常见编码:
hex
https://www.baidu.com
68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 61 69 64 75 2e 63 6f 6d
URL encode
https://www.baidu.com&it=[]
https://www.baidu.com&it=%5B%5D
Base64
https://www.baidu.com1
当字符集是 :A-Za-z0-9+/=
aHR0cHM6Ly93d3cuYmFpZHUuY29tMQ==
HTML Entry
https://www.baidu.com
https://www.baidu.com
HASH算法
CRC32-4个字节的int
https://www.baidu.com
b369f4b3
MD5- 长度为32的字符串或者为0x10大小的buffer
https://www.baidu.com
f9751de431104b125f48dd79cc55822a
SHA1-长度为40的字符串或者为0x14大小的buffer
https://www.baidu.com
354abe0fccb2fb8cf553b6eef2ce24b2f3db80d1
00000000 33 35 34 61 62 65 30 66 63 63 62 32 66 62 38 63 |354abe0fccb2fb8c|
00000010 66 35 35 33 62 36 65 65 66 32 63 65 32 34 62 32 |f553b6eef2ce24b2|
00000020 66 33 64 62 38 30 64 31 |f3db80d1|
SHA256 - 长度为64的字符串或者为0x20大小的buffer
https://www.baidu.com
bc5c3283cae3c6567656b6a52bd8b31a806da655336169b611ad9ab790581364
HMAC(和其他hash算法进行组合) - 在MAC的基础上加了key,长度还是原先的hash长度
输入:https://www.baidu.com
Key : 1234
hash算法 :SHA256
结果:f8302cfeb33852538b05738b2acaaf344dd69ae821ba0662ca4dc4e918f234ad 长度是64
对称算法
RC4
输出结果有可不见字符
输入 : https://www.baidu.com
输出 -> to hex :
00000000 b6 6c fd 31 d0 0d 72 15 fd 71 69 49 35 0f fb 09 |¶lý1Ð.r.ýqiI5.û.|
00000010 b2 34 1c cc 9d |²4.Ì.|
DES
输入:https://www.baidu.com
KEY 8个字节(UTF8) 12345678
IV 8个字节 (UTF8) 12345678
mod : CBC
输出 : fce91c20c338e9644d4f685c22775c8869fda677a4e8e9da
3-DES
输入:https://www.baidu.com
KEY 24个字节(UTF8) 123456781234567812345678
IV 16个字节 (UTF8) 12345678
mod : CBC
输出 : 6ecac81813caabfa18fce47abc20fda55b3714dade778d29
AES
key
16 bytes = AES-128
24 bytes = AES-192
32 bytes = AES-256
输入:https://www.baidu.com
KEY 16个字节(hex) 1234567812345678
IV 16个字节 (hex) 1234567812345678
mod : CBC
输出 : 015a0f4745a1d9b1427116dc994d319c437c4a19bfc7ab0746548520d2c4291d
国密SM4 - 强度相当于(略低于) AES-128
gmssl
非对称算法
RSA
https://8gwifi.org/rsafunctions.jsp
Generate RSA Key Size : 1024 bit
RSA Ciphers : RSA
Public Key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHfhIAZen9QvX2iK6krE92sNYK
8BFfb1auHrTsnAqsSjR7UO41FoC7G2WhYlaiT3B73vnspb2vwLCf7WRACx1jPyHQ
HKKRdPLLgQWCwmvExFsVi76SlL2wrwjXc1XviGT9GAAaVbjEmkPXVTSKElXsW870
AtPdqSm0vaFdiwdEvQIDAQAB
-----END PUBLIC KEY-----
Private Key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCHfhIAZen9QvX2iK6krE92sNYK8BFfb1auHrTsnAqsSjR7UO41
FoC7G2WhYlaiT3B73vnspb2vwLCf7WRACx1jPyHQHKKRdPLLgQWCwmvExFsVi76S
lL2wrwjXc1XviGT9GAAaVbjEmkPXVTSKElXsW870AtPdqSm0vaFdiwdEvQIDAQAB
AoGAJhLXHCWHSxO16kEeUkfZTJEElK5BM4Al62fVj2eJ2EBB3yUuytw38FwSgvcP
QSzxft15fXZVhz2uZEJhGV4GM6AUJdSCVNUAs4ZsWQIZ6mZAJqO55yJFSauo/6r7
wP2MXxpFXChj7Lw7MhQlVC+R61lpkKC85ruqyF22FBq0eAECQQD6Q+Af5dFOkUOL
lW3YtbJ6aNUGUJn7S1YGjcGSZ253oEJ83edXFiXM2L9wX5B3Pgbw6uiAmh3VbMRb
8R7zxtldAkEAipjoFRbr3SEicDZ76auqpBmpq3R+Gg1vG26x9XUfEs6Pz1bSf2mc
WoqzJh56ieHrfNaPeuuT5GXrJeFff1WC4QJBAIv8P3dYI3WhB3kiQmk/aO/Th6Sa
nSbVAu9zh10PAdlkCQyzSt2Jg+dLLfn7WmF4joVfwGF+00U4K7WJ79hH1/kCQAHz
KMCzM9pGjw95FMEy0xG/8q0g1G1VZwzBv+suHKPNGCTYmdmFCNgVP3P31c1+yitV
cWtPSSNbc7VyuD84WsECQEpW/50SLW5qc84BHxYwYuoSkOIBLP9JF0y6p6OU4dUZ
bfhYuSVpNrpS9i49RwyHeSPJxyDai+3hSdJuTe7TaPs=
-----END RSA PRIVATE KEY-----
明文:
https://www.baidu.com
密文
caFkORvCt4z+mkaczZfcS5cmFovoAhnaXWlic/uNXAx1rPAotF8YOMpH81cFeJy4dpdogyPbHoXVwDg7KYXRtilunVmYhlUpShgqbNen9QGRbh+4KsbV2YaJ2mTzKIM8wwvQJHhzcnFwVo1tRVRy0Sq/2JGPiYJKNpJvqeKCyKA=
ECC (椭圆曲线加密)
https://8gwifi.org/ecfunctions.jsp
压缩算法
gzip
1f 8b
zlib
78 9c
zip
50 4b
tar
开头是文件名
7z
开头 : 37 7A
7z
加密库
openssl
cryptopp 编译比较方便
chilkat 收费的
工具:
在线网站 :https://gchq.github.io/CyberChef/
例子
Base64
2-1
03-07 15:00:14.580 9448 9448 E : LUSw2f"u$crfZN!~ -> TFVTdzJmInUkY3JmWk4hfg==
03-07 15:00:14.926 9448 9448 E : 4(BRi:]HmLr2*D1W -> NChCUmk6XUhtTHIyKkQxVw==
03-07 15:00:15.139 9448 9448 E : pVKz-#1S*l!N{{Qh -> cFZLei0jMVMqbCFOe3tRaA==
03-07 15:00:17.051 9448 9448 E : 6rwx\$EPg*?a3rH -> IDZyd3hcJEVQZyo/YTNySA==
03-07 15:00:17.237 9448 9448 E : zS>~qz6\gu~G@6u3 -> elM+fnF6NlxndX5HQDZ1Mw==
03-07 15:00:17.406 9448 9448 E : `\sltOF@W-2^SJ"r -> YFxzbHRPRkBXLTJeU0oicg==
03-07 15:00:17.550 9448 9448 E : q|L*SS0%|vCq(># -> cXxMKlNTMCV8dkNxKD4jIA==
从输出看是Base64,验证也是Base64
2-2
03-07 15:02:41.982 9804 9804 E : H1NS0mbu`D@_`VM{ -> iaFeksYqEVl5hbYUEF1dTI==
03-07 15:02:42.232 9804 9804 E : R}u% J Rx@H_Wf9& -> kVuu0iYczF0Ogb6UlvEP05==
03-07 15:02:42.452 9804 9804 E : )8SCkdhx4^YK,hbk -> cj6jgvq9KH5tD++mmG67KI==
03-07 15:02:42.620 9804 9804 E : %l&gz"6B'l?h>xK2 -> 0CI/1wW7d9zVLaxWfV6mB5==
03-07 15:02:42.764 9804 9804 E : ^.vRsq,gl}TUDG:N -> D7PvkVdJmGNpUlhlhbMQj5==
03-07 15:02:42.891 9804 9804 E : 1A&<T(@J%;'kt`Bj -> Bkb/fFgWgbW+erNoNGYZK5==
看结果是base64,但是验证时候不是正确
看so 分析后,开发实现的base64使用的字符集与原始base64的不同
2-3
03-07 15:15:38.556 10033 10033 E : Mbzi&\}{@[pPtpI!;-:hJT]Q=FYJ/<' -> \.mNrsR{kT~^.pFuzVFmU\h~wW*KZ-Gtv[RRs)LLm&==
03-07 15:15:38.759 10033 10033 E : W6dq^H|ih?CPhj>yY9W_>l>mk}p -> ^MV#^KQo(\+rL|qv(+bh^#K^CHbYkKzvtC"
03-07 15:15:38.920 10033 10033 E : ng#t(uj_94}7]{-D=Ql(WA -> T^r!sL#N{QEFq_Ay]]aw}fN}TL#]||==
03-07 15:15:39.071 10033 10033 E : Bfs/J\9C)shOZl.G#9 -> xZ_DTEqvzVtqv|'{#Z+py=tB
03-07 15:15:39.215 10033 10033 E : 6U4h1sa%lvhl"'mp}MqwWH -> qQRA{f$@ZzSas^#a\ swr_Nqr]s]zW==
03-07 15:15:39.367 10033 10033 E : !cb0x.nAF{v]+ylO!~U_BuNi -> R).~QMzZ *+kwU}Lw_o[7*a]]`B}\H{
03-07 15:15:39.502 10033 10033 E : mb>UlHat```.joo~.xH}v{R;7~>jE'^ -> ].UfZ.4USTtJS,^}rWgQk)OPsVGqlGUMxpPfr'[eTJ==
03-07 15:15:39.638 10033 10033 E : 4[DXMJ=JJd/5h\1`="&z<T=8SKn:#we -> x-~n.nGKv[|KRELGr-&4SoH)me/LZoHP[H~}w)xpRu==
看起来还是Base64的,因为结尾是 == ,但是有特殊符号,字符集应该是被换掉了
找到字符集被替换掉了
同时还对字符集进一个步异或
2-4
03-07 15:27:04.716 10225 10225 E : rt^#kgG(mJquBk=gb*a:(@@4%}I -> dakhJuaak45zla2CjSwcMuJnLX0+jjALrPXi
03-07 15:27:05.875 10225 10225 E : 6I;5ej_fhXM.s#myf -> g)8Cg EdKM!1`Wsd>gpb ]=
03-07 15:27:06.070 10225 10225 E : H3o"eWr?Cli^N}!%g=b8' -> leg[J]E^d"xeB&GfCoW r$dmL"Uo
03-07 15:27:06.231 10225 10225 E : #BK)&;3FX7h/uW"YfAH&&!CZn{eVx9 -> JIrXTrLLfIMRgpUPe[d(1/MGlDLVJZgsBdaYEdUN
03-07 15:27:06.400 10225 10225 E : b 9kcFyc+[Ot3D"J47b!>sL&$ZH% -> L*ALmrg/s-fj1KxKfKj*l+jsL*qedK9Tr.cVnv==
03-07 15:27:06.569 10225 10225 E : iK{]@\:TI=FVBbBu51!Dc1n=qF -> m^aHK^Y~h]khi^M+jRr@eYD1J^k-f+Ob~^V=
03-07 15:27:06.713 10225 10225 E : Egxp+8qMN}c=G-w[Q\l@"{; -> k&eXdMwXdSXt&fok8Xx1O2sBfA!dA`=
03-07 15:27:06.832 10225 10225 E : p;;*^*?qZQ*fOddcYH<u?LQ&_f}p -> dlwNT[Oiis2qDpcTCrk$LDGViUD(C.qTKrMdx]==
看起来还是Base64的,因为结尾是 == ,但是有特殊符号,字符集应该是被换掉了
同时修改了算法中的一个异或
CRC32
3-1
03-07 15:46:27.949 10506 10506 E : GUkUBWTdkVGrLgUHVFbaTYTGgVkAz -> 375ede52
03-07 15:46:28.092 10506 10506 E : txppliIKqXzMARNGBSHO -> f131ab1e
03-07 15:46:28.236 10506 10506 E : ESTYyfPSmperYJHL -> 94e64387
03-07 15:46:28.388 10506 10506 E : yZCCYkScIsQJHjeRQ -> 8760400a
03-07 15:46:28.540 10506 10506 E : LPTWaSaZdfBwvKwUKvkBm -> 4b36cbdf
03-07 15:46:28.760 10506 10506 E : qNgArdUjvEzQMRWbJpPJwqDYf -> 6714d7bf
结果是4个字符,看起来是CRC32 ,校验之后,是CRC32
看so文件,这里CRC32使用一个常量表实现的
.rodata:00016974 dword_16974 DCD 0, 0x77073096, 0xEE0E612C, 0x990951BA, 0x76DC419, 0x706AF48F
.rodata:00016974 ; DATA XREF: .text:00008D1A↑o
.rodata:00016974 ; .text:off_8D20↑o ...
.rodata:00016974 DCD 0xE963A535, 0x9E6495A3, 0xEDB8832, 0x79DCB8A4, 0xE0D5E91E
.rodata:00016974 DCD 0x97D2D988, 0x9B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91
.rodata:00016974 DCD 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D
.rodata:00016974 DCD 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856, 0x646BA8C0
.rodata:00016974 DCD 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63
.rodata:00016974 DCD 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172
.rodata:00016974 DCD 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, 0x35B5A8FA
.rodata:00016974 DCD 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75
.rodata:00016974 DCD 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A, 0xC8D75180
.rodata:00016974 DCD 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F
.rodata:00016974 DCD 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87
.rodata:00016974 DCD 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190, 0x1DB7106
.rodata:00016974 DCD 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x6B6B51F, 0x9FBFE4A5
.rodata:00016974 DCD 0xE8B8D433, 0x7807C9A2, 0xF00F934, 0x9609A88E, 0xE10E9818
.rodata:00016974 DCD 0x7F6A0DBB, 0x86D3D2D, 0x91646C97, 0xE6635C01, 0x6B6B51F4
.rodata:00016974 DCD 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B
.rodata:00016974 DCD 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA
.rodata:00016974 DCD 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65
.rodata:00016974 DCD 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541
.rodata:00016974 DCD 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A, 0x346ED9FC
.rodata:00016974 DCD 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F
.rodata:00016974 DCD 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086
.rodata:00016974 DCD 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F, 0x5EDEF90E
.rodata:00016974 DCD 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81
.rodata:00016974 DCD 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6, 0x3B6E20C
.rodata:00016974 DCD 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x4DB2615, 0x73DC1683
3-2
03-07 15:48:05.074 10607 10607 E : GtoBDCkJQMVjIzKz -> 3d2f76f
03-07 15:48:05.237 10607 10607 E : qdOrzEsWeVZnpTrTkVXxbWExcD -> 2f4a9c29
03-07 15:48:05.379 10607 10607 E : DflTSrmokDsnJxcvNBSxlhzvuQr -> c376459
03-07 15:48:05.514 10607 10607 E : zJCTEpEkbIIPNEwOQtMsBnxPH -> a4658bab
03-07 15:48:05.650 10607 10607 E : zgIJZWDPDAjUTIUCyRFbVu -> b546a51f
03-07 15:48:05.769 10607 10607 E : GcajlQAEMOCSHeJWGhvekwdCTVlf -> 22210b4f
03-07 15:48:05.846 10607 10607 E : WKlSIyjjRjptQGibYhBCRT -> 287c8bcc
03-07 15:48:05.963 10607 10607 E : DuxjnrFzDJNpdGNvVgHsfcdXdLNGUa -> 993fa282
结果是4个字符,看起来是CRC32 ,校验之后,是CRC32
看so文件,CRC的常量使用代码实现的
for ( i = 0; i != 256; ++i )
{
v1 = 8;
v2 = i;
while ( v1 )
{
v3 = (v2 >> 1) ^ 0xEDB88320;
if ( !(v2 << 31) )
v3 = v2 >> 1;
--v1;
v2 = v3;
}
dword_1B064[i] = v2;
}
3-3
03-07 15:55:29.335 10765 10765 E : bKtRXBHjvVjxjpoSqL -> 9979b87c
03-07 15:55:29.513 10765 10765 E : aiGqAkJWyVjSFDjSXYvabI -> 1fb3752
03-07 15:55:29.674 10765 10765 E : gYkYtrnVKIXMIXAzXCxPbWdrGPS -> 8326bb40
03-07 15:55:29.817 10765 10765 E : hidceunCubaQGjzhARAZCSPirb -> f105cbcd
03-07 15:55:29.996 10765 10765 E : skkwBazFSWNJmEyygwDTBqYu -> a866fb26
03-07 15:55:30.147 10765 10765 E : HAHOSvGzwAsxsUGgdbfaRwFgY -> 45168ca5
03-07 15:55:30.334 10765 10765 E : OtotgIwKBQPprfWMFqVwisj -> aee9d1be
03-07 15:55:30.452 10765 10765 E : YiNcqLfSdPkuhesREsSAPmCBEaQb -> 67bda576
结果是4个字符,看起来是CRC32 ,校验之后,不是,看so文件
生成常量的值是自定义的
for ( i = 0; i != 256; ++i )
{
v1 = 8;
v2 = i;
while ( v1 )
{
v3 = (v2 >> 1) ^ 0xEDB88310; //这个值和标准CRC32不一样
if ( !(v2 << 31) )
v3 = v2 >> 1;
--v1;
v2 = v3;
}
dword_1B064[i] = v2;
}
3-4
03-07 15:59:05.377 10890 10890 E : GRqWFUSuwBJbQvQFUlrDGbItNGkiuQl -> f9e8402
03-07 15:59:05.521 10890 10890 E : EREXKssTnjEfOlbofNzsGJifufpjdf -> b1075595
03-07 15:59:05.665 10890 10890 E : QGmObPRWWyLWfewdWFpwFT -> 7eaaa64c
03-07 15:59:06.013 10890 10890 E : lJWFBLCeXfCehGdVXfsbEQiBIA -> 84c0d09d
03-07 15:59:06.182 10890 10890 E : zLBrwTVucdBmuhGwmyYDg -> 6516b297
03-07 15:59:06.335 10890 10890 E : MylVCCpzCJCNPvUeEVKpMkErEIuQ -> 1c413ae8
03-07 15:59:06.478 10890 10890 E : TYocdoDIiEZHNHCRpNzqzXTkwxAJ -> 29e838ea
结果是4个字符,看起来是CRC32 ,校验之后,不是,看so文件
自定义的CRC32,在计算时多了一个异或 ^ 0x29
MD5
4-1
03-07 16:05:26.982 11049 11049 E : uwgXILMiMQdDpHLnbKySgsCTcAzuBu -> bd710db8323a893701e5553720c46491
03-07 16:05:27.125 11049 11049 E : rWSgQHVDfUpQofzpwzPnujfmGOMbU -> aef2973473764ebfcf1ee77e9bf0436d
03-07 16:05:27.277 11049 11049 E : JqwrblkPEPkGwPMmCTkqkDcUnpVY -> a812bf30fb96ba51611bfae8d8eec35d
03-07 16:05:27.413 11049 11049 E : vSZcRVqpQuljMWiednLKjrFhsDRG -> 9e2f11977c78ec3836d2b4891f14d1c1
03-07 16:05:27.625 11049 11049 E : gYPvmSuxazxCBZwqOyULPPOFTyicuX -> 7a639e25c83bf973dc3783020bc101b0
03-07 16:05:27.751 11049 11049 E : VwWykdeOoSbENTcfLNRzQHs -> 4adf1921a8c58f419d9190f50682aa7c
03-07 16:05:27.895 11049 11049 E : bHWnSQjIwAMuHyVkYHpJwIKVeqpuHrb -> 7d5e0f3576d9f989bdf0eb86171b722d
输出为32个数字,看起来是md5,但是验证之后不是md5,看so文件
存在几个常量 ,这些常量是md5中的
v9 = 0x98BADCFE;
v10 = 0x10325476;
v7 = 0x67452301;
v8 = 0xEFCDAB89;
后又发现又updata了一些字符:意思就是把需要加密的字符串和一些常量字符串拼接在一起加密了
4-2
03-07 16:16:09.408 11258 11258 E : qORLfRMuSTNGxRbqzDdnkTSAifxn -> 3d26f6a1e5af04c261ae7df66671fee7
03-07 16:16:09.755 11258 11258 E : FeJbFSXypIpDYuLKEbpMJvwsX -> e3edabb6b76c733ec6e57bd26e092789
03-07 16:16:09.889 11258 11258 E : CekTQsHJgeWtutiDZYpemraFuc -> e45fe8beaf128a849695f8fed3e36268
03-07 16:16:10.042 11258 11258 E : AmQEdZGttcplkEJX -> 89574977806dfba081ddb8758b819ca1
03-07 16:16:10.195 11258 11258 E : ZAYUZBmfXpLevSqGNO -> 582a93de56b83a41a578725b2ef16161
03-07 16:16:10.337 11258 11258 E : LHIXtsDVmplIRrYqnLCBnddyQ -> 798077d428f1a71833f2cd20f4855875
03-07 16:16:10.473 11258 11258 E : RBAFzCxRlqGcufHDeVuUNRng -> afcc707c74aa89355a5a8a642e7aa3f9
03-07 16:16:10.592 11258 11258 E : vLokJerUXhvtNhqrHiBHI -> 9e1044298c7773255da716041c19d18f
输出为32个数字,看起来是md5,但是验证之后不是md5,看so文件,发现常量值被替换了
v9 = 0xBA98FEDC;
v10 = 0x32107654;
v7 = 0x45670123;
v8 = 0xCDEF89AB;
4-3
03-07 16:26:02.722 11539 11539 E : PkOyuirVoMmUxXfXxwarslgoBJxO -> c31c0eacb40fa259b2f8704313718fe7
03-07 16:26:02.875 11539 11539 E : TBkBfVZyqZinvxaKkEQpwGPBu -> 7097fbdff813b69d05595d163d347333
03-07 16:26:03.018 11539 11539 E : FUkDTpKnCSRpOYGqSmonJMDkl -> d5928921638bbb7b20fb66ed0736f833
03-07 16:26:03.171 11539 11539 E : ApTxYSaCVSGbPIsRMTrAhzwn -> e817ee9af0c30697b11f424b72095799
03-07 16:26:03.298 11539 11539 E : BsVWpeSfXbCeHcRRYqfZmUsr -> 30dec6fe01f2a4e5c69d09833af4d4cb
03-07 16:26:03.441 11539 11539 E : HSkMvHvkYpodxKLJsZxFnEfjqT -> 650e89afc08cbff257fb5b7c83cc52e8
03-07 16:26:03.619 11539 11539 E : wGUjlxvgoYjBodOHMHwdPSED -> f9403133c6acf212501104bff1ef286e
输出为32个数字,看起来是md5,但是验证之后不是md5,看so文件,发现是ollvm混淆的
通过 frida(指定输入)和ida trace ,运行两个,通过文件对比工具,看差异部分
4-4
md5的常量值被替换了
3002
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
