
First, take a look at this .so library:

Drag it into IDA for a static look: not much information is visible. The reason is simple: the file has been tampered with;

What to do? Make a simple modification with 010 Editor:
Drag it into 010 Editor and run the ELF.bt template to identify the structure:

Recognition result:

There is section information in the header:

First modify the section-related fields in the ELF header. These three (the section header table offset, the number of section headers and the section-name string table index, i.e. e_shoff, e_shnum and e_shstrndx):

After saving, drag it into IDA again: no exception this time, and it can recognise things:

Why does this work? Because once the section information is gone, IDA stops trusting the (bogus) section headers and parses the program headers (segments) instead;
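As an added example (not part of the original post), here is a small Python script that does the same edit that 010 Editor was used for above: it checks whether the section header table in an ELF32/ARM .so is implausible and then zeroes e_shoff, e_shnum and e_shstrndx, so IDA ignores the section table and loads from the program headers. Which three fields the author patched is inferred from the effect described; the sample image built by `make_sample_elf` is constructed for offline testing and contains no real code.

```python
"""Zero the section-header fields of a packed ELF32/ARM .so so IDA falls back to the program headers.
Added example; the sample image is constructed for offline testing and holds no real code."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB = 1
SHENTSIZE32 = 40  # sizeof(Elf32_Shdr)

# Field offsets inside the 52-byte Elf32_Ehdr
E_SHOFF = 0x20      # Elf32_Off  e_shoff
E_SHENTSIZE = 0x2E  # Elf32_Half e_shentsize
E_SHNUM = 0x30      # Elf32_Half e_shnum
E_SHSTRNDX = 0x32   # Elf32_Half e_shstrndx


def read_shdr_fields(data: bytes) -> dict:
    """Return the section-header fields of a little-endian ELF32 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("expected ELF32 little-endian (32-bit ARM)")
    e_shoff, = struct.unpack_from("<I", data, E_SHOFF)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, E_SHENTSIZE)
    return {"e_shoff": e_shoff, "e_shentsize": e_shentsize,
            "e_shnum": e_shnum, "e_shstrndx": e_shstrndx}


def section_table_is_bogus(data: bytes) -> bool:
    """True when the header points at a section table that cannot be real (the packer's trick)."""
    f = read_shdr_fields(data)
    if f["e_shoff"] == 0 or f["e_shnum"] == 0:
        return False  # no section table at all: nothing for IDA to choke on
    table_end = f["e_shoff"] + f["e_shentsize"] * f["e_shnum"]
    return (table_end > len(data)
            or f["e_shentsize"] != SHENTSIZE32
            or f["e_shstrndx"] >= f["e_shnum"])


def strip_section_headers(data: bytes) -> bytes:
    """Zero e_shoff, e_shnum and e_shstrndx; program headers and code are left untouched."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, E_SHOFF, 0)
    struct.pack_into("<HH", buf, E_SHNUM, 0, 0)
    return bytes(buf)


def make_sample_elf(shoff: int, shnum: int, shstrndx: int, size: int = 0x200) -> bytes:
    """Constructed ELF32/ARM shared-object image: a real header layout over zero padding."""
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        3,            # e_type      ET_DYN
        40,           # e_machine   EM_ARM
        1,            # e_version
        0x1000,       # e_entry
        52,           # e_phoff     program headers right after the ELF header
        shoff,        # e_shoff
        0x05000000,   # e_flags     EABI version 5
        52, 32, 1,    # e_ehsize, e_phentsize, e_phnum
        SHENTSIZE32, shnum, shstrndx)
    return hdr + b"\x00" * (size - len(hdr))


if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as fh:
        image = fh.read()
    print("section table bogus:", section_table_is_bogus(image))
    with open(path + ".fixed", "wb") as fh:
        fh.write(strip_section_headers(image))
```

Run it as `python fix_shdr.py libjiagu.so` to get `libjiagu.so.fixed` next to the original; the edit only touches three header fields, so the program headers the linker actually uses are unchanged and the patched file still loads on the device.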
Look at the export list: the function names have also been processed, but JNI_OnLoad is still visible:

Double-click it and some information can still be seen;

Ctrl+S (segments), come here and take a look:

Click sub_1AD8: there is no information here;

Press F5 (Hex-Rays) directly to see JNI_OnLoad:

Fix up the parameter types (JNI_OnLoad takes a JavaVM* and a void* reserved):

Nothing can be seen by clicking into the function below;

Double-click in and keep following:
it turns out to be a switch dispatch loop;

F5 once more:

The branches are quite long and nothing obvious can be read from them; go straight to dynamic analysis;

To analyse this function, set a breakpoint on open as before:
After F9, this .so is loaded:

Breakpoint in the linker:

Breakpoint in libdvm:

After F9 the linker breakpoint hits:

F7 into it: nothing found;

Continue with F9, the linker breakpoint hits again, then F7:

F7 down, a function is found:

It later enters libdvm.so and calls getenv;

Back out, continue F7, here is a function:

F7 into it and follow it down:

After arriving here:

F7 down, here is a function,

Go in, F7 down, and it turns out to be a loop: it keeps comparing the values of R2 and R3;

After F4 (run to cursor), F7 down: here comes the jump table:

Continue F7 down: we arrive at the case 26 branch:

F7 all the way down, here is a BLX call:

F7 down, syncing on the R1 register: the keyword comes into view;

Below it is a loop, syncing on R3: it is decrypting the string:

Further down, another loop, this time through the R2 register:

Continue F7,

Continue F8 down, arriving here:

Continue F7 down; this is a loop that keeps reading and keeps comparing the result against R0;

If the BEQ here is taken (the values are equal), it jumps straight to here:

It went from the linker to JNI_OnLoad, which shows that nothing of interest happens inside the linker; so the approach can be changed: go directly to libdvm and find the JNI_OnLoad call there;

Reuse the same method: break on open and work back up;
Jump to the open function, press F2 to set a breakpoint, F9 to run, then Ctrl+F7 (run until return) to get back to the caller:
Sync the R0 window: here it is; this shows it is scanning for TracerPid (the field in /proc/self/status),

Go back:

Go back:

Why did the program crash when it was run again?
The reason is the value of the R0 register:

What does this mean?
First convert 4A24 to decimal: 18980
Run an adb command to list processes: that is the PID of the current as (android_server) process; it means it has detected that we are debugging the program;

So this anti-debugging has to be removed:

In other words, case 26 is the anti-debugging branch;

After the change, go back up:

Go back, and we arrive here;

Continue back up:
Here R0 is compared with 0, and R0 still holds the PID of the as process;

If not equal, it jumps here:

Click in: it is kill:

Arriving here, press P once (create function): it is a function,

Go in, press P once:
Obviously this is the anti-debugging logic, and there are several more branches;

How to modify it? Just make this function return a fixed value;
Before modifying the code, first set this to 0:

Sync the Disassembly window and click here, so the corresponding hex bytes are shown below:

These are ARM instructions,
Apply the patch: instruction 1:

Select the 8 hex digits (one 4-byte ARM instruction) and press F2 to edit them:

Continue with instruction 2:

Effect after modification:
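Added example, not from the original post: the TracerPid check that the case 26 branch boils down to, and the two-instruction patch that makes the detection function return a constant. The /proc/self/status text is a constructed sample with the PID that appeared in R0 above; the stub `MOV R0, #0 ; BX LR` is my choice of "return a fixed value" in ARM mode, the post does not show which two instructions the author typed, and the file offset passed to `patch_return_zero` is assumed to be the function's start in the file (not its loaded address).

```python
"""TracerPid anti-debugging check (what the case 26 branch does) and the return-constant patch.
Added example; the status text is a constructed sample and the stub encoding is my choice."""
import re
import struct

# Constructed /proc/self/status excerpt for a process being ptraced by IDA's
# android_server, PID 18980 (0x4A24, the value that showed up in R0 above).
SAMPLE_STATUS = (
    "Name:\tcom.example.app\n"
    "State:\tt (tracing stop)\n"
    "Tgid:\t19033\n"
    "Pid:\t19033\n"
    "PPid:\t146\n"
    "TracerPid:\t18980\n"
    "Uid:\t10056\t10056\t10056\t10056\n"
)


def tracer_pid(status_text: str) -> int:
    """Extract the TracerPid value; 0 means no ptrace parent is attached."""
    m = re.search(r"^TracerPid:\s*(\d+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no TracerPid line in status text")
    return int(m.group(1))


def debugger_detected(status_text: str) -> bool:
    """The decision the packer makes before calling kill: non-zero TracerPid == debugger attached."""
    return tracer_pid(status_text) != 0


def self_is_traced() -> bool:
    """Live version of the check, reading this process's own status file (Linux/Android only)."""
    try:
        with open("/proc/self/status", "r", encoding="ascii", errors="replace") as fh:
            return debugger_detected(fh.read())
    except OSError:
        return False


# A32 (ARM, not Thumb) encodings of "MOV R0, #0" and "BX LR": two 4-byte instructions,
# i.e. the two 8-hex-digit edits made with F2 in IDA's hex view.
MOV_R0_0 = 0xE3A00000
BX_LR = 0xE12FFF1E


def patch_return_zero(image: bytes, func_file_off: int) -> bytes:
    """Overwrite the first two instructions of an ARM-mode function so it returns 0 at once."""
    if func_file_off % 4 or func_file_off + 8 > len(image):
        raise ValueError("offset must be 4-byte aligned and leave room for 8 bytes")
    buf = bytearray(image)
    struct.pack_into("<II", buf, func_file_off, MOV_R0_0, BX_LR)
    return bytes(buf)


def patch_bytes_as_ida_shows(image: bytes, func_file_off: int) -> str:
    """Hex bytes of the stub in file order, the way IDA's hex window displays them."""
    return " ".join(f"{b:02X}" for b in image[func_file_off:func_file_off + 8])
```

The patch only works if the function is in ARM mode (the post confirms "these are ARM instructions"); a Thumb function would need the 2-byte encodings `MOVS R0, #0` (20 00) and `BX LR` (70 47) instead. Patching in memory from IDA only lasts for that session, so writing the bytes into the file as above is what makes the fix stick.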

With the anti-debugging dealt with, set a breakpoint in mmap: break at the tail of mmap;

OK, F9 to run the program: let it break at the end of the mmap function;

How to watch mmap here? Use F9 to run to the tail of mmap, then F7 to step to the next instruction, which lands wherever the call came from; when it lands in libdvm.so it does not matter, just F9 to continue to the next mmap break; only watch the calls made from jiagu.so;

Pay attention to the mmap operation: do not F9 straight from the head to the tail breakpoint; step one instruction at a time, and once you have stepped back into the .so take one step and then F9;
Continue this and the apk information appears here first:

Continue, and this is what appears:

Continue: the R0 window below shows dey036 (the dey\n036 magic of an optimized dex header);

Continue, and here comes the dex-related information:

Look at its address, and go to its segment:

Once there, these are the decrypted dex bytes

And here is the size of this dex file:

Knowing the start address and the size, use a script to dump it:

Dumping may take some time;

In other words, when dex-related data shows up and there is not much information, Ctrl+S to view the module's segments; generally the dex-related data is placed in another region;

Usually the decrypted dex is kept in memory, for example this one is placed in a region called debug:
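Added example (not the author's dump script): a Python carver that, given a raw dump of a memory region, does what the post does by hand with a start address and size read off the screen. It scans for the dex magic, reads file_size from header offset 0x20, sanity-checks header_size and the endian tag so a magic that happens to sit inside string data is not mistaken for a header, and verifies the Adler-32 checksum stored at offset 8. The odex helper reads the dey\n036 header mentioned above (dexOffset/dexLength at offsets 8 and 12). The sample dex and odex images are constructed in the block and contain no real app code.

```python
"""Carve decrypted dex files out of a raw memory-region dump.
Added example; the sample dex images are constructed for offline testing."""
import struct
import zlib
from typing import List

DEX_MAGICS = (b"dex\n035\0", b"dex\n036\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
ODEX_MAGIC = b"dey\n036\0"   # optimized dex; the header wraps an ordinary dex
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def find_dex_headers(region: bytes) -> List[int]:
    """Offsets of every dex magic in the region, in address order."""
    offs = []
    for magic in DEX_MAGICS:
        i = region.find(magic)
        while i != -1:
            offs.append(i)
            i = region.find(magic, i + 1)
    return sorted(offs)


def dex_checksum_ok(dex: bytes) -> bool:
    """The header's Adler-32 covers everything after the checksum field (offset 12 onward)."""
    stored, = struct.unpack_from("<I", dex, 8)
    return (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == stored


def carve_dex_files(region: bytes) -> List[bytes]:
    """Return every complete, plausible dex image in the region (file_size is read from the header)."""
    found = []
    for off in find_dex_headers(region):
        if off + DEX_HEADER_SIZE > len(region):
            continue
        file_size, header_size, endian = struct.unpack_from("<III", region, off + 0x20)
        if header_size != DEX_HEADER_SIZE or endian != DEX_ENDIAN_CONSTANT:
            continue  # magic inside string data, not a header
        if file_size < DEX_HEADER_SIZE or off + file_size > len(region):
            continue  # truncated or garbage size: decryption was not finished at this point
        found.append(region[off:off + file_size])
    return found


def odex_embedded_dex(region: bytes, off: int) -> bytes:
    """For a dey\\n036 header: the dex it wraps lives at dexOffset/dexLength (offsets 8 and 12)."""
    if region[off:off + 8] != ODEX_MAGIC:
        raise ValueError("not an odex header")
    dex_off, dex_len = struct.unpack_from("<II", region, off + 8)
    return region[off + dex_off:off + dex_off + dex_len]


def make_sample_dex(payload: bytes) -> bytes:
    """Constructed minimal dex: valid 0x70-byte header with correct size, endian tag and checksum."""
    size = DEX_HEADER_SIZE + len(payload)
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, size, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    checksum = zlib.adler32(bytes(hdr[12:]) + payload) & 0xFFFFFFFF
    struct.pack_into("<I", hdr, 8, checksum)
    return bytes(hdr) + payload


def make_sample_odex(dex: bytes) -> bytes:
    """Constructed odex wrapper: 0x28-byte DexOptHeader followed by the dex."""
    opt_hdr_size = 0x28
    hdr = ODEX_MAGIC + struct.pack("<II", opt_hdr_size, len(dex))
    return hdr + b"\x00" * (opt_hdr_size - len(hdr)) + dex
```

The checksum is the quick way to tell a fully decrypted dex from one caught half way: if `dex_checksum_ok` fails on a carved image, the mmap breakpoint fired too early and the dump should be taken a few calls later. The region itself can come from IDA's own dump script or from reading /proc/<pid>/mem; the carver does not care how it was obtained.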

OK, find the dumped file;

Drag it into jadx, and here is the code;

Looking at the logic, everything is present, which shows the unpacking was very successful;
