Introduction

In the .so file of an APK, a function's instructions are fixed, but placing a software breakpoint changes them (the instruction at the breakpoint address is overwritten with a BKPT instruction). One can therefore hash the function's bytes in memory to check whether the function has been modified or a breakpoint has been planted.

Principle

When a software breakpoint is set on a function in our program, the instruction at the breakpoint address is overwritten with a BKPT instruction, so we can search the function body for the BKPT opcode to detect the software breakpoint. This only catches breakpoints that patch code memory: a hardware breakpoint or a single-step trap leaves the bytes unchanged and is not detected this way.

Code implementation


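/*
 * checkFuncbkpt - look for a planted software breakpoint inside a function.
 *
 * Parameter 1 (addr): first address of the function. A Thumb function is
 *   given with bit 0 set (ARM/Thumb interworking convention); the bit is
 *   stripped before scanning. An even address is treated as ARM code.
 * Parameter 2 (size): size of the function body in bytes.
 *
 * Returns 1 when the breakpoint opcode is found in [addr, addr + size),
 * otherwise 0 (also for a NULL addr or a zero size).
 *
 * Review notes:
 *  - Only the two opcode patterns below are recognised. Which opcode a
 *    given debugger writes for a software breakpoint is tool-specific, so
 *    confirm these byte patterns against the debugger you need to detect.
 *  - Hardware breakpoints and single-stepping do not modify code memory,
 *    so they are invisible to this scan; a 0 result means "not observed",
 *    not "not debugged".
 *  - The original returned 1 unconditionally, discarding the scan result;
 *    this version returns the actual result.
 */

typedef uint8_t u8;
typedef uint32_t u32;

#ifndef LOGA
/* Project logging macro (normally provided by an earlier header); no-op
 * fallback so this unit also builds standalone. */
#define LOGA(...) ((void)0)
#endif

/* Compare `pat` (patLen bytes) at every `step`-byte offset in [start, end).
 * Stops once fewer than patLen bytes remain, so it never reads past `end`
 * (the original could read up to 3 bytes beyond the function on an odd size).
 * Returns 1 on the first match, 0 if none. */
static int scanForOpcode(const u8 *start, const u8 *end,
                         const u8 *pat, size_t patLen, size_t step)
{
    for (const u8 *p = start; p < end && (size_t)(end - p) >= patLen; p += step) {
        if (memcmp(p, pat, patLen) == 0) {
            return 1;
        }
    }
    return 0;
}

int checkFuncbkpt(u8* addr,u32 size)
{
    /* Breakpoint opcodes as laid out in memory (little-endian byte order). */
    static const u8 armBkpt[4]   = {0xf0, 0x01, 0xf0, 0xe7};
    static const u8 thumbBkpt[2] = {0x10, 0xde};
    int found = 0;

    if (addr == NULL || size == 0) {
        LOGA("Checkbkpt :(no find) no breakpoint found.\n");
        return 0;
    }

    /* uintptr_t rather than u32: a u32 cast silently truncates 64-bit pointers. */
    uintptr_t raw = (uintptr_t)addr;

    if ((raw & 1u) != 0) {
        LOGA("Checkbkpt :(thumb mode) this address is in thumb mode \n");
        /* Clear the Thumb bit to get the real first byte of the function. */
        const u8 *start = (const u8 *)(raw - 1u);
        const u8 *end = start + size;
        /* Thumb instructions are halfword-aligned, so step by 2. */
        found = scanForOpcode(start, end, thumbBkpt, sizeof thumbBkpt, 2);
        if (found) {
            LOGA("Checkbkpt :(find it) found breakpoint.\n");
        } else {
            LOGA("Checkbkpt :(no find BKPT) no breakpoint found.\n");
        }
    } else {
        LOGA("Checkbkpt :(arm mode) this address is in arm mode \n");
        const u8 *start = addr;
        const u8 *end = start + size;
        /* ARM instructions are word-aligned, so step by 4. */
        found = scanForOpcode(start, end, armBkpt, sizeof armBkpt, 4);
        if (found) {
            LOGA("Checkbkpt :(find it) found breakpoint.\n");
        } else {
            LOGA("Checkbkpt :(no find) no breakpoint found.\n");
        }
    }

    return found;
}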
