最右APP协议加密算法分析笔记
- IDA7.0
- lldb
- Charles
本次分析的版本是4.2.1(在目前最新版本4.6.4中依然适用)
开始前先进行如下步骤
1.app砸壳后用IDA加载
2.配置抓包工具charles
ok 开始前不会使用Charles的可以搜索关键字"Charles ios https"或直接查看该链接"https://www.cnblogs.com/junhuawang/p/7280957.html" 其中https如何抓包都有详细讲解 此处不在赘述
首先开启抓包工具 打开APP刷新内容抓包结果如下
通过POST请求可以看到url上有个"sign"参数,每次请求该sign都会发生变化,接下来使用IDA进行分析该参数来源。
IDA中字符串搜索"sign=" 根据字符串推测是最后一个 鼠标左键双击进入
看到下图
在图中高亮处按下X键或者右键选中“jump to xref to operand”
弹出如下内容 点击ok
继续在图中高亮处按下X键或者右键选中“jump to xref to operand”
弹出如下内容
根据分析得知"[ZYAPIClient postWithURL:parameters]"中有sign来源 双击进入
按下f5转换为伪代码进行查看
如上图所示 sign的参数是通过调用"ZYAPIClient signWithParameters"返回的
此时先不关注v27参数内容是什么 等下动态调试再来看该参数内容
通过代码知道调用"ZYAPIClient signWithParameters"后返回sign值
继续使用IDA进行分析 在函数窗口中搜索“ZYAPIClient signWithParameters”双击跳转到如下图
得知参数是由“ZYCrypto signWithParameters”返回 那么函数窗口中继续搜索“ZYCrypto signWithParameters”
得知数据是调用了“sub_100FB6090”函数返回的 双击函数进入查看伪代码
查看代码得知还调用了"sub_100DB274C"和"sub_100FB6004"两个函数 接下来查看这两个函数
跳转到“sub_100DB274C”函数后肉眼可以看出是一系列循环位操作计算 流程图如下 逻辑清晰 无混淆 看起来并不复杂 代码量不算多
函数“sub_100FB6004”如下图
函数到此为止 记录下调用流程
"ZYAPIClient signWithParameters" -> "ZYCrypto signWithParameters" -> "sub_100FB6090" -> "sub_100DB274C" -> "sub_100FB6004"
接下来就是动态调试拿到调用函数时传入的参数及还原成c代码即可
下面开始动态调试(对于lldb的配置此处不再赘述)
首先ssh到手机
打开最右app 然后在ssh查找app进程
ps -e |grep var ////////////////////////////////////////////////////////////////////////// iphone5s:~ root# ps -e |grep var 372 ?? ? ? ? ? 0:00.06 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations 632 ?? ? ? ? ? 0:01.69 /var/mobile/Containers/Bundle/Application/84BED02F-A270-4B92-868D-3C4A6F564F28/tieba.app/tieba 641 ttys000 ? 0:00.01 grep var
debugserver附加
debugserver *:1234 --attach=pid ////////////////////////////////////////////////////////////////////////// iphone5s:~ root# debugserver *:1234 --attach=632 debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89 for arm64. Attaching to process 632... Listening to port 1234 for a connection from *...
打开lldb连接到越狱后的手机(可能卡住一段时间 耐心等待)
YoudeMacBook-Pro:~ youfuck$ lldb (lldb) process connect connect://172.16.4.29:1234 Process 632 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP ? frame #0: 0x0000000194f24e7c libsystem_kernel.dylib`mach_msg_trap + 8 libsystem_kernel.dylib`mach_msg_trap: -> 0x194f24e7c <+8>: ret libsystem_kernel.dylib`mach_msg_overwrite_trap: ? 0x194f24e80 <+0>: mov ? x16, #-0x20 ? 0x194f24e84 <+4>: svc ? #0x80 ? 0x194f24e88 <+8>: ret Target 0: (tieba) stopped.
以上lldb已经附加到app 接下来对之前找到的关键位置下断点进行调试
先获取模块基地址
image list -o -f 模块名称 ////////////////////////////////////////////////////////////////////////// (lldb) image list -o -f tieba [ 0] 0x000000000004c000 /private/var/mobile/Containers/Bundle/Application/84BED02F-A270-4B92-868D-3C4A6F564F28/tieba.app/tieba(0x000000010004c000)
此时lldb调试先看调用"sub_100FB6090"时传入的参数(为什么不从之前的函数下断 因为之前的函数通过伪代码可以看出并没什么修改数据 所以直接在此处下断点)
下断点 "br s -a 模块基地址+ida中看到的函数地址" 然后在app中刷新一下即可触发断点
(lldb) br s -a 0x4c000+0x100FB6090 Breakpoint 2: where = tieba`Assimp::FBX::Connection::Compare(Assimp::FBX::Connection const*) const + 10732152, address = 0x0000000101002090
断下后查看参数 查看参数1即x0 可以看出字符串就是抓包时所发送的数据
(lldb) x $x0 $x0+600 0x157575c38: 7b 22 64 69 72 65 63 74 69 6f 6e 22 3a 22 64 6f {"direction":"do 0x157575c48: 77 6e 22 2c 22 68 5f 6d 6f 64 65 6c 22 3a 22 69 wn","h_model":"i 0x157575c58: 50 68 6f 6e 65 20 35 73 20 28 47 6c 6f 62 61 6c Phone 5s (Global 0x157575c68: 29 22 2c 22 68 5f 63 68 22 3a 22 61 70 70 73 74 )","h_ch":"appst 0x157575c78: 6f 72 65 22 2c 22 68 5f 61 70 70 22 3a 22 7a 75 ore","h_app":"zu 0x157575c88: 69 79 6f 75 22 2c 22 63 5f 74 79 70 65 73 22 3a iyou","c_types": 0x157575c98: 5b 31 2c 32 2c 33 2c 39 2c 31 30 2c 37 2c 38 5d [1,2,3,9,10,7,8] 0x157575ca8: 2c 22 68 5f 6e 74 22 3a 31 2c 22 68 5f 61 76 22 ,"h_nt":1,"h_av" 0x157575cb8: 3a 22 34 2e 32 2e 31 22 2c 22 74 6f 6b 65 6e 22 :"4.2.1","token" 0x157575cc8: 3a 22 54 35 4b 61 4e 38 4b 64 4b 69 6f 65 49 64 :"T5KaN8KdKioeId 0x157575cd8: 6d 69 36 58 72 68 39 59 45 79 39 37 4b 30 65 4c mi6Xrh9YEy97K0eL 0x157575ce8: 51 6d 6e 5f 4e 76 32 62 38 35 5a 78 34 45 74 50 Qmn_Nv2b85Zx4EtP 0x157575cf8: 72 44 69 4f 2d 2d 58 65 75 4d 33 2d 5f 31 6c 5a rDiO--XeuM3-_1lZ 0x157575d08: 6d 72 7a 30 2d 79 7a 22 2c 22 74 61 62 22 3a 22 mrz0-yz","tab":" 0x157575d18: 72 65 63 22 2c 22 68 5f 64 69 64 22 3a 22 32 32 rec","h_did":"22 0x157575d28: 32 65 62 66 37 65 31 66 39 62 62 35 64 65 39 38 2ebf7e1f9bb5de98 0x157575d38: 35 31 32 39 31 62 33 63 36 37 30 61 34 65 30 66 51291b3c670a4e0f 0x157575d48: 31 61 33 31 63 34 22 2c 22 66 69 6c 74 65 72 22 1a31c4","filter" 0x157575d58: 3a 22 61 6c 6c 22 2c 22 68 5f 6f 73 22 3a 22 38 :"all","h_os":"8 0x157575d68: 2e 31 30 30 30 30 30 22 2c 22 61 75 74 6f 22 3a .100000","auto": 0x157575d78: 31 2c 22 68 5f 74 73 22 3a 31 35 33 39 37 34 37 1,"h_ts":1539747 0x157575d88: 30 39 35 37 31 32 2c 22 68 5f 6d 22 3a 34 38 38 095712,"h_m":488 0x157575d98: 33 36 37 38 36 2c 22 68 5f 69 64 66 61 22 3a 22 36786,"h_idfa":" 0x157575da8: 41 39 33 42 39 35 41 34 2d 39 30 43 33 2d 34 43 A93B95A4-90C3-4C 0x157575db8: 38 42 2d 39 38 41 38 2d 42 39 46 37 42 34 38 43 8B-98A8-B9F7B48C 0x157575dc8: 35 37 46 31 22 2c 22 68 5f 64 74 22 3a 31 7d 00 57F1","h_dt":1}. 0x157575dd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 ...............? 0x157575de8: 00 00 00 00 00 00 00 f0 11 00 00 00 00 00 00 00 .......?........ 0x157575df8: 13 15 00 00 c0 00 00 00 03 64 00 00 23 a9 00 00 ....?....d..#?.. 0x157575e08: 00 00 00 00 00 00 00 10 21 43 50 58 05 00 00 00 ........!CPX.... 0x157575e18: 00 f0 00 00 98 00 00 00 02 00 00 00 71 75 65 72 .?..........quer 0x157575e28: 79 00 00 00 00 80 00 00 6c 00 00 00 31 6a 30 0b y.......l...1j0. 0x157575e38: 0c 06 72 5f 44 61 74 61 01 01 01 30 0c 0c 04 73 ..r_Data...0...s 0x157575e48: 79 6e 63 0c 04 73 79 6e 61 30 0d 0c 05 63 6c 61 ync..syna0...cla 0x157575e58: 73 73 0c 04 67 65 6e 70 30 12 0c 04 61 63 63 74 ss..genp0...acct 0x157575e68: 0c 0a 69 64 66 61 41 63 6f 75 6e 74 30 13 0c 04 ..idfaAcount0... 0x157575e78: 73 76 63 65 0c 0b 69 64 66 61 53 65 72 76 69 63 svce..idfaServic 0x157575e88: 65 30 15 0c 07 6d 5f 4c ? ? ? ? ? ? ? ? ? ? ? ? e0...m_L
对“sub_100DB274C”下断点
br s -a 0x4c000+0x100DB274C
调用"sub_100DB274C"时参数如下
(lldb) x $x0 $x0+0x1ab 0x1576d0670: 59 30 4d 54 42 6c 4f 44 63 78 6e 22 3a 22 64 6f Y0MTBlODcxn":"do 0x1576d0680: 77 6e 22 2c 22 68 5f 6d 6f 64 65 6c 22 3a 22 69 wn","h_model":"i 0x1576d0690: 50 68 6f 6e 65 20 35 73 20 28 47 6c 6f 62 61 6c Phone 5s (Global 0x1576d06a0: 29 22 2c 22 68 5f 63 68 22 3a 22 61 70 70 73 74 )","h_ch":"appst 0x1576d06b0: 6f 72 65 22 2c 22 68 5f 61 70 70 22 3a 22 7a 75 ore","h_app":"zu 0x1576d06c0: 69 79 6f 75 22 2c 22 63 5f 74 79 70 65 73 22 3a iyou","c_types": 0x1576d06d0: 5b 31 2c 32 2c 33 2c 39 2c 31 30 2c 37 2c 38 5d [1,2,3,9,10,7,8] 0x1576d06e0: 2c 22 68 5f 6e 74 22 3a 31 2c 22 68 5f 61 76 22 ,"h_nt":1,"h_av" 0x1576d06f0: 3a 22 34 2e 32 2e 31 22 2c 22 74 6f 6b 65 6e 22 :"4.2.1","token" 0x1576d0700: 3a 22 54 35 4b 61 4e 38 4b 64 4b 69 6f 65 49 64 :"T5KaN8KdKioeId 0x1576d0710: 6d 69 36 58 72 68 39 59 45 79 39 37 4b 30 65 4c mi6Xrh9YEy97K0eL 0x1576d0720: 51 6d 6e 5f 4e 76 32 62 38 35 5a 78 34 45 74 50 Qmn_Nv2b85Zx4EtP 0x1576d0730: 72 44 69 4f 2d 2d 58 65 75 4d 33 2d 5f 31 6c 5a rDiO--XeuM3-_1lZ 0x1576d0740: 6d 72 7a 30 2d 79 7a 22 2c 22 74 61 62 22 3a 22 mrz0-yz","tab":" 0x1576d0750: 72 65 63 22 2c 22 68 5f 64 69 64 22 3a 22 32 32 rec","h_did":"22 0x1576d0760: 32 65 62 66 37 65 31 66 39 62 62 35 64 65 39 38 2ebf7e1f9bb5de98 0x1576d0770: 35 31 32 39 31 62 33 63 36 37 30 61 34 65 30 66 51291b3c670a4e0f 0x1576d0780: 31 61 33 31 63 34 22 2c 22 66 69 6c 74 65 72 22 1a31c4","filter" 0x1576d0790: 3a 22 61 6c 6c 22 2c 22 68 5f 6f 73 22 3a 22 38 :"all","h_os":"8 0x1576d07a0: 2e 31 30 30 30 30 30 22 2c 22 61 75 74 6f 22 3a .100000","auto": 0x1576d07b0: 31 2c 22 68 5f 74 73 22 3a 31 35 33 39 37 34 37 1,"h_ts":1539747 0x1576d07c0: 30 39 35 37 31 32 2c 22 68 5f 6d 22 3a 34 38 38 095712,"h_m":488 0x1576d07d0: 33 36 37 38 36 2c 22 68 5f 69 64 66 61 22 3a 22 36786,"h_idfa":" 0x1576d07e0: 41 39 33 42 39 35 41 34 2d 39 30 43 33 2d 34 43 A93B95A4-90C3-4C 0x1576d07f0: 38 42 2d 39 38 41 38 2d 42 39 46 37 42 34 38 43 8B-98A8-B9F7B48C 0x1576d0800: 35 37 46 31 22 2c 22 68 5f 64 74 22 3a 31 7d 5a 57F1","h_dt":1}Z 0x1576d0810: 44 7b 22 64 69 72 65 63 74 69 6f ? ? ? ? ? ? ? ? D{"directio
经过观察发现进入函数时传的参数是post请求的参数内容 然后调用了string::append函数对传入的字符串追加了新的内容 "ZDY0MTBlODcx" 最后将字符串前十位和后十位进行交换得到我们上面所看到的文本
对“sub_100FB6090”代码还原实现如下:
std::string str = szData; str.append("ZDY0MTBlODcx"); std::string strHead = str.substr(0, 10); std::string strEnd = str.substr(str.length()-10, str.length()); str.replace(0, 10, strEnd); str.replace(str.length()-10, str.length(), strHead);
其中“sub_100FB6004”中有使用全局变量 直接使用x命令 复制出来即可
以下为还原后的c代码 可直接使用
// zuiyouEncryption.cpp : // #include "stdafx.h" #include <Windows.h> #include <iostream> #include <string> #define u_int64_t unsigned long long #define u_int32_t unsigned int struct TAG_UINT64 { ? u_int32_t low; ? u_int32_t high; ? void set(u_int32_t _high, u_int32_t _low){ ? ? ? this->high = _high; ? ? ? this->low = _low; ? } }; u_int64_t qword_101126D90 = 0xEFCDAB8967452301; u_int64_t qword_101126D98 = 0x1032547698BADCFE; char a0123456789abcd_0[] = "0123456789abcdef"; unsigned char byte_101209EC8[] = { ? 0x78, 0xA4, 0x6A, 0xD7, 0x56, 0xB7, 0xC7, 0xE8, 0xDB, 0x70, 0x20, 0x24, 0xEE, 0xCE, 0xBD, 0xC1, 0xAF, 0xF, ? 0x7C, 0xF5, 0x2A, 0xC6, 0x87, 0x47, 0x13, 0x46, 0x30, 0xA8, 1, 0x95, 0x46, 0xFD, 0xD8, 0x98, 0x80, 0x69, 0xAF, 0xF7, 0x44, 0x8B, 0xB1, 0x5B, 0xFF, 0xFF, 0xBE, ? 0xD7, 0x5C, 0x89, 0x22, 0x11, 0x90, 0x6B, 0x93, 0x71, 0x98, 0xFD, 0x8E, 0x43, 0x79, 0xA6, 0x21, 8, 0xB4, 0x49, 0x62, 0x25, 0x1E, 0xF6, 0x40, 0xB3, 0x40, 0xC0, ? 0x51, 0x5A, 0x5E, 0x26, 0xAA, 0xC7, 0xB6, 0xE9, 0x5D, 0x10, 0x2F, 0xD6, 0x53, 0x14, 0x44, 2, 0x81, 0xE6, 0xA1, 0xD8, 0xC8, 0xFB, 0xD3, 0xE7, 0xE6, 0xCD, 0xE1, ? 0x21, 0xD6, 7, 0x37, 0xC3, 0x87, 0xD, 0xD5, 0xF4, 0xED, 0x14, 0x5A, 0x45, 5, 0xE9, 0xE3, 0xA9, 0xF8, 0xA3, 0xEF, 0xFC, 0xD9, 2, 0x6F, 0x67, 0x8A, 0x4C, 0x2A, ? 0x8D, 0x42, 0x39, 0xFA, 0xFF, 0x81, 0xF6, 0x71, 0x87, 0x22, 0x61, 0x9D, 0x6D, 0xC, 0x38, 0xE5, 0xFD, 0x44, 0xEA, 0xBE, 0xA4, 0xA9, 0xCF, 0xDE, 0x4B, 0x60, 0x4B, ? 0xBB, 0xF6, 0x70, 0xBC, 0xBF, 0xBE, 0xC6, 0x7E, 0x9B, 0x28, 0xFA, 0x27, 0xA1, 0xEA, 0x85, 0x30, 0xEF, 0xD4, 5, 0x1D, 0x88, 4, 0x39, 0xD0, 0xD4, 0xD9, 0xE5, 0x99, ? 0xDB, 0xE6, 0xF8, 0x7C, 0xA2, 0x1F, 0x65, 0x56, 0xAC, 0xC4, 0x44, 0x22, 0x29, 0xF4, 0x97, 0xFF, 0x2A, 0x43, 0xA7, 0x23, 0x94, 0xAB, 0x39, 0xA0, 0x93, 0xFC, 0xC3, ? 0x59, 0x5B, 0x65, 0x92, 0xCC, 0xC, 0x8F, 0x7D, 0xF4, 0xEF, 0xFF, 0xD1, 0x5D, 0x84, 0x85, 0x4F, 0x7E, 0xA8, 0x6F, 0xE0, 0xE6, 0x2C, 0xFE, 0x14, 0x43, 1, 0xA3, ? 0xA1, 0x11, 8, 0x4E, 0x82, 0x7E, 0x53, 0xF7, 0x35, 0xF2, 0x3A, 0xBD, 0xBB, 0xD2, 0xD7, 0x2A, 0x91, 0xD3, 0x86, 0xEB, 0, 0, 0, 0, 0x80, 0x88, 0xE5, 0x40, 0, ? 0, 0, 0, 0, 0x7C, 0xD5, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, ? 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, ? 0x78, 0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x2B, 0x2F, 0xA2, 0xB4, 0xB7, 0x3E, 0x8F, 0x53, 0x34, 0x3F, 0x4D, 0x15, 0xC, 0x3E, ? 0, 0, 0, 0, 0x87, 0x16, 0x99, 0x3E, 0xA2, 0x45, 0x16, 0x3F, 0xD5, 0x78, 0xE9, 0x3D, 0, 0, 0, 0, 0xD8, 0xF0, 0x74, 0x3E, 0x69, 0x6F, 0xF0, 0x3E, 0, 0, 0, 0, 0, ? 0x80, 0x63, 0x40, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0xE6, 0x3F, 0, 0, 0, 0, 0, 0x60, 0x6C, 0xC0, 0x51, 0x46, 0x6F, 0xCB, 0x5A, 0x1D, 0x93, 0x3F, 0xD0, 0xB0, ? 0x2B, 0x40, 0xEE, 0x35, 0xD7, 0x3F, 0x39, 0xB4, 0xC8, 0x76, 0xBE, 0x9F, 0xCA, 0x3F, 0, 0, 0, 0, 0, 0xA0, 0x72, 0xC0, 0, 0, 0, 0, 0, 0xC0, 0x76, 0xC0, 0, 0, ? 0, 0, 0, 0xA0, 0x72, 0x40, 0, 0, 0, 0, 0, 0x40, 0x72, 0x40, 0, 0, 0, 0, 0, 0, 0x6F, 0x40, 0, 2, 0, 0, 0, 0x20, 0, 0, 0x46, 0x46, 0x49, 0x41, 0x66, 0x61, 0x34, ? 0x6D, 0x45, 0x56, 0x41, 0x57, 0, 0, 0, 0, 0, 0, 0, 0, 0xF3, 4, 0x35, 0xBF, 0, 0, 0, 0, 0x3A, 0xCD, 0x13, 0x3F, 0x3A, 0xCD, 0x13, 0xBF, 0, 0, 0, 0 }; u_int32_t _bic_(u_int32_t x,u_int32_t m) { ? return x & (x ^ m); } u_int32_t _ror_(u_int32_t x, u_int32_t m) { ? return (x >> m) | (x << (32 - m)); } void sub_100DB274C(u_int64_t X0/*data*/, u_int64_t X1/*dataLen*/, u_int64_t X2/*outdata*/) { ? u_int64_t X3 = 0; ? u_int64_t X4 = 0; ? u_int64_t X5 = 0; ? u_int64_t X6 = 0; ? u_int64_t X8 = 0; ? u_int64_t X9 = 0; ? u_int64_t X10 = 0; ? u_int64_t X11 = 0; ? u_int64_t i = 0; ? u_int64_t X13 = 0; ? u_int64_t X14 = 0; ? u_int64_t X15 = 0; ? u_int64_t X19 = 0; ? u_int64_t X20 = 0; ? u_int64_t X21 = 0; ? u_int64_t X22 = 0; ? u_int64_t X23 = 0; ? u_int64_t X24 = 0; ? u_int64_t X25 = 0; ? u_int64_t X26 = 0; ? u_int64_t X27 = 0; ? char data[0x512] = {0}; ? u_int64_t var_120 = (u_int64_t)(data + 0x10); ? u_int64_t var_118 = (u_int64_t)(data + 0x18); ? u_int64_t var_108 = (u_int64_t)(data + 0x28); ? u_int64_t var_100 = (u_int64_t)(data + 0x30); ? u_int64_t var_FC = (u_int64_t)(data + 0x34); ? u_int64_t var_F8 = (u_int64_t)(data + 0x38); ? u_int64_t var_F4 = (u_int64_t)(data + 0x3C); ? u_int64_t var_F0 = (u_int64_t)(data + 0x40); ? u_int64_t var_E8 = (u_int64_t)(data + 0x48); ? u_int64_t var_B0 = (u_int64_t)(data + 0x80); ? u_int64_t var_AC = (u_int64_t)(data + 0x84); ? u_int64_t var_A8 = (u_int64_t)(data + 0x88); ? u_int64_t var_A0 = (u_int64_t)(data + 0x90); ? u_int64_t var_98 = (u_int64_t)(data + 0x98); ? *(u_int64_t*)var_120 = X2; ? X2 = X1; ? X3 = X0; ? X6 = 0; ? X20 = 0; ? *(u_int64_t*)var_A8 = qword_101126D90; ? *(u_int64_t*)var_100 = X2 << 3; ? *(u_int64_t*)var_108 = X2 >> 0x1d; ? X24 = var_E8; ? X19 = X24 + 4; ? *(u_int64_t*)var_A0 = qword_101126D98; ? X21 = X24 + 0x38; ? X5 = 0x67452301; ? X23 = 0x10325476; ? X22 = 0x98BADCFE; ? X4 = 0xEFCDAB89; ? X26 = (u_int64_t)&byte_101209EC8; ? *(u_int64_t*)(var_118) = X19; ? *(u_int64_t*)(var_118+0x8) = X21; ? do ? { ? ? ? X8 = X2 - X20; ? ? ? X27 = X8 > 0x3F ? 0x40 : X8; ? ? ? X1 = X3 + X20; ? ? ? if(X27 > 0x3F) { ? ? ? ? ? X6 = 0; ? ? ? }else { ? ? ? ? ? ((TAG_UINT64*)var_F8)->set((u_int32_t)X22, (u_int32_t)X23); ? ? ? ? ? *(u_int64_t*)var_F0 = X20; ? ? ? ? ? ((TAG_UINT64*)var_FC)->low = (u_int32_t)X5; ? ? ? ? ? X26 = X4; ? ? ? ? ? X25 = X3; ? ? ? ? ? X19 = X2; ? ? ? ? ? X22 = var_98; ? ? ? ? ? X2 = X27; ? ? ? ? ? X0 = var_98; ? ? ? ? ? X21 = X6; ? ? ? ? ? X23 = X27; ? ? ? ? ? memcpy((void*)X0, (void*)X1, X2); ? ? ? ? ? X22 += X23; ? ? ? ? ? X8 = 0x40 - X23; ? ? ? ? ? X1 = X8; ? ? ? ? ? X0 = X22; ? ? ? ? ? memset((void*)X0, 0, (u_int32_t)X1);//BL ? ? ? ? ? ? _bzero ? ? ? ? ? if(X21 == 0) { ? ? ? ? ? ? ? ((unsigned char*)X22)[0] = 0x80; ? ? ? ? ? } ? ? ? ? ? X1 = var_98; ? ? ? ? ? X6 = 1; ? ? ? ? ? X2 = X19; ? ? ? ? ? X3 = X25; ? ? ? ? ? X4 = X26; ? ? ? ? ? X5 = (u_int32_t)*(u_int64_t*)var_FC; ? ? ? ? ? X23 = *(u_int64_t*)var_FC >> 32; ? ? ? ? ? X19 = *(u_int64_t*)var_118; ? ? ? ? ? X21 = *(u_int64_t*)(var_118 + 0x8); ? ? ? ? ? X20 = *(u_int64_t*)var_F0; ? ? ? ? ? X22 = ((TAG_UINT64*)var_F4)->low; ? ? ? ? ? X26 = (u_int64_t)&byte_101209EC8; ? ? ? } ? ? ? i = 0; ? ? ? do{ ? ? ? ? ? ((TAG_UINT64*)(X24 + i))->low = (u_int32_t)(((unsigned char*)(X1+1+i))[-1] | ((((unsigned char*)(X1+1+i))[0] | ((((unsigned char*)(X1+1+i))[1] | (((unsigned char*)(X1+1+i))[2] << 8)) << 8)) << 8)); ? ? ? }while((i += 4) != 0x40); ? ? ? if(X27 <= 0x37) { ? ? ? ? ? *(u_int64_t*)var_B0 = (u_int32_t)*(u_int64_t*)var_100; ? ? ? ? ? *(u_int64_t*)var_AC = (u_int32_t)*(u_int64_t*)var_108; ? ? ? } ? ? ? i = 0; ? ? ? X13 = X26 + 8; ? ? ? X14 = X24 + 8; ? ? ? X8 = X23; ? ? ? X9 = X22; ? ? ? X10 = X4; ? ? ? X11 = X5; ? ? ? do ? ? ? { ? ? ? ? ? X11 = _ror_((u_int32_t)((((_bic_((u_int32_t)X8, (u_int32_t)X10) | (X10 & X9)) + X11) + (u_int32_t)*(u_int64_t*)(X14-8)) + (u_int32_t)*(u_int64_t*)(X13-8)), 0x19) + X10; ? ? ? ? ? X8 = _ror_((u_int32_t)((*(u_int64_t*)(X14 - 8) >> 32) + X8 + (*(u_int64_t*)(X13-8) >> 32) + ((X11 & X10) | _bic_((u_int32_t)X9, (u_int32_t)X11))), 0x14) + X11; ? ? ? ? ? X9 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)X14 + X9 + (u_int32_t)*(u_int64_t*)X13 + ((X8 & X11) | _bic_((u_int32_t)X10, (u_int32_t)X8))), 0xF) + X8; ? ? ? ? ? X10 = _ror_((u_int32_t)((*(u_int64_t*)X14 >> 32) + X10 + (*(u_int64_t*)X13 >> 32) + ((X9 & X8) | _bic_((u_int32_t)X11, (u_int32_t)X9))), 0xA) + X9; ? ? ? ? ? X14 += 0x10; ? ? ? ? ? X13 += 0x10; ? ? ? }while((i += 4) < 0x10); ? ? ? i = 0; ? ? ? X13 = X26 + 0x4C; ? ? ? X14 = 0xA; ? ? ? X15 = X19; ? ? ? do ? ? ? { ? ? ? ? ? X11 = _ror_((u_int32_t)((((X10 & X8) | _bic_((u_int32_t)X9, (u_int32_t)X8)) + X11 + (u_int32_t)*(u_int64_t*)X15) + (u_int32_t)*(u_int64_t*)(X13-0xc)), 0x1B) + X10; ? ? ? ? ? X8 = _ror_((u_int32_t)(X8 + ((u_int32_t)*(u_int64_t*)(X24 + (((X14 - 4) & 0xF) << 2))) + (*(u_int64_t*)(X13-0xc) >> 32) + ((X11 & X9) | _bic_((u_int32_t)X10, (u_int32_t)X9))), 0x17) + X11; ? ? ? ? ? X9 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)(X24 + (((X14 & 0xE) | 1) << 2)) + X9 + (u_int32_t)*(u_int64_t*)(X13-4) + ((X8 & X10) | _bic_((u_int32_t)X11, (u_int32_t)X10))), 0x12) + X8; ? ? ? ? ? X10 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)(X15-4) + X10 + (u_int32_t)*(u_int64_t*)X13 + ((X9 & X11) | _bic_((u_int32_t)X8, (u_int32_t)X11))), 0xC) + X9; ? ? ? ? ? X13 += 0x10; ? ? ? ? ? X15 += 0x10; ? ? ? ? ? X14 += 0x14; ? ? ? }while((i += 4) < 0x10); ? ? ? i = 0; ? ? ? X13 = X26 + 0x8C; ? ? ? X14 = 5; ? ? ? X15 = X21; ? ? ? do ? ? ? { ? ? ? ? ? X11 = _ror_((u_int32_t)(((X9 ^ X8) ^ X10) + X11 + (u_int32_t)*(u_int64_t*)(X24 + ((X14 & 0xD) << 2)) + (u_int32_t)*(u_int64_t*)(X13-0xc)), 0x1C) + X10; ? ? ? ? ? X8 = _ror_((u_int32_t)(X8 + (u_int32_t)*(u_int64_t*)(X24 + (((X14 + 3) & 0xF) << 2)) + (*(u_int64_t*)(X13-0xc) >> 32) + ((X11 ^ X10) ^ X9)), 0x15)+ X11; ? ? ? ? ? X9 = _ror_((u_int32_t)(((u_int32_t)*(u_int64_t*)(X24 + (((X14 + 6) & 0xF) << 2))) + X9 + (u_int32_t)*(u_int64_t*)(X13-4) + (X8 ^ (X11 ^ X10))), 0x10) + X8; ? ? ? ? ? X10 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)X15 + X10 + (u_int32_t)*(u_int64_t*)X13 + ((X8 ^ X11) ^ X9)), 0x9) + X9; ? ? ? ? ? X15 -= 0x10; ? ? ? ? ? X13 += 0x10; ? ? ? ? ? X14 += 0xC; ? ? ? }while((i += 4) < 0x10); ? ? ? i = 0; ? ? ? X13 = X26 + 0xCC; ? ? ? X14 = X21; ? ? ? X15 = 0x15; ? ? ? do ? ? ? { ? ? ? ? ? X11 = _ror_((u_int32_t)(((((X10 | (~X8)) ^ X9) + X11) + ((u_int32_t)*(u_int64_t*)(X24 + (((X15 - 0x15) & 0xC) << 2)))) + (u_int32_t)*(u_int64_t*)(X13-0xc)), 0x1A) + X10; ? ? ? ? ? X8 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)(X24 + (((X15 - 0xE) & 0xF) << 2)) + X8 + (*(u_int64_t*)(X13-0xc) >> 32) + ((X11 | (~X9)) ^ X10)), 0x16) + X11; ? ? ? ? ? X9 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)X14 + X9 + (u_int32_t)*(u_int64_t*)(X13-0x4) + ((X8 | (~X10)) ^ X11)), 0x11) + X8; ? ? ? ? ? X10 = _ror_((u_int32_t)(((u_int32_t)*(u_int64_t*)(X24 + ((X15 & 0xF) << 2))) + X10 + (u_int32_t)*(u_int64_t*)X13 + ((X9 | (~X11)) ^ X8)), 0xB) + X9; ? ? ? ? ? X13 += 0x10; ? ? ? ? ? X14 -= 0x10; ? ? ? ? ? X15 +=0x1C; ? ? ? }while((i += 4) < 0x10); ? ? ? X5 += X11; ? ? ? X4 += X10; ? ? ? X22 += X9; ? ? ? X23 += X8; ? ? ? ((TAG_UINT64*)&X27)->high = 0; ? ? ? X20 += X27; ? }while(X27 >= 0x38); ? i = 0; ? ((TAG_UINT64*)var_A8)->set((u_int32_t)X4, (u_int32_t)X5); ? ((TAG_UINT64*)var_A0)->set((u_int32_t)X23, (u_int32_t)X22); ? X13 = *(u_int64_t*)var_120; ? ((unsigned char*)(X13))[0] = X5; ? ((unsigned char*)(X13))[1] = X5 >> 8; ? ((unsigned char*)(X13))[2] = X5 >> 0x10; ? ((unsigned char*)(X13))[3] = X5 >> 0x18; ? ((unsigned char*)(X13))[4] = X4; ? ((unsigned char*)(X13))[5] = X4 >> 8; ? ((unsigned char*)(X13))[6] = X4 >> 0x10; ? ((unsigned char*)(X13))[7] = X4 >> 0x18; ? do ? { ? ? ? X10 = (u_int32_t)*(u_int64_t*)(((u_int64_t)var_A8 + 8) + i); ? ? ? X11 = X13 + i; ? ? ? ((unsigned char*)(X11))[8] = X10; ? ? ? ((unsigned char*)(X11))[9] = X10 >> 8; ? ? ? ((unsigned char*)(X11))[0xA] = X10 >> 0x10; ? ? ? ((unsigned char*)(X11))[0xB] = X10 >> 0x18; ? ? ? X10 = i + 0xC; ? ? ? i = i + 4; ? }while(X10 < 0x10); } void sub_100FB6004(u_int64_t outData, u_int64_t inData) { ? u_int64_t i = 0; ? do{ ? ? ? ((unsigned char*)(outData))[i*2] = a0123456789abcd_0[(((unsigned char*)(inData))[i]) >> 4]; ? ? ? ((unsigned char*)(outData))[i*2+1] = a0123456789abcd_0[(((unsigned char*)(inData))[i]) & 0xF]; ? }while((i += 1) < 0x10); } std::string calcSign(const char* szData) { ? std::string str = szData; ? str.append("ZDY0MTBlODcx"); ? std::string strHead = str.substr(0, 10); ? std::string strEnd = str.substr(str.length()-10, str.length()); ? str.replace(0, 10, strEnd); ? str.replace(str.length()-10, str.length(), strHead); ? char szBuff[64] = {0}; ? char szSign[64] = {0}; ? std::string strRet = ""; ? sub_100DB274C((u_int64_t)str.c_str(), str.length(), (u_int64_t)szBuff); ? sub_100FB6004((u_int64_t)szSign, (u_int64_t)szBuff); ? strRet = szSign; ? return strRet; } int main(int argc, char* argv[]) { ? std::string sign = ""; ? const char* data = "{\"h_model\":\"iPhone 7\",\"h_ch\":\"appstore\",\"phone\":\"15658195157\",\"no_hash_code\":1,\"region_code\":86,\"h_app\":\"zuiyou\",\"type\":\"reg\",\"h_ts\":1539152851066,\"h_av\":\"4.6.4\",\"h_nt\":1,\"h_did\":\"32086bc6014d1a8a447100a065a21edc\",\"h_m\":95849495,\"h_os\":1030000,\"token\":\"T4K2Nn_Be6gYozzVxZd0Liea7qDY1cn75TJlGmRz6cH7kwagjSU5JrAW2CmeBiPozxpOf\",\"h_dt\":1}"; ? DWORD dwStartTime = GetTickCount(); ? sign = calcSign(data); ? printf("sign: %s\r\n", sign.c_str()); ? return 0; }
以上就是对sign值生成过程的全部分析记录 至于POST数据字段都是怎么来的可以按照上述步骤查找到
本文转载自:https://bbs.pediy.com/thread-247324.htm
版权声明:
作者:RuyeNet
链接:https://www.iloveu.top/archives/33
来源:RuyeNet
文章版权归作者所有,未经允许请勿转载。
THE END
二维码
打赏
文章目录
关闭
共有 0 条评论