下载帮

您现在的位置是:首页 > 教程分享 > iOS

iOS

最右APP协议加密算法分析笔记

2021-04-18 22:10iOS
IOS协议逆向分析—最右app协议签名算法逆向 本次使用的工具

IDA7.0

lldb

Charles

本次分析的版本是4.2.1(在目前最新版本4.6.4中依然适用)

开始前先进行如下步骤

1.app砸壳后用IDA加载

2.配置抓包工具charles

ok 开始前不会使用Charles的可以搜索关键字"Charles ios https"或直接查看该链接"https://www.xzb.cc/tutorial/4365.html" 其中https如何抓包都有详细讲解 此处不在赘述

首先开启抓包工具 打开APP刷新内容抓包结果如下

通过POST请求可以看到url上有个"sign"参数,每次请求该sign都会发生变化,接下来使用IDA进行分析该参数来源。

IDA中字符串搜索"sign=" 根据字符串推测是最后一个 鼠标左键双击进入

看到下图

在图中高亮处按下X键或者右键选中“jump to xref to operand”

弹出如下内容 点击ok

继续在图中高亮处按下X键或者右键选中“jump to xref to operand” 

弹出如下内容

根据分析得知"[ZYAPIClient postWithURL:parameters]"中有sign来源 双击进入

按下f5转换为伪代码进行查看

如上图所示 sign的参数是通过调用"ZYAPIClient signWithParameters"返回的

此时先不关注v27参数内容是什么 等下动态调试再来看该参数内容

通过代码知道调用"ZYAPIClient signWithParameters"后返回sign值

继续使用IDA进行分析 在函数窗口中搜索“ZYAPIClient signWithParameters”双击跳转到如下图

得知参数是由“ZYCrypto signWithParameters”返回 那么函数窗口中继续搜索“ZYCrypto signWithParameters”

得知数据是调用了“sub_100FB6090”函数返回的 双击函数进入查看伪代码

查看代码得知还调用了"sub_100DB274C"和"sub_100FB6004"两个函数 接下来查看这两个函数

跳转到“sub_100DB274C”函数后肉眼可以看出是一系列循环位操作计算 流程图如下 逻辑清晰 无混淆 看起来并不复杂 代码量不算多

函数“sub_100FB6004”如下图

函数到此为止 记录下调用流程

"ZYAPIClient signWithParameters" -> "ZYCrypto signWithParameters" -> "sub_100FB6090" -> "sub_100DB274C" -> "sub_100FB6004"

接下来就是动态调试拿到调用函数时传入的参数及还原成c代码即可 下面开始动态调试(对于lldb的配置此处不再赘述)

首先ssh到手机

	
ssh root@ip
打开最右app 然后在ssh查找app进程
ps -e |grep var
//////////////////////////////////////////////////////////////////////////
iphone5s:~ root# ps -e |grep var
  372 ??         0:00.06 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
  632 ??         0:01.69 /var/mobile/Containers/Bundle/Application/84BED02F-A270-4B92-868D-3C4A6F564F28/tieba.app/tieba
  641 ttys000    0:00.01 grep var

debugserver附加

debugserver *:1234 --attach=pid
//////////////////////////////////////////////////////////////////////////
iphone5s:~ root# debugserver *:1234 --attach=632
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for arm64.
Attaching to process 632...
Listening to port 1234 for a connection from *...

打开lldb连接到越狱后的手机(可能卡住一段时间 耐心等待)

YoudeMacBook-Pro:~ youfuck$ lldb
(lldb) process connect connect://172.16.4.29:1234
Process 632 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x0000000194f24e7c libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x194f24e7c <+8>: ret
 
libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x194f24e80 <+0>: mov    x16, #-0x20
    0x194f24e84 <+4>: svc    #0x80
    0x194f24e88 <+8>: ret
Target 0: (tieba) stopped.

以上lldb已经附加到app 接下来对之前找到的关键位置下断点进行调试

先获取模块基地址

image list -o -f 模块名称
//////////////////////////////////////////////////////////////////////////
(lldb) image list -o -f tieba
[  0] 0x000000000004c000 /private/var/mobile/Containers/Bundle/Application/84BED02F-A270-4B92-868D-3C4A6F564F28/tieba.app/tieba(0x000000010004c000)

此时lldb调试先看调用"sub_100FB6090"时传入的参数(为什么不从之前的函数下断 因为之前的函数通过伪代码可以看出并没什么修改数据 所以直接在此处下断点)

下断点 "br s -a 模块基地址+ida中看到的函数地址" 然后在app中刷新一下即可触发断点

(lldb) br s -a 0x4c000+0x100FB6090
Breakpoint 2: where = tieba`Assimp::FBX::Connection::Compare(Assimp::FBX::Connection const*) const + 10732152, address = 0x0000000101002090


断下后查看参数 查看参数1即x0 可以看出字符串就是抓包时所发送的数据

(lldb) x $x0 $x0+600
0x157575c38: 7b 22 64 69 72 65 63 74 69 6f 6e 22 3a 22 64 6f  {"direction":"do
0x157575c48: 77 6e 22 2c 22 68 5f 6d 6f 64 65 6c 22 3a 22 69  wn","h_model":"i
0x157575c58: 50 68 6f 6e 65 20 35 73 20 28 47 6c 6f 62 61 6c  Phone 5s (Global
0x157575c68: 29 22 2c 22 68 5f 63 68 22 3a 22 61 70 70 73 74  )","h_ch":"appst
0x157575c78: 6f 72 65 22 2c 22 68 5f 61 70 70 22 3a 22 7a 75  ore","h_app":"zu
0x157575c88: 69 79 6f 75 22 2c 22 63 5f 74 79 70 65 73 22 3a  iyou","c_types":
0x157575c98: 5b 31 2c 32 2c 33 2c 39 2c 31 30 2c 37 2c 38 5d  [1,2,3,9,10,7,8]
0x157575ca8: 2c 22 68 5f 6e 74 22 3a 31 2c 22 68 5f 61 76 22  ,"h_nt":1,"h_av"
0x157575cb8: 3a 22 34 2e 32 2e 31 22 2c 22 74 6f 6b 65 6e 22  :"4.2.1","token"
0x157575cc8: 3a 22 54 35 4b 61 4e 38 4b 64 4b 69 6f 65 49 64  :"T5KaN8KdKioeId
0x157575cd8: 6d 69 36 58 72 68 39 59 45 79 39 37 4b 30 65 4c  mi6Xrh9YEy97K0eL
0x157575ce8: 51 6d 6e 5f 4e 76 32 62 38 35 5a 78 34 45 74 50  Qmn_Nv2b85Zx4EtP
0x157575cf8: 72 44 69 4f 2d 2d 58 65 75 4d 33 2d 5f 31 6c 5a  rDiO--XeuM3-_1lZ
0x157575d08: 6d 72 7a 30 2d 79 7a 22 2c 22 74 61 62 22 3a 22  mrz0-yz","tab":"
0x157575d18: 72 65 63 22 2c 22 68 5f 64 69 64 22 3a 22 32 32  rec","h_did":"22
0x157575d28: 32 65 62 66 37 65 31 66 39 62 62 35 64 65 39 38  2ebf7e1f9bb5de98
0x157575d38: 35 31 32 39 31 62 33 63 36 37 30 61 34 65 30 66  51291b3c670a4e0f
0x157575d48: 31 61 33 31 63 34 22 2c 22 66 69 6c 74 65 72 22  1a31c4","filter"
0x157575d58: 3a 22 61 6c 6c 22 2c 22 68 5f 6f 73 22 3a 22 38  :"all","h_os":"8
0x157575d68: 2e 31 30 30 30 30 30 22 2c 22 61 75 74 6f 22 3a  .100000","auto":
0x157575d78: 31 2c 22 68 5f 74 73 22 3a 31 35 33 39 37 34 37  1,"h_ts":1539747
0x157575d88: 30 39 35 37 31 32 2c 22 68 5f 6d 22 3a 34 38 38  095712,"h_m":488
0x157575d98: 33 36 37 38 36 2c 22 68 5f 69 64 66 61 22 3a 22  36786,"h_idfa":"
0x157575da8: 41 39 33 42 39 35 41 34 2d 39 30 43 33 2d 34 43  A93B95A4-90C3-4C
0x157575db8: 38 42 2d 39 38 41 38 2d 42 39 46 37 42 34 38 43  8B-98A8-B9F7B48C
0x157575dc8: 35 37 46 31 22 2c 22 68 5f 64 74 22 3a 31 7d 00  57F1","h_dt":1}.
0x157575dd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0  ...............�
0x157575de8: 00 00 00 00 00 00 00 f0 11 00 00 00 00 00 00 00  .......�........
0x157575df8: 13 15 00 00 c0 00 00 00 03 64 00 00 23 a9 00 00  ....�....d..#�..
0x157575e08: 00 00 00 00 00 00 00 10 21 43 50 58 05 00 00 00  ........!CPX....
0x157575e18: 00 f0 00 00 98 00 00 00 02 00 00 00 71 75 65 72  .�..........quer
0x157575e28: 79 00 00 00 00 80 00 00 6c 00 00 00 31 6a 30 0b  y.......l...1j0.
0x157575e38: 0c 06 72 5f 44 61 74 61 01 01 01 30 0c 0c 04 73  ..r_Data...0...s
0x157575e48: 79 6e 63 0c 04 73 79 6e 61 30 0d 0c 05 63 6c 61  ync..syna0...cla
0x157575e58: 73 73 0c 04 67 65 6e 70 30 12 0c 04 61 63 63 74  ss..genp0...acct
0x157575e68: 0c 0a 69 64 66 61 41 63 6f 75 6e 74 30 13 0c 04  ..idfaAcount0...
0x157575e78: 73 76 63 65 0c 0b 69 64 66 61 53 65 72 76 69 63  svce..idfaServic
0x157575e88: 65 30 15 0c 07 6d 5f 4c                          e0...m_L

对“sub_100DB274C”下断点

br s -a 0x4c000+0x100DB274C

调用"sub_100DB274C"时参数如下

(lldb) x $x0 $x0+0x1ab
0x1576d0670: 59 30 4d 54 42 6c 4f 44 63 78 6e 22 3a 22 64 6f  Y0MTBlODcxn":"do
0x1576d0680: 77 6e 22 2c 22 68 5f 6d 6f 64 65 6c 22 3a 22 69  wn","h_model":"i
0x1576d0690: 50 68 6f 6e 65 20 35 73 20 28 47 6c 6f 62 61 6c  Phone 5s (Global
0x1576d06a0: 29 22 2c 22 68 5f 63 68 22 3a 22 61 70 70 73 74  )","h_ch":"appst
0x1576d06b0: 6f 72 65 22 2c 22 68 5f 61 70 70 22 3a 22 7a 75  ore","h_app":"zu
0x1576d06c0: 69 79 6f 75 22 2c 22 63 5f 74 79 70 65 73 22 3a  iyou","c_types":
0x1576d06d0: 5b 31 2c 32 2c 33 2c 39 2c 31 30 2c 37 2c 38 5d  [1,2,3,9,10,7,8]
0x1576d06e0: 2c 22 68 5f 6e 74 22 3a 31 2c 22 68 5f 61 76 22  ,"h_nt":1,"h_av"
0x1576d06f0: 3a 22 34 2e 32 2e 31 22 2c 22 74 6f 6b 65 6e 22  :"4.2.1","token"
0x1576d0700: 3a 22 54 35 4b 61 4e 38 4b 64 4b 69 6f 65 49 64  :"T5KaN8KdKioeId
0x1576d0710: 6d 69 36 58 72 68 39 59 45 79 39 37 4b 30 65 4c  mi6Xrh9YEy97K0eL
0x1576d0720: 51 6d 6e 5f 4e 76 32 62 38 35 5a 78 34 45 74 50  Qmn_Nv2b85Zx4EtP
0x1576d0730: 72 44 69 4f 2d 2d 58 65 75 4d 33 2d 5f 31 6c 5a  rDiO--XeuM3-_1lZ
0x1576d0740: 6d 72 7a 30 2d 79 7a 22 2c 22 74 61 62 22 3a 22  mrz0-yz","tab":"
0x1576d0750: 72 65 63 22 2c 22 68 5f 64 69 64 22 3a 22 32 32  rec","h_did":"22
0x1576d0760: 32 65 62 66 37 65 31 66 39 62 62 35 64 65 39 38  2ebf7e1f9bb5de98
0x1576d0770: 35 31 32 39 31 62 33 63 36 37 30 61 34 65 30 66  51291b3c670a4e0f
0x1576d0780: 31 61 33 31 63 34 22 2c 22 66 69 6c 74 65 72 22  1a31c4","filter"
0x1576d0790: 3a 22 61 6c 6c 22 2c 22 68 5f 6f 73 22 3a 22 38  :"all","h_os":"8
0x1576d07a0: 2e 31 30 30 30 30 30 22 2c 22 61 75 74 6f 22 3a  .100000","auto":
0x1576d07b0: 31 2c 22 68 5f 74 73 22 3a 31 35 33 39 37 34 37  1,"h_ts":1539747
0x1576d07c0: 30 39 35 37 31 32 2c 22 68 5f 6d 22 3a 34 38 38  095712,"h_m":488
0x1576d07d0: 33 36 37 38 36 2c 22 68 5f 69 64 66 61 22 3a 22  36786,"h_idfa":"
0x1576d07e0: 41 39 33 42 39 35 41 34 2d 39 30 43 33 2d 34 43  A93B95A4-90C3-4C
0x1576d07f0: 38 42 2d 39 38 41 38 2d 42 39 46 37 42 34 38 43  8B-98A8-B9F7B48C
0x1576d0800: 35 37 46 31 22 2c 22 68 5f 64 74 22 3a 31 7d 5a  57F1","h_dt":1}Z
0x1576d0810: 44 7b 22 64 69 72 65 63 74 69 6f                 D{"directio

经过观察发现进入函数时传的参数是post请求的参数内容 然后调用了string::append函数对传入的字符串追加了新的内容 "ZDY0MTBlODcx" 最后将字符串前十位和后十位进行交换得到我们上面所看到的文本

对“sub_100FB6090”代码还原实现如下:

std::string str = szData;
str.append("ZDY0MTBlODcx");
std::string strHead = str.substr(0, 10);
std::string strEnd = str.substr(str.length()-10, str.length());
str.replace(0, 10, strEnd);
str.replace(str.length()-10, str.length(), strHead);

最后在调用“sub_100FB6004”时传入"sub_100DB274C"的返回值 最后返回了sign值 其中“sub_100FB6004”中有使用全局变量 直接使用x命令 复制出来即可

以下为还原后的c代码 可直接使用

// zuiyouEncryption.cpp : 
//
 
#include "stdafx.h"
#include 
#include 
#include 
 
#define u_int64_t unsigned long long
#define u_int32_t unsigned int
 
struct TAG_UINT64
{
    u_int32_t low;
    u_int32_t high;
 
    void set(u_int32_t _high, u_int32_t _low){
        this->high = _high;
        this->low = _low;
    }
};
 
u_int64_t qword_101126D90 = 0xEFCDAB8967452301;
u_int64_t qword_101126D98 = 0x1032547698BADCFE;
char a0123456789abcd_0[] = "0123456789abcdef";
unsigned char byte_101209EC8[] =
{
    0x78, 0xA4, 0x6A, 0xD7, 0x56, 0xB7, 0xC7, 0xE8, 0xDB, 0x70, 0x20, 0x24, 0xEE, 0xCE, 0xBD, 0xC1, 0xAF, 0xF,
    0x7C, 0xF5, 0x2A, 0xC6, 0x87, 0x47, 0x13, 0x46, 0x30, 0xA8, 1, 0x95, 0x46, 0xFD, 0xD8, 0x98, 0x80, 0x69, 0xAF, 0xF7, 0x44, 0x8B, 0xB1, 0x5B, 0xFF, 0xFF, 0xBE,
    0xD7, 0x5C, 0x89, 0x22, 0x11, 0x90, 0x6B, 0x93, 0x71, 0x98, 0xFD, 0x8E, 0x43, 0x79, 0xA6, 0x21, 8, 0xB4, 0x49, 0x62, 0x25, 0x1E, 0xF6, 0x40, 0xB3, 0x40, 0xC0,
    0x51, 0x5A, 0x5E, 0x26, 0xAA, 0xC7, 0xB6, 0xE9, 0x5D, 0x10, 0x2F, 0xD6, 0x53, 0x14, 0x44, 2, 0x81, 0xE6, 0xA1, 0xD8, 0xC8, 0xFB, 0xD3, 0xE7, 0xE6, 0xCD, 0xE1,
    0x21, 0xD6, 7, 0x37, 0xC3, 0x87, 0xD, 0xD5, 0xF4, 0xED, 0x14, 0x5A, 0x45, 5, 0xE9, 0xE3, 0xA9, 0xF8, 0xA3, 0xEF, 0xFC, 0xD9, 2, 0x6F, 0x67, 0x8A, 0x4C, 0x2A,
    0x8D, 0x42, 0x39, 0xFA, 0xFF, 0x81, 0xF6, 0x71, 0x87, 0x22, 0x61, 0x9D, 0x6D, 0xC, 0x38, 0xE5, 0xFD, 0x44, 0xEA, 0xBE, 0xA4, 0xA9, 0xCF, 0xDE, 0x4B, 0x60, 0x4B,
    0xBB, 0xF6, 0x70, 0xBC, 0xBF, 0xBE, 0xC6, 0x7E, 0x9B, 0x28, 0xFA, 0x27, 0xA1, 0xEA, 0x85, 0x30, 0xEF, 0xD4, 5, 0x1D, 0x88, 4, 0x39, 0xD0, 0xD4, 0xD9, 0xE5, 0x99,
    0xDB, 0xE6, 0xF8, 0x7C, 0xA2, 0x1F, 0x65, 0x56, 0xAC, 0xC4, 0x44, 0x22, 0x29, 0xF4, 0x97, 0xFF, 0x2A, 0x43, 0xA7, 0x23, 0x94, 0xAB, 0x39, 0xA0, 0x93, 0xFC, 0xC3,
    0x59, 0x5B, 0x65, 0x92, 0xCC, 0xC, 0x8F, 0x7D, 0xF4, 0xEF, 0xFF, 0xD1, 0x5D, 0x84, 0x85, 0x4F, 0x7E, 0xA8, 0x6F, 0xE0, 0xE6, 0x2C, 0xFE, 0x14, 0x43, 1, 0xA3,
    0xA1, 0x11, 8, 0x4E, 0x82, 0x7E, 0x53, 0xF7, 0x35, 0xF2, 0x3A, 0xBD, 0xBB, 0xD2, 0xD7, 0x2A, 0x91, 0xD3, 0x86, 0xEB, 0, 0, 0, 0, 0x80, 0x88, 0xE5, 0x40, 0,
    0, 0, 0, 0, 0x7C, 0xD5, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56,
    0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
    0x78, 0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x2B, 0x2F, 0xA2, 0xB4, 0xB7, 0x3E, 0x8F, 0x53, 0x34, 0x3F, 0x4D, 0x15, 0xC, 0x3E,
    0, 0, 0, 0, 0x87, 0x16, 0x99, 0x3E, 0xA2, 0x45, 0x16, 0x3F, 0xD5, 0x78, 0xE9, 0x3D, 0, 0, 0, 0, 0xD8, 0xF0, 0x74, 0x3E, 0x69, 0x6F, 0xF0, 0x3E, 0, 0, 0, 0, 0,
    0x80, 0x63, 0x40, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0xE6, 0x3F, 0, 0, 0, 0, 0, 0x60, 0x6C, 0xC0, 0x51, 0x46, 0x6F, 0xCB, 0x5A, 0x1D, 0x93, 0x3F, 0xD0, 0xB0,
    0x2B, 0x40, 0xEE, 0x35, 0xD7, 0x3F, 0x39, 0xB4, 0xC8, 0x76, 0xBE, 0x9F, 0xCA, 0x3F, 0, 0, 0, 0, 0, 0xA0, 0x72, 0xC0, 0, 0, 0, 0, 0, 0xC0, 0x76, 0xC0, 0, 0,
    0, 0, 0, 0xA0, 0x72, 0x40, 0, 0, 0, 0, 0, 0x40, 0x72, 0x40, 0, 0, 0, 0, 0, 0, 0x6F, 0x40, 0, 2, 0, 0, 0, 0x20, 0, 0, 0x46, 0x46, 0x49, 0x41, 0x66, 0x61, 0x34,
    0x6D, 0x45, 0x56, 0x41, 0x57, 0, 0, 0, 0, 0, 0, 0, 0, 0xF3, 4, 0x35, 0xBF, 0, 0, 0, 0, 0x3A, 0xCD, 0x13, 0x3F, 0x3A, 0xCD, 0x13, 0xBF, 0, 0, 0, 0
};
 
u_int32_t _bic_(u_int32_t x,u_int32_t m) {
    return x & (x ^ m);
}
 
u_int32_t _ror_(u_int32_t x, u_int32_t m) {
    return (x >> m) | (x << (32 - m));
}
 
void sub_100DB274C(u_int64_t X0/*data*/, u_int64_t X1/*dataLen*/, u_int64_t X2/*outdata*/) {
 
    u_int64_t X3 = 0;
    u_int64_t X4 = 0;
    u_int64_t X5 = 0;
    u_int64_t X6 = 0;
    u_int64_t X8 = 0;
    u_int64_t X9 = 0;
    u_int64_t X10 = 0;
    u_int64_t X11 = 0;
    u_int64_t i = 0;
    u_int64_t X13 = 0;
    u_int64_t X14 = 0;
    u_int64_t X15 = 0;
    u_int64_t X19 = 0;
    u_int64_t X20 = 0;
    u_int64_t X21 = 0;
    u_int64_t X22 = 0;
    u_int64_t X23 = 0;
    u_int64_t X24 = 0;
    u_int64_t X25 = 0;
    u_int64_t X26 = 0;
    u_int64_t X27 = 0;
 
    char data[0x512] = {0};
 
    u_int64_t var_120 = (u_int64_t)(data + 0x10);
    u_int64_t var_118 = (u_int64_t)(data + 0x18);
    u_int64_t var_108 = (u_int64_t)(data + 0x28);
    u_int64_t var_100 = (u_int64_t)(data + 0x30);
    u_int64_t var_FC = (u_int64_t)(data + 0x34);
    u_int64_t var_F8 = (u_int64_t)(data + 0x38);
    u_int64_t var_F4 = (u_int64_t)(data + 0x3C);
    u_int64_t var_F0 = (u_int64_t)(data + 0x40);
    u_int64_t var_E8 = (u_int64_t)(data + 0x48);
    u_int64_t var_B0 = (u_int64_t)(data + 0x80);
    u_int64_t var_AC = (u_int64_t)(data + 0x84);
    u_int64_t var_A8 = (u_int64_t)(data + 0x88);
    u_int64_t var_A0 = (u_int64_t)(data + 0x90);
    u_int64_t var_98 = (u_int64_t)(data + 0x98);
 
    *(u_int64_t*)var_120 = X2;
    X2 = X1;
    X3 = X0;
    X6 = 0;
    X20 = 0;
    *(u_int64_t*)var_A8 = qword_101126D90;
    *(u_int64_t*)var_100 = X2 << 3;
    *(u_int64_t*)var_108 = X2 >> 0x1d;
    X24 = var_E8;
    X19 = X24 + 4;
    *(u_int64_t*)var_A0 = qword_101126D98;
    X21 = X24 + 0x38;
    X5 = 0x67452301;
    X23 = 0x10325476;
    X22 = 0x98BADCFE;
    X4 = 0xEFCDAB89;
    X26 = (u_int64_t)&byte_101209EC8;
    *(u_int64_t*)(var_118) = X19;
    *(u_int64_t*)(var_118+0x8) = X21;
    do
    {
        X8 = X2 - X20;
        X27 = X8 > 0x3F ? 0x40 : X8;
        X1 = X3 + X20;
        if(X27 > 0x3F) {
            X6 = 0;
        }else {
            ((TAG_UINT64*)var_F8)->set((u_int32_t)X22, (u_int32_t)X23);
            *(u_int64_t*)var_F0 = X20;
            ((TAG_UINT64*)var_FC)->low = (u_int32_t)X5;
            X26 = X4;
            X25 = X3;
            X19 = X2;
            X22 = var_98;
            X2 = X27;
            X0 = var_98;
            X21 = X6;
            X23 = X27;
            memcpy((void*)X0, (void*)X1, X2);
            X22 += X23;
            X8 = 0x40 - X23;
            X1 = X8;
            X0 = X22;
            memset((void*)X0, 0, (u_int32_t)X1);//BL              _bzero
            if(X21 == 0) {
                ((unsigned char*)X22)[0] = 0x80;
            }
            X1 = var_98;
            X6 = 1;
            X2 = X19;
            X3 = X25;
            X4 = X26;
            X5 = (u_int32_t)*(u_int64_t*)var_FC;
            X23 = *(u_int64_t*)var_FC >> 32;
            X19 = *(u_int64_t*)var_118;
            X21 = *(u_int64_t*)(var_118 + 0x8);
            X20 = *(u_int64_t*)var_F0;
            X22 = ((TAG_UINT64*)var_F4)->low;
            X26 = (u_int64_t)&byte_101209EC8;
        }
        i = 0;
        do{
            ((TAG_UINT64*)(X24 + i))->low = (u_int32_t)(((unsigned char*)(X1+1+i))[-1] | ((((unsigned char*)(X1+1+i))[0] | ((((unsigned char*)(X1+1+i))[1] | (((unsigned char*)(X1+1+i))[2] << 8)) << 8)) << 8));
        }while((i += 4) != 0x40);
        if(X27 <= 0x37) {
            *(u_int64_t*)var_B0 = (u_int32_t)*(u_int64_t*)var_100;
            *(u_int64_t*)var_AC = (u_int32_t)*(u_int64_t*)var_108;
        }
        i = 0;
        X13 = X26 + 8;
        X14 = X24 + 8;
        X8 = X23;
        X9 = X22;
        X10 = X4;
        X11 = X5;
        do
        {
            X11 = _ror_((u_int32_t)((((_bic_((u_int32_t)X8, (u_int32_t)X10) | (X10 & X9)) + X11) + (u_int32_t)*(u_int64_t*)(X14-8)) + (u_int32_t)*(u_int64_t*)(X13-8)), 0x19) + X10;
            X8 = _ror_((u_int32_t)((*(u_int64_t*)(X14 - 8) >> 32) + X8 + (*(u_int64_t*)(X13-8) >> 32) + ((X11 & X10) | _bic_((u_int32_t)X9, (u_int32_t)X11))), 0x14) + X11;
            X9 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)X14 + X9 + (u_int32_t)*(u_int64_t*)X13 + ((X8 & X11) | _bic_((u_int32_t)X10, (u_int32_t)X8))), 0xF) + X8;
            X10 = _ror_((u_int32_t)((*(u_int64_t*)X14 >> 32) + X10 + (*(u_int64_t*)X13 >> 32) + ((X9 & X8) | _bic_((u_int32_t)X11, (u_int32_t)X9))), 0xA) + X9;
            X14 += 0x10;
            X13 += 0x10;
        }while((i += 4) < 0x10);
        i = 0;
        X13 = X26 + 0x4C;
        X14 = 0xA;
        X15 = X19;
        do
        {
            X11 = _ror_((u_int32_t)((((X10 & X8) | _bic_((u_int32_t)X9, (u_int32_t)X8)) + X11 + (u_int32_t)*(u_int64_t*)X15) + (u_int32_t)*(u_int64_t*)(X13-0xc)), 0x1B) + X10;
            X8 = _ror_((u_int32_t)(X8 + ((u_int32_t)*(u_int64_t*)(X24 + (((X14 - 4) & 0xF) << 2))) + (*(u_int64_t*)(X13-0xc) >> 32) + ((X11 & X9) | _bic_((u_int32_t)X10, (u_int32_t)X9))), 0x17) + X11;
            X9 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)(X24 + (((X14 & 0xE) | 1) << 2)) + X9 + (u_int32_t)*(u_int64_t*)(X13-4) + ((X8 & X10) | _bic_((u_int32_t)X11, (u_int32_t)X10))), 0x12) + X8;
            X10 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)(X15-4) + X10 + (u_int32_t)*(u_int64_t*)X13 + ((X9 & X11) | _bic_((u_int32_t)X8, (u_int32_t)X11))), 0xC) + X9;
            X13 += 0x10;
            X15 += 0x10;
            X14 += 0x14;
        }while((i += 4) < 0x10);
        i = 0;
        X13 = X26 + 0x8C;
        X14 = 5;
        X15 = X21;
        do
        {
            X11 = _ror_((u_int32_t)(((X9  ^ X8) ^ X10) + X11 + (u_int32_t)*(u_int64_t*)(X24 + ((X14 & 0xD) << 2)) + (u_int32_t)*(u_int64_t*)(X13-0xc)), 0x1C) + X10;
            X8 = _ror_((u_int32_t)(X8 + (u_int32_t)*(u_int64_t*)(X24 + (((X14 + 3) & 0xF) << 2)) + (*(u_int64_t*)(X13-0xc) >> 32) + ((X11 ^ X10) ^ X9)), 0x15)+ X11;
            X9 = _ror_((u_int32_t)(((u_int32_t)*(u_int64_t*)(X24 + (((X14 + 6) & 0xF) << 2))) + X9 + (u_int32_t)*(u_int64_t*)(X13-4) + (X8 ^ (X11 ^ X10))), 0x10) + X8;
            X10 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)X15 + X10 + (u_int32_t)*(u_int64_t*)X13 + ((X8 ^ X11) ^ X9)), 0x9) + X9;
            X15 -= 0x10;
            X13 += 0x10;
            X14 += 0xC;
        }while((i += 4) < 0x10);
        i = 0;
        X13 = X26 + 0xCC;
        X14 = X21;
        X15 = 0x15;
        do
        {
            X11 = _ror_((u_int32_t)(((((X10 | (~X8)) ^ X9) + X11) + ((u_int32_t)*(u_int64_t*)(X24 + (((X15 - 0x15) & 0xC) << 2)))) + (u_int32_t)*(u_int64_t*)(X13-0xc)), 0x1A) + X10;
            X8 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)(X24 + (((X15 - 0xE) & 0xF) << 2)) + X8 + (*(u_int64_t*)(X13-0xc) >> 32) + ((X11 | (~X9)) ^ X10)), 0x16) + X11;
            X9 = _ror_((u_int32_t)((u_int32_t)*(u_int64_t*)X14 + X9 + (u_int32_t)*(u_int64_t*)(X13-0x4) + ((X8 | (~X10)) ^ X11)), 0x11) + X8;
            X10 = _ror_((u_int32_t)(((u_int32_t)*(u_int64_t*)(X24 + ((X15 & 0xF) << 2))) + X10 + (u_int32_t)*(u_int64_t*)X13 + ((X9 | (~X11)) ^ X8)), 0xB) + X9;
            X13 += 0x10;
            X14 -= 0x10;
            X15 +=0x1C;
        }while((i += 4) < 0x10);
        X5 += X11;
        X4 += X10;
        X22 += X9;
        X23 += X8;
        ((TAG_UINT64*)&X27)->high = 0;
        X20 += X27;
    }while(X27 >= 0x38);
    i = 0;
    ((TAG_UINT64*)var_A8)->set((u_int32_t)X4, (u_int32_t)X5);
    ((TAG_UINT64*)var_A0)->set((u_int32_t)X23, (u_int32_t)X22);
    X13 = *(u_int64_t*)var_120;
    ((unsigned char*)(X13))[0] = X5;
    ((unsigned char*)(X13))[1] = X5 >> 8;
    ((unsigned char*)(X13))[2] = X5 >> 0x10;
    ((unsigned char*)(X13))[3] = X5 >> 0x18;
    ((unsigned char*)(X13))[4] = X4;
    ((unsigned char*)(X13))[5] = X4 >> 8;
    ((unsigned char*)(X13))[6] = X4 >> 0x10;
    ((unsigned char*)(X13))[7] = X4 >> 0x18;
    do
    {
        X10 = (u_int32_t)*(u_int64_t*)(((u_int64_t)var_A8 + 8) + i);
        X11 = X13 + i;
        ((unsigned char*)(X11))[8] = X10;
        ((unsigned char*)(X11))[9] = X10 >> 8;
        ((unsigned char*)(X11))[0xA] = X10 >> 0x10;
        ((unsigned char*)(X11))[0xB] = X10 >> 0x18;
        X10 = i + 0xC;
        i = i + 4;
    }while(X10 < 0x10);
}
 
void sub_100FB6004(u_int64_t outData, u_int64_t inData) {
    u_int64_t i = 0;
    do{
        ((unsigned char*)(outData))[i*2] = a0123456789abcd_0[(((unsigned char*)(inData))[i]) >> 4];
        ((unsigned char*)(outData))[i*2+1] = a0123456789abcd_0[(((unsigned char*)(inData))[i]) & 0xF];
    }while((i += 1) < 0x10);
}
 
std::string calcSign(const char* szData) {
    std::string str = szData;
    str.append("ZDY0MTBlODcx");
    std::string strHead = str.substr(0, 10);
    std::string strEnd = str.substr(str.length()-10, str.length());
    str.replace(0, 10, strEnd);
    str.replace(str.length()-10, str.length(), strHead);
 
    char szBuff[64] = {0};
    char szSign[64] = {0};
    std::string strRet = "";
    sub_100DB274C((u_int64_t)str.c_str(), str.length(), (u_int64_t)szBuff);
    sub_100FB6004((u_int64_t)szSign, (u_int64_t)szBuff);
    strRet = szSign;
    return strRet;
}
int main(int argc, char* argv[])
{
    std::string sign = "";
    const char* data = "{\"h_model\":\"iPhone 7\",\"h_ch\":\"appstore\",\"phone\":\"15658195157\",\"no_hash_code\":1,\"region_code\":86,\"h_app\":\"zuiyou\",\"type\":\"reg\",\"h_ts\":1539152851066,\"h_av\":\"4.6.4\",\"h_nt\":1,\"h_did\":\"32086bc6014d1a8a447100a065a21edc\",\"h_m\":95849495,\"h_os\":1030000,\"token\":\"T4K2Nn_Be6gYozzVxZd0Liea7qDY1cn75TJlGmRz6cH7kwagjSU5JrAW2CmeBiPozxpOf\",\"h_dt\":1}";
    DWORD dwStartTime = GetTickCount();
    sign = calcSign(data);
    printf("sign: %s\r\n", sign.c_str());
    return 0;
}

以上就是对sign值生成过程的全部分析记录 至于POST数据字段都是怎么来的可以按照上述步骤查找到
 

zuiyouEncryption.rar
4b55c8b8963ef799e5da97e5a557ad8d.rar (10.24 KB)

文章评论