-
-
[原创]某APP登录参数分析
-
发表于: 2022-4-21 11:23 25389
-
本篇文章仅为学习交流所用,涉及的数据已做脱敏处理,请勿用于不当途径,侵权请联系
IDA、JADX、Frida、Charles
首先抓包看一下登录包:
{
"params": "5F1D4B282F5E89548F98FC30853F4F9289D874AA82EDB0ED82330B07CF5D208ECAAF446BAEA4D4848BB7515573123514EFDEA8E6C1000FEF8F30A9901382B7119822C74B9C91394F9DDFF8B239E241F9",
"clienttime_ms": "1647312358378",
"support_face_verify": "1",
"dfid": "-",
"dev": "Pixel%204",
"plat": "1",
"pk": "7C9E722B7BCCE5B56BAB9D42902B2A4F238BAA40EACCCEECACE72C3EE46A85B1B833F7800E6D2B968EE809303485376180BD8494EBA84F006DBD050E1F876B3713DE64AFADDA4F51FCC522C6DAC0AFFC8A04AABAF47F95FE6D3F2FB6726A16FC4664AB66CE065E3FCFD7D0FACD3DCA05AA96D74DD96EC74DBF54CA72D088E42C",
"t1": "bfaf46951c6a5c58d4bf618c517354de",
"support_verify": "1",
"support_multi": "1",
"t2": "c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335237a78074f157641a1ddfb5ca4a66c5d72855feae18282b981d896c6f170cb54ca7c21aad3811d69c80a73ad3482c340",
"key": "8d73d8b5da06bad3b466d864812d488b",
"username": "130*696"
}
通过JADX搜索“params”字符串定位到位置:
通过objection hook该方法内的a方法,得到如下结果:
(agent) [302556] Called com.xxxx.fanxing.allinone.common.utils.a.a(java.lang.String, java.lang.String, java.lang.String, java.lang.String)
(agent) [302556] Arguments com.xxx.fanxing.allinone.common.utils.a.a({"username":"13*96","clienttime_ms":"1647313862199","pwd":"557998555"}, utf-8, 0dd6da40aea47d05b5f6612596fd2e7f, b5f6612596fd2e7f)
(agent) [793424] Backtrace:
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.a(SourceFile:117)
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.c(SourceFile:106)
com.xxx.fanxing.core.protocol.g.e.c(SourceFile:85)
com.xxx.fanxing.core.protocol.g.e.c(Native Method)
com.xxx.fanxing.core.protocol.g.a.d(SourceFile:76)
com.xxx.fanxing.core.modul.user.login.c.a(SourceFile:50)
com.xxx.fanxing.core.modul.user.login.f.a(SourceFile:228)
com.xxx.fanxing.core.modul.user.ui.a.a(SourceFile:577)
com.xxx.fanxing.core.modul.user.ui.a.j(SourceFile:554)
com.xxx.fanxing.core.modul.user.ui.a.i(SourceFile:520)
com.xxx.fanxing.core.modul.user.ui.a.onClick(SourceFile:417)
android.view.View.performClick(View.java:7259)
android.view.View.performClickInternal(View.java:7236)
android.view.View.access$3600(View.java:801)
android.view.View$PerformClick.run(View.java:27892)
android.os.Handler.handleCallback(Handler.java:883)
android.os.Handler.dispatchMessage(Handler.java:100)
android.os.Looper.loop(Looper.java:214)
android.app.ActivityThread.main(ActivityThread.java:7356)
java.lang.reflect.Method.invoke(Native Method)
com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
这样我们可以得到a.c(jSONObject.toString(), this.g)中两个参数的来源,其中第一个参数为JSON结构:{"username":"13**96","clienttime_ms":"1647313862199","pwd":"557998555"},第二个参数为AES的KEY,最终将KEY拆分为(0,32)和(16,32)具体生成方式如下:
a方法如下:
最终为通过KeyGenerator生成一个32位的key,然后对key进行MD5,最后将其分割
通过搜索字符串即可定位到如下函数:
{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}
最终调用native层的cc::i加密方法
PUBKEY:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB
Python版RSA_NOPADDING加密方法实现:
最终调用native层的cc::d方法
这里只分析f4函数内关键步骤部分:
cc::d方法里为AES_256_CBC_ENCRYPT
encData: |1649905000102
key:bdeaed243193ce11ac913bbd48d340a4
iv:ac913bbd48d340a4
最终调用native层的cc::e方法
f6函数内部逻辑与t1的f4函数一致
cc::e方法里为AES_256_CBC_ENCRYPT
encData: ||9eea2d301e53|Pixel 4|1649905000118
key:dc8e123f07636a41361b62235fc313ac
iv:361b62235fc313ac
com.xxx.fanxing.core.protocol.g.e.c
ao.m = key
com.xxx.fanxing.allinone.common.d.a
public static int g() {
return 1131;
}
this.b = AppId
com.xxx.fanxing.allinone.common.d.a
public static String h() {
return "4lu0l3cujt2KWIjcM374F8oX5N2lGY59";
}
this.e = AppKey=“4lu0l3cujt2KWIjcM374F8oX5N2lGY59”
getVersion = APPVersion
public int getVersion() {
return y.s();
}
55400
this.h = clienttime_ms
key = MD5("" + AppId + AppKey + APPVersion + String.valueOf(this.h).toLowerCase())
com.xxx.fanxing.allinone.watch.common.protocol.user.a
(agent) [013697] Arguments com.xxx.fanxing.allinone.watch.common.protocol.user.a.a(https://loginservice.kugou.com/v9/login_by_pwd,
1650353888,
1tRbIu1gsMjC2Htvln120WPp,
{"params":"2CA44E5F5D8F189BC68662C0438844D7043484C37D09E7AD1A8A138D44CDCBB0465684EE3C6FD64263174944AD6F2027D0782D9BF64A904432F9FD764CF1C96FF5C90B16DB2932E15FDC56178940207F","clienttime_ms":"1650353888654","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"5F03A05AFD4E10B7283A9F2634153FEFA0AF318DD781687BB907DA770614C021921AEB30AB7A808714C132ECA24285E43E6EA2134A91BB79893B10B4024040E32C8EA448463251173D9E412A5B640F240AA601690DDF9A180599F73AA5CF45F8570F6562ABEFA31196CBB0BB31BB6E781974C56A4640CB70D25955D04F3CC7EA","t1":"cdb7d88e278cab7c596af28cfcd873ba","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea20cc2563d5fc8f040aa77b49c039e40c5e2ca000392eeebfce750e3612ff280f6","key":"ffa858faa437189eb024cdeeb37e372d","username":"130*669"})
com.xxx.fanxing.allinone.common.utils.ao.a(
4lu0l3cujt2KWIjcM374F8oX5N2lGY59
appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf
{"params":"3FF4D2AB2A549FDBD95EBA40F155635B1E9A5EB353EF147EC459EC47FE18EDE2ED465FAE1E974ABB8605499F1434228E6A30779E0E07DB12A79775A6073EE748709951692C97506CD6384513250870B3","clienttime_ms":"1650356391589","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"62A6F1633AD5B9F85007AD597B90157C854A796FEA8D965E110C9D8FB152170E18CF6868F4497E1FAA62F13B257758DF803B2E4ABCF28980207534BE8B8728DFA50A4F00AD2626307B31C850E8ACED450393643C5CE8DD679E1F77186D3CED20DB72E8003C4EF2048EC1942035159EDB2590095D09B6E7A706A72F5E96408212","t1":"512640caae5a66bb98402eda86b5b026","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea2a4865a6be23bed4a31f7625c6927379348d014b77b354e00181c2e0b1530397a","key":"7e8cfb92bb4be58f9a62e0af4c040783","username":"130*669"}
4lu0l3cujt2KWIjcM374F8oX5N2lGY59)
signature=MD5(appkey+appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf+ post data + appkey)
this.j.put(
"params"
, a.c(jSONObject.toString(), this.g));
进入c方法内可以看到:
this.j.put(
"params"
, a.c(jSONObject.toString(), this.g));
进入c方法内可以看到:
public static String c(String
str
, String str2) throws Exception {
return
a(
str
,
"utf-8"
, ao.a(str2).substring(
0
,
32
), ao.a(str2).substring(
16
,
32
));
}
public static String c(String
str
, String str2) throws Exception {
return
a(
str
,
"utf-8"
, ao.a(str2).substring(
0
,
32
), ao.a(str2).substring(
16
,
32
));
}
this.g
=
com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ?
128
:
64
);
this.g
=
com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ?
128
:
64
);
public static String a(
int
i) {
try
{
KeyGenerator instance
=
KeyGenerator.getInstance(
"AES"
);
instance.init(i);
return
a(instance.generateKey().getEncoded());
} catch (Exception e) {
e.printStackTrace();
return
null;
}
}
public static String c(String
str
, String str2) throws Exception {
return
a(
str
,
"utf-8"
, ao.a(str2).substring(
0
,
32
), ao.a(str2).substring(
16
,
32
));
}
public static String a(String
str
) {
return
a(
str
.getBytes());
}
public static String a(byte[] bArr) {
try
{
MessageDigest instance
=
MessageDigest.getInstance(
"MD5"
);
instance.update(bArr);
return
bd.a(instance.digest());
} catch (Exception e) {
e.printStackTrace();
return
null;
}
}
public static String a(byte[] bArr) {
StringBuilder sb
=
new StringBuilder();
for
(byte b : bArr) {
String hexString
=
Integer.toHexString(b &
255
);
if
(hexString.length()
=
=
1
) {
sb.append(
'0'
);
}
sb.append(hexString);
}
return
sb.toString();
}
public static String a(String
str
, String str2, String str3, String str4) throws Exception {
SecretKeySpec secretKeySpec
=
new SecretKeySpec(str3.getBytes(str2),
"AES"
);
Cipher instance
=
Cipher.getInstance(
"AES/CBC/PKCS5Padding"
);
instance.init(
1
, secretKeySpec, new IvParameterSpec(str4.getBytes()));
return
a(instance.doFinal(
str
.getBytes(str2)));
}
public static String a(
int
i) {
try
{
KeyGenerator instance
=
KeyGenerator.getInstance(
"AES"
);
instance.init(i);
return
a(instance.generateKey().getEncoded());
} catch (Exception e) {
e.printStackTrace();
return
null;
}
}
public static String c(String
str
, String str2) throws Exception {
return
a(
str
,
"utf-8"
, ao.a(str2).substring(
0
,
32
), ao.a(str2).substring(
16
,
32
));
}
public static String a(String
str
) {
return
a(
str
.getBytes());
}
public static String a(byte[] bArr) {
try
{
MessageDigest instance
=
MessageDigest.getInstance(
"MD5"
);
instance.update(bArr);
return
bd.a(instance.digest());
} catch (Exception e) {
e.printStackTrace();
return
null;
}
}
public static String a(byte[] bArr) {
StringBuilder sb
=
new StringBuilder();
for
(byte b : bArr) {
String hexString
=
Integer.toHexString(b &
255
);
if
(hexString.length()
=
=
1
) {
sb.append(
'0'
);
}
sb.append(hexString);
}
return
sb.toString();
}
public static String a(String
str
, String str2, String str3, String str4) throws Exception {
SecretKeySpec secretKeySpec
=
new SecretKeySpec(str3.getBytes(str2),
"AES"
);
Cipher instance
=
Cipher.getInstance(
"AES/CBC/PKCS5Padding"
);
instance.init(
1
, secretKeySpec, new IvParameterSpec(str4.getBytes()));
return
a(instance.doFinal(
str
.getBytes(str2)));
}
public String e() {
String a2
=
com.xxx.fanxing.core.common.fingerprint.a.a();
return
TextUtils.isEmpty(a2) ?
"-"
: a2;
}
a2
-
> share_data
-
> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段
public String e() {
String a2
=
com.xxx.fanxing.core.common.fingerprint.a.a();
return
TextUtils.isEmpty(a2) ?
"-"
: a2;
}
a2
-
> share_data
-
> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段
hashMap.put(
"pk"
, com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
public static String a(String
str
, String str2) throws Exception {
HashMap hashMap
=
new HashMap();
hashMap.put(
"clienttime_ms"
,
str
);
hashMap.put(ao.M, str2);
return
com.xxx.common.player.kugouplayer.a.d(hashMap);
}
hashMap.put(
"pk"
, com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
public static String a(String
str
, String str2) throws Exception {
HashMap hashMap
=
new HashMap();
hashMap.put(
"clienttime_ms"
,
str
);
hashMap.put(ao.M, str2);
return
com.xxx.common.player.kugouplayer.a.d(hashMap);
}
str
为时间戳,str2为AES随机密钥
组成形式如下:
str
为时间戳,str2为AES随机密钥
组成形式如下:
import
rsa
import
base64
from
Crypto.PublicKey
import
RSA
def
zfillStrToBin(s):
b
=
bytes(s.encode())
for
i
in
range
(
128
-
len
(b)):
b
+
=
b
'\0'
print
(
len
(b))
return
b
class
RsaNopadding:
def
__init__(
self
, key):
self
.pubkey
=
RSA.importKey(base64.b64decode(key))
def
encrypt(
self
, message):
kLen
=
rsa.common.byte_size(
self
.pubkey.n)
msg
=
zfillStrToBin(message)
_b
=
rsa.transform.bytes2int(msg)
_i
=
rsa.core.encrypt_int(_b,
self
.pubkey.e,
self
.pubkey.n)
result
=
rsa.transform.int2bytes(_i, kLen)
return
result.
hex
().upper()
message
=
'{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg
=
RsaNopadding(
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB"
)
print
(msg.encrypt(message))
import
rsa
import
base64
from
Crypto.PublicKey
import
RSA
def
zfillStrToBin(s):
b
=
bytes(s.encode())
for
i
in
range
(
128
-
len
(b)):
b
+
=
b
'\0'
print
(
len
(b))
return
b
class
RsaNopadding:
def
__init__(
self
, key):
self
.pubkey
=
RSA.importKey(base64.b64decode(key))
def
encrypt(
self
, message):
kLen
=
rsa.common.byte_size(
self
.pubkey.n)
msg
=
zfillStrToBin(message)
_b
=
rsa.transform.bytes2int(msg)
_i
=
rsa.core.encrypt_int(_b,
self
.pubkey.e,
self
.pubkey.n)
result
=
rsa.transform.int2bytes(_i, kLen)
return
result.
hex
().upper()
message
=
'{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg
=
RsaNopadding(
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB"
)
print
(msg.encrypt(message))
String t1
=
com.xxx.common.player.kugouplayer.a.b(null);
String t1
=
com.xxx.common.player.kugouplayer.a.b(null);
int
__fastcall f4(
int
a1)
{
LABEL_44:
/
/
走这
v76[
0
]
=
(
int
)v76;
v76[
1
]
=
(
int
)v76;
v76[
2
]
=
0
;
v77
=
0
;
v78
=
0
;
v79
=
0
;
std::string::__init((
int
)&v77, (
int
)&aEia[
2
],
1
);
v34
=
v77;
v35
=
v78;
v77
=
0
;
v78
=
0
;
v103
=
v34;
v104
=
v35;
v105
=
v79;
v79
=
0
;
std::string::basic_string((
int
)v106, (
int
)&v66);
std::
list
<std::pair<std::string,std::string>>::push_back((
int
)v76, (
int
)&v103);
std::string::~string((
int
)v106);
std::string::~string((
int
)&v103);
std::string::~string((
int
)&v77);
v80
=
0
;
v81
=
0
;
v82
=
0
;
std::string::__init((
int
)&v80, (
int
)
"b"
,
1
);
f5(&v83);
/
/
daytime
v36
=
v80;
v37
=
v81;
v38
=
v82;
v80
=
0
;
v81
=
0
;
v82
=
0
;
v103
=
v36;
v104
=
v37;
v105
=
v38;
v39
=
v83;
v40
=
v84;
v41
=
v85;
v83
=
0
;
v84
=
0
;
v85
=
0
;
v106[
0
]
=
v39;
v106[
1
]
=
v40;
v106[
2
]
=
v41;
std::
list
<std::pair<std::string,std::string>>::push_back((
int
)v76, (
int
)&v103);
std::string::~string((
int
)v106);
std::string::~string((
int
)&v103);
std::string::~string((
int
)&v83);
std::string::~string((
int
)&v80);
f9((
int
)v86, (
int
)v76);
v87
=
0
;
v42
=
v107;
v88
=
0
;
v89
=
0
;
v95[
0
]
=
0
;
v95[
1
]
=
0
;
v95[
2
]
=
0
;
v43
=
aBdeaed243193ce;
/
/
v42
=
bdeaed243193ce1i
#~DC<M[g
do
{
v44
=
*
(_DWORD
*
)v43;
v43
+
=
8
;
v45
=
*
((_DWORD
*
)v43
-
1
);
*
(_DWORD
*
)v42
=
v44;
/
/
整个循环将bdeaed243193ce1i
#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
*
((_DWORD
*
)v42
+
1
)
=
v45;
v42
+
=
8
;
}
while
( v43 !
=
(const char
*
)&unk_D90E4 );
v103
=
0
;
v104
=
0
;
v105
=
0
;
std::string::__init((
int
)&v103, (
int
)v107,
32
);
/
/
v105
=
v109
=
bdeaed243193ce1i
#~DC<M[g..=2..~4
/
/
62
64
65
61
65
64
32
34
33
31
39
33
63
65
31
69
/
/
23
7E
44
43
3C
4D
5B
67
7F
0E
3D
32
01
2E
7E
34
v46
=
(unsigned __int8)v103;
if
( (v103 &
1
)
=
=
0
)
v46
=
(
int
)(unsigned __int8)v103 >>
1
;
if
( (v103 &
1
) !
=
0
)
v46
=
v104;
v47
=
v46
-
2
;
do
{
if
( v47 <
0
)
break
;
v48
=
(v103 &
1
) !
=
0
? v105 : (
int
*
)((char
*
)&v103
+
1
);
v49
=
(char
*
)v48
+
v47;
/
/
转换v105为bdeaed243193ce11ac913bbd48d340a4
v50
=
(v103 &
1
) !
=
0
? v105 : (
int
*
)((char
*
)&v103
+
1
);
v51
=
*
((_BYTE
*
)v50
+
v47);
v52
=
(char
*
)&unk_D90E4
+
v47
-
v46;
-
-
v47;
*
v49
=
v51 ^ v52[
17
];
}
while
( v47 !
=
v46
-
18
);
std::string::basic_string((
int
)&v100, (
int
)&v103);
std::string::~string((
int
)&v103);
v53
=
v107;
v54
=
aAc913bbd48d340;
/
/
v54
=
ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
do
{
v55
=
*
(_DWORD
*
)v54;
v54
+
=
8
;
v56
=
*
((_DWORD
*
)v54
-
1
);
*
(_DWORD
*
)v53
=
v55;
/
/
整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
*
((_DWORD
*
)v53
+
1
)
=
v56;
v53
+
=
8
;
}
while
( v54 !
=
&aAc913bbd48d340[
16
] );
v103
=
0
;
v104
=
0
;
v105
=
0
;
std::string::__init((
int
)&v103, (
int
)v107,
16
);
/
/
v103
=
v107
=
ac913bbd48d340a4
std::string::basic_string((
int
)v99, (
int
)&v103);
std::string::~string((
int
)&v103);
sub_394FC(
1
, v86, v95, (unsigned __int8
*
)&v100, v99);
/
/
AES加密
std::string::~string((
int
)v99);
std::string::~string((
int
)&v100);
f11((
int
)&v96, (
int
)v95);
/
/
HEX
格式化
v58
=
v87 &
1
;
if
( (v87 &
1
) !
=
0
)
{
v57
=
v89;
v58
=
0
;
}
else
{
BYTE1(v87)
=
v87 &
1
;
}
if
( (v87 &
1
) !
=
0
)
{
*
v57
=
v58;
v88
=
v58;
}
else
{
LOBYTE(v87)
=
v58;
}
std::string::reserve((
int
)&v87,
0
);
v59
=
v96;
v60
=
v97;
v61
=
v98;
v96
=
0
;
v97
=
0
;
v98
=
0
;
v87
=
v59;
v88
=
v60;
v89
=
(_BYTE
*
)v61;
std::string::~string((
int
)&v96);
std::string::~string((
int
)v95);
if
( (
*
(_BYTE
*
)a1 &
1
) !
=
0
)
{
*
*
(_BYTE
*
*
)(a1
+
8
)
=
0
;
*
(_DWORD
*
)(a1
+
4
)
=
0
;
}
else
{
*
(_BYTE
*
)(a1
+
1
)
=
0
;
*
(_BYTE
*
)a1
=
0
;
}
std::string::reserve(a1,
0
);
v62
=
v87;
v63
=
v88;
v64
=
(
int
)v89;
v87
=
0
;
v88
=
0
;
v89
=
0
;
*
(_DWORD
*
)a1
=
v62;
*
(_DWORD
*
)(a1
+
4
)
=
v63;
*
(_DWORD
*
)(a1
+
8
)
=
v64;
std::string::~string((
int
)&v87);
std::string::~string((
int
)v86);
std::__list_imp<std::pair<std::string,std::string>>::clear(v76);
std::string::~string((
int
)&v66);
return
a1;
}
int
__fastcall f4(
int
a1)
{
LABEL_44:
/
/
走这
v76[
0
]
=
(
int
)v76;
v76[
1
]
=
(
int
)v76;
v76[
2
]
=
0
;
v77
=
0
;
v78
=
0
;
v79
=
0
;
std::string::__init((
int
)&v77, (
int
)&aEia[
2
],
1
);
v34
=
v77;
v35
=
v78;
v77
=
0
;
v78
=
0
;
v103
=
v34;
v104
=
v35;
v105
=
v79;
v79
=
0
;
std::string::basic_string((
int
)v106, (
int
)&v66);
std::
list
<std::pair<std::string,std::string>>::push_back((
int
)v76, (
int
)&v103);
std::string::~string((
int
)v106);
std::string::~string((
int
)&v103);
std::string::~string((
int
)&v77);
v80
=
0
;
v81
=
0
;
v82
=
0
;
std::string::__init((
int
)&v80, (
int
)
"b"
,
1
);
f5(&v83);
/
/
daytime
v36
=
v80;
v37
=
v81;
v38
=
v82;
v80
=
0
;
v81
=
0
;
v82
=
0
;
v103
=
v36;
v104
=
v37;
v105
=
v38;
v39
=
v83;
v40
=
v84;
v41
=
v85;
v83
=
0
;
v84
=
0
;
v85
=
0
;
v106[
0
]
=
v39;
v106[
1
]
=
v40;
v106[
2
]
=
v41;
std::
list
<std::pair<std::string,std::string>>::push_back((
int
)v76, (
int
)&v103);
std::string::~string((
int
)v106);
std::string::~string((
int
)&v103);
std::string::~string((
int
)&v83);
std::string::~string((
int
)&v80);
f9((
int
)v86, (
int
)v76);
v87
=
0
;
v42
=
v107;
v88
=
0
;
v89
=
0
;
v95[
0
]
=
0
;
v95[
1
]
=
0
;
v95[
2
]
=
0
;
v43
=
aBdeaed243193ce;
/
/
v42
=
bdeaed243193ce1i
#~DC<M[g
do
{
v44
=
*
(_DWORD
*
)v43;
v43
+
=
8
;
v45
=
*
((_DWORD
*
)v43
-
1
);
*
(_DWORD
*
)v42
=
v44;
/
/
整个循环将bdeaed243193ce1i
#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
*
((_DWORD
*
)v42
+
1
)
=
v45;
v42
+
=
8
;
}
while
( v43 !
=
(const char
*
)&unk_D90E4 );
v103
=
0
;
v104
=
0
;
v105
=
0
;
std::string::__init((
int
)&v103, (
int
)v107,
32
);
/
/
v105
=
v109
=
bdeaed243193ce1i
#~DC<M[g..=2..~4
/
/
62
64
65
61
65
64
32
34
33
31
39
33
63
65
31
69
/
/
23
7E
44
43
3C
4D
5B
67
7F
0E
3D
32
01
2E
7E
34
v46
=
(unsigned __int8)v103;
if
( (v103 &
1
)
=
=
0
)
v46
=
(
int
)(unsigned __int8)v103 >>
1
;
if
( (v103 &
1
) !
=
0
)
v46
=
v104;
v47
=
v46
-
2
;
do
{
if
( v47 <
0
)
break
;
v48
=
(v103 &
1
) !
=
0
? v105 : (
int
*
)((char
*
)&v103
+
1
);
v49
=
(char
*
)v48
+
v47;
/
/
转换v105为bdeaed243193ce11ac913bbd48d340a4
v50
=
(v103 &
1
) !
=
0
? v105 : (
int
*
)((char
*
)&v103
+
1
);
v51
=
*
((_BYTE
*
)v50
+
v47);
v52
=
(char
*
)&unk_D90E4
+
v47
-
v46;
-
-
v47;
*
v49
=
v51 ^ v52[
17
];
}
while
( v47 !
=
v46
-
18
);
std::string::basic_string((
int
)&v100, (
int
)&v103);
std::string::~string((
int
)&v103);
v53
=
v107;
v54
=
aAc913bbd48d340;
/
/
v54
=
ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
do
{
v55
=
*
(_DWORD
*
)v54;
v54
+
=
8
;
v56
=
*
((_DWORD
*
)v54
-
1
);
*
(_DWORD
*
)v53
=
v55;
/
/
整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
*
((_DWORD
*
)v53
+
1
)
=
v56;
v53
+
=
8
;
}
while
( v54 !
=
&aAc913bbd48d340[
16
] );
v103
=
0
;
v104
=
0
;
v105
=
0
;
std::string::__init((
int
)&v103, (
int
)v107,
16
);
/
/
v103
=
v107
=
ac913bbd48d340a4
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
- [原创]某cocos2djs游戏jsc以及资源文件解密 1337
- [原创]某摄像头协议分析 22837
- [原创]某 APP 聊天协议逆向 44094
- [原创]某APP登录参数分析 25390