Wenhua Posted July 4, 2022 Share Posted July 4, 2022 Is there any way to filter this BL jump and find all the addresses that jump to 727a163cac Link to comment Share on other sites More sharing options...
Platonic Posted July 5, 2022 Share Posted July 5, 2022 22 hours ago, Wenhua said: Is there any way to filter this BL jump and find all the addresses that jump to 727a163cac You need to use a disassembler as Ghidra. If i recall Ghidra can show all addresses that hold instructions that branch to your desired address. You can't do it with GG because GG pointers are addresses that hold a variable, that variable holds a value which is an address in VM. Link to comment Share on other sites More sharing options...
darklinux Posted July 5, 2022 Share Posted July 5, 2022 If static analyzing is not your thing you can hook the target function and log all return addresses. Link to comment Share on other sites More sharing options...
MC874 Posted July 6, 2022 Share Posted July 6, 2022 On 7/4/2022 at 10:24 PM, Wenhua said: Is there any way to filter this BL jump and find all the addresses that jump to 727a163cac You can but it's hard to do in Android, especially there's no many available tools for this. 1) On Android, you can try to use Dissasemble on Playstore, personally i havent tried this one because i prefer to try it on PC 2) On Windows/PC; there's many option to do this. The first one is to use Cheat Engine, but this way: You need to Emulate your Game inside Android Emulator like LDPlayer, NOX, Mumu, or Bluestack. Run it inside Emulator and rescan your values in AoB form for the best option. After found the target, right click on the values and select "What Access to this address", it will re-attach CE into debug mode. Run the game, and you will found what address and how many times it's accessing your target. 3) Another way is yet direct, you need to use Ghidra or IDA Pro to Dissasemble your Game Library. It's more advanced and yet the best way to read in-game environment. Takes out the library from the game inside Lib Folder, open it in IDA and use Little Endian Arm. Scan the AoB, and then go into the main function. You will find target function, right click on it and choose XRef. For visualization, you can try to change the window from text into graph, for easy reading. Link to comment Share on other sites More sharing options...
CmP Posted July 8, 2022 Share Posted July 8, 2022 GG is not the right tool for that, but it can still be accomplished with GG by developing a script to do that. One of the simplest options for such script is to use disasm API function for disassembling instructions and then process function's output accordingly. An example of script that implements this approach is included below. Note that for the script to process, for example, 10-20+ MBs of instructions more than a minute may be needed. local jumpDestinationAddress = 0x7001234560 -- target address to find BL instructions that jump to it local startAddress = 0x7001000000 -- address starting from which to process instructions local endAddress = 0x7001FFFFFF -- address to which to process instructions (address of last byte of last instruction to process) local instructionsInBlock = 100000 -- amount of instructions in processed blocks, too high amounts will cause OutOfMemoryError local blockSize = instructionsInBlock * 4 -- block size in bytes local getValues = gg.getValues local dwordType = gg.TYPE_DWORD local function readDwordValues(startAddress, endAddress) local values = {} local index = 1 for address = startAddress, endAddress, 4 do values[index] = {address = address, flags = dwordType} index = index + 1 end return getValues(values) end local disasm = gg.disasm local asmType = gg.ASM_ARM64 local string_sub = string.sub local string_find = string.find local function processInstructions(instructions, targetAddress) local destinationAddressString = string.format("%X", targetAddress) local targetPattern = ";[^%x]*" .. destinationAddressString .. "[^%x]" -- pattern for comment to BL instructions that includes target address exactly local targetInstructions = {} local index = 1 for i = 1, #instructions do local instruction = instructions[i] local disassembled = disasm(asmType, instruction.address, instruction.value) -- Discarding all results that don't start with "BL" to avoid checking the pattern each time if string_sub(disassembled, 1, 2) == "BL" and string_find(disassembled, targetPattern) ~= nil then targetInstructions[index] = instruction index = index + 1 end end return targetInstructions end local function appendTable(destination, source) local index = #destination + 1 for i, v in ipairs(source) do destination[index] = v index = index + 1 end end local targetInstructions = {} for blockStartAddress = startAddress, endAddress, blockSize do local blockEndAddress = blockStartAddress + blockSize - 1 if blockEndAddress > endAddress then blockEndAddress = endAddress end local instructions = readDwordValues(blockStartAddress, blockEndAddress) local partialResults = processInstructions(instructions, jumpDestinationAddress) appendTable(targetInstructions, partialResults) end gg.loadResults(targetInstructions) BL_specified_destination_finder.lua Link to comment Share on other sites More sharing options...
Question
Wenhua
Is there any way to filter this BL jump and find all the addresses that jump to 727a163cac
Link to comment
Share on other sites
4 answers to this question
Recommended Posts
Archived
This topic is now archived and is closed to further replies.