Frida not able to trace sub_XXXXX which must have been called

Reverse Engineering Asked by shinhong on September 30, 2021

I have the following pseudocode generated by IDA Pro decompiler:

__int64 *__usercall sub_155B5@<X0>(__int64 *a1@<X0>, unsigned int a2@<W1>, char **a3@<X8>)
{
  ...
  result = sub_222E0((__int64 *)a3, 2 * a2, 0x20u); 
  return result;
}

Using frida-trace, I could verify that sub_155B5 is called for every API request. This is the command that I used:

$ frida-trace -U com.app.name -a 'libname.so!0x155b5'

Therefore, I thought I could safely assume that sub_222E0 was also executed, because it’s contained by sub_155B5 which was obviously executed. However, it turned out that I was wrong. frida-trace failed to trace sub_222E0 using the same command above.

What are the possible causes for this outcome?

Thank you.

EDIT

Here’s the declaration of sub_222E0:

__int64 __fastcall sub_222E0(__int64 a1, __int64 a2, __int64 a3)
{
  return sub_4D2EC(*(_QWORD **)(a1 + 64), a2, a3);
}

And frida-trace does trace sub_4D2EC every time sub_155B5 is executed, but not sub_222E0.
