 f4 43 f9 fd 7b 41 a9 e1 03 13 aa f3 07 42 f8 B.C..{A.......B.
753bc29030 b8 f3 ff 17 f3 0f 1e f8 fd 7b 01 a9 fd 43 00 91 .........{...C..
753bc29040 f3 24 00 d0 73 42 26 91 e0 03 13 aa 89 2d 08 94 .$..sB&......-..
753bc29050 c0 23 00 f0 c2 23 00 f0 00 14 40 f9 42 f4 43 f9 .#...#....@.B.C.
753bc29060 fd 7b 41 a9 e1 03 13 aa f3 07 42 f8 a9 f3 ff 17 .{A.......B.....
753bc29070 f3 0f 1e f8 fd 7b 01 a9 fd 43 00 91 40 6a 81 52 .....{...C..@j.R
753bc29080 a9 59 09 94 13 25 00 b0 73 22 2a 91 60 02 00 f9 .Y...%..s"*.`...
753bc29090 21 e7 08 94 48 12 00 f0 08 b1 23 91 60 a2 00 a9 !...H.....#.`...
753bc290a0 20 6b 81 52 a0 59 09 94 60 0e 00 f9 1c e7 08 94 k.R.Y..`.......
753bc290b0 48 12 00 f0 08 21 28 91 60 22 02 a9 e0 6c 81 52 H....!(.`"...l.R
753bc290c0 99 59 09 94 60 1a 00 f9 17 e7 08 94 48 12 00 f0 .Y..`.......H...
753bc290d0 08 81 36 91 60 a2 03 a9 e0 6e 81 52 92 59 09 94 ..6.`....n.R.Y..
753bc290e0 60 26 00 f9 12 e7 08 94 68 12 00 90 08 41 08 91 `&......h....A..
753bc290f0 60 22 05 a9 e0 70 81 52 8b 59 09 94 60 32 00 f9 `"...p.R.Y..`2.. 0x1000 0x66073cb2
sub_22B6AC onEnter: 0x30aa1225
- 通过frida和解密出来的字符串,很多关键点都可以快速定位了
记得比较流水账,大佬们将就看。
发表于 2023-6-1 20:01
收藏
淘帖
有用
分享到朋友圈
