duangsues.is_a? SaltedFish
🌶🐔🐟 duangsuse's daily life
Especially likes posting weird stuff
and reposting other people's stuff
Forget it, let's just analyze it directly.
Upgraded Cutter.
If Lite had indentation semantics, there would be no need for `if` as a suffix (
r2's experimental aa is really convenient; it can even infer a function's return type.
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Emulate code to find computed references (aae)
[x] Analyze consecutive function (aat)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
const char *
Functions worth looking at:


BD(12 Basic Blocks)
BDL(3 Basic Blocks)
BE(9 Basic Blocks)
BEL(Simple,1 Basic Block)
Java_com_coolapk_market_util_AuthUtils_getAS (restype = const char*, argtypes = [const char*], 1 Basic Block)
(Calls r, BDL, bd, strlen, memcpy, time, sprintf, strcat, BEL, be, me)

r (Simple, 4 Basic Blocks, calls strlen)

me (6 Basic Blocks, calls MI, MU, MF)
That's a fair amount of work... (
Can't even try it out... because there's only an x86 build, no 64-bit one.


require 'ffi'

module Coolapk
  # ...
end

# Same constant name as above (the original had Coolapk vs CoolApk, which raises NameError)
module Coolapk::Auth
  extend FFI::Library
  # liba.so is a 32-bit ELF (ELFCLASS32); a 64-bit Ruby cannot dlopen it, see the LoadError below
  ffi_lib 'liba.so'
  # Binding follows what r2's afta inferred: restype = const char*, argtypes = [const char*]
  attach_function :getAS, 'Java_com_coolapk_market_util_AuthUtils_getAS', %i[string], :string
end

LoadError: Could not open library 'liba.so': liba.so: wrong ELF class: ELFCLASS32

# FFI::Library#attach_function (lib/ffi/library.rb), the argument-juggling prologue
def attach_function(name, func, args, returns = nil, options = nil)
  mname, a2, a3, a4, a5 = name, func, args, returns, options
  # If a 4th positional arg is present and the 2nd is a String/Symbol, the 2nd arg is the C name;
  # otherwise the Ruby method name doubles as the C name and the args shift left by one
  cname, arg_types, ret_type, opts = (a4 && (a2.is_a?(String) || a2.is_a?(Symbol))) ? [ a2, a3, a4, a5 ] : [ mname.to_s, a2, a3, a4 ]


So that's how it supports both argument formats without doing name = func...
Such hard-to-follow custom argument handling.
0x1cea: Java_com_coolapk_market_util_AuthUtils_getAS
0x1ca9: be
0x1bb0: me
0x1b84: bd
0x1b07: r
0x187e: MF
0x173a: MU
0x16fa: MI
0x8c4: BE
0x8a1: BEL
0x6c4: BD
0x664: BDL

dse@susepc:~$ r2 liba.so
[0x000005b0]> is
[Symbols]
004 0x00000664 0x00000664 GLOBAL FUNC 96 BDL
005 0x000006c4 0x000006c4 GLOBAL FUNC 477 BD
006 0x000008a1 0x000008a1 GLOBAL FUNC 35 BEL
007 0x000008c4 0x000008c4 GLOBAL FUNC 546 BE
008 0x000016fa 0x000016fa GLOBAL FUNC 64 MI
009 0x0000173a 0x0000173a GLOBAL FUNC 324 MU
011 0x0000187e 0x0000187e GLOBAL FUNC 649 MF
013 0x00001b07 0x00001b07 GLOBAL FUNC 125 r
015 0x00001b84 0x00001b84 GLOBAL FUNC 44 bd
016 0x00001bb0 0x00001bb0 GLOBAL FUNC 249 me
019 0x00001ca9 0x00001ca9 GLOBAL FUNC 65 be
020 0x00001cea 0x00001cea GLOBAL FUNC 1303 Java_com_coolapk_market_util_AuthUtils_getAS
023 0x00004004 0x00004004 GLOBAL NOTYPE 0 _edata
024 0x00004004 0x00004004 GLOBAL NOTYPE 0 __bss_start
025 0x00004004 0x00004004 GLOBAL NOTYPE 0 _end
001 0x00000540 0x00000540 GLOBAL FUNC 16 imp.__cxa_finalize
002 0x00000520 0x00000520 GLOBAL FUNC 16 imp.__cxa_atexit
003 0x00000530 0x00000530 GLOBAL FUNC 16 imp.__stack_chk_fail
010 0x00000550 0x00000550 GLOBAL FUNC 16 imp.memcpy
012 0x00000560 0x00000560 GLOBAL FUNC 16 imp.memset
014 0x00000570 0x00000570 GLOBAL FUNC 16 imp.strlen
017 0x00000000 0x00000000 GLOBAL OBJECT 16 imp.__stack_chk_guard
018 0x00000580 0x00000580 GLOBAL FUNC 16 imp.sprintf
021 0x00000590 0x00000590 GLOBAL FUNC 16 imp.time
022 0x000005a0 0x000005a0 GLOBAL FUNC 16 imp.strcat

[0x000005b0]> 0x00001cea
[0x00001cea]> aaaa
lea eax, dword [local_d0h]
mov dword [esp], eax
call sym.r ; [gb]
lea eax, dword [local_d0h]
mov dword [esp], eax
call sym.BDL ; [gc]
mov dword [local_178h], eax
Live analysis.