Patch so file

In the previous section, we used the analysis to locate the function of sub_130c () which is very likely to do anti-debug detection, and the author opened a new thread, and used a while to continuously execute sub_130c () this function, So it is unrealistic to say that every time we manually modify Tracerpid.

So why don't we give the sub_130c () This function to NOP? In order to prevent NOP error, we first select all the code in the "F5" interface, and then use the "Copy to assembly" function, you can put the C language code into the assembly code.

Here we see that if we want to comment out the sub_130c () function, we just need to comment out the code in this position 000016b8, if we want to comment out the dword_62b0 (3) function, We need to comment out the code in the three locations of the 000016BC-000016C4. Next we select the 000016b8 line and then click Hexview. Hexview will help us to locate the 000016B8 position automatically.

Because ARM does not have a separate NOP instruction. So we use Movs R0,r0 as NOP. The corresponding machine code is "xx A0 E1". So we changed the content of "FF FF EB" to "xx A0 E1".

We'll go back to the "F5" interface and we'll see that the sub_130c () function is gone.

Finally we click "Edit->plugins->modifyfile", then we can save the new so file. We overwrite the so file in the original apk and then re-sign it.

This time we run the program and then use IDA to load it, and the app doesn't flash back, which means we've made a patch. So we first place the breakpoint at "Java_com_yaotong_crackme_mainactivity_securitycheck". Then enter a password in the app and click the "Enter Password" button on the app.

The program pauses at "Java_com_yaotong_crackme_mainactivity_securitycheck". We can see the C language of disassembly by pressing "P" and then "F5". The unk_4005228c here is a pointer to a pointer that holds the password string.

Because it is a pointer pointer, we will first double-click into this address.

Then, at this address, press three "D" to convert the data format from the character to the pointer form.

Then we can double-click into this address to see the last flag. The answer is "aiyou,bucuoo."

In this problem we just use a very simple patch so technique, in the actual combat we can not only NOP, we can also change the conditional judgment statement, such as "BNE" into "BEQ". We can even modify the jump address, such as directly to the program B to an address to execute, so that there is no need for a single NOP a lot of statements. Note that the jump instruction in arm is calculated based on the relative address, so you have to calculate the relative jump value based on the current instruction address and the destination address.

For example, 00001bcc:beq loc_1c28 corresponding assembly code for "0A".

0x0a represents beq, "15 00 00" Represents the relative address of the jump, because the value of the PC in arm is the address of the next two (next) instruction of the current instruction, so we need to add the 0x15 to 2. You can then calculate the last address to jump to: (0x15 + 0x2) + 0X1BCC = 0x1c28. The results of Ida disassembly also verify that the result is beq loc_1c28.

Next we want to modify the assembly code to 00001bcc:bne loc_1c2c. Just change "0A" to "1 a" and "15" into "16".

0x0a represents beq, "15 00 00" Represents the relative address of the jump, because the value of the PC in arm is the address of the next two (next) instruction of the current instruction, so we need to add the 0x15 to 2. You can then calculate the last address to jump to: (0x15 + 0x2) + 0X1BCC = 0x1c28. The results of Ida disassembly also verify that the result is beq loc_1c28.

Next we want to modify the assembly code to 00001bcc:bne loc_1c2c. Just change "0A" to "1 a" and "15" into "16".

Patch so file