Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze so files in the reverse basis of Android. The content is concise and easy to understand, which will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Introduction to 0x00

In the analysis of so files, we need some logical implementation of ARM assembly.

In the code logic, only the if,switch, as well as the loop, is analyzed and created by a demo. It might be a lot of space.

Content

1.if logic NDK programming

ARM Analysis of 2.if Logic

3.switch logic NDK programming

ARM Analysis of 4.switch Logic

5. Cyclic logic NDK programming

6. ARM Analysis of cyclic Logic

0x01 if logic NDK programming

Demo uses the previous demo. If you are interested, you can check it out.

Blog navigation pokes here

Description

Demo mainly implements an input and then returns different contents according to the input. It is implemented in the Native layer.

The first step is function writing

First add a function, and then use ALT+Enter to create it automatically

The second step is automatic generation.

A function is automatically generated in the .cpp file

JNIEXPORT jstring JNICALLJava_com_example_hanlei_myapplication_MainActivity_panduan (JNIEnv * env, jobject instance, jint I) {/ / TODO return env- > NewStringUTF (returnValue);} the third step is to write c language code JNIEXPORT jstring JNICALLJava_com_example_hanlei_myapplication_MainActivity_panduan (JNIEnv * env, jobject instance, jint I) {if (iSuppli) {return env- > NewStringUTF ("I LOVE YOU!");} return env- > NewStringUTF ("Sorrry") } the fourth step is to write xml, the fifth step is to write logic.

This is the code of MainActivity.

Package com.example.hanlei.myapplication;import android.support.v7.app.AppCompatActivity;import android.os.Bundle;import android.view.View;import android.widget.EditText;import android.widget.TextView;public class MainActivity extends AppCompatActivity {private TextView tv;private EditText et; / / Used to load the 'native-lib' library on application startup. Static {System.loadLibrary ("native-lib");} @ Override protected void onCreate (Bundle savedInstanceState) {super.onCreate (savedInstanceState); setContentView (R.layout.activity_main); / / Example of a call to a native method tv = (TextView) findViewById (R.id.sample_text); et=findViewById (R.id.et) FindViewById (R.id.btn) .setOnClickListener (new View.OnClickListener () {@ Override public void onClick (View view) {tv.setText (panduan (Integer.parseInt (et.getText (). ToString ();}});} / * * A native method that is implemented by the 'native-lib' native library, * which is packaged with this application. * / public native String stringFromJNI (); public native String getHelloJni (); public native void updateFile (String path); public native String panduan (int I);}

This is the main code.

FindViewById (R.id.btn) .setOnClickListener (new View.OnClickListener () {@ Override public void onClick (View view) {tv.setText (panduan (Integer.parseInt (et.getText (). ToString ();}}); summary

It's very simple, but explain more.

Disassembly Analysis of 0x02 if Logic

Disassembly analysis is, of course, thrown into IDA for analysis.

The problem here is that only 32-bit IDA can use the F5 plug-in. I didn't know it before, but it was cheated for a long time.

I pretend I don't know the name of my function or something. Analyze it according to the process.

Originally, the first step was to have a trial, but I'll forget it when I try demo.

The first step is to decompile and find the function.

Decompilation, find Android Killer

Disassemble the function after it is found.

The second step is disassembly

Double-click to enter the function.

Step 3 F5 plug-in

The F5 plug-in is really easy to use, but we still focus on ARM.

The fourth step is ARM analysis

First, let's take a look at the flow chart.

You can see from the flowchart that this is a flowchart of if logic.

Let's look at the main code.

.text: 00004644 PUSH {R7,LR} .text: 00004646 MOV R7, SP.text:00004648 SUB SP, SP, # 0x20.text:0000464A MOV R3, R2.text:0000464C MOV R12 R1.text:0000464E MOV LR, R0.text:00004650 STR R0, [SP,#0x28+var_10] .text: 00004652 STR R1, [SP,#0x28+var_14] .text: 00004654 STR R2, [SP # 0x28+var_18] .text: 00004656 LDR R0, [SP,#0x28+var_18] .text: 00004658 CMP R0, # 1.text:0000465A STR R3, [SP,#0x28+var_1C]. Text:0000465C STR.W R12, [SP # 0x28+var_20] .text: 00004660 STR.W LR, [SP,#0x28+var_24] .text: 00004664 BNE loc_4676.text:00004666 B loc_4668PUSH {R7,LR}

PUSH means to go into the stack.

R7 is a general purpose register

LR is: R14: link register (LR) LR is a link register, which has a special purpose in the ARM processor. When a function is called, the return address, that is, the value of PC, is saved to LR (mov lr,pc).

So this sentence means to put R7 and LR into the stack.

MOV R7, SP

This sentence is easy to understand, is to give the value of sp to R7.

Delimit an area in the random access memory area as a stack area, and data can be sequentially stored (pushed) into this area, a process called push. Usually an adjustment is made with a pointer (stack pointer SP---Stack Pointer), and the SP always points to the data unit (top of the stack) where the last data pushed into the stack is located.

SUB SP, SP, # 0x20

SUB is a subtraction operation.

The simple translation is: sp=sp-#0x20

The # 0x20 here means hexadecimal.

MOV R3, R2

R3=R2

MOV R12, R1

R12=R1

MOV LR, R0

LR=R0

STR R0, [SP,#0x28+var_10]

STR {condition} source register

The STR instruction is used to transfer a 32-bit word data from the source register to memory. This instruction is commonly used in programming.

To translate is to send the data here in R0 to [SP,#0x28+var_10].

STR R1, [SP,#0x28+var_14]

The same principle

STR R2, [SP,#0x28+var_18]

The same principle

LDR R0, [SP,#0x28+var_18]

The LDR directive is used to load an immediate number or an address value into a specified register.

CMP R0, # 1

CMP is a comparison command. Compare R0 with # 1.

CF=1, because there is a loan.

OF=0, no overflow

SF=1, the result is negative

ZF=0, the result is not all zero

STR R3, [SP,#0x28+var_1C]

The data of [SP,#0x28+var_1C] is sent to R3

STR.W R12, [SP,#0x28+var_20]

W is wide. Specifies that the assembler must select a 32-bit encoding mode for this instruction. If not, the assembler reports an error.

STR.W LR, [SP,#0x28+var_24] BNE loc_4676

Bne: data jump instruction. The Z flag bit in the flag register is not equal to 00:00. Jump to the label after BNE.

In other words, when Z is not equal to 0, that is, it is not equal, it will jump to loc_4676.

B loc_4668

Unconditional jump

Yeah, I think I get it.

If you're not satisfied, jump here.

Loc_4668; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+22 ↑ j.text:00004668 LDR R0, [SP,#0x28+var_10]; this.text:0000466A LDR R1, = (aILoveYou-0x4670) .text:0000466C ADD R1, PC "I LOVE YOU!" .text: 0000466E BLX j__ZN7_JNIEnv12NewStringUTFEPKc; _ JNIEnv::NewStringUTF (char const*) .text:00004672 STR R0, [SP,#0x28+var_C] .text:00004674 B loc_4684

If satisfied, ask to jump here.

.text: 00004676.text:00004676 loc_4676; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+20 ↑ j.text:00004676 LDR R0, [SP,#0x28+var_10]; this.text:00004678 LDR R1, = (aSorrry-0x467E) .text:0000467A ADD R1, PC "Sorrry" .text: 0000467C BLX j__ZN7_JNIEnv12NewStringUTFEPKc; _ JNIEnv::NewStringUTF (char const*) .text:00004680 STR R0, [SP,#0x28+var_C] .text:00004682 B loc_4684

In the end, it comes down to this:

Oc_4684; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+30 ↑ j.text:00004684 Java_com_example_hanlei_myapplication_MainActivity_panduan+3E ↑ j.text:00004684 LDR R0, [SP,#0x28+var_C]. Text:00004686 ADD SP, SP,# 0x20.text:00004688 POP {R7,PC}

Many of them are brought with them, so draw the important things.

First of all, this parameter.

Call the parameters and compare them

Jump according to the register

0x03 switch Logic NDK programming description

Just use the last demo to make changes, and then modify the c language program directly.

C file writing JNIEXPORT jstring JNICALLJava_com_example_hanlei_myapplication_MainActivity_panduan (JNIEnv * env, jobject instance, jint I) {switch (I) {case 1: return env- > NewStringUTF ("Love"); break; case 2: return env- > NewStringUTF ("ZHUZHU"); break; case 3: return env- > NewStringUTF ("Life") Break;} return env- > NewStringUTF ("Sorrry");} Summary

Writing is still very simple, as long as you know the interface function, there is no difficulty in the early stage.

ARM Analysis of 0x04 switch Logic

Suspension: 02:29:01 on 15 February 2018

Reason: it's time to go to bed. Well, have a good sleep, and then get up and study.

Start time: 11:33:13, February 15, 2018

Reason: just finished lunch

Went directly to IDA for analysis. Text:00004644 _ _ unwind {. Text:00004644 PUSH {R7,LR} .text: 00004646 MOV R7, SP.text:00004648 SUB SP, SP, # 0x20.text:0000464A MOV R3, R2.text:0000464C MOV R12 R1.text:0000464E MOV LR, R0.text:00004650 STR R0, [SP,#0x28+var_10] .text: 00004652 STR R1, [SP,#0x28+var_14] .text: 00004654 STR R2, [SP # 0x28+var_18] .text: 00004656 LDR R0, [SP,#0x28+var_18] .text: 00004658 CMP R0, # 1.text:0000465A STR R3, [SP,#0x28+var_1C]. Text:0000465C STR.W R12, [SP # 0x28+var_20] .text: 00004660 STR.W LR, [SP,#0x28+var_24] .text: 00004664 STR R0, [SP,#0x28+var_28] .text: 00004666 BEQ loc_467A.text:00004668 B loc_466A logic diagram analysis

First of all, the ARM code, personally understood, is in the initialization process of the function and the parameters within the function, and can also be understood as building an environment or platform where our main ARM performs logical operations, and then there is a corresponding environment release.

Let's take a look at the main logical judgment part.

CMP R0, # 1

Compare with R0 and # 1.

BEQ loc_467A

The Z flag bit in the flag register is equal to 00:00, jump to the tag after BEQ.

And then it suddenly jumps.

Suddenly found that the logic of judgment is so simple, maybe I am too ignorant.

B loc_466A

Unconditionally jump to the next judgment.

I was thinking about how to implement multiple if, but now I find that I still run it on a block-by-block basis.

Now I know that studying 8086 in those two weeks is not in vain.

Loc_466A CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+24 ↑ j.text:0000466A LDR R0, [SP,#0x28+var_28] .text: 0000466C CMP R0, # 2.text:0000466E BEQ loc_4688.text:00004670 B loc_4672.text:00004672 -text:00004672.text:00004672 loc_4672 CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+2C ↑ j.text:00004672 LDR R0, [SP,#0x28+var_28] .text: 00004674 CMP R0, # 3.text:00004676 BEQ loc_4696.text:00004678 B loc_46A4.text:0000467A -text:0000467A.text:0000467A loc_467A CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+22 ↑ j.text:0000467A LDR R0, [SP,#0x28+var_10]; this.text:0000467C LDR R1, = (aLove-0x4682) .text:0000467E ADD R1, PC; "Love" .text: 00004680 BLX j__ZN7_JNIEnv12NewStringUTFEPKc _ JNIEnv::NewStringUTF (char const*) .text:00004684 STR R0, [SP,#0x28+var_C] .text:00004686 B loc_46B2.text:00004688 -text:00004688.text:00004688 loc_4688 CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+2A ↑ j.text:00004688 LDR R0, [SP,#0x28+var_10]; this.text:0000468A LDR R1, = (aZhuzhu-0x4690). Text:0000468C ADD R1, PC; "ZHUZHU" .text: 0000468E BLX j__ZN7_JNIEnv12NewStringUTFEPKc _ JNIEnv::NewStringUTF (char const*) .text:00004692 STR R0, [SP,#0x28+var_C] .text:00004694 B loc_46B2.text:00004696 -text:00004696.text:00004696 loc_4696 CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+32 ↑ j.text:00004696 LDR R0, [SP,#0x28+var_10]; this.text:00004698 LDR R1, = (aLife-0x469E). Text:0000469A ADD R1, PC; "Life" .text: 0000469C BLX j__ZN7_JNIEnv12NewStringUTFEPKc _ JNIEnv::NewStringUTF (char const*) .text:000046A0 STR R0, [SP,#0x28+var_C]

This is the rest of the code logic, which you can analyze and use if you are interested.

I feel completely enlightened for the first time.

Then comes the circular logic.

0x05 cyclic Logic NDK programming

The steps are the same as before, I'm just changing the c code.

C code writing

Write a simple logic.

Is to judge prime numbers.

JNIEXPORT jstring JNICALLJava_com_example_hanlei_myapplication_MainActivity_panduan (JNIEnv * env, jobject instance, jint I) {int j; int NewStringUTF 1; if (iTunes 1) {return env- > NewStringUTF ("Sorrry");} if (iTune2) {return env- > NewStringUTF ("ZHUZHU I Love YOU");} for (ZHUZHU I Love YOU);} return env- > NewStringUTF ("Sorrry") } 0x06 cyclic logic ARM analysis opens the so file PUSH {R7 Magi LR} .text: 00004646 MOV R7, SP.text:00004648 SUB SP, SP, # 0x28.text:0000464A MOV R3, R2.text:0000464C MOV R12 with IDA R1.text:0000464E MOV LR, R0.text:00004650 STR R0, [SP,#0x30+var_10] .text: 00004652 STR R1, [SP,#0x30+var_14] .text: 00004654 STR R2, [SP # 0x30+var_18] .text: 00004656 MOVS R0, # 1.text:00004658 STR R0, [SP,#0x30+var_20] .text: 0000465A LDR R0, [SP,#0x30+var_18] .text: 0000465C CMP R0 # 1.text:0000465E STR R3, [SP,#0x30+var_24] .text: 00004660 STR.W R12, [SP,#0x30+var_28] .text: 00004664 STR.W LR, [SP # 0x30+var_2C]. Text:00004668 BNE loc_467A.text:0000466A B loc_466C

Here is the main part, similar to the beginning of main

Start logical analysis

This ARM code is just setting up the environment.

PUSH {R7,LR} .text: 00004646 MOV R7, SP.text:00004648 SUB SP, SP, # 0x28.text:0000464A MOV R3, R2.text:0000464C MOV R12, R1.text:0000464E MOV LR R0.text:00004650 STR R0, [SP,#0x30+var_10] .text: 00004652 STR R1, [SP,#0x30+var_14] .text: 00004654 STR R2, [SP,#0x30+var_18] MOVS R0, # 1

MOV generally does not affect CPSR, unless it executes something like MOV pc and lr, which is equivalent to BX lr in effect and may affect the T flag bit.

MOVS will always affect CPSR, including the NMagi Zpene C flag bit. When executing MOVS pc and lr, CPSR will be overwritten by SPSR (kernel state, there is no SPSR in USER and SYSTEM mode)

To put it simply, it is R0room1.

STR R0, [SP,#0x30+var_20]

Then store this value in [SP,#0x30+var_20] here.

LDR R0, [SP,#0x30+var_18]

Take out the value of [SP,#0x30+var_18] to R0

CMP R0, # 1

Then take it out and compare it.

STR R3, [SP,#0x30+var_24] .text: 00004660 STR.W R12, [SP,#0x30+var_28] .text: 00004664 STR.W LR, [SP,#0x30+var_2C]

In fact, I really don't know what it is. If anyone knows, you can tell me no. Anyway, I ignored it. Does not affect the analytical logic

BNE loc_467A

Bne: data jump instruction. The Z flag bit in the flag register is not equal to 00:00. Jump to the label after BNE.

If it is not equal to # 1, the jump will be made.

B loc_466C

If equal, an unconditional jump is performed.

Now let's take a look at the loc_466C block.

Loc_466C block analysis loc_466C; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+26 ↑ j.text:0000466C LDR R0, [SP,#0x30+var_10]; this.text:0000466E LDR R1, = (aSorrry-0x4674) .text:00004670 ADD R1, PC "Sorrry" .text: 00004672 BLX j__ZN7_JNIEnv12NewStringUTFEPKc; _ JNIEnv::NewStringUTF (char const*) .text:00004676 STR R0, [SP,#0x30+var_C] .text:00004678 B loc_46E4

Call the interface function and return a string. "Sorrry"

The program finally jumps to loc_46E4

Loc_46E4 block analysis loc_46E4; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+34 ↑ j.text:000046E4 Java_com_example_hanlei_myapplication_MainActivity_panduan+4A ↑ j.... text:000046E4 LDR R0, [SP,#0x30+var_C]. Text:000046E6 ADD SP, SP,# 0x28.text:000046E8 POP {R7,PC}

This is the part of dismantling the environment.

Loc_467A Block Analysis loc_467A CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+24 ↑ j.text:0000467A LDR R0, [SP,#0x30+var_18] .text: 0000467C CMP R0, # 2.text:0000467E BNE loc_4690.text:00004680 B loc_4682

Let's look at the first sentence.

LDR R0, [SP,#0x30+var_18]

[SP,#0x30+var_18] the data here is given to R0

The data from [SP,#0x30+var_18] before is the data we entered.

CMP R0, # 2BNE loc_4690B loc_4682

If equal to # 2, jump to loc_4682, if not equal to # 2, jump to loc_4690. If equal, it will jump to loc_4682.

Loc_4682 block analysis loc_4682; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+3C ↑ j.text:00004682 LDR R0, [SP,#0x30+var_10]; this.text:00004684 LDR R1, = (aZhuzhuILoveYou-0x468A) .text:00004686 ADD R1, PC "ZHUZHU I Love YOU" .text: 00004688 BLX j__ZN7_JNIEnv12NewStringUTFEPKc; _ JNIEnv::NewStringUTF (char const*) .text:0000468C STR R0, [SP,#0x30+var_C] .text:0000468E B loc_46E4

This block returns the string "ZHUZHU I Love YOU" and then goes to loc_46E4 to restore the environment. The program is over.

Loc_4690 block

This is not equal to the jump at # 2

Loc_4690; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+3A ↑ j.text:00004690 MOVS R0, # 2.text:00004692 STR R0, [SP,#0x30+var_1C] .text:00004694 B loc_4696

Let's look at the first sentence.

MOVS R0, # 2

Give the value of # 2 to R0

STR R0, [SP,#0x30+var_1C]

Then give the value of R0 to the storage location [SP,#0x30+var_1C].

B loc_4696

Jump to the loc_4696 block.

Loc_4696 block analysis loc_4696; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+50 ↑ j.text:00004696 Java_com_example_hanlei_myapplication_MainActivity_panduan+7A ↓ j.text:00004696 LDR R0, [SP,#0x30+var_1C]. Text:00004698 LDR R1, [SP,#0x30+var_18] .text: 0000469A CMP R0 R1.text:0000469C BGE loc_46C0.text:0000469E B loc_46A0

The first sentence

LDR R0, [SP,#0x30+var_1C]

Take [SP,#0x30+var_1C] out to R0

LDR R1, [SP,#0x30+var_18]

Give the data of [SP,#0x30+var_18] to R1, and this [SP,#0x30+var_18] is the data we entered.

CMP R0, R1

Comparison between R0 and R1

BGE loc_46C0

Jump means that BGE is greater than or equal to jump. That is, when R0 > = R1, you jump to loc_46C0.

B loc_46A0

Jump to loc_46A0 in other cases

Loc_46C0 Block Analysis loc_46C0 CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+58 ↑ j.text:000046C0 LDR R0, [SP,#0x30+var_20] .text: 000046C2 CMP R0, # 1.text:000046C4 BNE loc_46D6.text:000046C6 B loc_46C8 LDR R0, [SP # 0x30+var_20]

Give the value of [SP,#0x30+var_20] to R0

CMP R0, # 1

Then make a comparison.

BNE loc_46D6

Jump to loc_46D6,loc_46D6 and return sorry if it is not equal.

B loc_46C8

If equal, jump to loc_46C8 and return "ZHUZHU I Love YOU"

Loc_46A0 Block Analysis loc_46A0 CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+5A ↑ j.text:000046A0 LDR R0, [SP,#0x30+var_18] .text: 000046A2 LDR R1, [SP,#0x30+var_1C]. Text:000046A4 BL sub_1422C.text:000046A8 CMP R1 # 0.text:000046AA STR R0, [SP,#0x30+var_30] .text: 000046AC BNE loc_46B6.text:000046AE B loc_46B0

The first sentence

LDR R0, [SP,#0x30+var_18]

Take the data of [SP,#0x30+var_18] to R0, and [SP,#0x30+var_18] is the input value.

LDR R1, [SP,#0x30+var_1C]

Remove the data from [SP,#0x30+var_1C] to R1, and [SP,#0x30+var_1C] is the data accessed in loc_4690, now # 2

BL sub_1422C

Jump to sub_1422C

Let's take a look at sub_1422C

Sub_1422C; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+60 ↑ p.text:0001422C.text:0001422C FUNCTION CHUNK AT .text: 0001421A SIZE 00000012 BYTES.text:0001422C.text:0001422C CMP R1, # 0.text:0001422E BEQ loc_1421A.text:00014230 PUSH.W {R0,R1,LR} .text: 00014234 BL sub_1416C.text:00014238 POP.W {R1 R2,LR} .text: 0001423C MUL.W R3, R2, R0.text:00014240 SUB.W R1, R1, R3.text:00014244 BX LR.text:00014244 End of function sub_1422CCMP R1, # 0

Compare R1 with 0, and the previous R1 is # 2

BEQ loc_1421A

If you are equal, you jump.

PUSH.W {R0,R1,LR}

Enter the stack

BL sub_1416C

Jump to sub_1416c

Sub_1416c

Sub_1416C CODE XREF: sub_1422C+8 ↓ p.text:0001416C EOR.W R12, R0, R1.text:00014170 IT MI.text:00014172 NEGMI R1, R1.text:00014174 SUBS R2, R1 # 1.text:00014176 BEQ loc_141EA.text:00014178 MOVS R3, R0.text:0001417A IT MI.text:0001417C NEGMI R3, R0.text:0001417E CMP R3 R1.text:00014180 BLS loc_141F4.text:00014182 TST R1, R2.text:00014184 BEQ loc_14204.text:00014186 CLZ.W R2, R1.text:0001418A CLZ.W R0 R3.text:0001418E SUB.W R0, R2, R0.text:00014192 MOV.W R2, # 1.text:00014196 LSL.W R1, R1, R0.text:0001419A LSL.W R2, R2, R0.text:0001419E MOV.W R0 # 0EOR.W R12, R0, R1

The logical XOR EOR (Exclusive OR) instruction performs a bitwise XOR operation on the values and values in the register, stores the execution result in the destination register, and updates the corresponding conditional flag bits in the CPSR according to the execution result of the instruction.

IT MISUBS R2, R1, # 1

S in SUBS means to write the carry result to CPSR

R2=R1-#1 and then write to CPSR

There's a lot more after that.

Let's keep looking.

Loc_46A0

BL sub_1422C

The logic of this sentence is to calculate the content after R1 is divisible.

CMP R1, # 0

Is the comparison equal?

BNE loc_46B6

Unequal jump to loc_46B6 module

If it's equal.

Loc_46B6 Module Analysis of loc_46B8 CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan:loc_46B6 ↑ j.text:000046B8 LDR R0, [SP,#0x30+var_1C]. Text:000046BA ADDS R0, # 1.text:000046BC STR R0, [SP # 0x30+var_1C]. Text:000046BE B loc_4696LDR R0, [SP,#0x30+var_1C] ADDS R0, # 1STR R0, [SP,#0x30+var_1C]

Take it out, put the variable + 1 and save it.

B loc_4696

Jump to loc_4696

This is the whole cycle.

# # loc_46B0 Module Analysis

Loc_46B0; CODE XREF: Java_com_example_hanlei_myapplication_MainActivity_panduan+6A ↑ j.text:000046B0 MOVS R0, # 0.text:000046B2 STR R0, [SP,#0x30+var_20] .text: 000046B4 B loc_46B6

This module is to change the value stored in [SP,#0x30+var_20] to # 0

And then continue to cycle.

The above content is how to analyze so files in the reverse basis of Android. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.