Create Time:2016.11.11
0x00 闲扯
用过JEB,IDA Pro,如果有跟着其它表哥自己脱过壳的那就更好了:),另外,既然都开始玩加固了,那么解压apk后的工程目录,smali语法等这种基础的东西就不再提了
0x01 样本初分析---classes.dex
0x02 样本初分析---libmobisec.so
使用IDA Pro载入libmobisec.so
加载起来还是很顺利的,并没有遇到"Binary Data is incorrect"之类的报错
File -> Load file -> Parse C header file
导入成功后会出现"Compilation successful"的MessageBox,点击OK就行
View -> Open subviews -> Structures
我们来学习一下NDK开发中的一些概念知识,虽然大家搞的都是脱壳,但是不一定每个同学都搞过NDK开发,所以我们来补一补这部分的知识,如果已经很清楚的同学就当复习吧,这部分的知识相当重要,Very Important
JNI:Java Native Interface,类似一种标准,提供了很多的API,使Java可以和C/C++进行通信
NDK:Native Development Kit,这是一套工具或者说是一套组件,实现用C/C++来开发Android Application
public class HelloJni extends Activity{ @Override public void onCreate(Bundle savedInstanceState){ super.onCreate(savedInstanceState); TextView tv = new TextView(this); tv.setText(stringFromJNI()); setContentView(tv); } public native String stringFromJNI(); static { System.loadLibrary("hello-jni"); }}
#include#include jstring Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jobject thiz){ return (*env)->NewStringUTF(env, "Hello Castiel");}
jstring Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jobject thiz)
typedef const struct JNINativeInterface* JNIEnv;
const struct JNINativeInterface** env;
struct JNINativeInterface { void* reserved0; void* reserved1; void* reserved2; void* reserved3; jint (*GetVersion)(JNIEnv *); jclass (*DefineClass)(JNIEnv*, const char*, jobject, const jbyte*, jsize); jclass (*FindClass)(JNIEnv*, const char*); jmethodID (*FromReflectedMethod)(JNIEnv*, jobject); jfieldID (*FromReflectedField)(JNIEnv*, jobject); /* spec doesn't show jboolean parameter */ jobject (*ToReflectedMethod)(JNIEnv*, jclass, jmethodID, jboolean); jclass (*GetSuperclass)(JNIEnv*, jclass); jboolean (*IsAssignableFrom)(JNIEnv*, jclass, jclass); ......};
typedef _JNIEnv JNIEnv;
struct _JNIEnv* env;
struct _JNIEnv { /* do not rename this; it does not seem to be entirely opaque */ const struct JNINativeInterface* functions;#if defined(__cplusplus) jint GetVersion() { return functions->GetVersion(this); } jclass DefineClass(const char *name, jobject loader, const jbyte* buf, jsize bufLen) { return functions->DefineClass(this, name, loader, buf, bufLen); } jclass FindClass(const char* name) { return functions->FindClass(this, name); } ......#endif /*__cplusplus*/};
const struct JNINativeInterface* functions;
return (*env)->NewStringUTF(env, "Hello Castiel"); //Creturn env->NewStringUTF("Hello Castiel"); //C++
public native String stringFromJNI(); //实例方法public static native String stringFromJNI(); //静态方法
jstring Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jobject thiz) //实例方法jstring Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jclass clazz) //静态方法
#ifdef HAVE_INTTYPES_H# include/* C99 */typedef uint8_t jboolean; /* unsigned 8 bits */typedef int8_t jbyte; /* signed 8 bits */typedef uint16_t jchar; /* unsigned 16 bits */typedef int16_t jshort; /* signed 16 bits */typedef int32_t jint; /* signed 32 bits */typedef int64_t jlong; /* signed 64 bits */typedef float jfloat; /* 32-bit IEEE 754 */typedef double jdouble; /* 64-bit IEEE 754 */#elsetypedef unsigned char jboolean; /* unsigned 8 bits */typedef signed char jbyte; /* signed 8 bits */typedef unsigned short jchar; /* unsigned 16 bits */typedef short jshort; /* signed 16 bits */typedef int jint; /* signed 32 bits */typedef long long jlong; /* signed 64 bits */typedef float jfloat; /* 32-bit IEEE 754 */typedef double jdouble; /* 64-bit IEEE 754 */#endif
#ifdef __cplusplus/* * Reference types, in C++ */class _jobject {};class _jclass : public _jobject {};class _jstring : public _jobject {};class _jarray : public _jobject {};class _jobjectArray : public _jarray {};class _jbooleanArray : public _jarray {};class _jbyteArray : public _jarray {};class _jcharArray : public _jarray {};class _jshortArray : public _jarray {};class _jintArray : public _jarray {};class _jlongArray : public _jarray {};class _jfloatArray : public _jarray {};class _jdoubleArray : public _jarray {};class _jthrowable : public _jobject {};typedef _jobject* jobject;typedef _jclass* jclass;typedef _jstring* jstring;typedef _jarray* jarray;typedef _jobjectArray* jobjectArray;typedef _jbooleanArray* jbooleanArray;typedef _jbyteArray* jbyteArray;typedef _jcharArray* jcharArray;typedef _jshortArray* jshortArray;typedef _jintArray* jintArray;typedef _jlongArray* jlongArray;typedef _jfloatArray* jfloatArray;typedef _jdoubleArray* jdoubleArray;typedef _jthrowable* jthrowable;typedef _jobject* jweak;#else /* not __cplusplus *//* * Reference types, in C. */typedef void* jobject;typedef jobject jclass;typedef jobject jstring;typedef jobject jarray;typedef jarray jobjectArray;typedef jarray jbooleanArray;typedef jarray jbyteArray;typedef jarray jcharArray;typedef jarray jshortArray;typedef jarray jintArray;typedef jarray jlongArray;typedef jarray jfloatArray;typedef jarray jdoubleArray;typedef jobject jthrowable;typedef jobject jweak;#endif /* not __cplusplus */
#if defined(__cplusplus)typedef _JNIEnv JNIEnv;typedef _JavaVM JavaVM;#elsetypedef const struct JNINativeInterface* JNIEnv;typedef const struct JNIInvokeInterface* JavaVM;#endif
/* * JNI invocation interface. */struct JNIInvokeInterface { void* reserved0; void* reserved1; void* reserved2; jint (*DestroyJavaVM)(JavaVM*); jint (*AttachCurrentThread)(JavaVM*, JNIEnv**, void*); jint (*DetachCurrentThread)(JavaVM*); jint (*GetEnv)(JavaVM*, void**, jint); jint (*AttachCurrentThreadAsDaemon)(JavaVM*, JNIEnv**, void*);};/* * C++ version. */struct _JavaVM { const struct JNIInvokeInterface* functions;#if defined(__cplusplus) jint DestroyJavaVM() { return functions->DestroyJavaVM(this); } jint AttachCurrentThread(JNIEnv** p_env, void* thr_args) { return functions->AttachCurrentThread(this, p_env, thr_args); } jint DetachCurrentThread() { return functions->DetachCurrentThread(this); } jint GetEnv(void** env, jint version) { return functions->GetEnv(this, env, version); } jint AttachCurrentThreadAsDaemon(JNIEnv** p_env, void* thr_args) { return functions->AttachCurrentThreadAsDaemon(this, p_env, thr_args); }#endif /*__cplusplus*/};
/** * Loads and links the dynamic library that is identified through the * specified path. This method is similar to {@link #loadLibrary(String)}, * but it accepts a full path specification whereas {@code loadLibrary} just * accepts the name of the library to load. * * @param pathName * the path of the file to be loaded. */public static void load(String pathName) { Runtime.getRuntime().load(pathName, VMStack.getCallingClassLoader());}/** * Loads and links the library with the specified name. The mapping of the * specified library name to the full path for loading the library is * implementation-dependent. * * @param libName * the name of the library to load. * @throws UnsatisfiedLinkError * if the library could not be loaded. */public static void loadLibrary(String libName) { Runtime.getRuntime().loadLibrary(libName, VMStack.getCallingClassLoader());}
/** * Loads and links the library with the specified name. The mapping of the * specified library name to the full path for loading the library is * implementation-dependent. * * @param libName * the name of the library to load. * @throws UnsatisfiedLinkError * if the library can not be loaded. */public void loadLibrary(String libName) { loadLibrary(libName, VMStack.getCallingClassLoader());}/* * Searches for a library, then loads and links it without security checks. */void loadLibrary(String libraryName, ClassLoader loader) { if (loader != null) { String filename = loader.findLibrary(libraryName); if (filename == null) { throw new UnsatisfiedLinkError("Couldn't load " + libraryName + " from loader " + loader + ": findLibrary returned null"); } String error = doLoad(filename, loader); if (error != null) { throw new UnsatisfiedLinkError(error); } return; } String filename = System.mapLibraryName(libraryName); Listcandidates = new ArrayList (); String lastError = null; for (String directory : mLibPaths) { String candidate = directory + filename; candidates.add(candidate); if (IoUtils.canOpenReadOnly(candidate)) { String error = doLoad(candidate, loader); if (error == null) { return; // We successfully loaded the library. Job done. } lastError = error; } } if (lastError != null) { throw new UnsatisfiedLinkError(lastError); } throw new UnsatisfiedLinkError("Library " + libraryName + " not found; tried " + candidates);}
protected String findLibrary(String libName) { return null;}
/* * Copyright (C) 2007 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */package dalvik.system;/** * Provides a simple {@link ClassLoader} implementation that operates on a list * of files and directories in the local file system, but does not attempt to * load classes from the network. Android uses this class for its system class * loader and for its application class loader(s). */public class PathClassLoader extends BaseDexClassLoader { /** * Creates a {@code PathClassLoader} that operates on a given list of files * and directories. This method is equivalent to calling * {@link #PathClassLoader(String, String, ClassLoader)} with a * {@code null} value for the second argument (see description there). * * @param dexPath the list of jar/apk files containing classes and * resources, delimited by {@code File.pathSeparator}, which * defaults to {@code ":"} on Android * @param parent the parent class loader */ public PathClassLoader(String dexPath, ClassLoader parent) { super(dexPath, null, null, parent); } /** * Creates a {@code PathClassLoader} that operates on two given * lists of files and directories. The entries of the first list * should be one of the following: * *
- *
- JAR/ZIP/APK files, possibly containing a "classes.dex" file as * well as arbitrary resources. *
- Raw ".dex" files (not inside a zip file). *
@Overridepublic String findLibrary(String name) { return pathList.findLibrary(name);}
private String doLoad(String name, ClassLoader loader) { // Android apps are forked from the zygote, so they can't have a custom LD_LIBRARY_PATH, // which means that by default an app's shared library directory isn't on LD_LIBRARY_PATH. // The PathClassLoader set up by frameworks/base knows the appropriate path, so we can load // libraries with no dependencies just fine, but an app that has multiple libraries that // depend on each other needed to load them in most-dependent-first order. // We added API to Android's dynamic linker so we can update the library path used for // the currently-running process. We pull the desired path out of the ClassLoader here // and pass it to nativeLoad so that it can call the private dynamic linker API. // We didn't just change frameworks/base to update the LD_LIBRARY_PATH once at the // beginning because multiple apks can run in the same process and third party code can // use its own BaseDexClassLoader. // We didn't just add a dlopen_with_custom_LD_LIBRARY_PATH call because we wanted any // dlopen(3) calls made from a .so's JNI_OnLoad to work too. // So, find out what the native library search path is for the ClassLoader in question... String ldLibraryPath = null; if (loader != null && loader instanceof BaseDexClassLoader) { ldLibraryPath = ((BaseDexClassLoader) loader).getLdLibraryPath(); } // nativeLoad should be synchronized so there's only one LD_LIBRARY_PATH in use regardless // of how many ClassLoaders are in the system, but dalvik doesn't support synchronized // internal natives. synchronized (this) { return nativeLoad(name, loader, ldLibraryPath); }}
// TODO: should be synchronized, but dalvik doesn't support synchronized internal natives.private static native String nativeLoad(String filename, ClassLoader loader, String ldLibraryPath);
/* * static String nativeLoad(String filename, ClassLoader loader, String ldLibraryPath) * * Load the specified full path as a dynamic library filled with * JNI-compatible methods. Returns null on success, or a failure * message on failure. */static void Dalvik_java_lang_Runtime_nativeLoad(const u4* args, JValue* pResult){ StringObject* fileNameObj = (StringObject*) args[0]; Object* classLoader = (Object*) args[1]; StringObject* ldLibraryPathObj = (StringObject*) args[2]; assert(fileNameObj != NULL); char* fileName = dvmCreateCstrFromString(fileNameObj); if (ldLibraryPathObj != NULL) { char* ldLibraryPath = dvmCreateCstrFromString(ldLibraryPathObj); void* sym = dlsym(RTLD_DEFAULT, "android_update_LD_LIBRARY_PATH"); if (sym != NULL) { typedef void (*Fn)(const char*); Fn android_update_LD_LIBRARY_PATH = reinterpret_cast(sym); (*android_update_LD_LIBRARY_PATH)(ldLibraryPath); } else { ALOGE("android_update_LD_LIBRARY_PATH not found; .so dependencies will not work!"); } free(ldLibraryPath); } StringObject* result = NULL; char* reason = NULL; bool success = dvmLoadNativeCode(fileName, classLoader, &reason); if (!success) { const char* msg = (reason != NULL) ? reason : "unknown failure"; result = dvmCreateStringFromCstr(msg); dvmReleaseTrackedAlloc((Object*) result, NULL); } free(reason); free(fileName); RETURN_PTR(result);}
bool success = dvmLoadNativeCode(fileName, classLoader, &reason);
bool dvmLoadNativeCode(const char* pathName, Object* classLoader, char** detail){ SharedLib* pEntry; void* handle; bool verbose; /* reduce noise by not chattering about system libraries */ verbose = !!strncmp(pathName, "/system", sizeof("/system")-1); verbose = verbose && !!strncmp(pathName, "/vendor", sizeof("/vendor")-1); if (verbose) ALOGD("Trying to load lib %s %p", pathName, classLoader); *detail = NULL; pEntry = findSharedLibEntry(pathName); if (pEntry != NULL) { if (pEntry->classLoader != classLoader) { ALOGW("Shared lib '%s' already opened by CL %p; can't open in %p", pathName, pEntry->classLoader, classLoader); return false; } if (verbose) { ALOGD("Shared lib '%s' already loaded in same CL %p", pathName, classLoader); } if (!checkOnLoadResult(pEntry)) return false; return true; } Thread* self = dvmThreadSelf(); ThreadStatus oldStatus = dvmChangeStatus(self, THREAD_VMWAIT); handle = dlopen(pathName, RTLD_LAZY); dvmChangeStatus(self, oldStatus); if (handle == NULL) { *detail = strdup(dlerror()); ALOGE("dlopen(\"%s\") failed: %s", pathName, *detail); return false; } /* create a new entry */ SharedLib* pNewEntry; pNewEntry = (SharedLib*) calloc(1, sizeof(SharedLib)); pNewEntry->pathName = strdup(pathName); pNewEntry->handle = handle; pNewEntry->classLoader = classLoader; dvmInitMutex(&pNewEntry->onLoadLock); pthread_cond_init(&pNewEntry->onLoadCond, NULL); pNewEntry->onLoadThreadId = self->threadId; /* try to add it to the list */ SharedLib* pActualEntry = addSharedLibEntry(pNewEntry); if (pNewEntry != pActualEntry) { ALOGI("WOW: we lost a race to add a shared lib (%s CL=%p)", pathName, classLoader); freeSharedLibEntry(pNewEntry); return checkOnLoadResult(pActualEntry); } else { if (verbose) ALOGD("Added shared lib %s %p", pathName, classLoader); bool result = false; void* vonLoad; int version; vonLoad = dlsym(handle, "JNI_OnLoad"); if (vonLoad == NULL) { ALOGD("No JNI_OnLoad found in %s %p, skipping init", pathName, classLoader); result = true; } else { OnLoadFunc func = (OnLoadFunc)vonLoad; Object* prevOverride = self->classLoaderOverride; self->classLoaderOverride = classLoader; oldStatus = dvmChangeStatus(self, THREAD_NATIVE); if (gDvm.verboseJni) { ALOGI("[Calling JNI_OnLoad for \"%s\"]", pathName); } version = (*func)(gDvmJni.jniVm, NULL); dvmChangeStatus(self, oldStatus); self->classLoaderOverride = prevOverride; if (version == JNI_ERR) { *detail = strdup(StringPrintf("JNI_ERR returned from JNI_OnLoad in \"%s\"", pathName).c_str()); } else if (dvmIsBadJniVersion(version)) { *detail = strdup(StringPrintf("Bad JNI version returned from JNI_OnLoad in \"%s\": %d", pathName, version).c_str()); } else { result = true; } if (gDvm.verboseJni) { ALOGI("[Returned %s from JNI_OnLoad for \"%s\"]", (result ? "successfully" : "failure"), pathName); } } if (result) pNewEntry->onLoadResult = kOnLoadOkay; else pNewEntry->onLoadResult = kOnLoadFailed; pNewEntry->onLoadThreadId = 0; dvmLockMutex(&pNewEntry->onLoadLock); pthread_cond_broadcast(&pNewEntry->onLoadCond); dvmUnlockMutex(&pNewEntry->onLoadLock); return result; }}
/* * See if we've already loaded it. If we have, and the class loader * matches, return successfully without doing anything. */pEntry = findSharedLibEntry(pathName);if (pEntry != NULL) { if (pEntry->classLoader != classLoader) { ALOGW("Shared lib '%s' already opened by CL %p; can't open in %p", pathName, pEntry->classLoader, classLoader); return false; } if (verbose) { ALOGD("Shared lib '%s' already loaded in same CL %p", pathName, classLoader); } if (!checkOnLoadResult(pEntry)) return false; return true;}
Thread* self = dvmThreadSelf();ThreadStatus oldStatus = dvmChangeStatus(self, THREAD_VMWAIT);handle = dlopen(pathName, RTLD_LAZY);dvmChangeStatus(self, oldStatus);if (handle == NULL) { *detail = strdup(dlerror()); ALOGE("dlopen(\"%s\") failed: %s", pathName, *detail); return false;}
/* create a new entry */SharedLib* pNewEntry;pNewEntry = (SharedLib*) calloc(1, sizeof(SharedLib));pNewEntry->pathName = strdup(pathName);pNewEntry->handle = handle;pNewEntry->classLoader = classLoader;dvmInitMutex(&pNewEntry->onLoadLock);pthread_cond_init(&pNewEntry->onLoadCond, NULL);pNewEntry->onLoadThreadId = self->threadId;
/* try to add it to the list */SharedLib* pActualEntry = addSharedLibEntry(pNewEntry);
if (pNewEntry != pActualEntry) { ALOGI("WOW: we lost a race to add a shared lib (%s CL=%p)", pathName, classLoader); freeSharedLibEntry(pNewEntry); return checkOnLoadResult(pActualEntry);}
else { if (verbose) ALOGD("Added shared lib %s %p", pathName, classLoader); bool result = false; void* vonLoad; int version; vonLoad = dlsym(handle, "JNI_OnLoad"); if (vonLoad == NULL) { ALOGD("No JNI_OnLoad found in %s %p, skipping init", pathName, classLoader); result = true; } else { /* * Call JNI_OnLoad. We have to override the current class * loader, which will always be "null" since the stuff at the * top of the stack is around Runtime.loadLibrary(). (See * the comments in the JNI FindClass function.) */ OnLoadFunc func = (OnLoadFunc)vonLoad; Object* prevOverride = self->classLoaderOverride; self->classLoaderOverride = classLoader; oldStatus = dvmChangeStatus(self, THREAD_NATIVE); if (gDvm.verboseJni) { ALOGI("[Calling JNI_OnLoad for \"%s\"]", pathName); } version = (*func)(gDvmJni.jniVm, NULL); dvmChangeStatus(self, oldStatus); self->classLoaderOverride = prevOverride; if (version == JNI_ERR) { *detail = strdup(StringPrintf("JNI_ERR returned from JNI_OnLoad in \"%s\"", pathName).c_str()); } else if (dvmIsBadJniVersion(version)) { *detail = strdup(StringPrintf("Bad JNI version returned from JNI_OnLoad in \"%s\": %d", pathName, version).c_str()); /* * It's unwise to call dlclose() here, but we can mark it * as bad and ensure that future load attempts will fail. * * We don't know how far JNI_OnLoad got, so there could * be some partially-initialized stuff accessible through * newly-registered native method calls. We could try to * unregister them, but that doesn't seem worthwhile. */ } else { result = true; } if (gDvm.verboseJni) { ALOGI("[Returned %s from JNI_OnLoad for \"%s\"]", (result ? "successfully" : "failure"), pathName); } } if (result) pNewEntry->onLoadResult = kOnLoadOkay; else pNewEntry->onLoadResult = kOnLoadFailed; pNewEntry->onLoadThreadId = 0; /* * Broadcast a wakeup to anybody sleeping on the condition variable. */ dvmLockMutex(&pNewEntry->onLoadLock); pthread_cond_broadcast(&pNewEntry->onLoadCond); dvmUnlockMutex(&pNewEntry->onLoadLock); return result;}
vonLoad = dlsym(handle, "JNI_OnLoad");if (vonLoad == NULL) { ALOGD("No JNI_OnLoad found in %s %p, skipping init", pathName, classLoader); result = true;}
OnLoadFunc func = (OnLoadFunc)vonLoad;
version = (*func)(gDvmJni.jniVm, NULL);
JNIEXPORT jstring JNICALL native_hello(JNIEnv *env, jclass clazz){ printf("hello in c native code./n"); return (*env)->NewStringUTF(env, "hello world returned.");}#define JNIREG_CLASS "com/jni/JavaHello"/*** Table of methods associated with a single class.*/static JNINativeMethod gMethods[] = { { "hello", "()Ljava/lang/String;", (void*)native_hello },};/** Register several native methods for one class.*/static int registerNativeMethods(JNIEnv* env, const char* className, JNINativeMethod* gMethods, int numMethods){ jclass clazz; clazz = (*env)->FindClass(env, className); if (clazz == NULL) { return JNI_FALSE; } if ((*env)->RegisterNatives(env, clazz, gMethods, numMethods) < 0) { return JNI_FALSE; } return JNI_TRUE;}/** Register native methods for all classes we know about.*/static int registerNatives(JNIEnv* env){ if (!registerNativeMethods(env, JNIREG_CLASS, gMethods, sizeof(gMethods) / sizeof(gMethods[0]))) return JNI_FALSE; return JNI_TRUE;}/** Set some test stuff up.** Returns the JNI version on success, -1 on failure.*/JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved){ JNIEnv* env = NULL; jint result = -1; if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_4) != JNI_OK) { return -1; } assert(env != NULL); if (!registerNatives(env)) { return -1; } /* success -- return valid version number */ result = JNI_VERSION_1_4; return result;}
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_4) != JNI_OK) { return -1;}
if (!registerNatives(env)) { return -1;}
/** Register native methods for all classes we know about.*/static int registerNatives(JNIEnv* env){ if (!registerNativeMethods(env, JNIREG_CLASS, gMethods, sizeof(gMethods) / sizeof(gMethods[0]))) return JNI_FALSE; return JNI_TRUE;}
/** Register several native methods for one class.*/static int registerNativeMethods(JNIEnv* env, const char* className, JNINativeMethod* gMethods, int numMethods){ jclass clazz; clazz = (*env)->FindClass(env, className); if (clazz == NULL) { return JNI_FALSE; } if ((*env)->RegisterNatives(env, clazz, gMethods, numMethods) < 0) { return JNI_FALSE; } return JNI_TRUE;}
#define JNIREG_CLASS "com/jni/JavaHello"
/*** Table of methods associated with a single class.*/static JNINativeMethod gMethods[] = { { "hello", "()Ljava/lang/String;", (void*)native_hello },};
JNIEXPORT jstring JNICALL native_hello(JNIEnv *env, jclass clazz){ printf("hello in c native code./n"); return (*env)->NewStringUTF(env, "hello world returned.");}
.init section和.init_array section下次再讲
刚刚我们已经知道JNI_OnLoad()方法第一个参数是JavaVM*类型,这里没有识别正确,我们来修正一下参数类型,在第一个参数的int上面右击,点击Set lvar type,下次直接用Y快捷键
signed int __fastcall JNI_OnLoad(JavaVM *vm, int a2){ const char *v2; // r1@2 const char *v3; // r2@2 signed int result; // r0@5 bool v5; // zf@6 int v6; // [sp+4h] [bp-Ch]@1 v6 = a2; if ( ((int (__cdecl *)(JavaVM *, int *))(*vm)->GetEnv)(vm, &v6) ) { v2 = "debug"; v3 = "Failed to get the environment";LABEL_5: _android_log_print(6, v2, v3); return -1; } if ( !(*(int (__cdecl **)(int))(*(_DWORD *)v6 + 24))(v6) ) { v2 = "debug"; v3 = "failed to get class reference"; goto LABEL_5; } v5 = (*(int (__cdecl **)(int))(*(_DWORD *)v6 + 860))(v6) == 0; result = 65542; if ( !v5 ) result = -1; return result;}
在GetEnv()方法上面右击,点击Force call type
JNIEnv* env = NULL;jint result = -1;if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_4) != JNI_OK) { return -1;}
if ( (*vm)->GetEnv(vm, (void **)&v6, 65542) ){ v2 = "debug"; v3 = "Failed to get the environment";LABEL_5: _android_log_print(6, v2, v3); return -1;}
signed int __fastcall JNI_OnLoad(JavaVM *vm, int a2){ const char *v2; // r1@2 const char *v3; // r2@2 signed int result; // r0@5 bool v5; // zf@6 JNIEnv *env; // [sp+4h] [bp-Ch]@1 env = (JNIEnv *)a2; if ( (*vm)->GetEnv(vm, (void **)&env, 65542) ) { v2 = "debug"; v3 = "Failed to get the environment";LABEL_5: _android_log_print(6, v2, v3); return -1; } if ( !((int (__cdecl *)(JNIEnv *))(*env)->FindClass)(env) ) { v2 = "debug"; v3 = "failed to get class reference"; goto LABEL_5; } v5 = ((int (__cdecl *)(JNIEnv *))(*env)->RegisterNatives)(env) == 0; result = 65542; if ( !v5 ) result = -1; return result;}
下面两个(*env)->的函数也需要Force call type,就是下面这个样子,首先执行FindClass()方法,然后执行RegisterNatives()动态注册native方法,可以看到最后那个参数是2,代表什么还记得吗?它表示要注册的native方法数量
signed int __fastcall JNI_OnLoad(JavaVM *vm, int a2){ const char *v2; // r1@2 const char *v3; // r2@2 jclass v4; // r1@3 signed int result; // r0@5 bool v6; // zf@6 JNIEnv *env; // [sp+4h] [bp-Ch]@1 env = (JNIEnv *)a2; if ( (*vm)->GetEnv(vm, (void **)&env, 65542) ) { v2 = "debug"; v3 = "Failed to get the environment";LABEL_5: _android_log_print(6, v2, v3); return -1; } v4 = (*env)->FindClass(env, "com/ali/mobisecenhance/StubApplication"); if ( !v4 ) { v2 = "debug"; v3 = "failed to get class reference"; goto LABEL_5; } v6 = (*env)->RegisterNatives(env, v4, (const JNINativeMethod *)off_54010, 2) == 0; result = 65542; if ( !v6 ) result = -1; return result;}
typedef struct { constchar*name; constchar* signature; void* fnPtr;} JNINativeMethod;
.data:00054010 gMethods DCD aAttachbasecont ; DATA XREF: JNI_OnLoad+44.data:00054010 ; .text:off_24784.data:00054010 ; "attachBaseContext".data:00054014 DCD aLandroidCont_1 ; "(Landroid/content/Context;)V".data:00054018 DCD sub_24D3C+1.data:0005401C DCD aOncreate ; "onCreate".data:00054020 DCD aV ; "()V".data:00054024 DCD sub_24498+1
int __fastcall attachBaseContext(ali *a1, int a2, int a3){ int v3; // r8@1 int v4; // r10@1 ali *v5; // r4@1 _JNIEnv *v6; // r1@1 int result; // r0@1 ali *v8; // r0@2 int v9; // r0@2 int v10; // r0@2 int v11; // r3@2 int v12; // r0@2 int v13; // r5@2 int v14; // r0@2 int v15; // r0@2 int v16; // r3@2 int v17; // r0@2 int v18; // r0@4 int v19; // r0@5 char *v20; // r0@9 int v21; // r0@6 int v22; // r3@13 int v23; // r0@13 int v24; // r3@15 int v25; // r0@15 int v26; // r3@15 int v27; // r8@15 const char *v28; // r0@16 const char *v29; // r5@16 size_t v30; // r0@16 int v31; // r5@17 int v32; // r8@17 int v33; // r0@17 int v34; // r0@17 int v35; // r5@17 const char *v36; // r1@18 const char *v37; // r2@18 int v38; // r0@19 ali *v39; // r0@20 int v40; // r4@22 unsigned __int64 v41; // r2@22 int v42; // [sp+8h] [bp-78h]@2 __int64 v43; // [sp+18h] [bp-68h]@17 char v44; // [sp+24h] [bp-5Ch]@6 char v45; // [sp+3Ch] [bp-44h]@2 char *v46; // [sp+4Ch] [bp-34h]@3 char *v47; // [sp+50h] [bp-30h]@3 int v48; // [sp+54h] [bp-2Ch]@1 v3 = a2; v4 = a3; v5 = a1; v48 = _stack_chk_guard; ((void (__fastcall *)(signed int, const char *, const char *))_android_log_print)(6, "debug", "in..."); result = ali::init_classes(v5, v6); if ( !result ) { v8 = (ali *)_JNIEnv::CallNonvirtualVoidMethod(v5, v3, ali::ContextWrapper, unk_54128); v42 = ali::NanoTime(v8); v9 = _JNIEnv::GetObjectClass(v5, v3); v10 = _JNIEnv::GetMethodID(v5, v9, "getFilesDir", "()Ljava/io/File;"); v12 = _JNIEnv::CallObjectMethod(v5, v3, v10, v11); v13 = v12; v14 = _JNIEnv::GetObjectClass(v5, v12); v15 = _JNIEnv::GetMethodID(v5, v14, "getAbsolutePath", "()Ljava/lang/String;"); v17 = _JNIEnv::CallObjectMethod(v5, v13, v15, v16); sub_247D8(&v45, v5, v17); if ( (_UNKNOWN *)&v45 != &ali::g_filePath ) std::string::_M_assign((std::string *)&ali::g_filePath, v47, v46); std::priv::_String_base>::_M_deallocate_block(&v45); _android_log_print(3, "debug", "global files path is %s"); v18 = _JNIEnv::CallObjectMethod(v5, v3, unk_541A4, 0xFFFFFC78); if ( ali::sdk_int <= 8 ) { v21 = _JNIEnv::GetObjectField(v5, v18, unk_5416C); sub_247D8(&v44, v5, v21); std::operator+ ,std::allocator >(&v45, &v44, "/lib"); if ( (_UNKNOWN *)&v45 != &ali::g_libPath ) std::string::_M_assign((std::string *)&ali::g_libPath, v47, v46); std::priv::_String_base >::_M_deallocate_block(&v45); v20 = &v44; } else { v19 = _JNIEnv::GetObjectField(v5, v18, unk_54170); sub_247D8(&v45, v5, v19); if ( (_UNKNOWN *)&v45 != &ali::g_libPath ) std::string::_M_assign((std::string *)&ali::g_libPath, v47, v46); v20 = &v45; } std::priv::_String_base >::_M_deallocate_block(v20); _android_log_print(3, "debug", "global native path is %s", unk_540D0, v4); v23 = _JNIEnv::CallObjectMethod(v5, v3, unk_541B0, v22); sub_247D8(&v45, v5, v23); if ( (_UNKNOWN *)&v45 != &ali::g_apkPath ) std::string::_M_assign((std::string *)&ali::g_apkPath, v47, v46); std::priv::_String_base >::_M_deallocate_block(&v45); setenv("APKPATH", dword_540B8, 1); _android_log_print(3, "debug", "global apk path is %s", dword_540B8); sub_24A64(v5, v3); v25 = _JNIEnv::CallObjectMethod(v5, v4, unk_541A0, v24); v27 = v25; if ( v25 ) { v28 = (const char *)(*(int (__fastcall **)(ali *, int, _DWORD))(*(_DWORD *)v5 + 676))(v5, v25, 0); v29 = v28; v30 = strlen(v28); std::string::_M_assign((std::string *)&ali::g_pkgName, v29, &v29[v30]); (*(void (__fastcall **)(ali *, int, const char *))(*(_DWORD *)v5 + 680))(v5, v27, v29); } v43 = 0LL; v31 = _JNIEnv::CallObjectMethod(v5, v4, unk_541A8, v26); parse_dex((_JNIEnv *)v5, &v43); replace_classloader_cookie(v5, v31, v43, HIDWORD(v43)); _android_log_print(3, "debug", "enter new application"); v32 = unk_54120; v33 = _JNIEnv::NewStringUTF((_JNIEnv *)v5, "android.app.Application"); v34 = _JNIEnv::CallObjectMethod(v5, v31, v32, v33); v35 = v34; if ( v34 ) { v38 = _JNIEnv::GetMethodID(v5, v34, " ", "()V"); dword_540A0 = _JNIEnv::NewObject(v5, v35, v38); _JNIEnv::CallVoidMethod(v5, dword_540A0, unk_54134); _JNIEnv::DeleteLocalRef(v5, v35); v36 = "debug"; v37 = "exit new application"; } else { v36 = "debug"; v37 = "can't findClass realAppClass"; } v39 = (ali *)_android_log_print(3, v36, v37); if ( dword_540A0 ) { v39 = (ali *)(*(int (__fastcall **)(ali *))(*(_DWORD *)v5 + 84))(v5); dword_540A0 = (int)v39; } v40 = ali::NanoTime(v39); _android_log_print(3, "debug", "##### attachBaseContext spent:"); ali::PrettyDuration((ali *)(v40 - v42), v41); result = _android_log_print(3, "debug", "exit attachBaseContext"); } if ( v48 != _stack_chk_guard ) _stack_chk_fail(result); return result;}
int __fastcall attachBaseContext(JNIEnv *a1, jobject *a2, jobject *a3){ jobject *jobj; // r8@1 jobject *context; // r10@1 JNIEnv *env; // r4@1 _JNIEnv *v6; // r1@1 int v7; // r2@1 int result; // r0@1 JNIEnv *v9; // r0@2 int v10; // r1@2 int v11; // r2@2 int v12; // r0@2 int v13; // r3@2 int v14; // r5@2 int v15; // r0@2 int v16; // r3@2 int v17; // r0@2 int v18; // r0@5 char *v19; // r0@9 int v20; // r0@6 int v21; // r3@13 int v22; // r0@13 int v23; // r3@15 void *v24; // r0@15 int v25; // r3@15 void *v26; // r8@15 const char *v27; // r0@16 const char *v28; // r5@16 size_t v29; // r0@16 int v30; // r5@17 int v31; // r8@17 int v32; // r0@17 int v33; // r5@17 const char *v34; // r1@18 const char *v35; // r2@18 int v36; // r0@19 JNIEnv *v37; // r0@20 int v38; // r2@20 int v39; // r1@20 int v40; // r4@22 unsigned __int64 v41; // r2@22 int v42; // [sp+8h] [bp-78h]@2 __int64 v43; // [sp+18h] [bp-68h]@17 char v44; // [sp+24h] [bp-5Ch]@6 char v45; // [sp+3Ch] [bp-44h]@2 char *v46; // [sp+4Ch] [bp-34h]@3 char *v47; // [sp+50h] [bp-30h]@3 int v48; // [sp+54h] [bp-2Ch]@1 jobj = a2; context = a3; env = a1; v48 = _stack_chk_guard; _android_log_print(6, "debug", "in..."); result = ali::init_classes((ali *)env, v6, v7); if ( !result ) { v9 = (JNIEnv *)_JNIEnv::CallNonvirtualVoidMethod(env, (int)jobj, ali::ContextWrapper, unk_54128); v42 = ali::NanoTime(v9, v10, v11); _JNIEnv::GetObjectClass(env); v12 = _JNIEnv::GetMethodID(env); v14 = _JNIEnv::CallObjectMethod(env, (int)jobj, v12, v13); _JNIEnv::GetObjectClass(env); v15 = _JNIEnv::GetMethodID(env); v17 = _JNIEnv::CallObjectMethod(env, v14, v15, v16); sub_247D8(&v45, env, v17); if ( (_UNKNOWN *)&v45 != &ali::g_filePath ) std::string::_M_assign((std::string *)&ali::g_filePath, v47, v46); std::priv::_String_base>::_M_deallocate_block(&v45); _android_log_print(3, "debug", "global files path is %s", unk_540E8, context); _JNIEnv::CallObjectMethod(env, (int)jobj, unk_541A4, -904); if ( ali::sdk_int <= 8 ) { v20 = _JNIEnv::GetObjectField(env); sub_247D8(&v44, env, v20); std::operator+ ,std::allocator >(&v45, &v44, "/lib"); if ( (_UNKNOWN *)&v45 != &ali::g_libPath ) std::string::_M_assign((std::string *)&ali::g_libPath, v47, v46); std::priv::_String_base >::_M_deallocate_block(&v45); v19 = &v44; } else { v18 = _JNIEnv::GetObjectField(env); sub_247D8(&v45, env, v18); if ( (_UNKNOWN *)&v45 != &ali::g_libPath ) std::string::_M_assign((std::string *)&ali::g_libPath, v47, v46); v19 = &v45; } std::priv::_String_base >::_M_deallocate_block(v19); _android_log_print(3, "debug", "global native path is %s", unk_540D0); v22 = _JNIEnv::CallObjectMethod(env, (int)jobj, unk_541B0, v21); sub_247D8(&v45, env, v22); if ( (_UNKNOWN *)&v45 != &ali::g_apkPath ) std::string::_M_assign((std::string *)&ali::g_apkPath, v47, v46); std::priv::_String_base >::_M_deallocate_block(&v45); setenv("APKPATH", dword_540B8, 1); _android_log_print(3, "debug", "global apk path is %s", dword_540B8); sub_24A64(env, jobj); v24 = (void *)_JNIEnv::CallObjectMethod(env, (int)context, unk_541A0, v23); v26 = v24; if ( v24 ) { v27 = (*env)->GetStringUTFChars(env, v24, 0); v28 = v27; v29 = strlen(v27); std::string::_M_assign((std::string *)&ali::g_pkgName, v28, &v28[v29]); (*env)->ReleaseStringUTFChars(env, v26, v28); } v43 = 0LL; v30 = _JNIEnv::CallObjectMethod(env, (int)context, unk_541A8, v25); parse_dex((_JNIEnv *)env, &v43); replace_classloader_cookie(env, v30, v43, HIDWORD(v43)); _android_log_print(3, "debug", "enter new application"); v31 = unk_54120; v32 = _JNIEnv::NewStringUTF((_JNIEnv *)env, "android.app.Application"); v33 = _JNIEnv::CallObjectMethod(env, v30, v31, v32); if ( v33 ) { v36 = _JNIEnv::GetMethodID(env); dword_540A0 = _JNIEnv::NewObject(env, v33, v36); _JNIEnv::CallVoidMethod(env, dword_540A0, unk_54134); _JNIEnv::DeleteLocalRef(env, v33); v34 = "debug"; v35 = "exit new application"; } else { v34 = "debug"; v35 = "can't findClass realAppClass"; } v37 = (JNIEnv *)_android_log_print(3, v34, v35); v39 = dword_540A0; if ( dword_540A0 ) { v37 = (JNIEnv *)(*env)->NewGlobalRef(env, (jobject)dword_540A0); dword_540A0 = (int)v37; } v40 = ali::NanoTime(v37, v39, v38); _android_log_print(3, "debug", "##### attachBaseContext spent:"); ali::PrettyDuration((ali *)(v40 - v42), v41); result = _android_log_print(3, "debug", "exit attachBaseContext"); } if ( v48 != _stack_chk_guard ) _stack_chk_fail(result); return result;}
jobj = a2;context = a3;env = a1;v48 = _stack_chk_guard;_android_log_print(6, "debug", "in...");result = ali::init_classes((ali *)env, v6, v7);
unsigned int __fastcall ali::init_classes(JNIEnv *this, _JNIEnv *a2, int a3){ JNIEnv *env1_1; // r4@1 const char *v4; // r1@2 const char *v5; // r2@2 _DWORD *v6; // r9@6 JNIEnv *v7; // r0@8 int v8; // r0@44 unsigned int v9; // r1@44 const char *v10; // r2@44 const char *v11; // r3@44 JNIEnv *v12; // r0@44 int v13; // r0@45 unsigned int v14; // r7@50 unsigned int v15; // r11@53 int v16; // r10@53 int v17; // r11@53 int v18; // r10@53 int v19; // r10@53 unsigned int v20; // r11@53 JNIEnv *v21; // ST00_4@53 int v22; // r10@53 int v23; // r9@53 unsigned int v24; // r9@53 int v25; // r8@53 int v26; // r9@53 int v27; // r8@53 JNIEnv *env1; // [sp+0h] [bp-30h]@1 _JNIEnv *env2; // [sp+4h] [bp-2Ch]@1 int v31; // [sp+8h] [bp-28h]@1 env1 = this; env2 = a2; v31 = a3; env1_1 = this; _android_log_print(3, "debug", "enter init classes"); if ( sub_26FDC(env1_1, (unsigned int *)&ali::VERSION, "android/os/Build$VERSION") ) { v4 = "debug"; v5 = "ERROR: class version"; } else { dword_541F4 = (*env1_1)->GetStaticFieldID(env1_1, ali::VERSION, "SDK_INT", "I"); ali::sdk_int = (*env1_1)->GetStaticIntField(env1_1, ali::VERSION, dword_541F4); if ( sub_26FDC(env1_1, &ali::ActivityThread, "android/app/ActivityThread") ) { v4 = "debug"; v5 = "ERROR; class ActivityThread"; } else { _android_log_print(3, "debug", "sdk_int is %d", ali::sdk_int, env1, env2, v31); if ( ali::sdk_int > 18 ) { unk_541DC = _JNIEnv::GetFieldID(env1_1, ali::ActivityThread, "mPackages", "Landroid/util/ArrayMap;"); v6 = &ali::ArrayMap; if ( sub_26FDC(env1_1, (unsigned int *)&ali::ArrayMap, "android/util/ArrayMap") ) { v4 = "debug"; v5 = "ERROR: ArrayMap"; goto LABEL_52; } v7 = env1_1; } else { unk_541DC = _JNIEnv::GetFieldID(env1_1, ali::ActivityThread, "mPackages", "Ljava/util/HashMap;"); v6 = &ali::HashMap; if ( sub_26FDC(env1_1, (unsigned int *)&ali::HashMap, "java/util/HashMap") ) { v4 = "debug"; v5 = "ERROR: HashMap"; goto LABEL_52; } v7 = env1_1; } v6[1] = _JNIEnv::GetMethodID(v7); unk_541E0 = _JNIEnv::GetFieldID( env1_1, ali::ActivityThread, "mBoundApplication", "Landroid/app/ActivityThread$AppBindData;"); unk_541E4 = _JNIEnv::GetFieldID(env1_1, ali::ActivityThread, "mInitialApplication", "Landroid/app/Application;"); unk_541E8 = _JNIEnv::GetFieldID(env1_1, ali::ActivityThread, "mAllApplications", "Ljava/util/ArrayList;"); unk_541EC = _JNIEnv::GetStaticMethodID( env1_1, ali::ActivityThread, "currentActivityThread", "()Landroid/app/ActivityThread;"); if ( sub_26FDC(env1_1, &ali::AppBindData, "android/app/ActivityThread$AppBindData") ) { v4 = "debug"; v5 = "ERROR: class AppBindData"; } else { unk_541C8 = _JNIEnv::GetFieldID(env1_1, ali::AppBindData, "info", "Landroid/app/LoadedApk;"); if ( sub_26FDC(env1_1, (unsigned int *)&ali::ArrayList, "java/util/ArrayList") ) { v4 = "debug"; v5 = "ERROR:class ArrayList"; } else { unk_541B8 = _JNIEnv::GetMethodID(env1_1); unk_541BC = _JNIEnv::GetMethodID(env1_1); unk_541C0 = _JNIEnv::GetMethodID(env1_1); if ( sub_26FDC(env1_1, (unsigned int *)&ali::Context, "android/content/Context") ) { v4 = "debug"; v5 = "ERROR: class Context"; } else { unk_541A0 = _JNIEnv::GetMethodID(env1_1); unk_541A4 = _JNIEnv::GetMethodID(env1_1); unk_541A8 = _JNIEnv::GetMethodID(env1_1); unk_541AC = _JNIEnv::GetMethodID(env1_1); unk_541B0 = _JNIEnv::GetMethodID(env1_1); if ( sub_26FDC(env1_1, (unsigned int *)&ali::WeakReference, "java/lang/ref/WeakReference") ) { v4 = "debug"; v5 = "ERROR: WeakReference"; } else { unk_54188 = _JNIEnv::GetMethodID(env1_1); if ( sub_26FDC(env1_1, &ali::LoadedApk, "android/app/LoadedApk") ) { v4 = "debug"; v5 = "ERROR: class LoadedApk"; } else { unk_5417C = _JNIEnv::GetFieldID(env1_1, ali::LoadedApk, "mClassLoader", "Ljava/lang/ClassLoader;"); unk_54180 = _JNIEnv::GetFieldID(env1_1, ali::LoadedApk, "mApplication", "Landroid/app/Application;"); if ( sub_26FDC(env1_1, &ali::ApplicationInfo, "android/content/pm/ApplicationInfo") ) { v4 = "debug"; v5 = "ERROR: class ApplicationInfo"; } else { unk_5416C = _JNIEnv::GetFieldID(env1_1, ali::ApplicationInfo, "dataDir", "Ljava/lang/String;"); unk_54170 = _JNIEnv::GetFieldID( env1_1, ali::ApplicationInfo, "nativeLibraryDir", "Ljava/lang/String;"); unk_54174 = _JNIEnv::GetFieldID(env1_1, ali::ApplicationInfo, "sourceDir", "Ljava/lang/String;"); if ( sub_26FDC(env1_1, (unsigned int *)&ali::Application, "android/app/Application") ) { v4 = "debug"; v5 = "ERROR: class Application"; } else { unk_54130 = _JNIEnv::GetMethodID(env1_1); unk_54134 = _JNIEnv::GetMethodID(env1_1); if ( sub_26FDC(env1_1, (unsigned int *)&ali::ContextWrapper, "android/content/ContextWrapper") ) { v4 = "debug"; v5 = "ERROR: class ContextWrapper"; } else { unk_54128 = _JNIEnv::GetMethodID(env1_1); _android_log_print(3, "debug", "PathClassLoader start"); if ( sub_26FDC(env1_1, &ali::PathClassLoader, "dalvik/system/PathClassLoader") ) { v4 = "debug"; v5 = "ERROR: PathClassLoader"; } else { if ( ali::sdk_int > 13 ) { if ( sub_26FDC(env1_1, &ali::BaseDexClassLoader, "dalvik/system/BaseDexClassLoader") ) { v4 = "debug"; v5 = "ERROR: BaseDexClassLoader"; goto LABEL_52; } unk_5415C = _JNIEnv::GetFieldID( env1_1, ali::BaseDexClassLoader, "pathList", "Ldalvik/system/DexPathList;"); if ( sub_26FDC(env1_1, &ali::DexPathList, "dalvik/system/DexPathList") ) { v4 = "debug"; v5 = "ERROR: class DexPathList"; goto LABEL_52; } unk_54154 = _JNIEnv::GetFieldID( env1_1, ali::DexPathList, "dexElements", "[Ldalvik/system/DexPathList$Element;"); if ( sub_26FDC(env1_1, &ali::Element, "dalvik/system/DexPathList$Element") ) { v4 = "debug"; v5 = "ERROR: class Element"; goto LABEL_52; } unk_54148 = _JNIEnv::GetFieldID(env1_1, ali::Element, "dexFile", "Ldalvik/system/DexFile;"); unk_5414C = _JNIEnv::GetFieldID(env1_1, ali::Element, "file", "Ljava/io/File;"); } else { unk_54164 = _JNIEnv::GetFieldID( env1_1, ali::PathClassLoader, "mDexs", "[Ldalvik/system/DexFile;"); } if ( sub_26FDC(env1_1, (unsigned int *)&ali::JFile, "java/io/File") ) { v4 = "debug"; v5 = "ERROR: class File"; } else { unk_54118 = _JNIEnv::GetMethodID(env1_1); _android_log_print(3, "debug", "PathClassLoader end"); if ( sub_26FDC(env1_1, &ali::JDexFile, "dalvik/system/DexFile") ) { v4 = "debug"; v5 = "ERROR: class DexFile"; } else { if ( ali::sdk_int > 19 ) { v13 = _JNIEnv::GetFieldID(env1_1, ali::JDexFile, "mCookie", "J"); v9 = ali::JDexFile; v10 = "openDexFile"; v11 = "(Ljava/lang/String;Ljava/lang/String;I)J"; unk_5413C = v13; v12 = env1_1; } else { v8 = _JNIEnv::GetFieldID(env1_1, ali::JDexFile, "mCookie", "I"); v9 = ali::JDexFile; v10 = "openDexFile"; v11 = "(Ljava/lang/String;Ljava/lang/String;I)I"; unk_5413C = v8; v12 = env1_1; } unk_54140 = _JNIEnv::GetStaticMethodID(v12, v9, v10, v11); if ( sub_26FDC(env1_1, (unsigned int *)&ali::ClassLoader, "java/lang/ClassLoader") ) { v4 = "debug"; v5 = "ERROR: class ClassLoader"; } else { unk_54120 = _JNIEnv::GetMethodID(env1_1); _android_log_print(3, "debug", "System start"); if ( sub_26FDC(env1_1, &ali::JSystem, "java/lang/System") ) { v4 = "debug"; v5 = "ERROR: class System"; } else { unk_541D4 = _JNIEnv::GetStaticMethodID( env1_1, ali::JSystem, "getProperty", "(Ljava/lang/String;)Ljava/lang/String;"); _android_log_print(3, "debug", "exit init classes normal"); _android_log_print(3, "debug", "SystemProperties start"); v14 = sub_26FDC(env1_1, &ali::SystemProperties, "android/os/SystemProperties"); if ( !v14 ) { unk_54110 = _JNIEnv::GetStaticMethodID( env1_1, ali::SystemProperties, "get", "(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;"); _android_log_print(3, "debug", "exit init class normal"); v15 = ali::JSystem; v16 = unk_541D4; _JNIEnv::NewStringUTF((_JNIEnv *)env1_1, "java.vm.name"); v17 = _JNIEnv::CallStaticObjectMethod(env1_1, v15, v16); v18 = _JNIEnv::GetStringUTFChars(env1_1, v17, 0); _android_log_print(6, "debug", "------- vmNameStr:%s", v18); _JNIEnv::ReleaseStringUTFChars(env1_1, v17, v18); v19 = unk_54110; v20 = ali::SystemProperties; _JNIEnv::NewStringUTF((_JNIEnv *)env1_1, "persist.sys.dalvik.vm.lib"); v21 = (JNIEnv *)_JNIEnv::NewStringUTF((_JNIEnv *)env1_1, "Dalvik"); v22 = _JNIEnv::CallStaticObjectMethod(env1_1, v20, v19); v23 = _JNIEnv::GetStringUTFChars(env1_1, v22, 0); _android_log_print(6, "debug", "------- runtimeLig:%s", v23, v21); _JNIEnv::ReleaseStringUTFChars(env1_1, v22, v23); v24 = ali::JSystem; v25 = unk_541D4; _JNIEnv::NewStringUTF((_JNIEnv *)env1_1, "java.vm.version"); v26 = _JNIEnv::CallStaticObjectMethod(env1_1, v24, v25); v27 = _JNIEnv::GetStringUTFChars(env1_1, v26, 0); _android_log_print(6, "debug", "---- vmVersionStr:%s", v27); _JNIEnv::ReleaseStringUTFChars(env1_1, v26, v27); ali::isDalvik = 1; ali::isArt = 0; return v14; } v4 = "debug"; v5 = "ERROR: class SystemProperties"; } } } } } } } } } } } } } } }LABEL_52: _android_log_print(3, v4, v5); v14 = -1; _android_log_print(3, "debug", "exit init classes error"); return v14;}
_android_log_print(3, "debug", "enter init classes");if ( sub_26FDC(env1_2, (unsigned int *)&ali::VERSION, "android/os/Build$VERSION") ){ v4 = "debug"; v5 = "ERROR: class version";}else{}LABEL_52: _android_log_print(3, v4, v5); v14 = -1; _android_log_print(3, "debug", "exit init classes error"); return v14;}
unsigned int __fastcall sub_26FDC(JNIEnv *env1_1, unsigned int *a2, const char *a3){ unsigned int *v3; // r5@1 JNIEnv *env; // r4@1 jclass clazz; // r1@1 jobject v6; // r0@2 unsigned int result; // r0@2 v3 = a2; env = env1_1; clazz = (*env1_1)->FindClass(env1_1, a3); if ( clazz ) { v6 = (*env)->NewGlobalRef(env, clazz); *v3 = (unsigned int)v6; result = -(__clz((unsigned int)v6) >> 5); } else { result = -1; } return result;}
_JNIEnv::GetObjectClass(env, jobj);
jclass __fastcall _JNIEnv::GetObjectClass(JNIEnv *env, jobject *a2){ return (*env)->GetObjectClass(env, a2);}
jclass (*GetObjectClass)(JNIEnv*, jobject);
std::string::_M_assign((std::string *)&ali::g_filePath, v47, v46);
std::string *__fastcall std::string::_M_assign(std::string *this, const char *a2, const char *a3){ std::string *v3; // r4@1 int v4; // r3@1 size_t v5; // r5@1 void *v6; // r0@1 const char *v7; // r6@1 const char *v8; // r7@1 _BYTE *v9; // r6@2 _BYTE *v10; // r5@2 v3 = this; v4 = *(this + 4); v5 = a3 - a2; v6 = *(this + 5); v7 = a3; v8 = a2; if ( a3 - a2 > (v4 - v6) ) { std::__char_traits_base::move(v6, a2, v4 - v6); std::string::_M_append(v3, &v8[*(v3 + 4) - *(v3 + 5)], v7); } else { std::__char_traits_base ::move(v6, a2, v5); v9 = *(v3 + 4); v10 = (v5 + *(v3 + 5)); if ( v10 != v9 ) { std::__char_traits_base ::move(v10, *(v3 + 4), 1u); *(v3 + 4) -= v9 - v10; } } return v3;}
int __fastcall attachBaseContext(JNIEnv *a1, jobject *a2, jobject *a3){ _android_log_print(6, "debug", "in..."); if ( !result ) { _android_log_print(3, "debug", "global files path is %s", unk_540E8, context); _android_log_print(3, "debug", "global native path is %s", unk_540D0); _android_log_print(3, "debug", "global apk path is %s", dword_540B8); _android_log_print(3, "debug", "enter new application"); if ( v33 ) { v34 = "debug"; v35 = "exit new application"; } else { v34 = "debug"; v35 = "can't findClass realAppClass"; } v37 = (JNIEnv *)_android_log_print(3, v34, v35); _android_log_print(3, "debug", "##### attachBaseContext spent:"); }}
_android_log_print(3, "debug", "enter new application");
sub_24A64(env, jobj);v24 = _JNIEnv::CallObjectMethod(env, context, unk_541A0, v23);v26 = v24;if ( v24 ){ v27 = (*env)->GetStringUTFChars(env, v24, 0); v28 = v27; v29 = strlen(v27); std::string::_M_assign((std::string *)&ali::g_pkgName, v28, &v28[v29]); (*env)->ReleaseStringUTFChars(env, v26, v28);}v43 = 0LL;v30 = (jobject *)_JNIEnv::CallObjectMethod(env, context, unk_541A8, v25);parse_dex((_JNIEnv *)env, &v43);replace_classloader_cookie(env, v30, v43, HIDWORD(v43));_android_log_print(3, "debug", "enter new application");
parse_dex((_JNIEnv *)env, &v43);
signed int __fastcall parse_dex(_JNIEnv *a1, __int64 *a2){ int v2; // r7@3 char *v3; // r0@4 const char *v4; // r1@4 char *v5; // r0@6 char *v6; // r9@16 _BYTE *v7; // r3@17 int v8; // r2@17 int v9; // t1@19 int fd; // ST14_4@23 unsigned int v11; // r8@24 int v12; // r7@24 int v13; // r5@26 int v14; // r5@25 int v15; // r7@25 int v16; // r1@25 int v17; // r5@25 int v18; // ST04_4@27 int (__fastcall *v19)(int, signed int); // r5@27 int v20; // r5@27 unsigned __int8 *v21; // r8@27 const char *v22; // r3@27 char *v23; // r0@29 char *v24; // r0@28 char *v25; // r6@30 ali::EncFile *v26; // r7@30 int v27; // r0@31 int *v28; // r0@34 char *v29; // r0@34 int v30; // r10@35 void *v31; // r7@36 int (__fastcall *v32)(unsigned __int8 *, int, signed int *); // r9@36 int (__fastcall *v33)(_DWORD); // r7@36 const char *v34; // r1@37 const char *v35; // r2@37 int v36; // r9@38 signed int v37; // r7@38 _DWORD *v38; // r9@41 _BYTE *v39; // r5@41 unsigned __int8 *v40; // r3@41 void *v41; // r0@42 JNINativeMethod *v42; // r0@42 unsigned __int8 *v43; // r3@42 signed int v44; // r3@42 signed int result; // r0@44 _JNIEnv *env; // [sp+8h] [bp-2A0h]@1 __int64 *v47; // [sp+10h] [bp-298h]@1 int v48; // [sp+24h] [bp-284h]@30 unsigned __int8 *v49; // [sp+28h] [bp-280h]@30 unsigned __int8 *v50; // [sp+2Ch] [bp-27Ch]@30 void (__cdecl *v51)(const unsigned int *, jvalue *); // [sp+30h] [bp-278h]@42 char v52; // [sp+34h] [bp-274h]@3 signed int v53[2]; // [sp+38h] [bp-270h]@17 char s; // [sp+40h] [bp-268h]@23 char v55; // [sp+54h] [bp-254h]@2 int v56; // [sp+64h] [bp-244h]@23 int v57; // [sp+68h] [bp-240h]@23 char v58; // [sp+6Ch] [bp-23Ch]@2 const char *v59; // [sp+80h] [bp-228h]@2 char v60; // [sp+84h] [bp-224h]@2 const char *v61; // [sp+98h] [bp-210h]@25 char v62; // [sp+9Ch] [bp-20Ch]@27 unsigned int v63; // [sp+B0h] [bp-1F8h]@27 char v64; // [sp+B4h] [bp-1F4h]@3 char v65; // [sp+CCh] [bp-1DCh]@6 int v66; // [sp+E0h] [bp-1C8h]@23 char v67; // [sp+E4h] [bp-1C4h]@23 char v68; // [sp+FCh] [bp-1ACh]@23 const char *v69; // [sp+110h] [bp-198h]@23 char v70; // [sp+114h] [bp-194h]@23 char v71; // [sp+12Ch] [bp-17Ch]@23 const char *v72; // [sp+140h] [bp-168h]@23 char v73; // [sp+144h] [bp-164h]@23 char *v74; // [sp+154h] [bp-154h]@23 char *v75; // [sp+158h] [bp-150h]@23 char v76; // [sp+15Ch] [bp-14Ch]@23 char v77; // [sp+174h] [bp-134h]@23 char v78; // [sp+18Ch] [bp-11Ch]@23 char v79; // [sp+1A4h] [bp-104h]@23 char v80; // [sp+1BCh] [bp-ECh]@23 char v81; // [sp+1D4h] [bp-D4h]@23 char v82; // [sp+1ECh] [bp-BCh]@23 char v83; // [sp+204h] [bp-A4h]@23 char v84; // [sp+21Ch] [bp-8Ch]@23 char v85; // [sp+234h] [bp-74h]@17 int v86; // [sp+244h] [bp-64h]@17 _BYTE *v87; // [sp+248h] [bp-60h]@17 char v88; // [sp+24Ch] [bp-5Ch]@22 char v89; // [sp+264h] [bp-44h]@22 char *v90; // [sp+274h] [bp-34h]@22 char *v91; // [sp+278h] [bp-30h]@22 int v92; // [sp+27Ch] [bp-2Ch]@1 env = a1; v47 = a2; v92 = _stack_chk_guard; _android_log_print(3, "debug", "enter parse_dex"); if ( ali::isDalvik ) { v48 = 0; std::operator+,std::allocator >(&v89, &ali::g_filePath, "/cls.jar"); v25 = v91; v26 = operator new(0xCu); ali::EncFile::EncFile(v26, v25); v49 = 0; v50 = 0; if ( ali::sdk_int > 13 ) { v27 = ali::EncFile::openWithHeader(v26, &v49, &v48, 0x10u); v50 = v49 + 16; } else { v27 = ali::EncFile::open(v26, &v50, &v48); } if ( v50 == -1 ) { v28 = _errno(v27); v29 = strerror(*v28); _android_log_print(3, "debug", "mmap dex file :%s", v29);LABEL_45: v24 = &v89; goto LABEL_46; } v30 = *(v50 + 8); if ( ali::sdk_int > 13 ) { v41 = dlopen("libdvm.so", 1); v42 = dlsym(v41, "dvm_dalvik_system_DexFile"); v51 = 0; lookup(v42, "openDexFile", "([B)I", &v51); v43 = v49; *(v49 + 2) = v48; *&v52 = v43; (v51)(); v44 = v53[0]; *v47 = v53[0]; *(*(*(v44 + 8) + 4) + 32) = *(v44 + 16); *(*(*(v44 + 8) + 4) + 36) = v48; ali::EncFile::~EncFile(v26); operator delete(v26); } else { v31 = dlopen("libdvm.so", 1); v32 = dlsym(v31, "dvmDexFileOpenPartial"); v33 = dlsym(v31, "dexCreateClassLookup"); v53[0] = 0; if ( v32(v50, v30, v53) == -1 ) { v34 = "debug"; v35 = "dvmDexFileOpenPartial error";LABEL_40: _android_log_print(3, v34, v35); goto LABEL_45; } v36 = *v53[0]; *(v36 + 36) = v33(*v53[0]); v37 = v53[0]; if ( !*(*v53[0] + 36) ) { v34 = "debug"; v35 = "dexCreateClassLookup error"; goto LABEL_40; } v38 = malloc(0x2Cu); v39 = malloc(0x14u); strdup(&unk_4CEE9); v39[4] = 0; v39[5] = 0; *(v39 + 2) = 0; v40 = v50; *v39 = v39; *(v39 + 3) = v38; v38[10] = v37; *(v37 + 32) = v40; *(v37 + 36) = v48; *v47 = v39; } v23 = &v89; goto LABEL_44; } std::operator+ ,std::allocator >(&v55, &ali::g_filePath, "/cls.jar"); std::operator+ ,std::allocator >(&v58, &ali::g_filePath, "/cls.dex"); std::operator+ ,std::allocator >(&v60, &ali::g_filePath, "/fak.jar"); _android_log_print(3, "debug", "before oat gen"); if ( !access(v59, 0) ) goto LABEL_24; v2 = android_getCpuFamily(); std::string::string(&v64, "arm", &v52); if ( v2 == 1 ) { v3 = &v64; v4 = "arm";LABEL_5: std::string::operator=(v3, v4); goto LABEL_6; } if ( v2 == 2 ) { v3 = &v64; v4 = "x86"; goto LABEL_5; } if ( v2 == 3 || v2 == 6 ) { v3 = &v64; v4 = "mips"; goto LABEL_5; } if ( v2 == 4 ) { v3 = &v64; v4 = "arm64"; goto LABEL_5; } if ( v2 == 5 ) { v3 = &v64; v4 = "x86_64"; goto LABEL_5; }LABEL_6: std::operator+ ,std::allocator >(&v65, &ali::g_libPath, "/libhack.so"); v5 = getenv("LD_PRELOAD"); v6 = v5; if ( v5 ) { _android_log_print(3, "debug", "the system already define LD_PRELOAD=%s", v5); std::string::string(&v85, v6, v53); v7 = v87; v8 = v86; while ( v7 != v8 ) { v9 = *v7++; if ( v9 == 32 ) *(v7 - 1) = 58; } std::operator+ ,std::allocator >(&v88, &v85, ":"); std::operator+ ,std::allocator >(&v89, &v88, &v65); std::string::_M_assign(&v65, v91, v90); std::priv::_String_base >::_M_deallocate_block(&v89); std::priv::_String_base >::_M_deallocate_block(&v88); std::priv::_String_base >::_M_deallocate_block(&v85); } _android_log_print(3, "debug", "the new LD_PRELOAD is %s", v66); std::operator+ ,std::allocator >(&v67, &ali::g_filePath, "/juice.data"); std::operator+ ,std::allocator >(&v68, &ali::g_filePath, "/fak.jar"); fd = open(v69, 0); memset(&s, 0, 0x14u); sprintf(&s, "%d", fd); std::string::string(&v70, &s, v53); v74 = &v73; v75 = &v73; std::priv::_String_base >::_M_allocate_block(&v73, v56 - v57 + 10); *v74 = 0; std::string::_M_appendT (&v73); std::string::append(&v73, &v55); std::operator+ ,std::allocator >(&v76, &v73, " JUICE_FILE="); std::operator+ ,std::allocator >(&v77, &v76, &v67); std::operator+ ,std::allocator >(&v78, &v77, " LD_PRELOAD="); std::operator+ ,std::allocator >(&v79, &v78, &v65); std::operator+ ,std::allocator >( &v80, &v79, " /system/bin/dex2oat \t\t\t\t \t --runtime-arg -Xms64m \t\t\t\t\t --runtime-arg -Xmx64m \t\t\t\t" "\t --boot-image=/system/framework/boot.art --zip-fd="); std::operator+ ,std::allocator >(&v81, &v80, &v70); std::operator+ ,std::allocator >(&v82, &v81, "\t\t\t\t\t --zip-location="); std::operator+ ,std::allocator >(&v83, &v82, &v68); std::operator+ ,std::allocator >(&v84, &v83, "\t\t\t\t\t --oat-file="); std::operator+ ,std::allocator >(&v85, &v84, &v58); std::operator+ ,std::allocator >(&v71, &v85, " "); std::priv::_String_base >::_M_deallocate_block(&v85); std::priv::_String_base >::_M_deallocate_block(&v84); std::priv::_String_base >::_M_deallocate_block(&v83); std::priv::_String_base >::_M_deallocate_block(&v82); std::priv::_String_base >::_M_deallocate_block(&v81); std::priv::_String_base >::_M_deallocate_block(&v80); std::priv::_String_base >::_M_deallocate_block(&v79); std::priv::_String_base >::_M_deallocate_block(&v78); std::priv::_String_base >::_M_deallocate_block(&v77); std::priv::_String_base >::_M_deallocate_block(&v76); std::priv::_String_base >::_M_deallocate_block(&v73); _android_log_print(3, "debug", "cmd is %s", v72); system(v72); close(fd); std::priv::_String_base >::_M_deallocate_block(&v71); std::priv::_String_base >::_M_deallocate_block(&v70); std::priv::_String_base >::_M_deallocate_block(&v68); std::priv::_String_base >::_M_deallocate_block(&v67); std::priv::_String_base >::_M_deallocate_block(&v65); std::priv::_String_base >::_M_deallocate_block(&v64);LABEL_24: _android_log_print(3, "debug", "after oat gen"); v11 = ali::JDexFile; v12 = unk_54140; if ( ali::sdk_int <= 19 ) { v13 = _JNIEnv::NewStringUTF(env, v61); _JNIEnv::NewStringUTF(env, v59); v15 = _JNIEnv::CallStaticIntMethod(env, v11, v12, v13); v17 = 0; } else { v14 = _JNIEnv::NewStringUTF(env, v61); _JNIEnv::NewStringUTF(env, v59); v15 = _JNIEnv::CallStaticLongMethod(env, v11, v12, v14); v17 = v16; } v18 = v17; _android_log_print(3, "debug", "cookie is %llx"); *v47 = v15; *(v47 + 1) = v17; v19 = dlsym(0xFFFFFFFF, "_ZNK3art7DexFile12FindClassDefEt"); _android_log_print(3, "debug", "DexFile::FindClassDefFn is %p", v19, v15, v18); v20 = v19(v15, 1); _android_log_print(3, "debug", "call FindClassDefFn(%p,%d) => %p", v15, 1, v20); _android_log_print(3, "debug", "dex position is %p", v20 - 572); _android_log_print(3, "debug", "dex head is %08x %08x", *(v20 - 572), *(v20 - 568)); v21 = *(v20 - 540); _android_log_print(3, "debug", "dex size is %d", v21); MemEnableWrite((v20 - 572), &v21[v20 - 572]); std::operator+ ,std::allocator >(&v62, &ali::g_filePath, "/juice.data"); if ( !ali::dex_juicer_patch((v20 - 572), v21, v63, v22) ) { std::priv::_String_base >::_M_deallocate_block(&v62); std::priv::_String_base >::_M_deallocate_block(&v60); std::priv::_String_base >::_M_deallocate_block(&v58); v23 = &v55;LABEL_44: std::priv::_String_base >::_M_deallocate_block(v23); _android_log_print(3, "debug", "exit parse_dex"); result = 0; goto LABEL_47; } _android_log_print(6, "debug", "fail to patch dex"); std::priv::_String_base >::_M_deallocate_block(&v62); std::priv::_String_base >::_M_deallocate_block(&v60); std::priv::_String_base >::_M_deallocate_block(&v58); v24 = &v55;LABEL_46: std::priv::_String_base >::_M_deallocate_block(v24); _android_log_print(3, "debug", "exit parse_dex error"); result = -1;LABEL_47: if ( v92 != _stack_chk_guard ) _stack_chk_fail(result); return result;}
signed int __fastcall parse_dex(_JNIEnv *a1, __int64 *a2){ _android_log_print(3, "debug", "enter parse_dex"); if ( ali::isDalvik ) { if ( v50 == -1 ) { _android_log_print(3, "debug", "mmap dex file :%s", v29); LABEL_45: goto LABEL_46; } if ( ali::sdk_int > 13 ) {} else { if ( v32(v50, v30, v53) == -1 ) { v34 = "debug"; v35 = "dvmDexFileOpenPartial error"; LABEL_40: _android_log_print(3, v34, v35); goto LABEL_45; } if ( !*(*v53[0] + 36) ) { v34 = "debug"; v35 = "dexCreateClassLookup error"; goto LABEL_40; } } goto LABEL_44; } _android_log_print(3, "debug", "before oat gen");LABEL_6: if ( v5 ) { _android_log_print(3, "debug", "the system already define LD_PRELOAD=%s", v5); } _android_log_print(3, "debug", "the new LD_PRELOAD is %s", v66); _android_log_print(3, "debug", "cmd is %s", v72); LABEL_24: _android_log_print(3, "debug", "after oat gen"); _android_log_print(3, "debug", "cookie is %llx"); _android_log_print(3, "debug", "DexFile::FindClassDefFn is %p", v19, v15, v18); _android_log_print(3, "debug", "call FindClassDefFn(%p,%d) => %p", v15, 1, v20); _android_log_print(3, "debug", "dex position is %p", v20 - 572); _android_log_print(3, "debug", "dex head is %08x %08x", *(v20 - 572), *(v20 - 568)); _android_log_print(3, "debug", "dex size is %d", v21); if ( !ali::dex_juicer_patch((v20 - 572), v21, v63, v22) ) { LABEL_44: _android_log_print(3, "debug", "exit parse_dex"); goto LABEL_47; } _android_log_print(6, "debug", "fail to patch dex");LABEL_46: _android_log_print(3, "debug", "exit parse_dex error");LABEL_47:}
ali::isDalvik = 1;ali::isArt = 0;
signed int __fastcall parse_dex(_JNIEnv *a1, __int64 *a2){ env = a1; v47 = a2; v92 = _stack_chk_guard; _android_log_print(3, "debug", "enter parse_dex"); if ( ali::isDalvik ) { v48 = 0; std::operator+, std::allocator >(&v89, &ali::g_filePath, "/cls.jar"); v25 = v91; v26 = operator new('\f'); ali::EncFile::EncFile(v26, v25); v49 = 0; v50 = 0; if ( ali::sdk_int > 13 ) { v27 = ali::EncFile::openWithHeader(v26, &v49, &v48, 0x10u); v50 = v49 + 16; } else { v27 = ali::EncFile::open(v26, &v50, &v48); } v30 = *(v50 + 8); if ( ali::sdk_int > 13 ) { v41 = dlopen("libdvm.so", 1); v42 = dlsym(v41, "dvm_dalvik_system_DexFile"); v51 = 0; lookup(v42, "openDexFile", "([B)I", &v51); v43 = v49; *(v49 + 2) = v48; *&v52 = v43; (v51)(); v44 = v53[0]; *v47 = v53[0]; *(*(*(v44 + 8) + 4) + 32) = *(v44 + 16); *(*(*(v44 + 8) + 4) + 36) = v48; ali::EncFile::~EncFile(v26); operator delete(v26); } v23 = &v89; goto LABEL_44; }LABEL_44: std::priv::_String_base >::_M_deallocate_block(v23); _android_log_print(3, "debug", "exit parse_dex"); result = 0; goto LABEL_47;LABEL_47: if ( v92 != _stack_chk_guard ) _stack_chk_fail(result); return result;}
v27 = ali::EncFile::openWithHeader(v26, &v49, &v48, 0x10u);
v27 = ali::EncFile::open(v26, &v50, &v48);
int __fastcall ali::EncFile::openWithHeader(ali::EncFile *this, unsigned __int8 **a2, unsigned int *a3, unsigned int a4){ ali::EncFile *v4; // r5@1 unsigned __int8 **v5; // r11@1 unsigned int *v6; // r6@1 unsigned int v7; // r7@1 const char *v8; // r1@2 const char *v9; // r2@2 int v10; // r8@3 int v11; // r10@3 __blksize_t v13; // r3@6 ali *v14; // r4@6 JNIEnv *v15; // r0@6 int v16; // r1@6 int v17; // r2@6 signed __int64 v18; // ST18_8@6 unsigned int *v19; // r3@6 JNIEnv *v20; // r0@6 int v21; // r1@6 int v22; // r2@6 signed __int64 v23; // r0@6 int v24; // r8@6 int v25; // r3@6 char v26; // r2@7 unsigned __int64 v27; // r0@7 JNIEnv *v28; // r0@8 int v29; // r9@8 JNIEnv *v30; // ST24_4@8 int v31; // r1@8 int v32; // r2@8 signed __int64 v33; // r0@8 signed __int64 v34; // ST18_8@8 JNIEnv *v35; // r0@8 int v36; // r1@8 int v37; // r2@8 signed __int64 v38; // r0@8 size_t v39; // [sp+2Ch] [bp-9Ch]@8 int v40; // [sp+30h] [bp-98h]@8 struct stat buf; // [sp+38h] [bp-90h]@3 v4 = this; v5 = a2; v6 = a3; v7 = a4; if ( !*(this + 2) ) { v8 = "debug"; v9 = "file path is null";LABEL_5: _android_log_print(6, v8, v9); return 0; } v10 = open(*(this + 2), 0); v11 = fstat(v10, &buf); if ( v11 ) { v8 = "debug"; v9 = "fstat failed"; goto LABEL_5; } v13 = buf.st_blksize; *v6 = buf.st_blksize; *v4 = v13; v14 = mmap(0, *v6, 3, 2, v10, 0); *(v4 + 1) = v14; close(v10); v15 = _android_log_print( 3, "debug", "dex magic %c %c %c %c %c %c %c", *v14, *(v14 + 1), *(v14 + 2), *(v14 + 3), *(v14 + 4), *(v14 + 5), *(v14 + 6)); v18 = ali::NanoTime(v15, v16, v17); ali::decryptRc4(v14, v14, v6, v19); v23 = ali::NanoTime(v20, v21, v22); ali::PrettyDuration((v23 - v18), v23 - v18); _android_log_print(3, "debug", "decrypted len:%u", *v6); v24 = 0; _android_log_print( 3, "debug", "after decrypt dex magic %c %c %c %c %c %c %c", *v14, *(v14 + 1), *(v14 + 2), *(v14 + 3), *(v14 + 4), *(v14 + 5), *(v14 + 6)); v25 = v14 + 4; do { v26 = 8 * v11++; v27 = *(v25++ + 1) << v26; v24 += v27; } while ( v11 != 8 ); _android_log_print(3, "debug", "unpackSize: %u", v24); *v4 = v7 + v24; v28 = mmap(0, v7 + v24, 3, 34, -1, 0); *(v4 + 1) = v28; v29 = v28 + v7; v30 = v28; v33 = ali::NanoTime(v28, v31, v32); v39 = *v6; v34 = v33; v40 = v24; v35 = LzmaDecode(v29, &v40, v14 + 13, &v39); v38 = ali::NanoTime(v35, v36, v37); ali::PrettyDuration((v38 - v34), v38 - v34); munmap(v14, buf.st_blksize); _android_log_print( 3, "debug", "after uncompressed dex magic %c %c %c %c %c %c %c", *(v30 + v7), *(v29 + 1), *(v29 + 2), *(v29 + 3), *(v29 + 4), *(v29 + 5), *(v29 + 6)); *v6 = v24; if ( v5 ) *v5 = *(v4 + 1); return *(v4 + 1);}
0x03 动态调试libmobisec.so
C:\Users\wangz\Desktop>adb push android_server /data/local
C:\Users\wangz\Desktop>adb shellroot@jflte:/ #cd data/local
root@jflte:/data/local #chmod 777 android_server
C:\Users\wangz\Desktop>adb install jscrack.apk[100%] /data/local/tmp/jscrack.apkWARNING: linker: app_process has text relocations. This is wasting memory and is a security risk. Please fix.WARNING: linker: app_process has text relocations. This is wasting memory and is a security risk. Please fix. pkg: /data/local/tmp/jscrack.apkSuccess
root@jflte:/data/local # ./android_serverIDA Android 32-bit remote debug server(ST) v1.19. Hex-Rays (c) 2004-2015Listening on port #23946...
C:\Users\wangz>adb shellroot@jflte:/ # cat default.prop## ADDITIONAL_DEFAULT_PROPERTIES#ro.secure=0ro.allow.mock.location=0ro.debuggable=0ro.adb.secure=0persist.sys.usb.config=mtp,adbpersist.radio.add_power_save=1androidboot.selinux=0
root@jflte:/data # getprop ro.debuggable0
root@jflte:/data # ./mprop ro.debuggable 1......0001ffa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0001ffb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0001ffc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0001ffd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0001ffe0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0001fff0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................patching it at:0xb6e48290[0xb6f8d288], value:[0x00000031 -> 0x00000031]patching it at:0xb6e4828c[0xb6f8d284], value:[0x01000000 -> 0x01000000]patched, reread: [0xb6f8d288] => 0x00000031patched, reread: [0xb6f8d284] => 0x01000000
root@jflte:/data # getprop ro.debuggable1
打开Android Device Monitor
C:\Users\wangz>adb forward tcp:23946 tcp:23946
C:\Users\wangz>adb shell am start -D -n com.ali.tg.testapp/com.ali.tg.testapp.MainActivityWARNING: linker: app_process has text relocations. This is wasting memory and is a security risk. Please fix.WARNING: linker: app_process has text relocations. This is wasting memory and is a security risk. Please fix.Starting: Intent { cmp=com.ali.tg.testapp/.MainActivity }
此时手机上应该出现Waiting For Debugger
C:\Users\wangz>jdb -connect com.sun.jdi.SocketAttach:port=8700,hostname=localhost
text:00026A84 01 F0 B4 FE BL _ZN3ali7EncFile14openWithHeaderEPPhPjj ; ali::EncFile::openWithHeader(uchar **,uint *,uint)
0x04 Dump源dex文件
auto fp, begin, end, dexbyte;fp = fopen("E:\\dump.dex", "wb");begin = 0x77841010;end = begin + 0x000941FC;for ( dexbyte = begin; dexbyte < end; dexbyte ++ )fputc(Byte(dexbyte), fp);
是在libdvm.so中,只需要在attach上进程后直接在加载的Module list里找到libdvm.so,然后找到dvmDexFileOpenPartial()
/* * Create a DexFile structure for a "partial" DEX. This is one that is in * the process of being optimized. The optimization header isn't finished * and we won't have any of the auxillary data tables, so we have to do * the initialization slightly differently. * * Returns nonzero on error. */int dvmDexFileOpenPartial(const void* addr, int len, DvmDex** ppDvmDex){ DvmDex* pDvmDex; DexFile* pDexFile; int parseFlags = kDexParseDefault; int result = -1; /* -- file is incomplete, new checksum has not yet been calculated if (gDvm.verifyDexChecksum) parseFlags |= kDexParseVerifyChecksum; */ pDexFile = dexFileParse((u1*)addr, len, parseFlags); if (pDexFile == NULL) { ALOGE("DEX parse failed"); goto bail; } pDvmDex = allocateAuxStructures(pDexFile); if (pDvmDex == NULL) { dexFileFree(pDexFile); goto bail; } pDvmDex->isMappedReadOnly = false; *ppDvmDex = pDvmDex; result = 0;bail: return result;}
0x05 修复Application
0x06 小结