在 ARM 汇编里函数调用是使用 bl 指令跳转到函数地址,攻击者逆向分析很容易找到调用过程,分析参数和返回值。
可以将一些敏感的函数,比如将加密函数写成 inline 内联,无论代码里调用了多少次函数,编译器会将整个函数代码拷贝到需要调用的地方,而不会使用 bl 指令跳转,不能明显的看出函数参数传递和返回值,大大增加了分析的难度。
以下是一个简单的异或加密函数
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
char* xor_encrypt (char *inbuf, int len){ char *outbuf = malloc(len); for (int i=0; i <= len; i++) { outbuf[i] = inbuf[i] ^ 0x33; } return outbuf; } - (void)viewDidLoad { [super viewDidLoad]; // Do any additional setup after loading the view, typically from a nib. char *str1 = xor_encrypt("123", 3); char *str2 = xor_encrypt("456", 3); char *str3 = xor_encrypt("789", 3); } |
反汇编的效果如下:
xor_encrypt 函数的反汇编代码如下:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
inlineTest`xor_encrypt: 0x7b3f0 <+0>: push {r7, lr} 0x7b3f2 <+2>: mov r7, sp 0x7b3f4 <+4>: sub sp, #0x10 0x7b3f6 <+6>: str r0, [sp, #0xc] 0x7b3f8 <+8>: str r1, [sp, #0x8] -> 0x7b3fa <+10>: ldr r0, [sp, #0x8] 0x7b3fc <+12>: blx 0x7efd8 ; symbol stub for: malloc 0x7b400 <+16>: movs r1, #0x0 0x7b402 <+18>: str r0, [sp, #0x4] 0x7b404 <+20>: str r1, [sp] 0x7b406 <+22>: ldr r0, [sp] 0x7b408 <+24>: ldr r1, [sp, #0x8] 0x7b40a <+26>: cmp r0, r1 0x7b40c <+28>: bgt 0x7b42c ; <+60> at ViewController.m:324 0x7b40e <+30>: ldr r0, [sp] 0x7b410 <+32>: ldr r1, [sp, #0xc] 0x7b412 <+34>: add r0, r1 0x7b414 <+36>: ldrsb.w r0, [r0] 0x7b418 <+40>: eor r0, r0, #0x33 0x7b41c <+44>: ldr r1, [sp] 0x7b41e <+46>: ldr r2, [sp, #0x4] 0x7b420 <+48>: add r1, r2 0x7b422 <+50>: strb r0, [r1] 0x7b424 <+52>: ldr r0, [sp] 0x7b426 <+54>: adds r0, #0x1 0x7b428 <+56>: str r0, [sp] 0x7b42a <+58>: b 0x7b406 ; <+22> at ViewController.m:319 0x7b42c <+60>: ldr r0, [sp, #0x4] 0x7b42e <+62>: add sp, #0x10 0x7b430 <+64>: pop {r7, pc} |
将函数的声明修改成 static inline
|
1 |
static inline char* xor_encrypt(char *inbuf, int len) __attribute__ ((always_inline)); |
编译后的反汇编的效果如下:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
inlineTest`-[ViewController viewDidLoad]: 0xbd3a0 <+0>: push {r7, lr} 0xbd3a2 <+2>: mov r7, sp 0xbd3a4 <+4>: sub sp, #0x4c 0xbd3a6 <+6>: add r2, sp, #0xc 0xbd3a8 <+8>: movw r3, #0x3d40 0xbd3ac <+12>: movt r3, #0x0 0xbd3b0 <+16>: add r3, pc 0xbd3b2 <+18>: ldr r3, [r3] 0xbd3b4 <+20>: movw r9, #0x4510 0xbd3b8 <+24>: movt r9, #0x0 0xbd3bc <+28>: add r9, pc 0xbd3be <+30>: movw r12, #0x459e 0xbd3c2 <+34>: movt r12, #0x0 0xbd3c6 <+38>: add r12, pc 0xbd3c8 <+40>: str r0, [sp, #0x18] 0xbd3ca <+42>: str r1, [sp, #0x14] 0xbd3cc <+44>: ldr r0, [sp, #0x18] 0xbd3ce <+46>: str r0, [sp, #0xc] 0xbd3d0 <+48>: ldr.w r0, [r12] 0xbd3d4 <+52>: str r0, [sp, #0x10] 0xbd3d6 <+54>: ldr.w r1, [r9] 0xbd3da <+58>: mov r0, r2 0xbd3dc <+60>: blx r3 0xbd3de <+62>: movs r0, #0x3 0xbd3e0 <+64>: movw r1, #0x3747 0xbd3e4 <+68>: movt r1, #0x0 0xbd3e8 <+72>: add r1, pc -> 0xbd3ea <+74>: str r1, [sp, #0x28] 0xbd3ec <+76>: str r0, [sp, #0x24] 0xbd3ee <+78>: ldr r0, [sp, #0x24] 0xbd3f0 <+80>: blx 0xc0fd8 ; symbol stub for: malloc 0xbd3f4 <+84>: movs r1, #0x0 0xbd3f6 <+86>: str r0, [sp, #0x20] 0xbd3f8 <+88>: str r1, [sp, #0x1c] 0xbd3fa <+90>: ldr r0, [sp, #0x1c] 0xbd3fc <+92>: ldr r1, [sp, #0x24] 0xbd3fe <+94>: cmp r0, r1 0xbd400 <+96>: bgt 0xbd420 ; <+128> [inlined] xor_encrypt + 50 at ViewController.m:334 0xbd402 <+98>: ldr r0, [sp, #0x1c] 0xbd404 <+100>: ldr r1, [sp, #0x28] 0xbd406 <+102>: add r0, r1 0xbd408 <+104>: ldrsb.w r0, [r0] 0xbd40c <+108>: eor r0, r0, #0x33 0xbd410 <+112>: ldr r1, [sp, #0x1c] 0xbd412 <+114>: ldr r2, [sp, #0x20] 0xbd414 <+116>: add r1, r2 0xbd416 <+118>: strb r0, [r1] 0xbd418 <+120>: ldr r0, [sp, #0x1c] 0xbd41a <+122>: adds r0, #0x1 0xbd41c <+124>: str r0, [sp, #0x1c] 0xbd41e <+126>: b 0xbd3fa ; <+90> [inlined] xor_encrypt + 12 at ViewController.m:334 0xbd420 <+128>: movs r0, #0x3 0xbd422 <+130>: movw r1, #0x3709 0xbd426 <+134>: movt r1, #0x0 0xbd42a <+138>: add r1, pc 0xbd42c <+140>: ldr r2, [sp, #0x20] 0xbd42e <+142>: str r2, [sp, #0x8] 0xbd430 <+144>: str r1, [sp, #0x38] 0xbd432 <+146>: str r0, [sp, #0x34] 0xbd434 <+148>: ldr r0, [sp, #0x34] 0xbd436 <+150>: blx 0xc0fd8 ; symbol stub for: malloc 0xbd43a <+154>: movs r1, #0x0 0xbd43c <+156>: str r0, [sp, #0x30] 0xbd43e <+158>: str r1, [sp, #0x2c] 0xbd440 <+160>: ldr r0, [sp, #0x2c] 0xbd442 <+162>: ldr r1, [sp, #0x34] 0xbd444 <+164>: cmp r0, r1 0xbd446 <+166>: bgt 0xbd466 ; <+198> [inlined] xor_encrypt + 50 at ViewController.m:335 0xbd448 <+168>: ldr r0, [sp, #0x2c] 0xbd44a <+170>: ldr r1, [sp, #0x38] 0xbd44c <+172>: add r0, r1 0xbd44e <+174>: ldrsb.w r0, [r0] 0xbd452 <+178>: eor r0, r0, #0x33 0xbd456 <+182>: ldr r1, [sp, #0x2c] 0xbd458 <+184>: ldr r2, [sp, #0x30] 0xbd45a <+186>: add r1, r2 0xbd45c <+188>: strb r0, [r1] 0xbd45e <+190>: ldr r0, [sp, #0x2c] 0xbd460 <+192>: adds r0, #0x1 0xbd462 <+194>: str r0, [sp, #0x2c] 0xbd464 <+196>: b 0xbd440 ; <+160> [inlined] xor_encrypt + 12 at ViewController.m:335 0xbd466 <+198>: movs r0, #0x3 0xbd468 <+200>: movw r1, #0x36c7 0xbd46c <+204>: movt r1, #0x0 0xbd470 <+208>: add r1, pc 0xbd472 <+210>: ldr r2, [sp, #0x30] 0xbd474 <+212>: str r2, [sp, #0x4] 0xbd476 <+214>: str r1, [sp, #0x48] 0xbd478 <+216>: str r0, [sp, #0x44] 0xbd47a <+218>: ldr r0, [sp, #0x44] 0xbd47c <+220>: blx 0xc0fd8 ; symbol stub for: malloc 0xbd480 <+224>: movs r1, #0x0 0xbd482 <+226>: str r0, [sp, #0x40] 0xbd484 <+228>: str r1, [sp, #0x3c] 0xbd486 <+230>: ldr r0, [sp, #0x3c] 0xbd488 <+232>: ldr r1, [sp, #0x44] 0xbd48a <+234>: cmp r0, r1 0xbd48c <+236>: bgt 0xbd4ac ; <+268> [inlined] xor_encrypt + 50 at ViewController.m:336 0xbd48e <+238>: ldr r0, [sp, #0x3c] 0xbd490 <+240>: ldr r1, [sp, #0x48] 0xbd492 <+242>: add r0, r1 0xbd494 <+244>: ldrsb.w r0, [r0] 0xbd498 <+248>: eor r0, r0, #0x33 0xbd49c <+252>: ldr r1, [sp, #0x3c] 0xbd49e <+254>: ldr r2, [sp, #0x40] 0xbd4a0 <+256>: add r1, r2 0xbd4a2 <+258>: strb r0, [r1] 0xbd4a4 <+260>: ldr r0, [sp, #0x3c] 0xbd4a6 <+262>: adds r0, #0x1 0xbd4a8 <+264>: str r0, [sp, #0x3c] 0xbd4aa <+266>: b 0xbd486 ; <+230> [inlined] xor_encrypt + 12 at ViewController.m:336 0xbd4ac <+268>: ldr r0, [sp, #0x40] 0xbd4ae <+270>: str r0, [sp] 0xbd4b0 <+272>: add sp, #0x4c 0xbd4b2 <+274>: pop {r7, pc} |
可以看出 xor_encrypt 在 viewDidLoad 里调用了三次,所以 xor_encrypt 的代码拷贝了三份,增强了分析的难度。