[Original] App Anti-Bot: A Brief Analysis of the New ATT Scheme and Reconstruction of Its Algorithm
2021-12-24 09:11 30938


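This article is for learning and exchange only; do not use it for illegal or commercial purposes. Time and skill being limited, mistakes and omissions are inevitable, and corrections are welcome.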

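Contents:
1. Product Overview
1.1 Which security problems App-side protection solves
1.2 How to enable App protection for an application
2. Overall Product Architecture
3. Initialization Logic
4. Environment Detection and Device Fingerprinting
5. Signing Flow
6. Algorithm Reconstruction
7. Summary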

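1. Product Overview

If you are interested in the older version of the product, see: older version

1.1 Which security problems App-side protection solves

The SDK security solution provided by App protection addresses the following security problems on native App clients:

Malicious registration, credential stuffing, brute-force cracking
High-volume CC attacks against the App
Abuse of SMS and verification-code interfaces
Coupon and promotion abuse, red-envelope grabbing
Malicious sniping of time-limited and purchase-limited items
Malicious ticket lookups and ticket scalping (for example, flights and hotels)
Scraping of valuable information (for example, prices, credit data, financing data, novels)
Automated bulk voting
Spam posting and malicious comments

1.2 How to enable App protection for an application

Register and log in, submit the configuration, and obtain the APPKEY and the SDK. Once the SDK is integrated into the App, you can turn on the App protection switch in the console and set the App protection policy. The flow is shown in Figure 1-2:

Figure 1-2

2. Overall Product Architecture

The SDK integrated into the App signs the request body of each request the App client sends to the application server. After the WAF server obtains the request received by the application server, it parses and verifies the signature string (wToken) to identify risk and block malicious requests, which is how App protection identifies risk in the App's business. The overall architecture is shown in Figure 2-1:

Figure 2-1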

3. Initialization Logic

3.1 Initialization

SDK initialization interface definition:

int init(Context context, String appkey, int type);

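Function: initializes the SDK and performs one initialization collection. One initialization collection means collecting the terminal device information once; depending on your business needs, you can call init again to perform another initialization collection.
Initialization collection has two modes: collecting the full data set, and collecting everything except fields that require authorization (fields involving the device user's privacy are not collected, namely: imei, imsi, simSerial, wifiMac, wifiList, bluetoothMac).
Interface parameters:

<context>: type Context; pass in your application's context.

<appkey>: type String; set to your SDK authentication key.

<type>: type CollectType; sets the collection mode. Values:
DEFAULT: collect the full data set.
NO_GRANTED: collect everything except fields that require authorization.
Return value: type int; the initialization result, where 0 means success and -1 means failure.

Java layer:

Loading the so and declaring several native methods: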

public class TigerTallyAPI {
    protected static final String TAG = "Alibg_SDK";
    private static final ExecutorService executorService;
    private static int initRet;
    private static a sensorInitInfo;
 
    static {
        TigerTallyAPI.executorService = Executors.newSingleThreadExecutor();
        TigerTallyAPI.sensorInitInfo = null;
        System.loadLibrary("tiger_tally");
    }
 
    private static native int _genericNt(String arg0, int arg1);
    private static native int _genericNt2(int arg0, String[] arg1);
    private static native String _genericNt3(int arg0, byte[] arg1);
    static int access$100() {
        return TigerTallyAPI.initRet;
    }
    private static int genericNt(String arg0, int arg1) {
        return TigerTallyAPI._genericNt(arg0, arg1);
    }
    private static int genericNt2(int arg0, String[] arg1) {
        return TigerTallyAPI._genericNt2(arg0, arg1);
    }
    // Calls into the native (so) layer
    public static int init(Context arg3, String arg4, int arg5) {
        AppInfo.setContext(arg3);
        try {
            TigerTallyAPI.initRet = 0;
            CountDownLatch v0 = new CountDownLatch(1);
            TigerTallyAPI.genericNt2(2, new String[]{arg4});
            TigerTallyAPI.executorService.execute(new Runnable() {
                @Override
                public final void run() {
                    try {
                        TigerTallyAPI.sensorInitInfo = AppInfo.rS();
                        Thread.sleep(50L);
                        TigerTallyAPI.initRet = TigerTallyAPI.genericNt("", this.a);
                        AppInfo.uS(TigerTallyAPI.sensorInitInfo);
                        TigerTallyAPI.access$100();
                    }
                    catch(Throwable v0) {
                        try {
                            v0.printStackTrace();
                        }
                        catch(Throwable v0_1) {
                            arg5.countDown();
                            throw v0_1;
                        }
                    }
 
                    arg5.countDown();
                }
            });
            v0.await(100L, TimeUnit.MILLISECONDS);
        }
        catch(Throwable v3) {
            v3.printStackTrace();
            TigerTallyAPI.initRet = -1;
        }
 
        return TigerTallyAPI.initRet;
    }

Description of the native methods:

.text:CB138170 F2 F7 16 F8 BL              Dec_RiskString_sub_CEE741A0
.text:CB138174 DF F8 A8 C0 LDR.W           R12, =(off_CB215C28 - 0xCB13817E) ; "_genericNt"
.text:CB138178 06 A9       ADD             R1, SP, #0x68+var_50
 
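_genericNt2_sub_CDDFF308: decrypts the appkey
_genericNt_sub_CDDFF2B4: collects device information and generates the device fingerprint
_genericNt3_sub_CDDFF500: generates the signature
JNI_OnLoad in the native layer:

String decryption: all strings in the so are encrypted; the complete decryption routine is as follows: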

.text:CB129D30             DecString_loc_CEE73D30
.text:CB129D30 2D E9 F0 4F PUSH.W          {R4-R11,LR}
.text:CB129D34 85 B0       SUB             SP, SP, #0x14
.text:CB129D36 03 92       STR             R2, [SP,#0xC]
.text:CB129D38 42 F6 A0 62+MOV             R2, #0xAD992EA0
.text:CB129D38 CA F6 99 52
.text:CB129D40 11 44       ADD             R1, R2
.text:CB129D42 10 44       ADD             R0, R2
.text:CB129D44 4F 4A       LDR             R2, =(off_CB21C5F8 - 0xCB129D50)
.text:CB129D46 02 91       STR             R1, [SP,#8]
.text:CB129D48 4F F6 42 5A MOVW            R10, #0xFD42
.text:CB129D4C 7A 44       ADD             R2, PC                  ; off_CB21C5F8
.text:CB129D4E DD F8 38 C0 LDR.W           R12, [SP,#0x38]
.text:CB129D52 4D F6 AF 06 MOVW            R6, #0xD8AF
.text:CB129D56 04 90       STR             R0, [SP,#0x10]
.text:CB129D58 12 68       LDR             R2, [R2]                ; off_CB21D280
.text:CB129D5A 0E 20       MOVS            R0, #0xE
.text:CB129D5C 01 92       STR             R2, [SP,#4]
.text:CB129D5E 4F F0 00 08 MOV.W           R8, #0
.text:CB129D62 49 4A       LDR             R2, =(off_CB21C5FC - 0xCB129D74)
.text:CB129D64 C0 F6 1B 5A MOVT            R10, #0xD1B
.text:CB129D68 49 F6 9D 75 MOVW            R5, #0x9F9D
.text:CB129D6C CF F2 5B 66 MOVT            R6, #0xF65B
.text:CB129D70 7A 44       ADD             R2, PC                  ; off_CB21C5FC
.text:CB129D72 D2 F8 00 90 LDR.W           R9, [R2]                ; off_CB21D1F0
.text:CB129D76 45 4A       LDR             R2, =(off_CB21C5F8 - 0xCB129D7C)
.text:CB129D78 7A 44       ADD             R2, PC                  ; off_CB21C5F8
.text:CB129D7A 17 68       LDR             R7, [R2]                ; off_CB21D280
.text:CB129D7C 40 4A       LDR             R2, =(off_CB21C5F8 - 0xCB129D82)
.text:CB129D7E 7A 44       ADD             R2, PC                  ; off_CB21C5F8
.text:CB129D80 11 68       LDR             R1, [R2]                ; off_CB21D280
.text:CB129D82 44 4A       LDR             R2, =(off_CB21C600 - 0xCB129D8E)
.text:CB129D84 00 91       STR             R1, [SP]
.text:CB129D86 44 F6 A7 61 MOVW            R1, #0x4EA7
.text:CB129D8A 7A 44       ADD             R2, PC                  ; off_CB21C600
.text:CB129D8C C8 F2 54 41 MOVT            R1, #0x8454
.text:CB129D90 D2 F8 00 E0 LDR.W           LR, [R2]                ; unk_CB21D250
.text:CB129D94 3E 4A       LDR             R2, =(off_CB21C5F8 - 0xCB129D9A)
.text:CB129D96 7A 44       ADD             R2, PC                  ; off_CB21C5F8
.text:CB129D98 D2 F8 00 B0 LDR.W           R11, [R2]               ; off_CB21D280
.text:CB129D9C
.text:CB129D9C                                                     ; .text:CB129E6C↓j
.text:CB129D9C                                                     ; DATA XREF: ...
.text:CB129D9C 02 46       MOV             R2, R0
.text:CB129D9E 0D 2A       CMP             R2, #0xD
.text:CB129DA0 00 F3 55 80 BGT.W           loc_CB129E4E
.text:CB129DA4 09 2A       CMP             R2, #9
.text:CB129DA6 1C D1       BNE             loc_CB129DE2
.text:CB129DA8 01 9A       LDR             R2, [SP,#4]
.text:CB129DAA 50 69       LDR             R0, [R2,#0x14]
.text:CB129DAC D2 F8 A4 20 LDR.W           R2, [R2,#0xA4]
.text:CB129DB0 50 43       MULS            R0, R2
.text:CB129DB2 50 45       CMP             R0, R10
.text:CB129DB4 01 D1       BNE             loc_CB129DBA
.text:CB129DB6 09 22       MOVS            R2, #9
.text:CB129DB8 43 E0       B               loc_CB129E42
.text:CB129DBA
.text:CB129DBA             loc_CB129DBA           
.text:CB129DBA 8C F8 00 30 STRB.W          R3, [R12]
.text:CB129DBE B9 F8 56 00 LDRH.W          R0, [R9,#(word_CB21D246 - 0xCB21D1F0)]
.text:CB129DC2 A8 42       CMP             R0, R5
.text:CB129DC4 30 D0       BEQ             loc_CB129E28
.text:CB129DC6 B8 88       LDRH            R0, [R7,#(dword_CB21D284 - 0xCB21D280)]
.text:CB129DC8 0D 6A       LDR             R5, [R1,#0x20]
.text:CB129DCA 7C 3A       SUBS            R2, #0x7C ; '|'
.text:CB129DCC 6A 01       LSLS            R2, R5, #5
.text:CB129DCE C6 6E       LDR             R6, [R0,#0x6C]
.text:CB129DD0 89 F1 78 69+DCD 0x6978F189, 0x20A4F8D7, 0x22094350, 0xD1EC4550
.text:CB129DE0 2F E0       B               loc_CB129E42
.text:CB129DE2
.text:CB129DE2             loc_CB129DE2
.text:CB129DE2 02 98       LDR             R0, [SP,#8]
.text:CB129DE4 75 46       MOV             R5, LR
.text:CB129DE6 04 9C       LDR             R4, [SP,#0x10]
.text:CB129DE8 43 F2 E0 2E+MOV             LR, #0x89DD32E0
.text:CB129DE8 C8 F6 DD 1E
.text:CB129DF0 10 F8 08 00 LDRB.W          R0, [R0,R8]
.text:CB129DF4 6A 30       ADDS            R0, #0x6A ; 'j'
.text:CB129DF6 80 EA 08 00 EOR.W           R0, R0, R8
.text:CB129DFA 18 44       ADD             R0, R3
.text:CB129DFC 04 F8 08 00 STRB.W          R0, [R4,R8]
.text:CB129E00 08 F1 01 08 ADD.W           R8, R8, #1
.text:CB129E04 00 9C       LDR             R4, [SP]
.text:CB129E06 D4 F8 CC 00 LDR.W           R0, [R4,#0xCC]
.text:CB129E0A D4 F8 20 41 LDR.W           R4, [R4,#0x120]
.text:CB129E0E 44 43       MULS            R4, R0
.text:CB129E10 03 98       LDR             R0, [SP,#0xC]
.text:CB129E12 80 45       CMP             R8, R0
.text:CB129E14 4F F0 09 00 MOV.W           R0, #9
.text:CB129E18 38 BF       IT CC
.text:CB129E1A 08 20       MOVCC           R0, #8
.text:CB129E1C 74 45       CMP             R4, LR
.text:CB129E1E AE 46       MOV             LR, R5
.text:CB129E20 49 F6 9D 75 MOVW            R5, #0x9F9D
.text:CB129E24 BA D0       BEQ             loc_CB129D9C
.text:CB129E26 14 E0       B               loc_CB129E52
.text:CB129E28
.text:CB129E28             loc_CB129E28
.text:CB129E28 10 22       MOVS            R2, #0x10
.text:CB129E2A 20 E0       B               loc_CB129E6E
.text:CB129E2C
.text:CB129E2C             loc_CB129E2C 
.text:CB129E2C BC 97       STR             R7, [SP,#0x2F0]
.text:CB129E2E 4A 5B       LDRH            R2, [R1,R5]
.text:CB129E30 25 48       LDR             R0, loc_CB129EC6+2
.text:CB129E32 7F 4E       LDR             R6, loc_CB12A02E+2
.text:CB129E34 05 E0       B               loc_CB129E42
.text:CB129E36
.text:CB129E36             loc_CB129E36
.text:CB129E36 59 D1       BNE             loc_CB129EEC
.text:CB129E38 FD 64       STR             R5, [R7,#(off_CB21D2CC - 0xCB21D280)]
.text:CB129E3A A9 1F       SUBS            R1, R5, #6
.text:CB129E3C
.text:CB129E3C             loc_CB129E3C
.text:CB129E3C FC CB       LDM             R3, {R2-R7}
.text:CB129E3E 3A 1F       SUBS            R2, R7, #4
.text:CB129E40 59 4A       LDR             R2, =unk_E0026909
.text:CB129E42
.text:CB129E42             loc_CB129E42
.text:CB129E42 1C 38       SUBS            R0, #0x1C
.text:CB129E44 C9 2E       CMP             R6, #0xC9
.text:CB129E46 C7 92       STR             R2, [SP,#0x31C]
.text:CB129E48 9D 3F       SUBS            R7, #0x9D
.text:CB129E4A 1B E8       DCW 0xE81B
.text:CB129E4C F6 DA       BGE             loc_CB129E3C
.text:CB129E4E
.text:CB129E4E             loc_CB129E4E
.text:CB129E4E 10 2A       CMP             R2, #0x10
.text:CB129E50 0D DA       BGE             loc_CB129E6E
.text:CB129E52
.text:CB129E52             loc_CB129E52
.text:CB129E52 9C F8 00 40 LDRB.W          R4, [R12]
.text:CB129E56 90 1C       ADDS            R0, R2, #2
.text:CB129E58 4F F0 00 08 MOV.W           R8, #0
.text:CB129E5C 00 2C       CMP             R4, #0
.text:CB129E5E 08 BF       IT EQ
.text:CB129E60 82 F0 06 00 EOREQ.W         R0, R2, #6
.text:CB129E64 9E F8 27 40 LDRB.W          R4, [LR,#(byte_CB21D277 - 0xCB21D250)]
.text:CB129E68 95 2C       CMP             R4, #0x95
.text:CB129E6A E4 D1       BNE             loc_CB129E36
.text:CB129E6C 96 E7       B               loc_CB129D9C
.text:CB129E6E
.text:CB129E6E             loc_CB129E6E
.text:CB129E6E DB F8 D4 00 LDR.W           R0, [R11,#(dword_CB21D354 - 0xCB21D280)]
.text:CB129E72 48 43       MULS            R0, R1
.text:CB129E74 B0 42       CMP             R0, R6
.text:CB129E76 D9 D0       BEQ             loc_CB129E2C
.text:CB129E78 04 98       LDR             R0, [SP,#0x10]
.text:CB129E7A 05 B0       ADD             SP, SP, #0x14
.text:CB129E7C BD E8 F0 8F POP.W           {R4-R11,PC}
Registering the native methods:

Decrypting the native method names

.data.rel.ro:CB215C28                                                     ; "_genericNt"
.data.rel.ro:CB215C2C 5E 31 22 CB DCD aLjavaLangStrin                     ; "(Ljava/lang/String;I)I"
.data.rel.ro:CB215C30 B5 42 14 CB DCD _genericNt_sub_CDDFF2B4+1
.data.rel.ro:CB215C34 4B 30 22 CB DCD aGenericnt2                         ; "_genericNt2"
.data.rel.ro:CB215C38 33 30 22 CB DCD aILjavaLangStri                     ; "(I[Ljava/lang/String;)I"
.data.rel.ro:CB215C3C 09 43 14 CB DCD _genericNt2_sub_CDDFF308+1
.data.rel.ro:CB215C40 27 30 22 CB off_CB215C40 DCD aGenericnt3            ; DATA XREF: RegNative_sub_CDB0C110+72↑o
.data.rel.ro:CB215C40                                                     ; "_genericNt3"
.data.rel.ro:CB215C44 0F 30 22 CB DCD aIBLjavaLangStr                     ; "(I[B)Ljava/lang/String;"
.data.rel.ro:CB215C48 01 45 14 CB DCD _genericNt3_sub_CDDFF500+1
.data.rel.ro:CB215C4C 0A 30 22 CB DCD aOnsc                               ; "onSc"
.data.rel.ro:CB215C50 AF 2F 22 CB DCD aLandroidHardwa                     ; "(Landroid/hardware/SensorManager;Lcom/a"...
.data.rel.ro:CB215C54 19 46 14 CB DCD onSc_sub_CDDFF618+1

Registering the methods

.text:CB1381D8 F1 F7 AA FD BL              DecString_loc_CEE73D30  ; com/aliyun/TigerTally/TigerTallyAPI
.text:CB1381DC 03 99       LDR             R1, [SP,#0x68+var_5C]
.text:CB1381DE 04 22       MOVS            R2, #4
.text:CB1381E0 0B F0 3A FF BL              RegNative_loc_CEE8E058 //RegisterNatives
.text:CB1381E4 0C 49       LDR             R1, =(__stack_chk_guard_ptr - 0xCB1381EC)
.text:CB1381E6 12 9A       LDR             R2, [SP,#0x68+var_20]
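
The table passed to RegisterNatives above is an array of JNINativeMethod records: name pointer, signature pointer and function pointer, 12 bytes per record on 32-bit ARM. As an added example (not code from the original post or from the SDK), the Python below decodes the two records at CB215C34 and CB215C40, whose bytes are fully visible, and turns each descriptor into a Java-style declaration that can be compared with the decompiled class. The string region is rebuilt from the listing's comments and all function names are hypothetical; the first record is left out because its name-pointer bytes are not shown, and the onSc record because its signature is truncated.

```python
import struct
from typing import NamedTuple

# Constructed from the listing above: the six 32-bit words at CB215C34..CB215C48.
TABLE = bytes.fromhex(
    "4B3022CB 333022CB 094314CB "   # _genericNt2 record
    "273022CB 0F3022CB 014514CB"    # _genericNt3 record
)
# Constructed string region: the contents come from the listing's comments, laid
# out so that each string starts at the address its pointer holds. Assumes the
# snapshot was taken after the strings were decrypted in memory.
STRINGS_BASE = 0xCB22300F
STRINGS = (b"(I[B)Ljava/lang/String;\x00_genericNt3\x00"
           b"(I[Ljava/lang/String;)I\x00_genericNt2\x00")

PRIMITIVES = {"Z": "boolean", "B": "byte", "C": "char", "S": "short", "I": "int",
              "J": "long", "F": "float", "D": "double", "V": "void"}


class NativeMethod(NamedTuple):
    name: str
    signature: str
    address: int   # entry point with the Thumb bit cleared
    thumb: bool    # bit 0 of the stored pointer
    java: str      # Java-style declaration derived from the descriptor


def read_cstr(addr):
    """Read a NUL-terminated string from the constructed string region."""
    off = addr - STRINGS_BASE
    if not 0 <= off < len(STRINGS):
        raise ValueError(f"pointer {addr:#x} is outside the string region")
    return STRINGS[off:STRINGS.index(b"\x00", off)].decode("ascii")


def _parse_type(sig, i):
    """Parse one JNI type starting at sig[i]; return (java_name, next_index)."""
    dims = 0
    while sig[i] == "[":
        dims += 1
        i += 1
    if sig[i] == "L":
        end = sig.index(";", i)
        name = sig[i + 1:end].replace("/", ".")
        i = end + 1
    else:
        name = PRIMITIVES[sig[i]]
        i += 1
    return name + "[]" * dims, i


def parse_descriptor(sig):
    """Split a JNI method descriptor into (argument types, return type)."""
    try:
        if not sig.startswith("("):
            raise ValueError("descriptor must start with '('")
        i, args = 1, []
        while sig[i] != ")":
            arg, i = _parse_type(sig, i)
            args.append(arg)
        ret, i = _parse_type(sig, i + 1)
    except (IndexError, KeyError) as exc:
        raise ValueError(f"malformed descriptor {sig!r}") from exc
    if i != len(sig):
        raise ValueError(f"trailing characters in descriptor {sig!r}")
    return args, ret


def parse_table(table, count):
    """Decode `count` 12-byte JNINativeMethod records (32-bit little-endian)."""
    methods = []
    for n in range(count):
        name_ptr, sig_ptr, fn_ptr = struct.unpack_from("<III", table, n * 12)
        name, sig = read_cstr(name_ptr), read_cstr(sig_ptr)
        args, ret = parse_descriptor(sig)
        methods.append(NativeMethod(name, sig, fn_ptr & ~1, bool(fn_ptr & 1),
                                    f"{ret} {name}({', '.join(args)})"))
    return methods


METHODS = parse_table(TABLE, 2)
```

The stored function pointers are odd because the targets are Thumb code, which is why the listing shows them as `sub_...+1`.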

3.2 Decrypting the APPKEY

native int _genericNt2(int arg0, String[] arg1)

Reading the SDK appkey passed in from the Java layer

.text:CB131490             getString_sub_CF0FF490
.text:CB131490
.text:CB131490             var_30= -0x30
.text:CB131490             var_28= -0x28
.text:CB131490             var_21= -0x21
.text:CB131490             var_20= -0x20
.text:CB131490
.text:CB131490             ; __unwind { // CB1C8914
.text:CB131490 F0 B5       PUSH            {R4-R7,LR}
.text:CB131492 03 AF       ADD             R7, SP, #0xC
.text:CB131494 2D E9 00 0F PUSH.W          {R8-R11}
.text:CB131498 85 B0       SUB             SP, SP, #0x14
.text:CB13149A 04 46       MOV             R4, R0
.text:CB13149C 38 48       LDR             R0, =(__stack_chk_guard_ptr - 0xCB1314A6)
.text:CB13149E 0E 46       MOV             R6, R1
.text:CB1314A0 91 46       MOV             R9, R2
.text:CB1314A2 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:CB1314A4 00 2E       CMP             R6, #0
.text:CB1314A6 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:CB1314A8 00 68       LDR             R0, [R0]
.text:CB1314AA 07 F8 21 3C STRB.W          R3, [R7,#var_21]
.text:CB1314AE 04 90       STR             R0, [SP,#0x30+var_20]
.text:CB1314B0 24 D0       BEQ             loc_CB1314FC
.text:CB1314B2 B9 F1 00 0F CMP.W           R9, #0
.text:CB1314B6 21 D0       BEQ             loc_CB1314FC
.text:CB1314B8 30 68       LDR             R0, [R6]
.text:CB1314BA A7 F1 21 02 SUB.W           R2, R7, #-var_21
.text:CB1314BE 49 46       MOV             R1, R9
.text:CB1314C0 D0 F8 A4 32 LDR.W           R3, [R0,#0x2A4]
.text:CB1314C4 30 46       MOV             R0, R6
.text:CB1314C6 98 47       BLX             R3                      ; GetStringUTFChars
.text:CB1314C8 80 46       MOV             R8, R0
.text:CB1314CA B8 F1 00 0F CMP.W           R8, #0
.text:CB1314CE 15 D0       BEQ             loc_CB1314FC
.text:CB1314D0 00 20       MOVS            R0, #0
.text:CB1314D2 02 90       STR             R0, [SP,#0x30+var_28]
.text:CB1314D4 CD E9 00 00 STRD.W          R0, R0, [SP,#0x30+var_30]
.text:CB1314D8 40 46       MOV             R0, R8                  ; s
.text:CB1314DA F7 F7 CE E8 BLX             strlen
.text:CB1314DE 05 46       MOV             R5, R0
.text:CB1314E0 15 F1 10 0F CMN.W           R5, #0x10
.text:CB1314E4 3D D2       BCS             loc_CB131562
.text:CB1314E6 0B 2D       CMP             R5, #0xB
.text:CB1314E8 0D D2       BCS             loc_CB131506
.text:CB1314EA 68 00       LSLS            R0, R5, #1
.text:CB1314EC 00 2D       CMP             R5, #0
.text:CB1314EE 8D F8 00 00 STRB.W          R0, [SP,#0x30+var_30]
.text:CB1314F2 68 46       MOV             R0, SP
.text:CB1314F4 40 F0 01 0A ORR.W           R10, R0, #1
.text:CB1314F8 13 D1       BNE             loc_CB131522
.text:CB1314FA 17 E0       B               loc_CB13152C
.text:CB1314FC
.text:CB1314FC             loc_CB1314FC
.text:CB1314FC 00 20       MOVS            R0, #0
.text:CB1314FE 20 60       STR             R0, [R4]
.text:CB131500 60 60       STR             R0, [R4,#4]
.text:CB131502 A0 60       STR             R0, [R4,#8]
.text:CB131504 20 E0       B               loc_CB131548
.text:CB131506             loc_CB131506
.text:CB131506 05 F1 10 00 ADD.W           R0, R5, #0x10
.text:CB13150A 20 F0 0F 0B BIC.W           R11, R0, #0xF
.text:CB13150E 58 46       MOV             R0, R11
.text:CB131510 98 F0 BA FF BL              malloc_sub_CF198488
.text:CB131514 82 46       MOV             R10, R0
.text:CB131516 4B F0 01 00 ORR.W           R0, R11, #1
.text:CB13151A CD F8 08 A0 STR.W           R10, [SP,#0x30+var_28]
.text:CB13151E CD E9 00 05 STRD.W          R0, R5, [SP,#0x30+var_30]
.text:CB131522
.text:CB131522             loc_CB131522
.text:CB131522 50 46       MOV             R0, R10
.text:CB131524 41 46       MOV             R1, R8
.text:CB131526 2A 46       MOV             R2, R5
.text:CB131528 F7 F7 12 E9 BLX             __aeabi_memcpy
.text:CB13152C
.text:CB13152C             loc_CB13152C
.text:CB13152C 00 20       MOVS            R0, #0
.text:CB13152E 0A F8 05 00 STRB.W          R0, [R10,R5]
.text:CB131532 30 68       LDR             R0, [R6]
.text:CB131534 D0 F8 A8 32 LDR.W           R3, [R0,#0x2A8]
.text:CB131538 30 46       MOV             R0, R6
.text:CB13153A 49 46       MOV             R1, R9
.text:CB13153C 42 46       MOV             R2, R8
.text:CB13153E 98 47       BLX             R3                      ; ReleaseStringUTFChars
.text:CB131540 68 46       MOV             R0, SP
.text:CB131542 90 E8 0E 00 LDM.W           R0, {R1-R3}
.text:CB131546 0E C4       STM             R4!, {R1-R3}
.text:CB131548
.text:CB131548             loc_CB131548
.text:CB131548 0E 48       LDR             R0, =(__stack_chk_guard_ptr - 0xCB131550)
.text:CB13154A 04 99       LDR             R1, [SP,#0x30+var_20]
.text:CB13154C 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:CB13154E 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:CB131550 00 68       LDR             R0, [R0]
.text:CB131552 40 1A       SUBS            R0, R0, R1
.text:CB131554 02 BF       ITTT EQ
.text:CB131556 05 B0       ADDEQ           SP, SP, #0x14
.text:CB131558 BD E8 00 0F POPEQ.W         {R8-R11}
.text:CB13155C F0 BD       POPEQ           {R4-R7,PC}
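
The listing above fills a 12-byte string object in one of two ways: in place when the length is below 0xB, on the heap otherwise. That matches the layout libc++ uses for std::string on 32-bit little-endian targets. As an added example (not code from the original post or from the SDK), the Python below mirrors that construction and decodes such an object from a memory snapshot; the function names, the dict standing in for process memory and the sample bytes are constructed for illustration.

```python
import struct

OBJ_SIZE = 12    # three 32-bit words; STM R4!,{R1-R3} copies them to the caller
SHORT_MAX = 10   # "CMP R5,#0xB / BCS": 11 bytes or more take the heap path


def build_string32(data, heap, heap_addr):
    """Build the 12-byte object the way the listing does.

    heap is a dict {address: bytes} standing in for process memory (constructed).
    """
    n = len(data)
    if n <= SHORT_MAX:
        # LSLS R0,R5,#1 ; STRB R0,[SP]: byte 0 = length * 2, so bit 0 stays clear.
        # The characters start at object + 1 (ORR.W R10,R0,#1).
        return (bytes([n << 1]) + data).ljust(OBJ_SIZE, b"\x00")
    cap = (n + 0x10) & ~0xF             # ADD.W R0,R5,#0x10 ; BIC.W R11,R0,#0xF
    heap[heap_addr] = data + b"\x00"    # memcpy, then STRB 0 at [R10,R5]
    # ORR.W R0,R11,#1 sets the "long" flag; the words are capacity|1, size, pointer.
    return struct.pack("<III", cap | 1, n, heap_addr)


def read_string32(obj, heap):
    """Decode a 12-byte string object; heap maps buffer addresses to bytes."""
    if len(obj) != OBJ_SIZE:
        raise ValueError("expected a 12-byte string object")
    if obj[0] & 1:                      # long form: bit 0 of the first byte is set
        cap_word, size, ptr = struct.unpack("<III", obj)
        if size >= (cap_word & ~1):
            raise ValueError("size does not fit the recorded capacity")
        buf = heap.get(ptr)
        if buf is None or len(buf) < size:
            raise ValueError(f"pointer {ptr:#x} is not in the snapshot")
        return buf[:size]
    size = obj[0] >> 1                  # short form: length is stored doubled
    if size > SHORT_MAX:
        raise ValueError("short length exceeds the inline buffer")
    return obj[1:1 + size]


# Constructed samples: one string on each side of the 11-byte boundary.
HEAP = {}
SHORT_OBJ = build_string32(b"0123456789", HEAP, 0x10000)
LONG_OBJ = build_string32(b"constructed-sample-key", HEAP, 0x20000)
```

The same bit-0 test appears in the appkey routine further down (`LDRB.W R0, [R9]` followed by `LSLS R0, R0, #0x1F`), where it selects how each string member is cleared.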

The SDK appkey that was obtained


Decrypting the appkey with Base64 and AES

.text:CB18E1C0             DecAppkey_SplitStr_sub_CF15C1C0
.text:CB18E1C0
.text:CB18E1C0             var_150= -0x150
.text:CB18E1C0             var_148= -0x148
.text:CB18E1C0             ptr= -0x144
.text:CB18E1C0             s= -0x140
.text:CB18E1C0             var_13C= -0x13C
.text:CB18E1C0             var_138= -0x138
.text:CB18E1C0             var_134= -0x134
.text:CB18E1C0             var_130= -0x130
.text:CB18E1C0             var_12C= -0x12C
.text:CB18E1C0             var_128= -0x128
.text:CB18E1C0             var_124= -0x124
.text:CB18E1C0             var_120= -0x120
.text:CB18E1C0             var_11C= -0x11C
.text:CB18E1C0             var_118= -0x118
.text:CB18E1C0             var_114= -0x114
.text:CB18E1C0             var_110= -0x110
.text:CB18E1C0             var_10C= -0x10C
.text:CB18E1C0             var_108= -0x108
.text:CB18E1C0             var_104= -0x104
.text:CB18E1C0             var_100= -0x100
.text:CB18E1C0             var_FC= -0xFC
.text:CB18E1C0             var_F8= -0xF8
.text:CB18E1C0             var_F4= -0xF4
.text:CB18E1C0             var_F0= -0xF0
.text:CB18E1C0             anonymous_0= -0xEC
.text:CB18E1C0             var_E8= -0xE8
.text:CB18E1C0             var_E4= -0xE4
.text:CB18E1C0             var_E0= -0xE0
.text:CB18E1C0             var_20= -0x20
.text:CB18E1C0
.text:CB18E1C0             ; __unwind { // CB1C8914
.text:CB18E1C0 F0 B5       PUSH            {R4-R7,LR}
.text:CB18E1C2 03 AF       ADD             R7, SP, #0xC
.text:CB18E1C4 2D E9 00 0F PUSH.W          {R8-R11}
.text:CB18E1C8 CD B0       SUB             SP, SP, #0x134
.text:CB18E1CA 81 46       MOV             R9, R0
.text:CB18E1CC DF F8 0C 08 LDR.W           R0, =(__stack_chk_guard_ptr - 0xCB18E1D6)
.text:CB18E1D0 88 46       MOV             R8, R1
.text:CB18E1D2 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:CB18E1D4 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:CB18E1D6 00 68       LDR             R0, [R0]
.text:CB18E1D8 4C 90       STR             R0, [SP,#0x150+var_20]
.text:CB18E1DA 00 F0 25 FC BL              DecString_loc_C5D9FA28
.text:CB18E1DE 00 26       MOVS            R6, #0
.text:CB18E1E0 CB 46       MOV             R11, R9
.text:CB18E1E2 48 46       MOV             R0, R9
.text:CB18E1E4 2C 21       MOVS            R1, #0x2C ; ','
.text:CB18E1E6 C9 F8 94 60 STR.W           R6, [R9,#0x94]
.text:CB18E1EA 4B F8 90 6F STR.W           R6, [R11,#0x90]!
.text:CB18E1EE 9A F7 7A EA BLX             __aeabi_memclr4
.text:CB18E1F2 09 F1 38 0A ADD.W           R10, R9, #0x38 ; '8'
.text:CB18E1F6 54 21       MOVS            R1, #0x54 ; 'T'
.text:CB18E1F8 50 46       MOV             R0, R10
.text:CB18E1FA 9A F7 74 EA BLX             __aeabi_memclr4
.text:CB18E1FE 48 46       MOV             R0, R9
.text:CB18E200 C9 F8 8C B0 STR.W           R11, [R9,#0x8C]
.text:CB18E204 40 F8 9C 6F STR.W           R6, [R0,#0x9C]!
.text:CB18E208 09 F1 C8 04 ADD.W           R4, R9, #0xC8
.text:CB18E20C 17 90       STR             R0, [SP,#0x150+var_F4]
.text:CB18E20E 4D 46       MOV             R5, R9
.text:CB18E210 C9 F8 98 00 STR.W           R0, [R9,#0x98]
.text:CB18E214 48 46       MOV             R0, R9
.text:CB18E216 40 F8 A8 6F STR.W           R6, [R0,#0xA8]!
.text:CB18E21A 30 21       MOVS            R1, #0x30 ; '0'
.text:CB18E21C C9 F8 A0 60 STR.W           R6, [R9,#0xA0]
.text:CB18E220 16 90       STR             R0, [SP,#0x150+var_F8]
.text:CB18E222 C9 F8 A4 00 STR.W           R0, [R9,#0xA4]
.text:CB18E226 48 46       MOV             R0, R9
.text:CB18E228 40 F8 B4 6F STR.W           R6, [R0,#0xB4]!
.text:CB18E22C C9 F8 AC 60 STR.W           R6, [R9,#0xAC]
.text:CB18E230 15 90       STR             R0, [SP,#0x150+var_FC]
.text:CB18E232 C9 F8 B0 00 STR.W           R0, [R9,#0xB0]
.text:CB18E236 48 46       MOV             R0, R9
.text:CB18E238 C9 F8 C4 60 STR.W           R6, [R9,#0xC4]
.text:CB18E23C 40 F8 C0 6F STR.W           R6, [R0,#0xC0]!
.text:CB18E240 C9 F8 B8 60 STR.W           R6, [R9,#0xB8]
.text:CB18E244 14 90       STR             R0, [SP,#0x150+var_100]
.text:CB18E246 C9 F8 BC 00 STR.W           R0, [R9,#0xBC]
.text:CB18E24A 20 46       MOV             R0, R4
.text:CB18E24C C9 E9 40 66 STRD.W          R6, R6, [R9,#0x100]
.text:CB18E250 45 F8 FC 6F STR.W           R6, [R5,#0xFC]!
.text:CB18E254 9A F7 46 EA BLX             __aeabi_memclr4
.text:CB18E258 4B 46       MOV             R3, R9
.text:CB18E25A 0B 95       STR             R5, [SP,#0x150+var_124]
.text:CB18E25C 2E 80       STRH            R6, [R5]
.text:CB18E25E 23 F8 5C 6F STRH.W          R6, [R3,#0x5C]!
.text:CB18E262 18 46       MOV             R0, R3
.text:CB18E264 1D 46       MOV             R5, R3
.text:CB18E266 20 F8 24 6F STRH.W          R6, [R0,#0x24]!
.text:CB18E26A 0C 90       STR             R0, [SP,#0x150+var_120]
.text:CB18E26C 18 46       MOV             R0, R3
.text:CB18E26E 20 F8 18 6F STRH.W          R6, [R0,#0x18]!
.text:CB18E272 0D 90       STR             R0, [SP,#0x150+var_11C]
.text:CB18E274 25 F8 0C 6F STRH.W          R6, [R5,#0xC]!
.text:CB18E278 13 F8 3C 0C LDRB.W          R0, [R3,#-0x3C]
.text:CB18E27C C0 07       LSLS            R0, R0, #0x1F
.text:CB18E27E 02 D1       BNE             loc_CB18E286
.text:CB18E280 A9 F8 20 60 STRH.W          R6, [R9,#0x20]
.text:CB18E284 04 E0       B               loc_CB18E290
.text:CB18E286
.text:CB18E286             loc_CB18E286
.text:CB18E286 D9 F8 28 00 LDR.W           R0, [R9,#0x28]
.text:CB18E28A 06 70       STRB            R6, [R0]
.text:CB18E28C C9 F8 24 60 STR.W           R6, [R9,#0x24]
.text:CB18E290
.text:CB18E290             loc_CB18E290
.text:CB18E290 99 F8 00 00 LDRB.W          R0, [R9]
.text:CB18E294 C0 07       LSLS            R0, R0, #0x1F
.text:CB18E296 03 D1       BNE             loc_CB18E2A0
.text:CB18E298 00 20       MOVS            R0, #0
.text:CB18E29A A9 F8 00 00 STRH.W          R0, [R9]
.text:CB18E29E 05 E0       B               loc_CB18E2AC
.text:CB18E2A0
.text:CB18E2A0             loc_CB18E2A0
.text:CB18E2A0 D9 F8 08 00 LDR.W           R0, [R9,#8]
.text:CB18E2A4 00 21       MOVS            R1, #0
.text:CB18E2A6 01 70       STRB            R1, [R0]
.text:CB18E2A8 C9 F8 04 10 STR.W           R1, [R9,#4]
.text:CB18E2AC
.text:CB18E2AC             loc_CB18E2AC
.text:CB18E2AC 09 F1 BC 00 ADD.W           R0, R9, #0xBC
.text:CB18E2B0 11 90       STR             R0, [SP,#0x150+var_10C]
.text:CB18E2B2 09 F1 B0 00 ADD.W           R0, R9, #0xB0
.text:CB18E2B6 12 90       STR             R0, [SP,#0x150+var_108]
.text:CB18E2B8 09 F1 A4 00 ADD.W           R0, R9, #0xA4
.text:CB18E2BC 13 90       STR             R0, [SP,#0x150+var_104]
.text:CB18E2BE 09 F1 98 00 ADD.W           R0, R9, #0x98
.text:CB18E2C2 10 90       STR             R0, [SP,#0x150+var_110]
.text:CB18E2C4 99 F8 0C 10 LDRB.W          R1, [R9,#0xC]
.text:CB18E2C8 09 F1 8C 00 ADD.W           R0, R9, #0x8C
.text:CB18E2CC 07 94       STR             R4, [SP,#0x150+var_134]
.text:CB18E2CE C9 07       LSLS            R1, R1, #0x1F
.text:CB18E2D0 03 D1       BNE             loc_CB18E2DA
.text:CB18E2D2 00 21       MOVS            R1, #0
.text:CB18E2D4 A9 F8 0C 10 STRH.W          R1, [R9,#0xC]
.text:CB18E2D8 05 E0       B               loc_CB18E2E6
.text:CB18E2DA
.text:CB18E2DA             loc_CB18E2DA
.text:CB18E2DA D9 F8 14 20 LDR.W           R2, [R9,#0x14]
.text:CB18E2DE 00 21       MOVS            R1, #0
.text:CB18E2E0 11 70       STRB            R1, [R2]
.text:CB18E2E2 C9 F8 10 10 STR.W           R1, [R9,#0x10]
.text:CB18E2E6
.text:CB18E2E6             loc_CB18E2E6
.text:CB18E2E6 99 F8 38 10 LDRB.W          R1, [R9,#0x38]
.text:CB18E2EA 00 26       MOVS            R6, #0
.text:CB18E2EC A3 F1 40 02 SUB.W           R2, R3, #0x40 ; '@'
.text:CB18E2F0 C9 F8 34 60 STR.W           R6, [R9,#0x34]
.text:CB18E2F4 A3 F1 44 04 SUB.W           R4, R3, #0x44 ; 'D'
.text:CB18E2F8 0A 94       STR             R4, [SP,#0x150+var_128]
.text:CB18E2FA C9 07       LSLS            R1, R1, #0x1F
.text:CB18E2FC 08 92       STR             R2, [SP,#0x150+var_130]
.text:CB18E2FE CD E9 0E 53 STRD.W          R5, R3, [SP,#0x150+var_118]
.text:CB18E302 02 D1       BNE             loc_CB18E30A
.text:CB18E304 AA F8 00 60 STRH.W          R6, [R10]
.text:CB18E308 04 E0       B               loc_CB18E314
.text:CB18E30A
.text:CB18E30A             loc_CB18E30A
.text:CB18E30A D9 F8 40 10 LDR.W           R1, [R9,#0x40]
.text:CB18E30E 0E 70       STRB            R6, [R1]
.text:CB18E310 C9 F8 3C 60 STR.W           R6, [R9,#0x3C]
.text:CB18E314
.text:CB18E314             loc_CB18E314
.text:CB18E314 D9 F8 90 10 LDR.W           R1, [R9,#0x90]
.text:CB18E318 D9 F8 44 30 LDR.W           R3, [R9,#0x44]
.text:CB18E31C D9 F8 50 20 LDR.W           R2, [R9,#0x50]
.text:CB18E320 C9 F8 48 30 STR.W           R3, [R9,#0x48]
.text:CB18E324 C9 F8 54 20 STR.W           R2, [R9,#0x54]
.text:CB18E328 06 90       STR             R0, [SP,#0x150+var_138]
.text:CB18E32A 00 F0 6F FF BL              nop_sub_CF15D20C
.text:CB18E32E 00 26       MOVS            R6, #0
.text:CB18E330 D9 F8 9C 10 LDR.W           R1, [R9,#0x9C]
.text:CB18E334 CD F8 24 B0 STR.W           R11, [SP,#0x150+var_12C]
.text:CB18E338 C9 E9 23 B6 STRD.W          R11, R6, [R9,#0x8C]
.text:CB18E33C C9 F8 94 60 STR.W           R6, [R9,#0x94]
.text:CB18E340 DD F8 40 B0 LDR.W           R11, [SP,#0x150+var_110]
.text:CB18E344 58 46       MOV             R0, R11
.text:CB18E346 00 F0 61 FF BL              nop_sub_CF15D20C
.text:CB18E34A 17 98       LDR             R0, [SP,#0x150+var_F4]
.text:CB18E34C D9 F8 B4 10 LDR.W           R1, [R9,#0xB4]
.text:CB18E350 C9 E9 26 06 STRD.W          R0, R6, [R9,#0x98]
.text:CB18E354 C9 F8 A0 60 STR.W           R6, [R9,#0xA0]
.text:CB18E358 12 98       LDR             R0, [SP,#0x150+var_108]
.text:CB18E35A 00 F0 57 FF BL              nop_sub_CF15D20C
.text:CB18E35E 15 98       LDR             R0, [SP,#0x150+var_FC]
.text:CB18E360 D9 F8 A8 10 LDR.W           R1, [R9,#0xA8]
.text:CB18E364 C9 E9 2C 06 STRD.W          R0, R6, [R9,#0xB0]
.text:CB18E368 C9 F8 B8 60 STR.W           R6, [R9,#0xB8]
.text:CB18E36C 13 98       LDR             R0, [SP,#0x150+var_104]
.text:CB18E36E 00 F0 4D FF BL              nop_sub_CF15D20C
.text:CB18E372 16 98       LDR             R0, [SP,#0x150+var_F8]
.text:CB18E374 D9 F8 C0 10 LDR.W           R1, [R9,#0xC0]
.text:CB18E378 C9 E9 29 06 STRD.W          R0, R6, [R9,#0xA4]
.text:CB18E37C C9 F8 AC 60 STR.W           R6, [R9,#0xAC]
.text:CB18E380 11 98       LDR             R0, [SP,#0x150+var_10C]
.text:CB18E382 00 F0 43 FF BL              nop_sub_CF15D20C
.text:CB18E386 14 9D       LDR             R5, [SP,#0x150+var_100]
.text:CB18E388 2C 24       MOVS            R4, #0x2C ; ','
.text:CB18E38A D9 F8 C8 00 LDR.W           R0, [R9,#0xC8]
.text:CB18E38E D9 F8 D4 10 LDR.W           R1, [R9,#0xD4]
.text:CB18E392 D9 F8 E0 20 LDR.W           R2, [R9,#0xE0]
.text:CB18E396 D9 F8 EC 30 LDR.W           R3, [R9,#0xEC]
.text:CB18E39A C9 E9 2F 56 STRD.W          R5, R6, [R9,#0xBC]
.text:CB18E39E 64 25       MOVS            R5, #0x64 ; 'd'
.text:CB18E3A0 C9 F8 C4 60 STR.W           R6, [R9,#0xC4]
.text:CB18E3A4 89 F8 1C 61 STRB.W          R6, [R9,#0x11C]
.text:CB18E3A8 89 F8 32 60 STRB.W          R6, [R9,#0x32]
.text:CB18E3AC A9 F8 30 60 STRH.W          R6, [R9,#0x30]
.text:CB18E3B0 C9 F8 2C 60 STR.W           R6, [R9,#0x2C]
.text:CB18E3B4 48 F2 1F 56+MOV             R6, #0x51EB851F
.text:CB18E3B4 C5 F2 EB 16
.text:CB18E3BC C9 F8 CC 00 STR.W           R0, [R9,#0xCC]
.text:CB18E3C0 C9 F8 D8 10 STR.W           R1, [R9,#0xD8]
.text:CB18E3C4 C9 F8 E4 20 STR.W           R2, [R9,#0xE4]
.text:CB18E3C8 C9 F8 F0 30 STR.W           R3, [R9,#0xF0]
.text:CB18E3CC
.text:CB18E3CC             loc_CB18E3CC
.text:CB18E3CC 9A F7 E0 EA BLX             arc4random
.text:CB18E3D0 A0 FB 06 12 UMULL.W         R1, R2, R0, R6
.text:CB18E3D4 51 09       LSRS            R1, R2, #5
.text:CB18E3D6 01 FB 15 00 MLS.W           R0, R1, R5, R0
.text:CB18E3DA A4 F1 2C 01 SUB.W           R1, R4, #0x2C ; ','
.text:CB18E3DE 06 29       CMP             R1, #6
.text:CB18E3E0 09 F8 04 00 STRB.W          R0, [R9,R4]
.text:CB18E3E4 04 F1 01 00 ADD.W           R0, R4, #1
.text:CB18E3E8 04 46       MOV             R4, R0
.text:CB18E3EA EF D3       BCC             loc_CB18E3CC
.text:CB18E3EC 00 20       MOVS            R0, #0
.text:CB18E3EE 1B 90       STR             R0, [SP,#0x150+var_E4]
.text:CB18E3F0 40 46       MOV             R0, R8                  ; s
.text:CB18E3F2 9A F7 42 E9 BLX             strlen
.text:CB18E3F6 01 46       MOV             R1, R0
.text:CB18E3F8 1B AA       ADD             R2, SP, #0x150+var_E4
.text:CB18E3FA 40 46       MOV             R0, R8
.text:CB18E3FC 01 23       MOVS            R3, #1
.text:CB18E3FE FF F7 77 FD BL              decBase64_sub_CF15BEF0  ; R3=1: decrypt, R3=0: encrypt
.text:CB18E402 80 46       MOV             R8, R0
.text:CB18E404 DF F8 D8 05 LDR.W           R0, =(off_CB219D7C - 0xCB18E412)
.text:CB18E408 2B 23       MOVS            R3, #0x2B ; '+'
.text:CB18E40A DF F8 D8 15 LDR.W           R1, =(off_CB219D80 - 0xCB18E418)
.text:CB18E40E 78 44       ADD             R0, PC                  ; off_CB219D7C
.text:CB18E410 DF F8 D4 25 LDR.W           R2, =(unk_CB226C40 - 0xCB18E41C)
.text:CB18E414 79 44       ADD             R1, PC                  ; off_CB219D80
.text:CB18E416 00 68       LDR             R0, [R0]                ; unk_DE32430B
.text:CB18E418 7A 44       ADD             R2, PC                  ; unk_CB226C40
.text:CB18E41A 09 68       LDR             R1, [R1]                ; unk_DE30CE9A
.text:CB18E41C 00 92       STR             R2, [SP,#0x150+var_150]
.text:CB18E41E 11 22       MOVS            R2, #0x11
.text:CB18E420 00 F0 F2 FD BL              DecString_loc_CF15D008  ; 24e96202f2d6fe64,aeskey
.text:CB18E424 DF F8 C8 15 LDR.W           R1, =(off_CB219D88 - 0xCB18E434)
.text:CB18E428 05 46       MOV             R5, R0
.text:CB18E42A DF F8 C0 05 LDR.W           R0, =(off_CB219D84 - 0xCB18E43A)
.text:CB18E42E 6B 23       MOVS            R3, #0x6B ; 'k'
.text:CB18E430 79 44       ADD             R1, PC                  ; off_CB219D88
.text:CB18E432 DF F8 C0 25 LDR.W           R2, =(unk_CB226C41 - 0xCB18E43C)
.text:CB18E436 78 44       ADD             R0, PC                  ; off_CB219D84
.text:CB18E438 7A 44       ADD             R2, PC                  ; unk_CB226C41
.text:CB18E43A 00 68       LDR             R0, [R0]                ; unk_DE3242FA
.text:CB18E43C 09 68       LDR             R1, [R1]                ; unk_DE30CE7A
.text:CB18E43E 00 92       STR             R2, [SP,#0x150+var_150]
.text:CB18E440 11 22       MOVS            R2, #0x11
.text:CB18E442 00 F0 E1 FD BL              DecString_loc_CF15D008  ; 632870a7427e3bdc iv
.text:CB18E446 02 46       MOV             R2, R0
.text:CB18E448 1C A8       ADD             R0, SP, #0x150+var_E0
.text:CB18E44A 29 46       MOV             R1, R5
.text:CB18E44C EF F7 CC FA BL              AES_initkey_sub_CDB519E8 ; R1:KEY,R2:IV
.text:CB18E450 1B 9A       LDR             R2, [SP,#0x150+var_E4]
.text:CB18E452 1C A8       ADD             R0, SP, #0x150+var_E0
.text:CB18E454 41 46       MOV             R1, R8
.text:CB18E456 F0 F7 9B FC BL              AES_DecAppkey_sub_CF14CD90 ; r0: key, r1: data, r2: size, r3: init key, r4: size
.text:CB18E45A DF F8 9C 05 LDR.W           R0, =(off_CB219D8C - 0xCB18E46A)
.text:CB18E45E 02 22       MOVS            R2, #2
.text:CB18E460 DF F8 98 15 LDR.W           R1, =(off_CB219D90 - 0xCB18E470)
.text:CB18E464 5C 23       MOVS            R3, #0x5C ; '\'
.text:CB18E466 78 44       ADD             R0, PC                  ; off_CB219D8C
.text:CB18E468 DF F8 94 65 LDR.W           R6, =(unk_CB226C44 - 0xCB18E474)
.text:CB18E46C 79 44       ADD             R1, PC                  ; off_CB219D90
.text:CB18E46E 00 68       LDR             R0, [R0]                ; unk_DE32426C
.text:CB18E470 7E 44       ADD             R6, PC                  ; unk_CB226C44
.text:CB18E472 09 68       LDR             R1, [R1]                ; unk_DE30CE6B
.text:CB18E474 00 96       STR             R6, [SP,#0x150+var_150]
.text:CB18E476 00 F0 C7 FD BL              DecString_loc_CF15D008  ; |
.text:CB18E47A 01 46       MOV             R1, R0                  ; delim
.text:CB18E47C 40 46       MOV             R0, R8                  ; s
.text:CB18E47E 9A F7 8E EA BLX             strtok
.text:CB18E482 DF F8 84 15 LDR.W           R1, =(off_CB219D98 - 0xCB18E492)
.text:CB18E486 04 46       MOV             R4, R0
.text:CB18E488 DF F8 78 05 LDR.W           R0, =(off_CB219D94 - 0xCB18E496)
.text:CB18E48C 02 22       MOVS            R2, #2
.text:CB18E48E 79 44       ADD             R1, PC                  ; off_CB219D98
.text:CB18E490 5C 23       MOVS            R3, #0x5C ; '\'
.text:CB18E492 78 44       ADD             R0, PC                  ; off_CB219D94
.text:CB18E494 00 68       LDR             R0, [R0]                ; unk_DE32426C
.text:CB18E496 09 68       LDR             R1, [R1]                ; unk_DE30CE6B
.text:CB18E498 00 96       STR             R6, [SP,#0x150+var_150]
.text:CB18E49A 00 F0 B5 FD BL              DecString_loc_CF15D008  ; |
.text:CB18E49E 01 46       MOV             R1, R0                  ; delim
.text:CB18E4A0 00 20       MOVS            R0, #0                  ; s
.text:CB18E4A2 9A F7 7C EA BLX             strtok
.text:CB18E4A6 DF F8 68 15 LDR.W           R1, =(off_CB219DA0 - 0xCB18E4B6)
.text:CB18E4AA 05 46       MOV             R5, R0
.text:CB18E4AC DF F8 5C 05 LDR.W           R0, =(off_CB219D9C - 0xCB18E4BA)
.text:CB18E4B0 02 22       MOVS            R2, #2
.text:CB18E4B2 79 44       ADD             R1, PC                  ; off_CB219DA0
.text:CB18E4B4 5C 23       MOVS            R3, #0x5C ; '\'
.text:CB18E4B6 78 44       ADD             R0, PC                  ; off_CB219D9C
.text:CB18E4B8 00 68       LDR             R0, [R0]                ; unk_DE32426C
.text:CB18E4BA 09 68       LDR             R1, [R1]                ; unk_DE30CE6B
.text:CB18E4BC 00 96       STR             R6, [SP,#0x150+var_150]
.text:CB18E4BE 00 F0 A3 FD BL              DecString_loc_CF15D008  ; |
.text:CB18E4C2 01 46       MOV             R1, R0                  ; delim
.text:CB18E4C4 00 20       MOVS            R0, #0                  ; s
.text:CB18E4C6 9A F7 6A EA BLX             strtok
.text:CB18E4CA 34 B3       CBZ             R4, loc_CB18E51A
.text:CB18E4CC 2D B3       CBZ             R5, loc_CB18E51A
.text:CB18E4CE 20 B3       CBZ             R0, loc_CB18E51A
.text:CB18E4D0 DF F8 40 15 LDR.W           R1, =(asc_CB226C45 - 0xCB18E4DE) ; ""
.text:CB18E4D4 CD E9 04 04 STRD.W          R0, R4, [SP,#0x150+s]
.text:CB18E4D8 28 46       MOV             R0, R5                  ; s
.text:CB18E4DA 79 44       ADD             R1, PC                  ; "" ; delim
.text:CB18E4DC CD F8 08 A0 STR.W           R10, [SP,#0x150+var_148]
.text:CB18E4E0 9A F7 5C EA BLX             strtok
.text:CB18E4E4 83 46       MOV             R11, R0
.text:CB18E4E6 00 20       MOVS            R0, #0
.text:CB18E4E8 1A 90       STR             R0, [SP,#0x150+var_E8]
.text:CB18E4EA CD E9 18 00 STRD.W          R0, R0, [SP,#0x150+var_F0]
.text:CB18E4EE 58 46       MOV             R0, R11                 ; s
.text:CB18E4F0 9A F7 C2 E8 BLX             strlen
.text:CB18E4F4 82 46       MOV             R10, R0
.text:CB18E4F6 1A F1 10 0F CMN.W           R10, #0x10
.text:CB18E4FA 80 F0 AC 81 BCS.W           loc_CB18E856
.text:CB18E4FE BA F1 0B 0F CMP.W           R10, #0xB
.text:CB18E502 12 D2       BCS             loc_CB18E52A
.text:CB18E504 4F EA 4A 00 MOV.W           R0, R10,LSL#1
.text:CB18E508 BA F1 00 0F CMP.W           R10, #0
.text:CB18E50C 8D F8 60 00 STRB.W          R0, [SP,#0x150+var_F0]
.text:CB18E510 18 A8       ADD             R0, SP, #0x150+var_F0
.text:CB18E512 40 F0 01 05 ORR.W           R5, R0, #1
.text:CB18E516 15 D1       BNE             loc_CB18E544
.text:CB18E518 19 E0       B               loc_CB18E54E
.text:CB18E51A
.text:CB18E51A             loc_CB18E51A
.text:CB18E51A B8 F1 00 0F CMP.W           R8, #0
.text:CB18E51E 00 F0 8C 81 BEQ.W           loc_CB18E83A
.text:CB18E522 40 46       MOV             R0, R8                  ; ptr
.text:CB18E524 9A F7 1A E9 BLX             free
.text:CB18E528 87 E1       B               loc_CB18E83A
.text:CB18E52A
.text:CB18E52A             loc_CB18E52A
.text:CB18E52A 0A F1 10 00 ADD.W           R0, R10, #0x10
.text:CB18E52E 20 F0 0F 06 BIC.W           R6, R0, #0xF
.text:CB18E532 30 46       MOV             R0, R6
.text:CB18E534 3B F0 A8 FF BL              malloc_sub_CF198488
.text:CB18E538 05 46       MOV             R5, R0
.text:CB18E53A 46 F0 01 00 ORR.W           R0, R6, #1
.text:CB18E53E 1A 95       STR             R5, [SP,#0x150+var_E8]
.text:CB18E540 CD E9 18 0A STRD.W          R0, R10, [SP,#0x150+var_F0]
.text:CB18E544
.text:CB18E544             loc_CB18E544
.text:CB18E544 28 46       MOV             R0, R5
.text:CB18E546 59 46       MOV             R1, R11
.text:CB18E548 52 46       MOV             R2, R10
.text:CB18E54A 9A F7 02 E9 BLX             __aeabi_memcpy
.text:CB18E54E
.text:CB18E54E             loc_CB18E54E
.text:CB18E54E 00 20       MOVS            R0, #0
.text:CB18E550 05 F8 0A 00 STRB.W          R0, [R5,R10]
.text:CB18E554 0F 9D       LDR             R5, [SP,#0x150+var_114]
.text:CB18E556 29 78       LDRB            R1, [R5]
.text:CB18E558 CD F8 0C 80 STR.W           R8, [SP,#0x150+ptr]
.text:CB18E55C C9 07       LSLS            R1, R1, #0x1F
.text:CB18E55E 01 D1       BNE             loc_CB18E564
.text:CB18E560 28 80       STRH            R0, [R5]
.text:CB18E562 04 E0       B               loc_CB18E56E
.text:CB18E564
.text:CB18E564             loc_CB18E564
.text:CB18E564 D9 F8 64 10 LDR.W           R1, [R9,#0x64]
.text:CB18E568 08 70       STRB            R0, [R1]
.text:CB18E56A C9 F8 60 00 STR.W           R0, [R9,#0x60]
.text:CB18E56E
.text:CB18E56E DD F8 14 B0 LDR.W           R11, [SP,#0x150+var_13C]
.text:CB18E572 28 46       MOV             R0, R5
.text:CB18E574 00 21       MOVS            R1, #0
.text:CB18E576 00 24       MOVS            R4, #0
.text:CB18E578 A4 F7 DE F8 BL              nop_sub_CF100738
.text:CB18E57C 18 A8       ADD             R0, SP, #0x150+var_F0
.text:CB18E57E 2A 46       MOV             R2, R5
.text:CB18E580 DF F8 94 14 LDR.W           R1, =(asc_CB226C45 - 0xCB18E58E) ; ""
.text:CB18E584 90 E8 68 00 LDM.W           R0, {R3,R5,R6}
.text:CB18E588 00 20       MOVS            R0, #0                  ; s
.text:CB18E58A 79 44       ADD             R1, PC                  ; "" ; delim
.text:CB18E58C 68 C2       STM             R2!, {R3,R5,R6}
.text:CB18E58E 9A F7 06 EA BLX             strtok
.text:CB18E592 1A 94       STR             R4, [SP,#0x150+var_E8]
.text:CB18E594 82 46       MOV             R10, R0
.text:CB18E596 CD E9 18 44 STRD.W          R4, R4, [SP,#0x150+var_F0]
.text:CB18E59A 9A F7 6E E8 BLX             strlen
.text:CB18E59E 05 46       MOV             R5, R0
.text:CB18E5A0 15 F1 10 0F CMN.W           R5, #0x10
.text:CB18E5A4 80 F0 5A 81 BCS.W           loc_CB18E85C
.text:CB18E5A8 0B 2D       CMP             R5, #0xB
.text:CB18E5AA 08 D2       BCS             loc_CB18E5BE
.text:CB18E5AC 68 00       LSLS            R0, R5, #1
.text:CB18E5AE 00 2D       CMP             R5, #0
.text:CB18E5B0 8D F8 60 00 STRB.W          R0, [SP,#0x150+var_F0]
.text:CB18E5B4 18 A8       ADD             R0, SP, #0x150+var_F0
.text:CB18E5B6 40 F0 01 06 ORR.W           R6, R0, #1
.text:CB18E5BA 0E D1       BNE             loc_CB18E5DA
.text:CB18E5BC 12 E0       B               loc_CB18E5E4
.text:CB18E5BE
.text:CB18E5BE             loc_CB18E5BE
.text:CB18E5BE 05 F1 10 00 ADD.W           R0, R5, #0x10
.text:CB18E5C2 20 F0 0F 0B BIC.W           R11, R0, #0xF
.text:CB18E5C6 58 46       MOV             R0, R11
.text:CB18E5C8 3B F0 5E FF BL              malloc_sub_CF198488
.text:CB18E5CC 06 46       MOV             R6, R0
.text:CB18E5CE 4B F0 01 00 ORR.W           R0, R11, #1
.text:CB18E5D2 18 A9       ADD             R1, SP, #0x150+var_F0
.text:CB18E5D4 61 C1       STM             R1!, {R0,R5,R6}
.text:CB18E5D6 DD F8 14 B0 LDR.W           R11, [SP,#0x150+var_13C]
.text:CB18E5DA
.text:CB18E5DA             loc_CB18E5DA
.text:CB18E5DA 30 46       MOV             R0, R6
.text:CB18E5DC 51 46       MOV             R1, R10
.text:CB18E5DE 2A 46       MOV             R2, R5
.text:CB18E5E0 9A F7 B6 E8 BLX             __aeabi_memcpy
.text:CB18E5E4
.text:CB18E5E4             loc_CB18E5E4
.text:CB18E5E4 00 20       MOVS            R0, #0
.text:CB18E5E6 70 55       STRB            R0, [R6,R5]
.text:CB18E5E8 0E 9D       LDR             R5, [SP,#0x150+var_118]
.text:CB18E5EA 29 78       LDRB            R1, [R5]
.text:CB18E5EC C9 07       LSLS            R1, R1, #0x1F
.text:CB18E5EE 01 D1       BNE             loc_CB18E5F4
.text:CB18E5F0 28 80       STRH            R0, [R5]
.text:CB18E5F2 04 E0       B               loc_CB18E5FE
.text:CB18E5F4
.text:CB18E5F4             loc_CB18E5F4
.text:CB18E5F4 D9 F8 70 10 LDR.W           R1, [R9,#0x70]
.text:CB18E5F8 08 70       STRB            R0, [R1]
.text:CB18E5FA C9 F8 6C 00 STR.W           R0, [R9,#0x6C]
.text:CB18E5FE
.text:CB18E5FE             loc_CB18E5FE
.text:CB18E5FE 0D F1 60 0A ADD.W           R10, SP, #0x150+var_F0
.text:CB18E602 28 46       MOV             R0, R5
.text:CB18E604 00 21       MOVS            R1, #0
.text:CB18E606 00 24       MOVS            R4, #0
.text:CB18E608 A4 F7 96 F8 BL              nop_sub_CF100738
.text:CB18E60C 52 46       MOV             R2, R10
.text:CB18E60E 28 46       MOV             R0, R5
.text:CB18E610 92 E8 68 00 LDM.W           R2, {R3,R5,R6}
.text:CB18E614 DF F8 04 14 LDR.W           R1, =(asc_CB226C45 - 0xCB18E61C) ; ""
.text:CB18E618 79 44       ADD             R1, PC                  ; "" ; delim
.text:CB18E61A 68 C0       STM             R0!, {R3,R5,R6}
.text:CB18E61C 04 98       LDR             R0, [SP,#0x150+s]       ; s
.text:CB18E61E 9A F7 BE E9 BLX             strtok
.text:CB18E622 1A 94       STR             R4, [SP,#0x150+var_E8]
.text:CB18E624 80 46       MOV             R8, R0
.text:CB18E626 CD E9 18 44 STRD.W          R4, R4, [SP,#0x150+var_F0]
.text:CB18E62A 9A F7 26 E8 BLX             strlen
.text:CB18E62E 05 46       MOV             R5, R0
.text:CB18E630 15 F1 10 0F CMN.W           R5, #0x10
.text:CB18E634 80 F0 15 81 BCS.W           loc_CB18E862
.text:CB18E638 0B 2D       CMP             R5, #0xB
.text:CB18E63A 07 D2       BCS             loc_CB18E64C
.text:CB18E63C 4A F0 01 06 ORR.W           R6, R10, #1
.text:CB18E640 68 00       LSLS            R0, R5, #1
.text:CB18E642 00 2D       CMP             R5, #0
.text:CB18E644 8D F8 60 00 STRB.W          R0, [SP,#0x150+var_F0]
.text:CB18E648 0E D1       BNE             loc_CB18E668
.text:CB18E64A 12 E0       B               loc_CB18E672
.text:CB18E64C
.text:CB18E64C             loc_CB18E64C
.text:CB18E64C 05 F1 10 00 ADD.W           R0, R5, #0x10
.text:CB18E650 20 F0 0F 0A BIC.W           R10, R0, #0xF
.text:CB18E654 50 46       MOV             R0, R10
.text:CB18E656 3B F0 17 FF BL              malloc_sub_CF198488
.text:CB18E65A 06 46       MOV             R6, R0
.text:CB18E65C 4A F0 01 00 ORR.W           R0, R10, #1
.text:CB18E660 18 A9       ADD             R1, SP, #0x150+var_F0
.text:CB18E662 61 C1       STM             R1!, {R0,R5,R6}
.text:CB18E664 0D F1 60 0A ADD.W           R10, SP, #0x150+var_F0
.text:CB18E668
.text:CB18E668             loc_CB18E668
.text:CB18E668 30 46       MOV             R0, R6
.text:CB18E66A 41 46       MOV             R1, R8
.text:CB18E66C 2A 46       MOV             R2, R5
.text:CB18E66E 9A F7 70 E8 BLX             __aeabi_memcpy
.text:CB18E672
.text:CB18E672             loc_CB18E672
.text:CB18E672 00 20       MOVS            R0, #0
.text:CB18E674 70 55       STRB            R0, [R6,R5]
.text:CB18E676 0D 9D       LDR             R5, [SP,#0x150+var_11C]
.text:CB18E678 29 78       LDRB            R1, [R5]
.text:CB18E67A C9 07       LSLS            R1, R1, #0x1F
.text:CB18E67C 01 D1       BNE             loc_CB18E682
.text:CB18E67E 28 80       STRH            R0, [R5]
.text:CB18E680 04 E0       B               loc_CB18E68C
.text:CB18E682
.text:CB18E682             loc_CB18E682
.text:CB18E682 D9 F8 7C 10 LDR.W           R1, [R9,#0x7C]
.text:CB18E686 08 70       STRB            R0, [R1]
.text:CB18E688 C9 F8 78 00 STR.W           R0, [R9,#0x78]
.text:CB18E68C
.text:CB18E68C             loc_CB18E68C
.text:CB18E68C 28 46       MOV             R0, R5
.text:CB18E68E 00 21       MOVS            R1, #0
.text:CB18E690 00 24       MOVS            R4, #0
.text:CB18E692 A4 F7 51 F8 BL              nop_sub_CF100738
.text:CB18E696 52 46       MOV             R2, R10
.text:CB18E698 28 46       MOV             R0, R5
.text:CB18E69A 92 E8 68 00 LDM.W           R2, {R3,R5,R6}
.text:CB18E69E E0 49       LDR             R1, =(asc_CB226C45 - 0xCB18E6A4) ; ""
.text:CB18E6A0 79 44       ADD             R1, PC                  ; "" ; delim
.text:CB18E6A2 68 C0       STM             R0!, {R3,R5,R6}
.text:CB18E6A4 00 20       MOVS            R0, #0                  ; s
.text:CB18E6A6 9A F7 7A E9 BLX             strtok
.text:CB18E6AA 1A 94       STR             R4, [SP,#0x150+var_E8]
.text:CB18E6AC 80 46       MOV             R8, R0
.text:CB18E6AE CD E9 18 44 STRD.W          R4, R4, [SP,#0x150+var_F0]
.text:CB18E6B2 99 F7 E2 EF BLX             strlen
.text:CB18E6B6 05 46       MOV             R5, R0
.text:CB18E6B8 15 F1 10 0F CMN.W           R5, #0x10
.text:CB18E6BC 80 F0 D4 80 BCS.W           loc_CB18E868
.text:CB18E6C0 0B 2D       CMP             R5, #0xB
.text:CB18E6C2 07 D2       BCS             loc_CB18E6D4
.text:CB18E6C4 4A F0 01 06 ORR.W           R6, R10, #1
.text:CB18E6C8 68 00       LSLS            R0, R5, #1
.text:CB18E6CA 00 2D       CMP             R5, #0
.text:CB18E6CC 8D F8 60 00 STRB.W          R0, [SP,#0x150+var_F0]
.text:CB18E6D0 0E D1       BNE             loc_CB18E6F0
.text:CB18E6D2 12 E0       B               loc_CB18E6FA
.text:CB18E6D4
.text:CB18E6D4             loc_CB18E6D4
.text:CB18E6D4 05 F1 10 00 ADD.W           R0, R5, #0x10
.text:CB18E6D8 20 F0 0F 0A BIC.W           R10, R0, #0xF
.text:CB18E6DC 50 46       MOV             R0, R10
.text:CB18E6DE 3B F0 D3 FE BL              malloc_sub_CF198488
.text:CB18E6E2 06 46       MOV             R6, R0
.text:CB18E6E4 4A F0 01 00 ORR.W           R0, R10, #1
.text:CB18E6E8 18 A9       ADD             R1, SP, #0x150+var_F0
.text:CB18E6EA 61 C1       STM             R1!, {R0,R5,R6}
.text:CB18E6EC 0D F1 60 0A ADD.W           R10, SP, #0x150+var_F0
.text:CB18E6F0
.text:CB18E6F0             loc_CB18E6F0
.text:CB18E6F0 30 46       MOV             R0, R6
.text:CB18E6F2 41 46       MOV             R1, R8
.text:CB18E6F4 2A 46       MOV             R2, R5
.text:CB18E6F6 9A F7 2C E8 BLX             __aeabi_memcpy
.text:CB18E6FA
.text:CB18E6FA             loc_CB18E6FA
.text:CB18E6FA 0C 9C       LDR             R4, [SP,#0x150+var_120]
.text:CB18E6FC 00 20       MOVS            R0, #0
.text:CB18E6FE 70 55       STRB            R0, [R6,R5]
.text:CB18E700 21 78       LDRB            R1, [R4]
.text:CB18E702 C9 07       LSLS            R1, R1, #0x1F
.text:CB18E704 01 D1       BNE             loc_CB18E70A
.text:CB18E706 20 80       STRH            R0, [R4]
.text:CB18E708 04 E0       B               loc_CB18E714
.text:CB18E70A
.text:CB18E70A             loc_CB18E70A
.text:CB18E70A D9 F8 88 10 LDR.W           R1, [R9,#0x88]
.text:CB18E70E 08 70       STRB            R0, [R1]
.text:CB18E710 C9 F8 84 00 STR.W           R0, [R9,#0x84]
.text:CB18E714
.text:CB18E714             loc_CB18E714
.text:CB18E714 20 46       MOV             R0, R4
.text:CB18E716 00 21       MOVS            R1, #0
.text:CB18E718 A4 F7 0E F8 BL              nop_sub_CF100738
.text:CB18E71C 50 46       MOV             R0, R10
.text:CB18E71E 90 E8 4C 00 LDM.W           R0, {R2,R3,R6}
.text:CB18E722 4C C4       STM             R4!, {R2,R3,R6}
.text:CB18E724 A9 F7 B8 FC BL              pthread_mutex_lock_sub_C59FF098
.text:CB18E728 80 46       MOV             R8, R0
.text:CB18E72A 00 20       MOVS            R0, #0
.text:CB18E72C 1A 90       STR             R0, [SP,#0x150+var_E8]
.text:CB18E72E CD E9 18 00 STRD.W          R0, R0, [SP,#0x150+var_F0]
.text:CB18E732 58 46       MOV             R0, R11                 ; s
.text:CB18E734 99 F7 A0 EF BLX             strlen
.text:CB18E738 05 46       MOV             R5, R0
.text:CB18E73A 15 F1 10 0F CMN.W           R5, #0x10
.text:CB18E73E 80 F0 96 80 BCS.W           loc_CB18E86E
.text:CB18E742 0B 2D       CMP             R5, #0xB
.text:CB18E744 07 D2       BCS             loc_CB18E756
.text:CB18E746 4A F0 01 06 ORR.W           R6, R10, #1
.text:CB18E74A 68 00       LSLS            R0, R5, #1
.text:CB18E74C 00 2D       CMP             R5, #0
.text:CB18E74E 8D F8 60 00 STRB.W          R0, [SP,#0x150+var_F0]
.text:CB18E752 0E D1       BNE             loc_CB18E772
.text:CB18E754 12 E0       B               loc_CB18E77C
.text:CB18E756
.text:CB18E756             loc_CB18E756
.text:CB18E756 05 F1 10 00 ADD.W           R0, R5, #0x10
.text:CB18E75A 20 F0 0F 0A BIC.W           R10, R0, #0xF
.text:CB18E75E 50 46       MOV             R0, R10
.text:CB18E760 3B F0 92 FE BL              malloc_sub_CF198488
.text:CB18E764 06 46       MOV             R6, R0
.text:CB18E766 4A F0 01 00 ORR.W           R0, R10, #1
.text:CB18E76A 18 A9       ADD             R1, SP, #0x150+var_F0
.text:CB18E76C 61 C1       STM             R1!, {R0,R5,R6}
.text:CB18E76E 0D F1 60 0A ADD.W           R10, SP, #0x150+var_F0
.text:CB18E772
.text:CB18E772             loc_CB18E772
.text:CB18E772 30 46       MOV             R0, R6
.text:CB18E774 59 46       MOV             R1, R11
.text:CB18E776 2A 46       MOV             R2, R5
.text:CB18E778 99 F7 EA EF BLX             __aeabi_memcpy
.text:CB18E77C
.text:CB18E77C             loc_CB18E77C
.text:CB18E77C 00 20       MOVS            R0, #0
.text:CB18E77E 70 55       STRB            R0, [R6,R5]
.text:CB18E780 45 46       MOV             R5, R8
.text:CB18E782 15 F8 18 1F LDRB.W          R1, [R5,#0x18]!
.text:CB18E786 11 F0 01 0F TST.W           R1, #1
.text:CB18E78A 01 D1       BNE             loc_CB18E790
.text:CB18E78C 28 80       STRH            R0, [R5]
.text:CB18E78E 04 E0       B               loc_CB18E79A
.text:CB18E790
.text:CB18E790             loc_CB18E790
.text:CB18E790 D8 F8 20 10 LDR.W           R1, [R8,#0x20]
.text:CB18E794 08 70       STRB            R0, [R1]
.text:CB18E796 C8 F8 1C 00 STR.W           R0, [R8,#0x1C]
.text:CB18E79A
.text:CB18E79A             loc_CB18E79A
.text:CB18E79A 28 46       MOV             R0, R5
.text:CB18E79C 00 21       MOVS            R1, #0
.text:CB18E79E 00 24       MOVS            R4, #0
.text:CB18E7A0 A3 F7 CA FF BL              nop_sub_CF100738
.text:CB18E7A4 50 46       MOV             R0, R10
.text:CB18E7A6 90 E8 0E 00 LDM.W           R0, {R1-R3}
.text:CB18E7AA 58 46       MOV             R0, R11                 ; s
.text:CB18E7AC 0E C5       STM             R5!, {R1-R3}
.text:CB18E7AE 1A 94       STR             R4, [SP,#0x150+var_E8]
.text:CB18E7B0 CD E9 18 44 STRD.W          R4, R4, [SP,#0x150+var_F0]
.text:CB18E7B4 99 F7 60 EF BLX             strlen
.text:CB18E7B8 05 46       MOV             R5, R0
.text:CB18E7BA 15 F1 10 0F CMN.W           R5, #0x10
.text:CB18E7BE 59 D2       BCS             loc_CB18E874
.text:CB18E7C0 0B 2D       CMP             R5, #0xB
.text:CB18E7C2 07 D2       BCS             loc_CB18E7D4
.text:CB18E7C4 4A F0 01 06 ORR.W           R6, R10, #1
.text:CB18E7C8 68 00       LSLS            R0, R5, #1
.text:CB18E7CA 00 2D       CMP             R5, #0
.text:CB18E7CC 8D F8 60 00 STRB.W          R0, [SP,#0x150+var_F0]
.text:CB18E7D0 0C D1       BNE             loc_CB18E7EC
.text:CB18E7D2 10 E0       B               loc_CB18E7F6
.text:CB18E7D4
.text:CB18E7D4             loc_CB18E7D4
.text:CB18E7D4 05 F1 10 00 ADD.W           R0, R5, #0x10
.text:CB18E7D8 20 F0 0F 08 BIC.W           R8, R0, #0xF
.text:CB18E7DC 40 46       MOV             R0, R8
.text:CB18E7DE 3B F0 53 FE BL              malloc_sub_CF198488
.text:CB18E7E2 06 46       MOV             R6, R0
.text:CB18E7E4 48 F0 01 00 ORR.W           R0, R8, #1
.text:CB18E7E8 18 A9       ADD             R1, SP, #0x150+var_F0
.text:CB18E7EA 61 C1       STM             R1!, {R0,R5,R6}
.text:CB18E7EC
.text:CB18E7EC             loc_CB18E7EC
.text:CB18E7EC 30 46       MOV             R0, R6
.text:CB18E7EE 59 46       MOV             R1, R11
.text:CB18E7F0 2A 46       MOV             R2, R5
.text:CB18E7F2 99 F7 AE EF BLX             __aeabi_memcpy
.text:CB18E7F6
.text:CB18E7F6             loc_CB18E7F6
.text:CB18E7F6 0B 9C       LDR             R4, [SP,#0x150+var_124]
.text:CB18E7F8 00 20       MOVS            R0, #0
.text:CB18E7FA 70 55       STRB            R0, [R6,R5]
.text:CB18E7FC 21 78       LDRB            R1, [R4]
.text:CB18E7FE C9 07       LSLS            R1, R1, #0x1F
.text:CB18E800 01 D1       BNE             loc_CB18E806
.text:CB18E802 20 80       STRH            R0, [R4]
.text:CB18E804 04 E0       B               loc_CB18E810
.text:CB18E806
.text:CB18E806             loc_CB18E806
.text:CB18E806 D9 F8 04 11 LDR.W           R1, [R9,#0x104]
.text:CB18E80A 08 70       STRB            R0, [R1]
.text:CB18E80C C9 F8 00 01 STR.W           R0, [R9,#0x100]
.text:CB18E810
.text:CB18E810             loc_CB18E810
.text:CB18E810 20 46       MOV             R0, R4
.text:CB18E812 00 21       MOVS            R1, #0
.text:CB18E814 A3 F7 90 FF BL              nop_sub_CF100738
.text:CB18E818 9A E8 07 00 LDM.W           R10, {R0-R2}
.text:CB18E81C 07 C4       STM             R4!, {R0-R2}
.text:CB18E81E 03 98       LDR             R0, [SP,#0x150+ptr]     ; ptr
.text:CB18E820 08 B1       CBZ             R0, loc_CB18E826
.text:CB18E822 99 F7 9C EF BLX             free
.text:CB18E826
.text:CB18E826             loc_CB18E826
.text:CB18E826 0A 20       MOVS            R0, #0xA
.text:CB18E828 0D 21       MOVS            R1, #0xD
.text:CB18E82A C9 E9 42 10 STRD.W          R1, R0, [R9,#0x108]
.text:CB18E82E 06 22       MOVS            R2, #6
.text:CB18E830 08 23       MOVS            R3, #8
.text:CB18E832 D2 26       MOVS            R6, #0xD2
.text:CB18E834 09 F5 88 70 ADD.W           R0, R9, #0x110
.text:CB18E838 4C C0       STM             R0!, {R2,R3,R6}
.text:CB18E83A
.text:CB18E83A             loc_CB18E83A
.text:CB18E83A 7A 48       LDR             R0, =(__stack_chk_guard_ptr - 0xCB18E842)
.text:CB18E83C 4C 99       LDR             R1, [SP,#0x150+var_20]
.text:CB18E83E 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:CB18E840 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:CB18E842 00 68       LDR             R0, [R0]
.text:CB18E844 40 1A       SUBS            R0, R0, R1
.text:CB18E846 01 BF       ITTTT EQ
.text:CB18E848 48 46       MOVEQ           R0, R9
.text:CB18E84A 4D B0       ADDEQ           SP, SP, #0x134
.text:CB18E84C BD E8 00 0F POPEQ.W         {R8-R11}
.text:CB18E850 F0 BD       POPEQ           {R4-R7,PC}

Decryption yields several strings, which are later used as keys:

55b4dc20eaf2a88a|0ea7_7dfd964a-0377-4188-ada7-0758b4f7f63b|ff4b_b5c0d0a4-4763-44e8-baa6-dfca9a66efdb
// split
0ea7_7dfd964a-0377-4188-ada7-0758b4f7f63b
0ea7
7dfd964a-0377-4188-ada7-0758b4f7f63b
ff4b
b5c0d0a4-4763-44e8-baa6-dfca9a66efdb
55b4dc20eaf2a88a

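4. Environment Detection and Device Fingerprinting

4.1 Environment Risk Detection

The SDK checks for xp (Xposed), frida, magisk, hook, root, accessibility, and debug.
Root detection: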

"com.thirdparty.superuser"
"com.noshufou.android.su",
"/daemonsu",
"/subin/su",
"/system/usr/we-need-root/su-backup",
"/system/bin/.ext/.su",
"/sbin_orig/su",
"/su/xbin",
"/system/xbin/mu",
"/su/su.d",
"/system/su",
"/su",
"/su/suhide",
"/vendor/bin/su",
"/system/priv-app/Superuser.apk",
"/system/app/Superuser.apk",
"/data/local/su",
"/system/bin/failsafe/su",
"/system/sd/xbin/su",
"/data/local/bin/su",
"/data/local/xbin/su",
"/system/xbin/su",
"/system/bin/su",
"/sbin/su",
"/su/bin/su",
 
.text:C7101AB0             chekc_root_su_sub_C4732AB0
.text:C7101AB0
.text:C7101AB0             var_20= -0x20
.text:C7101AB0             var_18= -0x18
.text:C7101AB0             var_14= -0x14
.text:C7101AB0
.text:C7101AB0             ; __unwind { // C7155914
.text:C7101AB0 F0 B5       PUSH            {R4-R7,LR}
.text:C7101AB2 03 AF       ADD             R7, SP, #0xC
.text:C7101AB4 4D F8 04 8D PUSH.W          {R8}
.text:C7101AB8 84 B0       SUB             SP, SP, #0x10
.text:C7101ABA 22 49       LDR             R1, =(__stack_chk_guard_ptr - 0xC7101AC0)
.text:C7101ABC 79 44       ADD             R1, PC                  ; __stack_chk_guard_ptr
.text:C7101ABE 09 68       LDR             R1, [R1]                ; __stack_chk_guard
.text:C7101AC0 09 68       LDR             R1, [R1]
.text:C7101AC2 03 91       STR             R1, [SP,#0x20+var_14]
.text:C7101AC4 D0 E9 00 45 LDRD.W          R4, R5, [R0]
.text:C7101AC8 AC 42       CMP             R4, R5
.text:C7101ACA 1E D0       BEQ             loc_C7101B0A
.text:C7101ACC E8 46       MOV             R8, SP
.text:C7101ACE
.text:C7101ACE             loc_C7101ACE
.text:C7101ACE 40 46       MOV             R0, R8
.text:C7101AD0 21 46       MOV             R1, R4
.text:C7101AD2 BC F7 A3 FC BL              memory_cpy_sub_CF0FF41C
.text:C7101AD6 9D F8 00 00 LDRB.W          R0, [SP,#0x20+var_20]
.text:C7101ADA 02 99       LDR             R1, [SP,#0x20+var_18]
.text:C7101ADC 10 F0 01 0F TST.W           R0, #1
.text:C7101AE0 08 BF       IT EQ
.text:C7101AE2 48 F0 01 01 ORREQ.W         R1, R8, #1
.text:C7101AE6 21 20       MOVS            R0, #0x21 ; '!'         ; sysno
.text:C7101AE8 00 22       MOVS            R2, #0
.text:C7101AEA B3 F7 FE EE BLX             syscall                 ; check
.text:C7101AEE 06 46       MOV             R6, R0
.text:C7101AF0 9D F8 00 00 LDRB.W          R0, [SP,#0x20+var_20]
.text:C7101AF4 C0 07       LSLS            R0, R0, #0x1F
.text:C7101AF6 1C BF       ITT NE
.text:C7101AF8 02 98       LDRNE           R0, [SP,#0x20+var_18]
.text:C7101AFA 55 F0 03 FD BLNE            free_sub_BDDF1504
.text:C7101AFE 2E B1       CBZ             R6, loc_C7101B0C
.text:C7101B00 0C 34       ADDS            R4, #0xC

Magisk detection

/sbin/.magisk
/proc/mounts
 
.text:C71006DE B6 F7 27 FB BL              DecString_loc_CEE73D30  ; r
.text:C71006E2 01 46       MOV             R1, R0                  ; modes
.text:C71006E4 20 46       MOV             R0, R4                  ; filename
.text:C71006E6 B4 F7 E0 EF BLX             fopen
.text:C71006EA 83 46       MOV             R11, R0
.text:C71006EC BB F1 00 0F CMP.W           R11, #0
.text:C71006F0 08 D0       BEQ             loc_C7100704
.text:C71006F2 58 46       MOV             R0, R11                 ; stream
.text:C71006F4 B5 F7 22 E9 BLX             feof
.text:C71006F8 98 B1       CBZ             R0, loc_C7100722
.text:C7100732 40 46       MOV             R0, R8                  ; s
.text:C7100734 4F F4 80 71 MOV.W           R1, #0x100              ; n
.text:C7100738 5A 46       MOV             R2, R11                 ; stream
.text:C710073A B4 F7 BC EF BLX             fgets
.text:C710073E 40 46       MOV             R0, R8                  ; s
.text:C7100740 04 95       STR             R5, [SP,#0x138+var_128]
.text:C7100742 CD E9 02 55 STRD.W          R5, R5, [SP,#0x138+var_130]
.text:C7100746 B4 F7 98 EF BLX             strlen
.text:C710074A 04 46       MOV             R4, R0
.text:C710074C 14 F1 10 0F CMN.W           R4, #0x10
.text:C7100750 30 D2       BCS             loc_C71007B4
.text:C7100752 0B 2C       CMP             R4, #0xB
.text:C7100754 06 D2       BCS             loc_C7100764
.text:C7100756 01 9E       LDR             R6, [SP,#0x138+var_134]
.text:C7100758 60 00       LSLS            R0, R4, #1
.text:C710075A 00 2C       CMP             R4, #0
.text:C710075C 8D F8 08 00 STRB.W          R0, [SP,#0x138+var_130]
.text:C7100760 0E D1       BNE             loc_C7100780
.text:C7100762 12 E0       B               loc_C710078A
.text:C7100764
.text:C7100764             loc_C7100764
.text:C7100764 04 F1 10 00 ADD.W           R0, R4, #0x10
.text:C7100768 20 F0 0F 05 BIC.W           R5, R0, #0xF
.text:C710076C 28 46       MOV             R0, R5
.text:C710076E 56 F0 8B FE BL              malloc_sub_CF198488
.text:C7100772 06 46       MOV             R6, R0
.text:C7100774 45 F0 01 00 ORR.W           R0, R5, #1
.text:C7100778 04 96       STR             R6, [SP,#0x138+var_128]
.text:C710077A 00 25       MOVS            R5, #0
.text:C710077C CD E9 02 04 STRD.W          R0, R4, [SP,#0x138+var_130]
.text:C7100780
.text:C7100780             loc_C7100780
.text:C7100780 30 46       MOV             R0, R6
.text:C7100782 41 46       MOV             R1, R8
.text:C7100784 22 46       MOV             R2, R4
.text:C7100786 B4 F7 E4 EF BLX             __aeabi_memcpy
.text:C710078A
.text:C710078A             loc_C710078A
.text:C710078A 35 55       STRB            R5, [R6,R4]
.text:C710078C 50 46       MOV             R0, R10
.text:C710078E 49 46       MOV             R1, R9
.text:C7100790 F8 F7 66 FE BL              memcmp_sub_CDB40460
.text:C7100794 04 46       MOV             R4, R0
.text:C7100796 9D F8 08 00 LDRB.W          R0, [SP,#0x138+var_130]
.text:C710079A C0 07       LSLS            R0, R0, #0x1F
.text:C710079C 1C BF       ITT NE
.text:C710079E 04 98       LDRNE           R0, [SP,#0x138+var_128]
.text:C71007A0 56 F0 B0 FE BLNE            free_sub_BDDF1504
.text:C71007A4 00 2C       CMP             R4, #0
.text:C71007A6 A8 D0       BEQ             loc_C71006FA
.text:C71007A8 58 46       MOV             R0, R11                 ; stream
.text:C71007AA B5 F7 C8 E8 BLX             feof
.text:C71007AE 00 28       CMP             R0, #0
.text:C71007B0 BF D0       BEQ             loc_C7100732
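
The root and Magisk checks above, written out in C as an added example (not code from the SDK or from the original post): a raw access(2) probe over a few of the listed paths, and a chunked scan of a mounts file for /sbin/.magisk. The function names, the substring-match reading of the Magisk check and the sample mounts text are assumptions; the carry-over for lines longer than one 0x100-byte fgets() chunk goes beyond what the listing shows.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Probe a path with a raw access(2) system call instead of the libc wrapper,
 * as the listing does (sysno 0x21 is access on 32-bit ARM). */
static int path_exists_raw(const char *path)
{
#ifdef __NR_access
    return syscall(__NR_access, path, F_OK) == 0;
#else   /* ABIs without access(2), such as arm64, only expose faccessat(2) */
    return syscall(__NR_faccessat, AT_FDCWD, path, F_OK) == 0;
#endif
}

/* Walk the candidate list; return the index of the first path that exists,
 * or -1 when none does. */
int first_existing_path(const char *const *paths, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (path_exists_raw(paths[i]))
            return (int)i;
    return -1;
}

#define CHUNK 0x100   /* same fgets() size as the listing */

/* Return 1 if any line of the stream contains marker, else 0. A line longer
 * than one chunk is read in pieces; the last strlen(marker)-1 bytes of each
 * piece are carried over so a marker split across two reads is still found. */
int stream_has_marker(FILE *fp, const char *marker)
{
    char buf[2 * CHUNK];
    size_t mlen = strlen(marker), carry = 0;

    if (mlen == 0 || mlen >= CHUNK)
        return 0;
    while (fgets(buf + carry, CHUNK, fp) != NULL) {
        size_t len = carry + strlen(buf + carry);
        if (strstr(buf, marker) != NULL)
            return 1;
        if (len > 0 && buf[len - 1] == '\n') {   /* line complete */
            carry = 0;
            continue;
        }
        carry = len < mlen - 1 ? len : mlen - 1; /* partial line: keep the tail */
        memmove(buf, buf + len - carry, carry);
    }
    return 0;
}

/* Constructed sample in /proc/mounts format (not captured from a device). */
static const char SAMPLE_MOUNTS[] =
    "/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0\n"
    "tmpfs /sbin tmpfs rw,seclabel,relatime,mode=755 0 0\n"
    "/sbin/.magisk/block/system /sbin/.magisk/mirror/system ext4 ro,seclabel 0 0\n";

/* Run the scan over an in-memory text; returns 1/0, or -1 if no temp file. */
int sample_has_marker(const char *text, const char *marker)
{
    FILE *fp = tmpfile();
    int found;

    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    found = stream_has_marker(fp, marker);
    fclose(fp);
    return found;
}

int main(void)
{
    /* Four of the candidate paths from the list above. */
    static const char *const su_paths[] = {
        "/system/xbin/su", "/system/bin/su", "/sbin/su", "/su/bin/su",
    };
    FILE *fp = fopen("/proc/mounts", "r");

    printf("first su path index: %d\n",
           first_existing_path(su_paths, sizeof su_paths / sizeof su_paths[0]));
    if (fp != NULL) {
        printf("/proc/mounts has marker: %d\n",
               stream_has_marker(fp, "/sbin/.magisk"));
        fclose(fp);
    }
    printf("constructed sample has marker: %d\n",
           sample_has_marker(SAMPLE_MOUNTS, "/sbin/.magisk"));
    return 0;
}
```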

Xposed detection

getSystemClassLoader
de.robv.android.xposed.XposedBridge
loadClass

Multi-instance (app cloning) detection

io.va.exposed64
createPackageContext

Frida detection

Search memory for the signature:
frida-
 
.text:C70C67DE BA F1 4A 0F CMP.W           R10, #0x4A ; 'J'
.text:C70C67E2 73 DA       BGE             loc_C70C68CC
.text:C70C67E4 BA F1 41 0F CMP.W           R10, #0x41 ; 'A'
.text:C70C67E8 50 46       MOV             R0, R10
.text:C70C67EA C0 F2 F1 80 BLT.W           loc_C70C69D0
.text:C70C67EE 40 F0 DA 80 BNE.W           loc_C70C69A6
.text:C70C67F2 06 99       LDR             R1, [SP,#0x70+var_58]
.text:C70C67F4 B1 F8 4C 00 LDRH.W          R0, [R1,#0x4C]
.text:C70C67F8 09 8D       LDRH            R1, [R1,#0x28]
.text:C70C67FA 08 43       ORRS            R0, R1
.text:C70C67FC 4F F6 18 31 MOVW            R1, #0xFB18
.text:C70C6800 80 B2       UXTH            R0, R0
.text:C70C6802 88 42       CMP             R0, R1
.text:C70C6804 00 F0 04 81 BEQ.W           loc_C70C6A10
.text:C70C6808 8D 48       LDR             R0, =(off_C71A2A5C - 0xC70C6812)
.text:C70C680A 8D 23       MOVS            R3, #0x8D
.text:C70C680C 8D 49       LDR             R1, =(off_C71A2A60 - 0xC70C6816)
.text:C70C680E 78 44       ADD             R0, PC                  ; off_C71A2A5C
.text:C70C6810 8D 4A       LDR             R2, =(unk_C71B070C - 0xC70C681A)
.text:C70C6812 79 44       ADD             R1, PC                  ; off_C71A2A60
.text:C70C6814 00 68       LDR             R0, [R0]                ; unk_1981D86D
.text:C70C6816 7A 44       ADD             R2, PC                  ; unk_C71B070C
.text:C70C6818 13 9C       LDR             R4, [SP,#0x70+var_24]
.text:C70C681A 09 68       LDR             R1, [R1]                ; unk_19802832
.text:C70C681C 00 92       STR             R2, [SP,#0x70+var_70]
.text:C70C681E 07 22       MOVS            R2, #7
.text:C70C6820 F0 F7 86 FA BL              DecString_loc_CEE73D30  ; frida-
.text:C70C6824 11 90       STR             R0, [SP,#0x70+s]
.text:C70C6826 04 F1 10 08 ADD.W           R8, R4, #0x10
.text:C70C682A 6A 20       MOVS            R0, #0x6A ; 'j'
.text:C70C682C C5 E7       B               loc_C70C67BA
.text:C70C682E
.text:C70C682E             loc_C70C682E
.text:C70C682E 0D 99       LDR             R1, [SP,#0x70+var_3C]
.text:C70C6830 B1 F8 5C 00 LDRH.W          R0, [R1,#0x5C]
.text:C70C6834 89 88       LDRH            R1, [R1,#4]
.text:C70C6836 08 44       ADD             R0, R1
.text:C70C6838 10 90       STR             R0, [SP,#0x70+var_30]
.text:C70C683A 08 F1 01 00 ADD.W           R0, R8, #1
.text:C70C683E 0F 90       STR             R0, [SP,#0x70+var_34]
.text:C70C6840 50 46       MOV             R0, R10
.text:C70C6842
.text:C70C6842             loc_C70C6842
.text:C70C6842 BA F1 5F 0F CMP.W           R10, #0x5F ; '_'
.text:C70C6846 5B DB       BLT             loc_C70C6900
.text:C70C6848 BA F1 65 0F CMP.W           R10, #0x65 ; 'e'
.text:C70C684C 7C DB       BLT             loc_C70C6948
.text:C70C684E BA F1 6A 0F CMP.W           R10, #0x6A ; 'j'
.text:C70C6852 C0 F2 A1 80 BLT.W           loc_C70C6998
.text:C70C6856 98 F8 00 00 LDRB.W          R0, [R8]
.text:C70C685A 10 F0 01 0F TST.W           R0, #1
.text:C70C685E 06 BF       ITTE EQ
.text:C70C6860 44 08       LSREQ           R4, R0, #1
.text:C70C6862 DD F8 3C 90 LDREQ.W         R9, [SP,#0x70+var_34]
.text:C70C6866 D8 E9 01 49 LDRDNE.W        R4, R9, [R8,#4]
.text:C70C686A 11 98       LDR             R0, [SP,#0x70+s]        ; s
.text:C70C686C EE F7 04 EF BLX             strlen
.text:C70C6870 05 46       MOV             R5, R0
.text:C70C6872 1D B3       CBZ             R5, loc_C70C68BC
.text:C70C6874 AC 42       CMP             R4, R5
.text:C70C6876 1F DB       BLT             loc_C70C68B8
.text:C70C6878 11 98       LDR             R0, [SP,#0x70+s]
.text:C70C687A 09 EB 04 0B ADD.W           R11, R9, R4
.text:C70C687E 06 78       LDRB            R6, [R0]
.text:C70C6880 48 46       MOV             R0, R9                  ; s
.text:C70C6882
.text:C70C6882             loc_C70C6882                            ; CODE XREF: check_frida_sub_C4A836F0+1B6↓j
.text:C70C6882 61 1B       SUBS            R1, R4, R5
.text:C70C6884 4A 1C       ADDS            R2, R1, #1              ; n
.text:C70C6886 17 D0       BEQ             loc_C70C68B8
.text:C70C6888 31 46       MOV             R1, R6                  ; c
.text:C70C688A EE F7 AA EF BLX             memchr
.text:C70C688E 04 46       MOV             R4, R0
.text:C70C6890 94 B1       CBZ             R4, loc_C70C68B8
.text:C70C6892 11 99       LDR             R1, [SP,#0x70+s]        ; s2
.text:C70C6894 20 46       MOV             R0, R4                  ; s1
.text:C70C6896 2A 46       MOV             R2, R5                  ; n
.text:C70C6898 EE F7 A8 EF BLX             memcmp
.text:C70C689C 28 B1       CBZ             R0, loc_C70C68AA
.text:C70C689E 60 1C       ADDS            R0, R4, #1
.text:C70C68A0 AB EB 00 04 SUB.W           R4, R11, R0

Hook detection

.text:C70EF776             check_start_loc_C472C776
.text:C70EF776 08 F1 10 01 ADD.W           R1, R8, #0x10
.text:C70EF77A 28 46       MOV             R0, R5
.text:C70EF77C C2 F7 4E FE BL              memory_cpy_sub_CF0FF41C
.text:C70EF780 D8 F8 1C 40 LDR.W           R4, [R8,#0x1C]
.text:C70EF784 33 94       STR             R4, [SP,#0x1A0+var_D4]
.text:C70EF786 16 A8       ADD             R0, SP, #0x1A0+var_148
.text:C70EF788 29 46       MOV             R1, R5
.text:C70EF78A C2 F7 47 FE BL              memory_cpy_sub_CF0FF41C
.text:C70EF78E 20 46       MOV             R0, R4
.text:C70EF790 31 46       MOV             R1, R6
.text:C70EF792 BA F7 B6 E8 BLX             dladdr                  ; resolve the function address to the path of its own .so to determine whether it has been hooked
.text:C70EF796 00 28       CMP             R0, #0
.text:C70EF798 00 F0 F2 80 BEQ.W           loc_C70EF980
.text:C70EF79C DD F8 48 90 LDR.W           R9, [SP,#0x1A0+var_158]
.text:C70EF7A0 CD F8 40 A0 STR.W           R10, [SP,#0x1A0+var_160]
.text:C70EF7A4 CD E9 0E AA STRD.W          R10, R10, [SP,#0x1A0+var_168]
.text:C70EF7A8 48 46       MOV             R0, R9                  ; s
.text:C70EF7AA B9 F7 66 EF BLX             strlen
.text:C70EF7AE 04 46       MOV             R4, R0
.text:C70EF7B0 14 F1 10 0F CMN.W           R4, #0x10
.text:C70EF7B4 80 F0 D7 81 BCS.W           loc_C70EFB66
.text:C70EF7B8 0B 2C       CMP             R4, #0xB
.text:C70EF7BA 06 D2       BCS             loc_C70EF7CA
.text:C70EF7BC 02 9D       LDR             R5, [SP,#0x1A0+var_198]
.text:C70EF7BE 60 00       LSLS            R0, R4, #1
.text:C70EF7C0 00 2C       CMP             R4, #0
.text:C70EF7C2 8D F8 38 00 STRB.W          R0, [SP,#0x1A0+var_168]
.text:C70EF7C6 0E D1       BNE             loc_C70EF7E6
.text:C70EF7C8 12 E0       B               loc_C70EF7F0
.text:C70EF7CA
.text:C70EF7CA             loc_C70EF7CA
.text:C70EF7CA 04 F1 10 00 ADD.W           R0, R4, #0x10
.text:C70EF7CE 20 F0 0F 0A BIC.W           R10, R0, #0xF
.text:C70EF7D2 50 46       MOV             R0, R10
.text:C70EF7D4 5B F0 58 FE BL              malloc_sub_CF198488
.text:C70EF7D8 05 46       MOV             R5, R0
.text:C70EF7DA 4A F0 01 00 ORR.W           R0, R10, #1
.text:C70EF7DE 0E A9       ADD             R1, SP, #0x1A0+var_168
.text:C70EF7E0 31 C1       STM             R1!, {R0,R4,R5}
.text:C70EF7E2 4F F0 00 0A MOV.W           R10, #0
.text:C70EF7E6
.text:C70EF7E6             loc_C70EF7E6
.text:C70EF7E6 28 46       MOV             R0, R5
.text:C70EF7E8 49 46       MOV             R1, R9
.text:C70EF7EA 22 46       MOV             R2, R4
.text:C70EF7EC B9 F7 B0 EF BLX             __aeabi_memcpy
.text:C70EF7F0
.text:C70EF7F0             loc_C70EF7F0
.text:C70EF7F0 05 F8 04 A0 STRB.W          R10, [R5,R4]
.text:C70EF7F4 08 A8       ADD             R0, SP, #0x1A0+var_180
.text:C70EF7F6 0E A9       ADD             R1, SP, #0x1A0+var_168
.text:C70EF7F8 D4 F7 75 FC BL              memcmp_sub_CDA130E6
.text:C70EF7FC 04 46       MOV             R4, R0
.text:C70EF7FE 9D F8 38 00 LDRB.W          R0, [SP,#0x1A0+var_168]
.text:C70EF802 C0 07       LSLS            R0, R0, #0x1F
.text:C70EF804 1C BF       ITT NE
.text:C70EF806 10 98       LDRNE           R0, [SP,#0x1A0+var_160]
.text:C70EF808 5B F0 7C FE BLNE            free_sub_BDDF1504

Debugger detection

//TracerPid
.text:C70BAE10             Read_TracerPid_sub_C4A83E10
.text:C70BAE10
.text:C70BAE10             var_128= -0x128
.text:C70BAE10             s= -0x120
.text:C70BAE10             var_1C= -0x1C
.text:C70BAE10
.text:C70BAE10             ; __unwind { // FBF89000
.text:C70BAE10 F0 B5       PUSH            {R4-R7,LR}
.text:C70BAE12 03 AF       ADD             R7, SP, #0xC
.text:C70BAE14 2D E9 00 0B PUSH.W          {R8,R9,R11}
.text:C70BAE18 C4 B0       SUB             SP, SP, #0x110
.text:C70BAE1A 35 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC70BAE24)
.text:C70BAE1C 4F F4 80 71 MOV.W           R1, #0x100
.text:C70BAE20 78 44       ADD             R0, PC
.text:C70BAE22 00 68       LDR             R0, [R0]
.text:C70BAE24 00 68       LDR             R0, [R0]
.text:C70BAE26 43 90       STR             R0, [SP,#0x128+var_1C]
.text:C70BAE28 02 A8       ADD             R0, SP, #0x128+s
.text:C70BAE2A EE F7 80 EC BLX             __aeabi_memclr8
.text:C70BAE2E 31 48       LDR             R0, =(off_C7196A44 - 0xC70BAE38)
.text:C70BAE30 05 23       MOVS            R3, #5
.text:C70BAE32 31 49       LDR             R1, =(off_C7196A48 - 0xC70BAE3C)
.text:C70BAE34 78 44       ADD             R0, PC                  ; off_C7196A44
.text:C70BAE36 31 4A       LDR             R2, =(unk_C71A46F5 - 0xC70BAE40)
.text:C70BAE38 79 44       ADD             R1, PC                  ; off_C7196A48
.text:C70BAE3A 00 68       LDR             R0, [R0]                ; unk_19811856
.text:C70BAE3C 7A 44       ADD             R2, PC                  ; unk_C71A46F5
.text:C70BAE3E 09 68       LDR             R1, [R1]                ; unk_197F6820
.text:C70BAE40 00 92       STR             R2, [SP,#0x128+var_128]
.text:C70BAE42 12 22       MOVS            R2, #0x12
.text:C70BAE44 EF F7 74 FF BL              DecString_loc_CEE73D30  ; /proc/self/status
.text:C70BAE48 2E 49       LDR             R1, =(off_C7196A50 - 0xC70BAE54)
.text:C70BAE4A 04 46       MOV             R4, R0
.text:C70BAE4C 2C 48       LDR             R0, =(off_C7196A4C - 0xC70BAE58)
.text:C70BAE4E C3 23       MOVS            R3, #0xC3
.text:C70BAE50 79 44       ADD             R1, PC                  ; off_C7196A50
.text:C70BAE52 2D 4A       LDR             R2, =(unk_C71A089C - 0xC70BAE5A)
.text:C70BAE54 78 44       ADD             R0, PC                  ; off_C7196A4C
.text:C70BAE56 7A 44       ADD             R2, PC                  ; unk_C71A089C
.text:C70BAE58 00 68       LDR             R0, [R0]                ; unk_1980DA04
.text:C70BAE5A 09 68       LDR             R1, [R1]                ; unk_197F26F6
.text:C70BAE5C 00 92       STR             R2, [SP,#0x128+var_128]
.text:C70BAE5E 02 22       MOVS            R2, #2
.text:C70BAE60 EF F7 66 FF BL              DecString_loc_CEE73D30  ; r
.text:C70BAE64 01 46       MOV             R1, R0                  ; modes
.text:C70BAE66 20 46       MOV             R0, R4                  ; filename
.text:C70BAE68 EE F7 1E EC BLX             fopen
.text:C70BAE6C 04 46       MOV             R4, R0
.text:C70BAE6E 3C B3       CBZ             R4, loc_C70BAEC0
.text:C70BAE70 02 A8       ADD             R0, SP, #0x128+s        ; s
.text:C70BAE72 4F F4 80 71 MOV.W           R1, #0x100              ; n
.text:C70BAE76 22 46       MOV             R2, R4                  ; stream
.text:C70BAE78 EE F7 1C EC BLX             fgets
.text:C70BAE7C F0 B1       CBZ             R0, loc_C70BAEBC
.text:C70BAE7E DF F8 8C 80 LDR.W           R8, =(off_C7196A54 - 0xC70BAE8E)
.text:C70BAE82 02 AD       ADD             R5, SP, #0x128+s
.text:C70BAE84 DF F8 88 90 LDR.W           R9, =(off_C7196A58 - 0xC70BAE90)
.text:C70BAE88 22 4E       LDR             R6, =(unk_C71A46D1 - 0xC70BAE92)
.text:C70BAE8A F8 44       ADD             R8, PC                  ; off_C7196A54
.text:C70BAE8C F9 44       ADD             R9, PC                  ; off_C7196A58
.text:C70BAE8E 7E 44       ADD             R6, PC                  ; unk_C71A46D1
.text:C70BAE90
.text:C70BAE90             loc_C70BAE90
.text:C70BAE90 D8 F8 00 00 LDR.W           R0, [R8]                ; unk_19811832
.text:C70BAE94 0B 22       MOVS            R2, #0xB
.text:C70BAE96 D9 F8 00 10 LDR.W           R1, [R9]                ; unk_197F67EA
.text:C70BAE9A F4 23       MOVS            R3, #0xF4
.text:C70BAE9C 00 96       STR             R6, [SP,#0x128+var_128]
.text:C70BAE9E EF F7 47 FF BL              DecString_loc_CEE73D30  ; TracerPid:
.text:C70BAEA2 01 46       MOV             R1, R0                  ; needle
.text:C70BAEA4 28 46       MOV             R0, R5                  ; haystack
.text:C70BAEA6 EE F7 66 EC BLX             strstr
.text:C70BAEAA 58 B9       CBNZ            R0, loc_C70BAEC4
.text:C70BAEAC 28 46       MOV             R0, R5                  ; s
.text:C70BAEAE 4F F4 80 71 MOV.W           R1, #0x100              ; n
.text:C70BAEB2 22 46       MOV             R2, R4                  ; stream
.text:C70BAEB4 EE F7 FE EB BLX             fgets
.text:C70BAEB8 00 28       CMP             R0, #0
.text:C70BAEBA E9 D1       BNE             loc_C70BAE90
.text:C70BAEBC
.text:C70BAEBC             loc_C70BAEBC
.text:C70BAEBC 00 25       MOVS            R5, #0
.text:C70BAEBE 05 E0       B               loc_C70BAECC
.text:C70BAEC0
.text:C70BAEC0             loc_C70BAEC0
.text:C70BAEC0 00 25       MOVS            R5, #0
.text:C70BAEC2 06 E0       B               loc_C70BAED2
.text:C70BAEC4
.text:C70BAEC4             loc_C70BAEC4
.text:C70BAEC4 0B 30       ADDS            R0, #0xB
.text:C70BAEC6 EE F7 A4 EC BLX             atoi
.text:C70BAECA 05 46       MOV             R5, R0
.text:C70BAECC
.text:C70BAECC             loc_C70BAECC
.text:C70BAECC 20 46       MOV             R0, R4
.text:C70BAECE EE F7 F8 EB BLX             fclose
 
 
//isDebuggerConnected
.text:C70E96F8             isDebuggerConnected_sub_C4AB26F8
.text:C70E96F8
.text:C70E96F8             var_C8= -0xC8
.text:C70E96F8             var_C0= -0xC0
.text:C70E96F8             var_A0= -0xA0
.text:C70E96F8             var_1C= -0x1C
.text:C70E96F8
.text:C70E96F8             ; __unwind { // C7149914
.text:C70E96F8 F0 B5       PUSH            {R4-R7,LR}
.text:C70E96FA 03 AF       ADD             R7, SP, #0xC
.text:C70E96FC 2D E9 00 0B PUSH.W          {R8,R9,R11}
.text:C70E9700 AC B0       SUB             SP, SP, #0xB0
.text:C70E9702 35 49       LDR             R1, =(__stack_chk_guard_ptr - 0xC70E970A)
.text:C70E9704 35 4A       LDR             R2, =(off_C7197F90 - 0xC70E970E)
.text:C70E9706 79 44       ADD             R1, PC                  ; __stack_chk_guard_ptr
.text:C70E9708 35 4B       LDR             R3, =(off_C7197F94 - 0xC70E9712)
.text:C70E970A 7A 44       ADD             R2, PC                  ; off_C7197F90
.text:C70E970C 09 68       LDR             R1, [R1]                ; __stack_chk_guard
.text:C70E970E 7B 44       ADD             R3, PC                  ; off_C7197F94
.text:C70E9710 09 68       LDR             R1, [R1]
.text:C70E9712 2B 91       STR             R1, [SP,#0xC8+var_1C]
.text:C70E9714 D0 F8 20 80 LDR.W           R8, [R0,#0x20]
.text:C70E9718 10 68       LDR             R0, [R2]                ; unk_19813151
.text:C70E971A 32 4A       LDR             R2, =(unk_C71A5FD8 - 0xC70E9724)
.text:C70E971C 19 68       LDR             R1, [R3]                ; unk_197F81D0
.text:C70E971E A1 23       MOVS            R3, #0xA1
.text:C70E9720 7A 44       ADD             R2, PC                  ; unk_C71A5FD8
.text:C70E9722 00 92       STR             R2, [SP,#0xC8+var_C8]
.text:C70E9724 14 22       MOVS            R2, #0x14
.text:C70E9726 C1 F7 03 FB BL              DecString_loc_CEE73D30  ; isDebuggerConnected
.text:C70E972A 30 49       LDR             R1, =(off_C7197F9C - 0xC70E9736)
.text:C70E972C 81 46       MOV             R9, R0
.text:C70E972E 2E 48       LDR             R0, =(off_C7197F98 - 0xC70E973A)
.text:C70E9730 CA 23       MOVS            R3, #0xCA
.text:C70E9732 79 44       ADD             R1, PC                  ; off_C7197F9C
.text:C70E9734 2E 4A       LDR             R2, =(unk_C71A4484 - 0xC70E973C)
.text:C70E9736 78 44       ADD             R0, PC                  ; off_C7197F98
.text:C70E9738 7A 44       ADD             R2, PC                  ; unk_C71A4484
.text:C70E973A 00 68       LDR             R0, [R0]                ; unk_19811617
.text:C70E973C 09 68       LDR             R1, [R1]                ; unk_197F656F
.text:C70E973E 00 92       STR             R2, [SP,#0xC8+var_C8]
.text:C70E9740 04 22       MOVS            R2, #4
.text:C70E9742 C1 F7 F5 FA BL              DecString_loc_CEE73D30  ; ()Z
.text:C70E9746 2C 49       LDR             R1, =(off_C7197FA4 - 0xC70E9752)
.text:C70E9748 06 46       MOV             R6, R0
.text:C70E974A 2A 48       LDR             R0, =(off_C7197FA0 - 0xC70E9756)
.text:C70E974C 22 23       MOVS            R3, #0x22 ; '"'
.text:C70E974E 79 44       ADD             R1, PC                  ; off_C7197FA4
.text:C70E9750 2A 4A       LDR             R2, =(unk_C71A5FD9 - 0xC70E9758)
.text:C70E9752 78 44       ADD             R0, PC                  ; off_C7197FA0
.text:C70E9754 7A 44       ADD             R2, PC                  ; unk_C71A5FD9
.text:C70E9756 00 68       LDR             R0, [R0]                ; unk_19813140
.text:C70E9758 09 68       LDR             R1, [R1]                ; unk_197F81B0
.text:C70E975A 00 92       STR             R2, [SP,#0xC8+var_C8]
.text:C70E975C 11 22       MOVS            R2, #0x11
.text:C70E975E C1 F7 E7 FA BL              DecString_loc_CEE73D30  ; android/os/Debug
.text:C70E9762 04 46       MOV             R4, R0
.text:C70E9764 26 48       LDR             R0, =(off_C719E640 - 0xC70E976E)
.text:C70E9766 27 49       LDR             R1, =(dword_C71A5FDC - 0xC70E9770)
.text:C70E9768 27 4A       LDR             R2, =(dword_C719E644 - 0xC70E9772)
.text:C70E976A 78 44       ADD             R0, PC                  ; off_C719E640
.text:C70E976C 79 44       ADD             R1, PC                  ; dword_C71A5FDC
.text:C70E976E 7A 44       ADD             R2, PC                  ; dword_C719E644
.text:C70E9770 00 68       LDR             R0, [R0]
.text:C70E9772 0D 68       LDR             R5, [R1]
.text:C70E9774 10 68       LDR             R0, [R2]
.text:C70E9776 3D B9       CBNZ            R5, loc_C70E9788
.text:C70E9778 43 F6 38 21 MOVW            R1, #0x3A38
.text:C70E977C CD F7 88 FB BL              getFunc_loc_CF103E90
.text:C70E9780 05 46       MOV             R5, R0
.text:C70E9782 22 48       LDR             R0, =(dword_C71A5FDC - 0xC70E9788)
.text:C70E9784 78 44       ADD             R0, PC                  ; dword_C71A5FDC
.text:C70E9786 05 60       STR             R5, [R0]
.text:C70E9788
.text:C70E9788             loc_C70E9788
.text:C70E9788 00 94       STR             R4, [SP,#0xC8+var_C8]
.text:C70E978A 02 AC       ADD             R4, SP, #0xC8+var_C0
.text:C70E978C 41 46       MOV             R1, R8
.text:C70E978E 4A 46       MOV             R2, R9
.text:C70E9790 20 46       MOV             R0, R4
.text:C70E9792 33 46       MOV             R3, R6
.text:C70E9794 A8 47       BLX             R5
.text:C70E9796 0A 98       LDR             R0, [SP,#0xC8+var_A0]
.text:C70E9798 28 B1       CBZ             R0, loc_C70E97A6
.text:C70E979A 04 F1 10 00 ADD.W           R0, R4, #0x10
.text:C70E979E CB F7 F1 FD BL              CallStaticBooleanMethod_sub_C4A7E384
.text:C70E97A2 04 46       MOV             R4, R0
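
The TracerPid check from the first listing above, as an added C example (not code from the SDK or from the original post). The listing loads 0 into R5 both when fopen fails and when the field is never found; this version returns -1 in those cases so the caller can tell "not traced" from "could not check". All function and enum names are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRACER_FIELD "TracerPid:"

/* Parse one line of a status file. Returns the tracer PID (0 = not traced),
 * or -1 when the line carries no well-formed TracerPid field. */
int tracer_pid_from_line(const char *line)
{
    const char *hit = strstr(line, TRACER_FIELD);
    char *end;
    long value;

    if (hit == NULL)
        return -1;
    hit += strlen(TRACER_FIELD);      /* strtol skips the tab that follows */
    errno = 0;
    value = strtol(hit, &end, 10);
    if (end == hit || errno != 0 || value < 0 || value > INT_MAX)
        return -1;                    /* no digits, or out of range */
    return (int)value;
}

/* Scan a status file with the same fgets()/strstr() loop as the listing.
 * An unreadable file or a missing field yields -1 rather than 0. */
int read_tracer_pid(const char *status_path)
{
    char line[0x100];                 /* same buffer size as the listing */
    int pid = -1;
    FILE *fp = fopen(status_path, "r");

    if (fp == NULL)
        return -1;
    while (pid < 0 && fgets(line, sizeof line, fp) != NULL)
        pid = tracer_pid_from_line(line);
    fclose(fp);
    return pid;
}

enum trace_verdict { CHECK_FAILED = -1, NOT_TRACED = 0, TRACED = 1 };

/* Map the raw value to a verdict; a failed check is its own signal. */
enum trace_verdict classify_tracer(int pid)
{
    if (pid < 0)
        return CHECK_FAILED;
    return pid > 0 ? TRACED : NOT_TRACED;
}

int main(void)
{
    int pid = read_tracer_pid("/proc/self/status");

    printf("TracerPid=%d verdict=%d\n", pid, (int)classify_tracer(pid));
    /* Constructed sample line, not taken from a device. */
    printf("sample=%d\n", tracer_pid_from_line("TracerPid:\t4242\n"));
    return 0;
}
```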

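4.2 Device Fingerprinting

Information is collected through two layers of reflection:

A single entry point dynamically invokes different methods to obtain device information: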

.text:C70C5350
.text:C70C5350             ; __unwind { // C7155914
.text:C70C5350 B0 B5       PUSH            {R4,R5,R7,LR}
.text:C70C5352 02 AF       ADD             R7, SP, #8
.text:C70C5354 0D 46       MOV             R5, R1
.text:C70C5356 04 46       MOV             R4, R0
.text:C70C5358 28 68       LDR             R0, [R5]
.text:C70C535A 11 46       MOV             R1, R2
.text:C70C535C 43 68       LDR             R3, [R0,#4]
.text:C70C535E 28 46       MOV             R0, R5
.text:C70C5360 98 47       BLX             R3
.text:C70C5362 28 68       LDR             R0, [R5]
.text:C70C5364 29 46       MOV             R1, R5
.text:C70C5366 02 68       LDR             R2, [R0]
.text:C70C5368 20 46       MOV             R0, R4
.text:C70C536A 90 47       BLX             R2
.text:C70C536C 28 68       LDR             R0, [R5]
.text:C70C536E 81 68       LDR             R1, [R0,#8]
.text:C70C5370 28 46       MOV             R0, R5
.text:C70C5372 88 47       BLX             R1                      ; DeleteLocalRef
.text:C70C5374 B0 BD       POP             {R4,R5,R7,PC}

Through JNI reflection, forName and getDeclaredMethod are called to obtain device information:

.text:C70F02D8             call_getDeclaredMethod_loc_C4AB92D8
.text:C70F02D8 DF F8 18 04 LDR.W           R0, =(off_C7198390 - 0xC70F02EA)
.text:C70F02DC 38 23       MOVS            R3, #0x38 ; '8'
.text:C70F02DE DF F8 18 14 LDR.W           R1, =(off_C7198394 - 0xC70F02EC)
.text:C70F02E2 DD F8 54 A0 LDR.W           R10, [SP,#0x348+var_2F4]
.text:C70F02E6 78 44       ADD             R0, PC                  ; off_C7198390
.text:C70F02E8 79 44       ADD             R1, PC                  ; off_C7198394
.text:C70F02EA DF F8 10 24 LDR.W           R2, =(unk_C71A628F - 0xC70F02F6)
.text:C70F02EE DA F8 20 40 LDR.W           R4, [R10,#0x20]
.text:C70F02F2 7A 44       ADD             R2, PC                  ; unk_C71A628F
.text:C70F02F4 00 68       LDR             R0, [R0]                ; unk_19813440
.text:C70F02F6 09 68       LDR             R1, [R1]                ; unk_197F8500
.text:C70F02F8 00 92       STR             R2, [SP,#0x348+n]
.text:C70F02FA 12 22       MOVS            R2, #0x12
.text:C70F02FC BA F7 18 FD BL              DecString_loc_CEE73D30  ; getDeclaredMethod
.text:C70F0300 DF F8 00 14 LDR.W           R1, =(off_C719839C - 0xC70F0310)
.text:C70F0304 05 46       MOV             R5, R0
.text:C70F0306 DF F8 F8 03 LDR.W           R0, =(off_C7198398 - 0xC70F0316)
.text:C70F030A 4D 23       MOVS            R3, #0x4D ; 'M'
.text:C70F030C 79 44       ADD             R1, PC                  ; off_C719839C
.text:C70F030E DF F8 F8 23 LDR.W           R2, =(unk_C71A6290 - 0xC70F0318)
.text:C70F0312 78 44       ADD             R0, PC                  ; off_C7198398
.text:C70F0314 7A 44       ADD             R2, PC                  ; unk_C71A6290
.text:C70F0316 00 68       LDR             R0, [R0]                ; unk_198133FF
.text:C70F0318 09 68       LDR             R1, [R1]                ; unk_197F84B0
.text:C70F031A 00 92       STR             R2, [SP,#0x348+n]
.text:C70F031C 41 22       MOVS            R2, #0x41 ; 'A'
.text:C70F031E BA F7 07 FD BL              DecString_loc_CEE73D30  ; (Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
.text:C70F0322 03 46       MOV             R3, R0
.text:C70F0324 13 98       LDR             R0, [SP,#0x348+var_2FC]
.text:C70F0326 21 46       MOV             R1, R4
.text:C70F0328 CD F8 00 80 STR.W           R8, [SP,#0x348+n]
.text:C70F032C 2A 46       MOV             R2, R5
.text:C70F032E 01 90       STR             R0, [SP,#0x348+var_344]
.text:C70F0330 7A A8       ADD             R0, SP, #0x348+var_160
.text:C70F0332 C3 46       MOV             R11, R8
.text:C70F0334 B0 46       MOV             R8, R6
.text:C70F0336 02 96       STR             R6, [SP,#0x348+var_340]
.text:C70F0338 00 F0 4C FB BL              call_getDeclaredMethod_sub_C4AB99D4
.text:C70F033C 88 98       LDR             R0, [SP,#0x348+var_128]
.text:C70F033E 20 B1       CBZ             R0, loc_C70F034A
.text:C70F0340 08 98       LDR             R0, [SP,#0x348+var_328]
.text:C70F0342 C1 F7 43 F8 BL              CallStaticObjectMethod_sub_CF0FE3CC
.text:C70F0346 04 46       MOV             R4, R0
.text:C70F0348 00 E0       B               loc_C70F034C
.text:C70F034A
.text:C70F034A             loc_C70F034A
.text:C70F034A 00 24       MOVS            R4, #0
.text:C70F034C
.text:C70F034C             loc_C70F034C
.text:C70F034C 7A A8       ADD             R0, SP, #0x348+var_160
.text:C70F034E BA F7 3B FE BL              DeleteLocal_loc_CF0F7FC8
.text:C70F0352 DF F8 B8 03 LDR.W           R0, =(off_C71983A0 - 0xC70F0360)
.text:C70F0356 97 23       MOVS            R3, #0x97
.text:C70F0358 DF F8 B4 13 LDR.W           R1, =(off_C71983A4 - 0xC70F0366)
.text:C70F035C 78 44       ADD             R0, PC                  ; off_C71983A0
.text:C70F035E DF F8 B4 23 LDR.W           R2, =(unk_C71A6291 - 0xC70F036E)
.text:C70F0362 79 44       ADD             R1, PC                  ; off_C71983A4
.text:C70F0364 DA F8 20 50 LDR.W           R5, [R10,#0x20]
.text:C70F0368 00 68       LDR             R0, [R0]                ; unk_198133F2
.text:C70F036A 7A 44       ADD             R2, PC                  ; unk_C71A6291
.text:C70F036C 09 68       LDR             R1, [R1]                ; unk_197F84A1
.text:C70F036E 00 92       STR             R2, [SP,#0x348+n]
.text:C70F0370 0D 22       MOVS            R2, #0xD
.text:C70F0372 BA F7 DD FC BL              DecString_loc_CEE73D30  ; getModifiers
.text:C70F0376 DF F8 A4 13 LDR.W           R1, =(off_C71983AC - 0xC70F0386)
.text:C70F037A 06 46       MOV             R6, R0
.text:C70F037C DF F8 98 03 LDR.W           R0, =(off_C71983A8 - 0xC70F038C)
.text:C70F0380 09 23       MOVS            R3, #9
.text:C70F0382 79 44       ADD             R1, PC                  ; off_C71983AC
.text:C70F0384 DF F8 98 23 LDR.W           R2, =(unk_C71A43D5 - 0xC70F038E)
.text:C70F0388 78 44       ADD             R0, PC                  ; off_C71983A8
.text:C70F038A 7A 44       ADD             R2, PC                  ; unk_C71A43D5
.text:C70F038C 00 68       LDR             R0, [R0]                ; unk_1981153A
.text:C70F038E 09 68       LDR             R1, [R1]                ; unk_197F647F
.text:C70F0390 00 92       STR             R2, [SP,#0x348+n]
.text:C70F0392 04 22       MOVS            R2, #4
.text:C70F0394 BA F7 CC FC BL              DecString_loc_CEE73D30
.text:C70F0398 03 46       MOV             R3, R0
.text:C70F039A 52 A8       ADD             R0, SP, #0x348+var_200
.text:C70F039C 29 46       MOV             R1, R5
.text:C70F039E 32 46       MOV             R2, R6
.text:C70F03A0 00 94       STR             R4, [SP,#0x348+n]
.text:C70F03A2 C0 F7 7F FA BL              GetMethodID_sub_CF0FD8A4
.text:C70F03A6 0B 9E       LDR             R6, [SP,#0x348+var_31C]
.text:C70F03A8 66 98       LDR             R0, [SP,#0x348+var_1B0]
.text:C70F03AA 20 B1       CBZ             R0, loc_C70F03B6
.text:C70F03AC 07 98       LDR             R0, [SP,#0x348+var_32C]
.text:C70F03AE C0 F7 CB FB BL              CallStaticIntMethodV_sub_C4A79B48
.text:C70F03B2 05 46       MOV             R5, R0
.text:C70F03B4 01 E0       B               loc_C70F03BA
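
Encrypting each device-info entry individually:

After a group of information has been collected, each entry is encrypted individually: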

.text:C711C232             vm_enc_Deviceinfo_sub_D5C4A232
.text:C711C232
.text:C711C232             var_7C= -0x7C
.text:C711C232             var_78= -0x78
.text:C711C232             var_74= -0x74
.text:C711C232             var_70= -0x70
.text:C711C232             var_6C= -0x6C
.text:C711C232             var_68= -0x68
.text:C711C232             var_64= -0x64
.text:C711C232             var_60= -0x60
.text:C711C232             var_5C= -0x5C
.text:C711C232             var_58= -0x58
.text:C711C232             var_54= -0x54
.text:C711C232             var_50= -0x50
.text:C711C232             var_4C= -0x4C
.text:C711C232             var_48= -0x48
.text:C711C232             var_40= -0x40
.text:C711C232             var_38= -0x38
.text:C711C232             var_30= -0x30
.text:C711C232             var_24= -0x24
.text:C711C232             var_8= -8
.text:C711C232
.text:C711C232           
.text:C711C232 00 F0 01 B8 B.W             loc_C711C238
.text:C711C236 00 00       ALIGN 4
.text:C711C236             ; } // starts at C711C232
.text:C711C238
.text:C711C238             loc_C711C238
.text:C711C238             ; __unwind { // FBF95000
.text:C711C238 F0 B5       PUSH            {R4-R7,LR}
.text:C711C23A 03 AF       ADD             R7, SP, #0x14+var_8
.text:C711C23C 2D E9 00 0B PUSH.W          {R8,R9,R11}
.text:C711C240 98 B0       SUB             SP, SP, #0x60 ; '`'
.text:C711C242 6C 46       MOV             R4, SP
.text:C711C244 6F F3 03 04 BFC.W           R4, #0, #4
.text:C711C248 A5 46       MOV             SP, R4
.text:C711C24A 06 46       MOV             R6, R0
.text:C711C24C 39 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC711C256)
.text:C711C24E 91 46       MOV             R9, R2
.text:C711C250 0D 46       MOV             R5, R1
.text:C711C252
.text:C711C252             loc_C711C252
.text:C711C252 78 44       ADD             R0, PC
.text:C711C254 00 68       LDR             R0, [R0]
.text:C711C256 00 68       LDR             R0, [R0]
.text:C711C258 17 90       STR             R0, [SP,#0x80+var_24]
.text:C711C25A FF F7 E5 FB BL              DecString_loc_C5D9FA28
.text:C711C25E 36 48       LDR             R0, =(off_C71A6E2C - 0xC711C268)
.text:C711C260 36 49       LDR             R1, =(off_C71A6E30 - 0xC711C26C)
.text:C711C262 37 4A       LDR             R2, =(off_C71A6E34 - 0xC711C272)
.text:C711C264 78 44       ADD             R0, PC                  ; off_C71A6E2C
.text:C711C266 37 4B       LDR             R3, =(off_C71A6E38 - 0xC711C278)
.text:C711C268 79 44       ADD             R1, PC                  ; off_C71A6E30
.text:C711C26A DF F8 DC C0 LDR.W           R12, =(off_C71A6E3C - 0xC711C27A)
.text:C711C26E 7A 44       ADD             R2, PC                  ; off_C71A6E34
.text:C711C270 DF F8 D8 E0 LDR.W           LR, =(off_C71A6E40 - 0xC711C280)
.text:C711C274 7B 44       ADD             R3, PC                  ; off_C71A6E38
.text:C711C276 FC 44       ADD             R12, PC                 ; off_C71A6E3C
.text:C711C278 DF F8 D4 80 LDR.W           R8, =(off_C71A6E44 - 0xC711C286)
.text:C711C27C FE 44       ADD             LR, PC                  ; off_C71A6E40
.text:C711C27E 00 68       LDR             R0, [R0]
.text:C711C280 09 68       LDR             R1, [R1]                ; unk_1EE7B36D
.text:C711C282 F8 44       ADD             R8, PC                  ; off_C71A6E44
.text:C711C284 12 68       LDR             R2, [R2]                ; unk_2338AB2F
.text:C711C286 1B 68       LDR             R3, [R3]
.text:C711C288 DC F8 00 40 LDR.W           R4, [R12]
.text:C711C28C 02 95       STR             R5, [SP,#0x80+var_78]
.text:C711C28E DE F8 00 50 LDR.W           R5, [LR]
.text:C711C292 01 96       STR             R6, [SP,#0x80+var_7C]
.text:C711C294 2F 4E       LDR             R6, =(off_C71A6E48 - 0xC711C29E)
.text:C711C296 D8 F8 00 C0 LDR.W           R12, [R8]
.text:C711C29A 7E 44       ADD             R6, PC                  ; off_C71A6E48
.text:C711C29C CD F8 0C 90 STR.W           R9, [SP,#0x80+var_74]
.text:C711C2A0 36 68       LDR             R6, [R6]                ; unk_289ECB2F
.text:C711C2A2 04 90       STR             R0, [SP,#0x80+var_70]
.text:C711C2A4 2C 48       LDR             R0, =(off_C71A6E4C - 0xC711C2AA)
.text:C711C2A6 78 44       ADD             R0, PC                  ; off_C71A6E4C
.text:C711C2A8 D0 F8 00 E0 LDR.W           LR, [R0]                ; unk_FFBB3F99
.text:C711C2AC 05 91       STR             R1, [SP,#0x80+var_6C]
.text:C711C2AE 2B 49       LDR             R1, =(off_C71A6E50 - 0xC711C2B6)
.text:C711C2B0 2F 48       LDR             R0, =(off_C71A6E64 - 0xC711C2B8)
.text:C711C2B2 79 44       ADD             R1, PC                  ; off_C71A6E50
.text:C711C2B4 78 44       ADD             R0, PC                  ; off_C71A6E64
.text:C711C2B6 D1 F8 00 80 LDR.W           R8, [R1]
.text:C711C2BA
.text:C711C2BA             loc_C711C2BA
.text:C711C2BA 06 92       STR             R2, [SP,#0x80+var_68]
.text:C711C2BC 28 4A       LDR             R2, =(off_C71A6E54 - 0xC711C2C4)
.text:C711C2BE 2E 49       LDR             R1, =(off_C71A6E6C - 0xC711C2C6)
.text:C711C2C0 7A 44       ADD             R2, PC                  ; off_C71A6E54
.text:C711C2C2 79 44       ADD             R1, PC                  ; off_C71A6E6C
.text:C711C2C4 D2 F8 00 90 LDR.W           R9, [R2]
.text:C711C2C8 07 93       STR             R3, [SP,#0x80+var_64]
.text:C711C2CA 26 4B       LDR             R3, =(off_C71A6E58 - 0xC711C2D0)
.text:C711C2CC 7B 44       ADD             R3, PC                  ; off_C71A6E58
.text:C711C2CE 1B 68       LDR             R3, [R3]                ; unk_1BBAF35F
.text:C711C2D0 08 94       STR             R4, [SP,#0x80+var_60]
.text:C711C2D2 25 4C       LDR             R4, =(off_C71A6E5C - 0xC711C2D8)
.text:C711C2D4 7C 44       ADD             R4, PC                  ; off_C71A6E5C
.text:C711C2D6 24 68       LDR             R4, [R4]                ; unk_2410E6C3
.text:C711C2D8 09 95       STR             R5, [SP,#0x80+var_5C]
.text:C711C2DA 24 4D       LDR             R5, =(off_C71A6E60 - 0xC711C2E0)
.text:C711C2DC 7D 44       ADD             R5, PC                  ; off_C71A6E60
.text:C711C2DE 2D 68       LDR             R5, [R5]
.text:C711C2E0 CD F8 28 C0 STR.W           R12, [SP,#0x80+var_58]
.text:C711C2E4 00 68       LDR             R0, [R0]                ; unk_EBE3C835
.text:C711C2E6 0B 96       STR             R6, [SP,#0x80+var_54]
.text:C711C2E8 22 4E       LDR             R6, =(off_C71A6E68 - 0xC711C2EE)
.text:C711C2EA 7E 44       ADD             R6, PC                  ; off_C71A6E68
.text:C711C2EC 36 68       LDR             R6, [R6]                ; unk_E0C18413
.text:C711C2EE CD F8 30 E0 STR.W           LR, [SP,#0x80+var_50]
.text:C711C2F2 0A 68       LDR             R2, [R1]
.text:C711C2F4 21 49       LDR             R1, =(off_C71A6E70 - 0xC711C2FE)
.text:C711C2F6 CD F8 34 80 STR.W           R8, [SP,#0x80+var_4C]
.text:C711C2FA 79 44       ADD             R1, PC                  ; off_C71A6E70
.text:C711C2FC 09 68       LDR             R1, [R1]
.text:C711C2FE CD E9 0E 93 STRD.W          R9, R3, [SP,#0x80+var_48]
.text:C711C302 CD E9 10 45 STRD.W          R4, R5, [SP,#0x80+var_40]
.text:C711C306
.text:C711C306             loc_C711C306
.text:C711C306 CD E9 12 06 STRD.W          R0, R6, [SP,#0x80+var_38]
.text:C711C30A 4F F4 10 70 MOV.W           R0, #0x240
.text:C711C30E 14 92       STR             R2, [SP,#0x80+var_30]
.text:C711C310 6A 46       MOV             R2, SP
.text:C711C312 00 F0 37 F8 BL              VM_Entrance_loc_CDF4C384 ; R: different numbers passed in select different logic paths
.text:C711C316 1A 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC711C31E)
.text:C711C318 17 99       LDR             R1, [SP,#0x80+var_24]
.text:C711C31A 78 44       ADD             R0, PC
.text:C711C31C 00 68       LDR             R0, [R0]
.text:C711C31E 00 68       LDR             R0, [R0]
.text:C711C320 40 1A       SUBS            R0, R0, R1
.text:C711C322 01 BF       ITTTT EQ
.text:C711C324 A7 F1 18 04 SUBEQ.W         R4, R7, #0x18
.text:C711C328 A5 46       MOVEQ           SP, R4
.text:C711C32A BD E8 00 0B POPEQ.W         {R8,R9,R11}
.text:C711C32E F0 BD       POPEQ           {R4-R7,PC}

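Execution eventually reaches VM_Entrance_loc_CDF4C384, where the encryption is performed; 90% of the functionality is implemented there by dynamically calling different methods.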

.text:C711C384             VM_Entrance_loc_CDF4C384
.text:C711C384 2D E9 F0 4F PUSH.W          {R4-R11,LR}             ; R: different numbers passed in select different logic paths
.text:C711C388 03 AF       ADD             R7, SP, #0xC
.text:C711C38A AD F5 13 7D SUB.W           SP, SP, #0x24C
.text:C711C38E 6E 46       MOV             R6, SP
.text:C711C390 42 F6 24 5A MOVW            R10, #0x2D24
.text:C711C394 C6 F8 A8 00 STR.W           R0, [R6,#0xA8]
.text:C711C398 46 F2 47 24 MOVW            R4, #0x6247
.text:C711C39C DF F8 94 0A LDR.W           R0, =(off_C71A9B50 - 0xC711C3B0)
.text:C711C3A0 CF F6 A0 4A MOVT            R10, #0xFCA0
.text:C711C3A4 C6 F8 40 11 STR.W           R1, [R6,#0x140]
.text:C711C3A8 C5 F2 99 54 MOVT            R4, #0x5599
.text:C711C3AC 78 44       ADD             R0, PC                  ; off_C71A9B50
 
// Dispatcher
.text:C711C968             VMDispatcher_loc_CB187968
.text:C711C968 D6 F8 44 11 LDR.W           R1, [R6,#0x144]         ; call different methods
.text:C711C96C 88 7A       LDRB            R0, [R1,#0xA]
.text:C711C96E 09 7B       LDRB            R1, [R1,#0xC]
.text:C711C970 08 43       ORRS            R0, R1
.text:C711C972 C0 B2       UXTB            R0, R0
.text:C711C974 2F 28       CMP             R0, #0x2F ; '/'
.text:C711C976 41 F0 22 80 BNE.W           loc_C711D9BE
.text:C711C97A D6 F8 3C 01 LDR.W           R0, [R6,#0x13C]
.text:C711C97E 40 F2 15 21+MOV             R1, #0x41920215
.text:C711C97E C4 F2 92 11
.text:C711C986 D0 F8 C4 00 LDR.W           R0, [R0,#0xC4]
.text:C711C98A 08 43       ORRS            R0, R1
.text:C711C98C 48 F2 F5 31+MOV             R1, #unk_E39683F5
.text:C711C98C CE F2 96 31
.text:C711C994 88 42       CMP             R0, R1
.text:C711C996 7F F4 8A AF BNE.W           loc_C711C8AE
.text:C711C99A A7 F1 20 00 SUB.W           R0, R7, #0x20 ; ' '
.text:C711C99E 01 68       LDR             R1, [R0]
.text:C711C9A0 57 F8 78 0C LDR.W           R0, [R7,#-0x78]
.text:C711C9A4 88 47       BLX             R1                      ; call different methods
.text:C711C9A6 57 F8 7C 0C LDR.W           R0, [R7,#-0x7C]
.text:C711C9AA 00 F0 7A BF B.W             loc_C711D8A2
 
// Encryption
.text:C711D288             encdata_loc_BF53C288
.text:C711D288 57 F8 A8 2C LDR.W           R2, [R7,#-0xA8]         ; data to encrypt
.text:C711D28C 0C 68       LDR             R4, [R1]                ; fetch the key
.text:C711D28E 12 68       LDR             R2, [R2]                ; fetch the data
.text:C711D290 62 40       EORS            R2, R4                  ; encrypt
.text:C711D292 A7 F1 90 04 SUB.W           R4, R7, #0x90
.text:C711D296
.text:C711D296             loc_C711D296
.text:C711D296 44 F8 2C 20 STR.W           R2, [R4,R12,LSL#2]      ; store the encrypted data
.text:C711D29A F4 6E       LDR             R4, [R6,#0x6C]
.text:C711D29C E2 6A       LDR             R2, [R4,#0x2C]
.text:C711D29E E4 6E       LDR             R4, [R4,#0x6C]
.text:C711D2A0 22 44       ADD             R2, R4
.text:C711D2A2 49 F2 F4 24+MOV             R4, #0x4E892F4
.text:C711D2A2 C0 F2 E8 44
.text:C711D2AA A2 42       CMP             R2, R4
.text:C711D2AC 14 D1       BNE             loc_C711D2D8
 
.text:C711D96E             getencdata_loc_BF53C96E
.text:C711D96E 57 F8 A8 2C LDR.W           R2, [R7,#-0xA8]         ; fetch the encrypted data
.text:C711D972 57 F8 FC 3C LDR.W           R3, [R7,#-0xFC]
.text:C711D976 09 68       LDR             R1, [R1]                ; fetch the data from the first encryption pass
.text:C711D978 12 68       LDR             R2, [R2]
.text:C711D97A D1 54       STRB            R1, [R2,R3]             ; final store of the data
.text:C711D97C 83 E7       B               loc_C711D886

Combining the device info and encrypting it again:

Combining the encrypted device info

.text:C7112E44             getbody_crc_sub_CDA4AE44                ; CODE XREF: getinfo_sub_CDF805D0+69C↑p
.text:C7112E44                                                     ; .text:JNI_OnLoad+1AAC0↓p
.text:C7112E44                                                     ; DATA XREF: ...
.text:C7112E44
.text:C7112E44             var_B0= -0xB0
.text:C7112E44             var_AC= -0xAC
.text:C7112E44             var_A8= -0xA8
.text:C7112E44             var_A4= -0xA4
.text:C7112E44             var_A0= -0xA0
.text:C7112E44             var_9C= -0x9C
.text:C7112E44             var_98= -0x98
.text:C7112E44             var_94= -0x94
.text:C7112E44             var_90= -0x90
.text:C7112E44             var_8C= -0x8C
.text:C7112E44             var_88= -0x88
.text:C7112E44             var_84= -0x84
.text:C7112E44             var_80= -0x80
.text:C7112E44             var_7C= -0x7C
.text:C7112E44             var_78= -0x78
.text:C7112E44             var_74= -0x74
.text:C7112E44             var_70= -0x70
.text:C7112E44             var_6C= -0x6C
.text:C7112E44             var_64= -0x64
.text:C7112E44             var_60= -0x60
.text:C7112E44             var_5C= -0x5C
.text:C7112E44             var_58= -0x58
.text:C7112E44             var_50= -0x50
.text:C7112E44             var_4C= -0x4C
.text:C7112E44             var_44= -0x44
.text:C7112E44             crc= -0x40
.text:C7112E44             var_3C= -0x3C
.text:C7112E44             var_38= -0x38
.text:C7112E44             var_30= -0x30
.text:C7112E44             var_28= -0x28
.text:C7112E44             var_24= -0x24
.text:C7112E44             var_20= -0x20
.text:C7112E44
.text:C7112E44             ; __unwind { // C7149914
.text:C7112E44 F0 B5       PUSH            {R4-R7,LR}
.text:C7112E46 03 AF       ADD             R7, SP, #0xC
.text:C7112E48 2D E9 00 0F PUSH.W          {R8-R11}
.text:C7112E4C A5 B0       SUB             SP, SP, #0x94
.text:C7112E4E 80 46       MOV             R8, R0
.text:C7112E50 DF F8 F8 06 LDR.W           R0, =(__stack_chk_guard_ptr - 0xC7112E5C)
.text:C7112E54 92 46       MOV             R10, R2
.text:C7112E56 8B 46       MOV             R11, R1
.text:C7112E58 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C7112E5A 00 2B       CMP             R3, #0
.text:C7112E5C 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C7112E5E 00 68       LDR             R0, [R0]
.text:C7112E60 24 90       STR             R0, [SP,#0xB0+var_20]
.text:C7112E62 4F F6 DF 20+MOV             R0, #0xFADFFADF
.text:C7112E62 CF F6 DF 20
.text:C7112E6A 0C 90       STR             R0, [SP,#0xB0+var_80]
.text:C7112E6C 4F F0 01 00 MOV.W           R0, #1
.text:C7112E70 14 90       STR             R0, [SP,#0xB0+var_60]
.text:C7112E72 23 D0       BEQ             loc_C7112EBC
.text:C7112E74 DF F8 D8 06 LDR.W           R0, =(dword_C71A03A4 - 0xC7112E88)
.text:C7112E78 0B F1 1C 05 ADD.W           R5, R11, #0x1C
.text:C7112E7C DF F8 D4 16 LDR.W           R1, =(dword_C71A97EC - 0xC7112E8C)
.text:C7112E80 DF F8 D4 26 LDR.W           R2, =(dword_C71A03A8 - 0xC7112E8E)
.text:C7112E84 78 44       ADD             R0, PC                  ; dword_C71A03A4
.text:C7112E86 05 93       STR             R3, [SP,#0xB0+var_9C]
.text:C7112E88 79 44       ADD             R1, PC                  ; dword_C71A97EC
.text:C7112E8A 7A 44       ADD             R2, PC                  ; dword_C71A03A8
.text:C7112E8C 00 68       LDR             R0, [R0]
.text:C7112E8E 09 68       LDR             R1, [R1]
.text:C7112E90 10 68       LDR             R0, [R2]
.text:C7112E92 41 B9       CBNZ            R1, loc_C7112EA6
.text:C7112E94 4A F6 EA 41 MOVW            R1, #0xACEA
.text:C7112E98 00 F0 84 FC BL              getFunc_loc_CDFDB7A4
.text:C7112E9C 01 46       MOV             R1, R0
.text:C7112E9E DF F8 BC 06 LDR.W           R0, =(dword_C71A97EC - 0xC7112EA6)
.text:C7112EA2 78 44       ADD             R0, PC                  ; dword_C71A97EC
.text:C7112EA4 01 60       STR             R1, [R0]
.text:C7112EA6
.text:C7112EA6             loc_C7112EA6
.text:C7112EA6 28 46       MOV             R0, R5
.text:C7112EA8 88 47       BLX             R1                      ; pthread_mutex_lock
.text:C7112EAA 5C 46       MOV             R4, R11
.text:C7112EAC 14 F8 20 0F LDRB.W          R0, [R4,#0x20]!
.text:C7112EB0 10 F0 01 0F TST.W           R0, #1
.text:C7112EB4 19 D1       BNE             loc_C7112EEA
.text:C7112EB6 00 20       MOVS            R0, #0
.text:C7112EB8 20 80       STRH            R0, [R4]
.text:C7112EBA 1C E0       B               loc_C7112EF6
.text:C7112EBC
.text:C7112EBC             loc_C7112EBC
.text:C7112EBC 00 20       MOVS            R0, #0
.text:C7112EBE C8 E9 00 00 STRD.W          R0, R0, [R8]
.text:C7112EC2 C8 F8 08 00 STR.W           R0, [R8,#8]
.text:C7112EC6 00 20       MOVS            R0, #0                  ; s
.text:C7112EC8 96 F7 D6 EB BLX             strlen
.text:C7112ECC 04 46       MOV             R4, R0
.text:C7112ECE 14 F1 10 0F CMN.W           R4, #0x10
.text:C7112ED2 80 F0 08 83 BCS.W           loc_C71134E6
.text:C7112ED6 0B 2C       CMP             R4, #0xB
.text:C7112ED8 80 F0 74 81 BCS.W           loc_C71131C4
.text:C7112EDC 60 00       LSLS            R0, R4, #1
.text:C7112EDE 00 2C       CMP             R4, #0
.text:C7112EE0 08 F8 01 0B STRB.W          R0, [R8],#1
.text:C7112EE4 40 F0 7C 81 BNE.W           loc_C71131E0
.text:C7112EE8 7F E1       B               loc_C71131EA
.text:C7112EEA
.text:C7112EEA             loc_C7112EEA
.text:C7112EEA DB F8 28 00 LDR.W           R0, [R11,#0x28]
.text:C7112EEE 00 21       MOVS            R1, #0
.text:C7112EF0 01 70       STRB            R1, [R0]
.text:C7112EF2 CB F8 24 10 STR.W           R1, [R11,#0x24]
.text:C7112EF6
.text:C7112EF6             loc_C7112EF6
.text:C7112EF6 DF F8 68 06 LDR.W           R0, =(dword_C71A03AC - 0xC7112F06)
.text:C7112EFA DF F8 68 16 LDR.W           R1, =(dword_C71A97F0 - 0xC7112F08)
.text:C7112EFE DF F8 68 36 LDR.W           R3, =(off_C71A03B0 - 0xC7112F0A)
.text:C7112F02 78 44       ADD             R0, PC                  ; dword_C71A03AC
.text:C7112F04 79 44       ADD             R1, PC                  ; dword_C71A97F0
.text:C7112F06 7B 44       ADD             R3, PC                  ; off_C71A03B0
.text:C7112F08 00 68       LDR             R0, [R0]
.text:C7112F0A 0A 68       LDR             R2, [R1]
.text:C7112F0C 19 68       LDR             R1, [R3]
.text:C7112F0E 32 B9       CBNZ            R2, loc_C7112F1E
.text:C7112F10 00 F0 48 FC BL              getFunc_loc_CDFDB7A4
.text:C7112F14 02 46       MOV             R2, R0
.text:C7112F16 DF F8 54 06 LDR.W           R0, =(dword_C71A97F0 - 0xC7112F1E)
.text:C7112F1A 78 44       ADD             R0, PC                  ; dword_C71A97F0
.text:C7112F1C 02 60       STR             R2, [R0]
.text:C7112F1E
.text:C7112F1E             loc_C7112F1E
.text:C7112F1E 06 95       STR             R5, [SP,#0xB0+var_98]
.text:C7112F20 90 47       BLX             R2                      ; pthread_mutex_lock
.text:C7112F22 05 46       MOV             R5, R0
.text:C7112F24 DF F8 48 06 LDR.W           R0, =(dword_C71A97F4 - 0xC7112F34)
.text:C7112F28 DF F8 48 16 LDR.W           R1, =(dword_C71A03B4 - 0xC7112F36)
.text:C7112F2C 05 F1 24 06 ADD.W           R6, R5, #0x24 ; '$'
.text:C7112F30 78 44       ADD             R0, PC                  ; dword_C71A97F4
.text:C7112F32 79 44       ADD             R1, PC                  ; dword_C71A03B4
.text:C7112F34 02 68       LDR             R2, [R0]
.text:C7112F36 08 68       LDR             R0, [R1]
.text:C7112F38 42 B9       CBNZ            R2, loc_C7112F4C
.text:C7112F3A 4C F6 D1 11 MOVW            R1, #0xC9D1
.text:C7112F3E 00 F0 31 FC BL              getFunc_loc_CDFDB7A4
.text:C7112F42 02 46       MOV             R2, R0
.text:C7112F44 DF F8 30 06 LDR.W           R0, =(dword_C71A97F4 - 0xC7112F4C)
.text:C7112F48
.text:C7112F48             loc_C7112F48
.text:C7112F48 78 44       ADD             R0, PC 
.text:C7112F4A 02 60       STR             R2, [R0]
.text:C7112F4C
.text:C7112F4C             loc_C7112F4C
.text:C7112F4C 0D F1 38 09 ADD.W           R9, SP, #0xB0+var_78
.text:C7112F50 31 46       MOV             R1, R6
.text:C7112F52 48 46       MOV             R0, R9
.text:C7112F54 90 47       BLX             R2                      ; step 2: the value returned by the server, after base64 decoding
.text:C7112F56 05 F1 0C 01 ADD.W           R1, R5, #0xC
.text:C7112F5A 11 A8       ADD             R0, SP, #0xB0+var_6C
.text:C7112F5C 9F F7 5E FA BL              memory_cpy_sub_CF0FF41C
.text:C7112F60 DB E9 32 56 LDRD.W          R5, R6, [R11,#0xC8]
.text:C7112F64 DB E9 38 01 LDRD.W          R0, R1, [R11,#0xE0]
.text:C7112F68 08 1A       SUBS            R0, R1, R0
.text:C7112F6A 59 46       MOV             R1, R11
.text:C7112F6C 80 10       ASRS            R0, R0, #2
.text:C7112F6E 0D 90       STR             R0, [SP,#0xB0+var_7C]
.text:C7112F70 11 F8 0C 0F LDRB.W          R0, [R1,#0xC]!
.text:C7112F74 10 F0 01 0F TST.W           R0, #1
.text:C7112F78 0C BF       ITE EQ
.text:C7112F7A 40 08       LSREQ           R0, R0, #1
.text:C7112F7C DB F8 10 00 LDRNE.W         R0, [R11,#0x10]
.text:C7112F80 04 90       STR             R0, [SP,#0xB0+var_A0]
.text:C7112F82 9B F8 00 00 LDRB.W          R0, [R11]
.text:C7112F86 01 91       STR             R1, [SP,#0xB0+var_AC]
.text:C7112F88 10 F0 01 0F TST.W           R0, #1
.text:C7112F8C 0C BF       ITE EQ
.text:C7112F8E 40 08       LSREQ           R0, R0, #1
.text:C7112F90 DB F8 04 00 LDRNE.W         R0, [R11,#4]
.text:C7112F94 03 90       STR             R0, [SP,#0xB0+var_A4]
.text:C7112F96 0C A9       ADD             R1, SP, #0xB0+var_80
.text:C7112F98 20 46       MOV             R0, R4
.text:C7112F9A 04 22       MOVS            R2, #4
.text:C7112F9C CD F8 08 80 STR.W           R8, [SP,#0xB0+var_A8]
.text:C7112FA0 A0 F7 3F FC BL              putvuale_sub_C4A7C822
.text:C711335E             loc_C711335E
.text:C711335E DD E9 03 24 LDRD.W          R2, R4, [SP,#0xB0+var_A4]
.text:C7113362 B9 F1 01 0F CMP.W           R9, #1
.text:C7113366 0B D1       BNE             loc_C7113380
.text:C7113368 52 B1       CBZ             R2, loc_C7113380
.text:C711336A 9B F8 00 00 LDRB.W          R0, [R11]
.text:C711336E C0 07       LSLS            R0, R0, #0x1F
.text:C7113370 0C BF       ITE EQ
.text:C7113372 0B F1 01 01 ADDEQ.W         R1, R11, #1
.text:C7113376 DB F8 08 10 LDRNE.W         R1, [R11,#8]
.text:C711337A 40 46       MOV             R0, R8
.text:C711337C A0 F7 51 FA BL              putvuale_sub_C4A7C822
.text:C7113380
.text:C7113380             loc_C7113380
.text:C7113380 54 B1       CBZ             R4, loc_C7113398
.text:C7113382 01 99       LDR             R1, [SP,#0xB0+var_AC]
.text:C7113384 08 78       LDRB            R0, [R1]
.text:C7113386 C0 07       LSLS            R0, R0, #0x1F
.text:C7113388 0C BF       ITE EQ
.text:C711338A 01 31       ADDEQ           R1, #1
.text:C711338C DB F8 14 10 LDRNE.W         R1, [R11,#0x14]
.text:C7113390 40 46       MOV             R0, R8
.text:C7113392 22 46       MOV             R2, R4
.text:C7113394 A0 F7 45 FA BL              putvuale_sub_C4A7C822   ; the individually encrypted device data
.text:C7113398
.text:C7113398             loc_C7113398
.text:C7113398 98 F8 00 00 LDRB.W          R0, [R8]
.text:C711339C 10 F0 01 0F TST.W           R0, #1
 
// Compute the CRC of the combined data
.text:C71040BE             crc_sub_CDA3C0BE                        ; CODE XREF: getbody_crc_sub_CDA4AE44+59A↓p
.text:C71040BE
.text:C71040BE             var_8= -8
.text:C71040BE
.text:C71040BE             ; __unwind { // FBF89000
.text:C71040BE 82 EA 01 03 EOR.W           R3, R2, R1
.text:C71040C2 4E F6 95 12+MOV             R2, #0x5BD1E995
.text:C71040C2 C5 F6 D1 32
.text:C71040CA 04 29       CMP             R1, #4
.text:C71040CC 1B D3       BCC             loc_C7104106
.text:C71040CE B0 B5       PUSH            {R4,R5,R7,LR}
.text:C71040D0 02 AF       ADD             R7, SP, #0x10+var_8
.text:C71040D2 A1 F1 04 0E SUB.W           LR, R1, #4
.text:C71040D6 2E F0 03 05 BIC.W           R5, LR, #3
.text:C71040DA 44 19       ADDS            R4, R0, R5
.text:C71040DC 04 F1 04 0C ADD.W           R12, R4, #4
.text:C71040E0
.text:C71040E0             loc_C71040E0                            ; CODE XREF: crc_sub_CDA3C0BE+3C↓j
.text:C71040E0 50 F8 04 4B LDR.W           R4, [R0],#4
.text:C71040E4 53 43       MULS            R3, R2
.text:C71040E6 04 39       SUBS            R1, #4
.text:C71040E8 03 29       CMP             R1, #3
.text:C71040EA 02 FB 04 F4 MUL.W           R4, R2, R4
.text:C71040EE 84 EA 14 64 EOR.W           R4, R4, R4,LSR#24
.text:C71040F2 02 FB 04 F4 MUL.W           R4, R2, R4
.text:C71040F6 83 EA 04 03 EOR.W           R3, R3, R4
.text:C71040FA F1 D8       BHI             loc_C71040E0
.text:C71040FC AE EB 05 01 SUB.W           R1, LR, R5
.text:C7104100 BD E8 B0 40 POP.W           {R4,R5,R7,LR}
.text:C7104104 00 E0       B               sub_C7104108
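
The loop in crc_sub_CDA3C0BE multiplies by 0x5BD1E995 and shifts right by 24, which are the constants of the public MurmurHash2 function rather than a CRC polynomial. The following is an added example (not code from the original post or from the SDK) that transcribes the visible instructions register by register and checks them against a readable MurmurHash2 body. Assumptions: all function names are hypothetical, the seed and buffers are constructed, and because the tail code in sub_C7104108 is not shown in the listing, `murmur2_finish` follows the public MurmurHash2 reference.

```c
#include <stdint.h>
#include <stdio.h>

#define MURMUR_M 0x5BD1E995u /* MOV R2, #0x5BD1E995 in the listing */
#define MURMUR_R 24          /* EOR.W R4, R4, R4,LSR#24            */

/* Little-endian 32-bit load: the effect of LDR.W R4, [R0],#4 on this target. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Register-by-register transcription of the visible instructions.
 * Returns R3 (running hash); *rem receives R1 (bytes left for the tail)
 * and *tail receives the advanced R0. */
uint32_t crc_body_regs(const uint8_t *r0, uint32_t r1, uint32_t r2,
                       uint32_t *rem, const uint8_t **tail)
{
    uint32_t r3 = r2 ^ r1;                /* EOR.W R3, R2, R1        */
    r2 = MURMUR_M;                        /* MOV   R2, #0x5BD1E995   */
    if (r1 >= 4) {                        /* CMP R1, #4 / BCC        */
        uint32_t lr = r1 - 4;             /* SUB.W LR, R1, #4        */
        uint32_t r5 = lr & ~3u;           /* BIC.W R5, LR, #3        */
        do {
            uint32_t r4 = load_le32(r0);  /* LDR.W R4, [R0],#4       */
            r0 += 4;
            r3 *= r2;                     /* MULS  R3, R2            */
            r1 -= 4;                      /* SUBS  R1, #4            */
            r4 *= r2;                     /* MUL.W R4, R2, R4        */
            r4 ^= r4 >> MURMUR_R;         /* EOR.W R4, R4, R4,LSR#24 */
            r4 *= r2;                     /* MUL.W R4, R2, R4        */
            r3 ^= r4;                     /* EOR.W R3, R3, R4        */
        } while (r1 > 3);                 /* CMP R1, #3 / BHI        */
        r1 = lr - r5;                     /* SUB.W R1, LR, R5        */
    }
    *rem = r1;
    *tail = r0;
    return r3;
}

/* Body loop of the public MurmurHash2 reference, written idiomatically. */
uint32_t murmur2_body(const uint8_t *p, uint32_t len, uint32_t seed,
                      uint32_t *rem, const uint8_t **tail)
{
    uint32_t h = seed ^ len;
    for (; len >= 4; p += 4, len -= 4) {
        uint32_t k = load_le32(p);
        k *= MURMUR_M; k ^= k >> MURMUR_R; k *= MURMUR_M;
        h *= MURMUR_M; h ^= k;
    }
    *rem = len;
    *tail = p;
    return h;
}

/* Tail bytes and final mixing per the MurmurHash2 reference.
 * Assumption: sub_C7104108 (not shown on the page) does the same. */
uint32_t murmur2_finish(uint32_t h, const uint8_t *tail, uint32_t rem)
{
    if (rem == 3) h ^= (uint32_t)tail[2] << 16;
    if (rem >= 2) h ^= (uint32_t)tail[1] << 8;
    if (rem >= 1) { h ^= tail[0]; h *= MURMUR_M; }
    h ^= h >> 13; h *= MURMUR_M; h ^= h >> 15;
    return h;
}

uint32_t murmur2(const void *key, uint32_t len, uint32_t seed)
{
    uint32_t rem;
    const uint8_t *tail;
    uint32_t h = murmur2_body(key, len, seed, &rem, &tail);
    return murmur2_finish(h, tail, rem);
}

/* Run both bodies over constructed buffers of 0..40 bytes.
 * Returns 1 when hash state, leftover count and tail pointer all match. */
int bodies_agree(void)
{
    uint8_t buf[40];
    const uint32_t seed = 0x9747B28Cu;    /* constructed seed */
    for (unsigned i = 0; i < sizeof buf; i++)
        buf[i] = (uint8_t)(i * 37 + 11);  /* constructed sample bytes */
    for (uint32_t len = 0; len <= sizeof buf; len++) {
        uint32_t ra, rb;
        const uint8_t *ta, *tb;
        uint32_t a = crc_body_regs(buf, len, seed, &ra, &ta);
        uint32_t b = murmur2_body(buf, len, seed, &rb, &tb);
        if (a != b || ra != rb || ta != tb)
            return 0;
    }
    return 1;
}

int main(void)
{
    static const char sample[] = "constructed sample input";
    printf("transcription matches reference body: %d\n", bodies_agree());
    printf("murmur2(sample, seed 0) = 0x%08X\n",
           (unsigned)murmur2(sample, (uint32_t)(sizeof sample - 1), 0));
    return 0;
}
```

MurmurHash2 is an unkeyed, non-cryptographic hash, so a value computed this way detects corruption of the combined data but does not by itself authenticate it.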

Combined data (partial)

// Assemble the request body and compute the CRC of the device info; the CRC starts at the 10th byte
CAA29000  DF FA DF FA 01 0D 0A 06  08 25 B9 D2 5F C0 07 0E  .........%......
CAA29010  0B 5F 18 28 31 40 36 1F  4C 68 9E D2 6D F1 A2 A4  ._.(1@6.Lh......
CAA29020  18 28 91 E8 24 4A C2 0C  EA 01 86 B6 7B 05 09 AD  .(..........{...
CAA29030  AC 19 B0 90 5B 57 7F 82  7E FC 76 66 4E A0 35 35  ....[W..~.vfN.55
CAA29040  C8 BC 7A 6E 69 F5 1A F0  03 63 5D B9 8E B8 94 A9  ȼ zni....c].....
CAA29050  46 12 6B BC EC 20 F2 02  00 08 64 00 05 28 02 0A  F.k.......d..(..
CAA29060  00 0D 00 00 00 00 C4 CF  4A 0F C4 CF 4A 0F 76 4A  ........J...J.vJ
CAA29070  48 03 2C E0 93 C5 4D E3  00 00 86 20 A4 6E 7D 01  H.,...M.... .n}.
CAA29080  00 00 86 20 A4 6E 7D 01  00 00 C3 83 7B BD 7D 01  ... .n}...Ã {.}.
CAA29090  00 00 00 10 85 01 00 00  00 00 00 80 4C 01 00 00  ............L...
CAA290A0  00 00 00 20 57 EB 00 00  00 00 00 00 00 00 00 00  ... W...........
CAA290B0  00 00 00 00 00 00 00 00  00 00 0E 03 37 05 21 04  ............7.!.
CAA290C0  3C 01 65 02 66 06 67 05  69 02 6A 06 6B 05 74 06  <.e.f.g.i.j.k.t.
CAA290D0  28 04 27 02 32 02 2E 05  C9 02 18 01 19 02 31 03  (.'.2.........1.
CAA290E0  33 05 3B 03 00 06 01 01  02 02 26 01 0C 01 0D 04  3.;.......&.....
CAA290F0  06 03 07 01 05 06 25 01  09 02 08 01 64 02 03 04  ......%.....d...
CAA29100  0A 03 1A 01 29 30 2E 3A  6B 72 38 31 2C 72 3D 31  ....)0.:kr81,r=1
CAA29110  2E 30 72 39 31 31 39 34  3B 72 3D 31 33 00 5B 4E  .0r91194;r=13.[N
CAA29120  45 4E 4A 5C 4E 06 44 4E  52 5C 00 80 78 78 80 75  ENJ\N.DNR\..xx.u
CAA29130  7E 38 76 7A 6B 75 72 77  38 76 7A 6B 75 72 77 23  ~8vzkurw8vzkurw#
CAA29140  2A 29 38 4A 49 2A 5A 37  2A 22 2A 29 29 2E 37 29  *)8JI*Z7*"*)).7)

Compressing and encrypting the combined data

.text:C7117244             vm_enc_body_sub_C8E49244
.text:C7117244
.text:C7117244             var_58= -0x58
.text:C7117244             var_54= -0x54
.text:C7117244             var_50= -0x50
.text:C7117244             var_4C= -0x4C
.text:C7117244             var_48= -0x48
.text:C7117244             var_44= -0x44
.text:C7117244             var_40= -0x40
.text:C7117244             var_3C= -0x3C
.text:C7117244             var_38= -0x38
.text:C7117244             var_30= -0x30
.text:C7117244             var_28= -0x28
.text:C7117244             var_20= -0x20
.text:C7117244             var_1C= -0x1C
.text:C7117244             var_18= -0x18
.text:C7117244             arg_0=  8
.text:C7117244
.text:C7117244             ; __unwind { // FBF89000
.text:C7117244 F0 B5       PUSH            {R4-R7,LR}
.text:C7117246 03 AF       ADD             R7, SP, #0xC
.text:C7117248 2D E9 00 07 PUSH.W          {R8-R10}
.text:C711724C 90 B0       SUB             SP, SP, #0x40
.text:C711724E 6C 46       MOV             R4, SP
.text:C7117250 6F F3 03 04 BFC.W           R4, #0, #4
.text:C7117254 A5 46       MOV             SP, R4
.text:C7117256 04 46       MOV             R4, R0
.text:C7117258 29 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC7117262)
.text:C711725A 98 46       MOV             R8, R3
.text:C711725C 15 46       MOV             R5, R2
.text:C711725E 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C7117260 0E 46       MOV             R6, R1
.text:C7117262 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C7117264 00 68       LDR             R0, [R0]
.text:C7117266 0F 90       STR             R0, [SP,#0x58+var_1C]
.text:C7117268 F8 F7 DE FB BL              DecString_loc_C5D9FA28
.text:C711726C 25 48       LDR             R0, =(off_C719AF1C - 0xC7117276)
.text:C711726E 26 49       LDR             R1, =(off_C719AF20 - 0xC711727A)
.text:C7117270 26 4A       LDR             R2, =(off_C719AF24 - 0xC7117280)
.text:C7117272 78 44       ADD             R0, PC                  ; off_C719AF1C
.text:C7117274 26 4B       LDR             R3, =(off_C719AF28 - 0xC7117286)
.text:C7117276 79 44       ADD             R1, PC                  ; off_C719AF20
.text:C7117278 DF F8 98 C0 LDR.W           R12, =(off_C719AF2C - 0xC711728C)
.text:C711727C 7A 44       ADD             R2, PC                  ; off_C719AF24
.text:C711727E DF F8 98 E0 LDR.W           LR, =(off_C719AF30 - 0xC7117290)
.text:C7117282 7B 44       ADD             R3, PC                  ; off_C719AF28
.text:C7117284 DF F8 94 90 LDR.W           R9, =(off_C719AF34 - 0xC7117294)
.text:C7117288 FC 44       ADD             R12, PC                 ; off_C719AF2C
.text:C711728A 00 68       LDR             R0, [R0]                ; unk_1F6B475D
.text:C711728C FE 44       ADD             LR, PC                  ; off_C719AF30
.text:C711728E 09 68       LDR             R1, [R1]                ; unk_E103CAD5
.text:C7117290 F9 44       ADD             R9, PC                  ; off_C719AF34
.text:C7117292 D2 F8 00 A0 LDR.W           R10, [R2]
.text:C7117296 1B 68       LDR             R3, [R3]                ; unk_EF4A43D1
.text:C7117298 02 96       STR             R6, [SP,#0x58+var_50]
.text:C711729A DC F8 00 60 LDR.W           R6, [R12]               ; unk_DFC4E66F
.text:C711729E 01 94       STR             R4, [SP,#0x58+var_54]
.text:C71172A0 DE F8 00 40 LDR.W           R4, [LR]                ; unk_2AD2FC11
.text:C71172A4 03 95       STR             R5, [SP,#0x58+var_4C]
.text:C71172A6 BA 68       LDR             R2, [R7,#arg_0]
.text:C71172A8 D9 F8 00 50 LDR.W           R5, [R9]
.text:C71172AC CD F8 10 80 STR.W           R8, [SP,#0x58+var_48]
.text:C71172B0 05 92       STR             R2, [SP,#0x58+var_44]
.text:C71172B2 1B 4A       LDR             R2, =(off_C719AF38 - 0xC71172B8)
.text:C71172B4 7A 44       ADD             R2, PC                  ; off_C719AF38
.text:C71172B6 12 68       LDR             R2, [R2]                ; unk_25B83385
.text:C71172B8 06 90       STR             R0, [SP,#0x58+var_40]
.text:C71172BA 1A 48       LDR             R0, =(off_C719AF3C - 0xC71172C0)
.text:C71172BC 78 44       ADD             R0, PC                  ; off_C719AF3C
.text:C71172BE 00 68       LDR             R0, [R0]                ; unk_D8E2104D
.text:C71172C0 07 91       STR             R1, [SP,#0x58+var_3C]
.text:C71172C2 19 49       LDR             R1, =(off_C719AF40 - 0xC71172C8)
.text:C71172C4 79 44       ADD             R1, PC                  ; off_C719AF40
.text:C71172C6 09 68       LDR             R1, [R1]
.text:C71172C8 CD E9 08 A3 STRD.W          R10, R3, [SP,#0x58+var_38]
.text:C71172CC CD E9 0A 64 STRD.W          R6, R4, [SP,#0x58+var_30]
.text:C71172D0 CD E9 0C 52 STRD.W          R5, R2, [SP,#0x58+var_28]
.text:C71172D4 6A 46       MOV             R2, SP
.text:C71172D6 0E 90       STR             R0, [SP,#0x58+var_20]
.text:C71172D8 4F F4 3C 70 MOV.W           R0, #0x2F0
.text:C71172DC F9 F7 52 F8 BL              VM_Entrance_loc_CDF4C384 ; R: a different number passed in selects a different code path
.text:C71172E0 12 49       LDR             R1, =(__stack_chk_guard_ptr - 0xC71172E8)
.text:C71172E2 00 98       LDR             R0, [SP,#0x58+var_58]
.text:C71172E4 79 44       ADD             R1, PC                  ; __stack_chk_guard_ptr
.text:C71172E6 0F 9A       LDR             R2, [SP,#0x58+var_1C]
.text:C71172E8 09 68       LDR             R1, [R1]                ; __stack_chk_guard
.text:C71172EA 09 68       LDR             R1, [R1]
.text:C71172EC 89 1A       SUBS            R1, R1, R2
.text:C71172EE 01 BF       ITTTT EQ
.text:C71172F0 A7 F1 18 04 SUBEQ.W         R4, R7, #-var_18
.text:C71172F4 A5 46       MOVEQ           SP, R4
.text:C71172F6 BD E8 00 07 POPEQ.W         {R8-R10}
.text:C71172FA F0 BD       POPEQ           {R4-R7,PC}
 
Compression
.text:C7117A0E EF F7 11 F9 BL              compress_sub_BF10CC34   ; R0: return address, R2: encrypted device data, R3: size; compress
.text:C7117A12 06 46       MOV             R6, R0
.text:C7117A14 DB F8 44 00 LDR.W           R0, [R11,#(dword_C71A02E4 - 0xC71A02A0)]
.text:C7117A18 DB F8 B4 10 LDR.W           R1, [R11,#(dword_C71A0354 - 0xC71A02A0)]
.text:C7117A1C 08 43       ORRS            R0, R1
.text:C7117A1E 4D F6 FD 51+MOV             R1, #0x775EDDFD
.text:C7117A1E C7 F2 5E 71
.text:C7117A26 88 42       CMP             R0, R1

Generating the AES key

Compute the MD5 of 7dfd964a-0377-4188-ada7-0758b4f7f63b; this value is decrypted from the SDK appkey
.text:C7104000
.text:C7104000             md5_sub_D5C3E000
.text:C7104000
.text:C7104000             var_1C= -0x1C
.text:C7104000             var_14= -0x14
.text:C7104000
.text:C7104000             ; __unwind { // FBF89000
.text:C7104000 F0 B5       PUSH            {R4-R7,LR}
.text:C7104002 03 AF       ADD             R7, SP, #0xC
.text:C7104004 4D F8 04 BD PUSH.W          {R11}
.text:C7104008 84 B0       SUB             SP, SP, #0x10
.text:C710400A 05 46       MOV             R5, R0
.text:C710400C 1A 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC7104016)
.text:C710400E 01 AE       ADD             R6, SP, #0x20+var_1C
.text:C7104010 0C 46       MOV             R4, R1
.text:C7104012 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C7104014 04 F1 10 01 ADD.W           R1, R4, #0x10
.text:C7104018 08 22       MOVS            R2, #8
.text:C710401A 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C710401C 00 68       LDR             R0, [R0]
.text:C710401E 03 90       STR             R0, [SP,#0x20+var_14]
.text:C7104020 30 46       MOV             R0, R6
.text:C7104022 00 F0 2F F8 BL              md5_init_sub_CB17B084
.text:C7104026 20 69       LDR             R0, [R4,#0x10]
.text:C7104028 78 22       MOVS            R2, #0x78 ; 'x'
.text:C710402A 14 49       LDR             R1, =(off_C719EE58 - 0xC7104034)
.text:C710402C C0 F3 C5 00 UBFX.W          R0, R0, #3, #6
.text:C7104030 79 44       ADD             R1, PC                  ; off_C719EE58
.text:C7104032 38 28       CMP             R0, #0x38 ; '8'
.text:C7104034 38 BF       IT CC
.text:C7104036 38 22       MOVCC           R2, #0x38 ; '8'
.text:C7104038 12 1A       SUBS            R2, R2, R0
.text:C710403A 20 46       MOV             R0, R4
.text:C710403C FF F7 C8 FB BL              md5_update_sub_D5C3D7D0
.text:C7104040 20 46       MOV             R0, R4
.text:C7104042 31 46       MOV             R1, R6
.text:C7104044 08 22       MOVS            R2, #8
.text:C7104046 FF F7 C3 FB BL              md5_update_sub_D5C3D7D0
.text:C710404A 28 46       MOV             R0, R5
.text:C710404C 21 46       MOV             R1, R4
.text:C710404E 10 22       MOVS            R2, #0x10
.text:C7104050 00 F0 18 F8 BL              md5_init_sub_CB17B084   ; R0: return value
.text:C7104054 20 46       MOV             R0, R4
.text:C7104056 58 21       MOVS            R1, #0x58 ; 'X'
.text:C7104058 A5 F7 62 EB BLX             __aeabi_memclr
.text:C710405C 08 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC7104064)
.text:C710405E 03 99       LDR             R1, [SP,#0x20+var_14]
.text:C7104060 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C7104062 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C7104064 00 68       LDR             R0, [R0]
.text:C7104066 40 1A       SUBS            R0, R0, R1
.text:C7104068 02 BF       ITTT EQ
.text:C710406A 04 B0       ADDEQ           SP, SP, #0x10
.text:C710406C 5D F8 04 BB POPEQ.W         {R11}
.text:C7104070 F0 BD       POPEQ           {R4-R7,PC}

Resulting MD5 value

C7094F80  CB C5 B0 32 9C 91 1A 82  0D F1 0C 30 6D 81 99 10
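
The listing above has the shape of RFC 1321's `MD5Final`: 8 bytes are copied out of `ctx + 0x10`, the padding length is chosen with the `0x38`/`0x78` constants, two update calls follow, 0x10 bytes of state are written out, and 0x58 bytes of context are cleared. The Python below is an added example, not code from the original article or from the SDK, that reimplements that routine and marks which instruction each step corresponds to; the names `MD5Ctx`, `pad_len`, `md5_update`, `md5_final` and `md5` are chosen here.

```python
import hashlib
import math
import struct

# RFC 1321 constants: T[i] = floor(2^32 * |sin(i + 1)|) and the per-round shifts.
T = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
PADDING = b"\x80" + b"\x00" * 63

# The string the article says is hashed (copied from the page).
UUID_FROM_PAGE = b"7dfd964a-0377-4188-ada7-0758b4f7f63b"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


class MD5Ctx:
    """Same fields as RFC 1321's MD5_CTX: 16 + 8 + 64 = 0x58 bytes in C."""

    def __init__(self):
        self.state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
        self.count = 0      # message length in bits (ctx + 0x10 in the listing)
        self.buffer = b""   # pending partial block, always shorter than 64 bytes


def _transform(state, block):
    """One 64-byte compression step."""
    x = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + T[i] + x[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & 0xFFFFFFFF
    for i, v in enumerate((a, b, c, d)):
        state[i] = (state[i] + v) & 0xFFFFFFFF


def md5_update(ctx, data):
    ctx.count = (ctx.count + 8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    data = ctx.buffer + data
    full = len(data) - len(data) % 64
    for off in range(0, full, 64):
        _transform(ctx.state, data[off:off + 64])
    ctx.buffer = data[full:]


def pad_len(count_bits):
    """Padding length computed the way the listing does it."""
    index = (count_bits >> 3) & 0x3F                 # UBFX.W R0, R0, #3, #6
    return (0x38 if index < 0x38 else 0x78) - index  # MOVS #0x78; MOVCC #0x38; SUBS


def md5_final(ctx):
    bits = struct.pack("<Q", ctx.count)              # helper call with length 8
    md5_update(ctx, PADDING[:pad_len(ctx.count)])    # first md5_update call
    md5_update(ctx, bits)                            # second md5_update call, 8 bytes
    digest = struct.pack("<4I", *ctx.state)          # helper call with length 0x10
    ctx.state, ctx.count, ctx.buffer = [0, 0, 0, 0], 0, b""  # __aeabi_memclr(ctx, 0x58)
    return digest


def md5(data):
    ctx = MD5Ctx()
    md5_update(ctx, data)
    return md5_final(ctx)


if __name__ == "__main__":
    # Print the digest for comparison with the dump at C7094F80 shown above,
    # next to the standard library's result for the same input.
    print(md5(UUID_FROM_PAGE).hex(), hashlib.md5(UUID_FROM_PAGE).hexdigest())
```

The helper that the listing labels `md5_init_sub_CB17B084` is called with lengths 8 and 0x10, which is where the RFC reference code calls its `Encode` routine.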

AES encryption

// initialize the key
.text:C70FE9E8             ; R1: KEY, R2: IV
.text:C70FE9E8             ; int __fastcall AES_initkey_sub_CDB519E8(_DWORD, _DWORD, _DWORD)
.text:C70FE9E8             var_48= -0x48
.text:C70FE9E8             var_38= -0x38
.text:C70FE9E8             var_34= -0x34
.text:C70FE9E8             var_30= -0x30
.text:C70FE9E8             var_2C= -0x2C
.text:C70FE9E8             var_24= -0x24
.text:C70FE9E8             var_14= -0x14
.text:C70FE9E8             var_10= -0x10
.text:C70FE9E8
.text:C70FE9E8             ; __unwind { // FBF89000
.text:C70FE9E8 F0 B5       PUSH            {R4-R7,LR}
.text:C70FE9EA 03 AF       ADD             R7, SP, #0xC
.text:C70FE9EC 4D F8 04 BD PUSH.W          {R11}
.text:C70FE9F0 8E B0       SUB             SP, SP, #0x38
.text:C70FE9F2 6C 46       MOV             R4, SP
.text:C70FE9F4 6F F3 03 04 BFC.W           R4, #0, #4
.text:C70FE9F8 A5 46       MOV             SP, R4
.text:C70FE9FA 06 46       MOV             R6, R0
.text:C70FE9FC 19 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC70FEA06)
.text:C70FE9FE 14 46       MOV             R4, R2
.text:C70FEA00 1A 4A       LDR             R2, =(off_C719AA44 - 0xC70FEA0C)
.text:C70FEA02 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C70FEA04 0D 46       MOV             R5, R1
.text:C70FEA06 18 49       LDR             R1, =(off_C719AA40 - 0xC70FEA12)
.text:C70FEA08 7A 44       ADD             R2, PC                  ; off_C719AA44
.text:C70FEA0A 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C70FEA0C 28 23       MOVS            R3, #0x28 ; '('
.text:C70FEA0E 79 44       ADD             R1, PC                  ; off_C719AA40
.text:C70FEA10 00 68       LDR             R0, [R0]
.text:C70FEA12 0D 90       STR             R0, [SP,#0x48+var_14]
.text:C70FEA14 08 68       LDR             R0, [R1]                ; unk_257D1632
.text:C70FEA16 11 68       LDR             R1, [R2]                ; unk_257B6842
.text:C70FEA18 15 4A       LDR             R2, =(unk_C71A71F0 - 0xC70FEA1E)
.text:C70FEA1A 7A 44       ADD             R2, PC                  ; unk_C71A71F0
.text:C70FEA1C 00 92       STR             R2, [SP,#0x48+var_48]
.text:C70FEA1E C0 22       MOVS            R2, #0xC0
.text:C70FEA20 FF F7 C6 FE BL              initkey_sub_C5D8E7B0
.text:C70FEA24 13 48       LDR             R0, =(off_C719AA34 - 0xC70FEA2E)
.text:C70FEA26 14 49       LDR             R1, =(off_C719AA38 - 0xC70FEA30)
.text:C70FEA28 14 4A       LDR             R2, =(off_C719AA3C - 0xC70FEA34)
.text:C70FEA2A 78 44       ADD             R0, PC                  ; off_C719AA34
.text:C70FEA2C 79 44       ADD             R1, PC                  ; off_C719AA38
.text:C70FEA2E 03 68       LDR             R3, [R0]                ; unk_231A4F2F
.text:C70FEA30 7A 44       ADD             R2, PC                  ; off_C719AA3C
.text:C70FEA32 05 96       STR             R6, [SP,#0x48+var_34]
.text:C70FEA34 09 68       LDR             R1, [R1]
.text:C70FEA36 06 95       STR             R5, [SP,#0x48+var_30]
.text:C70FEA38 10 68       LDR             R0, [R2]
.text:C70FEA3A CD E9 07 43 STRD.W          R4, R3, [SP,#0x48+var_2C]
.text:C70FEA3E 09 91       STR             R1, [SP,#0x48+var_24]
.text:C70FEA40 04 A9       ADD             R1, SP, #0x48+var_38
.text:C70FEA42 00 F0 1F F8 BL              AES_initkey_loc_CB175A84
.text:C70FEA46 0E 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC70FEA4E)
.text:C70FEA48 0D 99       LDR             R1, [SP,#0x48+var_14]
.text:C70FEA4A 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C70FEA4C 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C70FEA4E 00 68       LDR             R0, [R0]
.text:C70FEA50 40 1A       SUBS            R0, R0, R1
.text:C70FEA52 01 BF       ITTTT EQ
.text:C70FEA54 A7 F1 10 04 SUBEQ.W         R4, R7, #-var_10
.text:C70FEA58 A5 46       MOVEQ           SP, R4
.text:C70FEA5A 5D F8 04 BB POPEQ.W         {R11}
.text:C70FEA5E F0 BD       POPEQ           {R4-R7,PC}
 
// AES encryption
.text:C70FFB10             ; R0: initialized key, R1: data, R2: size
.text:C70FFB10             AES_Encdata_sub_C290EB10
.text:C70FFB10             ; __unwind { // FBF89000
.text:C70FFB10 F0 B5       PUSH            {R4-R7,LR}
.text:C70FFB12 03 AF       ADD             R7, SP, #0xC
.text:C70FFB14 2D E9 00 0F PUSH.W          {R8-R11}
.text:C70FFB18 8B B0       SUB             SP, SP, #0x2C
.text:C70FFB1A 00 EE 10 2A VMOV            S0, R2
.text:C70FFB1E 9F ED 64 1B VLDR            D1, =0.1
.text:C70FFB22 88 46       MOV             R8, R1
.text:C70FFB22             ; End of function AES_Encdata_sub_C290EB10
.text:C70FFB22
.text:C70FFB24             ; START OF FUNCTION CHUNK FOR sub_C7100108
.text:C70FFB24
.text:C70FFB24             loc_C70FFB24
.text:C70FFB24 00 F1 B0 04 ADD.W           R4, R0, #0xB0
.text:C70FFB28 B8 EE 40 0B VCVT.F64.U32    D0, S0
.text:C70FFB2C 6F F0 71 03 MOV             R3, #0xFFFFFF8E
.text:C70FFB30 41 F6 AE 26 MOVW            R6, #0x1AAE
.text:C70FFB34 30 EE 01 0B VADD.F64        D0, D0, D1
.text:C70FFB38 BC EE C0 0B VCVT.U32.F64    S0, D0
.text:C70FFB3C 10 EE 10 2A VMOV            R2, S0
.text:C70FFB40 03 92       STR             R2, [SP,#0x50+var_44]
.text:C70FFB42 5D 4A       LDR             R2, =(off_C719DA5C - 0xC70FFB4C)
.text:C70FFB44 00 90       STR             R0, [SP,#0]
.text:C70FFB46 00 20       MOVS            R0, #0
.text:C70FFB48 7A 44       ADD             R2, PC                  ; off_C719DA5C
.text:C70FFB4A 08 90       STR             R0, [SP,#0x50+var_30]
.text:C70FFB4C 38 20       MOVS            R0, #0x38 ; '8'
.text:C70FFB4E 15 68       LDR             R5, [R2]                ; unk_C719E810
.text:C70FFB50 5B 4A       LDR             R2, =(off_C719DA60 - 0xC70FFB56)
.text:C70FFB52 7A 44       ADD             R2, PC                  ; off_C719DA60
.text:C70FFB54 D2 F8 00 B0 LDR.W           R11, [R2]               ; unk_C719E850
.text:C70FFB58 58 4A       LDR             R2, =(off_C719DA5C - 0xC70FFB5E)
.text:C70FFB5A 7A 44       ADD             R2, PC                  ; off_C719DA5C
.text:C70FFB5C
.text:C70FFB5C             loc_C70FFB5C                            ; CODE XREF: sub_C7100108-51A↓j
.text:C70FFB5C 12 68       LDR             R2, [R2]
.text:C70FFB5E 01 92       STR             R2, [SP,#4]
.text:C70FFB60 CD F8 10 80 STR.W           R8, [SP,#0x50+var_40]
.text:C70FFB64 05 94       STR             R4, [SP,#0x50+var_3C]
.text:C70FFB66 2A E0       B               loc_C70FFBBE
.text:C70FFB68
.text:C70FFB68             loc_C70FFB68
.text:C70FFB68 5A 48       LDR             R0, =(dword_C719E9F4 - 0xC70FFB6E)
.text:C70FFB6A 78 44       ADD             R0, PC                  ; dword_C719E9F4
.text:C70FFB6C 00 68       LDR             R0, [R0]
.text:C70FFB6E 5A 48       LDR             R0, =(off_C719E9F8 - 0xC70FFB74)
.text:C70FFB70 78 44       ADD             R0, PC                  ; off_C719E9F8
.text:C70FFB72 00 68       LDR             R0, [R0]                ; dword_C709A0A0
.text:C70FFB74 0A 90       STR             R0, [SP,#0x50+var_28]
.text:C70FFB76 59 48       LDR             R0, =(off_C719E9FC - 0xC70FFB7C)
.text:C70FFB78 78 44       ADD             R0, PC                  ; off_C719E9FC
.text:C70FFB7A 00 68       LDR             R0, [R0]
.text:C70FFB7C 09 90       STR             R0, [SP,#0x50+var_2C]
.text:C70FFB7E 2E 20       MOVS            R0, #0x2E ; '.'
.text:C70FFB80 1D E0       B               loc_C70FFBBE
.text:C70FFB82
.text:C70FFB82             loc_C70FFB82
.text:C70FFB82 57 48       LDR             R0, =(off_C719EA04 - 0xC70FFB8A)
.text:C70FFB84 57 49       LDR             R1, =(dword_C71A72F8 - 0xC70FFB8C)
.text:C70FFB86 78 44       ADD             R0, PC                  ; off_C719EA04
.text:C70FFB88 79 44       ADD             R1, PC                  ; dword_C71A72F8
.text:C70FFB8A 00 68       LDR             R0, [R0]
.text:C70FFB8C 0A 68       LDR             R2, [R1]
.text:C70FFB8E 56 49       LDR             R1, =(dword_C719EA08 - 0xC70FFB96)
.text:C70FFB90 00 2A       CMP             R2, #0
.text:C70FFB92 79 44       ADD             R1, PC                  ; dword_C719EA08
.text:C70FFB94 09 68       LDR             R1, [R1]
.text:C70FFB96 05 D1       BNE             loc_C70FFBA4
.text:C70FFB98 00 F0 AA F8 BL              getdec_enc_func_sub_CDB52CF0 ; getdecencfunc
.text:C70FFB9C 02 46       MOV             R2, R0
.text:C70FFB9E 53 48       LDR             R0, =(dword_C71A72F8 - 0xC70FFBA4)
.text:C70FFBA0 78 44       ADD             R0, PC                  ; dword_C71A72F8
.text:C70FFBA2 02 60       STR             R2, [R0]
.text:C70FFBA4
.text:C70FFBA4             loc_C70FFBA4
.text:C70FFBA4 00 99       LDR             R1, [SP,#0]
.text:C70FFBA6 50 46       MOV             R0, R10
.text:C70FFBA8 90 47       BLX             R2                      ; encrypt/decrypt
.text:C70FFBAA 02 99       LDR             R1, [SP,#0x50+var_48]
.text:C70FFBAC A9 F1 02 00 SUB.W           R0, R9, #2
.text:C70FFBB0 6F F0 71 03 MOV             R3, #0xFFFFFF8E
.text:C70FFBB4 10 31       ADDS            R1, #0x10
.text:C70FFBB6 08 91       STR             R1, [SP,#0x50+var_30]
.text:C70FFBB8 06 9C       LDR             R4, [SP,#0x50+var_38]
.text:C70FFBBA 04 F1 10 08 ADD.W           R8, R4, #0x10
.text:C70FFBBE
.text:C70FFBBE             loc_C70FFBBE
.text:C70FFBBE A9 7E       LDRB            R1, [R5,#(dword_C719E828+2 - 0xC719E810)]
.text:C70FFBC0 59 43       MULS            R1, R3
.text:C70FFBC2
.text:C70FFBC2             loc_C70FFBC2
.text:C70FFBC2 81 46       MOV             R9, R0
.text:C70FFBC4
.text:C70FFBC4             loc_C70FFBC4
.text:C70FFBC4 B9 F1 36 0F CMP.W           R9, #0x36 ; '6'
.text:C70FFBC8 2C DD       BLE             loc_C70FFC24
.text:C70FFBCA C8 B2       UXTB            R0, R1
.text:C70FFBCC FC 28       CMP             R0, #0xFC
.text:C70FFBCE F9 D0       BEQ             loc_C70FFBC4
.text:C70FFBD0 B9 F1 38 0F CMP.W           R9, #0x38 ; '8'
.text:C70FFBD4 0F DB       BLT             loc_C70FFBF6
.text:C70FFBD6 4F F0 29 00 MOV.W           R0, #0x29 ; ')'
.text:C70FFBDA F2 D0       BEQ             loc_C70FFBC2
.text:C70FFBDC 01 99       LDR             R1, [SP,#4]
.text:C70FFBDE 91 F8 25 00 LDRB.W          R0, [R1,#0x25]
.text:C70FFBE2 91 F8 26 10 LDRB.W          R1, [R1,#0x26]
.text:C70FFBE6 48 43       MULS            R0, R1
.text:C70FFBE8 C0 B2       UXTB            R0, R0
.text:C70FFBEA 4C 28       CMP             R0, #0x4C ; 'L'
.text:C70FFBEC C9 D1       BNE             loc_C70FFB82
.text:C70FFBEE B5 D7       BVC             loc_C70FFB5C
.text:C70FFBF0 0C 59       LDR             R4, [R1,R4]
.text:C70FFBF2 24 8B       LDRH            R4, [R4,#0x18]
.text:C70FFBF4 0F 41       ASRS            R7, R1
.text:C70FFBF6
.text:C70FFBF6             loc_C70FFBF6
.text:C70FFBF6 40 F6 87 20 MOVW            R0, #0xA87
.text:C70FFBFA 49 46       MOV             R1, R9
.text:C70FFBFC 60 F0 8E FF BL              nop_sub_CEF29B1C
.text:C70FFC00 03 99       LDR             R1, [SP,#0x50+var_44]
.text:C70FFC02 6F F0 71 03 MOV             R3, #0xFFFFFF8E
.text:C70FFC06 08 9A       LDR             R2, [SP,#0x50+var_30]
.text:C70FFC08 8A 42       CMP             R2, R1
.text:C70FFC0A 28 BF       IT CS
.text:C70FFC0C 89 F0 10 00 EORCS.W         R0, R9, #0x10
.text:C70FFC10 02 92       STR             R2, [SP,#0x50+var_48]
.text:C70FFC12 CD E9 06 84 STRD.W          R8, R4, [SP,#0x50+var_38]
.text:C70FFC16 D2 E7       B               loc_C70FFBBE
.text:C70FFC18
.text:C70FFC18             loc_C70FFC18
.text:C70FFC18 80 FD BA EE STC             p14, c14, [R0,#0x2E8]
.text:C70FFC1C 2B AC       ADD             R4, SP, #0xAC
.text:C70FFC1E E6 1E       SUBS            R6, R4, #3
.text:C70FFC20 A7 61       STR             R7, [R4,#0x18]
.text:C70FFC20             ; END OF FUNCTION CHUNK FOR sub_C7100108
.text:C70FFC22 D2          DCB 0xD2
.text:C70FFC23 FA          DCB 0xFA
.text:C70FFC24             ; START OF FUNCTION CHUNK FOR sub_C7100108
.text:C70FFC24
.text:C70FFC24             loc_C70FFC24
.text:C70FFC24 B9 F1 2E 0F CMP.W           R9, #0x2E ; '.'
.text:C70FFC28 23 DB       BLT             loc_C70FFC72
.text:C70FFC2A B9 F1 31 0F CMP.W           R9, #0x31 ; '1'
.text:C70FFC2E BF F6 9B AF BGE.W           loc_C70FFB68
.text:C70FFC32 BB F8 5C 00 LDRH.W          R0, [R11,#(word_C719E8AC - 0xC719E850)]
.text:C70FFC36 B0 42       CMP             R0, R6
.text:C70FFC38 EE D0       BEQ             loc_C70FFC18
.text:C70FFC3A 23 48       LDR             R0, =(dword_C71A72F4 - 0xC70FFC40)
.text:C70FFC3C 78 44       ADD             R0, PC                  ; dword_C71A72F4
.text:C70FFC3E 02 68       LDR             R2, [R0]
.text:C70FFC40 3A B9       CBNZ            R2, loc_C70FFC52
.text:C70FFC42 DD E9 09 10 LDRD.W          R1, R0, [SP,#0x50+var_2C]
.text:C70FFC46 00 F0 53 F8 BL              getdec_enc_func_sub_CDB52CF0 ; getdecencfunc
.text:C70FFC4A 02 46       MOV             R2, R0
.text:C70FFC4C 1F 48       LDR             R0, =(dword_C71A72F4 - 0xC70FFC52)
.text:C70FFC4E 78 44       ADD             R0, PC                  ; dword_C71A72F4
.text:C70FFC50 02 60       STR             R2, [R0]
.text:C70FFC52
.text:C70FFC52             loc_C70FFC52
.text:C70FFC52 DD F8 18 A0 LDR.W           R10, [SP,#0x50+var_38]
.text:C70FFC56 07 99       LDR             R1, [SP,#0x50+var_34]
.text:C70FFC58 50 46       MOV             R0, R10
.text:C70FFC5A 90 47       BLX             R2                      ; decrypt
.text:C70FFC5C 1C 48       LDR             R0, =(unk_C719EA00 - 0xC70FFC64)
.text:C70FFC5E 49 46       MOV             R1, R9
.text:C70FFC60 78 44       ADD             R0, PC                  ; unk_C719EA00
.text:C70FFC62 00 68       LDR             R0, [R0]
.text:C70FFC64 40 F6 3E 20 MOVW            R0, #0xA3E
.text:C70FFC68 60 F0 58 FF BL              nop_sub_CEF29B1C
.text:C70FFC6C 6F F0 71 03 MOV             R3, #0xFFFFFF8E
.text:C70FFC70 A5 E7       B               loc_C70FFBBE
.text:C70FFC72
.text:C70FFC72             loc_C70FFC72
.text:C70FFC72 00 20       MOVS            R0, #0
.text:C70FFC74 B9 F1 29 0F CMP.W           R9, #0x29 ; ')'
.text:C70FFC78 08 90       STR             R0, [SP,#0x50+var_30]
.text:C70FFC7A 4F F0 37 00 MOV.W           R0, #0x37 ; '7'
.text:C70FFC7E DD E9 04 84 LDRD.W          R8, R4, [SP,#0x50+var_40]
.text:C70FFC82 3F F4 9C AF BEQ.W           loc_C70FFBBE
.text:C70FFC86 0F 48       LDR             R0, =(off_C719DA60 - 0xC70FFC90)
.text:C70FFC88 44 F2 EA 11 MOVW            R1, #0x41EA
.text:C70FFC8C 78 44       ADD             R0, PC                  ; off_C719DA60
.text:C70FFC8E 00 68       LDR             R0, [R0]                ; unk_C719E850
.text:C70FFC90 B0 F8 46 00 LDRH.W          R0, [R0,#(word_C719E896 - 0xC719E850)]
.text:C70FFC94
.text:C70FFC94             loc_C70FFC94
.text:C70FFC94 88 42       CMP             R0, R1
.text:C70FFC96 FD D1       BNE             loc_C70FFC94
.text:C70FFC98 05 98       LDR             R0, [SP,#0x50+var_3C]   ; encryption finished
.text:C70FFC9A 10 22       MOVS            R2, #0x10
.text:C70FFC9C 07 99       LDR             R1, [SP,#0x50+var_34]
.text:C70FFC9E 0B B0       ADD             SP, SP, #0x2C ; ','
.text:C70FFCA0 BD E8 00 0F POP.W           {R8-R11}
.text:C70FFCA4 BD E8 F0 40 POP.W           {R4-R7,LR}

After encryption (partial)


Sending a request to the server for the device fingerprint:

The network request is sent by reflecting into the Java layer

.text:C70C7244             postnet_sub_C8DF9244
.text:C70C7244
.text:C70C7244             var_D0= -0xD0
.text:C70C7244             var_CC= -0xCC
.text:C70C7244             var_C4= -0xC4
.text:C70C7244             var_C0= -0xC0
.text:C70C7244             var_70= -0x70
.text:C70C7244             var_20= -0x20
.text:C70C7244             arg_0=  8
.text:C70C7244
.text:C70C7244             ; __unwind { // C7149914
.text:C70C7244 F0 B5       PUSH            {R4-R7,LR}
.text:C70C7246 03 AF       ADD             R7, SP, #0xC
.text:C70C7248 2D E9 00 0F PUSH.W          {R8-R11}
.text:C70C724C AD B0       SUB             SP, SP, #0xB4
.text:C70C724E 04 46       MOV             R4, R0
.text:C70C7250 9C 48       LDR             R0, =(__stack_chk_guard_ptr - 0xC70C725A)
.text:C70C7252 1D 46       MOV             R5, R3
.text:C70C7254 16 46       MOV             R6, R2
.text:C70C7256 78 44       ADD             R0, PC                  ; __stack_chk_guard_ptr
.text:C70C7258 89 46       MOV             R9, R1
.text:C70C725A 00 68       LDR             R0, [R0]                ; __stack_chk_guard
.text:C70C725C 00 68       LDR             R0, [R0]
.text:C70C725E 2C 90       STR             R0, [SP,#0xD0+var_20]
.text:C70C7260 E3 F7 9E FF BL              Dec_RiskString_sub_CEE741A0
.text:C70C7264 31 78       LDRB            R1, [R6]
.text:C70C7266 70 68       LDR             R0, [R6,#4]
.text:C70C7268 11 F0 01 0F TST.W           R1, #1
.text:C70C726C 08 BF       IT EQ
.text:C70C726E 48 08       LSREQ           R0, R1, #1
.text:C70C7270 00 28       CMP             R0, #0
.text:C70C7272 00 F0 10 81 BEQ.W           loc_C70C7496
.text:C70C7276 94 48       LDR             R0, =(dword_C719E4E0 - 0xC70C7280)
.text:C70C7278 94 49       LDR             R1, =(dword_C71A4CB0 - 0xC70C7282)
.text:C70C727A 95 4B       LDR             R3, =(off_C719E4E4 - 0xC70C7288)
.text:C70C727C 78 44       ADD             R0, PC                  ; dword_C719E4E0
.text:C70C727E 79 44       ADD             R1, PC                  ; dword_C71A4CB0
.text:C70C7280 D7 F8 08 B0 LDR.W           R11, [R7,#arg_0]
.text:C70C7284 7B 44       ADD             R3, PC                  ; off_C719E4E4
.text:C70C7286 00 68       LDR             R0, [R0]
.text:C70C7288 0A 68       LDR             R2, [R1]
.text:C70C728A 18 68       LDR             R0, [R3]
.text:C70C728C 3A B9       CBNZ            R2, loc_C70C729E
.text:C70C728E 40 F2 0B 71 MOVW            R1, #0x70B
.text:C70C7292 EF F7 FD FD BL              getFunc_loc_CF103E90
.text:C70C7296 02 46       MOV             R2, R0
.text:C70C7298 8E 48       LDR             R0, =(dword_C71A4CB0 - 0xC70C729E)
.text:C70C729A 78 44       ADD             R0, PC                  ; dword_C71A4CB0
.text:C70C729C 02 60       STR             R2, [R0]
.text:C70C729E
.text:C70C729E             loc_C70C729E                            ; CODE XREF: postnet_sub_C8DF9244+48↑j
.text:C70C729E 20 46       MOV             R0, R4
.text:C70C72A0 31 46       MOV             R1, R6
.text:C70C72A2 90 47       BLX             R2                      ; NewStringUTF url
.text:C70C72A4 80 46       <