-
-
[原创]某APP登录参数分析
-
发表于: 2022-4-21 11:23
-
本篇文章仅为学习交流所用,涉及的数据已做脱敏处理,请勿用于不当途径,侵权请联系
IDA、JADX、Frida、Charles
首先抓包看一下登录包:
{
"params": "5F1D4B282F5E89548F98FC30853F4F9289D874AA82EDB0ED82330B07CF5D208ECAAF446BAEA4D4848BB7515573123514EFDEA8E6C1000FEF8F30A9901382B7119822C74B9C91394F9DDFF8B239E241F9",
"clienttime_ms": "1647312358378",
"support_face_verify": "1",
"dfid": "-",
"dev": "Pixel%204",
"plat": "1",
"pk": "7C9E722B7BCCE5B56BAB9D42902B2A4F238BAA40EACCCEECACE72C3EE46A85B1B833F7800E6D2B968EE809303485376180BD8494EBA84F006DBD050E1F876B3713DE64AFADDA4F51FCC522C6DAC0AFFC8A04AABAF47F95FE6D3F2FB6726A16FC4664AB66CE065E3FCFD7D0FACD3DCA05AA96D74DD96EC74DBF54CA72D088E42C",
"t1": "bfaf46951c6a5c58d4bf618c517354de",
"support_verify": "1",
"support_multi": "1",
"t2": "c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335237a78074f157641a1ddfb5ca4a66c5d72855feae18282b981d896c6f170cb54ca7c21aad3811d69c80a73ad3482c340",
"key": "8d73d8b5da06bad3b466d864812d488b",
"username": "130*696"
}
通过JADX搜索“params”字符串定位到位置:
通过objection hook该方法内的a方法,得到如下结果:
(agent) [302556] Called com.xxxx.fanxing.allinone.common.utils.a.a(java.lang.String, java.lang.String, java.lang.String, java.lang.String)
(agent) [302556] Arguments com.xxx.fanxing.allinone.common.utils.a.a({"username":"13*96","clienttime_ms":"1647313862199","pwd":"557998555"}, utf-8, 0dd6da40aea47d05b5f6612596fd2e7f, b5f6612596fd2e7f)
(agent) [793424] Backtrace:
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.a(SourceFile:117)
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.c(SourceFile:106)
com.xxx.fanxing.core.protocol.g.e.c(SourceFile:85)
com.xxx.fanxing.core.protocol.g.e.c(Native Method)
com.xxx.fanxing.core.protocol.g.a.d(SourceFile:76)
com.xxx.fanxing.core.modul.user.login.c.a(SourceFile:50)
com.xxx.fanxing.core.modul.user.login.f.a(SourceFile:228)
com.xxx.fanxing.core.modul.user.ui.a.a(SourceFile:577)
com.xxx.fanxing.core.modul.user.ui.a.j(SourceFile:554)
com.xxx.fanxing.core.modul.user.ui.a.i(SourceFile:520)
com.xxx.fanxing.core.modul.user.ui.a.onClick(SourceFile:417)
android.view.View.performClick(View.java:7259)
android.view.View.performClickInternal(View.java:7236)
android.view.View.access$3600(View.java:801)
android.view.View$PerformClick.run(View.java:27892)
android.os.Handler.handleCallback(Handler.java:883)
android.os.Handler.dispatchMessage(Handler.java:100)
android.os.Looper.loop(Looper.java:214)
android.app.ActivityThread.main(ActivityThread.java:7356)
java.lang.reflect.Method.invoke(Native Method)
com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
这样我们可以得到a.c(jSONObject.toString(), this.g)中两个参数的来源,其中第一个参数为JSON结构:{"username":"13**96","clienttime_ms":"1647313862199","pwd":"557998555"},第二个参数为AES的KEY,最终将KEY拆分为(0,32)和(16,32)具体生成方式如下:
a方法如下:
最终为通过KeyGenerator生成一个32位的key,然后对key进行MD5,最后将其分割
通过搜索字符串即可定位到如下函数:
{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}
最终调用native层的cc::i加密方法
PUBKEY:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB
Python版RSA_NOPADDING加密方法实现:
最终调用native层的cc::d方法
这里只分析f4函数内关键步骤部分:
cc::d方法里为AES_256_CBC_ENCRYPT
encData: |1649905000102
key:bdeaed243193ce11ac913bbd48d340a4
iv:ac913bbd48d340a4
最终调用native层的cc::e方法
f6函数内部逻辑与t1的f4函数一致
cc::e方法里为AES_256_CBC_ENCRYPT
encData: ||9eea2d301e53|Pixel 4|1649905000118
key:dc8e123f07636a41361b62235fc313ac
iv:361b62235fc313ac
com.xxx.fanxing.core.protocol.g.e.c
ao.m = key
com.xxx.fanxing.allinone.common.d.a
public static int g() {
return 1131;
}
this.b = AppId
com.xxx.fanxing.allinone.common.d.a
public static String h() {
return "4lu0l3cujt2KWIjcM374F8oX5N2lGY59";
}
this.e = AppKey=“4lu0l3cujt2KWIjcM374F8oX5N2lGY59”
getVersion = APPVersion
public int getVersion() {
return y.s();
}
55400
this.h = clienttime_ms
key = MD5("" + AppId + AppKey + APPVersion + String.valueOf(this.h).toLowerCase())
com.xxx.fanxing.allinone.watch.common.protocol.user.a
(agent) [013697] Arguments com.xxx.fanxing.allinone.watch.common.protocol.user.a.a(https://loginservice.kugou.com/v9/login_by_pwd,
1650353888,
1tRbIu1gsMjC2Htvln120WPp,
{"params":"2CA44E5F5D8F189BC68662C0438844D7043484C37D09E7AD1A8A138D44CDCBB0465684EE3C6FD64263174944AD6F2027D0782D9BF64A904432F9FD764CF1C96FF5C90B16DB2932E15FDC56178940207F","clienttime_ms":"1650353888654","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"5F03A05AFD4E10B7283A9F2634153FEFA0AF318DD781687BB907DA770614C021921AEB30AB7A808714C132ECA24285E43E6EA2134A91BB79893B10B4024040E32C8EA448463251173D9E412A5B640F240AA601690DDF9A180599F73AA5CF45F8570F6562ABEFA31196CBB0BB31BB6E781974C56A4640CB70D25955D04F3CC7EA","t1":"cdb7d88e278cab7c596af28cfcd873ba","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea20cc2563d5fc8f040aa77b49c039e40c5e2ca000392eeebfce750e3612ff280f6","key":"ffa858faa437189eb024cdeeb37e372d","username":"130*669"})
com.xxx.fanxing.allinone.common.utils.ao.a(
4lu0l3cujt2KWIjcM374F8oX5N2lGY59
appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf
{"params":"3FF4D2AB2A549FDBD95EBA40F155635B1E9A5EB353EF147EC459EC47FE18EDE2ED465FAE1E974ABB8605499F1434228E6A30779E0E07DB12A79775A6073EE748709951692C97506CD6384513250870B3","clienttime_ms":"1650356391589","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"62A6F1633AD5B9F85007AD597B90157C854A796FEA8D965E110C9D8FB152170E18CF6868F4497E1FAA62F13B257758DF803B2E4ABCF28980207534BE8B8728DFA50A4F00AD2626307B31C850E8ACED450393643C5CE8DD679E1F77186D3CED20DB72E8003C4EF2048EC1942035159EDB2590095D09B6E7A706A72F5E96408212","t1":"512640caae5a66bb98402eda86b5b026","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea2a4865a6be23bed4a31f7625c6927379348d014b77b354e00181c2e0b1530397a","key":"7e8cfb92bb4be58f9a62e0af4c040783","username":"130*669"}
4lu0l3cujt2KWIjcM374F8oX5N2lGY59)
signature=MD5(appkey+appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf+ post data + appkey)
this.j.put("params", a.c(jSONObject.toString(), this.g));
进入c方法内可以看到:this.j.put("params", a.c(jSONObject.toString(), this.g));
进入c方法内可以看到:public static String c(String str, String str2) throws Exception {
return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
}
public static String c(String str, String str2) throws Exception {
return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
}
this.g = com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ? 128 : 64);
this.g = com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ? 128 : 64);
public static String a(int i) {
try {
KeyGenerator instance = KeyGenerator.getInstance("AES");
instance.init(i);
return a(instance.generateKey().getEncoded());
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public static String c(String str, String str2) throws Exception {
return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
}
public static String a(String str) {
return a(str.getBytes());
}
public static String a(byte[] bArr) { try {
MessageDigest instance = MessageDigest.getInstance("MD5");
instance.update(bArr);
return bd.a(instance.digest());
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public static String a(byte[] bArr) { StringBuilder sb = new StringBuilder();
for (byte b : bArr) {
String hexString = Integer.toHexString(b & 255);
if (hexString.length() == 1) {
sb.append('0');
}
sb.append(hexString);
}
return sb.toString();
}
public static String a(String str, String str2, String str3, String str4) throws Exception {
SecretKeySpec secretKeySpec = new SecretKeySpec(str3.getBytes(str2), "AES");
Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
instance.init(1, secretKeySpec, new IvParameterSpec(str4.getBytes()));
return a(instance.doFinal(str.getBytes(str2)));
}
public static String a(int i) {
try {
KeyGenerator instance = KeyGenerator.getInstance("AES");
instance.init(i);
return a(instance.generateKey().getEncoded());
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public static String c(String str, String str2) throws Exception {
return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
}
public static String a(String str) {
return a(str.getBytes());
}
public static String a(byte[] bArr) { try {
MessageDigest instance = MessageDigest.getInstance("MD5");
instance.update(bArr);
return bd.a(instance.digest());
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public static String a(byte[] bArr) { StringBuilder sb = new StringBuilder();
for (byte b : bArr) {
String hexString = Integer.toHexString(b & 255);
if (hexString.length() == 1) {
sb.append('0');
}
sb.append(hexString);
}
return sb.toString();
}
public static String a(String str, String str2, String str3, String str4) throws Exception {
SecretKeySpec secretKeySpec = new SecretKeySpec(str3.getBytes(str2), "AES");
Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
instance.init(1, secretKeySpec, new IvParameterSpec(str4.getBytes()));
return a(instance.doFinal(str.getBytes(str2)));
}
public String e() { String a2 = com.xxx.fanxing.core.common.fingerprint.a.a();
return TextUtils.isEmpty(a2) ? "-" : a2;
}
a2 -> share_data -> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段public String e() { String a2 = com.xxx.fanxing.core.common.fingerprint.a.a();
return TextUtils.isEmpty(a2) ? "-" : a2;
}
a2 -> share_data -> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段hashMap.put("pk", com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
public static String a(String str, String str2) throws Exception {
HashMap hashMap = new HashMap();
hashMap.put("clienttime_ms", str);
hashMap.put(ao.M, str2);
return com.xxx.common.player.kugouplayer.a.d(hashMap);
}
hashMap.put("pk", com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
public static String a(String str, String str2) throws Exception {
HashMap hashMap = new HashMap();
hashMap.put("clienttime_ms", str);
hashMap.put(ao.M, str2);
return com.xxx.common.player.kugouplayer.a.d(hashMap);
}
str为时间戳,str2为AES随机密钥
组成形式如下:str为时间戳,str2为AES随机密钥
组成形式如下:import rsa
import base64
from Crypto.PublicKey import RSA
def zfillStrToBin(s):
b = bytes(s.encode())
for i in range(128 - len(b)):
b += b'\0'
print(len(b))
return b
class RsaNopadding:
def __init__(self, key):
self.pubkey = RSA.importKey(base64.b64decode(key))
def encrypt(self, message):
kLen = rsa.common.byte_size(self.pubkey.n)
msg = zfillStrToBin(message)
_b = rsa.transform.bytes2int(msg)
_i = rsa.core.encrypt_int(_b, self.pubkey.e, self.pubkey.n)
result = rsa.transform.int2bytes(_i, kLen)
return result.hex().upper()
message = '{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg = RsaNopadding(
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB")
print(msg.encrypt(message))
import rsa
import base64
from Crypto.PublicKey import RSA
def zfillStrToBin(s):
b = bytes(s.encode())
for i in range(128 - len(b)):
b += b'\0'
print(len(b))
return b
class RsaNopadding:
def __init__(self, key):
self.pubkey = RSA.importKey(base64.b64decode(key))
def encrypt(self, message):
kLen = rsa.common.byte_size(self.pubkey.n)
msg = zfillStrToBin(message)
_b = rsa.transform.bytes2int(msg)
_i = rsa.core.encrypt_int(_b, self.pubkey.e, self.pubkey.n)
result = rsa.transform.int2bytes(_i, kLen)
return result.hex().upper()
message = '{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg = RsaNopadding(
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB")
print(msg.encrypt(message))
String t1 = com.xxx.common.player.kugouplayer.a.b(null);
String t1 = com.xxx.common.player.kugouplayer.a.b(null);
int __fastcall f4(int a1)
{LABEL_44: // 走这
v76[0] = (int)v76;
v76[1] = (int)v76;
v76[2] = 0;
v77 = 0;
v78 = 0;
v79 = 0;
std::string::__init((int)&v77, (int)&aEia[2], 1);
v34 = v77;
v35 = v78;
v77 = 0;
v78 = 0;
v103 = v34;
v104 = v35;
v105 = v79;
v79 = 0;
std::string::basic_string((int)v106, (int)&v66);
std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
std::string::~string((int)v106);
std::string::~string((int)&v103);
std::string::~string((int)&v77);
v80 = 0;
v81 = 0;
v82 = 0;
std::string::__init((int)&v80, (int)"b", 1);
f5(&v83); // daytime
v36 = v80;
v37 = v81;
v38 = v82;
v80 = 0;
v81 = 0;
v82 = 0;
v103 = v36;
v104 = v37;
v105 = v38;
v39 = v83;
v40 = v84;
v41 = v85;
v83 = 0;
v84 = 0;
v85 = 0;
v106[0] = v39;
v106[1] = v40;
v106[2] = v41;
std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
std::string::~string((int)v106);
std::string::~string((int)&v103);
std::string::~string((int)&v83);
std::string::~string((int)&v80);
f9((int)v86, (int)v76);
v87 = 0;
v42 = v107;
v88 = 0;
v89 = 0;
v95[0] = 0;
v95[1] = 0;
v95[2] = 0;
v43 = aBdeaed243193ce; // v42=bdeaed243193ce1i#~DC<M[g
do
{
v44 = *(_DWORD *)v43;
v43 += 8;
v45 = *((_DWORD *)v43 - 1);
*(_DWORD *)v42 = v44; // 整个循环将bdeaed243193ce1i#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
*((_DWORD *)v42 + 1) = v45;
v42 += 8;
}
while ( v43 != (const char *)&unk_D90E4 );
v103 = 0;
v104 = 0;
v105 = 0;
std::string::__init((int)&v103, (int)v107, 32);// v105=v109=bdeaed243193ce1i#~DC<M[g..=2..~4
// 62 64 65 61 65 64 32 34 33 31 39 33 63 65 31 69
// 23 7E 44 43 3C 4D 5B 67 7F 0E 3D 32 01 2E 7E 34
v46 = (unsigned __int8)v103;
if ( (v103 & 1) == 0 )
v46 = (int)(unsigned __int8)v103 >> 1;
if ( (v103 & 1) != 0 )
v46 = v104;
v47 = v46 - 2;
do
{
if ( v47 < 0 )
break;
v48 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
v49 = (char *)v48 + v47; // 转换v105为bdeaed243193ce11ac913bbd48d340a4
v50 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
v51 = *((_BYTE *)v50 + v47);
v52 = (char *)&unk_D90E4 + v47 - v46;
--v47;
*v49 = v51 ^ v52[17];
}
while ( v47 != v46 - 18 );
std::string::basic_string((int)&v100, (int)&v103);
std::string::~string((int)&v103);
v53 = v107;
v54 = aAc913bbd48d340; // v54 = ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
do
{
v55 = *(_DWORD *)v54;
v54 += 8;
v56 = *((_DWORD *)v54 - 1);
*(_DWORD *)v53 = v55; // 整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
*((_DWORD *)v53 + 1) = v56;
v53 += 8;
}
while ( v54 != &aAc913bbd48d340[16] );
v103 = 0;
v104 = 0;
v105 = 0;
std::string::__init((int)&v103, (int)v107, 16);// v103=v107=ac913bbd48d340a4
std::string::basic_string((int)v99, (int)&v103);
std::string::~string((int)&v103);
sub_394FC(1, v86, v95, (unsigned __int8 *)&v100, v99);// AES加密
std::string::~string((int)v99);
std::string::~string((int)&v100);
f11((int)&v96, (int)v95); // HEX格式化
v58 = v87 & 1;
if ( (v87 & 1) != 0 )
{
v57 = v89;
v58 = 0;
}
else
{
BYTE1(v87) = v87 & 1;
}
if ( (v87 & 1) != 0 )
{
*v57 = v58;
v88 = v58;
}
else
{
LOBYTE(v87) = v58;
}
std::string::reserve((int)&v87, 0);
v59 = v96;
v60 = v97;
v61 = v98;
v96 = 0;
v97 = 0;
v98 = 0;
v87 = v59;
v88 = v60;
v89 = (_BYTE *)v61;
std::string::~string((int)&v96);
std::string::~string((int)v95);
if ( (*(_BYTE *)a1 & 1) != 0 )
{
**(_BYTE **)(a1 + 8) = 0;
*(_DWORD *)(a1 + 4) = 0;
}
else
{
*(_BYTE *)(a1 + 1) = 0;
*(_BYTE *)a1 = 0;
}
std::string::reserve(a1, 0);
v62 = v87;
v63 = v88;
v64 = (int)v89;
v87 = 0;
v88 = 0;
v89 = 0;
*(_DWORD *)a1 = v62;
*(_DWORD *)(a1 + 4) = v63;
*(_DWORD *)(a1 + 8) = v64;
std::string::~string((int)&v87);
std::string::~string((int)v86);
std::__list_imp<std::pair<std::string,std::string>>::clear(v76);
std::string::~string((int)&v66);
return a1;
}int __fastcall f4(int a1)
{LABEL_44: // 走这
v76[0] = (int)v76;
v76[1] = (int)v76;
v76[2] = 0;
v77 = 0;
v78 = 0;
v79 = 0;
std::string::__init((int)&v77, (int)&aEia[2], 1);
v34 = v77;
v35 = v78;
v77 = 0;
v78 = 0;
v103 = v34;
v104 = v35;
v105 = v79;
v79 = 0;
std::string::basic_string((int)v106, (int)&v66);
std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
std::string::~string((int)v106);
std::string::~string((int)&v103);
std::string::~string((int)&v77);
v80 = 0;
v81 = 0;
v82 = 0;
std::string::__init((int)&v80, (int)"b", 1);
f5(&v83); // daytime
v36 = v80;
v37 = v81;
v38 = v82;
v80 = 0;
v81 = 0;
v82 = 0;
v103 = v36;
v104 = v37;
v105 = v38;
v39 = v83;
v40 = v84;
v41 = v85;
v83 = 0;
v84 = 0;
v85 = 0;
v106[0] = v39;
v106[1] = v40;
v106[2] = v41;
std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
std::string::~string((int)v106);
std::string::~string((int)&v103);
std::string::~string((int)&v83);
std::string::~string((int)&v80);
f9((int)v86, (int)v76);
v87 = 0;
v42 = v107;
v88 = 0;
v89 = 0;
v95[0] = 0;
v95[1] = 0;
v95[2] = 0;
v43 = aBdeaed243193ce; // v42=bdeaed243193ce1i#~DC<M[g
do
{
v44 = *(_DWORD *)v43;
v43 += 8;
v45 = *((_DWORD *)v43 - 1);
*(_DWORD *)v42 = v44; // 整个循环将bdeaed243193ce1i#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
*((_DWORD *)v42 + 1) = v45;
v42 += 8;
}
while ( v43 != (const char *)&unk_D90E4 );
v103 = 0;
v104 = 0;
v105 = 0;
std::string::__init((int)&v103, (int)v107, 32);// v105=v109=bdeaed243193ce1i#~DC<M[g..=2..~4
// 62 64 65 61 65 64 32 34 33 31 39 33 63 65 31 69
// 23 7E 44 43 3C 4D 5B 67 7F 0E 3D 32 01 2E 7E 34
v46 = (unsigned __int8)v103;
if ( (v103 & 1) == 0 )
v46 = (int)(unsigned __int8)v103 >> 1;
if ( (v103 & 1) != 0 )
v46 = v104;
v47 = v46 - 2;
do
{
if ( v47 < 0 )
break;
v48 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
v49 = (char *)v48 + v47; // 转换v105为bdeaed243193ce11ac913bbd48d340a4
v50 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
v51 = *((_BYTE *)v50 + v47);
v52 = (char *)&unk_D90E4 + v47 - v46;
--v47;
*v49 = v51 ^ v52[17];
}
while ( v47 != v46 - 18 );
std::string::basic_string((int)&v100, (int)&v103);
std::string::~string((int)&v103);
v53 = v107;
v54 = aAc913bbd48d340; // v54 = ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
do
{
v55 = *(_DWORD *)v54;
v54 += 8;
v56 = *((_DWORD *)v54 - 1);
*(_DWORD *)v53 = v55; // 整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
*((_DWORD *)v53 + 1) = v56;
v53 += 8;
}
while ( v54 != &aAc913bbd48d340[16] );
v103 = 0;
v104 = 0;
v105 = 0;
std::string::__init((int)&v103, (int)v107, 16);// v103=v107=ac913bbd48d340a4
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
学到了,感谢大佬
