Version analysed: 33.2.5
The entry point that mssdk exposes to the libsscronet.so network library is at 0x88ee0.
Call chain of the parameter-signing routine: 0x88ee0 -> 0x87e48 -> 0x86d60 -> 0x6B14c
0x6B14c -> 0x6Db40 -> 0x73908 -> 0x7d3f0 (X-Argus)
        -> 0x73968 -> 0x7dd18 (X-Ladons)
        -> 0x73688 -> 0x811a8 (X-Gorgon)
This post only covers how the X-Gorgon parameter is generated; the core encryption routine is at 0x7e530. All offsets are relative to the load base of libmetasec_ov.so.
1. Instruction and memory tracing with unidbg
import java.io.FileOutputStream;
import java.io.PrintStream;

// emulator is the unidbg AndroidEmulator, module the loaded libmetasec_ov.so
String traceFile = "C:\\Users\\Administrator\\Desktop\\tracecode.txt";
PrintStream traceStream = new PrintStream(new FileOutputStream(traceFile), true);
// log every instruction executed inside the encryption routine (module.base + 0x7e530 .. 0x807B4)
emulator.traceCode(module.base + 0x7e530, module.base + 0x807B4).setRedirect(traceStream);
traceStream = new PrintStream(new FileOutputStream("C:\\Users\\Administrator\\Desktop\\traceread.txt"), true);
// log every memory read, over the whole address range, so any load can be searched for later
emulator.traceRead(0, 0xFFFFFFFF).setRedirect(traceStream);
traceStream = new PrintStream(new FileOutputStream("C:\\Users\\Administrator\\Desktop\\tracewrite.txt"), true);
// log every memory write, over the whole address range (this is the file the rest of the post searches)
emulator.traceWrite(0, 0xFFFFFFFF).setRedirect(traceStream);
2. Running it under unidbg
The run produces three trace files: tracecode.txt holds every instruction executed inside the 0x7e530 routine, traceread.txt and tracewrite.txt hold every memory read and write made by the whole process.
X-Gorgon string produced:
8404e0a6000006292b2e51bf21d8e270474e655a4379e5d3f7f6
3. Following how the string is built
1) First input argument (20 bytes):
0000: 12 B4 93 96 00 00 00 00 00 00 00 00 20 05 00 05 ............ ...
0010: 67 90 66 CC
The author reads these as md5(url_param) + md5(body) + SDK version + timestamp, 20 bytes in all. The dump holds five 4-byte fields, so one of the two all-zero fields is not covered by that list; the last field, 0x679066CC, is a big-endian Unix timestamp (22 January 2025, UTC). These 20 bytes are exactly what the final encryption pass processes (the length 0x14 appears later as x23 in the loop bound check).
2) Second input argument:
the output buffer, at 0x4041a6e0. It is the data buffer of a string object; the trace below reads the pointer with ldr x0, [x23, #0x10].
3) Where each output byte is written
Writes to 0x4041a6e0 .. 0x4041a6f9 extracted from tracewrite.txt. The excerpt starts at +2; the first two bytes are covered by the disassembly that follows.
Memory WRITE at 0x4041a6e2, data size = 1, data value = 0xe0, PC=RX@0x405b03d0[libmetasec_ov.so]0x803d0, LR=unidbg@0x13
Memory WRITE at 0x4041a6e3, data size = 1, data value = 0xa6, PC=RX@0x405afbd4[libmetasec_ov.so]0x7fbd4, LR=RX@0x405af5c8[libmetasec_ov.so]0x7f5c8
Memory WRITE at 0x4041a6e4, data size = 1, data value = 0x00, PC=RX@0x4066742c[libmetasec_ov.so]0x13742c, LR=RX@0x405afd88[libmetasec_ov.so]0x7fd88
Memory WRITE at 0x4041a6e5, data size = 1, data value = 0x00, PC=RX@0x4066742c[libmetasec_ov.so]0x13742c, LR=RX@0x405afd88[libmetasec_ov.so]0x7fd88
Memory WRITE at 0x4041a6e6, data size = 1, data value = 0x06, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6e7, data size = 1, data value = 0x29, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6e8, data size = 1, data value = 0x2b, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6e9, data size = 1, data value = 0x2e, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6ea, data size = 1, data value = 0x51, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6eb, data size = 1, data value = 0xbf, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6ec, data size = 1, data value = 0x21, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6ed, data size = 1, data value = 0xd8, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6ee, data size = 1, data value = 0xe2, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6ef, data size = 1, data value = 0x70, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f0, data size = 1, data value = 0x47, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f1, data size = 1, data value = 0x4e, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f2, data size = 1, data value = 0x65, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f3, data size = 1, data value = 0x5a, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f4, data size = 1, data value = 0x43, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f5, data size = 1, data value = 0x79, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f6, data size = 1, data value = 0xe5, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f7, data size = 1, data value = 0xd3, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f8, data size = 1, data value = 0xf7, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6f9, data size = 1, data value = 0xf6, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
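The rest of the post repeats one procedure by hand: find the instruction that last wrote a byte, then find who wrote the value that instruction started from, and so on back to the input. Added example, not code from the original post: a small parser for the unidbg traceWrite lines quoted above that scripts exactly that. The sample lines are the writes to 0x4041a6e6 and 0x4041a6e7 cited on this page, in time order; the regex follows the "Memory WRITE at ..." format as unidbg printed it here. Splitting multi-byte stores little-endian is an assumption (every store in this trace is a single byte).

```python
# Added example (not from the original post): parse unidbg traceWrite output and
# answer "who last wrote this byte?" and "what did it hold before that write?".
import re
from collections import defaultdict

WRITE_RE = re.compile(
    r"Memory WRITE at 0x(?P<addr>[0-9a-fA-F]+), data size = (?P<size>\d+), "
    r"data value = 0x(?P<val>[0-9a-fA-F]+), PC=(?P<pc>\S+), LR=(?P<lr>\S+)"
)
MOD_OFF_RE = re.compile(r"\[(?P<module>[^\]]+)\]0x(?P<off>[0-9a-fA-F]+)")

# Trace lines copied from this page, in the order they occurred.
SAMPLE_TRACE = """\
[10:40:11 089] Memory WRITE at 0x4041a6e6, data size = 1, data value = 0x2f, PC=RX@0x405b01cc[libmetasec_ov.so]0x801cc, LR=RX@0x405b007c[libmetasec_ov.so]0x8007c
[10:40:11 170] Memory WRITE at 0x4041a6e6, data size = 1, data value = 0xf2, PC=RX@0x405b02ac[libmetasec_ov.so]0x802ac, LR=unidbg@0x13
[10:40:11 176] Memory WRITE at 0x4041a6e6, data size = 1, data value = 0xb7, PC=RX@0x405b0334[libmetasec_ov.so]0x80334, LR=unidbg@0x13
Memory WRITE at 0x4041a6e6, data size = 1, data value = 0x06, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
Memory WRITE at 0x4041a6e7, data size = 1, data value = 0x29, PC=RX@0x405b04e8[libmetasec_ov.so]0x804e8, LR=unidbg@0x13
"""


def parse_writes(text):
    """Yield (addr, size, value, where) per write line, in file order.
    `where` is 'module+0xoffset' when unidbg resolved the PC to a module."""
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if not m:
            continue                                   # not a write record
        mo = MOD_OFF_RE.search(m.group("pc"))
        where = f"{mo.group('module')}+0x{mo.group('off')}" if mo else m.group("pc")
        yield int(m.group("addr"), 16), int(m.group("size")), int(m.group("val"), 16), where


def write_history(text, lo, hi):
    """Every write touching [lo, hi], keyed by byte address, as ordered
    (value, where) lists. Wider stores are split into bytes (assumed
    little-endian, as on AArch64) so each address has its own history."""
    hist = defaultdict(list)
    for addr, size, val, where in parse_writes(text):
        for k in range(size):
            a = addr + k
            if lo <= a <= hi:
                hist[a].append(((val >> (8 * k)) & 0xFF, where))
    return dict(hist)


def last_writer(text, addr):
    """(final value, instruction) for one byte, or None if never written."""
    hist = write_history(text, addr, addr).get(addr)
    return hist[-1] if hist else None


def value_before(text, addr, value):
    """The (value, where) of the write preceding the store of `value`, i.e. the
    operand that store started from. None if `value` was the first write."""
    hist = write_history(text, addr, addr).get(addr, [])
    for k, (v, _) in enumerate(hist):
        if v == value:
            return hist[k - 1] if k > 0 else None
    return None


if __name__ == "__main__":
    for a, writes in sorted(write_history(SAMPLE_TRACE, 0x4041a6e0, 0x4041a6f9).items()):
        print(hex(a), " -> ".join(f"0x{v:02x}@{w}" for v, w in writes))
```

Point it at the real tracewrite.txt and the chain 0x2f -> 0xf2 -> 0xb7 -> 0x06 for 0x4041a6e6, with the module offset of each writer, falls out in one call instead of three manual searches.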
Byte 1, 0x84: stored directly by the instruction at 0x81138, no computation involved. X20 is the output buffer; X19 is the 8-byte key buffer at 0xbfffdb70 (the write of 0x4a at 0x81134 is confirmed by the trace near the end of the post), so this same block also plants key bytes 0 and 2:
.text:0000000000081124 MOV W8, #0x16
.text:0000000000081128 MOV W9, #0x4A
.text:000000000008112C MOV W10, #0x84
.text:0000000000081130 STRB W8, [X19,#2]
.text:0000000000081134 STRB W9, [X19]
.text:0000000000081138 STRB W10, [X20] W10 = 0x84
Byte 2, 0x04: stored directly by the instruction at 0x805A4, no computation involved:
.text:0000000000080590 LDR X10, [X19,#0x28]
.text:0000000000080594 MOV W11, #4
.text:0000000000080598 MOV W12, #0xBB
.text:000000000008059C MOV W13, #0x160
.text:00000000000805A0 LDR X10, [X10,#0x10]
.text:00000000000805A4 STRB W11, [X10,#1] W11 = 0x04
Byte 3, 0xe0: stored at 0x803d0
[libmetasec_ov.so 0x0803c8] [ad1d4039] 0x405b03c8: "ldrb w13, [x13, #7]" x13=0xbfffdb70 => w13=0xe0   loaded from 0xbfffdb77 (key buffer + 7)
[libmetasec_ov.so 0x0803cc] [100a40f9] 0x405b03cc: "ldr x16, [x16, #0x10]" x16=0xbfffdf30 => x16=0x4041a6e0   fetch the output buffer's base address
[libmetasec_ov.so 0x0803d0] [0d0a0039] 0x405b03d0: "strb w13, [x16, #2]" w13=0xe0 x16=0x4041a6e0 => w13=0xe0   store at offset +2
So 0xe0 is read from 0xbfffdb77. Writes to 0xbfffdb77 in the trace:
Memory WRITE at 0xbfffdb77, data size = 1, data value = 0xe0, PC=RX@0x405ae648[libmetasec_ov.so]0x7e648, LR=RX@0x405ae638[libmetasec_ov.so]0x7e638
The value at 0xbfffdb77 is stored by the instruction at 0x7e648:
[libmetasec_ov.so 0x07e638] [e00a40f9] 0x405ae638: "ldr x0, [x23, #0x10]" x23=0xbfffdf30 => x0=0x4041a6e0   X23 is the string argument, X0 is the string object's data buffer, which came from malloc (its low bytes change from allocation to allocation, so the author treats them as random)
[libmetasec_ov.so 0x07e644] [087c48d3] 0x405ae644: "ubfx x8, x0, #8, #0x18" x8=0x4041a6e0 x0=0x4041a6e0 => x8=0x4041a6   bits 8..31 of the address
[libmetasec_ov.so 0x07e648] [80721f38] 0x405ae648: "sturb w0, [x20, #-9]" w0=0x4041a6e0 x20=0xbfffdb80 => w0=0x4041a6e0   stores the lowest address byte, 0xe0, at 0xbfffdb77
[libmetasec_ov.so 0x07e64c] [88321f38] 0x405ae64c: "sturb w8, [x20, #-0xd]" w8=0x4041a6 x20=0xbfffdb80 => w8=0x4041a6   stores the next address byte, 0xa6, at 0xbfffdb73
In other words, bytes 3 and 4 of X-Gorgon are two bytes of the heap address of the output buffer itself, not a function of the request. The same two bytes sit at offsets 3 and 7 of the key buffer that the key schedule below consumes, so the header carries the only per-allocation part of the key in the clear.
Byte 4, 0xa6: stored at 0x7fbd4
[libmetasec_ov.so 0x07fbc8] [692a42a9] 0x405afbc8: "ldp x9, x10, [x19, #0x20]" x9=0xaaa2 x10=0xe7700 x19=0xbfffdb90 => x9=0xbfffdb70 x10=0xbfffdf30
[libmetasec_ov.so 0x07fbcc] [290d4039] 0x405afbcc: "ldrb w9, [x9, #3]" x9=0xbfffdb70 => w9=0xa6   loads the byte 0xa6 from 0xbfffdb73
[libmetasec_ov.so 0x07fbd0] [4a0940f9] 0x405afbd0: "ldr x10, [x10, #0x10]" x10=0xbfffdf30 => x10=0x4041a6e0
[libmetasec_ov.so 0x07fbd4] [490d0039] 0x405afbd4: "strb w9, [x10, #3]" w9=0xa6 x10=0x4041a6e0 => w9=0xa6   store at offset +3
Bytes 5 and 6, 0x00 0x00: written at 0x13742c when the buffer is zero-initialised and never written again
Memory WRITE at 0x4041a6e4, data size = 1, data value = 0x00, PC=RX@0x4066742c[libmetasec_ov.so]0x13742c, LR=RX@0x405afd88[libmetasec_ov.so]0x7fd88
Memory WRITE at 0x4041a6e5, data size = 1, data value = 0x00, PC=RX@0x4066742c[libmetasec_ov.so]0x13742c, LR=RX@0x405afd88[libmetasec_ov.so]0x7fd88
The last 20 bytes, 06292b2e51bf21d8e270474e655a4379e5d3f7f6, are all stored by the instruction at 0x804e8, so that is where the encryption result lands. 0x804e8 is only the final store, though: tracing any of these bytes back shows three earlier writes (at 0x80334, 0x802ac and 0x801cc), followed below for the byte at 0x4041a6e6.
[17:49:07 930][libmetasec_ov.so 0x0804bc] [8df15f38] 0x405b04bc: "ldurb w13, [x12, #-1]" w13=0x18e x12=0x4041a6e7 => w13=0xb7   load the byte's current value, 0xb7
[17:49:07 930][libmetasec_ov.so 0x0804c0] [50040d0a] 0x405b04c0: "and w16, w2, w13, lsl #1" w2=0xffffffaa w13=0xb7 => w16=0x12a   start of the bit shuffle
[17:49:07 931][libmetasec_ov.so 0x0804c4] [6d044d0a] 0x405b04c4: "and w13, w3, w13, lsr #1" w3=0x55 w13=0xb7 => w13=0x51
[17:49:07 931][libmetasec_ov.so 0x0804c8] [0d020d2a] 0x405b04c8: "orr w13, w16, w13" w16=0x12a w13=0x51 => w13=0x17b
[17:49:07 931][libmetasec_ov.so 0x0804cc] [b0751e53] 0x405b04cc: "lsl w16, w13, #2" w16=0x12a w13=0x17b => w16=0x5ec
[17:49:07 931][libmetasec_ov.so 0x0804d0] [8d084d0a] 0x405b04d0: "and w13, w4, w13, lsr #2" w4=0x33 w13=0x17b => w13=0x12
[17:49:07 931][libmetasec_ov.so 0x0804d4] [10761a12] 0x405b04d4: "and w16, w16, #0xffffffcf" w16=0x5ec => w16=0x5cc
[17:49:07 931][libmetasec_ov.so 0x0804d8] [0d020d2a] 0x405b04d8: "orr w13, w16, w13" w16=0x5cc w13=0x12 => w13=0x5de
[17:49:07 932][libmetasec_ov.so 0x0804dc] [b01d0453] 0x405b04dc: "ubfx w16, w13, #4, #4" w16=0x5cc w13=0x5de => w16=0xd
[17:49:07 932][libmetasec_ov.so 0x0804e0] [b06d1c33] 0x405b04e0: "bfi w16, w13, #4, #0x1c" w16=0xd w13=0x5de => w16=0x5ded
[17:49:07 932][libmetasec_ov.so 0x0804e4] [0d02084a] 0x405b04e4: "eor w13, w16, w8" w16=0x5ded w8=0xffffffeb => w13=0xffffa206
[17:49:07 932][libmetasec_ov.so 0x0804e8] [8df11f38] 0x405b04e8: "sturb w13, [x12, #-1]" w13=0xffffa206 x12=0x4041a6e7 => w13=0xffffa206   stores the low byte, 0x06
The sequence above loads one byte, transforms it and writes it back. Read bit by bit: ((b << 1) & 0xaa) | ((b >> 1) & 0x55) swaps neighbouring bits, the next four instructions swap neighbouring bit pairs (effective masks 0xcc and 0x33), and the ubfx/bfi pair swaps the two nibbles; together that reverses the 8 bits. The result is XORed with w8 = 0xffffffeb, which is ~0x14, the bitwise NOT of the 20-byte length. Check: reverse(0xb7) = 0xed and 0xed ^ 0xeb = 0x06. The wider intermediate values in the trace only differ above bit 7, which sturb discards.
Next, trace where 0xb7 was written to 0x4041a6e6:
[10:40:11 176] Memory WRITE at 0x4041a6e6, data size = 1, data value = 0xb7, PC=RX@0x405b0334[libmetasec_ov.so]0x80334, LR=unidbg@0x13
Instructions leading to 0x80334:
[17:49:07 922][libmetasec_ov.so 0x080320] [50696d38] 0x405b0320: "ldrb w16, [x10, x13]" x10=0x4041a6e7 x13=0x0 => w16=0x45   load the 8th byte (the next one)
[17:49:07 923][libmetasec_ov.so 0x080324] [87f15f38] 0x405b0324: "ldurb w7, [x12, #-1]" w7=0x2f x12=0x4041a6e7 => w7=0xf2   load the 7th byte (the current one)
[17:49:07 923][libmetasec_ov.so 0x080328] [f400102a] 0x405b0328: "orr w20, w7, w16" w7=0xf2 w16=0x45 => w20=0xf7   combine
[17:49:07 923][libmetasec_ov.so 0x08032c] [f000100a] 0x405b032c: "and w16, w7, w16" w7=0xf2 w16=0x45 => w16=0x40
[17:49:07 923][libmetasec_ov.so 0x080330] [9002104b] 0x405b0330: "sub w16, w20, w16" w20=0xf7 w16=0x40 => w16=0xb7
[17:49:07 923][libmetasec_ov.so 0x080334] [90f11f38] 0x405b0334: "sturb w16, [x12, #-1]" w16=0xb7 x12=0x4041a6e7 => w16=0xb7   second write of the 7th byte
Here the current byte is combined with the next byte and written back. Since (a | b) - (a & b) == a ^ b, the three ALU instructions are an XOR written in mixed boolean-arithmetic form: 0xf2 ^ 0x45 = 0xb7.
Trace where 0xf2 was written to 0x4041a6e6:
[10:40:11 170] Memory WRITE at 0x4041a6e6, data size = 1, data value = 0xf2, PC=RX@0x405b02ac[libmetasec_ov.so]0x802ac, LR=unidbg@0x13
Instructions leading to 0x802ac:
[17:49:07 916][libmetasec_ov.so 0x080298] [87f15f38] 0x405b0298: "ldurb w7, [x12, #-1]" w7=0xca4587e7 x12=0x4041a6e7 => w7=0x2f   load the 7th byte
[17:49:07 916][libmetasec_ov.so 0x08029c] [af050091] 0x405b029c: "add x15, x13, #1" x13=0x0 => x15=0x1
[17:49:07 916][libmetasec_ov.so 0x0802a0] [ff0117eb] 0x405b02a0: "cmp x15, x23" x23=0x14 => nzcv: N=1, Z=0, C=0, V=0 x15=0x1
[17:49:07 916][libmetasec_ov.so 0x0802a4] [f07c0453] 0x405b02a4: "lsr w16, w7, #4" w16=0xd79435f w7=0x2f => w16=0x2   high nibble
[17:49:07 916][libmetasec_ov.so 0x0802a8] [f01c1c33] 0x405b02a8: "bfi w16, w7, #4, #8" w16=0x2 w7=0x2f => w16=0x2f2
[17:49:07 917][libmetasec_ov.so 0x0802ac] [90f11f38] 0x405b02ac: "sturb w16, [x12, #-1]" w16=0x2f2 x12=0x4041a6e7 => w16=0x2f2   first write (low byte 0xf2)
Here 0x2f is loaded, lsr #4 followed by bfi #4, #8 swaps its two nibbles to give 0xf2, and the byte is written back. The add/cmp against x23 = 0x14 just before it is the loop bound: i + 1 is compared with the 20-byte length, so the last byte takes a different path that this excerpt does not show.
Continue tracing: where was 0x2f written to 0x4041a6e6?
[10:40:11 089] Memory WRITE at 0x4041a6e6, data size = 1, data value = 0x2f, PC=RX@0x405b01cc[libmetasec_ov.so]0x801cc, LR=RX@0x405b007c[libmetasec_ov.so]0x8007c
Instructions leading to 0x801cc:
[17:49:07 797][libmetasec_ov.so 0x080150] [28030052] 0x405b0150: "eor w8, w25, #1" w25=0x0 => w8=0x1
[17:49:07 797][libmetasec_ov.so 0x080154] [29031f53] 0x405b0154: "ubfiz w9, w25, #1, #1" w9=0x3d w25=0x0 => w9=0x0
[17:49:07 797][libmetasec_ov.so 0x080158] [2801080b] 0x405b0158: "add w8, w9, w8" w9=0x0 w8=0x1 => w8=0x1
[17:49:07 798][libmetasec_ov.so 0x08015c] [09fd0311] 0x405b015c: "add w9, w8, #0xff" w8=0x1 => w9=0x100
[17:49:07 798][libmetasec_ov.so 0x080160] [1f010071] 0x405b0160: "cmp w8, #0" => nzcv: N=0, Z=0, C=1, V=0 w8=0x1
[17:49:07 798][libmetasec_ov.so 0x080164] [29b1881a] 0x405b0164: "csel w9, w9, w8, lt" nzcv: N=0, Z=0, C=1, V=0 w9=0x100 w8=0x1 => w9=0x1
[17:49:07 798][libmetasec_ov.so 0x080168] [295d1812] 0x405b0168: "and w9, w9, #0xffffff00" w9=0x1 => w9=0x0
[17:49:07 798][libmetasec_ov.so 0x08016c] [0801094b] 0x405b016c: "sub w8, w8, w9" w8=0x1 w9=0x0 => w8=0x1
[17:49:07 799][libmetasec_ov.so 0x080170] [0a7d4093] 0x405b0170: "sxtw x10, w8" x10=0x1 w8=0x1 => x10=0x1
[17:49:07 799][libmetasec_ov.so 0x080174] [696b6a38] 0x405b0174: "ldrb w9, [x27, x10]" x27=0xbfffda60 x10=0x1 => w9=0x4b
[17:49:07 799][libmetasec_ov.so 0x080178] [4b03094a] 0x405b0178: "eor w11, w26, w9" w26=0x0 w9=0x4b => w11=0x4b
[17:49:07 799][libmetasec_ov.so 0x08017c] [4903092a] 0x405b017c: "orr w9, w26, w9" w26=0x0 w9=0x4b => w9=0x4b
[17:49:07 799][libmetasec_ov.so 0x080180] [29791f53] 0x405b0180: "lsl w9, w9, #1" w9=0x4b => w9=0x96
[17:49:07 799][libmetasec_ov.so 0x080184] [29010b4b] 0x405b0184: "sub w9, w9, w11" w9=0x96 w11=0x4b => w9=0x4b
[17:49:07 800][libmetasec_ov.so 0x080188] [2bfd0311] 0x405b0188: "add w11, w9, #0xff" w9=0x4b => w11=0x14a
[17:49:07 800][libmetasec_ov.so 0x08018c] [3f010071] 0x405b018c: "cmp w9, #0" => nzcv: N=0, Z=0, C=1, V=0 w9=0x4b
[17:49:07 800][libmetasec_ov.so 0x080190] [6bb1891a] 0x405b0190: "csel w11, w11, w9, lt" nzcv: N=0, Z=0, C=1, V=0 w11=0x14a w9=0x4b => w11=0x4b
[17:49:07 800][libmetasec_ov.so 0x080194] [6b5d1812] 0x405b0194: "and w11, w11, #0xffffff00" w11=0x4b => w11=0x0
[17:49:07 800][libmetasec_ov.so 0x080198] [29010b4b] 0x405b0198: "sub w9, w9, w11" w9=0x4b w11=0x0 => w9=0x4b
[17:49:07 802][libmetasec_ov.so 0x08019c] [2b7d4093] 0x405b019c: "sxtw x11, w9" x11=0x0 w9=0x4b => x11=0x4b
[17:49:07 802][libmetasec_ov.so 0x0801a0] [6c6b6b38] 0x405b01a0: "ldrb w12, [x27, x11]" x27=0xbfffda60 x11=0x4b => w12=0x89
[17:49:07 802][libmetasec_ov.so 0x0801a4] [6c6b2a38] 0x405b01a4: "strb w12, [x27, x10]" w12=0x89 x27=0xbfffda60 x10=0x1 => w12=0x89
[17:49:07 802][libmetasec_ov.so 0x0801a8] [6c6b2b38] 0x405b01a8: "strb w12, [x27, x11]" w12=0x89 x27=0xbfffda60 x11=0x4b => w12=0x89
[17:49:07 802][libmetasec_ov.so 0x0801ac] [6a6b6a38] 0x405b01ac: "ldrb w10, [x27, x10]" x27=0xbfffda60 x10=0x1 => w10=0x89
[17:49:07 802][libmetasec_ov.so 0x0801b0] [0b6b7638] 0x405b01b0: "ldrb w11, [x24, x22]" x24=0x4041a6e6 x22=0x0 => w11=0x12
[17:49:07 802][libmetasec_ov.so 0x0801b4] [4d010c2a] 0x405b01b4: "orr w13, w10, w12" w10=0x89 w12=0x89 => w13=0x89
[17:49:07 803][libmetasec_ov.so 0x0801b8] [4a010c0a] 0x405b01b8: "and w10, w10, w12" w10=0x89 w12=0x89 => w10=0x89
[17:49:07 803][libmetasec_ov.so 0x0801bc] [aa010a0b] 0x405b01bc: "add w10, w13, w10" w13=0x89 w10=0x89 => w10=0x112
[17:49:07 803][libmetasec_ov.so 0x0801c0] [4a1d4092] 0x405b01c0: "and x10, x10, #0xff" x10=0x112 => x10=0x12
[17:49:07 803][libmetasec_ov.so 0x0801c4] [6a6b6a38] 0x405b01c4: "ldrb w10, [x27, x10]" x27=0xbfffda60 x10=0x12 => w10=0x3d
[17:49:07 804][libmetasec_ov.so 0x0801c8] [4a010b4a] 0x405b01c8: "eor w10, w10, w11" w10=0x3d w11=0x12 => w10=0x2f
[17:49:07 804][libmetasec_ov.so 0x0801cc] [0a6b3638] 0x405b01cc: "strb w10, [x24, x22]" w10=0x2f x24=0x4041a6e6 x22=0x0 => w10=0x2f
This loop encrypts every byte of the original input. With the mixed boolean-arithmetic tricks undone it is an RC4-style keystream generator over the 256-byte table at 0xbfffda60 (x27): (i ^ 1) + ((i & 1) << 1) at 0x80150..0x80158 is just i + 1; ((j | S[i]) << 1) - (j ^ S[i]) at 0x80178..0x80184 is j + S[i]; each add/cmp/csel/and/sub group is the compiler's signed "mod 256"; (S[i] | S[j]) + (S[i] & S[j]) at 0x801b4..0x801bc is S[i] + S[j]; and the input byte is XORed with S[(S[i] + S[j]) & 0xff] (here 0x12 ^ 0x3d = 0x2f). One difference from RC4 is visible at 0x801a4/0x801a8: both stores write w12, so S[i] receives S[j] but S[j] keeps its own value; the two entries are not swapped.
The values come from the table at 0xbfffda60, so next trace where that table is written:
[10:40:08 848] Memory WRITE at 0xbfffda60, data size = 1, data value = 0x00, PC=RX@0x405af6f4[libmetasec_ov.so]0x7f6f4, LR=unidbg@0x17a
Instruction at that address:
[17:49:05 332][libmetasec_ov.so 0x07f6f4] [776b3738] 0x405af6f4: "strb w23, [x27, x23]" w23=0xff x27=0xbfffda60 x23=0xff => w23=0xff
A loop initialises the table to 0 .. 0xff (the line above is its last iteration, i = 0xff).
Digging further, look for where 0xbfffda60 + 0x12 receives the value 0x3d:
[10:40:10 049] Memory WRITE at 0xbfffda72, data size = 1, data value = 0x3d, PC=RX@0x405afca8[libmetasec_ov.so]0x7fca8, LR=RX@0x405af5c8[libmetasec_ov.so]0x7f5c8
The store is at 0x7fca8; the surrounding loop body:
[17:49:05 579][libmetasec_ov.so 0x07fc78] [696b7638] 0x405afc78: "ldrb w9, [x27, x22]" x27=0xbfffda60 x22=0x18 => w9=0x18   load element i; it still holds i, because only S[i] is ever written and that happens at step i
[17:49:05 579][libmetasec_ov.so 0x07fc7c] [ca0a4092] 0x405afc7c: "and x10, x22, #7" x22=0x18 => x10=0x0   x10 = i & 7
[17:49:05 579][libmetasec_ov.so 0x07fc80] [6a696a38] 0x405afc80: "ldrb w10, [x11, x10]" x11=0xbfffdb70 x10=0x0 => w10=0x4a   load key[i & 7] from the 8-byte key at 0xbfffdb70
Initially w8 = 0; afterwards it holds the index j computed in the previous iteration.
[17:49:05 579][libmetasec_ov.so 0x07fc84] [0901090b] 0x405afc84: "add w9, w8, w9" w8=0xdf w9=0x18 => w9=0xf7   j + S[i]
[17:49:05 579][libmetasec_ov.so 0x07fc88] [29010a0b] 0x405afc88: "add w9, w9, w10" w9=0xf7 w10=0x4a => w9=0x141
[17:49:05 579][libmetasec_ov.so 0x07fc8c] [2afd0311] 0x405afc8c: "add w10, w9, #0xff" w9=0x141 => w10=0x240
[17:49:05 580][libmetasec_ov.so 0x07fc90] [3f010071] 0x405afc90: "cmp w9, #0" => nzcv: N=0, Z=0, C=1, V=0 w9=0x141
[17:49:05 580][libmetasec_ov.so 0x07fc94] [4ab1891a] 0x405afc94: "csel w10, w10, w9, lt" nzcv: N=0, Z=0, C=1, V=0 w10=0x240 w9=0x141 => w10=0x141
[17:49:05 580][libmetasec_ov.so 0x07fc98] [4a5d1812] 0x405afc98: "and w10, w10, #0xffffff00" w10=0x141 => w10=0x100
[17:49:05 580][libmetasec_ov.so 0x07fc9c] [34010a4b] 0x405afc9c: "sub w20, w9, w10" w9=0x141 w10=0x100 => w20=0x41
[17:49:05 580][libmetasec_ov.so 0x07fca0] [9c7e4093] 0x405afca0: "sxtw x28, w20" x28=0xdf w20=0x41 => x28=0x41   the new index j in X28
[17:49:05 580][libmetasec_ov.so 0x07fca4] [776b7c38] 0x405afca4: "ldrb w23, [x27, x28]" x27=0xbfffda60 x28=0x41 => w23=0x41   load S[j]
[17:49:05 580][libmetasec_ov.so 0x07fca8] [776b3638] 0x405afca8: "strb w23, [x27, x22]" w23=0x41 x27=0xbfffda60 x22=0x18 => w23=0x41   S[i] = S[j]: [0xbfffda60 + 0x18] = 0x41
[17:49:05 425][libmetasec_ov.so 0x07fa48] [e803142a] 0x405afa48: "mov w8, w20" w20=0x41 => w8=0x41   (from an earlier iteration, note the timestamp) j is carried into the next round
So this loop initialises the 256-entry table from the bytes at 0xbfffdb70: for i in 0..255, j = (j + S[i] + key[i & 7]) mod 256 and S[i] = S[j]. That is RC4's key schedule with an 8-byte key, except that, as in the encryption loop, only S[i] is written; no store of the old S[i] into S[j] appears in the trace, so the table is not a permutation afterwards. The traced values can be checked by hand: starting from j = 0 with key 4a 00 16 a6 47 6c 00 e0, the index after step 0x17 is 0xdf, and step 0x18 gives j = (0xdf + 0x18 + 0x4a) & 0xff = 0x41, exactly as shown.
0xbfffdb70 is an 8-byte key built per request; in this run it is 4a 00 16 a6 47 6c 00 e0. From the disassembly at 0x81130/0x81134 shown earlier (X19 = 0xbfffdb70), bytes 0 (0x4a) and 2 (0x16) are constants written by the code, and bytes 3 (0xa6) and 7 (0xe0) are the two output-buffer address bytes stored at 0x7e648/0x7e64c; where 0x47 and 0x6c come from was not traced.
Continue tracing how 0xbfffdb70 .. 0xbfffdb77 are generated:
[10:40:06 455] Memory WRITE at 0xbfffdb70, data size = 1, data value = 0x4a, PC=RX@0x405b1134[libmetasec_ov.so]0x81134, LR=RX@0x405b08f4[libmetasec_ov.so]0x808f4
I'll stop tracing here; that's how the method works.
Test code (the input below carries the timestamp 0x6790BF0C rather than the 0x679066CC of the traced run, so its output will not equal the X-Gorgon string shown above; the script also does not emit the 6-byte header, only the 20 encrypted bytes):
if __name__ == "__main__":
    # Step 1: initialise the 256-byte table (the loop at 0x7fc78 .. 0x7fca8)
    table = [i for i in range(256)]
    # input: md5(url_param)[:4] + zero fields + SDK version + timestamp (20 bytes)
    data = list(bytes.fromhex("12B493960000000000000000200500056790BF0C"))
    key = list(bytes.fromhex("4a0016a6476c00e0"))    # 8-byte key observed at 0xbfffdb70
    w8 = 0                                            # j, carried between iterations
    for i in range(len(table)):
        key_i = i & 7
        w10 = key[key_i]
        w9 = w8 + table[i]
        w9 = w9 + w10
        # the compiler's signed "mod 256": add 0xff only when negative, then drop the high bits
        w10 = w9 + 0xff
        w10 = w10 if w9 < 0 else w9
        w10 = w10 & 0xffffff00
        w20 = w9 - w10
        x28 = w20
        table[i] = table[x28]                         # only S[i] is written; S[j] is left alone
        print(i, "{0:x} <- {1:x}".format(table[i], x28))
        w8 = w20
    print(table)
    # Step 2: first encryption pass (0x80150 .. 0x801cc), RC4-style keystream XOR
    w26 = 0                                           # j
    for i in range(len(data)):
        w25 = i
        w8 = w25 ^ 1
        w9 = ((w25 & 0x1) << 1) & 0x2
        w8 = w9 + w8                                  # == i + 1
        w9 = w8 + 0xff
        w9 = w9 if w8 < 0 else w8
        w9 = w9 & 0xffffff00
        w8 = w8 - w9
        x10 = w8
        w9 = table[x10]                               # S[i]
        w11 = w26 ^ w9
        w9 = w26 | w9
        w9 = w9 << 1
        w9 = w9 - w11                                 # == j + S[i]
        w26 = w9
        w11 = w9 + 0xff
        w11 = w11 if w9 < 0 else w9
        w11 = w11 & 0xffffff00
        w9 = w9 - w11
        x11 = w9                                      # j mod 256
        w12 = table[x11]                              # S[j]
        table[x10] = w12
        table[x11] = w12                              # both stores write w12: no swap
        w10 = w12
        w11 = data[i]
        w13 = w10 | w12
        w10 = w10 & w12
        w10 = w13 + w10                               # == S[i] + S[j]
        x10 = w10 & 0xff
        w10 = table[x10]                              # keystream byte
        w10 = w10 ^ w11
        data[i] = w10
    print(data)
    # Step 3: second encryption pass (0x80298 .. 0x804e8), three writes per byte
    w2 = 0xffffffaa
    w3 = 0x55
    w4 = 0x33
    w8 = ~len(data)                                   # 0xffffffeb for a 20-byte input
    for i in range(len(data)):
        # first write: swap the two nibbles
        val = data[i]
        w16 = val >> 4
        w16 = (w16 & ~(0xFF << 4)) | ((val & 0xFF) << 4)
        data[i] = w16 & 0xff
        # second write: combine with the next byte ((a | b) - (a & b) == a ^ b);
        # the last byte is paired with the already-processed first by
        if i == len(data) - 1:
            w13 = data[0]
            w13 = w13 ^ w16
            data[i] = w13 & 0xff
        else:
            w16 = data[i + 1]
            w7 = data[i]
            w20 = w7 | w16
            w16 = w7 & w16
            w16 = w20 - w16
            data[i] = w16
        # third write: bit reversal, then XOR with ~len
        w13 = data[i]
        w16 = w2 & (w13 << 1)
        w13 = w3 & (w13 >> 1)
        w13 = w16 | w13
        w16 = w13 << 2
        w13 = w4 & (w13 >> 2)
        w16 = w16 & 0xffffffcf
        w13 = w16 | w13
        w16 = (w13 >> 4) & 0xF
        w16 = (w16 & ~(0xFFFFFFF << 4)) | ((w13 & 0xFFFFFFF) << 4)   # bfi #4, #0x1c (28-bit field)
        w13 = w16 ^ w8
        data[i] = w13 & 0xff
    print(bytes(data).hex())
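The same reconstruction with the register-level obfuscation stripped away, as an added example that is not the author's code: the mixed boolean-arithmetic identities are replaced by plain operators so the RC4 shape of the routine is visible, and the 6-byte header is assembled from the key buffer as the trace shows. The 8-byte key and every expected value come from the trace on this page. The pairing of the last byte with the already transformed first byte follows the author's test code and is an assumption the trace excerpt does not confirm; the main block prints the value for the traced input, of which only bytes 0..5 are verified against the page.

```python
# Added example (not code from the original post): de-obfuscated X-Gorgon tail.

KEY = bytes.fromhex("4a0016a6476c00e0")      # key buffer at 0xbfffdb70 in the traced run


def ksa(key: bytes) -> list:
    """Key schedule traced at 0x7fc78..0x7fca8.

    RC4's KSA would swap S[i] and S[j]; the trace shows a single store
    (strb w23, [x27, x22]), so only S[i] = S[j] happens and the table is
    no longer a permutation afterwards.
    """
    s = list(range(256))                     # loop at 0x7f6f4 writes 0..0xff
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF   # 'and x10, x22, #7' for the 8-byte key
        s[i] = s[j]
    return s


def prga_xor(s: list, data: bytes) -> bytes:
    """First pass at 0x80150..0x801cc: RC4-style keystream XORed over the input.

    Identities undone from the disassembly:
      (i ^ 1) + ((i & 1) << 1)  == i + 1
      ((a | b) << 1) - (a ^ b)  == a + b
      (a | b) + (a & b)         == a + b
    Both stores at 0x801a4/0x801a8 write the same register, so again no swap.
    """
    out = bytearray()
    j = 0
    for n in range(len(data)):
        i = (n + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i] = s[j]                          # S[j] is rewritten with its own value
        k = s[(s[i] + s[j]) & 0xFF]          # keystream byte (S[0x12] = 0x3d in the trace)
        out.append(data[n] ^ k)
    return bytes(out)


def nibble_swap(b: int) -> int:
    """First of the three writes (0x802a4..0x802ac): lsr #4 then bfi #4, #8."""
    return ((b >> 4) | (b << 4)) & 0xFF


def bit_reverse(b: int) -> int:
    """Third write (0x804c0..0x804e0): swap bit pairs, then 2-bit groups, then
    nibbles. The trace's wider intermediates only differ above bit 7."""
    b = ((b << 1) & 0xAA) | ((b >> 1) & 0x55)
    b = ((b << 2) & 0xCC) | ((b >> 2) & 0x33)
    return ((b << 4) | (b >> 4)) & 0xFF


def scramble(data: bytes) -> bytes:
    """Second pass (0x80298..0x804e8), three writes per byte.

    Write 2 is (a | b) - (a & b), i.e. a ^ b with the next, still untouched
    byte. The last byte's partner is not in the trace excerpt; as in the
    author's test code it is paired with the already transformed first byte
    (assumption).
    """
    n = len(data)
    buf = bytearray(data)
    for i in range(n):
        v = nibble_swap(buf[i])                           # write 1
        v ^= buf[i + 1] if i + 1 < n else buf[0]          # write 2
        buf[i] = bit_reverse(v) ^ ((~n) & 0xFF)           # write 3, w8 = ~len
    return bytes(buf)


def header(key: bytes) -> bytes:
    """Bytes 0..5 of the output: 0x84, 0x04, key[7], key[3], 0, 0. key[7] and
    key[3] are the output buffer's address bytes stored at 0x7e648/0x7e64c,
    so the header leaks part of that heap pointer."""
    return bytes([0x84, 0x04, key[7], key[3], 0x00, 0x00])


def x_gorgon(payload: bytes, key: bytes = KEY) -> bytes:
    """Full 26-byte value: header + scrambled output of the RC4 variant."""
    return header(key) + scramble(prga_xor(ksa(key), payload))


def mba_identities_hold() -> bool:
    """Exhaustive byte-range check of the identities used above."""
    return all(
        ((a | b) << 1) - (a ^ b) == a + b
        and (a | b) + (a & b) == a + b
        and (a | b) - (a & b) == (a ^ b)
        for a in range(256) for b in range(256)
    ) and all((i ^ 1) + ((i & 1) << 1) == i + 1 for i in range(256))


if __name__ == "__main__":
    payload = bytes.fromhex("12B49396000000000000000020050005679066CC")  # input of the traced run
    print(x_gorgon(payload).hex())
```

The intermediate values the post pulled out of the trace (S[1] = 0x4b, S[0x12] = 0x3d, S[0x18] = 0x41, S[0x4b] = 0x89 after the key schedule; 0x12 -> 0x2f in the first pass; 0x2f -> 0xf2 -> 0xb7 -> 0x06 in the second) all fall out of these functions, which is a stronger check of the reconstruction than comparing one final string.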