目录:一、产品基本介绍二、产品整体框架三、JAVA与JNI初始化四、VM虚拟机基本逻辑五、环境检测与设备信息采集六、加密流程分析七、加密漏洞还原与中人间攻击过程八、总结
一、产品基本介绍
产品应用场景主要用于营销活动反作弊、渠道推广反作弊、交易安全保护、账户安全保护、接口安全保护。渠道买量、应用推广、小程序推广。
产品功能:
虚假行为分析
从设备与账户维度进行聚类关联分析、行为异常分析,甄别虚假作弊用户、IP、设备,锁定源头风险。
终端风险感知
有效识别模拟器、群控、作弊设备、模拟器、农场工具。
大数据关联分析
结合渠道大数据与风险数据,筛选出可疑对象和目标,通过特定业务判断完成风险环形数据,支持算法模型的嵌入。
二、产品整体框架
2.1、产品使用步骤
2.1.1. 前端接入:根据前端类型选择对应 SDK 进行接入,支持 Android App、iOS iApp、小程 序(头条小程序、微信小程序、支付宝小程序)、WEB/WAP/H5。
2.1.2. 接入验证:前后端接入完成后,联合客户端、服务端进行整体联调。
2.1.3. 运行APP成功返回blackbox设备指纹。
2.2、整体对接数据流程时序图
2.3、产品整体架构
接入产品逆向分析还原出基本的产品架构,如图2-3所示
图2-3
三、JAVA与JNI初始化
3.1、在应用启动的时候,比如在应用的首页 Activity 的 onCreate 方法中调用以下方法:
// FMAgent.ENV_SANDBOX 表示沙盒环境// FMAgent.ENV_PRODUCTION 表示生产环境FMAgent.initWithCallback(this, FMAgent.ENV_PRODUCTION, new FMCallback() {@Overridepublic void onEvent(String s) {tdBlackbox = s;Log.e(TAG,"blackbox:"+tdBlackbox);runOnUiThread(new Runnable() {@Overridepublic void run() {tv1.setText("blackbox内容是:"+tdBlackbox);}});}});
3.2、加载SO
JSONObject v6 = null;try {if(Build.VERSION.SDK_INT >= 17) {System.loadLibrary("tdvm");}System.loadLibrary("tongdun");goto label_405;}catch(Throwable v6_1) {}
3.3、执行NI_OnLoad注册Native方法
.text:000000709EAE5E4C RegisterNatives_sub_786D163E4C.text:000000709EAE5E4C.text:000000709EAE5E4C var_38= -0x38.text:000000709EAE5E4C var_2C= -0x2C.text:000000709EAE5E4C var_28= -0x28.text:000000709EAE5E4C var_20= -0x20.text:000000709EAE5E4C var_18= -0x18.text:000000709EAE5E4C var_10= -0x10.text:000000709EAE5E4C.text:000000709EAE5E4C ; __unwind { // 1000.text:000000709EAE5E4C FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EAE5E50 FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EAE5E54 E1 17 00 F9 STR X1, [SP,#0x40+var_18].text:000000709EAE5E58 E2 13 00 F9 STR X2, [SP,#0x40+var_20].text:000000709EAE5E5C E3 0F 00 F9 STR X3, [SP,#0x40+var_28].text:000000709EAE5E60 E4 17 00 B9 STR W4, [SP,#0x40+var_2C].text:000000709EAE5E64 E1 17 40 F9 LDR X1, [SP,#0x40+var_18].text:000000709EAE5E68 E2 13 40 F9 LDR X2, [SP,#0x40+var_20].text:000000709EAE5E6C E3 0F 40 F9 LDR X3, [SP,#0x40+var_28].text:000000709EAE5E70 E4 17 40 B9 LDR W4, [SP,#0x40+var_2C].text:000000709EAE5E74 E0 07 00 F9 STR X0, [SP,#0x40+var_38].text:000000709EAE5E78 E0 03 01 AA MOV X0, X1.text:000000709EAE5E7C E1 03 02 AA MOV X1, X2.text:000000709EAE5E80 E2 03 03 AA MOV X2, X3.text:000000709EAE5E84 E3 03 04 2A MOV W3, W4.text:000000709EAE5E88 E8 07 40 F9 LDR X8, [SP,#0x40+var_38].text:000000709EAE5E8C 00 01 3F D6 BLR X8 ; RegisterNatives.text:000000709EAE5E8C.text:000000709EAE5E90 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EAE5E94 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EAE5E98 C0 03 5F D6 RET//native方法getData2, signature: (Ljava/lang/String;)[Btongdun, signature: (Landroid/content/Context;)Vtongdun2, signature: (Landroid/content/Context;)VXOnEvent, signature: (Landroid/content/Context;)Ljava/lang/String;onSensorChanged, signature: (Landroid/hardware/SensorManager;Lcn/tongdun/android/shell/common/s;Landroid/hardware/SensorEvent;)V
3.4、整体流程如图3-4所示
图3-4
四、VM虚拟机基本逻辑
4.1、VM逻辑主要在模块libtdvm.so中,该模块导出两个方法:
td_eea7e05642c04e240c51 //解压解密VMBycodetd_b13d6928ba611f6a6e37 //解析执行VMBycode
libtongdun.so模块中的大部分方法都会调用上面两个方法,传入vmbycode解析执行。
4.2、VM流程与分析思路
td_eea7e05642c04e240c51方法解压解密后VMBycode后进入VM,代码如下:
.text:000000709EA954F0 EnterVM_sub_709EA954F0.text:000000709EA954F0.text:000000709EA954F0 var_AC= -0xAC.text:000000709EA954F0 databass= -0xA8.text:000000709EA954F0 bycode= -0xA0.text:000000709EA954F0 var_98= -0x98.text:000000709EA954F0 var_90= -0x90.text:000000709EA954F0 var_88= -0x88.text:000000709EA954F0 var_80= -0x80.text:000000709EA954F0 databass1= -0x78.text:000000709EA954F0 var_70= -0x70.text:000000709EA954F0 var_68= -0x68.text:000000709EA954F0 var_60= -0x60.text:000000709EA954F0 var_50= -0x50.text:000000709EA954F0 var_40= -0x40.text:000000709EA954F0 var_30= -0x30.text:000000709EA954F0 var_20= -0x20.text:000000709EA954F0 var_10= -0x10.text:000000709EA954F0 var_s0= 0.text:000000709EA954F0.text:000000709EA954F0 ; __unwind {.text:000000709EA954F0 FF 03 03 D1 SUB SP, SP, #0xC0.text:000000709EA954F4 E8 2B 00 FD STR D8, [SP,#0xB0+var_60].text:000000709EA954F8 FC 6F 06 A9 STP X28, X27, [SP,#0xB0+var_50].text:000000709EA954FC FA 67 07 A9 STP X26, X25, [SP,#0xB0+var_40].text:000000709EA95500 F8 5F 08 A9 STP X24, X23, [SP,#0xB0+var_30].text:000000709EA95504 F6 57 09 A9 STP X22, X21, [SP,#0xB0+var_20].text:000000709EA95508 F4 4F 0A A9 STP X20, X19, [SP,#0xB0+var_10].text:000000709EA9550C FD 7B 0B A9 STP X29, X30, [SP,#0xB0+var_s0].text:000000709EA95510 FD C3 02 91 ADD X29, SP, #0xB0.text:000000709EA95514 48 D0 3B D5 MRS X8, #3, c13, c0, #2.text:000000709EA95518 08 15 40 F9 LDR X8, [X8,#0x28].text:000000709EA9551C F3 03 00 AA MOV X19, X0.text:000000709EA95520 E8 27 00 F9 STR X8, [SP,#0xB0+var_68].text:000000709EA95524 68 02 40 F9 LDR X8, [X19].text:000000709EA95528 69 0A 40 F9 LDR X9, [X19,#0x10].text:000000709EA9552C 1F 01 09 EB CMP X8, X9.text:000000709EA95530 6A 1C 01 54 B.GE loc_709EA978BC.text:000000709EA95530.text:000000709EA95534 7C 16 40 F9 LDR X28, [X19,#0x28] ; 解压后bycode.text:000000709EA95538 77 02 40 F9 LDR X23, [X19].text:000000709EA9553C 09 02 A0 52 09 21 83 72 MOV W9, #0x101908.text:000000709EA95544 3A 00 00 D0 ADRP X26, #jpt_709EA958A0@PAGE.text:000000709EA95548 FB 00 00 B0 ADRP X27, #dword_709EAB2008@PAGE.text:000000709EA9554C 5A 43 3B 91 ADD X26, X26, #jpt_709EA958A0@PAGEOFF.text:000000709EA95550 2D 00 09 8B ADD X13, X1, X9.text:000000709EA95554 FC 37 01 A9 STP X28, X13, [SP,#0xB0+bycode].text:000000709EA95558 C8 00 00 14 B dsp_loc_786D55A878 ; 取解压后VMbycode
解析VMbycode执行对应的Hnadle:
.text:000000709EA95878 dsp_loc_786D55A878.text:000000709EA95878 15 69 7C B8 LDR W21, [X8,X28] ; 取解压后VMbycode.text:000000709EA9587C A8 72 19 53 UBFX W8, W21, #0x19, #4.text:000000709EA95880 08 11 00 51 SUB W8, W8, #4 ; switch 12 cases.text:000000709EA95884 75 3E 00 B9 STR W21, [X19,#0x3C].text:000000709EA95888 B7 01 00 F9 STR X23, [X13].text:000000709EA9588C 77 0B 00 B9 STR W23, [X27,#dword_709EAB2008@PAGEOFF].text:000000709EA95890 1F 2D 00 71 CMP W8, #0xB.text:000000709EA95894 68 00 01 54 B.HI dsp_def_786E9038A0.text:000000709EA95894.text:000000709EA95898 48 7B A8 B8 LDRSW X8, [X26,X8,LSL#2].text:000000709EA9589C 08 01 1A 8B ADD X8, X8, X26.text:000000709EA958A0 00 01 1F D6 BR X8 ; switch jump
4.3、常见Handle一览
常见的算术运算
.text:000000709EA93DD8 ADD_sub_709EA93DD8.text:000000709EA93DD8 ; __unwind {.text:000000709EA93DD8 68 00 02 0B ADD W8, W3, W2.text:000000709EA93DDC 28 00 00 B9 STR W8, [X1].text:000000709EA93DE0 C0 03 5F D6 RET
.text:000000709EA93E08 SUB_sub_709EA93E08.text:000000709EA93E08 ; __unwind {.text:000000709EA93E08 48 00 03 4B SUB W8, W2, W3.text:000000709EA93E0C 28 00 00 B9 STR W8, [X1].text:000000709EA93E10 C0 03 5F D6 RET
.text:000000709EA93E20 AND_sub_709EA93E20.text:000000709EA93E20 ; __unwind {.text:000000709EA93E20 68 00 02 0A AND W8, W3, W2.text:000000709EA93E24 28 00 00 B9 STR W8, [X1].text:000000709EA93E28 C0 03 5F D6 RET
.text:000000709EA93E44 EOR_sub_786E901E44.text:000000709EA93E44 ; __unwind {.text:000000709EA93E44 68 00 02 4A EOR W8, W3, W2.text:000000709EA93E48 28 00 00 B9 STR W8, [X1].text:000000709EA93E4C C0 03 5F D6 RET
.text:000000709EA93FAC MUL_sub_709EA93FAC.text:000000709EA93FAC ; __unwind {.text:000000709EA93FAC 68 7C 02 1B MUL W8, W3, W2.text:000000709EA93FB0 28 00 00 B9 STR W8, [X1].text:000000709EA93FB4 C0 03 5F D6 RET
.text:000000709EA97B60 getdatabas_sub_786E905B60.text:000000709EA97B60.text:000000709EA97B60 var_20= -0x20.text:000000709EA97B60 var_18= -0x18.text:000000709EA97B60 var_C= -0xC.text:000000709EA97B60 var_8= -8.text:000000709EA97B60 var_s0= 0.text:000000709EA97B60.text:000000709EA97B60 ; __unwind {.text:000000709EA97B60 FF C3 00 D1 SUB SP, SP, #0x30.text:000000709EA97B64 FD 7B 02 A9 STP X29, X30, [SP,#0x20+var_s0].text:000000709EA97B68 FD 83 00 91 ADD X29, SP, #0x20.text:000000709EA97B6C 49 D0 3B D5 MRS X9, #3, c13, c0, #2.text:000000709EA97B70 29 15 40 F9 LDR X9, [X9,#0x28].text:000000709EA97B74 E8 03 00 AA MOV X8, X0.text:000000709EA97B78 E0 03 1F AA MOV X0, XZR.text:000000709EA97B7C A9 83 1F F8 STUR X9, [X29,#var_8].text:000000709EA97B80 FF 03 00 F9 STR XZR, [SP,#0x20+var_20].text:000000709EA97B84 3F 7C 00 71 CMP W1, #0x1F.text:000000709EA97B88 E0 02 00 54 B.EQ loc_709EA97BE4.text:000000709EA97B88.text:000000709EA97B8C 3F 74 00 71 CMP W1, #0x1D.text:000000709EA97B90 E1 00 00 54 B.NE loc_709EA97BAC.text:000000709EA97B90.text:000000709EA97B94 00 21 40 F9 LDR X0, [X8,#0x40].text:000000709EA97B98 E8 03 00 32 MOV W8, #1.text:000000709EA97B9C A8 43 1F B8 STUR W8, [X29,#var_C].text:000000709EA97BA0 E8 03 00 91 MOV X8, SP.text:000000709EA97BA4 E8 07 00 F9 STR X8, [SP,#0x20+var_18].text:000000709EA97BA8 0A 00 00 14 B loc_709EA97BD0.text:000000709EA97BA8.text:000000709EA97BAC loc_709EA97BAC.text:000000709EA97BAC 00 21 40 F9 LDR X0, [X8,#0x40].text:000000709EA97BB0 3F 78 00 71 CMP W1, #0x1E.text:000000709EA97BB4 61 00 00 54 B.NE loc_709EA97BC0.text:000000709EA97BB4.text:000000709EA97BB8 E8 03 1F 32 MOV W8, #2.text:000000709EA97BBC 02 00 00 14 B loc_709EA97BC4.text:000000709EA97BBC.text:000000709EA97BC0.text:000000709EA97BC0 loc_709EA97BC0.text:000000709EA97BC0 28 1C 03 11 ADD W8, W1, #0xC7.text:000000709EA97BC0.text:000000709EA97BC4.text:000000709EA97BC4 loc_709EA97BC4.text:000000709EA97BC4 E9 03 00 91 MOV X9, SP.text:000000709EA97BC8 A8 43 1F B8 STUR W8, [X29,#var_C].text:000000709EA97BCC E9 07 00 F9 STR X9, [SP,#0x20+var_18].text:000000709EA97BCC.text:000000709EA97BD0.text:000000709EA97BD0 loc_709EA97BD0.text:000000709EA97BD0 A1 33 00 D1 SUB X1, X29, #-var_C.text:000000709EA97BD4 E2 23 00 91 ADD X2, SP, #0x20+var_18.text:000000709EA97BD8 E3 03 00 32 MOV W3, #1.text:000000709EA97BDC 2A EF FF 97 BL getdatabasse_sub_786E901884.text:000000709EA97BDC.text:000000709EA97BE0 E0 03 40 F9 LDR X0, [SP,#0x20+var_20].text:000000709EA97BE0.text:000000709EA97BE4.text:000000709EA97BE4 loc_709EA97BE4.text:000000709EA97BE4 48 D0 3B D5 MRS X8, #3, c13, c0, #2.text:000000709EA97BE8 08 15 40 F9 LDR X8, [X8,#0x28].text:000000709EA97BEC A9 83 5F F8 LDUR X9, [X29,#var_8].text:000000709EA97BF0 1F 01 09 EB CMP X8, X9.text:000000709EA97BF4 81 00 00 54 B.NE loc_709EA97C04.text:000000709EA97BF4.text:000000709EA97BF8 FD 7B 42 A9 LDP X29, X30, [SP,#0x20+var_s0].text:000000709EA97BFC FF C3 00 91 ADD SP, SP, #0x30 ; '0'.text:000000709EA97C00 C0 03 5F D6 RET
以上Handle都是加密时要用到的。
4.4、眺出VM调用其它模块的Handle
.text:000000709EA936C0 call_loc_709EA936C0.text:000000709EA936C0 FF 03 02 D1 SUB SP, SP, #0x80.text:000000709EA936C4 20 01 3F D6 BLR X9 ; 调用tongdun.so.text:000000709EA936C4.text:000000709EA936C8 FF 03 02 91 ADD SP, SP, #0x80.text:000000709EA936CC E8 E3 40 B9 LDR W8, [SP,#0x2E0+var_200].text:000000709EA936D0 48 00 00 35 CBNZ W8, loc_709EA936D8.text:000000709EA936D0.text:000000709EA936D4 5F 00 00 14 B loc_709EA93850
如果不还原算法的话调试时重点关注这个Handle就能大致分析清楚整体的逻辑。如果要做算法还原就得分析每一个Handle。
五、环境检测与设备信息采集
5.1、随机数AES加密存放本地
如果是第一次运行APP判断本地是否有随机数ID,如果没有就生成用AES加密存放在三个地方做为钉子文件:
SharedPreferences td-client-id-3/data/user/0/包名/files/.td-3/storage/emulated/0/.td-3KEYkey bs3ggr0ismnzmdwxkacrq88xs9uj3l06 ykj314o0nd8423k2cimo5fvx0k234sc5 phx7ryl7sjppatga3nfl1caircw6ct79
AES加密是反射调用JAVA实现:
.text:000000709EB4EA6C ; R1:原数据,R2:key.text:000000709EB4EA6C AES_sub_786D1CCA6C.text:000000709EB4EA6C var_CC= -0xCC.text:000000709EB4EA6C anonymous_1= -0xC8.text:000000709EB4EA6C anonymous_2= -0xC0.text:000000709EB4EA6C anonymous_3= -0xB8.text:000000709EB4EA6C anonymous_4= -0xB0.text:000000709EB4EA6C anonymous_5= -0xA8.text:000000709EB4EA6C anonymous_6= -0xA0.text:000000709EB4EA6C anonymous_7= -0x98.text:000000709EB4EA6C anonymous_8= -0x90.text:000000709EB4EA6C anonymous_9= -0x88.text:000000709EB4EA6C anonymous_10= -0x80.text:000000709EB4EA6C anonymous_11= -0x78.text:000000709EB4EA6C anonymous_12= -0x70.text:000000709EB4EA6C anonymous_13= -0x68.text:000000709EB4EA6C anonymous_14= -0x60.text:000000709EB4EA6C anonymous_15= -0x58.text:000000709EB4EA6C anonymous_16= -0x50.text:000000709EB4EA6C anonymous_17= -0x48.text:000000709EB4EA6C anonymous_18= -0x40.text:000000709EB4EA6C anonymous_19= -0x38.text:000000709EB4EA6C anonymous_20= -0x30.text:000000709EB4EA6C anonymous_21= -0x28.text:000000709EB4EA6C anonymous_22= -0x20.text:000000709EB4EA6C anonymous_23= -0x18.text:000000709EB4EA6C var_10= -0x10.text:000000709EB4EA6C var_s0= 0.text:000000709EB4EA6C.text:000000709EB4EA6C ; __unwind { // 1000.text:000000709EB4EA6C FC 0F 1E F8 STR X28, [SP,#-0x10+var_10]!.text:000000709EB4EA70 FD 7B 01 A9 STP X29, X30, [SP,#0x10+var_s0].text:000000709EB4EA74 FD 43 00 91 ADD X29, SP, #0x10.text:000000709EB4EA78 FF 43 08 D1 SUB SP, SP, #0x210.text:000000709EB4EA7C A8 83 03 D1 SUB X8, X29, #-(var_E5+5).text:000000709EB4EA80 00 2D 00 F9 STR X0, [X8,#0x58].text:000000709EB4EA84 01 29 00 F9 STR X1, [X8,#0x50].text:000000709EB4EA88 02 25 00 F9 STR X2, [X8,#0x48].text:000000709EB4EA8C 03 21 00 F9 STR X3, [X8,#0x40].text:000000709EB4EA90 00 29 40 F9 LDR X0, [X8,#0x50].text:000000709EB4EA94 00 35 00 F9 STR X0, [X8,#0x68].text:000000709EB4EA98 89 5F 89 52 49 A1+MOV W9, #0xB50A4AFC.text:000000709EB4EA98 B6 72.text:000000709EB4EAA0 E9 AF 00 B9 STR W9, [SP,#0x220+var_174].text:000000709EB4EAA4 E8 53 00 F9 STR X8, [SP,#0x220+var_180].text:000000709EB4EAA8 01 00 00 14 B loc_709EB4EAAC.text:000000709EB4EAA8.text:000000709EB4EAAC.text:000000709EB4EAAC loc_709EB4EAAC.text:000000709EB4EAAC E8 AF 40 B9 LDR W8, [SP,#0x220+var_174].text:000000709EB4EAB0 E9 03 08 2A MOV W9, W8.text:000000709EB4EAB4 4A 7D 9C 52 0A 0F+MOV W10, #0x8878E3EA.text:000000709EB4EAB4 B1 72.text:000000709EB4EABC 08 01 0A 6B SUBS W8, W8, W10.text:000000709EB4EAC0 E9 9F 00 B9 STR W9, [SP,#0x220+var_184].text:000000709EB4EAC4 E8 9B 00 B9 STR W8, [SP,#0x220+var_188].text:000000709EB4EAC8 00 07 00 54 B.EQ loc_709EB4EBA8.text:000000709EB4EAC8.text:000000709EB4EACC 01 00 00 14 B loc_709EB4EAD0.text:000000709EB4EACC.text:000000709EB4EAD0.text:000000709EB4EAD0 loc_709EB4EAD0.text:000000709EB4EAD0 88 5D 86 52 A8 84+MOV W8, #0x9C2532EC.text:000000709EB4EAD0 B3 72.text:000000709EB4EAD8 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184].text:000000709EB4EADC 28 01 08 6B SUBS W8, W9, W8.text:000000709EB4EAE0 E8 97 00 B9 STR W8, [SP,#0x220+var_18C].text:000000709EB4EAE4 80 3B 00 54 B.EQ loc_709EB4F254.text:000000709EB4EAE4.text:000000709EB4EAE8 01 00 00 14 B loc_709EB4EAEC.text:000000709EB4EAE8.text:000000709EB4EAEC.text:000000709EB4EAEC loc_709EB4EAEC.text:000000709EB4EAEC 88 5F 89 52 48 A1+MOV W8, #0xB50A4AFC.text:000000709EB4EAEC B6 72.text:000000709EB4EAF4 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184].text:000000709EB4EAF8 28 01 08 6B SUBS W8, W9, W8.text:000000709EB4EAFC E8 93 00 B9 STR W8, [SP,#0x220+var_190].text:000000709EB4EB00 E0 03 00 54 B.EQ loc_709EB4EB7C.text:000000709EB4EB00.text:000000709EB4EB04 01 00 00 14 B loc_709EB4EB08.text:000000709EB4EB04.text:000000709EB4EB08.text:000000709EB4EB08 loc_709EB4EB08.text:000000709EB4EB08 A8 61 87 52 48 30+MOV W8, #0xB9823B0D.text:000000709EB4EB08 B7 72.text:000000709EB4EB10 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184].text:000000709EB4EB14 28 01 08 6B SUBS W8, W9, W8.text:000000709EB4EB18 E8 8F 00 B9 STR W8, [SP,#0x220+var_194].text:000000709EB4EB1C E0 38 00 54 B.EQ loc_709EB4F238.text:000000709EB4EB1C.text:000000709EB4EB20 01 00 00 14 B loc_709EB4EB24.text:000000709EB4EB20.text:000000709EB4EB24.text:000000709EB4EB24 loc_709EB4EB24.text:000000709EB4EB24 88 3C 99 52 48 99+MOV W8, #0xCCCAC9E4.text:000000709EB4EB24 B9 72.text:000000709EB4EB2C E9 9F 40 B9 LDR W9, [SP,#0x220+var_184].text:000000709EB4EB30 28 01 08 6B SUBS W8, W9, W8.text:000000709EB4EB34 E8 8B 00 B9 STR W8, [SP,#0x220+var_198].text:000000709EB4EB38 E0 04 00 54 B.EQ loc_709EB4EBD4.text:000000709EB4EB38.text:000000709EB4EB3C 01 00 00 14 B loc_709EB4EB40.text:000000709EB4EB3C.text:000000709EB4EB40.text:000000709EB4EB40 loc_709EB4EB40.text:000000709EB4EB40 A8 C9 8A 52 E8 1C+MOV W8, #0x48E7564D.text:000000709EB4EB40 A9 72.text:000000709EB4EB48 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184].text:000000709EB4EB4C 28 01 08 6B SUBS W8, W9, W8.text:000000709EB4EB50 E8 87 00 B9 STR W8, [SP,#0x220+var_19C].text:000000709EB4EB54 E0 40 00 54 B.EQ loc_709EB4F370.text:000000709EB4EB54.text:000000709EB4EB58 01 00 00 14 B loc_709EB4EB5C.text:000000709EB4EB58.text:000000709EB4EB5C.text:000000709EB4EB5C loc_709EB4EB5C.text:000000709EB4EB5C 08 81 97 52 28 4C+MOV W8, #0x5A61BC08.text:000000709EB4EB5C AB 72.text:000000709EB4EB64 E9 9F 40 B9 LDR W9, [SP,#0x220+var_184].text:000000709EB4EB68 28 01 08 6B SUBS W8, W9, W8.text:000000709EB4EB6C E8 83 00 B9 STR W8, [SP,#0x220+var_1A0].text:000000709EB4EB70 E0 40 00 54 B.EQ loc_709EB4F38C.text:000000709EB4EB70.text:000000709EB4EB74 01 00 00 14 B loc_709EB4EB78.text:000000709EB4EB74.text:000000709EB4EB78.text:000000709EB4EB78 loc_709EB4EB78.text:000000709EB4EB78 0B 02 00 14 B loc_709EB4F3A4.text:000000709EB4EB78.text:000000709EB4EB7C.text:000000709EB4EB7C loc_709EB4EB7C.text:000000709EB4EB7C E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EB80 09 35 40 F9 LDR X9, [X8,#0x68].text:000000709EB4EB84 29 01 00 F1 SUBS X9, X9, #0.text:000000709EB4EB88 AA C9 8A 52 EA 1C+MOV W10, #0x48E7564D.text:000000709EB4EB88 A9 72.text:000000709EB4EB90 4B 7D 9C 52 0B 0F+MOV W11, #0x8878E3EA.text:000000709EB4EB90 B1 72.text:000000709EB4EB98 6A 11 8A 1A CSEL W10, W11, W10, NE.text:000000709EB4EB9C EA AF 00 B9 STR W10, [SP,#0x220+var_174].text:000000709EB4EBA0 E9 3F 00 F9 STR X9, [SP,#0x220+var_1A8].text:000000709EB4EBA4 00 02 00 14 B loc_709EB4F3A4.text:000000709EB4EBA4.text:000000709EB4EBA8.text:000000709EB4EBA8 loc_709EB4EBA8.text:000000709EB4EBA8 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EBAC 09 25 40 F9 LDR X9, [X8,#0x48].text:000000709EB4EBB0 29 01 00 F1 SUBS X9, X9, #0.text:000000709EB4EBB4 AA C9 8A 52 EA 1C+MOV W10, #0x48E7564D.text:000000709EB4EBB4 A9 72.text:000000709EB4EBBC 8B 3C 99 52 4B 99+MOV W11, #0xCCCAC9E4.text:000000709EB4EBBC B9 72.text:000000709EB4EBC4 6A 11 8A 1A CSEL W10, W11, W10, NE.text:000000709EB4EBC8 EA AF 00 B9 STR W10, [SP,#0x220+var_174].text:000000709EB4EBCC E9 3B 00 F9 STR X9, [SP,#0x220+var_1B0].text:000000709EB4EBD0 F5 01 00 14 B loc_709EB4F3A4.text:000000709EB4EBD0.text:000000709EB4EBD4.text:000000709EB4EBD4 loc_709EB4EBD4.text:000000709EB4EBD4 88 03 00 D0 08 81+ADRL X8, td_8162780960521470701 ; "AES".text:000000709EB4EBD4 39 91.text:000000709EB4EBDC E9 53 40 F9 LDR X9, [SP,#0x220+var_180].text:000000709EB4EBE0 28 1D 00 F9 STR X8, [X9,#0x38].text:000000709EB4EBE4 88 03 00 D0 08 91+ADRL X8, td_18178131887862966684 ; "AES/ECB/PKCS5Padding".text:000000709EB4EBE4 39 91.text:000000709EB4EBEC 28 19 00 F9 STR X8, [X9,#0x30].text:000000709EB4EBF0 20 2D 40 F9 LDR X0, [X9,#0x58].text:000000709EB4EBF4 21 1D 40 F9 LDR X1, [X9,#0x38].text:000000709EB4EBF8 BB 68 00 94 BL NewStringUTF_sub_786D1E6EE4.text:000000709EB4EBF8.text:000000709EB4EBFC E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC00 00 15 00 F9 STR X0, [X8,#0x28].text:000000709EB4EC04 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EC08 01 19 40 F9 LDR X1, [X8,#0x30].text:000000709EB4EC0C B6 68 00 94 BL NewStringUTF_sub_786D1E6EE4.text:000000709EB4EC0C.text:000000709EB4EC10 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC14 00 11 00 F9 STR X0, [X8,#0x20].text:000000709EB4EC18 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EC1C EA 03 1B 32 MOV W10, #0x20 ; ' '.text:000000709EB4EC20 E1 03 0A 2A MOV W1, W10.text:000000709EB4EC24 EA 6F 00 B9 STR W10, [SP,#0x220+var_1B4].text:000000709EB4EC28 98 69 00 94 BL NewByteArray_sub_786D1E7288.text:000000709EB4EC28.text:000000709EB4EC2C E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC30 00 0D 00 F9 STR X0, [X8,#0x18].text:000000709EB4EC34 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EC38 01 0D 40 F9 LDR X1, [X8,#0x18].text:000000709EB4EC3C 04 25 40 F9 LDR X4, [X8,#0x48].text:000000709EB4EC40 EA 03 1F 2A MOV W10, WZR.text:000000709EB4EC44 E2 03 0A 2A MOV W2, W10.text:000000709EB4EC48 E3 6F 40 B9 LDR W3, [SP,#0x220+var_1B4].text:000000709EB4EC4C EA 6B 00 B9 STR W10, [SP,#0x220+var_1B8].text:000000709EB4EC50 BC 69 00 94 BL SetByteArrayRegion_sub_786D1E7340.text:000000709EB4EC50.text:000000709EB4EC54 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC58 00 29 40 F9 LDR X0, [X8,#0x50] ; s.text:000000709EB4EC5C DD 45 FE 97 BL .strlen.text:000000709EB4EC5C.text:000000709EB4EC60 EA 03 00 2A MOV W10, W0.text:000000709EB4EC64 AA 43 13 B8 STUR W10, [X29,#var_CC].text:000000709EB4EC68 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC6C 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EC70 A1 43 53 B8 LDUR W1, [X29,#var_CC].text:000000709EB4EC74 85 69 00 94 BL NewByteArray_sub_786D1E7288.text:000000709EB4EC74.text:000000709EB4EC78 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC7C 00 05 00 F9 STR X0, [X8,#8].text:000000709EB4EC80 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EC84 01 05 40 F9 LDR X1, [X8,#8].text:000000709EB4EC88 A3 43 53 B8 LDUR W3, [X29,#var_CC].text:000000709EB4EC8C 04 29 40 F9 LDR X4, [X8,#0x50].text:000000709EB4EC90 E2 6B 40 B9 LDR W2, [SP,#0x220+var_1B8].text:000000709EB4EC94 AB 69 00 94 BL SetByteArrayRegion_sub_786D1E7340.text:000000709EB4EC94.text:000000709EB4EC98 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EC9C 09 2D 40 F9 LDR X9, [X8,#0x58].text:000000709EB4ECA0 CA 14 80 52 MOV W10, #0xA6.text:000000709EB4ECA4 AA 03 10 38 STURB W10, [X29,#var_100].text:000000709EB4ECA8 CA 02 80 52 MOV W10, #0x16.text:000000709EB4ECAC AA 13 10 38 STURB W10, [X29,#var_FF].text:000000709EB4ECB0 E2 0C 80 52 MOV W2, #0x67 ; 'g'.text:000000709EB4ECB4 A2 23 10 38 STURB W2, [X29,#var_FE].text:000000709EB4ECB8 AA 33 10 38 STURB W10, [X29,#var_FD].text:000000709EB4ECBC EA 10 80 52 MOV W10, #0x87.text:000000709EB4ECC0 AA 43 10 38 STURB W10, [X29,#var_FC].text:000000709EB4ECC4 4A 1E 80 52 MOV W10, #0xF2.text:000000709EB4ECC8 AA 53 10 38 STURB W10, [X29,#var_FB].text:000000709EB4ECCC C2 06 80 52 MOV W2, #0x36 ; '6'.text:000000709EB4ECD0 A2 63 10 38 STURB W2, [X29,#var_FA].text:000000709EB4ECD4 E3 04 80 52 MOV W3, #0x27 ; '''.text:000000709EB4ECD8 A3 73 10 38 STURB W3, [X29,#var_F9].text:000000709EB4ECDC EB 12 80 52 MOV W11, #0x97.text:000000709EB4ECE0 AB 83 10 38 STURB W11, [X29,#var_F8].text:000000709EB4ECE4 EC 0B 00 32 MOV W12, #7.text:000000709EB4ECE8 AC 93 10 38 STURB W12, [X29,#var_F7].text:000000709EB4ECEC ED 08 80 52 MOV W13, #0x47 ; 'G'.text:000000709EB4ECF0 AD A3 10 38 STURB W13, [X29,#var_F6].text:000000709EB4ECF4 CE 1E 80 52 MOV W14, #0xF6.text:000000709EB4ECF8 AE B3 10 38 STURB W14, [X29,#var_F5].text:000000709EB4ECFC AA C3 10 38 STURB W10, [X29,#var_F4].text:000000709EB4ED00 EE 06 80 52 MOV W14, #0x37 ; '7'.text:000000709EB4ED04 AE D3 10 38 STURB W14, [X29,#var_F3].text:000000709EB4ED08 AC E3 10 38 STURB W12, [X29,#var_F2].text:000000709EB4ED0C CE 0A 80 52 MOV W14, #0x56 ; 'V'.text:000000709EB4ED10 AE F3 10 38 STURB W14, [X29,#var_F1].text:000000709EB4ED14 A2 03 11 38 STURB W2, [X29,#var_F0].text:000000709EB4ED18 AA 13 11 38 STURB W10, [X29,#var_EF].text:000000709EB4ED1C AA 06 80 52 MOV W10, #0x35 ; '5'.text:000000709EB4ED20 AA 23 11 38 STURB W10, [X29,#var_EE].text:000000709EB4ED24 AE 33 11 38 STURB W14, [X29,#var_ED].text:000000709EB4ED28 A2 43 11 38 STURB W2, [X29,#var_EC].text:000000709EB4ED2C A3 53 11 38 STURB W3, [X29,#var_EB].text:000000709EB4ED30 AE 63 11 38 STURB W14, [X29,#var_EA].text:000000709EB4ED34 AD 73 11 38 STURB W13, [X29,#var_E9].text:000000709EB4ED38 8D 16 80 52 MOV W13, #0xB4.text:000000709EB4ED3C AD 83 11 38 STURB W13, [X29,#var_E8].text:000000709EB4ED40 AE 93 11 38 STURB W14, [X29,#var_E7].text:000000709EB4ED44 AB A3 11 38 STURB W11, [X29,#var_E6].text:000000709EB4ED48 AA B3 11 38 STURB W10, [X29,#var_E5].text:000000709EB4ED4C AC C3 11 38 STURB W12, [X29,#var_E5+1].text:000000709EB4ED50 AE D3 11 38 STURB W14, [X29,#var_E5+2].text:000000709EB4ED54 A2 E3 11 38 STURB W2, [X29,#var_E5+3].text:000000709EB4ED58 EA 6B 40 B9 LDR W10, [SP,#0x220+var_1B8].text:000000709EB4ED5C AA F3 11 38 STURB W10, [X29,#var_E5+4].text:000000709EB4ED60 A0 03 04 D1 SUB X0, X29, #-var_100.text:000000709EB4ED64 00 3D 00 F9 STR X0, [X8,#0x78].text:000000709EB4ED68 00 3D 40 F9 LDR X0, [X8,#0x78].text:000000709EB4ED6C 00 39 00 F9 STR X0, [X8,#0x70].text:000000709EB4ED70 E9 33 00 F9 STR X9, [SP,#0x220+var_1C0].text:000000709EB4ED74 01 00 00 14 B loc_709EB4ED78.text:000000709EB4ED74.text:000000709EB4ED78.text:000000709EB4ED78 loc_709EB4ED78.text:000000709EB4ED78 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4ED7C 09 3D 40 F9 LDR X9, [X8,#0x78].text:000000709EB4ED80 2A 01 40 39 LDRB W10, [X9].text:000000709EB4ED84 8A 01 00 34 CBZ W10, loc_709EB4EDB4.text:000000709EB4ED84.text:000000709EB4ED88 01 00 00 14 B loc_709EB4ED8C.text:000000709EB4ED8C.text:000000709EB4ED8C loc_709EB4ED8C.text:000000709EB4ED8C E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4ED90 09 3D 40 F9 LDR X9, [X8,#0x78].text:000000709EB4ED94 2A 01 40 39 LDRB W10, [X9].text:000000709EB4ED98 4B 7D 04 53 LSR W11, W10, #4.text:000000709EB4ED9C 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EB4EDA0 2B 01 00 39 STRB W11, [X9].text:000000709EB4EDA4 09 3D 40 F9 LDR X9, [X8,#0x78].text:000000709EB4EDA8 29 05 00 91 ADD X9, X9, #1.text:000000709EB4EDAC 09 3D 00 F9 STR X9, [X8,#0x78].text:000000709EB4EDB0 F2 FF FF 17 B loc_709EB4ED78.text:000000709EB4EDB0.text:000000709EB4EDB4.text:000000709EB4EDB4 loc_709EB4EDB4.text:000000709EB4EDB4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EDB8 01 39 40 F9 LDR X1, [X8,#0x70].text:000000709EB4EDBC E0 33 40 F9 LDR X0, [SP,#0x220+var_1C0].text:000000709EB4EDC0 8E 69 00 94 BL FindClass_sub_786D1E73F8.text:000000709EB4EDC0.text:000000709EB4EDC4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EDC8 00 01 00 F9 STR X0, [X8].text:000000709EB4EDCC 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EDD0 01 01 40 F9 LDR X1, [X8].text:000000709EB4EDD4 04 0D 40 F9 LDR X4, [X8,#0x18].text:000000709EB4EDD8 05 15 40 F9 LDR X5, [X8,#0x28].text:000000709EB4EDDC 42 01 00 D0 42 98+ADRL X2, td_9741829121851609613 ; "<init>".text:000000709EB4EDDC 32 91.text:000000709EB4EDE4 43 01 00 D0 63 B4+ADRL X3, td_1727475097158774760 ; "([BLjava/lang/String;)V".text:000000709EB4EDE4 32 91.text:000000709EB4EDEC B3 01 00 94 BL CallVoidMethod_sub_786D1CD4B8.text:000000709EB4EDEC.text:000000709EB4EDF0 E0 8F 00 F9 STR X0, [SP,#0x220+var_108].text:000000709EB4EDF4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EDF8 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EDFC C9 14 80 52 MOV W9, #0xA6.text:000000709EB4EE00 E9 F3 03 39 STRB W9, [SP,#0xFC].text:000000709EB4EE04 C9 02 80 52 MOV W9, #0x16.text:000000709EB4EE08 E9 F7 03 39 STRB W9, [SP,#0xFD].text:000000709EB4EE0C EA 0C 80 52 MOV W10, #0x67 ; 'g'.text:000000709EB4EE10 EA FB 03 39 STRB W10, [SP,#0xFE].text:000000709EB4EE14 E9 FF 03 39 STRB W9, [SP,#0x220+var_121].text:000000709EB4EE18 E9 10 80 52 MOV W9, #0x87.text:000000709EB4EE1C E9 03 04 39 STRB W9, [SP,#0x220+var_120].text:000000709EB4EE20 49 1E 80 52 MOV W9, #0xF2.text:000000709EB4EE24 E9 07 04 39 STRB W9, [SP,#0x220+var_11F].text:000000709EB4EE28 CA 06 80 52 MOV W10, #0x36 ; '6'.text:000000709EB4EE2C EA 0B 04 39 STRB W10, [SP,#0x220+var_11E].text:000000709EB4EE30 EA 04 80 52 MOV W10, #0x27 ; '''.text:000000709EB4EE34 EA 0F 04 39 STRB W10, [SP,#0x220+var_11D].text:000000709EB4EE38 EB 12 80 52 MOV W11, #0x97.text:000000709EB4EE3C EB 13 04 39 STRB W11, [SP,#0x220+var_11C].text:000000709EB4EE40 EB 0B 00 32 MOV W11, #7.text:000000709EB4EE44 EB 17 04 39 STRB W11, [SP,#0x220+var_11B].text:000000709EB4EE48 EC 08 80 52 MOV W12, #0x47 ; 'G'.text:000000709EB4EE4C EC 1B 04 39 STRB W12, [SP,#0x220+var_11A].text:000000709EB4EE50 CC 1E 80 52 MOV W12, #0xF6.text:000000709EB4EE54 EC 1F 04 39 STRB W12, [SP,#0x220+var_119].text:000000709EB4EE58 E9 23 04 39 STRB W9, [SP,#0x220+var_118].text:000000709EB4EE5C 89 06 80 52 MOV W9, #0x34 ; '4'.text:000000709EB4EE60 E9 27 04 39 STRB W9, [SP,#0x220+var_117].text:000000709EB4EE64 C9 12 80 52 MOV W9, #0x96.text:000000709EB4EE68 E9 2B 04 39 STRB W9, [SP,#0x220+var_116].text:000000709EB4EE6C EB 2F 04 39 STRB W11, [SP,#0x220+var_115].text:000000709EB4EE70 C9 10 80 52 MOV W9, #0x86.text:000000709EB4EE74 E9 33 04 39 STRB W9, [SP,#0x220+var_114].text:000000709EB4EE78 C9 0A 80 52 MOV W9, #0x56 ; 'V'.text:000000709EB4EE7C E9 37 04 39 STRB W9, [SP,#0x220+var_113].text:000000709EB4EE80 EA 3B 04 39 STRB W10, [SP,#0x220+var_113+1].text:000000709EB4EE84 E9 03 1F 2A MOV W9, WZR.text:000000709EB4EE88 E9 3F 04 39 STRB W9, [SP,#0x220+var_113+2].text:000000709EB4EE8C E1 F3 03 91 ADD X1, SP, #0xFC.text:000000709EB4EE90 01 65 00 F9 STR X1, [X8,#0xC8].text:000000709EB4EE94 01 65 40 F9 LDR X1, [X8,#0xC8].text:000000709EB4EE98 01 61 00 F9 STR X1, [X8,#0xC0].text:000000709EB4EE9C E0 2F 00 F9 STR X0, [SP,#0x220+var_1C8].text:000000709EB4EEA0 01 00 00 14 B loc_709EB4EEA4.text:000000709EB4EEA0.text:000000709EB4EEA4.text:000000709EB4EEA4 loc_709EB4EEA4.text:000000709EB4EEA4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EEA8 09 65 40 F9 LDR X9, [X8,#0xC8].text:000000709EB4EEAC 2A 01 40 39 LDRB W10, [X9].text:000000709EB4EEB0 8A 01 00 34 CBZ W10, loc_709EB4EEE0.text:000000709EB4EEB0.text:000000709EB4EEB4 01 00 00 14 B loc_709EB4EEB8.text:000000709EB4EEB4.text:000000709EB4EEB8.text:000000709EB4EEB8 loc_709EB4EEB8.text:000000709EB4EEB8 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EEBC 09 65 40 F9 LDR X9, [X8,#0xC8].text:000000709EB4EEC0 2A 01 40 39 LDRB W10, [X9].text:000000709EB4EEC4 4B 7D 04 53 LSR W11, W10, #4.text:000000709EB4EEC8 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EB4EECC 2B 01 00 39 STRB W11, [X9].text:000000709EB4EED0 09 65 40 F9 LDR X9, [X8,#0xC8].text:000000709EB4EED4 29 05 00 91 ADD X9, X9, #1.text:000000709EB4EED8 09 65 00 F9 STR X9, [X8,#0xC8].text:000000709EB4EEDC F2 FF FF 17 B loc_709EB4EEA4.text:000000709EB4EEE0.text:000000709EB4EEE0 loc_709EB4EEE0.text:000000709EB4EEE0 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EEE4 01 61 40 F9 LDR X1, [X8,#0xC0].text:000000709EB4EEE8 04 11 40 F9 LDR X4, [X8,#0x20].text:000000709EB4EEEC 02 03 00 B0 42 D0+ADRL X2, td_4822081916216048550 ; "getInstance".text:000000709EB4EEEC 11 91.text:000000709EB4EEF4 03 03 00 B0 63 BC+ADRL X3, td_12347290237301947307 ; "(Ljava/lang/String;)Ljavax/crypto/Ciphe"....text:000000709EB4EEF4 12 91.text:000000709EB4EEFC E0 2F 40 F9 LDR X0, [SP,#0x220+var_1C8].text:000000709EB4EF00 80 01 00 94 BL CallVoidMethod_sub_786D1CD500.text:000000709EB4EF00.text:000000709EB4EF04 E0 8B 00 F9 STR X0, [SP,#0x220+var_113+3].text:000000709EB4EF08 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EF0C 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4EF10 E1 8B 40 F9 LDR X1, [SP,#0x220+var_113+3].text:000000709EB4EF14 C9 12 80 52 MOV W9, #0x96.text:000000709EB4EF18 E9 D3 03 39 STRB W9, [SP,#0x220+var_12E+2].text:000000709EB4EF1C CA 1C 80 52 MOV W10, #0xE6.text:000000709EB4EF20 EA D7 03 39 STRB W10, [SP,#0x220+var_12E+3].text:000000709EB4EF24 E9 DB 03 39 STRB W9, [SP,#0x220+var_12E+4].text:000000709EB4EF28 E9 08 80 52 MOV W9, #0x47 ; 'G'.text:000000709EB4EF2C E9 DF 03 39 STRB W9, [SP,#0x220+var_12E+5].text:000000709EB4EF30 E9 03 1F 2A MOV W9, WZR.text:000000709EB4EF34 E9 E3 03 39 STRB W9, [SP,#0x220+var_12E+6].text:000000709EB4EF38 E2 D3 03 91 ADD X2, SP, #0x220+var_12E+2.text:000000709EB4EF3C 02 5D 00 F9 STR X2, [X8,#0xB8].text:000000709EB4EF40 02 5D 40 F9 LDR X2, [X8,#0xB8].text:000000709EB4EF44 02 59 00 F9 STR X2, [X8,#0xB0].text:000000709EB4EF48 E0 2B 00 F9 STR X0, [SP,#0x220+var_1D0].text:000000709EB4EF4C E1 27 00 F9 STR X1, [SP,#0x220+var_1D8].text:000000709EB4EF50 01 00 00 14 B loc_709EB4EF54.text:000000709EB4EF50.text:000000709EB4EF54.text:000000709EB4EF54 loc_709EB4EF54.text:000000709EB4EF54 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EF58 09 5D 40 F9 LDR X9, [X8,#0xB8].text:000000709EB4EF5C 2A 01 40 39 LDRB W10, [X9].text:000000709EB4EF60 8A 01 00 34 CBZ W10, loc_709EB4EF90.text:000000709EB4EF60.text:000000709EB4EF64 01 00 00 14 B loc_709EB4EF68.text:000000709EB4EF64.text:000000709EB4EF68.text:000000709EB4EF68 loc_709EB4EF68.text:000000709EB4EF68 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EF6C 09 5D 40 F9 LDR X9, [X8,#0xB8].text:000000709EB4EF70 2A 01 40 39 LDRB W10, [X9].text:000000709EB4EF74 4B 7D 04 53 LSR W11, W10, #4.text:000000709EB4EF78 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EB4EF7C 2B 01 00 39 STRB W11, [X9].text:000000709EB4EF80 09 5D 40 F9 LDR X9, [X8,#0xB8].text:000000709EB4EF84 29 05 00 91 ADD X9, X9, #1.text:000000709EB4EF88 09 5D 00 F9 STR X9, [X8,#0xB8].text:000000709EB4EF8C F2 FF FF 17 B loc_709EB4EF54.text:000000709EB4EF8C.text:000000709EB4EF90.text:000000709EB4EF90 loc_709EB4EF90.text:000000709EB4EF90 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4EF94 09 59 40 F9 LDR X9, [X8,#0xB0].text:000000709EB4EF98 4A 10 80 52 MOV W10, #0x82.text:000000709EB4EF9C EA 73 03 39 STRB W10, [SP,#0x220+var_144].text:000000709EB4EFA0 8A 12 80 52 MOV W10, #0x94.text:000000709EB4EFA4 EA 77 03 39 STRB W10, [SP,#0x220+var_143].text:000000709EB4EFA8 8A 18 80 52 MOV W10, #0xC4.text:000000709EB4EFAC EA 7B 03 39 STRB W10, [SP,#0x220+var_142].text:000000709EB4EFB0 CA 14 80 52 MOV W10, #0xA6.text:000000709EB4EFB4 EA 7F 03 39 STRB W10, [SP,#0x220+var_141].text:000000709EB4EFB8 CA 02 80 52 MOV W10, #0x16.text:000000709EB4EFBC EA 83 03 39 STRB W10, [SP,#0x220+var_140].text:000000709EB4EFC0 EB 0C 80 52 MOV W11, #0x67 ; 'g'.text:000000709EB4EFC4 EB 87 03 39 STRB W11, [SP,#0x220+var_13F].text:000000709EB4EFC8 EA 8B 03 39 STRB W10, [SP,#0x220+var_13E].text:000000709EB4EFCC 4A 1E 80 52 MOV W10, #0xF2.text:000000709EB4EFD0 EA 8F 03 39 STRB W10, [SP,#0x220+var_13D].text:000000709EB4EFD4 EB 06 80 52 MOV W11, #0x37 ; '7'.text:000000709EB4EFD8 EB 93 03 39 STRB W11, [SP,#0x220+var_13C].text:000000709EB4EFDC CB 0A 80 52 MOV W11, #0x56 ; 'V'.text:000000709EB4EFE0 EB 97 03 39 STRB W11, [SP,#0x220+var_13B].text:000000709EB4EFE4 CC 06 80 52 MOV W12, #0x36 ; '6'.text:000000709EB4EFE8 EC 9B 03 39 STRB W12, [SP,#0x220+var_13A].text:000000709EB4EFEC EC 0A 80 52 MOV W12, #0x57 ; 'W'.text:000000709EB4EFF0 EC 9F 03 39 STRB W12, [SP,#0x220+var_139].text:000000709EB4EFF4 EC 04 80 52 MOV W12, #0x27 ; '''.text:000000709EB4EFF8 EC A3 03 39 STRB W12, [SP,#0x220+var_138].text:000000709EB4EFFC CC 12 80 52 MOV W12, #0x96.text:000000709EB4F000 EC A7 03 39 STRB W12, [SP,#0x220+var_137].text:000000709EB4F004 EC 08 80 52 MOV W12, #0x47 ; 'G'.text:000000709EB4F008 EC AB 03 39 STRB W12, [SP,#0x220+var_136].text:000000709EB4F00C EC 12 80 52 MOV W12, #0x97.text:000000709EB4F010 EC AF 03 39 STRB W12, [SP,#0x220+var_135].text:000000709EB4F014 EA B3 03 39 STRB W10, [SP,#0x220+var_134].text:000000709EB4F018 8A 16 80 52 MOV W10, #0xB4.text:000000709EB4F01C EA B7 03 39 STRB W10, [SP,#0x220+var_133].text:000000709EB4F020 EB BB 03 39 STRB W11, [SP,#0x220+var_132].text:000000709EB4F024 EC BF 03 39 STRB W12, [SP,#0x220+var_131].text:000000709EB4F028 6A 16 80 52 MOV W10, #0xB3.text:000000709EB4F02C EA C3 03 39 STRB W10, [SP,#0x220+var_130].text:000000709EB4F030 4A 12 80 52 MOV W10, #0x92.text:000000709EB4F034 EA C7 03 39 STRB W10, [SP,#0x220+var_12F].text:000000709EB4F038 AA 0C 80 52 MOV W10, #0x65 ; 'e'.text:000000709EB4F03C EA CB 03 39 STRB W10, [SP,#0x220+var_12E].text:000000709EB4F040 EA 03 1F 2A MOV W10, WZR.text:000000709EB4F044 EA CF 03 39 STRB W10, [SP,#0x220+var_12E+1].text:000000709EB4F048 ED 73 03 91 ADD X13, SP, #0x220+var_144.text:000000709EB4F04C 0D 55 00 F9 STR X13, [X8,#0xA8].text:000000709EB4F050 0D 55 40 F9 LDR X13, [X8,#0xA8].text:000000709EB4F054 0D 51 00 F9 STR X13, [X8,#0xA0].text:000000709EB4F058 E9 23 00 F9 STR X9, [SP,#0x220+var_1E0].text:000000709EB4F05C 01 00 00 14 B loc_709EB4F060.text:000000709EB4F060.text:000000709EB4F060 loc_709EB4F060.text:000000709EB4F060 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F064 09 55 40 F9 LDR X9, [X8,#0xA8].text:000000709EB4F068 2A 01 40 39 LDRB W10, [X9].text:000000709EB4F06C 8A 01 00 34 CBZ W10, loc_709EB4F09C.text:000000709EB4F06C.text:000000709EB4F070 01 00 00 14 B loc_709EB4F074.text:000000709EB4F074.text:000000709EB4F074 loc_709EB4F074.text:000000709EB4F074 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F078 09 55 40 F9 LDR X9, [X8,#0xA8].text:000000709EB4F07C 2A 01 40 39 LDRB W10, [X9].text:000000709EB4F080 4B 7D 04 53 LSR W11, W10, #4.text:000000709EB4F084 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EB4F088 2B 01 00 39 STRB W11, [X9].text:000000709EB4F08C 09 55 40 F9 LDR X9, [X8,#0xA8].text:000000709EB4F090 29 05 00 91 ADD X9, X9, #1.text:000000709EB4F094 09 55 00 F9 STR X9, [X8,#0xA8].text:000000709EB4F098 F2 FF FF 17 B loc_709EB4F060.text:000000709EB4F09C.text:000000709EB4F09C loc_709EB4F09C.text:000000709EB4F09C E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F0A0 03 51 40 F9 LDR X3, [X8,#0xA0].text:000000709EB4F0A4 E5 8F 40 F9 LDR X5, [SP,#0x220+var_108].text:000000709EB4F0A8 E4 03 00 32 MOV W4, #1.text:000000709EB4F0AC E0 2B 40 F9 LDR X0, [SP,#0x220+var_1D0].text:000000709EB4F0B0 E1 27 40 F9 LDR X1, [SP,#0x220+var_1D8].text:000000709EB4F0B4 E2 23 40 F9 LDR X2, [SP,#0x220+var_1E0].text:000000709EB4F0B8 22 01 00 94 BL CallVoidMethod_sub_786D1CD540.text:000000709EB4F0B8.text:000000709EB4F0BC E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F0C0 01 2D 40 F9 LDR X1, [X8,#0x58].text:000000709EB4F0C4 E2 8B 40 F9 LDR X2, [SP,#0x220+var_113+3].text:000000709EB4F0C8 C4 08 80 52 MOV W4, #0x46 ; 'F'.text:000000709EB4F0CC E4 23 03 39 STRB W4, [SP,#0x220+var_15B+3].text:000000709EB4F0D0 C4 1E 80 52 MOV W4, #0xF6.text:000000709EB4F0D4 E4 27 03 39 STRB W4, [SP,#0x220+var_15B+4].text:000000709EB4F0D8 84 0C 80 52 MOV W4, #0x64 ; 'd'.text:000000709EB4F0DC E4 2B 03 39 STRB W4, [SP,#0x220+var_15B+5].text:000000709EB4F0E0 C4 12 80 52 MOV W4, #0x96.text:000000709EB4F0E4 E4 2F 03 39 STRB W4, [SP,#0x220+var_15B+6].text:000000709EB4F0E8 C4 1C 80 52 MOV W4, #0xE6.text:000000709EB4F0EC E4 33 03 39 STRB W4, [SP,#0x220+var_15B+7].text:000000709EB4F0F0 C4 02 80 52 MOV W4, #0x16.text:000000709EB4F0F4 E4 37 03 39 STRB W4, [SP,#0x220+var_153].text:000000709EB4F0F8 C4 18 80 52 MOV W4, #0xC6.text:000000709EB4F0FC E4 3B 03 39 STRB W4, [SP,#0x220+var_152].text:000000709EB4F100 E4 03 1F 2A MOV W4, WZR.text:000000709EB4F104 E4 3F 03 39 STRB W4, [SP,#0x220+var_151].text:000000709EB4F108 E3 23 03 91 ADD X3, SP, #0x220+var_15B+3.text:000000709EB4F10C 03 4D 00 F9 STR X3, [X8,#0x98].text:000000709EB4F110 03 4D 40 F9 LDR X3, [X8,#0x98].text:000000709EB4F114 03 49 00 F9 STR X3, [X8,#0x90].text:000000709EB4F118 E0 3F 00 B9 STR W0, [SP,#0x220+var_1E4].text:000000709EB4F11C E1 1B 00 F9 STR X1, [SP,#0x220+var_1F0].text:000000709EB4F120 E2 17 00 F9 STR X2, [SP,#0x220+var_1F8].text:000000709EB4F124 01 00 00 14 B loc_709EB4F128.text:000000709EB4F124.text:000000709EB4F128.text:000000709EB4F128 loc_709EB4F128.text:000000709EB4F128 ; AES_sub_786D1CCA6C+6F4↓j.text:000000709EB4F128 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F12C 09 4D 40 F9 LDR X9, [X8,#0x98].text:000000709EB4F130 2A 01 40 39 LDRB W10, [X9].text:000000709EB4F134 8A 01 00 34 CBZ W10, loc_709EB4F164.text:000000709EB4F134.text:000000709EB4F138 01 00 00 14 B loc_709EB4F13C.text:000000709EB4F138.text:000000709EB4F13C.text:000000709EB4F13C loc_709EB4F13C.text:000000709EB4F13C E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F140 09 4D 40 F9 LDR X9, [X8,#0x98].text:000000709EB4F144 2A 01 40 39 LDRB W10, [X9].text:000000709EB4F148 4B 7D 04 53 LSR W11, W10, #4.text:000000709EB4F14C 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EB4F150 2B 01 00 39 STRB W11, [X9].text:000000709EB4F154 09 4D 40 F9 LDR X9, [X8,#0x98].text:000000709EB4F158 29 05 00 91 ADD X9, X9, #1.text:000000709EB4F15C 09 4D 00 F9 STR X9, [X8,#0x98].text:000000709EB4F160 F2 FF FF 17 B loc_709EB4F128.text:000000709EB4F160.text:000000709EB4F164.text:000000709EB4F164 loc_709EB4F164.text:000000709EB4F164 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F168 09 49 40 F9 LDR X9, [X8,#0x90].text:000000709EB4F16C 4A 10 80 52 MOV W10, #0x82.text:000000709EB4F170 EA 03 03 39 STRB W10, [SP,#0x220+var_160].text:000000709EB4F174 AA 16 80 52 MOV W10, #0xB5.text:000000709EB4F178 EA 07 03 39 STRB W10, [SP,#0x220+var_15F].text:000000709EB4F17C 8B 04 80 52 MOV W11, #0x24 ; '$'.text:000000709EB4F180 EB 0B 03 39 STRB W11, [SP,#0x220+var_15E].text:000000709EB4F184 4C 12 80 52 MOV W12, #0x92.text:000000709EB4F188 EC 0F 03 39 STRB W12, [SP,#0x220+var_15D].text:000000709EB4F18C EA 13 03 39 STRB W10, [SP,#0x220+var_15C].text:000000709EB4F190 EB 17 03 39 STRB W11, [SP,#0x220+var_15B].text:000000709EB4F194 EA 03 1F 2A MOV W10, WZR.text:000000709EB4F198 EA 1B 03 39 STRB W10, [SP,#0x220+var_15B+1].text:000000709EB4F19C ED 03 03 91 ADD X13, SP, #0x220+var_160.text:000000709EB4F1A0 0D 45 00 F9 STR X13, [X8,#0x88].text:000000709EB4F1A4 0D 45 40 F9 LDR X13, [X8,#0x88].text:000000709EB4F1A8 0D 41 00 F9 STR X13, [X8,#0x80].text:000000709EB4F1AC E9 13 00 F9 STR X9, [SP,#0x220+var_200].text:000000709EB4F1B0 01 00 00 14 B loc_709EB4F1B4.text:000000709EB4F1B0.text:000000709EB4F1B4.text:000000709EB4F1B4 loc_709EB4F1B4.text:000000709EB4F1B4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F1B8 09 45 40 F9 LDR X9, [X8,#0x88].text:000000709EB4F1BC 2A 01 40 39 LDRB W10, [X9].text:000000709EB4F1C0 8A 01 00 34 CBZ W10, loc_709EB4F1F0.text:000000709EB4F1C0.text:000000709EB4F1C4 01 00 00 14 B loc_709EB4F1C8.text:000000709EB4F1C4.text:000000709EB4F1C8.text:000000709EB4F1C8 loc_709EB4F1C8.text:000000709EB4F1C8 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F1CC 09 45 40 F9 LDR X9, [X8,#0x88].text:000000709EB4F1D0 2A 01 40 39 LDRB W10, [X9].text:000000709EB4F1D4 4B 7D 04 53 LSR W11, W10, #4.text:000000709EB4F1D8 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EB4F1DC 2B 01 00 39 STRB W11, [X9].text:000000709EB4F1E0 09 45 40 F9 LDR X9, [X8,#0x88].text:000000709EB4F1E4 29 05 00 91 ADD X9, X9, #1.text:000000709EB4F1E8 09 45 00 F9 STR X9, [X8,#0x88].text:000000709EB4F1EC F2 FF FF 17 B loc_709EB4F1B4.text:000000709EB4F1EC.text:000000709EB4F1F0.text:000000709EB4F1F0 loc_709EB4F1F0.text:000000709EB4F1F0 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F1F4 03 41 40 F9 LDR X3, [X8,#0x80].text:000000709EB4F1F8 04 05 40 F9 LDR X4, [X8,#8].text:000000709EB4F1FC E0 1B 40 F9 LDR X0, [SP,#0x220+var_1F0].text:000000709EB4F200 E1 17 40 F9 LDR X1, [SP,#0x220+var_1F8].text:000000709EB4F204 E2 13 40 F9 LDR X2, [SP,#0x220+var_200].text:000000709EB4F208 E0 00 00 94 BL CallVoidMethod_sub_786D1CD588.text:000000709EB4F208.text:000000709EB4F20C E0 6B 00 F9 STR X0, [SP,#0x220+var_150].text:000000709EB4F210 E8 6B 40 F9 LDR X8, [SP,#0x220+var_150].text:000000709EB4F214 08 01 00 F1 SUBS X8, X8, #0.text:000000709EB4F218 89 5D 86 52 A9 84+MOV W9, #0x9C2532EC.text:000000709EB4F218 B3 72.text:000000709EB4F220 AA 61 87 52 4A 30+MOV W10, #0xB9823B0D.text:000000709EB4F220 B7 72.text:000000709EB4F228 49 01 89 1A CSEL W9, W10, W9, EQ.text:000000709EB4F22C E9 AF 00 B9 STR W9, [SP,#0x220+var_174].text:000000709EB4F230 E8 0F 00 F9 STR X8, [SP,#0x220+var_208].text:000000709EB4F234 5C 00 00 14 B loc_709EB4F3A4.text:000000709EB4F234.text:000000709EB4F238.text:000000709EB4F238 loc_709EB4F238.text:000000709EB4F238 E8 03 1F AA MOV X8, XZR.text:000000709EB4F23C E9 53 40 F9 LDR X9, [SP,#0x220+var_180].text:000000709EB4F240 28 31 00 F9 STR X8, [X9,#0x60].text:000000709EB4F244 0A 81 97 52 2A 4C+MOV W10, #0x5A61BC08.text:000000709EB4F244 AB 72.text:000000709EB4F24C EA AF 00 B9 STR W10, [SP,#0x220+var_174].text:000000709EB4F250 55 00 00 14 B loc_709EB4F3A4.text:000000709EB4F250.text:000000709EB4F254.text:000000709EB4F254 loc_709EB4F254.text:000000709EB4F254 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F258 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F25C E1 6B 40 F9 LDR X1, [SP,#0x220+var_150].text:000000709EB4F260 A3 67 00 94 BL GetArrayLength_sub_786D1E70EC.text:000000709EB4F260.text:000000709EB4F264 E0 BF 00 B9 STR W0, [SP,#0x220+var_164].text:000000709EB4F268 E0 BF 40 B9 LDR W0, [SP,#0x220+var_164].text:000000709EB4F26C 00 04 00 11 ADD W0, W0, #1.text:000000709EB4F270 E1 03 00 2A MOV W1, W0.text:000000709EB4F274 20 7C 40 93 SXTW X0, W1 ; size.text:000000709EB4F278 26 44 FE 97 BL .malloc.text:000000709EB4F278.text:000000709EB4F27C E0 5B 00 F9 STR X0, [SP,#0x220+var_170].text:000000709EB4F280 E0 5B 40 F9 LDR X0, [SP,#0x220+var_170] ; void *.text:000000709EB4F284 E9 BF 40 B9 LDR W9, [SP,#0x220+var_164].text:000000709EB4F288 29 05 00 11 ADD W9, W9, #1.text:000000709EB4F28C E1 03 09 2A MOV W1, W9.text:000000709EB4F290 22 7C 40 93 SXTW X2, W1 ; size_t.text:000000709EB4F294 E9 03 1F 2A MOV W9, WZR.text:000000709EB4F298 E1 03 09 2A MOV W1, W9 ; int.text:000000709EB4F29C E9 17 00 B9 STR W9, [SP,#0x220+var_20C].text:000000709EB4F2A0 B4 44 FE 97 BL .memset.text:000000709EB4F2A0.text:000000709EB4F2A4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F2A8 02 2D 40 F9 LDR X2, [X8,#0x58].text:000000709EB4F2AC E1 6B 40 F9 LDR X1, [SP,#0x220+var_150].text:000000709EB4F2B0 E3 BF 40 B9 LDR W3, [SP,#0x220+var_164].text:000000709EB4F2B4 E4 5B 40 F9 LDR X4, [SP,#0x220+var_170].text:000000709EB4F2B8 E0 07 00 F9 STR X0, [SP,#0x220+var_218].text:000000709EB4F2BC E0 03 02 AA MOV X0, X2.text:000000709EB4F2C0 E2 17 40 B9 LDR W2, [SP,#0x220+var_20C].text:000000709EB4F2C4 07 68 00 94 BL GetByteArrayRegion_sub_786D1E72E0.text:000000709EB4F2C4.text:000000709EB4F2C8 E9 BF 40 B9 LDR W9, [SP,#0x220+var_164].text:000000709EB4F2CC E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F2D0 00 21 40 F9 LDR X0, [X8,#0x40].text:000000709EB4F2D4 09 00 00 B9 STR W9, [X0].text:000000709EB4F2D8 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F2DC 01 15 40 F9 LDR X1, [X8,#0x28].text:000000709EB4F2E0 AA 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F2E0.text:000000709EB4F2E4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F2E8 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F2EC 01 11 40 F9 LDR X1, [X8,#0x20].text:000000709EB4F2F0 A6 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F2F0.text:000000709EB4F2F4 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F2F8 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F2FC 01 0D 40 F9 LDR X1, [X8,#0x18].text:000000709EB4F300 A2 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F300.text:000000709EB4F304 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F308 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F30C 01 05 40 F9 LDR X1, [X8,#8].text:000000709EB4F310 9E 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F310.text:000000709EB4F314 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F318 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F31C 01 01 40 F9 LDR X1, [X8].text:000000709EB4F320 9A 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F320.text:000000709EB4F324 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F328 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F32C E1 8F 40 F9 LDR X1, [SP,#0x220+var_108].text:000000709EB4F330 96 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F330.text:000000709EB4F334 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F338 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F33C E1 8B 40 F9 LDR X1, [SP,#0x220+var_113+3].text:000000709EB4F340 92 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F340.text:000000709EB4F344 E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F348 00 2D 40 F9 LDR X0, [X8,#0x58].text:000000709EB4F34C E1 6B 40 F9 LDR X1, [SP,#0x220+var_150].text:000000709EB4F350 8E 64 00 94 BL DeleteLocalRef_sub_786D1E6588.text:000000709EB4F350.text:000000709EB4F354 E8 5B 40 F9 LDR X8, [SP,#0x220+var_170].text:000000709EB4F358 E0 53 40 F9 LDR X0, [SP,#0x220+var_180].text:000000709EB4F35C 08 30 00 F9 STR X8, [X0,#0x60].text:000000709EB4F360 09 81 97 52 29 4C+MOV W9, #0x5A61BC08.text:000000709EB4F360 AB 72.text:000000709EB4F368 E9 AF 00 B9 STR W9, [SP,#0x220+var_174].text:000000709EB4F36C 0E 00 00 14 B loc_709EB4F3A4.text:000000709EB4F370.text:000000709EB4F370 loc_709EB4F370.text:000000709EB4F370 E8 03 1F AA MOV X8, XZR.text:000000709EB4F374 E9 53 40 F9 LDR X9, [SP,#0x220+var_180].text:000000709EB4F378 28 31 00 F9 STR X8, [X9,#0x60].text:000000709EB4F37C 0A 81 97 52 2A 4C+MOV W10, #0x5A61BC08.text:000000709EB4F37C AB 72.text:000000709EB4F384 EA AF 00 B9 STR W10, [SP,#0x220+var_174].text:000000709EB4F388 07 00 00 14 B loc_709EB4F3A4.text:000000709EB4F388.text:000000709EB4F38C loc_709EB4F38C.text:000000709EB4F38C E8 53 40 F9 LDR X8, [SP,#0x220+var_180].text:000000709EB4F390 00 31 40 F9 LDR X0, [X8,#0x60].text:000000709EB4F394 FF 43 08 91 ADD SP, SP, #0x210.text:000000709EB4F398 FD 7B 41 A9 LDP X29, X30, [SP,#0x10+var_s0].text:000000709EB4F39C FC 07 42 F8 LDR X28, [SP+0x10+var_10],#0x20.text:000000709EB4F3A0 C0 03 5F D6 RET.text:000000709EB4F3A0
如果本地有存放就读取与设备信息一起上报服务器。
5.2、检测系统环境风险
检测多开:
读取maps查找是否有对应的包名特征
//特征com.bly.dkplatcom.lbe.parallelcom.excelliance.dualaidio.va.exposedcom.lody.virtualcom.qihoo.magicio.virtualappcom.deniu.multixposedcom.android.fcameracom.bly.dkplatcom.lbe.parallelcom.excelliance.dualaidio.va.exposedcom.lody.virtual.text:000000709EB69F20.text:000000709EB69F20 ; 检测多开.text:000000709EB69F20 check_dkplat_sub_7363EE8F20.text:000000709EB69F20.text:000000709EB69F20 anonymous_0= -0x8C4.text:000000709EB69F20 anonymous_1= -0x8C0.text:000000709EB69F20 anonymous_2= -0x8BC.text:000000709EB69F20 anonymous_3= -0x8B8.text:000000709EB69F20 anonymous_4= -0x8B4.text:000000709EB69F20 anonymous_5= -0x8B0.text:000000709EB69F20 anonymous_6= -0x8A4.text:000000709EB69F20 anonymous_7= -0x8A0.text:000000709EB69F20 anonymous_8= -0x898.text:000000709EB69F20 anonymous_9= -0x88C.text:000000709EB69F20 anonymous_10= -0x888.text:000000709EB69F20 anonymous_11= -0x880.text:000000709EB69F20 var_87C= -0x87C.text:000000709EB69F20 var_878= -0x878.text:000000709EB69F20 anonymous_12= -0x870.text:000000709EB69F20 anonymous_13= -0x868.text:000000709EB69F20 var_60= -0x60.text:000000709EB69F20 var_54= -0x54.text:000000709EB69F20 var_50= -0x50.text:000000709EB69F20 anonymous_14= -0x42.text:000000709EB69F20 var_38= -0x38.text:000000709EB69F20 var_30= -0x30.text:000000709EB69F20 var_28= -0x28.text:000000709EB69F20 var_20= -0x20.text:000000709EB69F20 var_18= -0x18.text:000000709EB69F20 var_10= -0x10.text:000000709EB69F20 var_s0= 0.text:000000709EB69F20.text:000000709EB69F20 ; __unwind { // 1000.text:000000709EB69F20 FC 4F BE A9 STP X28, X19, [SP,#-0x10+var_10]!.text:000000709EB69F24 FD 7B 01 A9 STP X29, X30, [SP,#0x10+var_s0].text:000000709EB69F28 FD 43 00 91 ADD X29, SP, #0x10.text:000000709EB69F2C FF 03 23 D1 SUB SP, SP, #0x8C0.text:000000709EB69F30 F3 03 00 91 MOV X19, SP.text:000000709EB69F34 A8 01 80 12 MOV W8, #0xFFFFFFF2.text:000000709EB69F38 E9 03 40 B2 MOV X9, #1.text:000000709EB69F3C EA 0B 00 32 MOV W10, #7.text:000000709EB69F40 EB 04 80 52 MOV W11, #0x27 ; '''.text:000000709EB69F44 2C 01 80 12 MOV W12, #0xFFFFFFF6.text:000000709EB69F48 CD 06 80 52 MOV W13, #0x36 ; '6'.text:000000709EB69F4C EE 06 80 52 MOV W14, #0x37 ; '7'.text:000000709EB69F50 CF 0A 80 52 MOV W15, #0x56 ; 'V'.text:000000709EB69F54 30 07 80 12 MOV W16, #0xFFFFFFC6.text:000000709EB69F58 D1 0C 80 52 MOV W17, #0x66 ; 'f'.text:000000709EB69F5C 32 05 80 12 MOV W18, #0xFFFFFFD6.text:000000709EB69F60 C3 02 80 52 MOV W3, #0x16.text:000000709EB69F64 04 00 80 52 MOV W4, #0.text:000000709EB69F68 05 00 80 D2 MOV X5, #0.text:000000709EB69F6C E6 03 00 32 MOV W6, #1.text:000000709EB69F70 A7 43 01 D1 SUB X7, X29, #-var_50.text:000000709EB69F74 A0 83 1D F8 STUR X0, [X29,#var_28].text:000000709EB69F78 A1 03 1D F8 STUR X1, [X29,#var_30].text:000000709EB69F7C A2 83 1C F8 STUR X2, [X29,#var_38].text:000000709EB69F80 E0 03 07 AA MOV X0, X7.text:000000709EB69F84 08 00 00 39 STRB W8, [X0].text:000000709EB69F88 01 00 09 8B ADD X1, X0, X9.text:000000709EB69F8C 0A 04 00 39 STRB W10, [X0,#1].text:000000709EB69F90 20 00 09 8B ADD X0, X1, X9.text:000000709EB69F94 2B 04 00 39 STRB W11, [X1,#1].text:000000709EB69F98 01 00 09 8B ADD X1, X0, X9.text:000000709EB69F9C 0C 04 00 39 STRB W12, [X0,#1].text:000000709EB69FA0 20 00 09 8B ADD X0, X1, X9.text:000000709EB69FA4 2D 04 00 39 STRB W13, [X1,#1].text:000000709EB69FA8 01 00 09 8B ADD X1, X0, X9.text:000000709EB69FAC 08 04 00 39 STRB W8, [X0,#1].text:000000709EB69FB0 20 00 09 8B ADD X0, X1, X9.text:000000709EB69FB4 2E 04 00 39 STRB W14, [X1,#1].text:000000709EB69FB8 01 00 09 8B ADD X1, X0, X9.text:000000709EB69FBC 0F 04 00 39 STRB W15, [X0,#1].text:000000709EB69FC0 20 00 09 8B ADD X0, X1, X9.text:000000709EB69FC4 30 04 00 39 STRB W16, [X1,#1].text:000000709EB69FC8 01 00 09 8B ADD X1, X0, X9.text:000000709EB69FCC 11 04 00 39 STRB W17, [X0,#1].text:000000709EB69FD0 20 00 09 8B ADD X0, X1, X9.text:000000709EB69FD4 28 04 00 39 STRB W8, [X1,#1].text:000000709EB69FD8 01 00 09 8B ADD X1, X0, X9.text:000000709EB69FDC 12 04 00 39 STRB W18, [X0,#1].text:000000709EB69FE0 20 00 09 8B ADD X0, X1, X9.text:000000709EB69FE4 23 04 00 39 STRB W3, [X1,#1].text:000000709EB69FE8 01 00 09 8B ADD X1, X0, X9.text:000000709EB69FEC 0A 04 00 39 STRB W10, [X0,#1].text:000000709EB69FF0 29 00 09 8B ADD X9, X1, X9.text:000000709EB69FF4 2E 04 00 39 STRB W14, [X1,#1].text:000000709EB69FF8 24 05 00 39 STRB W4, [X9,#1].text:000000709EB69FFC A7 83 1E F8 STUR X7, [X29,#var_18].text:000000709EB6A000 A9 83 5E F8 LDUR X9, [X29,#var_18].text:000000709EB6A004 A9 03 1E F8 STUR X9, [X29,#var_20].text:000000709EB6A008 65 2E 00 F9 STR X5, [X19,#0x8D0+var_878].text:000000709EB6A00C 66 56 00 B9 STR W6, [X19,#0x8D0+var_87C].text:000000709EB6A00C.text:000000709EB6A010.text:000000709EB6A010 loc_709EB6A010.text:000000709EB6A010 08 00 80 52 MOV W8, #0.text:000000709EB6A014 A9 83 5E F8 LDUR X9, [X29,#var_18].text:000000709EB6A018 2A 01 40 39 LDRB W10, [X9].text:000000709EB6A01C 4A 1D 00 53 UXTB W10, W10.text:000000709EB6A020 EB 1F 00 32 MOV W11, #0xFF.text:000000709EB6A024 08 01 0B 0A AND W8, W8, W11.text:000000709EB6A028 5F 01 08 6B CMP W10, W8.text:000000709EB6A02C E8 07 9F 1A CSET W8, NE.text:000000709EB6A030 48 00 00 37 TBNZ W8, #0, loc_709EB6A038.text:000000709EB6A030.text:000000709EB6A034 16 00 00 14 B loc_709EB6A08C.text:000000709EB6A034.text:000000709EB6A038.text:000000709EB6A038 loc_709EB6A038.text:000000709EB6A038 E8 0F 1C 32 MOV W8, #0xF0.text:000000709EB6A03C E9 0F 00 32 MOV W9, #0xF.text:000000709EB6A040 EA 03 1E 32 MOV W10, #4.text:000000709EB6A044 EB 03 40 B2 MOV X11, #1.text:000000709EB6A048 AC 83 5E F8 LDUR X12, [X29,#var_18].text:000000709EB6A04C 8D 01 40 39 LDRB W13, [X12].text:000000709EB6A050 AD 1D 00 53 UXTB W13, W13.text:000000709EB6A054 AD 29 CA 1A ASR W13, W13, W10.text:000000709EB6A058 A9 01 09 0A AND W9, W13, W9.text:000000709EB6A05C AC 83 5E F8 LDUR X12, [X29,#var_18].text:000000709EB6A060 8D 01 40 39 LDRB W13, [X12].text:000000709EB6A064 AD 1D 00 53 UXTB W13, W13.text:000000709EB6A068 AA 21 CA 1A LSL W10, W13, W10.text:000000709EB6A06C 48 01 08 0A AND W8, W10, W8.text:000000709EB6A070 28 01 08 2A ORR W8, W9, W8.text:000000709EB6A074 AC 83 5E F8 LDUR X12, [X29,#var_18].text:000000709EB6A078 88 01 00 39 STRB W8, [X12].text:000000709EB6A07C AC 83 5E F8 LDUR X12, [X29,#var_18].text:000000709EB6A080 8B 01 0B 8B ADD X11, X12, X11.text:000000709EB6A084 AB 83 1E F8 STUR X11, [X29,#var_18].text:000000709EB6A088 E2 FF FF 17 B loc_709EB6A010.text:000000709EB6A088.text:000000709EB6A08C loc_709EB6A08C.text:000000709EB6A08C 48 19 97 52 A8 CA+MOV W8, #0x9E55B8CA.text:000000709EB6A08C B3 72.text:000000709EB6A094 E9 F7 7E B2 MOV X9, #0xFFFFFFFFFFFFFFFC.text:000000709EB6A098 EA 03 00 32 MOV W10, #1.text:000000709EB6A09C EB 03 75 B2 MOV X11, #0x800.text:000000709EB6A0A0 01 00 80 52 MOV W1, #0.text:000000709EB6A0A4 AC 03 5E F8 LDUR X12, [X29,#var_20].text:000000709EB6A0A8 AC 03 1C F8 STUR X12, [X29,#anonymous_14+2].text:000000709EB6A0AC A0 03 5C F8 LDUR X0, [X29,#anonymous_14+2].text:000000709EB6A0B0 68 52 00 B9 STR W8, [X19,#0x50].text:000000709EB6A0B4 69 26 00 F9 STR X9, [X19,#0x48].text:000000709EB6A0B8 6A 46 00 B9 STR W10, [X19,#0x44].text:000000709EB6A0BC 6B 1E 00 F9 STR X11, [X19,#0x38].text:000000709EB6A0C0 11 01 00 94 BL open_sub_786D1E8504 ; maps.text:000000709EB6A0C0.text:000000709EB6A0C4 A0 C3 1A B8 STUR W0, [X29,#var_54].text:000000709EB6A0C8 69 1E 40 F9 LDR X9, [X19,#0x38].text:000000709EB6A0CC A9 03 1A F8 STUR X9, [X29,#var_60].text:000000709EB6A0D0 7F 36 00 F9 STR XZR, [X19,#0x68].text:000000709EB6A0D4 68 46 40 B9 LDR W8, [X19,#0x44].text:000000709EB6A0D8 EB 03 08 2A MOV W11, W8.text:000000709EB6A0DC 6B 7D 40 D3 UBFX X11, X11, #0, #0x20 ; ' '.text:000000709EB6A0E0 6C 26 40 F9 LDR X12, [X19,#0x48].text:000000709EB6A0E4 6B 7D 0C 9B MUL X11, X11, X12.text:000000709EB6A0E8 ED 03 00 91 MOV X13, SP.text:000000709EB6A0EC AB 01 0B 8B ADD X11, X13, X11.text:000000709EB6A0F0 6B ED 7C 92 AND X11, X11, #0xFFFFFFFFFFFFFFF0.text:000000709EB6A0F4 7F 01 00 91 MOV SP, X11.text:000000709EB6A0F8 6A 52 40 B9 LDR W10, [X19,#0x50].text:000000709EB6A0FC 6A 01 00 B9 STR W10, [X11].text:000000709EB6A100 6B 1A 00 F9 STR X11, [X19,#0x30].text:000000709EB6A100.text:000000709EB6A104.text:000000709EB6A104 loc_709EB6A104.text:000000709EB6A104 48 19 97 52 A8 CA+MOV W8, #0x9E55B8CA.text:000000709EB6A104 B3 72.text:000000709EB6A10C 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A110 2A 01 40 B9 LDR W10, [X9].text:000000709EB6A114 1F 01 0A 6B CMP W8, W10.text:000000709EB6A118 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A11C 6A 2E 00 B9 STR W10, [X19,#0x2C].text:000000709EB6A120 48 09 00 37 TBNZ W8, #0, loc_709EB6A248.text:000000709EB6A120.text:000000709EB6A124 01 00 00 14 B loc_709EB6A128.text:000000709EB6A124.text:000000709EB6A128.text:000000709EB6A128 loc_709EB6A128.text:000000709EB6A128 E8 03 97 52 C8 4D+MOV W8, #0x4A6EB81F.text:000000709EB6A128 A9 72.text:000000709EB6A130 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A134 1F 01 09 6B CMP W8, W9.text:000000709EB6A138 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A13C 48 0B 00 37 TBNZ W8, #0, loc_709EB6A2A4.text:000000709EB6A13C.text:000000709EB6A140 01 00 00 14 B loc_709EB6A144.text:000000709EB6A140.text:000000709EB6A144.text:000000709EB6A144 loc_709EB6A144.text:000000709EB6A144 A8 7E 85 52 28 6F+MOV W8, #0x63792BF5.text:000000709EB6A144 AC 72.text:000000709EB6A14C 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A150 1F 01 09 6B CMP W8, W9.text:000000709EB6A154 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A158 28 0B 00 37 TBNZ W8, #0, loc_709EB6A2BC.text:000000709EB6A158.text:000000709EB6A15C 01 00 00 14 B loc_709EB6A160.text:000000709EB6A15C.text:000000709EB6A160.text:000000709EB6A160 loc_709EB6A160.text:000000709EB6A160 C8 FB 95 52 E8 2D+MOV W8, #0xD16FAFDE.text:000000709EB6A160 BA 72.text:000000709EB6A168 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A16C 1F 01 09 6B CMP W8, W9.text:000000709EB6A170 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A174 E8 0B 00 37 TBNZ W8, #0, loc_709EB6A2F0.text:000000709EB6A174.text:000000709EB6A178 01 00 00 14 B loc_709EB6A17C.text:000000709EB6A178.text:000000709EB6A17C.text:000000709EB6A17C loc_709EB6A17C.text:000000709EB6A17C A8 4A 90 52 68 F1+MOV W8, #0xE78B8255.text:000000709EB6A17C BC 72.text:000000709EB6A184 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A188 1F 01 09 6B CMP W8, W9.text:000000709EB6A18C E8 17 9F 1A CSET W8, EQ.text:000000709EB6A190 28 0D 00 37 TBNZ W8, #0, loc_709EB6A334.text:000000709EB6A190.text:000000709EB6A194 01 00 00 14 B loc_709EB6A198.text:000000709EB6A194.text:000000709EB6A198.text:000000709EB6A198 loc_709EB6A198.text:000000709EB6A198 C8 CB 8B 52 C8 2E+MOV W8, #0xD9765E5E.text:000000709EB6A198 BB 72.text:000000709EB6A1A0 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A1A4 1F 01 09 6B CMP W8, W9.text:000000709EB6A1A8 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A1AC E8 0C 00 37 TBNZ W8, #0, loc_709EB6A348.text:000000709EB6A1AC.text:000000709EB6A1B0 01 00 00 14 B loc_709EB6A1B4.text:000000709EB6A1B0.text:000000709EB6A1B4.text:000000709EB6A1B4 loc_709EB6A1B4.text:000000709EB6A1B4 A8 AB 9E 52 88 EC+MOV W8, #0xF64F55D.text:000000709EB6A1B4 A1 72.text:000000709EB6A1BC 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A1C0 1F 01 09 6B CMP W8, W9.text:000000709EB6A1C4 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A1C8 28 0F 00 37 TBNZ W8, #0, loc_709EB6A3AC.text:000000709EB6A1C8.text:000000709EB6A1CC 01 00 00 14 B loc_709EB6A1D0.text:000000709EB6A1CC.text:000000709EB6A1D0.text:000000709EB6A1D0 loc_709EB6A1D0.text:000000709EB6A1D0 88 2D 9E 52 C8 CE+MOV W8, #0x6676F16C.text:000000709EB6A1D0 AC 72.text:000000709EB6A1D8 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A1DC 1F 01 09 6B CMP W8, W9.text:000000709EB6A1E0 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A1E4 E8 0F 00 37 TBNZ W8, #0, loc_709EB6A3E0.text:000000709EB6A1E4.text:000000709EB6A1E8 01 00 00 14 B loc_709EB6A1EC.text:000000709EB6A1E8.text:000000709EB6A1EC.text:000000709EB6A1EC loc_709EB6A1EC.text:000000709EB6A1EC C8 C4 81 52 88 04+MOV W8, #0x90240E26.text:000000709EB6A1EC B2 72.text:000000709EB6A1F4 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A1F8 1F 01 09 6B CMP W8, W9.text:000000709EB6A1FC E8 17 9F 1A CSET W8, EQ.text:000000709EB6A200 A8 0F 00 37 TBNZ W8, #0, loc_709EB6A3F4.text:000000709EB6A200.text:000000709EB6A204 01 00 00 14 B loc_709EB6A208.text:000000709EB6A204.text:000000709EB6A208.text:000000709EB6A208 loc_709EB6A208.text:000000709EB6A208 48 1F 91 52 48 A8+MOV W8, #0x8D4288FA.text:000000709EB6A208 B1 72.text:000000709EB6A210 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A214 1F 01 09 6B CMP W8, W9.text:000000709EB6A218 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A21C C8 0F 00 37 TBNZ W8, #0, loc_709EB6A414.text:000000709EB6A21C.text:000000709EB6A220 01 00 00 14 B loc_709EB6A224.text:000000709EB6A220.text:000000709EB6A224.text:000000709EB6A224 loc_709EB6A224.text:000000709EB6A224 A8 ED 81 52 A8 CD+MOV W8, #0x1E6D0F6D.text:000000709EB6A224 A3 72.text:000000709EB6A22C 69 2E 40 B9 LDR W9, [X19,#0x2C].text:000000709EB6A230 1F 01 09 6B CMP W8, W9.text:000000709EB6A234 E8 17 9F 1A CSET W8, EQ.text:000000709EB6A238 88 10 00 37 TBNZ W8, #0, loc_709EB6A448.text:000000709EB6A238.text:000000709EB6A23C 01 00 00 14 B loc_709EB6A240.text:000000709EB6A23C.text:000000709EB6A240.text:000000709EB6A240 loc_709EB6A240.text:000000709EB6A240 01 00 00 14 B loc_709EB6A244.text:000000709EB6A240.text:000000709EB6A244.text:000000709EB6A244 loc_709EB6A244.text:000000709EB6A244 89 00 00 14 B loc_709EB6A468.text:000000709EB6A244.text:000000709EB6A248.text:000000709EB6A248 loc_709EB6A248.text:000000709EB6A248 68 C2 01 91 ADD X8, X19, #0x70 ; 'p'.text:000000709EB6A24C E2 2B 40 B2 MOV X2, #0x7FF ; nbytes.text:000000709EB6A250 A9 ED 81 52 A9 CD+MOV W9, #0x1E6D0F6D.text:000000709EB6A250 A3 72.text:000000709EB6A258 EA 03 97 52 CA 4D+MOV W10, #0x4A6EB81F.text:000000709EB6A258 A9 72.text:000000709EB6A260 0B 00 80 D2 MOV X11, #0.text:000000709EB6A264 A0 C3 5A B8 LDUR W0, [X29,#var_54] ; fd.text:000000709EB6A268 E1 03 08 AA MOV X1, X8 ; buf.text:000000709EB6A26C 6B 12 00 F9 STR X11, [X19,#0x20].text:000000709EB6A270 6A 1E 00 B9 STR W10, [X19,#0x1C].text:000000709EB6A274 69 1A 00 B9 STR W9, [X19,#0x18].text:000000709EB6A278 42 D8 FD 97 BL .read ; 读maps.text:000000709EB6A278.text:000000709EB6A27C 68 12 40 F9 LDR X8, [X19,#0x20].text:000000709EB6A280 1F 00 08 EB CMP X0, X8.text:000000709EB6A284 E9 07 9F 1A CSET W9, NE.text:000000709EB6A288 3F 01 00 72 TST W9, #1.text:000000709EB6A28C 69 1E 40 B9 LDR W9, [X19,#0x1C].text:000000709EB6A290 6A 1A 40 B9 LDR W10, [X19,#0x18].text:000000709EB6A294 2C 11 8A 1A CSEL W12, W9, W10, NE.text:000000709EB6A298 6B 1A 40 F9 LDR X11, [X19,#0x30].text:000000709EB6A29C 6C 01 00 B9 STR W12, [X11].text:000000709EB6A2A0 72 00 00 14 B loc_709EB6A468.text:000000709EB6A2A0.text:000000709EB6A2A4.text:000000709EB6A2A4 loc_709EB6A2A4.text:000000709EB6A2A4 A8 7E 85 52 28 6F+MOV W8, #0x63792BF5.text:000000709EB6A2A4 AC 72.text:000000709EB6A2AC 7F 32 00 F9 STR XZR, [X19,#0x60].text:000000709EB6A2B0 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A2B4 28 01 00 B9 STR W8, [X9].text:000000709EB6A2B8 6C 00 00 14 B loc_709EB6A468.text:000000709EB6A2B8.text:000000709EB6A2BC.text:000000709EB6A2BC loc_709EB6A2BC.text:000000709EB6A2BC 48 1F 91 52 48 A8+MOV W8, #0x8D4288FA.text:000000709EB6A2BC B1 72.text:000000709EB6A2C4 C9 FB 95 52 E9 2D+MOV W9, #0xD16FAFDE.text:000000709EB6A2C4 BA 72.text:000000709EB6A2CC 6A 32 40 F9 LDR X10, [X19,#0x60].text:000000709EB6A2D0 AB 03 5D F8 LDUR X11, [X29,#var_30].text:000000709EB6A2D4 5F 01 0B EB CMP X10, X11.text:000000709EB6A2D8 EC 27 9F 1A CSET W12, CC.text:000000709EB6A2DC 9F 01 00 72 TST W12, #1.text:000000709EB6A2E0 28 11 88 1A CSEL W8, W9, W8, NE.text:000000709EB6A2E4 6A 1A 40 F9 LDR X10, [X19,#0x30].text:000000709EB6A2E8 48 01 00 B9 STR W8, [X10].text:000000709EB6A2EC 5F 00 00 14 B loc_709EB6A468.text:000000709EB6A2EC.text:000000709EB6A2F0.text:000000709EB6A2F0 loc_709EB6A2F0.text:000000709EB6A2F0 C8 CB 8B 52 C8 2E+MOV W8, #0xD9765E5E.text:000000709EB6A2F0 BB 72.text:000000709EB6A2F8 A9 4A 90 52 69 F1+MOV W9, #0xE78B8255.text:000000709EB6A2F8 BC 72.text:000000709EB6A300 EA 03 00 32 MOV W10, #1.text:000000709EB6A304 AB 83 5C F8 LDUR X11, [X29,#var_38].text:000000709EB6A308 6C 32 40 F9 LDR X12, [X19,#0x60].text:000000709EB6A30C 6B 01 0C 8B ADD X11, X11, X12.text:000000709EB6A310 6D 01 40 39 LDRB W13, [X11].text:000000709EB6A314 AD 1D 00 53 UXTB W13, W13.text:000000709EB6A318 BF 01 0A 6B CMP W13, W10.text:000000709EB6A31C EA 17 9F 1A CSET W10, EQ.text:000000709EB6A320 5F 01 00 72 TST W10, #1.text:000000709EB6A324 28 11 88 1A CSEL W8, W9, W8, NE.text:000000709EB6A328 6B 1A 40 F9 LDR X11, [X19,#0x30].text:000000709EB6A32C 68 01 00 B9 STR W8, [X11] ; 字符串解密.text:000000709EB6A330 4E 00 00 14 B loc_709EB6A468.text:000000709EB6A330.text:000000709EB6A334.text:000000709EB6A334 loc_709EB6A334.text:000000709EB6A334 C8 C4 81 52 88 04+MOV W8, #0x90240E26.text:000000709EB6A334 B2 72.text:000000709EB6A33C 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A340 28 01 00 B9 STR W8, [X9].text:000000709EB6A344 49 00 00 14 B loc_709EB6A468.text:000000709EB6A344.text:000000709EB6A348.text:000000709EB6A348 loc_709EB6A348.text:000000709EB6A348 68 C2 01 91 ADD X8, X19, #0x70 ; 'p'.text:000000709EB6A34C E9 03 7D B2 MOV X9, #8.text:000000709EB6A350 8A 2D 9E 52 CA CE+MOV W10, #0x6676F16C.text:000000709EB6A350 AC 72.text:000000709EB6A358 AB AB 9E 52 8B EC+MOV W11, #0xF64F55D.text:000000709EB6A358 A1 72.text:000000709EB6A360 AC 83 5D F8 LDUR X12, [X29,#var_28].text:000000709EB6A364 6D 32 40 F9 LDR X13, [X19,#0x60].text:000000709EB6A368 29 7D 0D 9B MUL X9, X9, X13.text:000000709EB6A36C 89 01 09 8B ADD X9, X12, X9.text:000000709EB6A370 21 01 40 F9 LDR X1, [X9] ; needle.text:000000709EB6A374 E0 03 08 AA MOV X0, X8 ; haystack.text:000000709EB6A378 6B 16 00 B9 STR W11, [X19,#0x14].text:000000709EB6A37C 6A 12 00 B9 STR W10, [X19,#0x10].text:000000709EB6A380 1C D8 FD 97 BL .strstr ; 查找多开特征.text:000000709EB6A380.text:000000709EB6A384 68 2E 40 F9 LDR X8, [X19,#0x58].text:000000709EB6A388 1F 00 08 EB CMP X0, X8.text:000000709EB6A38C EA 07 9F 1A CSET W10, NE.text:000000709EB6A390 5F 01 00 72 TST W10, #1.text:000000709EB6A394 6A 16 40 B9 LDR W10, [X19,#0x14].text:000000709EB6A398 6B 12 40 B9 LDR W11, [X19,#0x10].text:000000709EB6A39C 4E 11 8B 1A CSEL W14, W10, W11, NE.text:000000709EB6A3A0 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A3A4 2E 01 00 B9 STR W14, [X9].text:000000709EB6A3A8 30 00 00 14 B loc_709EB6A468.text:000000709EB6A3A8.text:000000709EB6A3AC.text:000000709EB6A3AC loc_709EB6A3AC.text:000000709EB6A3AC 88 2D 9E 52 C8 CE+MOV W8, #0x6676F16C.text:000000709EB6A3AC AC 72.text:000000709EB6A3B4 A9 83 5C F8 LDUR X9, [X29,#var_38].text:000000709EB6A3B8 6A 32 40 F9 LDR X10, [X19,#0x60].text:000000709EB6A3BC 29 01 0A 8B ADD X9, X9, X10.text:000000709EB6A3C0 6B 56 40 B9 LDR W11, [X19,#0x54].text:000000709EB6A3C4 2B 01 00 39 STRB W11, [X9].text:000000709EB6A3C8 69 36 40 F9 LDR X9, [X19,#0x68].text:000000709EB6A3CC 29 05 00 91 ADD X9, X9, #1.text:000000709EB6A3D0 69 36 00 F9 STR X9, [X19,#0x68].text:000000709EB6A3D4 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A3D8 28 01 00 B9 STR W8, [X9].text:000000709EB6A3DC 23 00 00 14 B loc_709EB6A468.text:000000709EB6A3DC.text:000000709EB6A3E0.text:000000709EB6A3E0 loc_709EB6A3E0.text:000000709EB6A3E0 C8 C4 81 52 88 04+MOV W8, #0x90240E26.text:000000709EB6A3E0 B2 72.text:000000709EB6A3E8 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A3EC 28 01 00 B9 STR W8, [X9].text:000000709EB6A3F0 1E 00 00 14 B loc_709EB6A468.text:000000709EB6A3F0.text:000000709EB6A3F4.text:000000709EB6A3F4 loc_709EB6A3F4.text:000000709EB6A3F4 A8 7E 85 52 28 6F+MOV W8, #0x63792BF5.text:000000709EB6A3F4 AC 72.text:000000709EB6A3FC 69 32 40 F9 LDR X9, [X19,#0x60].text:000000709EB6A400 29 05 00 91 ADD X9, X9, #1.text:000000709EB6A404 69 32 00 F9 STR X9, [X19,#0x60].text:000000709EB6A408 69 1A 40 F9 LDR X9, [X19,#0x30].text:000000709EB6A40C 28 01 00 B9 STR W8, [X9].text:000000709EB6A410 16 00 00 14 B loc_709EB6A468.text:000000709EB6A410.text:000000709EB6A414.text:000000709EB6A414 loc_709EB6A414.text:000000709EB6A414 68 C2 01 91 ADD X8, X19, #0x70 ; 'p'.text:000000709EB6A418 49 19 97 52 A9 CA+MOV W9, #0x9E55B8CA.text:000000709EB6A418 B3 72.text:000000709EB6A420 E2 03 75 B2 MOV X2, #0x800 ; size_t.text:000000709EB6A424 0A 00 80 52 MOV W10, #0.text:000000709EB6A428 E0 03 08 AA MOV X0, X8 ; void *.text:000000709EB6A42C E1 03 0A 2A MOV W1, W10 ; int.text:000000709EB6A430 69 0E 00 B9 STR W9, [X19,#0xC].text:000000709EB6A434 4F D8 FD 97 BL .memset.text:000000709EB6A434.text:000000709EB6A438 69 0E 40 B9 LDR W9, [X19,#0xC].text:000000709EB6A43C 68 1A 40 F9 LDR X8, [X19,#0x30].text:000000709EB6A440 09 01 00 B9 STR W9, [X8].text:000000709EB6A444 09 00 00 14 B loc_709EB6A468.text:000000709EB6A444.text:000000709EB6A448.text:000000709EB6A448 loc_709EB6A448.text:000000709EB6A448 A0 C3 5A B8 LDUR W0, [X29,#var_54] ; fd.text:000000709EB6A44C 81 D7 FD 97 BL .close.text:000000709EB6A44C.text:000000709EB6A450 68 36 40 F9 LDR X8, [X19,#0x68].text:000000709EB6A454 E0 03 08 AA MOV X0, X8.text:000000709EB6A458 BF 43 00 D1 SUB SP, X29, #0x10.text:000000709EB6A45C FD 7B 41 A9 LDP X29, X30, [SP,#0x10+var_s0].text:000000709EB6A460 FC 4F C2 A8 LDP X28, X19, [SP+0x10+var_10],#0x20.text:000000709EB6A464 C0 03 5F D6 RET
5.3、检测xposed
反射loadclass检测是否有xposed
getSystemClassLoaderloadClassde/robv/android/xposed/XposedBridge.text:000000709EAFB72C laodclass_sub_73683BA72C.text:000000709EAFB72C.text:000000709EAFB72C var_38= -0x38.text:000000709EAFB72C var_30= -0x30.text:000000709EAFB72C var_28= -0x28.text:000000709EAFB72C var_20= -0x20.text:000000709EAFB72C var_18= -0x18.text:000000709EAFB72C var_10= -0x10.text:000000709EAFB72C.text:000000709EAFB72C ; __unwind { // 1000.text:000000709EAFB72C FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EAFB730 FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EAFB734 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EAFB738 E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EAFB73C E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EAFB740 E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EAFB744 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EAFB748 E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EAFB74C E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EAFB750 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EAFB754 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EAFB758 E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EAFB75C 50 59 01 94 BL calljavamethond_sub_786D1CFC9C.text:000000709EAFB75C.text:000000709EAFB760 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EAFB764 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EAFB768 C0 03 5F D6 RET
查找进程中是否有包含关键字
xposedbridgelibxposed_art.socom.saurik.substrate
5.4、检测magisk
特征df | grep /sbin/.magiskmount | grep /sbin/.magiskps | grep magiskstrstr /sbin/.magisk /sbin/.magisk.text:000000709EAF75B4 check_magisk_sub_786D1755B4.text:000000709EAF75B4.text:000000709EAF75B4 var_FC= -0xFC.text:000000709EAF75B4 var_8= -8.text:000000709EAF75B4 var_s0= 0.text:000000709EAF75B4.text:000000709EAF75B4 ; __unwind { // 1000.text:000000709EAF75B4 FC 0F 1E F8 STR X28, [SP,#-0x10+var_10]!.text:000000709EAF75B8 FD 7B 01 A9 STP X29, X30, [SP,#0x10+var_s0].text:000000709EAF75BC FD 43 00 91 ADD X29, SP, #0x10.text:000000709EAF75C0 FF C3 05 D1 SUB SP, SP, #0x170.text:000000709EAF75C4 A8 03 03 D1 SUB X8, X29, #-var_C0.text:000000709EAF75C8 00 45 00 F9 STR X0, [X8,#0x88].text:000000709EAF75CC 09 00 80 12 MOV W9, #0xFFFFFFFF.text:000000709EAF75D0 A9 43 1C B8 STUR W9, [X29,#var_3C].text:000000709EAF75D4 E0 03 1F AA MOV X0, XZR.text:000000709EAF75D8 00 3D 00 F9 STR X0, [X8,#0x78].text:000000709EAF75DC 00 39 00 F9 STR X0, [X8,#0x70].text:000000709EAF75E0 00 35 00 F9 STR X0, [X8,#0x68].text:000000709EAF75E4 00 31 00 F9 STR X0, [X8,#0x60].text:000000709EAF75E8 00 2D 00 F9 STR X0, [X8,#0x58].text:000000709EAF75EC 00 29 00 F9 STR X0, [X8,#0x50].text:000000709EAF75F0 00 25 00 F9 STR X0, [X8,#0x48].text:000000709EAF75F4 A0 03 18 F8 STUR X0, [X29,#var_80].text:000000709EAF75F8 A0 83 17 F8 STUR X0, [X29,#var_88].text:000000709EAF75FC A0 03 17 F8 STUR X0, [X29,#var_90].text:000000709EAF7600 A0 83 16 F8 STUR X0, [X29,#var_98].text:000000709EAF7604 A0 03 16 F8 STUR X0, [X29,#var_A0].text:000000709EAF7608 A0 83 15 F8 STUR X0, [X29,#var_A8].text:000000709EAF760C A0 03 15 F8 STUR X0, [X29,#var_B0].text:000000709EAF7610 A0 83 14 F8 STUR X0, [X29,#var_B8].text:000000709EAF7614 A0 03 14 F8 STUR X0, [X29,#var_C0].text:000000709EAF7618 02 45 40 F9 LDR X2, [X8,#0x88].text:000000709EAF761C 81 04 00 D0 21 D4+ADRL X1, td_17041652666579103358 ; " %s | grep /sbin/.magisk".text:000000709EAF761C 2D 91.text:000000709EAF7624 A0 03 03 D1 SUB X0, X29, #-var_C0.text:000000709EAF7628 A9 23 00 D1 SUB X9, X29, #-var_8.text:000000709EAF762C 20 01 10 F8 STUR X0, [X9,#-0x100].text:000000709EAF7630 A9 43 00 D1 SUB X9, X29, #-var_10.text:000000709EAF7634 28 01 10 F8 STUR X8, [X9,#-0x100].text:000000709EAF7638 81 11 00 94 BL sprintf_sub_786D179C3C.text:000000709EAF7638.text:000000709EAF763C E9 03 16 32 MOV W9, #0x400.text:000000709EAF7640 A9 C3 13 B8 STUR W9, [X29,#var_C4].text:000000709EAF7644 A9 C3 53 B8 LDUR W9, [X29,#var_C4].text:000000709EAF7648 E8 03 09 2A MOV W8, W9.text:000000709EAF764C E1 03 00 91 MOV X1, SP.text:000000709EAF7650 A1 03 13 F8 STUR X1, [X29,#var_D0].text:000000709EAF7654 08 3D 00 91 ADD X8, X8, #0xF.text:000000709EAF7658 08 71 7C 92 AND X8, X8, #0x1FFFFFFF0.text:000000709EAF765C E1 03 00 91 MOV X1, SP.text:000000709EAF7660 28 00 08 EB SUBS X8, X1, X8.text:000000709EAF7664 1F 01 00 91 MOV SP, X8.text:000000709EAF7668 E1 03 08 AA MOV X1, X8.text:000000709EAF766C A2 C3 93 B8 LDURSW X2, [X29,#var_C4] ; size_t.text:000000709EAF7670 E9 03 1F 2A MOV W9, WZR.text:000000709EAF7674 AA 53 00 D1 SUB X10, X29, #-var_14.text:000000709EAF7678 40 01 10 B8 STUR W0, [X10,#-0x100].text:000000709EAF767C E0 03 08 AA MOV X0, X8 ; void *.text:000000709EAF7680 A8 83 00 D1 SUB X8, X29, #-var_20.text:000000709EAF7684 01 01 10 F8 STUR X1, [X8,#-0x100].text:000000709EAF7688 E1 03 09 2A MOV W1, W9 ; int.text:000000709EAF768C B9 A3 FF 97 BL .memset.text:000000709EAF768C.text:000000709EAF7690 C1 04 00 90 21 78+ADRL X1, td_9163600524673654173 ; modes.text:000000709EAF7690 27 91.text:000000709EAF7698 A8 23 00 D1 SUB X8, X29, #-var_8.text:000000709EAF769C 08 01 50 F8 LDUR X8, [X8,#-0x100].text:000000709EAF76A0 A9 A3 00 D1 SUB X9, X29, #-var_28.text:000000709EAF76A4 20 01 10 F8 STUR X0, [X9,#-0x100].text:000000709EAF76A8 E0 03 08 AA MOV X0, X8 ; command.text:000000709EAF76AC 89 A3 FF 97 BL .popen ; 执行命令.text:000000709EAF76AC.text:000000709EAF76B0 A8 43 00 D1 SUB X8, X29, #-var_10.text:000000709EAF76B4 08 01 50 F8 LDUR X8, [X8,#-0x100].text:000000709EAF76B8 00 4D 00 F9 STR X0, [X8,#0x98].text:000000709EAF76BC 00 4D 40 F9 LDR X0, [X8,#0x98].text:000000709EAF76C0 A0 83 12 F8 STUR X0, [X29,#var_D8].text:000000709EAF76C4 89 2C 97 52 69 B0+MOV W9, #0xED83B964.text:000000709EAF76C4 BD 72.text:000000709EAF76CC A9 43 10 B8 STUR W9, [X29,#var_FC].text:000000709EAF76D0 01 00 00 14 B loc_709EAF76D4.text:000000709EAF76D0.text:000000709EAF76D4.text:000000709EAF76D4 loc_709EAF76D4.text:000000709EAF76D4 A8 43 50 B8 LDUR W8, [X29,#var_FC].text:000000709EAF76D8 E9 03 08 2A MOV W9, W8.text:000000709EAF76DC AA 73 83 52 2A E7+MOV W10, #0x87391B9D.text:000000709EAF76DC B0 72.text:000000709EAF76E4 08 01 0A 6B SUBS W8, W8, W10.text:000000709EAF76E8 AA B3 00 D1 SUB X10, X29, #-var_2C.text:000000709EAF76EC 49 01 10 B8 STUR W9, [X10,#-0x100].text:000000709EAF76F0 A9 C3 00 D1 SUB X9, X29, #-var_30.text:000000709EAF76F4 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF76F8 80 15 00 54 B.EQ loc_709EAF79A8.text:000000709EAF76F8.text:000000709EAF76FC 01 00 00 14 B loc_709EAF7700.text:000000709EAF76FC.text:000000709EAF7700.text:000000709EAF7700 loc_709EAF7700.text:000000709EAF7700 48 87 82 52 88 E3+MOV W8, #0xC71C143A.text:000000709EAF7700 B8 72.text:000000709EAF7708 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF770C 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF7710 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF7714 A9 D3 00 D1 SUB X9, X29, #-var_34.text:000000709EAF7718 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF771C 00 18 00 54 B.EQ loc_709EAF7A1C.text:000000709EAF771C.text:000000709EAF7720 01 00 00 14 B loc_709EAF7724.text:000000709EAF7720.text:000000709EAF7724.text:000000709EAF7724 loc_709EAF7724.text:000000709EAF7724 08 01 9D 52 68 89+MOV W8, #0xD44BE808.text:000000709EAF7724 BA 72.text:000000709EAF772C A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF7730 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF7734 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF7738 A9 E3 00 D1 SUB X9, X29, #-var_38.text:000000709EAF773C 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF7740 20 1A 00 54 B.EQ loc_709EAF7A84.text:000000709EAF7740.text:000000709EAF7744 01 00 00 14 B loc_709EAF7748.text:000000709EAF7744.text:000000709EAF7748.text:000000709EAF7748 loc_709EAF7748.text:000000709EAF7748 88 2C 97 52 68 B0+MOV W8, #0xED83B964.text:000000709EAF7748 BD 72.text:000000709EAF7750 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF7754 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF7758 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF775C A9 F3 00 D1 SUB X9, X29, #-var_3C.text:000000709EAF7760 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF7764 40 08 00 54 B.EQ loc_709EAF786C.text:000000709EAF7764.text:000000709EAF7768 01 00 00 14 B loc_709EAF776C.text:000000709EAF7768.text:000000709EAF776C.text:000000709EAF776C loc_709EAF776C.text:000000709EAF776C 48 0E 8C 52 88 A1+MOV W8, #0xFD0C6072.text:000000709EAF776C BF 72.text:000000709EAF7774 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF7778 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF777C 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF7780 A9 03 01 D1 SUB X9, X29, #-var_40.text:000000709EAF7784 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF7788 C0 18 00 54 B.EQ loc_709EAF7AA0.text:000000709EAF7788.text:000000709EAF778C 01 00 00 14 B loc_709EAF7790.text:000000709EAF778C.text:000000709EAF7790.text:000000709EAF7790 loc_709EAF7790.text:000000709EAF7790 A8 23 87 52 68 B4+MOV W8, #0xFDA3391D.text:000000709EAF7790 BF 72.text:000000709EAF7798 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF779C 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF77A0 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF77A4 A9 13 01 D1 SUB X9, X29, #-var_44.text:000000709EAF77A8 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF77AC E0 14 00 54 B.EQ loc_709EAF7A48.text:000000709EAF77AC.text:000000709EAF77B0 01 00 00 14 B loc_709EAF77B4.text:000000709EAF77B0.text:000000709EAF77B4.text:000000709EAF77B4 loc_709EAF77B4.text:000000709EAF77B4 E8 15 90 52 A8 8E+MOV W8, #0x147580AF.text:000000709EAF77B4 A2 72.text:000000709EAF77BC A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF77C0 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF77C4 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF77C8 A9 23 01 D1 SUB X9, X29, #-var_48.text:000000709EAF77CC 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF77D0 80 07 00 54 B.EQ loc_709EAF78C0.text:000000709EAF77D0.text:000000709EAF77D4 01 00 00 14 B loc_709EAF77D8.text:000000709EAF77D4.text:000000709EAF77D8.text:000000709EAF77D8 loc_709EAF77D8.text:000000709EAF77D8 28 D8 87 52 88 44+MOV W8, #0x62243EC1.text:000000709EAF77D8 AC 72.text:000000709EAF77E0 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF77E4 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF77E8 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF77EC A9 33 01 D1 SUB X9, X29, #-var_4C.text:000000709EAF77F0 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF77F4 80 0F 00 54 B.EQ loc_709EAF79E4.text:000000709EAF77F4.text:000000709EAF77F8 01 00 00 14 B loc_709EAF77FC.text:000000709EAF77F8.text:000000709EAF77FC.text:000000709EAF77FC loc_709EAF77FC.text:000000709EAF77FC 48 8D 8B 52 28 E2+MOV W8, #0x67115C6A.text:000000709EAF77FC AC 72.text:000000709EAF7804 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF7808 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF780C 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF7810 A9 43 01 D1 SUB X9, X29, #-var_50.text:000000709EAF7814 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF7818 00 11 00 54 B.EQ loc_709EAF7A38.text:000000709EAF7818.text:000000709EAF781C 01 00 00 14 B loc_709EAF7820.text:000000709EAF781C.text:000000709EAF7820.text:000000709EAF7820 loc_709EAF7820.text:000000709EAF7820 68 82 99 52 88 24+MOV W8, #0x7924CC13.text:000000709EAF7820 AF 72.text:000000709EAF7828 A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF782C 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF7830 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF7834 A9 53 01 D1 SUB X9, X29, #-var_54.text:000000709EAF7838 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF783C 20 03 00 54 B.EQ loc_709EAF78A0.text:000000709EAF783C.text:000000709EAF7840 01 00 00 14 B loc_709EAF7844.text:000000709EAF7840.text:000000709EAF7844.text:000000709EAF7844 loc_709EAF7844.text:000000709EAF7844 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED.text:000000709EAF7844 AF 72.text:000000709EAF784C A9 B3 00 D1 SUB X9, X29, #-var_2C.text:000000709EAF7850 29 01 50 B8 LDUR W9, [X9,#-0x100].text:000000709EAF7854 28 01 08 6B SUBS W8, W9, W8.text:000000709EAF7858 A9 63 01 D1 SUB X9, X29, #-var_58.text:000000709EAF785C 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF7860 00 13 00 54 B.EQ loc_709EAF7AC0.text:000000709EAF7860.text:000000709EAF7864 01 00 00 14 B loc_709EAF7868.text:000000709EAF7864.text:000000709EAF7868.text:000000709EAF7868 loc_709EAF7868.text:000000709EAF7868 9D 00 00 14 B loc_709EAF7ADC.text:000000709EAF7868.text:000000709EAF786C.text:000000709EAF786C loc_709EAF786C.text:000000709EAF786C A8 43 00 D1 SUB X8, X29, #-var_10.text:000000709EAF7870 08 01 50 F8 LDUR X8, [X8,#-0x100].text:000000709EAF7874 09 4D 40 F9 LDR X9, [X8,#0x98].text:000000709EAF7878 29 01 00 F1 SUBS X9, X9, #0.text:000000709EAF787C EA 15 90 52 AA 8E+MOV W10, #0x147580AF.text:000000709EAF787C A2 72.text:000000709EAF7884 6B 82 99 52 8B 24+MOV W11, #0x7924CC13.text:000000709EAF7884 AF 72.text:000000709EAF788C 6A 01 8A 1A CSEL W10, W11, W10, EQ.text:000000709EAF7890 AA 43 10 B8 STUR W10, [X29,#var_FC].text:000000709EAF7894 A8 83 01 D1 SUB X8, X29, #-var_60.text:000000709EAF7898 09 01 10 F8 STUR X9, [X8,#-0x100].text:000000709EAF789C 90 00 00 14 B loc_709EAF7ADC.text:000000709EAF789C.text:000000709EAF78A0.text:000000709EAF78A0 loc_709EAF78A0.text:000000709EAF78A0 E8 03 1F 2A MOV W8, WZR.text:000000709EAF78A4 A8 43 1D B8 STUR W8, [X29,#var_2C].text:000000709EAF78A8 E8 03 00 32 MOV W8, #1.text:000000709EAF78AC A8 43 12 B8 STUR W8, [X29,#var_DC].text:000000709EAF78B0 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED.text:000000709EAF78B0 AF 72.text:000000709EAF78B8 A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF78BC 88 00 00 14 B loc_709EAF7ADC.text:000000709EAF78BC.text:000000709EAF78C0.text:000000709EAF78C0 loc_709EAF78C0.text:000000709EAF78C0 E8 03 1F 2A MOV W8, WZR.text:000000709EAF78C4 A8 03 12 B8 STUR W8, [X29,#var_E0].text:000000709EAF78C8 49 1E 80 52 MOV W9, #0xF2.text:000000709EAF78CC A9 83 10 38 STURB W9, [X29,#var_F8].text:000000709EAF78D0 EA 06 80 52 MOV W10, #0x37 ; '7'.text:000000709EAF78D4 AA 93 10 38 STURB W10, [X29,#var_F7].text:000000709EAF78D8 CB 04 80 52 MOV W11, #0x26 ; '&'.text:000000709EAF78DC AB A3 10 38 STURB W11, [X29,#var_F6].text:000000709EAF78E0 CB 12 80 52 MOV W11, #0x96.text:000000709EAF78E4 AB B3 10 38 STURB W11, [X29,#var_F5].text:000000709EAF78E8 CC 1C 80 52 MOV W12, #0xE6.text:000000709EAF78EC AC C3 10 38 STURB W12, [X29,#var_F4].text:000000709EAF78F0 A9 D3 10 38 STURB W9, [X29,#var_F3].text:000000709EAF78F4 49 1C 80 52 MOV W9, #0xE2.text:000000709EAF78F8 A9 E3 10 38 STURB W9, [X29,#var_F2].text:000000709EAF78FC C9 1A 80 52 MOV W9, #0xD6.text:000000709EAF7900 A9 F3 10 38 STURB W9, [X29,#var_F1].text:000000709EAF7904 C9 02 80 52 MOV W9, #0x16.text:000000709EAF7908 A9 03 11 38 STURB W9, [X29,#var_F0].text:000000709EAF790C C9 0E 80 52 MOV W9, #0x76 ; 'v'.text:000000709EAF7910 A9 13 11 38 STURB W9, [X29,#var_EF].text:000000709EAF7914 AB 23 11 38 STURB W11, [X29,#var_EE].text:000000709EAF7918 AA 33 11 38 STURB W10, [X29,#var_ED].text:000000709EAF791C C9 16 80 52 MOV W9, #0xB6.text:000000709EAF7920 A9 43 11 38 STURB W9, [X29,#var_EC].text:000000709EAF7924 A8 53 11 38 STURB W8, [X29,#var_EB].text:000000709EAF7928 AD E3 03 D1 SUB X13, X29, #-var_F8.text:000000709EAF792C A8 43 00 D1 SUB X8, X29, #-var_10.text:000000709EAF7930 0E 01 50 F8 LDUR X14, [X8,#-0x100].text:000000709EAF7934 CD 55 00 F9 STR X13, [X14,#0xA8].text:000000709EAF7938 CD 55 40 F9 LDR X13, [X14,#0xA8].text:000000709EAF793C CD 51 00 F9 STR X13, [X14,#0xA0].text:000000709EAF7940 01 00 00 14 B loc_709EAF7944.text:000000709EAF7940.text:000000709EAF7944.text:000000709EAF7944 loc_709EAF7944.text:000000709EAF7944 A8 43 00 D1 SUB X8, X29, #-var_10.text:000000709EAF7948 08 01 50 F8 LDUR X8, [X8,#-0x100].text:000000709EAF794C 09 55 40 F9 LDR X9, [X8,#0xA8].text:000000709EAF7950 2A 01 40 39 LDRB W10, [X9].text:000000709EAF7954 AA 01 00 34 CBZ W10, loc_709EAF7988.text:000000709EAF7954.text:000000709EAF7958 01 00 00 14 B loc_709EAF795C.text:000000709EAF7958.text:000000709EAF795C.text:000000709EAF795C loc_709EAF795C.text:000000709EAF795C A8 43 00 D1 SUB X8, X29, #-var_10.text:000000709EAF7960 08 01 50 F8 LDUR X8, [X8,#-0x100].text:000000709EAF7964 09 55 40 F9 LDR X9, [X8,#0xA8].text:000000709EAF7968 2A 01 40 39 LDRB W10, [X9].text:000000709EAF796C 4B 7D 04 53 LSR W11, W10, #4.text:000000709EAF7970 4B 1D 1C 33 BFI W11, W10, #4, #8.text:000000709EAF7974 2B 01 00 39 STRB W11, [X9].text:000000709EAF7978 09 55 40 F9 LDR X9, [X8,#0xA8].text:000000709EAF797C 29 05 00 91 ADD X9, X9, #1.text:000000709EAF7980 09 55 00 F9 STR X9, [X8,#0xA8].text:000000709EAF7984 F0 FF FF 17 B loc_709EAF7944.text:000000709EAF7984.text:000000709EAF7988.text:000000709EAF7988 loc_709EAF7988.text:000000709EAF7988 A8 43 00 D1 SUB X8, X29, #-var_10.text:000000709EAF798C 08 01 50 F8 LDUR X8, [X8,#-0x100].text:000000709EAF7990 09 51 40 F9 LDR X9, [X8,#0xA0].text:000000709EAF7994 A9 83 11 F8 STUR X9, [X29,#var_E8].text:000000709EAF7998 AA 73 83 52 2A E7+MOV W10, #0x87391B9D.text:000000709EAF7998 B0 72.text:000000709EAF79A0 AA 43 10 B8 STUR W10, [X29,#var_FC].text:000000709EAF79A4 4E 00 00 14 B loc_709EAF7ADC.text:000000709EAF79A4.text:000000709EAF79A8.text:000000709EAF79A8 loc_709EAF79A8.text:000000709EAF79A8 A1 C3 53 B8 LDUR W1, [X29,#var_C4] ; n.text:000000709EAF79AC A2 83 52 F8 LDUR X2, [X29,#var_D8] ; stream.text:000000709EAF79B0 A8 83 00 D1 SUB X8, X29, #-var_20.text:000000709EAF79B4 00 01 50 F8 LDUR X0, [X8,#-0x100] ; s.text:000000709EAF79B8 82 A3 FF 97 BL .fgets.text:000000709EAF79B8.text:000000709EAF79BC 00 00 00 F1 SUBS X0, X0, #0.text:000000709EAF79C0 A1 23 87 52 61 B4+MOV W1, #0xFDA3391D.text:000000709EAF79C0 BF 72.text:000000709EAF79C8 28 D8 87 52 88 44+MOV W8, #0x62243EC1.text:000000709EAF79C8 AC 72.text:000000709EAF79D0 08 11 81 1A CSEL W8, W8, W1, NE.text:000000709EAF79D4 A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF79D8 A8 A3 01 D1 SUB X8, X29, #-var_68.text:000000709EAF79DC 00 01 10 F8 STUR X0, [X8,#-0x100].text:000000709EAF79E0 3F 00 00 14 B loc_709EAF7ADC.text:000000709EAF79E0.text:000000709EAF79E4.text:000000709EAF79E4 loc_709EAF79E4.text:000000709EAF79E4 A1 83 51 F8 LDUR X1, [X29,#var_E8] ; needle.text:000000709EAF79E8 A8 83 00 D1 SUB X8, X29, #-var_20.text:000000709EAF79EC 00 01 50 F8 LDUR X0, [X8,#-0x100] ; haystack.text:000000709EAF79F0 80 A2 FF 97 BL .strstr ; 查找特征.text:000000709EAF79F0.text:000000709EAF79F4 00 00 00 F1 SUBS X0, X0, #0.text:000000709EAF79F8 48 8D 8B 52 28 E2+MOV W8, #0x67115C6A.text:000000709EAF79F8 AC 72.text:000000709EAF7A00 49 87 82 52 89 E3+MOV W9, #0xC71C143A.text:000000709EAF7A00 B8 72.text:000000709EAF7A08 28 11 88 1A CSEL W8, W9, W8, NE.text:000000709EAF7A0C A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF7A10 A8 C3 01 D1 SUB X8, X29, #-var_70.text:000000709EAF7A14 00 01 10 F8 STUR X0, [X8,#-0x100].text:000000709EAF7A18 31 00 00 14 B loc_709EAF7ADC.text:000000709EAF7A18.text:000000709EAF7A1C.text:000000709EAF7A1C loc_709EAF7A1C.text:000000709EAF7A1C A8 03 52 B8 LDUR W8, [X29,#var_E0].text:000000709EAF7A20 08 05 00 11 ADD W8, W8, #1.text:000000709EAF7A24 A8 03 12 B8 STUR W8, [X29,#var_E0].text:000000709EAF7A28 A8 23 87 52 68 B4+MOV W8, #0xFDA3391D.text:000000709EAF7A28 BF 72.text:000000709EAF7A30 A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF7A34 2A 00 00 14 B loc_709EAF7ADC.text:000000709EAF7A34.text:000000709EAF7A38.text:000000709EAF7A38 loc_709EAF7A38.text:000000709EAF7A38 A8 73 83 52 28 E7+MOV W8, #0x87391B9D.text:000000709EAF7A38 B0 72.text:000000709EAF7A40 A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF7A44 26 00 00 14 B loc_709EAF7ADC.text:000000709EAF7A44.text:000000709EAF7A48.text:000000709EAF7A48 loc_709EAF7A48.text:000000709EAF7A48 A0 83 52 F8 LDUR X0, [X29,#var_D8] ; stream.text:000000709EAF7A4C F9 A1 FF 97 BL .pclose.text:000000709EAF7A4C.text:000000709EAF7A50 A8 03 52 B8 LDUR W8, [X29,#var_E0].text:000000709EAF7A54 08 01 00 71 SUBS W8, W8, #0.text:000000709EAF7A58 49 0E 8C 52 89 A1+MOV W9, #0xFD0C6072.text:000000709EAF7A58 BF 72.text:000000709EAF7A60 0A 01 9D 52 6A 89+MOV W10, #0xD44BE808.text:000000709EAF7A60 BA 72.text:000000709EAF7A68 49 11 89 1A CSEL W9, W10, W9, NE.text:000000709EAF7A6C A9 43 10 B8 STUR W9, [X29,#var_FC].text:000000709EAF7A70 A9 D3 01 D1 SUB X9, X29, #-var_74.text:000000709EAF7A74 20 01 10 B8 STUR W0, [X9,#-0x100].text:000000709EAF7A78 A9 E3 01 D1 SUB X9, X29, #-var_78.text:000000709EAF7A7C 28 01 10 B8 STUR W8, [X9,#-0x100].text:000000709EAF7A80 17 00 00 14 B loc_709EAF7ADC.text:000000709EAF7A80.text:000000709EAF7A84.text:000000709EAF7A84 loc_709EAF7A84.text:000000709EAF7A84 E8 03 00 32 MOV W8, #1.text:000000709EAF7A88 A8 43 1D B8 STUR W8, [X29,#var_2C].text:000000709EAF7A8C A8 43 12 B8 STUR W8, [X29,#var_DC].text:000000709EAF7A90 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED.text:000000709EAF7A90 AF 72.text:000000709EAF7A98 A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF7A9C 10 00 00 14 B loc_709EAF7ADC.text:000000709EAF7A9C.text:000000709EAF7AA0.text:000000709EAF7AA0 loc_709EAF7AA0.text:000000709EAF7AA0 E8 03 1F 2A MOV W8, WZR.text:000000709EAF7AA4 A8 43 1D B8 STUR W8, [X29,#var_2C].text:000000709EAF7AA8 E8 03 00 32 MOV W8, #1.text:000000709EAF7AAC A8 43 12 B8 STUR W8, [X29,#var_DC].text:000000709EAF7AB0 A8 9D 8F 52 A8 94+MOV W8, #0x7CA57CED.text:000000709EAF7AB0 AF 72.text:000000709EAF7AB8 A8 43 10 B8 STUR W8, [X29,#var_FC].text:000000709EAF7ABC 08 00 00 14 B loc_709EAF7ADC.text:000000709EAF7ABC.text:000000709EAF7AC0.text:000000709EAF7AC0 loc_709EAF7AC0.text:000000709EAF7AC0 A8 03 53 F8 LDUR X8, [X29,#var_D0].text:000000709EAF7AC4 1F 01 00 91 MOV SP, X8.text:000000709EAF7AC8 A0 43 5D B8 LDUR W0, [X29,#var_2C].text:000000709EAF7ACC BF 43 00 D1 SUB SP, X29, #0x10.text:000000709EAF7AD0 FD 7B 41 A9 LDP X29, X30, [SP,#0x10+var_s0].text:000000709EAF7AD4 FC 07 42 F8 LDR X28, [SP+0x10+var_10],#0x20.text:000000709EAF7AD8 C0 03 5F D6 RET
5.5、检测自动点击
access/data/data/net.aisence.Touchelper/data/data/com.cyjh.mobileanjian/data/data/com.touchsprite.androidcn.testin.itestincom.tencent.wetestcom.alibaba.mtl.mdp.kguardcom.tencent.wetest.softkeyboardcom.baidu.crowdtest.mobileinfo
5.6、检测模拟器
access/system/lib/libc_malloc_debug_qemu.so/sys/qemu_trace/system/bin/qemu-props/dev/socket/qemud/dev/qemu_pipe/dev/socket/genyd/dev/socket/baseband_genyd/sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq/system/bin/androVM-prop/system/bin/microvirt-prop/system/lib/libdroid4x.so/system/bin/windroyed/system/bin/microvirtd/system/bin/nox-props/system/bin/ttVM-prop/system/bin/droid4x-prop/data/.bluestacks.prop/data/local/tmp/tc/mobileagent/sdcard/.f22/sdcard/.f22/PhoneInfo.f22/sdcard/.f22/wxpic/dev/vboxuser/dev/vboxguest/system/bin/genybaseband//查找包名com.ami.duosupdater.uicom.bluestacks.homecom.bluestacks.windowsfilemanagercom.bluestacks.settingscom.bluestacks.bluestackslocationprovidercom.ami.launchmetrocom.ami.syncduosservicescom.bluestacks.appsettingscom.bluestacks.bstfoldercom.bluestacks.BstCommandProcessorcom.bluestacks.s2pcom.kaopu001.tiantianserver__system_property_getinit.svc.vbox86-setupinit.svc.droid4xinit.svc.su_kpbs_daemoninit.svc.noxdinit.svc.ttVM_x86-setupinit.svc.xxkmsginit.svc.microvirtdro.kernel.android.qemudandroVM.vbox_dpiandroVM.vbox_graph_modero.product.manufacturerpersist.phone.idpersist.hide_10070persist.hide_xxxxqemu.sf.fake_cameraqemu.sf.lcd_densityro.bootloaderinit.svc.qemu-props
5.7、检测云手机
accessgetPackageInfo //比较包名com.haimawan.cloudappstorecom.picoo.launchercom.svox.picocom.baidu.mtc.yseracom.baidu.mtc.new_monkey.testcom.baidu.crowdtest.mobileinfocn.testin.itestin
样本获取方式,关注公众号,公众号输入框回复“td” 获取下载链接。
作者简介:
我是小三,目前从事软件安全相关工作,虽己工作多年,但内心依然有着执着的追求,信奉终身成长,不定义自己,热爱技术但不拘泥于技术,爱好分享,喜欢读书和乐于结交朋友,欢迎加我微信与我交朋友(公众号输入框回复“wx”即可)
未完,接下一篇
原文始发于微信公众号(矛和盾的故事):某老牌反作弊产品分析-(存在加密漏洞可被中间人攻击)一
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论