看雪8月ollvm题,考察ollvm算法还原能力
1、找到对应产生结果的函数MainActivity中的public native byte[] e(byte[] arg1)
2、frida固定入参
3、ida打开libxxxxdun.so找到对应函数,本层无混淆
根据hook结果
可发现,有一个结构体
其中sub_B940(outputobj, inputobj);函数传入了入参和出参的结构体,分别打印该函数调用前和调用后出参
得到的结果为算法结果,所以sub_B940为算法关键函数
跟进sub_B940, 大致分析一下函数,发现sub_11094传入了input,且有一个用于传出的参数,比较像算法函数
hook一下sub_011094
hook结果发现执行完毕有算法结果
跟进sub_011094,发现混淆比较严重,trace一下试试
由trace逆出一轮中间值以及怎样算出最终结果的
追溯中间结果是怎么生成的
调试发现这个关键赋值位置的BLX R2,实际调用了sub_257F4
跟进sub_257F4,找到sub_1ECFC,跟进sub_1ECFC,从memcpy往上追溯
根据memcpy的参数来源:
由此hook查看其中间结果
得到结果
sub_1ECFC调用了两次,第二次调用时结果已经生成了,故而往上追溯sub_257F4
追溯参数来源按照同样的格式进行hook
得到的是一个初始结果
搜索sub_257F4里调用sub_1ECFC的位置,发现全部是类似这样的BB
于是尝试按照结构体格式hook sub_566B4 打印结果
得到结果
调试该函数,得到sub_5A6DC函数,在此处赋值
trace一下sub_5A6DC, 得到算法全貌
package com.kanxue.ollvm8;
import android.os.Bundle;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import okio.ByteString;
import org.apache.commons.lang3.RandomStringUtils;
public class MainActivity extends AppCompatActivity {
static {
System.loadLibrary("xxxxdun");
}
public native byte[] e(byte[] arg1) {
}
@Override // androidx.appcompat.app.AppCompatActivity
protected void onCreate(Bundle arg3) {
super.onCreate(arg3);
this.setContentView(0x7F09001C); // layout:activity_main
TextView v3 = (TextView)this.findViewById(0x7F070061); // id:sample_text
StringBuilder v0 = new StringBuilder();
v0.append(RandomStringUtils.randomAlphabetic(10));
v0.append("_pediy_imyang_");
v3.setText(ByteString.of(this.e(v0.toString().getBytes())).hex());
}
}
package com.kanxue.ollvm8;
import android.os.Bundle;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import okio.ByteString;
import org.apache.commons.lang3.RandomStringUtils;
public class MainActivity extends AppCompatActivity {
static {
System.loadLibrary("xxxxdun");
}
public native byte[] e(byte[] arg1) {
}
@Override // androidx.appcompat.app.AppCompatActivity
protected void onCreate(Bundle arg3) {
super.onCreate(arg3);
this.setContentView(0x7F09001C); // layout:activity_main
TextView v3 = (TextView)this.findViewById(0x7F070061); // id:sample_text
StringBuilder v0 = new StringBuilder();
v0.append(RandomStringUtils.randomAlphabetic(10));
v0.append("_pediy_imyang_");
v3.setText(ByteString.of(this.e(v0.toString().getBytes())).hex());
}
}
function hook_java(){
Java.perform(function () {
//org.apache.commons.lang3.RandomStringUtils.randomAlphabetic(int): java.lang.String
var RandomStringUtils = Java.use("org.apache.commons.lang3.RandomStringUtils");
RandomStringUtils.randomAlphabetic.overload('int').implementation = function(arg){
var result = this.randomAlphabetic(arg);
//console.log("org.apache.commons.lang3.RandomStringUtils.randomAlphabetic:", result);
result = "elDIkbaKit";
return result;
}
//com.kanxue.ollvm5.MainActivity.encryt(byte[]): byte[]
var ByteString = Java.use("com.android.okhttp.okio.ByteString");
var MainActivity = Java.use("com.kanxue.ollvm8.MainActivity");
MainActivity.e.implementation = function(arg){
var result = this.e(arg);
console.log("com.kanxue.ollvm8.MainActivity arg:", ByteString.of(arg).hex());
console.log("com.kanxue.ollvm8.MainActivity result:", ByteString.of(result).hex());
return result;
}
});
}
function hook_java(){
Java.perform(function () {
//org.apache.commons.lang3.RandomStringUtils.randomAlphabetic(int): java.lang.String
var RandomStringUtils = Java.use("org.apache.commons.lang3.RandomStringUtils");
RandomStringUtils.randomAlphabetic.overload('int').implementation = function(arg){
var result = this.randomAlphabetic(arg);
//console.log("org.apache.commons.lang3.RandomStringUtils.randomAlphabetic:", result);
result = "elDIkbaKit";
return result;
}
//com.kanxue.ollvm5.MainActivity.encryt(byte[]): byte[]
var ByteString = Java.use("com.android.okhttp.okio.ByteString");
var MainActivity = Java.use("com.kanxue.ollvm8.MainActivity");
MainActivity.e.implementation = function(arg){
var result = this.e(arg);
console.log("com.kanxue.ollvm8.MainActivity arg:", ByteString.of(arg).hex());
console.log("com.kanxue.ollvm8.MainActivity result:", ByteString.of(result).hex());
return result;
}
});
}
int __fastcall Java_com_kanxue_ollvm8_MainActivity_e(JNIEnv *a1, int a2, int a3)
{
int v5; // r6
int v6; // r8
int v7; // r0
int v8; // r10
int v9; // r6
int v10; // r0
_DWORD v12[3]; // [sp+4h] [bp-44h] BYREF
char v13[12]; // [sp+10h] [bp-38h] BYREF
char v14[12]; // [sp+1Ch] [bp-2Ch] BYREF
v5 = ((int (__fastcall *)(JNIEnv *, int))(*a1)->GetArrayLength)(a1, a3);
v6 = ((int (__fastcall *)(JNIEnv *, int, _DWORD))(*a1)->GetByteArrayElements)(a1, a3, 0);
sub_ED80((int)v14, v6, v5);
sub_EDA4(v12, (int)v14);
sub_B940(v13, v12);
sub_BE34((int)v12);
v7 = sub_BA18(v13);
v8 = sub_F060(a1, v7);
v9 = sub_BA18(v13);
v10 = sub_BB44(v13);
((void (__fastcall *)(JNIEnv *, int, _DWORD, int, int))(*a1)->SetByteArrayRegion)(a1, v8, 0, v9, v10);
sub_F178(a1, a3, v6, 0);
sub_BE34((int)v13);
sub_BE34((int)v14);
return v8;
}
int __fastcall Java_com_kanxue_ollvm8_MainActivity_e(JNIEnv *a1, int a2, int a3)
{
int v5; // r6
int v6; // r8
int v7; // r0
int v8; // r10
int v9; // r6
int v10; // r0
_DWORD v12[3]; // [sp+4h] [bp-44h] BYREF
char v13[12]; // [sp+10h] [bp-38h] BYREF
char v14[12]; // [sp+1Ch] [bp-2Ch] BYREF
v5 = ((int (__fastcall *)(JNIEnv *, int))(*a1)->GetArrayLength)(a1, a3);
v6 = ((int (__fastcall *)(JNIEnv *, int, _DWORD))(*a1)->GetByteArrayElements)(a1, a3, 0);
sub_ED80((int)v14, v6, v5);
sub_EDA4(v12, (int)v14);
sub_B940(v13, v12);
sub_BE34((int)v12);
v7 = sub_BA18(v13);
v8 = sub_F060(a1, v7);
v9 = sub_BA18(v13);
v10 = sub_BB44(v13);
((void (__fastcall *)(JNIEnv *, int, _DWORD, int, int))(*a1)->SetByteArrayRegion)(a1, v8, 0, v9, v10);
sub_F178(a1, a3, v6, 0);
sub_BE34((int)v13);
sub_BE34((int)v14);
return v8;
}
sub_0E210 onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cda0e034 21 00 00 00 18 00 00 00 40 e0 5f cc 58 e0 a0 cd !.......@._.X...
cda0e044 11 18 df d1 16 00 00 00 21 00 00 00 18 00 00 00 ........!.......
cda0e054 c0 0f 94 cc b1 a1 eb ac 00 00 00 00 00 c4 fd dd ................
cda0e064 88 e1 a0 cd 14 e1 a0 cd 44 c0 e0 eb 02 00 00 00 ........D.......
cda0e074 00 00 00 00 a8 e2 a0 cd 77 80 fd cc 44 c0 e0 eb ........w...D...
cda0e084 00 00 00 00 02 00 00 00 b0 19 30 14 c0 a8 70 13 ..........0...p.
cda0e094 01 00 00 00 70 79 20 cc 01 00 00 00 24 fa 00 00 ....py .....$...
cda0e0a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 3f ...............?
cda0e0b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda0e0c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda0e0d4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda0e0e4 02 00 00 00 00 00 00 00 a8 e2 a0 cd 00 00 00 00 ................
cda0e0f4 88 e1 a0 cd 14 e1 a0 cd 77 c5 10 e9 00 00 00 00 ........w.......
cda0e104 b0 19 30 14 c0 a8 70 13 76 11 5e d2 00 01 00 00 ..0...p.v.^.....
cda0e114 00 00 00 00 02 00 00 00 00 00 00 00 a8 e2 a0 cd ................
cda0e124 4e 00 00 00 48 e1 a0 cd 88 e1 a0 cd 00 00 00 00 N...H...........
sub_0E210 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc5fe040 65 6c 44 49 6b 62 61 4b 69 74 5f 70 65 64 69 79 elDIkbaKit_pediy
cc5fe050 5f 69 6d 79 61 6e 67 5f 00 69 76 69 74 79 00 00 _imyang_.ivity..
cc5fe060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
sub_0E210 onEnter: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cda0e034 21 00 00 00 18 00 00 00 40 e0 5f cc 58 e0 a0 cd !.......@._.X...
cda0e044 11 18 df d1 16 00 00 00 21 00 00 00 18 00 00 00 ........!.......
cda0e054 c0 0f 94 cc b1 a1 eb ac 00 00 00 00 00 c4 fd dd ................
cda0e064 88 e1 a0 cd 14 e1 a0 cd 44 c0 e0 eb 02 00 00 00 ........D.......
cda0e074 00 00 00 00 a8 e2 a0 cd 77 80 fd cc 44 c0 e0 eb ........w...D...
cda0e084 00 00 00 00 02 00 00 00 b0 19 30 14 c0 a8 70 13 ..........0...p.
cda0e094 01 00 00 00 70 79 20 cc 01 00 00 00 24 fa 00 00 ....py .....$...
cda0e0a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 3f ...............?
cda0e0b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda0e0c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda0e0d4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda0e0e4 02 00 00 00 00 00 00 00 a8 e2 a0 cd 00 00 00 00 ................
cda0e0f4 88 e1 a0 cd 14 e1 a0 cd 77 c5 10 e9 00 00 00 00 ........w.......
cda0e104 b0 19 30 14 c0 a8 70 13 76 11 5e d2 00 01 00 00 ..0...p.v.^.....
cda0e114 00 00 00 00 02 00 00 00 00 00 00 00 a8 e2 a0 cd ................
cda0e124 4e 00 00 00 48 e1 a0 cd 88 e1 a0 cd 00 00 00 00 N...H...........
sub_0E210 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc5fe040 65 6c 44 49 6b 62 61 4b 69 74 5f 70 65 64 69 79 elDIkbaKit_pediy
cc5fe050 5f 69 6d 79 61 6e 67 5f 00 69 76 69 74 79 00 00 _imyang_.ivity..
cc5fe060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe0f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc5fe130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
struct {
int n1;
int nlen;
char* buff; //指向input/output的二进制
}
struct {
int n1;
int nlen;
char* buff; //指向input/output的二进制
}
var output;
var sub_0B940 = base_libxxxxdun.add(0xB940 + 1);
Interceptor.attach(sub_0B940, {
onEnter: function (args) {
arg0 = args[0];
arg1 = args[1];
output = args[0];
var input = ptr(arg1).add(8);
//console.log("sub_0B940 onEnter:", hexdump((ptr(arg0).add(8)).readPointer()));
//console.log("sub_0B940 onEnter:", hexdump(input.readPointer()));
}, onLeave: function (ret) {
var input = ptr(arg1).add(8);
output = ptr(arg0).add(8);
console.log("sub_0B940 onLeave:", hexdump(output.readPointer()));
//console.log("sub_0B940 onLeave:", hexdump(input.readPointer()));
}
});
var output;
var sub_0B940 = base_libxxxxdun.add(0xB940 + 1);
Interceptor.attach(sub_0B940, {
onEnter: function (args) {
arg0 = args[0];
arg1 = args[1];
output = args[0];
var input = ptr(arg1).add(8);
//console.log("sub_0B940 onEnter:", hexdump((ptr(arg0).add(8)).readPointer()));
//console.log("sub_0B940 onEnter:", hexdump(input.readPointer()));
}, onLeave: function (ret) {
var input = ptr(arg1).add(8);
output = ptr(arg0).add(8);
console.log("sub_0B940 onLeave:", hexdump(output.readPointer()));
//console.log("sub_0B940 onLeave:", hexdump(input.readPointer()));
}
});
sub_0B940 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc4fc0a0 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc4fc0b0 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc4fc0c0 65 6c 44 49 6b 62 61 4b 69 74 5f 70 65 64 69 79 elDIkbaKit_pediy
cc4fc0d0 5f 69 6d 79 61 6e 67 5f 00 69 76 69 74 79 00 00 _imyang_.ivity..
cc4fc0e0 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc4fc0f0 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc4fc100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
sub_0B940 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc4fc0a0 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc4fc0b0 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc4fc0c0 65 6c 44 49 6b 62 61 4b 69 74 5f 70 65 64 69 79 elDIkbaKit_pediy
cc4fc0d0 5f 69 6d 79 61 6e 67 5f 00 69 76 69 74 79 00 00 _imyang_.ivity..
cc4fc0e0 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc4fc0f0 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc4fc100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc4fc190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
int __fastcall func_B940(int outputobj, unsigned __int8 *inputobj)
{
int len1; // r0
int v5; // r6
int inputbuff; // r4
int len1_; // r0
int v8; // r5
int v9; // r0
int v11; // [sp+8h] [bp-30h] BYREF
int len2; // [sp+Ch] [bp-2Ch] BYREF
unsigned __int8 v13[12]; // [sp+10h] [bp-28h] BYREF
int v14; // [sp+1Ch] [bp-1Ch]
sub_B9F8(v13);
len1 = getlen_BA18(inputobj);
sub_BA10(v13, len1);
len2 = getlen_BA18(v13);
v5 = getbuff_BB44(v13);
inputbuff = getbuff_BB44(inputobj);
len1_ = getlen_BA18(inputobj);
sub_11094(v5, (int)&len2, inputbuff, len1_, 9);
v8 = sub_BB54((int)v13);
v11 = sub_BB54((int)v13);
v9 = sub_BCB8(&v11, len2);
sub_BE1C((_DWORD *)outputobj, v8, v9);
sub_BE34((int)v13);
return _stack_chk_guard - v14;
}
int __fastcall func_B940(int outputobj, unsigned __int8 *inputobj)
{
int len1; // r0
int v5; // r6
int inputbuff; // r4
int len1_; // r0
int v8; // r5
int v9; // r0
int v11; // [sp+8h] [bp-30h] BYREF
int len2; // [sp+Ch] [bp-2Ch] BYREF
unsigned __int8 v13[12]; // [sp+10h] [bp-28h] BYREF
int v14; // [sp+1Ch] [bp-1Ch]
sub_B9F8(v13);
len1 = getlen_BA18(inputobj);
sub_BA10(v13, len1);
len2 = getlen_BA18(v13);
v5 = getbuff_BB44(v13);
inputbuff = getbuff_BB44(inputobj);
len1_ = getlen_BA18(inputobj);
sub_11094(v5, (int)&len2, inputbuff, len1_, 9);
v8 = sub_BB54((int)v13);
v11 = sub_BB54((int)v13);
v9 = sub_BCB8(&v11, len2);
sub_BE1C((_DWORD *)outputobj, v8, v9);
sub_BE34((int)v13);
return _stack_chk_guard - v14;
}
var a0,a1,a2;
var sub_011094 = base_libxxxxdun.add(0x11094 + 1);
Interceptor.attach(sub_011094, {
onEnter: function (args) {
a0 = args[0];
a1 = args[1];
a2 = args[2];
console.log("sub_011094 onEnter:", hexdump(args[0]));
console.log("sub_011094 onEnter:", hexdump(args[1]));
console.log("sub_011094 onEnter:", hexdump(args[2]));
console.log("sub_011094 onEnter:", args[3]);
}, onLeave: function (ret) {
//var pLeave = ptr(ret).readPointer()
//console.log("sub_011094 onLeave:", hexdump(ret));
console.log("sub_011094 onLeave:", hexdump(a0));
console.log("sub_011094 onLeave:", hexdump(a1));
console.log("sub_011094 onLeave:", hexdump(a2));
}
});
var a0,a1,a2;
var sub_011094 = base_libxxxxdun.add(0x11094 + 1);
Interceptor.attach(sub_011094, {
onEnter: function (args) {
a0 = args[0];
a1 = args[1];
a2 = args[2];
console.log("sub_011094 onEnter:", hexdump(args[0]));
console.log("sub_011094 onEnter:", hexdump(args[1]));
console.log("sub_011094 onEnter:", hexdump(args[2]));
console.log("sub_011094 onEnter:", args[3]);
}, onLeave: function (ret) {
//var pLeave = ptr(ret).readPointer()
//console.log("sub_011094 onLeave:", hexdump(ret));
console.log("sub_011094 onLeave:", hexdump(a0));
console.log("sub_011094 onLeave:", hexdump(a1));
console.log("sub_011094 onLeave:", hexdump(a2));
}
});
sub_011094 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc840a00 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc840a10 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc840a20 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc840a30 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc840a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840aa0 00 00 00 00 34 00 00 00 00 00 00 00 00 00 00 00 ....4...........
cc840ab0 00 00 00 00 51 00 00 00 00 00 14 42 00 00 00 00 ....Q......B....
cc840ac0 69 6e 64 69 72 65 63 74 20 72 65 66 20 74 61 62 indirect ref tab
cc840ad0 6c 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 le..............
cc840ae0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840af0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
sub_011094 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cda10ffc 18 00 00 00 21 00 00 00 18 00 00 00 00 0a 84 cc ....!...........
cda1100c b1 a1 eb ac 58 79 a5 cc 90 10 a1 cd b8 91 da e9 ....Xy..........
cda1101c 4c 10 a1 cd 50 07 27 e9 18 00 00 00 78 10 a1 cd L...P.'.....x...
cda1102c f7 0c e5 cc 16 00 00 00 21 00 00 00 18 00 00 00 ........!.......
cda1103c e0 09 84 cc 58 10 a1 cd 11 48 df d1 16 00 00 00 ....X....H......
cda1104c 21 00 00 00 18 00 00 00 c0 09 84 cc b1 a1 eb ac !...............
cda1105c 00 00 00 00 00 1e fd dd 88 11 a1 cd 14 11 a1 cd ................
cda1106c 44 c0 e0 eb 02 00 00 00 00 00 00 00 a8 12 a1 cd D...............
cda1107c 77 00 fe cc 44 c0 e0 eb 00 00 00 00 02 00 00 00 w...D...........
cda1108c 98 21 dc 13 c0 a8 90 13 01 00 00 00 60 a9 26 cc .!..........`.&.
cda1109c 01 00 00 00 24 fa 00 00 00 00 00 00 00 00 00 00 ....$...........
cda110ac 00 00 00 00 00 00 f0 3f 00 00 00 00 00 00 00 00 .......?........
cda110bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda110cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cda110dc 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................
cda110ec a8 12 a1 cd 00 00 00 00 88 11 a1 cd 14 11 a1 cd ................
sub_011094 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc8409e0 65 6c 44 49 6b 62 61 4b 69 74 5f 70 65 64 69 79 elDIkbaKit_pediy
cc8409f0 5f 69 6d 79 61 6e 67 5f 00 69 76 69 74 79 00 00 _imyang_.ivity..
cc840a00 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
758f3e3c9c5ce1792d3b259312b6a98a4059ab04b17a2573
sub_011094 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cc840a00 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc840a10 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc840a20 75 8f 3e 3c 9c 5c e1 79 2d 3b 25 93 12 b6 a9 8a u.><.\.y-;%.....
cc840a30 40 59 ab 04 b1 7a 25 73 00 74 69 76 69 74 79 00 @Y...z%s.tivity.
cc840a40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840a90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840aa0 00 00 00 00 34 00 00 00 00 00 00 00 00 00 00 00 ....4...........
cc840ab0 00 00 00 00 51 00 00 00 00 00 14 42 00 00 00 00 ....Q......B....
cc840ac0 69 6e 64 69 72 65 63 74 20 72 65 66 20 74 61 62 indirect ref tab
cc840ad0 6c 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 le..............
cc840ae0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cc840af0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
sub_011094 onLeave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cda10ffc 18 00 00 00 21 00 00 00 18 00 00 00 00 0a 84 cc ....!...........
cda1100c b1 a1 eb ac 58 79 a5 cc 90 10 a1 cd b8 91 da e9 ....Xy..........
[培训]科锐软件逆向54期预科班、正式班开始火爆招生报名啦!!!
