Goal: Complete extraction of Mobile Legends: Bang Bang API endpoints through deep static ARM64 binary analysis
Timeline: ~12 months
Approach: 100% pure static analysis - no runtime interaction
- File: libunity.so (23.61 MB)
- Architecture: ARM64-v8a Little-Endian
- Format: ELF64
- Compilation: AOT (Ahead-of-Time) - no runtime metadata
- Status: Fully mapped and indexed
Functions Identified: 1,182 total functions (heuristic count on a binary with no symbol table; the instruction breakdown below counts 55,712 RET instructions, so this is almost certainly a large undercount and unlisted code should be treated as unanalysed, not absent)
Function Calls: 198,922 BL instructions traced to a target (the instruction breakdown below counts 237,295 BL encodings in total; the two figures need to be reconciled before Phase 3 treats the call graph as complete)
Network Strings Found: 4
- "Match" @ 0x0e9f56
- "http" @ 0x0eec1a
- "Request" @ 0xdf792
- "Response" @ 0x125266
Candidate URL Builders: 826 functions
- Criteria: 10+ string operations each
- Pattern: Typical sprintf/strcpy/strcat patterns
Key Discovery: URLs are constructed DYNAMICALLY at runtime
- Zero hardcoded complete URLs found in libunity.so
- Complex multi-level function call chains required
- String assembly happens across multiple functions
- Caveat: libunity.so is the Unity engine runtime, not the game's own code. A Unity ARM64 Android build uses the IL2CPP backend, which compiles the game's C# into lib/arm64-v8a/libil2cpp.so and stores its string literals, class names and method names in assets/bin/Data/Managed/Metadata/global-metadata.dat. Search both files for hostnames, "/api/" fragments and "%s"/"%d" format strings before concluding that every URL is assembled dynamically: a complete URL that is absent from the engine library may sit verbatim in the metadata file.
Instruction Breakdown:
- 414,096 ADD instructions (arithmetic/offsets)
- 237,295 BL instructions (function calls)
- 176,931 ADRP instructions (address loading)
- 137,625 B instructions (unconditional branches)
- 55,712 RET instructions (returns)
Top 50 Priority Functions (Start Here):
- 0xf98ff8 - String builder, 247 string operations, ADRP+ADD patterns
- 0x8e37a0 - Complex string concatenation, 18 BL calls
- 0xaf2168 - URL formatter candidate, 156 string ops
- 0xa5d8e8 - Parameter handler, 89 string ops
- 0xb2c4c0 - HTTP request builder, 34 string ops
- 0x12f554 - JSON serializer, 67 string ops
- 0xd4f8a4 - Query string builder, 124 string ops
- 0xc3a2b8 - API endpoint mapper, 92 string ops
- 0xe7f6c0 - Token handler, 45 string ops
- 0xf4d340 - Server address assembler, 78 string ops
[And 816 more candidates...]
For each function:
1. Disassemble Completely
- Get full ARM64 instruction sequence
- Identify all register usage patterns
- Map stack frame layout
- Document calling convention
2. Trace String Operations
- Find all ADRP+ADD string loads
- Map to actual string addresses
- Identify concatenation patterns
- Track register flow
3. Analyze Function Calls (BL)
- For each BL instruction, trace called function
- Identify helper functions (sprintf, strcpy, etc.)
- Build call dependency chain
- Document parameter passing
4. Reconstruct Logic
- Understand string assembly flow
- Identify template patterns
- Detect hardcoded constants
- Map to expected API structure
5. Document Results
- Save disassembly
- Record pattern discovered
- Note relationships to other functions
- Update master analysis database
Active binaries in arm64_disassembler/target/release/:
- deep_analysis.exe - Quick pattern scanning (0.04s)
- disassemble_functions.exe - Detailed disassembly (0.05s)
- full_analysis.exe - Complete mapping (0.01s)
- advanced_analysis.exe - Network region analysis (0.02s)
- find_urls.exe - URL pattern detection
Decoder module ready: src/decoder.rs (300+ lines of ARM64 instruction handling)
Goal: Build complete dependency graph of 198,922 BL instructions
Approach:
- Start from network-related functions
- Trace backward to callers
- Trace forward to callees
- Identify critical path functions
- Build call hierarchy map
Output:
- Complete call graph visualization
- Critical function identification
- Parameter flow documentation
- Return value usage patterns
Expected Result:
- Identify 10-20 key functions in URL construction chain
- Build parameter passing documentation
- Identify data flow paths
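The backward/forward tracing described in this section, as an added example in Rust (the language of the project's arm64_disassembler tools, but not code from that project). It takes the (caller, callee) pairs a BL-decoding pass emits, builds both adjacency directions, walks backward from a network-related sink to list every function that can reach it with its hop count, walks forward to recover one shortest call chain, and marks the critical functions every chain must pass through by removing each candidate and re-checking reachability. The edges and addresses (0xA000 to 0xA700, with 0xA600 standing in for the function that references "http") are constructed for this example and are not findings from libunity.so.

```rust
// Added example, not code from the NativeGhost project. Input edges are the (caller, callee)
// pairs a BL-decoding pass emits; the addresses below are constructed for the example.
use std::collections::{BTreeMap, BTreeSet, VecDeque};

pub struct CallGraph {
    pub callees: BTreeMap<u64, BTreeSet<u64>>, // forward edges
    pub callers: BTreeMap<u64, BTreeSet<u64>>, // reverse edges
}

impl CallGraph {
    pub fn from_edges(edges: &[(u64, u64)]) -> Self {
        let mut g = CallGraph { callees: BTreeMap::new(), callers: BTreeMap::new() };
        for &(from, to) in edges {
            g.callees.entry(from).or_default().insert(to);
            g.callers.entry(to).or_default().insert(from);
        }
        g
    }

    /// BFS in one direction; returns node -> (hops, predecessor). `skip` removes one node.
    fn bfs(&self, start: u64, forward: bool, skip: Option<u64>) -> BTreeMap<u64, (usize, u64)> {
        let adj = if forward { &self.callees } else { &self.callers };
        let mut seen = BTreeMap::new();
        let mut queue = VecDeque::new();
        seen.insert(start, (0usize, start));
        queue.push_back(start);
        while let Some(n) = queue.pop_front() {
            let d = seen[&n].0;
            for &m in adj.get(&n).into_iter().flatten() {
                if Some(m) != skip && !seen.contains_key(&m) {
                    seen.insert(m, (d + 1, n));
                    queue.push_back(m);
                }
            }
        }
        seen
    }

    /// Trace backward: every function that can reach `sink`, with its hop distance.
    pub fn reaches(&self, sink: u64) -> BTreeMap<u64, usize> {
        self.bfs(sink, false, None)
            .into_iter()
            .filter(|&(n, _)| n != sink)
            .map(|(n, (d, _))| (n, d))
            .collect()
    }

    /// Trace forward: one shortest call chain start -> ... -> sink, if any exists.
    pub fn chain(&self, start: u64, sink: u64) -> Option<Vec<u64>> {
        let seen = self.bfs(start, true, None);
        seen.get(&sink)?;
        let mut path = vec![sink];
        while *path.last().unwrap() != start {
            let prev = seen[path.last().unwrap()].1;
            path.push(prev);
        }
        path.reverse();
        Some(path)
    }

    /// Critical functions: intermediate nodes that every start -> sink chain passes through,
    /// found by removing each candidate and re-checking whether sink is still reachable.
    pub fn critical(&self, start: u64, sink: u64) -> Vec<u64> {
        let forward = self.bfs(start, true, None);
        let backward = self.reaches(sink);
        forward
            .keys()
            .copied()
            .filter(|&n| n != start && n != sink && backward.contains_key(&n))
            .filter(|&n| !self.bfs(start, true, Some(n)).contains_key(&sink))
            .collect()
    }
}

/// Constructed edges (hypothetical addresses; not findings from libunity.so).
pub const SAMPLE_EDGES: &[(u64, u64)] = &[
    (0xA000, 0xA100), // game loop -> refresh_profile
    (0xA000, 0xA200), // game loop -> load_heroes
    (0xA100, 0xA300), // refresh_profile -> build_url
    (0xA200, 0xA300), // load_heroes -> build_url
    (0xA300, 0xA400), // build_url -> query_string
    (0xA300, 0xA500), // build_url -> format_request (sprintf wrapper)
    (0xA400, 0xA500), // query_string -> format_request
    (0xA500, 0xA600), // format_request -> http_send (the "http" string xref)
    (0xA100, 0xA700), // refresh_profile -> render_ui (off the network path)
];
pub const ENTRY: u64 = 0xA000;
pub const HTTP_SEND: u64 = 0xA600;

fn main() {
    let g = CallGraph::from_edges(SAMPLE_EDGES);
    for (f, hops) in g.reaches(HTTP_SEND) {
        println!("{:#x} reaches http_send in {} hop(s)", f, hops);
    }
    if let Some(chain) = g.chain(ENTRY, HTTP_SEND) {
        let s: Vec<String> = chain.iter().map(|a| format!("{:#x}", a)).collect();
        println!("chain: {}", s.join(" -> "));
    }
    let crit: Vec<String> = g.critical(ENTRY, HTTP_SEND).iter().map(|a| format!("{:#x}", a)).collect();
    println!("critical: {:?}", crit);
}
```

On the constructed graph, 0xA700 (render_ui) drops out of the backward trace because it never reaches the sink, and the critical set is {0xA300, 0xA500}: build_url and the sprintf wrapper are the functions to disassemble first, while refresh_profile and load_heroes are interchangeable entry points. Run against real BL edges, the same three queries give the "10-20 key functions" this phase is after.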
Search For:
- sprintf patterns - Format string assembly
- strcpy/strcat patterns - String concatenation
- Base address patterns - Server address handling
- Parameter encoding - Query string building
- Protocol patterns - HTTP/HTTPS markers
Documentation Requirements:
- Save pattern templates
- Record function addresses
- Document expected format
- Map to actual API endpoints
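The five per-function steps listed under Phase 2 (disassemble, resolve ADRP+ADD string loads, trace BL calls, reconstruct the template) and the sprintf format-string search above, as one added example in Rust; it is not code from the project's src/decoder.rs. It decodes raw little-endian A64 words for ADRP, 64-bit ADD (immediate), BL and RET, tracks which argument registers currently hold an ADRP+ADD-built address, and at each BL reports the callee plus every argument that resolves to a readable string in .rodata, leaving runtime-supplied arguments marked unknown. The six-instruction function, the .rodata bytes, the addresses (text at 0x1000, .rodata at 0x2000, sprintf at 0x3000) and the one-entry symbol table are constructed for the example; a real run would take them from the ELF section headers and the PLT/dynamic symbol table.

```rust
// Added example, not code from the NativeGhost arm64_disassembler crate. Assumes a
// hand-assembled function at TEXT_BASE, constructed .rodata at RODATA_BASE and a
// one-entry symbol table (0x3000 -> sprintf); real runs read these from the ELF.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq)]
pub enum Op {
    Adrp { rd: u8, page: u64 },
    AddImm { rd: u8, rn: u8, imm: u64 },
    Bl { target: u64 },
    Ret,
    Other,
}

fn sext(v: u64, bits: u32) -> i64 {
    ((v << (64 - bits)) as i64) >> (64 - bits)
}

/// Decode one little-endian A64 word located at `pc` (only the forms this pass needs).
pub fn decode(insn: u32, pc: u64) -> Op {
    if insn & 0x9F00_0000 == 0x9000_0000 {
        // ADRP: immhi:immlo is a signed 21-bit page count relative to the page of pc.
        let imm21 = (((insn >> 5) & 0x7_FFFF) << 2) | ((insn >> 29) & 0x3);
        let imm = sext(imm21 as u64, 21) * 4096;
        return Op::Adrp { rd: (insn & 0x1F) as u8, page: ((pc & !0xFFF) as i64 + imm) as u64 };
    }
    if insn & 0xFF80_0000 == 0x9100_0000 {
        // ADD Xd, Xn, #imm12{, LSL #12}: supplies the low 12 bits of an ADRP+ADD address.
        let sh = if insn & (1 << 22) != 0 { 12 } else { 0 };
        let imm = (((insn >> 10) & 0xFFF) as u64) << sh;
        return Op::AddImm { rd: (insn & 0x1F) as u8, rn: ((insn >> 5) & 0x1F) as u8, imm };
    }
    if insn & 0xFC00_0000 == 0x9400_0000 {
        // BL: signed 26-bit word offset from the BL's own address.
        let off = sext((insn & 0x3FF_FFFF) as u64, 26) * 4;
        return Op::Bl { target: (pc as i64 + off) as u64 };
    }
    if insn == 0xD65F_03C0 { Op::Ret } else { Op::Other }
}

/// Read a NUL-terminated string from the .rodata blob at absolute address `addr`.
pub fn read_cstr(rodata: &[u8], rodata_base: u64, addr: u64) -> Option<String> {
    let bytes = rodata.get(addr.checked_sub(rodata_base)? as usize..)?;
    let end = bytes.iter().position(|&b| b == 0)?;
    String::from_utf8(bytes[..end].to_vec()).ok()
}

#[derive(Debug, PartialEq)]
pub struct Call {
    pub site: u64,
    pub callee: String,
    /// x0..x7 at the call site: Some(s) only when the register was filled by ADRP+ADD and
    /// points at a readable string; None means the value is only known at runtime.
    pub args: Vec<Option<String>>,
}

/// Walk one function, tracking registers loaded via ADRP+ADD, and report every BL with
/// the string arguments that can be proven statically.
pub fn analyze_function(
    code: &[u32], base: u64, rodata: &[u8], rodata_base: u64, symbols: &BTreeMap<u64, &str>,
) -> Vec<Call> {
    let mut regs: BTreeMap<u8, u64> = BTreeMap::new();
    let mut calls = Vec::new();
    for (i, &w) in code.iter().enumerate() {
        let pc = base + 4 * i as u64;
        match decode(w, pc) {
            Op::Adrp { rd, page } => { regs.insert(rd, page); }
            Op::AddImm { rd, rn, imm } => match regs.get(&rn).copied() {
                Some(a) => { regs.insert(rd, a + imm); }
                None => { regs.remove(&rd); } // adding to an untracked base: value unknown
            },
            Op::Bl { target } => {
                let callee = symbols.get(&target).map(|s| s.to_string())
                    .unwrap_or_else(|| format!("sub_{:x}", target));
                let args: Vec<Option<String>> = (0..8u8)
                    .map(|r| regs.get(&r).and_then(|&a| read_cstr(rodata, rodata_base, a)))
                    .collect();
                calls.push(Call { site: pc, callee, args });
                regs.retain(|&r, _| r > 18); // x0-x18 are caller-saved: unknown after the call
            }
            Op::Ret => break,
            Op::Other => {}
        }
    }
    calls
}

pub const TEXT_BASE: u64 = 0x1000;
pub const RODATA_BASE: u64 = 0x2000;
/// Constructed function (hand-assembled): adrp x1,#0x2000; add x1,x1,#0; adrp x3,#0x2000;
/// add x3,x3,#0x18; bl 0x3000; ret. x0 (buffer) and x2 (host) arrive as runtime arguments.
pub const SAMPLE_CODE: [u32; 6] =
    [0xB000_0001, 0x9100_0021, 0xB000_0003, 0x9100_6063, 0x9400_07FC, 0xD65F_03C0];
/// Constructed .rodata: format string at 0x2000, "players" at 0x2018.
pub const SAMPLE_RODATA: &[u8] = b"https://%s/api/v1/%s\0\0\0\0players\0";

pub fn run_sample() -> Vec<Call> {
    let mut symbols = BTreeMap::new();
    symbols.insert(0x3000u64, "sprintf");
    analyze_function(&SAMPLE_CODE, TEXT_BASE, SAMPLE_RODATA, RODATA_BASE, &symbols)
}

fn main() {
    for c in run_sample() {
        let shown: Vec<&str> = c.args.iter().map(|a| a.as_deref().unwrap_or("?")).collect();
        println!("{:#x}: {}({})", c.site, c.callee, shown.join(", "));
    }
}
```

For the constructed function the report is `0x1010: sprintf(?, https://%s/api/v1/%s, ?, players, ?, ?, ?, ?)`: the format template and the path segment are recoverable statically, while the buffer (x0) and the host (x2) are runtime values. That is the pattern a dynamically assembled URL leaves behind, and the unresolved x2 is the register to chase backward through the callers in Phase 3.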
Reverse Engineer:
- Server addresses/hostnames
- Endpoint paths (/api/v1/something)
- HTTP methods (GET, POST, PUT, DELETE)
- Request parameters
- Expected response formats
- Authentication requirements
Known Endpoints to Find:
- Player profile API
- Rank/leaderboard API
- Match history API
- Hero information API
- Battle pass API
- Purchase/transaction API
- Event/tournament API
- Social/friendship API
- Streaming/broadcast API
Endpoint documentation template (placeholder values showing the format to fill in; api.mlbb.example.com and the fields below are not a discovered endpoint):
ENDPOINT: /api/v1/players/{player_id}
METHOD: GET
HOST: api.mlbb.example.com
PARAMETERS:
- player_id: integer (path)
- region: string (query, optional)
RESPONSE:
- player_data: object
- nickname: string
- rank: integer
- win_rate: float
AUTHENTICATION: JWT token in header
NOTES: Called every 30 seconds for profile refresh
Analysis tools:
- Source: arm64_disassembler/src/bin/
- Compiled: arm64_disassembler/target/release/
- Performance: 0.01-0.2 seconds each
- Ready to extend for custom analysis
Reports:
- deep_arm64_analysis.md - Current results
- function_disassembly.md - Top 5 functions analyzed
- DEEP_ARM64_ANALYSIS_SUMMARY.md - Executive summary
Target binary:
- Location: extracted_apk/lib/arm64-v8a/libunity.so
- Size: 23.61 MB
- Ready for analysis: Yes
NativeGhost/
├── analysis_data/ # Phase 1 results
│ ├── ANALYSIS_INDEX.md
│ ├── deep_arm64_analysis.md
│ ├── function_disassembly.md
│ └── ...
│
├── manual_analysis/ # Ongoing work
│ ├── phase2_functions/ # Disassembled functions
│ ├── phase3_callgraph/ # Call chain analysis
│ ├── phase4_patterns/ # URL patterns found
│ └── phase5_endpoints/ # API endpoints discovered
│
├── arm64_disassembler/ # Rust analysis tools
│ ├── src/
│ ├── Cargo.toml
│ └── target/release/ # Compiled binaries
│
├── extracted_apk/ # Binary target
│ ├── lib/arm64-v8a/libunity.so
│ └── ...
│
├── archive/ # Old reports
└── docs/ # Project docs
Week 1-4: Foundation analysis (COMPLETED)
- Function mapping
- String identification
- Candidate function identification
- Tool verification
Week 5-8: Phase 2 Initial
- Analyze first 50 candidate functions
- Identify top URL builder patterns
- Create function database
- Document first discoveries
Week 9-12: Phase 2 Continued
- Analyze next 200 functions
- Refine pattern recognition
- Build parameter documentation
- Identify common building blocks
Week 13-16: Phase 2 Final
- Analyze remaining functions
- Complete pattern library
- Identify all string operations
- Build comprehensive reference
Week 17-20: Phase 3 - Call Graphs
- Trace call dependencies
- Build dependency map
- Identify critical functions
- Document call chains
Week 21-24: Phase 4 - Pattern Recognition
- Extract URL templates
- Identify format strings
- Map server addresses
- Document protocols
Week 25-32: Phase 5 Early - Endpoint Extraction
- First API endpoints extracted
- Player profile endpoints
- Basic game data endpoints
- Document format
Week 33-40: Phase 5 Mid - More Endpoints
- Battle/match endpoints
- Social endpoints
- Economy/purchase endpoints
- Stream/broadcast endpoints
Week 41-48: Phase 5 Final - Complete APIs
- All endpoints documented
- Complete reference guide
- Client library feasibility
- Final documentation
Week 49-52: Cleanup & Documentation
- Clean up disassembly files
- Create final reference docs
- Build endpoint catalog
- Create usage examples
Milestones:
- Phase 2: All 826 functions analyzed; Top 50 patterns identified; Initial endpoint discoveries
- Phase 3: Call graphs completed; Function relationships mapped; 30+ endpoints identified
- Phase 4: Pattern library complete; URL construction understood; 50+ endpoints documented
- Phase 5: Complete API reference; All endpoints extracted; Client library design spec; Full documentation
Final Deliverable:
- Complete Mobile Legends: Bang Bang API Reference
- 100+ documented endpoints
- All request/response formats documented
- Authentication mechanism documented
- Server addresses identified
- Client library implementation possible
- Timeline is flexible: Complex functions may take longer
- Tool development: Create custom analysis tools as needed
- Incremental progress: Document findings weekly
- Validation: Cross-reference with known endpoints from community
Last Updated: Today
Status: Ready to begin Phase 2
Next Step: Start with top 50 candidate functions