
Ida静态分析不能转成伪代码


@clf wrote:

这里我有2个问题,相关,所以我都放在一起问了:

问题一:

在静态分析的时候,有几个类的所有方法都没办法 F5(下面贴的是 IDA 生成的伪代码和对应的汇编;F5 的具体报错信息没有附上):

IDA版本:7.0
Arch:ARM64

在ARM64的时候,伪代码是这样的:
// IDA 7.0 pseudocode for the ARM64 slice of the method, as pasted (not compilable C).
// This output is misleading, not merely incomplete: the listing that follows shows only
// `STP X0, X30, [SP,#-0x10]!` and then `BL 0x1012A5738`, i.e. a branch to the very next
// instruction. That BL is not a call into a separate routine; it is the first half of a
// trampoline that saves X0/LR and then forges a new "return address" (see sub_1012A5738).
// The decompiler models it as an ordinary call and therefore never reaches the real body.
id __cdecl -[xxx xxx](xxx *self, SEL a2, id a3, id a4, id a5, id a6, int a7, int a8, id *a9)
{
sub_1012A5738(); // BL at 0x1012A5734 -> 0x1012A5738, the instruction right after it
return (id)sub_1012A5738(); // presumably an artifact of the same mis-modelled "call"
}

汇编如下:
; Method prologue as IDA shows it (matches lldb +0/+4 of the same method). Only these
; two instructions are "visible" to the decompiler before control leaves via the trampoline.
__text:00000001012A5730 var_10 = -0x10
__text:00000001012A5730
__text:00000001012A5730 000 STP X0, X30, [SP,#var_10]! ; save X0 and the caller's real return address
__text:00000001012A5734 000 BL sub_1012A5738 ; branch to the next instruction: X30 now points into this method


// IDA's reading of the trampoline at 0x1012A5738. The assembly (and the lldb dump of the
// same method) is `ADR X0, <target>` / `MOV X30, X0` / `RET`: the link register is
// overwritten with a computed address and RET is used as an indirect jump to it. IDA sees
// RET, assumes the function ends here and reports "returns the address", so everything at
// the target is excluded from the F5 output. This is control-flow obfuscation (a forged
// return address), not a decompiler bug.
char *sub_1012A5738()
{
return sub_1012A5758; // actually: X30 = &sub_1012A5758; RET  ==> jump to sub_1012A5758
}

汇编如下:
; Trampoline body. NOTE(review): the addresses in this pasted listing (...5758/...576C/...5770)
; do not match the lldb dump of the same method, which places these three instructions at
; +8/+12/+16 with the ADR target at +40; the listing was probably edited by hand when pasted.
; The semantics are clear either way: LR := computed address, then RET.
__text:00000001012A5758 000 ADR X0, sub_1012A5758 ; X0 = address of the real continuation
__text:00000001012A576C 010 MOV X30, X0 ; overwrite the link register with it
__text:00000001012A5770 000 RET ; "return" == indirect branch to X30, not a function exit

然后 sub_1012A5758 就没办法被反编译进去了:IDA 把 `MOV X30, X0; RET` 当成函数返回,F5 在这里就结束了,真正的方法体(从 sub_1012A5758 开始)根本不在伪代码里。

另外我尝试了ARMV7:

// IDA pseudocode for the ARMv7 (Thumb) slice of the same method. Same trick as on ARM64,
// different mechanics: the listing below pushes {R0-R2,LR}, computes
// sub_10BC390 - 5 + 0x12 = 0x10BC39D (== sub_10BC39C with the Thumb bit set), stores it
// over the saved LR slot ([SP,#0x10+var_4] with var_4 = -4, i.e. SP+0xC, the 4th pushed
// word) and then does `POP {R0-R2,PC}` -- an indirect jump disguised as a return. IDA at
// least recovers the target here, but models it as a call, so the four "arguments" are
// just whatever happened to be in R0-R3 at the time.
id __cdecl -[xxx xxx](xxx *self, SEL a2, id a3, id a4, id a5, id a6, int a7, int a8, id *a9)
{
sub_10BC39C((int)self, (int)a2, (int)a3, (int)a4); // really a jump; nothing returns here
}

汇编如下:
; Thumb trampoline IDA displays for the ARMv7 slice. Every `MOVS Rx, Rx` here is
; value-preserving (only flags change; presumably padding/junk). The real work is
; ADR, SUBS, ADDS, STR and the final POP into PC.
__text:010BC370 var_4 = -4
__text:010BC370
__text:010BC370 PUSH {R0-R2,LR} ; SP+0=R0, +4=R1, +8=R2, +0xC=LR
__text:010BC372 ADR R1, sub_10BC390
__text:010BC374 MOVS R1, R1 ; no-op
__text:010BC376 SUBS R1, #5 ; R1 = sub_10BC390 - 5
__text:010BC378 MOVS R0, R0 ; no-op
__text:010BC37A MOVS R0, R1
__text:010BC37C MOVS R2, R2 ; no-op
__text:010BC37E ADDS R0, #0x12 ; R0 = sub_10BC390 + 0xD = 0x10BC39D (sub_10BC39C | Thumb bit)
__text:010BC380 STR R0, [SP,#0x10+var_4] ; 0x10-4 = 0xC: overwrite the saved LR
__text:010BC382 POP {R0-R2,PC} ; pops the forged LR into PC -> jump to sub_10BC39C


// IDA pseudocode for the dispatcher stub at 0x10BC39C. Do not try to make sense of the
// loop body: after `MOVW R0,#8` / `BLX sub_109F4A0` the callee uses the bytes that follow
// the BLX (from 0x10BC3A8) as a 32-bit word table indexed by R0 (sub_109F4A0 does
// `LDR R1,[R1,R0,LSL#2]` with R1 derived from LR), but IDA decoded those bytes as Thumb
// `LSLS` / `MOVS R0, R0` instructions and the decompiler has "executed" them. The shift
// statements below are those table words. From `MOVT.W R3, #0x253` (= 595) onward the
// listing looks like genuine code again (the -24/1400/-260 offsets match it), but its
// register state is already garbage. The __noreturn / for(;;) shape is only the decompiler
// seeing `BL loc_10BC3A4` with R0 = 0xA at the end, i.e. a second dispatch, not a loop.
void __fastcall __noreturn sub_10BC39C(int a1, int a2, int a3, int a4)
{
int v4; // r4
int v5; // r5
int v6; // r6
int v7; // r7
int i; // r0 -- dispatch index: 8 on entry, 10 before the final BL loc_10BC3A4
int v9; // r3
int v10; // r9
int v11; // r3
int v12; // r12
int v13; // r1
int v14; // [sp+0h] [bp-Ch]
int v15; // [sp+4h] [bp-8h]

v14 = a1;
v15 = a2;
for ( i = 8; ; i = 10 ) // MOVW R0,#8 ... MOVW R0,#0xA: two table indices, not a counter
{
sub_109F4A0(i, a2, a3, a4, v14, v15); // table-driven indirect jump; does not "return" here
a3 = v6 << 10; // from here to the MOVT line: table data decoded as LSLS instructions
v6 = v5 << 25;
HIWORD(v9) = 595; // MOVT.W R3, #0x253 -- first instruction that looks like real code
v10 = *(_DWORD *)(v7 - 24) + 1400;
v11 = *(_DWORD *)(v9 + 17548280);
v12 = *(_DWORD *)(v7 - 260);
*(_DWORD *)(v7 - 276) = v4 << 27;
*(_DWORD *)(v7 - 280) = v13;
a2 = v11;
v4 = v7 - 256;
a4 = *(_DWORD *)(v7 - 276);
}
}
汇编如下:
; Dispatcher stub. Between the BLX at 0x10BC3A4 and 0x10BC3F0 the bytes are consumed as
; a 32-bit word table by sub_109F4A0 (base = LR with the Thumb bit cleared, index = R0).
; IDA has decoded them as Thumb code; the alternating `MOVS R0, R0` halves (encoding
; 0x0000 = high half-word of each small word) and the monotonically increasing LSLS
; immediates are strong hints that these are offsets, not instructions. Presumably
; the table should be undefined and marked as data; the decompiler cannot cope otherwise.
__text:010BC39C sub_10BC39C
__text:010BC39C PUSH {R0,R1,LR} ; [SP,#8] = LR, which sub_109F4A0 overwrites with the jump target
__text:010BC39E MOVW R0, #8 ; table index for the first dispatch
__text:010BC3A2 NOP
__text:010BC3A4
__text:010BC3A4 loc_10BC3A4 ; CODE XREF: sub_10BC39C+90↓j
__text:010BC3A4 BLX sub_109F4A0 ; LR = 0x10BC3A9 -> the dispatcher reads the table starting at 0x10BC3A8
__text:010BC3A8 MOVS R0, R1 ; --- start of the word table decoded as code ---
__text:010BC3AA MOVS R0, R0
__text:010BC3AC LSLS R0, R1, #1
__text:010BC3AE MOVS R0, R0
__text:010BC3B0 LSLS R0, R1, #2
__text:010BC3B2 MOVS R0, R0
__text:010BC3B4 LSLS R0, R7, #2
__text:010BC3B6 MOVS R0, R0
__text:010BC3B8 LSLS R4, R4, #4
__text:010BC3BA MOVS R0, R0
__text:010BC3BC LSLS R2, R0, #5
__text:010BC3BE MOVS R0, R0
__text:010BC3C0 LSLS R2, R0, #7
__text:010BC3C2 MOVS R0, R0
__text:010BC3C4 LSLS R2, R2, #7
__text:010BC3C6 MOVS R0, R0
__text:010BC3C8 LSLS R4, R4, #7 ; 0x10BC3A8 + 8*4: the entry selected by R0 = 8
__text:010BC3CA MOVS R0, R0
__text:010BC3CC LSLS R0, R1, #9
__text:010BC3CE MOVS R0, R0
__text:010BC3D0 LSLS R2, R6, #0xA ; 0x10BC3A8 + 10*4: the entry selected by R0 = 0xA
__text:010BC3D2 MOVS R0, R0
__text:010BC3D4 LSLS R6, R4, #0xC
__text:010BC3D6 MOVS R0, R0
__text:010BC3D8 LSLS R0, R4, #0xE
__text:010BC3DA MOVS R0, R0
__text:010BC3DC LSLS R0, R4, #0x10
__text:010BC3DE MOVS R0, R0
__text:010BC3E0 LSLS R4, R0, #0x13
__text:010BC3E2 MOVS R0, R0
__text:010BC3E4 LSLS R4, R4, #0x15
__text:010BC3E6 MOVS R0, R0
__text:010BC3E8 LSLS R6, R4, #0x17
__text:010BC3EA MOVS R0, R0
__text:010BC3EC LSLS R6, R5, #0x19
__text:010BC3EE MOVS R0, R0 ; --- end of the table as far as this paste shows ---
__text:010BC3F0 MOVT.W R3, #0x253 ; from here the stream looks like real code again (possibly resynced mid-instruction)
__text:010BC3F4 ADD R3, PC
__text:010BC3F6 LDR.W R9, [R7,#-0x18]
__text:010BC3FA ADD.W R9, R9, #0x578
__text:010BC3FE LDR R3, [R3]
__text:010BC400 SUB SP, SP, #4
__text:010BC402 SUB.W R4, R7, #0x100
__text:010BC406 LDR.W R12, [R4,#-4]
__text:010BC40A SUB.W R4, R7, #0x100
__text:010BC40E STR.W R0, [R4,#-0x14]
__text:010BC412 MOV R0, R12
__text:010BC414 SUB.W R4, R7, #0x100
__text:010BC418 STR.W R1, [R4,#-0x18]
__text:010BC41C MOV R1, R3
__text:010BC41E SUB.W R4, R7, #0x100
__text:010BC422 LDR.W R3, [R4,#-0x14]
__text:010BC426 PUSH {R0,R1,LR} ; second dispatch: same PUSH / index / BLX pattern
__text:010BC428 MOVW R0, #0xA
__text:010BC42C BL loc_10BC3A4 ; back to the BLX with index 10; IDA renders this as a for(;;) loop


// IDA pseudocode for the table-driven dispatcher. The listing shows LR being used as a
// data pointer, not as a return address: `BIC R1, LR, #1` strips the Thumb bit (R1 now
// points at the word table that directly follows the caller's BLX), `LDR R1,[R1,R0,LSL#2]`
// fetches entry a1, `ADD R1, R1, LR` turns that relative offset into an absolute
// (Thumb-tagged) address, `LDR LR,[SP,#8]` / `STR R1,[SP,#8]` swap it into the saved LR
// slot, and `LDMFD SP!, {R0,R1,PC}` jumps there. So `v7(...)` below is not a call -- it is
// an indirect branch -- and the six "arguments" are meaningless.
int __fastcall sub_109F4A0(int a1, int a2, int a3, int a4, int a5, int a6)
{
int v6; // lr -- IDA flags LR as read before being written: the tell-tale sign of this trick
int (__fastcall *v7)(int, int, int, int, int, int, _DWORD); // r1 -- the computed jump target

v7 = (int (__fastcall )(int, int, int, int, int, int, _DWORD))((_DWORD *)((v6 & 0xFFFFFFFE) + 4 * a1) + v6); // table[a1] + LR
return v7(a5, a6, a3, a4, a5, a6, v7); // really: PC = v7 (via the forged stack slot)
}

汇编如下:
; The dispatcher itself (ARM mode). The caller did PUSH {R0,R1,LR}, so [SP,#8] is the saved LR.
__text:0109F4A0 arg_8 = 8
__text:0109F4A0
__text:0109F4A0 BIC R1, LR, #1 ; table base = return address with the Thumb bit cleared
__text:0109F4A4 LDR R1, [R1,R0,LSL#2] ; entry = table[R0]  (R0 = 8 or 0xA from the caller)
__text:0109F4A8 ADD R1, R1, LR ; target = entry + LR (offsets are relative to the return address)
__text:0109F4AC LDR LR, [SP,#arg_8] ; restore the caller's original LR ...
__text:0109F4B0 STR R1, [SP,#arg_8] ; ... and put the computed target where LR was saved
__text:0109F4B4 LDMFD SP!, {R0,R1,PC} ; pop it straight into PC: an indirect jump, not a return

看起来比 ARM64 的清晰,但分析其实也是错的:BLX 之后那一串 `LSLS` / `MOVS R0, R0` 并不是指令,而是 sub_109F4A0 以 LR 为基址、用 R0 做下标去读的 32 位偏移表,IDA 把表里的数据当成代码反编译了。

参考的链接说是 SP 堆栈不平衡(原帖没有附上链接),但从上面的汇编看这并不是栈不平衡:两种架构都是先改写 LR / 栈上保存的返回地址,再用 RET 或 POP {PC} 做间接跳转,属于控制流混淆,反编译器把"返回"当成函数结束,自然就断在那里了。Hopper 也编译不出伪代码应该是同一个原因。比较可行的做法是先把这些跳板 patch 成直接的 B/BL(或者写脚本把 `MOV X30, X0; RET` 按 `BR X0` 处理、把 sub_109F4A0 的查表结果算出来),并把偏移表标成数据,然后再 F5。请问各位大佬还有没有更好的办法?跪谢!

问题二;

鉴于问题一的方法,IDA 静态分析出的汇编和 lldb 动态调试看到的代码不一致(对照前面的 IDA 列表,+0~+16 这几条指令其实是一样的,只是贴出来的地址对不上;真正的差异在 lldb 多显示出来的那些 `.long ... unknown opcode`)

同一方法lldb显示:

; lldb view of the same method at runtime. The first five instructions are exactly what IDA
; showed; what IDA hid is that the method is a chain of trampolines with raw data embedded
; in __text. Nothing here is an ARM/Thumb decoding problem: arm64 has no Thumb mode.
0x101389730 <+0>: stp x0, x30, [sp, #-0x10]! ; save x0 and the real return address
0x101389734 <+4>: bl 0x101389738 ; <+8>  ; branch to the next instruction: x30 = +8
0x101389738 <+8>: adr x0, #0x20 ; <+40>  ; x0 = +40
0x10138973c <+12>: mov x30, x0 ; forge the link register
0x101389740 <+16>: ret ; jump to +40, skipping the 20 bytes below
0x101389744 <+20>: .long 0x45454b61 ; unknown opcode  ; +20..+36 are never executed; presumably junk/decoy bytes
0x101389748 <+24>: .long 0x09304b09 ; unknown opcode
0x10138974c <+28>: stxrb w16, w14, [x26] ; one junk word happens to decode as a valid instruction
0x101389750 <+32>: .long 0x631a1260 ; unknown opcode
0x101389754 <+36>: .long 0x57194603 ; unknown opcode
0x101389758 <+40>: ldp x0, x30, [sp], #0x10 ; landing pad: restore x0 and the original x30
0x10138975c <+44>: stp x0, x30, [sp, #-0x10]! ; second stage: save them again
0x101389760 <+48>: ldr w0, 0x101389768 ; <+56>  ; w0 = first word of the table below (6)
0x101389764 <+52>: bl 0x10136280c ; +[AnangkeStateFactory createAnangkeState] + 184  ; x30 = +56; NOTE(review): lldb just names the nearest symbol -- this looks like the arm64 counterpart of sub_109F4A0 (index the table at x30 by w0 and jump); confirm by stepping into it
0x101389768 <+56>: .long 0x00000006 ; unknown opcode  ; +56..+120: a table of 17 monotonically increasing words -- data, not code
0x10138976c <+60>: .long 0x00000044 ; unknown opcode
0x101389770 <+64>: .long 0x000000a8 ; unknown opcode
0x101389774 <+68>: .long 0x00000104 ; unknown opcode
0x101389778 <+72>: .long 0x00000160 ; unknown opcode
0x10138977c <+76>: .long 0x00000178 ; unknown opcode
0x101389780 <+80>: .long 0x00000194 ; unknown opcode
0x101389784 <+84>: .long 0x000001b0 ; unknown opcode
0x101389788 <+88>: .long 0x00000224 ; unknown opcode
0x10138978c <+92>: .long 0x000002c0 ; unknown opcode
0x101389790 <+96>: .long 0x0000034c ; unknown opcode
0x101389794 <+100>: .long 0x000003d8 ; unknown opcode
0x101389798 <+104>: .long 0x00000474 ; unknown opcode
0x10138979c <+108>: .long 0x00000510 ; unknown opcode
0x1013897a0 <+112>: .long 0x000005f0 ; unknown opcode
0x1013897a4 <+116>: .long 0x0000067c ; unknown opcode
0x1013897a8 <+120>: .long 0x00000748 ; unknown opcode
0x1013897ac <+124>: ldp x0, x30, [sp], #0x10 ; presumably the next landing pad (restores x0/x30 again)
后面还有一些省略了

xcode版本:9.4.1

这种看起来像是解析错误……论坛上有人说是混淆了 ARM 和 THUMB 指令,但 arm64 根本没有 Thumb 模式,这个解释不成立。对照上面的反汇编:+20~+36 那几个 `.long` 是被 `adr x0, #0x20; mov x30, x0; ret` 直接跳过的垃圾字节,+56 之后那一串单调递增的 `.long` 是一张偏移表(+48 的 `ldr w0, 0x101389768` 读的就是它的第一项),都是被塞进 __text 里的数据,lldb 把它们显示成 unknown opcode 是正常的。
尝试了 disass -A thumbv7……以及把 Xcode 换成 8.3 都无解(对 arm64 进程指定 thumbv7 本来就不会有效果),还请各位大佬指教下!感激不尽!
