0
前言
文章中所有内容仅供学习交流使用,不用于其他任何目的,抓包内容、敏感网址、数据接口均已做脱敏处理,严禁用于商业和非法用途,否则由此产生的一切后果与作者无关。若有侵权,请在vx【amuncocoL】联系作者
一
抓包&加密字段的定位分析
APP使用花瓶抓包如下,本次就对抓包中的sign来进行分析
使用frda-trace跟踪下NSURL方法看下
frida-trace -UF -m "+[NSURL URLWith*]"js代码如下js代码如下
/** Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:relativeToURL:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call +[NSURL URLWithString:relativeToURL:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var url = ObjC.Object(args[2]);log(Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("n") + "n");log(`+[NSURL URLWithString:${url} relativeToURL:${args[3]}]`);},/*** Called synchronously when about to return from +[NSURL URLWithString:relativeToURL:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}}
结果:
URLWithString:https://xxxx/cgi-bin/musics.fcg relativeToURL:0x0]0x100c5d6d8 xx.app/XXMusic!-[AFHTTPSessionManager dataTaskWithHTTPMethod:URLString:parameters:headers:uploadProgress:downloadProgress:success:failure:]0x1082d9828 xx.app/XXMusic!-[QMAFNHTTPRequestImpl startRequest]0x10876d350 xx.app/XXMusic!+[ComHelper execOnMainThread:sync:]0x1082d8dc4 xx.app/XXMusic!-[QMAFNHTTPRequestImpl startAsynchronousInQueue:]0x108ff5674 xx.app/XXMusic!-[QMUniteNetBase startConnection]0x109931604 xx.app/XXMusic!-[ProtocolUniteRequest startConnectionWithPostData:]0x10993173c xx.app/XXMusic!-[ProtocolUniteRequest continueWorkWith:SID:ipv4Address:]0x1097aaa40 xx.app/XXMusic!-[NetworkRobot requestForNetWork:]0x1079be6cc xx.app/XXMusic!-[NetWorkUserSessionRobot requestForSessionRobotNetWork:]0x10992fad8 xx.app/XXMusic!-[ProtocolUniteRequest startWorkOnMainThread:]0x1985e29a8 libdispatch.dylib!_dispatch_call_block_and_release0x1985e3524 libdispatch.dylib!_dispatch_client_callout0x1985c66fc libdispatch.dylib!_dispatch_main_queue_callback_4CF$VARIANT$armv810x19889b6bc CoreFoundation!__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__0x198896590 CoreFoundation!__CFRunLoopRun0x198895ba8 CoreFoundation!CFRunLoopRunSpecific
看到可疑字段方法 -[ProtocolUniteRequest startConnectionWithPostData:]打印下内容js代码如下:
/** Auto-generated by Frida. Please modify to match the signature of -[ProtocolUniteRequest startConnectionWithPostData:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call -[ProtocolUniteRequest startConnectionWithPostData:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var result = new ObjC.Object(args[2]);log(`-[ProtocolUniteRequest startConnectionWithPostData:${result}n${hexdump(result.bytes())}]`);},/*** Called synchronously when about to return from -[ProtocolUniteRequest startConnectionWithPostData:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}}
结果
667 ms -[ProtocolUniteRequest startConnectionWithPostData:{length = 621, bytes = 0x874fc5a3 05789c6d 53596f9b 301c7fef ... 77b6fb0b f4bf1fa9 }0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF12f9835c0 87 4f c5 a3 05 78 9c 6d 53 59 6f 9b 30 1c 7f ef .O...x.mSYo.0...12f9835d0 a7 88 78 6d e8 6c 63 1b 98 b4 07 30 49 5b 25 b4 ..xm.lc....0I[%.12f9835e0 69 d7 36 d9 34 29 32 c4 24 b4 5c 21 90 5e ca 77 i.6.4)2.$.!.^.w12f9835f0 1f 97 73 74 f3 03 12 bf e3 7f da 9f 67 bd 9e 72 ..st........g..r12f983600 e7 5e 46 a9 c7 23 96 c6 b1 48 0a b6 0c 21 40 40 .^F..#...H...!@@12f983610 e9 7d ef 7d 56 74 25 88 d3 45 19 89 1a 50 e2 72 .}.}Vt%..E...P.r12f983620 13 fa 17 cb 63 fd 85 f4 a5 65 52 fc cc b7 4a bf ....c....eR...J.12f983630 73 89 62 95 2e 1a d7 a5 28 58 dc f0 92 cc 78 ce s.b.....(X....x.12f983640 e3 43 8a 0a c9 c5 ba 14 9b e2 18 ab 50 2f fc 98 .C..........P/..12f983650 17 ef 59 93 5c eb 1f 70 bf 09 56 81 a0 7f 2a 0e ..Y...p..V...*.12f983660 db 8c 08 d6 47 f9 ea 98 6f 45 de f0 4a 47 ec ce ....G...oE..JG..12f983670 e4 77 57 6b 2b 55 1c 1f 77 9e f8 8d 1c c8 50 ca .wWk+U..w.....P.12f983680 6d 26 92 47 e7 da 69 60 62 db 16 a2 90 58 3a a5 m&.G..i`b....X:.12f983690 18 11 66 51 db 46 03 86 6c 8b 21 46 a9 25 4d 61 ..fQ.F..l.!F.%Ma12f9836a0 c0 1b bd 05 0d 13 52 a8 ab 4c a7 58 c5 0e 1d a8 ......R..L.X....12f9836b0 86 03 a0 4a 4d c7 22 80 10 d3 60 ba f4 04 13 91 ...JM."...`.....]58646 ms -[ProtocolUniteRequest startConnectionWithPostData:{length = 586, bytes = 0xaf58c255 38789c6d 545d73a2 30147def ... 76f1f907 d4b807a6 }0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF118ebb340 af 58 c2 55 38 78 9c 6d 54 5d 73 a2 30 14 7d ef .X.U8x.mT]s.0.}.118ebb350 af 70 78 b5 b4 49 48 82 ec cc 3e 00 6a d7 6e 5d .px..IH...>.j.n]118ebb360 b5 b6 d5 ee 74 a6 13 20 68 2a 5f 42 74 d7 76 fa ....t.. h*_Bt.v.118ebb370 df 57 c0 a0 ee 2e 4f dc 73 cf 4d ce 3d f7 c2 c7 .W....O.s.M.=...118ebb380 45 ab a5 f9 69 1c 6b ad 2f ad 8f 7d b0 0f e3 c4 E...i.k./..}....118ebb390 2f 23 0d 40 ed b2 46 46 19 4f 1e bb 83 6e 05 13 /#[email protected]..118ebb3a0 c7 b1 11 85 c4 36 29 c5 88 b8 36 75 1c d4 73 91 .....6)...6u..s.118ebb3b0 63 bb c8 a5 d4 56 45 22 64 15 df 86 1d 0b 52 68 c....VE"d.....Rh118ebb3c0 ea ae 49 b1 8e bb b4 a7 77 ba 00 ea d4 ea da 04 ..I.....w.......118ebb3d0 10 62 75 5c 53 d5 84 63 9e 17 69 c2 22 21 77 b5 .buS..c..i."!w.118ebb3e0 06 95 91 39 f3 b9 08 2a 10 a2 57 42 00 46 1d 60 ...9...*..WB.F.`118ebb3f0 61 eb 95 9a 26 c6 94 5a 54 51 d3 62 cb f3 9a 68 a...&..ZTQ.b...h118ebb400 5c 35 a8 bf 3c 54 83 63 5f 09 97 72 97 f1 0a 46 5..<T.c_..r...F118ebb410 0a cc 96 e9 1e 57 b0 18 97 21 04 97 86 ca ff e2 .....W...!......118ebb420 5e 76 ae 2d f6 6b c3 30 6d 20 5f d6 02 54 3c 19 ^v.-.k.0m _..T<.118ebb430 0c 7b 03 83 56 20 47 21 86 1c 60 83 30 14 72 86 .{..V G!..`.0.r.]
看内容NSData不是直接想要的json数据,可能有处理追下上一层代码,结果如下:
startConnectionWithPostData call0x10d0e173c xx.app/XXMusic!-[ProtocolUniteRequest continueWorkWith:SID:ipv4Address:]0x10cf5aa40 xx.app/XXMusic!-[NetworkRobot requestForNetWork:]0x10b16e6cc xx.app/XXMusic!-[NetWorkUserSessionRobot requestForSessionRobotNetWork:]0x10d0dfad8 xx.app/XXMusic!-[ProtocolUniteRequest startWorkOnMainThread:]0x1985e29a8 libdispatch.dylib!_dispatch_call_block_and_release0x1985e3524 libdispatch.dylib!_dispatch_client_callout0x1985c66fc libdispatch.dylib!_dispatch_main_queue_callback_4CF$VARIANT$armv810x19889b6bc CoreFoundation!__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__0x198896590 CoreFoundation!__CFRunLoopRun0x198895ba8 CoreFoundation!CFRunLoopRunSpecific0x1a2a05344 GraphicsServices!GSEventRunModal0x19c9d13e4 UIKitCore!UIApplicationMain0x10b368180 XXMusic!0x70d8180 (0x1070d8180)0x19871d8f0 libdyld.dylib!start
去ida看下这块代码
找到可疑代码,这个ProtocolUniteRequest类用的挺多的直接模糊trace一下看看
发现关键点去updateCGISummaryWithData看看ida,并加下注释
继续看getSummaryFromData:sign:mask:
frida打印下getSummaryFromData:sign:mask:的入参和返回值
确认getSummaryFromData:sign:mask:是我们要找的加密的地方,经过调试确认sign和mask的入参都是指针,最终赋值后返回结果,继续ida看一下。
改下ida中注释和和参数更清晰一些:
发现有一处fastcall的代码没识别出来,看下汇编
00000001077C1DF4处发现一处花指令,BLX x8
跟下此处寄存器X8的值为0x105a66d80,跟一下trace确认下
没问题看下0x105a66d80的ida代码
void __fastcall sub_105A66D80(__int64 a1, char *jsonBytes, __int64 jsonBytesLen, __int64 character, __int64 characterCount, _QWORD *sign, _DWORD *a7, _QWORD *mask, unsigned int *a9){__int64 v9; // x26__int64 v10_character; // x24int v11_jsonBytesLen; // w23char *v12_jsonBytes; // x25signed __int64 v13; // x9signed __int64 v14; // x8char *v15; // x9int v16; // w10__int64 v17; // x8int v18; // w10int v19; // w0unsigned __int64 v20; // x28_QWORD *v21; // x27__int64 v22; // x8__int64 *v23; // x19__int64 v24; // x20unsigned __int64 v25; // x19_BYTE *v26; // x20int v27; // w0signed int v28; // w10__int64 v29; // x8char *v30; // x27unsigned __int64 v31; // x3char *v32; // x8char *v33; // x8char *v34; // x9int v35; // w10__int64 v36; // x8int v37; // w10int v38; // w0unsigned __int64 v39; // x19_QWORD *v40; // x27__int64 v41; // x8__int64 *v42; // x19__int64 v43; // x20void *v44; // x20unsigned __int64 v45; // x19_BYTE *v46; // x21int v47; // w0unsigned __int64 v48; // x19char *v49; // x27char *v50; // x28signed int v51; // w8int v52; // w0int v53; // w0unsigned __int64 v54; // x27int v55; // w0char *v56; // x27char *v57; // x28signed int v58; // w8__int64 v59; // x8char *v60; // x19unsigned __int64 v61; // x3char *v62; // x8char *v63; // x8__int64 *v64; // x8__int64 v65; // [xsp-C0h] [xbp-250h]__int64 v66; // [xsp-B0h] [xbp-240h]__int64 v67; // [xsp-A0h] [xbp-230h]__int64 v68; // [xsp-60h] [xbp-1F0h]__int64 v69; // [xsp-40h] [xbp-1D0h]__int64 v70; // [xsp-30h] [xbp-1C0h]__int64 v71; // [xsp-20h] [xbp-1B0h]int v72; // [xsp+Ch] [xbp-184h]unsigned __int64 v73; // [xsp+10h] [xbp-180h]__int64 v74; // [xsp+18h] [xbp-178h]unsigned int *v75; // [xsp+20h] [xbp-170h]_QWORD *v76_mask; // [xsp+28h] [xbp-168h]_QWORD *v77_sign; // [xsp+30h] [xbp-160h]_DWORD *v78; // [xsp+38h] [xbp-158h]int v79; // [xsp+44h] [xbp-14Ch]unsigned __int64 v80; // [xsp+48h] [xbp-148h]int v81; // [xsp+54h] [xbp-13Ch]__int64 *v82; // [xsp+58h] [xbp-138h]char **v83; // [xsp+60h] [xbp-130h]unsigned __int64 *v84; // [xsp+68h] [xbp-128h]__int64 *v85; // [xsp+70h] [xbp-120h]char *v86; // [xsp+78h] [xbp-118h]__int64 *v87; // [xsp+80h] [xbp-110h]int *v88; // [xsp+88h] [xbp-108h]char *v89; // [xsp+90h] [xbp-100h]__int64 *v90; // [xsp+98h] [xbp-F8h]bool v91; // [xsp+A7h] [xbp-E9h]char **v92; // [xsp+A8h] [xbp-E8h]unsigned __int64 *v93; // [xsp+B0h] [xbp-E0h]__int64 *v94; // [xsp+B8h] [xbp-D8h]__int64 *v95; // [xsp+C0h] [xbp-D0h]char *v96; // [xsp+C8h] [xbp-C8h]char *v97; // [xsp+D0h] [xbp-C0h]bool v98; // [xsp+DAh] [xbp-B6h]bool v99; // [xsp+DBh] [xbp-B5h]bool v100; // [xsp+DCh] [xbp-B4h]bool v101; // [xsp+DDh] [xbp-B3h]bool v102; // [xsp+DEh] [xbp-B2h]bool v103; // [xsp+DFh] [xbp-B1h]int v104; // [xsp+E0h] [xbp-B0h]bool v105; // [xsp+E7h] [xbp-A9h]__int64 *v106; // [xsp+E8h] [xbp-A8h]int *v107; // [xsp+F0h] [xbp-A0h]void *v108; // [xsp+F8h] [xbp-98h]char *v109; // [xsp+100h] [xbp-90h]bool v110; // [xsp+10Fh] [xbp-81h]unsigned __int64 v111; // [xsp+110h] [xbp-80h]int v112; // [xsp+11Ch] [xbp-74h]unsigned __int64 v113; // [xsp+120h] [xbp-70h]char v114; // [xsp+12Fh] [xbp-61h]v76_mask = mask;v78 = a7;v77_sign = sign;v9 = characterCount;v10_character = character;v11_jsonBytesLen = jsonBytesLen;v12_jsonBytes = jsonBytes;v75 = a9;v81 = 0xA5040081;v74 = (unsigned int)(2 * characterCount + 100);v73 = (signed int)v74;v13 = 0xD2E86A22LL;while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){v14 = v13;if ( (signed int)v13 > (signed int)0xE721E269 )break;if ( (signed int)v13 > (signed int)0xB2EF6EDB ){if ( (signed int)v13 <= (signed int)0xC607B543 ){if ( (signed int)v13 > (signed int)0xBB681CEE ){if ( (signed int)v13 > (signed int)0xC25BDD19 ){switch ( (_DWORD)v13 ){case 0xC25BDD1A:*((_DWORD *)v82 + v112) = 0x66E29653;LABEL_276:v13 = 2023102239LL;break;case 0xC278E721:v13 = 3465402809LL;break;case 0xC2B76F7A:v13 = 4275275017LL;break;}}else if ( (_DWORD)v13 == 0xBB681CEF ){operator delete[](v89);LABEL_229:v13 = 3480679835LL;}else{v13 = 1132744097LL;if ( (_DWORD)v14 != 0xBE621227 ){v13 = v14;if ( (_DWORD)v14 == 0xC2504430 ){v48 = (signed int)((unsigned __int64)sub_105A69D18(v11_jsonBytesLen) + 100);v49 = (char *)operator new[](v48);bzero(v49, v48);v50 = &v49[(signed int)sub_105A69DD8(v49, (__int64)v12_jsonBytes, v11_jsonBytesLen) - 1];v114 = 1;v51 = 477118237;do{while ( 1 ){while ( v51 <= 1958198328 ){if ( v51 == 477118237 ){if ( v114 )v51 = 1958198329;elsev51 = 956395870;}else if ( v51 == 956395870 ){sub_105A68BC0(v49, v50);v51 = 1958198329;}}if ( v51 != 1958198329 )break;sub_105A68BC0(v49, v50);v51 = 2135809535;}}while ( v51 != 2135809535 );v13 = 2514143472LL;}}}}else if ( (signed int)v13 > (signed int)0xB71C56BD ){switch ( (_DWORD)v13 ){case 0xB71C56BE:v13 = 4248676001LL;break;case 0xB92DB823:*((_DWORD *)v82 + v112) = 0xD7164068;v13 = 2832887900LL;break;case 0xB9363B2C:*((_DWORD *)v82 + v112) = 0x87B0EF19;v13 = 4087210103LL;break;}}else if ( (_DWORD)v13 == 0xB2EF6EDC ){*((_DWORD *)v82 + v112) = 0xE152795E;LABEL_214:v13 = 2192879068LL;}else{v13 = 4275275017LL;if ( (_DWORD)v14 != 0xB4DAB225 ){v13 = v14;if ( (_DWORD)v14 == 0xB570BFD4 ){if ( v110 )v13 = 0xB4DAB225LL;elsev13 = 2817919582LL;}}}}else if ( (signed int)v13 <= (signed int)0xD205B143 ){if ( (signed int)v13 > -829564488 ){switch ( (_DWORD)v13 ){case 0xCE8DD9B9:v104 = v112 + 1;v13 = 2051987939LL;break;case 0xCF76F59B:operator delete[](v89);v13 = 1375524921LL;break;case 0xD1AB35BA:v91 = v112 < 6;v13 = 1280004147LL;break;}}else if ( (_DWORD)v13 == 0xC607B544 ){v13 = 3517658554LL;}else{v13 = 3728247870LL;if ( (_DWORD)v14 != 0xC730F652 ){v13 = v14;if ( (_DWORD)v14 == 0xCE0B7E71 ){if ( v100 )v13 = 1628273862LL;elsev13 = 141982393LL;}}}}else if ( (signed int)v13 <= (signed int)0xDA432A92 ){switch ( (_DWORD)v13 ){case 0xD205B144:v79 = 0;v13 = 659525532LL;break;case 0xD2E86A22:if ( v81 == -1543557255 )v13 = 3260040240LL;elsev13 = 2514143472LL;break;case 0xD581D1E3:v101 = v112 == 3;v13 = 2204367695LL;break;}}else if ( (signed int)v13 > -566719427 ){if ( (_DWORD)v13 == -566719426 ){*((_DWORD *)v82 + v112) = -803979417;v13 = 925998957LL;}else if ( (_DWORD)v13 == -546479912 ){v105 = v113 < 0xC;v13 = 1091764479LL;}}else if ( (_DWORD)v13 == -633132397 ){*((_DWORD *)v82 + v112) = -803979417;v13 = 3728247870LL;}else if ( (_DWORD)v13 == -608735904 ){v15 = v97;v16 = *((_DWORD *)*v83 + 2);*(_QWORD *)v97 = *(_QWORD *)*v83;*((_DWORD *)v15 + 2) = v16;v17 = (__int64)v86;v18 = *((_DWORD *)v95 + 4);*(_OWORD *)(v86 + 12) = *(_OWORD *)v95;*(_DWORD *)(v17 + 28) = v18;v19 = strlen(v97);v20 = (signed int)((unsigned __int64)sub_105A69D18(v19) + 100);v21 = (_QWORD *)operator new[](v20);bzero(v21, v20);LODWORD(v20) = sub_105A69DD8(v21, (__int64)v97, 32);v106 = v87;v22 = (__int64)v87;*v87 = 0LL;*(_QWORD *)(v22 + 8) = 0LL;v23 = v87;*v87 = 0LL;v23[1] = 0LL;*v23 = *v21;v24 = (__int64)v87;*(_QWORD *)(v24 + 8) = *(_QWORD *)((char *)v21 + strlen((const char *)v21) - 8);v107 = v88;*v88 = v74;v108 = (void *)operator new[](v73);bzero(v108, *v88);sub_105A6B99C(v10_character, v9, v23, v108, v88);v25 = (signed int)((unsigned __int64)sub_105A69D18(*v88) + 100);v26 = (_BYTE *)operator new[](v25);bzero(v26, v25);v27 = sub_105A69DD8(v26, (__int64)v108, *v88);*v88 = v27;*v77_sign = v21;*v78 = v20;*v76_mask = v26;*v75 = *v88;v109 = *v83;v110 = v109 == 0LL;v13 = 3044065236LL;}}else if ( (signed int)v13 <= -1655129951 ){if ( (signed int)v13 > -1947344085 ){if ( (signed int)v13 > -1780823825 ){switch ( (_DWORD)v13 ){case 0x95DAC8F0:v82 = &v71;v83 = (char **)&v70;v84 = (unsigned __int64 *)&v69;v85 = &v68;v86 = (char *)&v67;v87 = &v66;v88 = (int *)&v65;v54 = (signed int)((unsigned __int64)sub_105A69D18(v11_jsonBytesLen) + 100);v89 = (char *)operator new[](v54);bzero(v89, v54);v55 = sub_105A69DD8(v89, (__int64)v12_jsonBytes, v11_jsonBytesLen);v56 = &v89[v55 - 1];v57 = v89;v114 = 1;v58 = 477118237;do{while ( 1 ){while ( v58 <= 1958198328 ){if ( v58 == 477118237 ){if ( v114 )v58 = 1958198329;elsev58 = 956395870;}else if ( v58 == 956395870 ){sub_105A68BC0(v57, v56);v58 = 1958198329;}}if ( v58 != 1958198329 )break;sub_105A68BC0(v57, v56);v58 = 2135809535;}}while ( v58 != 2135809535 );v90 = v82;v64 = v82;v82[1] = 0LL;v64[2] = 0LL;*v64 = 0LL;v13 = 3523588420LL;break;case 0x96A8F85A:*((_DWORD *)v82 + v112) = -2018447591;v13 = 3107339052LL;break;case 0x9958E744:v13 = 1116671598LL;break;default:v13 = (unsigned int)v13;break;}}else{v13 = 1646335956LL;if ( (_DWORD)v14 != -1947344084 ){if ( (_DWORD)v14 == -1931826308 ){if ( v102 )v13 = 1990928477LL;elsev13 = 2165761309LL;}else{v13 = v14;if ( (_DWORD)v14 == -1825908632 ){v34 = v97;v35 = *((_DWORD *)*v83 + 2);*(_QWORD *)v97 = *(_QWORD *)*v83;*((_DWORD *)v34 + 2) = v35;v36 = (__int64)v86;v37 = *((_DWORD *)v95 + 4);*(_OWORD *)(v86 + 12) = *(_OWORD *)v95;*(_DWORD *)(v36 + 28) = v37;v38 = strlen(v97);v39 = (signed int)((unsigned __int64)sub_105A69D18(v38) + 100);v40 = (_QWORD *)operator new[](v39);bzero(v40, v39);v72 = sub_105A69DD8(v40, (__int64)v97, 32);v41 = (__int64)v87;*v87 = 0LL;*(_QWORD *)(v41 + 8) = 0LL;v42 = v87;*v87 = 0LL;v42[1] = 0LL;*v42 = *v40;v43 = (__int64)v87;*(_QWORD *)(v43 + 8) = *(_QWORD *)((char *)v40 + strlen((const char *)v40) - 8);*v88 = v74;v44 = (void *)operator new[](v73);bzero(v44, *v88);sub_105A6B99C(v10_character, v9, v42, v44, v88);v45 = (signed int)((unsigned __int64)sub_105A69D18(*v88) + 100);v46 = (_BYTE *)operator new[](v45);bzero(v46, v45);v47 = sub_105A69DD8(v46, (__int64)v44, *v88);*v88 = v47;*v77_sign = v40;*v78 = v72;*v76_mask = v46;*v75 = *v88;v13 = 3686231392LL;}}}}}else if ( (signed int)v13 > -2090599602 ){if ( (_DWORD)v13 == -2090599601 ){if ( v101 )v13 = 1903144460LL;elsev13 = 1622300059LL;}else{v13 = 1287323684LL;if ( (_DWORD)v14 != -2073910976 ){v13 = v14;if ( (_DWORD)v14 == -1986724659 ){operator delete[](v109);v13 = 4263581891LL;}}}}else{v13 = 1746604926LL;if ( (_DWORD)v14 != -2131475526 ){v13 = 2739105484LL;if ( (_DWORD)v14 != -2129205987 ){v13 = v14;if ( (_DWORD)v14 == -2102088228 ){*((_DWORD *)v82 + v112) = -514688674;v13 = 1228479780LL;}}}}}else if ( (signed int)v13 <= -1477047715 ){if ( (signed int)v13 > -1563174650 ){switch ( (_DWORD)v13 ){case 0xA2D3D907:if ( v103 )v13 = 781761793LL;elsev13 = 1621068214LL;break;case 0xA3436ECC:v103 = v112 == 5;v13 = 2731792647LL;break;case 0xA399A9D0:LABEL_171:v13 = 3582054883LL;break;}}else{switch ( (_DWORD)v13 ){case 0x9D58B8A2:v13 = 2347623212LL;break;case 0x9F4D2141:*((_DWORD *)v82 + v112) = 0xD2134F6A;v13 = 827267122LL;break;case 0xA2ACDD19:v92 = v83;*v83 = 0LL;sub_105A742B8(v82, 6, (__int64)v83);v93 = v84;*v84 = 20LL;v94 = v85;v29 = (__int64)v85;*v85 = 0LL;*(_QWORD *)(v29 + 8) = 0LL;*(_DWORD *)(v29 + 16) = 0;v30 = *v83;v31 = strlen(v89);v95 = v85;sub_105A75724(v30, 0xCuLL, v89, v31, v85, v84);v96 = v86;v32 = v86;*(_OWORD *)v86 = 0u;*((_OWORD *)v32 + 1) = 0u;*((_OWORD *)v32 + 2) = 0u;*((_OWORD *)v32 + 3) = 0u;v97 = v86;v33 = v86;*(_OWORD *)v86 = 0u;*((_OWORD *)v33 + 1) = 0u;*((_OWORD *)v33 + 2) = 0u;*((_OWORD *)v33 + 3) = 0u;v13 = 2877930767LL;break;}}}else if ( (signed int)v13 <= -1381857227 ){v13 = 2308242637LL;if ( (_DWORD)v14 != -1477047714 ){if ( (_DWORD)v14 == -1462079396 ){*((_DWORD *)v82 + v112) = -686407576;v13 = 3877757546LL;}else{v13 = v14;if ( (_DWORD)v14 == -1417036529 ){v80 = 0LL;v13 = 1129743545LL;}}}}else if ( (signed int)v13 > -1319784651 ){if ( (_DWORD)v13 == -1319784650 ){*v83 = 0LL;sub_105A742B8(v82, 6, (__int64)v83);*v84 = 20LL;v59 = (__int64)v85;*v85 = 0LL;*(_QWORD *)(v59 + 8) = 0LL;*(_DWORD *)(v59 + 16) = 0;v60 = *v83;v61 = strlen(v89);sub_105A75724(v60, 0xCuLL, v89, v61, v85, v84);v62 = v86;*(_OWORD *)v86 = 0u;*((_OWORD *)v62 + 1) = 0u;*((_OWORD *)v62 + 2) = 0u;*((_OWORD *)v62 + 3) = 0u;v63 = v86;*(_OWORD *)v86 = 0u;*((_OWORD *)v63 + 1) = 0u;*((_OWORD *)v63 + 2) = 0u;*((_OWORD *)v63 + 3) = 0u;v13 = 2729237785LL;}else if ( (_DWORD)v13 == -1316424643 ){operator delete[](v109);v13 = 2308242637LL;}}else{v13 = 3686231392LL;if ( (_DWORD)v14 != -1381857226 ){v13 = v14;if ( (_DWORD)v14 == -1346034034 )v13 = 148366661LL;}}}if ( (signed int)v13 <= 1034992028 )break;if ( (signed int)v13 <= 1612033778 ){if ( (signed int)v13 > 1228479779 ){if ( (signed int)v13 > 1339663383 ){v13 = 1287323684LL;if ( (_DWORD)v14 != 1339663384 ){if ( (_DWORD)v14 == 1375524921 ){v13 = 2221056320LL;}else{v13 = v14;if ( (_DWORD)v14 == 1551613431 )goto LABEL_214;}}}else{v13 = 1621068214LL;if ( (_DWORD)v14 != 1228479780 ){if ( (_DWORD)v14 == 1280004147 ){if ( v91 )v13 = 988645273LL;elsev13 = 26488783LL;}else if ( (_DWORD)v14 == 1287323684 ){v13 = 2639837346LL;}else{v13 = (unsigned int)v14;}}}}else if ( (signed int)v13 > 1129743544 ){if ( (_DWORD)v13 == 1129743545 ){v113 = v80;v13 = 3748487384LL;}else{if ( (_DWORD)v13 != 1132744097 ){v28 = 1141047469;goto LABEL_150;}v99 = v112 == 1;v13 = 4246319303LL;}}else{switch ( (_DWORD)v13 ){case 0x3DB0B99D:v13 = 2739105484LL;break;case 0x411300FF:if ( v105 )v13 = 2163491770LL;elsev13 = 2913110070LL;break;case 0x428F0E6E:goto LABEL_229;}}}else if ( (signed int)v13 <= 1746604925 ){if ( (signed int)v13 > 1628273861 ){v13 = 2832887900LL;if ( (_DWORD)v14 != 1628273862 ){if ( (_DWORD)v14 == 1643399054 ){v13 = 3072087742LL;}else{v13 = v14;if ( (_DWORD)v14 == 1646335956 ){operator delete[](v108);v13 = 1643399054LL;}}}}else if ( (_DWORD)v13 == 1612033779 ){v13 = 3748487384LL;}else{v13 = 3465402809LL;if ( (_DWORD)v14 != 1621068214 ){v13 = v14;if ( (_DWORD)v14 == 1622300059 )LABEL_64:v13 = 4095840971LL;}}}else if ( (signed int)v13 <= 1946831370 ){switch ( (_DWORD)v13 ){case 0x681B137E:v52 = rand();(*v83)[v113] = v52- 26 * (((unsigned __int64)(0x4EC4EC4FLL * v52) >> 35) + (0x4EC4EC4FLL * v52 < 0))+ 65;v111 = v113 + 1;v13 = 1823952144LL;break;case 0x6CB74D10:v80 = v111;v13 = 1129743545LL;break;case 0x716FAE0C:goto LABEL_276;}}else if ( (signed int)v13 > 2023102238 ){if ( (_DWORD)v13 == 2023102239 ){*((_DWORD *)v82 + v112) = 1726125651;v13 = 1141047469LL;}else if ( (_DWORD)v13 == 2051987939 ){v79 = v104;v13 = 659525532LL;}}else if ( (_DWORD)v13 == 1946831371 ){if ( v98 )v13 = 1551613431LL;elsev13 = 3194098215LL;}else if ( (_DWORD)v13 == 1990928477 ){goto LABEL_251;}}if ( (signed int)v13 > 148366660 )break;if ( (signed int)v13 > -46291296 ){if ( (signed int)v13 > 26488782 ){v13 = 2729237785LL;if ( (_DWORD)v14 != 26488783 ){if ( (_DWORD)v14 == 50418901 ){v13 = 1132744097LL;}else{v13 = v14;if ( (_DWORD)v14 == 141982393 )goto LABEL_171;}}}else{if ( (_DWORD)v13 == -19692279 )LODWORD(v13) = -1722226876;if ( (_DWORD)v14 == -31385405 )LODWORD(v13) = 0xB4DAB225;if ( (_DWORD)v14 == -46291295 )v13 = 451106034LL;elsev13 = (unsigned int)v13;}}else if ( (signed int)v13 > -196260974 ){v13 = 4248676001LL;if ( (_DWORD)v14 != -196260973 ){if ( (_DWORD)v14 == -169489463 ){v53 = rand();(*v83)[v113] = v53- 26 * (((unsigned __int64)(1321528399LL * v53) >> 35) + (1321528399LL * v53 < 0))+ 65;v13 = 1746604926LL;}else{v13 = v14;if ( (_DWORD)v14 == -48647993 ){if ( v99 )v13 = 3341874770LL;elsev13 = 442139509LL;}}}}else{v13 = 1621068214LL;if ( (_DWORD)v14 != -417209750 ){v13 = 1621068214LL;if ( (_DWORD)v14 != -207757193 ){v13 = v14;if ( (_DWORD)v14 == -199126325 ){v102 = v112 == 4;v13 = 2363140988LL;}}}}}if ( (signed int)v13 <= 659525531 )break;if ( (signed int)v13 > 891053476 ){if ( (_DWORD)v13 == 891053477 ){*((_DWORD *)v82 + v112) = -770486422;LABEL_251:v13 = 2672632129LL;}else{v13 = 1621068214LL;if ( (_DWORD)v14 != 925998957 ){v13 = v14;if ( (_DWORD)v14 == 988645273 )LABEL_239:v13 = 476291354LL;}}}else if ( (_DWORD)v13 == 659525532 ){v112 = v79;v13 = 3517658554LL;}else{v13 = 3107339052LL;if ( (_DWORD)v14 != 781761793 ){v13 = v14;v28 = 827267122;LABEL_150:if ( (_DWORD)v14 == v28 )v13 = 1621068214LL;}}}if ( (signed int)v13 > 442139508 )break;switch ( (_DWORD)v13 ){case 0x8D7E545:v100 = v112 == 2;v13 = 3456859761LL;break;case 0xC3D2CF6:goto LABEL_239;case 0x12B11C41:operator delete[](v108);v13 = 1646335956LL;break;}}if ( (signed int)v13 <= 476291353 )break;if ( (_DWORD)v13 == 476291354 ){v98 = v112 == 0;v13 = 1946831371LL;}else if ( (_DWORD)v13 == 647334148 ){goto LABEL_64;}}v13 = 148366661LL;if ( (_DWORD)v14 != 442139509 ){v13 = v14;if ( (_DWORD)v14 == 451106034 )break;}}}
好家伙这流程眼花了,不出意外ollvm混淆,歇一歇开始分析他。
二
混淆算法分析
使用frida-stalker对0x105a66d80进行指令追踪,这里只追踪下汇编bl,br,bx,blx,b相关指令
没有截全,看起来挺多其实有很多重复和方法内跳转的,python写个脚本去个重,然后ida对去重后调用简单归类如下:
// 0x105a66d80范围内暂不跟0x105a67c740x105a66e4c0x105a685280x10988c010 //new0x10988bfe0 //delete0x10988c64c //bzero// 需要跟0x105a6b99c0x105a69dd80x105a757240x105a68bc00x105a742b80x105a69d180x10988e8c0 //strlen
frida-trace跟一下,frida-trace看调用关系还是很舒服的
看调用
sub_5a66d80第2个参数的json值给了->sub_105A69DD8,json太长截取一部分,sub_105A69DD8结果返回了像是base64的值。
进去看下sub_105A69DD8看下
sub_105A69DD8还是一个ollvm混淆但是在里面找到了base64的常量,去工具里拿着去看看和标准的能不能对上。
看来没有魔改是标准base64
继续看sub_5a68bc0是base64后的数据反转并给了sub_5a75724
继续看
sub_5a75724->结果拼接一串字符->通过sub_105A69DD8也就是base64最终生成sign。
跟下sub_5a75724
char *__fastcall sub_105A75724(char *result, unsigned __int64 a2, char *a3, unsigned __int64 a4, void *a5, unsigned __int64 *a6){unsigned __int64 v6; // x20signed __int64 v7; // x9signed __int64 v8; // x8unsigned __int64 v9; // x9unsigned int v10; // w10bool v11; // zfunsigned __int64 v12; // x8unsigned __int64 v13; // x8unsigned __int64 v14; // x8__int64 v15; // [xsp-1C0h] [xbp-3A0h]__int64 v16; // [xsp-160h] [xbp-340h]__int64 v17; // [xsp-120h] [xbp-300h]__int64 v18; // [xsp-100h] [xbp-2E0h]__int64 v19; // [xsp-E0h] [xbp-2C0h]__int64 v20; // [xsp-C0h] [xbp-2A0h]__int64 v21; // [xsp-60h] [xbp-240h]char *v22; // [xsp+0h] [xbp-1E0h]unsigned __int64 v23; // [xsp+8h] [xbp-1D8h]void *v24; // [xsp+10h] [xbp-1D0h]__int64 v25; // [xsp+18h] [xbp-1C8h]char *v26; // [xsp+20h] [xbp-1C0h]size_t v27; // [xsp+28h] [xbp-1B8h]unsigned __int64 v28; // [xsp+30h] [xbp-1B0h]unsigned __int64 v29; // [xsp+38h] [xbp-1A8h]char *v30; // [xsp+40h] [xbp-1A0h]unsigned __int64 *v31; // [xsp+48h] [xbp-198h]unsigned __int64 v32; // [xsp+50h] [xbp-190h]unsigned __int64 v33; // [xsp+58h] [xbp-188h]int v34; // [xsp+64h] [xbp-17Ch]char *v35; // [xsp+68h] [xbp-178h]char *v36; // [xsp+70h] [xbp-170h]char *v37; // [xsp+78h] [xbp-168h]char *v38; // [xsp+80h] [xbp-160h]char *v39; // [xsp+88h] [xbp-158h]char *v40; // [xsp+90h] [xbp-150h]char *v41; // [xsp+98h] [xbp-148h]__int64 *v42; // [xsp+A0h] [xbp-140h]__int64 *v43; // [xsp+A8h] [xbp-138h]__int64 *v44; // [xsp+B0h] [xbp-130h]__int64 *v45; // [xsp+B8h] [xbp-128h]__int64 *v46; // [xsp+C0h] [xbp-120h]__int64 *v47; // [xsp+C8h] [xbp-118h]bool v48; // [xsp+D7h] [xbp-109h]char *v49; // [xsp+D8h] [xbp-108h]bool v50; // [xsp+E7h] [xbp-F9h]unsigned __int64 v51; // [xsp+E8h] [xbp-F8h]bool v52; // [xsp+F7h] [xbp-E9h]unsigned __int64 v53; // [xsp+F8h] [xbp-E8h]char *v54; // [xsp+100h] [xbp-E0h]char *v55; // [xsp+108h] [xbp-D8h]bool v56; // [xsp+117h] [xbp-C9h]unsigned __int64 v57; // [xsp+118h] [xbp-C8h]bool v58; // [xsp+127h] [xbp-B9h]unsigned __int64 v59; // [xsp+128h] [xbp-B8h]char *v60; // [xsp+130h] [xbp-B0h]unsigned __int64 v61; // [xsp+138h] [xbp-A8h]bool v62; // [xsp+147h] [xbp-99h]char *v63; // [xsp+148h] [xbp-98h]unsigned __int64 v64; // [xsp+150h] [xbp-90h]unsigned __int64 v65; // [xsp+158h] [xbp-88h]unsigned __int64 v66; // [xsp+160h] [xbp-80h]unsigned __int64 v67; // [xsp+168h] [xbp-78h]unsigned __int64 v68; // [xsp+170h] [xbp-70h]size_t v69; // [xsp+178h] [xbp-68h]v31 = a6;v32 = a2;v23 = a4;v24 = a5;v22 = a3;v30 = result;v34 = 406921345;v7 = 2457684891LL;do{while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){v8 = v7;if ( (signed int)v7 > -159564559 )break;if ( (signed int)v7 > -1223833414 ){if ( (signed int)v7 <= -795775964 ){if ( (signed int)v7 > -977462125 ){if ( (signed int)v7 > -838625674 ){if ( (_DWORD)v7 == -838625673 ){v40[v65] = v63[v65] ^ 0x36;v7 = 2451452317LL;}else if ( (_DWORD)v7 == -830369611 ){*v31 = v69;result = (char *)memcpy(v24, v60, v69);v7 = 1550340197LL;}}else if ( (_DWORD)v7 == -977462124 ){v33 = v57;v7 = 2995040035LL;}else if ( (_DWORD)v7 == -932556467 ){v7 = 3741527025LL;}else{v7 = (unsigned int)v7;}}else if ( (signed int)v7 > -1163925382 ){if ( (_DWORD)v7 == -1163925381 ){v63 = v26;v64 = v25;v7 = 45144871LL;}else if ( (_DWORD)v7 == -1043379693 ){v27 = v61;v7 = 1895308929LL;}}else if ( (_DWORD)v7 == -1223833413 ){v35 = (char *)&v21;v36 = (char *)&v20;v37 = (char *)&v19;v38 = (char *)&v18;v39 = (char *)&v17;v40 = (char *)&v16;v41 = (char *)&v15;v42 = &v21;v43 = &v20;v44 = &v19;v45 = &v18;v46 = &v17;v47 = &v16;v48 = v32 > 0x40;v7 = 2768444069LL;}else if ( (_DWORD)v7 == -1192170538 ){v7 = 1526381404LL;}}else if ( (signed int)v7 <= -553440272 ){if ( (signed int)v7 > -674161717 ){v7 = 1612848525LL;if ( (_DWORD)v8 != -674161716 ){v7 = v8;if ( (_DWORD)v8 == -561474366 ){v65 = v6;v7 = 1526381404LL;}}}else if ( (_DWORD)v7 == -795775963 ){sub_105A78F34(v36, v54, 0x40uLL);sub_105A78F34(v36, v55, 0x14uLL);v60 = v38;result = sub_105A7979C(v38, (__int64)v36);v61 = *v31;v62 = v61 > 0x14;v7 = 1227044507LL;}else if ( (_DWORD)v7 == -790663497 ){v52 = v66 < 0x40;v7 = 1820794915LL;}}else if ( (signed int)v7 <= -462661553 ){if ( (_DWORD)v7 == -553440271 ){v7 = 3251587603LL;}else if ( (_DWORD)v7 == -523561380 ){if ( v50 )v7 = 590477026LL;elsev7 = 353334999LL;}}else{switch ( (_DWORD)v7 ){case 0xE46C5850:v7 = 195850526LL;break;case 0xE7E03B0F:v40[v66] = 54;v7 = 2333845335LL;break;case 0xF59E3031:goto LABEL_196;}}}else if ( (signed int)v7 <= -1560858352 ){if ( (signed int)v7 > -1843514980 ){if ( (signed int)v7 > -1740752000 ){if ( (_DWORD)v7 == -1740751999 ){v6 = v51;v7 = 3733492930LL;}else if ( (_DWORD)v7 == -1596213140 ){if ( v58 )v7 = 885745930LL;elsev7 = 1104155869LL;}}else if ( (_DWORD)v7 == -1843514979 ){v40[v65] = v63[v65] ^ 0x36;v51 = v65 + 1;v7 = 2554215297LL;}else if ( (_DWORD)v7 == -1837282405 ){if ( v34 == 552240454 )v7 = 2734108945LL;elsev7 = 3071133883LL;}}else if ( (signed int)v7 > -1891701264 ){if ( (_DWORD)v7 == -1891701263 ){sub_105A78F34(v36, v54, 0x40uLL);sub_105A78F34(v36, v55, 0x14uLL);result = sub_105A7979C(v38, (__int64)v36);v7 = 3499191333LL;}else if ( (_DWORD)v7 == -1869013166 ){v14 = v53;goto LABEL_201;}}else if ( (_DWORD)v7 == -2004205146 ){v40[v68] = 92;v59 = v68 + 1;v7 = 2080111287LL;}else if ( (_DWORD)v7 == -1961121961 ){v40[v66] = 54;v53 = v66 + 1;v7 = 2425954130LL;}}else if ( (signed int)v7 <= -1421928703 ){if ( (signed int)v7 > -1467729960 ){if ( (_DWORD)v7 == -1467729959 ){v7 = 1993878318LL;}else if ( (_DWORD)v7 == -1440312896 ){v7 = 3832305744LL;}else{v7 = (unsigned int)v7;}}else{v7 = 3071133883LL;if ( (_DWORD)v8 != -1560858351 ){v7 = v8;if ( (_DWORD)v8 == -1526523227 ){if ( v48 )v7 = 385316875LL;elsev7 = 3131041915LL;v25 = v32;v26 = v30;}}}}else if ( (signed int)v7 <= -1359613945 ){if ( (_DWORD)v7 == -1421928702 ){sub_105A78F34(v35, v40, 0x40uLL);sub_105A78F34(v35, v22, v23);sub_105A7979C(v37, (__int64)v35);result = (char *)sub_105A78E74((__int64)v36);LABEL_196:v7 = 1570576911LL;}else if ( (_DWORD)v7 == -1411505872 ){if ( v56 )v7 = 3620805580LL;elsev7 = 1028760380LL;}}else{switch ( (_DWORD)v7 ){case 0xAEF5F008:v7 = 3504303799LL;break;case 0xB284AF23:v67 = v33;v7 = 1993878318LL;break;case 0xB2CA0EFC:v7 = 476274680LL;break;}}}if ( (signed int)v7 > 624470236 )break;if ( (signed int)v7 <= 329937752 ){if ( (signed int)v7 > 78064674 ){if ( (signed int)v7 > 265260292 ){if ( (_DWORD)v7 == 265260293 ){sub_105A78E74((__int64)v41);sub_105A78F34(v41, v30, v32);v49 = v39;result = sub_105A7979C(v39, (__int64)v41);v7 = 329937753LL;}else if ( (_DWORD)v7 == 281393142 ){result = (char *)sub_105A78E74((__int64)v35);v7 = 45144871LL;}}else if ( (_DWORD)v7 == 78064675 ){v40[v67] = v63[v67] ^ 0x5C;v7 = 1612848525LL;}else if ( (_DWORD)v7 == 195850526 ){v13 = v64;goto LABEL_205;}}else if ( (signed int)v7 > -4140768 ){if ( (_DWORD)v7 == -4140767 ){v14 = v64;LABEL_201:v28 = v14;v7 = 1209671314LL;}else if ( (_DWORD)v7 == 45144871 ){result = (char *)sub_105A78E74((__int64)v35);v7 = 4253755556LL;}}else{if ( (_DWORD)v7 == -41211740 )v9 = 0LL;elsev9 = v6;if ( (_DWORD)v8 == -41211740 )v10 = -561474366;elsev10 = v8;v11 = (_DWORD)v8 == -159564558;v12 = v33;if ( v11 )v12 = 0LL;v33 = v12;if ( !v11 )v6 = v9;if ( v11 )v7 = 2995040035LL;elsev7 = v10;}}else if ( (signed int)v7 <= 476274679 ){if ( (signed int)v7 > 353334998 ){if ( (_DWORD)v7 == 385316875 )LODWORD(v7) = 265260293;if ( (_DWORD)v8 == 353334999 )v7 = 476274680LL;elsev7 = (unsigned int)v7;}else if ( (_DWORD)v7 == 329937753 ){v25 = 20LL;v26 = v49;v7 = 3131041915LL;}else if ( (_DWORD)v7 == 344651219 ){v40[v68] = 92;v7 = 2290762150LL;}}else if ( (signed int)v7 <= 549809264 ){if ( (_DWORD)v7 == 476274680 ){v7 = 4290826529LL;}else if ( (_DWORD)v7 == 549290913 ){*v31 = v69;result = (char *)memcpy(v24, v60, v69);v7 = 3464597685LL;}}else if ( (_DWORD)v7 == 549809265 ){v58 = v68 < 0x40;v7 = 2698754156LL;}else{v7 = 2451452317LL;if ( (_DWORD)v8 != 590477026 ){v7 = v8;if ( (_DWORD)v8 == 622416850 ){v68 = v29;v7 = 549809265LL;}}}}if ( (signed int)v7 <= 1612848524 )break;if ( (signed int)v7 > 1895308928 ){if ( (signed int)v7 > 2080111286 ){if ( (_DWORD)v7 == 2080111287 ){v13 = v59;LABEL_205:v29 = v13;v7 = 622416850LL;}else if ( (_DWORD)v7 == 2135828716 ){sub_105A78E74((__int64)v41);sub_105A78F34(v41, v30, v32);result = sub_105A7979C(v39, (__int64)v41);v7 = 265260293LL;}}else if ( (_DWORD)v7 == 1895308929 ){v69 = v27;v7 = 3464597685LL;}else if ( (_DWORD)v7 == 1993878318 ){v56 = v67 < v64;v7 = 2883461424LL;}}else if ( (signed int)v7 > 1861169075 ){if ( (_DWORD)v7 == 1871164284 )LODWORD(v7) = -1961121961;if ( (_DWORD)v8 == 1861169076 )v7 = 3741527025LL;elsev7 = (unsigned int)v7;}else if ( (_DWORD)v7 == 1612848525 ){v40[v67] = v63[v67] ^ 0x5C;v57 = v67 + 1;v7 = 3317505172LL;}else if ( (_DWORD)v7 == 1820794915 ){if ( v52 )v7 = 1871164284LL;elsev7 = 4120784945LL;}}if ( (signed int)v7 > 1209671313 )break;if ( (signed int)v7 > 1028760379 ){if ( (_DWORD)v7 == 1104155869 )LODWORD(v7) = -795775963;if ( (_DWORD)v8 == 1028760380 )v7 = 3832305744LL;elsev7 = (unsigned int)v7;}else if ( (_DWORD)v7 == 624470237 ){v7 = 549809265LL;}else if ( (_DWORD)v7 == 885745930 ){v7 = 2290762150LL;}else{v7 = (unsigned int)v7;}}if ( (signed int)v7 > 1526381403 )break;if ( (_DWORD)v7 == 1209671314 ){v66 = v28;v7 = 3504303799LL;}else if ( (_DWORD)v7 == 1227044507 ){if ( v62 )v7 = 1895308929LL;elsev7 = 3362410829LL;v27 = 20LL;}}if ( (_DWORD)v7 != 1526381404 )break;v50 = v65 < v64;v7 = 3771405916LL;}if ( (_DWORD)v7 != 1570576911 )break;v54 = v40;sub_105A78F34(v35, v40, 0x40uLL);sub_105A78F34(v35, v22, v23);v55 = v37;sub_105A7979C(v37, (__int64)v35);result = (char *)sub_105A78E74((__int64)v36);v7 = 4135402738LL;}}while ( (_DWORD)v7 != 0x5C685065 );return result;}
又一个ollvm混淆,还是体力活用stalker打印指令调用并去重,结果如下:
继续跟一下这几个方法0x10988dbf4为memcpy先不跟
0x105378f34中发现特征
再看0x105a7979c
char *__fastcall sub_105A7979C(char *result, __int64 a2){__int64 v2; // x19__int64 v3; // x21signed __int64 v4; // x9signed __int64 v5; // x8unsigned int v6; // w9__int64 v7; // [xsp-10h] [xbp-D0h]_DWORD *v8; // [xsp+8h] [xbp-B8h]char *v9; // [xsp+10h] [xbp-B0h]unsigned int v10; // [xsp+1Ch] [xbp-A4h]unsigned int v11; // [xsp+20h] [xbp-A0h]unsigned int v12; // [xsp+24h] [xbp-9Ch]char *v13; // [xsp+28h] [xbp-98h]__int64 *v14; // [xsp+30h] [xbp-90h]bool v15; // [xsp+3Bh] [xbp-85h]unsigned int v16; // [xsp+3Ch] [xbp-84h]_QWORD *v17; // [xsp+40h] [xbp-80h]bool v18; // [xsp+4Fh] [xbp-71h]char *v19; // [xsp+50h] [xbp-70h]bool v20; // [xsp+5Bh] [xbp-65h]unsigned int v21; // [xsp+5Ch] [xbp-64h]unsigned int v22; // [xsp+60h] [xbp-60h]unsigned int v23; // [xsp+64h] [xbp-5Ch]v2 = a2;v9 = result;v12 = -136856641;v3 = a2 + 28;v8 = (_DWORD *)(a2 + 20);v4 = 1607120826LL;do{while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){v5 = v4;if ( (signed int)v4 > -83786955 )break;if ( (signed int)v4 > -876601527 ){if ( (signed int)v4 > -563463480 ){if ( (signed int)v4 <= -389775121 ){if ( (_DWORD)v4 == -563463479 ){v13[v22] = *(_DWORD *)(v2 + 4LL * (v22 < 4) + 20) >> (~(8 * v22) & 0x18);v4 = 2118224515LL;}else if ( (_DWORD)v4 == -426129629 ){v4 = 3389532714LL;}else{v4 = (unsigned int)v4;}}else{switch ( (_DWORD)v4 ){case 0xE8C480F0:v4 = 1010775802LL;break;case 0xF0B6C013:if ( v15 )v4 = 1711485877LL;elsev4 = 250744340LL;break;case 0xF7DD7762:v10 = v16;v4 = 3525953453LL;break;}}}else if ( (signed int)v4 <= -640866756 ){if ( (_DWORD)v4 == -876601526 ){v10 = 0;v4 = 3525953453LL;}else if ( (_DWORD)v4 == -769013843 ){v22 = v10;v4 = 226767736LL;}}else{if ( (_DWORD)v4 == -585924294 )LODWORD(v4) = 1810112464;if ( (_DWORD)v5 == -620343849 )LODWORD(v4) = -1824176569;if ( (_DWORD)v5 == -640866755 )v4 = 1008132196LL;elsev4 = (unsigned int)v4;}}else if ( (signed int)v4 > -1725628451 ){if ( (signed int)v4 <= -1145783944 ){if ( (_DWORD)v4 == -1725628450 ){v23 = v11;v4 = 1010775802LL;}else if ( (_DWORD)v4 == -1391418308 ){result = sub_105A78F34((char *)v2, v13, 8uLL);v4 = 3389532714LL;}}else if ( (_DWORD)v4 == -1145783943 ){v9[v23] = *(_DWORD *)(v2 + (v23 & 0xFFFFFFFC)) >> (~(8 * v23) & 0x18);v21 = v23 + 1;v4 = 4211180342LL;}else{v4 = 400175399LL;if ( (_DWORD)v5 != -921733180 ){v4 = v5;if ( (_DWORD)v5 == -905434582 ){v19 = v13;result = sub_105A78F34((char *)v2, v13, 8uLL);v4 = 2321485485LL;}}}}else if ( (signed int)v4 <= -1824176570 ){if ( (_DWORD)v4 == -2047298192 ){v9[v23] = *(_DWORD *)(v2 + (v23 & 0xFFFFFFFC)) >> (24 - 8 * ((v23 ^ 0xFC) & v23));v4 = 3149183353LL;}else{v6 = v11;if ( (_DWORD)v5 == -1973481811 )v6 = 0;v11 = v6;if ( (_DWORD)v5 == -1973481811 )v4 = 2569338846LL;elsev4 = (unsigned int)v5;}}else if ( (_DWORD)v4 == -1824176569 ){v13 = (char *)&v7;v14 = &v7;v4 = 3418365770LL;}else{v4 = 3149183353LL;if ( (_DWORD)v5 != -1784623723 ){v4 = v5;if ( (_DWORD)v5 == -1737321527 ){result = sub_105A78F34((char *)v2, "x80", 1uLL);v4 = 1743404419LL;}}}}if ( (signed int)v4 <= 1010775801 )break;if ( (signed int)v4 > 1721564015 ){if ( (signed int)v4 <= 1810112463 ){v4 = 360474866LL;if ( (_DWORD)v5 != 1721564016 ){v4 = v5;if ( (_DWORD)v5 == 1743404419 ){result = sub_105A78F34((char *)v2, "x80", 1uLL);v4 = 3654100541LL;}}}else{switch ( (_DWORD)v4 ){case 0x6BE41FD0:*(_OWORD *)(v3 + 32) = 0u;*(_OWORD *)(v3 + 48) = 0u;*(_OWORD *)v3 = 0u;*(_OWORD *)(v3 + 16) = 0u;*(_QWORD *)v2 = 0LL;*(_QWORD *)(v2 + 8) = 0LL;*(_DWORD *)(v2 + 16) = 0;*v17 = 0LL;*(_QWORD *)v19 = 0LL;result = (char *)sub_105A76678(v2, (unsigned int *)v3);v4 = 394726872LL;break;case 0x7E418A83:v13[v22] = *(_DWORD *)(v2 + 4LL * (v22 < 4) + 20) >> (~(8 * v22) & 0x18);v16 = v22 + 1;v4 = 4158486370LL;break;case 0x7F08B99D:if ( v18 )v4 = 3373234116LL;elsev4 = 3868837667LL;break;}}}else if ( (signed int)v4 <= 1607120825 ){if ( (_DWORD)v4 == 1010775802 ){v20 = v23 < 0x14;v4 = 1632411338LL;}else if ( (_DWORD)v4 == 1472023553 ){result = sub_105A78F34((char *)v2, (char *)&unk_10EEF4309, 1uLL);v4 = 400175399LL;}}else{switch ( (_DWORD)v4 ){case 0x5FCAB7BA:if ( v12 <= 0x35EDB67A )v4 = 3674623447LL;elsev4 = 2470790727LL;break;case 0x614C9ECA:if ( v20 )v4 = 2510343573LL;elsev4 = 3709043002LL;break;case 0x660333B5:v4 = 2118224515LL;break;default:v4 = (unsigned int)v4;break;}}}if ( (signed int)v4 > 360474865 )break;if ( (signed int)v4 <= 122334379 ){if ( (_DWORD)v4 == -83786954 ){v11 = v21;v4 = 2569338846LL;}else if ( (_DWORD)v4 == 60596893 ){*(_OWORD *)(v3 + 32) = 0u;*(_OWORD *)(v3 + 48) = 0u;*(_OWORD *)v3 = 0u;*(_OWORD *)(v3 + 16) = 0u;*(_QWORD *)v2 = 0LL;*(_QWORD *)(v2 + 8) = 0LL;*(_DWORD *)(v2 + 16) = 0;*v17 = 0LL;*(_QWORD *)v19 = 0LL;result = (char *)sub_105A76678(v2, (unsigned int *)v3);v4 = 1810112464LL;}}else{switch ( (_DWORD)v4 ){case 0x74AACAC:v4 = 226767736LL;break;case 0xD843378:v15 = v22 < 8;v4 = 4038508563LL;break;case 0xEF20E14:v4 = 1743404419LL;break;default:v4 = (unsigned int)v4;break;}}}if ( (signed int)v4 <= 504262410 )break;if ( (_DWORD)v4 == 1008132196 )LODWORD(v4) = 360474866;if ( (_DWORD)v5 == 504262411 )v4 = 1008132196LL;elsev4 = (unsigned int)v4;}if ( (_DWORD)v4 != 360474866 )break;v17 = v8;v18 = (*v8 & 0x1F8) != 448;v4 = 2131278237LL;}if ( (_DWORD)v4 != 400175399 )break;result = sub_105A78F34((char *)v2, (char *)&unk_10EEF4309, 1uLL);v4 = 504262411LL;}}while ( (_DWORD)v4 != 394726872 );return result;}
也是个混淆但是影响不大,进入sub_105A76678发现
熟悉常见加密算法特征的朋友看到这个常量应该已经知道答案了, 为了防止侵权这里就不点出来了。
验证下没有魔改
最后剩下几个字母和sub_5a75724这个结果的拼接,是有几个c函数rand()出来的,这个rand()不知道为什么在stalker trace里没识别到。
最后在ida里才找到的
好了都对上了最后base64一下拿到结果。
三
总结
在这里感谢大弟co***L and 二弟**白,在本样本分析中给予的支持 [土狗贴贴]
此app的sign仅仅只做了混淆,还好没有魔改算法,加了魔改的话头发就要掉没了囧~
撒花~后续再会
原文始发于微信公众号(小白逆向之旅):【iOS逆向】某音乐sign分析-过ollvm与花指令
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论