{"id":13843710,"url":"https://github.com/amimo/ollvm-breaker","last_synced_at":"2025-04-06T09:08:04.201Z","repository":{"id":176057266,"uuid":"226291453","full_name":"amimo/ollvm-breaker","owner":"amimo","description":"使用Binary Ninja去除ollvm流程平坦混淆","archived":false,"fork":false,"pushed_at":"2020-02-17T11:53:20.000Z","size":951,"stargazers_count":421,"open_issues_count":1,"forks_count":89,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-03-30T07:11:55.003Z","etag":null,"topics":["binary-ninja","deobfuscation","ollvm"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/amimo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-06T09:22:51.000Z","updated_at":"2025-03-16T12:40:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"e841a34e-30ba-4e17-ba69-291b7e43f826","html_url":"https://github.com/amimo/ollvm-breaker","commit_stats":null,"previous_names":["amimo/ollvm-breaker"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amimo%2Follvm-breaker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amimo%2Follvm-breaker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amimo%2Follvm-breaker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amimo%2Follvm-breaker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/amimo","download_url":"https://codeload.github.com/amimo/ollvm-breaker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247457801,"owners_count":20941906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-ninja","deobfuscation","ollvm"],"created_at":"2024-08-04T17:02:25.017Z","updated_at":"2025-04-06T09:08:04.177Z","avatar_url":"https://github.com/amimo.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# ollvm-breaker\n使用Binary Ninja去除ollvm流程平坦混淆\n\n## 使用\n使用IDA打开tests目录下的libvdog.so,运行tests下的fix-libvdog.py反混淆,重新分析程序.\n当前修复了vdog五个函数,JNI_OnLoad,crazy::GetPackageName,prevent_attach_one,attach_thread_scn,crazy::CheckDex.\n\n## 效果\n混淆代码\n```c\njint JNI_OnLoad(JavaVM *vm, void *reserved)\n{\n  jint v2; // w9\n  int v3; // w8\n  int v4; // w9\n  int i; // w8\n  int v6; // w9\n  const char *v7; // x0\n  int v8; // w8\n  bool v9; // zf\n  const char *v10; // x0\n  int v11; // w8\n  crazy *v12; // x0\n  _JNIEnv *v13; // x1\n  crazy *v14; // x8\n  int j; // w9\n  unsigned int v16; // w0\n  int k; // w8\n  crazy *v18; // x0\n  int l; // w8\n  __int64 v21; // [xsp-FA0h] [xbp-1210h]\n  __int64 v22; // [xsp-7D0h] [xbp-A40h]\n  __int64 v23; // [xsp-30h] [xbp-2A0h]\n  __int64 v24; // [xsp-20h] [xbp-290h]\n  char *v25; // [xsp+8h] [xbp-268h]\n  void *v26; // [xsp+10h] [xbp-260h]\n  jint v27; // [xsp+18h] [xbp-258h]\n  jint v28; // [xsp+1Ch] [xbp-254h]\n  JavaVM *v29; // [xsp+20h] [xbp-250h]\n  char *v30; // [xsp+28h] [xbp-248h]\n  char *v31; // [xsp+30h] [xbp-240h]\n  crazy::String *v32; // [xsp+38h] [xbp-238h]\n  __int64 (__fastcall **v33)(JavaVM *, void *); // [xsp+40h] [xbp-230h]\n  const char *v34; // [xsp+48h] [xbp-228h]\n  int v35; // [xsp+54h] [xbp-21Ch]\n  int v36; // [xsp+58h] [xbp-218h]\n  int v37; // [xsp+5Ch] [xbp-214h]\n  JavaVM *v38; // [xsp+60h] [xbp-210h]\n  char *v39; // [xsp+68h] [xbp-208h]\n  const char *v40; // [xsp+70h] [xbp-200h]\n  int v41; // [xsp+7Ch] [xbp-1F4h]\n  char *v42; // [xsp+80h] [xbp-1F0h]\n  FILE *v43; // [xsp+88h] [xbp-1E8h]\n  int v44; // [xsp+94h] [xbp-1DCh]\n  crazy *v45; // [xsp+98h] [xbp-1D8h]\n  JavaVM *v46; // [xsp+A0h] [xbp-1D0h]\n  int v47; // [xsp+A8h] [xbp-1C8h]\n  int v48; // [xsp+ACh] [xbp-1C4h]\n  crazy *v49; // [xsp+B0h] [xbp-1C0h]\n  JavaVM *v50; // [xsp+B8h] [xbp-1B8h]\n  crazy *v51; // [xsp+C0h] [xbp-1B0h]\n  crazy *v52; // [xsp+C8h] [xbp-1A8h]\n  jint (**v53)(JavaVM *, void **, jint); // [xsp+D0h] [xbp-1A0h]\n  crazy::String **v54; // [xsp+E8h] [xbp-188h]\n  const char *v55; // [xsp+F0h] [xbp-180h]\n  char *v56; // [xsp+F8h] [xbp-178h]\n  int v57; // [xsp+104h] [xbp-16Ch]\n  const char *v58; // [xsp+108h] [xbp-168h]\n  JavaVM *v59; // [xsp+110h] [xbp-160h]\n  crazy::String *v60; // [xsp+118h] [xbp-158h]\n  __int64 v61; // [xsp+218h] [xbp-58h]\n\n  v26 = reserved;\n  v29 = vm;\n  v61 = *(_QWORD *)off_DFF90;\n  v3 = 1718907589;\n  v27 = v2;\nLABEL_2:\n  v28 = v2;\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      while ( 1 )\n      {\n        while ( 1 )\n        {\n          while ( 1 )\n          {\n            v4 = v3;\n            if ( v3 \u003e -1796611739 )\n              break;\n            v3 = -1591680163;\n          }\n          if ( v3 \u003e 2122517887 )\n            crazy::AbortProcess((crazy *)vm);\n          if ( v3 \u003c= 2071858715 )\n            break;\n          vm = (JavaVM *)strstr(v40, \"sg.bigo.enterprise.live:service\");\n          v50 = vm;\n          v3 = -1796611738;\n        }\n        if ( v3 \u003e 2038211856 )\n          crazy::AbortProcess((crazy *)vm);\n        if ( v3 \u003c= 1985452749 )\n          break;\n        v52 = 0LL;\n        for ( i = -641593896; ; i = 1602492537 )\n        {\n          do\n          {\n            while ( 1 )\n            {\n              while ( 1 )\n              {\n                v6 = i;\n                if ( i \u003e -959375403 )\n                  break;\n                v53 = \u0026(*v59)-\u003eGetEnv;\n                i = 1919464359;\n              }\n              i = -959375402;\n              if ( v6 \u003e -641593897 )\n                break;\n              if ( v6 != -959375402 )\n              {\n                while ( 1 )\n                  ;\n              }\n              v59 = v29;\n              i = -1329367337;\n            }\n          }\n          while ( v6 == -641593896 );\n          if ( v6 != 1919464359 )\n            break;\n          v60 = (crazy::String *)*v53;\n        }\n        vm = (JavaVM *)((__int64 (__fastcall *)(JavaVM *, crazy **, __int64))v60)(v29, \u0026v52, 65540LL);\n        if ( (_DWORD)vm )\n          v3 = 152851513;\n        else\n          v3 = -225316631;\n      }\n      if ( v3 \u003c= 1919761782 )\n        break;\n      v3 = -1591680163;\n    }\n    if ( v3 \u003e 1873022920 )\n      return v28;\n    if ( v3 \u003e 1838028940 )\n    {\n      if ( v35 )\n        v3 = 2122517888;\n      else\n        v3 = 484421971;\n    }\n    else if ( v3 \u003e 1734873926 )\n    {\n      vm = (JavaVM *)j_aop_init();\n      v3 = -930274867;\n    }\n    else if ( v3 \u003e 1718907588 )\n    {\n      v30 = (char *)\u0026v22;\n      v31 = (char *)\u0026v21;\n      v3 = -7854534;\n    }\n    else if ( v3 \u003e 1609266205 )\n    {\n      vm = (JavaVM *)sub_F688();\n      v48 = (int)vm;\n      v3 = -319607287;\n    }\n    else if ( v3 \u003e 1465118877 )\n    {\n      v27 = -1;\n      v3 = -1719305536;\n    }\n    else if ( v3 \u003e 1433580932 )\n    {\n      if ( v43 )\n        v3 = 300194280;\n      else\n        v3 = 1919761783;\n    }\n    else if ( v3 \u003e 1297281499 )\n    {\n      *off_DFF18 = 23;\n      v3 = -455933748;\n    }\n    else if ( v3 \u003e 1182817588 )\n    {\n      if ( v41 == 15 )\n        v3 = 1734873927;\n      else\n        v3 = -930274867;\n    }\n    else if ( v3 \u003e -1782315967 )\n    {\n      if ( v3 \u003e 1038839700 )\n      {\n        vm = (JavaVM *)strcmp(v34, (const char *)v38);\n        v35 = (int)vm;\n        v3 = 1838028941;\n      }\n      else if ( v3 \u003e 1027871973 )\n      {\n        vm = (JavaVM *)sub_76F60(v51);\n        if ( (unsigned __int8)vm \u0026 1 )\n          v3 = -1618151004;\n        else\n          v3 = -990688990;\n      }\n      else if ( v3 \u003e 939162912 )\n      {\n        vm = (JavaVM *)crazy::GetPackageName((crazy *)vm);\n        v3 = -1039152186;\n      }\n      else if ( v3 \u003e 775964469 )\n      {\n        *off_DFEE8 = 1;\n        v3 = -376454767;\n      }\n      else if ( v3 \u003e 742678025 )\n      {\n        if ( v37 )\n          v3 = -625239653;\n        else\n          v3 = -1665109333;\n      }\n      else if ( v3 \u003e 585706880 )\n      {\n        vm = (JavaVM *)crazy::checkdex_1(v49, (_JNIEnv *)reserved);\n        if ( (unsigned __int8)vm \u0026 1 )\n          v3 = -208592878;\n        else\n          v3 = 2038211857;\n      }\n      else if ( v3 \u003e 542546871 )\n      {\n        v3 = 1985452750;\n      }\n      else if ( v3 \u003e 492398670 )\n      {\n        v7 = (const char *)crazy::GetPlatformVersion(v45, (_JNIEnv *)reserved);\n        vm = (JavaVM *)strchr(v7, 77);\n        if ( vm )\n          v3 = 1297281500;\n        else\n          v3 = -455933748;\n      }\n      else if ( v3 \u003e 484421970 )\n      {\n        crazy::String::~String(v32);\n        v3 = -1237920250;\n      }\n      else if ( v3 \u003e 411468606 )\n      {\n        vm = (JavaVM *)crazy::checkSignature_1(v52, (_JNIEnv *)reserved);\n        if ( (unsigned __int8)vm \u0026 1 )\n          v3 = -847794275;\n        else\n          v3 = -648924866;\n      }\n      else if ( v3 \u003e 300194279 )\n      {\n        v39 = v31;\n        vm = (JavaVM *)memset(v31, 0, 0x7D0u);\n        v3 = -1781762611;\n      }\n      else if ( v3 \u003e 152851512 )\n      {\n        v8 = 152851513;\nLABEL_122:\n        v9 = v4 == v8;\n        v3 = v4;\n        if ( v9 )\n        {\n          v28 = -1;\n          v3 = 1873022921;\n        }\n      }\n      else if ( v3 \u003e 117134184 )\n      {\n        vm = (JavaVM *)anti_debug_start();\n        v3 = -1974907953;\n      }\n      else if ( v3 \u003e 105840861 )\n      {\n        v3 = 939162913;\n      }\n      else if ( v3 \u003e 79862069 )\n      {\n        vm = (JavaVM *)sub_2E998();\n        v38 = vm;\n        if ( *(_BYTE *)vm )\n          v3 = 105840862;\n        else\n          v3 = -1237920250;\n      }\n      else if ( v3 \u003e -7854535 )\n      {\n        v32 = (crazy::String *)\u0026v24;\n        v33 = (__int64 (__fastcall **)(JavaVM *, void *))\u0026v23;\n        v3 = -1413870337;\n      }\n      else if ( v3 \u003e -139557228 )\n      {\n        v10 = (const char *)sub_2E728();\n        vm = (JavaVM *)strlen(v10);\n        v46 = vm;\n        v3 = -554839129;\n      }\n      else if ( v3 \u003e -208592879 )\n      {\n        vm = (JavaVM *)sub_E7EC(*off_DFE98[0], \"JNI_OnLoad\", v33);\n        v37 = (int)vm;\n        v3 = 742678026;\n      }\n      else if ( v3 \u003e -225316632 )\n      {\n        v11 = 1488047907;\n        while ( v11 \u003e -588102432 )\n        {\n          if ( v11 \u003e 939763251 )\n          {\n            if ( v11 == 939763252 )\n            {\n              v59 = *(JavaVM **)v58;\n              v11 = 1689158789;\n            }\n            else if ( v11 == 1689158789 )\n            {\n              v53 = (jint (**)(JavaVM *, void **, jint))(v59 + 219);\n              v11 = -588102431;\n            }\n            else\n            {\n              v58 = (const char *)v52;\n              v11 = 939763252;\n            }\n          }\n          else\n          {\n            v60 = (crazy::String *)*v53;\n            v11 = -1117867482;\n          }\n        }\n        ((void (__fastcall *)(crazy *, __int64))v60)(v52, off_DFF58);\n        v12 = v52;\n        *off_DFFF8 = (__int64)v52;\n        vm = (JavaVM *)crazy::GetApiLevel(v12, v13);\n        v14 = v52;\n        *off_DFF18 = (_DWORD)vm;\n        v45 = v14;\n        v3 = 492398671;\n      }\n      else if ( v3 \u003e -319607288 )\n      {\n        if ( v48 )\n          v3 = -1781655590;\n        else\n          v3 = 1465118878;\n      }\n      else if ( v3 \u003e -376454768 )\n      {\n        vm = (JavaVM *)sub_2E738();\n        v47 = (int)vm;\n        v3 = -647280407;\n      }\n      else if ( v3 \u003e -455933749 )\n      {\n        v36 = *off_DFF18;\n        v3 = -711396653;\n      }\n      else if ( v3 \u003e -554839130 )\n      {\n        if ( v46 )\n          v3 = -1679856594;\n        else\n          v3 = -853626539;\n      }\n      else if ( v3 \u003e -625239654 )\n      {\n        vm = (JavaVM *)(*v33)(v29, v26);\n        v3 = -1782315966;\n      }\n      else if ( v3 \u003e -647280408 )\n      {\n        if ( v47 == 2 )\n          v3 = -1525365595;\n        else\n          v3 = -1618151004;\n      }\n      else\n      {\n        if ( v3 \u003e -648924867 )\n          crazy::AbortProcess((crazy *)vm);\n        if ( v3 \u003e -711396654 )\n        {\n          if ( v36 \u003c= 23 )\n            v3 = -376454767;\n          else\n            v3 = 775964470;\n        }\n        else if ( v3 \u003e -847794276 )\n        {\n          v3 = 79862070;\n        }\n        else if ( v3 \u003e -853626540 )\n        {\n          v3 = -1719305536;\n          v27 = 65540;\n        }\n        else if ( v3 \u003e -930274868 )\n        {\n          vm = (JavaVM *)anti_section_hook();\n          v3 = 411468607;\n        }\n        else\n        {\n          if ( v3 \u003e -990688991 )\n          {\n            v8 = -990688990;\n            goto LABEL_122;\n          }\n          if ( v3 \u003e -1039152187 )\n          {\n            for ( j = -1458226292; j == -1458226292; j = -1943834868 )\n              v60 = v32;\n            v34 = *(const char **)v60;\n            v3 = 1038839701;\n          }\n          else if ( v3 \u003e -1155919955 )\n          {\n            if ( v44 == 1 )\n              v3 = 1609266206;\n            else\n              v3 = -1781655590;\n          }\n          else if ( v3 \u003e -1237920251 )\n          {\n            vm = (JavaVM *)sub_2E738();\n            v44 = (int)vm;\n            v3 = -1155919954;\n          }\n          else if ( v3 \u003e -1413870338 )\n          {\n            v3 = 542546872;\n          }\n          else if ( v3 \u003e -1525365596 )\n          {\n            v51 = v52;\n            v3 = 1027871974;\n          }\n          else if ( v3 \u003e -1591680164 )\n          {\n            v41 = *off_DFF18;\n            v3 = 1182817589;\n          }\n          else if ( v3 \u003e -1618151005 )\n          {\n            v42 = v30;\n            memset(v30, 0, 0x7D0u);\n            v25 = v30;\n            v16 = getpid();\n            sprintf(v25, \"/proc/%d/cmdline\", v16);\n            vm = (JavaVM *)fopen(v25, \"r\");\n            v43 = (FILE *)vm;\n            v3 = 1433580933;\n          }\n          else if ( v3 \u003e -1665109334 )\n          {\n            v3 = -139557227;\n          }\n          else if ( v3 \u003e -1679856595 )\n          {\n            for ( k = -1119912898; ; k = -1679727783 )\n            {\n              while ( 1 )\n              {\n                while ( 1 )\n                {\n                  while ( 1 )\n                  {\n                    while ( 1 )\n                    {\n                      while ( k \u003e 504275913 )\n                      {\n                        sprintf(v56, \"/data/data/%s/.hide/%s\", v55, v58);\n                        vm = (JavaVM *)remove(v56);\n                        v57 = (int)vm;\n                        k = 308794308;\n                      }\n                      if ( k \u003c= 308794307 )\n                        break;\n                      if ( v57 )\n                        k = -158042328;\n                      else\n                        k = -1095053525;\n                    }\n                    if ( k \u003c= -158042329 )\n                      break;\n                    v9 = k == -158042328;\n                    k = -1095053525;\n                    if ( !v9 )\n                    {\n                      while ( 1 )\n                        ;\n                    }\n                  }\n                  if ( k \u003e -1499369114 )\n                    break;\n                  v18 = (crazy *)memset(v54, 0, 0x100u);\n                  crazy::GetPackageName(v18);\n                  for ( l = -1458226292; l == -1458226292; l = -1943834868 )\n                    v59 = (JavaVM *)\u0026v53;\n                  v55 = (const char *)*v59;\n                  crazy::String::~String((crazy::String *)\u0026v53);\n                  k = -1499369113;\n                }\n                if ( k != -1499369113 )\n                  break;\n                v56 = (char *)\u0026v60;\n                vm = (JavaVM *)sub_2E728();\n                v58 = (const char *)vm;\n                k = 504275914;\n              }\n              if ( k != -1119912898 )\n                break;\n              v54 = \u0026v60;\n            }\n            v3 = -853626539;\n          }\n          else\n          {\n            if ( v3 \u003e -1719305537 )\n            {\n              v3 = 1873022921;\n              v2 = v27;\n              goto LABEL_2;\n            }\n            v3 = -139557227;\n            if ( v4 != -1782315966 )\n            {\n              if ( v4 == -1781762611 )\n              {\n                v40 = v31;\n                fscanf(v43, \"%s\", v31);\n                fclose(v43);\n                vm = (JavaVM *)strchr(v40, 58);\n                if ( vm )\n                  v3 = 2071858716;\n                else\n                  v3 = 117134185;\n              }\n              else\n              {\n                v49 = v52;\n                v3 = 585706881;\n              }\n            }\n          }\n        }\n      }\n    }\n    else if ( v50 )\n    {\n      v3 = 117134185;\n    }\n    else\n    {\n      v3 = -1974907953;\n    }\n  }\n}\n```\n反混淆后的代码\n```c\njint JNI_OnLoad(JavaVM *vm, void *reserved)\n{\n  int v2; // w9\n  _JNIEnv *v3; // x1\n  _BOOL4 v5; // w8\n  crazy *v6; // x0\n  int v7; // w8\n  crazy *v8; // x0\n  _JNIEnv *v9; // x1\n  const char *v10; // x0\n  _JNIEnv *v12; // x1\n  crazy *v13; // x0\n  crazy *v14; // x0\n  const char *v15; // x0\n  crazy *v16; // x0\n  _JNIEnv *v17; // x1\n  int v18; // w0\n  crazy *v19; // x8\n  unsigned int v20; // w0\n  crazy *v21; // x0\n  __int64 v23; // [xsp-FD0h] [xbp-1240h]\n  __int64 v24; // [xsp-FC0h] [xbp-1230h]\n  __int64 v25; // [xsp-FA0h] [xbp-1210h]\n  __int64 v26; // [xsp-7D0h] [xbp-A40h]\n  char *v27; // [xsp+8h] [xbp-268h]\n  void *v28; // [xsp+10h] [xbp-260h]\n  int v29; // [xsp+18h] [xbp-258h]\n  int v30; // [xsp+1Ch] [xbp-254h]\n  JavaVM *v31; // [xsp+20h] [xbp-250h]\n  char *v32; // [xsp+28h] [xbp-248h]\n  char *v33; // [xsp+30h] [xbp-240h]\n  crazy::String *v34; // [xsp+38h] [xbp-238h]\n  void (__fastcall **v35)(JavaVM *, void *); // [xsp+40h] [xbp-230h]\n  const char *v36; // [xsp+48h] [xbp-228h]\n  int v37; // [xsp+54h] [xbp-21Ch]\n  int v38; // [xsp+58h] [xbp-218h]\n  int v39; // [xsp+5Ch] [xbp-214h]\n  const char *v40; // [xsp+60h] [xbp-210h]\n  char *v41; // [xsp+68h] [xbp-208h]\n  const char *v42; // [xsp+70h] [xbp-200h]\n  int v43; // [xsp+7Ch] [xbp-1F4h]\n  char *v44; // [xsp+80h] [xbp-1F0h]\n  FILE *v45; // [xsp+88h] [xbp-1E8h]\n  int v46; // [xsp+94h] [xbp-1DCh]\n  crazy *v47; // [xsp+98h] [xbp-1D8h]\n  __int64 v48; // [xsp+A0h] [xbp-1D0h]\n  int v49; // [xsp+A8h] [xbp-1C8h]\n  int v50; // [xsp+ACh] [xbp-1C4h]\n  crazy *v51; // [xsp+B0h] [xbp-1C0h]\n  char *v52; // [xsp+B8h] [xbp-1B8h]\n  crazy *v53; // [xsp+C0h] [xbp-1B0h]\n  crazy *v54; // [xsp+C8h] [xbp-1A8h]\n  jint (**v55)(JavaVM *, void **, jint); // [xsp+D0h] [xbp-1A0h]\n  crazy::String **v56; // [xsp+E8h] [xbp-188h]\n  const char *v57; // [xsp+F0h] [xbp-180h]\n  char *v58; // [xsp+F8h] [xbp-178h]\n  int v59; // [xsp+104h] [xbp-16Ch]\n  const char *v60; // [xsp+108h] [xbp-168h]\n  JavaVM *v61; // [xsp+110h] [xbp-160h]\n  crazy::String *v62; // [xsp+118h] [xbp-158h]\n  __int64 v63; // [xsp+218h] [xbp-58h]\n\n  v28 = reserved;\n  v31 = vm;\n  v63 = *(_QWORD *)off_DFF90;\n  v29 = v2;\n  v30 = v2;\n  v32 = (char *)\u0026v26;\n  v33 = (char *)\u0026v25;\n  v34 = (crazy::String *)\u0026v24;\n  v35 = (void (__fastcall **)(JavaVM *, void *))\u0026v23;\n  v54 = 0LL;\n  v61 = vm;\n  v55 = \u0026(*vm)-\u003eGetEnv;\n  v62 = (crazy::String *)*v55;\n  if ( ((unsigned int (__fastcall *)(JavaVM *, crazy **, __int64))v62)(vm, \u0026v54, 65540LL) != 0 )\n    return -1;\n  v60 = (const char *)v54;\n  v61 = *(JavaVM **)v54;\n  v55 = (jint (**)(JavaVM *, void **, jint))(v61 + 219);\n  v62 = (crazy::String *)v61[219];\n  ((void (*)(void))v62)();\n  v16 = v54;\n  *off_DFFF8 = (__int64)v54;\n  v18 = crazy::GetApiLevel(v16, v17);\n  v19 = v54;\n  *off_DFF18 = v18;\n  v47 = v19;\n  v10 = (const char *)crazy::GetPlatformVersion(v19, v9);\n  if ( strchr(v10, 77) != 0LL )\n    *off_DFF18 = 23;\n  v38 = *off_DFF18;\n  if ( v38 \u003e 23 )\n    *off_DFEE8 = 1;\n  v49 = sub_2E738();\n  if ( v49 == 2 )\n  {\n    v53 = v54;\n    v7 = sub_76F60(v53) \u0026 1 ? -1618151004 : -990688990;\n    if ( v7 \u003e -990688991 )\n      return -1;\n  }\n  v44 = v32;\n  memset(v32, 0, 0x7D0u);\n  v27 = v32;\n  v20 = getpid();\n  sprintf(v27, \"/proc/%d/cmdline\", v20);\n  v45 = fopen(v27, \"r\");\n  if ( v45 != 0LL )\n  {\n    v41 = v33;\n    memset(v33, 0, 0x7D0u);\n    v42 = v33;\n    fscanf(v45, \"%s\", v33);\n    fclose(v45);\n    v5 = strchr(v42, 58) == 0LL;\n    if ( v5 || (v52 = strstr(v42, \"sg.bigo.enterprise.live:service\"), v52 != 0LL) )\n      anti_debug_start();\n  }\n  v43 = *off_DFF18;\n  if ( v43 == 15 )\n    j_aop_init();\n  anti_section_hook();\n  v13 = (crazy *)crazy::checkSignature_1(v54, v12);\n  if ( ((unsigned __int8)v13 \u0026 1) == 0 )\n    crazy::AbortProcess(v13);\n  v14 = (crazy *)sub_2E998();\n  v40 = (const char *)v14;\n  if ( *(_BYTE *)v14 )\n  {\n    crazy::GetPackageName(v14);\n    v62 = v34;\n    v36 = *(const char **)v34;\n    v6 = (crazy *)strcmp(v36, v40);\n    v37 = (int)v6;\n    if ( v37 != 0 )\n      crazy::AbortProcess(v6);\n    crazy::String::~String(v34);\n  }\n  v46 = sub_2E738();\n  if ( v46 == 1 )\n  {\n    v50 = sub_F688();\n    if ( v50 == 0 )\n      return -1;\n  }\n  v51 = v54;\n  v8 = (crazy *)crazy::checkdex_1(v54, v3);\n  if ( ((unsigned __int8)v8 \u0026 1) == 0 )\n    crazy::AbortProcess(v8);\n  v39 = sub_E7EC(*off_DFE98[0], \"JNI_OnLoad\", v35);\n  if ( v39 != 0 )\n    (*v35)(v31, v28);\n  v15 = (const char *)sub_2E728();\n  v48 = strlen(v15);\n  if ( v48 != 0 )\n  {\n    v56 = \u0026v62;\n    v21 = (crazy *)memset(\u0026v62, 0, 0x100u);\n    crazy::GetPackageName(v21);\n    v61 = (JavaVM *)\u0026v55;\n    v57 = (const char *)v55;\n    crazy::String::~String((crazy::String *)\u0026v55);\n    v58 = (char *)\u0026v62;\n    v60 = (const char *)sub_2E728();\n    sprintf(v58, \"/data/data/%s/.hide/%s\", v57, v60);\n    v59 = remove(v58);\n  }\n  return 65540;\n}\n```\n## 参考资源\n* 思路和部分代码源于[llvm-deobfuscator](https://github.com/RPISEC/llvm-deobfuscator.git)\n* z3相关代码源于[f-ing-around-with-binaryninja](https://github.com/joshwatson/f-ing-around-with-binaryninja.git)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Famimo%2Follvm-breaker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Famimo%2Follvm-breaker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Famimo%2Follvm-breaker/lists"}