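[Original] Notes on recovering part of the algorithm of a certain mental-arithmetic app (do not use this to bully primary-school students)
Posted: 2024-10-15 22:24 21626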

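Preface: This article is intended solely for exchange and learning, to raise the level of reverse-engineering attack and defense and to better protect apps.
Version: latest from the app store
No Frida invocation script and no finished algorithm are provided; only the analysis process is recorded. If this infringes any rights, please contact me and I will take it down, but I would much rather see the vendor learn from this ongoing contest and improve its product.

Frida detection: inject in spawn mode

Analyze the strings in the input parameters

Use the address where the string appears to find the address of the code that processes it

This leads to a function that turns out to be a basic utility function; use a trace to find out how many times it is called in total

Write a Frida script to hook it and see what it processes

The algorithm turns out to be recovered directly, but that is not the end; let's look at where the vendor got creative

The next goal becomes very simple: find out where these strings come from

First comes simple string concatenation

You can try to reconstruct it from the printed log

I won't go over the simple string concatenation:

Here there is a string of position digits

Let's track down: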

142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614

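where this comes from

Judging from the input parameters, it is most likely related to the third parameter, -28673

Look at which functions are called to find some clues

There are a large number of calls to rand; here I suspect it is related to the third input parameter and to the pseudo-random numbers that show up in CTFs

Look for some clues in memory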

1324013443201793320179222216625288161167772161322

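Find where it first appears

It turns out to be in this function

It turns out to be just a system library function used for copying

From the function prologue, find the previous call site

A clue turns up here

Search for the address the memory write goes to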

7d09097130 [libRequestEncoder.so!67130] stp x8, x9, [x19, #48] ; r[X8=0xb400007c95400b01 X9=0xb400007c95400b17 X19=0xb400007c95400ac0] w[]

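Combine static and dynamic analysis in IDA

Look upward for the caller one level up

Trace upward again

It turns out to be the second argument of num_put

Still inside the system library

Find what looks like the place where the computation happens

Going up one more stack frame, everything immediately becomes clear, and the earlier append calls show up as well

So we just need to find the logic in front of the append that adds the random number

The third-to-last one

It can be reconstructed from the log

As expected, it appears only once; we only need to trace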

7d09096b88 [libRequestEncoder.so!66b88] csel x1, x10, x9, eq ; r[X10=0xb400007c95400c71 X9=0xb400007c7347c880] w[X1=0xb400007c72e0e900]

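Judging from the context (tst w8 0x1), x9 is assigned to x1; trace where x9 gets its value

It turns out to be on the stack; trace the stack value further

Tracing upward reveals a large number of strings, which belong to the target

Find where the random string first appears

Real mental arithmetic

Hook the input and output parameters and it can be worked out

Advice for the vendor:

Add obfuscation and make some custom modifications to standard algorithms (MD5); even changing a few IVs works surprisingly well. Add some anti-trace detection

Add more floating-point operations to make emulated invocation harder

Do not use this to bully primary-school students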

// Hook android_dlopen_ext and blank the path when libmsaoaidsec.so is
// requested, so that this library is never loaded.
function hook_dlopen() {
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter: function (args) {
            var pathptr = args[0];
            if (pathptr === undefined || pathptr.isNull()) {
                return;
            }
            var path = pathptr.readCString();
            if (path === null) {
                return;
            }
            if (path.indexOf('libmsaoaidsec.so') >= 0) {
                pathptr.writeUtf8String("");
            }
            console.log('path: ', path);
        }
    });
}
hook_dlopen();
gan_sign script loaded successfully
memory_function called with pointer: function value() {
[native code]
}
input/打码/android/auth/password wdi4n2t8edr -28673
output:  ad6980251c11b17d60ef6cd01cd6cba7
message: {'type': 'send', 'payload': 'ad6980251c11b17d60ef6cd01cd6cba7'} data: None
[22041216C::包名打码 ]-> call()
gan_sign script loaded successfully
entered
Current string: /leo-gateway/android/auth/password
String to append: wdi4n2t8edr
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edr
String to append: bcd65d0baba159174a6b3331ac998605
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605
String to append: /leo-gateway/android/auth/password
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password
String to append: 654194b4dbd03e4dc79ccbce86dda67a
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a
String to append: 142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614
String to append: e137a72e24678540f39b76b454f30661
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614e137a72e24678540f39b76b454f30661
String to append: wdi4n2t8edr
input/leo-gateway/android/auth/password wdi4n2t8edr -28673
output:  48e0bfda36ffbd3d66d79264da7e5b93
message: {'type': 'send', 'payload': '48e0bfda36ffbd3d66d79264da7e5b93'} data: None
// Hook the std::string::append function
var libRequestEncoder = Module.findBaseAddress("libRequestEncoder.so");

var addr = libRequestEncoder.add(0xb18b0);

Interceptor.attach(addr, {
    onEnter: function (args) {
        console.log("entered");
        var a1 = args[0]; // the std::string object
        var src = args[1]; // the characters to append
        var n = args[2].toInt32(); // number of bytes to append
        // Check whether the small-string optimization (SSO) is in use
        var v4 = a1.readU8();
        var isSSO = (v4 & 1) == 0;

        // Get the current string contents
        var currentStr;
        if (isSSO) {
            // SSO: the characters are stored inline
            currentStr = a1.add(1).readUtf8String(); // read the string starting at a1 + 1
        } else {
            // String stored on the heap
            var dataPtr = a1.add(16).readPointer(); // a1[2] is the pointer to the heap buffer
            currentStr = dataPtr.readUtf8String();
        }

        // Print the current string and the string about to be appended
        console.log("Current string: " + currentStr);
        console.log("String to append: " + src.readUtf8String(n));
    }
});
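The SSO test in the hook above and the (v8 & 1) == 0 branches in the decompiled sub_66A48 both follow the 64-bit little-endian libc++ std::string layout. The following is an added example, not code from the original post: a decoder for that 24-byte layout that runs under plain Node.js and reads by the stored length instead of stopping at the first NUL. BASE, FakeMemory, the helper names and the "ab\0cd" sample are assumptions constructed for the example; the two other sample strings are taken from the log above.

```javascript
'use strict';

// Stand-in for process memory so the decoder runs under plain Node.js.
// BASE, FakeMemory and every stored value are constructed for this example.
const BASE = 0x7000000000n;

class FakeMemory {
  constructor(size) { this.buf = Buffer.alloc(size); }
  off(addr, n) {
    const o = Number(addr - BASE);
    if (o < 0 || o + n > this.buf.length) {
      throw new RangeError('unmapped access at 0x' + addr.toString(16));
    }
    return o;
  }
  readU8(addr) { return this.buf.readUInt8(this.off(addr, 1)); }
  readU64(addr) { return this.buf.readBigUInt64LE(this.off(addr, 8)); }
  readBytes(addr, n) { const o = this.off(addr, n); return this.buf.subarray(o, o + n); }
  writeU64(addr, v) { this.buf.writeBigUInt64LE(v, this.off(addr, 8)); }
  writeBytes(addr, bytes) { bytes.copy(this.buf, this.off(addr, bytes.length)); }
}

const SHORT_CAP = 22; // characters that fit inline in the 24-byte object

// Decode one libc++ std::string object. Bit 0 of byte 0 selects the mode,
// exactly as in the (v8 & 1) == 0 tests of sub_66A48.
function decodeLibcxxString(mem, addr, maxLen = 1 << 20) {
  const tag = mem.readU8(addr);
  if ((tag & 1) === 0) {
    const size = tag >> 1;                        // v10 = v8 >> 1
    if (size > SHORT_CAP) throw new Error('short size ' + size + ' exceeds inline capacity');
    return { mode: 'short', size, bytes: mem.readBytes(addr + 1n, size) }; // a3 + 1
  }
  const cap = mem.readU64(addr) & ~1n;            // allocation size, flag bit cleared
  const size = mem.readU64(addr + 8n);            // *((_QWORD *)a3 + 1)
  const data = mem.readU64(addr + 16n);           // *((_QWORD *)a3 + 2)
  if (size >= cap || size > BigInt(maxLen)) throw new Error('implausible long-string header');
  return { mode: 'long', size: Number(size), bytes: mem.readBytes(data, Number(size)) };
}

// What a read without a length returns: it stops at the first NUL byte.
function readUntilNul(mem, addr, limit = 256) {
  const out = [];
  for (let i = 0n; i < BigInt(limit); i++) {
    const b = mem.readU8(addr + i);
    if (b === 0) break;
    out.push(b);
  }
  return Buffer.from(out);
}

// Helpers that lay out sample objects in the fake memory.
function putShort(mem, addr, text) {
  const b = Buffer.from(text, 'latin1');
  mem.writeBytes(addr, Buffer.from([b.length << 1]));
  mem.writeBytes(addr + 1n, b);
}
function putLong(mem, addr, heapAddr, cap, raw) {
  mem.writeU64(addr, BigInt(cap) | 1n);
  mem.writeU64(addr + 8n, BigInt(raw.length));
  mem.writeU64(addr + 16n, heapAddr);
  mem.writeBytes(heapAddr, raw);
}

function demo() {
  const mem = new FakeMemory(0x200);
  putShort(mem, BASE, 'wdi4n2t8edr');                             // 11 chars, inline
  putLong(mem, BASE + 0x20n, BASE + 0x100n, 48,
          Buffer.from('/leo-gateway/android/auth/password'));     // 34 chars, heap
  putLong(mem, BASE + 0x40n, BASE + 0x180n, 32,
          Buffer.from('ab\0cd', 'latin1'));                       // embedded NUL
  const a = decodeLibcxxString(mem, BASE);
  const b = decodeLibcxxString(mem, BASE + 0x20n);
  const c = decodeLibcxxString(mem, BASE + 0x40n);
  return {
    short: { mode: a.mode, size: a.size, text: a.bytes.toString('latin1') },
    long: { mode: b.mode, size: b.size, text: b.bytes.toString('latin1') },
    nul: {
      size: c.size,
      byLength: c.bytes.toString('latin1'),
      untilNul: readUntilNul(mem, BASE + 0x180n).toString('latin1'),
    },
  };
}

console.log(demo());
```

In a Frida hook the same three reads correspond to a1.readU8(), a1.add(8).readU64() and a1.add(16).readPointer().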
void __usercall sub_66A48(
        __int64 a1@<X0>,
        unsigned __int8 *a2@<X1>,
        unsigned __int8 *a3@<X2>,
        int a4@<W3>,
        _QWORD *a5@<X8>)
{
  unsigned __int64 v8; // x8
  bool v9; // zf
  size_t v10; // x8
  void *v11; // x1
  size_t v12; // x2
  char *v13; // x1
  size_t v14; // x2
  unsigned __int64 v15; // x8
  bool v16; // zf
  size_t v17; // x8
  void *v18; // x1
  size_t v19; // x2
  char *v20; // x1
  size_t v21; // x2
  _BYTE *v22; // x1
  size_t v23; // x2
  char *v24; // x1
  size_t v25; // x2
  unsigned __int64 v26; // x8
  bool v27; // zf
  size_t v28; // x8
  void *v29; // x1
  size_t v30; // x2
  __int64 v31; // [xsp+0h] [xbp-C0h] BYREF
  size_t v32; // [xsp+8h] [xbp-B8h]
  void *v33; // [xsp+10h] [xbp-B0h]
  _BYTE v34[16]; // [xsp+18h] [xbp-A8h] BYREF
  void *v35; // [xsp+28h] [xbp-98h]
  unsigned __int8 v36; // [xsp+30h] [xbp-90h]
  _BYTE v37[15]; // [xsp+31h] [xbp-8Fh] BYREF
  void *v38; // [xsp+40h] [xbp-80h]
  _BYTE v39[112]; // [xsp+48h] [xbp-78h] BYREF
  __int64 v40; // [xsp+B8h] [xbp-8h]
 
  v40 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  sub_65794(a1, a4);
  std::string::basic_string(v34, a2);
  v8 = *a3;
  v9 = (v8 & 1) == 0;
  v10 = v8 >> 1;
  if ( v9 )
    v11 = a3 + 1;
  else
    v11 = (void *)*((_QWORD *)a3 + 2);
  if ( v9 )
    v12 = v10;
  else
    v12 = *((_QWORD *)a3 + 1);
  std::string::append((int)v34, v11, v12);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v13 = (char *)v33;
  else
    v13 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v14 = v32;
  else
    v14 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v13, v14);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  v15 = *a2;
  v16 = (v15 & 1) == 0;
  v17 = v15 >> 1;
  if ( v16 )
    v18 = a2 + 1;
  else
    v18 = (void *)*((_QWORD *)a2 + 2);
  if ( v16 )
    v19 = v17;
  else
    v19 = *((_QWORD *)a2 + 1);
  std::string::append((int)v34, v18, v19);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v20 = (char *)v33;
  else
    v20 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v21 = v32;
  else
    v21 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v20, v21);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  if ( (v36 & 1) != 0 )
    v22 = v38;
  else
    v22 = v37;
  if ( (v36 & 1) != 0 )
    v23 = *(_QWORD *)&v37[7];
  else
    v23 = (unsigned __int64)v36 >> 1;
  std::string::append((int)v34, v22, v23);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v24 = (char *)v33;
  else
    v24 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v25 = v32;
  else
    v25 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v24, v25);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  v26 = *a3;
  v27 = (v26 & 1) == 0;
  v28 = v26 >> 1;
  if ( v27 )
    v29 = a3 + 1;
  else
    v29 = (void *)*((_QWORD *)a3 + 2);
  if ( v27 )
    v30 = v28;
  else
    v30 = *((_QWORD *)a3 + 1);
  std::string::append((int)v34, v29, v30);
  sub_64970(v39, v34);
  sub_655F4(a5, v39);
  if ( (v34[0] & 1) != 0 )
    operator delete(v35);
  if ( (v36 & 1) != 0 )
    operator delete(v38);
}
__int64 __fastcall sub_65794(__int64 a1, int a2)
{
  unsigned int v3; // w27
  int8x8_t v4; // d8
  unsigned __int64 v5; // d0
  int v6; // w24
  unsigned int v7; // w8
  unsigned int v8; // w20
  unsigned int v9; // w23
  unsigned int v10; // w8
  unsigned int v11; // w19
  unsigned int v12; // w21
  unsigned int v13; // w22
  unsigned int v14; // w8
  unsigned int v15; // w9
  unsigned int v16; // w28
  int v17; // w8
  __int64 v18; // x1
  unsigned int v19; // w22
  unsigned int v20; // w8
  unsigned int v21; // w8
  unsigned int v22; // w21
  unsigned int v23; // w8
  unsigned int v24; // w23
  unsigned int v25; // w8
  unsigned int v26; // w8
  int32x2_t v27; // d0
  int v28; // w26
  unsigned int v29; // w9
  int v30; // w8
  __int64 v31; // x1
  unsigned int v32; // w8
  unsigned int v33; // w8
  unsigned int v34; // w23
  unsigned int v35; // w8
  unsigned int v36; // w9
  unsigned int v37; // w24
  unsigned int v38; // w8
  __int64 v39; // x1
  unsigned __int32 v40; // w8
  unsigned int v41; // w25
  unsigned int v42; // w19
  int v43; // w26
  unsigned int v44; // w8
  unsigned int v45; // w10
  bool v46; // cc
  unsigned int v47; // w9
  unsigned int v48; // w9
  char v49; // w8
  char v50; // w8
  int v51; // w21
  unsigned int v52; // w8
  unsigned int v53; // w10
  unsigned int v54; // w9
  unsigned int v55; // w23
  unsigned int v56; // w8
  unsigned int v57; // w8
  unsigned int v58; // w9
  unsigned int v59; // w8
  int v60; // w9
  __int64 v61; // kr00_8
  unsigned int v62; // w8
  __int64 v63; // x1
  int v64; // w28
  unsigned int v65; // w8
  unsigned int v66; // w8
  unsigned int v67; // w24
  __int64 v68; // x1
  char v69; // w8
  unsigned int v70; // w9
  unsigned int v71; // w9
  unsigned int v72; // w8
  int v73; // w9
  __int64 v74; // kr08_8
  unsigned int v75; // w8
  __int64 v76; // x1
  unsigned int v77; // w8
  unsigned int v78; // w8
  unsigned int v79; // w8
  unsigned int v80; // w20
  int8x8_t v81; // d0
  unsigned __int32 v82; // w8
  uint32x4_t v83; // q0
  uint32x4_t v84; // q0
  int8x16_t v85; // q1
  int v86; // w28
  unsigned int v87; // w8
  unsigned int v88; // w10
  unsigned int v89; // w9
  unsigned __int32 v90; // w8
  unsigned int v91; // w8
  unsigned int v92; // w8
  int v93; // w12
  int v94; // w20
  int v95; // w23
  int v96; // w24
  unsigned int v97; // w8
  unsigned int v98; // w9
  unsigned int v99; // w10
  unsigned int v100; // w8
  unsigned int v101; // w10
  unsigned int v102; // w9
  unsigned int v103; // w8
  unsigned int v104; // w10
  unsigned int v105; // w9
  unsigned int v106; // w8
  unsigned int v107; // w9
  unsigned int v108; // w8
  char v109; // w9
  __int64 v110; // kr10_8
  __int64 v111; // x1
  unsigned int v112; // w8
  unsigned int v113; // w8
  unsigned int v114; // w10
  unsigned int v115; // w9
  unsigned int v116; // w8
  int v117; // w22
  unsigned int v118; // w19
  __int64 v119; // x1
  __int64 v120; // x1
  unsigned int v121; // w8
  unsigned int v122; // w9
  unsigned int v123; // w8
  char v124; // w9
  __int64 v125; // kr18_8
  __int64 v126; // x1
  unsigned int v128; // [xsp+8h] [xbp-208h]
  unsigned int v129; // [xsp+10h] [xbp-200h]
  unsigned int v130; // [xsp+14h] [xbp-1FCh]
  unsigned int v131; // [xsp+18h] [xbp-1F8h]
  int v132; // [xsp+1Ch] [xbp-1F4h]
  int v133; // [xsp+20h] [xbp-1F0h]
  int v134; // [xsp+24h] [xbp-1ECh]
  int v135; // [xsp+28h] [xbp-1E8h]
  unsigned int v136; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v137; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v138; // [xsp+30h] [xbp-1E0h]
  unsigned int v139; // [xsp+34h] [xbp-1DCh]
  int v140; // [xsp+38h] [xbp-1D8h]
  int v141; // [xsp+38h] [xbp-1D8h]
  unsigned int v142; // [xsp+3Ch] [xbp-1D4h]
  int v143; // [xsp+3Ch] [xbp-1D4h]
  unsigned int v144; // [xsp+40h] [xbp-1D0h]
  int v145; // [xsp+40h] [xbp-1D0h]
  unsigned int v146; // [xsp+44h] [xbp-1CCh]
  int v147; // [xsp+44h] [xbp-1CCh]
  unsigned int v148; // [xsp+48h] [xbp-1C8h]
  unsigned __int32 v149; // [xsp+4Ch] [xbp-1C4h]
  unsigned int v150; // [xsp+50h] [xbp-1C0h]
  int v151; // [xsp+64h] [xbp-1ACh]
  unsigned int v152; // [xsp+64h] [xbp-1ACh]
  unsigned int v153; // [xsp+68h] [xbp-1A8h]
  unsigned int v154; // [xsp+6Ch] [xbp-1A4h]
  int v155; // [xsp+88h] [xbp-188h]
  unsigned int v156; // [xsp+88h] [xbp-188h]
  unsigned int v157; // [xsp+8Ch] [xbp-184h]
  unsigned int v158; // [xsp+8Ch] [xbp-184h]
  __int64 v159; // [xsp+98h] [xbp-178h]
  int v160; // [xsp+98h] [xbp-178h]
  int v161; // [xsp+A0h] [xbp-170h]
  int v162; // [xsp+A8h] [xbp-168h]
  unsigned int v163; // [xsp+B0h] [xbp-160h]
  unsigned int v164; // [xsp+B4h] [xbp-15Ch]
  unsigned int v165; // [xsp+B8h] [xbp-158h]
  unsigned int v166; // [xsp+BCh] [xbp-154h]
  unsigned int v167; // [xsp+BCh] [xbp-154h]
  int8x8_t v168; // [xsp+C0h] [xbp-150h]
  unsigned int v169; // [xsp+C0h] [xbp-150h]
  unsigned int v170; // [xsp+D8h] [xbp-138h]
  unsigned int v171; // [xsp+DCh] [xbp-134h]
  time_t timer; // [xsp+E0h] [xbp-130h] BYREF
  __int64 (__fastcall **v173)(); // [xsp+E8h] [xbp-128h] BYREF
  _QWORD v174[8]; // [xsp+F0h] [xbp-120h] BYREF
  __int128 v175; // [xsp+130h] [xbp-E0h]
  __int128 v176; // [xsp+140h] [xbp-D0h]
  int v177; // [xsp+150h] [xbp-C0h]
  _QWORD v178[18]; // [xsp+158h] [xbp-B8h] BYREF
  int v179; // [xsp+1E8h] [xbp-28h]
  __int64 v180; // [xsp+1F0h] [xbp-20h]
 
  v180 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  time(&timer);
  v178[0] = off_D9C20;
  timer = (timer + a2) / 60;
  v173 = off_D9BF8;
  std::ios_base::init((std::ios_base *)v178, v174);
  v178[17] = 0LL;
  v179 = -1;
  v173 = off_D9B88;
  v178[0] = off_D9BB0;
  std::streambuf::basic_streambuf(v174);
  v3 = timer;
  v4.n64_u64[0] = vdup_n_s32(timer).n64_u64[0];
  v5 = vshl_u32(v4, (uint32x2_t)-2LL).n64_u64[0];
  v6 = HIDWORD(v5);
  v168.n64_u64[0] = v5;
  v140 = HIDWORD(v5) & 0x55555555;
  v7 = (((unsigned int)(timer - v140) >> 2) & 0x33333333) + ((timer - v140) & 0x33333333);
  v175 = 0u;
  v176 = 0u;
  v166 = (v7 + (v7 >> 4)) & 0xF0F0F0F;
  v177 = 16;
  v174[0] = off_D9C40;
  v146 = (v166 + (v166 >> 8) + ((v166 + (v166 >> 8)) >> 16)) & 0x3F;
  std::ostream::operator<<(&v173, v146);
  v8 = v3 + (v3 >> 31);
  v9 = (v8 >> 1) + (v8 >> 3);
  v10 = v9 + (v9 >> 4) + ((v9 + (v9 >> 4)) >> 8);
  v136 = v10 + HIWORD(v10);
  v154 = (v136 >> 3) + ((v8 - 12 * (v136 >> 3) + 4) >> 4);
  std::ostream::operator<<(&v173, v154);
  v150 = v3 >> 3;
  v11 = v6 + v168.n64_u32[0];
  v12 = (v11
       + v150
       + ((v11 + v150) >> 6)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  v13 = v3 - 9 * v12;
  if ( v13 <= 8 )
    v14 = (v11
         + v150
         + ((v11 + v150) >> 6)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  else
    v14 = v12 + 1;
  v144 = v14 + 1;
  std::ostream::operator<<(&v173, v14 + 1);
  v142 = v12 + ((v13 + 7) >> 4);
  std::ostream::operator<<(&v173, v142);
  v15 = HIWORD(v3);
  if ( v3 )
  {
    v16 = HIWORD(v3);
    if ( (_WORD)v3 )
    {
      v15 = v3;
      v17 = 1;
    }
    else
    {
      v17 = 17;
    }
    if ( !(_BYTE)v15 )
    {
      v15 >>= 8;
      v17 |= 8u;
    }
    if ( (v15 & 0xF) == 0 )
    {
      v15 >>= 4;
      v17 |= 4u;
    }
    if ( (v15 & 3) == 0 )
    {
      LOBYTE(v15) = v15 >> 2;
      v17 |= 2u;
    }
    v18 = v17 - (v15 & 1);
  }
  else
  {
    v16 = 0;
    v18 = 32LL;
  }
  std::ostream::operator<<(&v173, v18);
  v19 = v3 + 3;
  v157 = v3 >> 4;
  v20 = v6 + (v3 >> 4) + ((v6 + (v3 >> 4)) >> 4) + ((v6 + (v3 >> 4)) >> 5);
  v21 = (v20 + (v20 >> 12) + HIBYTE(v20)) >> 3;
  v22 = v21 + ((v3 + 3 - 13 * v21) >> 4);
  std::ostream::operator<<(&v173, v22);
  v23 = (v8 >> 6) - (v8 >> 10) + (v8 >> 12) + (v8 >> 13) - HIWORD(v8) + v9;
  v24 = ((v23 + (v23 >> 20)) >> 6) + ((v8 - 100 * ((v23 + (v23 >> 20)) >> 6) + 28) >> 7);
  std::ostream::operator<<(&v173, v24);
  v25 = v6 | v3 | ((v6 | v3) >> 2) | ((v6 | v3 | ((v6 | v3) >> 2)) >> 4);
  v26 = v25 | (v25 >> 8) | ((v25 | (v25 >> 8)) >> 16);
  v153 = v26 - (v26 >> 1);
  std::ostream::operator<<(&v173, v153);
  v27.n64_u64[0] = vand_s8(v168, (int8x8_t)0x5B6DB6DB09249249LL).n64_u64[0];
  v27.n64_u32[0] = vadd_s32(vdup_lane_s32(v27, 1), v27).n64_u32[0];
  v170 = ((v3 - v27.n64_u32[0] + ((v3 - v27.n64_u32[0]) >> 3)) & 0xC71C71C7) % 0x3F;
  std::ostream::operator<<(&v173, v170);
  v151 = v6;
  if ( v3 )
  {
    v28 = (unsigned __int16)v3;
    if ( (_WORD)v3 )
      v29 = v3;
    else
      v29 = v16;
    if ( (_WORD)v3 )
      v30 = 1;
    else
      v30 = 17;
    if ( !(_BYTE)v29 )
    {
      v29 >>= 8;
      v30 |= 8u;
    }
    if ( (v29 & 0xF) == 0 )
    {
      v29 >>= 4;
      v30 |= 4u;
    }
    if ( (v29 & 3) == 0 )
    {
      LOBYTE(v29) = v29 >> 2;
      v30 |= 2u;
    }
    v31 = v30 - (v29 & 1);
  }
  else
  {
    v16 = 0;
    v28 = 0;
    v31 = 32LL;
  }
  std::ostream::operator<<(&v173, v31);
  v32 = v11 - (v3 >> 5) + (v3 >> 7) + ((v11 - (v3 >> 5) + (v3 >> 7)) >> 10);
  v131 = ((v32 + (v32 >> 20)) >> 3) + ((v3 - 11 * ((v32 + (v32 >> 20)) >> 3) + 5) >> 4);
  std::ostream::operator<<(&v173, v131);
  v155 = v28;
  v139 = 21845 * v16
       + ((int)v3 >> 31)
       + ((21846 * v16 + ((unsigned int)(21846 * v28) >> 16)) >> 16)
       + ((21845 * v28 + (unsigned int)(unsigned __int16)(21846 * v16 + ((unsigned int)(21846 * v28) >> 16))) >> 16);
  std::ostream::operator<<(&v173, v139);
  std::ostream::operator<<(&v173, v24);
  std::ostream::operator<<(&v173, v22);
  v159 = (unsigned __int8)v16;
  v132 = byte_429F0[BYTE1(v3)];
  v133 = byte_429F0[(unsigned __int8)v16];
  v134 = byte_429F0[(unsigned __int8)v3];
  v135 = byte_429F0[HIBYTE(v3)];
  std::ostream::operator<<(&v173, (unsigned int)(v132 + v134 + v133 + v135));
  v163 = -v3 & v3;
  v171 = v163 + v3;
  v164 = ((v163 + v3) ^ v3) >> 1;
  v165 = v171 ^ v3;
  v33 = ((((v171 ^ v3) - (v164 & 0x55555555)) >> 2) & 0x33333333) + (((v171 ^ v3) - (v164 & 0x55555555)) & 0x33333333);
  v34 = (v163 + v3) | ~(-1 << (((16843009 * ((v33 + (v33 >> 4)) & 0xF0F0F0F)) >> 24) - 2));
  std::ostream::operator<<(&v173, v34);
  v35 = v11 + (v11 >> 4) + ((v11 + (v11 >> 4)) >> 8);
  v36 = (v35 + HIWORD(v35)) >> 2;
  v37 = v3 - 5 * v36;
  v130 = v36;
  if ( v37 <= 4 )
    v38 = (v35 + HIWORD(v35)) >> 2;
  else
    v38 = v36 + 1;
  if ( v37 <= 9 )
    v39 = v38;
  else
    v39 = v38 + 1;
  v148 = v39;
  std::ostream::operator<<(&v173, v39);
  v40 = v168.n64_u32[0]
      + v157
      + ((v168.n64_u32[0] + v157) >> 4)
      + ((v168.n64_u32[0] + v157 + ((v168.n64_u32[0] + v157) >> 4)) >> 8);
  v129 = v40 + HIWORD(v40) + ((11 * (-3 * (v40 + HIWORD(v40)) + v3)) >> 5);
  std::ostream::operator<<(&v173, v129);
  std::ostream::operator<<(&v173, v34);
  std::ostream::operator<<(&v173, v170);
  v41 = v3 + 2;
  v42 = v3 + 1;
  v43 = (v3 + 2) & ~v3;
  v44 = 0x80000000;
  while ( 1 )
  {
    if ( (v44 & v43) == 0 )
    {
      if ( (v44 & (-3 - v3) & v3) != 0 )
      {
        v47 = (v44 | v41) & -v44;
        if ( v47 <= v19 )
          goto LABEL_44;
      }
      goto LABEL_39;
    }
    v45 = (v44 | v3) & -v44;
    if ( v45 <= v42 )
      break;
LABEL_39:
    v46 = v44 > 1;
    v44 >>= 1;
    if ( !v46 )
    {
      v47 = v3 + 2;
LABEL_44:
      v45 = v3;
      goto LABEL_46;
    }
  }
  v47 = v3 + 2;
LABEL_46:
  std::ostream::operator<<(&v173, v45 | v47);
  v128 = v16;
  if ( v3 )
  {
    if ( v155 )
      v48 = v3;
    else
      v48 = v16;
    if ( v155 )
      v49 = 1;
    else
      v49 = 17;
    if ( !(_BYTE)v48 )
    {
      v48 >>= 8;
      v49 |= 8u;
    }
    if ( (v48 & 0xF) == 0 )
    {
      v48 >>= 4;
      v49 |= 4u;
    }
    if ( (v48 & 3) == 0 )
    {
      LOBYTE(v48) = v48 >> 2;
      v49 |= 2u;
    }
    v50 = v49 - (v48 & 1) + 2;
  }
  else
  {
    v50 = 34;
  }
  std::ostream::operator<<(&v173, (v165 >> v50) | v171);
  std::ostream::operator<<(&v173, v131);
  v51 = ~(v41 | v3);
  v52 = 0x80000000;
  while ( 2 )
  {
    if ( (v52 & v51) == 0 )
    {
LABEL_62:
      v46 = v52 > 1;
      v52 >>= 1;
      if ( !v46 )
      {
        v54 = v3 + 2;
LABEL_67:
        v53 = v3;
        goto LABEL_69;
      }
      continue;
    }
    break;
  }
  v53 = (v52 | v3) & -v52;
  if ( v53 > v42 )
  {
    v54 = (v52 | v41) & -v52;
    if ( v54 <= v19 )
      goto LABEL_67;
    goto LABEL_62;
  }
  v54 = v3 + 2;
LABEL_69:
  std::ostream::operator<<(&v173, v53 & v54);
  v55 = (v136 >> 2) + ((v8 - 6 * (v136 >> 2) + 2) >> 3);
  std::ostream::operator<<(&v173, v55);
  v137 = v130 + ((7 * v37) >> 5);
  std::ostream::operator<<(&v173, v137);
  std::ostream::operator<<(&v173, v170);
  std::ostream::operator<<(&v173, v129);
  v167 = (16843009 * v166) >> 24;
  std::ostream::operator<<(&v173, v167);
  v56 = (v8 >> 3) + (v8 >> 5) + (((v8 >> 3) + (v8 >> 5)) >> 4);
  v57 = v56 + (v56 >> 8) + ((v56 + (v56 >> 8)) >> 16);
  v138 = v57 + ((11 * (v8 - 6 * v57)) >> 6);
  std::ostream::operator<<(&v173, v138);
  std::ostream::operator<<(&v173, v55);
  if ( v3 )
  {
    if ( v3 >= 0x10000 )
      v58 = v3;
    else
      v58 = v3 << 16;
    if ( HIBYTE(v58) )
      v59 = v58;
    else
      v59 = v58 << 8;
    if ( HIBYTE(v58) )
      v60 = 16 * (v3 < 0x10000);
    else
      v60 = (16 * (v3 < 0x10000)) | 8;
    if ( !(v59 >> 28) )
    {
      v59 *= 16;
      v60 |= 4u;
    }
    v61 = 4LL * v59;
    if ( is_mul_ok(4u, v59) )
      v59 *= 4;
    v62 = ~v59;
    if ( !HIDWORD(v61) )
      v60 |= 2u;
    v63 = v60 + (v62 >> 31);
  }
  else
  {
    v63 = 32LL;
  }
  v64 = v155;
  std::ostream::operator<<(&v173, v63);
  v65 = (((v140 + (v3 & 0x55555555)) >> 2) & 0x33333333) + ((v140 + (v3 & 0x55555555)) & 0x33333333);
  v66 = (((((v65 >> 4) & 0x7070707) + (v65 & 0x7070707)) >> 8) & 0xF000F)
      + ((((v65 >> 4) & 0x7070707) + (v65 & 0x7070707)) & 0xF000F);
  v156 = (v66 & 0x1F) + HIWORD(v66);
  std::ostream::operator<<(&v173, v156);
  v67 = __rbit32(v3);
  std::ostream::operator<<(&v173, v67);
  std::ostream::operator<<(&v173, (unsigned int)(v132 + v134 + v133 + v135));
  if ( v3 )
  {
    if ( v64 )
      v69 = 1;
    else
      v69 = 17;
    if ( v64 )
      v70 = v3;
    else
      v70 = v128;
    if ( !(_BYTE)v70 )
    {
      v70 >>= 8;
      v69 |= 8u;
    }
    if ( (v70 & 0xF) == 0 )
    {
      v70 >>= 4;
      v69 |= 4u;
    }
    if ( (v70 & 3) == 0 )
    {
      LOBYTE(v70) = v70 >> 2;
      v69 |= 2u;
    }
    std::ostream::operator<<(&v173, (v165 >> (v69 - (v70 & 1) + 2)) | v171);
    std::ostream::operator<<(&v173, v167);
    if ( v3 >= 0x10000 )
      v71 = v3;
    else
      v71 = v3 << 16;
    if ( HIBYTE(v71) )
      v72 = v71;
    else
      v72 = v71 << 8;
    if ( HIBYTE(v71) )
      v73 = 16 * (v3 < 0x10000);
    else
      v73 = (16 * (v3 < 0x10000)) | 8;
    if ( !(v72 >> 28) )
    {
      v72 *= 16;
      v73 |= 4u;
    }
    v74 = 4LL * v72;
    if ( is_mul_ok(4u, v72) )
      v72 *= 4;
    v75 = ~v72;
    if ( !HIDWORD(v74) )
      v73 |= 2u;
    v76 = v73 + (v75 >> 31);
  }
  else
  {
    std::ostream::operator<<(&v173, v68);
    std::ostream::operator<<(&v173, v167);
    v76 = 32LL;
  }
  std::ostream::operator<<(&v173, v76);
  std::ostream::operator<<(&v173, v146);
  std::ostream::operator<<(&v173, v67);
  std::ostream::operator<<(&v173, v142);
  std::ostream::operator<<(&v173, v137);
  std::ostream::operator<<(&v173, v144);
  v77 = v150 + v157 + ((v150 + v157) >> 4) + ((v150 + v157 + ((v150 + v157) >> 4)) >> 8);
  v158 = v77 + HIWORD(v77) + ((13 * (v3 - 5 * (v77 + HIWORD(v77)))) >> 6);
  std::ostream::operator<<(&v173, v158);
  v78 = (v8 >> 1) + (v8 >> 2) + (((v8 >> 1) + (v8 >> 2)) >> 4);
  v79 = (v78 + (v78 >> 8) + ((v78 + (v78 >> 8)) >> 16)) >> 3;
  v80 = v79 + ((v8 - 10 * v79 + 6) >> 4);
  std::ostream::operator<<(&v173, v80);
  v81.n64_u64[0] = veor_s8(v168, v4).n64_u64[0];
  v82 = v81.n64_u32[1];
  v83.n128_u64[0] = veor_s8(vshr_n_u32(v81, 4uLL), v81).n64_u64[0];
  v83.n128_u32[2] = v82 ^ (v82 >> 2);
  v83.n128_u32[3] = v83.n128_u32[2];
  v84 = veorq_s8(vshlq_u32(v83, (uint32x4_t)xmmword_42890), v83);
  v85 = vandq_s8(
          veorq_s8(vshlq_u32(v84, (uint32x4_t)xmmword_42870), vshlq_u32(v84, (uint32x4_t)xmmword_42850)),
          (int8x16_t)xmmword_42910);
  v84.n128_u64[0] = vorr_s8((int8x8_t)v85.n128_u64[0], (int8x8_t)vextq_s8(v85, v85, 8uLL).n128_u64[0]).n64_u64[0];
  v149 = (v84.n128_u32[0] | v84.n128_u32[1] | ((v84.n128_u32[3] ^ (v84.n128_u32[3] >> 8)) >> 12) & 0x10 | (32 * (((unsigned __int8)(v84.n128_u8[12] ^ v84.n128_u8[13]) ^ (unsigned __int8)((v84.n128_u32[3] ^ (v84.n128_u32[3] >> 8)) >> 16)) & 1))) ^ -(v3 & 1) & 0x3F;
  std::ostream::operator<<(&v173, v149);
  v145 = byte_42BF0[BYTE1(v3)];
  v147 = byte_42BF0[(unsigned __int8)v3];
  v141 = byte_42BF0[HIBYTE(v3)];
  v143 = byte_42BF0[v159];
  std::ostream::operator<<(&v173, (unsigned int)(v145 + v147 + v143 + v141));
  std::ostream::operator<<(&v173, v139);
  v86 = v19 & v42;
  v87 = 0x80000000;
  do
  {
    if ( (v87 & v86) != 0 )
    {
      v89 = (v42 - v87) | (v87 - 1);
      if ( v89 >= v3 )
        goto LABEL_124;
      v88 = (v19 - v87) | (v87 - 1);
      if ( v88 >= v41 )
      {
        v89 = v3 + 1;
        goto LABEL_125;
      }
    }
    v46 = v87 > 1;
    v87 >>= 1;
  }
  while ( v46 );
  v89 = v3 + 1;
LABEL_124:
  v88 = v3 + 3;
LABEL_125:
  std::ostream::operator<<(&v173, v88 | v89);
  std::ostream::operator<<(&v173, v80);
  v90 = v3 - ((v151 & 0x77777777) + (v168.n64_u32[0] & 0x33333333) + (v150 & 0x11111111));
  v152 = (16843009 * ((v90 + (v90 >> 4)) & 0xF0F0F0F)) >> 24;
  std::ostream::operator<<(&v173, v152);
  v91 = (v3 - 1) | ((v3 - 1) >> 1) | (((v3 - 1) | ((v3 - 1) >> 1)) >> 2);
  v92 = v91 | (v91 >> 4) | ((v91 | (v91 >> 4)) >> 8);
  v169 = (v92 | HIWORD(v92)) + 1;
  std::ostream::operator<<(&v173, v169);
  v162 = byte_42AF0[(unsigned __int8)v3];
  v93 = byte_42AF0[v159];
  v161 = byte_42AF0[BYTE1(v3)];
  v94 = byte_42AF0[HIBYTE(v3)];
  v160 = v93;
  std::ostream::operator<<(&v173, (unsigned int)(v161 + v162 + v93 + v94));
  v95 = (-4 - v3) & v42;
  v96 = (-2 - v3) & v19;
  v97 = 0x80000000;
  do
  {
    if ( (v97 & v95) != 0 )
    {
      v98 = v42 & ~v97 | (v97 - 1);
      if ( v98 >= v3 )
        goto LABEL_133;
    }
    else if ( (v97 & v96) != 0 )
    {
      v99 = v19 & ~v97 | (v97 - 1);
      if ( v99 >= v41 )
      {
        v98 = v3 + 1;
        goto LABEL_134;
      }
    }
    v46 = v97 > 1;
    v97 >>= 1;
  }
  while ( v46 );
  v98 = v3 + 1;
LABEL_133:
  v99 = v3 + 3;
LABEL_134:
  std::ostream::operator<<(&v173, v99 & v98);
  v100 = 0x80000000;
  while ( 2 )
  {
    if ( (v100 & v51) == 0 )
    {
LABEL_135:
      v46 = v100 > 1;
      v100 >>= 1;
      if ( !v46 )
      {
        v102 = v3 + 2;
LABEL_140:
        v101 = v3;
        goto LABEL_142;
      }
      continue;
    }
    break;
  }
  v101 = (v100 | v3) & -v100;
  if ( v101 > v42 )
  {
    v102 = (v100 | v41) & -v100;
    if ( v102 <= v19 )
      goto LABEL_140;
    goto LABEL_135;
  }
  v102 = v3 + 2;
LABEL_142:
  std::ostream::operator<<(&v173, v101 & v102);
  std::ostream::operator<<(&v173, v156);
  std::ostream::operator<<(&v173, v148);
  v103 = 0x80000000;
  do
  {
    if ( (v103 & v86) != 0 )
    {
      v105 = (v42 - v103) | (v103 - 1);
      if ( v105 >= v3 )
        goto LABEL_149;
      v104 = (v19 - v103) | (v103 - 1);
      if ( v104 >= v41 )
      {
        v105 = v3 + 1;
        goto LABEL_150;
      }
    }
    v46 = v103 > 1;
    v103 >>= 1;
  }
  while ( v46 );
  v105 = v3 + 1;
LABEL_149:
  v104 = v3 + 3;
LABEL_150:
  std::ostream::operator<<(&v173, v104 | v105);
  std::ostream::operator<<(&v173, v138);
  std::ostream::operator<<(&v173, (unsigned int)(v161 + v162 + v160 + v94));
  std::ostream::operator<<(&v173, v153);
  std::ostream::operator<<(&v173, v167);
  std::ostream::operator<<(&v173, v152);
  v107 = -v3 & v3;
  v106 = (v171 ^ v3) >> 1;
  if ( v163 )
  {
    if ( v163 < 0x10000 )
      v107 = v163 << 16;
    if ( HIBYTE(v107) )
      v108 = v107;
    else
      v108 = v107 << 8;
    if ( HIBYTE(v107) )
      v109 = 16 * (v163 < 0x10000);
    else
      v109 = (16 * (v163 < 0x10000)) | 8;
    if ( !(v108 >> 28) )
    {
      v108 *= 16;
      v109 |= 4u;
    }
    v110 = 4LL * v108;
    if ( is_mul_ok(4u, v108) )
      v108 *= 4;
    if ( !HIDWORD(v110) )
      v109 |= 2u;
    v106 = v165 >> (~(unsigned __int8)((int)v108 >> 31) - v109 + 33);
  }
  std::ostream::operator<<(&v173, v106 | v171);
  std::ostream::operator<<(&v173, v167);
  std::ostream::operator<<(&v173, (unsigned int)(v145 + v147 + v143 + v141));
  LODWORD(v111) = -2;
  do
  {
    v112 = v111 + 2;
    v111 = (unsigned int)(v111 + 1);
  }
  while ( dword_42CF0[v112] < v3 );
  std::ostream::operator<<(&v173, v111);
  std::ostream::operator<<(&v173, v149);
  v113 = 0x80000000;
  while ( 2 )
  {
    if ( (v113 & v43) == 0 )
    {
      if ( (v113 & (-3 - v3) & v3) != 0 )
      {
        v115 = (v113 | v41) & -v113;
        if ( v115 <= v19 )
          goto LABEL_175;
      }
LABEL_170:
      v46 = v113 > 1;
      v113 >>= 1;
      if ( !v46 )
      {
        v115 = v3 + 2;
LABEL_175:
        v114 = v3;
        goto LABEL_177;
      }
      continue;
    }
    break;
  }
  v114 = (v113 | v3) & -v113;
  if ( v114 > v42 )
    goto LABEL_170;
  v115 = v3 + 2;
LABEL_177:
  std::ostream::operator<<(&v173, v114 | v115);
  std::ostream::operator<<(&v173, v170);
  v116 = 0x80000000;
  while ( 2 )
  {
    if ( (v116 & v95) == 0 )
    {
      if ( (v116 & v96) != 0 && (v19 & ~v116 | (v116 - 1)) >= v41 )
      {
        v19 = v19 & ~v116 | (v116 - 1);
        goto LABEL_186;
      }
      goto LABEL_179;
    }
    if ( (v42 & ~v116 | (v116 - 1)) < v3 )
    {
LABEL_179:
      v46 = v116 > 1;
      v116 >>= 1;
      if ( !v46 )
        goto LABEL_186;
      continue;
    }
    break;
  }
  v42 = v42 & ~v116 | (v116 - 1);
LABEL_186:
  std::ostream::operator<<(&v173, v19 & v42);
  v117 = ((v3 & 0x7F7F7F7F) + 2139062143) | v3 | 0x7F7F7F7F;
  v118 = ~v117;
  if ( v117 == -1 )
  {
    v119 = 4LL;
  }
  else if ( (v118 & 0x8080) != 0 )
  {
    v119 = ((v118 >> 7) & 1) == 0;
  }
  else
  {
    v119 = (v118 >> 23) & 1 ^ 3;
  }
  std::ostream::operator<<(&v173, v119);
  std::ostream::operator<<(&v173, v169);
  std::ostream::operator<<(&v173, v154);
  std::ostream::operator<<(&v173, v158);
  LODWORD(v120) = -2;
  do
  {
    v121 = v120 + 2;
    v120 = (unsigned int)(v120 + 1);
  }
  while ( dword_42CF0[v121] < v3 );
  std::ostream::operator<<(&v173, v120);
  v122 = -v3 & v3;
  if ( v163 )
  {
    if ( v163 < 0x10000 )
      v122 = v163 << 16;
    if ( HIBYTE(v122) )
      v123 = v122;
    else
      v123 = v122 << 8;
    if ( HIBYTE(v122) )
      v124 = 16 * (v163 < 0x10000);
    else
      v124 = (16 * (v163 < 0x10000)) | 8;
    if ( !(v123 >> 28) )
    {
      v123 *= 16;
      v124 |= 4u;
    }
    v125 = 4LL * v123;
    if ( is_mul_ok(4u, v123) )
      v123 *= 4;
    if ( !HIDWORD(v125) )
      v124 |= 2u;
    v164 = v165 >> (~(unsigned __int8)((int)v123 >> 31) - v124 + 33);
  }
  std::ostream::operator<<(&v173, v164 | v171);
  if ( v117 == -1 )
  {
    v126 = 4LL;
  }
  else if ( (v118 & 0x8080) != 0 )
  {
    v126 = ((v118 >> 7) & 1) == 0;
  }
  else
  {
    v126 = (v118 >> 23) & 1 ^ 3;
  }
  std::ostream::operator<<(&v173, v126);
  sub_671C4(v174);
  v178[0] = off_D9BB0;
  v173 = off_D9B88;
  v174[0] = off_D9C40;
  if ( (v175 & 1) != 0 )
    operator delete((void *)v176);
  std::streambuf::~streambuf(v174);
  std::ostream::~ostream(&v173, off_D9BC8);
  return std::ios::~ios(v178);
}
__int64 __fastcall sub_65794(__int64 a1, int a2)
{
  unsigned int v3; // w27
  int8x8_t v4; // d8
  unsigned __int64 v5; // d0
  int v6; // w24
  unsigned int v7; // w8
  unsigned int v8; // w20
  unsigned int v9; // w23
  unsigned int v10; // w8
  unsigned int v11; // w19
  unsigned int v12; // w21
  unsigned int v13; // w22
  unsigned int v14; // w8
  unsigned int v15; // w9
  unsigned int v16; // w28
  int v17; // w8
  __int64 v18; // x1
  unsigned int v19; // w22
  unsigned int v20; // w8
  unsigned int v21; // w8
  unsigned int v22; // w21
  unsigned int v23; // w8
  unsigned int v24; // w23
  unsigned int v25; // w8
  unsigned int v26; // w8
  int32x2_t v27; // d0
  int v28; // w26
  unsigned int v29; // w9
  int v30; // w8
  __int64 v31; // x1
  unsigned int v32; // w8
  unsigned int v33; // w8
  unsigned int v34; // w23
  unsigned int v35; // w8
  unsigned int v36; // w9
  unsigned int v37; // w24
  unsigned int v38; // w8
  __int64 v39; // x1
  unsigned __int32 v40; // w8
  unsigned int v41; // w25
  unsigned int v42; // w19
  int v43; // w26
  unsigned int v44; // w8
  unsigned int v45; // w10
  bool v46; // cc
  unsigned int v47; // w9
  unsigned int v48; // w9
  char v49; // w8
  char v50; // w8
  int v51; // w21
  unsigned int v52; // w8
  unsigned int v53; // w10
  unsigned int v54; // w9
  unsigned int v55; // w23
  unsigned int v56; // w8
  unsigned int v57; // w8
  unsigned int v58; // w9
  unsigned int v59; // w8
  int v60; // w9
  __int64 v61; // kr00_8
  unsigned int v62; // w8
  __int64 v63; // x1
  int v64; // w28
  unsigned int v65; // w8
  unsigned int v66; // w8
  unsigned int v67; // w24
  __int64 v68; // x1
  char v69; // w8
  unsigned int v70; // w9
  unsigned int v71; // w9
  unsigned int v72; // w8
  int v73; // w9
  __int64 v74; // kr08_8
  unsigned int v75; // w8
  __int64 v76; // x1
  unsigned int v77; // w8
  unsigned int v78; // w8
  unsigned int v79; // w8
  unsigned int v80; // w20
  int8x8_t v81; // d0
  unsigned __int32 v82; // w8
  uint32x4_t v83; // q0
  uint32x4_t v84; // q0
  int8x16_t v85; // q1
  int v86; // w28
  unsigned int v87; // w8
  unsigned int v88; // w10
  unsigned int v89; // w9
  unsigned __int32 v90; // w8
  unsigned int v91; // w8
  unsigned int v92; // w8
  int v93; // w12
  int v94; // w20
  int v95; // w23
  int v96; // w24
  unsigned int v97; // w8
  unsigned int v98; // w9
  unsigned int v99; // w10
  unsigned int v100; // w8
  unsigned int v101; // w10
  unsigned int v102; // w9
  unsigned int v103; // w8
  unsigned int v104; // w10
  unsigned int v105; // w9
  unsigned int v106; // w8
  unsigned int v107; // w9
  unsigned int v108; // w8
  char v109; // w9
  __int64 v110; // kr10_8
  __int64 v111; // x1
  unsigned int v112; // w8
  unsigned int v113; // w8
  unsigned int v114; // w10
  unsigned int v115; // w9
  unsigned int v116; // w8
  int v117; // w22
  unsigned int v118; // w19
  __int64 v119; // x1
  __int64 v120; // x1
  unsigned int v121; // w8
  unsigned int v122; // w9
  unsigned int v123; // w8
  char v124; // w9
  __int64 v125; // kr18_8
  __int64 v126; // x1
  unsigned int v128; // [xsp+8h] [xbp-208h]
  unsigned int v129; // [xsp+10h] [xbp-200h]
  unsigned int v130; // [xsp+14h] [xbp-1FCh]
  unsigned int v131; // [xsp+18h] [xbp-1F8h]
  int v132; // [xsp+1Ch] [xbp-1F4h]
  int v133; // [xsp+20h] [xbp-1F0h]
  int v134; // [xsp+24h] [xbp-1ECh]
  int v135; // [xsp+28h] [xbp-1E8h]
  unsigned int v136; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v137; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v138; // [xsp+30h] [xbp-1E0h]
  unsigned int v139; // [xsp+34h] [xbp-1DCh]
  int v140; // [xsp+38h] [xbp-1D8h]
  int v141; // [xsp+38h] [xbp-1D8h]
  unsigned int v142; // [xsp+3Ch] [xbp-1D4h]
  int v143; // [xsp+3Ch] [xbp-1D4h]
  unsigned int v144; // [xsp+40h] [xbp-1D0h]
  int v145; // [xsp+40h] [xbp-1D0h]
  unsigned int v146; // [xsp+44h] [xbp-1CCh]
  int v147; // [xsp+44h] [xbp-1CCh]
  unsigned int v148; // [xsp+48h] [xbp-1C8h]
  unsigned __int32 v149; // [xsp+4Ch] [xbp-1C4h]
  unsigned int v150; // [xsp+50h] [xbp-1C0h]
  int v151; // [xsp+64h] [xbp-1ACh]
  unsigned int v152; // [xsp+64h] [xbp-1ACh]
  unsigned int v153; // [xsp+68h] [xbp-1A8h]
  unsigned int v154; // [xsp+6Ch] [xbp-1A4h]
  int v155; // [xsp+88h] [xbp-188h]
  unsigned int v156; // [xsp+88h] [xbp-188h]
  unsigned int v157; // [xsp+8Ch] [xbp-184h]
  unsigned int v158; // [xsp+8Ch] [xbp-184h]
  __int64 v159; // [xsp+98h] [xbp-178h]
  int v160; // [xsp+98h] [xbp-178h]
  int v161; // [xsp+A0h] [xbp-170h]
  int v162; // [xsp+A8h] [xbp-168h]
  unsigned int v163; // [xsp+B0h] [xbp-160h]
  unsigned int v164; // [xsp+B4h] [xbp-15Ch]
  unsigned int v165; // [xsp+B8h] [xbp-158h]
  unsigned int v166; // [xsp+BCh] [xbp-154h]
  unsigned int v167; // [xsp+BCh] [xbp-154h]
  int8x8_t v168; // [xsp+C0h] [xbp-150h]
  unsigned int v169; // [xsp+C0h] [xbp-150h]
  unsigned int v170; // [xsp+D8h] [xbp-138h]
  unsigned int v171; // [xsp+DCh] [xbp-134h]
  time_t timer; // [xsp+E0h] [xbp-130h] BYREF
  __int64 (__fastcall **v173)(); // [xsp+E8h] [xbp-128h] BYREF
  _QWORD v174[8]; // [xsp+F0h] [xbp-120h] BYREF
  __int128 v175; // [xsp+130h] [xbp-E0h]
  __int128 v176; // [xsp+140h] [xbp-D0h]
  int v177; // [xsp+150h] [xbp-C0h]
  _QWORD v178[18]; // [xsp+158h] [xbp-B8h] BYREF
  int v179; // [xsp+1E8h] [xbp-28h]
  __int64 v180; // [xsp+1F0h] [xbp-20h]
 
  v180 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  time(&timer);
  v178[0] = off_D9C20;
  timer = (timer + a2) / 60;
  v173 = off_D9BF8;
  std::ios_base::init((std::ios_base *)v178, v174);
  v178[17] = 0LL;
  v179 = -1;
  v173 = off_D9B88;
  v178[0] = off_D9BB0;
  std::streambuf::basic_streambuf(v174);
  v3 = timer;
  v4.n64_u64[0] = vdup_n_s32(timer).n64_u64[0];
  v5 = vshl_u32(v4, (uint32x2_t)-2LL).n64_u64[0];
  v6 = HIDWORD(v5);
  v168.n64_u64[0] = v5;
  v140 = HIDWORD(v5) & 0x55555555;
  v7 = (((unsigned int)(timer - v140) >> 2) & 0x33333333) + ((timer - v140) & 0x33333333);
  v175 = 0u;
  v176 = 0u;
  v166 = (v7 + (v7 >> 4)) & 0xF0F0F0F;
  v177 = 16;
  v174[0] = off_D9C40;
  v146 = (v166 + (v166 >> 8) + ((v166 + (v166 >> 8)) >> 16)) & 0x3F;
  std::ostream::operator<<(&v173, v146);
  v8 = v3 + (v3 >> 31);
  v9 = (v8 >> 1) + (v8 >> 3);
  v10 = v9 + (v9 >> 4) + ((v9 + (v9 >> 4)) >> 8);
  v136 = v10 + HIWORD(v10);
  v154 = (v136 >> 3) + ((v8 - 12 * (v136 >> 3) + 4) >> 4);
  std::ostream::operator<<(&v173, v154);
  v150 = v3 >> 3;
  v11 = v6 + v168.n64_u32[0];
  v12 = (v11
       + v150
       + ((v11 + v150) >> 6)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  v13 = v3 - 9 * v12;
  if ( v13 <= 8 )
    v14 = (v11
         + v150
         + ((v11 + v150) >> 6)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  else
    v14 = v12 + 1;
  v144 = v14 + 1;
  std::ostream::operator<<(&v173, v14 + 1);
  v142 = v12 + ((v13 + 7) >> 4);
  std::ostream::operator<<(&v173, v142);
  v15 = HIWORD(v3);
  if ( v3 )
  {
    v16 = HIWORD(v3);
    if ( (_WORD)v3 )
    {
      v15 = v3;
      v17 = 1;
    }
    else
    {
      v17 = 17;
    }
    if ( !(_BYTE)v15 )
    {
      v15 >>= 8;
      v17 |= 8u;
    }
    if ( (v15 & 0xF) == 0 )
    {
      v15 >>= 4;
      v17 |= 4u;
    }
    if ( (v15 & 3) == 0 )
    {
      LOBYTE(v15) = v15 >> 2;
      v17 |= 2u;
    }
    v18 = v17 - (v15 & 1);
  }
  else
  {
    v16 = 0;
    v18 = 32LL;
  }
  std::ostream::operator<<(&v173, v18);
  v19 = v3 + 3;
  v157 = v3 >> 4;
  v20 = v6 + (v3 >> 4) + ((v6 + (v3 >> 4)) >> 4) + ((v6 + (v3 >> 4)) >> 5);
  v21 = (v20 + (v20 >> 12) + HIBYTE(v20)) >> 3;
  v22 = v21 + ((v3 + 3 - 13 * v21) >> 4);
  std::ostream::operator<<(&v173, v22);
  v23 = (v8 >> 6) - (v8 >> 10) + (v8 >> 12) + (v8 >> 13) - HIWORD(v8) + v9;
  v24 = ((v23 + (v23 >> 20)) >> 6) + ((v8 - 100 * ((v23 + (v23 >> 20)) >> 6) + 28) >> 7);
  std::ostream::operator<<(&v173, v24);
  v25 = v6 | v3 | ((v6 | v3) >> 2) | ((v6 | v3 | ((v6 | v3) >> 2)) >> 4);
  v26 = v25 | (v25 >> 8) | ((v25 | (v25 >> 8)) >> 16);
  v153 = v26 - (v26 >> 1);
  std::ostream::operator<<(&v173, v153);
  v27.n64_u64[0] = vand_s8(v168, (int8x8_t)0x5B6DB6DB09249249LL).n64_u64[0];
  v27.n64_u32[0] = vadd_s32(vdup_lane_s32(v27, 1), v27).n64_u32[0];
  v170 = ((v3 - v27.n64_u32[0] + ((v3 - v27.n64_u32[0]) >> 3)) & 0xC71C71C7) % 0x3F;
  std::ostream::operator<<(&v173, v170);
  v151 = v6;
  if ( v3 )
  {
    v28 = (unsigned __int16)v3;
    if ( (_WORD)v3 )
      v29 = v3;
    else
      v29 = v16;
    if ( (_WORD)v3 )
      v30 = 1;
    else
      v30 = 17;
    if ( !(_BYTE)v29 )
    {
      v29 >>= 8;
      v30 |= 8u;
    }
    if ( (v29 & 0xF) == 0 )
    {
      v29 >>= 4;
      v30 |= 4u;
    }
    if ( (v29 & 3) == 0 )
    {

Last edited by mb_qzwrkwda on 2024-10-17 14:23, reason:
Latest replies (22)
2
Thanks for sharing, learned a lot.
2024-10-15 23:07
3
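They didn't expect it to get this popular either; suddenly a large number of adults also `like` answering quiz questions. They are probably working overtime right now to strengthen security, while the business side is purchasing xx enterprise-edition hardening.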
2024-10-16 09:11
4
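你瞒我瞒 wrote: They didn't expect it to get this popular either; suddenly a large number of adults also `like` answering quiz questions. They are probably working overtime right now to strengthen security, while the business side is purchasing xx enterprise-edition hardening.
You can tell they keep hardening it. They might as well go all the way in one step and give everyone a VM to play with.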
2024-10-16 09:55
5
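Hello, may I ask how you traced the flow and saved it locally? Is it unidbg? Also, what is your APK version? I am currently stuck on the long number you mentioned as well. When I fix the timestamp, its result is fixed too, so I would like to save a log locally the way you did.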
2024-10-16 10:10
6
Thanks for sharing.
2024-10-16 10:36
7
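Using the STL standard library lowers the reversing difficulty, doesn't it? Especially with the shared C++ library, the logic is clear at a glance. That std::string append function is actually operator+ that was optimized into an append operation.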
2024-10-16 10:53
8
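The key timestamp generation has not been analyzed. For a pure algorithm reimplementation this part can stop some people, but it cannot stop unidbg.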
2024-10-16 11:50
9
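墨穹呢 wrote: The key timestamp generation has not been analyzed. For a pure algorithm reimplementation this part can stop some people, but it cannot stop unidbg.
Could I discuss the approach with you?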
2024-10-16 12:34
10
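mb_asiwnxyv wrote: Could I discuss the approach with you?

There's really not much to discuss. It is just a custom timestamp generation, expanded into a string several hundred digits long; this string is concatenated with the earlier path, followed by a few rounds of standard MD5.

For generating it with unidbg, see xiaoyuan_unidbg.

Last edited by 墨穹呢 on 2024-10-16 12:39, reason: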
2024-10-16 12:37
11
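墨穹呢 wrote: mb_asiwnxyv wrote: Could I discuss the approach with you? There's really not much to discuss. It is just a custom timestamp generation, expanded into a string several hundred digits long; this string ...
It is exactly this several-hundred-digit string that confuses me; I have analyzed pretty much everything else.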
2024-10-16 13:02
12
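mb_asiwnxyv wrote: It is exactly this several-hundred-digit string that confuses me; I have analyzed pretty much everything else.

Follow the logic of the .so step by step and you can reconstruct it; this is purely grunt work.

Look at the original poster's sub_65794 pseudocode:

time(&timer);
timer = (timer + a2) / 60;

Just keep following timer.

The several-hundred-digit string is all derived from this variable.

Let me show you what I reconstructed on iOS:


The basic logic is all like this.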

2024-10-16 13:21
13
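墨穹呢 wrote: The key timestamp generation has not been analyzed. For a pure algorithm reimplementation this part can stop some people, but it cannot stop unidbg.
For this, look at the trace I provided; look at the last image, time(&timer), to get some clues.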
2024-10-16 13:21
14
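lhxdiao wrote: Using the STL standard library lowers the reversing difficulty, doesn't it? Especially with the shared C++ library, the logic is clear at a glance. That std::string append function is actually operator+ that was optimized into an append operation.
That's right, but how a string appears as a struct in memory does pose some difficulty. Without symbols, I feel the analysis would be harder; for my trace tool it is indeed somewhat difficult.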
2024-10-16 13:22
15
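mb_asiwnxyv wrote: Hello, may I ask how you traced the flow and saved it locally? Is it unidbg? Also, what is your APK version? I am currently stuck on the long number you mentioned as well. When I fix the timestamp, its result is fixed too, so I would like to save a log to ...
Hello, it is not unidbg; it was executed directly on a real device with a trace tool I wrote myself. For injection, see my previous post; I used zygisk injection. If you need it, contact me and I can fix your value and trace a copy for you.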
2024-10-16 13:23
16
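墨穹呢 wrote: Follow the logic of the .so step by step and you can reconstruct it; this is purely grunt work. Look at the original poster's sub_65794 pseudocode: time(&timer); timer = (timer ...
Okay, thank you for your reply.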
2024-10-16 13:25
17
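墨穹呢 wrote: mb_asiwnxyv wrote: Could I discuss the approach with you? There's really not much to discuss. It is just a custom timestamp generation, expanded into a string several hundred digits long; this string ...
Already starred. Thanks for the exchange.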
2024-10-16 13:31
18
Anyway, I think this is very impressive.
2024-10-16 15:54
19
Could you help analyze how to enable WebView debugging in i国网?
2024-10-16 19:24
20
Bro, in the trace, how are strings recognized from memory accesses, and how is the performance?
2024-10-16 20:58
21
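method wrote: Bro, in the trace, how are strings recognized from memory accesses, and how is the performance?
It is a trace tool I wrote myself; its speed is about 60 times that of unidbg.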
2024-10-17 14:23
22
Could you share the trace tool?
2024-10-20 17:56
23
May I ask about some of the trace functionality: how is the string-parsing part implemented? Mine keeps crashing with SIGSEGV.
2024-10-21 16:43