#1
Can you help check what kind of protection this Android .so file has?
This SO file has a special section called "ncc," which contains the initialization function (init). It's the only function with various root and hook detection mechanisms. The SO crashes before fully loading, likely because it detected something. I wonder if this is some kind of commercial protection?
[Attachment: 01.png]
Additionally, after this kind of control flow flattening processing, are there any mature tools or solutions available now to assist with analysis? I haven’t done Android analysis in a long time, so I came here specifically to ask—thank you very much!
[Attachment: 02.png]
I'm not sure how to upload the icon—attaching it as a file doesn't seem to work (or isn't accessible). https://imgur.com/a/c7HY4j8
#2
not sure it's possible to help without real .so file here...
when you say
> to assist with analysis
you mean static or dynamic one?
#3
Yes, for such a complex control flow flattening as shown in the above figure, it seems that tools like angr can't handle it. I wonder if there are any other tools? Generally, it should be simulation execution, right?
This .so file is someone else's product. It probably isn't very appropriate to upload it, right? The main reason I analyzed it was that I wanted to bypass the root detection so that it could run on my mobile phone. However, it seems that this "Protection shell code" has some kind of detection.
Additionally, I'm not sure if it violates the forum rules to upload certain commercial products here. Should I upload it?