首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. Android安全
    3. 发新帖
[原创]某口算部分算法还原思路(禁止用来欺负小学生)
发表于: 2024-10-15 22:24 53354

[原创]某口算部分算法还原思路(禁止用来欺负小学生)

棕熊 活跃值
4
2024-10-15 22:24
53354

前言: 本文仅为了交流学习,提高逆向对抗的水平,更好的防护APP。
版本:应用商城最新
不提供Frida调用脚本,不提供成品算法,仅记录分析过程。如有侵权,请联系我下架,但是我更希望厂商能在不断对抗中进步学习进步自己的产品。

frida检测 spwan注入

进行入参的字符串分析

通过字符串出现的地址找到处理这个字符串的地址

定位到这个函数,发现是个基础函数,通过trace找一共调用了几次

写一个frida脚本进行hook,看处理了什么

发现算法直接被还原出来了,但是到这里还没有结束,让我们看看厂商创新的点

接下来目标变得非常简单,看这些字符串哪里来的

首先是简单的字符串拼接

大家可以根据打印日志尝试,进行还原

简单的字符串拼接我就不讲了:

这里有一串位置数字

找一下:

142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614

的来源

根据入参数推算大概率和第三个参数有关系 -28673

看一下调用了哪些函数,找一下线索

发现调用了大量rand,在这里我推测和第三个入参,以及ctf中出现的伪随机数有关系

从内存中找一些线索

1324013443201793320179222216625288161167772161322

找到第一次出现的地方

发现在这个函数里

发现只是一个复制用的系统库函数

从函数头找上一次调用点

在此处发现线索

搜索内存写入的地址

7d09097130 [libRequestEncoder.so!67130] stp x8, x9, [x19, #48] ; r[X8=0xb400007c95400b01 X9=0xb400007c95400b17 X19=0xb400007c95400ac0] w[]

通过ida动静态结合

向上寻找上一层调用

再次向上追溯

发现是num_put的第二个参数

还处于系统库之中

找到疑似计算的地方

向上追溯一层堆栈,瞬间清晰明了,之前的几次append也被发现了

那么我们直接找增加随机数的这个append前面的逻辑即可

倒数第三次

根据log就可以还原

理所当然的只有一次出现 我们只需要跟踪

7d09096b88 [libRequestEncoder.so!66b88] csel x1, x10, x9, eq ; r[X10=0xb400007c95400c71 X9=0xb400007c7347c880] w[X1=0xb400007c72e0e900]

根据上下文判断(tst w8 0x1) x9会赋值给x1 追踪x9赋值的地方

发现在栈里 进一步跟踪栈的值

向上追溯发现大量字符串 是目标的

找到随机串第一次出现的地方

真口算

hook入参,出参,即可分析出

给厂商的建议:

增加混淆,把常规算法(md5)做一些魔改,哪怕魔改几个IV也会有出奇的作用,做一些反trace的检测

多增加一些浮点数运算,增大模拟调用难度

禁止拿去欺负小学生

function hook_dlopen(soName = '') {
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter: function (args) {
            var pathptr = args[0];
            if (pathptr !== undefined && pathptr != null) {
                var path = ptr(pathptr).readCString();
                if(path.indexOf('libmsaoaidsec.so') >= 0){
                    ptr(pathptr).writeUtf8String("");
                }
                console.log('path: ',path)
            }
        }
    });
}
hook_dlopen()
function hook_dlopen(soName = '') {
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter: function (args) {
            var pathptr = args[0];
            if (pathptr !== undefined && pathptr != null) {
                var path = ptr(pathptr).readCString();
                if(path.indexOf('libmsaoaidsec.so') >= 0){
                    ptr(pathptr).writeUtf8String("");
                }
                console.log('path: ',path)
            }
        }
    });
}
hook_dlopen()
gan_sign script loaded successfully
memory_function called with pointer: function value() {
[native code]
}
input/打码/android/auth/password wdi4n2t8edr -28673
output:  ad6980251c11b17d60ef6cd01cd6cba7
message: {'type': 'send', 'payload': 'ad6980251c11b17d60ef6cd01cd6cba7'} data: None
gan_sign script loaded successfully
memory_function called with pointer: function value() {
[native code]
}
input/打码/android/auth/password wdi4n2t8edr -28673
output:  ad6980251c11b17d60ef6cd01cd6cba7
message: {'type': 'send', 'payload': 'ad6980251c11b17d60ef6cd01cd6cba7'} data: None
[22041216C::包名打码 ]-> call()
gan_sign script loaded successfully
entered
Current string: /leo-gateway/android/auth/password
String to append: wdi4n2t8edr
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edr
String to append: bcd65d0baba159174a6b3331ac998605
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605
String to append: /leo-gateway/android/auth/password
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password
String to append: 654194b4dbd03e4dc79ccbce86dda67a
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a
String to append: 142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614
String to append: e137a72e24678540f39b76b454f30661
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614e137a72e24678540f39b76b454f30661
String to append: wdi4n2t8edr
input/leo-gateway/android/auth/password wdi4n2t8edr -28673
output:  48e0bfda36ffbd3d66d79264da7e5b93
message: {'type': 'send', 'payload': '48e0bfda36ffbd3d66d79264da7e5b93'} data: None
[22041216C::包名打码 ]-> call()
gan_sign script loaded successfully
entered
Current string: /leo-gateway/android/auth/password
String to append: wdi4n2t8edr
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edr
String to append: bcd65d0baba159174a6b3331ac998605
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605
String to append: /leo-gateway/android/auth/password
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password
String to append: 654194b4dbd03e4dc79ccbce86dda67a
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a
String to append: 142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614
String to append: e137a72e24678540f39b76b454f30661
entered
Current string: /leo-gateway/android/auth/passwordwdi4n2t8edrbcd65d0baba159174a6b3331ac998605/leo-gateway/android/auth/password654194b4dbd03e4dc79ccbce86dda67a142401346320179532017943221662728816116777216143261965096053842881612216627182881616157632309605384288161611428816154288161612619650288161524802692576323014960538414480269248026927144161488641828816161147144161488643201794576323032017955763230288161521169605384288161552881615143355443219288161532881615214576323028816155480269219167772161414288161611416721288161541428816153433554432240134657632307288161614e137a72e24678540f39b76b454f30661
String to append: wdi4n2t8edr
input/leo-gateway/android/auth/password wdi4n2t8edr -28673
output:  48e0bfda36ffbd3d66d79264da7e5b93
message: {'type': 'send', 'payload': '48e0bfda36ffbd3d66d79264da7e5b93'} data: None
// Hook std::string::append 函数
var libRequestEncoder =Module.findBaseAddress("libRequestEncoder.so")
 
var addr =libRequestEncoder.add(0xb18b0);
 
Interceptor.attach(ptr(addr), {
    onEnter: function (args) {
        console.log("entered")
        var a1 = args[0]; // std::string 对象
        var src = args[1]; // 要添加的字符串
        var n = args[2].toInt32(); // 要添加的长度
        // 判断是否使用小对象优化
        var v4 = Memory.readU8(a1);
        var isSSO = (v4 & 1) == 0;
 
        // 获取当前字符串内容
        var currentStr;
        if (isSSO) {
            // 小对象优化
            currentStr = Memory.readUtf8String(a1.add(1)); // 从a1 + 1位置读取字符串
        } else {
            // 堆上的字符串
            var ptr = Memory.readPointer(a1.add(16)); // a1[2] 是堆上的字符串指针
            currentStr = Memory.readUtf8String(ptr);
        }
 
        // 打印当前字符串和即将添加的字符串
        console.log("Current string: " + currentStr);
        console.log("String to append: " + Memory.readUtf8String(src, n));
    }
});
// Hook std::string::append 函数
var libRequestEncoder =Module.findBaseAddress("libRequestEncoder.so")
 
var addr =libRequestEncoder.add(0xb18b0);
 
Interceptor.attach(ptr(addr), {
    onEnter: function (args) {
        console.log("entered")
        var a1 = args[0]; // std::string 对象
        var src = args[1]; // 要添加的字符串
        var n = args[2].toInt32(); // 要添加的长度
        // 判断是否使用小对象优化
        var v4 = Memory.readU8(a1);
        var isSSO = (v4 & 1) == 0;
 
        // 获取当前字符串内容
        var currentStr;
        if (isSSO) {
            // 小对象优化
            currentStr = Memory.readUtf8String(a1.add(1)); // 从a1 + 1位置读取字符串
        } else {
            // 堆上的字符串
            var ptr = Memory.readPointer(a1.add(16)); // a1[2] 是堆上的字符串指针
            currentStr = Memory.readUtf8String(ptr);
        }
 
        // 打印当前字符串和即将添加的字符串
        console.log("Current string: " + currentStr);
        console.log("String to append: " + Memory.readUtf8String(src, n));
    }
});
void __usercall sub_66A48(
        __int64 a1@<X0>,
        unsigned __int8 *a2@<X1>,
        unsigned __int8 *a3@<X2>,
        int a4@<W3>,
        _QWORD *a5@<X8>)
{
  unsigned __int64 v8; // x8
  bool v9; // zf
  size_t v10; // x8
  void *v11; // x1
  size_t v12; // x2
  char *v13; // x1
  size_t v14; // x2
  unsigned __int64 v15; // x8
  bool v16; // zf
  size_t v17; // x8
  void *v18; // x1
  size_t v19; // x2
  char *v20; // x1
  size_t v21; // x2
  _BYTE *v22; // x1
  size_t v23; // x2
  char *v24; // x1
  size_t v25; // x2
  unsigned __int64 v26; // x8
  bool v27; // zf
  size_t v28; // x8
  void *v29; // x1
  size_t v30; // x2
  __int64 v31; // [xsp+0h] [xbp-C0h] BYREF
  size_t v32; // [xsp+8h] [xbp-B8h]
  void *v33; // [xsp+10h] [xbp-B0h]
  _BYTE v34[16]; // [xsp+18h] [xbp-A8h] BYREF
  void *v35; // [xsp+28h] [xbp-98h]
  unsigned __int8 v36; // [xsp+30h] [xbp-90h]
  _BYTE v37[15]; // [xsp+31h] [xbp-8Fh] BYREF
  void *v38; // [xsp+40h] [xbp-80h]
  _BYTE v39[112]; // [xsp+48h] [xbp-78h] BYREF
  __int64 v40; // [xsp+B8h] [xbp-8h]
 
  v40 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  sub_65794(a1, a4);
  std::string::basic_string(v34, a2);
  v8 = *a3;
  v9 = (v8 & 1) == 0;
  v10 = v8 >> 1;
  if ( v9 )
    v11 = a3 + 1;
  else
    v11 = (void *)*((_QWORD *)a3 + 2);
  if ( v9 )
    v12 = v10;
  else
    v12 = *((_QWORD *)a3 + 1);
  std::string::append((int)v34, v11, v12);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v13 = (char *)v33;
  else
    v13 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v14 = v32;
  else
    v14 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v13, v14);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  v15 = *a2;
  v16 = (v15 & 1) == 0;
  v17 = v15 >> 1;
  if ( v16 )
    v18 = a2 + 1;
  else
    v18 = (void *)*((_QWORD *)a2 + 2);
  if ( v16 )
    v19 = v17;
  else
    v19 = *((_QWORD *)a2 + 1);
  std::string::append((int)v34, v18, v19);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v20 = (char *)v33;
  else
    v20 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v21 = v32;
  else
    v21 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v20, v21);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  if ( (v36 & 1) != 0 )
    v22 = v38;
  else
    v22 = v37;
  if ( (v36 & 1) != 0 )
    v23 = *(_QWORD *)&v37[7];
  else
    v23 = (unsigned __int64)v36 >> 1;
  std::string::append((int)v34, v22, v23);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v24 = (char *)v33;
  else
    v24 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v25 = v32;
  else
    v25 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v24, v25);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  v26 = *a3;
  v27 = (v26 & 1) == 0;
  v28 = v26 >> 1;
  if ( v27 )
    v29 = a3 + 1;
  else
    v29 = (void *)*((_QWORD *)a3 + 2);
  if ( v27 )
    v30 = v28;
  else
    v30 = *((_QWORD *)a3 + 1);
  std::string::append((int)v34, v29, v30);
  sub_64970(v39, v34);
  sub_655F4(a5, v39);
  if ( (v34[0] & 1) != 0 )
    operator delete(v35);
  if ( (v36 & 1) != 0 )
    operator delete(v38);
}
void __usercall sub_66A48(
        __int64 a1@<X0>,
        unsigned __int8 *a2@<X1>,
        unsigned __int8 *a3@<X2>,
        int a4@<W3>,
        _QWORD *a5@<X8>)
{
  unsigned __int64 v8; // x8
  bool v9; // zf
  size_t v10; // x8
  void *v11; // x1
  size_t v12; // x2
  char *v13; // x1
  size_t v14; // x2
  unsigned __int64 v15; // x8
  bool v16; // zf
  size_t v17; // x8
  void *v18; // x1
  size_t v19; // x2
  char *v20; // x1
  size_t v21; // x2
  _BYTE *v22; // x1
  size_t v23; // x2
  char *v24; // x1
  size_t v25; // x2
  unsigned __int64 v26; // x8
  bool v27; // zf
  size_t v28; // x8
  void *v29; // x1
  size_t v30; // x2
  __int64 v31; // [xsp+0h] [xbp-C0h] BYREF
  size_t v32; // [xsp+8h] [xbp-B8h]
  void *v33; // [xsp+10h] [xbp-B0h]
  _BYTE v34[16]; // [xsp+18h] [xbp-A8h] BYREF
  void *v35; // [xsp+28h] [xbp-98h]
  unsigned __int8 v36; // [xsp+30h] [xbp-90h]
  _BYTE v37[15]; // [xsp+31h] [xbp-8Fh] BYREF
  void *v38; // [xsp+40h] [xbp-80h]
  _BYTE v39[112]; // [xsp+48h] [xbp-78h] BYREF
  __int64 v40; // [xsp+B8h] [xbp-8h]
 
  v40 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  sub_65794(a1, a4);
  std::string::basic_string(v34, a2);
  v8 = *a3;
  v9 = (v8 & 1) == 0;
  v10 = v8 >> 1;
  if ( v9 )
    v11 = a3 + 1;
  else
    v11 = (void *)*((_QWORD *)a3 + 2);
  if ( v9 )
    v12 = v10;
  else
    v12 = *((_QWORD *)a3 + 1);
  std::string::append((int)v34, v11, v12);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v13 = (char *)v33;
  else
    v13 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v14 = v32;
  else
    v14 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v13, v14);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  v15 = *a2;
  v16 = (v15 & 1) == 0;
  v17 = v15 >> 1;
  if ( v16 )
    v18 = a2 + 1;
  else
    v18 = (void *)*((_QWORD *)a2 + 2);
  if ( v16 )
    v19 = v17;
  else
    v19 = *((_QWORD *)a2 + 1);
  std::string::append((int)v34, v18, v19);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v20 = (char *)v33;
  else
    v20 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v21 = v32;
  else
    v21 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v20, v21);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  if ( (v36 & 1) != 0 )
    v22 = v38;
  else
    v22 = v37;
  if ( (v36 & 1) != 0 )
    v23 = *(_QWORD *)&v37[7];
  else
    v23 = (unsigned __int64)v36 >> 1;
  std::string::append((int)v34, v22, v23);
  sub_64970(v39, v34);
  sub_655F4(&v31, v39);
  if ( (v31 & 1) != 0 )
    v24 = (char *)v33;
  else
    v24 = (char *)&v31 + 1;
  if ( (v31 & 1) != 0 )
    v25 = v32;
  else
    v25 = (unsigned __int64)(unsigned __int8)v31 >> 1;
  std::string::append((int)v34, v24, v25);
  if ( (v31 & 1) != 0 )
    operator delete(v33);
  v26 = *a3;
  v27 = (v26 & 1) == 0;
  v28 = v26 >> 1;
  if ( v27 )
    v29 = a3 + 1;
  else
    v29 = (void *)*((_QWORD *)a3 + 2);
  if ( v27 )
    v30 = v28;
  else
    v30 = *((_QWORD *)a3 + 1);
  std::string::append((int)v34, v29, v30);
  sub_64970(v39, v34);
  sub_655F4(a5, v39);
  if ( (v34[0] & 1) != 0 )
    operator delete(v35);
  if ( (v36 & 1) != 0 )
    operator delete(v38);
}
__int64 __fastcall sub_65794(__int64 a1, int a2)
{
  unsigned int v3; // w27
  int8x8_t v4; // d8
  unsigned __int64 v5; // d0
  int v6; // w24
  unsigned int v7; // w8
  unsigned int v8; // w20
  unsigned int v9; // w23
  unsigned int v10; // w8
  unsigned int v11; // w19
  unsigned int v12; // w21
  unsigned int v13; // w22
  unsigned int v14; // w8
  unsigned int v15; // w9
  unsigned int v16; // w28
  int v17; // w8
  __int64 v18; // x1
  unsigned int v19; // w22
  unsigned int v20; // w8
  unsigned int v21; // w8
  unsigned int v22; // w21
  unsigned int v23; // w8
  unsigned int v24; // w23
  unsigned int v25; // w8
  unsigned int v26; // w8
  int32x2_t v27; // d0
  int v28; // w26
  unsigned int v29; // w9
  int v30; // w8
  __int64 v31; // x1
  unsigned int v32; // w8
  unsigned int v33; // w8
  unsigned int v34; // w23
  unsigned int v35; // w8
  unsigned int v36; // w9
  unsigned int v37; // w24
  unsigned int v38; // w8
  __int64 v39; // x1
  unsigned __int32 v40; // w8
  unsigned int v41; // w25
  unsigned int v42; // w19
  int v43; // w26
  unsigned int v44; // w8
  unsigned int v45; // w10
  bool v46; // cc
  unsigned int v47; // w9
  unsigned int v48; // w9
  char v49; // w8
  char v50; // w8
  int v51; // w21
  unsigned int v52; // w8
  unsigned int v53; // w10
  unsigned int v54; // w9
  unsigned int v55; // w23
  unsigned int v56; // w8
  unsigned int v57; // w8
  unsigned int v58; // w9
  unsigned int v59; // w8
  int v60; // w9
  __int64 v61; // kr00_8
  unsigned int v62; // w8
  __int64 v63; // x1
  int v64; // w28
  unsigned int v65; // w8
  unsigned int v66; // w8
  unsigned int v67; // w24
  __int64 v68; // x1
  char v69; // w8
  unsigned int v70; // w9
  unsigned int v71; // w9
  unsigned int v72; // w8
  int v73; // w9
  __int64 v74; // kr08_8
  unsigned int v75; // w8
  __int64 v76; // x1
  unsigned int v77; // w8
  unsigned int v78; // w8
  unsigned int v79; // w8
  unsigned int v80; // w20
  int8x8_t v81; // d0
  unsigned __int32 v82; // w8
  uint32x4_t v83; // q0
  uint32x4_t v84; // q0
  int8x16_t v85; // q1
  int v86; // w28
  unsigned int v87; // w8
  unsigned int v88; // w10
  unsigned int v89; // w9
  unsigned __int32 v90; // w8
  unsigned int v91; // w8
  unsigned int v92; // w8
  int v93; // w12
  int v94; // w20
  int v95; // w23
  int v96; // w24
  unsigned int v97; // w8
  unsigned int v98; // w9
  unsigned int v99; // w10
  unsigned int v100; // w8
  unsigned int v101; // w10
  unsigned int v102; // w9
  unsigned int v103; // w8
  unsigned int v104; // w10
  unsigned int v105; // w9
  unsigned int v106; // w8
  unsigned int v107; // w9
  unsigned int v108; // w8
  char v109; // w9
  __int64 v110; // kr10_8
  __int64 v111; // x1
  unsigned int v112; // w8
  unsigned int v113; // w8
  unsigned int v114; // w10
  unsigned int v115; // w9
  unsigned int v116; // w8
  int v117; // w22
  unsigned int v118; // w19
  __int64 v119; // x1
  __int64 v120; // x1
  unsigned int v121; // w8
  unsigned int v122; // w9
  unsigned int v123; // w8
  char v124; // w9
  __int64 v125; // kr18_8
  __int64 v126; // x1
  unsigned int v128; // [xsp+8h] [xbp-208h]
  unsigned int v129; // [xsp+10h] [xbp-200h]
  unsigned int v130; // [xsp+14h] [xbp-1FCh]
  unsigned int v131; // [xsp+18h] [xbp-1F8h]
  int v132; // [xsp+1Ch] [xbp-1F4h]
  int v133; // [xsp+20h] [xbp-1F0h]
  int v134; // [xsp+24h] [xbp-1ECh]
  int v135; // [xsp+28h] [xbp-1E8h]
  unsigned int v136; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v137; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v138; // [xsp+30h] [xbp-1E0h]
  unsigned int v139; // [xsp+34h] [xbp-1DCh]
  int v140; // [xsp+38h] [xbp-1D8h]
  int v141; // [xsp+38h] [xbp-1D8h]
  unsigned int v142; // [xsp+3Ch] [xbp-1D4h]
  int v143; // [xsp+3Ch] [xbp-1D4h]
  unsigned int v144; // [xsp+40h] [xbp-1D0h]
  int v145; // [xsp+40h] [xbp-1D0h]
  unsigned int v146; // [xsp+44h] [xbp-1CCh]
  int v147; // [xsp+44h] [xbp-1CCh]
  unsigned int v148; // [xsp+48h] [xbp-1C8h]
  unsigned __int32 v149; // [xsp+4Ch] [xbp-1C4h]
  unsigned int v150; // [xsp+50h] [xbp-1C0h]
  int v151; // [xsp+64h] [xbp-1ACh]
  unsigned int v152; // [xsp+64h] [xbp-1ACh]
  unsigned int v153; // [xsp+68h] [xbp-1A8h]
  unsigned int v154; // [xsp+6Ch] [xbp-1A4h]
  int v155; // [xsp+88h] [xbp-188h]
  unsigned int v156; // [xsp+88h] [xbp-188h]
  unsigned int v157; // [xsp+8Ch] [xbp-184h]
  unsigned int v158; // [xsp+8Ch] [xbp-184h]
  __int64 v159; // [xsp+98h] [xbp-178h]
  int v160; // [xsp+98h] [xbp-178h]
  int v161; // [xsp+A0h] [xbp-170h]
  int v162; // [xsp+A8h] [xbp-168h]
  unsigned int v163; // [xsp+B0h] [xbp-160h]
  unsigned int v164; // [xsp+B4h] [xbp-15Ch]
  unsigned int v165; // [xsp+B8h] [xbp-158h]
  unsigned int v166; // [xsp+BCh] [xbp-154h]
  unsigned int v167; // [xsp+BCh] [xbp-154h]
  int8x8_t v168; // [xsp+C0h] [xbp-150h]
  unsigned int v169; // [xsp+C0h] [xbp-150h]
  unsigned int v170; // [xsp+D8h] [xbp-138h]
  unsigned int v171; // [xsp+DCh] [xbp-134h]
  time_t timer; // [xsp+E0h] [xbp-130h] BYREF
  __int64 (__fastcall **v173)(); // [xsp+E8h] [xbp-128h] BYREF
  _QWORD v174[8]; // [xsp+F0h] [xbp-120h] BYREF
  __int128 v175; // [xsp+130h] [xbp-E0h]
  __int128 v176; // [xsp+140h] [xbp-D0h]
  int v177; // [xsp+150h] [xbp-C0h]
  _QWORD v178[18]; // [xsp+158h] [xbp-B8h] BYREF
  int v179; // [xsp+1E8h] [xbp-28h]
  __int64 v180; // [xsp+1F0h] [xbp-20h]
 
  v180 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  time(&timer);
  v178[0] = off_D9C20;
  timer = (timer + a2) / 60;
  v173 = off_D9BF8;
  std::ios_base::init((std::ios_base *)v178, v174);
  v178[17] = 0LL;
  v179 = -1;
  v173 = off_D9B88;
  v178[0] = off_D9BB0;
  std::streambuf::basic_streambuf(v174);
  v3 = timer;
  v4.n64_u64[0] = vdup_n_s32(timer).n64_u64[0];
  v5 = vshl_u32(v4, (uint32x2_t)-2LL).n64_u64[0];
  v6 = HIDWORD(v5);
  v168.n64_u64[0] = v5;
  v140 = HIDWORD(v5) & 0x55555555;
  v7 = (((unsigned int)(timer - v140) >> 2) & 0x33333333) + ((timer - v140) & 0x33333333);
  v175 = 0u;
  v176 = 0u;
  v166 = (v7 + (v7 >> 4)) & 0xF0F0F0F;
  v177 = 16;
  v174[0] = off_D9C40;
  v146 = (v166 + (v166 >> 8) + ((v166 + (v166 >> 8)) >> 16)) & 0x3F;
  std::ostream::operator<<(&v173, v146);
  v8 = v3 + (v3 >> 31);
  v9 = (v8 >> 1) + (v8 >> 3);
  v10 = v9 + (v9 >> 4) + ((v9 + (v9 >> 4)) >> 8);
  v136 = v10 + HIWORD(v10);
  v154 = (v136 >> 3) + ((v8 - 12 * (v136 >> 3) + 4) >> 4);
  std::ostream::operator<<(&v173, v154);
  v150 = v3 >> 3;
  v11 = v6 + v168.n64_u32[0];
  v12 = (v11
       + v150
       + ((v11 + v150) >> 6)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  v13 = v3 - 9 * v12;
  if ( v13 <= 8 )
    v14 = (v11
         + v150
         + ((v11 + v150) >> 6)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  else
    v14 = v12 + 1;
  v144 = v14 + 1;
  std::ostream::operator<<(&v173, v14 + 1);
  v142 = v12 + ((v13 + 7) >> 4);
  std::ostream::operator<<(&v173, v142);
  v15 = HIWORD(v3);
  if ( v3 )
  {
    v16 = HIWORD(v3);
    if ( (_WORD)v3 )
    {
      v15 = v3;
      v17 = 1;
    }
    else
    {
      v17 = 17;
    }
    if ( !(_BYTE)v15 )
    {
      v15 >>= 8;
      v17 |= 8u;
    }
    if ( (v15 & 0xF) == 0 )
    {
      v15 >>= 4;
      v17 |= 4u;
    }
    if ( (v15 & 3) == 0 )
    {
      LOBYTE(v15) = v15 >> 2;
      v17 |= 2u;
    }
    v18 = v17 - (v15 & 1);
  }
  else
  {
    v16 = 0;
    v18 = 32LL;
  }
  std::ostream::operator<<(&v173, v18);
  v19 = v3 + 3;
  v157 = v3 >> 4;
  v20 = v6 + (v3 >> 4) + ((v6 + (v3 >> 4)) >> 4) + ((v6 + (v3 >> 4)) >> 5);
  v21 = (v20 + (v20 >> 12) + HIBYTE(v20)) >> 3;
  v22 = v21 + ((v3 + 3 - 13 * v21) >> 4);
  std::ostream::operator<<(&v173, v22);
  v23 = (v8 >> 6) - (v8 >> 10) + (v8 >> 12) + (v8 >> 13) - HIWORD(v8) + v9;
  v24 = ((v23 + (v23 >> 20)) >> 6) + ((v8 - 100 * ((v23 + (v23 >> 20)) >> 6) + 28) >> 7);
  std::ostream::operator<<(&v173, v24);
  v25 = v6 | v3 | ((v6 | v3) >> 2) | ((v6 | v3 | ((v6 | v3) >> 2)) >> 4);
  v26 = v25 | (v25 >> 8) | ((v25 | (v25 >> 8)) >> 16);
  v153 = v26 - (v26 >> 1);
  std::ostream::operator<<(&v173, v153);
  v27.n64_u64[0] = vand_s8(v168, (int8x8_t)0x5B6DB6DB09249249LL).n64_u64[0];
  v27.n64_u32[0] = vadd_s32(vdup_lane_s32(v27, 1), v27).n64_u32[0];
  v170 = ((v3 - v27.n64_u32[0] + ((v3 - v27.n64_u32[0]) >> 3)) & 0xC71C71C7) % 0x3F;
  std::ostream::operator<<(&v173, v170);
  v151 = v6;
  if ( v3 )
  {
    v28 = (unsigned __int16)v3;
    if ( (_WORD)v3 )
      v29 = v3;
    else
      v29 = v16;
    if ( (_WORD)v3 )
      v30 = 1;
    else
      v30 = 17;
    if ( !(_BYTE)v29 )
    {
      v29 >>= 8;
      v30 |= 8u;
    }
    if ( (v29 & 0xF) == 0 )
    {
      v29 >>= 4;
      v30 |= 4u;
    }
    if ( (v29 & 3) == 0 )
    {
      LOBYTE(v29) = v29 >> 2;
      v30 |= 2u;
    }
    v31 = v30 - (v29 & 1);
  }
  else
  {
    v16 = 0;
    v28 = 0;
    v31 = 32LL;
  }
  std::ostream::operator<<(&v173, v31);
  v32 = v11 - (v3 >> 5) + (v3 >> 7) + ((v11 - (v3 >> 5) + (v3 >> 7)) >> 10);
  v131 = ((v32 + (v32 >> 20)) >> 3) + ((v3 - 11 * ((v32 + (v32 >> 20)) >> 3) + 5) >> 4);
  std::ostream::operator<<(&v173, v131);
  v155 = v28;
  v139 = 21845 * v16
       + ((int)v3 >> 31)
       + ((21846 * v16 + ((unsigned int)(21846 * v28) >> 16)) >> 16)
       + ((21845 * v28 + (unsigned int)(unsigned __int16)(21846 * v16 + ((unsigned int)(21846 * v28) >> 16))) >> 16);
  std::ostream::operator<<(&v173, v139);
  std::ostream::operator<<(&v173, v24);
  std::ostream::operator<<(&v173, v22);
  v159 = (unsigned __int8)v16;
  v132 = byte_429F0[BYTE1(v3)];
  v133 = byte_429F0[(unsigned __int8)v16];
  v134 = byte_429F0[(unsigned __int8)v3];
  v135 = byte_429F0[HIBYTE(v3)];
  std::ostream::operator<<(&v173, (unsigned int)(v132 + v134 + v133 + v135));
  v163 = -v3 & v3;
  v171 = v163 + v3;
  v164 = ((v163 + v3) ^ v3) >> 1;
  v165 = v171 ^ v3;
  v33 = ((((v171 ^ v3) - (v164 & 0x55555555)) >> 2) & 0x33333333) + (((v171 ^ v3) - (v164 & 0x55555555)) & 0x33333333);
  v34 = (v163 + v3) | ~(-1 << (((16843009 * ((v33 + (v33 >> 4)) & 0xF0F0F0F)) >> 24) - 2));
  std::ostream::operator<<(&v173, v34);
  v35 = v11 + (v11 >> 4) + ((v11 + (v11 >> 4)) >> 8);
  v36 = (v35 + HIWORD(v35)) >> 2;
  v37 = v3 - 5 * v36;
  v130 = v36;
  if ( v37 <= 4 )
    v38 = (v35 + HIWORD(v35)) >> 2;
  else
    v38 = v36 + 1;
  if ( v37 <= 9 )
    v39 = v38;
  else
    v39 = v38 + 1;
  v148 = v39;
  std::ostream::operator<<(&v173, v39);
  v40 = v168.n64_u32[0]
      + v157
      + ((v168.n64_u32[0] + v157) >> 4)
      + ((v168.n64_u32[0] + v157 + ((v168.n64_u32[0] + v157) >> 4)) >> 8);
  v129 = v40 + HIWORD(v40) + ((11 * (-3 * (v40 + HIWORD(v40)) + v3)) >> 5);
  std::ostream::operator<<(&v173, v129);
  std::ostream::operator<<(&v173, v34);
  std::ostream::operator<<(&v173, v170);
  v41 = v3 + 2;
  v42 = v3 + 1;
  v43 = (v3 + 2) & ~v3;
  v44 = 0x80000000;
  while ( 1 )
  {
    if ( (v44 & v43) == 0 )
    {
      if ( (v44 & (-3 - v3) & v3) != 0 )
      {
        v47 = (v44 | v41) & -v44;
        if ( v47 <= v19 )
          goto LABEL_44;
      }
      goto LABEL_39;
    }
    v45 = (v44 | v3) & -v44;
    if ( v45 <= v42 )
      break;
LABEL_39:
    v46 = v44 > 1;
    v44 >>= 1;
    if ( !v46 )
    {
      v47 = v3 + 2;
LABEL_44:
      v45 = v3;
      goto LABEL_46;
    }
  }
  v47 = v3 + 2;
LABEL_46:
  std::ostream::operator<<(&v173, v45 | v47);
  v128 = v16;
  if ( v3 )
  {
    if ( v155 )
      v48 = v3;
    else
      v48 = v16;
    if ( v155 )
      v49 = 1;
    else
      v49 = 17;
    if ( !(_BYTE)v48 )
    {
      v48 >>= 8;
      v49 |= 8u;
    }
    if ( (v48 & 0xF) == 0 )
    {
      v48 >>= 4;
      v49 |= 4u;
    }
    if ( (v48 & 3) == 0 )
    {
      LOBYTE(v48) = v48 >> 2;
      v49 |= 2u;
    }
    v50 = v49 - (v48 & 1) + 2;
  }
  else
  {
    v50 = 34;
  }
  std::ostream::operator<<(&v173, (v165 >> v50) | v171);
  std::ostream::operator<<(&v173, v131);
  v51 = ~(v41 | v3);
  v52 = 0x80000000;
  while ( 2 )
  {
    if ( (v52 & v51) == 0 )
    {
LABEL_62:
      v46 = v52 > 1;
      v52 >>= 1;
      if ( !v46 )
      {
        v54 = v3 + 2;
LABEL_67:
        v53 = v3;
        goto LABEL_69;
      }
      continue;
    }
    break;
  }
  v53 = (v52 | v3) & -v52;
  if ( v53 > v42 )
  {
    v54 = (v52 | v41) & -v52;
    if ( v54 <= v19 )
      goto LABEL_67;
    goto LABEL_62;
  }
  v54 = v3 + 2;
LABEL_69:
  std::ostream::operator<<(&v173, v53 & v54);
  v55 = (v136 >> 2) + ((v8 - 6 * (v136 >> 2) + 2) >> 3);
  std::ostream::operator<<(&v173, v55);
  v137 = v130 + ((7 * v37) >> 5);
  std::ostream::operator<<(&v173, v137);
  std::ostream::operator<<(&v173, v170);
  std::ostream::operator<<(&v173, v129);
  v167 = (16843009 * v166) >> 24;
  std::ostream::operator<<(&v173, v167);
  v56 = (v8 >> 3) + (v8 >> 5) + (((v8 >> 3) + (v8 >> 5)) >> 4);
  v57 = v56 + (v56 >> 8) + ((v56 + (v56 >> 8)) >> 16);
  v138 = v57 + ((11 * (v8 - 6 * v57)) >> 6);
  std::ostream::operator<<(&v173, v138);
  std::ostream::operator<<(&v173, v55);
  if ( v3 )
  {
    if ( v3 >= 0x10000 )
      v58 = v3;
    else
      v58 = v3 << 16;
    if ( HIBYTE(v58) )
      v59 = v58;
    else
      v59 = v58 << 8;
    if ( HIBYTE(v58) )
      v60 = 16 * (v3 < 0x10000);
    else
      v60 = (16 * (v3 < 0x10000)) | 8;
    if ( !(v59 >> 28) )
    {
      v59 *= 16;
      v60 |= 4u;
    }
    v61 = 4LL * v59;
    if ( is_mul_ok(4u, v59) )
      v59 *= 4;
    v62 = ~v59;
    if ( !HIDWORD(v61) )
      v60 |= 2u;
    v63 = v60 + (v62 >> 31);
  }
  else
  {
    v63 = 32LL;
  }
  v64 = v155;
  std::ostream::operator<<(&v173, v63);
  v65 = (((v140 + (v3 & 0x55555555)) >> 2) & 0x33333333) + ((v140 + (v3 & 0x55555555)) & 0x33333333);
  v66 = (((((v65 >> 4) & 0x7070707) + (v65 & 0x7070707)) >> 8) & 0xF000F)
      + ((((v65 >> 4) & 0x7070707) + (v65 & 0x7070707)) & 0xF000F);
  v156 = (v66 & 0x1F) + HIWORD(v66);
  std::ostream::operator<<(&v173, v156);
  v67 = __rbit32(v3);
  std::ostream::operator<<(&v173, v67);
  std::ostream::operator<<(&v173, (unsigned int)(v132 + v134 + v133 + v135));
  if ( v3 )
  {
    if ( v64 )
      v69 = 1;
    else
      v69 = 17;
    if ( v64 )
      v70 = v3;
    else
      v70 = v128;
    if ( !(_BYTE)v70 )
    {
      v70 >>= 8;
      v69 |= 8u;
    }
    if ( (v70 & 0xF) == 0 )
    {
      v70 >>= 4;
      v69 |= 4u;
    }
    if ( (v70 & 3) == 0 )
    {
      LOBYTE(v70) = v70 >> 2;
      v69 |= 2u;
    }
    std::ostream::operator<<(&v173, (v165 >> (v69 - (v70 & 1) + 2)) | v171);
    std::ostream::operator<<(&v173, v167);
    if ( v3 >= 0x10000 )
      v71 = v3;
    else
      v71 = v3 << 16;
    if ( HIBYTE(v71) )
      v72 = v71;
    else
      v72 = v71 << 8;
    if ( HIBYTE(v71) )
      v73 = 16 * (v3 < 0x10000);
    else
      v73 = (16 * (v3 < 0x10000)) | 8;
    if ( !(v72 >> 28) )
    {
      v72 *= 16;
      v73 |= 4u;
    }
    v74 = 4LL * v72;
    if ( is_mul_ok(4u, v72) )
      v72 *= 4;
    v75 = ~v72;
    if ( !HIDWORD(v74) )
      v73 |= 2u;
    v76 = v73 + (v75 >> 31);
  }
  else
  {
    std::ostream::operator<<(&v173, v68);
    std::ostream::operator<<(&v173, v167);
    v76 = 32LL;
  }
  std::ostream::operator<<(&v173, v76);
  std::ostream::operator<<(&v173, v146);
  std::ostream::operator<<(&v173, v67);
  std::ostream::operator<<(&v173, v142);
  std::ostream::operator<<(&v173, v137);
  std::ostream::operator<<(&v173, v144);
  v77 = v150 + v157 + ((v150 + v157) >> 4) + ((v150 + v157 + ((v150 + v157) >> 4)) >> 8);
  v158 = v77 + HIWORD(v77) + ((13 * (v3 - 5 * (v77 + HIWORD(v77)))) >> 6);
  std::ostream::operator<<(&v173, v158);
  v78 = (v8 >> 1) + (v8 >> 2) + (((v8 >> 1) + (v8 >> 2)) >> 4);
  v79 = (v78 + (v78 >> 8) + ((v78 + (v78 >> 8)) >> 16)) >> 3;
  v80 = v79 + ((v8 - 10 * v79 + 6) >> 4);
  std::ostream::operator<<(&v173, v80);
  v81.n64_u64[0] = veor_s8(v168, v4).n64_u64[0];
  v82 = v81.n64_u32[1];
  v83.n128_u64[0] = veor_s8(vshr_n_u32(v81, 4uLL), v81).n64_u64[0];
  v83.n128_u32[2] = v82 ^ (v82 >> 2);
  v83.n128_u32[3] = v83.n128_u32[2];
  v84 = veorq_s8(vshlq_u32(v83, (uint32x4_t)xmmword_42890), v83);
  v85 = vandq_s8(
          veorq_s8(vshlq_u32(v84, (uint32x4_t)xmmword_42870), vshlq_u32(v84, (uint32x4_t)xmmword_42850)),
          (int8x16_t)xmmword_42910);
  v84.n128_u64[0] = vorr_s8((int8x8_t)v85.n128_u64[0], (int8x8_t)vextq_s8(v85, v85, 8uLL).n128_u64[0]).n64_u64[0];
  v149 = (v84.n128_u32[0] | v84.n128_u32[1] | ((v84.n128_u32[3] ^ (v84.n128_u32[3] >> 8)) >> 12) & 0x10 | (32 * (((unsigned __int8)(v84.n128_u8[12] ^ v84.n128_u8[13]) ^ (unsigned __int8)((v84.n128_u32[3] ^ (v84.n128_u32[3] >> 8)) >> 16)) & 1))) ^ -(v3 & 1) & 0x3F;
  std::ostream::operator<<(&v173, v149);
  v145 = byte_42BF0[BYTE1(v3)];
  v147 = byte_42BF0[(unsigned __int8)v3];
  v141 = byte_42BF0[HIBYTE(v3)];
  v143 = byte_42BF0[v159];
  std::ostream::operator<<(&v173, (unsigned int)(v145 + v147 + v143 + v141));
  std::ostream::operator<<(&v173, v139);
  v86 = v19 & v42;
  v87 = 0x80000000;
  do
  {
    if ( (v87 & v86) != 0 )
    {
      v89 = (v42 - v87) | (v87 - 1);
      if ( v89 >= v3 )
        goto LABEL_124;
      v88 = (v19 - v87) | (v87 - 1);
      if ( v88 >= v41 )
      {
        v89 = v3 + 1;
        goto LABEL_125;
      }
    }
    v46 = v87 > 1;
    v87 >>= 1;
  }
  while ( v46 );
  v89 = v3 + 1;
LABEL_124:
  v88 = v3 + 3;
LABEL_125:
  std::ostream::operator<<(&v173, v88 | v89);
  std::ostream::operator<<(&v173, v80);
  v90 = v3 - ((v151 & 0x77777777) + (v168.n64_u32[0] & 0x33333333) + (v150 & 0x11111111));
  v152 = (16843009 * ((v90 + (v90 >> 4)) & 0xF0F0F0F)) >> 24;
  std::ostream::operator<<(&v173, v152);
  v91 = (v3 - 1) | ((v3 - 1) >> 1) | (((v3 - 1) | ((v3 - 1) >> 1)) >> 2);
  v92 = v91 | (v91 >> 4) | ((v91 | (v91 >> 4)) >> 8);
  v169 = (v92 | HIWORD(v92)) + 1;
  std::ostream::operator<<(&v173, v169);
  v162 = byte_42AF0[(unsigned __int8)v3];
  v93 = byte_42AF0[v159];
  v161 = byte_42AF0[BYTE1(v3)];
  v94 = byte_42AF0[HIBYTE(v3)];
  v160 = v93;
  std::ostream::operator<<(&v173, (unsigned int)(v161 + v162 + v93 + v94));
  v95 = (-4 - v3) & v42;
  v96 = (-2 - v3) & v19;
  v97 = 0x80000000;
  do
  {
    if ( (v97 & v95) != 0 )
    {
      v98 = v42 & ~v97 | (v97 - 1);
      if ( v98 >= v3 )
        goto LABEL_133;
    }
    else if ( (v97 & v96) != 0 )
    {
      v99 = v19 & ~v97 | (v97 - 1);
      if ( v99 >= v41 )
      {
        v98 = v3 + 1;
        goto LABEL_134;
      }
    }
    v46 = v97 > 1;
    v97 >>= 1;
  }
  while ( v46 );
  v98 = v3 + 1;
LABEL_133:
  v99 = v3 + 3;
LABEL_134:
  std::ostream::operator<<(&v173, v99 & v98);
  v100 = 0x80000000;
  while ( 2 )
  {
    if ( (v100 & v51) == 0 )
    {
LABEL_135:
      v46 = v100 > 1;
      v100 >>= 1;
      if ( !v46 )
      {
        v102 = v3 + 2;
LABEL_140:
        v101 = v3;
        goto LABEL_142;
      }
      continue;
    }
    break;
  }
  v101 = (v100 | v3) & -v100;
  if ( v101 > v42 )
  {
    v102 = (v100 | v41) & -v100;
    if ( v102 <= v19 )
      goto LABEL_140;
    goto LABEL_135;
  }
  v102 = v3 + 2;
LABEL_142:
  std::ostream::operator<<(&v173, v101 & v102);
  std::ostream::operator<<(&v173, v156);
  std::ostream::operator<<(&v173, v148);
  v103 = 0x80000000;
  do
  {
    if ( (v103 & v86) != 0 )
    {
      v105 = (v42 - v103) | (v103 - 1);
      if ( v105 >= v3 )
        goto LABEL_149;
      v104 = (v19 - v103) | (v103 - 1);
      if ( v104 >= v41 )
      {
        v105 = v3 + 1;
        goto LABEL_150;
      }
    }
    v46 = v103 > 1;
    v103 >>= 1;
  }
  while ( v46 );
  v105 = v3 + 1;
LABEL_149:
  v104 = v3 + 3;
LABEL_150:
  std::ostream::operator<<(&v173, v104 | v105);
  std::ostream::operator<<(&v173, v138);
  std::ostream::operator<<(&v173, (unsigned int)(v161 + v162 + v160 + v94));
  std::ostream::operator<<(&v173, v153);
  std::ostream::operator<<(&v173, v167);
  std::ostream::operator<<(&v173, v152);
  v107 = -v3 & v3;
  v106 = (v171 ^ v3) >> 1;
  if ( v163 )
  {
    if ( v163 < 0x10000 )
      v107 = v163 << 16;
    if ( HIBYTE(v107) )
      v108 = v107;
    else
      v108 = v107 << 8;
    if ( HIBYTE(v107) )
      v109 = 16 * (v163 < 0x10000);
    else
      v109 = (16 * (v163 < 0x10000)) | 8;
    if ( !(v108 >> 28) )
    {
      v108 *= 16;
      v109 |= 4u;
    }
    v110 = 4LL * v108;
    if ( is_mul_ok(4u, v108) )
      v108 *= 4;
    if ( !HIDWORD(v110) )
      v109 |= 2u;
    v106 = v165 >> (~(unsigned __int8)((int)v108 >> 31) - v109 + 33);
  }
  std::ostream::operator<<(&v173, v106 | v171);
  std::ostream::operator<<(&v173, v167);
  std::ostream::operator<<(&v173, (unsigned int)(v145 + v147 + v143 + v141));
  LODWORD(v111) = -2;
  do
  {
    v112 = v111 + 2;
    v111 = (unsigned int)(v111 + 1);
  }
  while ( dword_42CF0[v112] < v3 );
  std::ostream::operator<<(&v173, v111);
  std::ostream::operator<<(&v173, v149);
  v113 = 0x80000000;
  while ( 2 )
  {
    if ( (v113 & v43) == 0 )
    {
      if ( (v113 & (-3 - v3) & v3) != 0 )
      {
        v115 = (v113 | v41) & -v113;
        if ( v115 <= v19 )
          goto LABEL_175;
      }
LABEL_170:
      v46 = v113 > 1;
      v113 >>= 1;
      if ( !v46 )
      {
        v115 = v3 + 2;
LABEL_175:
        v114 = v3;
        goto LABEL_177;
      }
      continue;
    }
    break;
  }
  v114 = (v113 | v3) & -v113;
  if ( v114 > v42 )
    goto LABEL_170;
  v115 = v3 + 2;
LABEL_177:
  std::ostream::operator<<(&v173, v114 | v115);
  std::ostream::operator<<(&v173, v170);
  v116 = 0x80000000;
  while ( 2 )
  {
    if ( (v116 & v95) == 0 )
    {
      if ( (v116 & v96) != 0 && (v19 & ~v116 | (v116 - 1)) >= v41 )
      {
        v19 = v19 & ~v116 | (v116 - 1);
        goto LABEL_186;
      }
      goto LABEL_179;
    }
    if ( (v42 & ~v116 | (v116 - 1)) < v3 )
    {
LABEL_179:
      v46 = v116 > 1;
      v116 >>= 1;
      if ( !v46 )
        goto LABEL_186;
      continue;
    }
    break;
  }
  v42 = v42 & ~v116 | (v116 - 1);
LABEL_186:
  std::ostream::operator<<(&v173, v19 & v42);
  v117 = ((v3 & 0x7F7F7F7F) + 2139062143) | v3 | 0x7F7F7F7F;
  v118 = ~v117;
  if ( v117 == -1 )
  {
    v119 = 4LL;
  }
  else if ( (v118 & 0x8080) != 0 )
  {
    v119 = ((v118 >> 7) & 1) == 0;
  }
  else
  {
    v119 = (v118 >> 23) & 1 ^ 3;
  }
  std::ostream::operator<<(&v173, v119);
  std::ostream::operator<<(&v173, v169);
  std::ostream::operator<<(&v173, v154);
  std::ostream::operator<<(&v173, v158);
  LODWORD(v120) = -2;
  do
  {
    v121 = v120 + 2;
    v120 = (unsigned int)(v120 + 1);
  }
  while ( dword_42CF0[v121] < v3 );
  std::ostream::operator<<(&v173, v120);
  v122 = -v3 & v3;
  if ( v163 )
  {
    if ( v163 < 0x10000 )
      v122 = v163 << 16;
    if ( HIBYTE(v122) )
      v123 = v122;
    else
      v123 = v122 << 8;
    if ( HIBYTE(v122) )
      v124 = 16 * (v163 < 0x10000);
    else
      v124 = (16 * (v163 < 0x10000)) | 8;
    if ( !(v123 >> 28) )
    {
      v123 *= 16;
      v124 |= 4u;
    }
    v125 = 4LL * v123;
    if ( is_mul_ok(4u, v123) )
      v123 *= 4;
    if ( !HIDWORD(v125) )
      v124 |= 2u;
    v164 = v165 >> (~(unsigned __int8)((int)v123 >> 31) - v124 + 33);
  }
  std::ostream::operator<<(&v173, v164 | v171);
  if ( v117 == -1 )
  {
    v126 = 4LL;
  }
  else if ( (v118 & 0x8080) != 0 )
  {
    v126 = ((v118 >> 7) & 1) == 0;
  }
  else
  {
    v126 = (v118 >> 23) & 1 ^ 3;
  }
  std::ostream::operator<<(&v173, v126);
  sub_671C4(v174);
  v178[0] = off_D9BB0;
  v173 = off_D9B88;
  v174[0] = off_D9C40;
  if ( (v175 & 1) != 0 )
    operator delete((void *)v176);
  std::streambuf::~streambuf(v174);
  std::ostream::~ostream(&v173, off_D9BC8);
  return std::ios::~ios(v178);
}
__int64 __fastcall sub_65794(__int64 a1, int a2)
{
  unsigned int v3; // w27
  int8x8_t v4; // d8
  unsigned __int64 v5; // d0
  int v6; // w24
  unsigned int v7; // w8
  unsigned int v8; // w20
  unsigned int v9; // w23
  unsigned int v10; // w8
  unsigned int v11; // w19
  unsigned int v12; // w21
  unsigned int v13; // w22
  unsigned int v14; // w8
  unsigned int v15; // w9
  unsigned int v16; // w28
  int v17; // w8
  __int64 v18; // x1
  unsigned int v19; // w22
  unsigned int v20; // w8
  unsigned int v21; // w8
  unsigned int v22; // w21
  unsigned int v23; // w8
  unsigned int v24; // w23
  unsigned int v25; // w8
  unsigned int v26; // w8
  int32x2_t v27; // d0
  int v28; // w26
  unsigned int v29; // w9
  int v30; // w8
  __int64 v31; // x1
  unsigned int v32; // w8
  unsigned int v33; // w8
  unsigned int v34; // w23
  unsigned int v35; // w8
  unsigned int v36; // w9
  unsigned int v37; // w24
  unsigned int v38; // w8
  __int64 v39; // x1
  unsigned __int32 v40; // w8
  unsigned int v41; // w25
  unsigned int v42; // w19
  int v43; // w26
  unsigned int v44; // w8
  unsigned int v45; // w10
  bool v46; // cc
  unsigned int v47; // w9
  unsigned int v48; // w9
  char v49; // w8
  char v50; // w8
  int v51; // w21
  unsigned int v52; // w8
  unsigned int v53; // w10
  unsigned int v54; // w9
  unsigned int v55; // w23
  unsigned int v56; // w8
  unsigned int v57; // w8
  unsigned int v58; // w9
  unsigned int v59; // w8
  int v60; // w9
  __int64 v61; // kr00_8
  unsigned int v62; // w8
  __int64 v63; // x1
  int v64; // w28
  unsigned int v65; // w8
  unsigned int v66; // w8
  unsigned int v67; // w24
  __int64 v68; // x1
  char v69; // w8
  unsigned int v70; // w9
  unsigned int v71; // w9
  unsigned int v72; // w8
  int v73; // w9
  __int64 v74; // kr08_8
  unsigned int v75; // w8
  __int64 v76; // x1
  unsigned int v77; // w8
  unsigned int v78; // w8
  unsigned int v79; // w8
  unsigned int v80; // w20
  int8x8_t v81; // d0
  unsigned __int32 v82; // w8
  uint32x4_t v83; // q0
  uint32x4_t v84; // q0
  int8x16_t v85; // q1
  int v86; // w28
  unsigned int v87; // w8
  unsigned int v88; // w10
  unsigned int v89; // w9
  unsigned __int32 v90; // w8
  unsigned int v91; // w8
  unsigned int v92; // w8
  int v93; // w12
  int v94; // w20
  int v95; // w23
  int v96; // w24
  unsigned int v97; // w8
  unsigned int v98; // w9
  unsigned int v99; // w10
  unsigned int v100; // w8
  unsigned int v101; // w10
  unsigned int v102; // w9
  unsigned int v103; // w8
  unsigned int v104; // w10
  unsigned int v105; // w9
  unsigned int v106; // w8
  unsigned int v107; // w9
  unsigned int v108; // w8
  char v109; // w9
  __int64 v110; // kr10_8
  __int64 v111; // x1
  unsigned int v112; // w8
  unsigned int v113; // w8
  unsigned int v114; // w10
  unsigned int v115; // w9
  unsigned int v116; // w8
  int v117; // w22
  unsigned int v118; // w19
  __int64 v119; // x1
  __int64 v120; // x1
  unsigned int v121; // w8
  unsigned int v122; // w9
  unsigned int v123; // w8
  char v124; // w9
  __int64 v125; // kr18_8
  __int64 v126; // x1
  unsigned int v128; // [xsp+8h] [xbp-208h]
  unsigned int v129; // [xsp+10h] [xbp-200h]
  unsigned int v130; // [xsp+14h] [xbp-1FCh]
  unsigned int v131; // [xsp+18h] [xbp-1F8h]
  int v132; // [xsp+1Ch] [xbp-1F4h]
  int v133; // [xsp+20h] [xbp-1F0h]
  int v134; // [xsp+24h] [xbp-1ECh]
  int v135; // [xsp+28h] [xbp-1E8h]
  unsigned int v136; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v137; // [xsp+2Ch] [xbp-1E4h]
  unsigned int v138; // [xsp+30h] [xbp-1E0h]
  unsigned int v139; // [xsp+34h] [xbp-1DCh]
  int v140; // [xsp+38h] [xbp-1D8h]
  int v141; // [xsp+38h] [xbp-1D8h]
  unsigned int v142; // [xsp+3Ch] [xbp-1D4h]
  int v143; // [xsp+3Ch] [xbp-1D4h]
  unsigned int v144; // [xsp+40h] [xbp-1D0h]
  int v145; // [xsp+40h] [xbp-1D0h]
  unsigned int v146; // [xsp+44h] [xbp-1CCh]
  int v147; // [xsp+44h] [xbp-1CCh]
  unsigned int v148; // [xsp+48h] [xbp-1C8h]
  unsigned __int32 v149; // [xsp+4Ch] [xbp-1C4h]
  unsigned int v150; // [xsp+50h] [xbp-1C0h]
  int v151; // [xsp+64h] [xbp-1ACh]
  unsigned int v152; // [xsp+64h] [xbp-1ACh]
  unsigned int v153; // [xsp+68h] [xbp-1A8h]
  unsigned int v154; // [xsp+6Ch] [xbp-1A4h]
  int v155; // [xsp+88h] [xbp-188h]
  unsigned int v156; // [xsp+88h] [xbp-188h]
  unsigned int v157; // [xsp+8Ch] [xbp-184h]
  unsigned int v158; // [xsp+8Ch] [xbp-184h]
  __int64 v159; // [xsp+98h] [xbp-178h]
  int v160; // [xsp+98h] [xbp-178h]
  int v161; // [xsp+A0h] [xbp-170h]
  int v162; // [xsp+A8h] [xbp-168h]
  unsigned int v163; // [xsp+B0h] [xbp-160h]
  unsigned int v164; // [xsp+B4h] [xbp-15Ch]
  unsigned int v165; // [xsp+B8h] [xbp-158h]
  unsigned int v166; // [xsp+BCh] [xbp-154h]
  unsigned int v167; // [xsp+BCh] [xbp-154h]
  int8x8_t v168; // [xsp+C0h] [xbp-150h]
  unsigned int v169; // [xsp+C0h] [xbp-150h]
  unsigned int v170; // [xsp+D8h] [xbp-138h]
  unsigned int v171; // [xsp+DCh] [xbp-134h]
  time_t timer; // [xsp+E0h] [xbp-130h] BYREF
  __int64 (__fastcall **v173)(); // [xsp+E8h] [xbp-128h] BYREF
  _QWORD v174[8]; // [xsp+F0h] [xbp-120h] BYREF
  __int128 v175; // [xsp+130h] [xbp-E0h]
  __int128 v176; // [xsp+140h] [xbp-D0h]
  int v177; // [xsp+150h] [xbp-C0h]
  _QWORD v178[18]; // [xsp+158h] [xbp-B8h] BYREF
  int v179; // [xsp+1E8h] [xbp-28h]
  __int64 v180; // [xsp+1F0h] [xbp-20h]
 
  v180 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  time(&timer);
  v178[0] = off_D9C20;
  timer = (timer + a2) / 60;
  v173 = off_D9BF8;
  std::ios_base::init((std::ios_base *)v178, v174);
  v178[17] = 0LL;
  v179 = -1;
  v173 = off_D9B88;
  v178[0] = off_D9BB0;
  std::streambuf::basic_streambuf(v174);
  v3 = timer;
  v4.n64_u64[0] = vdup_n_s32(timer).n64_u64[0];
  v5 = vshl_u32(v4, (uint32x2_t)-2LL).n64_u64[0];
  v6 = HIDWORD(v5);
  v168.n64_u64[0] = v5;
  v140 = HIDWORD(v5) & 0x55555555;
  v7 = (((unsigned int)(timer - v140) >> 2) & 0x33333333) + ((timer - v140) & 0x33333333);
  v175 = 0u;
  v176 = 0u;
  v166 = (v7 + (v7 >> 4)) & 0xF0F0F0F;
  v177 = 16;
  v174[0] = off_D9C40;
  v146 = (v166 + (v166 >> 8) + ((v166 + (v166 >> 8)) >> 16)) & 0x3F;
  std::ostream::operator<<(&v173, v146);
  v8 = v3 + (v3 >> 31);
  v9 = (v8 >> 1) + (v8 >> 3);
  v10 = v9 + (v9 >> 4) + ((v9 + (v9 >> 4)) >> 8);
  v136 = v10 + HIWORD(v10);
  v154 = (v136 >> 3) + ((v8 - 12 * (v136 >> 3) + 4) >> 4);
  std::ostream::operator<<(&v173, v154);
  v150 = v3 >> 3;
  v11 = v6 + v168.n64_u32[0];
  v12 = (v11
       + v150
       + ((v11 + v150) >> 6)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
       + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  v13 = v3 - 9 * v12;
  if ( v13 <= 8 )
    v14 = (v11
         + v150
         + ((v11 + v150) >> 6)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 12)
         + ((v11 + v150 + ((v11 + v150) >> 6)) >> 24)) >> 3;
  else
    v14 = v12 + 1;
  v144 = v14 + 1;
  std::ostream::operator<<(&v173, v14 + 1);
  v142 = v12 + ((v13 + 7) >> 4);
  std::ostream::operator<<(&v173, v142);
  v15 = HIWORD(v3);
  if ( v3 )
  {
    v16 = HIWORD(v3);
    if ( (_WORD)v3 )
    {
      v15 = v3;
      v17 = 1;
    }
    else
    {
      v17 = 17;
    }
    if ( !(_BYTE)v15 )
    {
      v15 >>= 8;
      v17 |= 8u;
    }
    if ( (v15 & 0xF) == 0 )
    {
      v15 >>= 4;
      v17 |= 4u;
    }
    if ( (v15 & 3) == 0 )
    {
      LOBYTE(v15) = v15 >> 2;
      v17 |= 2u;
    }
    v18 = v17 - (v15 & 1);
  }
  else
  {
    v16 = 0;
    v18 = 32LL;
  }
  std::ostream::operator<<(&v173, v18);
  v19 = v3 + 3;
  v157 = v3 >> 4;
  v20 = v6 + (v3 >> 4) + ((v6 + (v3 >> 4)) >> 4) + ((v6 + (v3 >> 4)) >> 5);
  v21 = (v20 + (v20 >> 12) + HIBYTE(v20)) >> 3;
  v22 = v21 + ((v3 + 3 - 13 * v21) >> 4);
  std::ostream::operator<<(&v173, v22);
  v23 = (v8 >> 6) - (v8 >> 10) + (v8 >> 12) + (v8 >> 13) - HIWORD(v8) + v9;
  v24 = ((v23 + (v23 >> 20)) >> 6) + ((v8 - 100 * ((v23 + (v23 >> 20)) >> 6) + 28) >> 7);
  std::ostream::operator<<(&v173, v24);
  v25 = v6 | v3 | ((v6 | v3) >> 2) | ((v6 | v3 | ((v6 | v3) >> 2)) >> 4);
  v26 = v25 | (v25 >> 8) | ((v25 | (v25 >> 8)) >> 16);
  v153 = v26 - (v26 >> 1);
  std::ostream::operator<<(&v173, v153);
  v27.n64_u64[0] = vand_s8(v168, (int8x8_t)0x5B6DB6DB09249249LL).n64_u64[0];
  v27.n64_u32[0] = vadd_s32(vdup_lane_s32(v27, 1), v27).n64_u32[0];
  v170 = ((v3 - v27.n64_u32[0] + ((v3 - v27.n64_u32[0]) >> 3)) & 0xC71C71C7) % 0x3F;
  std::ostream::operator<<(&v173, v170);
  v151 = v6;
  if ( v3 )
  {
    v28 = (unsigned __int16)v3;
    if ( (_WORD)v3 )
      v29 = v3;
    else
      v29 = v16;
    if ( (_WORD)v3 )
      v30 = 1;
    else
      v30 = 17;
    if ( !(_BYTE)v29 )
    {
      v29 >>= 8;
      v30 |= 8u;
    }
    if ( (v29 & 0xF) == 0 )
    {
      v29 >>= 4;
      v30 |= 4u;
    }
    if ( (v29 & 3) == 0 )
    {

[培训]科锐软件逆向54期预科班、正式班开始火爆招生报名啦!!!

最后于 2024-10-17 14:23 被棕熊编辑 ,原因:
上传的附件:
收藏
免费 18
支持
分享
最新回复 (23)
mb_ldbucrik
雪    币: 2
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
2
感谢分享,学习了
2024-10-15 23:07
0
你瞒我瞒
雪    币: 3199
活跃值: (12281)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
人家也没想到这么火,突然就有大批成年人也`喜欢`答题了。现在可能加班加点加强安全,同时商务那边在购买xx企业版加固
2024-10-16 09:11
0
棕熊
雪    币: 4065
活跃值: (3145)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
4
你瞒我瞒 人家也没想到这么火,突然就有大批成年人也`喜欢`答题了。现在可能加班加点加强安全,同时商务那边在购买xx企业版加固[em_41]
能看出来在一直加固,不如一步到位,来个vm给大家玩玩
2024-10-16 09:55
0
mb_asiwnxyv
雪    币: 6
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
5
你好,麻烦问一下是如何trace出来流程保存本地的,是unidbg吗,另外您的apk版本是多少,我目前也是卡在您提到的这个长数字中,我固定了时间戳,他结果也是固定了,所以我想跟你一样保存到一份日志到本地来。
2024-10-16 10:10
0
养只猫不好么
雪    币: 1559
活跃值: (3976)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
6
感谢分享
2024-10-16 10:36
0
lhxdiao
雪    币: 2154
活跃值: (4033)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
用STL标准库是降低逆向难度吧,特别是用共享cpp库的,逻辑清晰明了,那个 std::string的 append追加函数其实是operator +被优化成了append操作。
2024-10-16 10:53
1
墨穹呢
雪    币: 3505
活跃值: (5457)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
8
关键的时间戳生成没有分析出来。纯算的话这里可以阻挡一些人,但是阻挡不了unidbg
2024-10-16 11:50
0
mb_asiwnxyv
雪    币: 6
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
9
墨穹呢 关键的时间戳生成没有分析出来。纯算的话这里可以阻挡一些人,但是阻挡不了unidbg
能和您讨论下思路吗
2024-10-16 12:34
0
墨穹呢
雪    币: 3505
活跃值: (5457)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
10
mb_asiwnxyv 能和您讨论下思路吗

其实没有什么可以讨论的,就是一个自写的时间戳生成,拓展成几百位的一个字符串,这个字符串和之前的path路径拼接,几轮标准的MD5

unidbg生成可以看xiaoyuan_unidbg

最后于 2024-10-16 12:39 被墨穹呢编辑 ,原因:
2024-10-16 12:37
0
mb_asiwnxyv
雪    币: 6
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
11
墨穹呢 mb_asiwnxyv 能和您讨论下思路吗 其实没有什么可以讨论的,就是一个自写的时间戳生成,拓展成几百位的一个字符串,这个字符 ...
就是这个几百位的一个字符串 让我很迷茫,其他都分析得差不多了
2024-10-16 13:02
0
墨穹呢
雪    币: 3505
活跃值: (5457)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
12
mb_asiwnxyv 就是这个几百位的一个字符串 让我很迷茫,其他都分析得差不多了

你按照so的逻辑一步一步跟,就能还原出来了,这纯体力活

你看楼主的sub_65794伪代码:

time(&timer);
timer = (timer + a2) / 60

就一直跟着

timer

几百位的字符串,这个都是基于这个变量来的。

我给你看下我iOS还原出来的:


基本逻辑都是这样

2024-10-16 13:21
0
棕熊
雪    币: 4065
活跃值: (3145)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
13
墨穹呢 关键的时间戳生成没有分析出来。纯算的话这里可以阻挡一些人,但是阻挡不了unidbg
这个看我给的trace 看最后一张图 time(&timer)拿一些线索
2024-10-16 13:21
0
棕熊
雪    币: 4065
活跃值: (3145)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
14
lhxdiao 用STL标准库是降低逆向难度吧,特别是用共享cpp库的,逻辑清晰明了,那个 std::string的 append追加函数其实是operator +被优化成了append操作。
是这样的,但是string在内存里结构体的体现是有一定的难度的,假如没有符号,感觉分析会难一些,对于我这个trace工具确实是有一些难度
2024-10-16 13:22
0
棕熊
雪    币: 4065
活跃值: (3145)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
15
mb_asiwnxyv 你好,麻烦问一下是如何trace出来流程保存本地的,是unidbg吗,另外您的apk版本是多少,我目前也是卡在您提到的这个长数字中,我固定了时间戳,他结果也是固定了,所以我想跟你一样保存到一份日志到本 ...
您好,不是unidbg,是直接在真机上执行的,自己写的一个trace,注入可以参考我上一篇帖子,用的zygisk注入的,如果有需要可以联系我,我给你固定你的值帮你trace一份
2024-10-16 13:23
0
mb_asiwnxyv
雪    币: 6
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
16
墨穹呢 你按照so的逻辑一步一步跟,就能还原出来了,这纯体力活你看楼主的sub_65794伪代码:time(&amp;timer); timer&nbsp;=&nbsp;(timer ...
好的 感谢您的回复
2024-10-16 13:25
0
棕熊
雪    币: 4065
活跃值: (3145)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
17
墨穹呢 mb_asiwnxyv 能和您讨论下思路吗 其实没有什么可以讨论的,就是一个自写的时间戳生成,拓展成几百位的一个字符串,这个字符 ...
已经star,感谢大佬一起交流
2024-10-16 13:31
0
mb_fidppcok
雪    币: 2793
活跃值: (3025)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
18
反正觉得很强
2024-10-16 15:54
0
jfztaq
雪    币: 261
活跃值: (1371)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
19
大神,能不能帮忙分析下i国网怎么开启webview调试
2024-10-16 19:24
0
method
雪    币: 1272
活跃值: (6663)
能力值: ( LV5,RANK:70 )
在线值:
发帖
回帖
粉丝
私信
20
兄弟 trace中 访问内存 字符串是怎么识别出来的的,效率怎么样
2024-10-16 20:58
0
棕熊
雪    币: 4065
活跃值: (3145)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
21
method 兄弟 trace中 访问内存 字符串是怎么识别出来的的,效率怎么样
自己写的一个trace 速度是unidbg的60倍左右
2024-10-17 14:23
0
mb_vvpefhit
雪    币: 6
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
22
trace工具能发下吗
2024-10-20 17:56
0
mb_kbkqyusp
雪    币: 665
活跃值: (1617)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
23
佬,请问一些trace 功能,解析字符串部分怎么实现的呀,我的老是崩溃,SIGSEGV
2024-10-21 16:43
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回