2025数字中国创新大赛 数字安全赛道 移动互联网(APP)安全积分争夺赛 【桃李组】技能实操赛 WriteUp (部分题目)

WriteUp
4.5k words

只列出了我做的题的wp.

逆向工程:

GoodLuck:

发现塞了很多混淆,OOXX看起来像是某种哈希,结合mainactivity中给出的md5值343701266d3d3c897670a0598dedcfb6,查询md5得到r9d3jv3,flag{r9d3jv3}.

偷天换日:

在so中找到check函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
bool __fastcall Java_com_ctf_goodluck1_Check_check(_JNIEnv *a1, __int64 a2, __int64 a3)
{
  char *s1; // [xsp+28h] [xbp-48h]
  __int64 v5; // [xsp+38h] [xbp-38h]
  __int64 MethodID; // [xsp+40h] [xbp-30h]
  __int64 Class; // [xsp+48h] [xbp-28h]

  Class = _JNIEnv::FindClass(a1, byte_36010);
  MethodID = _JNIEnv::GetMethodID(a1, Class, byte_36024, byte_36030);
  v5 = _JNIEnv::CallObjectMethod(a1, a3, MethodID);
  sub_E5D4(a1, v5);
  s1 = (char *)_JNIEnv::GetStringUTFChars();
  return strcmp(s1, byte_36040) != 0;
}

发现sub_E5D4是一个标准的base64,观察发现byte_36040附近是一些比较集中但是有偏移的数值:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
.data:0000000000036010 byte_36010      DCB  0xD,   6,0x11,   6,0x48, 0xB,   6,   9,   0,0x48,0x34,0x13,0x15, 0xE,   9,   0
.data:0000000000036010                                         ; DATA XREF: Java_com_ctf_goodluck1_Check_check+C↑o
.data:0000000000036010                                         ; .datadiv_decode15146375311672927909+1C↑o
.data:0000000000036020                 DCB 0x67,   0,   0,   0
.data:0000000000036024 ; _BYTE byte_36024[12]
.data:0000000000036024 byte_36024      DCB 0xE1,0xE3,0xF2,0xC4,0xFF,0xF2,0xE3,0xF5,0x86,   0,   0,   0
.data:0000000000036024                                         ; DATA XREF: Java_com_ctf_goodluck1_Check_check+14↑o
.data:0000000000036024                                         ; .datadiv_decode15146375311672927909+24↑o
.data:0000000000036030 ; _BYTE byte_36030[16]
.data:0000000000036030 byte_36030      DCB 0xAB, 0xAA, 0xD8, 0xC1, 0x83, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036030                                         ; DATA XREF: Java_com_ctf_goodluck1_Check_check+1C↑o
.data:0000000000036030                                         ; .datadiv_decode15146375311672927909+2C↑o
.data:000000000003603C                 DCB 0, 0, 0, 0
.data:0000000000036040 ; char byte_36040[32]
.data:0000000000036040 byte_36040      DCB 0xA8, 0xBD, 0xAD, 0x9F, 0xF6, 0xB1, 0xBF, 0x8C, 0x90
.data:0000000000036040                                         ; DATA XREF: Java_com_ctf_goodluck1_Check_check+28↑o
.data:0000000000036040                                         ; .datadiv_decode15146375311672927909+34↑o
.data:0000000000036049                 DCB 0x87, 0xAB, 0x9F, 0x96, 0x94, 0xA9, 0xA4, 0x8D, 0x8F
.data:0000000000036052                 DCB 0xB0, 0x8F, 0x81, 0x87, 0xFC, 0xE4, 0xE4, 0xC5, 0
.data:000000000003605B                 DCB 0, 0, 0, 0, 0
.data:0000000000036060 ; _BYTE byte_36060[32]
.data:0000000000036060 byte_36060      DCB 0x10, 0x1F, 0x15, 3, 0x1E, 0x18, 0x15, 0x5E, 0x10
.data:0000000000036060                                         ; DATA XREF: sub_DD38+20↑o
.data:0000000000036060                                         ; .datadiv_decode15146375311672927909+3C↑o
.data:0000000000036069                 DCB 1, 1, 0x5E, 0x30, 0x12, 5, 0x18, 7, 0x18, 5, 8, 0x25
.data:0000000000036075                 DCB 0x19, 3, 0x14, 0x10, 0x15, 0x71, 0, 0, 0, 0, 0
.data:0000000000036080 ; _BYTE byte_36080[32]
.data:0000000000036080 byte_36080      DCB 0xCF, 0xFF, 0xC9, 0xCE, 0xCE, 0xD9, 0xD2, 0xC8, 0xFD
.data:0000000000036080                                         ; DATA XREF: sub_DD38+28↑o
.data:0000000000036080                                         ; .datadiv_decode15146375311672927909+44↑o
.data:0000000000036089                 DCB 0xDF, 0xC8, 0xD5, 0xCA, 0xD5, 0xC8, 0xC5, 0xE8, 0xD4
.data:0000000000036092                 DCB 0xCE, 0xD9, 0xDD, 0xD8, 0xBC, 0, 0, 0, 0, 0, 0, 0
.data:000000000003609E                 DCB 0, 0
.data:00000000000360A0 ; _BYTE byte_360A0[32]
.data:00000000000360A0 byte_360A0      DCB 0x85, 0xA8, 0xA7, 0xAD, 0xBB, 0xA6, 0xA0, 0xAD, 0xE6
.data:00000000000360A0                                         ; DATA XREF: sub_DD38+30↑o
.data:00000000000360A0                                         ; .datadiv_decode15146375311672927909+4C↑o
.data:00000000000360A9                 DCB 0xA8, 0xB9, 0xB9, 0xE6, 0x88, 0xAA, 0xBD, 0xA0, 0xBF
.data:00000000000360B2                 DCB 0xA0, 0xBD, 0xB0, 0x9D, 0xA1, 0xBB, 0xAC, 0xA8, 0xAD
.data:00000000000360BB                 DCB 0xF2, 0xC9, 0, 0, 0
.data:00000000000360C0 ; _BYTE byte_360C0[32]
.data:00000000000360C0 byte_360C0      DCB 0xAA, 0x8E, 0xA9, 0xAE, 0xB3, 0xAE, 0xA6, 0xAB, 0x86
.data:00000000000360C0                                         ; DATA XREF: sub_DD38+38↑o
.data:00000000000360C0                                         ; .datadiv_decode15146375311672927909+54↑o
.data:00000000000360C9                 DCB 0xB7, 0xB7, 0xAB, 0xAE, 0xA4, 0xA6, 0xB3, 0xAE, 0xA8
.data:00000000000360D2                 DCB 0xA9, 0xC7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:00000000000360E0 ; _BYTE byte_360E0[32]
.data:00000000000360E0 byte_360E0      DCB 0xAD, 0x80, 0x8F, 0x85, 0x93, 0x8E, 0x88, 0x85, 0xCE
.data:00000000000360E0                                         ; DATA XREF: sub_DD38+40↑o
.data:00000000000360E0                                         ; .datadiv_decode15146375311672927909+5C↑o
.data:00000000000360E9                 DCB 0x80, 0x91, 0x91, 0xCE, 0xA0, 0x91, 0x91, 0x8D, 0x88
.data:00000000000360F2                 DCB 0x82, 0x80, 0x95, 0x88, 0x8E, 0x8F, 0xDA, 0xE1, 0
.data:00000000000360FB                 DCB 0, 0, 0, 0, 0
.data:0000000000036100 ; _BYTE byte_36100[24]
.data:0000000000036100 byte_36100      DCB 0xA7, 0xA8, 0xA2, 0xB4, 0xA9, 0xAF, 0xA2, 0xE9, 0xA7
.data:0000000000036100                                         ; DATA XREF: sub_DD38+48↑o
.data:0000000000036100                                         ; .datadiv_decode15146375311672927909+64↑o
.data:0000000000036109                 DCB 0xB6, 0xB6, 0xE9, 0x87, 0xB6, 0xB6, 0xAA, 0xAF, 0xA5
.data:0000000000036112                 DCB 0xA7, 0xB2, 0xAF, 0xA9, 0xA8, 0xC6
.data:0000000000036118 ; _BYTE byte_36118[24]
.data:0000000000036118 byte_36118      DCB 0x98, 0x9A, 0x8B, 0xBE, 0x8C, 0x8C, 0x9A, 0x8B, 0x8C
.data:0000000000036118                                         ; DATA XREF: sub_DD38+50↑o
.data:0000000000036118                                         ; .datadiv_decode15146375311672927909+6C↑o
.data:0000000000036121                 DCB 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036130 ; _BYTE byte_36130[48]
.data:0000000000036130 byte_36130      DCB 0x4E, 0x4F, 0x2A, 7, 8, 2, 0x14, 9, 0xF, 2, 0x49, 5
.data:0000000000036130                                         ; DATA XREF: sub_DD38+58↑o
.data:0000000000036130                                         ; .datadiv_decode15146375311672927909+74↑o
.data:000000000003613C                 DCB 9, 8, 0x12, 3, 8, 0x12, 0x49, 0x14, 3, 0x15, 0x49
.data:0000000000036147                 DCB 0x27, 0x15, 0x15, 3, 0x12, 0x2B, 7, 8, 7, 1, 3, 0x14
.data:0000000000036153                 DCB 0x5D, 0x66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036160 ; _BYTE byte_36160[36]
.data:0000000000036160 byte_36160      DCB 0x5C, 0x53, 0x59, 0x4F, 0x52, 0x54, 0x59, 0x12, 0x5E
.data:0000000000036160                                         ; DATA XREF: sub_DD38+60↑o
.data:0000000000036160                                         ; .datadiv_decode15146375311672927909+7C↑o
.data:0000000000036169                 DCB 0x52, 0x53, 0x49, 0x58, 0x53, 0x49, 0x12, 0x4F, 0x58
.data:0000000000036172                 DCB 0x4E, 0x12, 0x7C, 0x4E, 0x4E, 0x58, 0x49, 0x70, 0x5C
.data:000000000003617B                 DCB 0x53, 0x5C, 0x5A, 0x58, 0x4F, 0x3D, 0, 0, 0
.data:0000000000036184 ; _BYTE byte_36184[12]
.data:0000000000036184 byte_36184      DCB 0x13, 0xC, 0x19, 0x12, 0x3A, 0x18, 0x7C, 0, 0, 0, 0
.data:0000000000036184                                         ; DATA XREF: sub_DD38+68↑o
.data:0000000000036184                                         ; .datadiv_decode15146375311672927909+84↑o
.data:000000000003618F                 DCB 0
.data:0000000000036190 ; _BYTE byte_36190[64]
.data:0000000000036190 byte_36190      DCB 0xD5, 0xB1, 0x97, 0x9C, 0x8B, 0x9C, 0xD2, 0x91, 0x9C
.data:0000000000036190                                         ; DATA XREF: sub_DD38+70↑o
.data:0000000000036190                                         ; .datadiv_decode15146375311672927909+8C↑o
.data:0000000000036199                 DCB 0x93, 0x9A, 0xD2, 0xAE, 0x89, 0x8F, 0x94, 0x93, 0x9A
.data:00000000000361A2                 DCB 0xC6, 0xD4, 0xB1, 0x9C, 0x93, 0x99, 0x8F, 0x92, 0x94
.data:00000000000361AB                 DCB 0x99, 0xD2, 0x9E, 0x92, 0x93, 0x89, 0x98, 0x93, 0x89
.data:00000000000361B4                 DCB 0xD2, 0x8F, 0x98, 0x8E, 0xD2, 0xBC, 0x8E, 0x8E, 0x98
.data:00000000000361BD                 DCB 0x89, 0xBB, 0x94, 0x91, 0x98, 0xB9, 0x98, 0x8E, 0x9E
.data:00000000000361C6                 DCB 0x8F, 0x94, 0x8D, 0x89, 0x92, 0x8F, 0xC6, 0xFD, 0
.data:00000000000361CF                 DCB 0
.data:00000000000361D0 ; _BYTE byte_361D0[16]
.data:00000000000361D0 byte_361D0      DCB 0x89, 0x89, 0xC4, 0x8E, 0x8B, 0x9E, 0xEA, 0, 0, 0
.data:00000000000361D0                                         ; DATA XREF: sub_DD38+78↑o
.data:00000000000361D0                                         ; .datadiv_decode15146375311672927909+94↑o
.data:00000000000361DA                 DCB 0, 0, 0, 0, 0, 0
.data:00000000000361E0 ; _BYTE byte_361E0[40]
.data:00000000000361E0 byte_361E0      DCB 0x63, 0x6C, 0x66, 0x70, 0x6D, 0x6B, 0x66, 0x2D, 0x61
.data:00000000000361E0                                         ; DATA XREF: sub_DD38+80↑o
.data:00000000000361E0                                         ; .datadiv_decode15146375311672927909+9C↑o
.data:00000000000361E9                 DCB 0x6D, 0x6C, 0x76, 0x67, 0x6C, 0x76, 0x2D, 0x70, 0x67
.data:00000000000361F2                 DCB 0x71, 0x2D, 0x43, 0x71, 0x71, 0x67, 0x76, 0x44, 0x6B
.data:00000000000361FB                 DCB 0x6E, 0x67, 0x46, 0x67, 0x71, 0x61, 0x70, 0x6B, 0x72
.data:0000000000036204                 DCB 0x76, 0x6D, 0x70, 2
.data:0000000000036208 ; _BYTE byte_36208[12]
.data:0000000000036208 byte_36208      DCB 0xA9, 0xAB, 0xBA, 0x82, 0xAB, 0xA0, 0xA9, 0xBA, 0xA6
.data:0000000000036208                                         ; DATA XREF: sub_DD38+88↑o
.data:0000000000036208                                         ; .datadiv_decode15146375311672927909+A4↑o
.data:0000000000036211                 DCB 0xCE, 0, 0
.data:0000000000036214 ; _BYTE byte_36214[4]
.data:0000000000036214 byte_36214      DCB 0xD2, 0xD3, 0xB0, 0xFA
.data:0000000000036214                                         ; DATA XREF: sub_DD38+90↑o
.data:0000000000036214                                         ; .datadiv_decode15146375311672927909+AC↑o
.data:0000000000036218 ; _BYTE byte_36218[8]
.data:0000000000036218 byte_36218      DCB 0x8C, 0x93, 0x86, 0x8D, 0xE3, 0, 0, 0
.data:0000000000036218                                         ; DATA XREF: sub_DD38+98↑o
.data:0000000000036218                                         ; .datadiv_decode15146375311672927909+B4↑o
.data:0000000000036220 ; _BYTE byte_36220[48]
.data:0000000000036220 byte_36220      DCB 0xF6, 0x92, 0xB4, 0xBF, 0xA8, 0xBF, 0xF1, 0xB2, 0xBF
.data:0000000000036220                                         ; DATA XREF: sub_DD38+A0↑o
.data:0000000000036220                                         ; .datadiv_decode15146375311672927909+BC↑o
.data:0000000000036229                 DCB 0xB0, 0xB9, 0xF1, 0x8D, 0xAA, 0xAC, 0xB7, 0xB0, 0xB9
.data:0000000000036232                 DCB 0xE5, 0xF7, 0x92, 0xB4, 0xBF, 0xA8, 0xBF, 0xF1, 0xB7
.data:000000000003623B                 DCB 0xB1, 0xF1, 0x97, 0xB0, 0xAE, 0xAB, 0xAA, 0x8D, 0xAA
.data:0000000000036244                 DCB 0xAC, 0xBB, 0xBF, 0xB3, 0xE5, 0xDE, 0, 0, 0, 0, 0
.data:000000000003624F                 DCB 0
.data:0000000000036250 ; _BYTE byte_36250[20]
.data:0000000000036250 byte_36250      DCB 0xD4, 0xDF, 0xC8, 0xDF, 0x91, 0xD7, 0xD1, 0x91, 0xF7
.data:0000000000036250                                         ; DATA XREF: sub_DD38+A8↑o
.data:0000000000036250                                         ; .datadiv_decode15146375311672927909+C4↑o
.data:0000000000036259                 DCB 0xD0, 0xCE, 0xCB, 0xCA, 0xED, 0xCA, 0xCC, 0xDB, 0xDF
.data:0000000000036262                 DCB 0xD3, 0xBE
.data:0000000000036264 ; _BYTE byte_36264[8]
.data:0000000000036264 byte_36264      DCB 0xE3, 0xF4, 0xF0, 0xF5, 0x91, 0, 0, 0
.data:0000000000036264                                         ; DATA XREF: sub_DD38+B0↑o
.data:0000000000036264                                         ; .datadiv_decode15146375311672927909+CC↑o
.data:000000000003626C ; _BYTE byte_3626C[20]
.data:000000000003626C byte_3626C      DCB 0x57, 0x24, 0x3D, 0x36, 0x36, 0x56, 0x36, 0x7F, 0
.data:000000000003626C                                         ; DATA XREF: sub_DD38+B8↑o
.data:000000000003626C                                         ; .datadiv_decode15146375311672927909+D4↑o
.data:0000000000036275                 DCB 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036280 aJbbijbbiaxnfax DCB "jbbijbbiaxnfaxnf",0xD,0
.data:0000000000036280                                         ; DATA XREF: sub_DD38+C8↑o
.data:0000000000036280                                         ; .datadiv_decode15146375311672927909+DC↑o
.data:0000000000036292                 ALIGN 0x20
.data:00000000000362A0 ; _BYTE byte_362A0[20]
.data:00000000000362A0 byte_362A0      DCB 0x24, 0x2F, 0x38, 0x2F, 0x61, 0x20, 0x27, 0x21, 0x61
.data:00000000000362A0                                         ; DATA XREF: sub_DD38+D0↑o
.data:00000000000362A0                                         ; .datadiv_decode15146375311672927909+E4↑o
.data:00000000000362A9                 DCB 0xC, 0x37, 0x3A, 0x2B, 0xC, 0x3B, 0x28, 0x28, 0x2B
.data:00000000000362B2                 DCB 0x3C, 0x4E
.data:00000000000362B4 a4              DCB "!,,/#!4%@",0       ; DATA XREF: sub_DD38+D8↑o
.data:00000000000362B4                                         ; .datadiv_decode15146375311672927909+EC↑o
.data:00000000000362BE                 ALIGN 0x20
.data:00000000000362C0 ; _BYTE byte_362C0[28]
.data:00000000000362C0 byte_362C0      DCB 0x2C, 0x4D, 0x2D, 0x48, 0x6E, 0x65, 0x72, 0x65, 0x2B
.data:00000000000362C0                                         ; DATA XREF: sub_DD38+E0↑o
.data:00000000000362C0                                         ; .datadiv_decode15146375311672927909+F4↑o
.data:00000000000362C9                 DCB 0x6A, 0x6D, 0x6B, 0x2B, 0x46, 0x7D, 0x70, 0x61, 0x46
.data:00000000000362D2                 DCB 0x71, 0x62, 0x62, 0x61, 0x76, 0x3F, 4, 0, 0, 0
.data:00000000000362DC ; _BYTE byte_362DC[4]
.data:00000000000362DC byte_362DC      DCB 0x43, 0x46, 0x47, 0x33
.data:00000000000362DC                                         ; DATA XREF: sub_DD38+E8↑o
.data:00000000000362DC                                         ; .datadiv_decode15146375311672927909+FC↑o
.data:00000000000362E0 ; _BYTE byte_362E0[28]
.data:00000000000362E0 byte_362E0      DCB 0xD1, 0xA2, 0xBB, 0xD0, 0xB5, 0x93, 0x98, 0x8F, 0x98
.data:00000000000362E0                                         ; DATA XREF: sub_DD38+F0↑o
.data:00000000000362E0                                         ; .datadiv_decode15146375311672927909+104↑o
.data:00000000000362E9                 DCB 0xD6, 0x97, 0x90, 0x96, 0xD6, 0xBB, 0x80, 0x8D, 0x9C
.data:00000000000362F2                 DCB 0xBB, 0x8C, 0x9F, 0x9F, 0x9C, 0x8B, 0xC2, 0xF9, 0
.data:00000000000362FB                 DCB 0
.data:00000000000362FC aNqmwjwqp       DCB "NQMWJWQP>",0       ; DATA XREF: sub_DD38+FC↑o
.data:00000000000362FC                                         ; .datadiv_decode15146375311672927909+110↑o
.data:0000000000036306                 ALIGN 0x10
.data:0000000000036310 ; _BYTE byte_36310[32]
.data:0000000000036310 byte_36310      DCB 0xFC, 0x9D, 0xFD, 0x98, 0xBE, 0xB5, 0xA2, 0xB5, 0xFB
.data:0000000000036310                                         ; DATA XREF: sub_DD38+108↑o
.data:0000000000036310                                         ; .datadiv_decode15146375311672927909+11C↑o
.data:0000000000036319                 DCB 0xBA, 0xBD, 0xBB, 0xFB, 0x96, 0xA1, 0xB2, 0xB2, 0xB1
.data:0000000000036322                 DCB 0xA6, 0xEF, 0xD4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036330 ; _BYTE byte_36330[32]
.data:0000000000036330 byte_36330      DCB 0xC0, 0xCC, 0xCE, 0x8C, 0xC0, 0xD7, 0xC5, 0x8C, 0xC4
.data:0000000000036330                                         ; DATA XREF: sub_DD38+114↑o
.data:0000000000036330                                         ; .datadiv_decode15146375311672927909+128↑o
.data:0000000000036339                 DCB 0xCC, 0xCC, 0xC7, 0xCF, 0xD6, 0xC0, 0xC8, 0x92, 0x8C
.data:0000000000036342                 DCB 0xEE, 0xC2, 0xCA, 0xCD, 0xE2, 0xC0, 0xD7, 0xCA, 0xD5
.data:000000000003634B                 DCB 0xCA, 0xD7, 0xDA, 0xA3, 0
.data:0000000000036350 ; _BYTE byte_36350[16]
.data:0000000000036350 byte_36350      DCB 0xE6, 0xED, 0xFA, 0xED, 0xA3, 0xE0, 0xED, 0xE2, 0xEB
.data:0000000000036350                                         ; DATA XREF: sub_DD38+120↑o
.data:0000000000036350                                         ; .datadiv_decode15146375311672927909+134↑o
.data:0000000000036359                 DCB 0xA3, 0xCF, 0xE0, 0xED, 0xFF, 0xFF, 0x8C
.data:0000000000036360 aHjLcnCNkj      DCB "HJ[lCN\\c@NKJ]/",0 ; DATA XREF: sub_DD38+12C↑o
.data:0000000000036360                                         ; .datadiv_decode15146375311672927909+140↑o
.data:0000000000036370 ; _BYTE byte_36370[32]
.data:0000000000036370 byte_36370      DCB 0xA9, 0xA8, 0xCD, 0xEB, 0xE0, 0xF7, 0xE0, 0xAE, 0xED
.data:0000000000036370                                         ; DATA XREF: sub_DD38+138↑o
.data:0000000000036370                                         ; .datadiv_decode15146375311672927909+14C↑o
.data:0000000000036379                 DCB 0xE0, 0xEF, 0xE6, 0xAE, 0xC2, 0xED, 0xE0, 0xF2, 0xF2
.data:0000000000036382                 DCB 0xCD, 0xEE, 0xE0, 0xE5, 0xE4, 0xF3, 0xBA, 0x81, 0
.data:000000000003638B                 DCB 0, 0, 0, 0, 0
.data:0000000000036390 ; _BYTE byte_36390[32]
.data:0000000000036390 byte_36390      DCB 0x23, 0x26, 0x2B, 0x31, 0x2E, 0x2C, 0x68, 0x34, 0x3E
.data:0000000000036390                                         ; DATA XREF: sub_DD38+144↑o
.data:0000000000036390                                         ; .datadiv_decode15146375311672927909+158↑o
.data:0000000000036399                 DCB 0x34, 0x33, 0x22, 0x2A, 0x68, 0x17, 0x26, 0x33, 0x2F
.data:00000000000363A2                 DCB 4, 0x2B, 0x26, 0x34, 0x34, 0xB, 0x28, 0x26, 0x23, 0x22
.data:00000000000363AC                 DCB 0x35, 0x47, 0, 0
.data:00000000000363B0 ; _BYTE byte_363B0[16]
.data:00000000000363B0 byte_363B0      DCB 0xD7, 0xC6, 0xD3, 0xCF, 0xEB, 0xCE, 0xD4, 0xD3, 0xA7
.data:00000000000363B0                                         ; DATA XREF: sub_DD38+150↑o
.data:00000000000363B0                                         ; .datadiv_decode15146375311672927909+164↑o
.data:00000000000363B9                 DCB 0, 0, 0, 0, 0, 0, 0
.data:00000000000363C0 ; _BYTE byte_363C0[32]
.data:00000000000363C0 byte_363C0      DCB 0x84, 0xAC, 0xA9, 0xA4, 0xBE, 0xA1, 0xA3, 0xE7, 0xBB
.data:00000000000363C0                                         ; DATA XREF: sub_DD38+15C↑o
.data:00000000000363C0                                         ; .datadiv_decode15146375311672927909+170↑o
.data:00000000000363C9                 DCB 0xB1, 0xBB, 0xBC, 0xAD, 0xA5, 0xE7, 0x8C, 0xAD, 0xB0
.data:00000000000363D2                 DCB 0x98, 0xA9, 0xBC, 0xA0, 0x84, 0xA1, 0xBB, 0xBC, 0xF3
.data:00000000000363DB                 DCB 0xC8, 0, 0, 0, 0
.data:00000000000363E0 ; _BYTE byte_363E0[28]
.data:00000000000363E0 byte_363E0      DCB 0x24, 0x21, 0x2C, 0x36, 0x29, 0x2B, 0x6F, 0x33, 0x39
.data:00000000000363E0                                         ; DATA XREF: sub_DD38+168↑o
.data:00000000000363E0                                         ; .datadiv_decode15146375311672927909+17C↑o
.data:00000000000363E9                 DCB 0x33, 0x34, 0x25, 0x2D, 0x6F, 4, 0x25, 0x38, 0x10
.data:00000000000363F2                 DCB 0x21, 0x34, 0x28, 0xC, 0x29, 0x33, 0x34, 0x40, 0, 0
.data:00000000000363FC ; _BYTE byte_363FC[20]
.data:00000000000363FC byte_363FC      DCB 0x68, 0x69, 0x74, 0x49, 0x60, 0x69, 0x61, 0x69, 0x62
.data:00000000000363FC                                         ; DATA XREF: sub_DD38+174↑o
.data:00000000000363FC                                         ; .datadiv_decode15146375311672927909+188↑o
.data:0000000000036405                 DCB 0x78, 0x7F, 0xC, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036410 ; _BYTE byte_36410[48]
.data:0000000000036410 byte_36410      DCB 0x97, 0x80, 0xA8, 0xAD, 0xA0, 0xBA, 0xA5, 0xA7, 0xE3
.data:0000000000036410                                         ; DATA XREF: sub_DD38+180↑o
.data:0000000000036410                                         ; .datadiv_decode15146375311672927909+194↑o
.data:0000000000036419                 DCB 0xBF, 0xB5, 0xBF, 0xB8, 0xA9, 0xA1, 0xE3, 0x88, 0xA9
.data:0000000000036422                 DCB 0xB4, 0x9C, 0xAD, 0xB8, 0xA4, 0x80, 0xA5, 0xBF, 0xB8
.data:000000000003642B                 DCB 0xE8, 0x89, 0xA0, 0xA9, 0xA1, 0xA9, 0xA2, 0xB8, 0xF7
.data:0000000000036434                 DCB 0xCC, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036440 ; _BYTE byte_36440[40]
.data:0000000000036440 byte_36440      DCB 0xD0, 0xD5, 0xD8, 0xC2, 0xDD, 0xDF, 0x9B, 0xC7, 0xCD
.data:0000000000036440                                         ; DATA XREF: sub_DD38+18C↑o
.data:0000000000036440                                         ; .datadiv_decode15146375311672927909+1A0↑o
.data:0000000000036449                 DCB 0xC7, 0xC0, 0xD1, 0xD9, 0x9B, 0xFD, 0xDA, 0xF9, 0xD1
.data:0000000000036452                 DCB 0xD9, 0xDB, 0xC6, 0xCD, 0xF0, 0xD1, 0xCC, 0xF7, 0xD8
.data:000000000003645B                 DCB 0xD5, 0xC7, 0xC7, 0xF8, 0xDB, 0xD5, 0xD0, 0xD1, 0xC6
.data:0000000000036464                 DCB 0xB4, 0, 0, 0
.data:0000000000036468 ; _BYTE byte_36468[8]
.data:0000000000036468 byte_36468      DCB 0x15, 0x40, 0x47, 0x40, 0x5D, 0x17, 0x29, 0
.data:0000000000036468                                         ; DATA XREF: sub_DD38+198↑o
.data:0000000000036468                                         ; .datadiv_decode15146375311672927909+1AC↑o
.data:0000000000036470 ; _BYTE byte_36470[48]
.data:0000000000036470 byte_36470      DCB 0x59, 0x3D, 0x1B, 0x10, 7, 0x10, 0x5E, 0x1F, 0x18
.data:0000000000036470                                         ; DATA XREF: sub_DD38+1A4↑o
.data:0000000000036470                                         ; .datadiv_decode15146375311672927909+1B8↑o
.data:0000000000036479                 DCB 0x1E, 0x5E, 0x33, 8, 5, 0x14, 0x33, 4, 0x17, 0x17
.data:0000000000036483                 DCB 0x14, 3, 0x4A, 0x3D, 0x1B, 0x10, 7, 0x10, 0x5E, 0x1D
.data:000000000003648D                 DCB 0x10, 0x1F, 0x16, 0x5E, 0x32, 0x1D, 0x10, 2, 2, 0x3D
.data:0000000000036497                 DCB 0x1E, 0x10, 0x15, 0x14, 3, 0x4A, 0x58, 0x27, 0x71
.data:00000000000364A0 ; _BYTE byte_364A0[20]
.data:00000000000364A0 byte_364A0      DCB 0x7E, 0x75, 0x62, 0x75, 0x3B, 0x61, 0x60, 0x7D, 0x78
.data:00000000000364A0                                         ; DATA XREF: sub_DD38+1B0↑o
.data:00000000000364A0                                         ; .datadiv_decode15146375311672927909+1C4↑o
.data:00000000000364A9                 DCB 0x3B, 0x55, 0x66, 0x66, 0x75, 0x6D, 0x58, 0x7D, 0x67
.data:00000000000364B2                 DCB 0x60, 0x14
.data:00000000000364B4 ; _BYTE byte_364B4[12]
.data:00000000000364B4 byte_364B4      DCB 0xA4, 0xA1, 0xA1, 0xC5, 0, 0, 0, 0, 0, 0, 0, 0
.data:00000000000364B4                                         ; DATA XREF: sub_DD38+1BC↑o
.data:00000000000364B4                                         ; .datadiv_decode15146375311672927909+1D0↑o
.data:00000000000364C0 ; _BYTE byte_364C0[24]
.data:00000000000364C0 byte_364C0      DCB 0x88, 0xEC, 0xCA, 0xC1, 0xD6, 0xC1, 0x8F, 0xCC, 0xC1
.data:00000000000364C0                                         ; DATA XREF: sub_DD38+1C8↑o
.data:00000000000364C0                                         ; .datadiv_decode15146375311672927909+1DC↑o
.data:00000000000364C9                 DCB 0xCE, 0xC7, 0x8F, 0xEF, 0xC2, 0xCA, 0xC5, 0xC3, 0xD4
.data:00000000000364D2                 DCB 0x9B, 0x89, 0xFA, 0xA0, 0, 0
.data:00000000000364D8 ; _BYTE byte_364D8[8]
.data:00000000000364D8 byte_364D8      DCB 0x45, 0x5E, 0x70, 0x43, 0x43, 0x50, 0x48, 0x31
.data:00000000000364D8                                         ; DATA XREF: sub_DD38+1D4↑o
.data:00000000000364D8                                         ; .datadiv_decode15146375311672927909+1E8↑o
.data:00000000000364E0 ; _BYTE byte_364E0[24]
.data:00000000000364E0 byte_364E0      DCB 0xD3, 0xD2, 0xA0, 0xB7, 0x91, 0x9A, 0x8D, 0x9A, 0xD4
.data:00000000000364E0                                         ; DATA XREF: sub_DD38+1E0↑o
.data:00000000000364E0                                         ; .datadiv_decode15146375311672927909+1F4↑o
.data:00000000000364E9                 DCB 0x97, 0x9A, 0x95, 0x9C, 0xD4, 0xB4, 0x99, 0x91, 0x9E
.data:00000000000364F2                 DCB 0x98, 0x8F, 0xC0, 0xFB, 0, 0
.data:00000000000364F8 ; _BYTE byte_364F8[8]
.data:00000000000364F8 byte_364F8      DCB 0xEB, 0xEA, 0x95, 0xC3, 0, 0, 0, 0
.data:00000000000364F8                                         ; DATA XREF: sub_DD38+1EC↑o
.data:00000000000364F8                                         ; .datadiv_decode15146375311672927909+200↑o

查看这些数据的xref:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
_BYTE *datadiv_decode15146375311672927909()
{
  _BYTE *result; // x0
  unsigned int v52; // [xsp+Ch] [xbp-2C4h]
  unsigned int v53; // [xsp+10h] [xbp-2C0h]
  unsigned int v54; // [xsp+14h] [xbp-2BCh]
  unsigned int v55; // [xsp+18h] [xbp-2B8h]
  unsigned int v56; // [xsp+1Ch] [xbp-2B4h]
  unsigned int v57; // [xsp+20h] [xbp-2B0h]
  unsigned int v58; // [xsp+24h] [xbp-2ACh]
  unsigned int v59; // [xsp+28h] [xbp-2A8h]
  unsigned int v60; // [xsp+2Ch] [xbp-2A4h]
  unsigned int v61; // [xsp+30h] [xbp-2A0h]
  unsigned int v62; // [xsp+34h] [xbp-29Ch]
  unsigned int v63; // [xsp+38h] [xbp-298h]
  unsigned int v64; // [xsp+3Ch] [xbp-294h]
  unsigned int v65; // [xsp+40h] [xbp-290h]
  unsigned int v66; // [xsp+44h] [xbp-28Ch]
  unsigned int v67; // [xsp+48h] [xbp-288h]
  unsigned int v68; // [xsp+4Ch] [xbp-284h]
  unsigned int v69; // [xsp+50h] [xbp-280h]
  unsigned int v70; // [xsp+54h] [xbp-27Ch]
  unsigned int v71; // [xsp+58h] [xbp-278h]
  unsigned int v72; // [xsp+5Ch] [xbp-274h]
  unsigned int v73; // [xsp+60h] [xbp-270h]
  unsigned int v74; // [xsp+64h] [xbp-26Ch]
  unsigned int v75; // [xsp+68h] [xbp-268h]
  unsigned int v76; // [xsp+6Ch] [xbp-264h]
  unsigned int v77; // [xsp+70h] [xbp-260h]
  unsigned int v78; // [xsp+74h] [xbp-25Ch]
  unsigned int v79; // [xsp+78h] [xbp-258h]
  unsigned int v80; // [xsp+7Ch] [xbp-254h]
  unsigned int v81; // [xsp+80h] [xbp-250h]
  unsigned int v82; // [xsp+84h] [xbp-24Ch]
  unsigned int v83; // [xsp+88h] [xbp-248h]
  unsigned int v84; // [xsp+8Ch] [xbp-244h]
  unsigned int v85; // [xsp+90h] [xbp-240h]
  unsigned int v86; // [xsp+94h] [xbp-23Ch]
  unsigned int v87; // [xsp+98h] [xbp-238h]
  unsigned int v88; // [xsp+9Ch] [xbp-234h]
  unsigned int v89; // [xsp+A0h] [xbp-230h]
  unsigned int v90; // [xsp+A4h] [xbp-22Ch]
  unsigned int v91; // [xsp+A8h] [xbp-228h]
  signed int v92; // [xsp+ACh] [xbp-224h]
  unsigned int v93; // [xsp+B0h] [xbp-220h]
  unsigned int v94; // [xsp+B4h] [xbp-21Ch]
  unsigned int v95; // [xsp+B8h] [xbp-218h]
  unsigned int v96; // [xsp+BCh] [xbp-214h]
  unsigned int v97; // [xsp+C0h] [xbp-210h]
  unsigned int v98; // [xsp+C4h] [xbp-20Ch]
  unsigned int v99; // [xsp+C8h] [xbp-208h]
  unsigned int v100; // [xsp+CCh] [xbp-204h]
  unsigned int v101; // [xsp+D0h] [xbp-200h]
  unsigned int v102; // [xsp+D4h] [xbp-1FCh]

  result = byte_36118;
  v102 = 0;
  do
    asc_36010[v102] ^= 0x67u;
  while ( v102++ < 0x10 );
  v101 = 0;
  do
    byte_36024[v101] ^= 0x86u;
  while ( v101++ < 8 );
  v100 = 0;
  do
    byte_36030[v100] ^= 0x83u;
  while ( v100++ < 4 );
  v99 = 0;
  do
    byte_36040[v99] ^= 0xC5u;
  while ( v99++ < 0x19 );
  v98 = 0;
  do
    byte_36060[v98] ^= 0x71u;
  while ( v98++ < 0x1A );
  v97 = 0;
  do
    byte_36080[v97] ^= 0xBCu;
  while ( v97++ < 0x16 );
  v96 = 0;
  do
    byte_360A0[v96] ^= 0xC9u;
  while ( v96++ < 0x1C );
  v95 = 0;
  do
    byte_360C0[v95] ^= 0xC7u;
  while ( v95++ < 0x13 );
  v94 = 0;
  do
    byte_360E0[v94] ^= 0xE1u;
  while ( v94++ < 0x19 );
  v93 = 0;
  do
    byte_36100[v93] ^= 0xC6u;
  while ( v93++ < 0x17 );
  v92 = 0;
  do
    byte_36118[v92] = ~byte_36118[v92];
  while ( (unsigned int)v92++ < 9 );
  v91 = 0;
  do
    byte_36130[v91] ^= 0x66u;
  while ( v91++ < 0x24 );
  v90 = 0;
  do
    byte_36160[v90] ^= 0x3Du;
  while ( v90++ < 0x20 );
  v89 = 0;
  do
    byte_36184[v89] ^= 0x7Cu;
  while ( v89++ < 6 );
  v88 = 0;
  do
    byte_36190[v88] ^= 0xFDu;
  while ( v88++ < 0x3D );
  v87 = 0;
  do
    byte_361D0[v87] ^= 0xEAu;
  while ( v87++ < 6 );
  v86 = 0;
  do
    byte_361E0[v86] ^= 2u;
  while ( v86++ < 0x27 );
  v85 = 0;
  do
    byte_36208[v85] ^= 0xCEu;
  while ( v85++ < 9 );
  v84 = 0;
  do
    byte_36214[v84] ^= 0xFAu;
  while ( v84++ < 3 );
  v83 = 0;
  do
    byte_36218[v83] ^= 0xE3u;
  while ( v83++ < 4 );
  v82 = 0;
  do
    byte_36220[v82] ^= 0xDEu;
  while ( v82++ < 0x29 );
  v81 = 0;
  do
    byte_36250[v81] ^= 0xBEu;
  while ( v81++ < 0x13 );
  v80 = 0;
  do
    byte_36264[v80] ^= 0x91u;
  while ( v80++ < 4 );
  v79 = 0;
  do
    byte_3626C[v79] ^= 0x7Fu;
  while ( v79++ < 7 );
  v78 = 0;
  do
    aJbbijbbiaxnfax[v78] ^= 0xDu;
  while ( v78++ < 0x10 );
  v77 = 0;
  do
    byte_362A0[v77] ^= 0x4Eu;
  while ( v77++ < 0x13 );
  v76 = 0;
  do
    a4[v76] ^= 0x40u;
  while ( v76++ < 8 );
  v75 = 0;
  do
    byte_362C0[v75] ^= 4u;
  while ( v75++ < 0x18 );
  v74 = 0;
  do
    byte_362DC[v74] ^= 0x33u;
  while ( v74++ < 3 );
  v73 = 0;
  do
    byte_362E0[v73] ^= 0xF9u;
  while ( v73++ < 0x19 );
  v72 = 0;
  do
    aNqmwjwqp[v72] ^= 0x3Eu;
  while ( v72++ < 8 );
  v71 = 0;
  do
    byte_36310[v71] ^= 0xD4u;
  while ( v71++ < 0x14 );
  v70 = 0;
  do
    byte_36330[v70] ^= 0xA3u;
  while ( v70++ < 0x1E );
  v69 = 0;
  do
    byte_36350[v69] ^= 0x8Cu;
  while ( v69++ < 0xF );
  v68 = 0;
  do
    aHjLcnCNkj[v68] ^= 0x2Fu;
  while ( v68++ < 0xE );
  v67 = 0;
  do
    byte_36370[v67] ^= 0x81u;
  while ( v67++ < 0x19 );
  v66 = 0;
  do
    byte_36390[v66] ^= 0x47u;
  while ( v66++ < 0x1D );
  v65 = 0;
  do
    byte_363B0[v65] ^= 0xA7u;
  while ( v65++ < 8 );
  v64 = 0;
  do
    byte_363C0[v64] ^= 0xC8u;
  while ( v64++ < 0x1B );
  v63 = 0;
  do
    byte_363E0[v63] ^= 0x40u;
  while ( v63++ < 0x19 );
  v62 = 0;
  do
    byte_363FC[v62] ^= 0xCu;
  while ( v62++ < 0xB );
  v61 = 0;
  do
    byte_36410[v61] ^= 0xCCu;
  while ( v61++ < 0x24 );
  v60 = 0;
  do
    byte_36440[v60] ^= 0xB4u;
  while ( v60++ < 0x24 );
  v59 = 0;
  do
    byte_36468[v59] ^= 0x29u;
  while ( v59++ < 6 );
  v58 = 0;
  do
    byte_36470[v58] ^= 0x71u;
  while ( v58++ < 0x2F );
  v57 = 0;
  do
    byte_364A0[v57] ^= 0x14u;
  while ( v57++ < 0x13 );
  v56 = 0;
  do
    byte_364B4[v56] ^= 0xC5u;
  while ( v56++ < 3 );
  v55 = 0;
  do
    byte_364C0[v55] ^= 0xA0u;
  while ( v55++ < 0x15 );
  v54 = 0;
  do
    byte_364D8[v54] ^= 0x31u;
  while ( v54++ < 7 );
  v53 = 0;
  do
    byte_364E0[v53] ^= 0xFBu;
  while ( v53++ < 0x15 );
  v52 = 0;
  do
    byte_364F8[v52] ^= 0xC3u;
  while ( v52++ < 3 );
  return result;
}

编写idapython脚本进行手动解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
import ida_bytes

# 定义需要操作的全局变量及其对应的异或值
variables = [
    ("asc_36010", 0x67, 0x10),
    ("byte_36024", 0x86, 8),
    ("byte_36030", 0x83, 4),
    ("byte_36040", 0xC5, 0x19),
    ("byte_36060", 0x71, 0x1A),
    ("byte_36080", 0xBC, 0x16),
    ("byte_360A0", 0xC9, 0x1C),
    ("byte_360C0", 0xC7, 0x13),
    ("byte_360E0", 0xE1, 0x19),
    ("byte_36100", 0xC6, 0x17),
    ("byte_36118", None, 9),  # 特殊处理:按位取反
    ("byte_36130", 0x66, 0x24),
    ("byte_36160", 0x3D, 0x20),
    ("byte_36184", 0x7C, 6),
    ("byte_36190", 0xFD, 0x3D),
    ("byte_361D0", 0xEA, 6),
    ("byte_361E0", 2, 0x27),
    ("byte_36208", 0xCE, 9),
    ("byte_36214", 0xFA, 3),
    ("byte_36218", 0xE3, 4),
    ("byte_36220", 0xDE, 0x29),
    ("byte_36250", 0xBE, 0x13),
    ("byte_36264", 0x91, 4),
    ("byte_3626C", 0x7F, 7),
    ("aJbbijbbiaxnfax", 0xD, 0x10),
    ("byte_362A0", 0x4E, 0x13),
    ("a4", 0x40, 8),
    ("byte_362C0", 4, 0x18),
    ("byte_362DC", 0x33, 3),
    ("byte_362E0", 0xF9, 0x19),
    ("aNqmwjwqp", 0x3E, 8),
    ("byte_36310", 0xD4, 0x14),
    ("byte_36330", 0xA3, 0x1E),
    ("byte_36350", 0x8C, 0xF),
    ("aHjLcnCNkj", 0x2F, 0xE),
    ("byte_36370", 0x81, 0x19),
    ("byte_36390", 0x47, 0x1D),
    ("byte_363B0", 0xA7, 8),
    ("byte_363C0", 0xC8, 0x1B),
    ("byte_363E0", 0x40, 0x19),
    ("byte_363FC", 0xC, 0xB),
    ("byte_36410", 0xCC, 0x24),
    ("byte_36440", 0xB4, 0x24),
    ("byte_36468", 0x29, 6),
    ("byte_36470", 0x71, 0x2F),
    ("byte_364A0", 0x14, 0x13),
    ("byte_364B4", 0xC5, 3),
    ("byte_364C0", 0xA0, 0x15),
    ("byte_364D8", 0x31, 7),
    ("byte_364E0", 0xFB, 0x15),
    ("byte_364F8", 0xC3, 3),
]

def apply_xor_or_not(var_name, xor_value, length):
    addr = ida_name.get_name_ea(ida_idaapi.BADADDR, var_name)
    if addr == ida_idaapi.BADADDR:
        print(f"[-] Variable {var_name} not found!")
        return

    for i in range(length):
        byte = ida_bytes.get_byte(addr + i)
        if xor_value is not None:
            new_byte = byte ^ xor_value
        else:
            new_byte = ~byte & 0xFF  # 按位取反
        ida_bytes.patch_byte(addr + i, new_byte)

    print(f"[+] Updated variable {var_name} at 0x{addr:X}")

def main():
    print("[*] Starting decryption script...")
    for var_name, xor_value, length in variables:
        apply_xor_or_not(var_name, xor_value, length)
    print("[*] Decryption completed!")

if __name__ == "__main__":
    main()

原密文A8BDAD9FF6B1BF8C9087AB9F9694A9A48D8FB08F8187FCE4E4C5异或C5得到mxhZ3tzIUBnZSQlaHJuJDB9!!,发现头部缺少了一个大写字母Z,补上后得到ZmxhZ3tzIUBnZSQlaHJuJDB9!!,base64解得flag{s!@ge$%hrn$0},但是交上去不对,仔细观察JNI动态加载,发现有一个可疑的函数sub_DD38,其中加载了一个名为cc.dat的文件,并用上文解出来的keygoodgoodluckluck进行RC4解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
__int64 __fastcall sub_DAD8(__int64 a1, unsigned __int64 a2, __int64 key, unsigned __int64 lenkey)
{
  __int64 result; // x0
  unsigned int v5; // w8
  int v6; // w8
  int v7; // w9
  char v8; // [xsp+2Ch] [xbp-154h]
  unsigned __int64 i; // [xsp+30h] [xbp-150h]
  unsigned int v10; // [xsp+40h] [xbp-140h]
  unsigned int v11; // [xsp+44h] [xbp-13Ch]
  _BYTE v14[264]; // [xsp+68h] [xbp-118h] BYREF

  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  result = sub_D918((__int64)v14, key, lenkey);
  v11 = 0;
  v10 = 0;
  for ( i = 0LL; i < a2; ++i )
  {
    if ( (int)(v11 + 1) >= 0 )
      v5 = v11 + 1;
    else
      v5 = v11 + 256;
    v11 = v11 + 1 - (v5 & 0xFFFFFF00);
    v6 = v10 + (unsigned __int8)v14[v11];
    v7 = v6 + 255;
    if ( v6 >= 0 )
      v7 = v10 + (unsigned __int8)v14[v11];
    v10 = v6 - (v7 & 0xFFFFFF00);
    v8 = v14[v11];
    v14[v11] = v14[v10];
    v14[v10] = v8;
    *(_BYTE *)(a1 + i) ^= v14[(unsigned __int8)(v14[v11] + v14[v10])];
  }
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return result;
}

解密得到一个dex文件,查看:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
package com.ctf.goodluck1;

/* loaded from: C:\Users\LENOVO\Desktop\dump.dex */
public class Check {
    private static final int BASE_256 = 256;
    private static final char[] ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz".toCharArray();
    private static final int CHARCS = ALPHABET.length;
    private static final int[] INDEXES = new int[128];

    static {
        for (int i = 0; i < INDEXES.length; i++) {
            INDEXES[i] = -1;
        }
        for (int i2 = 0; i2 < ALPHABET.length; i2++) {
            INDEXES[ALPHABET[i2]] = i2;
        }
    }

    public static String iiooii(byte[] input) {
        if (input.length == 0) {
            return "";
        }
        byte[] input2 = copyOfRange(input, 0, input.length);
        int zeroCount = 0;
        while (zeroCount < input2.length && input2[zeroCount] == 0) {
            zeroCount++;
        }
        byte[] temp = new byte[input2.length * 2];
        int j = temp.length;
        int startAt = zeroCount;
        while (startAt < input2.length) {
            byte mod = ooiioo(input2, startAt);
            if (input2[startAt] == 0) {
                startAt++;
            }
            j--;
            temp[j] = (byte) ALPHABET[mod];
        }
        while (j < temp.length && temp[j] == ALPHABET[0]) {
            j++;
        }
        while (true) {
            zeroCount--;
            if (zeroCount < 0) {
                return new String(copyOfRange(temp, j, temp.length));
            }
            j--;
            temp[j] = (byte) ALPHABET[0];
        }
    }

    private static byte ooiioo(byte[] number, int startAt) {
        int remainder = 0;
        for (int i = startAt; i < number.length; i++) {
            int temp = (remainder * BASE_256) + (number[i] & 255);
            number[i] = (byte) (temp / CHARCS);
            remainder = temp % CHARCS;
        }
        return (byte) remainder;
    }

    private static byte[] copyOfRange(byte[] source, int from, int to) {
        byte[] range = new byte[to - from];
        System.arraycopy(source, from, range, 0, range.length);
        return range;
    }

    public static boolean check(String content) {
        if (iiooii(content.getBytes()).equals("xpoetRPP2XbiAqZb57dz7yE")) {
            return true;
        }
        return false;
    }
}

发现是base58,解密得到flag{j#n$j@m^,*0}.

隐私合规:

harmony:

查看检验函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
public Object checkPassword(Object functionObject, Object newTarget, Index this) {
    asyncfunctionenter = asyncfunctionenter();
    try {
        if (this.userInput == false) {
            prompt = import { default as prompt } from "@ohos:prompt";
            prompt.showToast(createobjectwithbuffer(["message", "请输入密码", "duration", 2000]));
            return asyncfunctionresolve(null, asyncfunctionenter);
        }
        CryptoJS = import { CryptoJS } from "@package:pkg_modules/.ohpm/@ohos+crypto-js@2.0.4/pkg_modules/@ohos/crypto-js/index";
        MD5 = CryptoJS.MD5(this.userInput);
        if ((this.storedHash == MD5.toString() ? 1 : 0) != 0) {
            prompt2 = import { default as prompt } from "@ohos:prompt";
            obj = prompt2.showToast;
            obj2 = createobjectwithbuffer(["message", 0, "duration", 2000]);
            obj2.message = "恭喜,密码 " + this.userInput + " 正确!";
            obj(obj2);
            CryptoJS2 = import { CryptoJS } from "@package:pkg_modules/.ohpm/@ohos+crypto-js@2.0.4/pkg_modules/@ohos/crypto-js/index";
            MD52 = CryptoJS2.MD5(this.userInput + this.storedHash);
            this.exam1Flag = "Flag{" + MD52.toString() + "}";
        } else {
            this.exam1Flag = "密码错误,请重试~";
        }
        return asyncfunctionresolve(null, asyncfunctionenter);
    } catch (ExceptionI0 unused) {
        return asyncfunctionreject(asyncfunctionenter, asyncfunctionenter);
    }
}

发现要输入一个字符串,使其的md5和内部存储的md5相同,flag为输入的字符串+md5整体的md5,用ABCDecompiler找到字符串secret为:16f85293e920fd49eda6bf0df98bfd33,解密得到goodgood,拼接得到Flag{ee51e080d1db85f9927fe87aa92267bb}.