IDA 静态分析无法生成伪代码(F5 失败)

这里我有2个问题,相关,所以我都放在一起问了:

问题一:

在静态分析的时候,有几个类的所有方法都没办法F5,报错如下:

[此处为报错截图的附件引用,正文中未显示:527C3398183D6FD4C84469742D23D619]

IDA版本:7.0
Arch:ARM64

在ARM64的时候,伪代码是这样的:

id __cdecl -[xxx xxx](xxx *self, SEL a2, id a3, id a4, id a5, id a6, int a7, int a8, id *a9)
{
  sub_1012A5738();
  return (id)sub_1012A5738();
}

汇编如下:

__text:00000001012A5730     var_10          = -0x10
__text:00000001012A5730
__text:00000001012A5730 000                 STP             X0, X30, [SP,#var_10]!
__text:00000001012A5734 000                 BL              sub_1012A5738


char *sub_1012A5738()
{
  return sub_1012A5758;
}


汇编如下:
__text:00000001012A5758 000                 ADR             X0, sub_1012A5758
__text:00000001012A576C 010                 MOV             X30, X0
__text:00000001012A5770 000                 RET

然后 sub_1012A5758 之后的代码就没办法被反编译进伪代码了。

另外我尝试了ARMV7:

id __cdecl -[xxx xxx](xxx *self, SEL a2, id a3, id a4, id a5, id a6, int a7, int a8, id *a9)
{
  sub_10BC39C((int)self, (int)a2, (int)a3, (int)a4);
}

汇编如下:

__text:010BC370 var_4           = -4
__text:010BC370
__text:010BC370                 PUSH            {R0-R2,LR}
__text:010BC372                 ADR             R1, sub_10BC390
__text:010BC374                 MOVS            R1, R1
__text:010BC376                 SUBS            R1, #5
__text:010BC378                 MOVS            R0, R0
__text:010BC37A                 MOVS            R0, R1
__text:010BC37C                 MOVS            R2, R2
__text:010BC37E                 ADDS            R0, #0x12
__text:010BC380                 STR             R0, [SP,#0x10+var_4]
__text:010BC382                 POP             {R0-R2,PC}

void __fastcall __noreturn sub_10BC39C(int a1, int a2, int a3, int a4)
{
  int v4; // r4
  int v5; // r5
  int v6; // r6
  int v7; // r7
  int i; // r0
  int v9; // r3
  int v10; // r9
  int v11; // r3
  int v12; // r12
  int v13; // r1
  int v14; // [sp+0h] [bp-Ch]
  int v15; // [sp+4h] [bp-8h]

  v14 = a1;
  v15 = a2;
  for ( i = 8; ; i = 10 )
  {
    sub_109F4A0(i, a2, a3, a4, v14, v15);
    a3 = v6 << 10;
    v6 = v5 << 25;
    HIWORD(v9) = 595;
    v10 = *(_DWORD *)(v7 - 24) + 1400;
    v11 = *(_DWORD *)(v9 + 17548280);
    v12 = *(_DWORD *)(v7 - 260);
    *(_DWORD *)(v7 - 276) = v4 << 27;
    *(_DWORD *)(v7 - 280) = v13;
    a2 = v11;
    v4 = v7 - 256;
    a4 = *(_DWORD *)(v7 - 276);
  }
}

汇编如下:

__text:010BC39C sub_10BC39C
__text:010BC39C                 PUSH            {R0,R1,LR}
__text:010BC39E                 MOVW            R0, #8
__text:010BC3A2                 NOP
__text:010BC3A4
__text:010BC3A4 loc_10BC3A4                             ; CODE XREF: sub_10BC39C+90↓j
__text:010BC3A4                 BLX             sub_109F4A0
__text:010BC3A8                 MOVS            R0, R1
__text:010BC3AA                 MOVS            R0, R0
__text:010BC3AC                 LSLS            R0, R1, #1
__text:010BC3AE                 MOVS            R0, R0
__text:010BC3B0                 LSLS            R0, R1, #2
__text:010BC3B2                 MOVS            R0, R0
__text:010BC3B4                 LSLS            R0, R7, #2
__text:010BC3B6                 MOVS            R0, R0
__text:010BC3B8                 LSLS            R4, R4, #4
__text:010BC3BA                 MOVS            R0, R0
__text:010BC3BC                 LSLS            R2, R0, #5
__text:010BC3BE                 MOVS            R0, R0
__text:010BC3C0                 LSLS            R2, R0, #7
__text:010BC3C2                 MOVS            R0, R0
__text:010BC3C4                 LSLS            R2, R2, #7
__text:010BC3C6                 MOVS            R0, R0
__text:010BC3C8                 LSLS            R4, R4, #7
__text:010BC3CA                 MOVS            R0, R0
__text:010BC3CC                 LSLS            R0, R1, #9
__text:010BC3CE                 MOVS            R0, R0
__text:010BC3D0                 LSLS            R2, R6, #0xA
__text:010BC3D2                 MOVS            R0, R0
__text:010BC3D4                 LSLS            R6, R4, #0xC
__text:010BC3D6                 MOVS            R0, R0
__text:010BC3D8                 LSLS            R0, R4, #0xE
__text:010BC3DA                 MOVS            R0, R0
__text:010BC3DC                 LSLS            R0, R4, #0x10
__text:010BC3DE                 MOVS            R0, R0
__text:010BC3E0                 LSLS            R4, R0, #0x13
__text:010BC3E2                 MOVS            R0, R0
__text:010BC3E4                 LSLS            R4, R4, #0x15
__text:010BC3E6                 MOVS            R0, R0
__text:010BC3E8                 LSLS            R6, R4, #0x17
__text:010BC3EA                 MOVS            R0, R0
__text:010BC3EC                 LSLS            R6, R5, #0x19
__text:010BC3EE                 MOVS            R0, R0
__text:010BC3F0                 MOVT.W          R3, #0x253
__text:010BC3F4                 ADD             R3, PC
__text:010BC3F6                 LDR.W           R9, [R7,#-0x18]
__text:010BC3FA                 ADD.W           R9, R9, #0x578
__text:010BC3FE                 LDR             R3, [R3]
__text:010BC400                 SUB             SP, SP, #4
__text:010BC402                 SUB.W           R4, R7, #0x100
__text:010BC406                 LDR.W           R12, [R4,#-4]
__text:010BC40A                 SUB.W           R4, R7, #0x100
__text:010BC40E                 STR.W           R0, [R4,#-0x14]
__text:010BC412                 MOV             R0, R12
__text:010BC414                 SUB.W           R4, R7, #0x100
__text:010BC418                 STR.W           R1, [R4,#-0x18]
__text:010BC41C                 MOV             R1, R3
__text:010BC41E                 SUB.W           R4, R7, #0x100
__text:010BC422                 LDR.W           R3, [R4,#-0x14]
__text:010BC426                 PUSH            {R0,R1,LR}
__text:010BC428                 MOVW            R0, #0xA
__text:010BC42C                 BL              loc_10BC3A4

int __fastcall sub_109F4A0(int a1, int a2, int a3, int a4, int a5, int a6)
{
  int v6; // lr
  int (__fastcall *v7)(int, int, int, int, int, int, _DWORD); // r1

  v7 = (int (__fastcall *)(int, int, int, int, int, int, _DWORD))(*(_DWORD *)((v6 & 0xFFFFFFFE) + 4 * a1) + v6);
  return v7(a5, a6, a3, a4, a5, a6, v7);
}

汇编如下:

__text:0109F4A0 arg_8           =  8
__text:0109F4A0
__text:0109F4A0                 BIC             R1, LR, #1
__text:0109F4A4                 LDR             R1, [R1,R0,LSL#2]
__text:0109F4A8                 ADD             R1, R1, LR
__text:0109F4AC                 LDR             LR, [SP,#arg_8]
__text:0109F4B0                 STR             R1, [SP,#arg_8]
__text:0109F4B4                 LDMFD           SP!, {R0,R1,PC}

看起来是比ARM64的清晰了,但感觉分析的不对。

参考了一个链接(此处链接缺失),说是 SP 栈不平衡(positive sp value 报错),但按它的方法还是没解决;用 Hopper 也试过,同样无法反编译成伪代码。请问各位大佬有没有可行的办法?跪谢!

问题二;

鉴于问题一的方法,ida分析的汇编代码和动态调试lldb的代码不一致

同一方法lldb显示:

0x101389730 <+0>:    stp    x0, x30, [sp, #-0x10]!
    0x101389734 <+4>:    bl     0x101389738               ; <+8>
    0x101389738 <+8>:    adr    x0, #0x20                 ; <+40>
    0x10138973c <+12>:   mov    x30, x0
    0x101389740 <+16>:   ret    
    0x101389744 <+20>:   .long  0x45454b61                ; unknown opcode
    0x101389748 <+24>:   .long  0x09304b09                ; unknown opcode
    0x10138974c <+28>:   stxrb  w16, w14, [x26]
    0x101389750 <+32>:   .long  0x631a1260                ; unknown opcode
    0x101389754 <+36>:   .long  0x57194603                ; unknown opcode
    0x101389758 <+40>:   ldp    x0, x30, [sp], #0x10
    0x10138975c <+44>:   stp    x0, x30, [sp, #-0x10]!
    0x101389760 <+48>:   ldr    w0, 0x101389768           ; <+56>
    0x101389764 <+52>:   bl     0x10136280c               ; +[AnangkeStateFactory createAnangkeState] + 184
    0x101389768 <+56>:   .long  0x00000006                ; unknown opcode
    0x10138976c <+60>:   .long  0x00000044                ; unknown opcode
    0x101389770 <+64>:   .long  0x000000a8                ; unknown opcode
    0x101389774 <+68>:   .long  0x00000104                ; unknown opcode
    0x101389778 <+72>:   .long  0x00000160                ; unknown opcode
    0x10138977c <+76>:   .long  0x00000178                ; unknown opcode
    0x101389780 <+80>:   .long  0x00000194                ; unknown opcode
    0x101389784 <+84>:   .long  0x000001b0                ; unknown opcode
    0x101389788 <+88>:   .long  0x00000224                ; unknown opcode
    0x10138978c <+92>:   .long  0x000002c0                ; unknown opcode
    0x101389790 <+96>:   .long  0x0000034c                ; unknown opcode
    0x101389794 <+100>:  .long  0x000003d8                ; unknown opcode
    0x101389798 <+104>:  .long  0x00000474                ; unknown opcode
    0x10138979c <+108>:  .long  0x00000510                ; unknown opcode
    0x1013897a0 <+112>:  .long  0x000005f0                ; unknown opcode
    0x1013897a4 <+116>:  .long  0x0000067c                ; unknown opcode
    0x1013897a8 <+120>:  .long  0x00000748                ; unknown opcode
    0x1013897ac <+124>:  ldp    x0, x30, [sp], #0x10

后面还有一些省略了
...

xcode版本:9.4.1

这种看起来像是解析错误。。。。翻看论坛有人说是 ARM 和 THUMB 指令被混淆了。
尝试了 disass -A thumbv7,以及把 Xcode 换成 8.3,都无解,还请各位大佬指教下!感激不尽!


就没人给这个妹子解答下吗

为啥不用Hopper呢?IDA对OC好像不是太友好

问题一:
可能是混淆过,Hikari 的产物也是这个尿性。看了一下汇编,几处地方确实不像正常编译器生成的代码,当然也可能是我 paranoid。具体到 F5 失败的原因:函数开头 `bl +8` 之后是 `adr x0, #0x20; mov x30, x0; ret`,这是用 ret 实现的一次计算跳转,实际落到 +40 的 `ldp x0, x30, [sp], #0x10`(和开头的 stp 配对),+20~+36 那几个字根本不会被执行;而 IDA 把这个 ret 当成了函数返回(所以 sub_1012A5738 的伪代码是 `return sub_1012A5758;`),后面的代码在它看来不可达,伪代码自然只剩一个对 sub_1012A5738 的调用。

问题二:
一般以 IDA/Hopper 的结果为主,lldb 的反汇编一直有各种奇怪的 bug。不过这里反汇编本身看起来没有出错:arm64 没有 Thumb 状态,`-A thumbv7` 用不上;那些 `.long ... ; unknown opcode` 其实是嵌在代码里的数据——从 +56 开始是一张递增的偏移表,而每个 `bl <+52>` 后面紧跟的那个字(0x0~0xf)是被它前面一条 `ldr w0, <+N>` 读出来的表索引;对照问题一里 ARMv7 版的 sub_109F4A0(`LDR R1,[R1,R0,LSL#2]; ADD R1,R1,LR`),这应该是同一套以 LR 为基址、按索引查表再跳转的分发器,lldb 给它标的 `createAnangkeState + 184` 只是就近符号。我的意见是贴一下有 positive sp 报错的函数的完整汇编,亦或是发二进制和有问题部分的地址。

EDIT: Add more content

用hopper也尝试了的,我个人觉得ida更好用

你给力。。

嗯嗯,感谢回答,问题一中我也是这么觉得的,这些代码是App中协议分析的重要地方,做些保护是必然的。Hikari我看过,只不过没用它来看混淆过的代码。这种的张总有解决的办法么?可以让它正常伪代码出来。


这是问题二的完整汇编代码:

0x101381730 <+0>:    stp    x0, x30, [sp, #-0x10]!
    0x101381734 <+4>:    bl     0x101381738               ; <+8>
    0x101381738 <+8>:    adr    x0, #0x20                 ; <+40>
    0x10138173c <+12>:   mov    x30, x0
    0x101381740 <+16>:   ret    
    0x101381744 <+20>:   .long  0x45454b61                ; unknown opcode
    0x101381748 <+24>:   .long  0x09304b09                ; unknown opcode
    0x10138174c <+28>:   stxrb  w16, w14, [x26]
    0x101381750 <+32>:   .long  0x631a1260                ; unknown opcode
    0x101381754 <+36>:   .long  0x57194603                ; unknown opcode
    0x101381758 <+40>:   ldp    x0, x30, [sp], #0x10
    0x10138175c <+44>:   stp    x0, x30, [sp, #-0x10]!
    0x101381760 <+48>:   ldr    w0, 0x101381768           ; <+56>
    0x101381764 <+52>:   bl     0x10135a80c               ; +[AnangkeStateFactory createAnangkeState] + 184
    0x101381768 <+56>:   .long  0x00000006                ; unknown opcode
    0x10138176c <+60>:   .long  0x00000044                ; unknown opcode
    0x101381770 <+64>:   .long  0x000000a8                ; unknown opcode
    0x101381774 <+68>:   .long  0x00000104                ; unknown opcode
    0x101381778 <+72>:   .long  0x00000160                ; unknown opcode
    0x10138177c <+76>:   .long  0x00000178                ; unknown opcode
    0x101381780 <+80>:   .long  0x00000194                ; unknown opcode
    0x101381784 <+84>:   .long  0x000001b0                ; unknown opcode
    0x101381788 <+88>:   .long  0x00000224                ; unknown opcode
    0x10138178c <+92>:   .long  0x000002c0                ; unknown opcode
    0x101381790 <+96>:   .long  0x0000034c                ; unknown opcode
    0x101381794 <+100>:  .long  0x000003d8                ; unknown opcode
    0x101381798 <+104>:  .long  0x00000474                ; unknown opcode
    0x10138179c <+108>:  .long  0x00000510                ; unknown opcode
    0x1013817a0 <+112>:  .long  0x000005f0                ; unknown opcode
    0x1013817a4 <+116>:  .long  0x0000067c                ; unknown opcode
    0x1013817a8 <+120>:  .long  0x00000748                ; unknown opcode
    0x1013817ac <+124>:  ldp    x0, x30, [sp], #0x10
    0x1013817b0 <+128>:  sub    x27, x29, #0xb8           ; =0xb8 
    0x1013817b4 <+132>:  ldur   x0, [x27, #-0x100]
    0x1013817b8 <+136>:  bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x1013817bc <+140>:  sub    x27, x29, #0x40           ; =0x40 
    0x1013817c0 <+144>:  ldur   x0, [x27, #-0x100]
    0x1013817c4 <+148>:  bl     0x1033d2b64               ; symbol stub for: objc_autoreleaseReturnValue
    0x1013817c8 <+152>:  adrp   x30, 8483
    0x1013817cc <+156>:  ldr    x30, [x30, #0xf80]
    0x1013817d0 <+160>:  ldr    x30, [x30]
    0x1013817d4 <+164>:  ldur   x8, [x29, #-0x18]
    0x1013817d8 <+168>:  cmp    x30, x8
    0x1013817dc <+172>:  sub    x30, x29, #0xc0           ; =0xc0 
    0x1013817e0 <+176>:  stur   x0, [x30, #-0x100]
    0x1013817e4 <+180>:  b.ne   0x101381eb4               ; <+1924>
    0x1013817e8 <+184>:  sub    x1, x29, #0xc0            ; =0xc0 
    0x1013817ec <+188>:  ldur   x0, [x1, #-0x100]
    0x1013817f0 <+192>:  sub    sp, x29, #0x10            ; =0x10 
    0x1013817f4 <+196>:  ldp    x29, x30, [sp, #0x10]
    0x1013817f8 <+200>:  ldp    x28, x27, [sp], #0x20
    0x1013817fc <+204>:  ret    
    0x101381800 <+208>:  stp    x0, x30, [sp, #-0x10]!
    0x101381804 <+212>:  ldr    w0, 0x10138180c           ; <+220>
    0x101381808 <+216>:  bl     0x101381764               ; <+52>
    0x10138180c <+220>:  .long  0x0000000f                ; unknown opcode
    0x101381810 <+224>:  ldp    x0, x30, [sp], #0x10
    0x101381814 <+228>:  sub    x27, x29, #0x28           ; =0x28 
    0x101381818 <+232>:  ldur   x0, [x27, #-0x100]
    0x10138181c <+236>:  sub    x27, x29, #0x8            ; =0x8 
    0x101381820 <+240>:  ldur   x8, [x27, #-0x100]
    0x101381824 <+244>:  sub    x27, x29, #0x38           ; =0x38 
    0x101381828 <+248>:  stur   x0, [x27, #-0x100]
    0x10138182c <+252>:  mov    x0, x8
    0x101381830 <+256>:  bl     0x1033d1da8               ; symbol stub for: free
    0x101381834 <+260>:  sub    x30, x29, #0x38           ; =0x38 
    0x101381838 <+264>:  ldur   x0, [x30, #-0x100]
    0x10138183c <+268>:  sub    x30, x29, #0x10           ; =0x10 
    0x101381840 <+272>:  stur   x0, [x30, #-0x100]
    0x101381844 <+276>:  sub    x27, x29, #0x10           ; =0x10 
    0x101381848 <+280>:  ldur   x0, [x27, #-0x100]
    0x10138184c <+284>:  adrp   x8, 11710
    0x101381850 <+288>:  add    x8, x8, #0xbd0            ; =0xbd0 
    0x101381854 <+292>:  ldr    x8, [x8]
    0x101381858 <+296>:  sub    x27, x29, #0x40           ; =0x40 
    0x10138185c <+300>:  stp    x0, x30, [sp, #-0x10]!
    0x101381860 <+304>:  ldr    w0, 0x101381868           ; <+312>
    0x101381864 <+308>:  bl     0x101381764               ; <+52>
    0x101381868 <+312>:  .long  0x0000000c                ; unknown opcode
    0x10138186c <+316>:  ldp    x0, x30, [sp], #0x10
    0x101381870 <+320>:  stur   x8, [x29, #-0x50]
    0x101381874 <+324>:  ldur   x0, [x29, #-0x90]
    0x101381878 <+328>:  bl     0x1033d2cf0               ; symbol stub for: objc_retainAutorelease
    0x10138187c <+332>:  ldur   x1, [x29, #-0xd8]
    0x101381880 <+336>:  bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381884 <+340>:  ldur   x1, [x29, #-0xa0]
    0x101381888 <+344>:  stur   x0, [x29, #-0xe8]
    0x10138188c <+348>:  mov    x0, x1
    0x101381890 <+352>:  bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381894 <+356>:  ldur   x8, [x29, #-0xe8]
    0x101381898 <+360>:  stur   x8, [x29, #-0x48]
    0x10138189c <+364>:  ldur   w6, [x29, #-0x68]
    0x1013818a0 <+368>:  stur   w6, [x29, #-0x40]
    0x1013818a4 <+372>:  ldur   x0, [x29, #-0xa8]
    0x1013818a8 <+376>:  bl     0x1033d2cf0               ; symbol stub for: objc_retainAutorelease
    0x1013818ac <+380>:  ldur   x1, [x29, #-0xd8]
    0x1013818b0 <+384>:  bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x1013818b4 <+388>:  ldur   x1, [x29, #-0xb8]
    0x1013818b8 <+392>:  stp    x0, x30, [sp, #-0x10]!
    0x1013818bc <+396>:  ldr    w0, 0x1013818c4           ; <+404>
    0x1013818c0 <+400>:  bl     0x101381764               ; <+52>
    0x1013818c4 <+404>:  .long  0x0000000e                ; unknown opcode
    0x1013818c8 <+408>:  ldp    x0, x30, [sp], #0x10
    0x1013818cc <+412>:  sub    sp, sp, #0x10             ; =0x10 
    0x1013818d0 <+416>:  stp    x0, x30, [sp, #-0x10]!
    0x1013818d4 <+420>:  ldr    w0, 0x1013818dc           ; <+428>
    0x1013818d8 <+424>:  bl     0x101381764               ; <+52>
    0x1013818dc <+428>:  .long  0x00000009                ; unknown opcode
    0x1013818e0 <+432>:  ldp    x0, x30, [sp], #0x10
    0x1013818e4 <+436>:  bl     0x10139ed70               ; +[SensorDataCaptureUtils getInstance] + 33732
    0x1013818e8 <+440>:  sub    sp, sp, #0x10             ; =0x10 
    0x1013818ec <+444>:  stp    x0, x30, [sp, #-0x10]!
    0x1013818f0 <+448>:  ldr    w0, 0x1013818f8           ; <+456>
    0x1013818f4 <+452>:  bl     0x101381764               ; <+52>
    0x1013818f8 <+456>:  .long  0x00000008                ; unknown opcode
    0x1013818fc <+460>:  ldp    x0, x30, [sp], #0x10
    0x101381900 <+464>:  sub    x30, x29, #0x70           ; =0x70 
    0x101381904 <+468>:  stur   x2, [x30, #-0x100]
    0x101381908 <+472>:  stp    x0, x30, [sp, #-0x10]!
    0x10138190c <+476>:  ldr    w0, 0x101381914           ; <+484>
    0x101381910 <+480>:  bl     0x101381764               ; <+52>
    0x101381914 <+484>:  .long  0x0000000b                ; unknown opcode
    0x101381918 <+488>:  ldp    x0, x30, [sp], #0x10
    0x10138191c <+492>:  stp    x28, x27, [sp, #-0x20]!
    0x101381920 <+496>:  stp    x29, x30, [sp, #0x10]
    0x101381924 <+500>:  add    x29, sp, #0x10            ; =0x10 
    0x101381928 <+504>:  sub    sp, sp, #0x1b0            ; =0x1b0 
    0x10138192c <+508>:  ldr    x8, [x29, #0x10]
    0x101381930 <+512>:  adrp   x9, 8483
    0x101381934 <+516>:  ldr    x9, [x9, #0xf80]
    0x101381938 <+520>:  ldr    x9, [x9]
    0x10138193c <+524>:  mov    x1, x9
    0x101381940 <+528>:  stur   x9, [x29, #-0x18]
    0x101381944 <+532>:  mov    x9, x2
    0x101381948 <+536>:  mov    x10, x3
    0x10138194c <+540>:  stur   x0, [x29, #-0x58]
    0x101381950 <+544>:  mov    x0, x2
    0x101381954 <+548>:  stur   x8, [x29, #-0x60]
    0x101381958 <+552>:  stur   w7, [x29, #-0x64]
    0x10138195c <+556>:  stur   w6, [x29, #-0x68]
    0x101381960 <+560>:  stur   x5, [x29, #-0x70]
    0x101381964 <+564>:  stur   x4, [x29, #-0x78]
    0x101381968 <+568>:  stur   x3, [x29, #-0x80]
    0x10138196c <+572>:  stur   x10, [x29, #-0x88]
    0x101381970 <+576>:  stur   x9, [x29, #-0x90]
    0x101381974 <+580>:  stur   x1, [x29, #-0x98]
    0x101381978 <+584>:  bl     0x1033d2ce4               ; symbol stub for: objc_retain
    0x10138197c <+588>:  stp    x0, x30, [sp, #-0x10]!
    0x101381980 <+592>:  ldr    w0, 0x101381988           ; <+600>
    0x101381984 <+596>:  bl     0x101381764               ; <+52>
    0x101381988 <+600>:  .long  0x0000000a                ; unknown opcode
    0x10138198c <+604>:  ldp    x0, x30, [sp], #0x10
    0x101381990 <+608>:  ldur   x1, [x30, #-0x100]
    0x101381994 <+612>:  sub    x30, x29, #0x90           ; =0x90 
    0x101381998 <+616>:  stur   x1, [x30, #-0x100]
    0x10138199c <+620>:  cbz    x0, 0x101381a10           ; <+736>
    0x1013819a0 <+624>:  adrp   x8, 11869
    0x1013819a4 <+628>:  add    x8, x8, #0x200            ; =0x200 
    0x1013819a8 <+632>:  ldr    x0, [x8]
    0x1013819ac <+636>:  sub    sp, sp, #0x10             ; =0x10 
    0x1013819b0 <+640>:  adrp   x8, 8793
    0x1013819b4 <+644>:  add    x8, x8, #0xca8            ; =0xca8 
    0x1013819b8 <+648>:  mov    x9, sp
    0x1013819bc <+652>:  str    x8, [x9, #0x8]
    0x1013819c0 <+656>:  sub    x27, x29, #0x80           ; =0x80 
    0x1013819c4 <+660>:  ldur   x8, [x27, #-0x100]
    0x1013819c8 <+664>:  str    x8, [x9]
    0x1013819cc <+668>:  adrp   x2, 8933
    0x1013819d0 <+672>:  add    x2, x2, #0xc88            ; =0xc88 
    0x1013819d4 <+676>:  sub    x27, x29, #0x68           ; =0x68 
    0x1013819d8 <+680>:  ldur   x1, [x27, #-0x100]
    0x1013819dc <+684>:  bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x1013819e0 <+688>:  add    sp, sp, #0x10             ; =0x10 
    0x1013819e4 <+692>:  bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x1013819e8 <+696>:  sub    x27, x29, #0x88           ; =0x88 
    0x1013819ec <+700>:  ldur   x1, [x27, #-0x100]
    0x1013819f0 <+704>:  sub    x27, x29, #0x98           ; =0x98 
    0x1013819f4 <+708>:  stur   x0, [x27, #-0x100]
    0x1013819f8 <+712>:  mov    x0, x1
    0x1013819fc <+716>:  bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381a00 <+720>:  sub    x30, x29, #0x98           ; =0x98 
    0x101381a04 <+724>:  ldur   x0, [x30, #-0x100]
    0x101381a08 <+728>:  sub    x30, x29, #0x90           ; =0x90 
    0x101381a0c <+732>:  stur   x0, [x30, #-0x100]
    0x101381a10 <+736>:  sub    x27, x29, #0x90           ; =0x90 
    0x101381a14 <+740>:  ldur   x8, [x27, #-0x100]
    0x101381a18 <+744>:  stp    x0, x30, [sp, #-0x10]!
    0x101381a1c <+748>:  ldr    w0, 0x101381a24           ; <+756>
    0x101381a20 <+752>:  bl     0x101381764               ; <+52>
    0x101381a24 <+756>:  .long  0x00000003                ; unknown opcode
    0x101381a28 <+760>:  ldp    x0, x30, [sp], #0x10
    0x101381a2c <+764>:  mov    x8, sp
    0x101381a30 <+768>:  str    x0, [x8]
    0x101381a34 <+772>:  adrp   x2, 8822
    0x101381a38 <+776>:  add    x2, x2, #0xa68            ; =0xa68 
    0x101381a3c <+780>:  sub    x27, x29, #0xb0           ; =0xb0 
    0x101381a40 <+784>:  ldur   x0, [x27, #-0x100]
    0x101381a44 <+788>:  sub    x27, x29, #0x68           ; =0x68 
    0x101381a48 <+792>:  ldur   x1, [x27, #-0x100]
    0x101381a4c <+796>:  bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381a50 <+800>:  add    sp, sp, #0x10             ; =0x10 
    0x101381a54 <+804>:  bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x101381a58 <+808>:  mov    x8, #0x0
    0x101381a5c <+812>:  adrp   x9, 11711
    0x101381a60 <+816>:  add    x9, x9, #0x8e0            ; =0x8e0 
    0x101381a64 <+820>:  ldursw x10, [x29, #-0x1c]
    0x101381a68 <+824>:  add    x3, x10, #0x578           ; =0x578 
    0x101381a6c <+828>:  ldr    x1, [x9]
    0x101381a70 <+832>:  sub    x27, x29, #0xa8           ; =0xa8 
    0x101381a74 <+836>:  ldur   x9, [x27, #-0x100]
    0x101381a78 <+840>:  sub    x27, x29, #0xb8           ; =0xb8 
    0x101381a7c <+844>:  stur   x0, [x27, #-0x100]
    0x101381a80 <+848>:  mov    x0, x9
    0x101381a84 <+852>:  sub    x27, x29, #0xb8           ; =0xb8 
    0x101381a88 <+856>:  ldur   x2, [x27, #-0x100]
    0x101381a8c <+860>:  mov    x4, x8
    0x101381a90 <+864>:  bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381a94 <+868>:  bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x101381a98 <+872>:  bl     0x1033d2b40               ; symbol stub for: objc_autorelease
    0x101381a9c <+876>:  ldur   x8, [x29, #-0x60]
    0x101381aa0 <+880>:  str    x0, [x8]
    0x101381aa4 <+884>:  stp    x0, x30, [sp, #-0x10]!
    0x101381aa8 <+888>:  ldr    w0, 0x101381ab0           ; <+896>
    0x101381aac <+892>:  bl     0x101381764               ; <+52>
    0x101381ab0 <+896>:  .long  0x00000000                ; unknown opcode
    0x101381ab4 <+900>:  ldp    x0, x30, [sp], #0x10
    0x101381ab8 <+904>:  mov    x9, sp
    0x101381abc <+908>:  str    x8, [x9]
    0x101381ac0 <+912>:  adrp   x0, 8793
    0x101381ac4 <+916>:  add    x0, x0, #0xbc8            ; =0xbc8 
    0x101381ac8 <+920>:  sub    x27, x29, #0xa0           ; =0xa0 
    0x101381acc <+924>:  stur   x8, [x27, #-0x100]
    0x101381ad0 <+928>:  bl     0x1033d0974               ; symbol stub for: NSLog
    0x101381ad4 <+932>:  add    sp, sp, #0x10             ; =0x10 
    0x101381ad8 <+936>:  sub    x27, x29, #0xa0           ; =0xa0 
    0x101381adc <+940>:  ldur   x8, [x27, #-0x100]
    0x101381ae0 <+944>:  mov    x0, x8
    0x101381ae4 <+948>:  bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381ae8 <+952>:  sub    x27, x29, #0x70           ; =0x70 
    0x101381aec <+956>:  ldur   x0, [x27, #-0x100]
    0x101381af0 <+960>:  bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381af4 <+964>:  ldur   x0, [x29, #-0x60]
    0x101381af8 <+968>:  cbz    x0, 0x1013817bc           ; <+140>
    0x101381afc <+972>:  mov    x8, #0x0
    0x101381b00 <+976>:  adrp   x9, 11869
    0x101381b04 <+980>:  add    x9, x9, #0x200            ; =0x200 
    0x101381b08 <+984>:  adrp   x10, 11869
    0x101381b0c <+988>:  add    x10, x10, #0x510          ; =0x510 
    0x101381b10 <+992>:  ldr    x0, [x10]
    0x101381b14 <+996>:  ldr    x9, [x9]
    0x101381b18 <+1000>: mov    x1, x8
    0x101381b1c <+1004>: sub    x27, x29, #0xa8           ; =0xa8 
    0x101381b20 <+1008>: stur   x0, [x27, #-0x100]
    0x101381b24 <+1012>: mov    x0, x1
    0x101381b28 <+1016>: sub    x27, x29, #0xb0           ; =0xb0 
    0x101381b2c <+1020>: stur   x9, [x27, #-0x100]
    0x101381b30 <+1024>: stp    x0, x30, [sp, #-0x10]!
    0x101381b34 <+1028>: ldr    w0, 0x101381b3c           ; <+1036>
    0x101381b38 <+1032>: bl     0x101381764               ; <+52>
    0x101381b3c <+1036>: .long  0x00000004                ; unknown opcode
    0x101381b40 <+1040>: ldp    x0, x30, [sp], #0x10
    0x101381b44 <+1044>: ldur   x1, [x29, #-0x78]
    0x101381b48 <+1048>: ldur   x2, [x29, #-0x80]
    0x101381b4c <+1052>: stur   x0, [x29, #-0xa0]
    0x101381b50 <+1056>: mov    x0, x2
    0x101381b54 <+1060>: stur   x1, [x29, #-0xa8]
    0x101381b58 <+1064>: bl     0x1033d2ce4               ; symbol stub for: objc_retain
    0x101381b5c <+1068>: ldur   x1, [x29, #-0x78]
    0x101381b60 <+1072>: stur   x0, [x29, #-0xb0]
    0x101381b64 <+1076>: mov    x0, x1
    0x101381b68 <+1080>: bl     0x1033d2ce4               ; symbol stub for: objc_retain
    0x101381b6c <+1084>: sub    x8, x29, #0x50            ; =0x50 
    0x101381b70 <+1088>: sub    x9, x29, #0x1c            ; =0x1c 
    0x101381b74 <+1092>: stur   wzr, [x29, #-0x1c]
    0x101381b78 <+1096>: ldur   x1, [x29, #-0x70]
    0x101381b7c <+1100>: stur   x0, [x29, #-0xb8]
    0x101381b80 <+1104>: mov    x0, x1
    0x101381b84 <+1108>: stur   x8, [x29, #-0xc0]
    0x101381b88 <+1112>: stur   x9, [x29, #-0xc8]
    0x101381b8c <+1116>: bl     0x1033d2ce4               ; symbol stub for: objc_retain
    0x101381b90 <+1120>: ldur   x1, [x29, #-0x88]
    0x101381b94 <+1124>: stur   x0, [x29, #-0xd0]
    0x101381b98 <+1128>: mov    x0, x1
    0x101381b9c <+1132>: bl     0x1033d2cf0               ; symbol stub for: objc_retainAutorelease
    0x101381ba0 <+1136>: adrp   x8, 11710
    0x101381ba4 <+1140>: add    x8, x8, #0xf08            ; =0xf08 
    0x101381ba8 <+1144>: ldr    x8, [x8]
    0x101381bac <+1148>: mov    x1, x8
    0x101381bb0 <+1152>: stur   x8, [x29, #-0xd8]
    0x101381bb4 <+1156>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381bb8 <+1160>: ldur   x1, [x29, #-0xb0]
    0x101381bbc <+1164>: stur   x0, [x29, #-0xe0]
    0x101381bc0 <+1168>: mov    x0, x1
    0x101381bc4 <+1172>: bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381bc8 <+1176>: ldur   x8, [x29, #-0xe0]
    0x101381bcc <+1180>: stp    x0, x30, [sp, #-0x10]!
    0x101381bd0 <+1184>: ldr    w0, 0x101381bd8           ; <+1192>
    0x101381bd4 <+1188>: bl     0x101381764               ; <+52>
    0x101381bd8 <+1192>: .long  0x00000002                ; unknown opcode
    0x101381bdc <+1196>: ldp    x0, x30, [sp], #0x10
    0x101381be0 <+1200>: sub    x30, x29, #0x78           ; =0x78 
    0x101381be4 <+1204>: stur   x1, [x30, #-0x100]
    0x101381be8 <+1208>: cbz    x0, 0x101381ae8           ; <+952>
    0x101381bec <+1212>: adrp   x8, 11869
    0x101381bf0 <+1216>: add    x8, x8, #0x200            ; =0x200 
    0x101381bf4 <+1220>: sub    x27, x29, #0x4c           ; =0x4c 
    0x101381bf8 <+1224>: ldur   w9, [x27, #-0x100]
    0x101381bfc <+1228>: mov    x10, x9
    0x101381c00 <+1232>: sxtw   x10, w10
    0x101381c04 <+1236>: add    x10, x10, #0x578          ; =0x578 
    0x101381c08 <+1240>: ldr    x0, [x8]
    0x101381c0c <+1244>: sub    sp, sp, #0x10             ; =0x10 
    0x101381c10 <+1248>: mov    x8, sp
    0x101381c14 <+1252>: str    x10, [x8]
    0x101381c18 <+1256>: sub    x27, x29, #0x68           ; =0x68 
    0x101381c1c <+1260>: ldur   x1, [x27, #-0x100]
    0x101381c20 <+1264>: sub    x27, x29, #0x78           ; =0x78 
    0x101381c24 <+1268>: ldur   x2, [x27, #-0x100]
    0x101381c28 <+1272>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381c2c <+1276>: add    sp, sp, #0x10             ; =0x10 
    0x101381c30 <+1280>: bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x101381c34 <+1284>: adrp   x8, 8793
    0x101381c38 <+1288>: add    x8, x8, #0xca8            ; =0xca8 
    0x101381c3c <+1292>: mov    x1, x0
    0x101381c40 <+1296>: sub    x27, x29, #0x80           ; =0x80 
    0x101381c44 <+1300>: stur   x0, [x27, #-0x100]
    0x101381c48 <+1304>: mov    x0, x8
    0x101381c4c <+1308>: sub    x27, x29, #0x48           ; =0x48 
    0x101381c50 <+1312>: ldur   x8, [x27, #-0x100]
    0x101381c54 <+1316>: sub    x27, x29, #0x88           ; =0x88 
    0x101381c58 <+1320>: stur   x1, [x27, #-0x100]
    0x101381c5c <+1324>: mov    x1, x8
    0x101381c60 <+1328>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381c64 <+1332>: sub    x30, x29, #0x88           ; =0x88 
    0x101381c68 <+1336>: stp    x0, x30, [sp, #-0x10]!
    0x101381c6c <+1340>: ldr    w0, 0x101381c74           ; <+1348>
    0x101381c70 <+1344>: bl     0x101381764               ; <+52>
    0x101381c74 <+1348>: .long  0x00000007                ; unknown opcode
    0x101381c78 <+1352>: ldp    x0, x30, [sp], #0x10
    0x101381c7c <+1356>: stur   x0, [x27, #-0x100]
    0x101381c80 <+1360>: mov    x1, x8
    0x101381c84 <+1364>: sub    x27, x29, #0x48           ; =0x48 
    0x101381c88 <+1368>: stur   x8, [x27, #-0x100]
    0x101381c8c <+1372>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381c90 <+1376>: cmp    x0, #0x0                  ; =0x0 
    0x101381c94 <+1380>: cset   w9, eq
    0x101381c98 <+1384>: ldur   w10, [x29, #-0x1c]
    0x101381c9c <+1388>: cmp    w10, #0x0                 ; =0x0 
    0x101381ca0 <+1392>: cset   w11, ne
    0x101381ca4 <+1396>: and    w9, w9, w11
    0x101381ca8 <+1400>: sub    x30, x29, #0x4c           ; =0x4c 
    0x101381cac <+1404>: stur   w10, [x30, #-0x100]
    0x101381cb0 <+1408>: tbnz   w9, #0x0, 0x101381cb8     ; <+1416>
    0x101381cb4 <+1412>: b      0x1013817bc               ; <+140>
    0x101381cb8 <+1416>: orr    x8, xzr, #0x1
    0x101381cbc <+1420>: mov    x9, sp
    0x101381cc0 <+1424>: subs   x9, x9, #0x10             ; =0x10 
    0x101381cc4 <+1428>: mov    sp, x9
    0x101381cc8 <+1432>: mov    x0, x8
    0x101381ccc <+1436>: sub    x27, x29, #0x58           ; =0x58 
    0x101381cd0 <+1440>: stur   x9, [x27, #-0x100]
    0x101381cd4 <+1444>: bl     0x10139ecbc               ; +[SensorDataCaptureUtils getInstance] + 33552
    0x101381cd8 <+1448>: orr    w2, wzr, #0xe
    0x101381cdc <+1452>: sub    x27, x29, #0x58           ; =0x58 
    0x101381ce0 <+1456>: ldur   x1, [x27, #-0x100]
    0x101381ce4 <+1460>: bl     0x10135c260               ; 52ePwUb81O7L
    0x101381ce8 <+1464>: adrp   x8, 11710
    0x101381cec <+1468>: add    x8, x8, #0xa80            ; =0xa80 
    0x101381cf0 <+1472>: adrp   x9, 11869
    0x101381cf4 <+1476>: add    x9, x9, #0x200            ; =0x200 
    0x101381cf8 <+1480>: ldr    x9, [x9]
    0x101381cfc <+1484>: ldr    x8, [x8]
    0x101381d00 <+1488>: sub    sp, sp, #0x10             ; =0x10 
    0x101381d04 <+1492>: mov    x1, sp
    0x101381d08 <+1496>: sub    x27, x29, #0x58           ; =0x58 
    0x101381d0c <+1500>: ldur   x30, [x27, #-0x100]
    0x101381d10 <+1504>: str    x30, [x1]
    0x101381d14 <+1508>: adrp   x2, 8822
    0x101381d18 <+1512>: add    x2, x2, #0xa68            ; =0xa68 
    0x101381d1c <+1516>: sub    x27, x29, #0x5c           ; =0x5c 
    0x101381d20 <+1520>: stur   w0, [x27, #-0x100]
    0x101381d24 <+1524>: mov    x0, x9
    0x101381d28 <+1528>: mov    x1, x8
    0x101381d2c <+1532>: sub    x27, x29, #0x68           ; =0x68 
    0x101381d30 <+1536>: stur   x8, [x27, #-0x100]
    0x101381d34 <+1540>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381d38 <+1544>: add    sp, sp, #0x10             ; =0x10 
    0x101381d3c <+1548>: bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x101381d40 <+1552>: mov    x1, x0
    0x101381d44 <+1556>: mov    x2, x1
    0x101381d48 <+1560>: stp    x0, x30, [sp, #-0x10]!
    0x101381d4c <+1564>: ldr    w0, 0x101381d54           ; <+1572>
    0x101381d50 <+1568>: bl     0x101381764               ; <+52>
    0x101381d54 <+1572>: .long  0x00000005                ; unknown opcode
    0x101381d58 <+1576>: ldp    x0, x30, [sp], #0x10
    0x101381d5c <+1580>: sub    x30, x29, #0x28           ; =0x28 
    0x101381d60 <+1584>: stur   x8, [x30, #-0x100]
    0x101381d64 <+1588>: cbz    x11, 0x101381814          ; <+228>
    0x101381d68 <+1592>: adrp   x8, 11710
    0x101381d6c <+1596>: add    x8, x8, #0xa80            ; =0xa80 
    0x101381d70 <+1600>: adrp   x9, 11869
    0x101381d74 <+1604>: add    x9, x9, #0x200            ; =0x200 
    0x101381d78 <+1608>: ldr    x0, [x9]
    0x101381d7c <+1612>: ldr    x1, [x8]
    0x101381d80 <+1616>: sub    sp, sp, #0x10             ; =0x10 
    0x101381d84 <+1620>: mov    x8, sp
    0x101381d88 <+1624>: sub    x27, x29, #0x18           ; =0x18 
    0x101381d8c <+1628>: ldur   x9, [x27, #-0x100]
    0x101381d90 <+1632>: str    x9, [x8]
    0x101381d94 <+1636>: adrp   x2, 8822
    0x101381d98 <+1640>: add    x2, x2, #0xa68            ; =0xa68 
    0x101381d9c <+1644>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381da0 <+1648>: add    sp, sp, #0x10             ; =0x10 
    0x101381da4 <+1652>: bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x101381da8 <+1656>: sub    x27, x29, #0x20           ; =0x20 
    0x101381dac <+1660>: ldur   x8, [x27, #-0x100]
    0x101381db0 <+1664>: ldr    x9, [x8]
    0x101381db4 <+1668>: sub    x27, x29, #0x30           ; =0x30 
    0x101381db8 <+1672>: stur   x0, [x27, #-0x100]
    0x101381dbc <+1676>: mov    x0, x9
    0x101381dc0 <+1680>: bl     0x1033d1da8               ; symbol stub for: free
    0x101381dc4 <+1684>: sub    x30, x29, #0x30           ; =0x30 
    0x101381dc8 <+1688>: ldur   x0, [x30, #-0x100]
    0x101381dcc <+1692>: sub    x30, x29, #0x28           ; =0x28 
    0x101381dd0 <+1696>: stur   x0, [x30, #-0x100]
    0x101381dd4 <+1700>: stp    x0, x30, [sp, #-0x10]!
    0x101381dd8 <+1704>: ldr    w0, 0x101381de0           ; <+1712>
    0x101381ddc <+1708>: bl     0x101381764               ; <+52>
    0x101381de0 <+1712>: .long  0x00000001                ; unknown opcode
    0x101381de4 <+1716>: ldp    x0, x30, [sp], #0x10
    0x101381de8 <+1720>: stur   x0, [x29, #-0xf0]
    0x101381dec <+1724>: mov    x0, x1
    0x101381df0 <+1728>: bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381df4 <+1732>: adrp   x8, 11772
    0x101381df8 <+1736>: add    x8, x8, #0x1c0            ; =0x1c0 
    0x101381dfc <+1740>: ldur   x9, [x29, #-0xf0]
    0x101381e00 <+1744>: stur   x9, [x29, #-0x38]
    0x101381e04 <+1748>: ldr    x1, [x8]
    0x101381e08 <+1752>: ldur   x0, [x29, #-0x58]
    0x101381e0c <+1756>: ldur   x2, [x29, #-0xd0]
    0x101381e10 <+1760>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381e14 <+1764>: ldur   x1, [x29, #-0xd0]
    0x101381e18 <+1768>: stur   x0, [x29, #-0xf8]
    0x101381e1c <+1772>: mov    x0, x1
    0x101381e20 <+1776>: bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381e24 <+1780>: ldur   x0, [x29, #-0xf8]
    0x101381e28 <+1784>: bl     0x1033d2d08               ; symbol stub for: objc_retainAutoreleasedReturnValue
    0x101381e2c <+1788>: bl     0x1033d2cf0               ; symbol stub for: objc_retainAutorelease
    0x101381e30 <+1792>: stur   x0, [x29, #-0x100]
    0x101381e34 <+1796>: ldur   x1, [x29, #-0xd8]
    0x101381e38 <+1800>: bl     0x1033d2c90               ; symbol stub for: objc_msgSend
    0x101381e3c <+1804>: stur   x0, [x29, #-0x30]
    0x101381e40 <+1808>: ldur   w6, [x29, #-0x64]
    0x101381e44 <+1812>: stur   w6, [x29, #-0x28]
    0x101381e48 <+1816>: ldur   x0, [x29, #-0x100]
    0x101381e4c <+1820>: bl     0x1033d2ccc               ; symbol stub for: objc_release
    0x101381e50 <+1824>: mov    w0, #0x558e
    0x101381e54 <+1828>: sub    x2, x29, #0x1c            ; =0x1c 
    0x101381e58 <+1832>: ldur   x1, [x29, #-0xc0]
    0x101381e5c <+1836>: bl     0x10136bd8c               ; 52wxszKzLTZs
    0x101381e60 <+1840>: mov    x8, #0x0
    0x101381e64 <+1844>: sub    x30, x29, #0x8            ; =0x8 
    0x101381e68 <+1848>: stur   x0, [x30, #-0x100]
    0x101381e6c <+1852>: sub    x30, x29, #0x10           ; =0x10 
    0x101381e70 <+1856>: stur   x8, [x30, #-0x100]
    0x101381e74 <+1860>: cbz    x0, 0x101381844           ; <+276>
    0x101381e78 <+1864>: mov    x8, #0x0
    0x101381e7c <+1868>: sub    x30, x29, #0x8            ; =0x8 
    0x101381e80 <+1872>: ldur   x9, [x30, #-0x100]
    0x101381e84 <+1876>: sub    x30, x29, #0x8            ; =0x8 
    0x101381e88 <+1880>: ldur   x10, [x30, #-0x100]
    0x101381e8c <+1884>: ldr    x11, [x10]
    0x101381e90 <+1888>: sub    x30, x29, #0x18           ; =0x18 
    0x101381e94 <+1892>: stur   x11, [x30, #-0x100]
    0x101381e98 <+1896>: sub    x30, x29, #0x20           ; =0x20 
    0x101381e9c <+1900>: stur   x9, [x30, #-0x100]
    0x101381ea0 <+1904>: stp    x0, x30, [sp, #-0x10]!
    0x101381ea4 <+1908>: ldr    w0, 0x101381eac           ; <+1916>
    0x101381ea8 <+1912>: bl     0x101381764               ; <+52>
    0x101381eac <+1916>: .long  0x0000000d                ; unknown opcode
    0x101381eb0 <+1920>: ldp    x0, x30, [sp], #0x10
    0x101381eb4 <+1924>: bl     0x1033d1634               ; symbol stub for: __stack_chk_fail

另:0x101381740 执行完后,下一步是 0x101381758

0x10135a80c代码:

    0x10135a80c <+184>: stp    x0, x1, [sp, #-0x10]!
    0x10135a810 <+188>: add    w0, w0, #0x1              ; =0x1 
    0x10135a814 <+192>: ldr    w0, [x30, w0, uxtw #2]
    0x10135a818 <+196>: add    x30, x30, w0, uxtw
    0x10135a81c <+200>: ldp    x0, x1, [sp], #0x10
    0x10135a820 <+204>: ret 

0x10135a80c 执行完后,下一步便是 0x101381918

image
手动平衡下堆栈就可以F5了

这明明就是个大哥哥


好了我现在知道怎么自己在Hikari里手撸这种了。

Baby!

瞄了一眼才发现这玩意是X里的XXX。这个其实还好,平衡一下堆栈就能F5了;难的是后面一个类似于"vm"的东西。楼主要是只是逆着玩,可以讨论一下,不然就当我没说吧。


求指教[quote="Zhang, post:11, topic:13124, full:true"]
好了我现在知道怎么自己在Hikari里手撸这种了。

Baby!
[/quote]

666,求指教

按前辈的经验尝试过,但没能F5出来,不知道是不是我平衡堆栈的方法不对。