Category - 第五空间2021

解压出apps__UNI__14D1880\www\app-service.js
主要逻辑在这
enter image description here
f["encrypt"](c) 调用的是一个类似 ChaCha 的加密函数。ChaCha 属于流密码,加密和解密都是与同一段密钥流做异或,所以只要照着它的实现(依葫芦画瓢)重写一遍,生成相同的密钥流即可解密:

# Fixed cipher inputs used by this decryption script: a 12-byte nonce and a
# 32-byte key. Both are constants, so every run produces the same keystream.
# NOTE(review): key 0..31 with this nonce and counter 1 is also the RFC 7539
# ChaCha20 example input -- confirm these are the values used in app-service.js.
iv = [0, 0, 0, 0, 0, 0, 0, 74, 0, 0, 0, 0]
key = list(range(32))


def _get32(t, e):
    """Combine t[e]..t[e+3] into one integer, lowest index in the lowest bits.

    For byte-valued entries this is a little-endian 32-bit load.
    """
    word = 0
    for k in range(4):
        word ^= t[e + k] << (8 * k)
    return word


# Value placed in state word 12 (the block counter slot of the ChaCha20 layout).
n = 1
_rounds = 20
# The four words are the ASCII string "expand 32-byte k" read as little-endian
# 32-bit integers, i.e. the standard ChaCha constant for 256-bit keys.
_sigma = [1634760805, 857760878, 2036477234, 1797285236]
# 16-word initial state: 4 constant words, 8 key words, 1 counter word,
# 3 nonce words.
_param = (
    _sigma
    + [_get32(key, off) for off in range(0, 32, 4)]
    + [n]
    + [_get32(iv, off) for off in range(0, 12, 4)]
)
# 64 zeroed entries, one per byte of a keystream block.
_keystream = [0] * 64
_byteCounter = 0


def _rotl(num, e):
    """Rotate num left by e bits and keep the low 32 bits.

    The result is only a true rotation when num already fits in 32 bits.
    """
    high = num << e
    low = num >> (32 - e)
    return (high | low) & 0xffffffff
  13. def _quarterround(t, e, n, r, o):
  14. print(t)
  15. t[e] += t[n]
  16. t[e] &= 0xffffffff
  17. t[o

从 capp.apk 中提取出 app.exe,将 IDA F5 得到的伪代码复制并另存为 cpp 文件,编译成 exe,方便在 Windows 上调试

  1. #define _CRT_SECURE_NO_WARNINGS
  2. #include <cstdio>
  3. #include <cstdlib>
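// Replay buffer for the program's input: main() stores the candidate string
// here and my_getchar() hands it back one byte at a time.
// NOTE: main() fills this with scanf("%s", ...), which has no field width;
// input longer than 37 characters writes past the end of the array.
unsigned char input[38] = { 0 };
// Index of the next byte of `input` that my_getchar() will return.
unsigned char ctr = 0;

// Returns the next byte of `input` (presumably a stand-in for getchar() in
// the decompiled code -- confirm against the call sites).
// Once all sizeof(input) bytes have been consumed it returns 0 and stops
// advancing. The unchecked `input[ctr++]` would otherwise read past the
// array (ctr can count up to 255) and later wrap back to index 0.
char my_getchar() {
    if (ctr >= sizeof input) {
        return 0;
    }
    return input[ctr++];
}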
  9. int main(int argc, const char** argv, const char** envp)
  10. {
  11. int result; // w0
  12. long long v4; // [xsp+0h] [xbp+0h] BYREF
  13. int* v5; // [xsp+20h] [xbp+20h]
  14. long long v6; // [xsp+28h] [xbp+28h]
  15. int v7; // [xsp+34h] [xbp+34h]
  16. int i; // [xsp+38h] [xbp+38h]
  17. int j; // [xsp+3Ch] [xbp+3Ch]
  18. v7 = 1000;
  19. v6 = 999LL;
  20. // v5 = (int *)(4 * (((unsigned __int64)&v4 + 3) >> 2));
  21. v5 = (int*)malloc(4 * 10000);
  22. i = 0;
  23. // slogan();
  24. scanf("%s", (char*)input);
  25. for (i = 0; i < v7; ++i)
  26. v5[i] = 0;
  27. for (j = 43; v5[j]; --v5[j])
  28. ;
  29. ++j;
  30. --j;
  31. ++j;
  32. while (v5[j])
  33. --v5[j];
  34. for (j -= 43; v5[j]; --v5[j])
  35. ;
  36. for (j += 42; v5[j]; --v5[j])
  37. {