在分析一个具有 jumpout 特征的函数，原本是基于这篇帖子对脚本做了一些修改：
但在 trace 过程中，每当执行到 br x27 这样的寄存器间接跳转指令时就挂了，原因是寄存器 x27 中存储的地址值打印出来根本就是错误的，完全不在当前程序的内存地址范围内，相当奇怪，有懂的大佬指点一下！！
目标函数的反汇编代码如下（其中有多处 br 指令）：
; Obfuscated AArch64 function (debugger dump, one instruction per line; "XXX" is the
; dump's module/function placeholder). Frame = 0xc0 bytes; x19-x28 and fp/lr are saved.
; Control flow is hidden behind three "jumpout" dispatchers: each one computes a target
; register as (adr PC+4) + f(literal word read from the following udf, immediates, and a
; state word stored on the stack just before), then `br`s to it. The bytes between each
; `br` and its real target are filler that never executes. Targets computed statically:
;   br x27 @0x1046ea004 -> 0x1046ea01c
;   br x7  @0x1046ea14c -> 0x1046ea164
;   br x15 @0x1046ea3a8 -> 0x1046ea3c0
; NOTE(review): a tracer that prints an out-of-range x27 at 0x1046ea004 has presumably
; not modelled the `ldrsw Xn, <literal>` read of the udf word, or the state word written
; to [sp+0x20] just before it -- verify both in the tracing script.
XXX[0x1046e9f8c]: sub sp, sp, #0xc0 ; =0xc0 ; allocate frame
XXX[0x1046e9f90]: stp x28, x27, [sp, #0x60] ; save callee-saved x19-x28
XXX[0x1046e9f94]: stp x26, x25, [sp, #0x70]
XXX[0x1046e9f98]: stp x24, x23, [sp, #0x80]
XXX[0x1046e9f9c]: stp x22, x21, [sp, #0x90]
XXX[0x1046e9fa0]: stp x20, x19, [sp, #0xa0]
XXX[0x1046e9fa4]: stp x29, x30, [sp, #0xb0] ; save fp/lr
XXX[0x1046e9fa8]: add x29, sp, #0xb0 ; =0xb0 ; fp -> saved fp/lr; [x29+0x10] is the caller's sp (stack args)
XXX[0x1046e9fac]: mov x19, x7 ; keep register args x7,x6,x5,x4,x3,x0 in callee-saved regs
XXX[0x1046e9fb0]: mov x21, x6
XXX[0x1046e9fb4]: mov x23, x5
XXX[0x1046e9fb8]: mov x22, x4
XXX[0x1046e9fbc]: mov x24, x3
XXX[0x1046e9fc0]: mov x20, x0
XXX[0x1046e9fc4]: ldr x28, [x29, #0x10] ; x28 = 9th argument (first stack-passed); used as an out-pointer (str x0,[x28] @0x1046ea328), null-checked @0x1046ea474
; ---- jumpout dispatcher #1 ----
XXX[0x1046e9fc8]: mov w8, #0xb5
XXX[0x1046e9fcc]: str w8, [sp, #0x20] ; state word = 0xb5
XXX[0x1046e9fd0]: add x8, sp, #0x24 ; =0x24 ; x8 = &next-state slot
XXX[0x1046e9fd4]: add x9, sp, #0x20 ; =0x20 ; x9 = &state word
XXX[0x1046e9fd8]: adr x27, #0x4 ; x27 = 0x1046e9fdc (PC+4)
XXX[0x1046e9fdc]: ldrsw x1, 0x1046ea008 ; x1 = word at 0x1046ea008 = encoding of `udf #0xed` = 0xed
XXX[0x1046e9fe0]: mov x15, #0x55
XXX[0x1046e9fe4]: eor x1, x1, x15 ; 0xed ^ 0x55 = 0xb8
XXX[0x1046e9fe8]: mov x25, #0x4d
XXX[0x1046e9fec]: eor x1, x1, x25 ; 0xb8 ^ 0x4d = 0xf5
XXX[0x1046e9ff0]: ldrsw x3, [x9] ; x3 = state word = 0xb5
XXX[0x1046e9ff4]: eor x1, x1, x3 ; 0xf5 ^ 0xb5 = 0x40
XXX[0x1046e9ff8]: add x27, x27, x1 ; x27 = 0x1046e9fdc + 0x40 = 0x1046ea01c
XXX[0x1046e9ffc]: mov w13, #0x66
XXX[0x1046ea000]: str w13, [x8] ; [sp+0x24] = 0x66 (read back @0x1046ea044)
XXX[0x1046ea004]: br x27 ; -> 0x1046ea01c
XXX[0x1046ea008]: udf #0xed ; literal for the dispatcher above; never executed
XXX[0x1046ea00c]: .long 0xf5c3e516 ; unknown opcode ; filler, skipped by br
XXX[0x1046ea010]: .long 0xe49b0825 ; unknown opcode
XXX[0x1046ea014]: .long 0xcea5a7b5 ; unknown opcode
XXX[0x1046ea018]: ldrb w12, [x10, #0xee9] ; filler, skipped by br
XXX[0x1046ea01c]: mov x0, x2 ; <- real target of br x27
XXX[0x1046ea020]: bl 0x105c5f070 ; calls into a stub island at 0x105c5fxxx; callees not in listing
XXX[0x1046ea024]: mov x25, x0
XXX[0x1046ea028]: mov x0, x24
XXX[0x1046ea02c]: bl 0x105c5f070
XXX[0x1046ea030]: mov x26, x0
XXX[0x1046ea034]: mov x0, x22
XXX[0x1046ea038]: bl 0x105c5f070
XXX[0x1046ea03c]: mov x24, x0
XXX[0x1046ea040]: str wzr, [sp, #0x58] ; [sp+0x58] = 0 (read @0x1046ea1e4 / @0x1046ea300)
XXX[0x1046ea044]: ldr w8, [sp, #0x24] ; = 0x66, written @0x1046ea000
XXX[0x1046ea048]: cmp w8, #0xcb ; =0xcb
XXX[0x1046ea04c]: b.hi 0x1046ea184 ; 0x66 > 0xcb is false -> not taken (looks like an opaque predicate)
XXX[0x1046ea050]: mov x0, x23
XXX[0x1046ea054]: bl 0x105c5f070
XXX[0x1046ea058]: mov x23, x0
XXX[0x1046ea05c]: mov x0, x26
XXX[0x1046ea060]: bl 0x105c5f07c
XXX[0x1046ea064]: mov x26, x0
XXX[0x1046ea068]: adrp x8, 10211 ; x22 = global at page 10211 + 0xd80 (contents not in listing)
XXX[0x1046ea06c]: ldr x22, [x8, #0xd80]
XXX[0x1046ea070]: mov x1, x22
XXX[0x1046ea074]: bl 0x105c5f028
XXX[0x1046ea078]: mov x27, x0
XXX[0x1046ea07c]: mov x0, x26
XXX[0x1046ea080]: bl 0x105c5f058
XXX[0x1046ea084]: str x27, [sp, #0x28] ; results collected at sp+0x28..sp+0x50 (passed as x1 @0x1046ea170)
XXX[0x1046ea088]: mov x0, x25
XXX[0x1046ea08c]: bl 0x105c5f07c
XXX[0x1046ea090]: mov x25, x0
XXX[0x1046ea094]: mov x1, x22
XXX[0x1046ea098]: bl 0x105c5f028
XXX[0x1046ea09c]: mov x26, x0
XXX[0x1046ea0a0]: mov x0, x25
XXX[0x1046ea0a4]: bl 0x105c5f058
XXX[0x1046ea0a8]: str x26, [sp, #0x30]
XXX[0x1046ea0ac]: str w21, [sp, #0x38] ; original x6
XXX[0x1046ea0b0]: mov x0, x24
XXX[0x1046ea0b4]: bl 0x105c5f07c
XXX[0x1046ea0b8]: mov x21, x0
XXX[0x1046ea0bc]: mov x1, x22
XXX[0x1046ea0c0]: bl 0x105c5f028
XXX[0x1046ea0c4]: mov x24, x0
XXX[0x1046ea0c8]: mov x0, x21
XXX[0x1046ea0cc]: bl 0x105c5f058
XXX[0x1046ea0d0]: str x24, [sp, #0x40]
XXX[0x1046ea0d4]: adrp x8, 10385
XXX[0x1046ea0d8]: ldr x1, [x8, #0x2f0]
XXX[0x1046ea0dc]: mov x0, x20 ; original x0
XXX[0x1046ea0e0]: mov x2, x23
XXX[0x1046ea0e4]: bl 0x105c5f028
XXX[0x1046ea0e8]: bl 0x105c5f094
XXX[0x1046ea0ec]: mov x20, x0
XXX[0x1046ea0f0]: mov x0, x23
XXX[0x1046ea0f4]: bl 0x105c5f058
XXX[0x1046ea0f8]: mov x0, x20
XXX[0x1046ea0fc]: bl 0x105c5f07c
XXX[0x1046ea100]: mov x20, x0
XXX[0x1046ea104]: mov x1, x22
XXX[0x1046ea108]: bl 0x105c5f028
XXX[0x1046ea10c]: str x0, [sp, #0x48]
XXX[0x1046ea110]: str w19, [sp, #0x50] ; original x7
XXX[0x1046ea114]: mov x0, x20
XXX[0x1046ea118]: bl 0x105c5f058
; ---- jumpout dispatcher #2 ----
XXX[0x1046ea11c]: mov w8, #0x53
XXX[0x1046ea120]: stur w8, [x29, #-0x54] ; state word = 0x53 (at sp+0x5c)
XXX[0x1046ea124]: sub x8, x29, #0x54 ; =0x54 ; x8 = &state word
XXX[0x1046ea128]: adr x7, #0x4 ; x7 = 0x1046ea12c (PC+4)
XXX[0x1046ea12c]: ldrsw x23, 0x1046ea150 ; x23 = encoding of `udf #0x2` = 2
XXX[0x1046ea130]: add x23, x23, #0xb9 ; =0xb9 ; 0xbb
XXX[0x1046ea134]: add x23, x23, #0x20 ; =0x20 ; 0xdb
XXX[0x1046ea138]: sub x23, x23, #0xf6 ; =0xf6 ; -0x1b
XXX[0x1046ea13c]: ldrsw x5, [x8] ; x5 = state word = 0x53
XXX[0x1046ea140]: add x23, x23, x5 ; -0x1b + 0x53 = 0x38
XXX[0x1046ea144]: add x7, x7, x23 ; x7 = 0x1046ea12c + 0x38 = 0x1046ea164
XXX[0x1046ea148]: mov x8, #0x4 ; dead: x8 is rewritten at the target
XXX[0x1046ea14c]: br x7 ; -> 0x1046ea164
XXX[0x1046ea150]: udf #0x2 ; literal for the dispatcher above; never executed
XXX[0x1046ea154]: .long 0x32676ab5 ; unknown opcode ; filler, skipped by br
XXX[0x1046ea158]: b 0xfe3b4074 ; filler, never reached
XXX[0x1046ea15c]: .long 0x7188dbe6 ; unknown opcode
XXX[0x1046ea160]: stp s13, s26, [x15], #0x40 ; filler, never reached
XXX[0x1046ea164]: adrp x8, 11287 ; <- real target of br x7; x8 = function pointer from page 11287 + 0x790
XXX[0x1046ea168]: ldr x8, [x8, #0x790]
XXX[0x1046ea16c]: mov w0, #0x558e
XXX[0x1046ea170]: add x1, sp, #0x28 ; =0x28 ; x1 = &collected results (sp+0x28)
XXX[0x1046ea174]: add x2, sp, #0x58 ; =0x58 ; x2 = &[sp+0x58] out-value
XXX[0x1046ea178]: blr x8 ; indirect call through the loaded pointer
XXX[0x1046ea17c]: mov x22, x0
XXX[0x1046ea180]: cbz x22, 0x1046ea27c ; null result -> x19 = 0, skip to 0x1046ea1cc
XXX[0x1046ea184]: ldr x8, [x22]
XXX[0x1046ea188]: cbz x8, 0x1046ea1c0
XXX[0x1046ea18c]: adrp x9, 10428
XXX[0x1046ea190]: ldr x0, [x9, #0x978]
XXX[0x1046ea194]: adrp x9, 10212
XXX[0x1046ea198]: ldr x1, [x9, #0xc0]
XXX[0x1046ea19c]: str x8, [sp] ; stack-passed argument
XXX[0x1046ea1a0]: adrp x2, 6291
XXX[0x1046ea1a4]: add x2, x2, #0x768 ; =0x768
XXX[0x1046ea1a8]: bl 0x105c5f028
XXX[0x1046ea1ac]: bl 0x105c5f094
XXX[0x1046ea1b0]: mov x19, x0
XXX[0x1046ea1b4]: ldr x0, [x22]
XXX[0x1046ea1b8]: bl 0x105c5df84
XXX[0x1046ea1bc]: b 0x1046ea1c4
XXX[0x1046ea1c0]: mov x19, #0x0
XXX[0x1046ea1c4]: mov x0, x22
XXX[0x1046ea1c8]: bl 0x105c5df84
XXX[0x1046ea1cc]: adrp x8, 10211
XXX[0x1046ea1d0]: ldr x21, [x8, #0xde8]
XXX[0x1046ea1d4]: mov x0, x19
XXX[0x1046ea1d8]: mov x1, x21
XXX[0x1046ea1dc]: bl 0x105c5f028
XXX[0x1046ea1e0]: cbnz x0, 0x1046ea338 ; non-zero -> return x19
XXX[0x1046ea1e4]: ldr w26, [sp, #0x58] ; value written by the blr callee above (x2 pointed here)
XXX[0x1046ea1e8]: cbz w26, 0x1046ea338 ; zero -> return x19
XXX[0x1046ea1ec]: adrp x27, 10428 ; x27 now reused as a page base (reloaded from [x27,#0x978] below)
XXX[0x1046ea1f0]: ldr x22, [x27, #0x978]
XXX[0x1046ea1f4]: adrp x8, 10212
XXX[0x1046ea1f8]: ldr x20, [x8, #0xc0]
XXX[0x1046ea1fc]: adrp x23, 11287
XXX[0x1046ea200]: add x23, x23, #0xe77 ; =0xe77
XXX[0x1046ea204]: ldrb w8, [x23, #0x9d] ; one-time-init guard byte; set to 1 @0x1046ea238
XXX[0x1046ea208]: tbnz w8, #0x0, 0x1046ea23c ; already initialised -> skip the bl 0x1046f15cc below
XXX[0x1046ea20c]: adrp x0, 11287
XXX[0x1046ea210]: add x0, x0, #0xd6e ; =0xd6e
XXX[0x1046ea214]: adrp x2, 12731
XXX[0x1046ea218]: add x2, x2, #0x804 ; =0x804
XXX[0x1046ea21c]: adrp x3, 12731
XXX[0x1046ea220]: add x3, x3, #0x7ff ; =0x7ff
XXX[0x1046ea224]: orr w1, wzr, #0xe
XXX[0x1046ea228]: orr w4, wzr, #0x4
XXX[0x1046ea22c]: mov w5, #0xaf
XXX[0x1046ea230]: bl 0x1046f15cc
XXX[0x1046ea234]: orr w8, wzr, #0x1
XXX[0x1046ea238]: strb w8, [x23, #0x9d] ; mark initialised
XXX[0x1046ea23c]: str x19, [sp, #0x18] ; spill x19 (reloaded @0x1046ea334)
XXX[0x1046ea240]: adrp x8, 11287
XXX[0x1046ea244]: add x8, x8, #0xd6e ; =0xd6e
XXX[0x1046ea248]: str x8, [sp] ; stack-passed argument
XXX[0x1046ea24c]: adrp x2, 6291
XXX[0x1046ea250]: add x2, x2, #0x768 ; =0x768
XXX[0x1046ea254]: mov x0, x22
XXX[0x1046ea258]: mov x1, x20
XXX[0x1046ea25c]: bl 0x105c5f028
XXX[0x1046ea260]: bl 0x105c5f094
XXX[0x1046ea264]: mov x22, x0
XXX[0x1046ea268]: cbz x22, 0x1046ea284 ; null -> state w24 = 0x7c
XXX[0x1046ea26c]: mov w8, #0x0
XXX[0x1046ea270]: mov w24, #0x88 ; state w24 = 0x88 (compared @0x1046ea41c)
XXX[0x1046ea274]: tbnz w8, #0x0, 0x1046ea35c ; w8 == 0 -> never taken (opaque predicate)
XXX[0x1046ea278]: b 0x1046ea41c
XXX[0x1046ea27c]: mov x19, #0x0
XXX[0x1046ea280]: b 0x1046ea1cc
XXX[0x1046ea284]: orr w24, wzr, #0x7c
XXX[0x1046ea288]: b 0x1046ea41c
XXX[0x1046ea28c]: adrp x8, 10428 ; reached from cbnz x28 @0x1046ea474 (out-pointer path)
XXX[0x1046ea290]: ldr x21, [x8, #0xd80]
XXX[0x1046ea294]: ldr x22, [x27, #0x978]
XXX[0x1046ea298]: adrp x23, 11287
XXX[0x1046ea29c]: add x23, x23, #0xe77 ; =0xe77
XXX[0x1046ea2a0]: ldrb w8, [x23, #0x9e] ; second one-time-init guard byte; set to 1 @0x1046ea2d4
XXX[0x1046ea2a4]: tbnz w8, #0x0, 0x1046ea2d8
XXX[0x1046ea2a8]: adrp x0, 11287
XXX[0x1046ea2ac]: add x0, x0, #0xd7c ; =0xd7c
XXX[0x1046ea2b0]: adrp x2, 12731
XXX[0x1046ea2b4]: add x2, x2, #0x820 ; =0x820
XXX[0x1046ea2b8]: adrp x3, 12096
XXX[0x1046ea2bc]: add x3, x3, #0xa10 ; =0xa10
XXX[0x1046ea2c0]: orr w19, wzr, #0x1
XXX[0x1046ea2c4]: orr w1, wzr, #0x30
XXX[0x1046ea2c8]: orr w5, wzr, #0x1
XXX[0x1046ea2cc]: mov w4, #0x0
XXX[0x1046ea2d0]: bl 0x1046f1548
XXX[0x1046ea2d4]: strb w19, [x23, #0x9e] ; mark initialised
XXX[0x1046ea2d8]: adrp x8, 11287
XXX[0x1046ea2dc]: add x8, x8, #0xd7c ; =0xd7c
XXX[0x1046ea2e0]: str x8, [sp] ; stack-passed argument
XXX[0x1046ea2e4]: adrp x2, 6291
XXX[0x1046ea2e8]: add x2, x2, #0x768 ; =0x768
XXX[0x1046ea2ec]: mov x0, x22
XXX[0x1046ea2f0]: mov x1, x20
XXX[0x1046ea2f4]: bl 0x105c5f028
XXX[0x1046ea2f8]: bl 0x105c5f094
XXX[0x1046ea2fc]: mov x20, x0
XXX[0x1046ea300]: ldrsw x8, [sp, #0x58]
XXX[0x1046ea304]: add x3, x8, #0x578 ; =0x578 ; x3 = [sp+0x58] + 0x578
XXX[0x1046ea308]: adrp x8, 10213
XXX[0x1046ea30c]: ldr x1, [x8, #0xf90]
XXX[0x1046ea310]: mov x0, x21
XXX[0x1046ea314]: mov x2, x20
XXX[0x1046ea318]: mov x4, #0x0
XXX[0x1046ea31c]: bl 0x105c5f028
XXX[0x1046ea320]: bl 0x105c5f094
XXX[0x1046ea324]: bl 0x105c5eefc
XXX[0x1046ea328]: str x0, [x28] ; write result through the 9th-argument out-pointer
XXX[0x1046ea32c]: mov x0, x20
XXX[0x1046ea330]: bl 0x105c5f058
XXX[0x1046ea334]: ldr x19, [sp, #0x18] ; reload spilled x19 (also the target of b @0x1046ea3c0)
; ---- epilogue: return value = x19 ----
XXX[0x1046ea338]: mov x0, x19
XXX[0x1046ea33c]: ldp x29, x30, [sp, #0xb0]
XXX[0x1046ea340]: ldp x20, x19, [sp, #0xa0]
XXX[0x1046ea344]: ldp x22, x21, [sp, #0x90]
XXX[0x1046ea348]: ldp x24, x23, [sp, #0x80]
XXX[0x1046ea34c]: ldp x26, x25, [sp, #0x70]
XXX[0x1046ea350]: ldp x28, x27, [sp, #0x60]
XXX[0x1046ea354]: add sp, sp, #0xc0 ; =0xc0
XXX[0x1046ea358]: b 0x105c5ef20 ; tail-call after frame teardown (x0 passed through); destination not in listing
; ---- flattened state machine: w19 / w24 / w25 hold state values compared below ----
XXX[0x1046ea35c]: cmp w25, #0x82 ; =0x82
XXX[0x1046ea360]: b.ne 0x1046ea374 ; w25 != 0x82 -> dispatcher #3
XXX[0x1046ea364]: cmp w19, #0x86 ; =0x86
XXX[0x1046ea368]: b.ne 0x1046ea3c8
XXX[0x1046ea36c]: mov x24, x23
XXX[0x1046ea370]: b 0x1046ea3f8
; ---- jumpout dispatcher #3 ----
XXX[0x1046ea374]: mov w8, #0x7d
XXX[0x1046ea378]: str w8, [sp, #0x20] ; state word = 0x7d
XXX[0x1046ea37c]: add x8, sp, #0x24 ; =0x24 ; x8 = &next-state slot
XXX[0x1046ea380]: add x9, sp, #0x20 ; =0x20 ; x9 = &state word
XXX[0x1046ea384]: adr x15, #0x4 ; x15 = 0x1046ea388 (PC+4)
XXX[0x1046ea388]: ldrsw x5, 0x1046ea3ac ; x5 = encoding of `udf #0x9b` = 0x9b
XXX[0x1046ea38c]: mvn x5, x5 ; ~0x9b = -0x9c
XXX[0x1046ea390]: add x5, x5, #0xe1 ; =0xe1 ; 0x45
XXX[0x1046ea394]: ldrsw x13, [x9] ; x13 = state word = 0x7d
XXX[0x1046ea398]: eor x5, x5, x13 ; 0x45 ^ 0x7d = 0x38
XXX[0x1046ea39c]: add x15, x15, x5 ; x15 = 0x1046ea388 + 0x38 = 0x1046ea3c0
XXX[0x1046ea3a0]: mov w4, #0x77
XXX[0x1046ea3a4]: str w4, [x8] ; [sp+0x24] = 0x77
XXX[0x1046ea3a8]: br x15 ; -> 0x1046ea3c0
XXX[0x1046ea3ac]: udf #0x9b ; literal for the dispatcher above; never executed
XXX[0x1046ea3b0]: .long 0xb1b5d51c ; unknown opcode ; filler, skipped by br
XXX[0x1046ea3b4]: .long 0x75e9f1a9 ; unknown opcode
XXX[0x1046ea3b8]: .long 0x415dced2 ; unknown opcode
XXX[0x1046ea3bc]: .long 0xdcb45e74 ; unknown opcode
XXX[0x1046ea3c0]: b 0x1046ea334 ; <- real target of br x15; goes to reload x19 and return
XXX[0x1046ea3c4]: mov w19, #0x62 ; state w19 = 0x62 (from cbnz @0x1046ea458)
XXX[0x1046ea3c8]: ldr x0, [x27, #0x978]
XXX[0x1046ea3cc]: adrp x8, 6286
XXX[0x1046ea3d0]: add x8, x8, #0x468 ; =0x468
XXX[0x1046ea3d4]: stp x23, x8, [sp] ; two stack-passed arguments
XXX[0x1046ea3d8]: adrp x2, 6338
XXX[0x1046ea3dc]: add x2, x2, #0x2c8 ; =0x2c8
XXX[0x1046ea3e0]: mov x1, x20
XXX[0x1046ea3e4]: bl 0x105c5f028
XXX[0x1046ea3e8]: bl 0x105c5f094
XXX[0x1046ea3ec]: mov x24, x0
XXX[0x1046ea3f0]: mov x0, x23
XXX[0x1046ea3f4]: bl 0x105c5f058
XXX[0x1046ea3f8]: str x24, [sp] ; stack-passed argument
XXX[0x1046ea3fc]: adrp x0, 6286
XXX[0x1046ea400]: add x0, x0, #0x3c8 ; =0x3c8
XXX[0x1046ea404]: bl 0x100149308 ; callee in the main image, not in listing
XXX[0x1046ea408]: mov x0, x24
XXX[0x1046ea40c]: bl 0x105c5f058
XXX[0x1046ea410]: mov w8, #0x0
XXX[0x1046ea414]: orr w24, wzr, #0x7c ; state w24 = 0x7c
XXX[0x1046ea418]: tbnz w8, #0x0, 0x1046ea35c ; w8 == 0 -> never taken (opaque predicate)
XXX[0x1046ea41c]: cmp w24, #0x88 ; =0x88
XXX[0x1046ea420]: b.ne 0x1046ea46c ; w24 != 0x88 -> release x22 and check out-pointer
XXX[0x1046ea424]: sxtw x8, w26
XXX[0x1046ea428]: add x8, x8, #0x578 ; =0x578 ; x8 = [sp+0x58] + 0x578 (same formula as @0x1046ea304)
XXX[0x1046ea42c]: ldr x0, [x27, #0x978]
XXX[0x1046ea430]: str x8, [sp] ; stack-passed argument
XXX[0x1046ea434]: mov x1, x20
XXX[0x1046ea438]: mov x2, x22
XXX[0x1046ea43c]: bl 0x105c5f028
XXX[0x1046ea440]: bl 0x105c5f094
XXX[0x1046ea444]: mov x23, x0
XXX[0x1046ea448]: adrp x0, 6286
XXX[0x1046ea44c]: add x0, x0, #0x468 ; =0x468
XXX[0x1046ea450]: mov x1, x21
XXX[0x1046ea454]: bl 0x105c5f028
XXX[0x1046ea458]: cbnz x0, 0x1046ea3c4 ; non-zero -> state w19 = 0x62 path
XXX[0x1046ea45c]: mov w19, #0x86 ; states: w19 = 0x86, w24 = 0x88, w25 = 0x82
XXX[0x1046ea460]: mov w24, #0x88
XXX[0x1046ea464]: mov w25, #0x82
XXX[0x1046ea468]: b 0x1046ea47c
XXX[0x1046ea46c]: mov x0, x22
XXX[0x1046ea470]: bl 0x105c5f058
XXX[0x1046ea474]: cbnz x28, 0x1046ea28c ; out-pointer present -> fill it via 0x1046ea28c
XXX[0x1046ea478]: orr w25, wzr, #0x7 ; state w25 = 0x7
XXX[0x1046ea47c]: orr w8, wzr, #0x1
XXX[0x1046ea480]: tbnz w8, #0x0, 0x1046ea35c ; w8 == 1 -> always taken (opaque predicate)
XXX[0x1046ea484]: b 0x1046ea41c ; unreachable