[Original] Reverse analysis and reconstruction of an OLLVM-obfuscated algorithm
Posted 2021-11-30 16:51, 26490 views
https://bbs.pediy.com/thread-270220.htm
3W class exercise 1:
Work out the algorithm of the KanxueSign function

Runtime decryption of datadiv_decode64400029844576484

Analysing the function with Frida, the output can be split into 3 parts and handled separately;

Hook the function

Found that firstInstallTime + startTime is used for the subsequent computation

The operation (~v25 & 0xB5 | v25 & 0x4A) ^ 0xE9 turns 32 bytes into 64 bytes

The input arguments of sub_1B2DC are as follows:

Looks like SHA-256

Focus on analysing the sub_1D1E8 function; the reconstructed function is as follows (screenshot not reproduced):

Analyse sub_26300 and reconstruct it

Analyse sub_1B89C and reconstruct its algorithm

Use the first digit of the Java-layer randomLong value to look up dword_5C008

Hook sub_F11C: modified base64

Modified SHA-256 + table lookup + modified base64

2021-11-30 14:29:23.634 17199-17199/? E/KANXUE:
input: jPCAeDizNJqxh52TNFcabKlmX8KmxKws0NjF
output: 9c4d974eef6e8cba9dd8b260d19704a2f91e54fac3a9a3039e961b960d5bfa420207014700be00a800be020700be011c011c0207010501c1009e00ca019000be016b0239014b008200ca01c10071007102b6009e00bd016b0147019000bd01b801b802c701dd029701a200d401a2019c00bd020600a501e2009302490072012d01e00071007202a202b1023a02a200c902000200020701a900be02a2008200ca00be011c0190ahrybxzva3vxa6aLbQeMak4Mb38Kbe==
public static native String KanxueSign(String str)
corresponds to
sub_12AE4
.....
xmmword_5CB20              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7d48b22b20  4b 61 6e 78 75 65 53 69 67 6e 20 65 72 72 6f 72  KanxueSign error
7d48b22b30  21 00 00 00 00 00 00 00 4b 61 6e 78 75 65 53 69  !.......KanxueSi
7d48b22b40  67 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00  gn..............
 
stru_5CA60              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7d48b22a60  63 6f 6d 2f 6b 61 6e 78 75 65 2f 6f 6c 6c 76 6d  com/kanxue/ollvm
7d48b22a70  5f 6e 64 6b 2f 4d 61 69 6e 41 63 74 69 76 69 74  _ndk/MainActivit
7d48b22a80  79 00 00 00 00 00 00 00 73 74 61 72 74 54 69 6d  y.......startTim
7d48b22a90  65 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00  e...J...........
 
qword_5CA88              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7d48b22a88  73 74 61 72 74 54 69 6d 65 00 00 00 4a 00 00 00  startTime...J...
7d48b22a98  00 00 00 00 00 00 00 00 66 69 72 73 74 49 6e 73  ........firstIns
7d48b22aa8  74 61 6c 6c 54 69 6d 65 00 00 00 00 00 00 00 00  tallTime........
7d48b22ab8  00 00 00 00 00 00 00 00 70 61 63 6b 61 67 65 43  ........packageC
7d48b22ac8  6f 64 65 50 61 74 68 00 4c 6a 61 76 61 2f 6c 61  odePath.Ljava/la
7d48b22ad8  6e 67 2f 53 74 72 69 6e 67 3b 00 00 00 00 00 00  ng/String;......
7d48b22ae8  72 61 6e 64 6f 6d 4c 6f 6e 67 00 00 00 00 00 00  randomLong......
7d48b22af8  25 30 38 6c 78 25 30 38 6c 78 00 00 25 30 32 78  %08lx%08lx..%02x
7d48b22b08  00 00 00 00 25 30 34 78 00 00 00 00 00 00 00 00  ....%04x........
.....
output 9c4d974eef6e8cba9dd8b260d19704a2f91e54fac3a9a3039e961b960d5bfa420207014700be00a800be020700be011c011c0207010501c1009e00ca019000be016b0239014b008200ca01c10071007102b6009e00bd016b0147019000bd01b801b802c701dd029701a200d401a2019c00bd020600a501e2009302490072012d01e00071007202a202b1023a02a200c902000200020701a900be02a2008200ca00be011c0190ahrybxzva3vxa6aLbQeMak4Mb38Kbe==
9c4d974eef6e8cba9dd8b260d19704a2f91e54fac3a9a3039e961b960d5bfa42
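Added example (Python, not code from the original post or its attachment): split the logged output into the three parts the author names and check two of them against plaintexts that appear in the dumps further down. Part 1 is the 64-hex-character digest. Part 2 is a run of 4-hex-digit groups (rodata holds a "%04x" format string); there are 67 of them, the byte length of the packageCodePath dumped at 7da963b000, and repeated path characters line up with repeated groups ('/' is always 0207, 'a' always 00be, 'p' always 011c), so recover_code_table() treats it as a per-character lookup and refuses if any character maps to two codes. Part 3 is 32 characters ending in "==", the shape of base64 over 22 bytes, and the 22-byte time string dumped at 7d50734e50 is the candidate plaintext: standard base64 of it and the tail agree symbol for symbol under one substitution, which recover_b64_alphabet() extracts (this single sample exposes 18 of the 64 symbols; the rest cannot be recovered from the page). Both plaintext assignments are inferences from the dumps, not statements made in the post.

```python
# Added example (not from the original post): decompose the logged KanxueSign
# output into its three parts and test the two plaintext hypotheses against it.
import base64

# Output string copied from the E/KANXUE logcat line on the page.
OUTPUT = (
    "9c4d974eef6e8cba9dd8b260d19704a2f91e54fac3a9a3039e961b960d5bfa42"
    "0207014700be00a800be020700be011c011c0207010501c1009e00ca019000be"
    "016b0239014b008200ca01c10071007102b6009e00bd016b0147019000bd01b8"
    "01b802c701dd029701a200d401a2019c00bd020600a501e2009302490072012d"
    "01e00071007202a202b1023a02a200c902000200020701a900be02a2008200ca"
    "00be011c0190"
    "ahrybxzva3vxa6aLbQeMak4Mb38Kbe=="
)
PATH = b"/data/app/com.kanxue.ollvm_ndk_11-UAGTGO_0ZL5RS3flSsPHsw==/base.apk"  # 67 bytes, dumped at 7da963b000
TIME_KEY = b"17d69a08c0c17d21a24205"  # 22 bytes, dumped at 7d50734e50

HEX = set("0123456789abcdef")


def split_output(out):
    """Part 1: 32-byte digest as %02x (64 chars). Part 3: the base64-style tail,
    which may start with characters that are also hex digits (here 'a'), so the
    boundary is fixed by requiring the tail length to be a multiple of 4.
    Part 2: everything in between, decoded as %04x groups."""
    i = 64
    while i < len(out) and out[i] in HEX:
        i += 1
    tail_len = len(out) - i
    tail_len += (-tail_len) % 4
    tail_start = len(out) - tail_len
    codes = [int(out[j:j + 4], 16) for j in range(64, tail_start, 4)]
    return out[:64], codes, out[tail_start:]


def recover_code_table(codes, plaintext):
    """Hypothesis: one code per plaintext byte. Returns byte -> code, or None if
    the lengths differ or one byte would need two different codes."""
    if len(codes) != len(plaintext):
        return None
    table = {}
    for b, c in zip(plaintext, codes):
        if table.setdefault(b, c) != c:
            return None
    return table


def recover_b64_alphabet(tail, plaintext):
    """Hypothesis: base64 with a substituted alphabet. Compares standard base64 of
    the candidate plaintext with the tail and returns standard -> custom symbol,
    or None if padding misaligns or the substitution is not one-to-one."""
    std = base64.b64encode(plaintext).decode()
    if len(std) != len(tail):
        return None
    mapping = {}
    for s, c in zip(std, tail):
        if (s == "=") != (c == "="):
            return None
        if s != "=" and mapping.setdefault(s, c) != c:
            return None
    if len(set(mapping.values())) != len(mapping):
        return None
    return mapping
```

With more samples (different install paths, different time strings) the same two functions would fill in the remaining table entries and alphabet symbols; a contradiction across samples would mean the lookup also depends on something else, such as the randomLong digit the post mentions.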
sub_1A9D0(v48, s, v11);
sub_1B2DC(&v49, v27);
sub_1D1E8
sub_1AFC4(v48, v47);
sub_17F9C(v30, v31, v29[0]);
public static long firstInstallTime = System.currentTimeMillis();
firstInstallTime = getPackageManager().getPackageInfo(getPackageName(), 0).firstInstallTime;
public static long startTime = System.currentTimeMillis();
7d50734e50  31 37 64 36 39 61 30 38 63 30 63 31 37 64 32 31  17d69a08c0c17d21
7d50734e60  61 32 34 32 30 35 00 00 00 00 00 00 00 00 00 00  a24205..........
7d50734b10  6d 6b 38 6a 65 3d 6c 64 3f 6c 3f 6d 6b 38 6e 6d  mk8je=ld?l?mk8nm
7d50734b20  3d 6e 68 6e 6c 69 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  =nhnli\\\\\\\\\\
7d50734b30  5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  \\\\\\\\\\\\\\\\
7d50734b40  5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  \\\\\\\\\\\\\\\\
addr_1B2DC onEnter args0              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7d50734d80  67 e6 09 6a 85 ae 67 bb 72 f3 6e 3c 3a f5 4f a5  g..j..g.r.n<:.O.             // looks like SHA-256
7d50734d90  7f 52 0e 51 8c 68 05 9b ab d9 83 1f 19 cd e0 5b  .R.Q.h.........[
 
addr_1B2DC onEnter args1              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7d50734b10  6d 6b 38 6a 65 3d 6c 64 3f 6c 3f 6d 6b 38 6e 6d  mk8je=ld?l?mk8nm
7d50734b20  3d 6e 68 6e 6c 69 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  =nhnli\\\\\\\\\\
7d50734b30  5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  \\\\\\\\\\\\\\\\
7d50734b40  5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  \\\\\\\\\\\\\\\\
 
addr_1B2DC onEnter args2 0x40
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0x737f4c85b0,
0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x737f4c8570
int *__fastcall sub_1D1E8(int *result, _DWORD *a2, __int64 a3)
{
    // function too large, see the attachment;
}
 
__int64 __fastcall sub_26300(unsigned int a1, int a2, unsigned int a3, _DWORD *a4, unsigned int a5, int a6, int a7, _DWORD *a8, int a9)
{
    // a1..a3 = a, b, c; a4 = &d; a5..a7 = e, f, g; a8 = &h; a9 = the per-round additive term
    unsigned __int64 v9; // t2
    int v10; // w22
    int v11; // w5
    unsigned __int64 v12; // kr00_8
    int v13; // w8
    int v14; // w14
    int v15; // w15
    __int64 result; // x0
    int v17; // [xsp+14h] [xbp-3Ch]
    HIDWORD(v9) = a5;
    LODWORD(v9) = a5;                                   // v9 = e:e, so (v9 >> n) truncated to 32 bits is rotr(e, n)
    v10 = ~((a6 ^ a7) & a5);
    v11 = (v9 >> 25) ^ (a5 << 21) ^ ((unsigned __int64)a5 >> 11);  // rotr(e, 25) ^ rotr(e, 11)
    HIDWORD(v9) = a1;
    LODWORD(v9) = a1;                                   // v9 = a:a
    v12 = (unsigned __int64)a1 << 10;                   // low word a << 10, high word a >> 22
    v17 = ((a1 >> 2) | (a1 << 30)) ^ (v9 >> 13);        // rotr(a, 2) ^ rotr(a, 13)
    v13 = *a8 + ~(a7 ^ v10) + (((a5 << 26) | ((unsigned __int64)a5 >> 6)) ^ v11) + a9;  // T1 = h + Ch(e,f,g) + Sigma1(e) + a9
    v14 = a2 | a1;
    v15 = a2 & a1;
    result = (a2 | a1) ^ a3;
    *a4 += v13;                                         // d += T1
    *a8 = ((v12 | HIDWORD(v12)) ^ v17) + v13 + (v15 | v14 & a3);  // h = Sigma0(a) + T1 + Maj(a,b,c)
    return result;
}
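Added example (Python, not code from the original post or its attachment): the decompiled sub_26300 above transcribed literally, a textbook SHA-256 round beside it, and a compression function built on the transcription with the initial values and the 64 round constants as parameters, so values recovered from sub_1D1E8 can be dropped in. The standard FIPS 180-4 constants appear here only to show the construction matches hashlib; whether the sample uses them is the point the replies argue about and is not asserted. Assumptions: a9 carries K[t] + W[t] (the C code adds it into T1 exactly once), and the message schedule lives in the caller, which is not reconstructed here. The 32 bytes dumped as args0 of sub_1B2DC (args2 is 0x40, one block) are the eight initial values stored little-endian, which iv_as_dumped() reproduces, and pad_message() reproduces the final "apk 80 ... 04 18" block from the dumps further down: 0x418 bits is 8 × (64 + 67).

```python
# Added example (not from the original post): sub_26300 transcribed from the
# decompiler output, checked against a textbook SHA-256 round, and used as the
# round function of a parameterised SHA-256 compression.
import hashlib
import random
import struct

MASK32 = 0xFFFFFFFF


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


# Standard constants; both are parameters of sha256() so recovered ones can replace them.
SHA256_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
SHA256_K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
PATH = b"/data/app/com.kanxue.ollvm_ndk_11-UAGTGO_0ZL5RS3flSsPHsw==/base.apk"  # dumped at 7da963b000


def sub_26300(a1, a2, a3, a4, a5, a6, a7, a8, a9):
    """Literal transcription of the decompiled sub_26300 (IDA names kept).
    a1..a3 = a,b,c; a4 = d; a5..a7 = e,f,g; a8 = h; a9 = K[t] + W[t] (assumed).
    Returns the two values the C code writes through a4 and a8."""
    v9 = (a5 << 32) | a5                       # HIDWORD(v9) = LODWORD(v9) = e
    v10 = ~((a6 ^ a7) & a5) & MASK32
    v11 = ((v9 >> 25) ^ (a5 << 21) ^ (a5 >> 11)) & MASK32
    v9 = (a1 << 32) | a1                       # both halves now hold a
    v12 = a1 << 10                             # 64-bit shift: high word is a >> 22
    v17 = (((a1 >> 2) | (a1 << 30)) ^ (v9 >> 13)) & MASK32
    v13 = (a8 + (~(a7 ^ v10) & MASK32)
           + ((((a5 << 26) | (a5 >> 6)) ^ v11) & MASK32) + a9) & MASK32
    v14 = a2 | a1
    v15 = a2 & a1
    new_d = (a4 + v13) & MASK32
    new_h = ((((v12 | (v12 >> 32)) & MASK32) ^ v17) + v13 + (v15 | (v14 & a3))) & MASK32
    return new_d, new_h


def round_textbook(a, b, c, d, e, f, g, h, kw):
    """FIPS 180-4 round written with Ch, Maj, Sigma0, Sigma1 for comparison."""
    ch = (e & f) ^ ((~e & MASK32) & g)
    maj = (a & b) ^ (a & c) ^ (b & c)
    s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
    s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
    t1 = (h + s1 + ch + kw) & MASK32
    t2 = (s0 + maj) & MASK32
    return (d + t1) & MASK32, (t1 + t2) & MASK32


def rounds_agree(n=500, seed=20211130):
    """True if the transcription and the textbook round agree on n random inputs."""
    rng = random.Random(seed)
    return all(sub_26300(*args) == round_textbook(*args)
               for args in ([rng.getrandbits(32) for _ in range(9)] for _ in range(n)))


def compress(state, block, K):
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK32)
    a, b, c, d, e, f, g, h = state
    for t in range(64):
        d, h = sub_26300(a, b, c, d, e, f, g, h, (K[t] + w[t]) & MASK32)
        a, b, c, d, e, f, g, h = h, a, b, c, d, e, f, g   # h holds the new a, d the new e
    return [(x + y) & MASK32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def pad_message(data):
    msg = data + b"\x80"
    msg += bytes((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", len(data) * 8)   # bit length, big-endian


def sha256(data, iv=SHA256_IV, K=SHA256_K):
    state = list(iv)
    msg = pad_message(data)
    for off in range(0, len(msg), 64):
        state = compress(state, msg[off:off + 64], K)
    return b"".join(struct.pack(">L", x) for x in state)


def matches_hashlib(data):
    return sha256(data) == hashlib.sha256(data).digest()


def iv_as_dumped(iv):
    """Eight 32-bit words stored little-endian, the layout seen at 7d50734d80."""
    return b"".join(struct.pack("<L", x) for x in iv)
```

To test a reconstructed constant set, call sha256(block_input, iv=recovered_iv, K=recovered_k) on the 64-byte inputs visible in the dumps and compare the eight output words with the state the post shows after each sub_1D1E8 call.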
7d50734d80  67 e6 09 6a 85 ae 67 bb 72 f3 6e 3c 3a f5 4f a5  g..j..g.r.n<:.O.
7d50734d90  7f 52 0e 51 8c 68 05 9b ab d9 83 1f 19 cd e0 5b  .R.Q.h.........[
 
7d50734b10  6d 6b 38 6a 65 3d 6c 64 3f 6c 3f 6d 6b 38 6e 6d  mk8je=ld?l?mk8nm
7d50734b20  3d 6e 68 6e 6c 69 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  =nhnli\\\\\\\\\\
7d50734b30  5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  \\\\\\\\\\\\\\\\
7d50734b40  5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c  \\\\\\\\\\\\\\\\
 
After processing by sub_1D1E8((int *)result, key, 0x1) we get
 
7d50734d80  87 2e 2b 58 48 6f fc 78 7c db f9 b2 8d b3 87 55  ..+XHo.x|......U
7d50734d90  ce 0f 70 74 fc 59 39 3c 50 48 f5 f1 64 28 60 bd  ..pt.Y9<PH..d(`.
7d50734de8  67 e6 09 6a 85 ae 67 bb 72 f3 6e 3c 3a f5 4f a5  g..j..g.r.n<:.O.
7d50734df8  7f 52 0e 51 8c 68 05 9b ab d9 83 1f 19 cd e0 5b  .R.Q.h.........[
 
7d50734b10  07 01 52 00 0f 57 06 0e 55 06 55 07 01 52 04 07  ..R..W..U.U..R..
7d50734b20  57 04 02 04 06 03 36 36 36 36 36 36 36 36 36 36  W.....6666666666
7d50734b30  36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36  6666666666666666
7d50734b40  36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36  6666666666666666
 
After processing by sub_1D1E8((int *)result, key, 0x1) we get
 
7d50734de8  f4 78 93 8b 63 04 c3 95 86 19 0c 03 0b c4 3c ab  .x..c.........<.
7d50734df8  7a ab c0 f7 39 bd 67 b5 8e 7a 1b ca 13 7e cb d5  z...9.g..z...~..
7d50734de8  f4 78 93 8b 63 04 c3 95 86 19 0c 03 0b c4 3c ab  .x..c.........<.
7d50734df8  7a ab c0 f7 39 bd 67 b5 8e 7a 1b ca 13 7e cb d5  z...9.g..z...~..
 
7da963b000  2f 64 61 74 61 2f 61 70 70 2f 63 6f 6d 2e 6b 61  /data/app/com.ka
7da963b010  6e 78 75 65 2e 6f 6c 6c 76 6d 5f 6e 64 6b 5f 31  nxue.ollvm_ndk_1
7da963b020  31 2d 55 41 47 54 47 4f 5f 30 5a 4c 35 52 53 33  1-UAGTGO_0ZL5RS3
7da963b030  66 6c 53 73 50 48 73 77 3d 3d 2f 62 61 73 65 2e  flSsPHsw==/base.
 
After processing by sub_1D1E8((int *)result, key, 0x1) we get
7d50734de8  52 dc d8 f0 11 63 f2 5d 61 5b 0d 5b 97 fb bd 58  R....c.]a[.[...X
7d50734df8  d8 e6 36 0c 44 6c 2f 87 e9 29 47 e0 bf 4f 55 b6  ..6.Dl/..)G..OU.
7d50734de8  52 dc d8 f0 11 63 f2 5d 61 5b 0d 5b 97 fb bd 58  R....c.]a[.[...X
7d50734df8  d8 e6 36 0c 44 6c 2f 87 e9 29 47 e0 bf 4f 55 b6  ..6.Dl/..)G..OU.
 
7d50734e08  61 70 6b 80 00 00 00 00 00 00 00 00 00 00 00 00  apk.............
7d50734e18  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7d50734e28  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7d50734e38  00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 18  ................
 
After processing by sub_1D1E8((int *)result, key, 0x1) we get
 
7d50734de8  fe 93 4b f7 f7 31 2d 96 cd 30 30 a7 be a3 b2 b3  ..K..1-..00.....
7d50734df8  e2 78 21 59 b2 89 a7 0b f0 bf e9 4e 47 f9 9f c1  .x!Y.......NG...

Last edited 2021-11-30 17:01 by neilwu, reason:
Attachments:
Latest replies (10)
#2
Looking at this flow graph, doesn't it feel like staring into a bottomless abyss?
2021-12-1 08:31
#3
chixiaojie wrote: Looking at this flow graph, doesn't it feel like staring into a bottomless abyss?
Nope
2021-12-1 09:25
#5
Was the sub_1D1E8 function reconstructed from the IDA F5 output? I tried to reconstruct it and got a pile of errors; 64 function calls, the analysis numbed my brain
2021-12-1 15:53
#6
飞翔的猫咪 wrote: Was the sub_1D1E8 function reconstructed from the IDA F5 output? I tried to reconstruct it and got a pile of errors; 64 function calls, the analysis numbed my brain
It needs to be deobfuscated
2021-12-1 16:36
#7
The deobfuscation was quite thorough

Last edited 2022-7-22 18:45 by 飞翔的猫咪, reason:
2021-12-1 16:52
#8
From my analysis it doesn't seem SHA-256 was modified? It just hashes twice
2021-12-3 08:08
#9
ladder wrote: From my analysis it doesn't seem SHA-256 was modified? It just hashes twice
The attachment is my reconstruction. The 64 constants K_t and the initial values all change later on. I verified with normal SHA-256 and found the result didn't match, which is why I reconstructed it
2021-12-3 09:39
#10
Boss, I'm wondering where the first computation result of the first round of the algorithm comes from; what I hooked is still that result converted from adding the two times together

7d50734b10  07 01 52 00 0f 57 06 0e 55 06 55 07 01 52 04 07  ..R..W..U.U..R..
7d50734b20  57 04 02 04 06 03 36 36 36 36 36 36 36 36 36 36  W.....6666666666
7d50734b30  36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36  6666666666666666
7d50734b40  36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36  6666666666666666

2022-8-26 16:09
#11
Hehe, finished the first step of the algorithm and found the algorithm for the second conversion of that time value
*v28 = (~(_BYTE)v29 & 0xEA | v29 & 0x15) ^ 0x80;
2022-8-26 17:00
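Added example (Python, not code from the original poster or from reply #11) covering the byte transform quoted in the first post, (~v25 & 0xB5 | v25 & 0x4A) ^ 0xE9, and the one quoted in reply #11, (~v29 & 0xEA | v29 & 0x15) ^ 0x80. In each, the two masks are bitwise complements, so (~v & M | v & ~M) is just v ^ M: the first expression is v ^ 0xB5 ^ 0xE9 = v ^ 0x5C and the second is v ^ 0xEA ^ 0x80 = v ^ 0x6A, with 0x5C ^ 0x6A = 0x36. 0x5C and 0x36 are the HMAC opad and ipad bytes of RFC 2104, and the two 64-byte dumps at 7d50734b10 are exactly the 22-byte time string from 7d50734e50 XORed with 0x5C and padded with 0x5C, and the same string XORed with 0x36 and padded with 0x36; reply #11's expression maps the first block onto the second. The block rebuilds both from the time string and shows the two-hash structure reply #8 describes, using hashlib's SHA-256 for the reference. Whether the sample's compression constants are standard is left open in the thread, so no value from the page's output is asserted; if they are, hmac_sha256_manual(TIME_KEY, PATH) is the number to compare with the first 64 hex characters of the output.

```python
# Added example (not from the original post or its replies): simplify the two MBA
# expressions quoted in the thread and rebuild, from the 22-character time string,
# the two 64-byte blocks that the Frida dumps show.
import hashlib
import hmac

TIME_KEY = b"17d69a08c0c17d21a24205"  # dumped at 7d50734e50
PATH = b"/data/app/com.kanxue.ollvm_ndk_11-UAGTGO_0ZL5RS3flSsPHsw==/base.apk"  # dumped at 7da963b000
BLOCK = 64  # SHA-256 block size; HMAC pads the key to this length

# The two 64-byte blocks exactly as they appear in the dumps at 7d50734b10.
OPAD_DUMP = b"mk8je=ld?l?mk8nm=nhnli" + b"\\" * 42
IPAD_DUMP = bytes.fromhex("070152000f57060e5506550701520407570402040603") + b"\x36" * 42


def mba_opad(v):
    """(~v25 & 0xB5 | v25 & 0x4A) ^ 0xE9 from the first post, on one byte."""
    return (((~v) & 0xB5) | (v & 0x4A)) ^ 0xE9


def mba_ipad_from_opad(v):
    """(~v29 & 0xEA | v29 & 0x15) ^ 0x80 from reply #11, on one byte."""
    return (((~v) & 0xEA) | (v & 0x15)) ^ 0x80


def simplify_mba(m_not, m_id, x):
    """(~v & m_not | v & m_id) ^ x equals v ^ (m_not ^ x) when the two masks
    partition the byte: ~v & m_not keeps the flipped bits, v & m_id the rest.
    Returns the XOR constant, or None if the masks do not partition the byte."""
    if m_not & m_id or (m_not | m_id) != 0xFF:
        return None
    return m_not ^ x


def hmac_key_blocks(key):
    """Key preparation as the dumps show it: zero-pad the key to one block, apply
    the opad transform, then derive the ipad block from the opad block (the order
    reply #11 observed) rather than from the key again."""
    padded = key + bytes(BLOCK - len(key))  # the 22-byte key is shorter than a block
    opad = bytes(mba_opad(b) for b in padded)
    ipad = bytes(mba_ipad_from_opad(b) for b in opad)
    return ipad, opad


def hmac_sha256_manual(key, msg):
    """The 'two hashes' structure: H(opad_block || H(ipad_block || msg)).
    Standard SHA-256 from hashlib stands in for sub_1D1E8 here."""
    ipad, opad = hmac_key_blocks(key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).hexdigest()


def hmac_reference(key, msg):
    """Library HMAC-SHA256 for comparison with the hand-built version."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()
```

simplify_mba() is the general check for this obfuscation pattern: any (~v & A | v & B) ^ C with A and B complementary collapses to a single XOR, which is why a Frida hook on the output buffer shows plain 0x36/0x5C padding even though the decompiled code never mentions those bytes.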