首页
社区
课程
招聘
[原创]某APP登录参数分析
发表于: 2022-4-21 11:23 25389

[原创]某APP登录参数分析

2022-4-21 11:23
25389

本篇文章仅为学习交流所用,涉及的数据已做脱敏处理,请勿用于不当途径,侵权请联系

IDA、JADX、Frida、Charles


首先抓包看一下登录包:


{
"params": "5F1D4B282F5E89548F98FC30853F4F9289D874AA82EDB0ED82330B07CF5D208ECAAF446BAEA4D4848BB7515573123514EFDEA8E6C1000FEF8F30A9901382B7119822C74B9C91394F9DDFF8B239E241F9",
"clienttime_ms": "1647312358378",
"support_face_verify": "1",
"dfid": "-",
"dev": "Pixel%204",
"plat": "1",
"pk": "7C9E722B7BCCE5B56BAB9D42902B2A4F238BAA40EACCCEECACE72C3EE46A85B1B833F7800E6D2B968EE809303485376180BD8494EBA84F006DBD050E1F876B3713DE64AFADDA4F51FCC522C6DAC0AFFC8A04AABAF47F95FE6D3F2FB6726A16FC4664AB66CE065E3FCFD7D0FACD3DCA05AA96D74DD96EC74DBF54CA72D088E42C",
"t1": "bfaf46951c6a5c58d4bf618c517354de",
"support_verify": "1",
"support_multi": "1",
"t2": "c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335237a78074f157641a1ddfb5ca4a66c5d72855feae18282b981d896c6f170cb54ca7c21aad3811d69c80a73ad3482c340",
"key": "8d73d8b5da06bad3b466d864812d488b",
"username": "130*696"
}

通过JADX搜索“params”字符串定位到位置:

通过objection hook该方法内的a方法,得到如下结果:

(agent) [302556] Called com.xxxx.fanxing.allinone.common.utils.a.a(java.lang.String, java.lang.String, java.lang.String, java.lang.String)

(agent) [302556] Arguments com.xxx.fanxing.allinone.common.utils.a.a({"username":"13*96","clienttime_ms":"1647313862199","pwd":"557998555"}, utf-8, 0dd6da40aea47d05b5f6612596fd2e7f, b5f6612596fd2e7f)

(agent) [793424] Backtrace:
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.a(SourceFile:117)
com.xxx.fanxing.allinone.common.utils.a.a(Native Method)
com.xxx.fanxing.allinone.common.utils.a.c(SourceFile:106)
com.xxx.fanxing.core.protocol.g.e.c(SourceFile:85)
com.xxx.fanxing.core.protocol.g.e.c(Native Method)
com.xxx.fanxing.core.protocol.g.a.d(SourceFile:76)
com.xxx.fanxing.core.modul.user.login.c.a(SourceFile:50)
com.xxx.fanxing.core.modul.user.login.f.a(SourceFile:228)
com.xxx.fanxing.core.modul.user.ui.a.a(SourceFile:577)
com.xxx.fanxing.core.modul.user.ui.a.j(SourceFile:554)
com.xxx.fanxing.core.modul.user.ui.a.i(SourceFile:520)
com.xxx.fanxing.core.modul.user.ui.a.onClick(SourceFile:417)
android.view.View.performClick(View.java:7259)
android.view.View.performClickInternal(View.java:7236)
android.view.View.access$3600(View.java:801)
android.view.View$PerformClick.run(View.java:27892)
android.os.Handler.handleCallback(Handler.java:883)
android.os.Handler.dispatchMessage(Handler.java:100)
android.os.Looper.loop(Looper.java:214)
android.app.ActivityThread.main(ActivityThread.java:7356)
java.lang.reflect.Method.invoke(Native Method)
com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)

这样我们可以得到a.c(jSONObject.toString(), this.g)中两个参数的来源,其中第一个参数为JSON结构:{"username":"13**96","clienttime_ms":"1647313862199","pwd":"557998555"},第二个参数为AES的KEY,最终将KEY拆分为(0,32)和(16,32)具体生成方式如下:

a方法如下:

最终为通过KeyGenerator生成一个32位的key,然后对key进行MD5,最后将其分割

通过搜索字符串即可定位到如下函数:

{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}

最终调用native层的cc::i加密方法

PUBKEY:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB

Python版RSA_NOPADDING加密方法实现:

最终调用native层的cc::d方法

这里只分析f4函数内关键步骤部分:

cc::d方法里为AES_256_CBC_ENCRYPT

encData: |1649905000102

key:bdeaed243193ce11ac913bbd48d340a4

iv:ac913bbd48d340a4

最终调用native层的cc::e方法

f6函数内部逻辑与t1的f4函数一致

cc::e方法里为AES_256_CBC_ENCRYPT

encData: ||9eea2d301e53|Pixel 4|1649905000118
key:dc8e123f07636a41361b62235fc313ac
iv:361b62235fc313ac

com.xxx.fanxing.core.protocol.g.e.c

ao.m = key

com.xxx.fanxing.allinone.common.d.a

public static int g() {
return 1131;
}

this.b = AppId

com.xxx.fanxing.allinone.common.d.a

public static String h() {
return "4lu0l3cujt2KWIjcM374F8oX5N2lGY59";
}

this.e = AppKey=“4lu0l3cujt2KWIjcM374F8oX5N2lGY59”

getVersion = APPVersion

public int getVersion() {
return y.s();
}

55400

this.h = clienttime_ms

key = MD5("" + AppId + AppKey + APPVersion + String.valueOf(this.h).toLowerCase())

com.xxx.fanxing.allinone.watch.common.protocol.user.a

(agent) [013697] Arguments com.xxx.fanxing.allinone.watch.common.protocol.user.a.a(https://loginservice.kugou.com/v9/login_by_pwd,
1650353888,
1tRbIu1gsMjC2Htvln120WPp,
{"params":"2CA44E5F5D8F189BC68662C0438844D7043484C37D09E7AD1A8A138D44CDCBB0465684EE3C6FD64263174944AD6F2027D0782D9BF64A904432F9FD764CF1C96FF5C90B16DB2932E15FDC56178940207F","clienttime_ms":"1650353888654","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"5F03A05AFD4E10B7283A9F2634153FEFA0AF318DD781687BB907DA770614C021921AEB30AB7A808714C132ECA24285E43E6EA2134A91BB79893B10B4024040E32C8EA448463251173D9E412A5B640F240AA601690DDF9A180599F73AA5CF45F8570F6562ABEFA31196CBB0BB31BB6E781974C56A4640CB70D25955D04F3CC7EA","t1":"cdb7d88e278cab7c596af28cfcd873ba","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea20cc2563d5fc8f040aa77b49c039e40c5e2ca000392eeebfce750e3612ff280f6","key":"ffa858faa437189eb024cdeeb37e372d","username":"130*669"})

com.xxx.fanxing.allinone.common.utils.ao.a(

4lu0l3cujt2KWIjcM374F8oX5N2lGY59

appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf

{"params":"3FF4D2AB2A549FDBD95EBA40F155635B1E9A5EB353EF147EC459EC47FE18EDE2ED465FAE1E974ABB8605499F1434228E6A30779E0E07DB12A79775A6073EE748709951692C97506CD6384513250870B3","clienttime_ms":"1650356391589","support_face_verify":"1","dfid":"1tRbIu1gsMjC2Htvln120WPp","dev":"Pixel%204","plat":"1","pk":"62A6F1633AD5B9F85007AD597B90157C854A796FEA8D965E110C9D8FB152170E18CF6868F4497E1FAA62F13B257758DF803B2E4ABCF28980207534BE8B8728DFA50A4F00AD2626307B31C850E8ACED450393643C5CE8DD679E1F77186D3CED20DB72E8003C4EF2048EC1942035159EDB2590095D09B6E7A706A72F5E96408212","t1":"512640caae5a66bb98402eda86b5b026","support_verify":"1","support_multi":"1","t2":"c397de1fd7e436639fa90f367c0b47d290831b64f19d803fc09a91ee47bcc1648e5a87f1f934ed09cfb7046dad52253cf564684d5bdef1d67fc91c74d6245335d459ddad1015bb5e96678cc0185b5ea2a4865a6be23bed4a31f7625c6927379348d014b77b354e00181c2e0b1530397a","key":"7e8cfb92bb4be58f9a62e0af4c040783","username":"130*669"}

4lu0l3cujt2KWIjcM374F8oX5N2lGY59)

signature=MD5(appkey+appid=1131clienttime=1650356391clientver=55400dfid=1tRbIu1gsMjC2Htvln120WPpmid=5c539aee628111af4fc4645c761885bfuuid=5c539aee628111af4fc4645c761885bf+ post data + appkey)

算法还原Python版

 
this.j.put("params", a.c(jSONObject.toString(), this.g));
 
进入c方法内可以看到:
this.j.put("params", a.c(jSONObject.toString(), this.g));
 
进入c方法内可以看到:
public static String c(String str, String str2) throws Exception {
        return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
    }
public static String c(String str, String str2) throws Exception {
        return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
    }
 
 
 
 
this.g = com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ? 128 : 64);
this.g = com.xxx.fanxing.allinone.common.utils.a.a(com.kugou.fanxing.allinone.common.constant.c.hz() ? 128 : 64);
public static String a(int i) {
        try {
            KeyGenerator instance = KeyGenerator.getInstance("AES");
            instance.init(i);
            return a(instance.generateKey().getEncoded());
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
 
public static String c(String str, String str2) throws Exception {
        return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
    }
public static String a(String str) {
        return a(str.getBytes());
    }
 
public static String a(byte[] bArr) {
        try {
            MessageDigest instance = MessageDigest.getInstance("MD5");
            instance.update(bArr);
            return bd.a(instance.digest());
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
public static String a(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bArr) {
            String hexString = Integer.toHexString(b & 255);
            if (hexString.length() == 1) {
                sb.append('0');
            }
            sb.append(hexString);
        }
        return sb.toString();
    }
 
public static String a(String str, String str2, String str3, String str4) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec(str3.getBytes(str2), "AES");
        Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
        instance.init(1, secretKeySpec, new IvParameterSpec(str4.getBytes()));
        return a(instance.doFinal(str.getBytes(str2)));
    }
public static String a(int i) {
        try {
            KeyGenerator instance = KeyGenerator.getInstance("AES");
            instance.init(i);
            return a(instance.generateKey().getEncoded());
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
 
public static String c(String str, String str2) throws Exception {
        return a(str, "utf-8", ao.a(str2).substring(0, 32), ao.a(str2).substring(16, 32));
    }
public static String a(String str) {
        return a(str.getBytes());
    }
 
public static String a(byte[] bArr) {
        try {
            MessageDigest instance = MessageDigest.getInstance("MD5");
            instance.update(bArr);
            return bd.a(instance.digest());
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
public static String a(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bArr) {
            String hexString = Integer.toHexString(b & 255);
            if (hexString.length() == 1) {
                sb.append('0');
            }
            sb.append(hexString);
        }
        return sb.toString();
    }
 
public static String a(String str, String str2, String str3, String str4) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec(str3.getBytes(str2), "AES");
        Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
        instance.init(1, secretKeySpec, new IvParameterSpec(str4.getBytes()));
        return a(instance.doFinal(str.getBytes(str2)));
    }
public String e() {
        String a2 = com.xxx.fanxing.core.common.fingerprint.a.a();
        return TextUtils.isEmpty(a2) ? "-" : a2;
    }
 
a2 -> share_data -> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段
public String e() {
        String a2 = com.xxx.fanxing.core.common.fingerprint.a.a();
        return TextUtils.isEmpty(a2) ? "-" : a2;
    }
 
a2 -> share_data -> device_fingerprint
通过sharedPreferences读取了文件名为share_data里的device_fingerprint字段
hashMap.put("pk", com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
 
public static String a(String str, String str2) throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("clienttime_ms", str);
        hashMap.put(ao.M, str2);
        return com.xxx.common.player.kugouplayer.a.d(hashMap);
    }
hashMap.put("pk", com.xxx.fanxing.core.protocol.g.a.a(String.valueOf(currentTimeMillis), a2));
 
public static String a(String str, String str2) throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("clienttime_ms", str);
        hashMap.put(ao.M, str2);
        return com.xxx.common.player.kugouplayer.a.d(hashMap);
    }
str为时间戳,str2为AES随机密钥
组成形式如下:
str为时间戳,str2为AES随机密钥
组成形式如下:
 
 
 
 
import rsa
import base64
from Crypto.PublicKey import RSA
 
 
def zfillStrToBin(s):
    b = bytes(s.encode())
    for i in range(128 - len(b)):
        b += b'\0'
    print(len(b))
    return b
 
 
class RsaNopadding:
 
    def __init__(self, key):
        self.pubkey = RSA.importKey(base64.b64decode(key))
 
    def encrypt(self, message):
        kLen = rsa.common.byte_size(self.pubkey.n)
        msg = zfillStrToBin(message)
        _b = rsa.transform.bytes2int(msg)
        _i = rsa.core.encrypt_int(_b, self.pubkey.e, self.pubkey.n)
        result = rsa.transform.int2bytes(_i, kLen)
        return result.hex().upper()
 
 
message = '{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg = RsaNopadding(
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB")
print(msg.encrypt(message))
import rsa
import base64
from Crypto.PublicKey import RSA
 
 
def zfillStrToBin(s):
    b = bytes(s.encode())
    for i in range(128 - len(b)):
        b += b'\0'
    print(len(b))
    return b
 
 
class RsaNopadding:
 
    def __init__(self, key):
        self.pubkey = RSA.importKey(base64.b64decode(key))
 
    def encrypt(self, message):
        kLen = rsa.common.byte_size(self.pubkey.n)
        msg = zfillStrToBin(message)
        _b = rsa.transform.bytes2int(msg)
        _i = rsa.core.encrypt_int(_b, self.pubkey.e, self.pubkey.n)
        result = rsa.transform.int2bytes(_i, kLen)
        return result.hex().upper()
 
 
message = '{"clienttime_ms":"1647829236357","key":"E96E510C296711ECEA6C85CAF6152F4D"}'
msg = RsaNopadding(
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2DT4odzkDd7hMlZ7djdZQH12j38nKxriINW1MGjMry3tXheya113xwmbBOwN0GA4zTwKFauFJRzcsD0nDFq1eaatcFKeDF25R4dnQRX+4BdTwFVS8lIb8nJMluSBwK+i4Z3VF+gfZ0AqQOXda6lJ4jPBt9Ep7VXEAHXUDn9JM8wIDAQAB")
print(msg.encrypt(message))
String t1 = com.xxx.common.player.kugouplayer.a.b(null);
String t1 = com.xxx.common.player.kugouplayer.a.b(null);
 
 
int __fastcall f4(int a1)
{
LABEL_44:                                       // 走这
  v76[0] = (int)v76;
  v76[1] = (int)v76;
  v76[2] = 0;
  v77 = 0;
  v78 = 0;
  v79 = 0;
  std::string::__init((int)&v77, (int)&aEia[2], 1);
  v34 = v77;
  v35 = v78;
  v77 = 0;
  v78 = 0;
  v103 = v34;
  v104 = v35;
  v105 = v79;
  v79 = 0;
  std::string::basic_string((int)v106, (int)&v66);
  std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
  std::string::~string((int)v106);
  std::string::~string((int)&v103);
  std::string::~string((int)&v77);
  v80 = 0;
  v81 = 0;
  v82 = 0;
  std::string::__init((int)&v80, (int)"b", 1);
  f5(&v83);                                     // daytime
  v36 = v80;
  v37 = v81;
  v38 = v82;
  v80 = 0;
  v81 = 0;
  v82 = 0;
  v103 = v36;
  v104 = v37;
  v105 = v38;
  v39 = v83;
  v40 = v84;
  v41 = v85;
  v83 = 0;
  v84 = 0;
  v85 = 0;
  v106[0] = v39;
  v106[1] = v40;
  v106[2] = v41;
  std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
  std::string::~string((int)v106);
  std::string::~string((int)&v103);
  std::string::~string((int)&v83);
  std::string::~string((int)&v80);
  f9((int)v86, (int)v76);
  v87 = 0;
  v42 = v107;
  v88 = 0;
  v89 = 0;
  v95[0] = 0;
  v95[1] = 0;
  v95[2] = 0;
  v43 = aBdeaed243193ce;                        // v42=bdeaed243193ce1i#~DC<M[g
  do
  {
    v44 = *(_DWORD *)v43;
    v43 += 8;
    v45 = *((_DWORD *)v43 - 1);
    *(_DWORD *)v42 = v44;                       // 整个循环将bdeaed243193ce1i#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
    *((_DWORD *)v42 + 1) = v45;
    v42 += 8;
  }
  while ( v43 != (const char *)&unk_D90E4 );
  v103 = 0;
  v104 = 0;
  v105 = 0;
  std::string::__init((int)&v103, (int)v107, 32);// v105=v109=bdeaed243193ce1i#~DC<M[g..=2..~4
                                                // 62 64 65 61 65 64 32 34 33 31 39 33 63 65 31 69
                                                // 23 7E 44 43 3C 4D 5B 67 7F 0E 3D 32 01 2E 7E 34
  v46 = (unsigned __int8)v103;
  if ( (v103 & 1) == 0 )
    v46 = (int)(unsigned __int8)v103 >> 1;
  if ( (v103 & 1) != 0 )
    v46 = v104;
  v47 = v46 - 2;
  do
  {
    if ( v47 < 0 )
      break;
    v48 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
    v49 = (char *)v48 + v47;                    // 转换v105为bdeaed243193ce11ac913bbd48d340a4
    v50 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
    v51 = *((_BYTE *)v50 + v47);
    v52 = (char *)&unk_D90E4 + v47 - v46;
    --v47;
    *v49 = v51 ^ v52[17];
  }
  while ( v47 != v46 - 18 );
  std::string::basic_string((int)&v100, (int)&v103);
  std::string::~string((int)&v103);
  v53 = v107;
  v54 = aAc913bbd48d340;                        // v54 = ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
  do
  {
    v55 = *(_DWORD *)v54;
    v54 += 8;
    v56 = *((_DWORD *)v54 - 1);
    *(_DWORD *)v53 = v55;                       // 整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
    *((_DWORD *)v53 + 1) = v56;
    v53 += 8;
  }
  while ( v54 != &aAc913bbd48d340[16] );
  v103 = 0;
  v104 = 0;
  v105 = 0;
  std::string::__init((int)&v103, (int)v107, 16);// v103=v107=ac913bbd48d340a4
  std::string::basic_string((int)v99, (int)&v103);
  std::string::~string((int)&v103);
  sub_394FC(1, v86, v95, (unsigned __int8 *)&v100, v99);// AES加密
  std::string::~string((int)v99);
  std::string::~string((int)&v100);
  f11((int)&v96, (int)v95);                     // HEX格式化
  v58 = v87 & 1;
  if ( (v87 & 1) != 0 )
  {
    v57 = v89;
    v58 = 0;
  }
  else
  {
    BYTE1(v87) = v87 & 1;
  }
  if ( (v87 & 1) != 0 )
  {
    *v57 = v58;
    v88 = v58;
  }
  else
  {
    LOBYTE(v87) = v58;
  }
  std::string::reserve((int)&v87, 0);
  v59 = v96;
  v60 = v97;
  v61 = v98;
  v96 = 0;
  v97 = 0;
  v98 = 0;
  v87 = v59;
  v88 = v60;
  v89 = (_BYTE *)v61;
  std::string::~string((int)&v96);
  std::string::~string((int)v95);
  if ( (*(_BYTE *)a1 & 1) != 0 )
  {
    **(_BYTE **)(a1 + 8) = 0;
    *(_DWORD *)(a1 + 4) = 0;
  }
  else
  {
    *(_BYTE *)(a1 + 1) = 0;
    *(_BYTE *)a1 = 0;
  }
  std::string::reserve(a1, 0);
  v62 = v87;
  v63 = v88;
  v64 = (int)v89;
  v87 = 0;
  v88 = 0;
  v89 = 0;
  *(_DWORD *)a1 = v62;
  *(_DWORD *)(a1 + 4) = v63;
  *(_DWORD *)(a1 + 8) = v64;
  std::string::~string((int)&v87);
  std::string::~string((int)v86);
  std::__list_imp<std::pair<std::string,std::string>>::clear(v76);
  std::string::~string((int)&v66);
  return a1;
}
int __fastcall f4(int a1)
{
LABEL_44:                                       // 走这
  v76[0] = (int)v76;
  v76[1] = (int)v76;
  v76[2] = 0;
  v77 = 0;
  v78 = 0;
  v79 = 0;
  std::string::__init((int)&v77, (int)&aEia[2], 1);
  v34 = v77;
  v35 = v78;
  v77 = 0;
  v78 = 0;
  v103 = v34;
  v104 = v35;
  v105 = v79;
  v79 = 0;
  std::string::basic_string((int)v106, (int)&v66);
  std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
  std::string::~string((int)v106);
  std::string::~string((int)&v103);
  std::string::~string((int)&v77);
  v80 = 0;
  v81 = 0;
  v82 = 0;
  std::string::__init((int)&v80, (int)"b", 1);
  f5(&v83);                                     // daytime
  v36 = v80;
  v37 = v81;
  v38 = v82;
  v80 = 0;
  v81 = 0;
  v82 = 0;
  v103 = v36;
  v104 = v37;
  v105 = v38;
  v39 = v83;
  v40 = v84;
  v41 = v85;
  v83 = 0;
  v84 = 0;
  v85 = 0;
  v106[0] = v39;
  v106[1] = v40;
  v106[2] = v41;
  std::list<std::pair<std::string,std::string>>::push_back((int)v76, (int)&v103);
  std::string::~string((int)v106);
  std::string::~string((int)&v103);
  std::string::~string((int)&v83);
  std::string::~string((int)&v80);
  f9((int)v86, (int)v76);
  v87 = 0;
  v42 = v107;
  v88 = 0;
  v89 = 0;
  v95[0] = 0;
  v95[1] = 0;
  v95[2] = 0;
  v43 = aBdeaed243193ce;                        // v42=bdeaed243193ce1i#~DC<M[g
  do
  {
    v44 = *(_DWORD *)v43;
    v43 += 8;
    v45 = *((_DWORD *)v43 - 1);
    *(_DWORD *)v42 = v44;                       // 整个循环将bdeaed243193ce1i#~DC<M[g扩展到bdeaed243193ce1i#~DC<M[g..=2..~4
    *((_DWORD *)v42 + 1) = v45;
    v42 += 8;
  }
  while ( v43 != (const char *)&unk_D90E4 );
  v103 = 0;
  v104 = 0;
  v105 = 0;
  std::string::__init((int)&v103, (int)v107, 32);// v105=v109=bdeaed243193ce1i#~DC<M[g..=2..~4
                                                // 62 64 65 61 65 64 32 34 33 31 39 33 63 65 31 69
                                                // 23 7E 44 43 3C 4D 5B 67 7F 0E 3D 32 01 2E 7E 34
  v46 = (unsigned __int8)v103;
  if ( (v103 & 1) == 0 )
    v46 = (int)(unsigned __int8)v103 >> 1;
  if ( (v103 & 1) != 0 )
    v46 = v104;
  v47 = v46 - 2;
  do
  {
    if ( v47 < 0 )
      break;
    v48 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
    v49 = (char *)v48 + v47;                    // 转换v105为bdeaed243193ce11ac913bbd48d340a4
    v50 = (v103 & 1) != 0 ? v105 : (int *)((char *)&v103 + 1);
    v51 = *((_BYTE *)v50 + v47);
    v52 = (char *)&unk_D90E4 + v47 - v46;
    --v47;
    *v49 = v51 ^ v52[17];
  }
  while ( v47 != v46 - 18 );
  std::string::basic_string((int)&v100, (int)&v103);
  std::string::~string((int)&v103);
  v53 = v107;
  v54 = aAc913bbd48d340;                        // v54 = ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.
  do
  {
    v55 = *(_DWORD *)v54;
    v54 += 8;
    v56 = *((_DWORD *)v54 - 1);
    *(_DWORD *)v53 = v55;                       // 整个循环将ac913bbd48d340a41234567890qwertyuiopasdfghjklzxcvbnm.转换为ac913bbd48d340a4
    *((_DWORD *)v53 + 1) = v56;
    v53 += 8;
  }
  while ( v54 != &aAc913bbd48d340[16] );
  v103 = 0;
  v104 = 0;
  v105 = 0;
  std::string::__init((int)&v103, (int)v107, 16);// v103=v107=ac913bbd48d340a4

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2023-4-14 11:11 被REerr编辑 ,原因:
收藏
免费 6
支持
分享
最新回复 (2)
雪    币: 321
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
学到了,感谢大佬
2022-4-21 13:03
0
雪    币: 859
活跃值: (945)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
学习大佬,手机号暴露了哈哈
2022-8-11 10:13
0
游客
登录 | 注册 方可回帖
返回
//