An analysis of how Sina Weibo implements its shoot-and-upload feature

2011-09-24 12:29
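Tools:
siscontents - unpacks sisx files
sisToolz   - compresses/decompresses Symbian executables
WinHex  - binary editor
IDA.pro.5.5  - disassembler (with dynamic debugging)
 
Program: weibo_10232300.sisx
 
1. Unpack
Use siscontents to unpack weibo_10232300.sisx into a folder. Analysis shows that SinaImageScanEx_0x200294B7.exe is the program that captures the photo-taken event.
 
2. Decompress
Compiled Symbian programs are usually compressed, so they have to be decompressed first.
Use Symbian OS 9.x-ELF_Toolz_1.0.exe from sisToolz to decompress c_sys\bin\SinaImageScanEx_0x200294B7.exe
 
3. Disassemble
Drag SinaImageScanEx_0x200294B7.exe into IDA and just click OK.
 
4. Repackage
The dimsns.pkg file: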
 
 
; DimSNS.pkg
; This is an auto-generated PKG file by Carbide.
; This file uses variables specific to Carbide builds that will not work
; on command-line builds. If you want to use this generated PKG file from the
; command-line tools you will need to modify the variables with the appropriate
; values: $(EPOCROOT), $(PLATFORM), $(TARGET)
; Also, the resource file entries should be changed to match the language
; used in the build. For example, if building for LANGUAGE_01, change the file
; extensions .rsc to .r01.
;
;Language - standard language definitions
&EN
; standard SIS file header
#{"DimSNS"},(0xE7B6D39C),1,0,0
;Localised Vendor name
%{"Vendor-EN"}
;Unique Vendor name
:"Vendor"
;Supports Series 60 v 3.0
;The platform UID for S60 3rd Edition SDK for Symbian OS, Feature Pack 2 is 0x102752AE.
;0x102032BE for S60 3rd Edition SDK Feature Pack 1
;0x101F7961 for S60 3rd Edition SDK
;0x102032BF for S60 2nd Edition SDK Feature Pack 3
;0x10200BAB for S60 2nd Edition SDK Feature Pack 2
;0x101F9115 for S60 2nd Edition SDK Feature Pack 1 (v2.1)
;0x101F7960 for S60 2nd Edition SDK (v2.0)
[0x101F7961], 0, 0, 0, {"Series60ProductID"}

"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7_reg.RSC"-"!:\private\10003a3f\import\apps\SinaImageScanEx_0x200294B7_reg.RSC"
"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7.rsc"-"!:\resource\apps\SinaImageScanEx_0x200294B7.rsc"
;"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7.exe"-"!:\sys\bin\SinaImageScanEx_0x200294B7.exe",FR,RI
"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7.exe"-"!:\sys\bin\SinaImageScanEx_0x200294B7.exe"
 
 
***Invoking makesis.exe ....
F:\S60\devices\S60_3rd_FP2_SDK_v1.1\epoc32\tools\makesis.exe F:\S60\devices\S60_3rd_FP2_SDK_v1.1\epoc32\build\Symbian\Carbide\workspace\DimSNS\group\_resolvedDimSNS.pkg F:\Symbian\Carbide\workspace\DimSNS\sis\DimSNS.sis
***Invoking signsis.exe....
F:\S60\devices\S60_3rd_FP2_SDK_v1.1\epoc32\tools\signsis.exe -s F:\Symbian\Carbide\workspace\DimSNS\sis\DimSNS.sis F:\Symbian\Carbide\workspace\DimSNS\sis\DimSNS.sisx "F:\Developer.cer" "F:\Developer.key" 
 
Install the result on the phone for dynamic debugging.
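
An added example, not part of the original post: a small Python parser for the DimSNS.pkg listing above that reports the package header and where each file is installed, which is the first thing to check when reviewing a repackaged SIS. The sample text is constructed from the directive lines of that listing; the role labels and the `test_range_uid` flag are this example's own annotations.

```python
import re

# Constructed sample: the directive lines of the DimSNS.pkg listing above.
SAMPLE_PKG = r'''
&EN
#{"DimSNS"},(0xE7B6D39C),1,0,0
%{"Vendor-EN"}
:"Vendor"
[0x101F7961], 0, 0, 0, {"Series60ProductID"}
"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7_reg.RSC"-"!:\private\10003a3f\import\apps\SinaImageScanEx_0x200294B7_reg.RSC"
"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7.rsc"-"!:\resource\apps\SinaImageScanEx_0x200294B7.rsc"
;"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7.exe"-"!:\sys\bin\SinaImageScanEx_0x200294B7.exe",FR,RI
"F:\Symbian\Carbide\workspace\DimSNS\sis\weibo\SinaImageScanEx_0x200294B7.exe"-"!:\sys\bin\SinaImageScanEx_0x200294B7.exe"
'''

HEADER = re.compile(r'#\{"([^"]*)"\},\((0x[0-9A-Fa-f]+)\),(\d+),(\d+),(\d+)')
FILE = re.compile(r'"([^"]+)"\s*-\s*"([^"]+)"((?:\s*,\s*\w+)*)')
# Install-target prefixes (drive part removed) and their role on Symbian OS 9.
ROLES = [('\\sys\\bin\\', 'executable'),
         ('\\private\\10003a3f\\import\\apps\\', 'app registration'),
         ('\\resource\\', 'resource')]

def parse_pkg(text):
    """Return (header dict, install entries) for PKG source text."""
    header, files = None, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(';'):
            continue  # blank, comment, or commented-out install line
        m = HEADER.match(line)
        if m:
            uid = int(m.group(2), 16)
            header = {'name': m.group(1), 'uid': uid,
                      'version': tuple(int(v) for v in m.group(3, 4, 5)),
                      # 0xE0000000-0xEFFFFFFF is the development/test range
                      'test_range_uid': 0xE0000000 <= uid <= 0xEFFFFFFF}
            continue
        m = FILE.match(line)
        if m:
            src, dst, opts = m.groups()
            path = dst[2:].lower()  # drop the drive ("!:" = chosen at install)
            role = next((r for p, r in ROLES if path.startswith(p)), 'other')
            files.append({'source': src, 'target': dst, 'role': role,
                          'options': [o.strip() for o in opts.split(',') if o.strip()]})
    return header, files

if __name__ == '__main__':
    hdr, entries = parse_pkg(SAMPLE_PKG)
    print(hdr)
    for e in entries:
        print(f"{e['role']:17} {e['target']}")
```
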
 
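5. Dynamic debugging
Install TRK on the phone. In IDA's process options, set application=c:\sys\bin\SinaImageScanEx_0x200294B7.exe (the program's path on the phone) and Input file=the file that was disassembled. Connect the data cable and the program can be traced dynamically.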
 
--------------------------------------------------------------------------------------
 
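6. Reversing
Analysis shows that the Sina Weibo program uses RFs::NotifyChange to watch two folders, c:\data\images\ and e:\images\,
to implement shoot-and-upload. The operations performed when this function is initialized and activated are decompiled into C++ code below.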
 
sub_78F11768
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.text:78F11768
.text:78F11768 ; =============== S U B R O U T I N E =======================================
.text:78F11768
.text:78F11768
.text:78F11768 sub_78F11768                            ; CODE XREF: sub_78F11478+14p
.text:78F11768                                         ; sub_78F117AC+72p ...
.text:78F11768 PUSH    {R4,LR}
.text:78F1176A LDR     R3, [R0,#8]
.text:78F1176C MOVS    R4, R0
.text:78F1176E LSLS    R2, R3, #0x1F
.text:78F11770 BPL     loc_78F11774
.text:78F11772
.text:78F11772 locret_78F11772                         ; CODE XREF: sub_78F11768+20j
.text:78F11772 POP     {R4,PC}
.text:78F11774 ; ---------------------------------------------------------------------------
.text:78F11774
.text:78F11774 loc_78F11774                            ; CODE XREF: sub_78F11768+8j
.text:78F11774 MOVS    R3, R0
.text:78F11776 ADDS    R2, R0, #4
.text:78F11778 ADDS    R3, #0x28 ; '('
.text:78F1177A ADDS    R0, #0x20 ; ' '
.text:78F1177C MOVS    R1, #0x20 ; ' '
.text:78F1177E BLX     _ZN3RFs12NotifyChangeE11TNotifyTypeR14TRequestStatusRK7TDesC16 ; RFs::NotifyChange(TNotifyType, TRequestStatus &, TDesC16  const&)
.text:78F11782 MOVS    R0, R4
.text:78F11784 BLX     _ZN7CActive9SetActiveEv         ; CActive::SetActive(void)
.text:78F11788 B       locret_78F11772
.text:78F11788 ; End of function sub_78F11768
.text:78F11788
.text:78F11788 ; ------------------------------------------------------
 
===================================================================================
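// CActive-derived member: iFs is the RFs session, iStatus the CActive request status.
void StartMonitoring( TDesC16 const& path )
{
    // The listing returns early when bit 0 of [this+8] is set (read here as IsActive()).
    if ( IsActive() )
        return;
    // R1 = 0x20 in the listing is ENotifyWrite.
    iFs.NotifyChange(ENotifyWrite, iStatus, path);
    SetActive();
}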
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 