还原 lamoda so算法笔记

[15:05:19 047]result, md5=af22f9686e00ae387cce3e46ea3f4c6d, hex=000000000000000000000000000000001c0c88645a91fb5e5ab281c6e76bc335aa3a0138eb86ef1ad422dbf86018dedb51659d67bf8a9ff8939d07e40a1d8aa58b3887d2b9f14325465db2f124f8040ab0034838f62ff8b6b19992fadb7aba88
size: 96
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 1C 0C 88 64 5A 91 FB 5E 5A B2 81 C6 E7 6B C3 35 ...dZ..^Z....k.5
0020: AA 3A 01 38 EB 86 EF 1A D4 22 DB F8 60 18 DE DB .:.8....."..`...
0030: 51 65 9D 67 BF 8A 9F F8 93 9D 07 E4 0A 1D 8A A5 Qe.g............
0040: 8B 38 87 D2 B9 F1 43 25 46 5D B2 F1 24 F8 04 0A .8....C%F]..$...
0050: B0 03 48 38 F6 2F F8 B6 B1 99 92 FA DB 7A BA 88 ..H8./.......z..

[15:07:49 823]SetByteArrayRegion array=[B@4b952a2d, start=0, length=16, buf=unidbg@0xbffff320, md5=4ae71336e44bf9bf79d2752e234818a5, hex=00000000000000000000000000000000
size: 16
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
^-----------------------------------------------------------------------------^
[15:07:49 823] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$12:200) - ExceptionOccurred: 0x0
JNIEnv->SetByteArrayRegion([B@4b952a2d, 16, 48, unidbg@0xbffff330) was called from RX@0x4007668c[libsigner.so]0x7668c

>-----------------------------------------------------------------------------<
[15:07:49 824]SetByteArrayRegion array=[B@4b952a2d, start=16, length=48, buf=unidbg@0xbffff330, md5=50f96e2116312900ace491069a3b651a, hex=1c0c88645a91fb5e5ab281c6e76bc335aa3a0138eb86ef1ad422dbf86018dedb51659d67bf8a9ff8939d07e40a1d8aa5
size: 48
0000: 1C 0C 88 64 5A 91 FB 5E 5A B2 81 C6 E7 6B C3 35 ...dZ..^Z....k.5
0010: AA 3A 01 38 EB 86 EF 1A D4 22 DB F8 60 18 DE DB .:.8....."..`...
0020: 51 65 9D 67 BF 8A 9F F8 93 9D 07 E4 0A 1D 8A A5 Qe.g............
^-----------------------------------------------------------------------------^
[15:07:49 824] DEBUG [com.github.unidbg.linux.android.dvm.DalvikVM64] (DalvikVM64$12:200) - ExceptionOccurred: 0x0
JNIEnv->SetByteArrayRegion([B@4b952a2d, 64, 32, unidbg@0xbffff360) was called from RX@0x4007668c[libsigner.so]0x7668c

>-----------------------------------------------------------------------------<
[15:07:49 824]SetByteArrayRegion array=[B@4b952a2d, start=64, length=32, buf=unidbg@0xbffff360, md5=5400590de16040020fd5e074478f6e01, hex=8b3887d2b9f14325465db2f124f8040ab0034838f62ff8b6b19992fadb7aba88
size: 32
0000: 8B 38 87 D2 B9 F1 43 25 46 5D B2 F1 24 F8 04 0A .8....C%F]..$...
0010: B0 03 48 38 F6 2F F8 B6 B1 99 92 FA DB 7A BA 88 ..H8./.......z..
^-----------------------------------------------------------------------------^

 

 

第一段 随机数：
[15:07:49 823]SetByteArrayRegion array=[B@4b952a2d, start=0, length=16, buf=unidbg@0xbffff320, md5=4ae71336e44bf9bf79d2752e234818a5, hex=00000000000000000000000000000000
size: 16
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

第二段
aes cbc
iv = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
key = (0xbffff0e0 =>> 0xbac >> sub_B80 args2 ) ==>( sub_B80 args2 0xbffff270 ==>> 0x7b278 =>> 0xbffff250 == >> 0x7aa70 data_search("cd8eec8a99167f9a03ce8f2df5e147f2b97d763f35d42126d193247fd67640a1"))
key 像是 hash ===>>> (使用 sha256 trace 中 IV 和address 找魔改IV 0x7aac4 sha256_init sha256_update sha256_final )
0000: CD 8E EC 8A 99 16 7F 9A 03 CE 8F 2D F5 E1 47 F2 ...........-..G.
0010: B9 7D 76 3F 35 D4 21 26 D1 93 24 7F D6 76 40 A1 .}v?5.!&..$..v@.
message : (0xbffff330)
0000: 00 00 00 00 00 00 00 00 6D BB A0 55 33 A4 CC 8F ........m..U3...
0010: 4A 19 5B F3 F3 6A F7 28 71 FA B9 AB C3 B0 A9 A8 J.[..j.(q.......
0020: 80 ED FB 55 3F 59 AB 40
result :
00000000 1c 0c 88 64 5a 91 fb 5e 5a b2 81 c6 e7 6b c3 35 |...dZ.û^Z².ÆçkÃ5|
00000010 aa 3a 01 38 eb 86 ef 1a d4 22 db f8 60 18 de db |ª:.8ë.ï.Ô"Ûø`.ÞÛ|
00000020 51 65 9d 67 bf 8a 9f f8 93 9d 07 e4 0a 1d 8a a5 |Qe.g¿..ø...ä...¥|

sha256:
第一次：
[09:11:57 180]sha256 update:RW@0x4008d000, md5=7ecb0a66d6451436d256cdcb8076a63e, hex=626e726b667a796d7a796a70
size: 12
0000: 62 6E 72 6B 66 7A 79 6D 7A 79 6A 70 bnrkfzymzyjp

[09:11:57 184]sha256 update:RW@0x4008d000, md5=f6c3b2cb63f979cad00d410b8b890609, hex=514b51312e3139303832382e30303220746573742d6b657973
size: 25
0000: 51 4B 51 31 2E 31 39 30 38 32 38 2E 30 30 32 20 QKQ1.190828.002
0010: 74 65 73 74 2D 6B 65 79 73 test-keys

[09:11:57 186]sha256 update:RW@0x4008d000, md5=eab1f499815932401b1e7089d392f60e, hex=323032332d30342d30325431323a34333a32332e3438365a2b30383030
size: 29
0000: 32 30 32 33 2D 30 34 2D 30 32 54 31 32 3A 34 33 2023-04-02T12:43
0010: 3A 32 33 2E 34 38 36 5A 2B 30 38 30 30 :23.486Z+0800

[09:11:57 189]sha256 update:RW@0x4008d000, md5=fd89784e59c72499525556f80289b2c7, hex=70726f64756374696f6e
size: 10
0000: 70 72 6F 64 75 63 74 69 6F 6E production

[09:11:57 191]sha256 update:RW@0x4008d000, md5=2f97fd77cdb9d41ae58d09ec31e2f019, hex=636f6d2e6c616d6f64612e6c697465
size: 15
0000: 63 6F 6D 2E 6C 61 6D 6F 64 61 2E 6C 69 74 65 com.lamoda.lite

[09:11:57 192]sha256 update:RW@0x4008d000, md5=3c13db96509bcd78b9569059eb6c1efb, hex=39623866303338303135353638646662
size: 16
0000: 39 62 38 66 30 33 38 30 31 35 35 36 38 64 66 62 9b8f038015568dfb

[09:11:57 197]sha256 update:RW@0x4008d000, md5=4119639092e62c55ea8be348e4d9260d, hex=6576656e74
size: 5
0000: 65 76 65 6E 74 event

[09:11:57 199]sha256 update:RW@0x4008d000, md5=0c3761868e40f07ce0f007e6fa92c531, hex=616e64726f6964342e33332e32
size: 13
0000: 61 6E 64 72 6F 69 64 34 2E 33 33 2E 32 android4.33.2


input :
00000000 62 6e 72 6b 66 7a 79 6d 7a 79 6a 70 51 4b 51 31 |bnrkfzymzyjpQKQ1|
00000010 2e 31 39 30 38 32 38 2e 30 30 32 20 74 65 73 74 |.190828.002 test|
00000020 2d 6b 65 79 73 32 30 32 33 2d 30 34 2d 30 32 54 |-keys2023-04-02T|
00000030 31 32 3a 34 33 3a 32 33 2e 34 38 36 5a 2b 30 38 |12:43:23.486Z+08|
00000040 30 30 70 72 6f 64 75 63 74 69 6f 6e 63 6f 6d 2e |00productioncom.|
00000050 6c 61 6d 6f 64 61 2e 6c 69 74 65 39 62 38 66 30 |lamoda.lite9b8f0|
00000060 33 38 30 31 35 35 36 38 64 66 62 65 76 65 6e 74 |38015568dfbevent|
00000070 61 6e 64 72 6f 69 64 34 2e 33 33 2e 32 |android4.33.2|

iv :
h0 = 0xd9a3ddc0
h1 = 0x1e54feb3
h2 = 0x36e6643d
h3 = 0x139534ab
h4 = 0xefac33fa
h5 = 0x3a08f627
h6 = 0xe70faa8
h7 = 0xa294be05
output :
6dbba055 33a4cc8f 4a195bf3 f36af728 71fab9abc3b0a9a880edfb553f59ab40


第二次 sha256:
intput:
[09:11:57 250]sha256 update:unidbg@0xbffff460, md5=2af4ff57c73bddb536ad3b508b7a4f9c, hex=c0dda3d9b3fe541e3d64e636ab349513
size: 16
0000: C0 DD A3 D9 B3 FE 54 1E 3D 64 E6 36 AB 34 95 13 ......T.=d.6.4..
==>> 0xbffff460 ==> 0x7fa90 硬编码
output： cd8eec8a99167f9a03ce8f2df5e147f2b97d763f35d42126d193247fd67640a1

第三次 sha256:
intput：
[09:11:57 251]sha256 update:unidbg@0xbffff470, md5=e5d00ad4e57439cb40b64c05732b8ef6, hex=fa33acef27f6083aa8fa700e05be94a2
size: 16
0000: FA 33 AC EF 27 F6 08 3A A8 FA 70 0E 05 BE 94 A2 .3..'..:..p.....
==>> 0xbffff470 == >> 0x7fa90
output: 668cc91f8882ab0dee416985c9fae8fb0c520d8fc8d48038dfa81388ca8b70a2

第四次:
intput:
[09:11:57 263]sha256 update:unidbg@0xbfffef90, md5=eeb76d450ad5b6f2a63353ad3f91749a, hex=50baff29beb49d3bd8775fb3ffccdecd3a643bb9fee2b60ee99e25befcbd46943636363636363636363636363636363636363636363636363636363636363636
size: 64
0000: 50 BA FF 29 BE B4 9D 3B D8 77 5F B3 FF CC DE CD P..)...;.w_.....
0010: 3A 64 3B B9 FE E2 B6 0E E9 9E 25 BE FC BD 46 94 :d;.......%...F.
0020: 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
0030: 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
[09:11:57 264]sha256 update:unidbg@0xbffff330, md5=50f96e2116312900ace491069a3b651a, hex=1c0c88645a91fb5e5ab281c6e76bc335aa3a0138eb86ef1ad422dbf86018dedb51659d67bf8a9ff8939d07e40a1d8aa5
size: 48
0000: 1C 0C 88 64 5A 91 FB 5E 5A B2 81 C6 E7 6B C3 35 ...dZ..^Z....k.5
0010: AA 3A 01 38 EB 86 EF 1A D4 22 DB F8 60 18 DE DB .:.8....."..`...
0020: 51 65 9D 67 BF 8A 9F F8 93 9D 07 E4 0A 1D 8A A5 Qe.g............

第五次:
intput :
[09:11:57 264]sha256 update:unidbg@0xbfffef90, md5=f2789a839ac0a7504ac6990c18360d5b, hex=3ad09543d4def751b21d35d995a6b4a7500e51d39488dc6483f44fd496d72cfe5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
size: 64
0000: 3A D0 95 43 D4 DE F7 51 B2 1D 35 D9 95 A6 B4 A7 :..C...Q..5.....
0010: 50 0E 51 D3 94 88 DC 64 83 F4 4F D4 96 D7 2C FE P.Q....d..O...,.
0020: 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C \\\\\\\\\\\\\\\\
0030: 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C 5C \\\\\\\\\\\\\\\\
[09:11:57 264]sha256 update:unidbg@0xbffff360, md5=6e5f3d12b040b2b1795a412bba100ab8, hex=eb4c6c3d7465cccfa1bea37f761bc0ef27eb98b662683d6b93f3fbd84372361b
size: 32
0000: EB 4C 6C 3D 74 65 CC CF A1 BE A3 7F 76 1B C0 EF .Ll=te......v...
0010: 27 EB 98 B6 62 68 3D 6B 93 F3 FB D8 43 72 36 1B '...bh=k....Cr6.


第三段

hmac-sha256
key : (近似于硬编码)
668cc91f8882ab0dee416985c9fae8fb0c520d8fc8d48038dfa81388ca8b70a2
intput : (来源于第二段的aes加密)
0000: 1C 0C 88 64 5A 91 FB 5E 5A B2 81 C6 E7 6B C3 35 ...dZ..^Z....k.5
0010: AA 3A 01 38 EB 86 EF 1A D4 22 DB F8 60 18 DE DB .:.8....."..`...
0020: 51 65 9D 67 BF 8A 9F F8 93 9D 07 E4 0A 1D 8A A5 Qe.g............
output :
8b3887d2b9f14325465db2f124f8040ab0034838f62ff8b6b19992fadb7aba88

0000: 8B 38 87 D2 B9 F1 43 25 46 5D B2 F1 24 F8 04 0A .8....C%F]..$...
0010: B0 03 48 38 F6 2F F8 B6 B1 99 92 FA DB 7A BA 88 ..H8./.......z..

 

 

成功还原