Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you what is the analysis idea of CreakeMe in so static analysis. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Description

Get a CreakeMe and write an analytical train of thought. CreakMe mainly analyzes the contents of .so files, of course, a lot of learning Android reverse in the analysis of smali code has stopped. Further reverse learning begins when you come into contact with .so files, and of course you need to learn ARM assembly here. There is a lot of information about ARM compilation on the Internet, so I won't repeat it here.

Navigation

Please use: HAI manual

0x01 analysis logic 1. Initial interface

two。 Enter a number

3. Enter the character 4. Summary

Try to use App to draw these conclusions.

1. We need a key.

two。 This key is a number.

Logic Analysis of 0x02 java layer

Get the smali code in reverse.

Tool: Android Killer.

1. Logical analysis

Find the entrance MainActivity.

We see a piece of code here:

The purpose of this code is to call the so file library. We speculate that the App probably wrote the key key in the so file.

Let's move from the onClick method to the key point.

Here is the place to judge whether it is right or wrong, and here we see that if the values of v0 and v2 are not equal, jump. And here the value of v2 is 1.

Let's look up.

Here is a calling method.

Here we see that this is the method of the Native layer. And this method returns an int data, which is guessed to be 0 or 1. Another one here is that an int data is passed in, and according to our previous test, we know that this is what we entered from the input box.

two。 Logical graph guess

Monitor event-- enter key--key method to determine-- return 0 or 1

1 is right, 0 is error.

But we still haven't found the content of Key.

0x02 Native layer analysis

So reverse

Use tools: ida

1. Key method analysis

Find the key Key function.

Here you can see that ARM assembly is more difficult than smali in one degree or two degrees.

In order to improve our ability, we still analyze it sentence by sentence. If you are studying, please do not rely on F5.

PUSH {R7,LR}

Stack the R7 register and LR.

The meaning of R7 refers to the address of the previous saved stack frame and link register on the stack.

You may not know the role of LR here. To put it simply, one of the functions of LR is to save the return address of the subroutine. Another is that when an exception occurs, the value stored in LR is equal to the value of PC minus 4 when the exception occurs. LR is equivalent to a backup.

MOV R7, SP

The meaning here marks the end of the caller stack frame and the beginning of the callee stack frame. Now that the parameters are ready, we can begin to execute the program.

SUB SP, SP, # 0x20

This is to make room for subroutines.

At the end of the above three steps, the ARM call section ends.

MOV R3, R2

The value of R2 is given to R3.

MOV R12, R1

The value of R1 to R12

MOV LR, R0

R0=LR .

STR R0, [SP,#0x28+var_10] STR R1, [SP,#0x28+var_14] STR R2, [SP,#0x28+var_18]

If you look at these three sentences together, it means to put R0MagneR1MagneR2 on the stack. The positions are 18, 14, 14 and 10 respectively.

LDR R0, [SP,#0x28+var_18]

Take down the contents of position 10 on the stack and give it to the R0 register. The position of 10 on our stack is R2. It's equivalent to R0=R2.

MOVS R1, # 0x80

R1 is assigned a value of 80, where the difference between movs and mov is that movs will change the NMagazo C flag. Number0 stands for an integer or 0 for an integer or 0 for an integer. At this point, R1 is > 30, so N is 0. Z represents the result of the operation. If R1 is not 0, then the flag bit of zroom1th C is generally not changed by addition or subtraction.

STR R0, [SP,#0x28+var_1C]

Put the contents of R0 on stack C.

MOV R0, R1; int

The value of R1 is given to R0.

STR R3, [SP,#0x28+var_20]

The value of R3 was originally R2, which is put on stack 8 here.

STR.W R12, [SP,#0x28+var_24]

Put the value of R12 on stack 4.

W here is wide. Specifies that the assembler must select a 32-bit encoding mode for this instruction. If not, the assembler reports an error.

STR.W LR, [SP,#0x28+var_28]

LR is stored in stack 0

BLX j__Z2uri

Jump to j__Z2uri. The comment here is ur (int), indicating that the function prototype is ur (int).

LDR R1, [SP,#0x28+var_1C]

Here, put the contents of stack c into R1. At this time, we actually got the key that we entered.

CMP R1, R0

Then compare our key with R0, where R0 is the return result of the last ur.

BNE loc_4490

Different jump loc_4490

B loc_448A

Otherwise jump to loc_448A

Here we know that the key method is ur (int).

Finally, let's take a look at the flow chart.

Analysis of 2.ur (int) method

Seriously... It is really tiring to analyze this, but the progress is still very fast.

2.1 Analysis of the first paragraph PUSH {R7 PUSH LR} MOV R7, SPSUB SP, SP, # 0x28

As mentioned before, these three lines are equivalent to the preparatory stage of ARM.

MOV R1, R0STR R0, [SP,#0x30+var_C] LDR R0, [SP,#0x30+var_C] STR R0, [SP,#0x30+var_10]

The effect of this small part is that R1=R0, part of stack 24 is saved as R0, and R0 is re-copied to stack 20.

LDR R0, [SP,#0x30+var_C]

Take R0 off stack 24

STR R0, [SP,#0x30+var_14]

Then give the value of R0 to the position of stack 2C.

Here, let's take a look at the flow chart.

If you have analyzed the loop before, you will know that this must be a loop logic. And loops and if statements are nested in the loop.

MOVS R0, # 2

Assign the immediate count 2 to R0.

STR R0, [SP,#0x30+var_18]

Count 2 immediately to stack 18.

STR R1, [SP,#0x30+var_1C]

Our R1 was originally the value of R0, but now we give the value of R1 to stack 14.

B loc_42E2

Jump to loc_42E2 unconditionally.

The current position, to sum up, is equivalent to writing

I=2sp [5] = 128

Let's look at the loc_42E2 section.

LDR R0, [SP,#0x30+var_18]

Get the immediate count # 2 from stack 18. And give R0.

MULS R0, R0

Multiply the two understanding books. The current status is R0forth, R0forth, R0rem, R0re4.

LDR R1, [SP,#0x30+var_14]

Take the data out of stack 1C, where the data is previously stored in R0 and R0 is 128. Here is a little question, why not take the data from stack 14.

CMP R0, R1

Compare R0 and R1

BGT loc_433E

If greater than, jump to loc_433E

B loc_42EE

Otherwise jump to loc_42EE

At this time, let's take a look at the flow chart.

Mainly looking at the framed content, there is a branch that ends, which proves that this part is over.

And the other side will return loc_42E2, which shows what the situation is, this is a typical for loop.

If necessary later, comb through all possible state logic diagrams.

Let's first analyze the loc_42EE part.

LDR R0, [SP,#0x30+var_14]

Get the data from stack 1c. At this time, the data stored in stack 1c is 128. Hexadecimal is displayed as 80

LDR R1, [SP,#0x30+var_18]

When you get the data from the stack 18, the content stored in the stack 18 is 2.

BL sub_13FCC

Jump to sub_13FCC and save the address of the next entry. You can use mov PC,LR to return to the same place.

Let's first take a look at the subroutine sub_13FCC.

CMP R1, # 0

Compare R1 with the immediate count of 0. Let's determine the number of R1.

BEQ loc_13FBA

Jump to loc_13FBA if equal

PUSH.W {R0,R1,LR}

Put R0Magol R1 LRL into the stack.

BL sub_13F0C

Jump to sub_13F0C and save LR.

After that, there is a long list, and those who are interested here can continue to analyze it. It is directly stated here that the result is a residual operation on 128.

128% I

Let's go back to the previous ur method and continue the analysis.

CMP R1, # 0

Compare the results of our balances.

STR R0, [SP,#0x30+var_20]

Put the value of R0 on the stack 10. The value of R0 is 128.

BNE loc_4334

If it is not equal, jump to loc_4334.

B loc_42FE

Otherwise jump to loc_42FE

If you jump to loc_4334.

Go straight into the second cycle.

If you are jumping to loc_42FE, make a deeper judgment.

2.2 Summary

Generally speaking, this CreakMe is like this.

For (int I * I)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.