Reverse Engineering Asked by shinhong on September 30, 2021
I have the following pseudocode generated by IDA Pro decompiler:
__int64 *__usercall sub_155B5@<X0>(__int64 *a1@<X0>, unsigned int a2@<W1>, char **a3@<X8>)
{
...
result = sub_222E0((__int64 *)a3, 2 * a2, 0x20u);
return result;
}
Using frida-trace, I could verify that sub_155B5 is called for every API request. This is the command that I used:
$ frida-trace -U com.app.name -a 'libname.so!0x155b5'
Therefore, I thought I could safely assume that sub_222E0 was also executed, because it’s contained by sub_155B5 which was obviously executed. However, it turned out that I was wrong. frida-trace failed to trace sub_222E0 using the same command above.
What are the possible causes for this outcome?
Thank you.
Here’s the declaration of sub_222E0:
__int64 __fastcall sub_222E0(__int64 a1, __int64 a2, __int64 a3)
{
return sub_4D2EC(*(_QWORD **)(a1 + 64), a2, a3);
}
And frida-trace does trace sub_4D2EC everytime sub_155B5 is executed, but not sub_222E0.
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP