-
-
[原创]]看雪.京东 2018CTF-第五题分析
-
发表于: 2018-6-25 13:05 6033
-
_DWORD *init_proc()
{
int v0; // r4
_DWORD *result; // r0
unsigned int v2; // r7
int v3; // r2
int v4; // r3
const char *v5; // r1
int v6; // r2
int v7; // r3
int v8; // r2
int v9; // r3
int v10; // r2
int v11; // r3
int v12; // [sp+8h] [bp-F8h]
unsigned __int8 *v13; // [sp+Ch] [bp-F4h]
int v14; // [sp+10h] [bp-F0h]
char v15; // [sp+14h] [bp-ECh]
char v16; // [sp+18h] [bp-E8h]
char v17; // [sp+1Ch] [bp-E4h]
char v18; // [sp+20h] [bp-E0h]
int string_ASBQ838ZquyW; // [sp+24h] [bp-DCh]
int v20; // [sp+2Ch] [bp-D4h]
int v21; // [sp+30h] [bp-D0h]
newString1(&string_ASBQ838ZquyW, (int)"ASBQ838ZquyW");
v0 = sub_8A68(&string_ASBQ838ZquyW);
result = deleteString(&string_ASBQ838ZquyW);
if ( v0 ) // v0=0
{
newString1(&v12, (int)"333");
newString1(&v13, (int)"%*s%d");
newString1(&v14, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&string_ASBQ838ZquyW, 24);
sub_F0A4((int)&v20, &v13);
sub_DD44(&v15, &v21);
sub_191A8(&v13);
v2 = *v13;
if ( std::operator==<char>(&v14, &v15) )
{
newString1(&v18, (int)"DABD786ABH");
if ( v2 == 1 )
{
v5 = "8a7d9Vduya";
}
else if ( v2 >= 1 )
{
if ( v2 == 2 )
v5 = "73812huvVQ";
else
v5 = "daj87YBDASYBvy";
}
else
{
v5 = "UDHA47DBsd";
}
SetStringNull((int)&v13, (int)v5, v3, v4);
copyString((int)&v13, (int)&v18);
deleteString(&v18);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v14, &v15) )
{
SetStringNull((int)&v13, (int)&unk_30735, v6, v7);
newString1(&v16, (int)"DU8NABvA");
copyStringFromLocation((int)&v18, &v16, 0, 1u);
copyString((int)&v13, (int)&v18);
deleteString(&v18);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v13, &unk_30735) )
SetStringNull((int)&v13, (int)&unk_30735, v8, v9);
copyStringFromLocation((int)&v17, &v16, 1u, 2u);
copyString((int)&v13, (int)&v17);
deleteString(&v17);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v13, &unk_30735) )
SetStringNull((int)&v13, (int)&unk_30735, v10, v11);
deleteString(&v16);
}
GetStringBuf(&v16, (int *)&v13);
deleteString(&v15);
sub_DBAC(&string_ASBQ838ZquyW);
deleteString(&v14);
StringChange((int)&v12, (int)&v16);
deleteString(&v16);
deleteString(&v13);
if ( std::operator==<char,std::char_traits<char>,std::allocator<char>>(&v12, "333") )
sleep_0(0);
result = deleteString(&v12);
}
return result;
} 上面的有些函数可能参数个数不对,不过不影响分析。
LOAD:00034CD0 5D 62 00 00 DCD initfunction1+1 LOAD:00034CD4 5D 63 00 00 DCD initfunction2+1 LOAD:00034CD8 4D 65 00 00 DCD initfunction3+1 ; 啥也没做 LOAD:00034CDC BD 67 00 00 DCD sub_67BC+1 ; 创建反调试线程 LOAD:00034CE0 DD 6C 00 00 DCD sub_6CDC+1 LOAD:00034CE4 49 70 00 00 DCD sub_7048+1 LOAD:00034CE8 8D 73 00 00 DCD sub_738C+1 LOAD:00034CEC C5 76 00 00 DCD sub_76C4+1 LOAD:00034CF0 69 78 00 00 DCD sub_7868+1 LOAD:00034CF4 85 78 00 00 DCD sub_7884+1 LOAD:00034CF8 C5 78 00 00 DCD sub_78C4+1 LOAD:00034CFC D5 78 00 00 DCD sub_78D4+1 LOAD:00034D00 B1 79 00 00 DCD sub_79B0+1 LOAD:00034D04 8D 7A 00 00 DCD sub_7A8C+1
init_array函数先于jni_onload 函数运行,jni_onload应该被加密了,而上面的函数应该存在对其解密。
3、函数625D
该函数作用:36090 = lkdakjudajndn 函数地址,用于使用动态注册jni函数。其它的都是混淆。
4、函数635D
该函数主要作用: dword_36094 = 0x64。其它的都是混淆。
5、函数654D
该函数啥也没做。
6、函数67BC
该函数主要用于创建反调试线程B8BC,其它的没用。
_DWORD *sub_67BC()
{
char *v0; // r8
int *v1; // r8
unsigned int v2; // r10
int v3; // r2
int v4; // r3
const char *v5; // r1
int v6; // r2
int v7; // r3
int v8; // r2
int v9; // r3
int v10; // r2
int v11; // r3
char *v12; // r0
unsigned int v13; // r11
int v14; // r2
int v15; // r3
const char *v16; // r1
int v17; // r2
int v18; // r3
int v19; // r2
int v20; // r3
int v21; // r2
int v22; // r3
int malloc_20; // [sp+4h] [bp-1DCh]
char v25; // [sp+Ch] [bp-1D4h]
int string_daka97YGBB; // [sp+10h] [bp-1D0h]
char v27; // [sp+14h] [bp-1CCh]
int v28; // [sp+18h] [bp-1C8h]
char v29; // [sp+1Ch] [bp-1C4h]
int string_UYetrq736UMayFindMe233; // [sp+20h] [bp-1C0h]
char v31; // [sp+24h] [bp-1BCh]
char v32; // [sp+28h] [bp-1B8h]
char v33; // [sp+2Ch] [bp-1B4h]
int v34; // [sp+30h] [bp-1B0h]
int string_A782E192B81NICAIsan38Qz; // [sp+34h] [bp-1ACh]
char string_52651; // [sp+38h] [bp-1A8h]
char string_33687; // [sp+3Ch] [bp-1A4h]
char v38; // [sp+40h] [bp-1A0h]
char v39; // [sp+48h] [bp-198h]
char v40; // [sp+4Ch] [bp-194h]
char v41; // [sp+FCh] [bp-E4h]
int v42; // [sp+104h] [bp-DCh]
int v43; // [sp+108h] [bp-D8h]
malloc_20 = operator new(0x20u);
sub_C8A0(malloc_20);
newString1(&string_A782E192B81NICAIsan38Qz, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&v38, 24);
hextoString((int)&v39, 52651);
sub_DD44(&string_52651, &v40);
v0 = (_BYTE *)(&loc_CD76 + 2); // V0=CD78
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz, &string_52651) )
v0 = (_BYTE *)(&loc_CDAA + 1); // V0=CDAB
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_52651, &string_A782E192B81NICAIsan38Qz) )
{
CreateUnknowStructFunc((int)&v41, 24);
hextoString((int)&v42, 33687);
sub_DD44(&string_33687, &v43);
v0 = (char *)std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_33687, "0d87a");
deleteString(&string_33687);
sub_DBAC(&v41);
if ( v0 )
v0 = (char *)off_35CFC + 0x4A04F;
}
deleteString(&string_52651);
sub_DBAC(&v38);
deleteString(&string_A782E192B81NICAIsan38Qz);
newString1(&v25, (int)"94DASIH78bdgskl998");
if ( !v0 )
{ // pthread_create
(*(void (__fastcall **)(char *, _DWORD, void (*)(), _DWORD))(malloc_20 + 28))(&string_33687, 0, anti_debug, 0);
v1 = &string_daka97YGBB;
newString1(&string_daka97YGBB, (int)"daka97YGBB");
newString1(&string_UYetrq736UMayFindMe233, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&v38, 24);
sub_F0A4((int)&v39, &string_daka97YGBB);
sub_DD44(&v31, &v40);
sub_191A8(&string_daka97YGBB);
v2 = *(unsigned __int8 *)string_daka97YGBB;
if ( std::operator==<char>(&string_UYetrq736UMayFindMe233, &v31) )
{
newString1(&v41, (int)"DABD786ABH");
if ( v2 == 1 )
{
v5 = "8a7d9Vduya";
}
else if ( v2 >= 1 )
{
if ( v2 == 2 )
v5 = "73812huvVQ";
else
v5 = "daj87YBDASYBvy";
}
else
{
v5 = "UDHA47DBsd";
}
SetStringNull((int)&string_daka97YGBB, (int)v5, v3, v4);
copyString((int)&string_daka97YGBB, (int)&v41);
deleteString(&v41);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_UYetrq736UMayFindMe233, &v31) )
{
SetStringNull((int)&string_daka97YGBB, (int)&unk_30735, v6, v7);
newString1(&v41, (int)"DU8NABvA");
copyStringFromLocation((int)&v33, &v41, 0, 1u);
copyString((int)&string_daka97YGBB, (int)&v33);
deleteString(&v33);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_daka97YGBB, &unk_30735) )
SetStringNull((int)&string_daka97YGBB, (int)&unk_30735, v8, v9);
copyStringFromLocation((int)&v32, &v41, 1u, 2u);
copyString((int)&string_daka97YGBB, (int)&v32);
deleteString(&v32);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_daka97YGBB, &unk_30735) )
SetStringNull((int)&string_daka97YGBB, (int)&unk_30735, v10, v11);
deleteString(&v41);
}
GetStringBuf(&v27, &string_daka97YGBB);
deleteString(&v31);
sub_DBAC(&v38);
deleteString(&string_UYetrq736UMayFindMe233);
copyString((int)&v25, (int)&v27);
v12 = &v27;
LABEL_40:
deleteString(v12);
deleteString(v1);
return deleteString(&v25);
}
if ( v0 != (char *)-1 )
{
sub_5F68((int)&v33, 0, (int)sub_8100, 0);
v1 = &v28;
newString1(&v28, (int)"%*s%d");
newString1(&v34, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&v41, 24);
sub_F0A4((int)&v42, &v28);
sub_DD44(&string_A782E192B81NICAIsan38Qz, &v43);
sub_191A8(&v28);
v13 = *(unsigned __int8 *)v28;
if ( std::operator==<char>(&v34, &string_A782E192B81NICAIsan38Qz) )
{
newString1(&v38, (int)"DABD786ABH");
if ( v13 == 1 )
{
v16 = "8a7d9Vduya";
}
else if ( v13 >= 1 )
{
if ( v13 == 2 )
v16 = "73812huvVQ";
else
v16 = "daj87YBDASYBvy";
}
else
{
v16 = "UDHA47DBsd";
}
SetStringNull((int)&v28, (int)v16, v14, v15);
copyString((int)&v28, (int)&v38);
deleteString(&v38);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v34, &string_A782E192B81NICAIsan38Qz) )
{
SetStringNull((int)&v28, (int)&unk_30735, v17, v18);
newString1(&v38, (int)"DU8NABvA");
copyStringFromLocation((int)&string_33687, &v38, 0, 1u);
copyString((int)&v28, (int)&string_33687);
deleteString(&string_33687);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v28, &unk_30735) )
SetStringNull((int)&v28, (int)&unk_30735, v19, v20);
copyStringFromLocation((int)&string_52651, &v38, 1u, 2u);
copyString((int)&v28, (int)&string_52651);
deleteString(&string_52651);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v28, &unk_30735) )
SetStringNull((int)&v28, (int)&unk_30735, v21, v22);
deleteString(&v38);
}
GetStringBuf(&v29, &v28);
deleteString(&string_A782E192B81NICAIsan38Qz);
sub_DBAC(&v41);
deleteString(&v34);
copyString((int)&v25, (int)&v29);
v12 = &v29;
goto LABEL_40;
}
if ( std::operator==<char,std::char_traits<char>,std::allocator<char>>(&v25, "94DASIH78bdgskl998") )
sub_5F68((int)&v41, 0, (int)sub_8100, 0);
return deleteString(&v25);
}
后面的函数懒得分析,应该是代码解密的。先不管,看下反调线程。
_DWORD *sub_67BC()
{
char *v0; // r8
int *v1; // r8
unsigned int v2; // r10
int v3; // r2
int v4; // r3
const char *v5; // r1
int v6; // r2
int v7; // r3
int v8; // r2
int v9; // r3
int v10; // r2
int v11; // r3
char *v12; // r0
unsigned int v13; // r11
int v14; // r2
int v15; // r3
const char *v16; // r1
int v17; // r2
int v18; // r3
int v19; // r2
int v20; // r3
int v21; // r2
int v22; // r3
int malloc_20; // [sp+4h] [bp-1DCh]
char v25; // [sp+Ch] [bp-1D4h]
int string_daka97YGBB; // [sp+10h] [bp-1D0h]
char v27; // [sp+14h] [bp-1CCh]
int v28; // [sp+18h] [bp-1C8h]
char v29; // [sp+1Ch] [bp-1C4h]
int string_UYetrq736UMayFindMe233; // [sp+20h] [bp-1C0h]
char v31; // [sp+24h] [bp-1BCh]
char v32; // [sp+28h] [bp-1B8h]
char v33; // [sp+2Ch] [bp-1B4h]
int v34; // [sp+30h] [bp-1B0h]
int string_A782E192B81NICAIsan38Qz; // [sp+34h] [bp-1ACh]
char string_52651; // [sp+38h] [bp-1A8h]
char string_33687; // [sp+3Ch] [bp-1A4h]
char v38; // [sp+40h] [bp-1A0h]
char v39; // [sp+48h] [bp-198h]
char v40; // [sp+4Ch] [bp-194h]
char v41; // [sp+FCh] [bp-E4h]
int v42; // [sp+104h] [bp-DCh]
int v43; // [sp+108h] [bp-D8h]
malloc_20 = operator new(0x20u);
sub_C8A0(malloc_20);
newString1(&string_A782E192B81NICAIsan38Qz, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&v38, 24);
hextoString((int)&v39, 52651);
sub_DD44(&string_52651, &v40);
v0 = (_BYTE *)(&loc_CD76 + 2); // V0=CD78
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz, &string_52651) )
v0 = (_BYTE *)(&loc_CDAA + 1); // V0=CDAB
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_52651, &string_A782E192B81NICAIsan38Qz) )
{
CreateUnknowStructFunc((int)&v41, 24);
hextoString((int)&v42, 33687);
sub_DD44(&string_33687, &v43);
v0 = (char *)std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_33687, "0d87a");
deleteString(&string_33687);
sub_DBAC(&v41);
if ( v0 )
v0 = (char *)off_35CFC + 0x4A04F;
}
deleteString(&string_52651);
sub_DBAC(&v38);
deleteString(&string_A782E192B81NICAIsan38Qz);
newString1(&v25, (int)"94DASIH78bdgskl998");
if ( !v0 )
{ // pthread_create
(*(void (__fastcall **)(char *, _DWORD, void (*)(), _DWORD))(malloc_20 + 28))(&string_33687, 0, anti_debug, 0);
v1 = &string_daka97YGBB;
newString1(&string_daka97YGBB, (int)"daka97YGBB");
newString1(&string_UYetrq736UMayFindMe233, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&v38, 24);
sub_F0A4((int)&v39, &string_daka97YGBB);
sub_DD44(&v31, &v40);
sub_191A8(&string_daka97YGBB);
v2 = *(unsigned __int8 *)string_daka97YGBB;
if ( std::operator==<char>(&string_UYetrq736UMayFindMe233, &v31) )
{
newString1(&v41, (int)"DABD786ABH");
if ( v2 == 1 )
{
v5 = "8a7d9Vduya";
}
else if ( v2 >= 1 )
{
if ( v2 == 2 )
v5 = "73812huvVQ";
else
v5 = "daj87YBDASYBvy";
}
else
{
v5 = "UDHA47DBsd";
}
SetStringNull((int)&string_daka97YGBB, (int)v5, v3, v4);
copyString((int)&string_daka97YGBB, (int)&v41);
deleteString(&v41);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_UYetrq736UMayFindMe233, &v31) )
{
SetStringNull((int)&string_daka97YGBB, (int)&unk_30735, v6, v7);
newString1(&v41, (int)"DU8NABvA");
copyStringFromLocation((int)&v33, &v41, 0, 1u);
copyString((int)&string_daka97YGBB, (int)&v33);
deleteString(&v33);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_daka97YGBB, &unk_30735) )
SetStringNull((int)&string_daka97YGBB, (int)&unk_30735, v8, v9);
copyStringFromLocation((int)&v32, &v41, 1u, 2u);
copyString((int)&string_daka97YGBB, (int)&v32);
deleteString(&v32);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_daka97YGBB, &unk_30735) )
SetStringNull((int)&string_daka97YGBB, (int)&unk_30735, v10, v11);
deleteString(&v41);
}
GetStringBuf(&v27, &string_daka97YGBB);
deleteString(&v31);
sub_DBAC(&v38);
deleteString(&string_UYetrq736UMayFindMe233);
copyString((int)&v25, (int)&v27);
v12 = &v27;
LABEL_40:
deleteString(v12);
deleteString(v1);
return deleteString(&v25);
}
if ( v0 != (char *)-1 )
{
sub_5F68((int)&v33, 0, (int)sub_8100, 0);
v1 = &v28;
newString1(&v28, (int)"%*s%d");
newString1(&v34, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&v41, 24);
sub_F0A4((int)&v42, &v28);
sub_DD44(&string_A782E192B81NICAIsan38Qz, &v43);
sub_191A8(&v28);
v13 = *(unsigned __int8 *)v28;
if ( std::operator==<char>(&v34, &string_A782E192B81NICAIsan38Qz) )
{
newString1(&v38, (int)"DABD786ABH");
if ( v13 == 1 )
{
v16 = "8a7d9Vduya";
}
else if ( v13 >= 1 )
{
if ( v13 == 2 )
v16 = "73812huvVQ";
else
v16 = "daj87YBDASYBvy";
}
else
{
v16 = "UDHA47DBsd";
}
SetStringNull((int)&v28, (int)v16, v14, v15);
copyString((int)&v28, (int)&v38);
deleteString(&v38);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v34, &string_A782E192B81NICAIsan38Qz) )
{
SetStringNull((int)&v28, (int)&unk_30735, v17, v18);
newString1(&v38, (int)"DU8NABvA");
copyStringFromLocation((int)&string_33687, &v38, 0, 1u);
copyString((int)&v28, (int)&string_33687);
deleteString(&string_33687);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v28, &unk_30735) )
SetStringNull((int)&v28, (int)&unk_30735, v19, v20);
copyStringFromLocation((int)&string_52651, &v38, 1u, 2u);
copyString((int)&v28, (int)&string_52651);
deleteString(&string_52651);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v28, &unk_30735) )
SetStringNull((int)&v28, (int)&unk_30735, v21, v22);
deleteString(&v38);
}
GetStringBuf(&v29, &v28);
deleteString(&string_A782E192B81NICAIsan38Qz);
sub_DBAC(&v41);
deleteString(&v34);
copyString((int)&v25, (int)&v29);
v12 = &v29;
goto LABEL_40;
}
if ( std::operator==<char,std::char_traits<char>,std::allocator<char>>(&v25, "94DASIH78bdgskl998") )
sub_5F68((int)&v41, 0, (int)sub_8100, 0);
return deleteString(&v25);
}
后面的函数懒得分析,应该是代码解密的。先不管,看下反调线程。
三、反调试线程 B8BC
这个函数也加入了很多字符串垃圾指令。其主要做如下几件事:
1、解密字符串“tracePid”。
1、解密字符串“tracePid”。
2、解密字符串“%*s%d”。
3、解密字符串“/proc/self/status”。
4、打开文件
“/proc/self/status”,一行一行读取,一直找到
“tracePid”为止。
5、调用scanf获取tracePid的数值。
6、如果
tracePid > 0, 则全局变量0x36098 = 0xBD9813BA,否则
0x36098 = 0x2333AE83。
7 、线程sleep 5秒。
0x36098 的值在对输入key进行变换时有用到,当程序处于调试状态时,会使key计算出错。过掉反调试方法很多,但是无论用啥方法必须要使0x36098 赋值为
0x2333AE83 。可以让线程进入死循环,或者让线程终止,或者让线程sleep(100000)秒,也可以直接修改逻辑让tracePid恒等于0。
void anti_debug()
{
unsigned int v0; // r9
int v1; // r2
int v2; // r3
const char *v3; // r1
int v4; // r2
int v5; // r3
int v6; // r2
int v7; // r3
int v8; // r2
int v9; // r3
signed int v10; // r10
unsigned int i; // r7
int v12; // r11
unsigned int j; // r6
signed int v14; // r9
unsigned int k; // r7
int v16; // r10
unsigned int v17; // r5
signed int v18; // r9
unsigned int l; // r9
int v20; // r11
unsigned int v21; // r5
unsigned int v22; // r8
int v23; // r2
int v24; // r3
const char *v25; // r1
int v26; // r2
int v27; // r3
int v28; // r2
int v29; // r3
int v30; // r2
int v31; // r3
int v32; // r3
char *readBuf_1; // r6
int v34; // r3
char *v35; // r7
int string_format_3; // r0
int v37; // r3
int v38; // r2
char *v39; // r10
int fd; // [sp+0h] [bp-1080h]
char v41; // [sp+8h] [bp-1078h]
char v42; // [sp+8h] [bp-1078h]
unsigned int v43; // [sp+18h] [bp-1068h]
int *v44; // [sp+18h] [bp-1068h]
int new_20; // [sp+1Ch] [bp-1064h]
char v46; // [sp+30h] [bp-1050h]
unsigned __int8 read_1ByteBuf; // [sp+58h] [bp-1028h]
int string_W302sWW6O6WWb0b6W; // [sp+5Ch] [bp-1024h]
char string_AG60As3wWPCAsA6A; // [sp+60h] [bp-1020h]
int string_NULL_U8; // [sp+64h] [bp-101Ch]
_BYTE *string_NULL; // [sp+68h] [bp-1018h]
int string_racePid; // [sp+6Ch] [bp-1014h]
int string_AG60As3wWPCAsA6A_1; // [sp+70h] [bp-1010h]
int sring_P5U6UP2UsCP20CUW2; // [sp+74h] [bp-100Ch]
int string_proc_self_status; // [sp+78h] [bp-1008h]
int buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2; // [sp+7Ch] [bp-1004h]
int string_format_2; // [sp+80h] [bp-1000h]
int string_format_1; // [sp+84h] [bp-FFCh]
int string_NULL_3; // [sp+88h] [bp-FF8h]
char v60; // [sp+8Ch] [bp-FF4h]
int string_UYetrq736UMayFindMe233; // [sp+90h] [bp-FF0h]
char string_W302sWW6O6WWb0b6W_2; // [sp+94h] [bp-FECh]
char v63; // [sp+98h] [bp-FE8h]
char string_D; // [sp+9Ch] [bp-FE4h]
int string_BQ366EYdQs_1; // [sp+A0h] [bp-FE0h]
char string_22_1; // [sp+A4h] [bp-FDCh]
int string_A782E192B81NICAIsan38Qz; // [sp+A8h] [bp-FD8h]
char string_1321; // [sp+ACh] [bp-FD4h]
char string_BQ366EYdQs; // [sp+B0h] [bp-FD0h]
char string_AG60As3wWPCAsA6A_2; // [sp+B4h] [bp-FCCh]
int string_NULL_2; // [sp+B8h] [bp-FC8h]
int string_BQ366EYdQs_2; // [sp+BCh] [bp-FC4h]
char string_22_3; // [sp+C0h] [bp-FC0h]
int string_A782E192B81NICAIsan38Qz_1; // [sp+C4h] [bp-FBCh]
char string_1321_1; // [sp+C8h] [bp-FB8h]
char v76; // [sp+CCh] [bp-FB4h]
char string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2; // [sp+D0h] [bp-FB0h]
int string_NULL_1; // [sp+D4h] [bp-FACh]
int string_BQ366EYdQs_3; // [sp+D8h] [bp-FA8h]
char string_22_4; // [sp+DCh] [bp-FA4h]
char v81; // [sp+E0h] [bp-FA0h]
char v82; // [sp+E4h] [bp-F9Ch]
char v83; // [sp+E8h] [bp-F98h]
char string_PW0PwWZ60Z_1; // [sp+ECh] [bp-F94h]
int string_format; // [sp+F0h] [bp-F90h]
int string_UYetrq736UMayFindMe233_2; // [sp+F4h] [bp-F8Ch]
char string_UYetrq736UMayFindMe233_1_1; // [sp+F8h] [bp-F88h]
char string_U8; // [sp+FCh] [bp-F84h]
char v89; // [sp+100h] [bp-F80h]
int string_A782E192B81NICAIsan38Qz_2; // [sp+104h] [bp-F7Ch]
char string_100; // [sp+108h] [bp-F78h]
int string_A782E192B81NICAIsan38Qz_3; // [sp+10Ch] [bp-F74h]
char buf_3928; // [sp+110h] [bp-F70h]
char v94; // [sp+114h] [bp-F6Ch]
int v95; // [sp+11Ch] [bp-F64h]
int v96; // [sp+120h] [bp-F60h]
char v97; // [sp+1D0h] [bp-EB0h]
char string_22; // [sp+1D8h] [bp-EA8h]
int v99; // [sp+1DCh] [bp-EA4h]
char v100; // [sp+28Ch] [bp-DF4h]
int v101; // [sp+294h] [bp-DECh]
char v102; // [sp+298h] [bp-DE8h]
char v103; // [sp+348h] [bp-D38h]
int string_22_2; // [sp+350h] [bp-D30h]
char v105; // [sp+354h] [bp-D2Ch]
char v106; // [sp+404h] [bp-C7Ch]
int v107; // [sp+40Ch] [bp-C74h]
int v108; // [sp+410h] [bp-C70h]
char string_readBuf; // [sp+4C0h] [bp-BC0h]
char v110; // [sp+4C8h] [bp-BB8h]
int v111; // [sp+4CCh] [bp-BB4h]
char tracePid; // [sp+57Ch] [bp-B04h]
int v113; // [sp+584h] [bp-AFCh]
char v114; // [sp+588h] [bp-AF8h]
char string_33687; // [sp+638h] [bp-A48h]
int v116; // [sp+640h] [bp-A40h]
int v117; // [sp+644h] [bp-A3Ch]
int string_DU8NABvA_1; // [sp+6F4h] [bp-98Ch]
int v119; // [sp+6FCh] [bp-984h]
int v120; // [sp+700h] [bp-980h]
char string_DU8NABvA; // [sp+7B0h] [bp-8D0h]
char string_UYetrq736UMayFindMe233_1; // [sp+7B8h] [bp-8C8h]
int v123; // [sp+7BCh] [bp-8C4h]
char readBuf; // [sp+86Ch] [bp-814h]
char v125; // [sp+96Bh] [bp-715h]
char v126; // [sp+C54h] [bp-42Ch]
char v127[1003]; // [sp+C55h] [bp-42Bh]
int v128; // [sp+1054h] [bp-2Ch]
v128 = *(_DWORD *)off_35CEC;
new_20 = operator new(0x20u);
sub_C8A0(new_20);
newString1(&string_W302sWW6O6WWb0b6W, (int)"W302sWW6O6WWb0b6W");
GetStringBuf(&string_NULL_U8, &string_W302sWW6O6WWb0b6W);
newString1(&string_UYetrq736UMayFindMe233, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&v94, 24);
sub_F0A4((int)&v95, &string_NULL_U8);
sub_DD44(&string_W302sWW6O6WWb0b6W_2, &v96);
sub_191A8(&string_NULL_U8);
v0 = *(unsigned __int8 *)string_NULL_U8;
if ( std::operator==<char>(&string_UYetrq736UMayFindMe233, &string_W302sWW6O6WWb0b6W_2) )
{
newString1(&string_DU8NABvA, (int)"DABD786ABH");
if ( v0 == 1 )
{
v3 = "8a7d9Vduya";
}
else if ( v0 >= 1 )
{
if ( v0 == 2 )
v3 = "73812huvVQ";
else
v3 = "daj87YBDASYBvy";
}
else
{
v3 = "UDHA47DBsd";
}
SetStringNull((int)&string_NULL_U8, (int)v3, v1, v2);
copyString((int)&string_NULL_U8, (int)&string_DU8NABvA);
deleteString(&string_DU8NABvA);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_UYetrq736UMayFindMe233,
&string_W302sWW6O6WWb0b6W_2) )
{
SetStringNull((int)&string_NULL_U8, (int)&unk_30735, v4, v5);
newString1(&string_DU8NABvA, (int)"DU8NABvA");
copyStringFromLocation((int)&string_D, &string_DU8NABvA, 0, 1u);
copyString((int)&string_NULL_U8, (int)&string_D);
deleteString(&string_D);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_U8, &unk_30735) )
SetStringNull((int)&string_NULL_U8, (int)&unk_30735, v6, v7);
copyStringFromLocation((int)&v63, &string_DU8NABvA, 1u, 2u);
copyString((int)&string_NULL_U8, (int)&v63);
deleteString(&v63);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_U8, &unk_30735) )
SetStringNull((int)&string_NULL_U8, (int)&unk_30735, v8, v9);
deleteString(&string_DU8NABvA);
}
GetStringBuf(&string_NULL, &string_NULL_U8);
deleteString(&string_W302sWW6O6WWb0b6W_2);
sub_DBAC(&v94);
deleteString(&string_UYetrq736UMayFindMe233);
sub_B870((int *)&string_AG60As3wWPCAsA6A, (int)"AG60As3wWPCAsA6A", &string_NULL);
deleteString(&string_NULL);
deleteString(&string_NULL_U8);
GetStringBuf(&string_AG60As3wWPCAsA6A_1, (int *)&string_AG60As3wWPCAsA6A);
newString1(&string_racePid, (int)&unk_30735);
GetStringBuf(&string_AG60As3wWPCAsA6A_2, &string_AG60As3wWPCAsA6A_1);
newString1(&string_NULL_2, (int)&unk_30735);
newString1(&string_BQ366EYdQs_1, (int)"BQ366EYdQs3716UCANDOIT666");
CreateUnknowStructFunc((int)&v97, 24);
hextoString((int)&string_22, 22);
sub_DD44(&string_22_1, &v99);
copyStringFromLocation((int)&string_BQ366EYdQs, &string_BQ366EYdQs_1, 0, 0xAu);
StringChange((int)&string_BQ366EYdQs_1, (int)&string_BQ366EYdQs);
deleteString(&string_BQ366EYdQs);
if ( std::operator==<char>(&string_BQ366EYdQs_1, &string_22_1) )
v10 = 50;
else
v10 = 1; // =1
deleteString(&string_22_1);
sub_DBAC(&v97);
deleteString(&string_BQ366EYdQs_1);
if ( !(*(_DWORD *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 - 12) % (unsigned int)(v10 + 1)) )
{
for ( i = 0; i < *(_DWORD *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 - 12) / (unsigned int)(v10 + 1); ++i )
{
v41 = *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2
+ *(_DWORD *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 - 12)
- 1
- i)
+ 119) | 16 * *((_BYTE *)off_35D00 + *(unsigned __int8 *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 + i) + 0x77);
newString1(&string_A782E192B81NICAIsan38Qz, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&v100, 24);
hextoString((int)&v101, 1321);
sub_DD44(&string_1321, &v102);
LOBYTE(v12) = 0xF6u;
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz, &string_1321) )
LOBYTE(v12) = 41;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_1321,
&string_A782E192B81NICAIsan38Qz) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v12 = std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");// v12=0
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v12 )
LOBYTE(v12) = (_BYTE)off_35CFC + 79;
}
deleteString(&string_1321);
sub_DBAC(&v100);
deleteString(&string_A782E192B81NICAIsan38Qz);
CreateStringByChar(&string_NULL_2, v41 + v12);// 空字符串
}
}
StringChange((int)&string_AG60As3wWPCAsA6A_1, (int)&string_NULL_2);
deleteString(&string_NULL_2);
deleteString(&string_AG60As3wWPCAsA6A_2);
for ( j = 0; j < *(_DWORD *)(string_AG60As3wWPCAsA6A_1 - 12); ++j )
CreateStringByChar(
&string_racePid,
*((_BYTE *)off_35CF0 + (*(unsigned __int8 *)(string_AG60As3wWPCAsA6A_1 + j) ^ 0x22) + 31));
deleteString(&string_AG60As3wWPCAsA6A_1);
newString1(&sring_P5U6UP2UsCP20CUW2, (int)"P5U6UP2UsCP20CUW2");
stringStrCat(&buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2, &string_W302sWW6O6WWb0b6W, (int)&sring_P5U6UP2UsCP20CUW2);
newString1(&string_proc_self_status, (int)&unk_30735);
GetStringBuf(&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2, &buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2);
newString1(&string_NULL_1, (int)&unk_30735);
newString1(&string_BQ366EYdQs_2, (int)"BQ366EYdQs3716UCANDOIT666");
CreateUnknowStructFunc((int)&v103, 24);
hextoString((int)&string_22_2, 22);
sub_DD44(&string_22_3, &v105);
copyStringFromLocation((int)&v76, &string_BQ366EYdQs_2, 0, 0xAu);
StringChange((int)&string_BQ366EYdQs_2, (int)&v76);
deleteString(&v76);
if ( std::operator==<char>(&string_BQ366EYdQs_2, &string_22_3) )
v14 = 50;
else
v14 = 1;
deleteString(&string_22_3);
sub_DBAC(&v103);
deleteString(&string_BQ366EYdQs_2);
if ( !(*(_DWORD *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12) % (unsigned int)(v14 + 1)) )
{
for ( k = 0; k < *(_DWORD *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12) / (unsigned int)(v14 + 1); ++k )
{
v42 = *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2
+ *(_DWORD *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12)
- 1
- k)
+ 119) | 16
* *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 + k)
+ 119);
newString1(&string_A782E192B81NICAIsan38Qz_1, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&v106, 24);
hextoString((int)&v107, 1321);
sub_DD44(&string_1321_1, &v108);
LOBYTE(v16) = -10;
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz_1, &string_1321_1) )
LOBYTE(v16) = 41;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_1321_1,
&string_A782E192B81NICAIsan38Qz_1) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v16 = std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v16 )
LOBYTE(v16) = (_BYTE)off_35CFC + 79;
}
deleteString(&string_1321_1);
sub_DBAC(&v106);
deleteString(&string_A782E192B81NICAIsan38Qz_1);
CreateStringByChar(&string_NULL_1, v42 + v16);
}
}
StringChange((int)&buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2, (int)&string_NULL_1);
v17 = 0;
deleteString(&string_NULL_1);
deleteString(&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2);
while ( v17 < *(_DWORD *)(buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12) )
CreateStringByChar(
&string_proc_self_status,
*((_BYTE *)off_35CF4 + (*(unsigned __int8 *)(buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 + v17++) ^ 0x11) + 31));
deleteString(&buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2);
newString1(&string_format_1, (int)"PW0PwWZ60Z");
newString1(&string_format_2, (int)&unk_30735);
GetStringBuf(&string_PW0PwWZ60Z_1, &string_format_1);
newString1(&string_format, (int)&unk_30735);
newString1(&string_BQ366EYdQs_3, (int)"BQ366EYdQs3716UCANDOIT666");
CreateUnknowStructFunc((int)&string_readBuf, 24);
hextoString((int)&v110, 22);
sub_DD44(&string_22_4, &v111);
copyStringFromLocation((int)&v83, &string_BQ366EYdQs_3, 0, 0xAu);
StringChange((int)&string_BQ366EYdQs_3, (int)&v83);
deleteString(&v83);
if ( std::operator==<char>(&string_BQ366EYdQs_3, &string_22_4) )
v18 = 50;
else
v18 = 1;
deleteString(&string_22_4);
sub_DBAC(&string_readBuf);
deleteString(&string_BQ366EYdQs_3);
v43 = v18 + 1; // v43=2
if ( !(*(_DWORD *)(*(_DWORD *)&string_PW0PwWZ60Z_1 - 12) % (unsigned int)(v18 + 1)) )
{
for ( l = 0; l < *(_DWORD *)(*(_DWORD *)&string_PW0PwWZ60Z_1 - 12) / v43; ++l )
{
v46 = *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_PW0PwWZ60Z_1
+ *(_DWORD *)(*(_DWORD *)&string_PW0PwWZ60Z_1 - 12)
- 1
- l)
+ 119) | 16 * *((_BYTE *)off_35D00 + *(unsigned __int8 *)(*(_DWORD *)&string_PW0PwWZ60Z_1 + l) + 119);
newString1(&v81, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&tracePid, 24);
hextoString((int)&v113, 1321);
sub_DD44(&v82, &v114);
LOBYTE(v20) = -10;
if ( !std::operator==<char>(&v81, &v82) )
LOBYTE(v20) = 41;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v82, &v81) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v20 = std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v20 )
LOBYTE(v20) = (_BYTE)off_35CFC + 79;
}
deleteString(&v82);
sub_DBAC(&tracePid);
deleteString(&v81);
CreateStringByChar(&string_format, v46 + v20);// %*s%d
}
}
StringChange((int)&string_format_1, (int)&string_format);
v21 = 0;
deleteString(&string_format);
deleteString(&string_PW0PwWZ60Z_1);
while ( v21 < *(_DWORD *)(string_format_1 - 12) )
CreateStringByChar(
&string_format_2,
*((_BYTE *)off_35CF0 + (*(unsigned __int8 *)(string_format_1 + v21++) ^ 0x22) + 31));
deleteString(&string_format_1);
memset_0((int)&v126, 0, 1024);
*g_0xDA78DE8A = 0xDA78DE8A; // 0xDA78DE8A
GetStringBuf(&string_NULL_3, &string_proc_self_status);
newString1(&string_UYetrq736UMayFindMe233_2, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
sub_F0A4((int)&string_UYetrq736UMayFindMe233_1, &string_NULL_3);
sub_DD44(&string_UYetrq736UMayFindMe233_1_1, &v123);
sub_191A8(&string_NULL_3);
v22 = *(unsigned __int8 *)string_NULL_3;
if ( std::operator==<char>(&string_UYetrq736UMayFindMe233_2, &string_UYetrq736UMayFindMe233_1_1) )
{
newString1(&string_DU8NABvA_1, (int)"DABD786ABH");
if ( v22 == 1 )
{
v25 = "8a7d9Vduya";
}
else if ( v22 >= 1 )
{
if ( v22 == 2 )
v25 = "73812huvVQ";
else
v25 = "daj87YBDASYBvy";
}
else
{
v25 = "UDHA47DBsd";
}
SetStringNull((int)&string_NULL_3, (int)v25, v23, v24);
copyString((int)&string_NULL_3, (int)&string_DU8NABvA_1);
deleteString(&string_DU8NABvA_1);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_UYetrq736UMayFindMe233_2,
&string_UYetrq736UMayFindMe233_1_1) )
{
SetStringNull((int)&string_NULL_3, (int)&unk_30735, v26, v27);// 走这里
newString1(&string_DU8NABvA_1, (int)"DU8NABvA");
copyStringFromLocation((int)&v89, &string_DU8NABvA_1, 0, 1u);
copyString((int)&string_NULL_3, (int)&v89);
deleteString(&v89);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_3, &unk_30735) )
SetStringNull((int)&string_NULL_3, (int)&unk_30735, v28, v29);
copyStringFromLocation((int)&string_U8, &string_DU8NABvA_1, 1u, 2u);
copyString((int)&string_NULL_3, (int)&string_U8);
deleteString(&string_U8);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_3, &unk_30735) )
SetStringNull((int)&string_NULL_3, (int)&unk_30735, v30, v31);
deleteString(&string_DU8NABvA_1);
}
GetStringBuf(&v60, &string_NULL_3);
deleteString(&string_UYetrq736UMayFindMe233_1_1);
sub_DBAC(&string_DU8NABvA);
deleteString(&string_UYetrq736UMayFindMe233_2);
copyString((int)&string_racePid, (int)&v60);
deleteString(&v60);
deleteString(&string_NULL_3);
while ( 1 )
{
fd = (*(int (__fastcall **)(int, _DWORD))(new_20 + 20))(string_proc_self_status, 0);// fopen
if ( fd )
{
memset_0((int)&readBuf, 0, 1000);
while ( 1 ) // 读一行
{
*(_WORD *)&read_1ByteBuf = 0;
readBuf_1 = &readBuf;
do
{
if ( !(*(int (__fastcall **)(int, unsigned __int8 *, signed int))(new_20 + 12))(fd, &read_1ByteBuf, 1) )// read
break;
v32 = read_1ByteBuf;
*readBuf_1++ = read_1ByteBuf;
if ( v32 == 0xA )
break;
}
while ( readBuf_1 != &v125 );
v34 = read_1ByteBuf;
*readBuf_1 = 0;
if ( !v34 && readBuf_1 == &readBuf || !&readBuf )
goto LABEL_83;
newString1(&string_readBuf, (int)&readBuf);
if ( stringCmp((int)&string_readBuf, &string_racePid, 0) != -1 )
break;
deleteString(&string_readBuf);
}
newString1(&string_A782E192B81NICAIsan38Qz_2, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&string_33687, 24);
hextoString((int)&v116, 100);
sub_DD44(&string_100, &v117);
if ( std::operator==<char>(&string_A782E192B81NICAIsan38Qz_2, &string_100) )
v35 = (_BYTE *)(&word_30 + 1);
else
v35 = (char *)&dword_64;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_100,
&string_A782E192B81NICAIsan38Qz_2) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v35 = (char *)std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v35 )
v35 = (char *)off_35CFC + 303183;
}
deleteString(&string_100);
sub_DBAC(&string_33687);
deleteString(&string_A782E192B81NICAIsan38Qz_2);
string_format_3 = string_format_2;
*(_DWORD *)&tracePid = v35;
v37 = 0;
v38 = *(_DWORD *)(string_format_2 - 12);
while ( v37 < v38 )
{
*(&v126 + v37) = *(_BYTE *)(string_format_3 + v37);
++v37;
}
v127[v38 & ~(v38 >> 31)] = 0;
(*(void (__fastcall **)(_DWORD))(new_20 + 4))(*(_DWORD *)&string_readBuf);// sscanf
if ( *(_DWORD *)&tracePid <= 0 )
{
v44 = g_0xDA78DE8A;
newString1(&string_A782E192B81NICAIsan38Qz_3, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&string_DU8NABvA_1, 24);
hextoString((int)&v119, 3928);
sub_DD44(&buf_3928, &v120);
v39 = (_BYTE *)(&stru_F18 + 13);
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz_3, &buf_3928) )
v39 = (_BYTE *)&stru_F58;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&buf_3928,
&string_A782E192B81NICAIsan38Qz_3) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_33687, &v123);
v39 = (char *)std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_33687, "0d87a");
deleteString(&string_33687);
sub_DBAC(&string_DU8NABvA);
if ( v39 )
v39 = (char *)off_35CFC + 303183;
}
deleteString(&buf_3928);
sub_DBAC(&string_DU8NABvA_1);
deleteString(&string_A782E192B81NICAIsan38Qz_3);
*v44 = (int)(v39 + 0x2333AE83);
}
else
{
*g_0xDA78DE8A = 0xBD9813BA;
((void (__fastcall *)(_DWORD))loc_7B68)(0);
}
deleteString(&string_readBuf);
LABEL_83:
(*(void (__fastcall **)(int))(new_20 + 16))(fd);
}
(*(void (__fastcall **)(signed int))(new_20 + 24))(5);
}
}
四、jni_onload函数
void anti_debug()
{
unsigned int v0; // r9
int v1; // r2
int v2; // r3
const char *v3; // r1
int v4; // r2
int v5; // r3
int v6; // r2
int v7; // r3
int v8; // r2
int v9; // r3
signed int v10; // r10
unsigned int i; // r7
int v12; // r11
unsigned int j; // r6
signed int v14; // r9
unsigned int k; // r7
int v16; // r10
unsigned int v17; // r5
signed int v18; // r9
unsigned int l; // r9
int v20; // r11
unsigned int v21; // r5
unsigned int v22; // r8
int v23; // r2
int v24; // r3
const char *v25; // r1
int v26; // r2
int v27; // r3
int v28; // r2
int v29; // r3
int v30; // r2
int v31; // r3
int v32; // r3
char *readBuf_1; // r6
int v34; // r3
char *v35; // r7
int string_format_3; // r0
int v37; // r3
int v38; // r2
char *v39; // r10
int fd; // [sp+0h] [bp-1080h]
char v41; // [sp+8h] [bp-1078h]
char v42; // [sp+8h] [bp-1078h]
unsigned int v43; // [sp+18h] [bp-1068h]
int *v44; // [sp+18h] [bp-1068h]
int new_20; // [sp+1Ch] [bp-1064h]
char v46; // [sp+30h] [bp-1050h]
unsigned __int8 read_1ByteBuf; // [sp+58h] [bp-1028h]
int string_W302sWW6O6WWb0b6W; // [sp+5Ch] [bp-1024h]
char string_AG60As3wWPCAsA6A; // [sp+60h] [bp-1020h]
int string_NULL_U8; // [sp+64h] [bp-101Ch]
_BYTE *string_NULL; // [sp+68h] [bp-1018h]
int string_racePid; // [sp+6Ch] [bp-1014h]
int string_AG60As3wWPCAsA6A_1; // [sp+70h] [bp-1010h]
int sring_P5U6UP2UsCP20CUW2; // [sp+74h] [bp-100Ch]
int string_proc_self_status; // [sp+78h] [bp-1008h]
int buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2; // [sp+7Ch] [bp-1004h]
int string_format_2; // [sp+80h] [bp-1000h]
int string_format_1; // [sp+84h] [bp-FFCh]
int string_NULL_3; // [sp+88h] [bp-FF8h]
char v60; // [sp+8Ch] [bp-FF4h]
int string_UYetrq736UMayFindMe233; // [sp+90h] [bp-FF0h]
char string_W302sWW6O6WWb0b6W_2; // [sp+94h] [bp-FECh]
char v63; // [sp+98h] [bp-FE8h]
char string_D; // [sp+9Ch] [bp-FE4h]
int string_BQ366EYdQs_1; // [sp+A0h] [bp-FE0h]
char string_22_1; // [sp+A4h] [bp-FDCh]
int string_A782E192B81NICAIsan38Qz; // [sp+A8h] [bp-FD8h]
char string_1321; // [sp+ACh] [bp-FD4h]
char string_BQ366EYdQs; // [sp+B0h] [bp-FD0h]
char string_AG60As3wWPCAsA6A_2; // [sp+B4h] [bp-FCCh]
int string_NULL_2; // [sp+B8h] [bp-FC8h]
int string_BQ366EYdQs_2; // [sp+BCh] [bp-FC4h]
char string_22_3; // [sp+C0h] [bp-FC0h]
int string_A782E192B81NICAIsan38Qz_1; // [sp+C4h] [bp-FBCh]
char string_1321_1; // [sp+C8h] [bp-FB8h]
char v76; // [sp+CCh] [bp-FB4h]
char string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2; // [sp+D0h] [bp-FB0h]
int string_NULL_1; // [sp+D4h] [bp-FACh]
int string_BQ366EYdQs_3; // [sp+D8h] [bp-FA8h]
char string_22_4; // [sp+DCh] [bp-FA4h]
char v81; // [sp+E0h] [bp-FA0h]
char v82; // [sp+E4h] [bp-F9Ch]
char v83; // [sp+E8h] [bp-F98h]
char string_PW0PwWZ60Z_1; // [sp+ECh] [bp-F94h]
int string_format; // [sp+F0h] [bp-F90h]
int string_UYetrq736UMayFindMe233_2; // [sp+F4h] [bp-F8Ch]
char string_UYetrq736UMayFindMe233_1_1; // [sp+F8h] [bp-F88h]
char string_U8; // [sp+FCh] [bp-F84h]
char v89; // [sp+100h] [bp-F80h]
int string_A782E192B81NICAIsan38Qz_2; // [sp+104h] [bp-F7Ch]
char string_100; // [sp+108h] [bp-F78h]
int string_A782E192B81NICAIsan38Qz_3; // [sp+10Ch] [bp-F74h]
char buf_3928; // [sp+110h] [bp-F70h]
char v94; // [sp+114h] [bp-F6Ch]
int v95; // [sp+11Ch] [bp-F64h]
int v96; // [sp+120h] [bp-F60h]
char v97; // [sp+1D0h] [bp-EB0h]
char string_22; // [sp+1D8h] [bp-EA8h]
int v99; // [sp+1DCh] [bp-EA4h]
char v100; // [sp+28Ch] [bp-DF4h]
int v101; // [sp+294h] [bp-DECh]
char v102; // [sp+298h] [bp-DE8h]
char v103; // [sp+348h] [bp-D38h]
int string_22_2; // [sp+350h] [bp-D30h]
char v105; // [sp+354h] [bp-D2Ch]
char v106; // [sp+404h] [bp-C7Ch]
int v107; // [sp+40Ch] [bp-C74h]
int v108; // [sp+410h] [bp-C70h]
char string_readBuf; // [sp+4C0h] [bp-BC0h]
char v110; // [sp+4C8h] [bp-BB8h]
int v111; // [sp+4CCh] [bp-BB4h]
char tracePid; // [sp+57Ch] [bp-B04h]
int v113; // [sp+584h] [bp-AFCh]
char v114; // [sp+588h] [bp-AF8h]
char string_33687; // [sp+638h] [bp-A48h]
int v116; // [sp+640h] [bp-A40h]
int v117; // [sp+644h] [bp-A3Ch]
int string_DU8NABvA_1; // [sp+6F4h] [bp-98Ch]
int v119; // [sp+6FCh] [bp-984h]
int v120; // [sp+700h] [bp-980h]
char string_DU8NABvA; // [sp+7B0h] [bp-8D0h]
char string_UYetrq736UMayFindMe233_1; // [sp+7B8h] [bp-8C8h]
int v123; // [sp+7BCh] [bp-8C4h]
char readBuf; // [sp+86Ch] [bp-814h]
char v125; // [sp+96Bh] [bp-715h]
char v126; // [sp+C54h] [bp-42Ch]
char v127[1003]; // [sp+C55h] [bp-42Bh]
int v128; // [sp+1054h] [bp-2Ch]
v128 = *(_DWORD *)off_35CEC;
new_20 = operator new(0x20u);
sub_C8A0(new_20);
newString1(&string_W302sWW6O6WWb0b6W, (int)"W302sWW6O6WWb0b6W");
GetStringBuf(&string_NULL_U8, &string_W302sWW6O6WWb0b6W);
newString1(&string_UYetrq736UMayFindMe233, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&v94, 24);
sub_F0A4((int)&v95, &string_NULL_U8);
sub_DD44(&string_W302sWW6O6WWb0b6W_2, &v96);
sub_191A8(&string_NULL_U8);
v0 = *(unsigned __int8 *)string_NULL_U8;
if ( std::operator==<char>(&string_UYetrq736UMayFindMe233, &string_W302sWW6O6WWb0b6W_2) )
{
newString1(&string_DU8NABvA, (int)"DABD786ABH");
if ( v0 == 1 )
{
v3 = "8a7d9Vduya";
}
else if ( v0 >= 1 )
{
if ( v0 == 2 )
v3 = "73812huvVQ";
else
v3 = "daj87YBDASYBvy";
}
else
{
v3 = "UDHA47DBsd";
}
SetStringNull((int)&string_NULL_U8, (int)v3, v1, v2);
copyString((int)&string_NULL_U8, (int)&string_DU8NABvA);
deleteString(&string_DU8NABvA);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_UYetrq736UMayFindMe233,
&string_W302sWW6O6WWb0b6W_2) )
{
SetStringNull((int)&string_NULL_U8, (int)&unk_30735, v4, v5);
newString1(&string_DU8NABvA, (int)"DU8NABvA");
copyStringFromLocation((int)&string_D, &string_DU8NABvA, 0, 1u);
copyString((int)&string_NULL_U8, (int)&string_D);
deleteString(&string_D);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_U8, &unk_30735) )
SetStringNull((int)&string_NULL_U8, (int)&unk_30735, v6, v7);
copyStringFromLocation((int)&v63, &string_DU8NABvA, 1u, 2u);
copyString((int)&string_NULL_U8, (int)&v63);
deleteString(&v63);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_U8, &unk_30735) )
SetStringNull((int)&string_NULL_U8, (int)&unk_30735, v8, v9);
deleteString(&string_DU8NABvA);
}
GetStringBuf(&string_NULL, &string_NULL_U8);
deleteString(&string_W302sWW6O6WWb0b6W_2);
sub_DBAC(&v94);
deleteString(&string_UYetrq736UMayFindMe233);
sub_B870((int *)&string_AG60As3wWPCAsA6A, (int)"AG60As3wWPCAsA6A", &string_NULL);
deleteString(&string_NULL);
deleteString(&string_NULL_U8);
GetStringBuf(&string_AG60As3wWPCAsA6A_1, (int *)&string_AG60As3wWPCAsA6A);
newString1(&string_racePid, (int)&unk_30735);
GetStringBuf(&string_AG60As3wWPCAsA6A_2, &string_AG60As3wWPCAsA6A_1);
newString1(&string_NULL_2, (int)&unk_30735);
newString1(&string_BQ366EYdQs_1, (int)"BQ366EYdQs3716UCANDOIT666");
CreateUnknowStructFunc((int)&v97, 24);
hextoString((int)&string_22, 22);
sub_DD44(&string_22_1, &v99);
copyStringFromLocation((int)&string_BQ366EYdQs, &string_BQ366EYdQs_1, 0, 0xAu);
StringChange((int)&string_BQ366EYdQs_1, (int)&string_BQ366EYdQs);
deleteString(&string_BQ366EYdQs);
if ( std::operator==<char>(&string_BQ366EYdQs_1, &string_22_1) )
v10 = 50;
else
v10 = 1; // =1
deleteString(&string_22_1);
sub_DBAC(&v97);
deleteString(&string_BQ366EYdQs_1);
if ( !(*(_DWORD *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 - 12) % (unsigned int)(v10 + 1)) )
{
for ( i = 0; i < *(_DWORD *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 - 12) / (unsigned int)(v10 + 1); ++i )
{
v41 = *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2
+ *(_DWORD *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 - 12)
- 1
- i)
+ 119) | 16 * *((_BYTE *)off_35D00 + *(unsigned __int8 *)(*(_DWORD *)&string_AG60As3wWPCAsA6A_2 + i) + 0x77);
newString1(&string_A782E192B81NICAIsan38Qz, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&v100, 24);
hextoString((int)&v101, 1321);
sub_DD44(&string_1321, &v102);
LOBYTE(v12) = 0xF6u;
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz, &string_1321) )
LOBYTE(v12) = 41;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_1321,
&string_A782E192B81NICAIsan38Qz) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v12 = std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");// v12=0
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v12 )
LOBYTE(v12) = (_BYTE)off_35CFC + 79;
}
deleteString(&string_1321);
sub_DBAC(&v100);
deleteString(&string_A782E192B81NICAIsan38Qz);
CreateStringByChar(&string_NULL_2, v41 + v12);// 空字符串
}
}
StringChange((int)&string_AG60As3wWPCAsA6A_1, (int)&string_NULL_2);
deleteString(&string_NULL_2);
deleteString(&string_AG60As3wWPCAsA6A_2);
for ( j = 0; j < *(_DWORD *)(string_AG60As3wWPCAsA6A_1 - 12); ++j )
CreateStringByChar(
&string_racePid,
*((_BYTE *)off_35CF0 + (*(unsigned __int8 *)(string_AG60As3wWPCAsA6A_1 + j) ^ 0x22) + 31));
deleteString(&string_AG60As3wWPCAsA6A_1);
newString1(&sring_P5U6UP2UsCP20CUW2, (int)"P5U6UP2UsCP20CUW2");
stringStrCat(&buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2, &string_W302sWW6O6WWb0b6W, (int)&sring_P5U6UP2UsCP20CUW2);
newString1(&string_proc_self_status, (int)&unk_30735);
GetStringBuf(&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2, &buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2);
newString1(&string_NULL_1, (int)&unk_30735);
newString1(&string_BQ366EYdQs_2, (int)"BQ366EYdQs3716UCANDOIT666");
CreateUnknowStructFunc((int)&v103, 24);
hextoString((int)&string_22_2, 22);
sub_DD44(&string_22_3, &v105);
copyStringFromLocation((int)&v76, &string_BQ366EYdQs_2, 0, 0xAu);
StringChange((int)&string_BQ366EYdQs_2, (int)&v76);
deleteString(&v76);
if ( std::operator==<char>(&string_BQ366EYdQs_2, &string_22_3) )
v14 = 50;
else
v14 = 1;
deleteString(&string_22_3);
sub_DBAC(&v103);
deleteString(&string_BQ366EYdQs_2);
if ( !(*(_DWORD *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12) % (unsigned int)(v14 + 1)) )
{
for ( k = 0; k < *(_DWORD *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12) / (unsigned int)(v14 + 1); ++k )
{
v42 = *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2
+ *(_DWORD *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12)
- 1
- k)
+ 119) | 16
* *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 + k)
+ 119);
newString1(&string_A782E192B81NICAIsan38Qz_1, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&v106, 24);
hextoString((int)&v107, 1321);
sub_DD44(&string_1321_1, &v108);
LOBYTE(v16) = -10;
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz_1, &string_1321_1) )
LOBYTE(v16) = 41;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_1321_1,
&string_A782E192B81NICAIsan38Qz_1) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v16 = std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v16 )
LOBYTE(v16) = (_BYTE)off_35CFC + 79;
}
deleteString(&string_1321_1);
sub_DBAC(&v106);
deleteString(&string_A782E192B81NICAIsan38Qz_1);
CreateStringByChar(&string_NULL_1, v42 + v16);
}
}
StringChange((int)&buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2, (int)&string_NULL_1);
v17 = 0;
deleteString(&string_NULL_1);
deleteString(&string_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2);
while ( v17 < *(_DWORD *)(buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 - 12) )
CreateStringByChar(
&string_proc_self_status,
*((_BYTE *)off_35CF4 + (*(unsigned __int8 *)(buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2 + v17++) ^ 0x11) + 31));
deleteString(&buf_W302sWW6O6WWb0b6WP5U6UP2UsCP20CUW2);
newString1(&string_format_1, (int)"PW0PwWZ60Z");
newString1(&string_format_2, (int)&unk_30735);
GetStringBuf(&string_PW0PwWZ60Z_1, &string_format_1);
newString1(&string_format, (int)&unk_30735);
newString1(&string_BQ366EYdQs_3, (int)"BQ366EYdQs3716UCANDOIT666");
CreateUnknowStructFunc((int)&string_readBuf, 24);
hextoString((int)&v110, 22);
sub_DD44(&string_22_4, &v111);
copyStringFromLocation((int)&v83, &string_BQ366EYdQs_3, 0, 0xAu);
StringChange((int)&string_BQ366EYdQs_3, (int)&v83);
deleteString(&v83);
if ( std::operator==<char>(&string_BQ366EYdQs_3, &string_22_4) )
v18 = 50;
else
v18 = 1;
deleteString(&string_22_4);
sub_DBAC(&string_readBuf);
deleteString(&string_BQ366EYdQs_3);
v43 = v18 + 1; // v43=2
if ( !(*(_DWORD *)(*(_DWORD *)&string_PW0PwWZ60Z_1 - 12) % (unsigned int)(v18 + 1)) )
{
for ( l = 0; l < *(_DWORD *)(*(_DWORD *)&string_PW0PwWZ60Z_1 - 12) / v43; ++l )
{
v46 = *((_BYTE *)off_35D00
+ *(unsigned __int8 *)(*(_DWORD *)&string_PW0PwWZ60Z_1
+ *(_DWORD *)(*(_DWORD *)&string_PW0PwWZ60Z_1 - 12)
- 1
- l)
+ 119) | 16 * *((_BYTE *)off_35D00 + *(unsigned __int8 *)(*(_DWORD *)&string_PW0PwWZ60Z_1 + l) + 119);
newString1(&v81, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&tracePid, 24);
hextoString((int)&v113, 1321);
sub_DD44(&v82, &v114);
LOBYTE(v20) = -10;
if ( !std::operator==<char>(&v81, &v82) )
LOBYTE(v20) = 41;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&v82, &v81) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v20 = std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v20 )
LOBYTE(v20) = (_BYTE)off_35CFC + 79;
}
deleteString(&v82);
sub_DBAC(&tracePid);
deleteString(&v81);
CreateStringByChar(&string_format, v46 + v20);// %*s%d
}
}
StringChange((int)&string_format_1, (int)&string_format);
v21 = 0;
deleteString(&string_format);
deleteString(&string_PW0PwWZ60Z_1);
while ( v21 < *(_DWORD *)(string_format_1 - 12) )
CreateStringByChar(
&string_format_2,
*((_BYTE *)off_35CF0 + (*(unsigned __int8 *)(string_format_1 + v21++) ^ 0x22) + 31));
deleteString(&string_format_1);
memset_0((int)&v126, 0, 1024);
*g_0xDA78DE8A = 0xDA78DE8A; // 0xDA78DE8A
GetStringBuf(&string_NULL_3, &string_proc_self_status);
newString1(&string_UYetrq736UMayFindMe233_2, (int)"UYetrq736UMayFindMe233");
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
sub_F0A4((int)&string_UYetrq736UMayFindMe233_1, &string_NULL_3);
sub_DD44(&string_UYetrq736UMayFindMe233_1_1, &v123);
sub_191A8(&string_NULL_3);
v22 = *(unsigned __int8 *)string_NULL_3;
if ( std::operator==<char>(&string_UYetrq736UMayFindMe233_2, &string_UYetrq736UMayFindMe233_1_1) )
{
newString1(&string_DU8NABvA_1, (int)"DABD786ABH");
if ( v22 == 1 )
{
v25 = "8a7d9Vduya";
}
else if ( v22 >= 1 )
{
if ( v22 == 2 )
v25 = "73812huvVQ";
else
v25 = "daj87YBDASYBvy";
}
else
{
v25 = "UDHA47DBsd";
}
SetStringNull((int)&string_NULL_3, (int)v25, v23, v24);
copyString((int)&string_NULL_3, (int)&string_DU8NABvA_1);
deleteString(&string_DU8NABvA_1);
}
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_UYetrq736UMayFindMe233_2,
&string_UYetrq736UMayFindMe233_1_1) )
{
SetStringNull((int)&string_NULL_3, (int)&unk_30735, v26, v27);// 走这里
newString1(&string_DU8NABvA_1, (int)"DU8NABvA");
copyStringFromLocation((int)&v89, &string_DU8NABvA_1, 0, 1u);
copyString((int)&string_NULL_3, (int)&v89);
deleteString(&v89);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_3, &unk_30735) )
SetStringNull((int)&string_NULL_3, (int)&unk_30735, v28, v29);
copyStringFromLocation((int)&string_U8, &string_DU8NABvA_1, 1u, 2u);
copyString((int)&string_NULL_3, (int)&string_U8);
deleteString(&string_U8);
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(&string_NULL_3, &unk_30735) )
SetStringNull((int)&string_NULL_3, (int)&unk_30735, v30, v31);
deleteString(&string_DU8NABvA_1);
}
GetStringBuf(&v60, &string_NULL_3);
deleteString(&string_UYetrq736UMayFindMe233_1_1);
sub_DBAC(&string_DU8NABvA);
deleteString(&string_UYetrq736UMayFindMe233_2);
copyString((int)&string_racePid, (int)&v60);
deleteString(&v60);
deleteString(&string_NULL_3);
while ( 1 )
{
fd = (*(int (__fastcall **)(int, _DWORD))(new_20 + 20))(string_proc_self_status, 0);// fopen
if ( fd )
{
memset_0((int)&readBuf, 0, 1000);
while ( 1 ) // 读一行
{
*(_WORD *)&read_1ByteBuf = 0;
readBuf_1 = &readBuf;
do
{
if ( !(*(int (__fastcall **)(int, unsigned __int8 *, signed int))(new_20 + 12))(fd, &read_1ByteBuf, 1) )// read
break;
v32 = read_1ByteBuf;
*readBuf_1++ = read_1ByteBuf;
if ( v32 == 0xA )
break;
}
while ( readBuf_1 != &v125 );
v34 = read_1ByteBuf;
*readBuf_1 = 0;
if ( !v34 && readBuf_1 == &readBuf || !&readBuf )
goto LABEL_83;
newString1(&string_readBuf, (int)&readBuf);
if ( stringCmp((int)&string_readBuf, &string_racePid, 0) != -1 )
break;
deleteString(&string_readBuf);
}
newString1(&string_A782E192B81NICAIsan38Qz_2, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&string_33687, 24);
hextoString((int)&v116, 100);
sub_DD44(&string_100, &v117);
if ( std::operator==<char>(&string_A782E192B81NICAIsan38Qz_2, &string_100) )
v35 = (_BYTE *)(&word_30 + 1);
else
v35 = (char *)&dword_64;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&string_100,
&string_A782E192B81NICAIsan38Qz_2) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_DU8NABvA_1, &v123);
v35 = (char *)std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_DU8NABvA_1, "0d87a");
deleteString(&string_DU8NABvA_1);
sub_DBAC(&string_DU8NABvA);
if ( v35 )
v35 = (char *)off_35CFC + 303183;
}
deleteString(&string_100);
sub_DBAC(&string_33687);
deleteString(&string_A782E192B81NICAIsan38Qz_2);
string_format_3 = string_format_2;
*(_DWORD *)&tracePid = v35;
v37 = 0;
v38 = *(_DWORD *)(string_format_2 - 12);
while ( v37 < v38 )
{
*(&v126 + v37) = *(_BYTE *)(string_format_3 + v37);
++v37;
}
v127[v38 & ~(v38 >> 31)] = 0;
(*(void (__fastcall **)(_DWORD))(new_20 + 4))(*(_DWORD *)&string_readBuf);// sscanf
if ( *(_DWORD *)&tracePid <= 0 )
{
v44 = g_0xDA78DE8A;
newString1(&string_A782E192B81NICAIsan38Qz_3, (int)"A782E192B81NICAIsan38Qz");
CreateUnknowStructFunc((int)&string_DU8NABvA_1, 24);
hextoString((int)&v119, 3928);
sub_DD44(&buf_3928, &v120);
v39 = (_BYTE *)(&stru_F18 + 13);
if ( !std::operator==<char>(&string_A782E192B81NICAIsan38Qz_3, &buf_3928) )
v39 = (_BYTE *)&stru_F58;
if ( std::operator!=<char,std::char_traits<char>,std::allocator<char>>(
&buf_3928,
&string_A782E192B81NICAIsan38Qz_3) )
{
CreateUnknowStructFunc((int)&string_DU8NABvA, 24);
hextoString((int)&string_UYetrq736UMayFindMe233_1, 33687);
sub_DD44(&string_33687, &v123);
v39 = (char *)std::operator==<char,std::char_traits<char>,std::allocator<char>>(&string_33687, "0d87a");
deleteString(&string_33687);
sub_DBAC(&string_DU8NABvA);
if ( v39 )
v39 = (char *)off_35CFC + 303183;
}
deleteString(&buf_3928);
sub_DBAC(&string_DU8NABvA_1);
deleteString(&string_A782E192B81NICAIsan38Qz_3);
*v44 = (int)(v39 + 0x2333AE83);
}
else
{
*g_0xDA78DE8A = 0xBD9813BA;
((void (__fastcall *)(_DWORD))loc_7B68)(0);
}
deleteString(&string_readBuf);
LABEL_83:
(*(void (__fastcall **)(int))(new_20 + 16))(fd);
}
(*(void (__fastcall **)(signed int))(new_20 + 24))(5);
}
}
四、jni_onload函数
此函数不能直接下断点,否则可能会使代码解密失败,可以直接在libdvm中下断点。这个函数主要作用是动态注册native
lkdakjudajndn函数 从这里可知
lkdakjudajndn函数地址为:AC98。这个函数是真正的key校验过程。
五、函数
lkdakjudajndn
AC98
该函数比较大,主要做了如下事情:
1、将输入key的jstring对象转换成
cstring对象
。
2、key长度必须大于等于10,小于等于20。
3、将输入key置换到最后一位,变成key_change1。
4、索引
索引 0x7FC2 ,key_change2[i] = 0x7FC2[
key_change1[i]],得到
key_change2。
5、将
key_change2按照字节进行低4位与高四位的置换生成
key_change3。
6、将
key_change3以4字节形式与
0x36098内容进行异或,当处于调试状态是其值为
0xBD9813BA,否则为
0x2333AE83。得到
key_change4,从这里可知key长度为0x10。
7、将
key_change4相邻2字节交换,得到
key_change5 ,即
key_change5[2i] =
key_change4[2i+1]
key_change5[2i + 1] =
key_change4[2i]。
8、 再次
索引7FC2 ,key_change6[i] = 7FC2[
key_change5
[i]], 得到
key_change6。
9、将
key_change6的第一字符置换到最后位置,得到
key_change7。
[峰会]看雪.第八届安全开发者峰会10月23日上海龙之梦大酒店举办!
最后于 2018-6-25 15:40
被oooAooo编辑
,原因:
赞赏
|
|
|---|---|
|
|
 ,JNI_OnLoad是被Hook了导致没有走到那里的
|
|
|
他的文章
- 看雪CTF 2019总决赛 第六题 三道八佛 IDA脱壳脚本 5647
- [原创]看雪CTF2019Q3第四题WP 5909
- [原创]看雪CTF2019Q3 第二题WP 6708
- [2019看雪CTF晋级赛Q3第九题WP 12430
- [原创]看雪CTF2019晋级赛Q2第三题 4990
赞赏
雪币:
留言:
