\n

解释: x0=unidbg@0xbffff530 和 x1=RW@0x40593000的区别？
unidbg@0xbffff530 表示该寄存器的值是一个指向内存地址的指针，需要读取内存中的内容拿到该指针指向的内存地址(小端序) -> 0x40453190
0xbffff530 是一个十六进制表示的内存地址，可能是一个函数调用栈中的某个位置，或者是一个特定的内存区域。

\n

故 m0x40453190拿到指针指向的内容

\n

\n
-----------------------------------------------------------------------------<
[14:29:03 639]RW@0x40453190, md5=3df7798f10b205454d00aa228ccb2704, hex=18581040000000000100000001000000530000005300000060e04540000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
size: 112
0000: 18 58 10 40 00 {00 00 00 01 00 00 00 01 00 00 00 .X.@............
0010: 53 00 00 00 53} 00 00 00 60 E0 45 40 00 00 00 00 S...S...`.E@....
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
^-----------------------------------------------------------------------------^
这里就是前十六字节具体的来源了，大括号括起来的就是前十六字节，需要通过trace(0x40453196, 0x40453196 + 16)查看一下具体咋生成的
[14:38:38 180] Memory WRITE at 0x40453198, data size = 4, data value = 0x00000001, PC=RX@0x400492f0[libshield.so]0x492f0, LR=RX@0x400492ec[libshield.so]0x492ec
[14:38:38 181] Memory WRITE at 0x4045319c, data size = 4, data value = 0x00000001, PC=RX@0x400492f0[libshield.so]0x492f0, LR=RX@0x400492ec[libshield.so]0x492ec
[14:38:38 181] Memory WRITE at 0x404531a4, data size = 4, data value = 0x00000053, PC=RX@0x4004930c[libshield.so]0x4930c, LR=RX@0x400492ec[libshield.so]0x492ec
[14:38:38 184] Memory WRITE at 0x404531a0, data size = 4, data value = 0x00000053, PC=RX@0x40049574[libshield.so]0x49574, LR=RX@0x40049570[libshield.so]0x49570
依旧通过PC或者LR去查看一下代码执行的地方和执行完跳转回去的地方。
\n

\n

查看IDA代码片段 4个部分前两部分都是写死赋值为1 后两部分都基于v7,v7与如下a1参数有关 v7 = (unsigned int)(*(_DWORD *)(*a1 + 20LL) + *(_DWORD *)(*a1 + 24LL) + *(_DWORD *)(*a1 + 28LL) + 24);
void __usercall sub_4926C(_QWORD *a1@<X0>, _QWORD *a2@<X8>)

\n

v5 = (_DWORD *)*a2;
v5[2] = 1;
v5[3] = 1;
v6 = a1;
v7 = (unsigned int)((_DWORD *)(*a1 + 20LL) + *(_DWORD *)(*a1 + 24LL) + *(_DWORD *)(*a1 + 28LL) + 24);
v5[5] = v7;

\n

v20 = (_DWORD *) * a2;
*(_QWORD *)(*a2 + 24LL) = v19;
sub_51698(v21, 13LL, & qword_10B508);
sub_511E0(v21, (unsigned int)
v7, v8, v19);
v20[4] = v7;

\n

于是打断点sub_4926C拿到x0的参数查看trace确认该函数只在0xBCD6C处调用(多次调用的地方记得反复翻阅trace确认寻找命中点)

\n

\n
-----------------------------------------------------------------------------<
[14:59:38 020]x0=unidbg@0xbffff540, md5=43d7feda9b1b909b055506e5e5fc9dbf, hex=10e058400000000000e058400000000078792d0000000000f0f4ffbf0000000018a0454000000000389045400000000010e058400000000000e0584000000000383145400000000038314540000000000831454000000000000000000000000000000000000000006030454000000000
size: 112
0000: 10 E0 58 40 00 00 00 00 00 E0 58 40 00 00 00 00 ..X@......X@....
0010: 78 79 2D 00 00 00 00 00 F0 F4 FF BF 00 00 00 00 xy-.............
0020: 18 A0 45 40 00 00 00 00 38 90 45 40 00 00 00 00 ..E@....8.E@....
0030: 10 E0 58 40 00 00 00 00 00 E0 58 40 00 00 00 00 ..X@......X@....
0040: 38 31 45 40 00 00 00 00 38 31 45 40 00 00 00 00 81E@....81E@....
0050: 08 31 45 40 00 00 00 00 00 00 00 00 00 00 00 00 .1E@............
0060: 00 00 00 00 00 00 00 00 60 30 45 40 00 00 00 00 ........`0E@....
^-----------------------------------------------------------------------------^
\n

\n

根据之前了解的规则，x0=unidbg@0xbffff540这里依旧是一个指针指向0x4058e010(小端序) 通过m0x4058e010拿到如下内容 (不要忘了这里是为了追溯与v7相关的参数a1，拿到53这个值)

\n

\n
-----------------------------------------------------------------------------<
[15:01:21 051]RW@0x4058e010, md5=b6a05095480f6c61e02ef52ea62aad46, hex=38581040000000000100000001affaec020000000700000024000000100000001070454000000000503145400000000000e04740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
size: 112
0000: 38 58 10 40 00 00 00 00 01 00 00 00 01 AF FA EC 8X.@............
0010: 02 00 00 00 07 00 00 00 24 00 00 00 10 00 00 00 ........$.......
0020: 10 70 45 40 00 00 00 00 50 31 45 40 00 00 00 00 .pE@....P1E@....
0030: 00 E0 47 40 00 00 00 00 00 00 00 00 00 00 00 00 ..G@............
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
^-----------------------------------------------------------------------------^
\n

\n

思考(*(*a1 + 20LL) + *(*a1 + 24LL) + *(a1 + 28LL) + 24);这行代码的结果是0x53怎么来的? 由刚才的操作我们已经知道了a1就是上述这片内存区域了，直接取如上位置对应值进行计算看
是否为53即可(验证是写死的还是变化的)
10+0+50+24 -> 84 -> 0x54(看样子是写死的,继续分析其本质是啥)

\n

*******************************(细节探索)
继续分析指针指向的地址0x4058e010看看是什么东西 -> emulator.traceWrite(0x4058e024,0x4058e024+9);(目的是查看20 24 28这三个位置的内容)
[15:16:33 394] Memory WRITE at 0x4058e024, data size = 4, data value = 0x00000007, PC=RX@0x40049138[libshield.so]0x49138, LR=RX@0x40049128[libshield.so]0x49128
[15:16:33 395] Memory WRITE at 0x4058e028, data size = 4, data value = 0x00000024, PC=RX@0x40049154[libshield.so]0x49154, LR=RX@0x40049140[libshield.so]0x49140
[15:16:33 395] Memory WRITE at 0x4058e02c, data size = 4, data value = 0x00000010, PC=RX@0x40049160[libshield.so]0x49160, LR=RX@0x4004915c[libshield.so]0x4915c
IDA查看0x49154 -> 地址为0xBCCDC 查询a2 a5 a7 -> mx1 mx4 mx5
void *__usercall sub_4908C@<X0>( int a1@<W0>,const char **a2@<X1>,int a3@<W2>,int a4@<W3>,const char **a5@<X4>,const void *a6@<X5>,unsigned int a7@<W6>,__int64 *a8@<X8>)
略...

\n

\n
-----------------------------------------------------------------------------<
[15:39:38 557]RW@0x4045a018, md5=852c37585df595b765f26ab3730bbe86, hex=33393932336533632d366336652d333839312d393435612d66643033633437393665623300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
size: 112
0000: 33 39 39 32 33 65 33 63 2D 36 63 36 65 2D 33 38 39923e3c-6c6e-38
0010: 39 31 2D 39 34 35 61 2D 66 64 30 33 63 34 37 39 91-945a-fd03c479
0020: 36 65 62 33 00 00 00 00 00 00 00 00 00 00 00 00 6eb3............
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
^-----------------------------------------------------------------------------^ 这里是deviceid
\n

\n

\n

5.后0x53字节(继续之前的日志)
[11:42:15 779] Memory WRITE at 0x40593010, data size = 8, data value = 0x1b521b31ed111635, PC=RX@0x4028c220[libc.so]0x1c220, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 779] Memory WRITE at 0x40593018, data size = 8, data value = 0x523a8ba0fadcdf0f, PC=RX@0x4028c220[libc.so]0x1c220, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 779] Memory WRITE at 0x40593020, data size = 8, data value = 0xe346e96b453b9986, PC=RX@0x4028c224[libc.so]0x1c224, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 779] Memory WRITE at 0x40593028, data size = 8, data value = 0x41a44c50e17e0d7e, PC=RX@0x4028c224[libc.so]0x1c224, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593030, data size = 8, data value = 0x9d1f64e39db28dcc, PC=RX@0x4028c228[libc.so]0x1c228, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593038, data size = 8, data value = 0xd522c3cf0ae6acfe, PC=RX@0x4028c228[libc.so]0x1c228, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593040, data size = 8, data value = 0x180c4137a6d87ecc, PC=RX@0x4028c22c[libc.so]0x1c22c, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593048, data size = 8, data value = 0x2dd5f3bf378b6545, PC=RX@0x4028c22c[libc.so]0x1c22c, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593050, data size = 8, data value = 0x651c903d3ce7d435, PC=RX@0x4028c18c[libc.so]0x1c18c, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593058, data size = 8, data value = 0xa52b0c3aec0e552b, PC=RX@0x4028c18c[libc.so]0x1c18c, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x40593053, data size = 8, data value = 0x0e552b651c903d3c, PC=RX@0x4028c1a4[libc.so]0x1c1a4, LR=RX@0x400497dc[libshield.so]0x497dc
[11:42:15 780] Memory WRITE at 0x4059305b, data size = 8, data value = 0x10cad6 a52b0c3aec, PC=RX@0x4028c1a4[libc.so]0x1c1a4, LR=RX@0x400497dc[libshield.so]0x497dc
通过LR返回的地址0x497dc 发现memcpy(v10 + 16, *(const void **)(v4 + 24), v14); 需要据此溯源找到原本的位置
查看trace[09:33:31 927][libshield.so 0x0497d8] [f622ff97] 0x400497d8: \