One: Analyze the "getText" function
1. First open any function; here the getText function serves as the example, as shown in the figure below.
2. Double-click to open the function and start analyzing the assembly instructions. The position marked by the arrow is the start of the function's instructions, as shown in the figure below.
.text:00001148 STMFD SP!,{R3-R5,LR}
Push operation: stores R3-R5 and LR onto the stack (STMFD with SP! is the ARM "push" idiom, saving the callee-saved registers and the return address).
.text:0000114C MOV R5, R1
Copy R1 into R5. Under the ARM calling convention R0 and R1 carry the first two arguments, so R1 is the second parameter (the Java object) being preserved in a callee-saved register.
.text:00001150 LDR R3, [R0]
Load the word at the address held in R0 into R3. R0 is the first parameter (the JNIEnv pointer), so R3 now holds the pointer to the JNI function table.
.text:00001154 MOV R4, R0
Copy R0 into R4, saving the env pointer for the later calls.
.text:00001164 BLX R3
Branch with link and exchange to the address in R3: an indirect call through the function pointer loaded above, with the return address placed in LR.
.text:0000117C ADD R3, PC, R3
R3 = PC + R3, a PC-relative address computation; position-independent code locates its strings and data this way.
Knowing the flow of these operations, what logic do they implement? Continue the analysis with this question in mind.
Two: Comparative analysis of the correspondence between source code, pseudo code, and assembly instructions
1. The following figure shows the logic of the source code, which reads the value of a field.
2. Find the getText function in the disassembly window and press F5 to switch from the assembly instructions to pseudo-code. Looking at the pseudo-code in IDA, it turns out that the default parameter types must be changed before the code becomes readable, as shown in the figure below.
3. Select the parameter of the getText function and right-click (or press N) to rename it. The first parameter is the env seen earlier, so rename it env; then right-click (or press Y) to change its type to JNIEnv*. With that, IDA recognises the JNI calls, and the effect is shown in the figure below.
Analyze the logic here:
The first jump is: FindClass
The second jump is: GetFieldID
The third jump is: GetObjectField
The fourth jump is: GetStringUTFChars
The fifth returns a string: NewStringUTF
Then modify the remaining parameters in the same way, as shown in the figure below.
4. After the parameters have been modified, right-click and choose the copy-to-assembly option to copy the pseudo-code into the disassembly window, where it appears next to the assembly instructions of the getText function, as shown in the figure below.
This is the final result. Reading the pseudo-code next to the instructions shows what each group of instructions does, as shown in the figure below.
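The call sequence recovered above (FindClass, GetFieldID, GetObjectField, GetStringUTFChars, NewStringUTF) written out as C, as an added example that is not the tutorial's or the original app's code: it uses a hand-written stand-in for JNIEnv instead of jni.h so it builds anywhere, and the class name "com/example/MainActivity" and field name "text" are assumptions, since the page does not show them. The point it makes visible is why every JNI call in the disassembly is a load through R0 followed by BLX.

```c
#include <string.h>

/* Hypothetical stand-in for JNIEnv. Like the real JNINativeInterface it is a
 * table of function pointers and "env" is a pointer to a pointer to that
 * table; the real table has hundreds of slots, only the five calls named in
 * the tutorial are modelled here. */
typedef struct Obj { const char *text; } Obj;          /* toy Java object   */
typedef struct NativeTable NativeTable;
typedef const NativeTable *Env;                         /* JNIEnv look-alike */

struct NativeTable {
    void *(*FindClass)(Env *env, const char *name);
    long (*GetFieldID)(Env *env, void *cls, const char *name, const char *sig);
    void *(*GetObjectField)(Env *env, Obj *obj, long fid);
    const char *(*GetStringUTFChars)(Env *env, void *jstr, int *isCopy);
    void *(*NewStringUTF)(Env *env, const char *utf);
};

/* The logic recovered from the disassembly. Each call dereferences env to
 * reach the table and then calls through a slot, which is exactly the
 * LDR R3,[R0] ... BLX R3 pattern seen in the instructions.
 * Class and field names are assumptions, not taken from the page. */
void *getText(Env *env, Obj *thiz) {
    void *cls = (*env)->FindClass(env, "com/example/MainActivity");
    long fid = (*env)->GetFieldID(env, cls, "text", "Ljava/lang/String;");
    void *jstr = (*env)->GetObjectField(env, thiz, fid);
    const char *s = (*env)->GetStringUTFChars(env, jstr, NULL);
    return (*env)->NewStringUTF(env, s);
}

/* Constructed minimal table entries so the function runs off-line. */
static char g_last[64];
static void *m_FindClass(Env *e, const char *n) { (void)e; (void)n; return (void *)1; }
static long m_GetFieldID(Env *e, void *c, const char *n, const char *s) {
    (void)e; (void)c; (void)n; (void)s; return 7;
}
static void *m_GetObjectField(Env *e, Obj *o, long f) { (void)e; (void)f; return (void *)o->text; }
static const char *m_GetStringUTFChars(Env *e, void *js, int *c) { (void)e; (void)c; return (const char *)js; }
static void *m_NewStringUTF(Env *e, const char *u) {
    (void)e; strncpy(g_last, u, sizeof g_last - 1); g_last[sizeof g_last - 1] = '\0'; return g_last;
}
static const NativeTable g_table = { m_FindClass, m_GetFieldID, m_GetObjectField,
                                     m_GetStringUTFChars, m_NewStringUTF };

/* Drive getText with a toy object whose "text" field holds field_value. */
const char *run_getText(const char *field_value) {
    Env env = &g_table;
    Obj obj = { field_value };
    return (const char *)getText(&env, &obj);
}
```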
Summary
This post has mainly walked through the static analysis process:
1. Analyze the function and examine the ARM assembly instructions.
2. Compare the correspondence between source code, pseudo code, and assembly instructions.
3. Follow the jumps and sort out the logic.
4. Summarize the logic and reconstruct the process.