duangsues.is_a? SaltedFish
@dsuses
60 subscribers
609 photos
6 videos
91 files
562 links
🌶🐔🐟 duangsuse 的日常
尤其喜欢发些奇奇怪怪的东西
和转载别人的东西
Download Telegram
About
Blog
Apps
Platform
Join
duangsues.is_a? SaltedFish
60 subscribers
duangsues.is_a? SaltedFish
(无奈准备 Python 反而比虚拟机更耗时
6 views
duangsues.is_a? SaltedFish
垃圾酷安下不了应用了,估计是赚炸了(跑
6 views
duangsues.is_a? SaltedFish
如果我有 qemu-arm ...
6 views
duangsues.is_a? SaltedFish
LuaJava
6 views
duangsues.is_a? SaltedFish

su
/data/data/com.hipipal.qpy3/files/bin/python-root

from ctypes import *
import ctypes

c=ctypes.CDLL("/sdcard/liba.so")

c.Java_com_coolapk_market_util_AuthUtils_getAS.restype = c_char_p

c.Java_com_coolapk_market_util_AuthUtils_getAS.argtypes = [c_char_p]

c.Java_com_coolapk_market_util_AuthUtils_getAS

sb=create_string_buffer(b'2e0dc2d2-b18f-47f1-a83a-d503922e8656')

c.Java_com_coolapk_market_util_AuthUtils_getAS(sb)
Segmentation fault



#tech #emmm 老李说的没错,我对底层的确非常无知了(
6 views
duangsues.is_a? SaltedFish
This media is not supported in your browser
VIEW IN TELEGRAM
6 views
duangsues.is_a? SaltedFish
算了,直接分析吧
6 views
duangsues.is_a? SaltedFish
升级了 Cutter
6 views
duangsues.is_a? SaltedFish
https://github.com/by-syk/CoolapkTokenGetter/blob/master/app/src/main/jniLibs/x86/liba.so

找到了更容易分析的 x86 版本 liba.so!
GitHub
by-syk/CoolapkTokenGetter
CoolapkTokenGetter - CoolApk Token Getter
25 views
duangsues.is_a? SaltedFish
如果 Lite 有缩进语义就不需要 if as suffix 了(
6 views
duangsues.is_a? SaltedFish
r2 的实验性 aa 好方便啊,还能推出函数的返回类型
6 views
duangsues.is_a? SaltedFish
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Emulate code to find computed references (aae)
[x] Analyze consecutive function (aat)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
7 views
duangsues.is_a? SaltedFish
const char *
7 views
duangsues.is_a? SaltedFish
有价值看的函数:


BD(12 Basic Blocks)
BDL(3 Basic Blocks)
BE(9 Basic Blocks)
BEL(Simple,1 Basic Block)
Java_com_coolapk_market_util_AuthUtils_getAS (restype = const char* argtypes=[const char*],1 Basic Blocks)
(Called r、BDL、bd、strlen、memecpy、time、sprintf、strcat、BEL、be、me)

r(Simple,4 Basic blocks,called strlen)

me(6 Basic Blocks,called MI、MU、MF)
8 viewsedited  
duangsues.is_a? SaltedFish
工程量比较大...(
8 views
duangsues.is_a? SaltedFish
This media is not supported in your browser
VIEW IN TELEGRAM
8 views
duangsues.is_a? SaltedFish
想尝试都不行... 因为只有 x86 的没 64b 的


require 'ffi'

module Coolapk
  # ...
end

module CoolApk::Auth
  extend FFI::Library
  ffi_lib 'liba.so'
  attach_function :getAS, 'Java_com_coolapk_market_util_AuthUtils_getAS', %i[string], :string
end

LoadError
: Could not open library 'liba.so': liba.so: wrong ELF class: ELFCLASS32
8 viewsedited  
duangsues.is_a? SaltedFish

    def attach_function(name, func, args, returns = nil, options = nil)
      mname, a2, a3, a4, a5 = name, func, args, returns, options
      cname, arg_types, ret_type, opts = (a4 && (a2.is_a?(String) || a2.is_a?(Symbol))) ? [ a2, a3, a4, a5 ] : [ mname.to_s, a2, a3, a4 ]


我说它是怎么不 name = func 就支持两种传参格式的...
8 views
duangsues.is_a? SaltedFish
This media is not supported in your browser
VIEW IN TELEGRAM
8 views
duangsues.is_a? SaltedFish
好难理解的自定义参数处理
8 views
duangsues.is_a? SaltedFish
duangsues.is_a? SaltedFish
def attach_function(name, func, args, returns = nil, options = nil) mname, a2, a3, a4, a5 = name, func, args, returns, options cname, arg_types, ret_type, opts = (a4 && (a2.is_a?(String) || a2.is_a?(Symbol))) ? [ a2, a3, a4, a5 ] : [ mname.to_s…
attach_function :getAS, 'Java_com_coolapk_market_util_AuthUtils_getAS', %i[string], :string
8 views