[原创]GoJni 协议加解密分析-Android安全-看雪-安全社区|安全招聘|kanxue.com

[原创]GoJni 协议加解密分析
发表于: 2023-3-23 22:18 29948
[原创]GoJni 协议加解密分析

.KK
2023-3-23 22:18
29948
string 看起来是一个整体，但是本质上是一片连续的内存空间，我们也可以将它理解成一个由字符组成的数组，相比于切片仅仅少了一个 Cap 属性
字符串：底层结构是一个包含指向底层数据的指针和长度信息的结构体，定义如下：
这里记住 Go 的字符串是，字符串 + 字符串长度 或 字符串 + 字符串长度 + 容量 组成的即可
  
ARM 中常用的栈是 sp < bp 的，也就是递减的（向下增长、连续的内存区域，通常被称为“向下堆栈”或“逆序堆栈”），临时变量 < sp，可用堆栈 > sp
  补充：SP 与 BP 都是栈指针，用于管理栈的位置和操作。它们的使用方法和作用有所不同，但都是必不可少的
在 ARM 架构中，BP 并不是必须的，因为可以使用 SP 来访问局部变量和参数。但是在某些情况下，BP 可以提高代码的可读性和可维护性，特别是在调试时。此外，BP 还可以用于保存上一个函数的栈帧指针，以便在返回时恢复上一个函数的状态
 
大概分析了下请求都有加密且格式固定，如下图 data
 
根据一些关键词进行快速定位，k 方法一看就很像
  
跟了一下 String e2 = e(encryptData); 逻辑最终到了 native 层，hook 一下
  
拿了 token + 一堆设备信息进行加密，这里先不追 token 怎么来的（我猜是初始化 App 得到的！
经过多次调用相同入参，密文不同（猜测可能对称加密里不同的加密分组模式， pwd 可能就是初始化向量的 IV ，这里仅仅是一个猜测
其实打开 IDA 看到这我是懵逼的
  
通过 ChatGPT 分析可知，这是 Go 写的 jni 程序（利用 ChatGPI 辅助分析这套组合拳是真的不错！！
  
汇编解释
参考文档 内部机制 - Go语言高级编程
Java_com_qq_lib_EncryptUtil_encrypt 这里应该遵循 JNI 调用，所以参数1到参数4应该是 env, clz, src, pwd
  
其实这里还可以使用 JEB 分析 So（下图为 JEB 分析 Native 函数的结果
  
进入 cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt 分析逻辑可以发现不管是 JEB 还是 IDA，区别还是挺大的，但我对它俩的反编译结果都不是很满意
  
大概分析了下，看了几个函数调用觉得 sub_FFD0C 函数有点像加密处理相关的东西
  
ALT + F7 运行 go_parser/go_parser.py 加载脚本文件即可恢复符号，不过这里脚本似乎跑到提示 Standard types building finished. Total types count: 718 应该就可以中断脚本了（估计脚本还存在 Bug，不过对于我们来说够用了
  
与没修复的 cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt 函数对比，可以发现清晰许多
sub_FFD0C 函数对应 main__libso_encrypt ，是不是清晰许多
  
这里还写了一个 Call 去调用，方便我们调试，也可以选择传入不是 JSON 格式的数据，因为后面有对这个明文进行处理，如果不是 JSON 格式就不会执行那个流程，但是也会出密文
该函数主要做的事：将 base64 编码的字符串解码并进行格式校验
如果格式不符合要求，则返回相应的错误信息；否则返回空指针表示处理成功
这里就是传入了一个文件路径，得到了一个文件的 MD5 值
写个了 Python 代码进行验证，发现结果是对的
这里就是把我们之前的字符串再次序列化
hook 代码
这里是 for 循环得到一个 key3，在调用函数 main_swapByteLocation 得到 key4，因为这里的值是固定的，只要 pwd 与前面对 pwd 的算法没有改变，这里就可以直接拿最后计算的结果即可
关于 Key 的处理
关于 IV 的处理
还原符号就是爽！！！，这里可以直接看到算法名以及使用的模式
  
写了一个 Go 的 AES_CFB 进行验证，验证结果是一致的，这里还剩下最后一步
对 key 解码进行处理
生成16位随机 IV opensslRandomPseudoBytes
已在知识星球"10亿级应用的逆向分享"原创首发

type string string

type string string

// from: src\reflect\value.go

type StringHeader struct {

    Data uintptr

    Len  int
}

// Data 字段是一个 uintptr 类型的指针，指向实际存储字符串数据的内存地址；Len 字段表示字符串的长度，即其中包含的字符数（而不是字节数）。
 
需要注意的是，由于 Go 语言中字符串是不可变的，因此字符串的底层结构是只读的。在对字符串进行修改时，会创建一个新的字符串对象来保存修改后的结果。
 
// 切片

type SliceHeader struct {

    Data uintptr

    Len  int

    Cap  int
}

// from: src\reflect\value.go

type StringHeader struct {

    Data uintptr

    Len  int
}

// Data 字段是一个 uintptr 类型的指针，指向实际存储字符串数据的内存地址；Len 字段表示字符串的长度，即其中包含的字符数（而不是字节数）。
 
需要注意的是，由于 Go 语言中字符串是不可变的，因此字符串的底层结构是只读的。在对字符串进行修改时，会创建一个新的字符串对象来保存修改后的结果。
 
// 切片

type SliceHeader struct {

    Data uintptr

    Len  int

    Cap  int
}

// 请求数据

data    String    4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c
_ver    String    v1
sign    String    ceaac2487fa17e7019b05ab4cf41ebd0

timestamp    String    1678025314

// 请求数据

data    String    4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c
_ver    String    v1
sign    String    ceaac2487fa17e7019b05ab4cf41ebd0

timestamp    String    1678025314
java.lang.Exception

    at java.security.MessageDigest.update(Native Method)

    at com.szcx.lib.encrypt.e.a.e(SourceFile:2)

    at com.szcx.lib.encrypt.c.k(SourceFile:10)

    at com.tencent.mm.network.d.o2(SourceFile:1)

    at com.tencent.mm.network.d.q2(SourceFile:6)

    at com.tencent.mm.network.d.a4(SourceFile:3)

    at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:1)

    at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:1)

    at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:4)

    at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:554)

    at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1242)

    at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1484)

    at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)

    at android.animation.AnimationHandler.access$100(AnimationHandler.java:37)

    at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)

    at android.view.Choreographer$CallbackRecord.run(Choreographer.java:964)

    at android.view.Choreographer.doCallbacks(Choreographer.java:790)

    at android.view.Choreographer.doFrame(Choreographer.java:721)

    at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:951)

    at android.os.Handler.handleCallback(Handler.java:883)

    at android.os.Handler.dispatchMessage(Handler.java:100)

    at android.os.Looper.loop(Looper.java:214)

    at android.app.ActivityThread.main(ActivityThread.java:7356)

    at java.lang.reflect.Method.invoke(Native Method)

    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)

    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
[*]    SHA-256 | update | Utf8: _ver=v1&data=4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c&timestamp=167802531481d7beac44a86f4337f534ec93328370

[*]    SHA-256 | digest | Hex: 596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4
 
================================================== ⚡ ==================================================
 
java.lang.Exception

    at java.security.MessageDigest.update(Native Method)

    at java.security.MessageDigest.digest(MessageDigest.java:447)

    at com.szcx.lib.encrypt.e.c.b(SourceFile:3)

    at com.szcx.lib.encrypt.c.j(SourceFile:3)

    at com.szcx.lib.encrypt.c.k(SourceFile:10)

    at com.tencent.mm.network.d.o2(SourceFile:1)

    at com.tencent.mm.network.d.q2(SourceFile:6)

    at com.tencent.mm.network.d.a4(SourceFile:3)

    at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:1)

    at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:1)

    at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:4)

    at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:554)

    at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1242)

    at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1484)

    at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)

    at android.animation.AnimationHandler.access$100(AnimationHandler.java:37)

    at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)

    at android.view.Choreographer$CallbackRecord.run(Choreographer.java:964)

    at android.view.Choreographer.doCallbacks(Choreographer.java:790)

    at android.view.Choreographer.doFrame(Choreographer.java:721)

    at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:951)

    at android.os.Handler.handleCallback(Handler.java:883)

    at android.os.Handler.dispatchMessage(Handler.java:100)

    at android.os.Looper.loop(Looper.java:214)

    at android.app.ActivityThread.main(ActivityThread.java:7356)

    at java.lang.reflect.Method.invoke(Native Method)

    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)

    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
[*]    MD5 | update | Utf8: 596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4

[*]    MD5 | digest | Hex: ceaac2487fa17e7019b05ab4cf41ebd0
 
================================================== ⚡ ==================================================
java.lang.Exception

    at java.security.MessageDigest.update(Native Method)

    at com.szcx.lib.encrypt.e.a.e(SourceFile:2)

    at com.szcx.lib.encrypt.c.k(SourceFile:10)

    at com.tencent.mm.network.d.o2(SourceFile:1)

    at com.tencent.mm.network.d.q2(SourceFile:6)

    at com.tencent.mm.network.d.a4(SourceFile:3)

    at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:1)

    at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:1)

    at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:4)

    at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:554)

    at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1242)

    at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1484)

    at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)

    at android.animation.AnimationHandler.access$100(AnimationHandler.java:37)

    at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)

    at android.view.Choreographer$CallbackRecord.run(Choreographer.java:964)

    at android.view.Choreographer.doCallbacks(Choreographer.java:790)

    at android.view.Choreographer.doFrame(Choreographer.java:721)

    at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:951)

    at android.os.Handler.handleCallback(Handler.java:883)

    at android.os.Handler.dispatchMessage(Handler.java:100)

    at android.os.Looper.loop(Looper.java:214)

    at android.app.ActivityThread.main(ActivityThread.java:7356)

    at java.lang.reflect.Method.invoke(Native Method)

    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)

    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
[*]    SHA-256 | update | Utf8: _ver=v1&data=4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c&timestamp=167802531481d7beac44a86f4337f534ec93328370

[*]    SHA-256 | digest | Hex: 596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4
 
================================================== ⚡ ==================================================
 
java.lang.Exception

    at java.security.MessageDigest.update(Native Method)

    at java.security.MessageDigest.digest(MessageDigest.java:447)

    at com.szcx.lib.encrypt.e.c.b(SourceFile:3)

    at com.szcx.lib.encrypt.c.j(SourceFile:3)

    at com.szcx.lib.encrypt.c.k(SourceFile:10)

    at com.tencent.mm.network.d.o2(SourceFile:1)

    at com.tencent.mm.network.d.q2(SourceFile:6)

    at com.tencent.mm.network.d.a4(SourceFile:3)

    at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:1)

    at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:1)

    at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:4)

    at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:554)

    at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1242)

    at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1484)

    at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)

    at android.animation.AnimationHandler.access$100(AnimationHandler.java:37)

    at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)

    at android.view.Choreographer$CallbackRecord.run(Choreographer.java:964)

    at android.view.Choreographer.doCallbacks(Choreographer.java:790)

    at android.view.Choreographer.doFrame(Choreographer.java:721)

    at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:951)

    at android.os.Handler.handleCallback(Handler.java:883)

    at android.os.Handler.dispatchMessage(Handler.java:100)

    at android.os.Looper.loop(Looper.java:214)

    at android.app.ActivityThread.main(ActivityThread.java:7356)

    at java.lang.reflect.Method.invoke(Native Method)

    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)

    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
[*]    MD5 | update | Utf8: 596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4

[*]    MD5 | digest | Hex: ceaac2487fa17e7019b05ab4cf41ebd0
 
================================================== ⚡ ==================================================

// 抓包数据

data    String    627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c
_ver    String    v1
sign    String    dbda8ee96f5dcd2de4b85a66e5fb10ff

timestamp    String    1678030550

// 抓包数据

data    String    627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c
_ver    String    v1
sign    String    dbda8ee96f5dcd2de4b85a66e5fb10ff

timestamp    String    1678030550

[DEBUG][03/05/2023, -1:35:50 PM][PID:28955][main][28955][showStacks]  java.lang.Exception

        at com.qq.lib.EncryptUtil.encrypt(Native Method)                                                     

        at com.szcx.lib.encrypt.c.f(SourceFile:1)                                                            

        at com.szcx.lib.encrypt.c.e(SourceFile:1)                                                            

        at com.szcx.lib.encrypt.c.k(SourceFile:2)                                                            

        at com.tencent.mm.network.d.o2(SourceFile:1)                                                         

        at com.tencent.mm.network.d.q2(SourceFile:6)                                                         

        at com.tencent.mm.network.d.a4(SourceFile:3)                                                         

        at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:1)                                     

        at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:1)                                     

        at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:4)                  

        at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:554)                     

        at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1242)                             

        at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1484)                         

        at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)                    

        at android.animation.AnimationHandler.access$100(AnimationHandler.java:37)                           

        at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)                            

        at android.view.Choreographer$CallbackRecord.run(Choreographer.java:964)                             

        at android.view.Choreographer.doCallbacks(Choreographer.java:790)                                    

        at android.view.Choreographer.doFrame(Choreographer.java:721)                                        

        at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:951)                  

        at android.os.Handler.handleCallback(Handler.java:883)                                               

        at android.os.Handler.dispatchMessage(Handler.java:100)

        at android.os.Looper.loop(Looper.java:214)

        at android.app.ActivityThread.main(ActivityThread.java:7356)

        at java.lang.reflect.Method.invoke(Native Method)

        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)

        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
[>>>] com.qq.lib.EncryptUtil.encrypt

[ + ] encrypt_arg[0]       :=>  {"system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","system_version":"5.7.1","system_build_aff":"","bundle_id":"tv.iytqy.cvhaca","system_app_type":"local","new_player":"fx","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD"}

[ + ] encrypt_arg[1]       :=>  BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

[<<<] encrypt_result       :=>  627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c

[DEBUG][03/05/2023, -1:35:50 PM][PID:28955][main][28955][showStacks]  java.lang.Exception

        at com.qq.lib.EncryptUtil.encrypt(Native Method)                                                     

        at com.szcx.lib.encrypt.c.f(SourceFile:1)                                                            

        at com.szcx.lib.encrypt.c.e(SourceFile:1)                                                            

        at com.szcx.lib.encrypt.c.k(SourceFile:2)                                                            

        at com.tencent.mm.network.d.o2(SourceFile:1)                                                         

        at com.tencent.mm.network.d.q2(SourceFile:6)                                                         

        at com.tencent.mm.network.d.a4(SourceFile:3)                                                         

        at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:1)                                     

        at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:1)                                     

        at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:4)                  

        at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:554)                     

        at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:1242)                             

        at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:1484)                         

        at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:146)                    

        at android.animation.AnimationHandler.access$100(AnimationHandler.java:37)                           

        at android.animation.AnimationHandler$1.doFrame(AnimationHandler.java:54)                            

        at android.view.Choreographer$CallbackRecord.run(Choreographer.java:964)                             

        at android.view.Choreographer.doCallbacks(Choreographer.java:790)                                    

        at android.view.Choreographer.doFrame(Choreographer.java:721)                                        

        at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:951)                  

        at android.os.Handler.handleCallback(Handler.java:883)                                               

        at android.os.Handler.dispatchMessage(Handler.java:100)

        at android.os.Looper.loop(Looper.java:214)

        at android.app.ActivityThread.main(ActivityThread.java:7356)

        at java.lang.reflect.Method.invoke(Native Method)

        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)

        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
 
[>>>] com.qq.lib.EncryptUtil.encrypt

[ + ] encrypt_arg[0]       :=>  {"system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","system_version":"5.7.1","system_build_aff":"","bundle_id":"tv.iytqy.cvhaca","system_app_type":"local","new_player":"fx","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD"}

[ + ] encrypt_arg[1]       :=>  BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

[<<<] encrypt_result       :=>  627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c

int __usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
{

  cgo_wait_runtime_init_done();  // 初始化上下文

  crosscall2();

  cgo_release_context();  // 释放上下文

  return 0;
}

int __usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
{

  cgo_wait_runtime_init_done();  // 初始化上下文

  crosscall2();

  cgo_release_context();  // 释放上下文

  return 0;
}

; Attributes: bp-based frame
 
; int __usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
EXPORT Java_com_qq_lib_EncryptUtil_encrypt
Java_com_qq_lib_EncryptUtil_encrypt
 
var_2C= -0x2C

var_28= -0x28

var_24= -0x24

var_20= -0x20

var_1C= -0x1C
 
PUSH            {R4-R8,R10,R11,LR}              ; 将寄存器 R4-R8、R10、R11 和 LR 压入栈中

ADD             R11, SP, #0x18                  ; 建立栈帧:  将 R11 设为当前栈顶地址加上 24 的值

SUB             SP, SP, #0x18                   ; 分配栈空间

MOV             R8, R3                          ; 将寄存器 R3 中的值复制到 R8 中，这是第 4 个参数⭐pwd

MOV             R5, R2                          ; 将寄存器 R2 中的值复制到 R5 中，这是第 3 个参数⭐src

MOV             R6, R1                          ; 将寄存器 R1 中的值复制到 R6 中，这是第 2 个参数⭐class

MOV             R7, R0                          ; 将寄存器 R0 中的值复制到 R7 中，这是第 1 个参数⭐env
BL              _cgo_wait_runtime_init_done     ; 调用_cgo_wait_runtime_init_done函数
MOV             R4, R0                          ; 将 _cgo_wait_runtime_init_done 函数的返回值存储到 R4 中

MOV             R0, #0                          ; 将 0 存储到 R0 中

STR             R8, [SP,#0x30+var_20]           ; 将 R8 寄存器的值保存到栈空间⭐pwd

ADD             R1, SP, #0x30+var_2C            ; 计算第一个参数的地址⭐将指针变量 var_2C 的地址存储到 R1 中⭐args 参数结构体 栈起始地址

STR             R5, [SP,#0x30+var_24]           ; 将 R5 寄存器的值保存到栈空间⭐src Java传过来的参数

MOV             R2, #0x14                       ; 将 20 保存到 R2 寄存器，也就是参数占用的字节数⭐args_len 参数长度

STR             R6, [SP,#0x30+var_28]           ; 将R6寄存器的值保存到栈空间⭐class
MOV             R3, R4                          ; 将 R4 寄存器的值保存到 R3 寄存器⭐cgo_context

STR             R7, [SP,#0x30+var_2C]           ; 将 R7 寄存器的值保存到栈空间

STR             R0, [SP,#0x30+var_1C]           ; 将 0 保存到栈空间

LDR             R0, =(_cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr - 0x103EA0) ; 计算 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr 函数的地址到 R0 中
LDR             R0, [PC,R0]                     ; 将 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt 的地址加载到 R0 中
BL              crosscall2                      ; 调用 crosscall2 函数
MOV             R0, R4                          ; 将 R4 寄存器的值保存到 R0 寄存器
BL              _cgo_release_context            ; 调用 _cgo_release_context 函数

LDR             R0, [SP,#0x30+var_1C]           ; 加载栈空间中的值

SUB             SP, R11, #0x18                  ; 设置栈顶为 R11，即栈底指针，也就是恢复原来的栈空间

POP             {R4-R8,R10,R11,PC}              ; 弹出 R4-R8、R10、R11 和返回地址 PC 的值，返回跳转到 PC 指向的地址
; End of function Java_com_qq_lib_EncryptUtil_encrypt

; Attributes: bp-based frame
 
; int __usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
EXPORT Java_com_qq_lib_EncryptUtil_encrypt
Java_com_qq_lib_EncryptUtil_encrypt
 
var_2C= -0x2C

var_28= -0x28

var_24= -0x24

var_20= -0x20

var_1C= -0x1C
 
PUSH            {R4-R8,R10,R11,LR}              ; 将寄存器 R4-R8、R10、R11 和 LR 压入栈中

ADD             R11, SP, #0x18                  ; 建立栈帧:  将 R11 设为当前栈顶地址加上 24 的值

SUB             SP, SP, #0x18                   ; 分配栈空间

MOV             R8, R3                          ; 将寄存器 R3 中的值复制到 R8 中，这是第 4 个参数⭐pwd

MOV             R5, R2                          ; 将寄存器 R2 中的值复制到 R5 中，这是第 3 个参数⭐src

MOV             R6, R1                          ; 将寄存器 R1 中的值复制到 R6 中，这是第 2 个参数⭐class

MOV             R7, R0                          ; 将寄存器 R0 中的值复制到 R7 中，这是第 1 个参数⭐env
BL              _cgo_wait_runtime_init_done     ; 调用_cgo_wait_runtime_init_done函数
MOV             R4, R0                          ; 将 _cgo_wait_runtime_init_done 函数的返回值存储到 R4 中

MOV             R0, #0                          ; 将 0 存储到 R0 中

STR             R8, [SP,#0x30+var_20]           ; 将 R8 寄存器的值保存到栈空间⭐pwd

ADD             R1, SP, #0x30+var_2C            ; 计算第一个参数的地址⭐将指针变量 var_2C 的地址存储到 R1 中⭐args 参数结构体 栈起始地址

STR             R5, [SP,#0x30+var_24]           ; 将 R5 寄存器的值保存到栈空间⭐src Java传过来的参数

MOV             R2, #0x14                       ; 将 20 保存到 R2 寄存器，也就是参数占用的字节数⭐args_len 参数长度

STR             R6, [SP,#0x30+var_28]           ; 将R6寄存器的值保存到栈空间⭐class
MOV             R3, R4                          ; 将 R4 寄存器的值保存到 R3 寄存器⭐cgo_context

STR             R7, [SP,#0x30+var_2C]           ; 将 R7 寄存器的值保存到栈空间

STR             R0, [SP,#0x30+var_1C]           ; 将 0 保存到栈空间

LDR             R0, =(_cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr - 0x103EA0) ; 计算 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr 函数的地址到 R0 中
LDR             R0, [PC,R0]                     ; 将 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt 的地址加载到 R0 中
BL              crosscall2                      ; 调用 crosscall2 函数
MOV             R0, R4                          ; 将 R4 寄存器的值保存到 R0 寄存器
BL              _cgo_release_context            ; 调用 _cgo_release_context 函数

LDR             R0, [SP,#0x30+var_1C]           ; 加载栈空间中的值

SUB             SP, R11, #0x18                  ; 设置栈顶为 R11，即栈底指针，也就是恢复原来的栈空间

POP             {R4-R8,R10,R11,PC}              ; 弹出 R4-R8、R10、R11 和返回地址 PC 的值，返回跳转到 PC 指向的地址
; End of function Java_com_qq_lib_EncryptUtil_encrypt

int __usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>(int env, int clz, int src, int pwd)
{

  int inited; // r4

  args v14; // [sp+4h] [bp-2Ch] BYREF

  int v15; // [sp+14h] [bp-1Ch]
 
  inited = cgo_wait_runtime_init_done();

  v14.pwd = pwd;

  v14.src = src;

  v14.clz = clz;

  v14.env = env;

  v15 = 0;

  crosscall2((int)cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt, (int)&v14, 20, inited);

  cgo_release_context();

  return v15;
}

int __usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>(int env, int clz, int src, int pwd)
{

  int inited; // r4

  args v14; // [sp+4h] [bp-2Ch] BYREF

  int v15; // [sp+14h] [bp-1Ch]
 
  inited = cgo_wait_runtime_init_done();

  v14.pwd = pwd;

  v14.src = src;

  v14.clz = clz;

  v14.env = env;

  v15 = 0;

  crosscall2((int)cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt, (int)&v14, 20, inited);

  cgo_release_context();

  return v15;
}

// IDA源反编译源代码

int __usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(int a1, int *a2)
{

  int v2; // r10

  int v4; // [sp+14h] [bp-4h]
 
  while ( (unsigned int)&a1 <= *(_DWORD *)(v2 + 8) )

    sub_9FD10();

  v4 = sub_103658(*a2, a2[1], a2[2], a2[3]);

  a2[4] = v4;

  sub_40DF8(v4);

  return sub_3ADAC();
}
 
// 经过脚本修复

int __usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(int a1, int *a2)
{

  int v2; // r10

  int v4; // [sp+14h] [bp-4h]
 
  while ( (unsigned int)&a1 <= *(_DWORD *)(v2 + 8) )

    runtime_morestack_noctxt();

  v4 = main_Java_com_qq_lib_EncryptUtil_encrypt(*a2, a2[1], a2[2], a2[3]);

  a2[4] = v4;

  runtime_convT32(v4);

  return runtime_cgoCheckResult();
}

// IDA源反编译源代码

int __usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(int a1, int *a2)
{

  int v2; // r10

  int v4; // [sp+14h] [bp-4h]
 
  while ( (unsigned int)&a1 <= *(_DWORD *)(v2 + 8) )

    sub_9FD10();

  v4 = sub_103658(*a2, a2[1], a2[2], a2[3]);

  a2[4] = v4;

  sub_40DF8(v4);

  return sub_3ADAC();
}
 
// 经过脚本修复

int __usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(int a1, int *a2)
{

  int v2; // r10

  int v4; // [sp+14h] [bp-4h]
 
  while ( (unsigned int)&a1 <= *(_DWORD *)(v2 + 8) )

    runtime_morestack_noctxt();

  v4 = main_Java_com_qq_lib_EncryptUtil_encrypt(*a2, a2[1], a2[2], a2[3]);

  a2[4] = v4;

  runtime_convT32(v4);

  return runtime_cgoCheckResult();
}
function hook_main__libso_encrypt() {

    let base = Module.findBaseAddress("libsojm.so");
 
    Interceptor.attach(base.add(0xFFD0C), {

        onEnter: function (args) {

            this.arg0_len = findRangeByAddress(args[1])

            if (this.arg0_len == 64) {  // 过滤输出, 感觉其他值都是无用的

                console.log(`onEnter encrypt arg0:${args[0]} arg1:${args[1]} arg2:${args[2]} arg3:${args[3]} arg4:${args[4]} arg5:${args[5]} arg6:${args[6]} arg7:${args[7]} arg8:${args[8]} arg9:${args[9]}`);

                console.error(`[ * ] libso_encrypt.args[${0}] onEnter :=> ${args[0].readCString()}`)  // BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

                console.error(`[ * ] libso_encrypt.args[${1}] onEnter :=> ${findRangeByAddress(args[1])}`)  // arg1 是 args[0] 字符串的长度

                // console.error(`[ * ] libso_encrypt.args[${1}] onEnter :=> ${findRangeByAddress(args[1])}`)  // arg1 是 args[0] 字符串的长度

                // console.error(`[ * ] libso_encrypt.args[${2}] onEnter :=> ${findRangeByAddress(args[2].readPointer())}`)  // arg2 感觉也是字符串长度 go 的字符串可能是字符串+长度 | slice 是长度+容量

                // arg3 似乎是函数执行次数

                // console.error(`[ * ] libso_encrypt.args[${4}] onEnter :=> ${findRangeByAddress(args[4].readPointer().readPointer())}`)  // 867740 固定值 

                // console.error(`[ * ] libso_encrypt.args[${5}] onEnter :=> ${findRangeByAddress(args[5].readPointer().readPointer())}`)  // 16个0

                console.error(`[ * ] libso_encrypt.args[${5}] onEnter :=> ${ab2Hex(args[5].readPointer().readPointer().readByteArray(16))}`)  // 16个0

                console.error(`[ * ] libso_encrypt.args[${6}] onEnter :=> ${args[6].readCString()}`)         // data 明文数据⭐

                console.error(`[ * ] libso_encrypt.args[${7}] onEnter :=> ${findRangeByAddress(args[7])}`)   // 明文数据长度

                console.error(`[ * ] libso_encrypt.args[${8}] onEnter :=> ${findRangeByAddress(args[8])}`)   // 也是明文数据长度

                console.error(`[ * ] libso_encrypt.args[${9}] onEnter :=> ${args[9].readCString()}`)         // 又是key

                console.error(`[ * ] libso_encrypt.args[${10}] onEnter :=> ${findRangeByAddress(args[10])}`) // key 长度

                console.error(`[ * ] libso_encrypt.args[${11}] onEnter :=> ${findRangeByAddress(args[11])}`) // key 长度

                console.error("------------------------------------------------------------");

            }
 
        }, onLeave: function (retval) {

            // console.log(`onLeave encrypt ${retval}`);

            // console.error("------------------------------------------------------------");

        }

    });
}
 
function call() {

    Java.perform(() => {

        let ret = Java.use("com.qq.lib.EncryptUtil").encrypt(`{"system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","system_version":"5.7.1","system_build_aff":"","bundle_id":"tv.iytqy.cvhaca","system_app_type":"local","new_player":"fx","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD"}`, "BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==")

        console.warn(`encrypt("abcdef0123456789", "BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==") :=> ${ret}`)

    })
}
 
function hook_dlopen(addr, soName, callback) {

    Interceptor.attach(addr, {

        onEnter: function (args) {

            const name = args[0].readCString();  // 输出so路径

            if (name.indexOf(soName) !== -1) this.hook = true;

        }, onLeave: function (retval) {

            if (this.hook) callback();

        }

    })
}
 
const android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");

hook_dlopen(android_dlopen_ext, "libsojm.so", so);
 
so()
function hook_main__libso_encrypt() {

    let base = Module.findBaseAddress("libsojm.so");
 
    Interceptor.attach(base.add(0xFFD0C), {

        onEnter: function (args) {

            this.arg0_len = findRangeByAddress(args[1])

            if (this.arg0_len == 64) {  // 过滤输出, 感觉其他值都是无用的

                console.log(`onEnter encrypt arg0:${args[0]} arg1:${args[1]} arg2:${args[2]} arg3:${args[3]} arg4:${args[4]} arg5:${args[5]} arg6:${args[6]} arg7:${args[7]} arg8:${args[8]} arg9:${args[9]}`);

                console.error(`[ * ] libso_encrypt.args[${0}] onEnter :=> ${args[0].readCString()}`)  // BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

                console.error(`[ * ] libso_encrypt.args[${1}] onEnter :=> ${findRangeByAddress(args[1])}`)  // arg1 是 args[0] 字符串的长度

                // console.error(`[ * ] libso_encrypt.args[${1}] onEnter :=> ${findRangeByAddress(args[1])}`)  // arg1 是 args[0] 字符串的长度

                // console.error(`[ * ] libso_encrypt.args[${2}] onEnter :=> ${findRangeByAddress(args[2].readPointer())}`)  // arg2 感觉也是字符串长度 go 的字符串可能是字符串+长度 | slice 是长度+容量

                // arg3 似乎是函数执行次数

                // console.error(`[ * ] libso_encrypt.args[${4}] onEnter :=> ${findRangeByAddress(args[4].readPointer().readPointer())}`)  // 867740 固定值 

                // console.error(`[ * ] libso_encrypt.args[${5}] onEnter :=> ${findRangeByAddress(args[5].readPointer().readPointer())}`)  // 16个0

                console.error(`[ * ] libso_encrypt.args[${5}] onEnter :=> ${ab2Hex(args[5].readPointer().readPointer().readByteArray(16))}`)  // 16个0

                console.error(`[ * ] libso_encrypt.args[${6}] onEnter :=> ${args[6].readCString()}`)         // data 明文数据⭐

                console.error(`[ * ] libso_encrypt.args[${7}] onEnter :=> ${findRangeByAddress(args[7])}`)   // 明文数据长度

                console.error(`[ * ] libso_encrypt.args[${8}] onEnter :=> ${findRangeByAddress(args[8])}`)   // 也是明文数据长度

                console.error(`[ * ] libso_encrypt.args[${9}] onEnter :=> ${args[9].readCString()}`)         // 又是key

                console.error(`[ * ] libso_encrypt.args[${10}] onEnter :=> ${findRangeByAddress(args[10])}`) // key 长度

                console.error(`[ * ] libso_encrypt.args[${11}] onEnter :=> ${findRangeByAddress(args[11])}`) // key 长度

                console.error("------------------------------------------------------------");

            }
 
        }, onLeave: function (retval) {

            // console.log(`onLeave encrypt ${retval}`);

            // console.error("------------------------------------------------------------");

        }

    });
}
 
function call() {

    Java.perform(() => {

        let ret = Java.use("com.qq.lib.EncryptUtil").encrypt(`{"system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","system_version":"5.7.1","system_build_aff":"","bundle_id":"tv.iytqy.cvhaca","system_app_type":"local","new_player":"fx","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD"}`, "BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==")

        console.warn(`encrypt("abcdef0123456789", "BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==") :=> ${ret}`)

    })
}
 
function hook_dlopen(addr, soName, callback) {

    Interceptor.attach(addr, {

        onEnter: function (args) {

            const name = args[0].readCString();  // 输出so路径

            if (name.indexOf(soName) !== -1) this.hook = true;

        }, onLeave: function (retval) {

            if (this.hook) callback();

        }

    })
}
 
const android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");

hook_dlopen(android_dlopen_ext, "libsojm.so", so);
 
so()

// 输出日志

onEnter encrypt arg0:0x86902940 arg1:0x40 arg2:0x40 arg3:0x22d arg4:0xc6a44ba0 arg5:0x86965f28 arg6:0x86944b40 arg7:0x22d arg8:0x22d arg9:0x86902940

[ * ] libso_encrypt.args[0] onEnter :=> BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

[ * ] libso_encrypt.args[1] onEnter :=> 64

[ * ] libso_encrypt.args[5] onEnter :=> [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]

[ * ] libso_encrypt.args[6] onEnter :=> {"system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","system_version":"5.7.1","system_build_aff":"","bundle_id":"tv.iytqy.cvhaca","system_app_type":"local","new_player":"fx","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD"}

[ * ] libso_encrypt.args[7] onEnter :=> 557

[ * ] libso_encrypt.args[8] onEnter :=> 557

[ * ] libso_encrypt.args[9] onEnter :=> BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

[ * ] libso_encrypt.args[10] onEnter :=> 64

[ * ] libso_encrypt.args[11] onEnter :=> 64

------------------------------------------------------------

encrypt("abcdef0123456789", "BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==") :=> 6841646c536444435553467a65706946f933c2cae8a2a199fb1e46d1d60a1da52bd51cf0bdf4cae032f95454abdbfed529ccfcf252fa7581ef7504c5cd3c3465940bcbc59c629a029459dc10585f7426ab652646f2d2e4fc5861572e9b6ee65320ac4190fc6ffe3d41487fbb365e98dd906f9c3b13cbc46e422e75b0a28b947ede0dfe4acc98a851ec029f3d74f556f31cc2b82fafe70669fd0177ab1e2194e919c1c86789978beb1a46c2b4b14fb199596b46050fa85bf667d599fb31fd56e00de19b90b154c73a418c0ca7f4b9a2fadb3d5f912551c255681893db2e4260e3982743c8dfa5f3ba1010b58ae876c3361348f45cdfbd11be8a65e036e7c638834aa787c08417102f84c612020587e5518db749cd5616394e2eee544ca4febfa386e9befb9e8634ef17f34cb5afb8f1cbe45bb00706ef2547a8009b8faa7e7c4702dc9061e0143478d413b4d0477720c4c9779cc7b4f2ae60cc6b3fe5191e3c8a4948a344c92fdff1bd291b79d7148f933771199b6383bfa05c51f73d059673e5a1459213d2ef2bb858c134093aa44bb58f139a6870a853e31b9590c216f70e739fcbaef17d95550e61d8c3ca5ffa257f7f2534e6ed069e51f355a2b03e9f786fd33060b39f17721acb449bec0fce25cb9fdfce67be2475b06eba9ab0005a68bace1918ce4a2e61a726f286f775963f424c22dbcffaefef7d575fa868fb7a5111f36967a3537fd3d0c24e8e86196df7885624620fed4f085a07d205f19d201536391a1687fd7781491a60fe27f11d3ff3b03bba1ec20175ba4533ac8e2d3fd3a13dd20721706da02e5107745436ebd97425b1b7550f68e55d65a021e3467d1fa48a44912669286f4915ed84dbe276e53059f632d98cf2154831857d23c7d88f3f54f5050d7e97290b5f5a91a976c2ff4aec897c84ccc6ebad

// 输出日志

onEnter encrypt arg0:0x86902940 arg1:0x40 arg2:0x40 arg3:0x22d arg4:0xc6a44ba0 arg5:0x86965f28 arg6:0x86944b40 arg7:0x22d arg8:0x22d arg9:0x86902940

[ * ] libso_encrypt.args[0] onEnter :=> BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

[ * ] libso_encrypt.args[1] onEnter :=> 64

[ * ] libso_encrypt.args[5] onEnter :=> [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]

[ * ] libso_encrypt.args[6] onEnter :=> {"system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","system_version":"5.7.1","system_build_aff":"","bundle_id":"tv.iytqy.cvhaca","system_app_type":"local","new_player":"fx","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD"}

[ * ] libso_encrypt.args[7] onEnter :=> 557

[ * ] libso_encrypt.args[8] onEnter :=> 557

[ * ] libso_encrypt.args[9] onEnter :=> BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

[ * ] libso_encrypt.args[10] onEnter :=> 64

[ * ] libso_encrypt.args[11] onEnter :=> 64

------------------------------------------------------------

encrypt("abcdef0123456789", "BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==") :=> 6841646c536444435553467a65706946f933c2cae8a2a199fb1e46d1d60a1da52bd51cf0bdf4cae032f95454abdbfed529ccfcf252fa7581ef7504c5cd3c3465940bcbc59c629a029459dc10585f7426ab652646f2d2e4fc5861572e9b6ee65320ac4190fc6ffe3d41487fbb365e98dd906f9c3b13cbc46e422e75b0a28b947ede0dfe4acc98a851ec029f3d74f556f31cc2b82fafe70669fd0177ab1e2194e919c1c86789978beb1a46c2b4b14fb199596b46050fa85bf667d599fb31fd56e00de19b90b154c73a418c0ca7f4b9a2fadb3d5f912551c255681893db2e4260e3982743c8dfa5f3ba1010b58ae876c3361348f45cdfbd11be8a65e036e7c638834aa787c08417102f84c612020587e5518db749cd5616394e2eee544ca4febfa386e9befb9e8634ef17f34cb5afb8f1cbe45bb00706ef2547a8009b8faa7e7c4702dc9061e0143478d413b4d0477720c4c9779cc7b4f2ae60cc6b3fe5191e3c8a4948a344c92fdff1bd291b79d7148f933771199b6383bfa05c51f73d059673e5a1459213d2ef2bb858c134093aa44bb58f139a6870a853e31b9590c216f70e739fcbaef17d95550e61d8c3ca5ffa257f7f2534e6ed069e51f355a2b03e9f786fd33060b39f17721acb449bec0fce25cb9fdfce67be2475b06eba9ab0005a68bace1918ce4a2e61a726f286f775963f424c22dbcffaefef7d575fa868fb7a5111f36967a3537fd3d0c24e8e86196df7885624620fed4f085a07d205f19d201536391a1687fd7781491a60fe27f11d3ff3b03bba1ec20175ba4533ac8e2d3fd3a13dd20721706da02e5107745436ebd97425b1b7550f68e55d65a021e3467d1fa48a44912669286f4915ed84dbe276e53059f632d98cf2154831857d23c7d88f3f54f5050d7e97290b5f5a91a976c2ff4aec897c84ccc6ebad
void __golang main__libso_encrypt(

        int a1,

        int a2,

        int key1,

        int a4,

        int a5,

        int a6,

        int a7,

        int a8,

        int data,

        int data_len,

        int a11,

        int key2)
{

// .. 省略一些参数命名
 
  while ( (unsigned int)&a1 <= *(_DWORD *)(v12 + 8) )

    runtime_morestack_noctxt();

  data = 0;

  data_len = 0;

  v96 = &off_11ED34;

  main_logger(v13, (int)"in encrypt", 10);      // 应该是个C的打印函数

  main_parsePassphrase(v24, a6, a7, a8);        // 将 base64 编码的字符串解码并进行格式校验

                                                // 1.检查栈空间是否足够。

                                                //

                                                // 2.将传入的 base64 编码的密码字符串解码为二进制数据。

                                                //

                                                // 3.如果解码出错或者解码后的二进制数据长度小于 30，则返回相应的错误信息。

                                                //

                                                // 4.根据特定规则对解密后的二进制数据进行处理（异或操作等）。

                                                //

                                                // 5.将处理后的数据切片成若干个固定长度的子切片，并分别记录日志。

                                                //

                                                // 6.对其中一个子切片进行进一步的处理，并检查其格式是否符合特定要求。

                                                //

                                                // 7.如果格式不符合要求，则返回相应的错误信息；否则返回空指针表示处理成功。

  v14 = v58;

  if ( v83 )

  {

    data = 0;

    data_len = 0;

    main__libso_encrypt_func1(v37, v41);        // 异常捕获的函数,用于恢复发生在goroutine中的panic

  }

  else

  {

    v92 = v69;

    v87 = v75;

    v88 = v78;

    v93 = v79;

    runtime_newobject(v25, (int)&map_string_interface_, v41);// malloc 分配一段内存并返回指向该内存地址的指针

    v95 = v42;

    runtime_makemap_small(v26, v38);

    if ( dword_1B9460 )

    {

      runtime_gcWriteBarrier();                 // 垃圾回收

      v15 = v16;

    }

    else

    {

      v15 = v95;

      *(_DWORD *)v95 = v39;

    }

    encoding_json_Unmarshal(v27, key1, a4, a5, (int)&map_string_interface__ptr, v15, v75, v78);// 将 JSON 数据解析为 Go 的结构体

    if ( v76 )

    {

      v17 = a5;

      v18 = a4;

      v19 = key1;

    }

    else

    {

      v20 = v89;

      do

        *v20++ = 0;                             // 内存清零

      while ( (int)v20 <= (int)&v89[15] );

      qmemcpy(v89, "__package_name__", sizeof(v89));// 字符串拷贝

      runtime_slicebytetostring(v28, 0, (int)v89, 16, v59, v70);// 将字节切片转换为字符串

      v91 = v60;

      v86 = v71;

      v21 = v89;

      do

        *v21++ = 0;                             // 内存清零

      while ( (int)v21 <= (int)&v89[15] );

      qmemcpy(v89, "__package_hash__", sizeof(v89));// 字符串拷贝

      runtime_slicebytetostring(v29, 0, (int)v89, 16, v60, v71);// 将字节切片转换为字符串

      v90 = v61;

      v85 = v72;

      main__libso_getPackageName(v30, a2, v44, v48, v61);// 反射调用 Java 层方法获取包名

      runtime_slicebytetostring(v31, 0, v45, v49, v62, v72);// 将字节切片转换为字符串

      runtime_convTstring(v32, v63, (int)v73, v50);// 将指向任意类型的指针转换为字符串

      v22 = *(_DWORD *)v95;

      v94 = v51;

      runtime_mapassign_faststr((int)&map_string_interface_, v22, v91, v86);// 将指针指向的数据转为字符串返回

      *v73 = &string;

      if ( dword_1B9460 )

        runtime_gcWriteBarrier();               // 垃圾回收

      else

        v73[1] = v94;

      main__libso_getPackageCodePath(v33, a2, v46, v52, v64);// 获取应用路径

      runtime_slicebytetostring(v34, 0, v47, v53, v65, (int)v73);// 将字节切片转换为字符串

      main_md5File(v35, v66, (int)v74, v54, v66);

      runtime_convTstring(v36, (int)v55, v67, v55);// 将指向任意类型的指针转换为字符串

      v23 = *(_DWORD *)v95;

      v94 = v56;

      v77 = runtime_mapassign_faststr((int)&map_string_interface_, v23, v90, v85);// 将指针指向的数据转为字符串返回

      *v74 = &string;

      if ( dword_1B9460 )

        runtime_gcWriteBarrier();               // 垃圾回收

      else

        v74[1] = v94;

      v68 = encoding_json_Marshal((int)&map_string_interface_, *(_DWORD *)v95);// 转json数据

      v19 = v57;

      v18 = v68;

      v17 = (int)v74;

      if ( v77 )

      {

        v17 = a5;

        v18 = a4;

        v19 = key1;

      }

    }

    if ( v14 )

    {

      data = 0;

      data_len = 0;

    }

    else

    {

      main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81, 0);// 开始加密

      data = v82;

      data_len = v84;

    }

    main__libso_encrypt_func1(v40, v43);

  }
}
void __golang main__libso_encrypt(

        int a1,

        int a2,

        int key1,

        int a4,

        int a5,

        int a6,

        int a7,

        int a8,

        int data,

        int data_len,

        int a11,

        int key2)
{

// .. 省略一些参数命名
 
  while ( (unsigned int)&a1 <= *(_DWORD *)(v12 + 8) )

    runtime_morestack_noctxt();

  data = 0;

  data_len = 0;

  v96 = &off_11ED34;

  main_logger(v13, (int)"in encrypt", 10);      // 应该是个C的打印函数

  main_parsePassphrase(v24, a6, a7, a8);        // 将 base64 编码的字符串解码并进行格式校验

                                                // 1.检查栈空间是否足够。

                                                //

                                                // 2.将传入的 base64 编码的密码字符串解码为二进制数据。

                                                //

                                                // 3.如果解码出错或者解码后的二进制数据长度小于 30，则返回相应的错误信息。

                                                //

                                                // 4.根据特定规则对解密后的二进制数据进行处理（异或操作等）。

                                                //

                                                // 5.将处理后的数据切片成若干个固定长度的子切片，并分别记录日志。

                                                //

                                                // 6.对其中一个子切片进行进一步的处理，并检查其格式是否符合特定要求。

                                                //

                                                // 7.如果格式不符合要求，则返回相应的错误信息；否则返回空指针表示处理成功。

  v14 = v58;

  if ( v83 )

  {

    data = 0;

    data_len = 0;

    main__libso_encrypt_func1(v37, v41);        // 异常捕获的函数,用于恢复发生在goroutine中的panic

  }

  else

  {

    v92 = v69;

    v87 = v75;

    v88 = v78;

    v93 = v79;

    runtime_newobject(v25, (int)&map_string_interface_, v41);// malloc 分配一段内存并返回指向该内存地址的指针

    v95 = v42;

    runtime_makemap_small(v26, v38);

    if ( dword_1B9460 )

    {

      runtime_gcWriteBarrier();                 // 垃圾回收

      v15 = v16;

    }

    else

    {

      v15 = v95;

      *(_DWORD *)v95 = v39;

    }

    encoding_json_Unmarshal(v27, key1, a4, a5, (int)&map_string_interface__ptr, v15, v75, v78);// 将 JSON 数据解析为 Go 的结构体

    if ( v76 )

    {

      v17 = a5;

      v18 = a4;

      v19 = key1;

    }

    else

    {

      v20 = v89;

      do

        *v20++ = 0;                             // 内存清零

      while ( (int)v20 <= (int)&v89[15] );

      qmemcpy(v89, "__package_name__", sizeof(v89));// 字符串拷贝

      runtime_slicebytetostring(v28, 0, (int)v89, 16, v59, v70);// 将字节切片转换为字符串

      v91 = v60;

      v86 = v71;

      v21 = v89;

      do

        *v21++ = 0;                             // 内存清零

      while ( (int)v21 <= (int)&v89[15] );

      qmemcpy(v89, "__package_hash__", sizeof(v89));// 字符串拷贝

      runtime_slicebytetostring(v29, 0, (int)v89, 16, v60, v71);// 将字节切片转换为字符串

      v90 = v61;

      v85 = v72;

      main__libso_getPackageName(v30, a2, v44, v48, v61);// 反射调用 Java 层方法获取包名

      runtime_slicebytetostring(v31, 0, v45, v49, v62, v72);// 将字节切片转换为字符串

      runtime_convTstring(v32, v63, (int)v73, v50);// 将指向任意类型的指针转换为字符串

      v22 = *(_DWORD *)v95;

      v94 = v51;

      runtime_mapassign_faststr((int)&map_string_interface_, v22, v91, v86);// 将指针指向的数据转为字符串返回

      *v73 = &string;

      if ( dword_1B9460 )

        runtime_gcWriteBarrier();               // 垃圾回收

      else

        v73[1] = v94;

      main__libso_getPackageCodePath(v33, a2, v46, v52, v64);// 获取应用路径

      runtime_slicebytetostring(v34, 0, v47, v53, v65, (int)v73);// 将字节切片转换为字符串

      main_md5File(v35, v66, (int)v74, v54, v66);

      runtime_convTstring(v36, (int)v55, v67, v55);// 将指向任意类型的指针转换为字符串

      v23 = *(_DWORD *)v95;

      v94 = v56;

      v77 = runtime_mapassign_faststr((int)&map_string_interface_, v23, v90, v85);// 将指针指向的数据转为字符串返回

      *v74 = &string;

      if ( dword_1B9460 )

        runtime_gcWriteBarrier();               // 垃圾回收

      else

        v74[1] = v94;

      v68 = encoding_json_Marshal((int)&map_string_interface_, *(_DWORD *)v95);// 转json数据

      v19 = v57;

      v18 = v68;

      v17 = (int)v74;

      if ( v77 )

      {

        v17 = a5;

        v18 = a4;

        v19 = key1;

      }

    }

    if ( v14 )

    {

      data = 0;

      data_len = 0;

    }

    else

    {

      main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81, 0);// 开始加密

      data = v82;

      data_len = v84;

    }

    main__libso_encrypt_func1(v40, v43);

  }
}
function hook_main_parsePassphrase_ret() {

 let base = Module.findBaseAddress("libsojm.so");

 Interceptor.attach(base.add(0xFFD9C), {

     onEnter(args) {

         console.log(`call 0xFFD9C ${JSON.stringify(this.context)}`);

         console.log(`call 0xFFD9C ${findRangeByAddress(this.context.r0)}`);

         console.log(`call 0xFFD9C ${findRangeByAddress(this.context.r1)}`);

     }

 });
}
 
// BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

// ..'.4c7e?2fab4f4>1>2>5d0ee4bb61d7b03+...,,!.." 这是直接解码的字符串
 
// 得到了两个字符串（其实这里就是对我们传入的 PWD 解码对后半部分进行了一些类的运算

8692ece4  6d 49 5a 55 6a 6a 67 68 47 64 00 00 00 00 00 00  mIZUjjghGd......
 
8692ecc4  34 63 37 65 3f 32 66 61 62 34 66 34 3e 31 3e 32  4c7e?2fab4f4>1>2

8692ecd4  3e 35 64 30 65 65 34 62 62 36 31 64 37 62 30 33  >5d0ee4bb61d7b03
 
// 关于这里为什么是从栈上取的，是因为它的调用约定并不是 fastcall，分析汇编可知都是栈传递参数跟接受返回值

.text:000FFD64 5B 0D 00 EB                   BL              main_logger

.text:000FFD64

.text:000FFD68 90 00 9D E5                   LDR             R0, [SP,#0x7C+arg_14]

.text:000FFD6C 04 00 8D E5                   STR             R0, [SP,#0x7C+var_78]   ; int

.text:000FFD70 94 00 9D E5                   LDR             R0, [SP,#0x7C+data]

.text:000FFD74 08 00 8D E5                   STR             R0, [SP,#0x7C+var_74]   ; int

.text:000FFD78 98 00 9D E5                   LDR             R0, [SP,#0x7C+data_len]

.text:000FFD7C 0C 00 8D E5                   STR             R0, [SP,#0x7C+var_70]   ; int

.text:000FFD80 1C 05 00 EB                   BL              main_parsePassphrase

.text:000FFD80

.text:000FFD84 14 00 9D E5                   LDR             R0, [SP,#0x7C+var_68]

.text:000FFD88 20 10 9D E5                   LDR             R1, [SP,#0x7C+var_5C]

.text:000FFD8C 18 20 9D E5                   LDR             R2, [SP,#0x7C+var_64]

.text:000FFD90 1C 30 9D E5                   LDR             R3, [SP,#0x7C+var_60]

.text:000FFD94 24 40 9D E5                   LDR             R4, [SP,#0x7C+var_58]

.text:000FFD98 28 50 9D E5                   LDR             R5, [SP,#0x7C+var_54]

.text:000FFD9C 2C 60 9D E5                   LDR             R6, [SP,#0x7C+var_50]

.text:000FFDA0 10 70 DD E5                   LDRB            R7, [SP,#0x7C+var_6C]

.text:000FFDA4 11 80 DD E5                   LDRB            R8, [SP,#0x7C+var_6C+1]

.text:000FFDA8 00 00 56 E3                   CMP             R6, #0

.text:000FFDAC 32 01 00 1A                   BNE             loc_10027C
function hook_main_parsePassphrase_ret() {

 let base = Module.findBaseAddress("libsojm.so");

 Interceptor.attach(base.add(0xFFD9C), {

     onEnter(args) {

         console.log(`call 0xFFD9C ${JSON.stringify(this.context)}`);

         console.log(`call 0xFFD9C ${findRangeByAddress(this.context.r0)}`);

         console.log(`call 0xFFD9C ${findRangeByAddress(this.context.r1)}`);

     }

 });
}
 
// BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg==

// ..'.4c7e?2fab4f4>1>2>5d0ee4bb61d7b03+...,,!.." 这是直接解码的字符串
 
// 得到了两个字符串（其实这里就是对我们传入的 PWD 解码对后半部分进行了一些类的运算

8692ece4  6d 49 5a 55 6a 6a 67 68 47 64 00 00 00 00 00 00  mIZUjjghGd......
 
8692ecc4  34 63 37 65 3f 32 66 61 62 34 66 34 3e 31 3e 32  4c7e?2fab4f4>1>2

8692ecd4  3e 35 64 30 65 65 34 62 62 36 31 64 37 62 30 33  >5d0ee4bb61d7b03
 
// 关于这里为什么是从栈上取的，是因为它的调用约定并不是 fastcall，分析汇编可知都是栈传递参数跟接受返回值

.text:000FFD64 5B 0D 00 EB                   BL              main_logger

.text:000FFD64

.text:000FFD68 90 00 9D E5                   LDR             R0, [SP,#0x7C+arg_14]

.text:000FFD6C 04 00 8D E5                   STR             R0, [SP,#0x7C+var_78]   ; int

.text:000FFD70 94 00 9D E5                   LDR             R0, [SP,#0x7C+data]

.text:000FFD74 08 00 8D E5                   STR             R0, [SP,#0x7C+var_74]   ; int

.text:000FFD78 98 00 9D E5                   LDR             R0, [SP,#0x7C+data_len]

.text:000FFD7C 0C 00 8D E5                   STR             R0, [SP,#0x7C+var_70]   ; int

.text:000FFD80 1C 05 00 EB                   BL              main_parsePassphrase

.text:000FFD80

.text:000FFD84 14 00 9D E5                   LDR             R0, [SP,#0x7C+var_68]

.text:000FFD88 20 10 9D E5                   LDR             R1, [SP,#0x7C+var_5C]

.text:000FFD8C 18 20 9D E5                   LDR             R2, [SP,#0x7C+var_64]

.text:000FFD90 1C 30 9D E5                   LDR             R3, [SP,#0x7C+var_60]

.text:000FFD94 24 40 9D E5                   LDR             R4, [SP,#0x7C+var_58]

.text:000FFD98 28 50 9D E5                   LDR             R5, [SP,#0x7C+var_54]

.text:000FFD9C 2C 60 9D E5                   LDR             R6, [SP,#0x7C+var_50]

.text:000FFDA0 10 70 DD E5                   LDRB            R7, [SP,#0x7C+var_6C]

.text:000FFDA4 11 80 DD E5                   LDRB            R8, [SP,#0x7C+var_6C+1]

.text:000FFDA8 00 00 56 E3                   CMP             R6, #0

.text:000FFDAC 32 01 00 1A                   BNE             loc_10027C
function hook_main_md5File() {

    let base = Module.findBaseAddress("libsojm.so");
 
    Interceptor.attach(base.add(0xFF94C), {

        onEnter: function (args) {

            this.arg1 = args[1]

            if (this.arg1 == 0x3b) {

                console.log(`onEnter main_md5File arg0:${args[0]} arg1:${args[1]} arg2:${args[2]} arg3:${args[3]} arg4:${args[4]}`);

                console.log(`onEnter main_md5File arg0:${args[0].readCString(0x3b)}`);  // 包路径 /data/app/tv.iytqy.cvhaca-gmGCryB_O0HztLC7rqkhRQ==/base.apk

                // console.log(`onEnter main_md5File arg1:${findRangeByAddress(args[1])}`);// arg1 参数0 长度

                // console.log(`onEnter main_md5File arg2:${findRangeByAddress(args[2])}`); // 地址内容为0

                // console.log(`onEnter main_md5File arg3:${findRangeByAddress(args[3])}`);  // 地址内容为0

                // console.log(`onEnter main_md5File arg4:${findRangeByAddress(args[4])}`);  // 不知道这个是啥

            }
 
        }, onLeave: function (retval) {
 
            if (this.arg1 == 0x3b) {

                console.log(`onLeave main_md5File ${retval.readCString(32)}`);  // 678c7f3bf3584a2079295d8834928146

            }

        }

    });
}
function hook_main_md5File() {

    let base = Module.findBaseAddress("libsojm.so");
 
    Interceptor.attach(base.add(0xFF94C), {

        onEnter: function (args) {

            this.arg1 = args[1]

            if (this.arg1 == 0x3b) {

                console.log(`onEnter main_md5File arg0:${args[0]} arg1:${args[1]} arg2:${args[2]} arg3:${args[3]} arg4:${args[4]}`);

                console.log(`onEnter main_md5File arg0:${args[0].readCString(0x3b)}`);  // 包路径 /data/app/tv.iytqy.cvhaca-gmGCryB_O0HztLC7rqkhRQ==/base.apk

                // console.log(`onEnter main_md5File arg1:${findRangeByAddress(args[1])}`);// arg1 参数0 长度

                // console.log(`onEnter main_md5File arg2:${findRangeByAddress(args[2])}`); // 地址内容为0

                // console.log(`onEnter main_md5File arg3:${findRangeByAddress(args[3])}`);  // 地址内容为0

                // console.log(`onEnter main_md5File arg4:${findRangeByAddress(args[4])}`);  // 不知道这个是啥

            }
 
        }, onLeave: function (retval) {
 
            if (this.arg1 == 0x3b) {

                console.log(`onLeave main_md5File ${retval.readCString(32)}`);  // 678c7f3bf3584a2079295d8834928146

            }

        }

    });
}

onEnter main_md5File arg0:0x86844940 arg1:0x3b arg2:0x304f5f42 arg3:0x4c747a48 arg4:0xe6f73709

onEnter main_md5File arg0:/data/app/tv.iytqy.cvhaca-gmGCryB_O0HztLC7rqkhRQ==/base.apk

onLeave main_md5File 678c7f3bf3584a2079295d8834928146

onEnter main_md5File arg0:0x86844940 arg1:0x3b arg2:0x304f5f42 arg3:0x4c747a48 arg4:0xe6f73709

onEnter main_md5File arg0:/data/app/tv.iytqy.cvhaca-gmGCryB_O0HztLC7rqkhRQ==/base.apk

onLeave main_md5File 678c7f3bf3584a2079295d8834928146

import hashlib
 
filename = '50ash_5.7.1_230305_3.apk'

hasher = hashlib.md5()
 
with open(filename, 'rb') as f:

    buf = f.read()

    hasher.update(buf)
 
md5hash = hasher.hexdigest()

print(md5hash)
 
# [Running] python -u "c:\Users\Administrator\Desktop\50度灰\getMD5File.py"
# 678c7f3bf3584a2079295d8834928146

import hashlib
 
filename = '50ash_5.7.1_230305_3.apk'

hasher = hashlib.md5()
 
with open(filename, 'rb') as f:

    buf = f.read()

    hasher.update(buf)
 
md5hash = hasher.hexdigest()

print(md5hash)
 
# [Running] python -u "c:\Users\Administrator\Desktop\50度灰\getMD5File.py"
# 678c7f3bf3584a2079295d8834928146

v68 = encoding_json_Marshal((int)&map_string_interface_, *(_DWORD *)v95);  // 转json数据

v18 = v68;

main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81, 0);  // 开始加密
 
// 所以这里我们直接 hook main_oldEncrypt 就可以得到加密前的明文了

v68 = encoding_json_Marshal((int)&map_string_interface_, *(_DWORD *)v95);  // 转json数据

v18 = v68;

main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81, 0);  // 开始加密
 
// 所以这里我们直接 hook main_oldEncrypt 就可以得到加密前的明文了
function hook_main_oldEncrypt() {

    let base = Module.findBaseAddress("libsojm.so");
 
    Interceptor.attach(base.add(0xFF5EC), {

        onEnter: function (args) {

            console.log(`onEnter main_oldEncrypt arg0:${args[0]} arg1:${args[1]} arg2:${args[2]} arg3:${args[3]} arg4:${args[4]} arg5:${args[5]} arg6:${args[6]} arg7:${args[7]} arg8:${args[8]} arg9:${args[9]} arg10:${args[10]} arg11:${args[11]}`);

            console.warn(`onEnter main_oldEncrypt arg1:${args[1].readCString()}`);

            // console.log(`onEnter main_oldEncrypt arg4:${findRangeByAddress(args[4])}`);

            console.log(`onEnter main_oldEncrypt arg8:${args[8].readCString()}`);  // key1

            console.log(`onEnter main_oldEncrypt arg11:${args[11].readCString()}`);  // key2

        }, onLeave: function (retval) {

            // console.log(`onLeave main_oldEncrypt ${findRangeByAddress(retval)}`);

            console.log(`onLeave main_oldEncrypt ${retval.readCString()}`);

            console.error("------------------------------------------------------------");

        }

    });
}
function hook_main_oldEncrypt() {

    let base = Module.findBaseAddress("libsojm.so");
 
    Interceptor.attach(base.add(0xFF5EC), {

        onEnter: function (args) {

            console.log(`onEnter main_oldEncrypt arg0:${args[0]} arg1:${args[1]} arg2:${args[2]} arg3:${args[3]} arg4:${args[4]} arg5:${args[5]} arg6:${args[6]} arg7:${args[7]} arg8:${args[8]} arg9:${args[9]} arg10:${args[10]} arg11:${args[11]}`);

            console.warn(`onEnter main_oldEncrypt arg1:${args[1].readCString()}`);

            // console.log(`onEnter main_oldEncrypt arg4:${findRangeByAddress(args[4])}`);

            console.log(`onEnter main_oldEncrypt arg8:${args[8].readCString()}`);  // key1

            console.log(`onEnter main_oldEncrypt arg11:${args[11].readCString()}`);  // key2

        }, onLeave: function (retval) {

            // console.log(`onLeave main_oldEncrypt ${findRangeByAddress(retval)}`);

            console.log(`onLeave main_oldEncrypt ${retval.readCString()}`);

            console.error("------------------------------------------------------------");

        }

    });
}

[Pixel::XXXXX]-> call()

onEnter main_oldEncrypt arg0:0xc arg1:0x869d0580 arg2:0x288 arg3:0x2c0 arg4:0xc96436f0 arg5:0x869d0580 arg6:0x288 arg7:0x2c0 arg8:0x868a4c34 arg9:0x20 arg10:0x2c arg11:0x868a4c54

onEnter main_oldEncrypt arg1:{"__package_hash__":"678c7f3bf3584a2079295d8834928146","__package_name__":"tv.iytqy.cvhaca","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","bundle_id":"tv.iytqy.cvhaca","new_player":"fx","system_app_type":"local","system_build_aff":"","system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD","system_version":"5.7.1"}

onEnter main_oldEncrypt arg8:4c7e?2fab4f4>1>2>5d0ee4bb61d7b03mIZUjjghGd
onEnter main_oldEncrypt arg11:mIZUjjghGd

onLeave main_oldEncrypt 436a4b4d6961565043615063737077526c2e5dd70001b006397ce672c6fe1948f74ac72436bccb766585953419b0a7d4643fd7b98319a6696558f3e129bd7865383a4311256cdc126a00d49126379d5cc3f5a1a0fcd8a6fb6f6293d0ad6e628451cd26efecfaa5021099af5b428da2081533953dcf9a1e3a6f46a560471e6cef6e591b4937c36cd5ccb0de0364279eecf0970e101286faa0d25476e49a2e8b5a24f5d4d2e2c1afb67785f96511f48290864e6fdac548a325f9b30b0c7a99dd2c909518ccac45d9efa2c9973c5f0de468d094e6573afc44d2ffe73d6d79ee76d45fd8fcdf7d45c8a47fca7e85769239da6bfd9e35eaaa59bf3a6bb7741258a42bca7272e611bb8ddd93e807d126c3898f0f1aa9f37af485c140b706fe7a3f0d684eb3132ecd208cf52338a617095e7bb2b2b3eb749c7f7f01d8bfc7d386a2799ae6f015a87ba1519109aa92c4ec2e9d15650a46d239616ec515605d56b7ef3a954f2edbbb85f8c86e2f19c19e6422cc7dcf2277ebd968cf9751f5548f5ae77387985e0dfb7262787b13416138cb5c5952d4d3305a7688910984c75adc0a7f85347917bef0d909ad5a024f2275a5609e2d813f4c43d9bd00b4e82479725b78b197032bf78a163db5f1cbbbd1d09df698cbcb0024646d58d848dd08ad6168413842aa3925a5dd782c6b7d4d58d38a24d3dfe17e8a5e7be5dbeb0ade63d730e10015fd421d1f78f8744322f38f2f2764584dd4f6b36fc3cd0ccd22a9aaaacd92174882fccabc91712364d2afbe83bb6c2ad3d5cafcfd2f09e6e94d79d9dea18c9f7a599640177893b37bdd3e6ed388339d9c1ef9f5d9c197cff02555488bbce4b8ac7366b623b9dadcf3813a6451290094773076b616bbf9f7079c5c39c1ed3c3e211648f862d47b34d644d4c0ae05e0d5fb73d8b046151d2677
 
// 分析

// onLeave 返回值就是我们最终加密的密文

// arg1 是我们加密前的明文

// 传入了两个key 4c7e?2fab4f4>1>2>5d0ee4bb61d7b03mIZUjjghGd 与 mIZUjjghGd

// 其实这里应该是 4c7e?2fab4f4>1>2>5d0ee4bb61d7b03 与 mIZUjjghGd，他们挨在一起的，所以是一起打印的

[Pixel::XXXXX]-> call()

onEnter main_oldEncrypt arg0:0xc arg1:0x869d0580 arg2:0x288 arg3:0x2c0 arg4:0xc96436f0 arg5:0x869d0580 arg6:0x288 arg7:0x2c0 arg8:0x868a4c34 arg9:0x20 arg10:0x2c arg11:0x868a4c54

onEnter main_oldEncrypt arg1:{"__package_hash__":"678c7f3bf3584a2079295d8834928146","__package_name__":"tv.iytqy.cvhaca","app_status":"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2","bundle_id":"tv.iytqy.cvhaca","new_player":"fx","system_app_type":"local","system_build_aff":"","system_build_id":"a1000","system_iid":"923868eb5f543afa55f1f33cfac37d35","system_oauth_id":"02274477773a9ac8a2cf3605400ece4b","system_oauth_type":"android","system_token":"023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD","system_version":"5.7.1"}

onEnter main_oldEncrypt arg8:4c7e?2fab4f4>1>2>5d0ee4bb61d7b03mIZUjjghGd
onEnter main_oldEncrypt arg11:mIZUjjghGd

onLeave main_oldEncrypt 436a4b4d6961565043615063737077526c2e5dd70001b006397ce672c6fe1948f74ac72436bccb766585953419b0a7d4643fd7b98319a6696558f3e129bd7865383a4311256cdc126a00d49126379d5cc3f5a1a0fcd8a6fb6f6293d0ad6e628451cd26efecfaa5021099af5b428da2081533953dcf9a1e3a6f46a560471e6cef6e591b4937c36cd5ccb0de0364279eecf0970e101286faa0d25476e49a2e8b5a24f5d4d2e2c1afb67785f96511f48290864e6fdac548a325f9b30b0c7a99dd2c909518ccac45d9efa2c9973c5f0de468d094e6573afc44d2ffe73d6d79ee76d45fd8fcdf7d45c8a47fca7e85769239da6bfd9e35eaaa59bf3a6bb7741258a42bca7272e611bb8ddd93e807d126c3898f0f1aa9f37af485c140b706fe7a3f0d684eb3132ecd208cf52338a617095e7bb2b2b3eb749c7f7f01d8bfc7d386a2799ae6f015a87ba1519109aa92c4ec2e9d15650a46d239616ec515605d56b7ef3a954f2edbbb85f8c86e2f19c19e6422cc7dcf2277ebd968cf9751f5548f5ae77387985e0dfb7262787b13416138cb5c5952d4d3305a7688910984c75adc0a7f85347917bef0d909ad5a024f2275a5609e2d813f4c43d9bd00b4e82479725b78b197032bf78a163db5f1cbbbd1d09df698cbcb0024646d58d848dd08ad6168413842aa3925a5dd782c6b7d4d58d38a24d3dfe17e8a5e7be5dbeb0ade63d730e10015fd421d1f78f8744322f38f2f2764584dd4f6b36fc3cd0ccd22a9aaaacd92174882fccabc91712364d2afbe83bb6c2ad3d5cafcfd2f09e6e94d79d9dea18c9f7a599640177893b37bdd3e6ed388339d9c1ef9f5d9c197cff02555488bbce4b8ac7366b623b9dadcf3813a6451290094773076b616bbf9f7079c5c39c1ed3c3e211648f862d47b34d644d4c0ae05e0d5fb73d8b046151d2677
 
// 分析

// onLeave 返回值就是我们最终加密的密文

// arg1 是我们加密前的明文

// 传入了两个key 4c7e?2fab4f4>1>2>5d0ee4bb61d7b03mIZUjjghGd 与 mIZUjjghGd

// 其实这里应该是 4c7e?2fab4f4>1>2>5d0ee4bb61d7b03 与 mIZUjjghGd，他们挨在一起的，所以是一起打印的

				登录后可查看完整内容
			
[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

		最后于  2023-3-23 22:19		
				被.KK编辑
				
		，原因： 添加标题		
	
		#逆向分析
		#协议分析
	
上传的附件：

			分析.7z
		
		（3.17MB，23次下载）
收藏・17
免费・12
支持
打赏 + 20.00雪花
Imyang
打赏次数 1
雪花 + 20.00
Imyang
+20.00
2023/03/23
精品文章～
最新回复 (3)
天道happy 雪币： 227 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	天道happy 2 楼大佬请问有木有apk的样本 2023-3-24 11:55 0
.KK 雪币： 1200 活跃值： (6061) 能力值： ( LV3，RANK：20 ) 在线值：发帖 6 回帖 40 粉丝 53 关注私信	.KK 3 楼 mb_wvvozxbm 大佬请问有木有apk的样本这个可能不太方便在这分享 2023-3-24 21:51 0
淡定小胖子雪币： 1985 活跃值： (1800) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 47 粉丝 5 关注私信	淡定小胖子 4 楼 k佬牛逼 2023-3-25 18:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复
.KK
发帖
回帖
RANK
关注
私信
他的文章
关于我们
联系我们
企业服务
看雪公众号
最新回复 (3)
天道happy 雪币： 227 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	天道happy 2 楼大佬请问有木有apk的样本 2023-3-24 11:55 0
.KK 雪币： 1200 活跃值： (6061) 能力值： ( LV3，RANK：20 ) 在线值：发帖 6 回帖 40 粉丝 53 关注私信	.KK 3 楼 mb_wvvozxbm 大佬请问有木有apk的样本这个可能不太方便在这分享 2023-3-24 21:51 0
淡定小胖子雪币： 1985 活跃值： (1800) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 47 粉丝 5 关注私信	淡定小胖子 4 楼 k佬牛逼 2023-3-25 18:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复