-
-
[原创]GoJni 协议加解密分析
-
发表于: 2023-3-23 22:18 30091
-
string
看起来是一个整体,但是本质上是一片连续的内存空间,我们也可以将它理解成一个由字符组成的数组,相比于切片仅仅少了一个 Cap
属性
字符串:底层结构是一个包含指向底层数据的指针和长度信息的结构体,定义如下:
这里记住 Go 的字符串是,字符串 + 字符串长度 或 字符串 + 字符串长度 + 容量 组成的即可
ARM 中常用的栈是 sp < bp
的,也就是递减的(向下增长、连续的内存区域,通常被称为“向下堆栈”或“逆序堆栈”),临时变量 < sp
,可用堆栈 > sp
补充:SP 与 BP 都是栈指针,用于管理栈的位置和操作。它们的使用方法和作用有所不同,但都是必不可少的
在 ARM 架构中,BP 并不是必须的,因为可以使用 SP 来访问局部变量和参数。但是在某些情况下,BP 可以提高代码的可读性和可维护性,特别是在调试时。此外,BP 还可以用于保存上一个函数的栈帧指针,以便在返回时恢复上一个函数的状态
大概分析了下请求都有加密且格式固定,如下图 data
根据一些关键词进行快速定位,k
方法一看就很像
跟了一下 String e2 = e(encryptData);
逻辑最终到了 native 层,hook 一下
拿了 token + 一堆设备信息进行加密,这里先不追 token 怎么来的(我猜是初始化 App 得到的!
经过多次调用相同入参,密文不同(猜测可能对称加密里不同的加密分组模式, pwd
可能就是初始化向量的 IV
,这里仅仅是一个猜测
其实打开 IDA 看到这我是懵逼的
通过 ChatGPT 分析可知,这是 Go 写的 jni 程序(利用 ChatGPI 辅助分析这套组合拳是真的不错!!
汇编解释
参考文档 内部机制 - Go语言高级编程
Java_com_qq_lib_EncryptUtil_encrypt
这里应该遵循 JNI 调用,所以参数1到参数4应该是 env, clz, src, pwd
其实这里还可以使用 JEB 分析 So(下图为 JEB 分析 Native 函数的结果
进入 cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt
分析逻辑可以发现不管是 JEB 还是 IDA,区别还是挺大的,但我对它俩的反编译结果都不是很满意
大概分析了下,看了几个函数调用觉得 sub_FFD0C
函数有点像加密处理相关的东西
ALT + F7 运行 go_parser/go_parser.py
加载脚本文件即可恢复符号,不过这里脚本似乎跑到提示 Standard types building finished. Total types count: 718
应该就可以中断脚本了(估计脚本还存在 Bug,不过对于我们来说够用了
与没修复的 cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt
函数对比,可以发现清晰许多
sub_FFD0C
函数对应 main__libso_encrypt
,是不是清晰许多
这里还写了一个 Call
去调用,方便我们调试,也可以选择传入不是 JSON 格式的数据,因为后面有对这个明文进行处理,如果不是 JSON 格式就不会执行那个流程,但是也会出密文
该函数主要做的事:将 base64 编码的字符串解码并进行格式校验
如果格式不符合要求,则返回相应的错误信息;否则返回空指针表示处理成功
这里就是传入了一个文件路径,得到了一个文件的 MD5 值
写个了 Python 代码进行验证,发现结果是对的
这里就是把我们之前的字符串再次序列化
hook 代码
这里是 for 循环得到一个 key3,在调用函数 main_swapByteLocation
得到 key4,因为这里的值是固定的,只要 pwd 与前面对 pwd 的算法没有改变,这里就可以直接拿最后计算的结果即可
关于 Key 的处理
关于 IV 的处理
还原符号就是爽!!!,这里可以直接看到算法名以及使用的模式
写了一个 Go 的 AES_CFB 进行验证,验证结果是一致的,这里还剩下最后一步
对 key 解码进行处理
生成16位随机 IV opensslRandomPseudoBytes
已在知识星球"10亿级应用的逆向分享"原创首发
type
string string
type
string string
/
/
from
: src\reflect\value.go
type
StringHeader struct {
Data uintptr
Len
int
}
/
/
Data 字段是一个 uintptr 类型的指针,指向实际存储字符串数据的内存地址;
Len
字段表示字符串的长度,即其中包含的字符数(而不是字节数)。
需要注意的是,由于 Go 语言中字符串是不可变的,因此字符串的底层结构是只读的。在对字符串进行修改时,会创建一个新的字符串对象来保存修改后的结果。
/
/
切片
type
SliceHeader struct {
Data uintptr
Len
int
Cap
int
}
/
/
from
: src\reflect\value.go
type
StringHeader struct {
Data uintptr
Len
int
}
/
/
Data 字段是一个 uintptr 类型的指针,指向实际存储字符串数据的内存地址;
Len
字段表示字符串的长度,即其中包含的字符数(而不是字节数)。
需要注意的是,由于 Go 语言中字符串是不可变的,因此字符串的底层结构是只读的。在对字符串进行修改时,会创建一个新的字符串对象来保存修改后的结果。
/
/
切片
type
SliceHeader struct {
Data uintptr
Len
int
Cap
int
}
/
/
请求数据
data String
4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c
_ver String v1
sign String ceaac2487fa17e7019b05ab4cf41ebd0
timestamp String
1678025314
/
/
请求数据
data String
4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c
_ver String v1
sign String ceaac2487fa17e7019b05ab4cf41ebd0
timestamp String
1678025314
java.lang.Exception
at java.security.MessageDigest.update(Native Method)
at com.szcx.lib.encrypt.e.a.e(SourceFile:
2
)
at com.szcx.lib.encrypt.c.k(SourceFile:
10
)
at com.tencent.mm.network.d.o2(SourceFile:
1
)
at com.tencent.mm.network.d.q2(SourceFile:
6
)
at com.tencent.mm.network.d.a4(SourceFile:
3
)
at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:
1
)
at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:
1
)
at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:
4
)
at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:
554
)
at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:
1242
)
at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:
1484
)
at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:
146
)
at android.animation.AnimationHandler.access$
100
(AnimationHandler.java:
37
)
at android.animation.AnimationHandler$
1.doFrame
(AnimationHandler.java:
54
)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:
964
)
at android.view.Choreographer.doCallbacks(Choreographer.java:
790
)
at android.view.Choreographer.doFrame(Choreographer.java:
721
)
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:
951
)
at android.os.Handler.handleCallback(Handler.java:
883
)
at android.os.Handler.dispatchMessage(Handler.java:
100
)
at android.os.Looper.loop(Looper.java:
214
)
at android.app.ActivityThread.main(ActivityThread.java:
7356
)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:
492
)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:
930
)
[
*
] SHA
-
256
| update | Utf8: _ver
=
v1&data
=
4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c
×tamp
=
167802531481d7beac44a86f4337f534ec93328370
[
*
] SHA
-
256
| digest |
Hex
:
596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
⚡
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
java.lang.Exception
at java.security.MessageDigest.update(Native Method)
at java.security.MessageDigest.digest(MessageDigest.java:
447
)
at com.szcx.lib.encrypt.e.c.b(SourceFile:
3
)
at com.szcx.lib.encrypt.c.j(SourceFile:
3
)
at com.szcx.lib.encrypt.c.k(SourceFile:
10
)
at com.tencent.mm.network.d.o2(SourceFile:
1
)
at com.tencent.mm.network.d.q2(SourceFile:
6
)
at com.tencent.mm.network.d.a4(SourceFile:
3
)
at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:
1
)
at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:
1
)
at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:
4
)
at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:
554
)
at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:
1242
)
at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:
1484
)
at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:
146
)
at android.animation.AnimationHandler.access$
100
(AnimationHandler.java:
37
)
at android.animation.AnimationHandler$
1.doFrame
(AnimationHandler.java:
54
)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:
964
)
at android.view.Choreographer.doCallbacks(Choreographer.java:
790
)
at android.view.Choreographer.doFrame(Choreographer.java:
721
)
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:
951
)
at android.os.Handler.handleCallback(Handler.java:
883
)
at android.os.Handler.dispatchMessage(Handler.java:
100
)
at android.os.Looper.loop(Looper.java:
214
)
at android.app.ActivityThread.main(ActivityThread.java:
7356
)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:
492
)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:
930
)
[
*
] MD5 | update | Utf8:
596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4
[
*
] MD5 | digest |
Hex
: ceaac2487fa17e7019b05ab4cf41ebd0
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
⚡
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
java.lang.Exception
at java.security.MessageDigest.update(Native Method)
at com.szcx.lib.encrypt.e.a.e(SourceFile:
2
)
at com.szcx.lib.encrypt.c.k(SourceFile:
10
)
at com.tencent.mm.network.d.o2(SourceFile:
1
)
at com.tencent.mm.network.d.q2(SourceFile:
6
)
at com.tencent.mm.network.d.a4(SourceFile:
3
)
at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:
1
)
at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:
1
)
at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:
4
)
at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:
554
)
at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:
1242
)
at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:
1484
)
at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:
146
)
at android.animation.AnimationHandler.access$
100
(AnimationHandler.java:
37
)
at android.animation.AnimationHandler$
1.doFrame
(AnimationHandler.java:
54
)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:
964
)
at android.view.Choreographer.doCallbacks(Choreographer.java:
790
)
at android.view.Choreographer.doFrame(Choreographer.java:
721
)
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:
951
)
at android.os.Handler.handleCallback(Handler.java:
883
)
at android.os.Handler.dispatchMessage(Handler.java:
100
)
at android.os.Looper.loop(Looper.java:
214
)
at android.app.ActivityThread.main(ActivityThread.java:
7356
)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:
492
)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:
930
)
[
*
] SHA
-
256
| update | Utf8: _ver
=
v1&data
=
4b797a6b79724b6a784f4e5063555949c7102e99bdf73b4b11732ca323bc6ec9d1bd741a879d5675286139db959b8b5f7e928e412007f5270161a89213628b4f2d541a83c9a3a504d18fc62380dc8bdab4a756ecba21a00377a3d21779ce5c5def79b933e1238237a567405ede8d609a051a9960b668bb7beca1a6910d36014bc6c99dc6b063bbc6afad592ffe6cea1a1a667723e7d97f54e43369e5fdedf38fd9649715200d21f756cf3ae294405f057dd16d0be6c9b85e19a11f64a02d8c62a0ceedc8875703a7c1034b5872822143c4b1e0de826bd02576f88dc0f94586b70225363e99ae9dd86991b66c23bb6ea3750e1d9e403634babca10d4853446a852fcb3a93a7e0119b96e3d4d157395d4f1b1a033d4ab62f52fcdac519fe10f9d4ece5b0ba4030adea08b0eb6b9dd2f63c8e2332ea04e1a2b23432b5137219a0f780f5301955dc48418a230b59636f1281a954986ca3cf33fda43b07439558e41cbb6e34592db8d2bba90ddb9a923f93c7b9b6f5810fcd036cc6b2cf5aff30b6b12c273a1a07fbdb7dcb36766b03fc962fc43556a19a360c2a9de8f8728d396816039959abfb36e01b01ce7661ad07d5b2400a12cc0a43d5538c82b92351ef9ebf1cba1dafec962cfcbb0ba5d2dda2923b2438580dcb1b4e1bc0589f877ec7e1ccbec214f2849140c1103a4deaea4432f5ea5cfa03df281dab9f2017dac99a5f7dce1e7560ca130d5d31e8a8d30cb053d4cf67d959ad32337994ff49646a34994b5d05bc9613eb7f619988714ab820ad0c1d668af5d734d5ee29658a9b14086c5bdee3cd9a55b7522e6b18cfdeb420e550bf8344a3e3c19aa79dbb3f4918c6b5fb082ea5b0b32752defe446fd418b372cf672b185a7d662ac0e00bb75b9c6b62b854bf0eb4c1599e4ba2b4f4c0c81a94c9cda58b8b4d4f6a5c
×tamp
=
167802531481d7beac44a86f4337f534ec93328370
[
*
] SHA
-
256
| digest |
Hex
:
596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
⚡
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
java.lang.Exception
at java.security.MessageDigest.update(Native Method)
at java.security.MessageDigest.digest(MessageDigest.java:
447
)
at com.szcx.lib.encrypt.e.c.b(SourceFile:
3
)
at com.szcx.lib.encrypt.c.j(SourceFile:
3
)
at com.szcx.lib.encrypt.c.k(SourceFile:
10
)
at com.tencent.mm.network.d.o2(SourceFile:
1
)
at com.tencent.mm.network.d.q2(SourceFile:
6
)
at com.tencent.mm.network.d.a4(SourceFile:
3
)
at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:
1
)
at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:
1
)
at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:
4
)
at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:
554
)
at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:
1242
)
at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:
1484
)
at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:
146
)
at android.animation.AnimationHandler.access$
100
(AnimationHandler.java:
37
)
at android.animation.AnimationHandler$
1.doFrame
(AnimationHandler.java:
54
)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:
964
)
at android.view.Choreographer.doCallbacks(Choreographer.java:
790
)
at android.view.Choreographer.doFrame(Choreographer.java:
721
)
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:
951
)
at android.os.Handler.handleCallback(Handler.java:
883
)
at android.os.Handler.dispatchMessage(Handler.java:
100
)
at android.os.Looper.loop(Looper.java:
214
)
at android.app.ActivityThread.main(ActivityThread.java:
7356
)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:
492
)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:
930
)
[
*
] MD5 | update | Utf8:
596d1c38df70c52a5c4834a970f78774e0213c95cb3b852ac96cbc1dacf08cf4
[
*
] MD5 | digest |
Hex
: ceaac2487fa17e7019b05ab4cf41ebd0
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
⚡
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
/
/
抓包数据
data String
627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c
_ver String v1
sign String dbda8ee96f5dcd2de4b85a66e5fb10ff
timestamp String
1678030550
/
/
抓包数据
data String
627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c
_ver String v1
sign String dbda8ee96f5dcd2de4b85a66e5fb10ff
timestamp String
1678030550
[DEBUG][
03
/
05
/
2023
,
-
1
:
35
:
50
PM][PID:
28955
][main][
28955
][showStacks] java.lang.Exception
at com.qq.lib.EncryptUtil.encrypt(Native Method)
at com.szcx.lib.encrypt.c.f(SourceFile:
1
)
at com.szcx.lib.encrypt.c.e(SourceFile:
1
)
at com.szcx.lib.encrypt.c.k(SourceFile:
2
)
at com.tencent.mm.network.d.o2(SourceFile:
1
)
at com.tencent.mm.network.d.q2(SourceFile:
6
)
at com.tencent.mm.network.d.a4(SourceFile:
3
)
at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:
1
)
at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:
1
)
at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:
4
)
at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:
554
)
at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:
1242
)
at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:
1484
)
at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:
146
)
at android.animation.AnimationHandler.access$
100
(AnimationHandler.java:
37
)
at android.animation.AnimationHandler$
1.doFrame
(AnimationHandler.java:
54
)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:
964
)
at android.view.Choreographer.doCallbacks(Choreographer.java:
790
)
at android.view.Choreographer.doFrame(Choreographer.java:
721
)
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:
951
)
at android.os.Handler.handleCallback(Handler.java:
883
)
at android.os.Handler.dispatchMessage(Handler.java:
100
)
at android.os.Looper.loop(Looper.java:
214
)
at android.app.ActivityThread.main(ActivityThread.java:
7356
)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:
492
)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:
930
)
[>>>] com.qq.lib.EncryptUtil.encrypt
[
+
] encrypt_arg[
0
] :
=
> {
"system_build_id"
:
"a1000"
,
"system_iid"
:
"923868eb5f543afa55f1f33cfac37d35"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"system_version"
:
"5.7.1"
,
"system_build_aff"
:"
","
bundle_id
":"
tv.iytqy.cvhaca
","
system_app_type
":"
local
","
new_player
":"
fx
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
"}
[
+
] encrypt_arg[
1
] :
=
> BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
[<<<] encrypt_result :
=
>
627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c
[DEBUG][
03
/
05
/
2023
,
-
1
:
35
:
50
PM][PID:
28955
][main][
28955
][showStacks] java.lang.Exception
at com.qq.lib.EncryptUtil.encrypt(Native Method)
at com.szcx.lib.encrypt.c.f(SourceFile:
1
)
at com.szcx.lib.encrypt.c.e(SourceFile:
1
)
at com.szcx.lib.encrypt.c.k(SourceFile:
2
)
at com.tencent.mm.network.d.o2(SourceFile:
1
)
at com.tencent.mm.network.d.q2(SourceFile:
6
)
at com.tencent.mm.network.d.a4(SourceFile:
3
)
at com.tencent.mm.ui.fragment.main.MineFragment.r3(SourceFile:
1
)
at com.tencent.mm.ui.fragment.main.MineFragment.s4(SourceFile:
1
)
at com.scwang.smartrefresh.layout.SmartRefreshLayout$l.onAnimationEnd(SourceFile:
4
)
at android.animation.Animator$AnimatorListener.onAnimationEnd(Animator.java:
554
)
at android.animation.ValueAnimator.endAnimation(ValueAnimator.java:
1242
)
at android.animation.ValueAnimator.doAnimationFrame(ValueAnimator.java:
1484
)
at android.animation.AnimationHandler.doAnimationFrame(AnimationHandler.java:
146
)
at android.animation.AnimationHandler.access$
100
(AnimationHandler.java:
37
)
at android.animation.AnimationHandler$
1.doFrame
(AnimationHandler.java:
54
)
at android.view.Choreographer$CallbackRecord.run(Choreographer.java:
964
)
at android.view.Choreographer.doCallbacks(Choreographer.java:
790
)
at android.view.Choreographer.doFrame(Choreographer.java:
721
)
at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:
951
)
at android.os.Handler.handleCallback(Handler.java:
883
)
at android.os.Handler.dispatchMessage(Handler.java:
100
)
at android.os.Looper.loop(Looper.java:
214
)
at android.app.ActivityThread.main(ActivityThread.java:
7356
)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:
492
)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:
930
)
[>>>] com.qq.lib.EncryptUtil.encrypt
[
+
] encrypt_arg[
0
] :
=
> {
"system_build_id"
:
"a1000"
,
"system_iid"
:
"923868eb5f543afa55f1f33cfac37d35"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"system_version"
:
"5.7.1"
,
"system_build_aff"
:"
","
bundle_id
":"
tv.iytqy.cvhaca
","
system_app_type
":"
local
","
new_player
":"
fx
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
"}
[
+
] encrypt_arg[
1
] :
=
> BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
[<<<] encrypt_result :
=
>
627a50674a6d776d73587454705468521edbeb72a11ac72b90b74764a0580a0ef17d65423ba7bca562050f72a3c518aea1bf9c6cc3427cb1aff14212e40f2c30c44494b628355e0a5911c066595a2da3f265b76de6c4be7d6cae4277bba320f2cd730a40aa8558644176567f2b94c006513bf19ef1f7724566c843c8bf8dd6a9f06fad04362847472c91d1f63f8f1a11b48d9aa7a330535fd558ef2f87b15bbe233797659bcf01d4a48089c07cce73644da19f6a5f0fb54cf014a5212843aa03a28b3f5a616d2a34115d03b7dec62ea4f1b9da0b6dea710587c4d758e47fbd824fc38c5b6e49491e0aead6fd2134b4f6ca0ce7a5bb4c1fc8e77be276b0523f5ddee057a1007a6f6abbbba042f78a4afd6be2b41d10988e1d470c1cf003a2642a60112e127cfcb585a835989146da5bfae44adab85c01d8c3ea2f49c213aad8a12e9fda7f876c401c21af65bda3c5212147c1a71cb583988002ac631c13d2fed6f30bb2c48b11e34fadd1f7c827fb40d8d02065b564c2304db9ebae729db919ffd0080ab3bdca10a740b89d0da0f3885f7db85a4a13665258eff2b2be7b30895606a9820a8a2dd71a4cb5c3c594077176d49deaf08dc77b98b69729a87cd82f48e6656b179f69e1942fe68932eec1c7da4393b592cd41ffc68de9f1721a44c62ae2c645f3be198e64173d5151a329329cdc2ddabeadb82032e7be0ddaff534344e963984f80e245820c48e1fee944b8814b8d7f80095dd0a983270292c73aeed987e237405b86499098ca1fbc688dc986c17653be283ae69f9c371749034de089012c26497cffc9911b4e0365ceb489086f2b3c987c3073a334996d444686047f47651789c8c4e5d1f1864f54c384aad28b1d6856005c8ed4973e62fee5ec8966e462d18f74cb81407067ddf7b3c07a4cbcff164331a2c13c
int
__usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
{
cgo_wait_runtime_init_done();
/
/
初始化上下文
crosscall2();
cgo_release_context();
/
/
释放上下文
return
0
;
}
int
__usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
{
cgo_wait_runtime_init_done();
/
/
初始化上下文
crosscall2();
cgo_release_context();
/
/
释放上下文
return
0
;
}
; Attributes: bp
-
based frame
;
int
__usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
EXPORT Java_com_qq_lib_EncryptUtil_encrypt
Java_com_qq_lib_EncryptUtil_encrypt
var_2C
=
-
0x2C
var_28
=
-
0x28
var_24
=
-
0x24
var_20
=
-
0x20
var_1C
=
-
0x1C
PUSH {R4
-
R8,R10,R11,LR} ; 将寄存器 R4
-
R8、R10、R11 和 LR 压入栈中
ADD R11, SP,
#0x18 ; 建立栈帧: 将 R11 设为当前栈顶地址加上 24 的值
SUB SP, SP,
#0x18 ; 分配栈空间
MOV R8, R3 ; 将寄存器 R3 中的值复制到 R8 中,这是第
4
个参数⭐pwd
MOV R5, R2 ; 将寄存器 R2 中的值复制到 R5 中,这是第
3
个参数⭐src
MOV R6, R1 ; 将寄存器 R1 中的值复制到 R6 中,这是第
2
个参数⭐
class
MOV R7, R0 ; 将寄存器 R0 中的值复制到 R7 中,这是第
1
个参数⭐env
BL _cgo_wait_runtime_init_done ; 调用_cgo_wait_runtime_init_done函数
MOV R4, R0 ; 将 _cgo_wait_runtime_init_done 函数的返回值存储到 R4 中
MOV R0,
#0 ; 将 0 存储到 R0 中
STR
R8, [SP,
#0x30+var_20] ; 将 R8 寄存器的值保存到栈空间⭐pwd
ADD R1, SP,
#0x30+var_2C ; 计算第一个参数的地址⭐将指针变量 var_2C 的地址存储到 R1 中⭐args 参数结构体 栈起始地址
STR
R5, [SP,
#0x30+var_24] ; 将 R5 寄存器的值保存到栈空间⭐src Java传过来的参数
MOV R2,
#0x14 ; 将 20 保存到 R2 寄存器,也就是参数占用的字节数⭐args_len 参数长度
STR
R6, [SP,
#0x30+var_28] ; 将R6寄存器的值保存到栈空间⭐class
MOV R3, R4 ; 将 R4 寄存器的值保存到 R3 寄存器⭐cgo_context
STR
R7, [SP,
#0x30+var_2C] ; 将 R7 寄存器的值保存到栈空间
STR
R0, [SP,
#0x30+var_1C] ; 将 0 保存到栈空间
LDR R0,
=
(_cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr
-
0x103EA0
) ; 计算 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr 函数的地址到 R0 中
LDR R0, [PC,R0] ; 将 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt 的地址加载到 R0 中
BL crosscall2 ; 调用 crosscall2 函数
MOV R0, R4 ; 将 R4 寄存器的值保存到 R0 寄存器
BL _cgo_release_context ; 调用 _cgo_release_context 函数
LDR R0, [SP,
#0x30+var_1C] ; 加载栈空间中的值
SUB SP, R11,
#0x18 ; 设置栈顶为 R11,即栈底指针,也就是恢复原来的栈空间
POP {R4
-
R8,R10,R11,PC} ; 弹出 R4
-
R8、R10、R11 和返回地址 PC 的值,返回跳转到 PC 指向的地址
; End of function Java_com_qq_lib_EncryptUtil_encrypt
; Attributes: bp
-
based frame
;
int
__usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>()
EXPORT Java_com_qq_lib_EncryptUtil_encrypt
Java_com_qq_lib_EncryptUtil_encrypt
var_2C
=
-
0x2C
var_28
=
-
0x28
var_24
=
-
0x24
var_20
=
-
0x20
var_1C
=
-
0x1C
PUSH {R4
-
R8,R10,R11,LR} ; 将寄存器 R4
-
R8、R10、R11 和 LR 压入栈中
ADD R11, SP,
#0x18 ; 建立栈帧: 将 R11 设为当前栈顶地址加上 24 的值
SUB SP, SP,
#0x18 ; 分配栈空间
MOV R8, R3 ; 将寄存器 R3 中的值复制到 R8 中,这是第
4
个参数⭐pwd
MOV R5, R2 ; 将寄存器 R2 中的值复制到 R5 中,这是第
3
个参数⭐src
MOV R6, R1 ; 将寄存器 R1 中的值复制到 R6 中,这是第
2
个参数⭐
class
MOV R7, R0 ; 将寄存器 R0 中的值复制到 R7 中,这是第
1
个参数⭐env
BL _cgo_wait_runtime_init_done ; 调用_cgo_wait_runtime_init_done函数
MOV R4, R0 ; 将 _cgo_wait_runtime_init_done 函数的返回值存储到 R4 中
MOV R0,
#0 ; 将 0 存储到 R0 中
STR
R8, [SP,
#0x30+var_20] ; 将 R8 寄存器的值保存到栈空间⭐pwd
ADD R1, SP,
#0x30+var_2C ; 计算第一个参数的地址⭐将指针变量 var_2C 的地址存储到 R1 中⭐args 参数结构体 栈起始地址
STR
R5, [SP,
#0x30+var_24] ; 将 R5 寄存器的值保存到栈空间⭐src Java传过来的参数
MOV R2,
#0x14 ; 将 20 保存到 R2 寄存器,也就是参数占用的字节数⭐args_len 参数长度
STR
R6, [SP,
#0x30+var_28] ; 将R6寄存器的值保存到栈空间⭐class
MOV R3, R4 ; 将 R4 寄存器的值保存到 R3 寄存器⭐cgo_context
STR
R7, [SP,
#0x30+var_2C] ; 将 R7 寄存器的值保存到栈空间
STR
R0, [SP,
#0x30+var_1C] ; 将 0 保存到栈空间
LDR R0,
=
(_cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr
-
0x103EA0
) ; 计算 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt_ptr 函数的地址到 R0 中
LDR R0, [PC,R0] ; 将 _cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt 的地址加载到 R0 中
BL crosscall2 ; 调用 crosscall2 函数
MOV R0, R4 ; 将 R4 寄存器的值保存到 R0 寄存器
BL _cgo_release_context ; 调用 _cgo_release_context 函数
LDR R0, [SP,
#0x30+var_1C] ; 加载栈空间中的值
SUB SP, R11,
#0x18 ; 设置栈顶为 R11,即栈底指针,也就是恢复原来的栈空间
POP {R4
-
R8,R10,R11,PC} ; 弹出 R4
-
R8、R10、R11 和返回地址 PC 的值,返回跳转到 PC 指向的地址
; End of function Java_com_qq_lib_EncryptUtil_encrypt
int
__usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>(
int
env,
int
clz,
int
src,
int
pwd)
{
int
inited;
/
/
r4
args v14;
/
/
[sp
+
4h
] [bp
-
2Ch
] BYREF
int
v15;
/
/
[sp
+
14h
] [bp
-
1Ch
]
inited
=
cgo_wait_runtime_init_done();
v14.pwd
=
pwd;
v14.src
=
src;
v14.clz
=
clz;
v14.env
=
env;
v15
=
0
;
crosscall2((
int
)cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt, (
int
)&v14,
20
, inited);
cgo_release_context();
return
v15;
}
int
__usercall Java_com_qq_lib_EncryptUtil_encrypt@<R0>(
int
env,
int
clz,
int
src,
int
pwd)
{
int
inited;
/
/
r4
args v14;
/
/
[sp
+
4h
] [bp
-
2Ch
] BYREF
int
v15;
/
/
[sp
+
14h
] [bp
-
1Ch
]
inited
=
cgo_wait_runtime_init_done();
v14.pwd
=
pwd;
v14.src
=
src;
v14.clz
=
clz;
v14.env
=
env;
v15
=
0
;
crosscall2((
int
)cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt, (
int
)&v14,
20
, inited);
cgo_release_context();
return
v15;
}
/
/
IDA源反编译源代码
int
__usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(
int
a1,
int
*
a2)
{
int
v2;
/
/
r10
int
v4;
/
/
[sp
+
14h
] [bp
-
4h
]
while
( (unsigned
int
)&a1 <
=
*
(_DWORD
*
)(v2
+
8
) )
sub_9FD10();
v4
=
sub_103658(
*
a2, a2[
1
], a2[
2
], a2[
3
]);
a2[
4
]
=
v4;
sub_40DF8(v4);
return
sub_3ADAC();
}
/
/
经过脚本修复
int
__usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(
int
a1,
int
*
a2)
{
int
v2;
/
/
r10
int
v4;
/
/
[sp
+
14h
] [bp
-
4h
]
while
( (unsigned
int
)&a1 <
=
*
(_DWORD
*
)(v2
+
8
) )
runtime_morestack_noctxt();
v4
=
main_Java_com_qq_lib_EncryptUtil_encrypt(
*
a2, a2[
1
], a2[
2
], a2[
3
]);
a2[
4
]
=
v4;
runtime_convT32(v4);
return
runtime_cgoCheckResult();
}
/
/
IDA源反编译源代码
int
__usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(
int
a1,
int
*
a2)
{
int
v2;
/
/
r10
int
v4;
/
/
[sp
+
14h
] [bp
-
4h
]
while
( (unsigned
int
)&a1 <
=
*
(_DWORD
*
)(v2
+
8
) )
sub_9FD10();
v4
=
sub_103658(
*
a2, a2[
1
], a2[
2
], a2[
3
]);
a2[
4
]
=
v4;
sub_40DF8(v4);
return
sub_3ADAC();
}
/
/
经过脚本修复
int
__usercall cgoexp_17c794619cba_Java_com_qq_lib_EncryptUtil_encrypt@<R0>(
int
a1,
int
*
a2)
{
int
v2;
/
/
r10
int
v4;
/
/
[sp
+
14h
] [bp
-
4h
]
while
( (unsigned
int
)&a1 <
=
*
(_DWORD
*
)(v2
+
8
) )
runtime_morestack_noctxt();
v4
=
main_Java_com_qq_lib_EncryptUtil_encrypt(
*
a2, a2[
1
], a2[
2
], a2[
3
]);
a2[
4
]
=
v4;
runtime_convT32(v4);
return
runtime_cgoCheckResult();
}
function hook_main__libso_encrypt() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFFD0C
), {
onEnter: function (args) {
this.arg0_len
=
findRangeByAddress(args[
1
])
if
(this.arg0_len
=
=
64
) {
/
/
过滤输出, 感觉其他值都是无用的
console.log(`onEnter encrypt arg0:${args[
0
]} arg1:${args[
1
]} arg2:${args[
2
]} arg3:${args[
3
]} arg4:${args[
4
]} arg5:${args[
5
]} arg6:${args[
6
]} arg7:${args[
7
]} arg8:${args[
8
]} arg9:${args[
9
]}`);
console.error(`[
*
] libso_encrypt.args[${
0
}] onEnter :
=
> ${args[
0
].readCString()}`)
/
/
BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
console.error(`[
*
] libso_encrypt.args[${
1
}] onEnter :
=
> ${findRangeByAddress(args[
1
])}`)
/
/
arg1 是 args[
0
] 字符串的长度
/
/
console.error(`[
*
] libso_encrypt.args[${
1
}] onEnter :
=
> ${findRangeByAddress(args[
1
])}`)
/
/
arg1 是 args[
0
] 字符串的长度
/
/
console.error(`[
*
] libso_encrypt.args[${
2
}] onEnter :
=
> ${findRangeByAddress(args[
2
].readPointer())}`)
/
/
arg2 感觉也是字符串长度 go 的字符串可能是字符串
+
长度 |
slice
是长度
+
容量
/
/
arg3 似乎是函数执行次数
/
/
console.error(`[
*
] libso_encrypt.args[${
4
}] onEnter :
=
> ${findRangeByAddress(args[
4
].readPointer().readPointer())}`)
/
/
867740
固定值
/
/
console.error(`[
*
] libso_encrypt.args[${
5
}] onEnter :
=
> ${findRangeByAddress(args[
5
].readPointer().readPointer())}`)
/
/
16
个
0
console.error(`[
*
] libso_encrypt.args[${
5
}] onEnter :
=
> ${ab2Hex(args[
5
].readPointer().readPointer().readByteArray(
16
))}`)
/
/
16
个
0
console.error(`[
*
] libso_encrypt.args[${
6
}] onEnter :
=
> ${args[
6
].readCString()}`)
/
/
data 明文数据⭐
console.error(`[
*
] libso_encrypt.args[${
7
}] onEnter :
=
> ${findRangeByAddress(args[
7
])}`)
/
/
明文数据长度
console.error(`[
*
] libso_encrypt.args[${
8
}] onEnter :
=
> ${findRangeByAddress(args[
8
])}`)
/
/
也是明文数据长度
console.error(`[
*
] libso_encrypt.args[${
9
}] onEnter :
=
> ${args[
9
].readCString()}`)
/
/
又是key
console.error(`[
*
] libso_encrypt.args[${
10
}] onEnter :
=
> ${findRangeByAddress(args[
10
])}`)
/
/
key 长度
console.error(`[
*
] libso_encrypt.args[${
11
}] onEnter :
=
> ${findRangeByAddress(args[
11
])}`)
/
/
key 长度
console.error(
"------------------------------------------------------------"
);
}
}, onLeave: function (retval) {
/
/
console.log(`onLeave encrypt ${retval}`);
/
/
console.error(
"------------------------------------------------------------"
);
}
});
}
function call() {
Java.perform(()
=
> {
let ret
=
Java.use(
"com.qq.lib.EncryptUtil"
).encrypt(`{
"system_build_id"
:
"a1000"
,
"system_iid"
:
"923868eb5f543afa55f1f33cfac37d35"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"system_version"
:
"5.7.1"
,
"system_build_aff"
:"
","
bundle_id
":"
tv.iytqy.cvhaca
","
system_app_type
":"
local
","
new_player
":"
fx
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
"}`, "
BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
")
console.warn(`encrypt(
"abcdef0123456789"
,
"BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg=="
) :
=
> ${ret}`)
})
}
function hook_dlopen(addr, soName, callback) {
Interceptor.attach(addr, {
onEnter: function (args) {
const name
=
args[
0
].readCString();
/
/
输出so路径
if
(name.indexOf(soName) !
=
=
-
1
) this.hook
=
true;
}, onLeave: function (retval) {
if
(this.hook) callback();
}
})
}
const android_dlopen_ext
=
Module.findExportByName(null,
"android_dlopen_ext"
);
hook_dlopen(android_dlopen_ext,
"libsojm.so"
, so);
so()
function hook_main__libso_encrypt() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFFD0C
), {
onEnter: function (args) {
this.arg0_len
=
findRangeByAddress(args[
1
])
if
(this.arg0_len
=
=
64
) {
/
/
过滤输出, 感觉其他值都是无用的
console.log(`onEnter encrypt arg0:${args[
0
]} arg1:${args[
1
]} arg2:${args[
2
]} arg3:${args[
3
]} arg4:${args[
4
]} arg5:${args[
5
]} arg6:${args[
6
]} arg7:${args[
7
]} arg8:${args[
8
]} arg9:${args[
9
]}`);
console.error(`[
*
] libso_encrypt.args[${
0
}] onEnter :
=
> ${args[
0
].readCString()}`)
/
/
BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
console.error(`[
*
] libso_encrypt.args[${
1
}] onEnter :
=
> ${findRangeByAddress(args[
1
])}`)
/
/
arg1 是 args[
0
] 字符串的长度
/
/
console.error(`[
*
] libso_encrypt.args[${
1
}] onEnter :
=
> ${findRangeByAddress(args[
1
])}`)
/
/
arg1 是 args[
0
] 字符串的长度
/
/
console.error(`[
*
] libso_encrypt.args[${
2
}] onEnter :
=
> ${findRangeByAddress(args[
2
].readPointer())}`)
/
/
arg2 感觉也是字符串长度 go 的字符串可能是字符串
+
长度 |
slice
是长度
+
容量
/
/
arg3 似乎是函数执行次数
/
/
console.error(`[
*
] libso_encrypt.args[${
4
}] onEnter :
=
> ${findRangeByAddress(args[
4
].readPointer().readPointer())}`)
/
/
867740
固定值
/
/
console.error(`[
*
] libso_encrypt.args[${
5
}] onEnter :
=
> ${findRangeByAddress(args[
5
].readPointer().readPointer())}`)
/
/
16
个
0
console.error(`[
*
] libso_encrypt.args[${
5
}] onEnter :
=
> ${ab2Hex(args[
5
].readPointer().readPointer().readByteArray(
16
))}`)
/
/
16
个
0
console.error(`[
*
] libso_encrypt.args[${
6
}] onEnter :
=
> ${args[
6
].readCString()}`)
/
/
data 明文数据⭐
console.error(`[
*
] libso_encrypt.args[${
7
}] onEnter :
=
> ${findRangeByAddress(args[
7
])}`)
/
/
明文数据长度
console.error(`[
*
] libso_encrypt.args[${
8
}] onEnter :
=
> ${findRangeByAddress(args[
8
])}`)
/
/
也是明文数据长度
console.error(`[
*
] libso_encrypt.args[${
9
}] onEnter :
=
> ${args[
9
].readCString()}`)
/
/
又是key
console.error(`[
*
] libso_encrypt.args[${
10
}] onEnter :
=
> ${findRangeByAddress(args[
10
])}`)
/
/
key 长度
console.error(`[
*
] libso_encrypt.args[${
11
}] onEnter :
=
> ${findRangeByAddress(args[
11
])}`)
/
/
key 长度
console.error(
"------------------------------------------------------------"
);
}
}, onLeave: function (retval) {
/
/
console.log(`onLeave encrypt ${retval}`);
/
/
console.error(
"------------------------------------------------------------"
);
}
});
}
function call() {
Java.perform(()
=
> {
let ret
=
Java.use(
"com.qq.lib.EncryptUtil"
).encrypt(`{
"system_build_id"
:
"a1000"
,
"system_iid"
:
"923868eb5f543afa55f1f33cfac37d35"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"system_version"
:
"5.7.1"
,
"system_build_aff"
:"
","
bundle_id
":"
tv.iytqy.cvhaca
","
system_app_type
":"
local
","
new_player
":"
fx
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
"}`, "
BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
")
console.warn(`encrypt(
"abcdef0123456789"
,
"BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg=="
) :
=
> ${ret}`)
})
}
function hook_dlopen(addr, soName, callback) {
Interceptor.attach(addr, {
onEnter: function (args) {
const name
=
args[
0
].readCString();
/
/
输出so路径
if
(name.indexOf(soName) !
=
=
-
1
) this.hook
=
true;
}, onLeave: function (retval) {
if
(this.hook) callback();
}
})
}
const android_dlopen_ext
=
Module.findExportByName(null,
"android_dlopen_ext"
);
hook_dlopen(android_dlopen_ext,
"libsojm.so"
, so);
so()
/
/
输出日志
onEnter encrypt arg0:
0x86902940
arg1:
0x40
arg2:
0x40
arg3:
0x22d
arg4:
0xc6a44ba0
arg5:
0x86965f28
arg6:
0x86944b40
arg7:
0x22d
arg8:
0x22d
arg9:
0x86902940
[
*
] libso_encrypt.args[
0
] onEnter :
=
> BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
[
*
] libso_encrypt.args[
1
] onEnter :
=
>
64
[
*
] libso_encrypt.args[
5
] onEnter :
=
> [
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
]
[
*
] libso_encrypt.args[
6
] onEnter :
=
> {
"system_build_id"
:
"a1000"
,
"system_iid"
:
"923868eb5f543afa55f1f33cfac37d35"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"system_version"
:
"5.7.1"
,
"system_build_aff"
:"
","
bundle_id
":"
tv.iytqy.cvhaca
","
system_app_type
":"
local
","
new_player
":"
fx
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
"}
[
*
] libso_encrypt.args[
7
] onEnter :
=
>
557
[
*
] libso_encrypt.args[
8
] onEnter :
=
>
557
[
*
] libso_encrypt.args[
9
] onEnter :
=
> BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
[
*
] libso_encrypt.args[
10
] onEnter :
=
>
64
[
*
] libso_encrypt.args[
11
] onEnter :
=
>
64
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
encrypt(
"abcdef0123456789"
,
"BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg=="
) :
=
>
6841646c536444435553467a65706946f933c2cae8a2a199fb1e46d1d60a1da52bd51cf0bdf4cae032f95454abdbfed529ccfcf252fa7581ef7504c5cd3c3465940bcbc59c629a029459dc10585f7426ab652646f2d2e4fc5861572e9b6ee65320ac4190fc6ffe3d41487fbb365e98dd906f9c3b13cbc46e422e75b0a28b947ede0dfe4acc98a851ec029f3d74f556f31cc2b82fafe70669fd0177ab1e2194e919c1c86789978beb1a46c2b4b14fb199596b46050fa85bf667d599fb31fd56e00de19b90b154c73a418c0ca7f4b9a2fadb3d5f912551c255681893db2e4260e3982743c8dfa5f3ba1010b58ae876c3361348f45cdfbd11be8a65e036e7c638834aa787c08417102f84c612020587e5518db749cd5616394e2eee544ca4febfa386e9befb9e8634ef17f34cb5afb8f1cbe45bb00706ef2547a8009b8faa7e7c4702dc9061e0143478d413b4d0477720c4c9779cc7b4f2ae60cc6b3fe5191e3c8a4948a344c92fdff1bd291b79d7148f933771199b6383bfa05c51f73d059673e5a1459213d2ef2bb858c134093aa44bb58f139a6870a853e31b9590c216f70e739fcbaef17d95550e61d8c3ca5ffa257f7f2534e6ed069e51f355a2b03e9f786fd33060b39f17721acb449bec0fce25cb9fdfce67be2475b06eba9ab0005a68bace1918ce4a2e61a726f286f775963f424c22dbcffaefef7d575fa868fb7a5111f36967a3537fd3d0c24e8e86196df7885624620fed4f085a07d205f19d201536391a1687fd7781491a60fe27f11d3ff3b03bba1ec20175ba4533ac8e2d3fd3a13dd20721706da02e5107745436ebd97425b1b7550f68e55d65a021e3467d1fa48a44912669286f4915ed84dbe276e53059f632d98cf2154831857d23c7d88f3f54f5050d7e97290b5f5a91a976c2ff4aec897c84ccc6ebad
/
/
输出日志
onEnter encrypt arg0:
0x86902940
arg1:
0x40
arg2:
0x40
arg3:
0x22d
arg4:
0xc6a44ba0
arg5:
0x86965f28
arg6:
0x86944b40
arg7:
0x22d
arg8:
0x22d
arg9:
0x86902940
[
*
] libso_encrypt.args[
0
] onEnter :
=
> BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
[
*
] libso_encrypt.args[
1
] onEnter :
=
>
64
[
*
] libso_encrypt.args[
5
] onEnter :
=
> [
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
]
[
*
] libso_encrypt.args[
6
] onEnter :
=
> {
"system_build_id"
:
"a1000"
,
"system_iid"
:
"923868eb5f543afa55f1f33cfac37d35"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"system_version"
:
"5.7.1"
,
"system_build_aff"
:"
","
bundle_id
":"
tv.iytqy.cvhaca
","
system_app_type
":"
local
","
new_player
":"
fx
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
"}
[
*
] libso_encrypt.args[
7
] onEnter :
=
>
557
[
*
] libso_encrypt.args[
8
] onEnter :
=
>
557
[
*
] libso_encrypt.args[
9
] onEnter :
=
> BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
[
*
] libso_encrypt.args[
10
] onEnter :
=
>
64
[
*
] libso_encrypt.args[
11
] onEnter :
=
>
64
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
encrypt(
"abcdef0123456789"
,
"BwcnBzRjN2U/MmZhYjRmND4xPjI+NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg=="
) :
=
>
6841646c536444435553467a65706946f933c2cae8a2a199fb1e46d1d60a1da52bd51cf0bdf4cae032f95454abdbfed529ccfcf252fa7581ef7504c5cd3c3465940bcbc59c629a029459dc10585f7426ab652646f2d2e4fc5861572e9b6ee65320ac4190fc6ffe3d41487fbb365e98dd906f9c3b13cbc46e422e75b0a28b947ede0dfe4acc98a851ec029f3d74f556f31cc2b82fafe70669fd0177ab1e2194e919c1c86789978beb1a46c2b4b14fb199596b46050fa85bf667d599fb31fd56e00de19b90b154c73a418c0ca7f4b9a2fadb3d5f912551c255681893db2e4260e3982743c8dfa5f3ba1010b58ae876c3361348f45cdfbd11be8a65e036e7c638834aa787c08417102f84c612020587e5518db749cd5616394e2eee544ca4febfa386e9befb9e8634ef17f34cb5afb8f1cbe45bb00706ef2547a8009b8faa7e7c4702dc9061e0143478d413b4d0477720c4c9779cc7b4f2ae60cc6b3fe5191e3c8a4948a344c92fdff1bd291b79d7148f933771199b6383bfa05c51f73d059673e5a1459213d2ef2bb858c134093aa44bb58f139a6870a853e31b9590c216f70e739fcbaef17d95550e61d8c3ca5ffa257f7f2534e6ed069e51f355a2b03e9f786fd33060b39f17721acb449bec0fce25cb9fdfce67be2475b06eba9ab0005a68bace1918ce4a2e61a726f286f775963f424c22dbcffaefef7d575fa868fb7a5111f36967a3537fd3d0c24e8e86196df7885624620fed4f085a07d205f19d201536391a1687fd7781491a60fe27f11d3ff3b03bba1ec20175ba4533ac8e2d3fd3a13dd20721706da02e5107745436ebd97425b1b7550f68e55d65a021e3467d1fa48a44912669286f4915ed84dbe276e53059f632d98cf2154831857d23c7d88f3f54f5050d7e97290b5f5a91a976c2ff4aec897c84ccc6ebad
void __golang main__libso_encrypt(
int
a1,
int
a2,
int
key1,
int
a4,
int
a5,
int
a6,
int
a7,
int
a8,
int
data,
int
data_len,
int
a11,
int
key2)
{
/
/
.. 省略一些参数命名
while
( (unsigned
int
)&a1 <
=
*
(_DWORD
*
)(v12
+
8
) )
runtime_morestack_noctxt();
data
=
0
;
data_len
=
0
;
v96
=
&off_11ED34;
main_logger(v13, (
int
)
"in encrypt"
,
10
);
/
/
应该是个C的打印函数
main_parsePassphrase(v24, a6, a7, a8);
/
/
将 base64 编码的字符串解码并进行格式校验
/
/
1.
检查栈空间是否足够。
/
/
/
/
2.
将传入的 base64 编码的密码字符串解码为二进制数据。
/
/
/
/
3.
如果解码出错或者解码后的二进制数据长度小于
30
,则返回相应的错误信息。
/
/
/
/
4.
根据特定规则对解密后的二进制数据进行处理(异或操作等)。
/
/
/
/
5.
将处理后的数据切片成若干个固定长度的子切片,并分别记录日志。
/
/
/
/
6.
对其中一个子切片进行进一步的处理,并检查其格式是否符合特定要求。
/
/
/
/
7.
如果格式不符合要求,则返回相应的错误信息;否则返回空指针表示处理成功。
v14
=
v58;
if
( v83 )
{
data
=
0
;
data_len
=
0
;
main__libso_encrypt_func1(v37, v41);
/
/
异常捕获的函数,用于恢复发生在goroutine中的panic
}
else
{
v92
=
v69;
v87
=
v75;
v88
=
v78;
v93
=
v79;
runtime_newobject(v25, (
int
)&map_string_interface_, v41);
/
/
malloc 分配一段内存并返回指向该内存地址的指针
v95
=
v42;
runtime_makemap_small(v26, v38);
if
( dword_1B9460 )
{
runtime_gcWriteBarrier();
/
/
垃圾回收
v15
=
v16;
}
else
{
v15
=
v95;
*
(_DWORD
*
)v95
=
v39;
}
encoding_json_Unmarshal(v27, key1, a4, a5, (
int
)&map_string_interface__ptr, v15, v75, v78);
/
/
将 JSON 数据解析为 Go 的结构体
if
( v76 )
{
v17
=
a5;
v18
=
a4;
v19
=
key1;
}
else
{
v20
=
v89;
do
*
v20
+
+
=
0
;
/
/
内存清零
while
( (
int
)v20 <
=
(
int
)&v89[
15
] );
qmemcpy(v89,
"__package_name__"
, sizeof(v89));
/
/
字符串拷贝
runtime_slicebytetostring(v28,
0
, (
int
)v89,
16
, v59, v70);
/
/
将字节切片转换为字符串
v91
=
v60;
v86
=
v71;
v21
=
v89;
do
*
v21
+
+
=
0
;
/
/
内存清零
while
( (
int
)v21 <
=
(
int
)&v89[
15
] );
qmemcpy(v89,
"__package_hash__"
, sizeof(v89));
/
/
字符串拷贝
runtime_slicebytetostring(v29,
0
, (
int
)v89,
16
, v60, v71);
/
/
将字节切片转换为字符串
v90
=
v61;
v85
=
v72;
main__libso_getPackageName(v30, a2, v44, v48, v61);
/
/
反射调用 Java 层方法获取包名
runtime_slicebytetostring(v31,
0
, v45, v49, v62, v72);
/
/
将字节切片转换为字符串
runtime_convTstring(v32, v63, (
int
)v73, v50);
/
/
将指向任意类型的指针转换为字符串
v22
=
*
(_DWORD
*
)v95;
v94
=
v51;
runtime_mapassign_faststr((
int
)&map_string_interface_, v22, v91, v86);
/
/
将指针指向的数据转为字符串返回
*
v73
=
&string;
if
( dword_1B9460 )
runtime_gcWriteBarrier();
/
/
垃圾回收
else
v73[
1
]
=
v94;
main__libso_getPackageCodePath(v33, a2, v46, v52, v64);
/
/
获取应用路径
runtime_slicebytetostring(v34,
0
, v47, v53, v65, (
int
)v73);
/
/
将字节切片转换为字符串
main_md5File(v35, v66, (
int
)v74, v54, v66);
runtime_convTstring(v36, (
int
)v55, v67, v55);
/
/
将指向任意类型的指针转换为字符串
v23
=
*
(_DWORD
*
)v95;
v94
=
v56;
v77
=
runtime_mapassign_faststr((
int
)&map_string_interface_, v23, v90, v85);
/
/
将指针指向的数据转为字符串返回
*
v74
=
&string;
if
( dword_1B9460 )
runtime_gcWriteBarrier();
/
/
垃圾回收
else
v74[
1
]
=
v94;
v68
=
encoding_json_Marshal((
int
)&map_string_interface_,
*
(_DWORD
*
)v95);
/
/
转json数据
v19
=
v57;
v18
=
v68;
v17
=
(
int
)v74;
if
( v77 )
{
v17
=
a5;
v18
=
a4;
v19
=
key1;
}
}
if
( v14 )
{
data
=
0
;
data_len
=
0
;
}
else
{
main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81,
0
);
/
/
开始加密
data
=
v82;
data_len
=
v84;
}
main__libso_encrypt_func1(v40, v43);
}
}
void __golang main__libso_encrypt(
int
a1,
int
a2,
int
key1,
int
a4,
int
a5,
int
a6,
int
a7,
int
a8,
int
data,
int
data_len,
int
a11,
int
key2)
{
/
/
.. 省略一些参数命名
while
( (unsigned
int
)&a1 <
=
*
(_DWORD
*
)(v12
+
8
) )
runtime_morestack_noctxt();
data
=
0
;
data_len
=
0
;
v96
=
&off_11ED34;
main_logger(v13, (
int
)
"in encrypt"
,
10
);
/
/
应该是个C的打印函数
main_parsePassphrase(v24, a6, a7, a8);
/
/
将 base64 编码的字符串解码并进行格式校验
/
/
1.
检查栈空间是否足够。
/
/
/
/
2.
将传入的 base64 编码的密码字符串解码为二进制数据。
/
/
/
/
3.
如果解码出错或者解码后的二进制数据长度小于
30
,则返回相应的错误信息。
/
/
/
/
4.
根据特定规则对解密后的二进制数据进行处理(异或操作等)。
/
/
/
/
5.
将处理后的数据切片成若干个固定长度的子切片,并分别记录日志。
/
/
/
/
6.
对其中一个子切片进行进一步的处理,并检查其格式是否符合特定要求。
/
/
/
/
7.
如果格式不符合要求,则返回相应的错误信息;否则返回空指针表示处理成功。
v14
=
v58;
if
( v83 )
{
data
=
0
;
data_len
=
0
;
main__libso_encrypt_func1(v37, v41);
/
/
异常捕获的函数,用于恢复发生在goroutine中的panic
}
else
{
v92
=
v69;
v87
=
v75;
v88
=
v78;
v93
=
v79;
runtime_newobject(v25, (
int
)&map_string_interface_, v41);
/
/
malloc 分配一段内存并返回指向该内存地址的指针
v95
=
v42;
runtime_makemap_small(v26, v38);
if
( dword_1B9460 )
{
runtime_gcWriteBarrier();
/
/
垃圾回收
v15
=
v16;
}
else
{
v15
=
v95;
*
(_DWORD
*
)v95
=
v39;
}
encoding_json_Unmarshal(v27, key1, a4, a5, (
int
)&map_string_interface__ptr, v15, v75, v78);
/
/
将 JSON 数据解析为 Go 的结构体
if
( v76 )
{
v17
=
a5;
v18
=
a4;
v19
=
key1;
}
else
{
v20
=
v89;
do
*
v20
+
+
=
0
;
/
/
内存清零
while
( (
int
)v20 <
=
(
int
)&v89[
15
] );
qmemcpy(v89,
"__package_name__"
, sizeof(v89));
/
/
字符串拷贝
runtime_slicebytetostring(v28,
0
, (
int
)v89,
16
, v59, v70);
/
/
将字节切片转换为字符串
v91
=
v60;
v86
=
v71;
v21
=
v89;
do
*
v21
+
+
=
0
;
/
/
内存清零
while
( (
int
)v21 <
=
(
int
)&v89[
15
] );
qmemcpy(v89,
"__package_hash__"
, sizeof(v89));
/
/
字符串拷贝
runtime_slicebytetostring(v29,
0
, (
int
)v89,
16
, v60, v71);
/
/
将字节切片转换为字符串
v90
=
v61;
v85
=
v72;
main__libso_getPackageName(v30, a2, v44, v48, v61);
/
/
反射调用 Java 层方法获取包名
runtime_slicebytetostring(v31,
0
, v45, v49, v62, v72);
/
/
将字节切片转换为字符串
runtime_convTstring(v32, v63, (
int
)v73, v50);
/
/
将指向任意类型的指针转换为字符串
v22
=
*
(_DWORD
*
)v95;
v94
=
v51;
runtime_mapassign_faststr((
int
)&map_string_interface_, v22, v91, v86);
/
/
将指针指向的数据转为字符串返回
*
v73
=
&string;
if
( dword_1B9460 )
runtime_gcWriteBarrier();
/
/
垃圾回收
else
v73[
1
]
=
v94;
main__libso_getPackageCodePath(v33, a2, v46, v52, v64);
/
/
获取应用路径
runtime_slicebytetostring(v34,
0
, v47, v53, v65, (
int
)v73);
/
/
将字节切片转换为字符串
main_md5File(v35, v66, (
int
)v74, v54, v66);
runtime_convTstring(v36, (
int
)v55, v67, v55);
/
/
将指向任意类型的指针转换为字符串
v23
=
*
(_DWORD
*
)v95;
v94
=
v56;
v77
=
runtime_mapassign_faststr((
int
)&map_string_interface_, v23, v90, v85);
/
/
将指针指向的数据转为字符串返回
*
v74
=
&string;
if
( dword_1B9460 )
runtime_gcWriteBarrier();
/
/
垃圾回收
else
v74[
1
]
=
v94;
v68
=
encoding_json_Marshal((
int
)&map_string_interface_,
*
(_DWORD
*
)v95);
/
/
转json数据
v19
=
v57;
v18
=
v68;
v17
=
(
int
)v74;
if
( v77 )
{
v17
=
a5;
v18
=
a4;
v19
=
key1;
}
}
if
( v14 )
{
data
=
0
;
data_len
=
0
;
}
else
{
main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81,
0
);
/
/
开始加密
data
=
v82;
data_len
=
v84;
}
main__libso_encrypt_func1(v40, v43);
}
}
function hook_main_parsePassphrase_ret() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFFD9C
), {
onEnter(args) {
console.log(`call
0xFFD9C
${JSON.stringify(this.context)}`);
console.log(`call
0xFFD9C
${findRangeByAddress(this.context.r0)}`);
console.log(`call
0xFFD9C
${findRangeByAddress(this.context.r1)}`);
}
});
}
/
/
BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
/
/
..'.
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03
+
...,,!.." 这是直接解码的字符串
/
/
得到了两个字符串(其实这里就是对我们传入的 PWD 解码对后半部分进行了一些类的运算
8692ece4
6d
49
5a
55
6a
6a
67
68
47
64
00
00
00
00
00
00
mIZUjjghGd......
8692ecc4
34
63
37
65
3f
32
66
61
62
34
66
34
3e
31
3e
32
4c7e
?
2fab4f4
>
1
>
2
8692ecd4
3e
35
64
30
65
65
34
62
62
36
31
64
37
62
30
33
>
5d0ee4bb61d7b03
/
/
关于这里为什么是从栈上取的,是因为它的调用约定并不是 fastcall,分析汇编可知都是栈传递参数跟接受返回值
.text:
000FFD64
5B
0D
00
EB BL main_logger
.text:
000FFD64
.text:
000FFD68
90
00
9D
E5 LDR R0, [SP,
#0x7C+arg_14]
.text:
000FFD6C
04
00
8D
E5
STR
R0, [SP,
#0x7C+var_78] ; int
.text:
000FFD70
94
00
9D
E5 LDR R0, [SP,
#0x7C+data]
.text:
000FFD74
08
00
8D
E5
STR
R0, [SP,
#0x7C+var_74] ; int
.text:
000FFD78
98
00
9D
E5 LDR R0, [SP,
#0x7C+data_len]
.text:
000FFD7C
0C
00
8D
E5
STR
R0, [SP,
#0x7C+var_70] ; int
.text:
000FFD80
1C
05
00
EB BL main_parsePassphrase
.text:
000FFD80
.text:
000FFD84
14
00
9D
E5 LDR R0, [SP,
#0x7C+var_68]
.text:
000FFD88
20
10
9D
E5 LDR R1, [SP,
#0x7C+var_5C]
.text:
000FFD8C
18
20
9D
E5 LDR R2, [SP,
#0x7C+var_64]
.text:
000FFD90
1C
30
9D
E5 LDR R3, [SP,
#0x7C+var_60]
.text:
000FFD94
24
40
9D
E5 LDR R4, [SP,
#0x7C+var_58]
.text:
000FFD98
28
50
9D
E5 LDR R5, [SP,
#0x7C+var_54]
.text:
000FFD9C
2C
60
9D
E5 LDR R6, [SP,
#0x7C+var_50]
.text:
000FFDA0
10
70
DD E5 LDRB R7, [SP,
#0x7C+var_6C]
.text:
000FFDA4
11
80
DD E5 LDRB R8, [SP,
#0x7C+var_6C+1]
.text:
000FFDA8
00
00
56
E3
CMP
R6,
#0
.text:
000FFDAC
32
01
00
1A
BNE loc_10027C
function hook_main_parsePassphrase_ret() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFFD9C
), {
onEnter(args) {
console.log(`call
0xFFD9C
${JSON.stringify(this.context)}`);
console.log(`call
0xFFD9C
${findRangeByAddress(this.context.r0)}`);
console.log(`call
0xFFD9C
${findRangeByAddress(this.context.r1)}`);
}
});
}
/
/
BwcnBzRjN2U
/
MmZhYjRmND4xPjI
+
NWQwZWU0YmI2MWQ3YjAzKw8cEywsIS4BIg
=
=
/
/
..'.
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03
+
...,,!.." 这是直接解码的字符串
/
/
得到了两个字符串(其实这里就是对我们传入的 PWD 解码对后半部分进行了一些类的运算
8692ece4
6d
49
5a
55
6a
6a
67
68
47
64
00
00
00
00
00
00
mIZUjjghGd......
8692ecc4
34
63
37
65
3f
32
66
61
62
34
66
34
3e
31
3e
32
4c7e
?
2fab4f4
>
1
>
2
8692ecd4
3e
35
64
30
65
65
34
62
62
36
31
64
37
62
30
33
>
5d0ee4bb61d7b03
/
/
关于这里为什么是从栈上取的,是因为它的调用约定并不是 fastcall,分析汇编可知都是栈传递参数跟接受返回值
.text:
000FFD64
5B
0D
00
EB BL main_logger
.text:
000FFD64
.text:
000FFD68
90
00
9D
E5 LDR R0, [SP,
#0x7C+arg_14]
.text:
000FFD6C
04
00
8D
E5
STR
R0, [SP,
#0x7C+var_78] ; int
.text:
000FFD70
94
00
9D
E5 LDR R0, [SP,
#0x7C+data]
.text:
000FFD74
08
00
8D
E5
STR
R0, [SP,
#0x7C+var_74] ; int
.text:
000FFD78
98
00
9D
E5 LDR R0, [SP,
#0x7C+data_len]
.text:
000FFD7C
0C
00
8D
E5
STR
R0, [SP,
#0x7C+var_70] ; int
.text:
000FFD80
1C
05
00
EB BL main_parsePassphrase
.text:
000FFD80
.text:
000FFD84
14
00
9D
E5 LDR R0, [SP,
#0x7C+var_68]
.text:
000FFD88
20
10
9D
E5 LDR R1, [SP,
#0x7C+var_5C]
.text:
000FFD8C
18
20
9D
E5 LDR R2, [SP,
#0x7C+var_64]
.text:
000FFD90
1C
30
9D
E5 LDR R3, [SP,
#0x7C+var_60]
.text:
000FFD94
24
40
9D
E5 LDR R4, [SP,
#0x7C+var_58]
.text:
000FFD98
28
50
9D
E5 LDR R5, [SP,
#0x7C+var_54]
.text:
000FFD9C
2C
60
9D
E5 LDR R6, [SP,
#0x7C+var_50]
.text:
000FFDA0
10
70
DD E5 LDRB R7, [SP,
#0x7C+var_6C]
.text:
000FFDA4
11
80
DD E5 LDRB R8, [SP,
#0x7C+var_6C+1]
.text:
000FFDA8
00
00
56
E3
CMP
R6,
#0
.text:
000FFDAC
32
01
00
1A
BNE loc_10027C
function hook_main_md5File() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFF94C
), {
onEnter: function (args) {
this.arg1
=
args[
1
]
if
(this.arg1
=
=
0x3b
) {
console.log(`onEnter main_md5File arg0:${args[
0
]} arg1:${args[
1
]} arg2:${args[
2
]} arg3:${args[
3
]} arg4:${args[
4
]}`);
console.log(`onEnter main_md5File arg0:${args[
0
].readCString(
0x3b
)}`);
/
/
包路径
/
data
/
app
/
tv.iytqy.cvhaca
-
gmGCryB_O0HztLC7rqkhRQ
=
=
/
base.apk
/
/
console.log(`onEnter main_md5File arg1:${findRangeByAddress(args[
1
])}`);
/
/
arg1 参数
0
长度
/
/
console.log(`onEnter main_md5File arg2:${findRangeByAddress(args[
2
])}`);
/
/
地址内容为
0
/
/
console.log(`onEnter main_md5File arg3:${findRangeByAddress(args[
3
])}`);
/
/
地址内容为
0
/
/
console.log(`onEnter main_md5File arg4:${findRangeByAddress(args[
4
])}`);
/
/
不知道这个是啥
}
}, onLeave: function (retval) {
if
(this.arg1
=
=
0x3b
) {
console.log(`onLeave main_md5File ${retval.readCString(
32
)}`);
/
/
678c7f3bf3584a2079295d8834928146
}
}
});
}
function hook_main_md5File() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFF94C
), {
onEnter: function (args) {
this.arg1
=
args[
1
]
if
(this.arg1
=
=
0x3b
) {
console.log(`onEnter main_md5File arg0:${args[
0
]} arg1:${args[
1
]} arg2:${args[
2
]} arg3:${args[
3
]} arg4:${args[
4
]}`);
console.log(`onEnter main_md5File arg0:${args[
0
].readCString(
0x3b
)}`);
/
/
包路径
/
data
/
app
/
tv.iytqy.cvhaca
-
gmGCryB_O0HztLC7rqkhRQ
=
=
/
base.apk
/
/
console.log(`onEnter main_md5File arg1:${findRangeByAddress(args[
1
])}`);
/
/
arg1 参数
0
长度
/
/
console.log(`onEnter main_md5File arg2:${findRangeByAddress(args[
2
])}`);
/
/
地址内容为
0
/
/
console.log(`onEnter main_md5File arg3:${findRangeByAddress(args[
3
])}`);
/
/
地址内容为
0
/
/
console.log(`onEnter main_md5File arg4:${findRangeByAddress(args[
4
])}`);
/
/
不知道这个是啥
}
}, onLeave: function (retval) {
if
(this.arg1
=
=
0x3b
) {
console.log(`onLeave main_md5File ${retval.readCString(
32
)}`);
/
/
678c7f3bf3584a2079295d8834928146
}
}
});
}
onEnter main_md5File arg0:
0x86844940
arg1:
0x3b
arg2:
0x304f5f42
arg3:
0x4c747a48
arg4:
0xe6f73709
onEnter main_md5File arg0:
/
data
/
app
/
tv.iytqy.cvhaca
-
gmGCryB_O0HztLC7rqkhRQ
=
=
/
base.apk
onLeave main_md5File
678c7f3bf3584a2079295d8834928146
onEnter main_md5File arg0:
0x86844940
arg1:
0x3b
arg2:
0x304f5f42
arg3:
0x4c747a48
arg4:
0xe6f73709
onEnter main_md5File arg0:
/
data
/
app
/
tv.iytqy.cvhaca
-
gmGCryB_O0HztLC7rqkhRQ
=
=
/
base.apk
onLeave main_md5File
678c7f3bf3584a2079295d8834928146
import
hashlib
filename
=
'50ash_5.7.1_230305_3.apk'
hasher
=
hashlib.md5()
with
open
(filename,
'rb'
) as f:
buf
=
f.read()
hasher.update(buf)
md5hash
=
hasher.hexdigest()
print
(md5hash)
# [Running] python -u "c:\Users\Administrator\Desktop\50度灰\getMD5File.py"
# 678c7f3bf3584a2079295d8834928146
import
hashlib
filename
=
'50ash_5.7.1_230305_3.apk'
hasher
=
hashlib.md5()
with
open
(filename,
'rb'
) as f:
buf
=
f.read()
hasher.update(buf)
md5hash
=
hasher.hexdigest()
print
(md5hash)
# [Running] python -u "c:\Users\Administrator\Desktop\50度灰\getMD5File.py"
# 678c7f3bf3584a2079295d8834928146
v68
=
encoding_json_Marshal((
int
)&map_string_interface_,
*
(_DWORD
*
)v95);
/
/
转json数据
v18
=
v68;
main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81,
0
);
/
/
开始加密
/
/
所以这里我们直接 hook main_oldEncrypt 就可以得到加密前的明文了
v68
=
encoding_json_Marshal((
int
)&map_string_interface_,
*
(_DWORD
*
)v95);
/
/
转json数据
v18
=
v68;
main_oldEncrypt(v28, v19, v18, v17, v93, v80, v81, v92, v87, v88, v81,
0
);
/
/
开始加密
/
/
所以这里我们直接 hook main_oldEncrypt 就可以得到加密前的明文了
function hook_main_oldEncrypt() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFF5EC
), {
onEnter: function (args) {
console.log(`onEnter main_oldEncrypt arg0:${args[
0
]} arg1:${args[
1
]} arg2:${args[
2
]} arg3:${args[
3
]} arg4:${args[
4
]} arg5:${args[
5
]} arg6:${args[
6
]} arg7:${args[
7
]} arg8:${args[
8
]} arg9:${args[
9
]} arg10:${args[
10
]} arg11:${args[
11
]}`);
console.warn(`onEnter main_oldEncrypt arg1:${args[
1
].readCString()}`);
/
/
console.log(`onEnter main_oldEncrypt arg4:${findRangeByAddress(args[
4
])}`);
console.log(`onEnter main_oldEncrypt arg8:${args[
8
].readCString()}`);
/
/
key1
console.log(`onEnter main_oldEncrypt arg11:${args[
11
].readCString()}`);
/
/
key2
}, onLeave: function (retval) {
/
/
console.log(`onLeave main_oldEncrypt ${findRangeByAddress(retval)}`);
console.log(`onLeave main_oldEncrypt ${retval.readCString()}`);
console.error(
"------------------------------------------------------------"
);
}
});
}
function hook_main_oldEncrypt() {
let base
=
Module.findBaseAddress(
"libsojm.so"
);
Interceptor.attach(base.add(
0xFF5EC
), {
onEnter: function (args) {
console.log(`onEnter main_oldEncrypt arg0:${args[
0
]} arg1:${args[
1
]} arg2:${args[
2
]} arg3:${args[
3
]} arg4:${args[
4
]} arg5:${args[
5
]} arg6:${args[
6
]} arg7:${args[
7
]} arg8:${args[
8
]} arg9:${args[
9
]} arg10:${args[
10
]} arg11:${args[
11
]}`);
console.warn(`onEnter main_oldEncrypt arg1:${args[
1
].readCString()}`);
/
/
console.log(`onEnter main_oldEncrypt arg4:${findRangeByAddress(args[
4
])}`);
console.log(`onEnter main_oldEncrypt arg8:${args[
8
].readCString()}`);
/
/
key1
console.log(`onEnter main_oldEncrypt arg11:${args[
11
].readCString()}`);
/
/
key2
}, onLeave: function (retval) {
/
/
console.log(`onLeave main_oldEncrypt ${findRangeByAddress(retval)}`);
console.log(`onLeave main_oldEncrypt ${retval.readCString()}`);
console.error(
"------------------------------------------------------------"
);
}
});
}
[Pixel::XXXXX]
-
> call()
onEnter main_oldEncrypt arg0:
0xc
arg1:
0x869d0580
arg2:
0x288
arg3:
0x2c0
arg4:
0xc96436f0
arg5:
0x869d0580
arg6:
0x288
arg7:
0x2c0
arg8:
0x868a4c34
arg9:
0x20
arg10:
0x2c
arg11:
0x868a4c54
onEnter main_oldEncrypt arg1:{
"__package_hash__"
:
"678c7f3bf3584a2079295d8834928146"
,
"__package_name__"
:
"tv.iytqy.cvhaca"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"bundle_id"
:
"tv.iytqy.cvhaca"
,
"new_player"
:
"fx"
,
"system_app_type"
:
"local"
,
"system_build_aff"
:"
","
system_build_id
":"
a1000
","
system_iid
":"
923868eb5f543afa55f1f33cfac37d35
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
","
system_version
":"
5.7
.
1
"}
onEnter main_oldEncrypt arg8:
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03mIZUjjghGd
onEnter main_oldEncrypt arg11:mIZUjjghGd
onLeave main_oldEncrypt
436a4b4d6961565043615063737077526c2e5dd70001b006397ce672c6fe1948f74ac72436bccb766585953419b0a7d4643fd7b98319a6696558f3e129bd7865383a4311256cdc126a00d49126379d5cc3f5a1a0fcd8a6fb6f6293d0ad6e628451cd26efecfaa5021099af5b428da2081533953dcf9a1e3a6f46a560471e6cef6e591b4937c36cd5ccb0de0364279eecf0970e101286faa0d25476e49a2e8b5a24f5d4d2e2c1afb67785f96511f48290864e6fdac548a325f9b30b0c7a99dd2c909518ccac45d9efa2c9973c5f0de468d094e6573afc44d2ffe73d6d79ee76d45fd8fcdf7d45c8a47fca7e85769239da6bfd9e35eaaa59bf3a6bb7741258a42bca7272e611bb8ddd93e807d126c3898f0f1aa9f37af485c140b706fe7a3f0d684eb3132ecd208cf52338a617095e7bb2b2b3eb749c7f7f01d8bfc7d386a2799ae6f015a87ba1519109aa92c4ec2e9d15650a46d239616ec515605d56b7ef3a954f2edbbb85f8c86e2f19c19e6422cc7dcf2277ebd968cf9751f5548f5ae77387985e0dfb7262787b13416138cb5c5952d4d3305a7688910984c75adc0a7f85347917bef0d909ad5a024f2275a5609e2d813f4c43d9bd00b4e82479725b78b197032bf78a163db5f1cbbbd1d09df698cbcb0024646d58d848dd08ad6168413842aa3925a5dd782c6b7d4d58d38a24d3dfe17e8a5e7be5dbeb0ade63d730e10015fd421d1f78f8744322f38f2f2764584dd4f6b36fc3cd0ccd22a9aaaacd92174882fccabc91712364d2afbe83bb6c2ad3d5cafcfd2f09e6e94d79d9dea18c9f7a599640177893b37bdd3e6ed388339d9c1ef9f5d9c197cff02555488bbce4b8ac7366b623b9dadcf3813a6451290094773076b616bbf9f7079c5c39c1ed3c3e211648f862d47b34d644d4c0ae05e0d5fb73d8b046151d2677
/
/
分析
/
/
onLeave 返回值就是我们最终加密的密文
/
/
arg1 是我们加密前的明文
/
/
传入了两个key
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03mIZUjjghGd
与 mIZUjjghGd
/
/
其实这里应该是
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03
与 mIZUjjghGd,他们挨在一起的,所以是一起打印的
[Pixel::XXXXX]
-
> call()
onEnter main_oldEncrypt arg0:
0xc
arg1:
0x869d0580
arg2:
0x288
arg3:
0x2c0
arg4:
0xc96436f0
arg5:
0x869d0580
arg6:
0x288
arg7:
0x2c0
arg8:
0x868a4c34
arg9:
0x20
arg10:
0x2c
arg11:
0x868a4c54
onEnter main_oldEncrypt arg1:{
"__package_hash__"
:
"678c7f3bf3584a2079295d8834928146"
,
"__package_name__"
:
"tv.iytqy.cvhaca"
,
"app_status"
:
"9A5C6BDC62AD1CFE45A6578F84E858F9CA1A4F76:2"
,
"bundle_id"
:
"tv.iytqy.cvhaca"
,
"new_player"
:
"fx"
,
"system_app_type"
:
"local"
,
"system_build_aff"
:"
","
system_build_id
":"
a1000
","
system_iid
":"
923868eb5f543afa55f1f33cfac37d35
","
system_oauth_id
":"
02274477773a9ac8a2cf3605400ece4b
","
system_oauth_type
":"
android
","
system_token
":"
023FAC3AFE2285DC98E50CA4C638E0845277DC8CB62CCCC088DA1E3CB679180C97F2688C0DBE197F03950D84900C2A6B050334216C4CC604021DCC624543AFDDEF8D19363E43F9C0B8EEC79BBF269E7DE77B0304FF1034FED885ACA4C74DAC768D26D9FADD
","
system_version
":"
5.7
.
1
"}
onEnter main_oldEncrypt arg8:
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03mIZUjjghGd
onEnter main_oldEncrypt arg11:mIZUjjghGd
onLeave main_oldEncrypt
436a4b4d6961565043615063737077526c2e5dd70001b006397ce672c6fe1948f74ac72436bccb766585953419b0a7d4643fd7b98319a6696558f3e129bd7865383a4311256cdc126a00d49126379d5cc3f5a1a0fcd8a6fb6f6293d0ad6e628451cd26efecfaa5021099af5b428da2081533953dcf9a1e3a6f46a560471e6cef6e591b4937c36cd5ccb0de0364279eecf0970e101286faa0d25476e49a2e8b5a24f5d4d2e2c1afb67785f96511f48290864e6fdac548a325f9b30b0c7a99dd2c909518ccac45d9efa2c9973c5f0de468d094e6573afc44d2ffe73d6d79ee76d45fd8fcdf7d45c8a47fca7e85769239da6bfd9e35eaaa59bf3a6bb7741258a42bca7272e611bb8ddd93e807d126c3898f0f1aa9f37af485c140b706fe7a3f0d684eb3132ecd208cf52338a617095e7bb2b2b3eb749c7f7f01d8bfc7d386a2799ae6f015a87ba1519109aa92c4ec2e9d15650a46d239616ec515605d56b7ef3a954f2edbbb85f8c86e2f19c19e6422cc7dcf2277ebd968cf9751f5548f5ae77387985e0dfb7262787b13416138cb5c5952d4d3305a7688910984c75adc0a7f85347917bef0d909ad5a024f2275a5609e2d813f4c43d9bd00b4e82479725b78b197032bf78a163db5f1cbbbd1d09df698cbcb0024646d58d848dd08ad6168413842aa3925a5dd782c6b7d4d58d38a24d3dfe17e8a5e7be5dbeb0ade63d730e10015fd421d1f78f8744322f38f2f2764584dd4f6b36fc3cd0ccd22a9aaaacd92174882fccabc91712364d2afbe83bb6c2ad3d5cafcfd2f09e6e94d79d9dea18c9f7a599640177893b37bdd3e6ed388339d9c1ef9f5d9c197cff02555488bbce4b8ac7366b623b9dadcf3813a6451290094773076b616bbf9f7079c5c39c1ed3c3e211648f862d47b34d644d4c0ae05e0d5fb73d8b046151d2677
/
/
分析
/
/
onLeave 返回值就是我们最终加密的密文
/
/
arg1 是我们加密前的明文
/
/
传入了两个key
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03mIZUjjghGd
与 mIZUjjghGd
/
/
其实这里应该是
4c7e
?
2fab4f4
>
1
>
2
>
5d0ee4bb61d7b03
与 mIZUjjghGd,他们挨在一起的,所以是一起打印的
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
|
|
---|---|
|
大佬请问有木有apk的样本
|
|
mb_wvvozxbm 大佬请问有木有apk的样本这个可能不太方便在这分享 |
|
k佬牛逼
|
- [原创]GoJni 协议加解密分析 30092
- [原创]FRIDA Patchs 16.0.9 21547
- [原创]FRIDA 编译 | 14.2.17 10025
- [原创]FRIDA 最新版编译 | 16.0.9 13376
- [原创] Android Studio Debug dlopen 7189