爱加密加固产品原理分析_定制版 - 我是小三

2022-4-9 07:43:0 Author: www.cnblogs.com(查看原文) 阅读量:22 收藏
一、背景
二、整体框架
三、SO保护壳分析
四、DEX保护壳分析
五、Native原理分析
六、总结

一、背景

最近朋友让我帮忙对他们银行APP进行黑盒分析,检测其安全性,探未知程序漏洞与安全性测试,提升业务整体安全能力,我拿到APP后进行安装抓包后发现都是加密传输的,用JEB进行反编译找数据组合的地方,发现APP用某加固了,所以有了此文。

二、整体框架

主要对DEX整体加密、DEX代码分离运行时解密还原,java方法native化,大致框架如下图2-1所示:

            图2-1

三、SO保护壳分析

3.1、so层壳流程分析

壳入口点:
LOAD:C5FD5960                               EXPORT .init_proc
LOAD:C5FD5960                               .init_proc
LOAD:C5FD5960
LOAD:C5FD5960                               var_4= -4
LOAD:C5FD5960
LOAD:C5FD5960 C0 46                         NOP
LOAD:C5FD5962 FF B5                         PUSH            {R0-R7,LR}
LOAD:C5FD5964 00 A1 18 39                   ADRL            R1, 0xC5FD5950
LOAD:C5FD5968 0D 1C                         MOVS            R5, R1
LOAD:C5FD596A 0C 68                         LDR             R4, [R1]      ; off_C5FD5950
LOAD:C5FD596C 2D 1B                         SUBS            R5, R5, R4
LOAD:C5FD596E 4B 68                         LDR             R3, [R1,#(off_C5FD5954 - 0xC5FD5950)] ; ijiami
LOAD:C5FD5970 5B 19                         ADDS            R3, R3, R5
LOAD:C5FD5972 08 93                         STR             R3, [SP,#0x24+var_4]
LOAD:C5FD5974 C8 68                         LDR             R0, [R1,#(off_C5FD595C - 0xC5FD5950)]
LOAD:C5FD5976 40 19                         ADDS            R0, R0, R5
LOAD:C5FD5976
LOAD:C5FD5978
LOAD:C5FD5978                               loc_C5FD5978                  ; CODE XREF: sub_C5FD59DE+C↓j
LOAD:C5FD5978 8B 68                         LDR             R3, [R1,#(dword_C5FD5958 - 0xC5FD5950)]
LOAD:C5FD597A 5B 19                         ADDS            R3, R3, R5
LOAD:C5FD597C 18 21                         MOVS            R1, #0x18
LOAD:C5FD597E 09 18                         ADDS            R1, R1, R0
LOAD:C5FD5980 08 B4                         PUSH            {R3}
LOAD:C5FD5982 82 B0                         SUB             SP, SP, #8
LOAD:C5FD5984 00 B5                         PUSH            {LR}          ; sub_C5FD6104
LOAD:C5FD5986 4C 68                         LDR             R4, [R1,#(loc_C5F927C4 - 0xC5F927C0)]
LOAD:C5FD5988 0C 31                         ADDS            R1, #0xC
LOAD:C5FD598A 09 19                         ADDS            R1, R1, R4
LOAD:C5FD598C 00 F0 A0 F9                   BL              sub_C5FD5CD0  ; dword_C601B200
LOAD:C5FD598C
LOAD:C5FD5990 03 05                         LSLS            R3, R0, #0x14
LOAD:C5FD5992 1B 0D                         LSRS            R3, R3, #0x14 ; x.35
LOAD:C5FD5994 E4 18                         ADDS            R4, R4, R3
LOAD:C5FD5996 04 34                         ADDS            R4, #4
LOAD:C5FD5998 10 B4                         PUSH            {R4}
LOAD:C5FD599A C0 1A                         SUBS            R0, R0, R3
LOAD:C5FD599C 01 B4                         PUSH            {R0}
LOAD:C5FD599E E4 1A                         SUBS            R4, R4, R3
LOAD:C5FD59A0 C0 18                         ADDS            R0, R0, R3    ; off_C6012420
LOAD:C5FD59A2 9B 08                         LSRS            R3, R3, #2
LOAD:C5FD59A4 08 B4                         PUSH            {R3}          ; y.36
LOAD:C5FD59A6 00 00                         MOVS            R0, R0
LOAD:C5FD59A8 00 F0 19 F8                   BL              sub_C5FD59DE
LOAD:C5FD59A8
LOAD:C5FD59AC 1B 06                         LSLS            R3, R3, #0x18
LOAD:C5FD59AE 89 08                         LSRS            R1, R1, #2
LOAD:C5FD59B0 1B 0E                         LSRS            R3, R3, #0x18
LOAD:C5FD59B2 89 00                         LSLS            R1, R1, #2
LOAD:C5FD59B4 50 2B                         CMP             R3, #0x50 ; 'P'
LOAD:C5FD59B6 11 D1                         BNE             locret_C5FD59DC
LOAD:C5FD59B6
LOAD:C5FD59B8 0E E0                         B               loc_C5FD59D8
LOAD:C5FD59B8
LOAD:C5FD59BA
LOAD:C5FD59BA                               loc_C5FD59BA                  ; CODE XREF: .init_proc+7A↓j
LOAD:C5FD59BA 04 39                         SUBS            R1, #4
LOAD:C5FD59BC 42 58                         LDR             R2, [R0,R1]
LOAD:C5FD59BE 13 01                         LSLS            R3, R2, #4
LOAD:C5FD59C0 1B 0F                         LSRS            R3, R3, #0x1C
LOAD:C5FD59C2 0B 2B                         CMP             R3, #0xB
LOAD:C5FD59C4 08 D1                         BNE             loc_C5FD59D8
LOAD:C5FD59C4
LOAD:C5FD59C6 89 08                         LSRS            R1, R1, #2
LOAD:C5FD59C8 53 1A                         SUBS            R3, R2, R1
LOAD:C5FD59CA 89 00                         LSLS            R1, R1, #2
LOAD:C5FD59CC 12 0E                         LSRS            R2, R2, #0x18
LOAD:C5FD59CE 1B 02                         LSLS            R3, R3, #8
LOAD:C5FD59D0 12 06                         LSLS            R2, R2, #0x18
LOAD:C5FD59D2 1B 0A                         LSRS            R3, R3, #8
LOAD:C5FD59D4 1A 43                         ORRS            R2, R3
LOAD:C5FD59D6 42 50                         STR             R2, [R0,R1]
LOAD:C5FD59D6
LOAD:C5FD59D8
LOAD:C5FD59D8                               loc_C5FD59D8                  ; CODE XREF: .init_proc+58↑j
LOAD:C5FD59D8                                                             ; .init_proc+64↑j
LOAD:C5FD59D8 00 29                         CMP             R1, #0
LOAD:C5FD59DA EE D1                         BNE             loc_C5FD59BA
LOAD:C5FD59DA
LOAD:C5FD59DC
LOAD:C5FD59DC                               locret_C5FD59DC               ; CODE XREF: .init_proc+56↑j
LOAD:C5FD59DC 70 47                         BX              LR            ; sub_C5FD6104

从壳入口点特征可以大致判断出是UPX,我尝试通过upx -d进行脱壳出现异常,修改特征为upx!还是不能正常脱壳,应该是被变异了,考虑通过IDA进行动态调试脱壳。

dump so

将断点断在linker中调用壳入口的地方,启动调试,如图3-1所示:

            图3-1

壳执行完成将解压完代码在内存中dump出来,如图3-1-2所示

            图3-1-2

3.2、so层壳脱壳与修复

修复Elf32_Off、修复shdr、修复phdr、修复重定位,如图3-2所示:

            图3-2

修复后可以正常反编译,代码有ollvm混淆,字符串加密,如图3-2-1所示:

            图3-2-1

四、DEX保护壳分析

4.1、Jni_onLoad

Jni_onLoad主要就是动态注册几个Native方法,代码如下:

jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  _BOOL4 v2; // r2
  int v3; // r4
  int v4; // r3
  int v5; // r3
  int v6; // r2

  v3 = 0;
  v4 = 0;
  if ( 2 * *y_21_ptr[0] > 191 )
    v3 = 1;
  if ( *y_21_ptr[0] > 9 )
    v4 = 1;
  v5 = v4 & ((*x_20_ptr[0] - 1) * *x_20_ptr[0]);
  v2 = (*x_20_ptr[0] ^ *y_21_ptr[0]) < 130;
  v6 = (v2 & v3 | v5) ^ 1 | v2 & v3 ^ v5;
  while ( v6 != 1 )
    ;
  return RegisterNatives_sub_5252C((int)vm, reserved);
}

int __fastcall RegisterNatives_sub_5252C(JNIEnv *a1)
{
  jclass v2; // r8
  int v3; // r5
  int v4; // r3
  void ***v5; // r5
  jclass v6; // r6
  int v7; // r0
  int v8; // r5
  int v9; // r6
  int v10; // r1
  int v11; // r3
  int v12; // r1
  int v13; // r1
  _BOOL4 v14; // r2
  _BOOL4 v15; // r6
  int v16; // r5
  int v17; // r1
  int v18; // r3
  int v19; // r2
  jclass v21; // r8
  __int64 v22; // r0
  int v23; // r6
  __int64 v24; // r2
  int v25; // r1
  int v26; // r0
  int v27; // r6
  int v28; // r3
  int v29; // r6
  int v30; // r6
  int v31; // r3
  int v32; // r2
  int v33; // r0
  int v34; // r0
  int v35; // r0
  const char *funcname; // [sp+4h] [bp-74h] BYREF
  int *v37; // [sp+8h] [bp-70h]
  int (__fastcall *v38)(int, int, int, int); // [sp+Ch] [bp-6Ch]
  void *v39; // [sp+10h] [bp-68h]
  int *v40; // [sp+14h] [bp-64h]
  int (__fastcall *v41)(int, int, int, int); // [sp+18h] [bp-60h]
  int v42; // [sp+1Ch] [bp-5Ch]
  int *v43; // [sp+20h] [bp-58h]
  int (*v44)(); // [sp+24h] [bp-54h]
  int *v45; // [sp+28h] [bp-50h]
  int *v46; // [sp+2Ch] [bp-4Ch]
  int (*v47)(); // [sp+30h] [bp-48h]
  const char *funcname_1; // [sp+34h] [bp-44h]
  int *v49; // [sp+38h] [bp-40h]
  bool (*v50)(); // [sp+3Ch] [bp-3Ch]
  int v51; // [sp+40h] [bp-38h]
  int v52; // [sp+44h] [bp-34h]
  int (*v53)(); // [sp+48h] [bp-30h]
  int v54; // [sp+4Ch] [bp-2Ch]
  int v55; // [sp+50h] [bp-28h]
  int (*v56)(int, int, int, int, int); // [sp+54h] [bp-24h]
  int v57; // [sp+58h] [bp-20h]

  v57 = *(_DWORD *)_stack_chk_guard_ptr;
  if ( !(_BYTE)dword_C532E1E0 )
    sub_C52A6FA8(10);
  sub_C52A75BC(a1);
  sub_C52D37F4(a1);
  v2 = (*a1)->FindClass(a1, *((_DWORD *)(*off_C5325018)[93] + 1));
  if ( !v2 )
  {
    v14 = (*y_239_ptr[0] ^ *x_238_ptr[0]) < 234;
    v15 = 8 * *y_239_ptr[0] > 268;
    v16 = v15 ^ v14;
    v17 = 0;
    v18 = 0;
    v19 = !v14 && !v15;
    if ( *y_239_ptr[0] < 10 )
      v17 = 1;
    if ( !((*x_238_ptr[0] * (*x_238_ptr[0] - 1)) << 31) )
      v18 = 1;
    while ( !(v17 | v18 | v19 | v16) )
      ;
    return 255;
  }
  v3 = 0;
  v4 = 0;
  if ( *y_239_ptr[0] < 137 )
    v3 = 1;
  if ( !(((*x_238_ptr[0] - 1) * *x_238_ptr[0]) << 31) )
    v4 = 1;
  while ( (v4 | ((*x_238_ptr[0] ^ *y_239_ptr[0]) > 7) | v3) != 1 )
    ;
  v5 = off_C5325018;
  v6 = (*a1)->FindClass(a1, *(_DWORD *)(*off_C5325018)[93]);
  (*((void (__fastcall **)(JNIEnv *))(*v5)[4] + 25))(a1);
  if ( v6 )
  {
    funcname = "l";
    v38 = l_sub_3EDA8;
    v39 = &unk_C531D5EA;
    v41 = r_sub_40E14;
    v42 = (int)&dword_C532A248 + 1;
    v37 = &dword_C532A1F0;
    v40 = &dword_C532A1F0;
    v43 = &dword_C532A1F0;
    v44 = ra_sub_41368;
    v45 = &dword_C532A24C;
    v46 = &dword_C532A250;
    v47 = b2b_sub_416B4;
    funcname_1 = "m";
    v49 = &dword_C532A258;
    v50 = m_sub_41700;
    v51 = (int)&dword_C532A26C + 3;
    v52 = (int)&dword_C532A270 + 2;
    v53 = sa_nullsub_1;
    v54 = (int)&dword_C532A298 + 2;
    v55 = (int)&dword_C532A29C + 1;
    v56 = al_sub_41750;
    v7 = (*a1)->RegisterNatives(a1, v2, (const JNINativeMethod *)&funcname, 7);
    v8 = 0;
    v9 = 0;
    v10 = *x_238_ptr[0];
    if ( *y_239_ptr[0] < 21 )
      v8 = 1;
    v11 = (*x_238_ptr[0] - 1) * v10;
    v12 = ((v10 ^ *y_239_ptr[0]) > 80) | v8;
    if ( !(v11 << 31) )
      v9 = 1;
    v13 = v12 | v9;
    while ( v13 != 1 )
      ;
    if ( v7 <= -1 )
      return 255;
  }
  else
  {
    funcname = "l";
    v38 = l_sub_3EDA8;
    v39 = &unk_C531D5EA;
    v41 = r_sub_40E14;
    v42 = (int)&dword_C532A248 + 1;
    v37 = &dword_C532A1F0;
    v40 = &dword_C532A1F0;
    v43 = &dword_C532A1F0;
    v44 = ra_sub_41368;
    v45 = &dword_C532A24C;
    v46 = &dword_C532A250;
    v47 = b2b_sub_416B4;
    funcname_1 = "m";
    v49 = &dword_C532A258;
    v50 = m_sub_41700;
    v51 = (int)&dword_C532A26C + 3;
    v52 = (int)&dword_C532A270 + 2;
    v53 = sa_nullsub_1;
    if ( (*a1)->RegisterNatives(a1, v2, (const JNINativeMethod *)&funcname, 6) < 0 )
      return 255;
    while ( (*x_238_ptr[0] ^ *y_239_ptr[0]) <= 31
         && 2 * *y_239_ptr[0] >= 286
         && *y_239_ptr[0] >= 10
         && ((*x_238_ptr[0] - 1) * *x_238_ptr[0]) << 31 != 0 )
      ;
  }
  v21 = (*a1)->FindClass(a1, (char *)&aRr9Pm + 2);
  HIDWORD(v22) = *y_239_ptr[0];
  LODWORD(v22) = 0;
  v23 = (int)*off_C5325018;
  if ( *y_239_ptr[0] > 9 )
    LODWORD(v22) = 1;
  if ( 16 * HIDWORD(v22) > 354 && (HIDWORD(v22) ^ *x_238_ptr[0]) <= 19 )
  {
    HIDWORD(v22) = (((unsigned __int8)*x_238_ptr[0] - 1) * (unsigned __int8)*x_238_ptr[0]) & 1;
    if ( (unsigned int)v22 == HIDWORD(v22) )
    {
      if ( v22 )
        goto LABEL_39;
    }
  }
  while ( 1 )
  {
    (*(void (__fastcall **)(JNIEnv *))(*(_DWORD *)(v23 + 0x10) + 100))(a1);
    LODWORD(v24) = 0;
    v25 = *y_239_ptr[0];
    v26 = *x_238_ptr[0];
    if ( *y_239_ptr[0] > 9 )
      LODWORD(v24) = 1;
    if ( 16 * v25 < 121 )
      break;
    if ( (v25 ^ v26) > 195 )
      break;
    HIDWORD(v24) = (((_BYTE)v26 - 1) * (_BYTE)v26) & 1;
    if ( (unsigned int)v24 != HIDWORD(v24) || !v24 )
      break;
LABEL_39:
    (*(void (__fastcall **)(JNIEnv *))(*(_DWORD *)(v23 + 0x10) + 100))(a1);
  }
  if ( !v21 )
    goto LABEL_47;
  funcname = (char *)&dword_C532A21C + 3;
  v37 = (int *)((char *)&dword_C532A220 + 2);
  v38 = (int (__fastcall *)(int, int, int, int))off_C5325374;
  if ( (*a1)->RegisterNatives(a1, v21, (const JNINativeMethod *)&funcname, 1) < 0 )
    return 255;
  v27 = 0;
  v28 = 0;
  v26 = *x_238_ptr[0];
  v25 = *y_239_ptr[0];
  if ( *y_239_ptr[0] < 366 )
    v27 = 1;
  v29 = v27 | ((*y_239_ptr[0] ^ *x_238_ptr[0]) > 185);
  if ( !((*x_238_ptr[0] * (*x_238_ptr[0] - 1)) << 31) )
    v28 = 1;
  while ( (v28 | v29) != 1 )
    ;
LABEL_47:
  v30 = 0;
  v31 = 0;
  v32 = v26 * (v26 - 1);
  v33 = v26 ^ v25;
  if ( v25 <= 294 )
    v30 = 1;
  v34 = (v33 > 137) | v30;
  if ( !(v32 << 31) )
    v31 = 1;
  v35 = v34 | v31;
  while ( !v35 )
    ;
  return 1;
}

注册的native方法:

l(Landroid/app/Application;Ljava/lang/String;)Z
r(Landroid/app/Application;Ljava/lang/String;)Z
ra(Landroid/app/Application;Ljava/lang/String;)Z
b2b([BI)[B
m(Ljava/lang/String;I)V
sa(Ljava/lang/String;Ljava/lang/String;)V
al(Ljava/lang/ClassLoader;Landroid/content/pm/ApplicationInfo;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/ClassLoader;

4.2、java层到native层

在壳的java层重写了android.app.AppComponentFactory类的几个关键方法,其中instantiateClassLoader是比较核心的,它最终会走到Native方法al中。

 @Override  // android.app.AppComponentFactory
    @TargetApi(29)
    public ClassLoader instantiateClassLoader(ClassLoader arg4, ApplicationInfo arg5) {
        if(!this.supportInstantiateClassLoader) {
            File v1 = new File(arg5.dataDir, "files");
            if(!v1.exists()) {
                v1.mkdirs();
            }

            S.p_solutePath = v1.getAbsolutePath();
            S.f_PackageCodePath = arg5.sourceDir;
            S.l(null);
            arg4 = N.al(arg4, arg5, this.packageName, this.orignAppName);  // 调用native方法
            arg5.className = this.orignAppName;
            this.supportInstantiateClassLoader = true;
        }

        if(S.l) {
            this.acf = this.getACF(arg4);
            return this.acf == null ? super.instantiateClassLoader(arg4, arg5) : this.acf.instantiateClassLoader(arg4, arg5);
        }

        return super.instantiateClassLoader(arg4, arg5);
    }

4.3、反调试

反射调用 isDebuggerConnected
.text&ARM.extab:C52C8060                               isDebuggerConnected_sub_C608A060
.text&ARM.extab:C52C8060                                                             ; CODE XREF: l_sub_3EDA8+33C↓p
.text&ARM.extab:C52C8060                                                             ; al_sub_41750+324↓p
.text&ARM.extab:C52C8060                                                             ; DATA XREF: l_sub_3EDA8+33A↓o
.text&ARM.extab:C52C8060                                                             ; al_sub_41750+322↓o
.text&ARM.extab:C52C8060                                                             ; .data:C5328140↓o
.text&ARM.extab:C52C8060
.text&ARM.extab:C52C8060                               var_18= -0x18
.text&ARM.extab:C52C8060                               var_C= -0xC
.text&ARM.extab:C52C8060
.text&ARM.extab:C52C8060                               ; __unwind {
.text&ARM.extab:C52C8060 80 B5                         PUSH            {R7,LR}
.text&ARM.extab:C52C8062 6F 46                         MOV             R7, SP
.text&ARM.extab:C52C8064 84 B0                         SUB             SP, SP, #0x10
.text&ARM.extab:C52C8066 28 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52C806E)
.text&ARM.extab:C52C8068 28 49                         LDR             R1, =(off_C5325018 - 0xC52C8072)
.text&ARM.extab:C52C806A 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52C806C 28 4A                         LDR             R2, =(aAndroidOsDebug - 0xC52C8078) ; "+\x1C\x10I\x1A1\fx3 o\x1B(&/(J"
.text&ARM.extab:C52C806E 79 44                         ADD             R1, PC        ; off_C5325018
.text&ARM.extab:C52C8070 28 4B                         LDR             R3, =(byte_C5328846 - 0xC52C807C)
.text&ARM.extab:C52C8072 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C8074 7A 44                         ADD             R2, PC        ; "+\x1C\x10I\x1A1\fx3 o\x1B(&/(J"
.text&ARM.extab:C52C8076 09 68                         LDR             R1, [R1]      ; off_C5326004
.text&ARM.extab:C52C8078 7B 44                         ADD             R3, PC        ; byte_C5328846
.text&ARM.extab:C52C807A 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C807C 03 90                         STR             R0, [SP,#0x18+var_C]
.text&ARM.extab:C52C807E 09 68                         LDR             R1, [R1]      ; off_C532DDC0
.text&ARM.extab:C52C8080 88 68                         LDR             R0, [R1,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52C8082 09 69                         LDR             R1, [R1,#(off_C532DDD0 - 0xC532DDC0)] ; off_C53266C4
.text&ARM.extab:C52C8084 D1 F8 38 C0                   LDR.W           R12, [R1,#0x38] ; CallStaticBooleanMethodV_isDebuggerConnected_sub_C609F484
.text&ARM.extab:C52C8088 23 49                         LDR             R1, =(aIsdebuggerconn - 0xC52C808E) ; "#\x010^\x17-\x0F09!\x030#*?,>\x17\x10;"
.text&ARM.extab:C52C808A 79 44                         ADD             R1, PC        ; "#\x010^\x17-\x0F09!\x030#*?,>\x17\x10;"
.text&ARM.extab:C52C808C 00 91                         STR             R1, [SP,#0x18+var_18]
.text&ARM.extab:C52C808E 79 1F                         SUBS            R1, R7, #5    ; isDebuggerConnected
.text&ARM.extab:C52C8090 E0 47                         BLX             R12           ; CallStaticBooleanMethodV
.text&ARM.extab:C52C8090
.text&ARM.extab:C52C8092 20 B1                         CBZ             R0, loc_C52C809E
.text&ARM.extab:C52C8092
.text&ARM.extab:C52C8094 17 F8 05 0C                   LDRB.W          R0, [R7,#-5]
.text&ARM.extab:C52C8098 08 B1                         CBZ             R0, loc_C52C809E
.text&ARM.extab:C52C8098
.text&ARM.extab:C52C809A 01 20                         MOVS            R0, #1
.text&ARM.extab:C52C809C 28 E0                         B               loc_C52C80F0

检测模拟器

.text&ARM.extab:C52C45A0                               check_qemu_anitdbg_sub_C60B05A0
.text&ARM.extab:C52C45A0
.text&ARM.extab:C52C45A0                               var_40= -0x40
.text&ARM.extab:C52C45A0                               var_38= -0x38
.text&ARM.extab:C52C45A0                               var_2C= -0x2C
.text&ARM.extab:C52C45A0                               var_28= -0x28
.text&ARM.extab:C52C45A0                               anonymous_0= -0x24
.text&ARM.extab:C52C45A0                               var_20= -0x20
.text&ARM.extab:C52C45A0
.text&ARM.extab:C52C45A0                               ; __unwind {
.text&ARM.extab:C52C45A0 F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52C45A2 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52C45A4 2D E9 00 0F                   PUSH.W          {R8-R11}
.text&ARM.extab:C52C45A8 89 B0                         SUB             SP, SP, #0x24
.text&ARM.extab:C52C45AA 80 46                         MOV             R8, R0
.text&ARM.extab:C52C45AC DF F8 E8 07                   LDR.W           R0, =(x.196_ptr - 0xC52C45BA)
.text&ARM.extab:C52C45B0 DF F8 E8 17                   LDR.W           R1, =(y.197_ptr - 0xC52C45C4)
.text&ARM.extab:C52C45B4 00 24                         MOVS            R4, #0
.text&ARM.extab:C52C45B6 78 44                         ADD             R0, PC        ; x.196_ptr
.text&ARM.extab:C52C45B8 DF F8 E4 27                   LDR.W           R2, =(__stack_chk_guard_ptr - 0xC52C45C8)
.text&ARM.extab:C52C45BC DF F8 E4 37                   LDR.W           R3, =(off_C5325018 - 0xC52C45CA)
.text&ARM.extab:C52C45C0 79 44                         ADD             R1, PC        ; y.197_ptr
.text&ARM.extab:C52C45C2 00 68                         LDR             R0, [R0]      ; x.196
.text&ARM.extab:C52C45C4 7A 44                         ADD             R2, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52C45C6 7B 44                         ADD             R3, PC        ; off_C5325018
.text&ARM.extab:C52C45C8 09 68                         LDR             R1, [R1]      ; y.197
.text&ARM.extab:C52C45CA 12 68                         LDR             R2, [R2]
.text&ARM.extab:C52C45CC 00 25                         MOVS            R5, #0
.text&ARM.extab:C52C45CE 06 68                         LDR             R6, [R0]
.text&ARM.extab:C52C45D0 18 68                         LDR             R0, [R3]      ; off_C5326004
.text&ARM.extab:C52C45D2 73 1E                         SUBS            R3, R6, #1
.text&ARM.extab:C52C45D4 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52C45D6 73 43                         MULS            R3, R6
.text&ARM.extab:C52C45D8 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C45DA 12 68                         LDR             R2, [R2]
.text&ARM.extab:C52C45DC 08 92                         STR             R2, [SP,#0x40+var_20]
.text&ARM.extab:C52C45DE 61 29                         CMP             R1, #0x61 ; 'a'
.text&ARM.extab:C52C45E0 81 EA 06 02                   EOR.W           R2, R1, R6
.text&ARM.extab:C52C45E4 C8 BF                         IT GT
.text&ARM.extab:C52C45E6 01 24                         MOVGT           R4, #1
.text&ARM.extab:C52C45E8 62 2A                         CMP             R2, #0x62 ; 'b'
.text&ARM.extab:C52C45EA 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52C45EE B8 BF                         IT LT
.text&ARM.extab:C52C45F0 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52C45F2 09 29                         CMP             R1, #9
.text&ARM.extab:C52C45F4 C8 BF                         IT GT
.text&ARM.extab:C52C45F6 01 25                         MOVGT           R5, #1
.text&ARM.extab:C52C45F8 26 40                         ANDS            R6, R4
.text&ARM.extab:C52C45FA 2B 40                         ANDS            R3, R5
.text&ARM.extab:C52C45FC 86 EA 03 05                   EOR.W           R5, R6, R3
.text&ARM.extab:C52C4600 1E 43                         ORRS            R6, R3
.text&ARM.extab:C52C4602 86 F0 01 06                   EOR.W           R6, R6, #1
.text&ARM.extab:C52C4606 2E 43                         ORRS            R6, R5
.text&ARM.extab:C52C4606
.text&ARM.extab:C52C4608 01 2E                         CMP             R6, #1
.text&ARM.extab:C52C460A FD D1                         BNE             loc_C52C4608
.text&ARM.extab:C52C460A
.text&ARM.extab:C52C460C 90 F8 7C 60                   LDRB.W          R6, [R0,#(dword_C532DE3C - 0xC532DDC0)]
.text&ARM.extab:C52C4610 00 2E                         CMP             R6, #0
.text&ARM.extab:C52C4612 00 F0 BD 80                   BEQ.W           loc_C52C4790
.text&ARM.extab:C52C4612
.text&ARM.extab:C52C4616 88 00                         LSLS            R0, R1, #2
.text&ARM.extab:C52C4618 16 28                         CMP             R0, #0x16
.text&ARM.extab:C52C461A 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52C461E 4F F0 00 01                   MOV.W           R1, #0
.text&ARM.extab:C52C4622 C8 BF                         IT GT
.text&ARM.extab:C52C4624 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52C4626 EA 2A                         CMP             R2, #0xEA
.text&ARM.extab:C52C4628 B8 BF                         IT LT
.text&ARM.extab:C52C462A 01 21                         MOVLT           R1, #1
.text&ARM.extab:C52C462C 08 40                         ANDS            R0, R1
.text&ARM.extab:C52C462E 98 42                         CMP             R0, R3
.text&ARM.extab:C52C4630 02 D1                         BNE             loc_C52C4638
.text&ARM.extab:C52C4630
.text&ARM.extab:C52C4632 18 43                         ORRS            R0, R3
.text&ARM.extab:C52C4634 40 F0 E0 80                   BNE.W           loc_C52C47F8
.text&ARM.extab:C52C4634
.text&ARM.extab:C52C4638
.text&ARM.extab:C52C4638                               loc_C52C4638 
.text&ARM.extab:C52C4638 DF F8 6C 17                   LDR.W           R1, =(aDevQemuPipe - 0xC52C4646) ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C463C 00 24                         MOVS            R4, #0
.text&ARM.extab:C52C463E DF F8 6C 07                   LDR.W           R0, =(aDevSocketQemud - 0xC52C4648) ; "e\x16\x11MZ+\a4764p<!7:.r"
.text&ARM.extab:C52C4642 79 44                         ADD             R1, PC        ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C4644 78 44                         ADD             R0, PC        ; "e\x16\x11MZ+\a4764p<!7:.r" ; name
.text&ARM.extab:C52C4646 CD E9 06 01                   STRD.W          R0, R1, [SP,#0x40+var_28]
.text&ARM.extab:C52C464A 00 21                         MOVS            R1, #0        ; type
.text&ARM.extab:C52C464C E1 F7 3A E9                   BLX             access        ; /dev/socket/qemud
.text&ARM.extab:C52C464C
.text&ARM.extab:C52C4650 01 30                         ADDS            R0, #1
.text&ARM.extab:C52C4652 00 F0 E6 80                   BEQ.W           loc_C52C4822
.text&ARM.extab:C52C4652
.text&ARM.extab:C52C4656
.text&ARM.extab:C52C4656                               loc_C52C4656  
.text&ARM.extab:C52C4656 4F F0 01 0C                   MOV.W           R12, #1
.text&ARM.extab:C52C4656
.text&ARM.extab:C52C465A
.text&ARM.extab:C52C465A                               loc_C52C465A 
.text&ARM.extab:C52C465A DF F8 54 07                   LDR.W           R0, =(x.196_ptr - 0xC52C4668)
.text&ARM.extab:C52C465E 00 25                         MOVS            R5, #0
.text&ARM.extab:C52C4660 DF F8 50 17                   LDR.W           R1, =(y.197_ptr - 0xC52C466A)
.text&ARM.extab:C52C4664 78 44                         ADD             R0, PC        ; x.196_ptr
.text&ARM.extab:C52C4666 79 44                         ADD             R1, PC        ; y.197_ptr
.text&ARM.extab:C52C4668 00 68                         LDR             R0, [R0]      ; x.196
.text&ARM.extab:C52C466A 09 68                         LDR             R1, [R1]      ; y.197
.text&ARM.extab:C52C466C 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C466E 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52C4670 42 1E                         SUBS            R2, R0, #1
.text&ARM.extab:C52C4672 81 EA 00 03                   EOR.W           R3, R1, R0
.text&ARM.extab:C52C4676 42 43                         MULS            R2, R0
.text&ARM.extab:C52C4678 13 2B                         CMP             R3, #0x13
.text&ARM.extab:C52C467A 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52C467E 4F EA 01 16                   MOV.W           R6, R1,LSL#4
.text&ARM.extab:C52C4682 C8 BF                         IT GT
.text&ARM.extab:C52C4684 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52C4686 B6 F5 B2 7F                   CMP.W           R6, #0x164
.text&ARM.extab:C52C468A 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52C468E D8 BF                         IT LE
.text&ARM.extab:C52C4690 01 26                         MOVLE           R6, #1
.text&ARM.extab:C52C4692 0A 29                         CMP             R1, #0xA
.text&ARM.extab:C52C4694 46 EA 00 06                   ORR.W           R6, R6, R0
.text&ARM.extab:C52C4698 B8 BF                         IT LT
.text&ARM.extab:C52C469A 01 25                         MOVLT           R5, #1
.text&ARM.extab:C52C469C 12 F0 01 02                   ANDS.W          R2, R2, #1
.text&ARM.extab:C52C46A0 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52C46A4 08 BF                         IT EQ
.text&ARM.extab:C52C46A6 01 20                         MOVEQ           R0, #1
.text&ARM.extab:C52C46A8 09 29                         CMP             R1, #9
.text&ARM.extab:C52C46AA C8 BF                         IT GT
.text&ARM.extab:C52C46AC 01 24                         MOVGT           R4, #1
.text&ARM.extab:C52C46AE 14 40                         ANDS            R4, R2
.text&ARM.extab:C52C46B0 94 EA 06 0F                   TEQ.W           R4, R6
.text&ARM.extab:C52C46B4 1E BF                         ITTT NE
.text&ARM.extab:C52C46B6 28 43                         ORRNE           R0, R5
.text&ARM.extab:C52C46B8 30 40                         ANDNE           R0, R6
.text&ARM.extab:C52C46BA 01 28                         CMPNE           R0, #1
.text&ARM.extab:C52C46BC 40 F0 9C 80                   BNE.W           loc_C52C47F8
.text&ARM.extab:C52C46BC
.text&ARM.extab:C52C46C0 E4 2B                         CMP             R3, #0xE4
.text&ARM.extab:C52C46C2 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52C46C6 4F EA 41 06                   MOV.W           R6, R1,LSL#1
.text&ARM.extab:C52C46CA C8 BF                         IT GT
.text&ARM.extab:C52C46CC 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52C46CE 86 2E                         CMP             R6, #0x86
.text&ARM.extab:C52C46D0 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52C46D4 B8 BF                         IT LT
.text&ARM.extab:C52C46D6 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52C46D8 00 20                         MOVS            R0, #0
.text&ARM.extab:C52C46DA 09 29                         CMP             R1, #9
.text&ARM.extab:C52C46DC C8 BF                         IT GT
.text&ARM.extab:C52C46DE 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52C46E0 00 2A                         CMP             R2, #0
.text&ARM.extab:C52C46E2 18 BF                         IT NE
.text&ARM.extab:C52C46E4 01 22                         MOVNE           R2, #1
.text&ARM.extab:C52C46E6 80 EA 02 01                   EOR.W           R1, R0, R2
.text&ARM.extab:C52C46EA 10 43                         ORRS            R0, R2
.text&ARM.extab:C52C46EC 80 F0 01 00                   EOR.W           R0, R0, #1
.text&ARM.extab:C52C46F0 33 43                         ORRS            R3, R6
.text&ARM.extab:C52C46F2 08 43                         ORRS            R0, R1
.text&ARM.extab:C52C46F4 18 43                         ORRS            R0, R3
.text&ARM.extab:C52C46F4
.text&ARM.extab:C52C46F6
.text&ARM.extab:C52C46F6                               loc_C52C46F6 
.text&ARM.extab:C52C46F6 01 28                         CMP             R0, #1
.text&ARM.extab:C52C46F8 FD D1                         BNE             loc_C52C46F6
.text&ARM.extab:C52C46F8
.text&ARM.extab:C52C46FA BC F1 00 0F                   CMP.W           R12, #0
.text&ARM.extab:C52C46FE 79 D1                         BNE             loc_C52C47F4
.text&ARM.extab:C52C46FE
.text&ARM.extab:C52C4700 DF F8 C0 06                   LDR.W           R0, =(aProcTtyDrivers - 0xC52C470C) ; "e\x02\x06T\x16w\x1C#%|$-$2?=9r"
.text&ARM.extab:C52C4704 DF F8 C0 16                   LDR.W           R1, =(aR - 0xC52C4712) ; "r"
.text&ARM.extab:C52C4708 78 44                         ADD             R0, PC        ; "e\x02\x06T\x16w\x1C#%|$-$2?=9r" ; filename
.text&ARM.extab:C52C470A CD F8 14 80                   STR.W           R8, [SP,#0x40+var_2C]
.text&ARM.extab:C52C470E 79 44                         ADD             R1, PC        ; "r" ; modes
.text&ARM.extab:C52C4710 E1 F7 BA E8                   BLX             fopen         ; /proc/tty/drivers
.text&ARM.extab:C52C4710
.text&ARM.extab:C52C4714 83 46                         MOV             R11, R0
.text&ARM.extab:C52C4716 BB F1 00 0F                   CMP.W           R11, #0
.text&ARM.extab:C52C471A 2F D0                         BEQ             loc_C52C477C
.text&ARM.extab:C52C471A
.text&ARM.extab:C52C471C 42 F2 94 00                   MOVW            R0, #0x2094   ; size
.text&ARM.extab:C52C4720 E1 F7 8E E8                   BLX             malloc
.text&ARM.extab:C52C4720
.text&ARM.extab:C52C4724 06 46                         MOV             R6, R0
.text&ARM.extab:C52C4726 42 F2 14 00                   MOVW            R0, #0x2014
.text&ARM.extab:C52C472A 06 EB 00 08                   ADD.W           R8, R6, R0
.text&ARM.extab:C52C472E 42 F2 04 00                   MOVW            R0, #0x2004
.text&ARM.extab:C52C4732 06 EB 00 09                   ADD.W           R9, R6, R0
.text&ARM.extab:C52C4736 06 F5 80 54                   ADD.W           R4, R6, #0x1000
.text&ARM.extab:C52C473A 06 F5 00 5A                   ADD.W           R10, R6, #0x2000
.text&ARM.extab:C52C473A
.text&ARM.extab:C52C473E
.text&ARM.extab:C52C473E                               loc_C52C473E                  ; CODE XREF: check_qemu_anitdbg_sub_C60B05A0+1CE↓j
.text&ARM.extab:C52C473E DF F8 24 17                   LDR.W           R1, =(byte_C532821D - 0xC52C474C)
.text&ARM.extab:C52C4742 58 46                         MOV             R0, R11       ; stream
.text&ARM.extab:C52C4744 32 46                         MOV             R2, R6
.text&ARM.extab:C52C4746 23 46                         MOV             R3, R4
.text&ARM.extab:C52C4748 79 44                         ADD             R1, PC        ; byte_C532821D ; format
.text&ARM.extab:C52C474A CD E9 00 A9                   STRD.W          R10, R9, [SP,#0x40+var_40]
.text&ARM.extab:C52C474E CD F8 08 80                   STR.W           R8, [SP,#0x40+var_38]
.text&ARM.extab:C52C4752 E1 F7 20 EA                   BLX             fscanf
.text&ARM.extab:C52C4752
.text&ARM.extab:C52C4756 DF F8 10 17                   LDR.W           R1, =(dword_C532822C - 0xC52C4766)
.text&ARM.extab:C52C475A 05 46                         MOV             R5, R0
.text&ARM.extab:C52C475C 30 46                         MOV             R0, R6        ; s1
.text&ARM.extab:C52C475E 4F F4 80 52                   MOV.W           R2, #0x1000   ; n
.text&ARM.extab:C52C4762 79 44                         ADD             R1, PC        ; dword_C532822C ; s2
.text&ARM.extab:C52C4764 E1 F7 78 E8                   BLX             strncmp
.text&ARM.extab:C52C4764
.text&ARM.extab:C52C4768 00 28                         CMP             R0, #0
.text&ARM.extab:C52C476A 43 D0                         BEQ             loc_C52C47F4
.text&ARM.extab:C52C476A
.text&ARM.extab:C52C476C 68 1C                         ADDS            R0, R5, #1
.text&ARM.extab:C52C476E E6 D1                         BNE             loc_C52C473E
.text&ARM.extab:C52C476E
.text&ARM.extab:C52C4770 30 46                         MOV             R0, R6        ; ptr
.text&ARM.extab:C52C4772 E1 F7 42 E8                   BLX             free
.text&ARM.extab:C52C4772
.text&ARM.extab:C52C4776 58 46                         MOV             R0, R11       ; stream
.text&ARM.extab:C52C4778 E1 F7 9E E8                   BLX             fclose
.text&ARM.extab:C52C4778
.text&ARM.extab:C52C477C
.text&ARM.extab:C52C477C                               loc_C52C477C 
.text&ARM.extab:C52C477C 01 F0 18 FB                   BL              check_qemu_sub_C60B1DB0
.text&ARM.extab:C52C477C
.text&ARM.extab:C52C4780 C0 BB                         CBNZ            R0, loc_C52C47F4
.text&ARM.extab:C52C4780
.text&ARM.extab:C52C4782 DF F8 48 06                   LDR.W           R0, =(off_C5325018 - 0xC52C478E)
.text&ARM.extab:C52C4786 DD F8 14 80                   LDR.W           R8, [SP,#0x40+var_2C]
.text&ARM.extab:C52C478A 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C478C 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52C478E 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C478E
.text&ARM.extab:C52C4790
.text&ARM.extab:C52C4790                               loc_C52C4790  
.text&ARM.extab:C52C4790 90 F8 FC 10                   LDRB.W          R1, [R0,#(dword_C532DEBC - 0xC532DDC0)]
.text&ARM.extab:C52C4794 00 29                         CMP             R1, #0
.text&ARM.extab:C52C4796 00 F0 90 82                   BEQ.W           loc_C52C4CBA
.text&ARM.extab:C52C4796
.text&ARM.extab:C52C479A DF F8 34 16                   LDR.W           R1, =(x.196_ptr - 0xC52C47A8)
.text&ARM.extab:C52C479E 00 26                         MOVS            R6, #0
.text&ARM.extab:C52C47A0 DF F8 30 26                   LDR.W           R2, =(y.197_ptr - 0xC52C47AA)
.text&ARM.extab:C52C47A4 79 44                         ADD             R1, PC        ; x.196_ptr
.text&ARM.extab:C52C47A6 7A 44                         ADD             R2, PC        ; y.197_ptr
.text&ARM.extab:C52C47A8 09 68                         LDR             R1, [R1]      ; x.196
.text&ARM.extab:C52C47AA 12 68                         LDR             R2, [R2]      ; y.197
.text&ARM.extab:C52C47AC 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52C47AE 12 68                         LDR             R2, [R2]
.text&ARM.extab:C52C47B0 4B 1E                         SUBS            R3, R1, #1
.text&ARM.extab:C52C47B2 4B 43                         MULS            R3, R1
.text&ARM.extab:C52C47B4 51 40                         EORS            R1, R2
.text&ARM.extab:C52C47B6 92 29                         CMP             R1, #0x92
.text&ARM.extab:C52C47B8 4F F0 00 01                   MOV.W           R1, #0
.text&ARM.extab:C52C47BC 4F EA C2 05                   MOV.W           R5, R2,LSL#3
.text&ARM.extab:C52C47C0 C8 BF                         IT GT
.text&ARM.extab:C52C47C2 01 21                         MOVGT           R1, #1
.text&ARM.extab:C52C47C4 B5 F5 E4 7F                   CMP.W           R5, #0x1C8
.text&ARM.extab:C52C47C8 4F F0 00 05                   MOV.W           R5, #0
.text&ARM.extab:C52C47CC B8 BF                         IT LT
.text&ARM.extab:C52C47CE 01 25                         MOVLT           R5, #1
.text&ARM.extab:C52C47D0 0A 2A                         CMP             R2, #0xA
.text&ARM.extab:C52C47D2 4F F0 00 02                   MOV.W           R2, #0
.text&ARM.extab:C52C47D6 41 EA 05 01                   ORR.W           R1, R1, R5
.text&ARM.extab:C52C47DA B8 BF                         IT LT
.text&ARM.extab:C52C47DC 01 22                         MOVLT           R2, #1
.text&ARM.extab:C52C47DE DB 07                         LSLS            R3, R3, #0x1F
.text&ARM.extab:C52C47E0 08 BF                         IT EQ
.text&ARM.extab:C52C47E2 01 26                         MOVEQ           R6, #1
.text&ARM.extab:C52C47E4 32 43                         ORRS            R2, R6
.text&ARM.extab:C52C47E6 11 43                         ORRS            R1, R2
.text&ARM.extab:C52C47E6
.text&ARM.extab:C52C47E8
.text&ARM.extab:C52C47E8                               loc_C52C47E8 
.text&ARM.extab:C52C47E8 01 29                         CMP             R1, #1
.text&ARM.extab:C52C47EA FD D1                         BNE             loc_C52C47E8
.text&ARM.extab:C52C47EA
.text&ARM.extab:C52C47EC 80 6B                         LDR             R0, [R0,#(off_C532DDF8 - 0xC532DDC0)] ; off_C532812C
.text&ARM.extab:C52C47EE 40 6A                         LDR             R0, [R0,#0x24] ; sub_C52C9AF8
.text&ARM.extab:C52C47F0 80 47                         BLX             R0
.text&ARM.extab:C52C47F0
.text&ARM.extab:C52C47F2 30 B3                         CBZ             R0, loc_C52C4842
.text&ARM.extab:C52C47F2
.text&ARM.extab:C52C47F4
.text&ARM.extab:C52C47F4                               loc_C52C47F4
.text&ARM.extab:C52C47F4 01 20                         MOVS            R0, #1
.text&ARM.extab:C52C47F6 C1 E2                         B               loc_C52C4D7C
.text&ARM.extab:C52C47F6
.text&ARM.extab:C52C47F8
.text&ARM.extab:C52C47F8                               loc_C52C47F8 
.text&ARM.extab:C52C47F8 DF F8 BC 15                   LDR.W           R1, =(aDevQemuPipe - 0xC52C4804) ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C47FC DF F8 BC 05                   LDR.W           R0, =(aDevSocketQemud - 0xC52C4806) ; "e\x16\x11MZ+\a4764p<!7:.r"
.text&ARM.extab:C52C4800 79 44                         ADD             R1, PC        ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C4802 78 44                         ADD             R0, PC        ; "e\x16\x11MZ+\a4764p<!7:.r" ; name
.text&ARM.extab:C52C4804 CD E9 06 01                   STRD.W          R0, R1, [SP,#0x40+var_28]
.text&ARM.extab:C52C4808 00 21                         MOVS            R1, #0        ; type
.text&ARM.extab:C52C480A E1 F7 5C E8                   BLX             access
.text&ARM.extab:C52C480A
.text&ARM.extab:C52C480E 01 30                         ADDS            R0, #1
.text&ARM.extab:C52C4810 7F F4 12 AF                   BNE.W           loc_C52C4638
.text&ARM.extab:C52C4810
.text&ARM.extab:C52C4814 DF F8 A8 05                   LDR.W           R0, =(aDevQemuPipe - 0xC52C481E) ; "e\x16\x11MZ)\r:)\f06=!Z"
.text&ARM.extab:C52C4818 00 21                         MOVS            R1, #0        ; type
.text&ARM.extab:C52C481A 78 44                         ADD             R0, PC        ; "e\x16\x11MZ)\r:)\f06=!Z" ; name
.text&ARM.extab:C52C481C E1 F7 52 E8                   BLX             access
.text&ARM.extab:C52C481C
.text&ARM.extab:C52C4820 0A E7                         B               loc_C52C4638
.text&ARM.extab:C52C4820
.text&ARM.extab:C52C4822
.text&ARM.extab:C52C4822                               loc_C52C4822   
.text&ARM.extab:C52C4822 06 AE                         ADD             R6, SP, #0x40+var_28
.text&ARM.extab:C52C4824 01 25                         MOVS            R5, #1
.text&ARM.extab:C52C4824
.text&ARM.extab:C52C4826
.text&ARM.extab:C52C4826                               loc_C52C4826 
.text&ARM.extab:C52C4826 01 2D                         CMP             R5, #1
.text&ARM.extab:C52C4828 08 D8                         BHI             loc_C52C483C
.text&ARM.extab:C52C4828
.text&ARM.extab:C52C482A 56 F8 25 00                   LDR.W           R0, [R6,R5,LSL#2] ; name
.text&ARM.extab:C52C482E 00 21                         MOVS            R1, #0        ; type
.text&ARM.extab:C52C4830 E1 F7 48 E8                   BLX             access        ; /dev/qemu_pipe
.text&ARM.extab:C52C4830
.text&ARM.extab:C52C4834 01 35                         ADDS            R5, #1
.text&ARM.extab:C52C4836 01 30                         ADDS            R0, #1
.text&ARM.extab:C52C4838 F5 D0                         BEQ             loc_C52C4826
.text&ARM.extab:C52C4838

检测特征:

init.svc.qemud
init.svc.qemu-props
qemu.hw.mainkeys
qemu.sf.fake_camera
qemu.sf.lcd_density
ro.bootloader
ro.bootmode

检测脱壳机与frida

.text&ARM.extab:C52C60B8                               check_frida_Youpk_sub_C60B20B8
.text&ARM.extab:C52C60B8
.text&ARM.extab:C52C60B8                               var_9C= -0x9C
.text&ARM.extab:C52C60B8                               var_98= -0x98
.text&ARM.extab:C52C60B8                               var_14= -0x14
.text&ARM.extab:C52C60B8
.text&ARM.extab:C52C60B8                               ; __unwind {
.text&ARM.extab:C52C60B8 F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52C60BA 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52C60BC 4D F8 04 BD                   PUSH.W          {R11}
.text&ARM.extab:C52C60C0 A4 B0                         SUB             SP, SP, #0x90
.text&ARM.extab:C52C60C2 98 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52C60CE)
.text&ARM.extab:C52C60C4 00 22                         MOVS            R2, #0
.text&ARM.extab:C52C60C6 98 49                         LDR             R1, =(aDataDexname - 0xC52C60D0) ; "e\x16\x15O\x14w\f2$=!2(D"
.text&ARM.extab:C52C60C8 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C60CA 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52C60CC 79 44                         ADD             R1, PC        ; "e\x16\x15O\x14w\f2$=!2(D"
.text&ARM.extab:C52C60CE 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C60D0 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C60D2 23 90                         STR             R0, [SP,#0xA0+var_14]
.text&ARM.extab:C52C60D4 6F F0 63 00                   MOV             R0, #0xFFFFFF9C
.text&ARM.extab:C52C60D8 80 B4                         PUSH            {R7}
.text&ARM.extab:C52C60DA 40 F2 4E 17                   MOVW            R7, #0x14E    ; __NR_faccessat
.text&ARM.extab:C52C60DE 00 DF                         SVC             0
.text&ARM.extab:C52C60E0 80 BC                         POP             {R7}
.text&ARM.extab:C52C60E2 10 F5 80 5F                   CMN.W           R0, #0x1000
.text&ARM.extab:C52C60E6 15 D9                         BLS             loc_C52C6114
.text&ARM.extab:C52C60E6
.text&ARM.extab:C52C60E8 90 49                         LDR             R1, =(off_C5325018 - 0xC52C60F0)
.text&ARM.extab:C52C60EA 45 42                         NEGS            R5, R0
.text&ARM.extab:C52C60EC 79 44                         ADD             R1, PC        ; off_C5325018
.text&ARM.extab:C52C60EE 0E 68                         LDR             R6, [R1]      ; off_C5326004
.text&ARM.extab:C52C60F0 DF F7 1E EC                   BLX             __errno
.text&ARM.extab:C52C60F0
.text&ARM.extab:C52C60F4 04 46                         MOV             R4, R0
.text&ARM.extab:C52C60F6 8E 49                         LDR             R1, =(aCnYoulorUnpack - 0xC52C6100) ; ")\x1C[B\x1A-\x048.|\x151=%9$/\x00t"
.text&ARM.extab:C52C60F8 25 60                         STR             R5, [R4]
.text&ARM.extab:C52C60FA 30 68                         LDR             R0, [R6]      ; off_C532DDC0
.text&ARM.extab:C52C60FC 79 44                         ADD             R1, PC        ; ")\x1C[B\x1A-\x048.|\x151=%9$/\x00t"
.text&ARM.extab:C52C60FE 80 68                         LDR             R0, [R0,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52C6100 02 68                         LDR             R2, [R0]
.text&ARM.extab:C52C6102 92 69                         LDR             R2, [R2,#0x18]
.text&ARM.extab:C52C6104 90 47                         BLX             R2
.text&ARM.extab:C52C6104
.text&ARM.extab:C52C6106 31 68                         LDR             R1, [R6]      ; off_C532DDC0
.text&ARM.extab:C52C6108 05 46                         MOV             R5, R0
.text&ARM.extab:C52C610A 88 68                         LDR             R0, [R1,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52C610C 09 69                         LDR             R1, [R1,#(off_C532DDD0 - 0xC532DDC0)] ; off_C53266C4
.text&ARM.extab:C52C610E 49 6E                         LDR             R1, [R1,#0x64] ; ExceptionClear_sub_C609E948
.text&ARM.extab:C52C6110 88 47                         BLX             R1            ; off_C5323DD0
.text&ARM.extab:C52C6110
.text&ARM.extab:C52C6112 75 B1                         CBZ             R5, loc_C52C6132
.text&ARM.extab:C52C6112
.text&ARM.extab:C52C6114
.text&ARM.extab:C52C6114 01 25                         MOVS            R5, #1
.text&ARM.extab:C52C6114
.text&ARM.extab:C52C6116
.text&ARM.extab:C52C6116                               loc_C52C6116                  ; CODE XREF: check_frida_Youpk_sub_C60B20B8+9C↓j
.text&ARM.extab:C52C6116                                                             ; check_frida_Youpk_sub_C60B20B8+BA↓j
.text&ARM.extab:C52C6116                                                             ; check_frida_Youpk_sub_C60B20B8+26A↓j
.text&ARM.extab:C52C6116 A1 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52C611E)
.text&ARM.extab:C52C6118 23 99                         LDR             R1, [SP,#0xA0+var_14]
.text&ARM.extab:C52C611A 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52C611C 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C611E 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C6120 40 1A                         SUBS            R0, R0, R1
.text&ARM.extab:C52C6122 01 BF                         ITTTT EQ
.text&ARM.extab:C52C6124 28 46                         MOVEQ           R0, R5
.text&ARM.extab:C52C6126 24 B0                         ADDEQ           SP, SP, #0x90
.text&ARM.extab:C52C6128 5D F8 04 BB                   POPEQ.W         {R11}
.text&ARM.extab:C52C612C F0 BD                         POPEQ           {R4-R7,PC}
.text&ARM.extab:C52C612C
.text&ARM.extab:C52C612E DF F7 6A EB                   BLX             __stack_chk_fail
.text&ARM.extab:C52C612E
.text&ARM.extab:C52C6132 
.text&ARM.extab:C52C6132
.text&ARM.extab:C52C6132                               loc_C52C6132                  ; CODE XREF: check_frida_Youpk_sub_C60B20B8+5A↑j
.text&ARM.extab:C52C6132 80 48                         LDR             R0, =(off_C5325018 - 0xC52C6138)
.text&ARM.extab:C52C6134 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C6136 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52C6138 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C613A 41 6F                         LDR             R1, [R0,#(dword_C532DE34 - 0xC532DDC0)]
.text&ARM.extab:C52C613C 18 29                         CMP             R1, #0x18
.text&ARM.extab:C52C613E 19 DB                         BLT             loc_C52C6174
.text&ARM.extab:C52C613E
.text&ARM.extab:C52C6140 00 68                         LDR             R0, [R0]      ; off_C5326504
.text&ARM.extab:C52C6142 01 22                         MOVS            R2, #1
.text&ARM.extab:C52C6144 7D 49                         LDR             R1, =(_ZN3art8Unpacker12dumpAllDexesEv - 0xC52C614E) ; "\x15(:\b\x14*\x1Co\t=0>./?={@\x10N\x18("...
.text&ARM.extab:C52C6146 01 25                         MOVS            R5, #1
.text&ARM.extab:C52C6148 C3 68                         LDR             R3, [R0,#0xC] ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C614A 79 44                         ADD             R1, PC        ; "\x15(:\b\x14*\x1Co\t=0>./?={@\x10N\x18("...
.text&ARM.extab:C52C614C 7A 48                         LDR             R0, =(byte_C5328177 - 0xC52C6152)
.text&ARM.extab:C52C614E 78 44                         ADD             R0, PC        ; byte_C5328177
.text&ARM.extab:C52C6150 98 47                         BLX             R3            ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C6150
.text&ARM.extab:C52C6152 00 28                         CMP             R0, #0
.text&ARM.extab:C52C6154 DF D1                         BNE             loc_C52C6116
.text&ARM.extab:C52C6154
.text&ARM.extab:C52C6156 7A 48                         LDR             R0, =(off_C5325018 - 0xC52C6162)
.text&ARM.extab:C52C6158 01 22                         MOVS            R2, #1
.text&ARM.extab:C52C615A 7B 49                         LDR             R1, =(aZn3art4aupk13a - 0xC52C6164) ; "\x15(:\b\x14*\x1Cc\x1D&04|w;::\x195I"...
.text&ARM.extab:C52C615C 01 25                         MOVS            R5, #1
.text&ARM.extab:C52C615E 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C6160 79 44                         ADD             R1, PC        ; "\x15(:\b\x14*\x1Cc\x1D&04|w;::\x195I"...
.text&ARM.extab:C52C6162 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52C6164 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C6166 00 68                         LDR             R0, [R0]      ; off_C5326504
.text&ARM.extab:C52C6168 C3 68                         LDR             R3, [R0,#0xC] ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C616A 76 48                         LDR             R0, =(byte_C5328177 - 0xC52C6170)
.text&ARM.extab:C52C616C 78 44                         ADD             R0, PC        ; byte_C5328177
.text&ARM.extab:C52C616E 98 47                         BLX             R3            ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C616E
.text&ARM.extab:C52C6170 00 28                         CMP             R0, #0
.text&ARM.extab:C52C6172 D0 D1                         BNE             loc_C52C6116
.text&ARM.extab:C52C6172
.text&ARM.extab:C52C6174
.text&ARM.extab:C52C6174                               loc_C52C6174   
.text&ARM.extab:C52C6174 75 49                         LDR             R1, =(aDataLocalTmpUn - 0xC52C6182) ; "e\x16\x15O\x14w\x048?2,p9)*`?\x1C\x04Z"...
.text&ARM.extab:C52C6176 6F F0 63 00                   MOV             R0, #0xFFFFFF9C
.text&ARM.extab:C52C617A 00 22                         MOVS            R2, #0
.text&ARM.extab:C52C617C 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C617E 79 44                         ADD             R1, PC        ; "e\x16\x15O\x14w\x048?2,p9)*`?\x1C\x04Z"...
.text&ARM.extab:C52C6180 4F F2 00 05 CF F6 FF 75       MOV             R5, #0xFFFFF000
.text&ARM.extab:C52C6188 80 B4                         PUSH            {R7}
.text&ARM.extab:C52C618A 40 F2 4E 17                   MOVW            R7, #0x14E    ; __NR_faccessat
.text&ARM.extab:C52C618E 00 DF                         SVC             0             ; /data/local/tmp/unpacker.config
.text&ARM.extab:C52C6190 80 BC                         POP             {R7}
.text&ARM.extab:C52C6192 A8 42                         CMP             R0, R5
.text&ARM.extab:C52C6194 BE D9                         BLS             loc_C52C6114
.text&ARM.extab:C52C6194
.text&ARM.extab:C52C6196 6E 49                         LDR             R1, =(aDataLocalTmpAu - 0xC52C61A4) ; "e\x16\x15O\x14w\x048?2,p9)*`+\a\x04P[;"...
.text&ARM.extab:C52C6198 40 42                         NEGS            R0, R0
.text&ARM.extab:C52C619A 20 60                         STR             R0, [R4]
.text&ARM.extab:C52C619C 6F F0 63 00                   MOV             R0, #0xFFFFFF9C
.text&ARM.extab:C52C61A0 79 44                         ADD             R1, PC        ; "e\x16\x15O\x14w\x048?2,p9)*`+\a\x04P[;"...
.text&ARM.extab:C52C61A2 00 22                         MOVS            R2, #0
.text&ARM.extab:C52C61A4 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C61A6 80 B4                         PUSH            {R7}
.text&ARM.extab:C52C61A8 40 F2 4E 17                   MOVW            R7, #0x14E    ; __NR_faccessat
.text&ARM.extab:C52C61AC 00 DF                         SVC             0             ; /data/local/tmp/aupk.config
.text&ARM.extab:C52C61AE 80 BC                         POP             {R7}
.text&ARM.extab:C52C61B0 A8 42                         CMP             R0, R5
.text&ARM.extab:C52C61B2 AF D9                         BLS             loc_C52C6114
.text&ARM.extab:C52C61B2
.text&ARM.extab:C52C61B4 67 49                         LDR             R1, =(aDataFart - 0xC52C61C2) ; "e\x16\x15O\x14w\x0E6.'@"
.text&ARM.extab:C52C61B6 40 42                         NEGS            R0, R0
.text&ARM.extab:C52C61B8 20 60                         STR             R0, [R4]
.text&ARM.extab:C52C61BA 6F F0 63 00                   MOV             R0, #0xFFFFFF9C
.text&ARM.extab:C52C61BE 79 44                         ADD             R1, PC        ; "e\x16\x15O\x14w\x0E6.'@"
.text&ARM.extab:C52C61C0 00 22                         MOVS            R2, #0
.text&ARM.extab:C52C61C2 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C61C4 80 B4                         PUSH            {R7}
.text&ARM.extab:C52C61C6 40 F2 4E 17                   MOVW            R7, #0x14E    ; __NR_faccessat
.text&ARM.extab:C52C61CA 00 DF                         SVC             0             ; /data/fart
.text&ARM.extab:C52C61CC 80 BC                         POP             {R7}
.text&ARM.extab:C52C61CE A8 42                         CMP             R0, R5
.text&ARM.extab:C52C61D0 A0 D9                         BLS             loc_C52C6114
.text&ARM.extab:C52C61D0
.text&ARM.extab:C52C61D2 61 4A                         LDR             R2, =(aDataLocalTmpRe - 0xC52C61DC) ; "e\x16\x15O\x14w\x048?2,p9)*`8\x17Z]\a1"...
.text&ARM.extab:C52C61D4 40 42                         NEGS            R0, R0
.text&ARM.extab:C52C61D6 61 49                         LDR             R1, =(aReFridaServer - 0xC52C61E0) ; "8\x17Z]\a1\f6r %-;!(O"
.text&ARM.extab:C52C61D8 7A 44                         ADD             R2, PC        ; "e\x16\x15O\x14w\x048?2,p9)*`8\x17Z]\a1"...
.text&ARM.extab:C52C61DA 20 60                         STR             R0, [R4]
.text&ARM.extab:C52C61DC 79 44                         ADD             R1, PC        ; "8\x17Z]\a1\f6r %-;!(O" ; needle
.text&ARM.extab:C52C61DE 10 46                         MOV             R0, R2        ; haystack
.text&ARM.extab:C52C61E0 DF F7 5E EB                   BLX             strstr
.text&ARM.extab:C52C61E0
.text&ARM.extab:C52C61E4 00 28                         CMP             R0, #0
.text&ARM.extab:C52C61E6 95 D0                         BEQ             loc_C52C6114
.text&ARM.extab:C52C61E6
.text&ARM.extab:C52C61E8 5D 48                         LDR             R0, =(off_C5325018 - 0xC52C61EE)
.text&ARM.extab:C52C61EA 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C61EC 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52C61EE 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C61F0 41 6F                         LDR             R1, [R0,#(dword_C532DE34 - 0xC532DDC0)]
.text&ARM.extab:C52C61F2 18 29                         CMP             R1, #0x18
.text&ARM.extab:C52C61F4 08 DB                         BLT             loc_C52C6208
.text&ARM.extab:C52C61F4
.text&ARM.extab:C52C61F6 00 68                         LDR             R0, [R0]      ; off_C5326504
.text&ARM.extab:C52C61F8 00 22                         MOVS            R2, #0
.text&ARM.extab:C52C61FA 5D 49                         LDR             R1, =(myfartInvoke - 0xC52C6202) ; "'\v\x12Z\a,!9*<+:M"
.text&ARM.extab:C52C61FC C3 68                         LDR             R3, [R0,#0xC] ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C61FE 79 44                         ADD             R1, PC        ; "'\v\x12Z\a,!9*<+:M"
.text&ARM.extab:C52C6200 5A 48                         LDR             R0, =(byte_C5328177 - 0xC52C6206)
.text&ARM.extab:C52C6202 78 44                         ADD             R0, PC        ; byte_C5328177
.text&ARM.extab:C52C6204 98 47                         BLX             R3            ; Find_Func_sub_C60985B8
.text&ARM.extab:C52C6204
.text&ARM.extab:C52C6206 09 E0                         B               loc_C52C621C
.text&ARM.extab:C52C6206
.text&ARM.extab:C52C6208 
.text&ARM.extab:C52C6208
.text&ARM.extab:C52C6208                               loc_C52C6208 
.text&ARM.extab:C52C6208 56 48                         LDR             R0, =(byte_C5328177 - 0xC52C6210)
.text&ARM.extab:C52C620A 00 21                         MOVS            R1, #0        ; mode
.text&ARM.extab:C52C620C 78 44                         ADD             R0, PC        ; byte_C5328177 ; file
.text&ARM.extab:C52C620E DF F7 0C EB                   BLX             dlopen
.text&ARM.extab:C52C620E
.text&ARM.extab:C52C6212 30 B1                         CBZ             R0, loc_C52C6222
.text&ARM.extab:C52C6212
.text&ARM.extab:C52C6214 54 49                         LDR             R1, =(myfartInvoke - 0xC52C621A) ; "'\v\x12Z\a,!9*<+:M"
.text&ARM.extab:C52C6216 79 44                         ADD             R1, PC        ; "'\v\x12Z\a,!9*<+:M" ; name
.text&ARM.extab:C52C6218 DF F7 0C EB                   BLX             dlsym
.text&ARM.extab:C52C6218
.text&ARM.extab:C52C621C
.text&ARM.extab:C52C621C                               loc_C52C621C 
.text&ARM.extab:C52C621C 00 28                         CMP             R0, #0
.text&ARM.extab:C52C621E 7F F4 79 AF                   BNE.W           loc_C52C6114
.text&ARM.extab:C52C621E
.text&ARM.extab:C52C6222
.text&ARM.extab:C52C6222                               loc_C52C6222
.text&ARM.extab:C52C6222 54 48                         LDR             R0, =(off_C5325018 - 0xC52C6228)
.text&ARM.extab:C52C6224 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C6226 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52C6228 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C622A 90 F8 FA 10                   LDRB.W          R1, [R0,#(dword_C532DEB8+2 - 0xC532DDC0)]
.text&ARM.extab:C52C622E 00 29                         CMP             R1, #0
.text&ARM.extab:C52C6230 6D D0                         BEQ             loc_C52C630E
.text&ARM.extab:C52C6230
.text&ARM.extab:C52C6232 02 A8                         ADD             R0, SP, #0xA0+var_98
.text&ARM.extab:C52C6234 80 21                         MOVS            R1, #0x80
.text&ARM.extab:C52C6236 DF F7 CE EA                   BLX             __aeabi_memclr8
.text&ARM.extab:C52C6236
.text&ARM.extab:C52C623A 4F 48                         LDR             R0, =(x.216_ptr - 0xC52C6246)
.text&ARM.extab:C52C623C 00 26                         MOVS            R6, #0
.text&ARM.extab:C52C623E 4F 49                         LDR             R1, =(y.217_ptr - 0xC52C6248)
.text&ARM.extab:C52C6240 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C6242 78 44                         ADD             R0, PC        ; x.216_ptr
.text&ARM.extab:C52C6244 79 44                         ADD             R1, PC        ; y.217_ptr
.text&ARM.extab:C52C6246 00 68                         LDR             R0, [R0]      ; x.216
.text&ARM.extab:C52C6248 09 68                         LDR             R1, [R1]      ; y.217
.text&ARM.extab:C52C624A 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C624C 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52C624E 42 1E                         SUBS            R2, R0, #1
.text&ARM.extab:C52C6250 09 29                         CMP             R1, #9
.text&ARM.extab:C52C6252 C8 BF                         IT GT
.text&ARM.extab:C52C6254 01 26                         MOVGT           R6, #1
.text&ARM.extab:C52C6256 42 43                         MULS            R2, R0
.text&ARM.extab:C52C6258 48 40                         EORS            R0, R1
.text&ARM.extab:C52C625A 67 28                         CMP             R0, #0x67 ; 'g'
.text&ARM.extab:C52C625C 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52C6260 4F EA 01 11                   MOV.W           R1, R1,LSL#4
.text&ARM.extab:C52C6264 C8 BF                         IT GT
.text&ARM.extab:C52C6266 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52C6268 B1 F5 AF 7F                   CMP.W           R1, #0x15E
.text&ARM.extab:C52C626C D8 BF                         IT LE
.text&ARM.extab:C52C626E 01 23                         MOVLE           R3, #1
.text&ARM.extab:C52C6270 02 F0 01 02                   AND.W           R2, R2, #1
.text&ARM.extab:C52C6274 18 43                         ORRS            R0, R3
.text&ARM.extab:C52C6276 86 EA 02 05                   EOR.W           R5, R6, R2
.text&ARM.extab:C52C627A 32 43                         ORRS            R2, R6
.text&ARM.extab:C52C627C 82 F0 01 02                   EOR.W           R2, R2, #1
.text&ARM.extab:C52C6280 2A 43                         ORRS            R2, R5
.text&ARM.extab:C52C6282 10 43                         ORRS            R0, R2
.text&ARM.extab:C52C6282
.text&ARM.extab:C52C6284
.text&ARM.extab:C52C6284                               loc_C52C6284 
.text&ARM.extab:C52C6284 01 28                         CMP             R0, #1
.text&ARM.extab:C52C6286 FD D1                         BNE             loc_C52C6284
.text&ARM.extab:C52C6286
.text&ARM.extab:C52C6288 3D 48                         LDR             R0, =(unk_C53284EF - 0xC52C6290)
.text&ARM.extab:C52C628A 02 A9                         ADD             R1, SP, #0xA0+var_98
.text&ARM.extab:C52C628C 78 44                         ADD             R0, PC        ; unk_C53284EF
.text&ARM.extab:C52C628E FF F7 51 FE                   BL              system_property_get_sub_C60B1F34
.text&ARM.extab:C52C628E
.text&ARM.extab:C52C6292 3C 49                         LDR             R1, =(x.216_ptr - 0xC52C629C)
.text&ARM.extab:C52C6294 00 26                         MOVS            R6, #0
.text&ARM.extab:C52C6296 3C 4A                         LDR             R2, =(y.217_ptr - 0xC52C629E)
.text&ARM.extab:C52C6298 79 44                         ADD             R1, PC        ; x.216_ptr
.text&ARM.extab:C52C629A 7A 44                         ADD             R2, PC        ; y.217_ptr
.text&ARM.extab:C52C629C 09 68                         LDR             R1, [R1]      ; x.216
.text&ARM.extab:C52C629E 12 68                         LDR             R2, [R2]      ; y.217
.text&ARM.extab:C52C62A0 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52C62A2 12 68                         LDR             R2, [R2]
.text&ARM.extab:C52C62A4 4B 1E                         SUBS            R3, R1, #1
.text&ARM.extab:C52C62A6 4B 43                         MULS            R3, R1
.text&ARM.extab:C52C62A8 51 40                         EORS            R1, R2
.text&ARM.extab:C52C62AA 0A 29                         CMP             R1, #0xA
.text&ARM.extab:C52C62AC 4F F0 00 01                   MOV.W           R1, #0
.text&ARM.extab:C52C62B0 4F EA 42 05                   MOV.W           R5, R2,LSL#1
.text&ARM.extab:C52C62B4 C8 BF                         IT GT
.text&ARM.extab:C52C62B6 01 21                         MOVGT           R1, #1
.text&ARM.extab:C52C62B8 E7 2D                         CMP             R5, #0xE7
.text&ARM.extab:C52C62BA 4F F0 00 05                   MOV.W           R5, #0
.text&ARM.extab:C52C62BE B8 BF                         IT LT
.text&ARM.extab:C52C62C0 01 25                         MOVLT           R5, #1
.text&ARM.extab:C52C62C2 0A 2A                         CMP             R2, #0xA
.text&ARM.extab:C52C62C4 4F F0 00 02                   MOV.W           R2, #0
.text&ARM.extab:C52C62C8 41 EA 05 01                   ORR.W           R1, R1, R5
.text&ARM.extab:C52C62CC B8 BF                         IT LT
.text&ARM.extab:C52C62CE 01 22                         MOVLT           R2, #1
.text&ARM.extab:C52C62D0 DB 07                         LSLS            R3, R3, #0x1F
.text&ARM.extab:C52C62D2 08 BF                         IT EQ
.text&ARM.extab:C52C62D4 01 26                         MOVEQ           R6, #1
.text&ARM.extab:C52C62D6 32 43                         ORRS            R2, R6
.text&ARM.extab:C52C62D8 11 43                         ORRS            R1, R2
.text&ARM.extab:C52C62D8
.text&ARM.extab:C52C62DA
.text&ARM.extab:C52C62DA                               loc_C52C62DA 
.text&ARM.extab:C52C62DA 01 29                         CMP             R1, #1
.text&ARM.extab:C52C62DC FD D1                         BNE             loc_C52C62DA
.text&ARM.extab:C52C62DC
.text&ARM.extab:C52C62DE 01 28                         CMP             R0, #1
.text&ARM.extab:C52C62E0 07 DB                         BLT             loc_C52C62F2
.text&ARM.extab:C52C62E0
.text&ARM.extab:C52C62E2 2A 49                         LDR             R1, =(dword_C5328508+2 - 0xC52C62EA)
.text&ARM.extab:C52C62E4 02 A8                         ADD             R0, SP, #0xA0+var_98
.text&ARM.extab:C52C62E6 79 44                         ADD             R1, PC        ; dword_C5328508
.text&ARM.extab:C52C62E8 1A F0 B3 FC                   BL              strstr_sub_C60AAC52
.text&ARM.extab:C52C62E8
.text&ARM.extab:C52C62EC 00 28                         CMP             R0, #0
.text&ARM.extab:C52C62EE 7F F4 11 AF                   BNE.W           loc_C52C6114
.text&ARM.extab:C52C62EE
.text&ARM.extab:C52C62F2
.text&ARM.extab:C52C62F2                               loc_C52C62F2 
.text&ARM.extab:C52C62F2 27 48                         LDR             R0, =(off_C5325018 - 0xC52C62FE)
.text&ARM.extab:C52C62F4 00 21                         MOVS            R1, #0
.text&ARM.extab:C52C62F6 27 4A                         LDR             R2, =(sub_C52C63A0+1 - 0xC52C6300)
.text&ARM.extab:C52C62F8 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C62FA 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C62FC 7A 44                         ADD             R2, PC        ; sub_C52C63A0
.text&ARM.extab:C52C62FE 04 68                         LDR             R4, [R0]      ; off_C5326004
.text&ARM.extab:C52C6300 20 68                         LDR             R0, [R4]      ; off_C532DDC0
.text&ARM.extab:C52C6302 D0 F8 98 01                   LDR.W           R0, [R0,#(off_C532DF58 - 0xC532DDC0)]
.text&ARM.extab:C52C6306 06 68                         LDR             R6, [R0]
.text&ARM.extab:C52C6308 01 A8                         ADD             R0, SP, #0xA0+var_9C
.text&ARM.extab:C52C630A B0 47                         BLX             R6
.text&ARM.extab:C52C630A
.text&ARM.extab:C52C630C 20 68                         LDR             R0, [R4]      ; off_C532DDC0
.text&ARM.extab:C52C630C
.text&ARM.extab:C52C630E
.text&ARM.extab:C52C630E                               loc_C52C630E                  ; CODE XREF: check_frida_Youpk_sub_C60B20B8+178↑j
.text&ARM.extab:C52C630E D0 F8 98 01                   LDR.W           R0, [R0,#(off_C532DF58 - 0xC532DDC0)]
.text&ARM.extab:C52C6312 00 21                         MOVS            R1, #0
.text&ARM.extab:C52C6314 20 4A                         LDR             R2, =(T2_Check_frida_sub_C6087910+1 - 0xC52C6320) ; POP {R4-R7,PC}
.text&ARM.extab:C52C6316 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C6318 00 25                         MOVS            R5, #0
.text&ARM.extab:C52C631A 06 68                         LDR             R6, [R0]
.text&ARM.extab:C52C631C 7A 44                         ADD             R2, PC        ; T2_Check_frida_sub_C6087910 ; POP {R4-R7,PC}
.text&ARM.extab:C52C631E 01 A8                         ADD             R0, SP, #0xA0+var_9C
.text&ARM.extab:C52C6320 B0 47                         BLX             R6            ; pthread_create
.text&ARM.extab:C52C6320
.text&ARM.extab:C52C6322 F8 E6                         B               loc_C52C6116

检测特征:

_ZN3art8Unpacker12dumpAllDexesEv
_ZN3art4Aupk13aupkArtMethodE

re.frida.server
/data/local/tmp/re.frida.server

检测调试器进程状态与调试端口

.text&ARM.extab:C52C42EC                               anitdbg1_sub_2F2EC
.text&ARM.extab:C52C42EC
.text&ARM.extab:C52C42EC                               var_120= -0x120
.text&ARM.extab:C52C42EC                               s= -0xA0
.text&ARM.extab:C52C42EC                               var_20= -0x20
.text&ARM.extab:C52C42EC
.text&ARM.extab:C52C42EC                               ; __unwind {
.text&ARM.extab:C52C42EC F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52C42EE 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52C42F0 2D E9 00 0F                   PUSH.W          {R8-R11}
.text&ARM.extab:C52C42F4 E1 B0                         SUB             SP, SP, #0x184
.text&ARM.extab:C52C42F6 7B 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52C42FE)
.text&ARM.extab:C52C42F8 80 21                         MOVS            R1, #0x80
.text&ARM.extab:C52C42FA 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52C42FC 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C42FE 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C4300 60 90                         STR             R0, [SP,#0x1A0+var_20]
.text&ARM.extab:C52C4302 40 A8                         ADD             R0, SP, #0x1A0+s
.text&ARM.extab:C52C4304 E1 F7 66 EA                   BLX             __aeabi_memclr8
.text&ARM.extab:C52C4304
.text&ARM.extab:C52C4308 20 A8                         ADD             R0, SP, #0x1A0+var_120
.text&ARM.extab:C52C430A 80 21                         MOVS            R1, #0x80
.text&ARM.extab:C52C430C E1 F7 62 EA                   BLX             __aeabi_memclr8
.text&ARM.extab:C52C430C
.text&ARM.extab:C52C4310 68 46                         MOV             R0, SP
.text&ARM.extab:C52C4312 80 21                         MOVS            R1, #0x80
.text&ARM.extab:C52C4314 E1 F7 5E EA                   BLX             __aeabi_memclr8
.text&ARM.extab:C52C4314
.text&ARM.extab:C52C4318 73 48                         LDR             R0, =(aProcSelfStatus - 0xC52C4326) ; "e\x02\x06T\x16w\x1B205o,9%.:9r"
.text&ARM.extab:C52C431A 00 21                         MOVS            R1, #0
.text&ARM.extab:C52C431C 4F F4 80 72                   MOV.W           R2, #0x100
.text&ARM.extab:C52C4320 00 23                         MOVS            R3, #0
.text&ARM.extab:C52C4322 78 44                         ADD             R0, PC        ; "e\x02\x06T\x16w\x1B205o,9%.:9r"
.text&ARM.extab:C52C4324 80 B4                         PUSH            {R7}
.text&ARM.extab:C52C4326 4F F0 05 07                   MOV.W           R7, #5        ; __NR_open
.text&ARM.extab:C52C432A 00 DF                         SVC             0
.text&ARM.extab:C52C432C 80 BC                         POP             {R7}
.text&ARM.extab:C52C432E 04 46                         MOV             R4, R0
.text&ARM.extab:C52C4330 14 F5 80 5F                   CMN.W           R4, #0x1000
.text&ARM.extab:C52C4334 31 D9                         BLS             loc_C52C439A
.text&ARM.extab:C52C4334
.text&ARM.extab:C52C4336 74 48                         LDR             R0, =(x.174_ptr - 0xC52C433E)
.text&ARM.extab:C52C4338 74 49                         LDR             R1, =(y.175_ptr - 0xC52C4340)
.text&ARM.extab:C52C433A 78 44                         ADD             R0, PC        ; x.174_ptr
.text&ARM.extab:C52C433C 79 44                         ADD             R1, PC        ; y.175_ptr
.text&ARM.extab:C52C433E 00 68                         LDR             R0, [R0]      ; x.174
.text&ARM.extab:C52C4340 09 68                         LDR             R1, [R1]      ; y.175
.text&ARM.extab:C52C4342 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52C4344 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52C4346 46 1E                         SUBS            R6, R0, #1
.text&ARM.extab:C52C4348 81 EA 00 02                   EOR.W           R2, R1, R0
.text&ARM.extab:C52C434C 70 43                         MULS            R0, R6
.text&ARM.extab:C52C434E A3 2A                         CMP             R2, #0xA3
.text&ARM.extab:C52C4350 4F F0 00 02                   MOV.W           R2, #0
.text&ARM.extab:C52C4354 4F EA 41 06                   MOV.W           R6, R1,LSL#1
.text&ARM.extab:C52C4358 B8 BF                         IT LT
.text&ARM.extab:C52C435A 01 22                         MOVLT           R2, #1
.text&ARM.extab:C52C435C B6 F5 A7 7F                   CMP.W           R6, #0x14E
.text&ARM.extab:C52C4360 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52C4364 C8 BF                         IT GT
.text&ARM.extab:C52C4366 01 26                         MOVGT           R6, #1
.text&ARM.extab:C52C4368 09 29                         CMP             R1, #9
.text&ARM.extab:C52C436A C8 BF                         IT GT
.text&ARM.extab:C52C436C 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52C436E 00 F0 01 00                   AND.W           R0, R0, #1
.text&ARM.extab:C52C4372 86 EA 02 05                   EOR.W           R5, R6, R2
.text&ARM.extab:C52C4376 32 43                         ORRS            R2, R6
.text&ARM.extab:C52C4378 83 EA 00 01                   EOR.W           R1, R3, R0
.text&ARM.extab:C52C437C 18 43                         ORRS            R0, R3
.text&ARM.extab:C52C437E 82 F0 01 02                   EOR.W           R2, R2, #1
.text&ARM.extab:C52C4382 80 F0 01 00                   EOR.W           R0, R0, #1
.text&ARM.extab:C52C4386 2A 43                         ORRS            R2, R5
.text&ARM.extab:C52C4388 08 43                         ORRS            R0, R1
.text&ARM.extab:C52C438A 10 43                         ORRS            R0, R2
.text&ARM.extab:C52C438A
.text&ARM.extab:C52C438C
.text&ARM.extab:C52C438C                               loc_C52C438C                  ; CODE XREF: anitdbg1_sub_2F2EC+A2↓j
.text&ARM.extab:C52C438C 01 28                         CMP             R0, #1
.text&ARM.extab:C52C438E FD D1                         BNE             loc_C52C438C
.text&ARM.extab:C52C438E
.text&ARM.extab:C52C4390 64 42                         NEGS            R4, R4
.text&ARM.extab:C52C4392 E1 F7 CE EA                   BLX             __errno
.text&ARM.extab:C52C4392
.text&ARM.extab:C52C4396 04 60                         STR             R4, [R0]
.text&ARM.extab:C52C4398 81 E0                         B               loc_C52C449E
.text&ARM.extab:C52C4398
.text&ARM.extab:C52C439A
.text&ARM.extab:C52C439A                               loc_C52C439A                  ; CODE XREF: anitdbg1_sub_2F2EC+48↑j
.text&ARM.extab:C52C439A 00 2C                         CMP             R4, #0
.text&ARM.extab:C52C439C C0 F2 7F 80                   BLT.W           loc_C52C449E
.text&ARM.extab:C52C439C
.text&ARM.extab:C52C43A0 40 A9                         ADD             R1, SP, #0x1A0+s
.text&ARM.extab:C52C43A2 20 46                         MOV             R0, R4
.text&ARM.extab:C52C43A4 80 22                         MOVS            R2, #0x80
.text&ARM.extab:C52C43A6 FF F7 A1 FA                   BL              read_sub_C60848EC
.text&ARM.extab:C52C43A6
.text&ARM.extab:C52C43AA 01 28                         CMP             R0, #1
.text&ARM.extab:C52C43AC 39 DB                         BLT             loc_C52C4422
.text&ARM.extab:C52C43AC
.text&ARM.extab:C52C43AE DF F8 3C 81                   LDR.W           R8, =(aPoqn1h - 0xC52C43C2) ; ":.POQN1h"
.text&ARM.extab:C52C43B2 40 AE                         ADD             R6, SP, #0x1A0+s
.text&ARM.extab:C52C43B4 DF F8 38 91                   LDR.W           R9, =(byte_C532816A - 0xC52C43C8)
.text&ARM.extab:C52C43B8 20 AD                         ADD             R5, SP, #0x1A0+var_120
.text&ARM.extab:C52C43BA DF F8 38 A1                   LDR.W           R10, =(aPoqn1h - 0xC52C43CA) ; ":.POQN1h"
.text&ARM.extab:C52C43BE F8 44                         ADD             R8, PC        ; ":.POQN1h"
.text&ARM.extab:C52C43C0 DF F8 34 B1                   LDR.W           R11, =(dword_C532816C+1 - 0xC52C43CC)
.text&ARM.extab:C52C43C4 F9 44                         ADD             R9, PC        ; byte_C532816A
.text&ARM.extab:C52C43C6 FA 44                         ADD             R10, PC       ; ":.POQN1h"
.text&ARM.extab:C52C43C8 FB 44                         ADD             R11, PC       ; dword_C532816C
.text&ARM.extab:C52C43C8
.text&ARM.extab:C52C43CA
.text&ARM.extab:C52C43CA                               loc_C52C43CA                  ; CODE XREF: anitdbg1_sub_2F2EC+134↓j
.text&ARM.extab:C52C43CA 30 46                         MOV             R0, R6        ; s
.text&ARM.extab:C52C43CC 41 46                         MOV             R1, R8        ; delim
.text&ARM.extab:C52C43CE E1 F7 28 EB                   BLX             strtok
.text&ARM.extab:C52C43CE
.text&ARM.extab:C52C43D2 02 46                         MOV             R2, R0
.text&ARM.extab:C52C43D4 00 2A                         CMP             R2, #0
.text&ARM.extab:C52C43D6 15 D0                         BEQ             loc_C52C4404
.text&ARM.extab:C52C43D6
.text&ARM.extab:C52C43D8 28 46                         MOV             R0, R5        ; s
.text&ARM.extab:C52C43DA 49 46                         MOV             R1, R9        ; format
.text&ARM.extab:C52C43DC E1 F7 00 EA                   BLX             sprintf
.text&ARM.extab:C52C43DC
.text&ARM.extab:C52C43E0 00 20                         MOVS            R0, #0        ; s
.text&ARM.extab:C52C43E2 51 46                         MOV             R1, R10       ; delim
.text&ARM.extab:C52C43E4 E1 F7 1C EB                   BLX             strtok
.text&ARM.extab:C52C43E4
.text&ARM.extab:C52C43E8 02 46                         MOV             R2, R0
.text&ARM.extab:C52C43EA 5A B1                         CBZ             R2, loc_C52C4404
.text&ARM.extab:C52C43EA
.text&ARM.extab:C52C43EC 49 49                         LDR             R1, =(byte_C532816A - 0xC52C43F4)
.text&ARM.extab:C52C43EE 68 46                         MOV             R0, SP        ; s
.text&ARM.extab:C52C43F0 79 44                         ADD             R1, PC        ; byte_C532816A ; format
.text&ARM.extab:C52C43F2 E1 F7 F6 E9                   BLX             sprintf
.text&ARM.extab:C52C43F2
.text&ARM.extab:C52C43F6 28 46                         MOV             R0, R5
.text&ARM.extab:C52C43F8 59 46                         MOV             R1, R11
.text&ARM.extab:C52C43FA 80 22                         MOVS            R2, #0x80
.text&ARM.extab:C52C43FC 1C F0 60 FC                   BL              sub_C52E0CC0
.text&ARM.extab:C52C43FC
.text&ARM.extab:C52C4400 00 28                         CMP             R0, #0
.text&ARM.extab:C52C4402 5A D0                         BEQ             loc_C52C44BA
.text&ARM.extab:C52C4402
.text&ARM.extab:C52C4404
.text&ARM.extab:C52C4404                               loc_C52C4404                  ; CODE XREF: anitdbg1_sub_2F2EC+EA↑j
.text&ARM.extab:C52C4404                                                             ; anitdbg1_sub_2F2EC+FE↑j
.text&ARM.extab:C52C4404 30 46                         MOV             R0, R6
.text&ARM.extab:C52C4406 80 21                         MOVS            R1, #0x80
.text&ARM.extab:C52C4408 E1 F7 E4 E9                   BLX             __aeabi_memclr8
.text&ARM.extab:C52C4408
.text&ARM.extab:C52C440C 28 46                         MOV             R0, R5
.text&ARM.extab:C52C440E 80 21                         MOVS            R1, #0x80
.text&ARM.extab:C52C4410 E1 F7 E0 E9                   BLX             __aeabi_memclr8
.text&ARM.extab:C52C4410
.text&ARM.extab:C52C4414 20 46                         MOV             R0, R4
.text&ARM.extab:C52C4416 31 46                         MOV             R1, R6
.text&ARM.extab:C52C4418 80 22                         MOVS            R2, #0x80
.text&ARM.extab:C52C441A FF F7 67 FA                   BL              read_sub_C60848EC
.text&ARM.extab:C52C441A
.text&ARM.extab:C52C441E 00 28                         CMP             R0, #0
.text&ARM.extab:C52C4420 D3 DC                         BGT             loc_C52C43CA
.text&ARM.extab:C52C4420
.text&ARM.extab:C52C4422
.text&ARM.extab:C52C4422                               loc_C52C4422                  ; CODE XREF: anitdbg1_sub_2F2EC+C0↑j
.text&ARM.extab:C52C4422 00 25                         MOVS            R5, #0
.text&ARM.extab:C52C4422
.text&ARM.extab:C52C4424
.text&ARM.extab:C52C4424                               loc_C52C4424                  ; CODE XREF: anitdbg1_sub_2F2EC+1D6↓j
.text&ARM.extab:C52C4424 01 2C                         CMP             R4, #1
.text&ARM.extab:C52C4426 A4 BF                         ITT GE
.text&ARM.extab:C52C4428 20 46                         MOVGE           R0, R4
.text&ARM.extab:C52C442A FF F7 23 FB                   BLGE            close_sub_C6084A74
.text&ARM.extab:C52C442A
.text&ARM.extab:C52C442E 01 2D                         CMP             R5, #1
.text&ARM.extab:C52C4430 52 DB                         BLT             loc_C52C44D8
.text&ARM.extab:C52C4430
.text&ARM.extab:C52C4432 32 48                         LDR             R0, =(off_C5325018 - 0xC52C4438)
.text&ARM.extab:C52C4434 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52C4436 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52C4438 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52C443A D0 F8 94 01                   LDR.W           R0, [R0,#(dword_C532DF54 - 0xC532DDC0)]
.text&ARM.extab:C52C443E A8 42                         CMP             R0, R5
.text&ARM.extab:C52C4440 48 D0                         BEQ             loc_C52C44D4
.text&ARM.extab:C52C4440
.text&ARM.extab:C52C4442 80 B4                         PUSH            {R7}
.text&ARM.extab:C52C4444 4F F0 14 07                   MOV.W           R7, #0x14
.text&ARM.extab:C52C4448 00 DF                         SVC             0
.text&ARM.extab:C52C444A 80 BC                         POP             {R7}
.text&ARM.extab:C52C444C 4F F2 00 08 CF F6 FF 78       MOV             R8, #0xFFFFF000
.text&ARM.extab:C52C4454 04 46                         MOV             R4, R0
.text&ARM.extab:C52C4456 44 45                         CMP             R4, R8
.text&ARM.extab:C52C4458 05 D9                         BLS             loc_C52C4466
.text&ARM.extab:C52C4458

过反调试的方法就是直接path返回。

4.4、解密指令资源

读取ijiami.ajm
.text&ARM.extab:C52B9E3C                               Read_ijiami.ajm_sub_C2167E3C
.text&ARM.extab:C52B9E3C
.text&ARM.extab:C52B9E3C                               var_128= -0x128
.text&ARM.extab:C52B9E3C                               var_120= -0x120
.text&ARM.extab:C52B9E3C                               var_1C= -0x1C
.text&ARM.extab:C52B9E3C
.text&ARM.extab:C52B9E3C                               ; __unwind {
.text&ARM.extab:C52B9E3C F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52B9E3E 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52B9E40 2D E9 00 0B                   PUSH.W          {R8,R9,R11}
.text&ARM.extab:C52B9E44 C4 B0                         SUB             SP, SP, #0x110
.text&ARM.extab:C52B9E46 81 46                         MOV             R9, R0
.text&ARM.extab:C52B9E48 1D 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52B9E52)
.text&ARM.extab:C52B9E4A 02 AC                         ADD             R4, SP, #0x128+var_120
.text&ARM.extab:C52B9E4C 0E 46                         MOV             R6, R1
.text&ARM.extab:C52B9E4E 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52B9E50 4F F4 80 71                   MOV.W           R1, #0x100
.text&ARM.extab:C52B9E54 90 46                         MOV             R8, R2
.text&ARM.extab:C52B9E56 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52B9E58 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52B9E5A 43 90                         STR             R0, [SP,#0x128+var_1C]
.text&ARM.extab:C52B9E5C 20 46                         MOV             R0, R4
.text&ARM.extab:C52B9E5E EB F7 BA EC                   BLX             __aeabi_memclr8
.text&ARM.extab:C52B9E5E
.text&ARM.extab:C52B9E62 18 48                         LDR             R0, =(off_C5325018 - 0xC52B9E6A)
.text&ARM.extab:C52B9E64 18 49                         LDR             R1, =(dword_C5326A88 - 0xC52B9E6C)
.text&ARM.extab:C52B9E66 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52B9E68 79 44                         ADD             R1, PC        ; dword_C5326A88 ; format
.text&ARM.extab:C52B9E6A 05 68                         LDR             R5, [R0]      ; off_C5326004
.text&ARM.extab:C52B9E6C 28 68                         LDR             R0, [R5]      ; off_C532DDC0
.text&ARM.extab:C52B9E6E D0 F8 74 01                   LDR.W           R0, [R0,#(off_C532DF34 - 0xC532DDC0)]
.text&ARM.extab:C52B9E72 82 69                         LDR             R2, [R0,#0x18]
.text&ARM.extab:C52B9E74 20 46                         MOV             R0, R4        ; s
.text&ARM.extab:C52B9E76 EB F7 B4 EC                   BLX             sprintf
.text&ARM.extab:C52B9E76
.text&ARM.extab:C52B9E7A 2A 68                         LDR             R2, [R5]      ; off_C532DDC0
.text&ARM.extab:C52B9E7C 92 F8 FE 00                   LDRB.W          R0, [R2,#(dword_C532DEBC+2 - 0xC532DDC0)]
.text&ARM.extab:C52B9E80 30 B1                         CBZ             R0, loc_C52B9E90
.text&ARM.extab:C52B9E80
.text&ARM.extab:C52B9E82 02 A9                         ADD             R1, SP, #0x128+var_120
.text&ARM.extab:C52B9E84 48 46                         MOV             R0, R9
.text&ARM.extab:C52B9E86 32 46                         MOV             R2, R6
.text&ARM.extab:C52B9E88 43 46                         MOV             R3, R8
.text&ARM.extab:C52B9E8A 00 F0 21 F8                   BL              read_apk_sub_C6083ED0
.text&ARM.extab:C52B9E8A
.text&ARM.extab:C52B9E8E 0A E0                         B               loc_C52B9EA6
.text&ARM.extab:C52B9E8E
.text&ARM.extab:C52B9E90
.text&ARM.extab:C52B9E90                               loc_C52B9E90  
.text&ARM.extab:C52B9E90 90 68                         LDR             R0, [R2,#(off_C532DDC8 - 0xC532DDC0)]
.text&ARM.extab:C52B9E92 D2 F8 94 10                   LDR.W           R1, [R2,#(dword_C532DE54 - 0xC532DDC0)]
.text&ARM.extab:C52B9E96 D2 F8 74 21                   LDR.W           R2, [R2,#(off_C532DF34 - 0xC532DDC0)]
.text&ARM.extab:C52B9E9A 93 69                         LDR             R3, [R2,#0x18]
.text&ARM.extab:C52B9E9C 4A 46                         MOV             R2, R9
.text&ARM.extab:C52B9E9E CD E9 00 68                   STRD.W          R6, R8, [SP,#0x128+var_128]
.text&ARM.extab:C52B9EA2 00 F0 89 F9                   BL              AAssetManager_read_sub_C52BA1B8
.text&ARM.extab:C52B9EA2
.text&ARM.extab:C52B9EA6
.text&ARM.extab:C52B9EA6                               loc_C52B9EA6  
.text&ARM.extab:C52B9EA6 09 49                         LDR             R1, =(__stack_chk_guard_ptr - 0xC52B9EAE)
.text&ARM.extab:C52B9EA8 43 9A                         LDR             R2, [SP,#0x128+var_1C]
.text&ARM.extab:C52B9EAA 79 44                         ADD             R1, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52B9EAC 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52B9EAE 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52B9EB0 89 1A                         SUBS            R1, R1, R2
.text&ARM.extab:C52B9EB2 02 BF                         ITTT EQ
.text&ARM.extab:C52B9EB4 44 B0                         ADDEQ           SP, SP, #0x110
.text&ARM.extab:C52B9EB6 BD E8 00 0B                   POPEQ.W         {R8,R9,R11}
.text&ARM.extab:C52B9EBA F0 BD                         POPEQ           {R4-R7,PC}

解密解析指令

.text&ARM.extab:C52E924E 09 9D                         LDR             R5, [SP,#0x48+ptr]
.text&ARM.extab:C52E9250 4F F4 80 62                   MOV.W           R2, #0x400
.text&ARM.extab:C52E9254 05 F1 18 09                   ADD.W           R9, R5, #0x18
.text&ARM.extab:C52E9258 D5 E9 04 16                   LDRD.W          R1, R6, [R5,#0x10]
.text&ARM.extab:C52E925C 48 46                         MOV             R0, R9
.text&ARM.extab:C52E925E 00 F0 E5 F8                   BL              Dec_ijiami.ajm_sub_C219742C ;解密数据
.text&ARM.extab:C52E925E
.text&ARM.extab:C52E9262 06 F1 18 00                   ADD.W           R0, R6, #0x18
.text&ARM.extab:C52E9266 4F F4 80 51                   MOV.W           R1, #0x1000
.text&ARM.extab:C52E926A F7 F7 C9 FD                   BL              getsize_sub_C218EE00
.text&ARM.extab:C52E926A
.text&ARM.extab:C52E926E 01 46                         MOV             R1, R0        ; len
.text&ARM.extab:C52E9270 00 20                         MOVS            R0, #0
.text&ARM.extab:C52E9272 CD E9 00 40                   STRD.W          R4, R0, [SP,#0x48+fd] ; fd
.text&ARM.extab:C52E9276 00 20                         MOVS            R0, #0        ; addr
.text&ARM.extab:C52E9278 03 22                         MOVS            R2, #3        ; prot
.text&ARM.extab:C52E927A 21 23                         MOVS            R3, #0x21 ; '!' ; flags
.text&ARM.extab:C52E927C BC F7 9A EB                   BLX             mmap
.text&ARM.extab:C52E927C
.text&ARM.extab:C52E9280 07 96                         STR             R6, [SP,#0x48+var_2C]
.text&ARM.extab:C52E9282 80 46                         MOV             R8, R0
.text&ARM.extab:C52E9284 2B 69                         LDR             R3, [R5,#0x10]
.text&ARM.extab:C52E9286 08 F1 18 00                   ADD.W           R0, R8, #0x18
.text&ARM.extab:C52E928A 07 A9                         ADD             R1, SP, #0x48+var_2C
.text&ARM.extab:C52E928C 4A 46                         MOV             R2, R9
.text&ARM.extab:C52E928E 05 F0 7C EF                   BLX             Dec_Parse_sub_C219D188 ; 解析解密后的指令格式,R0:返回地址,R2:解密后的数据,R3:解密后数据大小
.text&ARM.extab:C52E928E
.text&ARM.extab:C52E9292 00 28                         CMP             R0, #0
.text&ARM.extab:C52E9294 40 F0 A2 80                   BNE.W           loc_C52E93DC
.text&ARM.extab:C52E9294
.text&ARM.extab:C52E9298 09 9C                         LDR             R4, [SP,#0x48+ptr]
.text&ARM.extab:C52E929A 40 46                         MOV             R0, R8
.text&ARM.extab:C52E929C 18 22                         MOVS            R2, #0x18
.text&ARM.extab:C52E929E 21 46                         MOV             R1, R4
.text&ARM.extab:C52E92A0 BC F7 94 EB                   BLX             __aeabi_memcpy
.text&ARM.extab:C52E92A0
.text&ARM.extab:C52E92A4 24 B1                         CBZ             R4, loc_C52E92B0
.text&ARM.extab:C52E92A4
.text&ARM.extab:C52E92A6 20 46                         MOV             R0, R4        ; ptr
.text&ARM.extab:C52E92A8 BC F7 A6 EA                   BLX             free
.text&ARM.extab:C52E92A8
.text&ARM.extab:C52E92AC 00 20                         MOVS            R0, #0
.text&ARM.extab:C52E92AE 09 90                         STR             R0, [SP,#0x48+ptr]
.text&ARM.extab:C52E92AE
.text&ARM.extab:C52E92B0
.text&ARM.extab:C52E92B0                               loc_C52E92B0
.text&ARM.extab:C52E92B0 D8 F8 0C 00                   LDR.W           R0, [R8,#0xC]
.text&ARM.extab:C52E92B4 00 24                         MOVS            R4, #0
.text&ARM.extab:C52E92B6 00 28                         CMP             R0, #0
.text&ARM.extab:C52E92B8 00 F0 90 80                   BEQ.W           loc_C52E93DC
.text&ARM.extab:C52E92B8
.text&ARM.extab:C52E92BC 51 48                         LDR             R0, =(x.49_ptr - 0xC52E92C6)
.text&ARM.extab:C52E92BE D8 F8 08 A0                   LDR.W           R10, [R8,#8]
.text&ARM.extab:C52E92C2 78 44                         ADD             R0, PC        ; x.49_ptr
.text&ARM.extab:C52E92C4 00 68                         LDR             R0, [R0]      ; x.49
.text&ARM.extab:C52E92C6 06 90                         STR             R0, [SP,#0x48+var_30]
.text&ARM.extab:C52E92C8 4F 48                         LDR             R0, =(y.50_ptr - 0xC52E92CE)
.text&ARM.extab:C52E92CA 78 44                         ADD             R0, PC        ; y.50_ptr
.text&ARM.extab:C52E92CC 00 68                         LDR             R0, [R0]      ; y.50
.text&ARM.extab:C52E92CE 05 90                         STR             R0, [SP,#0x48+var_34]
.text&ARM.extab:C52E92D0 4E 48                         LDR             R0, =(off_C5325018 - 0xC52E92D6)
.text&ARM.extab:C52E92D2 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52E92D4 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52E92D6 04 90                         STR             R0, [SP,#0x48+var_38]
.text&ARM.extab:C52E92D8 4D 48                         LDR             R0, =(off_C5325018 - 0xC52E92DE)
.text&ARM.extab:C52E92DA 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52E92DC D0 F8 00 B0                   LDR.W           R11, [R0]     ; off_C5326004
.text&ARM.extab:C52E92E0 4C 48                         LDR             R0, =(off_C5325018 - 0xC52E92E6)
.text&ARM.extab:C52E92E2 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52E92E4 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52E92E6 03 90                         STR             R0, [SP,#0x48+var_3C]
.text&ARM.extab:C52E92E6
.text&ARM.extab:C52E92E8
.text&ARM.extab:C52E92E8                               loc_C52E92E8  
.text&ARM.extab:C52E92E8 06 98                         LDR             R0, [SP,#0x48+var_30]
.text&ARM.extab:C52E92EA 00 26                         MOVS            R6, #0
.text&ARM.extab:C52E92EC 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52E92EE 41 1E                         SUBS            R1, R0, #1
.text&ARM.extab:C52E92F0 01 FB 00 F2                   MUL.W           R2, R1, R0
.text&ARM.extab:C52E92F4 05 99                         LDR             R1, [SP,#0x48+var_34]
.text&ARM.extab:C52E92F6 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52E92F8 09 29                         CMP             R1, #9
.text&ARM.extab:C52E92FA 02 F0 01 03                   AND.W           R3, R2, #1
.text&ARM.extab:C52E92FE C8 BF                         IT GT
.text&ARM.extab:C52E9300 01 26                         MOVGT           R6, #1
.text&ARM.extab:C52E9302 8D 00                         LSLS            R5, R1, #2
.text&ARM.extab:C52E9304 86 EA 03 02                   EOR.W           R2, R6, R3
.text&ARM.extab:C52E9308 1E 43                         ORRS            R6, R3
.text&ARM.extab:C52E930A 86 F0 01 06                   EOR.W           R6, R6, #1
.text&ARM.extab:C52E930E 16 43                         ORRS            R6, R2
.text&ARM.extab:C52E9310 81 EA 00 02                   EOR.W           R2, R1, R0
.text&ARM.extab:C52E9314 8A 2A                         CMP             R2, #0x8A
.text&ARM.extab:C52E9316 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52E931A C8 BF                         IT GT
.text&ARM.extab:C52E931C 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52E931E B5 F5 F8 7F                   CMP.W           R5, #0x1F0
.text&ARM.extab:C52E9322 4F F0 00 05                   MOV.W           R5, #0
.text&ARM.extab:C52E9326 B8 BF                         IT LT
.text&ARM.extab:C52E9328 01 25                         MOVLT           R5, #1
.text&ARM.extab:C52E932A 5A F8 08 90                   LDR.W           R9, [R10,R8]
.text&ARM.extab:C52E932E 28 43                         ORRS            R0, R5
.text&ARM.extab:C52E9330 30 43                         ORRS            R0, R6
.text&ARM.extab:C52E9332 0A EB 08 06                   ADD.W           R6, R10, R8
.text&ARM.extab:C52E9332
.text&ARM.extab:C52E9336
.text&ARM.extab:C52E9336                               loc_C52E9336                  ; CODE XREF: Read_ijiami.ajm_sub_C2197218+120↓j
.text&ARM.extab:C52E9336 01 28                         CMP             R0, #1
.text&ARM.extab:C52E9338 FD D1                         BNE             loc_C52E9336
.text&ARM.extab:C52E9338
.text&ARM.extab:C52E933A 38 48                         LDR             R0, =(dword_C532E200 - 0xC52E9340)
.text&ARM.extab:C52E933C 78 44                         ADD             R0, PC        ; dword_C532E200
.text&ARM.extab:C52E933E 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52E9340 38 BB                         CBNZ            R0, loc_C52E9392
.text&ARM.extab:C52E9340
.text&ARM.extab:C52E9342 00 2B                         CMP             R3, #0
.text&ARM.extab:C52E9344 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52E9348 08 BF                         IT EQ
.text&ARM.extab:C52E934A 01 20                         MOVEQ           R0, #1
.text&ARM.extab:C52E934C 0A 29                         CMP             R1, #0xA
.text&ARM.extab:C52E934E 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E9352 4F EA C1 01                   MOV.W           R1, R1,LSL#3
.text&ARM.extab:C52E9356 B8 BF                         IT LT
.text&ARM.extab:C52E9358 01 23                         MOVLT           R3, #1
.text&ARM.extab:C52E935A 10 2A                         CMP             R2, #0x10
.text&ARM.extab:C52E935C 4F F0 00 02                   MOV.W           R2, #0
.text&ARM.extab:C52E9360 40 EA 03 00                   ORR.W           R0, R0, R3
.text&ARM.extab:C52E9364 C8 BF                         IT GT
.text&ARM.extab:C52E9366 01 22                         MOVGT           R2, #1
.text&ARM.extab:C52E9368 70 29                         CMP             R1, #0x70 ; 'p'
.text&ARM.extab:C52E936A 4F F0 00 01                   MOV.W           R1, #0
.text&ARM.extab:C52E936E B8 BF                         IT LT
.text&ARM.extab:C52E9370 01 21                         MOVLT           R1, #1
.text&ARM.extab:C52E9372 11 43                         ORRS            R1, R2
.text&ARM.extab:C52E9374 08 43                         ORRS            R0, R1
.text&ARM.extab:C52E9374
.text&ARM.extab:C52E9376
.text&ARM.extab:C52E9376                               loc_C52E9376                  ; CODE XREF: Read_ijiami.ajm_sub_C2197218+160↓j
.text&ARM.extab:C52E9376 01 28                         CMP             R0, #1
.text&ARM.extab:C52E9378 FD D1                         BNE             loc_C52E9376
.text&ARM.extab:C52E9378
.text&ARM.extab:C52E937A 04 98                         LDR             R0, [SP,#0x48+var_38]
.text&ARM.extab:C52E937C 00 21                         MOVS            R1, #0        ; char **
.text&ARM.extab:C52E937E 10 22                         MOVS            R2, #0x10     ; int
.text&ARM.extab:C52E9380 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52E9382 D0 F8 B4 00                   LDR.W           R0, [R0,#0xB4]
.text&ARM.extab:C52E9386 1C 30                         ADDS            R0, #0x1C     ; char *
.text&ARM.extab:C52E9388 BC F7 CA EC                   BLX             strtol
.text&ARM.extab:C52E9388
.text&ARM.extab:C52E938C 24 49                         LDR             R1, =(dword_C532E200 - 0xC52E9392)
.text&ARM.extab:C52E938E 79 44                         ADD             R1, PC        ; dword_C532E200
.text&ARM.extab:C52E9390 08 60                         STR             R0, [R1]
.text&ARM.extab:C52E9390
.text&ARM.extab:C52E9392
.text&ARM.extab:C52E9392                               loc_C52E9392                  ; CODE XREF: Read_ijiami.ajm_sub_C2197218+128↑j
.text&ARM.extab:C52E9392 A9 EB 00 01                   SUB.W           R1, R9, R0
.text&ARM.extab:C52E9396 31 60                         STR             R1, [R6]
.text&ARM.extab:C52E9398 DB F8 00 00                   LDR.W           R0, [R11]     ; off_C532DDC0
.text&ARM.extab:C52E939C C2 6B                         LDR             R2, [R0,#(off_C532DDFC - 0xC532DDC0)] ; off_C5326420
.text&ARM.extab:C52E939E 21 48                         LDR             R0, =(dword_C532E200 - 0xC52E93A4)
.text&ARM.extab:C52E93A0 78 44                         ADD             R0, PC        ; dword_C532E200
.text&ARM.extab:C52E93A2 12 69                         LDR             R2, [R2,#0x10] ; getDecCode_sub_C20E39D2 ; R0:解密指令解析格式后地址指针,R1:Debug info
.text&ARM.extab:C52E93A4 C0 68                         LDR             R0, [R0,#(dword_C532E20C - 0xC532E200)]
.text&ARM.extab:C52E93A6 90 47                         BLX             R2            ; getDecCode_sub_C20E39D2 ; R0:解密指令解析格式后地址指针,R1:Debug info
.text&ARM.extab:C52E93A6
.text&ARM.extab:C52E93A8 68 B9                         CBNZ            R0, loc_C52E93C6
.text&ARM.extab:C52E93A8
.text&ARM.extab:C52E93AA 03 98                         LDR             R0, [SP,#0x48+var_3C]
.text&ARM.extab:C52E93AC 31 68                         LDR             R1, [R6]
.text&ARM.extab:C52E93AE 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52E93B0 C2 6B                         LDR             R2, [R0,#0x3C]
.text&ARM.extab:C52E93B2 1D 48                         LDR             R0, =(dword_C532E200 - 0xC52E93B8)
.text&ARM.extab:C52E93B4 78 44                         ADD             R0, PC        ; dword_C532E200
.text&ARM.extab:C52E93B6 D3 68                         LDR             R3, [R2,#0xC]
.text&ARM.extab:C52E93B8 32 46                         MOV             R2, R6
.text&ARM.extab:C52E93BA C0 68                         LDR             R0, [R0,#(dword_C532E20C - 0xC532E200)]
.text&ARM.extab:C52E93BC 98 47                         BLX             R3
.text&ARM.extab:C52E93BC
.text&ARM.extab:C52E93BE B0 68                         LDR             R0, [R6,#8]
.text&ARM.extab:C52E93C0 50 44                         ADD             R0, R10
.text&ARM.extab:C52E93C2 00 F1 0C 0A                   ADD.W           R10, R0, #0xC
.text&ARM.extab:C52E93C2
.text&ARM.extab:C52E93C6
.text&ARM.extab:C52E93C6                               loc_C52E93C6 
.text&ARM.extab:C52E93C6 D8 F8 0C 00                   LDR.W           R0, [R8,#0xC]
.text&ARM.extab:C52E93CA 01 34                         ADDS            R4, #1
.text&ARM.extab:C52E93CC 84 42                         CMP             R4, R0
.text&ARM.extab:C52E93CE 8B D3                         BCC             loc_C52E92E8
.text&ARM.extab:C52E93CE
.text&ARM.extab:C52E93D0 09 98                         LDR             R0, [SP,#0x48+ptr] ; ptr
.text&ARM.extab:C52E93D2 00 28                         CMP             R0, #0
.text&ARM.extab:C52E93D4 18 BF                         IT NE
.text&ARM.extab:C52E93D6 BC F7 10 EA                   BLXNE           free
.text&ARM.extab:C52E93D6

4.5、hook关键方法

hook类加载方法
art::ClassLinker::LoadMethod
art::DexFileVerifier::Verify

.text&ARM.extab:C52BE1A8                               loc_C52BE1A8 
.text&ARM.extab:C52BE1A8 01 28                         CMP             R0, #1
.text&ARM.extab:C52BE1AA FD D1                         BNE             loc_C52BE1A8
.text&ARM.extab:C52BE1AA
.text&ARM.extab:C52BE1AC 2A 48                         LDR             R0, =(off_C5325018 - 0xC52BE1B2)
.text&ARM.extab:C52BE1AE 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52BE1B0 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52BE1B2 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52BE1B4 90 F8 70 10                   LDRB.W          R1, [R0,#(dword_C532DE30 - 0xC532DDC0)]
.text&ARM.extab:C52BE1B8 A1 B1                         CBZ             R1, loc_C52BE1E4
.text&ARM.extab:C52BE1B8
.text&ARM.extab:C52BE1BA 28 48                         LDR             R0, =(aDexlibaocSo+3 - 0xC52BE1C2) ; "\x1D1:2*0v\x1E\x1A2"
.text&ARM.extab:C52BE1BC 00 21                         MOVS            R1, #0        ; mode
.text&ARM.extab:C52BE1BE 78 44                         ADD             R0, PC        ; "\x1D1:2*0v\x1E\x1A2" ; file
.text&ARM.extab:C52BE1C0 E7 F7 32 EB                   BLX             dlopen        ; dexlibaoc.so
.text&ARM.extab:C52BE1C0
.text&ARM.extab:C52BE1C4 58 B1                         CBZ             R0, Hook_Func_LoadMethod_loc_C60B21DE
.text&ARM.extab:C52BE1C4
.text&ARM.extab:C52BE1C6 E7 F7 DA EC                   BLX             dlclose
.text&ARM.extab:C52BE1C6
.text&ARM.extab:C52BE1CA 25 48                         LDR             R0, =(off_C5325018 - 0xC52BE1D0)
.text&ARM.extab:C52BE1CC 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52BE1CE 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52BE1D0 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52BE1D2 40 6F                         LDR             R0, [R0,#(dword_C532DE34 - 0xC532DDC0)]
.text&ARM.extab:C52BE1D4 16 28                         CMP             R0, #0x16
.text&ARM.extab:C52BE1D6 02 DC                         BGT             Hook_Func_LoadMethod_loc_C60B21DE
.text&ARM.extab:C52BE1D6
.text&ARM.extab:C52BE1D8 01 F0 5E F9                   BL              sub_C52BF498
.text&ARM.extab:C52BE1D8
.text&ARM.extab:C52BE1DC 2E E0                         B               loc_C52BE23C
.text&ARM.extab:C52BE1DE
.text&ARM.extab:C52BE1DE                               Hook_Func_LoadMethod_loc_C60B21DE
.text&ARM.extab:C52BE1DE FD F7 39 F9                   BL              Hook_Func_LoadMethod_sub_C60AF454 ;hook类加载方法
.text&ARM.extab:C52BE1DE
.text&ARM.extab:C52BE1E2 2B E0                         B               loc_C52BE23C
.text&ARM.extab:C52BE1E2
.text&ARM.extab:C52BE1E4
.text&ARM.extab:C52BE1E4                               loc_C52BE1E4 
.text&ARM.extab:C52BE1E4 80 6F                         LDR             R0, [R0,#(off_C532DE38 - 0xC532DDC0)] ; sub_C52A9400
.text&ARM.extab:C52BE1E6 80 47                         BLX             R0            ; dword_C5295000
.text&ARM.extab:C52BE1E6
.text&ARM.extab:C52BE1E8 30 B3                         CBZ             R0, loc_C52BE238
.text&ARM.extab:C52BE1E8
.text&ARM.extab:C52BE1EA 1E 48                         LDR             R0, =(off_C5325018 - 0xC52BE1F2)
.text&ARM.extab:C52BE1EC 1E 4E                         LDR             R6, =(dword_C5327B64 - 0xC52BE1F8)
.text&ARM.extab:C52BE1EE 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52BE1F0 1E 49                         LDR             R1, =(dword_C5327B74+2 - 0xC52BE1FC)
.text&ARM.extab:C52BE1F2 1F 4A                         LDR             R2, =(sub_C52BE944+1 - 0xC52BE200)
.text&ARM.extab:C52BE1F4 7E 44                         ADD             R6, PC        ; dword_C5327B64
.text&ARM.extab:C52BE1F6 05 68                         LDR             R5, [R0]      ; off_C5326004
.text&ARM.extab:C52BE1F8 79 44                         ADD             R1, PC        ; dword_C5327B74
.text&ARM.extab:C52BE1FA 1E 4B                         LDR             R3, =(off_C532DFEC - 0xC52BE204)
.text&ARM.extab:C52BE1FC 7A 44                         ADD             R2, PC        ; sub_C52BE944
.text&ARM.extab:C52BE1FE 28 68                         LDR             R0, [R5]      ; off_C532DDC0
.text&ARM.extab:C52BE200 7B 44                         ADD             R3, PC        ; off_C532DFEC
.text&ARM.extab:C52BE202 00 68                         LDR             R0, [R0]      ; off_C5326504
.text&ARM.extab:C52BE204 04 68                         LDR             R4, [R0]      ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE206 30 46                         MOV             R0, R6
.text&ARM.extab:C52BE208 A0 47                         BLX             R4            ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE208
.text&ARM.extab:C52BE20A 28 68                         LDR             R0, [R5]      ; off_C532DDC0
.text&ARM.extab:C52BE20C 1A 49                         LDR             R1, =(dword_C5327B98 - 0xC52BE216)
.text&ARM.extab:C52BE20E 1B 4A                         LDR             R2, =(sub_C52BE9A4+1 - 0xC52BE21A)
.text&ARM.extab:C52BE210 00 68                         LDR             R0, [R0]      ; off_C5326504
.text&ARM.extab:C52BE212 79 44                         ADD             R1, PC        ; dword_C5327B98
.text&ARM.extab:C52BE214 1A 4B                         LDR             R3, =(off_C532DFF0 - 0xC52BE21E)
.text&ARM.extab:C52BE216 7A 44                         ADD             R2, PC        ; sub_C52BE9A4
.text&ARM.extab:C52BE218 04 68                         LDR             R4, [R0]      ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE21A 7B 44                         ADD             R3, PC        ; off_C532DFF0
.text&ARM.extab:C52BE21C 30 46                         MOV             R0, R6
.text&ARM.extab:C52BE21E A0 47                         BLX             R4            ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE21E
.text&ARM.extab:C52BE220 28 68                         LDR             R0, [R5]      ; off_C532DDC0
.text&ARM.extab:C52BE222 18 49                         LDR             R1, =(dword_C5327BA4+3 - 0xC52BE22C)
.text&ARM.extab:C52BE224 18 4A                         LDR             R2, =(sub_C52BE9C0+1 - 0xC52BE230)
.text&ARM.extab:C52BE226 00 68                         LDR             R0, [R0]      ; off_C5326504
.text&ARM.extab:C52BE228 79 44                         ADD             R1, PC        ; dword_C5327BA4
.text&ARM.extab:C52BE22A 18 4B                         LDR             R3, =(off_C532DFF4 - 0xC52BE234)
.text&ARM.extab:C52BE22C 7A 44                         ADD             R2, PC        ; sub_C52BE9C0
.text&ARM.extab:C52BE22E 05 68                         LDR             R5, [R0]      ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE230 7B 44                         ADD             R3, PC        ; off_C532DFF4
.text&ARM.extab:C52BE232 30 46                         MOV             R0, R6
.text&ARM.extab:C52BE234 A8 47                         BLX             R5            ; hook_func_sub_C609ABB8
.text&ARM.extab:C52BE234
.text&ARM.extab:C52BE236 01 E0                         B               loc_C52BE23C
.text&ARM.extab:C52BE236
.text&ARM.extab:C52BE238
.text&ARM.extab:C52BE238                               loc_C52BE238  
.text&ARM.extab:C52BE238 FC F7 5E FE                   BL              sub_C52BAEF8
.text&ARM.extab:C52BE238
.text&ARM.extab:C52BE23C
.text&ARM.extab:C52BE23C                               loc_C52BE23C                  ; CODE XREF: init_proc_sub_C608813C+10↑j
.text&ARM.extab:C52BE23C                                                             ; init_proc_sub_C608813C+A0↑j
.text&ARM.extab:C52BE23C                                                             ; init_proc_sub_C608813C+A6↑j
.text&ARM.extab:C52BE23C                                                             ; init_proc_sub_C608813C+FA↑j
.text&ARM.extab:C52BE23C 00 20                         MOVS            R0, #0
.text&ARM.extab:C52BE23E 5D F8 04 BB                   POP.W           {R11}
.text&ARM.extab:C52BE242 F0 BD                         POP             {R4-R7,PC}

4.6、读取DEX资源文件解密并加载DEX

读取ijiami.dat并解密出dex
.text&ARM.extab:C52DA440                               read_ijiami.dat_sub_C60CE440 
.text&ARM.extab:C52DA440

.text&ARM.extab:C52DA440
.text&ARM.extab:C52DA440                               ; __unwind {
.text&ARM.extab:C52DA440 F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52DA442 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52DA444 2D E9 00 0F                   PUSH.W          {R8-R11}
.text&ARM.extab:C52DA448 AD F5 0B 7D                   SUB.W           SP, SP, #0x22C
.text&ARM.extab:C52DA44C B0 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52DA458)
.text&ARM.extab:C52DA44E 0A AC                         ADD             R4, SP, #0x248+var_220
.text&ARM.extab:C52DA450 4F F4 00 71                   MOV.W           R1, #0x200
.text&ARM.extab:C52DA454 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52DA456 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52DA458 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52DA45A 8A 90                         STR             R0, [SP,#0x248+var_20]
.text&ARM.extab:C52DA45C 00 20                         MOVS            R0, #0
.text&ARM.extab:C52DA45E 07 90                         STR             R0, [SP,#0x248+var_22C]
.text&ARM.extab:C52DA460 20 46                         MOV             R0, R4
.text&ARM.extab:C52DA462 CB F7 B8 E9                   BLX             __aeabi_memclr8
.text&ARM.extab:C52DA462
.text&ARM.extab:C52DA466 AB 48                         LDR             R0, =(off_C5325018 - 0xC52DA46E)
.text&ARM.extab:C52DA468 AB 49                         LDR             R1, =(dword_C532B01C+2 - 0xC52DA470)
.text&ARM.extab:C52DA46A 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52DA46C 79 44                         ADD             R1, PC        ; dword_C532B01C ; format
.text&ARM.extab:C52DA46E 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52DA470 00 68                         LDR             R0, [R0]      ; off_C532DDC0
.text&ARM.extab:C52DA472 D0 F8 80 20                   LDR.W           R2, [R0,#(dword_C532DE40 - 0xC532DDC0)]
.text&ARM.extab:C52DA476 D0 F8 B4 00                   LDR.W           R0, [R0,#(off_C532DE74 - 0xC532DDC0)]
.text&ARM.extab:C52DA47A 00 F1 10 03                   ADD.W           R3, R0, #0x10
.text&ARM.extab:C52DA47E 20 46                         MOV             R0, R4        ; s
.text&ARM.extab:C52DA480 CB F7 AE E9                   BLX             sprintf
.text&ARM.extab:C52DA480
.text&ARM.extab:C52DA484 08 A9                         ADD             R1, SP, #0x248+var_228
.text&ARM.extab:C52DA486 09 AA                         ADD             R2, SP, #0x248+var_224
.text&ARM.extab:C52DA488 07 AB                         ADD             R3, SP, #0x248+var_22C
.text&ARM.extab:C52DA48A 20 46                         MOV             R0, R4
.text&ARM.extab:C52DA48C 00 F0 58 F9                   BL              read_ijiami.dat_sub_C60CE740
.text&ARM.extab:C52DA48C
.text&ARM.extab:C52DA490 00 28                         CMP             R0, #0
.text&ARM.extab:C52DA492 00 F0 08 81                   BEQ.W           loc_C52DA6A6
.text&ARM.extab:C52DA492
.text&ARM.extab:C52DA496 DD F8 24 80                   LDR.W           R8, [SP,#0x248+var_224]
.text&ARM.extab:C52DA49A DD E9 07 10                   LDRD.W          R1, R0, [SP,#0x248+var_22C]
.text&ARM.extab:C52DA49E 00 F1 28 05                   ADD.W           R5, R0, #0x28 ; '('
.text&ARM.extab:C52DA4A2 00 20                         MOVS            R0, #0
.text&ARM.extab:C52DA4A4 A8 F1 28 04                   SUB.W           R4, R8, #0x28 ; '('
.text&ARM.extab:C52DA4A8 03 29                         CMP             R1, #3
.text&ARM.extab:C52DA4AA 08 95                         STR             R5, [SP,#0x248+var_228]
.text&ARM.extab:C52DA4AC 09 94                         STR             R4, [SP,#0x248+var_224]
.text&ARM.extab:C52DA4AE 08 BF                         IT EQ
.text&ARM.extab:C52DA4B0 01 20                         MOVEQ           R0, #1
.text&ARM.extab:C52DA4B2 02 29                         CMP             R1, #2
.text&ARM.extab:C52DA4B4 4F F0 00 01                   MOV.W           R1, #0
.text&ARM.extab:C52DA4B8 08 BF                         IT EQ
.text&ARM.extab:C52DA4BA 01 21                         MOVEQ           R1, #1
.text&ARM.extab:C52DA4BC 91 EA 00 0F                   TEQ.W           R1, R0
.text&ARM.extab:C52DA4C0 04 D1                         BNE             loc_C52DA4CC
.text&ARM.extab:C52DA4C0
.text&ARM.extab:C52DA4C2 08 A8                         ADD             R0, SP, #0x248+var_228
.text&ARM.extab:C52DA4C4 21 46                         MOV             R1, R4
.text&ARM.extab:C52DA4C6 01 22                         MOVS            R2, #1
.text&ARM.extab:C52DA4C8 00 F0 72 FA                   BL              DecDex_sub_C60CE9B0 ; 解密出dex明文
.text&ARM.extab:C52DA4C8
.text&ARM.extab:C52DA4CC
.text&ARM.extab:C52DA4CC                               loc_C52DA4CC  
.text&ARM.extab:C52DA4CC 93 48                         LDR             R0, =(x.304_ptr - 0xC52DA4D8)
.text&ARM.extab:C52DA4CE 00 26                         MOVS            R6, #0
.text&ARM.extab:C52DA4D0 93 49                         LDR             R1, =(y.305_ptr - 0xC52DA4DA)
.text&ARM.extab:C52DA4D2 00 23                         MOVS            R3, #0
.text&ARM.extab:C52DA4D4 78 44                         ADD             R0, PC        ; x.304_ptr
.text&ARM.extab:C52DA4D6 79 44                         ADD             R1, PC        ; y.305_ptr
.text&ARM.extab:C52DA4D8 00 68                         LDR             R0, [R0]      ; x.304
.text&ARM.extab:C52DA4DA 09 68                         LDR             R1, [R1]      ; y.305
.text&ARM.extab:C52DA4DC 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52DA4DE 09 68                         LDR             R1, [R1]
.text&ARM.extab:C52DA4E0 42 1E                         SUBS            R2, R0, #1
.text&ARM.extab:C52DA4E2 B1 F5 95 7F                   CMP.W           R1, #0x12A
.text&ARM.extab:C52DA4E6 B8 BF                         IT LT
.text&ARM.extab:C52DA4E8 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52DA4EA 42 43                         MULS            R2, R0
.text&ARM.extab:C52DA4EC 48 40                         EORS            R0, R1
.text&ARM.extab:C52DA4EE 3B 28                         CMP             R0, #0x3B ; ';'
.text&ARM.extab:C52DA4F0 4F F0 00 00                   MOV.W           R0, #0
.text&ARM.extab:C52DA4F4 C8 BF                         IT GT
.text&ARM.extab:C52DA4F6 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52DA4F8 30 43                         ORRS            R0, R6
.text&ARM.extab:C52DA4FA D1 07                         LSLS            R1, R2, #0x1F
.text&ARM.extab:C52DA4FC 08 BF                         IT EQ
.text&ARM.extab:C52DA4FE 01 23                         MOVEQ           R3, #1
.text&ARM.extab:C52DA500 18 43                         ORRS            R0, R3
.text&ARM.extab:C52DA500
.text&ARM.extab:C52DA502
.text&ARM.extab:C52DA502                               loc_C52DA502
.text&ARM.extab:C52DA502 01 28                         CMP             R0, #1
.text&ARM.extab:C52DA504 FD D1                         BNE             loc_C52DA502
.text&ARM.extab:C52DA504
.text&ARM.extab:C52DA506 87 48                         LDR             R0, =(off_C5325018 - 0xC52DA50C)
.text&ARM.extab:C52DA508 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52DA50A 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52DA50C D0 F8 00 A0                   LDR.W           R10, [R0]     ; off_C532DDC0
.text&ARM.extab:C52DA510 08 EB 05 00                   ADD.W           R0, R8, R5
.text&ARM.extab:C52DA514 50 F8 2C 6C                   LDR.W           R6, [R0,#-0x2C]
.text&ARM.extab:C52DA518 CA F8 D4 60                   STR.W           R6, [R10,#(dword_C532DE94 - 0xC532DDC0)]
.text&ARM.extab:C52DA51C 01 2E                         CMP             R6, #1
.text&ARM.extab:C52DA51E C0 F2 C2 80                   BLT.W           loc_C52DA6A6
.text&ARM.extab:C52DA51E
.text&ARM.extab:C52DA522 81 48                         LDR             R0, =(x.306_ptr - 0xC52DA52C)
.text&ARM.extab:C52DA524 A4 EB C6 02                   SUB.W           R2, R4, R6,LSL#3
.text&ARM.extab:C52DA528 78 44                         ADD             R0, PC        ; x.306_ptr
.text&ARM.extab:C52DA52A 00 68                         LDR             R0, [R0]      ; x.306
.text&ARM.extab:C52DA52C 01 90                         STR             R0, [SP,#0x248+var_244]
.text&ARM.extab:C52DA52E 7F 48                         LDR             R0, =(y.307_ptr - 0xC52DA534)
.text&ARM.extab:C52DA530 78 44                         ADD             R0, PC        ; y.307_ptr
.text&ARM.extab:C52DA532 00 68                         LDR             R0, [R0]      ; y.307
.text&ARM.extab:C52DA534 00 90                         STR             R0, [SP,#0x248+var_248]
.text&ARM.extab:C52DA536 7E 48                         LDR             R0, =(off_C5325018 - 0xC52DA53C)
.text&ARM.extab:C52DA538 78 44                         ADD             R0, PC        ; off_C5325018
.text&ARM.extab:C52DA53A 00 68                         LDR             R0, [R0]      ; off_C5326004
.text&ARM.extab:C52DA53C 03 90                         STR             R0, [SP,#0x248+var_23C]
.text&ARM.extab:C52DA53C
.text&ARM.extab:C52DA53E
.text&ARM.extab:C52DA53E                               loc_C52DA53E  
.text&ARM.extab:C52DA53E 51 59                         LDR             R1, [R2,R5]
.text&ARM.extab:C52DA540 DA F8 98 00                   LDR.W           R0, [R10,#0x98]
.text&ARM.extab:C52DA544 06 92                         STR             R2, [SP,#0x248+var_230]
.text&ARM.extab:C52DA546 01 EB 05 0B                   ADD.W           R11, R1, R5
.text&ARM.extab:C52DA54A 08 B1                         CBZ             R0, loc_C52DA550
.text&ARM.extab:C52DA54A
.text&ARM.extab:C52DA54C 84 6D                         LDR             R4, [R0,#0x58]
.text&ARM.extab:C52DA54E 12 E0                         B               loc_C52DA576
.text&ARM.extab:C52DA54E
.text&ARM.extab:C52DA550
.text&ARM.extab:C52DA550                               loc_C52DA550  
.text&ARM.extab:C52DA550 01 98                         LDR             R0, [SP,#0x248+var_244]
.text&ARM.extab:C52DA552 00 9A                         LDR             R2, [SP,#0x248+var_248]
.text&ARM.extab:C52DA554 02 96                         STR             R6, [SP,#0x248+var_240]
.text&ARM.extab:C52DA556 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52DA558 D2 F8 00 90                   LDR.W           R9, [R2]
.text&ARM.extab:C52DA55C 41 1E                         SUBS            R1, R0, #1
.text&ARM.extab:C52DA55E 89 EA 00 04                   EOR.W           R4, R9, R0
.text&ARM.extab:C52DA562 41 43                         MULS            R1, R0
.text&ARM.extab:C52DA564 11 F0 01 08                   ANDS.W          R8, R1, #1
.text&ARM.extab:C52DA568 1C D0                         BEQ             loc_C52DA5A4
.text&ARM.extab:C52DA568
.text&ARM.extab:C52DA56A B9 F1 1D 0F                   CMP.W           R9, #0x1D
.text&ARM.extab:C52DA56E 19 DB                         BLT             loc_C52DA5A4
.text&ARM.extab:C52DA56E
.text&ARM.extab:C52DA570 99 2C                         CMP             R4, #0x99
.text&ARM.extab:C52DA572 29 DB                         BLT             loc_C52DA5C8
.text&ARM.extab:C52DA572
.text&ARM.extab:C52DA574 16 E0                         B               loc_C52DA5A4
.text&ARM.extab:C52DA574
.text&ARM.extab:C52DA576
.text&ARM.extab:C52DA576                               loc_C52DA576
.text&ARM.extab:C52DA576 85 6C                         LDR             R5, [R0,#0x48]
.text&ARM.extab:C52DA578 69 1C                         ADDS            R1, R5, #1
.text&ARM.extab:C52DA57A 81 64                         STR             R1, [R0,#0x48]
.text&ARM.extab:C52DA57C 60 20                         MOVS            R0, #0x60 ; '`' ; size
.text&ARM.extab:C52DA57E CB F7 60 E9                   BLX             malloc
.text&ARM.extab:C52DA57E
.text&ARM.extab:C52DA582 02 2E                         CMP             R6, #2
.text&ARM.extab:C52DA584 4F F0 00 01                   MOV.W           R1, #0
.text&ARM.extab:C52DA588 44 F8 25 00                   STR.W           R0, [R4,R5,LSL#2]
.text&ARM.extab:C52DA58C C0 E9 0A B1                   STRD.W          R11, R1, [R0,#0x28]
.text&ARM.extab:C52DA590 C0 F2 89 80                   BLT.W           loc_C52DA6A6
.text&ARM.extab:C52DA590
.text&ARM.extab:C52DA594 03 98                         LDR             R0, [SP,#0x248+var_23C]
.text&ARM.extab:C52DA596 01 3E                         SUBS            R6, #1
.text&ARM.extab:C52DA598 06 9A                         LDR             R2, [SP,#0x248+var_230]
.text&ARM.extab:C52DA59A 08 9D                         LDR             R5, [SP,#0x248+var_228]
.text&ARM.extab:C52DA59C 08 32                         ADDS            R2, #8
.text&ARM.extab:C52DA59E D0 F8 00 A0                   LDR.W           R10, [R0]
.text&ARM.extab:C52DA5A2 CC E7                         B               loc_C52DA53E
.text&ARM.extab:C52DA5A2
.text&ARM.extab:C52DA5A4
.text&ARM.extab:C52DA5A4                               loc_C52DA5A4  
.text&ARM.extab:C52DA5A4 60 20                         MOVS            R0, #0x60 ; '`' ; size
.text&ARM.extab:C52DA5A6 CB F7 4C E9                   BLX             malloc
.text&ARM.extab:C52DA5A6
.text&ARM.extab:C52DA5AA 4F EA 89 01                   MOV.W           R1, R9,LSL#2
.text&ARM.extab:C52DA5AE B1 F5 F5 7F                   CMP.W           R1, #0x1EA
.text&ARM.extab:C52DA5B2 CA F8 98 00                   STR.W           R0, [R10,#0x98]
.text&ARM.extab:C52DA5B6 0D DB                         BLT             loc_C52DA5D4
.text&ARM.extab:C52DA5B6
.text&ARM.extab:C52DA5B8 E0 2C                         CMP             R4, #0xE0
.text&ARM.extab:C52DA5BA 0B DC                         BGT             loc_C52DA5D4
.text&ARM.extab:C52DA5BA
.text&ARM.extab:C52DA5BC B9 F1 0A 0F                   CMP.W           R9, #0xA
.text&ARM.extab:C52DA5C0 08 DB                         BLT             loc_C52DA5D4
.text&ARM.extab:C52DA5C0
.text&ARM.extab:C52DA5C2 B8 F1 00 0F                   CMP.W           R8, #0
.text&ARM.extab:C52DA5C6 05 D0                         BEQ             loc_C52DA5D4
.text&ARM.extab:C52DA5C6
.text&ARM.extab:C52DA5C8
.text&ARM.extab:C52DA5C8                               loc_C52DA5C8                  ; CODE XREF: read_ijiami.dat_sub_C60CE440+132↑j
.text&ARM.extab:C52DA5C8 60 20                         MOVS            R0, #0x60 ; '`' ; size
.text&ARM.extab:C52DA5CA CB F7 3A E9                   BLX             malloc
.text&ARM.extab:C52DA5CA
.text&ARM.extab:C52DA5CE CA F8 98 00                   STR.W           R0, [R10,#0x98]
.text&ARM.extab:C52DA5D2 E7 E7                         B               loc_C52DA5A4

这时候dump出内存中的dex大部分的方法指令被抽了,还有部分是被native。如图4-6-1所示:

            图4-6-1

内存中加载dex

int __fastcall sub_C60E5120(int a1, int a2)
{

  v4 = *y_156_ptr[0];
  v5 = *x_155_ptr[0];
  v91 = *_stack_chk_guard_ptr[0];
  v6 = (v4 ^ v5) < 177;
  v7 = 4 * v4 > 198;
  if ( v4 >= 10 && (((_BYTE)v5 * ((_BYTE)v5 - 1)) & 1) != 0 && v7 == v6 && v6 | v7 )
    goto LABEL_8;
  while ( 1 )
  {
    v85 = 0;
    v8 = (*(int (__fastcall **)(int, char *))(*(_DWORD *)a1 + 24))(a1, (char *)&MEMORY[0xC532C1A8] + 3);
    ((void (__fastcall *)(void **))(*off_C5325018)[4][25])((*off_C5325018)[2]);
    v9 = *y_156_ptr[0];
    v10 = *y_156_ptr[0] ^ *x_155_ptr[0];
    v11 = ((*x_155_ptr[0] - 1) * *x_155_ptr[0]) & 1;
    if ( !v11 || v9 < 130 || v10 >= 172 )
      break;
LABEL_8:
    (*(void (__fastcall **)(int, char *))(*(_DWORD *)a1 + 24))(a1, (char *)&MEMORY[0xC532C1A8] + 3);
    ((void (__fastcall *)(void **))(*off_C5325018)[4][25])((*off_C5325018)[2]);
  }
  if ( !v8 )
  {
    v16 = v10 > 149;
    v17 = v9 < 141;
    v18 = 0;
    v19 = 0;
    if ( v17 )
      v18 = 1;
    v20 = v18 | v16;
    if ( !v11 )
      v19 = 1;
    while ( !(v19 | v20) )
      ;
    return 0;
  }
  v12 = off_C5325018;
  v13 = NewObjectArray_sub_C60E4734(a1, (*off_C5325018)[53], v8, 0);
  v14 = (void (__fastcall *)(char *))(*v12)[4][24];
  v90 = v13;
  v14((char *)&MEMORY[0xC532C1BC] + 3);
  v15 = *y_156_ptr[0];
  if ( 2 * *y_156_ptr[0] >= 211
    && (v15 ^ *x_155_ptr[0]) <= 89
    && v15 >= 10
    && ((((unsigned __int8)*x_155_ptr[0] - 1) * (unsigned __int8)*x_155_ptr[0]) & 1) != 0 )
  {
    goto LABEL_27;
  }
  while ( 1 )
  {
    v22 = ((int (__fastcall *)(int))(*off_C5325018)[4][21])(a1);
    v23 = 0;
    v24 = *y_156_ptr[0];
    v25 = *x_155_ptr[0] ^ *y_156_ptr[0];
    if ( *y_156_ptr[0] > 9 )
      v23 = 1;
    v26 = ((*x_155_ptr[0] - 1) * *x_155_ptr[0]) & 1;
    if ( 2 * v24 <= 444 || v25 > 204 || v23 != v26 || !(v23 | v26) )
      break;
LABEL_27:
    ((void (__fastcall *)(int))(*off_C5325018)[4][21])(a1);
  }
  v27 = 0;
  v28 = 0;
  if ( !v26 )
    v27 = 1;
  if ( v24 < 10 )
    v28 = 1;
  v29 = v27 | v28;
  v30 = v25 > 65;
  v31 = 0;
  v32 = 0;
  if ( 8 * v24 < 23 )
    v31 = 1;
  if ( v24 > 9 )
    v32 = 1;
  v33 = (v26 != 0) & (unsigned __int8)v32 ^ (v30 | v31) ^ 1 | v29 & (v30 | v31);
  while ( v33 != 1 )
    ;
  if ( !v22 )
    return 0;
  ((void (__fastcall *)(void **))(*off_C5325018)[4][25])((*off_C5325018)[2]);
  if ( !v90 )
  {
    v48 = 0;
    v49 = 0;
    v50 = *x_155_ptr[0];
    v51 = *y_156_ptr[0];
    if ( *y_156_ptr[0] > 9 )
      v48 = 1;
    v52 = (*x_155_ptr[0] - 1) * v50;
    v17 = (v50 ^ v51) <= 196;
    v53 = 0;
    v54 = 16 * v51;
    if ( !v17 )
      v53 = 1;
    if ( v54 <= 260 )
      v49 = 1;
    v55 = v53 | v49 | (v52 & 1 | v48) ^ 1 | v48 ^ v52 & 1;
    while ( !v55 )
      ;
    return 0;
  }
  v34 = 0;
  v86 = &v85;
  v87 = v22;
  v88 = a2;
  v89 = v8;
  v35 = x_155_ptr[0];
  v36 = y_156_ptr[0];
  v37 = off_C5325018;
  while ( 1 )
  {
    v39 = *v35;
    v40 = 0;
    v41 = *v36;
    if ( *v36 <= 410 )
      v40 = 1;
    v42 = v41 ^ v39;
    v43 = v40 | ((v41 ^ v39) > 88);
    v44 = ((*v35 - 1) * v39) & 1;
    while ( ((v44 == 0) | v43) != 1 )
      ;
    v45 = *v37;
    if ( v34 >= (int)(*v37)[53] )
      break;
    v38 = NewDirectByteBuffer_sub_C60E46A8(a1);
    SetObjectArrayElement_sub_C60E57B4(a1, v90, v34, v38);
    (*(void (__fastcall **)(int, int))(*(_DWORD *)a1 + 92))(a1, v38);
    ++v34;
  }
  v46 = v41 > 9;
  v47 = v44 != 0;
  if ( 8 * v41 >= 360 && v42 <= 84 && v46 == v47 && v47 | v46 )
    goto LABEL_80;
  while ( 1 )
  {
    ((void (__fastcall *)(char *))v45[4][24])((char *)&MEMORY[0xC532C1BC] + 3);
    v56 = (*x_155_ptr[0] ^ *y_156_ptr[0]) > 149 || *y_156_ptr[0] <= 486;
    v57 = ((*(_BYTE *)x_155_ptr[0] - 1) * *(_BYTE *)x_155_ptr[0]) & 1;
    v58 = (*y_156_ptr[0] > 9) & v57;
    v59 = v58 == v56;
    if ( v58 != v56 )
      v59 = ((unsigned __int8)v56 & (*y_156_ptr[0] < 10 || v57 == 0)) == 1;
    if ( v59 )
      break;
LABEL_80:
    ((void (__fastcall *)(char *))v45[4][24])((char *)&MEMORY[0xC532C1BC] + 3);
  }
  v60 = v86;
  v61 = v87;
  v62 = ((int (__fastcall *)(int, int *, char *, char *, int *))(*off_C5325018)[4][16])(
          a1,
          v86,
          (char *)&MEMORY[0xC532C1E0] + 1,
          (char *)&MEMORY[0xC532C1F8] + 3,
          &makeInMemoryDexElements);
  v63 = v89;
  if ( v62 == 1 && *v60 && dexElements_sub_C84EA7C0(a1, v88) != 1 )
    return 0;
  v64 = 0;
  v65 = 0;
  v66 = 0;
  v67 = *x_155_ptr[0];
  v68 = *y_156_ptr[0];
  if ( *y_156_ptr[0] >= 496 )
    v64 = 1;
  v69 = (*x_155_ptr[0] - 1) * v67;
  v70 = v67 ^ v68;
  if ( v70 < 60 )
    v65 = 1;
  v71 = v64 ^ v65 | (v64 | v65) ^ 1;
  if ( (v69 & 1) == 0 )
    v66 = 1;
  v72 = v66 | (v68 < 10) | v71;
  while ( v72 != 1 )
    ;
  v73 = (*off_C5325018)[2];
  if ( (v69 & 1) != 0 && v68 >= 73 && v70 < 195 )
    goto LABEL_92;
  while ( 1 )
  {
    (*((void (__fastcall **)(void **, int))*v73 + 23))(v73, v63);
    v74 = 0;
    v75 = (*x_155_ptr[0] ^ *y_156_ptr[0]) > 176 || 16 * *y_156_ptr[0] < 51;
    v76 = ((*(_BYTE *)x_155_ptr[0] - 1) * *(_BYTE *)x_155_ptr[0]) & 1;
    v77 = (*y_156_ptr[0] > 9) & v76;
    v78 = v77 == v75;
    if ( v77 != v75 )
      v78 = ((unsigned __int8)v75 & (*y_156_ptr[0] < 10 || v76 == 0)) == 1;
    if ( v78 )
      break;
LABEL_92:
    (*((void (__fastcall **)(void **, int))*v73 + 23))(v73, v63);
  }
  v79 = off_C5325018;
  (*((void (__fastcall **)(void **, int))*(*off_C5325018)[2] + 23))((*off_C5325018)[2], v90);
  (*((void (__fastcall **)(void **, int))*(*v79)[2] + 23))((*v79)[2], v61);
  v80 = 0;
  v81 = *y_156_ptr[0];
  v83 = ((*x_155_ptr[0] - 1) * *x_155_ptr[0]) & 1;
  if ( !v83 )
    v80 = 1;
  if ( v81 > 9 )
    v74 = 1;
  v82 = (*x_155_ptr[0] ^ *y_156_ptr[0]) > 57 || 16 * *y_156_ptr[0] < 386;
  v84 = v82 ^ v74 & v83 ^ 1 | ((v81 < 10) | v80) & v82;
  while ( v84 != 1 )
    ;
  return 1;
}

4.7、方法指令还原

判断是否为要修复
.text&ARM.extab:C52BDA04                               hook_ClassLinker_LoadMethod_sub_C52BDA04
.text&ARM.extab:C52BDA04
.text&ARM.extab:C52BDA04                               var_28= -0x28
.text&ARM.extab:C52BDA04                               var_24= -0x24
.text&ARM.extab:C52BDA04                               var_20= -0x20
.text&ARM.extab:C52BDA04
.text&ARM.extab:C52BDA04                               ; __unwind {
.text&ARM.extab:C52BDA04 F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52BDA06 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52BDA08 2D E9 00 0F                   PUSH.W          {R8-R11}
.text&ARM.extab:C52BDA0C 83 B0                         SUB             SP, SP, #0xC
.text&ARM.extab:C52BDA0E 83 46                         MOV             R11, R0
.text&ARM.extab:C52BDA10 4E 48                         LDR             R0, =(__stack_chk_guard_ptr - 0xC52BDA1A)
.text&ARM.extab:C52BDA12 01 AA                         ADD             R2, SP, #0x28+var_24
.text&ARM.extab:C52BDA14 00 26                         MOVS            R6, #0
.text&ARM.extab:C52BDA16 78 44                         ADD             R0, PC        ; __stack_chk_guard_ptr
.text&ARM.extab:C52BDA18 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52BDA1A 00 68                         LDR             R0, [R0]
.text&ARM.extab:C52BDA1C 02 90                         STR             R0, [SP,#0x28+var_20]
.text&ARM.extab:C52BDA1E 58 46                         MOV             R0, R11
.text&ARM.extab:C52BDA20 01 96                         STR             R6, [SP,#0x28+var_24]
.text&ARM.extab:C52BDA22 00 F0 A3 F8                   BL              GetMothedAddress_sub_C84B7B6C
.text&ARM.extab:C52BDA22
.text&ARM.extab:C52BDA26 04 46                         MOV             R4, R0
.text&ARM.extab:C52BDA28 00 2C                         CMP             R4, #0
.text&ARM.extab:C52BDA2A 00 F0 82 80                   BEQ.W           loc_C52BDB32
.text&ARM.extab:C52BDA2A
.text&ARM.extab:C52BDA2E A0 46                         MOV             R8, R4
.text&ARM.extab:C52BDA30 00 20                         MOVS            R0, #0
.text&ARM.extab:C52BDA32 58 F8 08 5F                   LDR.W           R5, [R8,#8]!  ; Debug info
.text&ARM.extab:C52BDA36 B5 F1 82 6F                   CMP.W           R5, #0x4100000
.text&ARM.extab:C52BDA3A C8 BF                         IT GT
.text&ARM.extab:C52BDA3C 01 20                         MOVGT           R0, #1
.text&ARM.extab:C52BDA3E B5 F1 40 7F                   CMP.W           R5, #0x3000000
.text&ARM.extab:C52BDA42 B8 BF                         IT LT
.text&ARM.extab:C52BDA44 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52BDA46 96 EA 00 0F                   TEQ.W           R6, R0
.text&ARM.extab:C52BDA4A 72 D1                         BNE             loc_C52BDB32
修复指令

根据Debug info定位到指令,获取指令解密

.text&ARM.extab:C52AA9D2                               getDecCode_sub_C20E39D2
.text&ARM.extab:C52AA9D2                               ; __unwind {
.text&ARM.extab:C52AA9D2 F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52AA9D4 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52AA9D6 4D F8 04 8D                   PUSH.W          {R8}
.text&ARM.extab:C52AA9DA 80 46                         MOV             R8, R0
.text&ARM.extab:C52AA9DC 0C 46                         MOV             R4, R1
.text&ARM.extab:C52AA9DE D8 F8 08 10                   LDR.W           R1, [R8,#8]
.text&ARM.extab:C52AA9E2 20 46                         MOV             R0, R4
.text&ARM.extab:C52AA9E4 88 47                         BLX             R1
.text&ARM.extab:C52AA9E4
.text&ARM.extab:C52AA9E6 6F EA 40 23                   MVN.W           R3, R0,LSL#9  ; Debug info
.text&ARM.extab:C52AA9EA 18 44                         ADD             R0, R3        ; Debuginfo+Debuginfo<<9
.text&ARM.extab:C52AA9EC D8 E9 00 12                   LDRD.W          R1, R2, [R8]
.text&ARM.extab:C52AA9F0 80 EA 90 30                   EOR.W           R0, R0, R0,LSR#14
.text&ARM.extab:C52AA9F4 00 EB 00 10                   ADD.W           R0, R0, R0,LSL#4
.text&ARM.extab:C52AA9F8 80 EA 90 26                   EOR.W           R6, R0, R0,LSR#10
.text&ARM.extab:C52AA9FC 50 1E                         SUBS            R0, R2, #1
.text&ARM.extab:C52AA9FE 30 40                         ANDS            R0, R6
.text&ARM.extab:C52AAA00 51 F8 20 50                   LDR.W           R5, [R1,R0,LSL#2]
.text&ARM.extab:C52AAA04 0C E0                         B               loc_C52AAA20
.text&ARM.extab:C52AAA04
.text&ARM.extab:C52AAA06
.text&ARM.extab:C52AAA06                               loc_C52AAA06                  ; CODE XREF: getDecCode_sub_C20E39D2+50↓j
.text&ARM.extab:C52AAA06 28 68                         LDR             R0, [R5]      ; 取解密后指令中的Debug info
.text&ARM.extab:C52AAA08 A0 42                         CMP             R0, R4        ; 判断被抽取指令与解密后指令中的Debug info是否相同
.text&ARM.extab:C52AAA0A 0D D0                         BEQ             loc_C52AAA28  ; 取解密后指令地址
.text&ARM.extab:C52AAA0A
.text&ARM.extab:C52AAA0C 69 68                         LDR             R1, [R5,#4]
.text&ARM.extab:C52AAA0E B1 42                         CMP             R1, R6
.text&ARM.extab:C52AAA10 05 D1                         BNE             loc_C52AAA1E
.text&ARM.extab:C52AAA10
.text&ARM.extab:C52AAA12 D8 F8 0C 20                   LDR.W           R2, [R8,#0xC]
.text&ARM.extab:C52AAA16 21 46                         MOV             R1, R4
.text&ARM.extab:C52AAA18 90 47                         BLX             R2
.text&ARM.extab:C52AAA18
.text&ARM.extab:C52AAA1A 01 28                         CMP             R0, #1
.text&ARM.extab:C52AAA1C 04 D0                         BEQ             loc_C52AAA28  ; 取解密后指令地址
.text&ARM.extab:C52AAA1C
.text&ARM.extab:C52AAA1E
.text&ARM.extab:C52AAA1E                               loc_C52AAA1E 
.text&ARM.extab:C52AAA1E ED 68                         LDR             R5, [R5,#0xC]
.text&ARM.extab:C52AAA1E
.text&ARM.extab:C52AAA20
.text&ARM.extab:C52AAA20                               loc_C52AAA20
.text&ARM.extab:C52AAA20 00 2D                         CMP             R5, #0
.text&ARM.extab:C52AAA22 F0 D1                         BNE             loc_C52AAA06  ; 取解密后指令中的Debug info
.text&ARM.extab:C52AAA22
.text&ARM.extab:C52AAA24 00 20                         MOVS            R0, #0
.text&ARM.extab:C52AAA26 00 E0                         B               loc_C52AAA2A
.text&ARM.extab:C52AAA26
.text&ARM.extab:C52AAA28
.text&ARM.extab:C52AAA28                               loc_C52AAA28 
.text&ARM.extab:C52AAA28                                                             ; getDecCode_sub_C20E39D2+4A↑j
.text&ARM.extab:C52AAA28 A8 68                         LDR             R0, [R5,#8]   ; 取解密后指令地址
.text&ARM.extab:C52AAA28
.text&ARM.extab:C52AAA2A
.text&ARM.extab:C52AAA2A                               loc_C52AAA2A  
.text&ARM.extab:C52AAA2A 5D F8 04 8B                   POP.W           {R8}
.text&ARM.extab:C52AAA2E F0 BD                         POP             {R4-R7,PC}

修复指令

.text&ARM.extab:C52E7F34                               ; r0:解密后方法指令,R1:方法地址
.text&ARM.extab:C52E7F34                               Fix_Method_sub_C2195F34  
.text&ARM.extab:C52E7F34
.text&ARM.extab:C52E7F34                               var_20= -0x20
.text&ARM.extab:C52E7F34
.text&ARM.extab:C52E7F34                               ; __unwind {
.text&ARM.extab:C52E7F34 F0 B5                         PUSH            {R4-R7,LR}
.text&ARM.extab:C52E7F36 03 AF                         ADD             R7, SP, #0xC
.text&ARM.extab:C52E7F38 2D E9 00 0F                   PUSH.W          {R8-R11}
.text&ARM.extab:C52E7F3C 81 B0                         SUB             SP, SP, #4
.text&ARM.extab:C52E7F3E 8F 4A                         LDR             R2, =(x.27_ptr - 0xC52E7F4A)
.text&ARM.extab:C52E7F40 00 25                         MOVS            R5, #0
.text&ARM.extab:C52E7F42 8F 4B                         LDR             R3, =(y.28_ptr - 0xC52E7F4C)
.text&ARM.extab:C52E7F44 00 24                         MOVS            R4, #0
.text&ARM.extab:C52E7F46 7A 44                         ADD             R2, PC        ; x.27_ptr
.text&ARM.extab:C52E7F48 7B 44                         ADD             R3, PC        ; y.28_ptr
.text&ARM.extab:C52E7F4A 12 68                         LDR             R2, [R2]      ; x.27
.text&ARM.extab:C52E7F4C 1B 68                         LDR             R3, [R3]      ; y.28
.text&ARM.extab:C52E7F4E 16 68                         LDR             R6, [R2]
.text&ARM.extab:C52E7F50 1A 68                         LDR             R2, [R3]
.text&ARM.extab:C52E7F52 73 1E                         SUBS            R3, R6, #1
.text&ARM.extab:C52E7F54 82 EA 06 0E                   EOR.W           LR, R2, R6
.text&ARM.extab:C52E7F58 03 FB 06 FC                   MUL.W           R12, R3, R6
.text&ARM.extab:C52E7F5C 13 01                         LSLS            R3, R2, #4
.text&ARM.extab:C52E7F5E A1 2B                         CMP             R3, #0xA1
.text&ARM.extab:C52E7F60 C8 BF                         IT GT
.text&ARM.extab:C52E7F62 01 25                         MOVGT           R5, #1
.text&ARM.extab:C52E7F64 BE F1 6E 0F                   CMP.W           LR, #0x6E ; 'n'
.text&ARM.extab:C52E7F68 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E7F6C B8 BF                         IT LT
.text&ARM.extab:C52E7F6E 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52E7F70 09 2A                         CMP             R2, #9
.text&ARM.extab:C52E7F72 06 EA 05 06                   AND.W           R6, R6, R5
.text&ARM.extab:C52E7F76 4F F0 00 05                   MOV.W           R5, #0
.text&ARM.extab:C52E7F7A C8 BF                         IT GT
.text&ARM.extab:C52E7F7C 01 25                         MOVGT           R5, #1
.text&ARM.extab:C52E7F7E 0C F0 01 03                   AND.W           R3, R12, #1
.text&ARM.extab:C52E7F82 1D 40                         ANDS            R5, R3
.text&ARM.extab:C52E7F84 0A 2A                         CMP             R2, #0xA
.text&ARM.extab:C52E7F86 86 EA 05 0C                   EOR.W           R12, R6, R5
.text&ARM.extab:C52E7F8A 45 EA 06 05                   ORR.W           R5, R5, R6
.text&ARM.extab:C52E7F8E 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E7F92 85 F0 01 05                   EOR.W           R5, R5, #1
.text&ARM.extab:C52E7F96 B8 BF                         IT LT
.text&ARM.extab:C52E7F98 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52E7F9A 00 2B                         CMP             R3, #0
.text&ARM.extab:C52E7F9C 08 BF                         IT EQ
.text&ARM.extab:C52E7F9E 01 24                         MOVEQ           R4, #1
.text&ARM.extab:C52E7FA0 45 EA 0C 05                   ORR.W           R5, R5, R12
.text&ARM.extab:C52E7FA4 26 43                         ORRS            R6, R4
.text&ARM.extab:C52E7FA4
.text&ARM.extab:C52E7FA6
.text&ARM.extab:C52E7FA6                               loc_C52E7FA6 
.text&ARM.extab:C52E7FA6 01 2D                         CMP             R5, #1
.text&ARM.extab:C52E7FA8 FD D1                         BNE             loc_C52E7FA6
.text&ARM.extab:C52E7FA8
.text&ARM.extab:C52E7FAA BE F1 B9 0F                   CMP.W           LR, #0xB9
.text&ARM.extab:C52E7FAE 4F F0 00 05                   MOV.W           R5, #0
.text&ARM.extab:C52E7FB2 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E7FB6 C8 BF                         IT GT
.text&ARM.extab:C52E7FB8 01 25                         MOVGT           R5, #1
.text&ARM.extab:C52E7FBA D2 00                         LSLS            R2, R2, #3
.text&ARM.extab:C52E7FBC E4 2A                         CMP             R2, #0xE4
.text&ARM.extab:C52E7FBE B8 BF                         IT LT
.text&ARM.extab:C52E7FC0 01 23                         MOVLT           R3, #1
.text&ARM.extab:C52E7FC2 43 EA 05 02                   ORR.W           R2, R3, R5
.text&ARM.extab:C52E7FC6 32 43                         ORRS            R2, R6
.text&ARM.extab:C52E7FC6
.text&ARM.extab:C52E7FC8
.text&ARM.extab:C52E7FC8                               loc_C52E7FC8 
.text&ARM.extab:C52E7FC8 01 2A                         CMP             R2, #1
.text&ARM.extab:C52E7FCA FD D1                         BNE             loc_C52E7FC8
.text&ARM.extab:C52E7FCA
.text&ARM.extab:C52E7FCC 82 68                         LDR             R2, [R0,#8]   ; 取解密后的方法指令长度
.text&ARM.extab:C52E7FCE 00 2A                         CMP             R2, #0
.text&ARM.extab:C52E7FD0 00 F0 CE 80                   BEQ.W           loc_C52E8170
.text&ARM.extab:C52E7FD0
.text&ARM.extab:C52E7FD4 6B 4B                         LDR             R3, =(x.27_ptr - 0xC52E7FDC)
.text&ARM.extab:C52E7FD6 00 22                         MOVS            R2, #0
.text&ARM.extab:C52E7FD8 7B 44                         ADD             R3, PC        ; x.27_ptr
.text&ARM.extab:C52E7FDA 1B 68                         LDR             R3, [R3]      ; x.27
.text&ARM.extab:C52E7FDC 00 93                         STR             R3, [SP,#0x20+var_20]
.text&ARM.extab:C52E7FDE 6A 4B                         LDR             R3, =(y.28_ptr - 0xC52E7FE4)
.text&ARM.extab:C52E7FE0 7B 44                         ADD             R3, PC        ; y.28_ptr
.text&ARM.extab:C52E7FE2 D3 F8 00 E0                   LDR.W           LR, [R3]      ; y.28
.text&ARM.extab:C52E7FE2
.text&ARM.extab:C52E7FE6
.text&ARM.extab:C52E7FE6                               loc_C52E7FE6  
.text&ARM.extab:C52E7FE6 83 18                         ADDS            R3, R0, R2    ; base++
.text&ARM.extab:C52E7FE8 93 F8 0C A0                   LDRB.W          R10, [R3,#0xC] ; 取指令
.text&ARM.extab:C52E7FEC BA F1 00 0F                   CMP.W           R10, #0
.text&ARM.extab:C52E7FF0 67 D0                         BEQ             loc_C52E80C2
.text&ARM.extab:C52E7FF0
.text&ARM.extab:C52E7FF2 00 9B                         LDR             R3, [SP,#0x20+var_20]
.text&ARM.extab:C52E7FF4 00 26                         MOVS            R6, #0
.text&ARM.extab:C52E7FF6 DE F8 00 50                   LDR.W           R5, [LR]
.text&ARM.extab:C52E7FFA 1B 68                         LDR             R3, [R3]
.text&ARM.extab:C52E7FFC 09 2D                         CMP             R5, #9
.text&ARM.extab:C52E7FFE C8 BF                         IT GT
.text&ARM.extab:C52E8000 01 26                         MOVGT           R6, #1
.text&ARM.extab:C52E8002 AA 2D                         CMP             R5, #0xAA
.text&ARM.extab:C52E8004 A3 F1 01 04                   SUB.W           R4, R3, #1
.text&ARM.extab:C52E8008 85 EA 03 0C                   EOR.W           R12, R5, R3
.text&ARM.extab:C52E800C 4F EA C5 08                   MOV.W           R8, R5,LSL#3
.text&ARM.extab:C52E8010 03 FB 04 F4                   MUL.W           R4, R3, R4
.text&ARM.extab:C52E8014 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E8018 04 F0 01 0B                   AND.W           R11, R4, #1
.text&ARM.extab:C52E801C 86 EA 0B 04                   EOR.W           R4, R6, R11
.text&ARM.extab:C52E8020 46 EA 0B 06                   ORR.W           R6, R6, R11
.text&ARM.extab:C52E8024 86 F0 01 06                   EOR.W           R6, R6, #1
.text&ARM.extab:C52E8028 44 EA 06 04                   ORR.W           R4, R4, R6
.text&ARM.extab:C52E802C 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E8030 B8 BF                         IT LT
.text&ARM.extab:C52E8032 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52E8034 BC F1 E6 0F                   CMP.W           R12, #0xE6
.text&ARM.extab:C52E8038 C8 BF                         IT GT
.text&ARM.extab:C52E803A 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52E803C 0A 2D                         CMP             R5, #0xA
.text&ARM.extab:C52E803E 43 EA 06 03                   ORR.W           R3, R3, R6
.text&ARM.extab:C52E8042 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E8046 43 EA 04 03                   ORR.W           R3, R3, R4
.text&ARM.extab:C52E804A 4F F0 00 04                   MOV.W           R4, #0
.text&ARM.extab:C52E804E B8 BF                         IT LT
.text&ARM.extab:C52E8050 01 24                         MOVLT           R4, #1
.text&ARM.extab:C52E8052 BB F1 00 0F                   CMP.W           R11, #0
.text&ARM.extab:C52E8056 08 BF                         IT EQ
.text&ARM.extab:C52E8058 01 26                         MOVEQ           R6, #1
.text&ARM.extab:C52E805A 44 EA 06 09                   ORR.W           R9, R4, R6
.text&ARM.extab:C52E805A
.text&ARM.extab:C52E805E
.text&ARM.extab:C52E805E                               loc_C52E805E  
.text&ARM.extab:C52E805E 01 2B                         CMP             R3, #1
.text&ARM.extab:C52E8060 FD D1                         BNE             loc_C52E805E
.text&ARM.extab:C52E8060
.text&ARM.extab:C52E8062 BA F1 FF 0F                   CMP.W           R10, #0xFF    ; 判断指令是否为0xFF
.text&ARM.extab:C52E8066 2E D0                         BEQ             loc_C52E80C6
.text&ARM.extab:C52E8066
.text&ARM.extab:C52E8068 BC F1 BF 0F                   CMP.W           R12, #0xBF
.text&ARM.extab:C52E806C 4F F0 00 04                   MOV.W           R4, #0
.text&ARM.extab:C52E8070 C8 BF                         IT GT
.text&ARM.extab:C52E8072 01 24                         MOVGT           R4, #1
.text&ARM.extab:C52E8074 6B 00                         LSLS            R3, R5, #1
.text&ARM.extab:C52E8076 B3 F5 B2 7F                   CMP.W           R3, #0x164
.text&ARM.extab:C52E807A 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E807E B8 BF                         IT LT
.text&ARM.extab:C52E8080 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52E8082 34 43                         ORRS            R4, R6
.text&ARM.extab:C52E8084 44 EA 09 04                   ORR.W           R4, R4, R9
.text&ARM.extab:C52E8084
.text&ARM.extab:C52E8088
.text&ARM.extab:C52E8088                               loc_C52E8088  
.text&ARM.extab:C52E8088 01 2C                         CMP             R4, #1
.text&ARM.extab:C52E808A FD D1                         BNE             loc_C52E8088
.text&ARM.extab:C52E808A
.text&ARM.extab:C52E808C BC F1 A6 0F                   CMP.W           R12, #0xA6
.text&ARM.extab:C52E8090 4F F0 00 04                   MOV.W           R4, #0
.text&ARM.extab:C52E8094 B8 BF                         IT LT
.text&ARM.extab:C52E8096 01 24                         MOVLT           R4, #1
.text&ARM.extab:C52E8098 B3 F5 F8 7F                   CMP.W           R3, #0x1F0
.text&ARM.extab:C52E809C 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E80A0 C8 BF                         IT GT
.text&ARM.extab:C52E80A2 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52E80A4 83 EA 04 06                   EOR.W           R6, R3, R4
.text&ARM.extab:C52E80A8 23 43                         ORRS            R3, R4
.text&ARM.extab:C52E80AA 83 F0 01 03                   EOR.W           R3, R3, #1
.text&ARM.extab:C52E80AE 33 43                         ORRS            R3, R6
.text&ARM.extab:C52E80B0 43 EA 09 03                   ORR.W           R3, R3, R9
.text&ARM.extab:C52E80B0
.text&ARM.extab:C52E80B4
.text&ARM.extab:C52E80B4                               loc_C52E80B4 
.text&ARM.extab:C52E80B4 01 2B                         CMP             R3, #1
.text&ARM.extab:C52E80B6 FD D1                         BNE             loc_C52E80B4
.text&ARM.extab:C52E80B6
.text&ARM.extab:C52E80B8 BA F1 23 0F                   CMP.W           R10, #0x23 ; '#' ; 判断指令是否为0x23
.text&ARM.extab:C52E80BC 05 D1                         BNE             loc_C52E80CA
.text&ARM.extab:C52E80BC
.text&ARM.extab:C52E80BE 23 23                         MOVS            R3, #0x23 ; '#'
.text&ARM.extab:C52E80C0 50 E0                         B               loc_C52E8164  ; 写指令
.text&ARM.extab:C52E80C0
.text&ARM.extab:C52E80C2
.text&ARM.extab:C52E80C2                               loc_C52E80C2  
.text&ARM.extab:C52E80C2 00 23                         MOVS            R3, #0
.text&ARM.extab:C52E80C4 4E E0                         B               loc_C52E8164  ; 写指令
.text&ARM.extab:C52E80C4
.text&ARM.extab:C52E80C6
.text&ARM.extab:C52E80C6                               loc_C52E80C6 
.text&ARM.extab:C52E80C6 FF 23                         MOVS            R3, #0xFF
.text&ARM.extab:C52E80C8 4C E0                         B               loc_C52E8164  ; 写指令
.text&ARM.extab:C52E80C8
.text&ARM.extab:C52E80CA
.text&ARM.extab:C52E80CA                               loc_C52E80CA  
.text&ARM.extab:C52E80CA BC F1 46 0F                   CMP.W           R12, #0x46 ; 'F'
.text&ARM.extab:C52E80CE 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E80D2 C8 BF                         IT GT
.text&ARM.extab:C52E80D4 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52E80D6 B8 F5 FA 7F                   CMP.W           R8, #0x1F4
.text&ARM.extab:C52E80DA 4F F0 00 04                   MOV.W           R4, #0
.text&ARM.extab:C52E80DE B8 BF                         IT LT
.text&ARM.extab:C52E80E0 01 24                         MOVLT           R4, #1
.text&ARM.extab:C52E80E2 23 43                         ORRS            R3, R4
.text&ARM.extab:C52E80E4 43 EA 09 03                   ORR.W           R3, R3, R9
.text&ARM.extab:C52E80E4
.text&ARM.extab:C52E80E8
.text&ARM.extab:C52E80E8                               loc_C52E80E8 
.text&ARM.extab:C52E80E8 01 2B                         CMP             R3, #1
.text&ARM.extab:C52E80EA FD D1                         BNE             loc_C52E80E8
.text&ARM.extab:C52E80EA
.text&ARM.extab:C52E80EC BC F1 13 0F                   CMP.W           R12, #0x13
.text&ARM.extab:C52E80F0 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E80F4 4F EA 05 14                   MOV.W           R4, R5,LSL#4
.text&ARM.extab:C52E80F8 C8 BF                         IT GT
.text&ARM.extab:C52E80FA 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52E80FC B4 F5 95 7F                   CMP.W           R4, #0x12A
.text&ARM.extab:C52E8100 4F F0 00 04                   MOV.W           R4, #0
.text&ARM.extab:C52E8104 B8 BF                         IT LT
.text&ARM.extab:C52E8106 01 24                         MOVLT           R4, #1
.text&ARM.extab:C52E8108 23 43                         ORRS            R3, R4
.text&ARM.extab:C52E810A 43 EA 09 03                   ORR.W           R3, R3, R9
.text&ARM.extab:C52E810A
.text&ARM.extab:C52E810E
.text&ARM.extab:C52E810E                               loc_C52E810E 
.text&ARM.extab:C52E810E 01 2B                         CMP             R3, #1
.text&ARM.extab:C52E8110 FD D1                         BNE             loc_C52E810E
.text&ARM.extab:C52E8110
.text&ARM.extab:C52E8112 BA F1 DC 0F                   CMP.W           R10, #0xDC    ; 判断指令是否为0xDC
.text&ARM.extab:C52E8116 01 D1                         BNE             loc_C52E811C
.text&ARM.extab:C52E8116
.text&ARM.extab:C52E8118 DC 23                         MOVS            R3, #0xDC
.text&ARM.extab:C52E811A 23 E0                         B               loc_C52E8164  ; 写指令
.text&ARM.extab:C52E811A
.text&ARM.extab:C52E811C
.text&ARM.extab:C52E811C                               loc_C52E811C 
.text&ARM.extab:C52E811C B8 F1 71 0F                   CMP.W           R8, #0x71 ; 'q'
.text&ARM.extab:C52E8120 4F F0 00 03                   MOV.W           R3, #0
.text&ARM.extab:C52E8124 C8 BF                         IT GT
.text&ARM.extab:C52E8126 01 23                         MOVGT           R3, #1
.text&ARM.extab:C52E8128 BC F1 D8 0F                   CMP.W           R12, #0xD8
.text&ARM.extab:C52E812C 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E8130 B8 BF                         IT LT
.text&ARM.extab:C52E8132 01 26                         MOVLT           R6, #1
.text&ARM.extab:C52E8134 09 2D                         CMP             R5, #9
.text&ARM.extab:C52E8136 03 EA 06 03                   AND.W           R3, R3, R6
.text&ARM.extab:C52E813A 4F F0 00 06                   MOV.W           R6, #0
.text&ARM.extab:C52E813E C8 BF                         IT GT
.text&ARM.extab:C52E8140 01 26                         MOVGT           R6, #1
.text&ARM.extab:C52E8142 BB F1 00 0F                   CMP.W           R11, #0
.text&ARM.extab:C52E8146 18 BF                         IT NE
.text&ARM.extab:C52E8148 4F F0 01 0B                   MOVNE.W         R11, #1
.text&ARM.extab:C52E814C 06 EA 0B 06                   AND.W           R6, R6, R11
.text&ARM.extab:C52E8150 83 EA 06 05                   EOR.W           R5, R3, R6
.text&ARM.extab:C52E8154 33 43                         ORRS            R3, R6
.text&ARM.extab:C52E8156 83 F0 01 03                   EOR.W           R3, R3, #1
.text&ARM.extab:C52E815A 2B 43                         ORRS            R3, R5
.text&ARM.extab:C52E815A
.text&ARM.extab:C52E815C
.text&ARM.extab:C52E815C                               loc_C52E815C 
.text&ARM.extab:C52E815C 01 2B                         CMP             R3, #1
.text&ARM.extab:C52E815E FD D1                         BNE             loc_C52E815C
.text&ARM.extab:C52E815E
.text&ARM.extab:C52E8160 6F EA 0A 03                   MVN.W           R3, R10       ; 解密指令 R10按位取反
.text&ARM.extab:C52E8160
.text&ARM.extab:C52E8164
.text&ARM.extab:C52E8164                               loc_C52E8164 
.text&ARM.extab:C52E8164 8B 54                         STRB            R3, [R1,R2]   ; 写指令
.text&ARM.extab:C52E8166 01 32                         ADDS            R2, #1
.text&ARM.extab:C52E8168 83 68                         LDR             R3, [R0,#8]   ; 取指令长度
.text&ARM.extab:C52E816A 9A 42                         CMP             R2, R3        ; 判断是否结束
.text&ARM.extab:C52E816C FF F4 3B AF                   BCC.W           loc_C52E7FE6  ; base++
.text&ARM.extab:C52E816C
.text&ARM.extab:C52E8170
.text&ARM.extab:C52E8170                               loc_C52E8170 
.text&ARM.extab:C52E8170 01 20                         MOVS            R0, #1
.text&ARM.extab:C52E8172 01 B0                         ADD             SP, SP, #4
.text&ARM.extab:C52E8174 BD E8 00 0F                   POP.W           {R8-R11}
.text&ARM.extab:C52E8178 F0 BD                         POP             {R4-R7,PC}

被抽走后的指令存储格式:

6C C6 FF 03   37 1E 38 00  08 00 00 00   xxxxxxx
Debug info                 指令长度      指令

五、Native原理分析

主要是通过解析smali代码进行了通过JNI反射调用等价的语义转换,转为了C代码,执行时通过FindClass、GetStaticMethodID、GetMethodID、CallxxxMethod。

我是通过JNItrace来分析,如图5-1所示:

  

            图5-1

六、总结

壳整体是指令抽取加方法native化二者结合,所有被抽走的指令还原后dump出来也能分析出80%左右的代码,其它被native化的用JNItrace配合分析,所以用该加固方案客户端代码安全性一般。接下来就可以继续进行APP渗透分析。

欢迎关注公众号


文章来源: https://www.cnblogs.com/2014asm/p/16120746.html
如有侵权请联系:admin#unsafe.sh