本文为看雪论坛文章
看雪论坛作者ID:laifuling
前言
思路
解题
进程名: com.kanxue.ollvm_ndk_9
package com.kanxue.ollvm_ndk;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import com.kanxue.ollvm_ndk_9.R;
import org.apache.commons.lang3.RandomStringUtils;
public class MainActivity extends AppCompatActivity {
    /**
     * JNI entry implemented in libnative-lib.so
     * (exported as Java_com_kanxue_ollvm_1ndk_MainActivity_UUIDCheckSum).
     * Takes the 36-character random string and returns the 48-character "checksum".
     */
    public static native String UUIDCheckSum(String str);

    static {
        // The native library must be loaded before UUIDCheckSum can be invoked.
        System.loadLibrary("native-lib");
    }

    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        final TextView output = (TextView) findViewById(R.id.sample_text);
        Button trigger = (Button) findViewById(R.id.button);
        trigger.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                runChecksumRound(output);
            }
        });
    }

    /**
     * One button press: generate a fresh 36-char alphanumeric sample, run it
     * through the native routine, show the result and log the pair.
     *
     * Security note: the Log.e call writes the plaintext input and its checksum
     * verbatim to logcat, so every round leaks a known-plaintext pair to anyone
     * who can read the log (adb shell / the app itself). The write-up relies on
     * exactly this channel (`adb logcat -s kanxue`) to collect test vectors.
     */
    private static void runChecksumRound(TextView output) {
        String sample = RandomStringUtils.randomAlphanumeric(36);
        String digest = MainActivity.UUIDCheckSum(sample);
        output.setText(digest);
        Log.e("kanxue", "input: " + sample + " output: " + digest);
    }
}
从上面获取实用信息:
b. adb logcat -s "kanxue",查看输入输出结果(MainActivity 的 Log.e 把每次点击生成的 36 位随机 input 和对应 output 原样写进 logcat,因此无需额外 hook 就能拿到明文/密文对,后面用来验证还原算法)。
.text:000000000000FF30 Java_com_kanxue_ollvm_1ndk_MainActivity_UUIDCheckSum
..略
.text:00000000000101CC RET
# Trace window for the JNI handler: from the start of
# Java_com_kanxue_ollvm_1ndk_MainActivity_UUIDCheckSum (.text:0xFF30 in the
# IDA listing above) to its RET at .text:0x101CC. Both are file offsets added
# to the loaded base, so they must be recomputed for any other build of
# libnative-lib.so.
start_ea = (module.base + 0xFF30)
# NOTE(review): the extra brackets around end_ea look like a paste artifact —
# confirm against the tracing script whether it expects a list or a plain address.
end_ea = [((module.base + 0x101CC))]
input: OBjr9WRO8BUNXhcB0hsGn6sgqa8y63XDvjIr
output: hybFqNvkiOSHePfdkgOOeN5D_inJbR9K_k0Ts3qMkijRoQ9v
直接用010Editor打开日志文件,从UUIDCheckSum入参开始,逐步追踪输入的str使用过程。具体跟踪:
---> (*_env)->GetStringUTFChars(_env, _uuid, 0LL);
libart.so:_ZN3art8CheckJNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh
a. input[0x17]=input[0x18]
全局搜索[X0, 结果的第823行,发现:
而0xE:
根据:
// Stage 1 of UUIDCheckSum (sub_FCB4), reconstructed from the trace: rewrite the
// 36-byte input in place and append two hex checksum nibbles at the end.
// This excerpt assumes `input` is a std::string of length 36 and that
// `key_xmmword_37060` is the hex alphabet "0123456789abcdef" (both are
// declared in the full listing further down).
int len = input.length();
int t_23 =0xFF;   // XOR accumulator, seeded with 0xFF
int t_22 = 0x0;   // additive accumulator
for(int i=0; i<len-2; i++){   // positions 0..33; 34 and 35 receive the checksum
// Positions 8, 13, 18 and 24 are forced to '-' (a UUID-like dash layout, though
// the last dash sits at 24 rather than the usual 23) and skipped from both sums.
if(i == 0x8 || i==0xD || i==0x12 || i==0x18){
input[i] = 0x2D;
continue;
}
// Position 14 is forced to '4' (the slot a UUID uses for its version digit) and skipped.
if( i==0xE){
input[i] = 0x34;
continue;
}
// Position 23 takes the byte currently at 24, i.e. before 24 is replaced by '-'.
if(i== 0x17){
input[i] = input[i+1];
}
// input[i] is a (possibly signed) char; the app only feeds ASCII, so the value
// stays non-negative and the sums below match the native code.
t_23 = t_23 ^ input[i];
t_22 = t_22 + input[i];
// Per-byte rewrite: flip the lowest bit of every checksummed byte.
input[i] = input[i] ^ 1;
}
t_22 = t_22 - (t_22 & 0xFFFFFFF0);   // keep only the low nibble of the sum
t_23 = t_23 & 0xF;                   // keep only the low nibble of the XOR
input[0x22]= key_xmmword_37060[t_22];   // byte 34: hex digit of the additive checksum
input[0x23]=key_xmmword_37060[t_23];    // byte 35: hex digit of the XOR checksum
std::cout << input << std::endl;
上述分析出:
input经sub_FCB4(_uuid_cpy, len); 处理后的样例结果:
NCks8VSN-CTOY-4C1i-Fo7rp-`9x72YEwkba
000043B5 libnative_lib.so:000000789DD8F11C LDRB W8, [X21,X24] X8=000000000000004E ;debug input_new[0x0]=0x4E X21=00000078A9094560
000043B5 libnative_lib.so:000000789DD8F120 LSR X8, X8, #2 X8=0000000000000013
000043B5 libnative_lib.so:000000789DD8F124 LDRB W1, [X23,X8] X1=0000000000000068 ;debug X23[0x13]=0x68 result[0x0]=0x68
// X23=000000789DDB7010 对应的是:stru_37010,即下面 C++ 复现代码里的 key_stru_37010 查表(64 个字符)。
分析出下标计算式
<1>
libnative_lib.so:unk_789DD8F11C LDRB W8, [X21,X24] X8=0000000000000043
libnative_lib.so:000000789DD8F120 LSR X8, X8, #2 X8=0000000000000010
<2>
libnative_lib.so:000000789DD8F130 LDRB W8, [X21,X24] X8=0000000000000043
libnative_lib.so:000000789DD8F134 MOV W24, W22 X24=000000000000000A
libnative_lib.so:000000789DD8F138 CMP X24, X20 C=0 Z=0 N=1
libnative_lib.so:000000789DD8F13C UBFIZ X8, X8, #4, #2 X8=0000000000000030
libnative_lib.so:000000789DD8F140 B.CS unk_789DD8F198
libnative_lib.so:000000789DD8F144 LDRB W9, [X21,X24] X9=0000000000000054
libnative_lib.so:000000789DD8F148 ORR X8, X8, X9,LSR#4 X8=0000000000000035
libnative_lib.so:000000789DD8F14C LDRB W1, [X23,X8] X1=0000000000000050
<3>
libnative_lib.so:000000789DD8F158 LDRB W8, [X21,X24] X8=0000000000000054
libnative_lib.so:000000789DD8F15C ADD W24, W22, #1 X24=000000000000000B
libnative_lib.so:000000789DD8F160 CMP X24, X20 C=0 Z=0 N=1
libnative_lib.so:000000789DD8F164 UBFIZ X8, X8, #2, #4 X8=0000000000000010
libnative_lib.so:000000789DD8F168 B.CS unk_789DD8F1C0
libnative_lib.so:000000789DD8F16C LDRB W9, [X21,X24] X9=000000000000004F
libnative_lib.so:000000789DD8F170 ORR X8, X8, X9,LSR#6 X8=0000000000000011
libnative_lib.so:000000789DD8F174 LDRB W1, [X23,X8] X1=0000000000000066 ;debug result[0xE]=0x66
<4> libnative_lib.so:000000789DD8F180 LDRB W8, [X21,X24] X8=000000000000004F
libnative_lib.so:000000789DD8F184 AND X8, X8, #0x3F X8=000000000000000F
libnative_lib.so:000000789DD8F188 LDRB W1, [X23,X8] X1=0000000000000064 ;debug X23[0xF]=0x64 ('d'),原日志里该值少了一位,按 stru_37010 表第 0xF 项补全
注意:
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
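// Hex alphabet used for the two trailing checksum nibbles (key_xmmword_37060 in libnative-lib.so).
constexpr char kHexAlphabet[] = "0123456789abcdef";
// 64-entry custom base64 alphabet (stru_37010 in libnative-lib.so): digits, '-', '_', a-z, A-Z.
constexpr char kEncodeAlphabet[] =
    "0123456789-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
// Length of the random input the app hands to UUIDCheckSum (RandomStringUtils.randomAlphanumeric(36)).
constexpr std::size_t kInputLen = 36;

// Stage 1 (sub_FCB4): rewrite the 36-byte input in place and append two hex checksum nibbles.
//
// Positions 8, 13, 18 and 24 become '-', position 14 becomes '4', position 23 is
// overwritten with the byte originally at 24 (before 24 turns into '-'). Every
// other position in [0, 34) feeds an additive and an XOR accumulator (seeded
// 0xFF) and then has its lowest bit flipped. The low nibble of each accumulator
// is written as a hex digit to positions 34 and 35.
//
// Bytes are handled as unsigned so a non-ASCII input cannot turn the XOR/sum
// negative (the original used plain char). Throws std::invalid_argument if the
// input is not exactly 36 bytes, since positions 34/35 are written unconditionally.
static std::string transform_uuid(std::string input) {
    if (input.size() != kInputLen) {
        throw std::invalid_argument("transform_uuid expects exactly 36 bytes");
    }
    unsigned xor_acc = 0xFF;
    unsigned sum_acc = 0;
    for (std::size_t i = 0; i + 2 < input.size(); ++i) {   // positions 0..33
        if (i == 0x8 || i == 0xD || i == 0x12 || i == 0x18) {
            input[i] = '-';
            continue;
        }
        if (i == 0xE) {
            input[i] = '4';
            continue;
        }
        if (i == 0x17) {
            input[i] = input[i + 1];   // copy before [0x18] is replaced by '-' on the next iteration
        }
        const unsigned byte = static_cast<unsigned char>(input[i]);
        xor_acc ^= byte;
        sum_acc += byte;
        input[i] = static_cast<char>(byte ^ 1u);
    }
    input[0x22] = kHexAlphabet[sum_acc & 0xF];   // t_22 - (t_22 & 0xFFFFFFF0) == low nibble
    input[0x23] = kHexAlphabet[xor_acc & 0xF];
    return input;
}

// Stage 2: the 3-bytes-to-4-symbols packing traced at 0xF11C..0xF188 — standard
// base64 bit slicing over the custom alphabet above. 36 bytes yield 48 symbols.
//
// The native code bounds-checks every i+1 / i+2 read (CMP X24,X20 / B.CS in the
// trace); here the caller guarantees a multiple of three bytes, so no padding
// path exists and the function throws std::invalid_argument otherwise. Indices
// are computed on unsigned bytes, so every lookup stays within the 64 entries
// (the original's `(input[i] >> 2) & 0xFF` could go negative on a signed char).
static std::string encode_custom_base64(const std::string& data) {
    if (data.size() % 3 != 0) {
        throw std::invalid_argument("encode_custom_base64 expects a multiple of 3 bytes");
    }
    std::string out;
    out.reserve(data.size() / 3 * 4);
    for (std::size_t i = 0; i < data.size(); i += 3) {
        const unsigned b0 = static_cast<unsigned char>(data[i]);
        const unsigned b1 = static_cast<unsigned char>(data[i + 1]);
        const unsigned b2 = static_cast<unsigned char>(data[i + 2]);
        out.push_back(kEncodeAlphabet[b0 >> 2]);                          // LSR X8, X8, #2
        out.push_back(kEncodeAlphabet[((b0 & 0x3) << 4) | (b1 >> 4)]);   // UBFIZ #4,#2 ; ORR LSR#4
        out.push_back(kEncodeAlphabet[((b1 & 0xF) << 2) | (b2 >> 6)]);   // UBFIZ #2,#4 ; ORR LSR#6
        out.push_back(kEncodeAlphabet[b2 & 0x3F]);                        // AND #0x3F
    }
    return out;
}

// Reproduces UUIDCheckSum(input) offline. argv[1], when given, replaces the
// built-in sample; it must be exactly 36 bytes, as the app generates. Prints the
// stage-1 string followed by "result=<48 symbols>", which should match the
// logcat "output:" for the same "input:".
// Returns 0 on success, 1 if the input has the wrong length.
int main(int argc, char** argv) {
    std::string input = "5XH1S4C0qs1ofLGzvX7gTCwWOUqy2fxPUqc0";
    if (argc > 1) {
        input = argv[1];
    }
    if (input.size() != kInputLen) {
        std::cerr << "input must be exactly " << kInputLen << " bytes, got "
                  << input.size() << '\n';
        return 1;
    }
    const std::string transformed = transform_uuid(input);
    std::cout << transformed << '\n';
    const std::string result = encode_custom_base64(transformed);
    std::cout << "result=" << result << '\n';
    return 0;
}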
kanxue : input: YJTRQNVwIJYZnQgNGhkGOweU4qogKhd2dfeR
output: k4HjiP1djRmHgPvppMOOhOnD_incrAeP_l1InyDDnhbznQeM
result= k4HjiP1djRmHgPvppMOOhOnD_incrAeP_l1InyDDnhbznQeM
kanxue : input: KHuwjWk1vYiB7c9COhIx9d6n2qiIKCdXkot2
output: gyzOrAHkox0Hk6v3bwOOeyTD_lySnhqN_l1Cg4D2njzEpxiS
result= gyzOrAHkox0Hk6v3bwOOeyTD_lySnhqN_l1Cg4D2njzEpxiS
看雪ID:laifuling
https://bbs.pediy.com/user-home-814746.htm