本文仅限学习交流,请勿用于非法以及商业用途,由于时间和水平有限,文中错漏之处在所难免,敬请各位大佬多多批评指正。
目录:一、产品概述1.1、App端防护能决哪些安全问题1.2、如何为应用开启App防护二、产品整体框架三、初始化逻辑四、环境检测与设备指纹五、签名流程六、算法还原七、总结
五、签名流程
5.1、整体流程
签名请求数据接口定义:
String vmpSign(int signType, byte[] input);功能:对输入的数据进行签名,并且返回签名串。
接口参数:
<signType>:int类型,取值固定为1,表示默认的签名算法。
<input>:byte[]类型,表示待签名的数据。
待签名数据一般是整个请求体(RequestBody)。
如果请求体为空(例如,POST请求的Body为空或者使用了GET请求),则设置成空对象(null)或者空字符串的Bytes值(例如,"".getBytes("UTF-8"))。
返回值:String类型,返回签名串。
签名流程:
请求体签名过程如图5-1所示:
图5-1
5.2、组合请求体与签名
获取要签名的请求体数据:
.text:C70B7AF8 getbody_sub_CDEF3AF8.text:C70B7AF8.text:C70B7AF8 var_30= -0x30.text:C70B7AF8 var_28= -0x28.text:C70B7AF8 var_20= -0x20.text:C70B7AF8 var_1C= -0x1C.text:C70B7AF8.text:C70B7AF8 ; __unwind { // FBF89000.text:C70B7AF8 F0 B5 PUSH {R4-R7,LR}.text:C70B7AFA 03 AF ADD R7, SP, #0xC.text:C70B7AFC 2D E9 00 07 PUSH.W {R8-R10}.text:C70B7B00 86 B0 SUB SP, SP, #0x18.text:C70B7B02 81 46 MOV R9, R0.text:C70B7B04 35 48 LDR R0, =(__stack_chk_guard_ptr - 0xC70B7B0E).text:C70B7B06 0C 46 MOV R4, R1.text:C70B7B08 16 46 MOV R6, R2.text:C70B7B0A 78 44 ADD R0, PC ; __stack_chk_guard_ptr.text:C70B7B0C 00 2C CMP R4, #0.text:C70B7B0E 00 68 LDR R0, [R0] ; __stack_chk_guard.text:C70B7B10 00 68 LDR R0, [R0].text:C70B7B12 05 90 STR R0, [SP,#0x30+var_1C].text:C70B7B14 2E D0 BEQ loc_C70B7B74.text:C70B7B16 6E B3 CBZ R6, loc_C70B7B74.text:C70B7B18 20 68 LDR R0, [R4].text:C70B7B1A 31 46 MOV R1, R6.text:C70B7B1C D0 F8 AC 22 LDR.W R2, [R0,#0x2AC].text:C70B7B20 20 46 MOV R0, R4.text:C70B7B22 90 47 BLX R2 ; GetArrayLength.text:C70B7B24 05 46 MOV R5, R0.text:C70B7B26 68 1C ADDS R0, R5, #1 ; size.text:C70B7B28 F1 F7 D6 ED BLX malloc.text:C70B7B2C 80 46 MOV R8, R0.text:C70B7B2E B8 F1 00 0F CMP.W R8, #0.text:C70B7B32 1F D0 BEQ loc_C70B7B74.text:C70B7B34 20 68 LDR R0, [R4].text:C70B7B36 31 46 MOV R1, R6.text:C70B7B38 00 22 MOVS R2, #0.text:C70B7B3A 2B 46 MOV R3, R5.text:C70B7B3C 4F F0 00 0A MOV.W R10, #0.text:C70B7B40 D0 F8 20 C3 LDR.W R12, [R0,#0x320].text:C70B7B44 20 46 MOV R0, R4.text:C70B7B46 CD F8 00 80 STR.W R8, [SP,#0x30+var_30].text:C70B7B4A E0 47 BLX R12 ; GetByteArrayRegion,获取请求体.text:C70B7B4C 15 F1 10 0F CMN.W R5, #0x10.text:C70B7B50 08 F8 05 A0 STRB.W R10, [R8,R5].text:C70B7B54 CD F8 10 A0 STR.W R10, [SP,#0x30+var_20].text:C70B7B58 CD E9 02 AA STRD.W R10, R10, [SP,#0x30+var_28].text:C70B7B5C 3B D2 BCS loc_C70B7BD6.text:C70B7B5E 0B 2D CMP R5, #0xB.text:C70B7B60 10 D2 BCS loc_C70B7B84.text:C70B7B62 68 00 LSLS R0, R5, #1.text:C70B7B64 00 2D CMP R5, #0.text:C70B7B66 8D F8 08 00 STRB.W R0, [SP,#0x30+var_28].text:C70B7B6A.text:C70B7B6A loc_C70B7B6A.text:C70B7B6A 02 A8 ADD R0, SP, #0x30+var_28.text:C70B7B6C 40 F0 01 04 ORR.W R4, R0, #1.text:C70B7B70 15 D1 BNE loc_C70B7B9E.text:C70B7B72 19 E0 B loc_C70B7BA8.text:C70B7B74.text:C70B7B74 loc_C70B7B74.text:C70B7B74 00 20 MOVS R0, #0.text:C70B7B76 C9 F8 00 00 STR.W R0, [R9].text:C70B7B7A C9 F8 04 00 STR.W R0, [R9,#4].text:C70B7B7E C9 F8 08 00 STR.W R0, [R9,#8].text:C70B7B82 1B E0 B loc_C70B7BBC.text:C70B7B84.text:C70B7B84 loc_C70B7B84.text:C70B7B84 05 F1 10 00 ADD.W R0, R5, #0x10.text:C70B7B88 20 F0 0F 06 BIC.W R6, R0, #0xF.text:C70B7B8C 30 46 MOV R0, R6.text:C70B7B8E 93 F0 7B FC BL malloc_sub_CF198488.text:C70B7B92 04 46 MOV R4, R0.text:C70B7B94 46 F0 01 00 ORR.W R0, R6, #1.text:C70B7B98 04 94 STR R4, [SP,#0x30+var_20].text:C70B7B9A CD E9 02 05 STRD.W R0, R5, [SP,#0x30+var_28].text:C70B7B9E.text:C70B7B9E loc_C70B7B9E.text:C70B7B9E 20 46 MOV R0, R4.text:C70B7BA0 41 46 MOV R1, R8.text:C70B7BA2 2A 46 MOV R2, R5.text:C70B7BA4 F1 F7 D4 ED BLX __aeabi_memcpy.text:C70B7BA8.text:C70B7BA8 loc_C70B7BA8.text:C70B7BA8 00 20 MOVS R0, #0.text:C70B7BAA 60 55 STRB R0, [R4,R5].text:C70B7BAC 40 46 MOV R0, R8 ; ptr.text:C70B7BAE F1 F7 D6 ED BLX free.text:C70B7BB2 02 A8 ADD R0, SP, #0x30+var_28.text:C70B7BB4 90 E8 0E 00 LDM.W R0, {R1-R3}.text:C70B7BB8 89 E8 0E 00 STM.W R9, {R1-R3}.text:C70B7BBC
进入签名主函数
.text:C71166C8 vmpsing_sub_CDF526C8.text:C71166C8.text:C71166C8 var_A4= -0xA4.text:C71166C8 var_A0= -0xA0.text:C71166C8 var_9C= -0x9C.text:C71166C8 var_98= -0x98.text:C71166C8 var_94= -0x94.text:C71166C8 var_90= -0x90.text:C71166C8 var_8C= -0x8C.text:C71166C8 var_88= -0x88.text:C71166C8 var_84= -0x84.text:C71166C8 var_80= -0x80.text:C71166C8 var_7C= -0x7C.text:C71166C8 var_78= -0x78.text:C71166C8 var_74= -0x74.text:C71166C8 var_70= -0x70.text:C71166C8 var_6C= -0x6C.text:C71166C8 var_68= -0x68.text:C71166C8 var_64= -0x64.text:C71166C8 var_60= -0x60.text:C71166C8 var_5C= -0x5C.text:C71166C8 var_58= -0x58.text:C71166C8 var_54= -0x54.text:C71166C8 var_50= -0x50.text:C71166C8 var_4C= -0x4C.text:C71166C8 var_48= -0x48.text:C71166C8 var_44= -0x44.text:C71166C8 var_40= -0x40.text:C71166C8 var_3C= -0x3C.text:C71166C8 var_34= -0x34.text:C71166C8 var_24= -0x24.text:C71166C8 var_20= -0x20.text:C71166C8 var_1C= -0x1C.text:C71166C8.text:C71166C8 ; __unwind { // FBF89000.text:C71166C8 F0 B5 PUSH {R4-R7,LR}.text:C71166CA 03 AF ADD R7, SP, #0xC.text:C71166CC 2D E9 00 0F PUSH.W {R8-R11}.text:C71166D0 A3 B0 SUB SP, SP, #0x8C.text:C71166D2 6C 46 MOV R4, SP.text:C71166D4 6F F3 03 04 BFC.W R4, #0, #4.text:C71166D8 A5 46 MOV SP, R4.text:C71166DA 06 46 MOV R6, R0.text:C71166DC 59 48 LDR R0, =(__stack_chk_guard_ptr - 0xC71166E6).text:C71166DE 91 46 MOV R9, R2.text:C71166E0 0D 46 MOV R5, R1.text:C71166E2 78 44 ADD R0, PC ; __stack_chk_guard_ptr.text:C71166E4 00 68 LDR R0, [R0] ; __stack_chk_guard.text:C71166E6 00 68 LDR R0, [R0].text:C71166E8 22 90 STR R0, [SP,#0xA8+var_20].text:C71166EA F9 F7 9D F9 BL DecString_loc_C5D9FA28.text:C71166EE 56 48 LDR R0, =(off_C719AEA0 - 0xC71166F8).text:C71166F0 56 49 LDR R1, =(off_C719AEA4 - 0xC71166FC).text:C71166F2 57 4A LDR R2, =(off_C719AEA8 - 0xC7116702).text:C71166F4 78 44 ADD R0, PC ; off_C719AEA0.text:C71166F6 57 4B LDR R3, =(off_C719AEAC - 0xC7116708).text:C71166F8 79 44 ADD R1, PC ; off_C719AEA4.text:C71166FA DF F8 5C C1 LDR.W R12, =(off_C719AEB0 - 0xC711670A).text:C71166FE 7A 44 ADD R2, PC ; off_C719AEA8.text:C7116700 DF F8 58 E1 LDR.W LR, =(off_C719AEB4 - 0xC7116710).text:C7116704 7B 44 ADD R3, PC ; off_C719AEAC.text:C7116706 FC 44 ADD R12, PC ; off_C719AEB0.text:C7116708 DF F8 54 81 LDR.W R8, =(off_C719AEB8 - 0xC7116716).text:C711670C FE 44 ADD LR, PC ; off_C719AEB4.text:C711670E 00 68 LDR R0, [R0].text:C7116710 09 68 LDR R1, [R1] ; unk_DC0C5BCB.text:C7116712 F8 44 ADD R8, PC ; off_C719AEB8.text:C7116714 12 68 LDR R2, [R2] ; unk_19559DFE.text:C7116716 1B 68 LDR R3, [R3].text:C7116718 DC F8 00 40 LDR.W R4, [R12].text:C711671C 02 95 STR R5, [SP,#0xA8+var_A0].text:C711671E DE F8 00 50 LDR.W R5, [LR] ; unk_E10C62D9.text:C7116722 01 96 STR R6, [SP,#0xA8+var_A4].text:C7116724 4F 4E LDR R6, =(off_C719AEBC - 0xC711672E).text:C7116726 D8 F8 00 C0 LDR.W R12, [R8].text:C711672A 7E 44 ADD R6, PC ; off_C719AEBC.text:C711672C CD F8 0C 90 STR.W R9, [SP,#0xA8+var_9C].text:C7116730 36 68 LDR R6, [R6] ; unk_D748D587.text:C7116732 04 90 STR R0, [SP,#0xA8+var_98].text:C7116734 4C 48 LDR R0, =(off_C719AEC0 - 0xC711673A).text:C7116736 78 44 ADD R0, PC ; off_C719AEC0.text:C7116738 D0 F8 00 E0 LDR.W LR, [R0].text:C711673C 05 91 STR R1, [SP,#0xA8+var_94].text:C711673E 4B 49 LDR R1, =(off_C719AEC4 - 0xC7116746).text:C7116740 4F 48 LDR R0, =(off_C719AED8 - 0xC7116748).text:C7116742 79 44 ADD R1, PC ; off_C719AEC4.text:C7116744 78 44 ADD R0, PC ; off_C719AED8.text:C7116746 09 68 LDR R1, [R1] ; unk_DB4E0EF9.text:C7116748 06 92 STR R2, [SP,#0xA8+var_90].text:C711674A 49 4A LDR R2, =(off_C719AEC8 - 0xC7116750).text:C711674C 7A 44 ADD R2, PC ; off_C719AEC8.text:C711674E 12 68 LDR R2, [R2].text:C7116750 07 93 STR R3, [SP,#0xA8+var_8C].text:C7116752 48 4B LDR R3, =(off_C719AECC - 0xC7116758).text:C7116754 7B 44 ADD R3, PC ; off_C719AECC.text:C7116756 1B 68 LDR R3, [R3].text:C7116758 08 94 STR R4, [SP,#0xA8+var_88].text:C711675A 47 4C LDR R4, =(off_C719AED0 - 0xC7116760).text:C711675C 7C 44 ADD R4, PC ; off_C719AED0.text:C711675E 24 68 LDR R4, [R4] ; unk_1BDC845B.text:C7116760 09 95 STR R5, [SP,#0xA8+var_84].text:C7116762 46 4D LDR R5, =(off_C719AED4 - 0xC7116768).text:C7116764 7D 44 ADD R5, PC ; off_C719AED4.text:C7116766 2D 68 LDR R5, [R5] ; unk_2A21A091.text:C7116768 CD F8 28 C0 STR.W R12, [SP,#0xA8+var_80].text:C711676C D0 F8 00 C0 LDR.W R12, [R0] ; unk_F0F4C315.text:C7116770 0B 96 STR R6, [SP,#0xA8+var_7C].text:C7116772 44 4E LDR R6, =(off_C719AEDC - 0xC711677A).text:C7116774 44 48 LDR R0, =(off_C719AEE0 - 0xC711677C).text:C7116776 7E 44 ADD R6, PC ; off_C719AEDC.text:C7116778 78 44 ADD R0, PC ; off_C719AEE0.text:C711677A 36 68 LDR R6, [R6] ; unk_15F9058B.text:C711677C CD F8 30 E0 STR.W LR, [SP,#0xA8+var_78].text:C7116780 D0 F8 00 E0 LDR.W LR, [R0].text:C7116784 0D 91 STR R1, [SP,#0xA8+var_74].text:C7116786 41 49 LDR R1, =(off_C719AEE4 - 0xC711678E).text:C7116788 45 48 LDR R0, =(off_C719AEF8 - 0xC7116790).text:C711678A 79 44 ADD R1, PC ; off_C719AEE4.text:C711678C 78 44 ADD R0, PC ; off_C719AEF8.text:C711678E 09 68 LDR R1, [R1].text:C7116790 0E 92 STR R2, [SP,#0xA8+var_70].text:C7116792 3F 4A LDR R2, =(off_C719AEE8 - 0xC7116798).text:C7116794 7A 44 ADD R2, PC ; off_C719AEE8.text:C7116796 D2 F8 00 80 LDR.W R8, [R2].text:C711679A 0F 93 STR R3, [SP,#0xA8+var_6C].text:C711679C 3D 4B LDR R3, =(off_C719AEEC - 0xC71167A2).text:C711679E 7B 44 ADD R3, PC ; off_C719AEEC.text:C71167A0 D3 F8 00 90 LDR.W R9, [R3] ; unk_E618CE8B.text:C71167A4 10 94 STR R4, [SP,#0xA8+var_68].text:C71167A6 3C 4C LDR R4, =(off_C719AEF0 - 0xC71167AC).text:C71167A8 7C 44 ADD R4, PC ; off_C719AEF0.text:C71167AA D4 F8 00 A0 LDR.W R10, [R4] ; unk_1C361051.text:C71167AE 11 95 STR R5, [SP,#0xA8+var_64].text:C71167B0 3A 4D LDR R5, =(off_C719AEF4 - 0xC71167B6).text:C71167B2 7D 44 ADD R5, PC ; off_C719AEF4.text:C71167B4 D5 F8 00 B0 LDR.W R11, [R5].text:C71167B8 CD F8 48 C0 STR.W R12, [SP,#0xA8+var_60].text:C71167BC D0 F8 00 C0 LDR.W R12, [R0] ; unk_EC9A6DA7.text:C71167C0 13 96 STR R6, [SP,#0xA8+var_5C].text:C71167C2 38 4E LDR R6, =(off_C719AEFC - 0xC71167CA).text:C71167C4 38 48 LDR R0, =(off_C719AF00 - 0xC71167CC).text:C71167C6 7E 44 ADD R6, PC ; off_C719AEFC.text:C71167C8 78 44 ADD R0, PC ; off_C719AF00.text:C71167CA 36 68 LDR R6, [R6] ; unk_DDD3C1D1.text:C71167CC CD F8 50 E0 STR.W LR, [SP,#0xA8+var_58].text:C71167D0 D0 F8 00 E0 LDR.W LR, [R0] ; unk_320DA0F5.text:C71167D4 15 91 STR R1, [SP,#0xA8+var_54].text:C71167D6 35 49 LDR R1, =(off_C719AF04 - 0xC71167DC).text:C71167D8 79 44 ADD R1, PC ; off_C719AF04.text:C71167DA 0A 68 LDR R2, [R1] ; unk_2C6D8FB1.text:C71167DC 34 49 LDR R1, =(off_C719AF08 - 0xC71167E6).text:C71167DE CD F8 58 80 STR.W R8, [SP,#0xA8+var_50].text:C71167E2 79 44 ADD R1, PC ; off_C719AF08.text:C71167E4 0B 68 LDR R3, [R1] ; unk_1BABC103.text:C71167E6 33 49 LDR R1, =(off_C719AF0C - 0xC71167F0).text:C71167E8 CD F8 5C 90 STR.W R9, [SP,#0xA8+var_4C].text:C71167EC 79 44 ADD R1, PC ; off_C719AF0C.text:C71167EE 0C 68 LDR R4, [R1] ; unk_EEFDC92D.text:C71167F0 31 49 LDR R1, =(off_C719AF10 - 0xC71167FA).text:C71167F2 CD F8 60 A0 STR.W R10, [SP,#0xA8+var_48].text:C71167F6 79 44 ADD R1, PC ; off_C719AF10.text:C71167F8 0D 68 LDR R5, [R1].text:C71167FA 30 49 LDR R1, =(off_C719AF14 - 0xC7116804).text:C71167FC CD F8 64 B0 STR.W R11, [SP,#0xA8+var_44].text:C7116800 79 44 ADD R1, PC ; off_C719AF14.text:C7116802 08 68 LDR R0, [R1] ; unk_FFC5974B.text:C7116804 2E 49 LDR R1, =(off_C719AF18 - 0xC7116812).text:C7116806 CD F8 68 C0 STR.W R12, [SP,#0xA8+var_40].text:C711680A 0D F1 74 0C ADD.W R12, SP, #0xA8+var_34.text:C711680E 79 44 ADD R1, PC ; off_C719AF18.text:C7116810 09 68 LDR R1, [R1].text:C7116812 CD E9 1B 6E STRD.W R6, LR, [SP,#0xA8+var_3C].text:C7116816 8C E8 3C 00 STM.W R12, {R2-R5}.text:C711681A 6A 46 MOV R2, SP.text:C711681C 21 90 STR R0, [SP,#0xA8+var_24].text:C711681E 4F F4 AA 60 MOV.W R0, #0x550.text:C7116822 F9 F7 AF FD BL VM_Entrance_loc_CDF4C384 ; R:传入不同数字代走不同逻辑.text:C7116826 27 48 LDR R0, =(__stack_chk_guard_ptr - 0xC711682E).text:C7116828 22 99 LDR R1, [SP,#0xA8+var_20].text:C711682A 78 44 ADD R0, PC ; __stack_chk_guard_ptr.text:C711682C 00 68 LDR R0, [R0] ; __stack_chk_guard.text:C711682E 00 68 LDR R0, [R0].text:C7116830 40 1A SUBS R0, R0, R1.text:C7116832 01 BF ITTTT EQ.text:C7116834 A7 F1 1C 04 SUBEQ.W R4, R7, #-var_1C.text:C7116838 A5 46 MOVEQ SP, R4.text:C711683A BD E8 00 0F POPEQ.W {R8-R11}.text:C711683E F0 BD POPEQ {R4-R7,PC}
组合数据
生成随机数
.text:C7161304 sub_C7161304.text:C7161304 D0 B5 PUSH {R4,R6,R7,LR}.text:C7161306 00 22 MOVS R2, #0.text:C7161308 0E 4B LDR R3, =0x3DF00000.text:C716130A 06 46 MOV R6, R0.text:C716130C 0F 46 MOV R7, R1.text:C716130E 00 F0 4F F9 BL sub_C71615B0.text:C7161312 00 F0 5F FB BL sub_C71619D4.text:C7161316 04 46 MOV R4, R0.text:C7161318 FF F7 08 FE BL sub_C7160F2C.text:C716131C 00 22 MOVS R2, #0.text:C716131E 0A 4B LDR R3, =0x41F00000.text:C7161320 00 F0 46 F9 BL sub_C71615B0.text:C7161324 02 46 MOV R2, R0.text:C7161326 0B 46 MOV R3, R1.text:C7161328 30 46 MOV R0, R6.text:C716132A 39 46 MOV R1, R7.text:C716132C FF F7 C0 FC BL sub_C7160CB0.text:C7161330 00 F0 50 FB BL sub_C71619D4.text:C7161334 00 22 MOVS R2, #0.text:C7161336 23 46 MOV R3, R4.text:C7161338 42 EA 00 02 ORR.W R2, R2, R0.text:C716133C 10 46 MOV R0, R2.text:C716133E 19 46 MOV R1, R3.text:C7161340 D0 BD POP {R4,R6,R7,PC}
7DD6CFBE50请求体+服务器返回设备指纹+设备风险+crc+随机数
.text:C7112E44 ; 组合数据.text:C7112E44 getbody_crc_sub_CDA4AE44.text:C7112E44.text:C7112E44.text:C7112E44 ; __unwind { // C7149914.text:C7112E44 F0 B5 PUSH {R4-R7,LR}.text:C7112E46 03 AF ADD R7, SP, #0xC.text:C7112E48 2D E9 00 0F PUSH.W {R8-R11}.text:C7112E4C A5 B0 SUB SP, SP, #0x94.text:C7112E4E 80 46 MOV R8, R0.text:C7112E50 DF F8 F8 06 LDR.W R0, =(__stack_chk_guard_ptr - 0xC7112E5C).text:C7112E54 92 46 MOV R10, R2.text:C7112E56 8B 46 MOV R11, R1.text:C7112E58 78 44 ADD R0, PC ; __stack_chk_guard_ptr.text:C7112E5A 00 2B CMP R3, #0.text:C7112E5C 00 68 LDR R0, [R0] ; __stack_chk_guard.text:C7112E5E 00 68 LDR R0, [R0].text:C7112E60 24 90 STR R0, [SP,#0xB0+var_20].text:C7112E62 4F F6 DF 20+MOV R0, #0xFADFFADF.text:C7112E62 CF F6 DF 20.text:C7112E6A 0C 90 STR R0, [SP,#0xB0+var_80].text:C7112E6C 4F F0 01 00 MOV.W R0, #1.text:C7112E70 14 90 STR R0, [SP,#0xB0+var_60].text:C7112E72 23 D0 BEQ loc_C7112EBC.text:C7112E74 DF F8 D8 06 LDR.W R0, =(dword_C71A03A4 - 0xC7112E88).text:C7112E78 0B F1 1C 05 ADD.W R5, R11, #0x1C.text:C7112E7C DF F8 D4 16 LDR.W R1, =(dword_C71A97EC - 0xC7112E8C).text:C7112E80 DF F8 D4 26 LDR.W R2, =(dword_C71A03A8 - 0xC7112E8E).text:C7112E84 78 44 ADD R0, PC ; dword_C71A03A4.text:C7112E86 05 93 STR R3, [SP,#0xB0+var_9C].text:C7112E88 79 44 ADD R1, PC ; dword_C71A97EC.text:C7112E8A 7A 44 ADD R2, PC ; dword_C71A03A8.text:C7112E8C 00 68 LDR R0, [R0].text:C7112E8E 09 68 LDR R1, [R1].text:C7112E90 10 68 LDR R0, [R2].text:C7112E92 41 B9 CBNZ R1, loc_C7112EA6.text:C7112E94 4A F6 EA 41 MOVW R1, #0xACEA.text:C7112E98 00 F0 84 FC BL getFunc_loc_CDFDB7A4.text:C7112E9C 01 46 MOV R1, R0.text:C7112E9E DF F8 BC 06 LDR.W R0, =(dword_C71A97EC - 0xC7112EA6).text:C7112EA2 78 44 ADD R0, PC ; dword_C71A97EC.text:C7112EA4 01 60 STR R1, [R0].text:C7112EA6.text:C7112EA6 loc_C7112EA6.text:C7112EA6 28 46 MOV R0, R5.text:C7112EA8 88 47 BLX R1 ; pthread_mutex_lock.text:C7112EAA 5C 46 MOV R4, R11.text:C7112EAC 14 F8 20 0F LDRB.W R0, [R4,#0x20]!.text:C7112EB0 10 F0 01 0F TST.W R0, #1.text:C7112EB4 19 D1 BNE loc_C7112EEA.text:C7112EB6 00 20 MOVS R0, #0.text:C7112EB8 20 80 STRH R0, [R4].text:C7112EBA 1C E0 B loc_C7112EF6.text:C7112EBC.text:C7112EBC loc_C7112EBC.text:C7112EBC 00 20 MOVS R0, #0.text:C7112EBE C8 E9 00 00 STRD.W R0, R0, [R8].text:C7112EC2 C8 F8 08 00 STR.W R0, [R8,#8].text:C7112EC6 00 20 MOVS R0, #0 ; s.text:C7112EC8 96 F7 D6 EB BLX strlen.text:C7112ECC 04 46 MOV R4, R0.text:C7112ECE 14 F1 10 0F CMN.W R4, #0x10.text:C7112ED2 80 F0 08 83 BCS.W loc_C71134E6.text:C7112ED6 0B 2C CMP R4, #0xB.text:C7112ED8 80 F0 74 81 BCS.W loc_C71131C4.text:C7112EDC 60 00 LSLS R0, R4, #1.text:C7112EDE 00 2C CMP R4, #0.text:C7112EE0 08 F8 01 0B STRB.W R0, [R8],#1.text:C7112EE4 40 F0 7C 81 BNE.W loc_C71131E0.text:C7112EE8 7F E1 B loc_C71131EA.text:C7112EEA.text:C7112EEA loc_C7112EEA.text:C7112EEA DB F8 28 00 LDR.W R0, [R11,#0x28].text:C7112EEE 00 21 MOVS R1, #0.text:C7112EF0 01 70 STRB R1, [R0].text:C7112EF2 CB F8 24 10 STR.W R1, [R11,#0x24].text:C7112EF6.text:C7112EF6 loc_C7112EF6.text:C7112EF6 DF F8 68 06 LDR.W R0, =(dword_C71A03AC - 0xC7112F06).text:C7112EFA DF F8 68 16 LDR.W R1, =(dword_C71A97F0 - 0xC7112F08).text:C7112EFE DF F8 68 36 LDR.W R3, =(off_C71A03B0 - 0xC7112F0A).text:C7112F02 78 44 ADD R0, PC ; dword_C71A03AC.text:C7112F04 79 44 ADD R1, PC ; dword_C71A97F0.text:C7112F06 7B 44 ADD R3, PC ; off_C71A03B0.text:C7112F08 00 68 LDR R0, [R0].text:C7112F0A 0A 68 LDR R2, [R1].text:C7112F0C 19 68 LDR R1, [R3].text:C7112F0E 32 B9 CBNZ R2, loc_C7112F1E.text:C7112F10 00 F0 48 FC BL getFunc_loc_CDFDB7A4.text:C7112F14 02 46 MOV R2, R0.text:C7112F16 DF F8 54 06 LDR.W R0, =(dword_C71A97F0 - 0xC7112F1E).text:C7112F1A 78 44 ADD R0, PC ; dword_C71A97F0.text:C7112F1C 02 60 STR R2, [R0].text:C7112F1E.text:C7112F1E loc_C7112F1E.text:C7112F1E 06 95 STR R5, [SP,#0xB0+var_98].text:C7112F20 90 47 BLX R2 ; pthread_mutex_lock.text:C7112F22 05 46 MOV R5, R0.text:C7112F24 DF F8 48 06 LDR.W R0, =(dword_C71A97F4 - 0xC7112F34).text:C7112F28 DF F8 48 16 LDR.W R1, =(dword_C71A03B4 - 0xC7112F36).text:C7112F2C 05 F1 24 06 ADD.W R6, R5, #0x24 ; '$'.text:C7112F30 78 44 ADD R0, PC ; dword_C71A97F4.text:C7112F32 79 44 ADD R1, PC ; dword_C71A03B4.text:C7112F34 02 68 LDR R2, [R0].text:C7112F36 08 68 LDR R0, [R1].text:C7112F38 42 B9 CBNZ R2, loc_C7112F4C.text:C7112F3A 4C F6 D1 11 MOVW R1, #0xC9D1.text:C7112F3E 00 F0 31 FC BL getFunc_loc_CDFDB7A4.text:C7112F42 02 46 MOV R2, R0.text:C7112F44 DF F8 30 06 LDR.W R0, =(dword_C71A97F4 - 0xC7112F4C).text:C7112F48.text:C7112F48 loc_C7112F48.text:C7112F48 78 44 ADD R0, PC.text:C7112F4A 02 60 STR R2, [R0].text:C7112F4C.text:C7112F4C loc_C7112F4C.text:C7112F4C 0D F1 38 09 ADD.W R9, SP, #0xB0+var_78.text:C7112F50 31 46 MOV R1, R6.text:C7112F52 48 46 MOV R0, R9.text:C7112F54 90 47 BLX R2 ; 第二步服务器返回base64解密后的值.text:C7112F56 05 F1 0C 01 ADD.W R1, R5, #0xC.text:C7112F5A 11 A8 ADD R0, SP, #0xB0+var_6C.text:C7112F5C 9F F7 5E FA BL memory_cpy_sub_CF0FF41C.text:C7112F60 DB E9 32 56 LDRD.W R5, R6, [R11,#0xC8].text:C7112F64 DB E9 38 01 LDRD.W R0, R1, [R11,#0xE0].text:C7112F68 08 1A SUBS R0, R1, R0.text:C7112F6A 59 46 MOV R1, R11.text:C7112F6C 80 10 ASRS R0, R0, #2.text:C7112F6E 0D 90 STR R0, [SP,#0xB0+var_7C].text:C7112F70 11 F8 0C 0F LDRB.W R0, [R1,#0xC]!.text:C7112F74 10 F0 01 0F TST.W R0, #1.text:C7112F78 0C BF ITE EQ.text:C7112F7A 40 08 LSREQ R0, R0, #1.text:C7112F7C DB F8 10 00 LDRNE.W R0, [R11,#0x10].text:C7112F80 04 90 STR R0, [SP,#0xB0+var_A0].text:C7112F82 9B F8 00 00 LDRB.W R0, [R11].text:C7112F86 01 91 STR R1, [SP,#0xB0+var_AC].text:C7112F88 10 F0 01 0F TST.W R0, #1.text:C7112F8C 0C BF ITE EQ.text:C7112F8E 40 08 LSREQ R0, R0, #1.text:C7112F90 DB F8 04 00 LDRNE.W R0, [R11,#4].text:C7112F94 03 90 STR R0, [SP,#0xB0+var_A4].text:C7112F96 0C A9 ADD R1, SP, #0xB0+var_80.text:C7112F98 20 46 MOV R0, R4.text:C7112F9A 04 22 MOVS R2, #4.text:C7112F9C CD F8 08 80 STR.W R8, [SP,#0xB0+var_A8].text:C7112FA0 A0 F7 3F FC BL putvuale_sub_C4A7C822.text:C7112FA4 14 A9 ADD R1, SP, #0xB0+var_60.text:C7112FA6 20 46 MOV R0, R4.text:C7112FA8 01 22 MOVS R2, #1.text:C7112FAA A0 F7 3A FC BL putvuale_sub_C4A7C822.text:C7112FAE 70 1B SUBS R0, R6, R5.text:C7112FB0 81 10 ASRS R1, R0, #2.text:C7112FB2 0D 98 LDR R0, [SP,#0xB0+var_7C].text:C7112FB4 0A 91 STR R1, [SP,#0xB0+var_88].text:C7112FB6 08 44 ADD R0, R1.text:C7112FB8 1B 90 STR R0, [SP,#0xB0+var_44].text:C7112FBA 0B F5 84 71 ADD.W R1, R11, #0x108.text:C7112FBE 20 46 MOV R0, R4.text:C7112FC0 01 22 MOVS R2, #1.text:C7112FC2 A0 F7 2E FC BL putvuale_sub_C4A7C822.text:C7112FC6 0B F5 86 78 ADD.W R8, R11, #0x10C.text:C7112FCA 20 46 MOV R0, R4.text:C7112FCC 41 46 MOV R1, R8.text:C7112FCE 01 22 MOVS R2, #1.text:C7112FD0 A0 F7 27 FC BL putvuale_sub_C4A7C822.text:C7112FD4 BA F1 01 0F CMP.W R10, #1.text:C7112FD8 11 D1 BNE loc_C7112FFE.text:C7112FDA 0B F5 88 71 ADD.W R1, R11, #0x110.text:C7112FDE 20 46 MOV R0, R4.text:C7112FE0 01 22 MOVS R2, #1.text:C7112FE2 A0 F7 1E FC BL putvuale_sub_C4A7C822.text:C7112FE6 0B F5 8A 71 ADD.W R1, R11, #0x114.text:C7112FEA 20 46 MOV R0, R4.text:C7112FEC 01 22 MOVS R2, #1.text:C7112FEE A0 F7 18 FC BL putvuale_sub_C4A7C822.text:C7112FF2 1B A9 ADD R1, SP, #0xB0+var_44.text:C7112FF4 20 46 MOV R0, R4.text:C7112FF6 01 22 MOVS R2, #1.text:C7112FF8 A0 F7 13 FC BL putvuale_sub_C4A7C822.text:C7112FFC 11 E0 B loc_C7113022.text:C7112FFE.text:C7112FFE loc_C7112FFE.text:C7112FFE 02 25 MOVS R5, #2.text:C7113000 18 95 STR R5, [SP,#0xB0+var_50].text:C7113002 18 A9 ADD R1, SP, #0xB0+var_50.text:C7113004 20 46 MOV R0, R4.text:C7113006 01 22 MOVS R2, #1.text:C7113008 A0 F7 0B FC BL putvuale_sub_C4A7C822.text:C711300C 18 95 STR R5, [SP,#0xB0+var_50].text:C711300E 18 A9 ADD R1, SP, #0xB0+var_50.text:C7113010 20 46 MOV R0, R4.text:C7113012 01 22 MOVS R2, #1.text:C7113014 A0 F7 05 FC BL putvuale_sub_C4A7C822.text:C7113018 0D A9 ADD R1, SP, #0xB0+var_7C.text:C711301A 20 46 MOV R0, R4.text:C711301C 01 22 MOVS R2, #1.text:C711301E A0 F7 00 FC BL putvuale_sub_C4A7C822.text:C7113022.text:C7113022 loc_C7113022.text:C7113022 00 20 MOVS R0, #0.text:C7113024 1C 90 STR R0, [SP,#0xB0+crc].text:C7113026 1C A9 ADD R1, SP, #0xB0+crc.text:C7113028 20 46 MOV R0, R4.text:C711302A 04 22 MOVS R2, #4.text:C711302C A0 F7 F9 FB BL putvuale_sub_C4A7C822.text:C7113030 0B F1 2C 01 ADD.W R1, R11, #0x2C ; ','.text:C7113034 20 46 MOV R0, R4.text:C7113036 07 22 MOVS R2, #7.text:C7113038 A0 F7 F3 FB BL putvuale_sub_C4A7C822.text:C711303C 9D F8 38 10 LDRB.W R1, [SP,#0xB0+var_78].text:C7113040 0F 98 LDR R0, [SP,#0xB0+var_74].text:C7113042 11 F0 01 0F TST.W R1, #1.text:C7113046 08 BF IT EQ.text:C7113048 48 08 LSREQ R0, R1, #1.text:C711304A 1D 90 STR R0, [SP,#0xB0+var_3C].text:C711304C 1D A9 ADD R1, SP, #0xB0+var_3C.text:C711304E 20 46 MOV R0, R4.text:C7113050 01 22 MOVS R2, #1.text:C7113052 A0 F7 E6 FB BL putvuale_sub_C4A7C822.text:C7113056 1D 9A LDR R2, [SP,#0xB0+var_3C].text:C7113058 52 B1 CBZ R2, loc_C7113070.text:C711305A 9D F8 38 00 LDRB.W R0, [SP,#0xB0+var_78].text:C711305E 10 99 LDR R1, [SP,#0xB0+var_70].text:C7113060 10 F0 01 0F TST.W R0, #1.text:C7113064 08 BF IT EQ.text:C7113066 49 F0 01 01 ORREQ.W R1, R9, #1.text:C711306A 20 46 MOV R0, R4.text:C711306C A0 F7 D9 FB BL putvuale_sub_C4A7C822.text:C7113070.text:C7113070 loc_C7113070.text:C7113070 0B F1 34 01 ADD.W R1, R11, #0x34 ; '4'.text:C7113074 20 46 MOV R0, R4.text:C7113076 02 22 MOVS R2, #2.text:C7113078 A0 F7 D3 FB BL putvuale_sub_C4A7C822.text:C711307C 58 46 MOV R0, R11.text:C711307E 10 F8 38 1F LDRB.W R1, [R0,#0x38]!.text:C7113082 11 F0 01 0F TST.W R1, #1.text:C7113086 0C BF ITE EQ.text:C7113088.text:C7113088 loc_C7113088.text:C7113088 41 1C ADDEQ R1, R0, #1.text:C711308A DB F8 40 10 LDRNE.W R1, [R11,#0x40].text:C711308E D8 F8 00 20 LDR.W R2, [R8].text:C7113092 20 46 MOV R0, R4.text:C7113094 A0 F7 C5 FB BL putvuale_sub_C4A7C822.text:C7113098 15 A8 ADD R0, SP, #0xB0+var_5C.text:C711309A 4F F0 00 08 MOV.W R8, #0.text:C711309E 04 30 ADDS R0, #4.text:C71130A0 CD E9 08 A4 STRD.W R10, R4, [SP,#0xB0+var_90].text:C71130A4 CD E9 16 88 STRD.W R8, R8, [SP,#0xB0+var_58].text:C71130A8 0B F1 B4 09 ADD.W R9, R11, #0xB4.text:C71130AC 0B 90 STR R0, [SP,#0xB0+var_84].text:C71130AE 15 90 STR R0, [SP,#0xB0+var_5C].text:C71130B0 18 A8 ADD R0, SP, #0xB0+var_50.text:C71130B2 CD E9 19 88 STRD.W R8, R8, [SP,#0xB0+var_4C].text:C71130B6 04 30 ADDS R0, #4.text:C71130B8 07 90 STR R0, [SP,#0xB0+var_94].text:C71130BA 18 90 STR R0, [SP,#0xB0+var_50].text:C71130BC DB F8 B0 40 LDR.W R4, [R11,#0xB0].text:C71130C0 A1 45 CMP R9, R4.text:C71130C2 2A D0 BEQ loc_C711311A.text:C71130C4 0D F1 78 0A ADD.W R10, SP, #0xB0+var_38.text:C71130C8 15 AD ADD R5, SP, #0xB0+var_5C.text:C71130CA 22 AE ADD R6, SP, #0xB0+var_28.text:C71130CC.text:C71130CC loc_C71130CC.text:C71130CC 60 69 LDR R0, [R4,#0x14].text:C71130CE 01 0C LSRS R1, R0, #0x10.text:C71130D0 B8 EB 10 4F CMP.W R8, R0,LSR#16.text:C71130D4 18 BF IT NE.text:C71130D6 01 21 MOVNE R1, #1.text:C71130D8 80 B2 UXTH R0, R0.text:C71130DA 8D F8 8C 10 STRB.W R1, [SP,#0xB0+var_24].text:C71130DE 22 90 STR R0, [SP,#0xB0+var_28].text:C71130E0 50 46 MOV R0, R10.text:C71130E2 29 46 MOV R1, R5.text:C71130E4 32 46 MOV R2, R6.text:C71130E6 33 46 MOV R3, R6.text:C71130E8 00 F0 0A FB BL malloc_sub_CDFDB700.text:C71130EC 60 68 LDR R0, [R4,#4].text:C71130EE 20 B1 CBZ R0, loc_C71130FA.text:C71130F0.text:C71130F0 loc_C71130F0.text:C71130F0 04 46 MOV R4, R0.text:C71130F2 20 68 LDR R0, [R4].text:C71130F4 00 28 CMP R0, #0.text:C71130F6 FB D1 BNE loc_C71130F0.text:C71130F8 0D E0 B loc_C7113116.text:C71130FA.text:C71130FA loc_C71130FA.text:C71130FA 20 46 MOV R0, R4.text:C71130FC 50 F8 08 1F LDR.W R1, [R0,#8]!.text:C7113100 0A 68 LDR R2, [R1].text:C7113102 A2 42 CMP R2, R4.text:C7113104 0C 46 MOV R4, R1.text:C7113106 06 D0 BEQ loc_C7113116.text:C7113108.text:C7113108 loc_C7113108.text:C7113108 01 68 LDR R1, [R0].text:C711310A 08 46 MOV R0, R1.text:C711310C 50 F8 08 4F LDR.W R4, [R0,#8]!.text:C7113110 22 68 LDR R2, [R4].text:C7113112 8A 42 CMP R2, R1.text:C7113114 F8 D1 BNE loc_C7113108.text:C7113116.text:C7113116 loc_C7113116.text:C7113116 A1 45 CMP R9, R4.text:C7113118 D8 D1 BNE loc_C71130CC.text:C711311A.text:C711311A loc_C711311A.text:C711311A DB F8 A4 A0 LDR.W R10, [R11,#0xA4].text:C711311E 0B F1 A8 04 ADD.W R4, R11, #0xA8.text:C7113122 54 45 CMP R4, R10.text:C7113124 30 D0 BEQ loc_C7113188.text:C7113126 0D F1 78 08 ADD.W R8, SP, #0xB0+var_38.text:C711312A 18 AD ADD R5, SP, #0xB0+var_50.text:C711312C 22 AE ADD R6, SP, #0xB0+var_28.text:C711312E 4F F0 00 09 MOV.W R9, #0.text:C7113132.text:C7113132 loc_C7113132.text:C7113132 DA F8 14 00 LDR.W R0, [R10,#0x14].text:C7113136 01 0C LSRS R1, R0, #0x10.text:C7113138 B9 EB 10 4F CMP.W R9, R0,LSR#16.text:C711313C 18 BF IT NE.text:C711313E 01 21 MOVNE R1, #1.text:C7113140 80 B2 UXTH R0, R0.text:C7113142 8D F8 8C 10 STRB.W R1, [SP,#0xB0+var_24].text:C7113146 22 90 STR R0, [SP,#0xB0+var_28].text:C7113148 40 46 MOV R0, R8.text:C711314A 29 46 MOV R1, R5.text:C711314C 32 46 MOV R2, R6.text:C711314E 33 46 MOV R3, R6.text:C7113150 00 F0 D6 FA BL malloc_sub_CDFDB700.text:C7113154 DA F8 04 00 LDR.W R0, [R10,#4].text:C7113158 28 B1 CBZ R0, loc_C7113166.text:C711315A.text:C711315A loc_C711315A.text:C711315A 82 46 MOV R10, R0.text:C711315C DA F8 00 00 LDR.W R0, [R10].text:C7113160 00 28 CMP R0, #0.text:C7113162 FA D1 BNE loc_C711315A.text:C7113164 0E E0 B loc_C7113184.text:C7113166.text:C7113166 loc_C7113166.text:C7113166 50 46 MOV R0, R10.text:C7113168 50 F8 08 1F LDR.W R1, [R0,#8]!.text:C711316C 0A 68 LDR R2, [R1].text:C711316E 52 45 CMP R2, R10.text:C7113170 8A 46 MOV R10, R1.text:C7113172 07 D0 BEQ loc_C7113184.text:C7113174.text:C7113174 loc_C7113174.text:C7113174 01 68 LDR R1, [R0].text:C7113176 08 46 MOV R0, R1.text:C7113178 50 F8 08 AF LDR.W R10, [R0,#8]!.text:C711317C DA F8 00 20 LDR.W R2, [R10].text:C7113180 8A 42 CMP R2, R1.text:C7113182 F7 D1 BNE loc_C7113174.text:C7113184.text:C7113184 loc_C7113184.text:C7113184 54 45 CMP R4, R10.text:C7113186 D4 D1 BNE loc_C7113132.text:C7113188.text:C7113188 loc_C7113188.text:C7113188 DD F8 20 90 LDR.W R9, [SP,#0xB0+var_90].text:C711318C B9 F1 01 0F CMP.W R9, #1.text:C7113190 3C D1 BNE loc_C711320C.text:C7113192 DB F8 10 01 LDR.W R0, [R11,#0x110].text:C7113196 DD E9 09 8A LDRD.W R8, R10, [SP,#0xB0+var_8C].text:C711319A 07 9E LDR R6, [SP,#0xB0+var_94].text:C711319C 00 28 CMP R0, #0.text:C711319E 65 D0 BEQ loc_C711326C.text:C71131A0 1E AC ADD R4, SP, #0xB0+var_38.text:C71131A2 00 25 MOVS R5, #0.text:C71131A4.text:C71131A4 loc_C71131A4.text:C71131A4 DB F8 44 00 LDR.W R0, [R11,#0x44].text:C71131A8 50 F8 25 00 LDR.W R0, [R0,R5,LSL#2].text:C71131AC 1E 90 STR R0, [SP,#0xB0+var_38].text:C71131AE 40 46 MOV R0, R8.text:C71131B0 21 46 MOV R1, R4.text:C71131B2 04 22 MOVS R2, #4.text:C71131B4 A0 F7 35 FB BL putvuale_sub_C4A7C822.text:C71131B8 DB F8 10 01 LDR.W R0, [R11,#0x110].text:C71131BC 01 35 ADDS R5, #1.text:C71131BE 85 42 CMP R5, R0.text:C71131C0 F0 D3 BCC loc_C71131A4.text:C71131C2 50 E0 B loc_C7113266.text:C71131C4.text:C71131C4 loc_C71131C4.text:C71131C4 04 F1 10 00 ADD.W R0, R4, #0x10.text:C71131C8 20 F0 0F 05 BIC.W R5, R0, #0xF.text:C71131CC 28 46 MOV R0, R5.text:C71131CE 38 F0 5B F9 BL malloc_sub_CF198488.text:C71131D2 45 F0 01 01 ORR.W R1, R5, #1.text:C71131D6 C8 E9 00 14 STRD.W R1, R4, [R8].text:C71131DA C8 F8 08 00 STR.W R0, [R8,#8].text:C71131DE 80 46 MOV R8, R0.text:C71131E0.text:C71131E0 loc_C71131E0.text:C71131E0 40 46 MOV R0, R8.text:C71131E2 00 21 MOVS R1, #0.text:C71131E4 22 46 MOV R2, R4.text:C71131E6 96 F7 B4 EA BLX __aeabi_memcpy.text:C71131EA.text:C71131EA loc_C71131EA.text:C71131EA 00 20 MOVS R0, #0.text:C71131EC 08 F8 04 00 STRB.W R0, [R8,R4].text:C71131F0.text:C71133C6 04 46 MOV R4, R0.text:C71133C8 DB F8 28 00 LDR.W R0, [R11,#0x28].text:C71133CC.text:C71133CC loc_C71133CC ; CODE XREF: getbody_crc_sub_CDA4AE44+572↑j.text:C71133CC 00 F1 0E 01 ADD.W R1, R0, #0xE.text:C71133D0 20 46 MOV R0, R4.text:C71133D2 2A 46 MOV R2, R5.text:C71133D4 96 F7 BC E9 BLX __aeabi_memcpy ; 设备数据.text:C71133D8 20 46 MOV R0, R4.text:C71133DA 29 46 MOV R1, R5.text:C71133DC 00 22 MOVS R2, #0.text:C71133DE F0 F7 6E FE BL crc_sub_CDA3C0BE ; crc.text:C71133E2 1C 90 STR R0, [SP,#0xB0+crc].text:C71133E4 04 20 MOVS R0, #4.text:C71133E6 1C AB ADD R3, SP, #0xB0+crc.text:C71133E8 00 90 STR R0, [SP,#0xB0+var_B0].text:C71133EA 40 46 MOV R0, R8.text:C71133EC 0A 21 MOVS R1, #0xA.text:C71133EE 04 22 MOVS R2, #4.text:C71133F0 00 F0 D0 F8 BL cppy_crc_sub_CDA4B594.text:C71133F4 01 46 MOV R1, R0.text:C71133F6 40 46 MOV R0, R8.text:C71133F8 A8 F7 B0 F8 BL memmove_sub_CDB0E55C.text:C71133FC 98 F8 00 00 LDRB.W R0, [R8].text:C7113400 10 F0 01 0F TST.W R0, #1.text:C7113404 0C BF ITE EQ.text:C7113406 40 08 LSREQ R0, R0, #1.text:C7113408 DB F8 24 00 LDRNE.W R0, [R11,#0x24].text:C711340C 05 99 LDR R1, [SP,#0xB0+var_9C]
组合后数据
CF274E00 69 20 61 6D 20 74 68 65 20 72 65 71 75 65 73 74 i am the requestCF274E10 20 62 6F 64 79 2C 20 65 6E 63 72 79 70 74 65 64 body, encryptedCF274E20 20 6F 72 20 6E 6F 74 21 26 30 65 61 37 5F DF FA or not!&0ea7_..CF274E30 DF FA 01 0D 0A 02 02 10 7C 67 BC 63 3F 63 3D 4A ........|g.c?c=JCF274E40 02 09 1D 40 36 1F 4C 68 9E D2 6D F1 A2 A4 18 28 [email protected].......(CF274E50 91 E8 24 4A C2 0C EA 01 86 B6 7B 05 09 AD AC 19 ..........{.....CF274E60 B0 90 5B 57 1B 86 71 57 7F D4 FF 36 F5 36 A8 2D ..[W..qW...6....CF274E70 F9 90 08 0D 25 9E C4 84 99 25 62 1C 06 1E 8C 5E ....%.Ą .%b....^CF274E80 27 92 9D 16 F2 02 00 08 64 00 05 2C 02 0A 00 0D '.......d..,....CF274E90 D2 A9 A5 00 4D E3 00 00 57 96 F1 D5 7D 01 00 00 ҩ ..M...W.......CF274EA0 00 00 00 00 00 00 00 00 00 06 01 03 02 03 26 01 ..............&.CF274EB0 0C 01 0D 03 06 01 07 02 05 02 25 05 09 04 08 06 ..........%.....CF274EC0 64 04 03 01 0A 01 1A 05 7F 73 71 34 7D 72 75 65 d........sq4}rueCF274ED0 69 74 34 7D 72 75 65 69 74 7C 7D 7F 79 5A 79 71 it4}rueit|}.yZyqCF274EE0 73 00 08 34 6B 0C 3B 3B 27 24 2A 2C 3F 24 26 25 s..4k.;;'$*,?$&%CF274EF0 00 7C 65 7B 00 07 02 06 54 07 5C 57 08 53 02 07 .|e{....T.\W.S..CF274F00 55 55 51 57 01 07 56 03 51 08 51 53 52 5B 51 5C UUQW..V.Q.QSR[Q\CF274F10 01 54 53 54 02 00 52 5B 00 7C 7B 00 34 0B 1C 07 .TST..R[.|{.4...CF274F20 10 44 3C 30 00 51 5D 50 52 55 54 00 5B 53 53 5B .D<0.Q]PRUT.[SS[CF274F30 52 59 00 65 69 7C 66 61 68 00 70 64 71 6F 6C 6D RY.ei|fah.pdqolmCF274F40 00 5B 73 73 7B 72 79 00 7F 00 53 4E 52 4E 54 00 .[ss{ry...SNRNT.CF274F50 53 58 58 54 1C 52 57 56 54 00 6D 3F 3C 3E 3D 32 SXXT.RWVT.m?<>=2CF274F60 40 40 6D 6D 6D 6D 3E 70 40 6D 00 26 37 44 44 36 @@mmmm>p@m.&7DD6CF274F70 43 46 42 45 35 30 00 CF 45 00 00 00 00 00 00 00 CFBE50
计算hmac值
.text:C71057A4 encbody_hmac_sha256_sub_CDF417A4.text:C71057A4.text:C71057A4 var_48= -0x48.text:C71057A4 var_44= -0x44.text:C71057A4 var_40= -0x40.text:C71057A4 var_3C= -0x3C.text:C71057A4 var_38= -0x38.text:C71057A4 var_34= -0x34.text:C71057A4 index= -0x30.text:C71057A4 var_2C= -0x2C.text:C71057A4 var_28= -0x28.text:C71057A4 bodydata1= -0x24.text:C71057A4 bodydata= -0x20.text:C71057A4 arg_1B4= 0x1BC.text:C71057A4 arg_290= 0x298.text:C71057A4 arg_2E0= 0x2E8.text:C71057A4.text:C71057A4 ; __unwind { // FBF89000.text:C71057A4 F0 B5 PUSH {R4-R7,LR}.text:C71057A6 03 AF ADD R7, SP, #0xC.text:C71057A8 2D E9 00 0F PUSH.W {R8-R11}.text:C71057AC 8B B0 SUB SP, SP, #0x2C.text:C71057AE 01 91 STR R1, [SP,#0x48+var_44].text:C71057B0 06 46 MOV R6, R0.text:C71057B2 74 49 LDR R1, =(off_C719DAAC - 0xC71057C2).text:C71057B4 06 F1 48 04 ADD.W R4, R6, #0x48 ; 'H'.text:C71057B8 06 F1 40 05 ADD.W R5, R6, #0x40 ; '@'.text:C71057BC 41 20 MOVS R0, #0x41 ; 'A'.text:C71057BE 79 44 ADD R1, PC ; off_C719DAAC.text:C71057C0 04 92 STR R2, [SP,#0x48+var_38].text:C71057C2 D1 F8 00 B0 LDR.W R11, [R1] ; unk_C719EEA0.text:C71057C6 6C 49 LDR R1, =(off_C719DAB4 - 0xC71057CC).text:C71057C8 79 44 ADD R1, PC ; off_C719DAB4.text:C71057CA D1 F8 00 80 LDR.W R8, [R1] ; unk_C719EEF0.text:C71057CE 6B 49 LDR R1, =(off_C719DAB4 - 0xC71057D4).text:C71057D0 79 44 ADD R1, PC ; off_C719DAB4.text:C71057D2 09 68 LDR R1, [R1] ; unk_C719EEF0.text:C71057D4 00 91 STR R1, [SP,#0x48+var_48].text:C71057D6 6A 49 LDR R1, =(off_C719DAB4 - 0xC71057DC).text:C71057D8 79 44 ADD R1, PC ; off_C719DAB4.text:C71057DA 09 68 LDR R1, [R1] ; unk_C719EEF0.text:C71057DC 05 91 STR R1, [SP,#0x48+var_34].text:C71057DE 64 49 LDR R1, =(off_C719DAB4 - 0xC71057E4).text:C71057E0 79 44 ADD R1, PC ; off_C719DAB4.text:C71057E2 09 68 LDR R1, [R1] ; unk_C719EEF0.text:C71057E4 03 91 STR R1, [SP,#0x48+var_3C].text:C71057E6 63 49 LDR R1, =(off_C719DAB4 - 0xC71057EC).text:C71057E8 79 44 ADD R1, PC ; off_C719DAB4.text:C71057EA 09 68 LDR R1, [R1] ; unk_C719EEF0.text:C71057EC 02 91 STR R1, [SP,#0x48+var_40].text:C71057EE.text:C71057EE loc_C71057EE.text:C71057EE 81 46 MOV R9, R0.text:C71057F0.text:C71057F0 loc_C71057F0.text:C71057F0 08 98 LDR R0, [SP,#0x48+var_28].text:C71057F2 01 30 ADDS R0, #1.text:C71057F4 06 90 STR R0, [SP,#0x48+index].text:C71057F6.text:C71057F6 loc_C71057F6.text:C71057F6 B9 F1 43 0F CMP.W R9, #0x43 ; 'C'.text:C71057FA 06 DA BGE loc_C710580A.text:C71057FC B9 F1 3F 0F CMP.W R9, #0x3F ; '?'.text:C7105800 0A DA BGE loc_C7105818.text:C7105802 B9 F1 3E 0F CMP.W R9, #0x3E ; '>'.text:C7105806 16 D1 BNE loc_C7105836.text:C7105808 AD E0 B loc_C7105966.text:C710580A.text:C710580A loc_C710580A.text:C710580A B9 F1 4B 0F CMP.W R9, #0x4B ; 'K'.text:C710580E 2A DA BGE loc_C7105866.text:C7105810 B9 F1 4A 0F CMP.W R9, #0x4A ; 'J'.text:C7105814.text:C7105814 loc_C7105814.text:C7105814 17 D1 BNE loc_C7105846.text:C7105816 3B E0 B loc_C7105890.text:C7105818.text:C7105818 loc_C7105818.text:C7105818 B9 F1 41 0F CMP.W R9, #0x41 ; 'A'.text:C710581C 80 F2 8B 80 BGE.W loc_C7105936.text:C7105820 B8 F8 5A 00 LDRH.W R0, [R8,#(word_C719EF4A - 0xC719EEF0)].text:C7105824 B8 F8 2E 10 LDRH.W R1, [R8,#(word_C719EF1E - 0xC719EEF0)].text:C7105828 48 43 MULS R0, R1.text:C710582A 48 F2 E2 51 MOVW R1, #0x85E2.text:C710582E 80 B2 UXTH R0, R0.text:C7105830 88 42 CMP R0, R1.text:C7105832 00 F0 69 80 BEQ.W loc_C7105908.text:C7105836.text:C7105836 loc_C7105836.text:C7105836 9B F8 02 00 LDRB.W R0, [R11,#(byte_C719EEA2 - 0xC719EEA0)].text:C710583A 18 28 CMP R0, #0x18.text:C710583C 23 D0 BEQ loc_C7105886.text:C710583E 9E 28 CMP R0, #0x9E.text:C7105840 2B 08 LSRS R3, R5, #0x20 ; ' '.text:C7105842 CC AB ADD R3, SP, #0x48+arg_2E0.text:C7105844 81 93 STR R3, [SP,#0x48+arg_1B4].text:C7105846.text:C7105846 loc_C7105846.text:C7105846 30 46 MOV R0, R6.text:C7105848 31 46 MOV R1, R6.text:C710584A D0 47 BLX R10 ; sha256_transform,R1:64字节数据.text:C710584C D4 E9 00 01 LDRD.W R0, R1, [R4].text:C7105850 89 F0 7F 09 EOR.W R9, R9, #0x7F.text:C7105854 10 F5 00 70 ADDS.W R0, R0, #0x200.text:C7105858 41 F1 00 01 ADC.W R1, R1, #0.text:C710585C.text:C710585C loc_C710585C.text:C710585C C4 E9 00 01 STRD.W R0, R1, [R4].text:C7105860 00 20 MOVS R0, #0.text:C7105862 28 60 STR R0, [R5].text:C7105864 C7 E7 B loc_C71057F6.text:C7105866.text:C7105866 loc_C7105866.text:C7105866 B9 F1 4E 0F CMP.W R9, #0x4E ; 'N'.text:C710586A 1B DD BLE loc_C71058A4.text:C710586C DD E9 09 10 LDRD.W R1, R0, [SP,#0x48+bodydata1].text:C7105870 4F F0 3C 09 MOV.W R9, #0x3C ; '<'.text:C7105874 08 70 STRB R0, [R1] ; bodydata.text:C7105876 28 68 LDR R0, [R5] ; offset.text:C7105878 01 30 ADDS R0, #1.text:C710587A 28 60 STR R0, [R5] ; offset+1 index.text:C710587C 40 28 CMP R0, #0x40 ; '@' ; 判断是否拷贝结束.text:C710587E 08 BF IT EQ.text:C7105880 4F F0 4B 09 MOVEQ.W R9, #0x4B ; 'K'.text:C7105884 B7 E7 B loc_C71057F6
多次计算hmac
appkey解密现来数据加密后与第一次计算得到的hmac组合b5c0d0a4-4763-44e8-baa6-dfca9a66efdb 再次计算hmac
.text:C71034A4 F0 B5 PUSH {R4-R7,LR}.text:C71034A6 03 AF ADD R7, SP, #0xC.text:C71034A8 2D E9 00 0F PUSH.W {R8-R11}.text:C71034AC DB B0 SUB SP, SP, #0x16C.text:C71034AE 0D F1 10 0C ADD.W R12, SP, #0x10.text:C71034B2 40 F6 0F 29 MOVW R9, #0xA0F.text:C71034B6 8C E8 0F 00 STM.W R12, {R0-R3}.text:C71034BA C0 F6 96 09 MOVT R9, #0x896.text:C71034BE 93 49 LDR R1, =(off_C719DA80 - 0xC71034C6).text:C71034C0 91 48 LDR R0, =(__stack_chk_guard_ptr - 0xC71034C8).text:C71034C2 79 44 ADD R1, PC ; off_C719DA80.text:C71034C4 78 44 ADD R0, PC ; __stack_chk_guard_ptr.text:C71034C6 D1 F8 00 A0 LDR.W R10, [R1] ; unk_C719ECA0.text:C71034CA 94 49 LDR R1, =(off_C719DA78 - 0xC71034D2).text:C71034CC 00 68 LDR R0, [R0] ; __stack_chk_guard.text:C71034CE 79 44 ADD R1, PC ; off_C719DA78.text:C71034D0 00 68 LDR R0, [R0].text:C71034D2 09 68 LDR R1, [R1] ; unk_C719EBC0.text:C71034D4 5A 90 STR R0, [SP,#0x168].text:C71034D6 39 20 MOVS R0, #0x39 ; '9'.text:C71034D8 03 91 STR R1, [SP,#0xC].text:C71034DA 8D 49 LDR R1, =(off_C719DA78 - 0xC71034E0).text:C71034DC 79 44 ADD R1, PC ; off_C719DA78.text:C71034DE D1 F8 00 B0 LDR.W R11, [R1] ; unk_C719EBC0.text:C71034E2 8C 49 LDR R1, =(off_C719DA78 - 0xC71034E8).text:C71034E4 79 44 ADD R1, PC ; off_C719DA78.text:C71034E6 09 68 LDR R1, [R1] ; unk_C719EBC0.text:C71034E8 0B 91 STR R1, [SP,#0x2C].text:C71034EA 8B 49 LDR R1, =(off_C719DA78 - 0xC71034F0).text:C71034EC 79 44 ADD R1, PC ; off_C719DA78.text:C71034EE 09 68 LDR R1, [R1] ; unk_C719EBC0.text:C71034F0 09 91 STR R1, [SP,#0x24].text:C71034F2 CF E0 B loc_C7103694.text:C71034F4.text:C71034F4 loc_C71034F4.text:C71034F4 06 46 MOV R6, R0.text:C71034F6 0D 46 MOV R5, R1.text:C71034F8 1C 46 MOV R4, R3.text:C71034FA 8E E0 B loc_C710361A.text:C71034FC.text:C71034FC loc_C71034FC.text:C71034FC 06 46 MOV R6, R0.text:C71034FE 0D 46 MOV R5, R1.text:C7103500 1C 46 MOV R4, R3.text:C7103502 A9 E0 B loc_C7103658.text:C7103504.text:C7103504 loc_C7103504.text:C7103504 34 28 CMP R0, #0x34 ; '4'.text:C7103506 65 DB BLT loc_C71035D4.text:C7103508 34 26 MOVS R6, #0x34 ; '4'.text:C710350A.text:C710350A loc_C710350A.text:C710350A 9F 48 LDR R0, =(dword_C71A737C - 0xC7103510).text:C710350C 78 44 ADD R0, PC ; dword_C71A737C.text:C710350E D0 F8 00 80 LDR.W R8, [R0].text:C7103512 9E 48 LDR R0, =(dword_C719EE50 - 0xC710351C).text:C7103514 B8 F1 00 0F CMP.W R8, #0.text:C7103518 78 44 ADD R0, PC ; dword_C719EE50.text:C710351A 00 68 LDR R0, [R0].text:C710351C 08 D1 BNE loc_C7103530.text:C710351E 45 F2 8A 11 MOVW R1, #0x518A.text:C7103522 FF F7 15 FB BL getfucn_loc_CB16CB50.text:C7103526 80 46 MOV R8, R0.text:C7103528 99 48 LDR R0, =(dword_C71A737C - 0xC710352E).text:C710352A 78 44 ADD R0, PC ; dword_C71A737C.text:C710352C C0 F8 00 80 STR.W R8, [R0].text:C7103530.text:C7103530 loc_C7103530.text:C7103530 03 99 LDR R1, [SP,#0xC].text:C7103532 86 F0 0C 00 EOR.W R0, R6, #0xC.text:C7103536 89 7E LDRB R1, [R1,#0x1A].text:C7103538 81 29 CMP R1, #0x81.text:C710353A 00 F0 AB 80 BEQ.W loc_C7103694.text:C710353E.text:C710353E loc_C710353E.text:C710353E DD E9 04 12 LDRD.W R1, R2, [SP,#0x10].text:C7103542 28 46 MOV R0, R5.text:C7103544 08 9B LDR R3, [SP,#0x20].text:C7103546 98 47 BLX R3 ; memcpy.text:C7103548 80 48 LDR R0, =(off_C719EE2C - 0xC7103550).text:C710354A 82 49 LDR R1, =(dword_C71A7370 - 0xC7103552).text:C710354C 78 44 ADD R0, PC ; off_C719EE2C.text:C710354E 79 44 ADD R1, PC ; dword_C71A7370.text:C7103550 00 68 LDR R0, [R0].text:C7103552 7F 48 LDR R0, =(dword_C719EE30 - 0xC7103558).text:C7103554 78 44 ADD R0, PC ; dword_C719EE30.text:C7103556 00 68 LDR R0, [R0].text:C7103558 0A 68 LDR R2, [R1].text:C710355A 7F 49 LDR R1, =(dword_C719EE34 - 0xC7103562).text:C710355C 00 2A CMP R2, #0.text:C710355E 79 44 ADD R1, PC ; dword_C719EE34.text:C7103560 09 68 LDR R1, [R1].text:C7103562 05 D1 BNE loc_C7103570.text:C7103564 FF F7 F4 FA BL getfucn_loc_CB16CB50.text:C7103568 02 46 MOV R2, R0.text:C710356A 7C 48 LDR R0, =(dword_C71A7370 - 0xC7103570).text:C710356C 78 44 ADD R0, PC ; dword_C71A7370.text:C710356E 02 60 STR R2, [R0].text:C7103570.text:C7103570 loc_C7103570.text:C7103570 28 46 MOV R0, R5.text:C7103572 90 47 BLX R2 ; 加密appkey解密后值.text:C7103574 7A 48 LDR R0, =(dword_C719EE38 - 0xC710357C).text:C7103576 7C 49 LDR R1, =(dword_C71A7374 - 0xC710357E).text:C7103578 78 44 ADD R0, PC ; dword_C719EE38.text:C710357A 79 44 ADD R1, PC ; dword_C71A7374.text:C710357C 00 68 LDR R0, [R0].text:C710357E 79 48 LDR R0, =(off_C719EE3C - 0xC7103584).text:C7103580 78 44 ADD R0, PC ; off_C719EE3C.text:C7103582 00 68 LDR R0, [R0].text:C7103584 0A 68 LDR R2, [R1].text:C7103586 79 49 LDR R1, =(off_C719EE40 - 0xC710358E).text:C7103588 00 2A CMP R2, #0.text:C710358A 79 44 ADD R1, PC ; off_C719EE40.text:C710358C 09 68 LDR R1, [R1].text:C710358E 05 D1 BNE loc_C710359C.text:C7103590 FF F7 DE FA BL getfucn_loc_CB16CB50.text:C7103594 02 46 MOV R2, R0.text:C7103596 76 48 LDR R0, =(dword_C71A7374 - 0xC710359C).text:C7103598 78 44 ADD R0, PC ; dword_C71A7374.text:C710359A 02 60 STR R2, [R0].text:C710359C.text:C710359C loc_C710359C.text:C710359C 28 46 MOV R0, R5.text:C710359E 90 47 BLX R2 ; 计算加密后的appkey的hmac.text:C71035A0 74 48 LDR R0, =(dword_C719EE44 - 0xC71035A8).text:C71035A2 76 49 LDR R1, =(dword_C71A7378 - 0xC71035AA).text:C71035A4 78 44 ADD R0, PC ; dword_C719EE44.text:C71035A6 79 44 ADD R1, PC ; dword_C71A7378.text:C71035A8 00 68 LDR R0, [R0].text:C71035AA 73 48 LDR R0, =(dword_C719EE48 - 0xC71035B0).text:C71035AC 78 44 ADD R0, PC ; dword_C719EE48.text:C71035AE 00 68 LDR R0, [R0].text:C71035B0 0B 68 LDR R3, [R1].text:C71035B2 73 49 LDR R1, =(dword_C719EE4C - 0xC71035BA).text:C71035B4 00 2B CMP R3, #0.text:C71035B6 79 44 ADD R1, PC ; dword_C719EE4C.text:C71035B8 09 68 LDR R1, [R1].text:C71035BA 05 D1 BNE loc_C71035C8.text:C71035BC FF F7 C8 FA BL getfucn_loc_CB16CB50.text:C71035C0 03 46 MOV R3, R0.text:C71035C2 70 48 LDR R0, =(dword_C71A7378 - 0xC71035C8).text:C71035C4 78 44 ADD R0, PC ; dword_C71A7378.text:C71035C6 03 60 STR R3, [R0].text:C71035C8.text:C71035C8 loc_C71035C8 ; CODE XREF: .text:JNI_OnLoad+5072↑j.text:C71035C8 DD E9 06 12 LDRD.W R1, R2, [SP,#0x18].text:C71035CC 28 46 MOV R0, R5.text:C71035CE 98 47 BLX R3 ; R1:计算第一次请求体hmac,R2:大小.text:C71035D0 34 20 MOVS R0, #0x34 ; '4'.text:C71035D2 5F E0 B loc_C7103694.text:C71035D4.text:C71035D4 loc_C71035D4.text:C71035D4 55 48 LDR R0, =(dword_C719EE14 - 0xC71035DC).text:C71035D6 57 49 LDR R1, =(dword_C71A7368 - 0xC71035DE).text:C71035D8 78 44 ADD R0, PC ; dword_C719EE14.text:C71035DA 79 44 ADD R1, PC ; dword_C71A7368.text:C71035DC 00 68 LDR R0, [R0].text:C71035DE 54 48 LDR R0, =(off_C719EE18 - 0xC71035E4).text:C71035E0 78 44 ADD R0, PC ; off_C719EE18.text:C71035E2 00 68 LDR R0, [R0].text:C71035E4 0A 68 LDR R2, [R1].text:C71035E6 54 49 LDR R1, =(off_C719EE1C - 0xC71035EE).text:C71035E8 00 2A CMP R2, #0.text:C71035EA 79 44 ADD R1, PC ; off_C719EE1C.text:C71035EC 09 68 LDR R1, [R1].text:C71035EE 05 D1 BNE loc_C71035FC.text:C71035F0 FF F7 AE FA BL getfucn_loc_CB16CB50.text:C71035F4 02 46 MOV R2, R0.text:C71035F6 51 48 LDR R0, =(dword_C71A7368 - 0xC71035FC).text:C71035F8 78 44 ADD R0, PC ; dword_C71A7368.text:C71035FA 02 60 STR R2, [R0].text:C71035FC.text:C71035FC loc_C71035FC.text:C71035FC 28 46 MOV R0, R5.text:C71035FE 90 47 BLX R2 ; memset.text:C7103600 4F 48 LDR R0, =(dword_C719EE20 - 0xC7103606).text:C7103602 78 44 ADD R0, PC ; dword_C719EE20.text:C7103604 00 68 LDR R0, [R0].text:C7103606 4F 48 LDR R0, =(off_C719EE24 - 0xC710360C).text:C7103608 78 44 ADD R0, PC ; off_C719EE24.text:C710360A 00 68 LDR R0, [R0].text:C710360C 02 90 STR R0, [SP,#8].text:C710360E 4E 48 LDR R0, =(dword_C719EE28 - 0xC7103614).text:C7103610 78 44 ADD R0, PC ; dword_C719EE28.text:C7103612 00 68 LDR R0, [R0].text:C7103614 01 90 STR R0, [SP,#4].text:C7103616 42 20 MOVS R0, #0x42 ; 'B'.text:C7103618 3C E0 B loc_C7103694.text:C710361A.text:C710361A loc_C710361A.text:C710361A 9B F8 02 00 LDRB.W R0, [R11,#(byte_C719EBC2 - 0xC719EBC0)].text:C710361E 9B F8 0D 10 LDRB.W R1, [R11,#(byte_C719EBCD - 0xC719EBC0)].text:C7103622 08 43 ORRS R0, R1.text:C7103624 C0 B2 UXTB R0, R0.text:C7103626 FD 28 CMP R0, #0xFD.text:C7103628 2F D0 BEQ word_C710368A.text:C710362A 38 2E CMP R6, #0x38 ; '8'.text:C710362C 01 DA BGE loc_C7103632.text:C710362E 31 20 MOVS R0, #0x31 ; '1'.text:C7103630 30 E0 B loc_C7103694.text:C7103632.text:C7103632 loc_C7103632.text:C7103632 B8 68 LDR R0, [R7,#8].text:C7103634 29 46 MOV R1, R5.text:C7103636 C0 47 BLX R8 ; 计算hmac appkey解密现来数据加密后与第一次计算得到的hmac组合,R0:返回.text:C7103638 0B 98 LDR R0, [SP,#0x2C].text:C710363A 56 49 LDR R1, =(dword_C719EE54 - 0xC7103640).text:C710363C 79 44 ADD R1, PC ; dword_C719EE54.text:C710363E 90 F8 34 00 LDRB.W R0, [R0,#0x34].text:C7103642 09 68 LDR R1, [R1].text:C7103644 0A 91 STR R1, [SP,#0x28].text:C7103646 00 F0 AF 01 AND.W R1, R0, #0xAF.text:C710364A 2D 20 MOVS R0, #0x2D ; '-'.text:C710364C 8A 29 CMP R1, #0x8A.text:C710364E 21 D0 BEQ loc_C7103694.text:C7103650 2F 0D LSRS R7, R5, #0x14.text:C7103652 19 7A LDRB R1, [R3,#8].text:C7103654 69 A4 ADR R4, (loc_C71037FA+2).text:C7103656 8E 95 STR R5, [SP,#0x238].text:C7103658.text:C7103658 loc_C7103658.text:C7103658 09 98 LDR R0, [SP,#0x24].text:C710365A 90 F8 24 00 LDRB.W R0, [R0,#0x24].text:C710365E 00 EB 40 10 ADD.W R0, R0, R0,LSL#5.text:C7103662 C0 B2 UXTB R0, R0.text:C7103664 A0 28 CMP R0, #0xA0.text:C7103666 D8 D0 BEQ loc_C710361A.text:C7103668 4B 48 LDR R0, =(dword_C71A736C - 0xC710366E).text:C710366A 78 44 ADD R0, PC ; dword_C71A736C.text:C710366C 00 68 LDR R0, [R0].text:C710366E 08 90 STR R0, [SP,#0x20].text:C7103670 40 B9 CBNZ R0, loc_C7103684.text:C7103672 DD E9 01 10 LDRD.W R1, R0, [SP,#4].text:C7103676 FF F7 6B FA BL getfucn_loc_CB16CB50.text:C710367A 01 46 MOV R1, R0.text:C710367C 47 48 LDR R0, =(dword_C71A736C - 0xC7103684).text:C710367E 08 91 STR R1, [SP,#0x20].text:C7103680 78 44 ADD R0, PC ; dword_C71A736C.text:C7103682 01 60 STR R1, [R0].text:C7103684.text:C7103684 loc_C7103684.text:C7103684 86 F0 69 00 EOR.W R0, R6, #0x69.text:C7103688 04 E0 B loc_C7103694
结果转换成字符串,随机数+hmac
7DD6CFBE50FD7930742D168D58099A46D14AE3C7B67341C880 B9BA4EEE79E5FCAEBCE9F68B //组合签名时用到中间50字节5.3、加密设备数据与签名组合
压缩aes与base64加密参与签名的设备数据
.text:C7117244 vm_enc_body_sub_C8E49244 ; CODE XREF: getinfo_sub_CDF805D0+6D2↑p.text:C7117244 ; .text:JNI_OnLoad+18B54↑p.text:C7117244.text:C7117244 var_58= -0x58.text:C7117244 var_54= -0x54.text:C7117244 var_50= -0x50.text:C7117244 var_4C= -0x4C.text:C7117244 var_48= -0x48.text:C7117244 var_44= -0x44.text:C7117244 var_40= -0x40.text:C7117244 var_3C= -0x3C.text:C7117244 var_38= -0x38.text:C7117244 var_30= -0x30.text:C7117244 var_28= -0x28.text:C7117244 var_20= -0x20.text:C7117244 var_1C= -0x1C.text:C7117244 var_18= -0x18.text:C7117244 arg_0= 8.text:C7117244.text:C7117244 ; __unwind { // FBF89000.text:C7117244 F0 B5 PUSH {R4-R7,LR}.text:C7117246 03 AF ADD R7, SP, #0xC.text:C7117248 2D E9 00 07 PUSH.W {R8-R10}.text:C711724C 90 B0 SUB SP, SP, #0x40.text:C711724E 6C 46 MOV R4, SP.text:C7117250 6F F3 03 04 BFC.W R4, #0, #4.text:C7117254 A5 46 MOV SP, R4.text:C7117256 04 46 MOV R4, R0.text:C7117258 29 48 LDR R0, =(__stack_chk_guard_ptr - 0xC7117262).text:C711725A 98 46 MOV R8, R3.text:C711725C 15 46 MOV R5, R2.text:C711725E 78 44 ADD R0, PC ; __stack_chk_guard_ptr.text:C7117260 0E 46 MOV R6, R1.text:C7117262 00 68 LDR R0, [R0] ; __stack_chk_guard.text:C7117264 00 68 LDR R0, [R0].text:C7117266 0F 90 STR R0, [SP,#0x58+var_1C].text:C7117268 F8 F7 DE FB BL DecString_loc_C5D9FA28.text:C711726C 25 48 LDR R0, =(off_C719AF1C - 0xC7117276).text:C711726E 26 49 LDR R1, =(off_C719AF20 - 0xC711727A).text:C7117270 26 4A LDR R2, =(off_C719AF24 - 0xC7117280).text:C7117272 78 44 ADD R0, PC ; off_C719AF1C.text:C7117274 26 4B LDR R3, =(off_C719AF28 - 0xC7117286).text:C7117276 79 44 ADD R1, PC ; off_C719AF20.text:C7117278 DF F8 98 C0 LDR.W R12, =(off_C719AF2C - 0xC711728C).text:C711727C 7A 44 ADD R2, PC ; off_C719AF24.text:C711727E DF F8 98 E0 LDR.W LR, =(off_C719AF30 - 0xC7117290).text:C7117282 7B 44 ADD R3, PC ; off_C719AF28.text:C7117284 DF F8 94 90 LDR.W R9, =(off_C719AF34 - 0xC7117294).text:C7117288 FC 44 ADD R12, PC ; off_C719AF2C.text:C711728A 00 68 LDR R0, [R0] ; unk_1F6B475D.text:C711728C FE 44 ADD LR, PC ; off_C719AF30.text:C711728E 09 68 LDR R1, [R1] ; unk_E103CAD5.text:C7117290 F9 44 ADD R9, PC ; off_C719AF34.text:C7117292 D2 F8 00 A0 LDR.W R10, [R2].text:C7117296 1B 68 LDR R3, [R3] ; unk_EF4A43D1.text:C7117298 02 96 STR R6, [SP,#0x58+var_50].text:C711729A DC F8 00 60 LDR.W R6, [R12] ; unk_DFC4E66F.text:C711729E 01 94 STR R4, [SP,#0x58+var_54].text:C71172A0 DE F8 00 40 LDR.W R4, [LR] ; unk_2AD2FC11.text:C71172A4 03 95 STR R5, [SP,#0x58+var_4C].text:C71172A6 BA 68 LDR R2, [R7,#arg_0].text:C71172A8 D9 F8 00 50 LDR.W R5, [R9].text:C71172AC CD F8 10 80 STR.W R8, [SP,#0x58+var_48].text:C71172B0 05 92 STR R2, [SP,#0x58+var_44].text:C71172B2 1B 4A LDR R2, =(off_C719AF38 - 0xC71172B8).text:C71172B4 7A 44 ADD R2, PC ; off_C719AF38.text:C71172B6 12 68 LDR R2, [R2] ; unk_25B83385.text:C71172B8 06 90 STR R0, [SP,#0x58+var_40].text:C71172BA 1A 48 LDR R0, =(off_C719AF3C - 0xC71172C0).text:C71172BC 78 44 ADD R0, PC ; off_C719AF3C.text:C71172BE 00 68 LDR R0, [R0] ; unk_D8E2104D.text:C71172C0 07 91 STR R1, [SP,#0x58+var_3C].text:C71172C2 19 49 LDR R1, =(off_C719AF40 - 0xC71172C8).text:C71172C4 79 44 ADD R1, PC ; off_C719AF40.text:C71172C6 09 68 LDR R1, [R1].text:C71172C8 CD E9 08 A3 STRD.W R10, R3, [SP,#0x58+var_38].text:C71172CC CD E9 0A 64 STRD.W R6, R4, [SP,#0x58+var_30].text:C71172D0 CD E9 0C 52 STRD.W R5, R2, [SP,#0x58+var_28].text:C71172D4 6A 46 MOV R2, SP.text:C71172D6 0E 90 STR R0, [SP,#0x58+var_20].text:C71172D8 4F F4 3C 70 MOV.W R0, #0x2F0.text:C71172DC F9 F7 52 F8 BL VM_Entrance_loc_CDF4C384 ; R:传入不同数字代走不同逻辑.text:C71172E0 12 49 LDR R1, =(__stack_chk_guard_ptr - 0xC71172E8).text:C71172E2 00 98 LDR R0, [SP,#0x58+var_58].text:C71172E4 79 44 ADD R1, PC ; __stack_chk_guard_ptr.text:C71172E6 0F 9A LDR R2, [SP,#0x58+var_1C].text:C71172E8 09 68 LDR R1, [R1] ; __stack_chk_guard.text:C71172EA 09 68 LDR R1, [R1].text:C71172EC 89 1A SUBS R1, R1, R2
生成aeskey
7dfd964a-0377-4188-ada7-0758b4f7f63b me5值AES加密
.text:C70FFB10.text:C70FFB10 ; R0:初始化的key,R1:数据,R2:大小.text:C70FFB10.text:C70FFB10 AES_Encdata_sub_C290EB10.text:C70FFB10 ; __unwind { // FBF89000.text:C70FFB10 F0 B5 PUSH {R4-R7,LR}.text:C70FFB12 03 AF ADD R7, SP, #0xC.text:C70FFB14 2D E9 00 0F PUSH.W {R8-R11}.text:C70FFB18 8B B0 SUB SP, SP, #0x2C.text:C70FFB1A 00 EE 10 2A VMOV S0, R2.text:C70FFB1E 9F ED 64 1B VLDR D1, =0.1.text:C70FFB22 88 46 MOV R8, R1.text:C70FFB24.text:C70FFB24 loc_C70FFB24.text:C70FFB24 00 F1 B0 04 ADD.W R4, R0, #0xB0.text:C70FFB28 B8 EE 40 0B VCVT.F64.U32 D0, S0.text:C70FFB2C 6F F0 71 03 MOV R3, #0xFFFFFF8E.text:C70FFB30 41 F6 AE 26 MOVW R6, #0x1AAE.text:C70FFB34 30 EE 01 0B VADD.F64 D0, D0, D1.text:C70FFB38 BC EE C0 0B VCVT.U32.F64 S0, D0.text:C70FFB3C 10 EE 10 2A VMOV R2, S0.text:C70FFB40 03 92 STR R2, [SP,#0x50+var_44].text:C70FFB42 5D 4A LDR R2, =(off_C719DA5C - 0xC70FFB4C).text:C70FFB44 00 90 STR R0, [SP,#0].text:C70FFB46 00 20 MOVS R0, #0.text:C70FFB48 7A 44 ADD R2, PC ; off_C719DA5C.text:C70FFB4A 08 90 STR R0, [SP,#0x50+var_30].text:C70FFB4C 38 20 MOVS R0, #0x38 ; '8'.text:C70FFB4E 15 68 LDR R5, [R2] ; unk_C719E810.text:C70FFB50 5B 4A LDR R2, =(off_C719DA60 - 0xC70FFB56).text:C70FFB52 7A 44 ADD R2, PC ; off_C719DA60.text:C70FFB54 D2 F8 00 B0 LDR.W R11, [R2] ; unk_C719E850.text:C70FFB58 58 4A LDR R2, =(off_C719DA5C - 0xC70FFB5E).text:C70FFB5A 7A 44 ADD R2, PC ; off_C719DA5C.text:C70FFB5C.text:C70FFB5C loc_C70FFB5C.text:C70FFB5C 12 68 LDR R2, [R2].text:C70FFB5E 01 92 STR R2, [SP,#4].text:C70FFB60 CD F8 10 80 STR.W R8, [SP,#0x50+var_40].text:C70FFB64 05 94 STR R4, [SP,#0x50+var_3C].text:C70FFB66 2A E0 B loc_C70FFBBE.text:C70FFB68.text:C70FFB68 loc_C70FFB68.text:C70FFB68 5A 48 LDR R0, =(dword_C719E9F4 - 0xC70FFB6E).text:C70FFB6A 78 44 ADD R0, PC ; dword_C719E9F4.text:C70FFB6C 00 68 LDR R0, [R0].text:C70FFB6E 5A 48 LDR R0, =(off_C719E9F8 - 0xC70FFB74).text:C70FFB70 78 44 ADD R0, PC ; off_C719E9F8.text:C70FFB72 00 68 LDR R0, [R0] ; dword_C709A0A0.text:C70FFB74 0A 90 STR R0, [SP,#0x50+var_28].text:C70FFB76 59 48 LDR R0, =(off_C719E9FC - 0xC70FFB7C).text:C70FFB78 78 44 ADD R0, PC ; off_C719E9FC.text:C70FFB7A 00 68 LDR R0, [R0].text:C70FFB7C 09 90 STR R0, [SP,#0x50+var_2C].text:C70FFB7E 2E 20 MOVS R0, #0x2E ; '.'.text:C70FFB80 1D E0 B loc_C70FFBBE.text:C70FFB82.text:C70FFB82 loc_C70FFB82.text:C70FFB82 57 48 LDR R0, =(off_C719EA04 - 0xC70FFB8A).text:C70FFB84 57 49 LDR R1, =(dword_C71A72F8 - 0xC70FFB8C).text:C70FFB86 78 44 ADD R0, PC ; off_C719EA04.text:C70FFB88 79 44 ADD R1, PC ; dword_C71A72F8.text:C70FFB8A 00 68 LDR R0, [R0].text:C70FFB8C 0A 68 LDR R2, [R1].text:C70FFB8E 56 49 LDR R1, =(dword_C719EA08 - 0xC70FFB96).text:C70FFB90 00 2A CMP R2, #0.text:C70FFB92 79 44 ADD R1, PC ; dword_C719EA08.text:C70FFB94 09 68 LDR R1, [R1].text:C70FFB96 05 D1 BNE loc_C70FFBA4.text:C70FFB98 00 F0 AA F8 BL getdec_enc_func_sub_CDB52CF0 ; getdecencfunc.text:C70FFB9C 02 46 MOV R2, R0.text:C70FFB9E 53 48 LDR R0, =(dword_C71A72F8 - 0xC70FFBA4).text:C70FFBA0 78 44 ADD R0, PC ; dword_C71A72F8.text:C70FFBA2 02 60 STR R2, [R0].text:C70FFBA4.text:C70FFBA4 loc_C70FFBA4.text:C70FFBA4 00 99 LDR R1, [SP,#0].text:C70FFBA6 50 46 MOV R0, R10.text:C70FFBA8 90 47 BLX R2 ; 加解密.text:C70FFBAA 02 99 LDR R1, [SP,#0x50+var_48].text:C70FFBAC A9 F1 02 00 SUB.W R0, R9, #2.text:C70FFBB0 6F F0 71 03 MOV R3, #0xFFFFFF8E.text:C70FFBB4 10 31 ADDS R1, #0x10.text:C70FFBB6 08 91 STR R1, [SP,#0x50+var_30]
base64加密aes加密后的数据
iJByjqu4/3AEZUxyQNgMlC7jWAIjZrVEK0YQ1bU1OnGaTAeh3AYalxfKYpkqI3fGhOBlr9FamFhDPPv/yN0+k6iGOzLhheXvQAPEAHadlgJ4CNKxIlMnhusyXeoz4vElOPG4W2TxMbhFoowx7USetpEe01ALAhX5aXeNpQA4Sdaz/o5ufdFF6g50cRgeQPoO7/PY5WjuJwpMtyJcdd4uIH7tt9JCAa6GaSwtw9lD2Yj6Gx6A9tuj3+GHde0iMogaEWJrJMRIM1XGpnbvFxgBxVIEKIYzqXpDK9mfV+CaGLJc9PRPjJmGvF46Zg4N9jacxZvDzO+BUx9Ffq3ZrUWl8ftkPXzUzTZyHqLZACoLs4JPLl/tFP3wIlcxf/7O36etnod4D2vzVp3GXbCzI9LWKe/w1Fi0GmOSCGHxEUL0kEE=组合签名
appk解密出的常量字符+AES+base64加密后的数据+appk解密出的常量字符+hamc(请求体+设备数据+appkey解密现来数据)前50字节0ea7_iJByjqu4/3AEZUxyQNgMlC7jWAIjZrVEK0YQ1bU1OnGaTAeh3AYalxfKYpkqI3fGhOBlr9FamFhDPPv/yN0+k6iGOzLhheXvQAPEAHadlgJ4CNKxIlMnhusyXeoz4vElOPG4W2TxMbhFoowx7USetpEe01ALAhX5aXeNpQA4Sdaz/o5ufdFF6g50cRgeQPoO7/PY5WjuJwpMtyJcdd4uIH7tt9JCAa6GaSwtw9lD2Yj6Gx6A9tuj3+GHde0iMogaEWJrJMRIM1XGpnbvFxgBxVIEKIYzqXpDK9mfV+CaGLJc9PRPjJmGvF46Zg4N9jacxZvDzO+BUx9Ffq3ZrUWl8ftkPXzUzTZyHqLZACoLs4JPLl/tFP3wIlcxf/7O36etnod4D2vzVp3GXbCzI9LWKe/w1Fi0GmOSCGHxEUL0kEE=&ff4b_7DD6CFBE50FD7930742D168D58099A46D14AE3C7B67341C880
六、算法还原
6.1、加密设备数据算法
BYTE iv[1][16] = {{"632870a7427e3bdc"}};BYTE key[1][16] = { {"24e96202f2d6fe64"} };int pass = 1;aes_key_setup(key[0], key_schedule, 128);BYTE outdata[10434] = { 0 };//解密appkey 第一步BYTE base64_appkey[1][10434] = {{"svgF9wkBBb62bzpxAhUuu7psOlW57RywSRI8sLRlbCvOblPMymnicGqHkT4iQL0qb-iUTR3CNngdPqsC5lz1bEaFLxT5GSi3QfWkZ5dcgiOl9a_jGZcdNsAaRAUvCtRzNTjWTN0V_bQcyurRrmOp0A=="}};base64_len = AliTigerTally_base64(base64_appkey, strlen(base64_appkey[0]), outdata, 0);if (0 == base64_len) {printf("AliTigerTally_base64 error!\n");return -1;}aesret = aes_decrypt_cbc(outdata, base64_len, out_ciphertext[0], key_schedule, 128, iv[0]);if (1 != aesret) {printf("aes_decrypt_cbc error!\n");return -1;}//appkey解密出的值 md5 生成密钥BYTE aeskey[32] = { 0 };memcpy(aeskey, AliTigerTally_md5("7dfd964a-0377-4188-ada7-0758b4f7f63b"), 16);//第二步加密设备信息BYTE iv2[1][16] = {{"55b4dc20eaf2a88a"}};BYTE key2[1][16] = { {0} };memcpy(key2[0], aeskey, 16);aes_key_setup(key2[0], key_schedule, 128);aesret = aes_encrypt_cbc(Devicedata, sizeof(Devicedata), enc_buf, key_schedule, 128, iv2[0]);if (1 != aesret) {printf("aes_encrypt_cbc error!\n");return -1;}//第三步 加密参与签名的设备风险信息BYTE iv3[1][16] = {{"55b4dc20eaf2a88a"}};BYTE key3[1][16] = { {0} };memcpy(key3[0], aeskey, 16);aes_key_setup(key3[0], key_schedule, 128);aesret = aes_encrypt_cbc(plaintext, sizeof(plaintext), enc_buf, key_schedule, 128, iv3[0]);if (1 != aesret) {printf("aes_encrypt_cbc error!\n");return -1;}base64_len = AliTigerTally_base64(enc_buf, strlen(enc_buf), outdata, 1);if (0 == base64_len) {printf("AliTigerTally_base64 error!\n");return -1;}printf("签名数据: %s\n", outdata);
还原后加密数据与SDK内存中加密数据相同,如图6-1所示:
图6-1
6.2、签名算法
sha256_init(&ctx);sha256_update(&ctx, text, sizeof(text));sha256_final(&ctx, buf);ByteToHexStr(buf, strbuf, 32);printf("sha256 :%s\n", strbuf);int AliTigerTally_base64(BYTE* data, int len, BYTE* outdata, int mod) {BYTE buf[1024];size_t buf_len;int pass = 1;int idx;if (mod == 1) {buf_len = base64_encode(data, outdata, len, mod);}if (mod == 0) {buf_len = base64_decode(data, outdata, len);}return buf_len;}
七、总结
技术角度:
对于这种高强度混淆的SDK逆向分析难度还是比较高的,主要分为三步,一是解密appkey,二是获测设备风险与获取设备指纹,三进行签名。
采集设备异常风险特征包括:
使用模拟器、使用代理、Root设备、调试模式、App被hook、App多开。
其中采集设备信息与加解密算法都是通过混淆的,如果对常见算法逻辑不熟悉,要完整还原算法是需要花费一定的时间。整体来讲安全度还是比较高。
但是强混淆与多重反射会影响效率、代码重复率高、体积大。
业务角度:
我个人理解从老版本到新版本更新迭代这个业务比较成熟才是,但是从注册到获取SDK集成到配置策略发布大概需要2-3天的时间,其实整个流程下来完全可以实现自动化操作与自检验,节省时间的同时提升体验与更快的响应,但是期间我需要多次联系WAF技术支持人员获取App防护SDK包且反响时间较长。
版本变更内容未说明,黑盒状态,新增功能?功能调整?BUG修复?可能是因为整体架构都是全新开发的原因吧。
样本获取方式,关注公众号,公众号输入框回复“att” 获取下载链接。
作者简介:
我是小三,目前从事软件安全相关工作,虽己工作多年,但内心依然有着执着的追求,信奉终身成长,不定义自己,热爱技术但不拘泥于技术,爱好分享,喜欢读书和乐于结交朋友,欢迎加我微信与我交朋友(公众号输入框回复“wx”即可)
文章来源: https://mp.weixin.qq.com/s?__biz=MzU3MDc0MTY1MA==&mid=2247484043&idx=1&sn=92f0f15cd5ff3d439fc582a611937c6f&chksm=fceb8476cb9c0d60031872f936833235a9ea4b7898e4157e0b5fdc07919940b1dc3ac68f03a1&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh