
ollvm后的算法还原案例分享

咸鱼炒白菜 看雪学院 2021-03-07
本文为看雪论坛优秀文章
看雪论坛作者ID:咸鱼炒白菜


PS:样本来自看雪3W班第三题,主要是对其被ollvm的算法进行还原,还原思路是先通过动态trace找出有效的代码路径,再结合ida静态分析还原算法。

1. 开jeb,查看button的click事件,可以看到算法函数来自sign1:
@Override // android.support.v7.app.AppCompatActivityprotected void onCreate(Bundle arg2) { super.onCreate(arg2); HelloJni.mContext = this.getApplicationContext(); this.setContentView(0x7F09001C); // layout:activity_hello_jni this.tv = (TextView)this.findViewById(0x7F070042); // id:hello_textview ((Button)this.findViewById(0x7F070024)).setOnClickListener(new View.OnClickListener() { // id:button_sign2 @Override // android.view.View$OnClickListener public void onClick(View arg3) { HelloJni.this.tv.setText(HelloJni.this.sign1(RandomStringUtils.randomAlphabetic(16))); } });} public native String sign1(String arg1) {}

通过hook RegisterNatives找到函数sign1对应的native实现:sign1_10BE8。

进入sign1_10BE8函数,猜测sprintf是将结果二进制转字符串,所以尝试hook在sprintf上面的那个函数sub_1494C4。
// Excerpt from inside sign1_10BE8 (the function head is above this listing).
// sub_1494C4 fills the 16-byte result v13/v14 from the 16-byte input v15; the hook
// below recovers its prototype as sub_1494C4(input, inputlen, &output).
sub_1494C4(&v15, 16LL, &v13);
*(_OWORD *)s = 0u;
v12 = 0u;
// Each result byte is written at a 2-character stride, so byte_1FF008 is presumably a
// two-digit hex format such as "%02x" — NOTE(review): confirm by reading the string in IDA.
sprintf(s, &byte_1FF008, (unsigned __int8)v13);
sprintf(&s[2], &byte_1FF008, BYTE1(v13));
sprintf(&s[4], &byte_1FF008, BYTE2(v13));
sprintf(&s[6], &byte_1FF008, BYTE3(v13));
sprintf(&s[8], &byte_1FF008, BYTE4(v13));
// `(unsigned __int64)s | 0xA` is the decompiler's rendering of s + 10; the OR is only
// equivalent to an add because the compiler knows s's low bits are zero (presumably an
// aligned stack slot).
sprintf((char *)((unsigned __int64)s | 0xA), &byte_1FF008, BYTE5(v13));
sprintf((char *)((unsigned __int64)s | 0xC), &byte_1FF008, BYTE6(v13));
sprintf((char *)((unsigned __int64)s | 0xE), &byte_1FF008, HIBYTE(v13));
// Second 8 bytes of the result (v14) go into v12, i.e. the second half of the 32-char hex string.
sprintf((char *)&v12, &byte_1FF008, (unsigned __int8)v14);
sprintf((char *)&v12 + 2, &byte_1FF008, BYTE1(v14));
sprintf((char *)&v12 + 4, &byte_1FF008, BYTE2(v14));
sprintf((char *)&v12 + 6, &byte_1FF008, BYTE3(v14));
sprintf((char *)&v12 + 8, &byte_1FF008, BYTE4(v14));
sprintf((char *)&v12 + 10, &byte_1FF008, BYTE5(v14));
sprintf((char *)&v12 + 12, &byte_1FF008, BYTE6(v14));
sprintf((char *)&v12 + 14, &byte_1FF008, HIBYTE(v14));

frida hook代码:
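// 1494C4 — sub_1494C4(input, inputlen, &output): dump the input buffer on entry and the
// output buffer after the call returns so the two can be compared.
var addr_1494C4 = base.add(0x1494C4);
Interceptor.attach(addr_1494C4, {
    onEnter: function (args) {
        // Keep the output pointer on Frida's per-invocation `this` rather than in a
        // script-level `var arg2`: that global is shared by every invocation (and by the
        // other hooks in this article, which declare the same name), so a nested or
        // concurrent call would overwrite it before onLeave reads it.
        this.outPtr = args[2];
        console.log("addr_1494C4 onEnter arg0 open(", hexdump(args[0]), ")");
        console.log("addr_1494C4 onEnter arg1 open(", args[1], ")");
        // label fixed: this dump is arg2 (the output buffer), not arg1
        console.log("addr_1494C4 onEnter arg2 open(", hexdump(this.outPtr), ")");
    },
    onLeave: function (retval) {
        // label fixed: the buffer dumped here is arg2 after the callee wrote it
        console.log("addr_1494C4 onLeave arg2 open(", hexdump(this.outPtr), ")");
    }
});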

由比对结果可知,第一个参数是输入的不知名参数,第二个参数是不知名参数的长度,第三个是出参结果二进制,即定义成:sub_1494C4(input, inputlen, &output)。

所以sub_1494C4为关键算法函数:
addr_1494C4 onEnter arg0 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc708 fc 89 a2 ea 8a 3e 78 39 94 53 5b 7c 7d f7 77 f1 .....>x9.S[|}.w.7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 88 23 07 13 07 00 00 00 00 ea cb 0c 73 00 00 00 .#..........s...7ff66cc788 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r...7ff66cc7f8 08 00 00 00 00 00 00 00 40 2a 9d 91 73 00 00 00 ........@*..s... )addr_1494C4 onEnter arg1 open( 0x10 )addr_1494C4 onEnter arg1 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc6f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc708 fc 89 a2 ea 8a 3e 78 39 94 53 5b 7c 7d f7 77 f1 .....>x9.S[|}.w.7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... 
J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 88 23 07 13 07 00 00 00 00 ea cb 0c 73 00 00 00 .#..........s...7ff66cc788 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r... )addr_1494C4 onLeave arg0 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc6f8 3a c4 09 73 eb 0d 21 97 56 f6 c7 2e d1 cc be ca :..s..!.V.......7ff66cc708 fc 89 a2 ea 8a 3e 78 39 94 53 5b 7c 7d f7 77 f1 .....>x9.S[|}.w.7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 88 23 07 13 07 00 00 00 00 ea cb 0c 73 00 00 00 .#..........s...7ff66cc788 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r... )

返回到sign1函数,尝试hook sub_14141C:
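// 14141C — prototype recovered from this hook: (input, length, output). Dumps the input on
// entry and the output buffer on return.
var addr_14141C = base.add(0x14141C);
Interceptor.attach(addr_14141C, {
    onEnter: function (args) {
        // Per-invocation storage instead of the script-level `var addr_14141C_arg2`; a
        // global is overwritten by any nested or concurrent invocation before onLeave runs.
        this.outPtr = args[2];
        console.log("addr_14141C onEnter args0", hexdump(args[0]));
        console.log("addr_14141C onEnter args1", args[1]);
        //console.log("addr_14141C onEnter args2", hexdump(args[2]));
    },
    onLeave: function (retval) {
        console.log("addr_14141C onLeave args2", hexdump(this.outPtr));
    }
});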

由结果,修改函数定义sub_15B68(__int64 input, unsigned int length, __int64 output):
[Google AOSP on msm8996::com.example.hellojni_sign2]-> addr_14141C onEnter args0 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc6b9 68 51 64 41 41 4f 4a 56 69 68 76 59 79 44 51 6b hQdAAOJVihvYyDQk7ff66cc6c9 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 ................7ff66cc6d9 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00 00 ................7ff66cc6e9 00 43 00 7f 00 00 00 03 00 00 00 00 00 59 00 d5 .C...........Y..7ff66cc6f9 05 f5 cc 2e c4 d8 79 02 00 00 00 00 00 00 00 00 ......y.........7ff66cc709 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d5 ................ 7ff66cc719 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 14 ......y.W(.r....7ff66cc729 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 00 W(.r.....l......7ff66cc739 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 00 ...s.......r....7ff66cc749 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 6c ...s...H.l.....l7ff66cc759 d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 88 ...r.... J.s....7ff66cc769 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 b8 .l..........T...7ff66cc779 75 06 13 07 00 00 00 00 00 00 00 00 00 08 40 00 u.............@.7ff66cc789 00 80 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 ..?.............7ff66cc799 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................addr_14141C onEnter args1 0x10addr_14141C onLeave args2 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc708 fd 61 f4 00 91 9d ca db 33 65 6b 8c ea 79 9b 7e .a......3ek..y.~7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... 
J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 b8 75 06 13 07 00 00 00 00 00 00 00 00 00 08 40 .u.............@7ff66cc788 00 00 80 3f 00 00 00 00 00 00 00 00 00 00 00 00 ...?............7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r...7ff66cc7f8 08 00 00 00 00 00 00 00 40 2a 9d 91 73 00 00 00 ........@*..s...

hook sub_1390B8 看看:
// Excerpt from inside sign1_10BE8 (function head not shown): the call to sub_1390B8 as the
// article shows it, before and after its prototype was fixed to
// sub_1390B8(__int64 input, unsigned int length, __int64 output). v182 is the input
// buffer, len its length and output the 16-byte result buffer dumped by the hook below.
sub_1390B8(v182, len, output);
input = sub_1390B8(v182, len, output);

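// 1390B8 — sub_1390B8(input, length, output): dump input on entry, output after return.
var addr_1390B8 = base.add(0x1390B8);
Interceptor.attach(addr_1390B8, {
    onEnter: function (args) {
        // Per-invocation storage instead of a script-level `var arg2` (the 1494C4 and
        // 131ADC hooks declare the same global, so loading them together would make one
        // hook's onLeave dump another hook's pointer).
        this.outPtr = args[2];
        console.log("addr_1390B8 onEnter arg0 open(", hexdump(args[0]), ")");
        console.log("addr_1390B8 onEnter arg1 open(", args[1], ")");
        console.log("addr_1390B8 onEnter arg2 open(", hexdump(this.outPtr), ")");
    },
    onLeave: function (retval) {
        // label fixed: this is arg2 (the output buffer) after the call, not arg0
        console.log("addr_1390B8 onLeave arg2 open(", hexdump(this.outPtr), ")");
    }
});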

由hook的结果,修改函数定义sub_1390B8(__int64 input, unsigned int length, __int64 output):
addr_1390B8 onEnter arg0 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc6b9 79 56 55 65 65 73 7a 5a 45 4e 6f 64 6a 45 65 77 yVUeeszZENodjEew7ff66cc6c9 00 00 00 00 00 00 00 3c c7 6c f6 7f 00 00 00 00 .......<.l......7ff66cc6d9 ea cb 0c 73 00 00 00 00 00 00 00 00 00 00 00 00 ...s............7ff66cc6e9 00 43 00 7f 00 00 00 00 c8 6c f6 00 00 59 00 d5 .C.......l...Y..7ff66cc6f9 05 f5 cc 2e c4 d8 79 02 00 00 00 00 00 00 00 00 ......y.........7ff66cc709 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d5 ................7ff66cc719 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 14 ......y.W(.r....7ff66cc729 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 00 W(.r.....l......7ff66cc739 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 00 ...s.......r....7ff66cc749 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 6c ...s...H.l.....l7ff66cc759 d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 88 ...r.... J.s....7ff66cc769 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 48 .l..........T..H7ff66cc779 19 cc 12 07 00 00 00 00 ea cb 0c 73 00 00 00 02 ...........s....7ff66cc789 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc799 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ )addr_1390B8 onEnter arg1 open( 0x10 )addr_1390B8 onEnter arg2 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc708 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... 
J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 48 19 cc 12 07 00 00 00 00 ea cb 0c 73 00 00 00 H...........s...7ff66cc788 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r...7ff66cc7f8 08 00 00 00 00 00 00 00 40 2a 9d 91 73 00 00 00 ........@*..s... )addr_1390B8 onLeave arg0 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc708 bc ca f4 e4 52 8f af 6c f3 7e 66 ea 9b 6a ee d8 ....R..l.~f..j..7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... 
J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 48 19 cc 12 07 00 00 00 00 ea cb 0c 73 00 00 00 H...........s...7ff66cc788 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r...7ff66cc7f8 08 00 00 00 00 00 00 00 40 2a 9d 91 73 00 00 00 ........@*..s... )

跟进sub_1390B8, 找output参数的引用。

发现与之关联的函数为sub_131ADC, hook看看:
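// 131ADC — reached from sub_1390B8 with the output buffer as its 2nd argument. In the
// captured dump arg0 looks like an MD5 context: a byte count of 0x30 (32 + 16), the IV
// words 01234567 / 89abcdef / fedcba98 / 76543210, then the buffered message
// "421d38d938156606164a15d2e7f822d9" + input; arg1 receives 16 bytes on return.
var addr_131ADC = base.add(0x131ADC);
Interceptor.attach(addr_131ADC, {
    onEnter: function (args) {
        // Per-invocation storage instead of a script-level `var arg2` shared with the
        // other hooks in this article.
        this.digestPtr = args[1];
        console.log("addr_131ADC onEnter arg0 open(", hexdump(args[0]), ")");
        // label fixed: this dump is args[1], the digest/output buffer
        console.log("addr_131ADC onEnter arg1 open(", hexdump(this.digestPtr), ")");
    },
    onLeave: function (retval) {
        // label fixed: args[1] after the call, i.e. the finished digest
        console.log("addr_131ADC onLeave arg1 open(", hexdump(this.digestPtr), ")");
    }
});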

发现拼接421d38d938156606164a15d2e7f822d9+xAhVpgkjDTMneXhX:
addr_131ADC onEnter arg0 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc430 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0...............7ff66cc440 01 23 45 67 00 00 00 00 89 ab cd ef 00 00 00 00 .#Eg............7ff66cc450 fe dc ba 98 00 00 00 00 76 54 32 10 00 00 00 00 ........vT2.....7ff66cc460 34 32 31 64 33 38 64 39 33 38 31 35 36 36 30 36 421d38d9381566067ff66cc470 31 36 34 61 31 35 64 32 65 37 66 38 32 32 64 39 164a15d2e7f822d97ff66cc480 78 41 68 56 70 67 6b 6a 44 54 4d 6e 65 58 68 58 xAhVpgkjDTMneXhX7ff66cc490 00 00 00 00 7f 00 00 00 a0 41 ae 8d 73 00 00 00 .........A..s...7ff66cc4a0 20 3f dc 8d 73 00 00 00 d8 7c 1f 02 73 00 00 00 ?..s....|..s...7ff66cc4b0 02 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................7ff66cc4c0 a0 ea cb 0c 73 00 00 00 40 2a 9d 91 73 00 00 00 ....s...@*..s...7ff66cc4d0 08 00 00 00 00 00 00 00 14 57 28 f6 72 00 00 00 .........W(.r...7ff66cc4e0 40 2a 9d 91 73 00 00 00 00 83 9f 04 73 00 00 00 @*..s.......s...7ff66cc4f0 b9 c6 6c f6 7f 00 00 00 c0 c1 cc 0c 73 00 00 00 ..l.........s...7ff66cc500 50 c7 6c f6 7f 00 00 00 74 60 50 8e 73 00 00 00 P.l.....t`P.s...7ff66cc510 01 00 00 00 69 80 f8 eb 1c 14 ec f5 72 00 00 00 ....i.......r...7ff66cc520 b0 c6 6c f6 05 8b 9e 7a 01 00 00 00 fb 74 61 85 ..l....z.....ta. )addr_131ADC onLeave arg0 open( 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF7ff66cc708 2b b3 31 c7 9a dc e3 3f 72 0d b2 64 15 46 40 62 +.1....?r..d.F@b7ff66cc718 d5 05 f5 cc 2e c4 d8 79 14 57 28 f6 72 00 00 00 .......y.W(.r...7ff66cc728 14 57 28 f6 72 00 00 00 1c ca 6c f6 7f 00 00 00 .W(.r.....l.....7ff66cc738 00 ea cb 0c 73 00 00 00 e8 0b d9 f5 72 00 00 00 ....s.......r...7ff66cc748 00 ea cb 0c 73 00 00 00 48 c8 6c f6 7f 00 00 00 ....s...H.l.....7ff66cc758 6c d2 09 f6 72 00 00 00 f8 20 4a 8f 73 00 00 00 l...r.... 
J.s...7ff66cc768 88 d4 6c f6 7f 00 00 00 02 00 00 00 08 54 00 13 ..l..........T..7ff66cc778 88 2f cc 12 07 00 00 00 00 ea cb 0c 73 00 00 00 ./..........s...7ff66cc788 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................7ff66cc7c8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7d8 00 00 00 00 00 00 00 00 00 ea cb 0c 73 00 00 00 ............s...7ff66cc7e8 1c ca 6c f6 7f 00 00 00 14 57 28 f6 72 00 00 00 ..l......W(.r...7ff66cc7f8 08 00 00 00 00 00 00 00 40 2a 9d 91 73 00 00 00 ........@*..s... )

盲猜是MD5,用CyberChef验证一下(https://gchq.github.io/CyberChef/#recipe=MD5()&input=NDIxZDM4ZDkzODE1NjYwNjE2NGExNWQyZTdmODIyZDl4QWhWcGdrakRUTW5lWGhY),发现一致。但是在ida中静态找没找到MD5常量,猜测是指令替换导致的。(其实上面hook得到的arg0 dump已经能印证这一点:7ff66cc440处的01 23 45 67 / 89 ab cd ef / fe dc ba 98 / 76 54 32 10正是MD5的初始状态A/B/C/D,前面的0x30则是消息长度32+16;静态看不到,只说明这些常量在指令层面被替换了。)

返回对比验证sub_1494C4,可知,第一个参数即为MD5(421d38d938156606164a15d2e7f822d9 + inputString)。

跟进sub_1494C4,查找output参数的引用,找到1个。

发现静态看没法看,改用trace动态分析。

注意脚本设置断点, 由于是ARM64,要切换T为0:
def set_breakpoint(ea: int, isthumb: int = 1) -> None:
    """Set an IDA breakpoint at ``ea`` for the dynamic trace.

    The T (Thumb) segment register is forced to 0 before the address is
    marked as code: the sample is ARM64, so the bytes must not be decoded
    as Thumb (see the note above this snippet).

    Note: ``isthumb`` is accepted but currently ignored — T is always
    written as 0.  ``idc.SetReg`` / ``idc.MakeCode`` are legacy IDAPython
    names; newer IDA releases expose renamed equivalents.
    """
    idc.SetReg(ea, "T", 0)  # ARM64: clear the Thumb flag at this address
    idc.MakeCode(ea)        # make sure the address is decoded as code before breaking on it
    idc.add_bpt(ea)

根据trace的结果加上ida的f5,可以定位到对应的算法的基本块的范围。

定位到153F24位置的代码疑似是密码表,尝试hook,对比trace的结果,发现一致,得到密码表char v2015[] = {0x3a,0x33,0x9b,0x79,0x61,0xf3,0x27,0x96,0xbe,0x5b,0x84,0xd2,0x6c,0xf5,0xb9,0x15};
// 153F28: instruction-level hook. Prints x11 at this address so the values can be compared
// with the trace to confirm the 16-byte table read at 153F24.
var addr_153F28 = base.add(0x153F28);
function logTableRegister(context) {
    console.log("addr_153F28 x11", context.x11);
}
Interceptor.attach(addr_153F28, {
    onEnter: function (args) {
        logTableRegister(this.context);
    },
    onLeave: function (retval) {
        // nothing is logged on the way out
    }
});

定位到第二个疑似密码表的位置:
.text:0000000000153F5C LDUR W16, [X29,#var_80]    ; second table candidate: reloads the byte parked at [X29,#var_80] (stored at 14A6A4 below)

往上追溯[X29,#var_80]的来源,找到全局变量xmmword_1FF160,用print_string打印,得到定值151caed3cfc7e999ebf6b66d3e8e96cc:
.text:000000000014A688 ADRL X10, xmmword_1FF160      ; X10 = &xmmword_1FF160, the 32-char constant printed below
.text:000000000014A690 ADRP X12, #y_ptr@PAGE
.text:000000000014A694 LDRB W9, [X10,X9]             ; W9 = one byte of the constant, indexed by X9
.text:000000000014A698 MOV W28, #0x12A4              ; W28 is assembled into 0x056C12A4 by the MOVK below — the same
.text:000000000014A69C MOV W30, #0x7415              ;   mask as `v47 & 0x56C12A4` in the restored code; 0x7415 matches the
.text:000000000014A6A0 MOVK W28, #0x56C,LSL#16       ;   low half of 0x31447415 (presumably completed by a later MOVK)
.text:000000000014A6A4 STUR W9, [X29,#var_80]        ; park the byte in the stack slot that 153F5C reads back

// Hexdump memory at `addr`, an offset relative to the base of libhello-jni.so
// (used here to read the constant at xmmword_1FF160).
function print_string(addr) {
    var moduleBase = Module.findBaseAddress("libhello-jni.so");
    var target = moduleBase.add(addr);
    var dump = hexdump(target);
    console.log("print_string:", dump);
}

根据trace还原的代码:
// Reconstruction (from the dynamic trace) of the obfuscated byte transform traced inside
// sub_1494C4. It is a test harness, not a drop-in implementation: c2020 is a placeholder for
// the real 16-byte input and the second pass only logs its bytes.
//
// Inputs it models:
//   c2020 - the 16 bytes the routine consumes; per the trace this is
//           MD5(421d38d938156606164a15d2e7f822d9 + inputString). "ABCDEF0123456789" is a stand-in.
//   v2015 - the 16-byte table recovered at 153F24
//   v2018 - the 32-char constant at xmmword_1FF160; only v2018[i % 8] (its first 8 chars) is read
//   v1957, v1993, v1973 - 32-bit constants folded into the MBA expressions
// Output: v2020[16] from pass 1; pass 2 computes v2022 per byte and only logs it.
//
// NOTE(review): `char` is unsigned on AArch64 Linux/Android but signed on x86-64. When this
// harness is compiled off-device, v2015[i] / v2020[i] values >= 0x80 sign-extend into int.
// The sub-expressions appear to mask to 8 bits, so this is probably harmless, but switch to
// unsigned char / uint8_t if the logged bytes ever disagree with the trace.
// NOTE(review): v2020 is allocated with new[] and never delete[]d (16 bytes leak per call).
void hello3(){
    int v1973 = 0x2696953;
    //c2020 = MD5(421d38d938156606164a15d2e7f822d9 + inputString)
    char* c2020 = "ABCDEF0123456789";
    char* v2020 = new char[16];
    int v1957 = 0xB0C2D611;
    int v1993 = 0xCEBB8BEA;
    char v2015[] = {0x3a,0x33,0x9b,0x79,0x61,0xf3,0x27,0x96,0xbe,0x5b,0x84,0xd2,0x6c,0xf5,0xb9,0x15};
    char* v2018 = "151caed3cfc7e999ebf6b66d3e8e96cc";
    //result
    //char v2020[] = {0x75, 0x6a, 0x33, 0xa2, 0x95, 0x96, 0x9c, 0x28, 0x75, 0xb2, 0x78, 0xc5, 0xba, 0xc9, 0x51, 0x75};
    // Pass 1: v2020[i] from c2020[i], v2015[i] and v2018[i % 8]. The variable numbering
    // follows the IDA pseudocode so each line can be matched against the trace.
    for(int i = 0; i< 16; i++){
        int v1433 = c2020[i];
        int v1434 = v2015[i];
        int v1435 = (~v1433 & 0x80 | v1433 & 0x7C) ^ 0x7C;
        int v1436 = v1435 & (v1433 ^ 0xFC) & v1433 | v1435 ^ (v1433 ^ 0xFC) & v1433;
        int v1437 = v1434 & ~v1434; // always 0 (x & ~x): MBA residue, kept to mirror the trace
        int v1438 = (~v1434 & 0xE5 | v1434 & 0x1A) ^ 0x1A;
        int v1439 = ((~(v1436 & 0xFC | ~v1436 & 3) & 0xE6 | (v1436 & 0xFC | ~v1436 & 3) & 0x19) ^ 0x19) & ~v1434 | v1434 & ((~(v1436 & 0xFC | ~v1436 & 3) & 0xE6 | (v1436 & 0xFC | ~v1436 & 3) & 0x19) ^ 0xE6);
        int v1440 = (v2015[i] ^ ~v1439) & v1439;
        int v1441 = 0;
        int v1442 = (~v1433 & 0xB0 | v1433 & 0x4F) ^ (((~(v1438 & v1437 | v1438 ^ v1437) & 0x73 | (v1438 & v1437 | v1438 ^ v1437) & 0x8C) ^ 0x30) & 0xB0 | ((~(v1438 & v1437 | v1438 ^ v1437) & 0x73 | (v1438 & v1437 | v1438 ^ v1437) & 0x8C) ^ 0xC) & 0x4F);
        int v1443 = ~v1440 & 0x43 | v1440 & 0xBC;
        int v1446 = v1441 & 0x85254009; // v1441 is still 0 here; this initial value is dead and overwritten below
        v1441 = (c2020[i] ^ ~v1442) & v1442;
        int v1447 = v1443 ^ 0xBC;
        v1446 = ~v1441 & 0xD6 | v1441 & 0x29;
        int v1449 = (v1443 ^ 0xD2) & (v1443 ^ 0xBC) ^ (v1440 ^ 0x91) & v1440 | ~(~((v1443 ^ 0xD2) & (v1443 ^ 0xBC)) | ~((v1440 ^ 0x91) & v1440));
        v1443 ^= 0x43u;
        int v1450 = v1446 ^ 9;
        v1446 = v1446 ^ 0xD6;
        int v1451 = (~v1441 | 0x91) & 0x61 | ~(~v1441 | 0x91) & 0xE;
        int v1452 = v1443 & 0xE4;
        int v1453 = v1446 | 0x6E;
        int v1454 = v1443 | v1446;
        int v1455 = v1447 & 0x1B;
        int v1456 = v1446 & 0xE4 | v1450 & 0x1B;
        int v1459 = (v1452 | v1455) ^ v1456 | ~v1454;
        int v1460 = ((v1453 & 0x61 | ~v1453 & 0xF0) ^ v1451) & ~v1449 | v1449 & ~((v1453 & 0x61 | ~v1453 & 0xF0) ^ v1451);
        int v2016 = (~v1460 & 0xE2 | v1460 & 0x1D) ^ (v1459 & 0xE2 | ~v1459 & 0x1D) | ~(v1459 | ~v1460);
        // From here the byte is mixed with v2018[i % 8] using 32-bit masks; 0x56C12A4 and
        // 0x31447415 are the immediates seen being assembled at 14A698..14A6A0.
        int v46 = v2016;
        int v47 = v2018[i % 8];
        int v48 = v47 & 0x56C12A4 | ~v47 & 0xFA93ED5B;
        int v49 = ~(~v47 & 0x1E61E321 | v47 & 0xE19E1CDE) ^ 0x1E61E321;
        int v50 = (~(~v46 & 0x31447415) & 0xC23208CD | ~v46 & 0x1010) ^ (~((v46 ^ 0x15) & v46) & 0xF3766CCD | (v46 ^ 0x15) & v46 & 0xC899332) | ~(~(~v46 & 0x31447415) | ~((v46 ^ 0x15) & v46));
        int v51 = ~(~(v48 ^ 0x56C12A4) & 0xD2B20D14 | (v48 ^ 0x56C12A4) & 0x2D4DF2EB) ^ 0xD2B20D14;
        int v53 = (~v46 & 0x5E58FB3C | v46 & 0xA1A704C3) ^ (~v51 & 0x5E58FB3C | v51 & 0xA1A704C3);
        int v55 = ~(~(v1993 & ~v50 | v50 & 0x31447415) & 0xF5E68FF6 | (v1993 & ~v50 | v50 & 0x31447415) & 0xA197009) ^ 0xF5E68FF6;
        int v56 = (v2016 ^ ~v53) & v53;
        int v57 = v49 & v55 | v49 ^ v55;
        int v59 = ~(~v56 & 0x78091A2 | v56 & 0xF87F6E5D) ^ 0x78091A2;
        int v60 = ~v57;
        int v63 = ~(~v60 & 0x92D59C4D | v60 & 0x6D2A63B2) ^ 0x92D59C4D;
        int v64 = ~v60 | 0x7E8D11FF;
        int v65 = (~v59 ^ 0x7E8D11FF) & v59 & v56 & 0x8172EE00 | (~v59 ^ 0x7E8D11FF) & v59 ^ v56 & 0x8172EE00;
        int v66 = ~v65 & 0x6C72C022;
        int v67 = v65 & 0x938D3FDD;
        int v71 = v59 & v63 | v59 ^ v63;
        int v73 = (~((~v63 ^ 0x7E8D11FF) & v63) & 0x1CBD7045 | (~v63 ^ 0x7E8D11FF) & v63 & 0xE3428FBA) ^ (v64 & 0x1CBD7045 | ~v64 & 0xE3428FBA) | ~(v64 | ~((~v63 ^ 0x7E8D11FF) & v63));
        int v76 = ~(~v71 & 0x240C7637 | v71 & 0xDBF389C8) ^ 0x240C7637;
        int v77 = (v66 | v67) ^ (~v73 & 0x6C72C022 | v73 & 0x938D3FDD);
        int v2019 = v77 & v76 | v77 ^ v76;
        int v828 = (v2019 ^ 0x4F3D29EE) & v2019 & ~(v2019 | 0xB0C2D611) | (v2019 | 0xB0C2D611) ^ ~((v2019 ^ 0x4F3D29EE) & v2019);
        int v829 = v1957 & ~v828 | v828 & 0x4F3D29EE;
        int v830 = (~((v829 ^ 0xFF) & v829) & 0x908C3C81 | (v829 ^ 0xFF) & v829 & 0x6F73C37E) ^ (~(~v829 & 0xFFFFFF00 | v829) & 0x908C3C81 | (~v829 & 0xFFFFFF00 | v829) & 0x6F73C37E) | ~(~((v829 ^ 0xFF) & v829) | ~(~v829 & 0xFFFFFF00 | v829));
        int v832 = (~(~v830 & 0x10533610) & 0x870BAA76 | ~v830 & 0x10501400) ^ (~((v830 ^ 0x10533610) & v830) & 0x870BAA76 | (v830 ^ 0x10533610) & v830 & 0x78F45589) | ~(~(~v830 & 0x10533610) | ~((v830 ^ 0x10533610) & v830));
        int v834 = v2015[i] + 1933657666 + ~((~(~v832 & 0xEFACC9EF | v832 & 0x10533610) & 0x36649895 | (~v832 & 0xEFACC9EF | v832 & 0x10533610) & 0xC99B676A) ^ 0xC99B676A | ~(~v832 & 0xEFACC9EF | v832 & 0x10533610));
        // The +/- 1933657666 cancel (modulo 2^32); what survives is the low byte of
        // v2015[i] + ~(...). Keeping the constant mirrors the trace.
        int result = (v834 - 1933657666)&0x00000FF;
        //LOGD("xxxxx v2020 %x\n", v2020);
        v2020[i] = result;
    }
    // Pass 2: recomputes a byte from v2020[i], v2015[i] and v2018[i % 8]. Its result v2022
    // is only logged, never stored — the restoration stops at this point.
    for(int i = 0; i< 16; i++){
        int v941 = v2020[i];
        int v942 = v2015[i];
        //int v1925 = -1960883346;
        int v943 = v2018[i % 8];
        int v944 = ~v942 & 0xFE | v942 & 1;
        int v945 = v941 & ~v941; // always 0 (x & ~x), as with v1437 above
        int v946 = ~v941 & 0x91 | v941 & 0x6E;
        int v947 = ~v945 & 0xC0 | v945 & 0x3F;
        int v948 = v946 ^ 0x91 | ~v945;
        int v949 = (v943 | 0xAC) & 0xBF | ~(v943 | 0xAC) & 0x40;
        int v950 = ~(~v942 & 0x65 | v942 & 0x9A) ^ 0x65;
        int v951 = (~v943 | 0x53) & 0xBF | ~(~v943 | 0x53) & 0x40;
        int v952 = ~(~v944 ^ 0xFE) & 0x52 | ~(v944 ^ 0xFE) ^ 0xAD;
        int v953 = (~v943 & 6 | v943 & 0xF9) ^ 0xAC;
        int v954 = (v2018[i % 8] ^ ~v953) & v953;
        int v955 = v949 ^ v951;
        int v956 = (~v950 & 0x69 | v950 & 0x96) ^ 0xC4 | v950 & 0xAD;
        int v957 = ~(~v941 & 0x87 | v941 & 0x78) ^ 0x87;
        int v958 = (~(~v946 ^ 0x91) & 0xC0 | (~v946 ^ 0x91) & 0x3F) ^ v947;
        int v959 = ~v952 & 0x3E | v952 & 0xC1;
        int v960 = ~(~(v957 & 0xAD | v957 ^ 0xAD) & 0x3E | (v957 & 0xAD | v957 ^ 0xAD) & 0xC1) ^ 0x3E;
        int v961 = (v954 ^ 0x88) & ~v954 & v954 & 0x77 | (v954 ^ 0x88) & ~v954 ^ v954 & 0x77;
        int v962 = ~(~(v958 | ~v948) & 0x24 | (v958 | ~v948) & 0xDB) ^ 0x24;
        int v963 = ~(~(~v955 & 0xAC | v955 & v1973) & 0x55 | (~v955 & 0xAC | v955 & v1973) & 0xAA) | ~(~v955 & 0xAC | v955 & v1973);
        int v964 = ~v961 & 0x87 | v961 & 0x78;
        int v965 = ~(~v959 ^ 0x3E) & 0x47 | (~v959 ^ 0x3E) & 0xB8;
        int v966 = ~(~v956 & 0xA1 | v956 & 0x5E) ^ 0xA1;
        int v967 = v959 ^ 0x3E | ~v966;
        int v968 = ~(~v960 & 0x74 | v960 & 0x8B) ^ 0x74;
        int v969 = ~v963;
        int v970 = v965 ^ (~v966 & 0x47 | v966 & 0xB8);
        int v971 = v963 & ~v954;
        int v972 = v954 ^ ~v963;
        int v973 = ~v963 & 0x77;
        int v974 = v971 | v972;
        v969 |= 0x77u;
        int v975 = v970 & ~v967 | v967 ^ ~v970;
        int v976 = ~(~(v962 & 0x52 | v962 ^ 0x52) & 0xA8 | (v962 & 0x52 | v962 ^ 0x52) & 0x57) ^ 0xA8;
        int v977 = (~((~v968 ^ 0xB8) & v968) & 0xA8 | (~v968 ^ 0xB8) & v968 & 0x57) ^ ((~v960 | 0xB8) & 0xA8 | ~(~v960 | 0xB8) & 0x57) | ~(~v960 | 0xB8 | ~((~v968 ^ 0xB8) & v968));
        int v978 = v968 & ~v976 | v976 ^ ~v968;
        int v979 = ((v976 | 0x47) & 0xB | ~(v976 | 0x47) & 0xF4) ^ ((~v976 | 0xB8) & 0xB | ~(~v976 | 0xB8) & 0xF4);
        int v980 = (~(((v969 ^ v973) & 0x87 | (v969 ^ ~v973) & 0x78) ^ v964) & 0xA6 | (((v969 ^ v973) & 0x87 | (v969 ^ ~v973) & 0x78) ^ v964) & 0x59) ^ (v974 & 0xA6 | ~v974 & 0x59) | ~(v974 | ~(((v969 ^ v973) & 0x87 | (v969 ^ ~v973) & 0x78) ^ v964));
        int v981 = (~v979 & 0xD5 | v979 & 0x2A) ^ (~v977 & 0xD5 | v977 & 0x2A);
        int v982 = v981 & ~v978 | v978 ^ ~v981;
        int v983 = v982 & ~(v982 ^ ~(~v975 & 0xE4 | v975 & 0x1B) ^ 0xE4);
        int v984 = (~v983 & 0x4A | v983 & 0xB5) ^ (~((v975 ^ v982) & v975) & 0x4A | (v975 ^ v982) & v975 & 0xB5) | ~(~v983 | ~((v975 ^ v982) & v975));
        int v985 = v984 & ~v984; // always 0 (x & ~x)
        int v986 = ~v984 & 0xE6 | v984 & 0x19;
        int v987 = ~v985 & 0xA | v985 & 0xF5;
        int v988 = (~v984 & 0x21 | v984 & 0xDE) ^ 0x74 | ~v984;
        int v989 = v986 ^ 0xE6 | ~v985;
        int v990 = (~(~v986 ^ 0xE6) & 0xA | (~v986 ^ 0xE6) & 0xF5) ^ v987;
        int v991 = v988 & 0x44 | ~v988 & 0xBB;
        int v992 = ((v990 | ~v989) & 1 | ~(v990 | ~v989) & 0xFE) ^ 0xAB;
        int v993 = v992 & ~(v992 ^ 0xAA);
        int v994 = (v993 ^ v988) & v993;
        int v995 = (~v993 & 0x44 | v993 & 0xBB) ^ v991;
        int v996 = v994 & v995 | v994 ^ v995;
        int v997 = ~(~v996 & 0x30 | v996 & 0xCF) ^ 0x30;
        int v2021 = (~(v980 & ~(v980 ^ v997)) & 0x61 | v980 & ~(v980 ^ v997) & 0x9E);
        //LOGD("xxxxx v2021 %x\n", v2021);
        int v2022 = v2021 ^ ((v980 | ~v996) & 0x61 | ~(v980 | ~v996) & 0x9E);
        LOGD("xxxxx v2022 %x\n", v2022); // logged only; nothing is written back
    }
}



- End -






看雪ID:咸鱼炒白菜

https://bbs.pediy.com/user-752228.htm 

*本文由看雪论坛 咸鱼炒白菜 原创,转载请注明来自看雪社区。














