某手so函数分析之后的思考

0x1 分析算法
要解密的函数自身很简单,没有常用算法和复杂的逻辑,纯粹是位移操作。用 IDA 动态调试一番,确定函数的传参和返回值之后,分析得知
大致分为三步
1.cpu_clock_start() 初始化struct x的值
2.cpu_clock_x(struct x, string data, int dataLen) 循环取data的64个字节作为参数放入sub_1b80
3.sub_1b80(struct x, string data) 取data中的字符hex值与固定值进行运算将结果放入struct+0 和struct+ 4处
4.cpu_clock_release(struct x) 同上计算data中不足64字节的字符

0x2 还原算法
最后的结果要在 C# 中调用。本来觉得用 C/C++ 应该好写一点,编译成 dll 供 C# 调用;但由于长期浸淫于 Java,本来就不精通的 C 几乎都还给书籍了,最后在某大牛和无名基友的帮助下完成了 C# 版本。

/// <summary>
/// Working state shared by the cpu_clock_* routines.
/// </summary>
/// <remarks>
/// Every member is an array reference, so a copy of this struct passed by value
/// still points at the same arrays; the routines rely on that to update the
/// caller's state in place. cpu_clock_start allocates the arrays with the sizes
/// noted on each field.
/// NOTE(review): the layout (4-word state, 64-byte block buffer, 16-byte digest,
/// 64-bit bit counter) looks like an MD5-style hashing context - confirm against
/// the block transform, which is not part of this listing.
/// </remarks>
public struct cpu_clock_struct
{
    /// <summary>Chaining state; four 32-bit words.</summary>
    public uint[] key;

    /// <summary>Block buffer; 64 bytes.</summary>
    public byte[] data;

    /// <summary>Final output; 16 bytes, filled by cpu_clock_release.</summary>
    public byte[] result;

    /// <summary>Running input length in bits as two 32-bit words, low word first.</summary>
    public uint[] length;
}

    class Program
    {
        // Fixed suffix that getClock feeds into the hash after the caller's data:
        // six two-character ASCII strings (12 bytes in total), not six raw bytes.
        // NOTE(review): this behaves like a hard-coded salt. A constant shipped inside
        // a client binary is readable by anyone who holds that binary, so it should
        // not be relied on as a secret.
        private static string[] s = { "38", "27", "00", "b5", "63", "f4" };

        /// <summary>
        /// Hashes the UTF-8 bytes of <paramref name="data"/> followed by the fixed
        /// suffix in <c>s</c> and returns the 16-byte result as hex text.
        /// </summary>
        /// <param name="data">Text to hash; encoded as UTF-8 before hashing.</param>
        /// <returns>
        /// 32 hexadecimal characters, upper case, with the '-' separators produced by
        /// <c>BitConverter.ToString</c> removed.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the initial state and the padding in the sibling routines match
        /// MD5. If sub_1B80 (not shown here) is the standard MD5 block transform, this is
        /// MD5(data + suffix) - confirm. A fixed suffix embedded in the client does not
        /// authenticate the caller, and MD5 is not collision resistant.
        /// </remarks>
        public static string getClock(string data)
        {
            byte[] payload = System.Text.Encoding.UTF8.GetBytes(data);
            cpu_clock_struct ctx = cpu_clock_start();

            // Caller's data first ...
            cpu_clock_x(ctx, payload, payload.Length);

            // ... then each two-character suffix piece, one update per piece.
            foreach (string piece in s)
            {
                byte[] pieceBytes = System.Text.Encoding.UTF8.GetBytes(piece);
                cpu_clock_x(ctx, pieceBytes, 2);
            }

            // The struct copy shares its arrays with ctx, so ctx.result is filled here.
            cpu_clock_release(ctx);

            string dashed = BitConverter.ToString(ctx.result);
            return dashed.Replace("-", string.Empty);
        }

        /// <summary>
        /// Finishes the hash: pads the buffered input, runs the final block through
        /// <c>sub_1B80</c> and writes the 16-byte result into <c>cc.result</c>.
        /// </summary>
        /// <param name="cc">
        /// Hash state. It is passed by value, but its array members are shared with the
        /// caller's copy, so <c>cc.key</c>, <c>cc.length</c> and <c>cc.result</c> are
        /// updated in place.
        /// </param>
        public static void cpu_clock_release(cpu_clock_struct cc)
        {
            // length[0] counts bits; bits 3..8 give the byte count modulo 64.
            uint buffered = (cc.length[0] << 0x17) >> 0x1a;

            // Pad up to byte 56 of the current block, or of the next one when fewer
            // than 8 bytes of the current block would remain.
            uint padLength = buffered > 0x37 ? 0x78 - buffered : 0x38 - buffered;

            // A new array is already zero-filled; only the 0x80 marker byte is set.
            byte[] padding = new byte[padLength];
            padding[0] = 0x80;

            // Capture the bit count before the padding update changes cc.length.
            uint[] block = new uint[16];
            block[14] = cc.length[0];
            block[15] = cc.length[1];

            cpu_clock_x(cc, padding, (int)padLength);

            // Words 0..13: the first 56 buffered bytes, read as little-endian words.
            // NOTE(review): presumably cpu_clock_x leaves the padded tail in cc.data;
            // its body is not fully shown - confirm.
            for (int word = 0; word < 14; word++)
            {
                int at = word * 4;
                block[word] = (uint)(cc.data[at]
                                     | cc.data[at + 1] << 8
                                     | cc.data[at + 2] << 0x10
                                     | cc.data[at + 3] << 0x18);
            }

            sub_1B80(cc.key, block);

            // Serialise the four state words, least significant byte first.
            for (int word = 0; word < 4; word++)
            {
                for (int lane = 0; lane < 4; lane++)
                {
                    cc.result[word * 4 + lane] = (byte)((cc.key[word] >> (lane * 8)) & 0xFF);
                }
            }
        }

        /// <summary>
        /// Creates a fresh hash state: a zero bit count, empty buffers and the four
        /// initial state words.
        /// </summary>
        /// <returns>A state whose arrays are all newly allocated.</returns>
        /// <remarks>
        /// The four initial words are the same values MD5 (RFC 1321) starts from.
        /// </remarks>
        public static cpu_clock_struct cpu_clock_start()
        {
            return new cpu_clock_struct
            {
                key = new uint[] { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 },
                data = new byte[64],
                result = new byte[16],
                // Both counter words start at zero, the default for a new array.
                length = new uint[2],
            };
        }

        public static void cpu_clock_x(cpu_clock_struct cc, byte[] bytes, int len)
        {
            int jtmp = (int)((cc.length[0] << 23) >> 26);
            if (cc.length[0] > (len * 8 + cc.length[0]))
            {
                cc.length[1] += 1;
            }
            cc.length[0] += (uint)len << 3;
            cc.length[1] += (