0x01背景
在逆向保护技巧中,常见到反调试。我这里写了一个包含几种反调试手段的 demo 程序。
反调试代码在github
这篇汇总了17种方案:https://bbs.pediy.com/thread-223460.htm
0x02逆向分析方法一
当然我们逆向看到的都是ARM汇编。就从汇编看起
.text:000040C2 ALIGN 4 //对齐
.text:000040C4
.text:000040C4 ; =============== S U B R O U T I N E =======================================
.text:000040C4
.text:000040C4 ; Attributes: bp-based frame
.text:000040C4
.text:000040C4 ; _DWORD anti_debug01(void)
.text:000040C4 EXPORT _Z12anti_debug01v
.text:000040C4 _Z12anti_debug01v
.text:000040C4
.text:000040C4 var_14 = -0x14
.text:000040C4 var_10 = -0x10
.text:000040C4 var_C = -0xC
.text:000040C4
.text:000040C4 PUSH {R4,R6,R7,LR};参数入栈顺序从右到左
.text:000040C6 ADD R7, SP, #8 ;r7=sp+8
.text:000040C8 SUB SP, SP, #0x10;sp=sp+0x10
.text:000040CA MOVS R0, #0 ; request
.text:000040CC STR R0, [SP,#0x18+var_C] ;将r0的值写入[SP,#0x18+var_C] 内存地址
.text:000040CE LDR R1, [SP,#0x18+var_C]
.text:000040D0 LDR R2, [SP,#0x18+var_C]
.text:000040D2 LDR R3, [SP,#0x18+var_C]
.text:000040D4 BL j_j_ptrace;不懂为什么函数前要加上这个j_j_
.text:000040D8 LDR R1, =(aTsl - 0x40DE)
.text:000040DA ADD R1, PC ; "TSL"
.text:000040DC LDR R2, =(aS - 0x40E2)
.text:000040DE ADD R2, PC ; "%s"
.text:000040E0 LDR R3, =(aAntidebug01Run - 0x40E6)
.text:000040E2 ADD R3, PC ; "antidebug01 run"
.text:000040E4 MOVS R4, #3
.text:000040E6 STR R0, [SP,#0x18+var_10]
.text:000040E8 PUSH {R4}
.text:000040EA POP {R0}
.text:000040EC BL j_j___android_log_print
.text:000040F0 STR R0, [SP,#0x18+var_14]
.text:000040F2 ADD SP, SP, #0x10
.text:000040F4 POP {R4,R6,R7,PC}
.text:000040F4 ; End of function anti_debug01(void)
.text:000040F4
.text:000040F4 ; ---------------------------------------------------------------------------
ida F5后的结果
int anti_debug01(void)
{
// Hex-Rays output for the listing above. Request 0 is PTRACE_TRACEME, so this is
// ptrace(PTRACE_TRACEME, 0, 0, 0); the return value is discarded.
j_j_ptrace(0, 0, 0, 0);
// Priority 3 is ANDROID_LOG_DEBUG, presumably what the LOGD macro expands to.
return j_j___android_log_print(3, "TSL", "%s", "antidebug01 run");
}
原方法如下:
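// Method 1: trace itself with PTRACE_TRACEME. A process can have only one
// tracer, so once this succeeds a debugger can no longer attach.
//
// Side effect: the calling process becomes traced by its parent. No return
// value; the outcome is only logged via LOGD.
void anti_debug01(void){
    // The original discarded the result. ptrace() returns -1 on failure, and
    // PTRACE_TRACEME is refused when a tracer is already attached, so a failure
    // here is itself a signal worth logging.
    long rc = ptrace(PTRACE_TRACEME, 0, 0, 0);
    if (rc == -1) {
        LOGD("%s", "antidebug01 ptrace failed");
    }
    LOGD("%s","antidebug01 run");
}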
0x03逆向分析方法二
.text:00004104 ; =============== S U B R O U T I N E =======================================
.text:00004104
.text:00004104 ; Attributes: bp-based frame
.text:00004104
.text:00004104 ; anti_debug02(void)
.text:00004104 EXPORT _Z12anti_debug02v
.text:00004104 _Z12anti_debug02v
.text:00004104
.text:00004104 var_850 = -0x850
.text:00004104 var_84C = -0x84C
.text:00004104 var_848 = -0x848
.text:00004104 var_844 = -0x844
.text:00004104 var_840 = -0x840
.text:00004104 var_83C = -0x83C
.text:00004104 s2 = -0x838
.text:00004104 var_834 = -0x834
.text:00004104 filename = -0x830
.text:00004104 var_82C = -0x82C
.text:00004104 var_828 = -0x828
.text:00004104 var_824 = -0x824
.text:00004104 var_820 = -0x820
.text:00004104 var_81C = -0x81C
.text:00004104 stream = -0x818
.text:00004104 var_814 = -0x814
.text:00004104 var_810 = -0x810
.text:00004104 s = -0x80C
.text:00004104 var_454 = -0x454
.text:00004104 var_7 = -7
.text:00004104
.text:00004104 PUSH {R4,R6,R7,LR}
.text:00004106 ADD R7, SP, #8
.text:00004108 LDR R4, =0xFFFFF7B8
.text:0000410A ADD SP, R4
.text:0000410C ADD R0, SP, #0x850+var_824
.text:0000410E LDR R1, =(__stack_chk_guard_ptr - 0x4114)
.text:00004110 ADD R1, PC ; __stack_chk_guard_ptr
.text:00004112 LDR R1, [R1] ; __stack_chk_guard
.text:00004114 LDR R1, [R1]
.text:00004116 STR R1, [R0]
.text:00004118 MOVS R1, #0x400
.text:0000411C STR R1, [SP,#0x850+var_810]
.text:0000411E STR R0, [SP,#0x850+var_828]
.text:00004120 BL j_j_getpid
.text:00004124 STR R0, [SP,#0x850+var_814]
.text:00004126 LDR R2, [SP,#0x850+var_814]
.text:00004128 LDR R0, =(aProcDStatus - 0x412E)
.text:0000412A ADD R0, PC ; "proc/%d/status"
.text:0000412C ADD R1, SP, #0x850+var_454
.text:0000412E ADDS R1, #0x48
.text:00004130 STR R0, [SP,#0x850+var_82C]
.text:00004132 PUSH {R1}
.text:00004134 POP {R0}
.text:00004136 LDR R3, [SP,#0x850+var_82C]
.text:00004138 STR R1, [SP,#0x850+filename]
.text:0000413A PUSH {R3}
.text:0000413C POP {R1}
.text:0000413E BL j_j_sprintf
.text:00004142 LDR R1, =(aR - 0x4148)
.text:00004144 ADD R1, PC ; "r"
.text:00004146 LDR R2, [SP,#0x850+filename]
.text:00004148 STR R0, [SP,#0x850+var_834]
.text:0000414A MOVS R0, R2 ; filename
.text:0000414C BL j_j_fopen
.text:00004150 STR R0, [SP,#0x850+stream]
.text:00004152 LDR R0, [SP,#0x850+stream]
.text:00004154 CMP R0, #0
.text:00004156 BEQ loc_4200
.text:00004158 B loc_415A
.text:0000415A ; ---------------------------------------------------------------------------
.text:0000415A
.text:0000415A loc_415A ; CODE XREF: anti_debug02(void)+54j
.text:0000415A B loc_415C
.text:0000415C ; ---------------------------------------------------------------------------
.text:0000415C
.text:0000415C loc_415C ; CODE XREF: anti_debug02(void):loc_415Aj
.text:0000415C ; anti_debug02(void)+F8j
.text:0000415C LDR R2, [SP,#0x850+stream] ; stream
.text:0000415E MOVS R0, #1
.text:00004160 LSLS R1, R0, #0xA
.text:00004162 ADD R0, SP, #0x850+s ; s
.text:00004164 BL j_j_fgets
.text:00004168 CMP R0, #0
.text:0000416A BEQ loc_41FE
.text:0000416C B loc_416E
.text:0000416E ; ---------------------------------------------------------------------------
.text:0000416E
.text:0000416E loc_416E ; CODE XREF: anti_debug02(void)+68j
.text:0000416E LDR R0, =(aTracerpid - 0x4174)
.text:00004170 ADD R0, PC ; "TracerPid"
.text:00004172 ADD R1, SP, #0x850+s
.text:00004174 MOVS R2, #9 ; n
.text:00004176 STR R0, [SP,#0x850+s2]
.text:00004178 PUSH {R1}
.text:0000417A POP {R0}
.text:0000417C LDR R1, [SP,#0x850+s2] ; s2
.text:0000417E BL j_j_strncmp
.text:00004182 CMP R0, #0
.text:00004184 BNE loc_41D0
.text:00004186 B loc_4188
.text:00004188 ; ---------------------------------------------------------------------------
.text:00004188
.text:00004188 loc_4188 ; CODE XREF: anti_debug02(void)+82j
.text:00004188 ADD R0, SP, #0x850+s
.text:0000418A ADDS R0, #0xA ; nptr
.text:0000418C BL j_j_atoi
.text:00004190 STR R0, [SP,#0x850+var_81C]
.text:00004192 LDR R0, [SP,#0x850+var_81C]
.text:00004194 CMP R0, #0
.text:00004196 BEQ loc_41CE
.text:00004198 B loc_419A
.text:0000419A ; ---------------------------------------------------------------------------
.text:0000419A
.text:0000419A loc_419A ; CODE XREF: anti_debug02(void)+94j
.text:0000419A LDR R0, [SP,#0x850+stream] ; stream
.text:0000419C BL j_j_fclose
.text:000041A0 LDR R1, =(aTsl - 0x41A6)
.text:000041A2 ADD R1, PC ; "TSL"
.text:000041A4 LDR R2, =(aS - 0x41AA)
.text:000041A6 ADD R2, PC ; "%s"
.text:000041A8 LDR R3, =(aAntidebug02Run - 0x41AE)
.text:000041AA ADD R3, PC ; "antidebug02 run exit"
.text:000041AC MOVS R4, #3
.text:000041AE STR R0, [SP,#0x850+var_83C]
.text:000041B0 PUSH {R4}
.text:000041B2 POP {R0}
.text:000041B4 BL j_j___android_log_print
.text:000041B8 LDR R1, [SP,#0x850+var_814]
.text:000041BA MOVS R2, #9
.text:000041BC STR R0, [SP,#0x850+var_840]
.text:000041BE PUSH {R1}
.text:000041C0 POP {R0}
.text:000041C2 PUSH {R2}
.text:000041C4 POP {R1}
.text:000041C6 BL j_j_kill
.text:000041CA STR R0, [SP,#0x850+var_820]
.text:000041CC B loc_41CE
.text:000041CE ; ---------------------------------------------------------------------------
.text:000041CE
.text:000041CE loc_41CE ; CODE XREF: anti_debug02(void)+92j
.text:000041CE ; anti_debug02(void)+C8j
.text:000041CE B loc_41FE
.text:000041D0 ; ---------------------------------------------------------------------------
.text:000041D0
.text:000041D0 loc_41D0 ; CODE XREF: anti_debug02(void)+80j
.text:000041D0 LDR R0, =(aTsl - 0x41D6)
.text:000041D2 ADD R0, PC ; "TSL"
.text:000041D4 LDR R1, =(aS - 0x41DA)
.text:000041D6 ADD R1, PC ; "%s"
.text:000041D8 LDR R2, =(aNoAntidebug02R - 0x41DE)
.text:000041DA ADD R2, PC ; "no antidebug02 run"
.text:000041DC MOVS R3, #3
.text:000041DE STR R0, [SP,#0x850+var_844]
.text:000041E0 PUSH {R3}
.text:000041E2 POP {R0}
.text:000041E4 LDR R3, [SP,#0x850+var_844]
.text:000041E6 STR R1, [SP,#0x850+var_848]
.text:000041E8 PUSH {R3}
.text:000041EA POP {R1}
.text:000041EC LDR R4, [SP,#0x850+var_848]
.text:000041EE STR R2, [SP,#0x850+var_84C]
.text:000041F0 PUSH {R4}
.text:000041F2 POP {R2}
.text:000041F4 LDR R3, [SP,#0x850+var_84C]
.text:000041F6 BL j_j___android_log_print
.text:000041FA STR R0, [SP,#0x850+var_850]
.text:000041FC B loc_415C
.text:000041FE ; ---------------------------------------------------------------------------
.text:000041FE
.text:000041FE loc_41FE ; CODE XREF: anti_debug02(void)+66j
.text:000041FE ; anti_debug02(void):loc_41CEj
.text:000041FE B loc_4200
.text:00004200 ; ---------------------------------------------------------------------------
.text:00004200
.text:00004200 loc_4200 ; CODE XREF: anti_debug02(void)+52j
.text:00004200 ; anti_debug02(void):loc_41FEj
.text:00004200 LDR R0, =(__stack_chk_guard_ptr - 0x4206)
.text:00004202 ADD R0, PC ; __stack_chk_guard_ptr
.text:00004204 LDR R0, [R0] ; __stack_chk_guard
.text:00004206 LDR R0, [R0]
.text:00004208 LDR R1, [SP,#0x850+var_828]
.text:0000420A LDR R2, [R1]
.text:0000420C CMP R0, R2
.text:0000420E BNE loc_421A
.text:00004210 B loc_4212
.text:00004212 ; ---------------------------------------------------------------------------
.text:00004212
.text:00004212 loc_4212 ; CODE XREF: anti_debug02(void)+10Cj
.text:00004212 SUBS R4, R7, #-var_7
.text:00004214 SUBS R4, #1
.text:00004216 MOV SP, R4
.text:00004218 POP {R4,R6,R7,PC}
.text:0000421A ; ---------------------------------------------------------------------------
.text:0000421A
.text:0000421A loc_421A ; CODE XREF: anti_debug02(void)+10Aj
.text:0000421A BL j_j___stack_chk_fail
.text:0000421A ; End of function anti_debug02(void)
.text:0000421A
.text:0000421E ; ---------------------------------------------------------------------------
.text:0000421E NOP
.text:0000421E ; ---------------------------------------------------------------------------
.text:00004220 off_4220 DCD __stack_chk_guard_ptr - 0x4114
.text:00004220 ; DATA XREF: anti_debug02(void)+Ar
.text:00004224 off_4224 DCD aProcDStatus - 0x412E ; DATA XREF: anti_debug02(void)+24r
.text:00004224 ; "proc/%d/status"
.text:00004228 off_4228 DCD aR - 0x4148 ; DATA XREF: anti_debug02(void)+3Er
.text:00004228 ; "r"
.text:0000422C off_422C DCD aTracerpid - 0x4174 ; DATA XREF: anti_debug02(void):loc_416Er
.text:0000422C ; "TracerPid"
.text:00004230 off_4230 DCD aTsl - 0x41D6 ; DATA XREF: anti_debug02(void):loc_41D0r
.text:00004230 ; "TSL"
.text:00004234 off_4234 DCD aS - 0x41DA ; DATA XREF: anti_debug02(void)+D0r
.text:00004234 ; "%s"
.text:00004238 off_4238 DCD aNoAntidebug02R - 0x41DE
.text:00004238 ; DATA XREF: anti_debug02(void)+D4r
.text:00004238 ; "no antidebug02 run"
.text:0000423C off_423C DCD aTsl - 0x41A6 ; DATA XREF: anti_debug02(void)+9Cr
.text:0000423C ; "TSL"
.text:00004240 off_4240 DCD aS - 0x41AA ; DATA XREF: anti_debug02(void)+A0r
.text:00004240 ; "%s"
.text:00004244 off_4244 DCD aAntidebug02Run - 0x41AE
.text:00004244 ; DATA XREF: anti_debug02(void)+A4r
.text:00004244 ; "antidebug02 run exit"
.text:00004248 off_4248 DCD __stack_chk_guard_ptr - 0x4206
.text:00004248 ; DATA XREF: anti_debug02(void):loc_4200r
.text:0000424C dword_424C DCD 0xFFFFF7B8 ; DATA XREF: anti_debug02(void)+4r
.text:00004250
F5后的代码:
// Hex-Rays output for anti_debug02. v14 is the filename buffer, s the line buffer,
// v13 is &s[10] (sp+4Eh = sp+44h + 10), v6 the stack-canary copy.
int anti_debug02()
{
int v0; // r3@1
int result; // r0@8
int v2; // [sp+0h] [bp-850h]@0
int v3; // [sp+4h] [bp-84Ch]@0
int v4; // [sp+8h] [bp-848h]@0
int v5; // [sp+Ch] [bp-844h]@0
int v6; // [sp+2Ch] [bp-824h]@1
int v7; // [sp+30h] [bp-820h]@5
int v8; // [sp+34h] [bp-81Ch]@4
FILE *stream; // [sp+38h] [bp-818h]@1
int v10; // [sp+3Ch] [bp-814h]@1
int v11; // [sp+40h] [bp-810h]@1
char s; // [sp+44h] [bp-80Ch]@2
__int16 v13; // [sp+4Eh] [bp-802h]@4
int v14; // [sp+444h] [bp-40Ch]@1
v6 = _stack_chk_guard;
v11 = 1024; // bufsize; stored but only the literal 1024 is used below
v10 = j_j_getpid();
// Relative path (no leading '/'): only resolves when the cwd is "/".
j_j_sprintf((char *)&v14, "proc/%d/status", v10);
stream = j_j_fopen((const char *)&v14, "r");
if ( stream )
{
while ( j_j_fgets(&s, 1024, stream) )
{
if ( !j_j_strncmp(&s, "TracerPid", 9u) )
{
// &v13 == &line[10]: the value after "TracerPid:"
v8 = j_j_atoi((const char *)&v13);
if ( v8 )
{
// Only this branch closes the stream; the break below leaks it when TracerPid == 0.
j_j_fclose(stream);
// v2..v5 are decompiler artifacts of the register/stack shuffling, not real arguments.
j_j___android_log_print(3, "TSL", "%s", "antidebug02 run exit", v2, v3, v4, v5);
v7 = j_j_kill(v10, 9); // 9 == SIGKILL
}
break;
}
v5 = (int)"TSL";
v4 = (int)"%s";
v3 = (int)"no antidebug02 run";
v2 = j_j___android_log_print(3, "TSL", "%s", "no antidebug02 run");
}
}
// Stack-protector epilogue; the "return value" is just whatever is left in r0.
result = _stack_chk_guard;
if ( _stack_chk_guard != v6 )
j_j___stack_chk_fail(_stack_chk_guard, &v6, v6, v0, v2, v3, v4, v5);
return result;
}
程序代码
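// Method 2: read the TracerPid line of /proc/<pid>/status; a non-zero value
// means another process is tracing (debugging) us, so the process kills itself.
//
// Side effects: logs via LOGD; sends SIGKILL to the current process when a
// tracer is present. No return value.
void anti_debug02(void){
    enum { bufsize = 1024 };
    char filename[bufsize];
    char line[bufsize];
    // getpid() returns the id of the current process.
    int pid = getpid();
    // Absolute path: the original "proc/%d/status" was relative to the cwd and
    // only resolved when the cwd happened to be "/".
    snprintf(filename, sizeof filename, "/proc/%d/status", pid);
    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        return;
    }
    int traced = 0;
    while (fgets(line, bufsize, fp)) {
        if (strncmp(line, "TracerPid", 9) == 0) {
            // The value follows the ':' ("TracerPid:\t<n>"); locating the colon
            // instead of hard-coding index 10 avoids reading past a short line.
            const char *value = strchr(line, ':');
            traced = value != NULL && strtol(value + 1, NULL, 10) != 0;
            break;
        }
        LOGD("%s","no antidebug02 run");
    }
    // Close on every path; the original only closed when a tracer was found,
    // leaking the stream otherwise.
    fclose(fp);
    if (traced) {
        LOGD("%s","antidebug02 run exit");
        // kill() on our own pid with SIGKILL does not return on success, so its
        // result is deliberately not checked.
        kill(pid, SIGKILL);
    }
}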
0x04逆向分析方法三
.text:00004250 PUSH {R4,R6,R7,LR}
.text:00004252 ADD R7, SP, #8
.text:00004254 LDR R4, =0xFFFFF7D0
.text:00004256 ADD SP, R4
.text:00004258 ADD R0, SP, #0x838+var_820
.text:0000425A LDR R1, =(__stack_chk_guard_ptr - 0x4260)
.text:0000425C ADD R1, PC ; __stack_chk_guard_ptr
.text:0000425E LDR R1, [R1] ; __stack_chk_guard
.text:00004260 LDR R1, [R1]
.text:00004262 STR R1, [R0]
.text:00004264 MOVS R1, #0x400
.text:00004268 STR R1, [SP,#0x838+var_810]
.text:0000426A STR R0, [SP,#0x838+var_824]
.text:0000426C BL j_j_getpid
.text:00004270 STR R0, [SP,#0x838+pid]
.text:00004272 LDR R0, =(aProcNetTcp - 0x4278)
.text:00004274 ADD R0, PC ; "proc/net/tcp"
.text:00004276 ADD R1, SP, #0x838+var_43C
.text:00004278 ADDS R1, #0x30
.text:0000427A STR R0, [SP,#0x838+var_828]
.text:0000427C PUSH {R1}
.text:0000427E POP {R0}
.text:00004280 LDR R2, [SP,#0x838+var_828]
.text:00004282 STR R1, [SP,#0x838+filename]
.text:00004284 PUSH {R2}
.text:00004286 POP {R1}
.text:00004288 BL j_j_sprintf
.text:0000428C LDR R1, =(aR - 0x4292)
.text:0000428E ADD R1, PC ; "r"
.text:00004290 LDR R2, [SP,#0x838+filename]
.text:00004292 STR R0, [SP,#0x838+var_830]
.text:00004294 MOVS R0, R2 ; filename
.text:00004296 BL j_j_fopen
.text:0000429A STR R0, [SP,#0x838+stream]
.text:0000429C LDR R0, [SP,#0x838+stream]
.text:0000429E CMP R0, #0
.text:000042A0 BEQ loc_42E2
.text:000042A2 B loc_42A4
.text:000042A4 ; ---------------------------------------------------------------------------
.text:000042A4
.text:000042A4 loc_42A4 ; CODE XREF: anti_debug03(void)+52j
.text:000042A4 B loc_42A6
.text:000042A6 ; ---------------------------------------------------------------------------
.text:000042A6
.text:000042A6 loc_42A6 ; CODE XREF: anti_debug03(void):loc_42A4j
.text:000042A6 ; anti_debug03(void):loc_42DEj
.text:000042A6 LDR R2, [SP,#0x838+stream] ; stream
.text:000042A8 MOVS R0, #1
.text:000042AA LSLS R1, R0, #0xA
.text:000042AC ADD R0, SP, #0x838+s ; s
.text:000042AE BL j_j_fgets
.text:000042B2 CMP R0, #0
.text:000042B4 BEQ loc_42E0
.text:000042B6 B loc_42B8
.text:000042B8 ; ---------------------------------------------------------------------------
.text:000042B8
.text:000042B8 loc_42B8 ; CODE XREF: anti_debug03(void)+66j
.text:000042B8 LDR R0, =(a5d8a - 0x42BE)
.text:000042BA ADD R0, PC ; "5D8A"
.text:000042BC ADD R1, SP, #0x838+s
.text:000042BE MOVS R2, #4 ; n
.text:000042C0 STR R0, [SP,#0x838+s2]
.text:000042C2 PUSH {R1}
.text:000042C4 POP {R0}
.text:000042C6 LDR R1, [SP,#0x838+s2] ; s2
.text:000042C8 BL j_j_strncmp
.text:000042CC CMP R0, #0
.text:000042CE BNE loc_42DE
.text:000042D0 B loc_42D2
.text:000042D2 ; ---------------------------------------------------------------------------
.text:000042D2
.text:000042D2 loc_42D2 ; CODE XREF: anti_debug03(void)+80j
.text:000042D2 LDR R0, [SP,#0x838+pid] ; pid
.text:000042D4 MOVS R1, #9 ; sig
.text:000042D6 BL j_j_kill
.text:000042DA STR R0, [SP,#0x838+var_81C]
.text:000042DC B loc_42DE
.text:000042DE ; ---------------------------------------------------------------------------
.text:000042DE
.text:000042DE loc_42DE ; CODE XREF: anti_debug03(void)+7Ej
.text:000042DE ; anti_debug03(void)+8Cj
.text:000042DE B loc_42A6
.text:000042E0 ; ---------------------------------------------------------------------------
.text:000042E0
.text:000042E0 loc_42E0 ; CODE XREF: anti_debug03(void)+64j
.text:000042E0 B loc_42E2
.text:000042E2 ; ---------------------------------------------------------------------------
.text:000042E2
.text:000042E2 loc_42E2 ; CODE XREF: anti_debug03(void)+50j
.text:000042E2 ; anti_debug03(void):loc_42E0j
.text:000042E2 LDR R0, [SP,#0x838+stream] ; stream
.text:000042E4 BL j_j_fclose
.text:000042E8 LDR R1, =(__stack_chk_guard_ptr - 0x42EE)
.text:000042EA ADD R1, PC ; __stack_chk_guard_ptr
.text:000042EC LDR R1, [R1] ; __stack_chk_guard
.text:000042EE LDR R1, [R1]
.text:000042F0 LDR R2, [SP,#0x838+var_824]
.text:000042F2 LDR R3, [R2]
.text:000042F4 CMP R1, R3
.text:000042F6 STR R0, [SP,#0x838+var_838]
.text:000042F8 BNE loc_4304
.text:000042FA B loc_42FC
.text:000042FC ; ---------------------------------------------------------------------------
.text:000042FC
.text:000042FC loc_42FC ; CODE XREF: anti_debug03(void)+AAj
.text:000042FC SUBS R4, R7, #-var_7
.text:000042FE SUBS R4, #1
.text:00004300 MOV SP, R4
.text:00004302 POP {R4,R6,R7,PC}
.text:00004304 ; ---------------------------------------------------------------------------
.text:00004304
.text:00004304 loc_4304 ; CODE XREF: anti_debug03(void)+A8j
.text:00004304 BL j_j___stack_chk_fail
.text:00004304 ; End of function anti_debug03(void)
.text:00004304
.text:00004304 ; ---------------------------------------------------------------------------
.text:00004308 off_4308 DCD __stack_chk_guard_ptr - 0x4260
.text:00004308 ; DATA XREF: anti_debug03(void)+Ar
.text:0000430C off_430C DCD aProcNetTcp - 0x4278 ; DATA XREF: anti_debug03(void)+22r
.text:0000430C ; "proc/net/tcp"
.text:00004310 off_4310 DCD aR - 0x4292 ; DATA XREF: anti_debug03(void)+3Cr
.text:00004310 ; "r"
.text:00004314 off_4314 DCD __stack_chk_guard_ptr - 0x42EE
.text:00004314 ; DATA XREF: anti_debug03(void)+98r
.text:00004318 off_4318 DCD a5d8a - 0x42BE ; DATA XREF: anti_debug03(void):loc_42B8r
.text:00004318 ; "5D8A"
.text:0000431C dword_431C DCD 0xFFFFF7D0 ; DATA XREF: anti_debug03(void)+4r
.text:00004320
.text:00004320 ; =============== S U B R O U T I N E =======================================
.text:00004320
.text:00004320
.text:00004320 EXPORT __cxa_get_exception_ptr
.text:00004320 __cxa_get_exception_ptr
.text:00004320 LDR R0, [R0,#0x24]
.text:00004322 BX LR
.text:00004322 ; End of function __cxa_get_exception_ptr
.text:00004322
.text:00004324
.text:00004324 ; =============== S U B R O U T I N E =======================================
.text:00004324
.text:00004324
.text:00004324 EXPORT __cxa_begin_catch
.text:00004324 __cxa_begin_catch ; CODE XREF: j___cxa_begin_catch+8j
.text:00004324 ; DATA XREF: .got:__cxa_begin_catch_ptro
.text:00004324 PUSH {R3-R5,LR}
.text:00004326 MOVS R4, R0
.text:00004328 BL j_j_j___cxa_get_globals
.text:0000432C LDRB R1, [R4]
.text:0000432E MOVS R3, R4
.text:00004330 SUBS R3, #0x20
.text:00004332 LDR R2, [R0]
.text:00004334 CMP R1, #0x47
.text:00004336 BEQ loc_4344
.text:00004338
.text:00004338 loc_4338 ; CODE XREF: __cxa_begin_catch+24j
.text:00004338 ; __cxa_begin_catch+2Aj ...
.text:00004338 CMP R2, #0
.text:0000433A BNE loc_4396
.text:0000433C MOVS R5, #0
.text:0000433E STR R3, [R0]
.text:00004340
.text:00004340 loc_4340 ; CODE XREF: __cxa_begin_catch+6Aj
.text:00004340 MOVS R0, R5
.text:00004342 POP {R3-R5,PC}
.text:00004344 ; ---------------------------------------------------------------------------
.text:00004344
.text:00004344 loc_4344 ; CODE XREF: __cxa_begin_catch+12j
.text:00004344 LDRB R1, [R4,#1]
.text:00004346 CMP R1, #0x4E
.text:00004348 BNE loc_4338
.text:0000434A LDRB R1, [R4,#2]
.text:0000434C CMP R1, #0x55
.text:0000434E BNE loc_4338
.text:00004350 LDRB R1, [R4,#3]
.text:00004352 CMP R1, #0x43
.text:00004354 BNE loc_4338
.text:00004356 LDRB R1, [R4,#4]
.text:00004358 CMP R1, #0x43
.text:0000435A BNE loc_4338
.text:0000435C LDRB R1, [R4,#5]
.text:0000435E CMP R1, #0x2B
.text:00004360 BNE loc_4338
.text:00004362 LDRB R1, [R4,#6]
.text:00004364 CMP R1, #0x2B
.text:00004366 BNE loc_4338
.text:00004368 LDRB R1, [R4,#7]
.text:0000436A CMP R1, #1
.text:0000436C BHI loc_4338
.text:0000436E LDR R1, [R3,#0x14]
.text:00004370 CMP R1, #0
.text:00004372 BLT loc_4390
.text:00004374 ADDS R1, #1
.text:00004376
.text:00004376 loc_4376 ; CODE XREF: __cxa_begin_catch+70j
.text:00004376 STR R1, [R3,#0x14]
.text:00004378 LDR R1, [R0,#4]
.text:0000437A SUBS R1, #1
.text:0000437C STR R1, [R0,#4]
.text:0000437E CMP R2, R3
.text:00004380 BEQ loc_4386
.text:00004382 STR R2, [R3,#0x10]
.text:00004384 STR R3, [R0]
.text:00004386
.text:00004386 loc_4386 ; CODE XREF: __cxa_begin_catch+5Cj
.text:00004386 MOVS R0, R4
.text:00004388 LDR R5, [R4,#0x24]
.text:0000438A BL nullsub_5
.text:0000438E B loc_4340
.text:00004390 ; ---------------------------------------------------------------------------
.text:00004390
.text:00004390 loc_4390 ; CODE XREF: __cxa_begin_catch+4Ej
.text:00004390 MOVS R5, #1
.text:00004392 SUBS R1, R5, R1
.text:00004394 B loc_4376
.text:00004396 ; ---------------------------------------------------------------------------
.text:00004396
.text:00004396 loc_4396 ; CODE XREF: __cxa_begin_catch+16j
.text:00004396 BL j_j_j__ZSt9terminatev
.text:0000439A ; ---------------------------------------------------------------------------
.text:0000439A ADDS R3, R1, #1
.text:0000439C BEQ loc_43A2
.text:0000439E BL j_j_j___cxa_end_cleanup
.text:000043A2 ; ---------------------------------------------------------------------------
.text:000043A2
.text:000043A2 loc_43A2 ; CODE XREF: __cxa_begin_catch+78j
.text:000043A2 BL j_j_j___cxa_call_unexpected
.text:000043A6 ; ---------------------------------------------------------------------------
.text:000043A6 NOP
.text:000043A6 ; End of function __cxa_begin_catch
.text:000043A6
.text:000043A8
.text:000043A8 ; =============== S U B R O U T I N E =======================================
.text:000043A8
.text:000043A8
.text:000043A8 EXPORT __cxa_end_catch
.text:000043A8 __cxa_end_catch ; CODE XREF: j___cxa_end_catch+8j
.text:000043A8 ; DATA XREF: .got:__cxa_end_catch_ptro
.text:000043A8 PUSH {R3,LR}
.text:000043AA BL j_j_j___cxa_get_globals_fast
.text:000043AE LDR R3, [R0]
.text:000043B0 CMP R3, #0
.text:000043B2 BEQ locret_43C8
.text:000043B4 MOVS R2, #0x20
.text:000043B6 LDRB R2, [R3,R2]
.text:000043B8 CMP R2, #0x47
.text:000043BA BEQ loc_43CA
.text:000043BC
.text:000043BC loc_43BC ; CODE XREF: __cxa_end_catch+28j
.text:000043BC ; __cxa_end_catch+30j ...
.text:000043BC MOVS R2, #0
.text:000043BE ADDS R3, #0x20
.text:000043C0 STR R2, [R0]
.text:000043C2 MOVS R0, R3
.text:000043C4 BL sub_14D0A
.text:000043C8
.text:000043C8 locret_43C8 ; CODE XREF: __cxa_end_catch+Aj
.text:000043C8 ; __cxa_end_catch+6Cj ...
.text:000043C8 POP {R3,PC}
.text:000043CA ; ---------------------------------------------------------------------------
.text:000043CA
.text:000043CA loc_43CA ; CODE XREF: __cxa_end_catch+12j
.text:000043CA MOVS R2, #0x21
.text:000043CC LDRB R2, [R3,R2]
.text:000043CE CMP R2, #0x4E
.text:000043D0 BNE loc_43BC
.text:000043D2 MOVS R2, #0x22
.text:000043D4 LDRB R2, [R3,R2]
.text:000043D6 CMP R2, #0x55
.text:000043D8 BNE loc_43BC
.text:000043DA MOVS R2, #0x23
.text:000043DC LDRB R2, [R3,R2]
.text:000043DE CMP R2, #0x43
.text:000043E0 BNE loc_43BC
.text:000043E2 MOVS R2, #0x24
.text:000043E4 LDRB R2, [R3,R2]
.text:000043E6 CMP R2, #0x43
.text:000043E8 BNE loc_43BC
.text:000043EA MOVS R2, #0x25
.text:000043EC LDRB R2, [R3,R2]
.text:000043EE CMP R2, #0x2B
.text:000043F0 BNE loc_43BC
.text:000043F2 MOVS R2, #0x26
.text:000043F4 LDRB R2, [R3,R2]
.text:000043F6 CMP R2, #0x2B
.text:000043F8 BNE loc_43BC
.text:000043FA MOVS R2, #0x27
.text:000043FC LDRB R2, [R3,R2]
.text:000043FE CMP R2, #1
.text:00004400 BHI loc_43BC
.text:00004402 LDR R2, [R3,#0x14]
.text:00004404 CMP R2, #0
.text:00004406 BLT loc_441A
.text:00004408 SUBS R2, #1
.text:0000440A CMP R2, #0
.text:0000440C BEQ loc_4428
.text:0000440E ADDS R1, R2, #1
.text:00004410 BEQ loc_4416
.text:00004412
.text:00004412 loc_4412 ; CODE XREF: __cxa_end_catch+76j
.text:00004412 STR R2, [R3,#0x14]
.text:00004414 B locret_43C8
.text:00004416 ; ---------------------------------------------------------------------------
.text:00004416
.text:00004416 loc_4416 ; CODE XREF: __cxa_end_catch+68j
.text:00004416 BL j_j_j__ZSt9terminatev
.text:0000441A ; ---------------------------------------------------------------------------
.text:0000441A
.text:0000441A loc_441A ; CODE XREF: __cxa_end_catch+5Ej
.text:0000441A ADDS R2, #1
.text:0000441C CMP R2, #0
.text:0000441E BNE loc_4412
.text:00004420 LDR R1, [R3,#0x10]
.text:00004422 STR R1, [R0]
.text:00004424 STR R2, [R3,#0x14]
.text:00004426 B locret_43C8
.text:00004428 ; ---------------------------------------------------------------------------
.text:00004428
.text:00004428 loc_4428 ; CODE XREF: __cxa_end_catch+64j
.text:00004428 LDR R2, [R3,#0x10]
.text:0000442A ADDS R3, #0x20
.text:0000442C STR R2, [R0]
.text:0000442E MOVS R0, R3
.text:00004430 BL sub_14D0A
.text:00004434 B locret_43C8
.text:00004434 ; End of function __cxa_end_catch
.text:00004434
.text:00004434 ; --------------------------------------------------------
F5后的代码
// Hex-Rays output for anti_debug03. v9 is the filename buffer, s the line buffer,
// v3 the stack-canary copy.
int anti_debug03(void)
{
int result; // r0@6
char *s2; // [sp+4h] [bp-834h]@0
int v2; // [sp+8h] [bp-830h]@1
int v3; // [sp+18h] [bp-820h]@1
int v4; // [sp+1Ch] [bp-81Ch]@4
FILE *stream; // [sp+20h] [bp-818h]@1
__pid_t pid; // [sp+24h] [bp-814h]@1
int v7; // [sp+28h] [bp-810h]@1
char s; // [sp+2Ch] [bp-80Ch]@2
int v9; // [sp+42Ch] [bp-40Ch]@1
v3 = _stack_chk_guard;
v7 = 1024; // bufsize; stored but only the literal 1024 is used below
pid = j_j_getpid();
// Relative path (no leading '/'), and a constant string copied through sprintf.
v2 = j_j_sprintf((char *)&v9, "proc/net/tcp");
stream = j_j_fopen((const char *)&v9, "r");
if ( stream )
{
while ( j_j_fgets(&s, 1024, stream) )
{
s2 = "5D8A";
// Compares the first four characters of each line with "5D8A".
if ( !j_j_strncmp(&s, "5D8A", 4u) )
v4 = j_j_kill(pid, 9); // 9 == SIGKILL; no break, but the process is gone on success
}
}
// Unconditional: when fopen failed this is fclose(NULL).
result = j_j_fclose(stream);
// Stack-protector epilogue; the trailing arguments are decompiler artifacts.
if ( _stack_chk_guard != v3 )
j_j___stack_chk_fail(result, _stack_chk_guard, &v3, v3, result, s2, v2, &v9);
return result;
}
程序代码
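// Method 3: scan /proc/net/tcp for a socket on port 0x5D8A (the port the demo
// treats as "commonly used" by a debug server) and kill the process if one
// is found.
//
// Side effects: sends SIGKILL to the current process on a match. No return value.
void anti_debug03(void){
    enum { bufsize = 1024 };
    char line[bufsize];
    int pid = getpid();
    // Absolute path; the original "proc/net/tcp" was relative to the cwd, and
    // copying a constant string through sprintf() into a buffer was unnecessary.
    FILE *fp = fopen("/proc/net/tcp", "r");
    if (fp == NULL) {
        // The original fell through to fclose(NULL) here, which is undefined behaviour.
        return;
    }
    int found = 0;
    while (fgets(line, bufsize, fp)) {
        // Entries look like "   0: <addr>:<port> <addr>:<port> ..." with the
        // port as a 4-digit hex suffix of an address field. The original
        // strncmp(line, "5D8A", 4) compared against the space-padded line
        // start and therefore never matched; search for the ":5D8A" field
        // instead (matches either the local or the remote port).
        if (strstr(line, ":5D8A") != NULL) {
            found = 1;
            break;
        }
    }
    fclose(fp);
    if (found) {
        // kill() on our own pid with SIGKILL does not return on success.
        kill(pid, SIGKILL);
    }
}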
0x05逆向分析方法四
.text:00003F4C PUSH {R4-R7,LR}
.text:00003F4E ADD R7, SP, #0xC
.text:00003F50 SUB SP, SP, #0x5C
.text:00003F52 LDR R0, =(aDataLocalTmp - 0x3F58)
.text:00003F54 ADD R0, PC ; "/data/local/tmp"
.text:00003F56 STR R0, [SP,#0x68+name]
.text:00003F58 LDR R0, =(aTsl - 0x3F5E)
.text:00003F5A ADD R0, PC ; "TSL"
.text:00003F5C LDR R1, =(aS - 0x3F62)
.text:00003F5E ADD R1, PC ; "%s"
.text:00003F60 LDR R2, =(aReadDir - 0x3F66)
.text:00003F62 ADD R2, PC ; "read dir"
.text:00003F64 MOVS R3, #3
.text:00003F66 STR R0, [SP,#0x68+var_1C]
.text:00003F68 PUSH {R3}
.text:00003F6A POP {R0}
.text:00003F6C LDR R4, [SP,#0x68+var_1C]
.text:00003F6E STR R1, [SP,#0x68+var_20]
.text:00003F70 PUSH {R4}
.text:00003F72 POP {R1}
.text:00003F74 LDR R5, [SP,#0x68+var_20]
.text:00003F76 STR R2, [SP,#0x68+var_24]
.text:00003F78 PUSH {R5}
.text:00003F7A POP {R2}
.text:00003F7C LDR R6, [SP,#0x68+var_24]
.text:00003F7E STR R3, [SP,#0x68+var_28]
.text:00003F80 MOVS R3, R6
.text:00003F82 BL j_j___android_log_print
.text:00003F86 LDR R1, [SP,#0x68+name]
.text:00003F88 STR R0, [SP,#0x68+var_2C]
.text:00003F8A MOVS R0, R1 ; name
.text:00003F8C BL j_j_opendir
.text:00003F90 STR R0, [SP,#0x68+dirp]
.text:00003F92 LDR R0, =(aReadDirFinsh - 0x3F98)
.text:00003F94 ADD R0, PC ; "read dir finsh"
.text:00003F96 LDR R1, [SP,#0x68+var_28]
.text:00003F98 STR R0, [SP,#0x68+var_30]
.text:00003F9A MOVS R0, R1
.text:00003F9C LDR R1, [SP,#0x68+var_1C]
.text:00003F9E LDR R2, [SP,#0x68+var_20]
.text:00003FA0 LDR R3, [SP,#0x68+var_30]
.text:00003FA2 BL j_j___android_log_print
.text:00003FA6 LDR R1, [SP,#0x68+dirp]
.text:00003FA8 CMP R1, #0
.text:00003FAA STR R0, [SP,#0x68+var_34]
.text:00003FAC BEQ loc_4020
.text:00003FAE B loc_3FB0
.text:00003FB0 ; ---------------------------------------------------------------------------
.text:00003FB0
.text:00003FB0 loc_3FB0 ; CODE XREF: anti_debug04(void)+62j
.text:00003FB0 B loc_3FB2
.text:00003FB2 ; ---------------------------------------------------------------------------
.text:00003FB2
.text:00003FB2 loc_3FB2 ; CODE XREF: anti_debug04(void):loc_3FB0j
.text:00003FB2 ; anti_debug04(void):loc_4014j
.text:00003FB2 LDR R0, [SP,#0x68+dirp] ; dirp
.text:00003FB4 BL j_j_readdir
.text:00003FB8 STR R0, [SP,#0x68+var_18]
.text:00003FBA CMP R0, #0
.text:00003FBC BEQ loc_4016
.text:00003FBE B loc_3FC0
.text:00003FC0 ; ---------------------------------------------------------------------------
.text:00003FC0
.text:00003FC0 loc_3FC0 ; CODE XREF: anti_debug04(void)+72j
.text:00003FC0 LDR R0, [SP,#0x68+var_18]
.text:00003FC2 ADDS R0, #0x13 ; s1
.text:00003FC4 LDR R1, =(aAndroid_server - 0x3FCA)
.text:00003FC6 ADD R1, PC ; "android_server"
.text:00003FC8 MOVS R2, #0xE ; n
.text:00003FCA BL j_j_strncmp
.text:00003FCE CMP R0, #0
.text:00003FD0 BNE loc_4014
.text:00003FD2 B loc_3FD4
.text:00003FD4 ; ---------------------------------------------------------------------------
.text:00003FD4
.text:00003FD4 loc_3FD4 ; CODE XREF: anti_debug04(void)+86j
.text:00003FD4 LDR R0, [SP,#0x68+var_18]
.text:00003FD6 ADDS R0, #0x13
.text:00003FD8 LDR R1, =(aTsl - 0x3FDE)
.text:00003FDA ADD R1, PC ; "TSL"
.text:00003FDC LDR R2, =(aS - 0x3FE2)
.text:00003FDE ADD R2, PC ; "%s"
.text:00003FE0 MOVS R3, #3
.text:00003FE2 STR R0, [SP,#0x68+var_38]
.text:00003FE4 PUSH {R3}
.text:00003FE6 POP {R0}
.text:00003FE8 STR R1, [SP,#0x68+var_3C]
.text:00003FEA STR R2, [SP,#0x68+var_40]
.text:00003FEC LDR R4, [SP,#0x68+var_38]
.text:00003FEE STR R3, [SP,#0x68+var_44]
.text:00003FF0 PUSH {R4}
.text:00003FF2 POP {R3}
.text:00003FF4 BL j_j___android_log_print
.text:00003FF8 LDR R1, =(aAntidebug04Run - 0x3FFE)
.text:00003FFA ADD R1, PC ; "antidebug04 run android_server exit th"...
.text:00003FFC LDR R2, [SP,#0x68+var_44]
.text:00003FFE STR R0, [SP,#0x68+var_48]
.text:00004000 MOVS R0, R2
.text:00004002 LDR R3, [SP,#0x68+var_3C]
.text:00004004 STR R1, [SP,#0x68+var_4C]
.text:00004006 MOVS R1, R3
.text:00004008 LDR R2, [SP,#0x68+var_40]
.text:0000400A LDR R3, [SP,#0x68+var_4C]
.text:0000400C BL j_j___android_log_print
.text:00004010 STR R0, [SP,#0x68+var_50]
.text:00004012 B loc_4014
.text:00004014 ; ---------------------------------------------------------------------------
.text:00004014
.text:00004014 loc_4014 ; CODE XREF: anti_debug04(void)+84j
.text:00004014 ; anti_debug04(void)+C6j
.text:00004014 B loc_3FB2
.text:00004016 ; ---------------------------------------------------------------------------
.text:00004016
.text:00004016 loc_4016 ; CODE XREF: anti_debug04(void)+70j
.text:00004016 LDR R0, [SP,#0x68+dirp] ; dirp
.text:00004018 BL j_j_closedir
.text:0000401C STR R0, [SP,#0x68+var_54]
.text:0000401E B loc_404E
.text:00004020 ; ---------------------------------------------------------------------------
.text:00004020
.text:00004020 loc_4020 ; CODE XREF: anti_debug04(void)+60j
.text:00004020 LDR R0, =(aTsl - 0x4026)
.text:00004022 ADD R0, PC ; "TSL"
.text:00004024 LDR R1, =(aS - 0x402A)
.text:00004026 ADD R1, PC ; "%s"
.text:00004028 LDR R2, =(aDirNotAccess - 0x402E)
.text:0000402A ADD R2, PC ; "dir not access"
.text:0000402C MOVS R3, #3
.text:0000402E STR R0, [SP,#0x68+var_58]
.text:00004030 PUSH {R3}
.text:00004032 POP {R0}
.text:00004034 LDR R3, [SP,#0x68+var_58]
.text:00004036 STR R1, [SP,#0x68+var_5C]
.text:00004038 PUSH {R3}
.text:0000403A POP {R1}
.text:0000403C LDR R4, [SP,#0x68+var_5C]
.text:0000403E STR R2, [SP,#0x68+var_60]
.text:00004040 PUSH {R4}
.text:00004042 POP {R2}
.text:00004044 LDR R3, [SP,#0x68+var_60]
.text:00004046 BL j_j___android_log_print
.text:0000404A STR R0, [SP,#0x68+var_64]
.text:0000404C B loc_404E
.text:0000404E ; ---------------------------------------------------------------------------
.text:0000404E
.text:0000404E loc_404E ; CODE XREF: anti_debug04(void)+D2j
.text:0000404E ; anti_debug04(void)+100j
.text:0000404E ADD SP, SP, #0x5C
.text:00004050 POP {R4-R7,PC}
.text:00004050 ; End of function anti_debug04(void)
.text:00004050
.text:00004050 ; ---------------------------------------------------------------------------
.text:00004052 ALIGN 4
.text:00004054 off_4054 DCD aDataLocalTmp - 0x3F58 ; DATA XREF: anti_debug04(void)+6r
.text:00004054 ; "/data/local/tmp"
.text:00004058 off_4058 DCD aTsl - 0x3F5E ; DATA XREF: anti_debug04(void)+Cr
.text:00004058 ; "TSL"
.text:0000405C off_405C DCD aS - 0x3F62 ; DATA XREF: anti_debug04(void)+10r
.text:0000405C ; "%s"
.text:00004060 off_4060 DCD aReadDir - 0x3F66 ; DATA XREF: anti_debug04(void)+14r
.text:00004060 ; "read dir"
.text:00004064 off_4064 DCD aReadDirFinsh - 0x3F98
.text:00004064 ; DATA XREF: anti_debug04(void)+46r
.text:00004064 ; "read dir finsh"
.text:00004068 off_4068 DCD aTsl - 0x4026 ; DATA XREF: anti_debug04(void):loc_4020r
.text:00004068 ; "TSL"
.text:0000406C off_406C DCD aS - 0x402A ; DATA XREF: anti_debug04(void)+D8r
.text:0000406C ; "%s"
.text:00004070 off_4070 DCD aDirNotAccess - 0x402E
.text:00004070 ; DATA XREF: anti_debug04(void)+DCr
.text:00004070 ; "dir not access"
.text:00004074 off_4074 DCD aAndroid_server - 0x3FCA
.text:00004074 ; DATA XREF: anti_debug04(void)+78r
.text:00004074 ; "android_server"
.text:00004078 off_4078 DCD aTsl - 0x3FDE ; DATA XREF: anti_debug04(void)+8Cr
.text:00004078 ; "TSL"
.text:0000407C off_407C DCD aS - 0x3FE2 ; DATA XREF: anti_debug04(void)+90r
.text:0000407C ; "%s"
.text:00004080 off_4080 DCD aAntidebug04Run - 0x3FFE
.text:00004080 ; DATA XREF: anti_debug04(void)+ACr
.text:00004080 ; "antidebug04 run android_server exit th"...
// Hex-Rays output for anti_debug04.
int anti_debug04(void)
{
int result; // r0@6
struct dirent *v1; // [sp+50h] [bp-18h]@2
DIR *dirp; // [sp+54h] [bp-14h]@1
j_j___android_log_print(3, "TSL", "%s", "read dir");
dirp = j_j_opendir("/data/local/tmp");
j_j___android_log_print(3, "TSL", "%s", "read dir finsh");
if ( dirp )
{
while ( 1 )
{
v1 = j_j_readdir(dirp);
if ( !v1 )
break;
// The listing adds 0x13 to the entry pointer. That is d_name's offset in the
// target's struct dirent; IDA's own dirent definition presumably places d_name
// earlier, which is why this is rendered as &d_name[8] instead of d_name.
if ( !j_j_strncmp(&v1->d_name[8], "android_server", 0xEu) )
{
j_j___android_log_print(3, "TSL", "%s", &v1->d_name[8]);
// Only logs; nothing exits or kills the process on this path.
j_j___android_log_print(3, "TSL", "%s", "antidebug04 run android_server exit the programe exit");
}
}
result = j_j_closedir(dirp);
}
else
{
result = j_j___android_log_print(3, "TSL", "%s", "dir not access");
}
return result;
}
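// Method 4: check whether a file whose name starts with "android_server" exists
// in /data/local/tmp and treat that as a sign of an attached debugger. The
// directory must be readable by this process for the check to work.
//
// Side effects: logs via LOGD only; nothing is killed or exited, regardless of
// the message text. No return value.
void anti_debug04(void){
    const char *rootPath = "/data/local/tmp";
    LOGD("%s","read dir");
    DIR *dir = opendir(rootPath);
    LOGD("%s","read dir finsh");
    if (dir == NULL) {
        LOGD("%s","dir not access");
        return;
    }
    // "struct" keyword added: the original "dirent *" only compiles as C++.
    struct dirent *currentDir;
    // readdir() returns one entry per call, like an iterator's next(), and
    // NULL when the directory is exhausted. d_name is the entry's file name.
    while ((currentDir = readdir(dir)) != NULL) {
        // 14 == strlen("android_server"): a prefix match, so any name that
        // starts with "android_server" counts.
        if (strncmp(currentDir->d_name,"android_server",14) == 0) {
            LOGD("%s",currentDir->d_name);
            LOGD("%s","antidebug04 run android_server exit the programe exit");
        }
    }
    // Must be closed, otherwise the directory handle leaks.
    closedir(dir);
}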