Arguments of guarded_open_np

Kry*_*ton 8 sqlite assembly objective-c ida ios

I found that libsqlite3.dylib uses the function guarded_open_np to open database files. I looked at the sqlite3 open source and there is no such thing, so Apple must have modified it to use guarded_open_np instead of the Unix open.

I know that guarded_open_np is a private API, and I can't find a header or any documentation for it. I want to hook guarded_open_np (with Cydia's MSHookFunction), so I need to know what its parameters are, not just the function name.

I reverse-engineered libsqlite3.dylib with IDA Pro, and this is how it calls guarded_open_np:

sub_79c1c:
push {r7, lr}
mov r7, sp
sub sp, #0x4                                ; one word of outgoing stack space
mov r3, r1                                  ; caller's 2nd argument becomes the 4th (r3)
movw r1, #0xc57e
movt r1, #0x0                               ; r1 = 0x0000c57e, a PC-relative offset
str r2, [sp, #0x4 + var_0]                  ; var_0 = -4: caller's 3rd argument -> [sp], the 5th (stack) argument
add r1, pc                                  ; r1 = address of a constant inside the dylib (2nd argument)
movs r2, #0xf                               ; 3rd argument = 0xf
blx imp___picsymbolstub4__guarded_open_np   ; r0 untouched: guarded_open_np(r0, r1, r2, r3, [sp])
add sp, #0x4
pop {r7, pc}

However, it is still not clear what kind of parameters it takes. If there is some official site that mentions guarded_open_np and all of its parameters, I'd appreciate it.

小智 2

From the information here, I don't believe we can give a reliable answer, although CodaFi's suggestion is a good one.

That said, here are some references that may help give you the tools to find out for yourself:

First, you probably already know this, but get to know registers and the stack.

In assembly, to call a function you generally follow something called the Application Binary Interface (ABI), which simply sets conventions such as where a function expects its arguments (registers, the stack, etc.) and which registers a function call is allowed to change.

Since this is iOS, you should be looking at the Procedure Call Standard for ARM Architecture and the iOS ABI Function Call Guide.

Looking at the "Basic Procedure Call Standard" section in the first link above, you can tell that function calls expect their first four arguments to be in registers r0~r4, respectively.

So for your investigation, you probably want to find out what's in these registers right before branching into the guarded_open_np stub. Xcode can spit out the assembly of a file for you, and you should be able to set breakpoints on it; then use the register read command in lldb to show you all your register contents (note that some of the registers may just contain memory locations, which you will want to examine with the memory read lldb commands).

For digging a bit deeper into iOS assembly, I recommend Mike Ash's 3-part blog post "Disassembling the Assembly", parts 1, 2 and 3. Then you might like his more recent post on the ARM 64-bit updates. These are informal resources, but they do help you get to grips quickly with scanning assembly and knowing generally what is going on where.
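The answer suggests working out what is in the argument registers at the blx. The disassembly in the question already contains enough to do that on paper, and the script below (an added example, not code from the question or the answer) replays the listed Thumb instructions under the AAPCS rules: the first four arguments travel in r0, r1, r2 and r3, and a fifth argument is the first word at [sp] when the call is made. It assumes the wrapper's own caller passes (path, flags, mode) in r0/r1/r2, the three arguments an open()-style wrapper takes, and it assumes the usual Thumb-2 instruction sizes (16-bit except movw/movt) only to compute the PC-relative address. The parameter names it reports are those of the guarded_open_np prototype in XNU's bsd/sys/guarded.h (`int guarded_open_np(const char *path, const guardid_t *guard, u_int guardflags, int flags, ...)`), and the bit names used to decode the 0xf are the GUARD_* flags from the same header; the consistency between that prototype and the register shuffling in the listing is the check worth doing before writing a hook.

```python
"""Symbolically execute sqlite3's sub_79c1c to see what guarded_open_np receives.

Added example, not taken from the question or the answer. Assumptions:
the caller's r0/r1/r2 are labelled "path", "flags" and "mode"; the
instruction sizes are the usual Thumb-2 encodings and are used only for
the PC-relative address computation. Parameter and flag names come from
XNU's bsd/sys/guarded.h.
"""

FUNC_ADDR = 0x79C1C  # address of sub_79c1c in the IDA listing

# The wrapper body transcribed from the listing: (mnemonic, operands, size).
WRAPPER = [
    ("push", ("r7", "lr"), 2),
    ("mov",  ("r7", "sp"), 2),
    ("sub",  ("sp", 0x4), 2),
    ("mov",  ("r3", "r1"), 2),
    ("movw", ("r1", 0xC57E), 4),
    ("movt", ("r1", 0x0), 4),
    ("str",  ("r2", "sp", 0x0), 2),    # [sp, #0x4 + var_0] with var_0 == -4
    ("add",  ("r1", "pc"), 2),
    ("movs", ("r2", 0xF), 2),
    ("blx",  ("guarded_open_np",), 4),
]

# Guard-flag bits from XNU's bsd/sys/guarded.h, used to decode the 0xf in r2.
GUARD_FLAGS = {
    0x1: "GUARD_CLOSE",
    0x2: "GUARD_DUP",
    0x4: "GUARD_SOCKET_IPC",
    0x8: "GUARD_FILEPORT",
    0x10: "GUARD_WRITE",
}


def trace(caller_r0="path", caller_r1="flags", caller_r2="mode"):
    """Return (regs, stack) exactly as they stand when the blx is reached."""
    regs = {"r0": caller_r0, "r1": caller_r1, "r2": caller_r2,
            "r3": None, "r7": None, "lr": "caller_return", "sp": 0x1000}
    stack = {}  # word address -> value
    pc = FUNC_ADDR
    for mnem, ops, size in WRAPPER:
        if mnem == "push":
            for reg in reversed(ops):  # highest register lands at the highest address
                regs["sp"] -= 4
                stack[regs["sp"]] = regs[reg]
        elif mnem == "mov":
            regs[ops[0]] = regs[ops[1]]
        elif mnem == "sub":
            regs[ops[0]] -= ops[1]
        elif mnem == "movw":  # write the low half, zero the high half
            regs[ops[0]] = ops[1] & 0xFFFF
        elif mnem == "movt":  # replace the high half, keep the low half
            regs[ops[0]] = (regs[ops[0]] & 0xFFFF) | (ops[1] << 16)
        elif mnem == "str":
            stack[regs[ops[1]] + ops[2]] = regs[ops[0]]
        elif mnem == "add" and ops[1] == "pc":
            # In Thumb state, reading PC yields this instruction's address + 4.
            regs[ops[0]] = (regs[ops[0]] + pc + 4) & 0xFFFFFFFF
        elif mnem == "movs":
            regs[ops[0]] = ops[1]
        elif mnem == "blx":
            break  # the state at the call is what we want to inspect
        else:
            raise ValueError(f"unhandled instruction {mnem}")
        pc += size
    return regs, stack


def guarded_open_np_args(regs, stack):
    """Map the AAPCS argument slots onto guarded_open_np's parameters."""
    return {
        "path":       regs["r0"],
        "guard":      regs["r1"],         # const guardid_t *: points into the dylib
        "guardflags": regs["r2"],
        "flags":      regs["r3"],
        "mode":       stack[regs["sp"]],  # fifth argument: first word on the stack
    }


def decode_guardflags(value):
    """Names of the GUARD_* bits set in a guardflags value."""
    return [name for bit, name in GUARD_FLAGS.items() if value & bit]


if __name__ == "__main__":
    regs, stack = trace()
    args = guarded_open_np_args(regs, stack)
    for name, val in args.items():
        shown = f"{val:#x}" if isinstance(val, int) else val
        print(f"{name:>10} = {shown}")
    print("guardflags =", " | ".join(decode_guardflags(args["guardflags"])))
```

Running it shows the caller's path staying in r0, the caller's flags moving to r3, the caller's mode going to the stack slot, r1 pointing at a fixed location in the dylib (0x861b0 under the assumed instruction sizes, where the guard id lives), and r2 holding GUARD_CLOSE | GUARD_DUP | GUARD_SOCKET_IPC | GUARD_FILEPORT. A hook installed with MSHookFunction therefore needs a replacement with five parameters, and the guard pointer must be passed through unchanged, since the kernel later checks it on close() and dup().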