[Android Reverse Engineering] Reverse Analysis of Kugou Music's dfid

Updated: 2024-10-05 03:22:42



Preface

Disclaimer:
    The intent of this post is to share my personal takeaways from learning reverse analysis. The content is for study and discussion only; do not use it for illegal purposes!!! The author bears no responsibility for any legal dispute arising from it; you are responsible for your own actions!!!

Copyright notice:
    Reproduction without the author's authorization is prohibited!!!
    
    
(All sensitive data in this article has been redacted.)

Protocol analysis

dfid is the device id returned by Kugou Music's device registration protocol, as shown in the figure below.

The protocol request looks like this:

curl '=8b2be686785d0b22fdfa66d4fa617e56182cdc5fcc173e963f84f2295805d70996a3133f2fbf3ac48dcab0c3c2c8042bb7db4bc7790e0e32f208519a0f664941c559019cca2c17fb1e5a0c5c258b19d650ad832c04d88ef7e63a5864758943564daaf17227eb7ff54acca05ac6a7ea0c73fc73d010d8b2cdfd7f112dff62f997&dfid=-&platid=1&signature=05db9413c9f14ab8dbe522701d003c3d&appid=3202&part=0&mid=279541490104503494453849017798291875107&clientver=189000&clienttime=1693446168&userid=0' \
-H 'Host: userservice.kugou' \
-H 'signature: 05db9413c9f14ab8dbe522701d003c3d' \
-H 'kg-thash: 49c2486' \
-H 'user-agent: Android810-1151-189000-6-0-UpdateDeviceFingerProtocol-wifi' \
-H 'kg-rc: 1' \
-H 'kg-rf: 0076055e' \
-H 'content-type: application/json;charset=utf-8' \
--data-binary "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"

In the device registration protocol there are two encrypted parameters, p and mid; the request header carries an encrypted signature value, and the request body is encrypted as well.
This article only reverses the encryption of the parameter p and of the request body. The encryption of mid, signature and the other parameters can be worked out from the Java-layer code; interested readers can analyse those themselves.

Restoring the request-body encryption

Locating the encryption

Code analysis locates the following function: j.u encrypts json.getBytes() and produces the encrypted request body.

We use objection to hook the as.b function and see what the json variable passed to j.u contains.
The hook command is:

android hooking watch class_method com.kugoumon.utils.as.b --dump-args --dump-return

The hook output is:

The contents of deviceFingerStr are shown below; it consists entirely of device fingerprint parameters.

{"availableRamSize": 1145593856,"availableRomSize": 9793256,"availableSDSize": 9793252,"basebandVer": "angler-03.88","batteryLevel": 83,"batteryStatus": 2,"bluetoothAddress": "02:00:00:00:00:00","bluetoothName": "Nexus 6P","board": "angler","bootloader": "angler-03.84","brand": "google","buildHost": "wpiv1.hot.corp.google","buildId": "OPM7.181205.001","buildModel": "Nexus 6P","buildSerial": "8XV7N16125001121","buildTags": "release-keys","buildTime": 1539967506000,"buildType": "user","buildUser": "android-build","channelID": "6","cpuInfo": "arm64-v8a","cpu_abi": "armeabi-v7a","cpu_abi2": "armeabi","density": 3.5,"device": "angler","display": "OPM7.181205.001","elapsedRealTime": 1902609,"emulator": false,"fingerPrint": "google/angler/angler:8.1.0/OPM7.181205.001/5080180:user/release-keys","hardware": "angler","imei": "d57ab112d635344a9b273aeb57b97e98","imsi": "-2d57ab112d635344a9b273aeb57b97e98","incremental": "5080180","innerVer": "5080180","inputMethodList": "[\"Google 印度语键盘\",\"Google 语音输入\",\"Google 日语输入法\",\"Google 韩语输入法\",\"Gboard\",\"谷歌拼音输入法\"]","ipAddress": "10.243.212.77","language": "zh","linuxCoreVer": "","manufacturer": "Huawei","netWorkType": 2,"networkOperator": "","networkOperatorName": "","phoneType": 1,"product": "angler","radioVersion": "angler-03.88","release": "8.1.0","scaledDensity": 3.5,"screenHeight": 2392,"screenWidth": 1440,"sdkInt": 27,"simCountryIso": "","simOperator": "","simOperatorName": "","simState": 1,"totalRamSize": 2935291904,"totalRomSize": 14037418,"totalSDSize": 14037418,"uuid": "d57ab112d635344a9b273aeb57b97e98","wifiBssid": "02:00:00:00:00:00","wifiSsid": "<unknown ssid>","xdpi": 515.154,"ydpi": 516.063,"accelerometer": true,"accelerometerValue": "{\"ix\":-0.79035646,\"iy\":-0.5891748,\"iz\":10.269844,\"ax\":-0.7759864,\"ay\":-0.5748047,\"az\":10.289004}","gravity": true,"gravityValue": "{\"ix\":-0.7431563,\"iy\":-0.5473629,\"iz\":9.76312,\"ax\":-0.7389288,\"ay\":-0.5478728,\"az\":9.7634115}","gyroscope": true,"gyroscopeValue": "{\"ix\":-0.0015210571,\"iy\":-1.645954E-4,\"iz\":-0.0012688022,\"ax\":0.0022313336,\"ay\":9.10073E-4,\"az\":-0.0012591371}","light": true,"lightValue": "{\"ix\":1287.2534,\"ax\":1291.2905}","magnetic": true,"magneticValue": "{\"ix\":254.5,\"iy\":-32.375,\"iz\":-33.875,\"ax\":255.25,\"ay\":-33.125,\"az\":-36.75}","orientation": true,"orientationValue": "{\"ix\":262.18207,\"iy\":3.209229,\"iz\":-4.323372,\"ax\":262.29172,\"ay\":3.2067575,\"az\":-4.3477025}","pressure": true,"pressureValue": "{\"ix\":1005.19403,\"ax\":1005.23016}","step_counter": true,"step_counterValue": "{\"ix\":0.0,\"ax\":0.0}","temperature": false,"temperatureValue": ""}
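Server-side plausibility checks over a fingerprint blob of the shape dumped above, as an added example that is not part of the original post: it rebuilds Build.FINGERPRINT from the component fields, checks sdkInt against release, and flags identifier fields that carry no device identity. The clean sample reuses values from the dump above; the tampered variant is constructed.

```python
"""Plausibility checks over a deviceFingerStr blob of the shape dumped above.

Added example, not part of the original post. It shows the cross-checks a
registration endpoint can run server-side on a submitted device fingerprint.
"""
import json
import re

# Android returns this placeholder MAC to apps that may not read the real
# hardware address, so the field carries no device identity.
PLACEHOLDER_MAC = "02:00:00:00:00:00"
RAW_IMEI = re.compile(r"^[0-9]{14,15}$")
# API level -> Build.VERSION.RELEASE for the levels relevant here.
API_TO_RELEASE = {26: "8.0.0", 27: "8.1.0", 28: "9", 29: "10", 30: "11"}


def expected_build_fingerprint(fp):
    """Rebuild Build.FINGERPRINT from its components:
    brand/product/device:release/buildId/incremental:buildType/buildTags."""
    return ("{brand}/{product}/{device}:{release}/{buildId}/{incremental}:"
            "{buildType}/{buildTags}").format(**fp)


def check_fingerprint(raw):
    """Return a list of findings for a fingerprint JSON string; an empty list
    means nothing looked inconsistent."""
    fp = json.loads(raw)
    findings = []
    if fp.get("fingerPrint") != expected_build_fingerprint(fp):
        findings.append("fingerPrint does not match the brand/product/device/build fields")
    known = API_TO_RELEASE.get(fp.get("sdkInt"))
    if known is not None and known != fp.get("release"):
        findings.append("sdkInt %s does not match release %s" % (fp["sdkInt"], fp.get("release")))
    for key in ("bluetoothAddress", "wifiBssid"):
        if fp.get(key) == PLACEHOLDER_MAC:
            findings.append("%s is the Android placeholder MAC and identifies nothing" % key)
    imei = str(fp.get("imei", ""))
    if not RAW_IMEI.match(imei):
        findings.append("imei is not a raw 14/15-digit IMEI (hashed or substituted)")
    if imei and imei == fp.get("uuid"):
        findings.append("imei equals uuid, so one is derived from the other")
    return findings


# Field values taken from the fingerprint dumped above (subset of the keys).
CLEAN_SAMPLE = json.dumps({
    "brand": "google", "product": "angler", "device": "angler", "release": "8.1.0",
    "buildId": "OPM7.181205.001", "incremental": "5080180",
    "buildType": "user", "buildTags": "release-keys",
    "fingerPrint": "google/angler/angler:8.1.0/OPM7.181205.001/5080180:user/release-keys",
    "imei": "d57ab112d635344a9b273aeb57b97e98",
    "uuid": "d57ab112d635344a9b273aeb57b97e98",
    "bluetoothAddress": PLACEHOLDER_MAC, "wifiBssid": PLACEHOLDER_MAC,
    "sdkInt": 27, "emulator": False,
})
# Constructed variant: release edited to "9" without touching sdkInt or fingerPrint.
TAMPERED_SAMPLE = json.dumps(dict(json.loads(CLEAN_SAMPLE), release="9"))

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label)
        for finding in check_fingerprint(raw):
            print("  -", finding)
```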

Next, let us look at how j.u encrypts the device fingerprint plaintext shown above.

j.u ultimately calls com.kugoumon.player.kugouplayer.j._u to perform the encryption, and com.kugoumon.player.kugouplayer.j._u is declared as a native function, so the native layer has to be analysed as well.

Before that, let us find out which .so file implements com.kugoumon.player.kugouplayer.j._u.
The following frida script hooks the RegisterNatives function:

function find_RegisterNatives() {
    let symbols = Module.enumerateSymbolsSync("libart.so");
    let addrRegisterNatives = null;
    for (let i = 0; i < symbols.length; i++) {
        let symbol = symbols[i];
        // Pick art::JNI::RegisterNatives and skip the CheckJNI variant
        if (symbol.name.indexOf("art") >= 0 &&
            symbol.name.indexOf("JNI") >= 0 &&
            symbol.name.indexOf("RegisterNatives") >= 0 &&
            symbol.name.indexOf("CheckJNI") < 0) {
            addrRegisterNatives = symbol.address;
            console.log("RegisterNatives is at ", symbol.address, symbol.name);
            hook_RegisterNatives(addrRegisterNatives);
        }
    }
}

function hook_RegisterNatives(addrRegisterNatives) {
    if (addrRegisterNatives != null) {
        Interceptor.attach(addrRegisterNatives, {
            onEnter: function (args) {
                // RegisterNatives(JNIEnv*, jclass, const JNINativeMethod*, jint)
                console.log("[RegisterNatives] method_count:", args[3]);
                let java_class = args[1];
                let class_name = Java.vm.tryGetEnv().getClassName(java_class);
                let methods_ptr = ptr(args[2]);
                let method_count = parseInt(args[3]);
                // Each JNINativeMethod entry is three pointers: name, signature, fnPtr
                for (let i = 0; i < method_count; i++) {
                    let name_ptr = Memory.readPointer(methods_ptr.add(i * 3 * Process.pointerSize));
                    let sig_ptr = Memory.readPointer(methods_ptr.add((i * 3 + 1) * Process.pointerSize));
                    let fnPtr_ptr = Memory.readPointer(methods_ptr.add((i * 3 + 2) * Process.pointerSize));
                    let name = Memory.readCString(name_ptr);
                    let sig = Memory.readCString(sig_ptr);
                    let module = Process.findModuleByAddress(fnPtr_ptr);
                    console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig,
                        "fnPtr:", fnPtr_ptr, "module_name:", module.name, "module_base:", module.base,
                        "offset:", ptr(fnPtr_ptr).sub(module.base));
                }
            }
        });
    }
}

setImmediate(find_RegisterNatives);

Run the script with the following command:

frida -U -l hook_RegisterNatives.js -f com.kugou.android.douge --no-pause

This shows that com.kugoumon.player.kugouplayer.j._u is implemented in libj.so, at function offset 0xef59.
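A parser for the hook's output that maps each registered native method to its module and offset, as an added example that is not part of the original post. The log lines are constructed to match the hook's console.log format; the pointer values and method signatures are made up, and only the class name and the 0xef59 offset come from the page.

```python
"""Map Java native methods to module + offset from the RegisterNatives hook output.

Added example, not part of the original post. The log lines below are
constructed to match the hook's console.log format; the pointer values and
the method signatures are made up.
"""
import re
from typing import List, NamedTuple, Optional

# One line per registered method, as printed by the hook's console.log call.
LINE_RE = re.compile(
    r"^\[RegisterNatives\] java_class: (?P<cls>\S+) name: (?P<name>\S+) "
    r"sig: (?P<sig>\S+) fnPtr: (?P<fn>0x[0-9a-fA-F]+) module_name: (?P<mod>\S+) "
    r"module_base: (?P<base>0x[0-9a-fA-F]+) offset: (?P<off>0x[0-9a-fA-F]+)$"
)


class NativeMethod(NamedTuple):
    java_class: str
    name: str
    sig: str
    module: str
    offset: int
    thumb: bool  # odd offset on 32-bit ARM: the function is entered in Thumb state


def parse_register_natives(log: str) -> List[NativeMethod]:
    """Parse the hook output; method_count lines and other noise are skipped."""
    methods = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fn = int(m.group("fn"), 16)
        base = int(m.group("base"), 16)
        off = int(m.group("off"), 16)
        # The hook prints fnPtr, module base and offset separately; make sure they agree.
        if fn - base != off:
            raise ValueError("inconsistent fnPtr/base/offset in line: %r" % line)
        methods.append(NativeMethod(m.group("cls"), m.group("name"), m.group("sig"),
                                    m.group("mod"), off, bool(off & 1)))
    return methods


def find_native(methods: List[NativeMethod], java_class: str, name: str) -> Optional[NativeMethod]:
    """Look up one Java native method by class and method name."""
    for meth in methods:
        if meth.java_class == java_class and meth.name == name:
            return meth
    return None


# Constructed sample output; only the class name and the 0xef59 offset come from the page.
SAMPLE_LOG = """\
[RegisterNatives] method_count: 0x2
[RegisterNatives] java_class: com.kugoumon.player.kugouplayer.j name: _u sig: ([BI)[B fnPtr: 0xc5a4ef59 module_name: libj.so module_base: 0xc5a40000 offset: 0xef59
[RegisterNatives] java_class: com.kugoumon.player.kugouplayer.j name: _v sig: ([B)[B fnPtr: 0xc5a4f0a1 module_name: libj.so module_base: 0xc5a40000 offset: 0xf0a1
"""

if __name__ == "__main__":
    methods = parse_register_natives(SAMPLE_LOG)
    target = find_native(methods, "com.kugoumon.player.kugouplayer.j", "_u")
    print("%s+0x%x (thumb=%s)" % (target.module, target.offset, target.thumb))
```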

Restoring the encryption

Next we use unidbg to call the function at offset 0xef59 in libj.so. The code follows; the runtime environment has already been patched, and the code is for reference only.

package every.app.unidbg;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Emulator;
import com.github.unidbg.Module;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.file.FileResult;
import com.github.unidbg.file.IOResolver;
import com.github.unidbg.hook.hookzz.*;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;
import com.github.unidbg.utils.Inspector;
import com.sun.jna.Pointer;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class KuGou extends AbstractJni implements IOResolver {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;
    private final Memory memory;
    private final String traceFile = "unidbg-chqi/src/main/resources/kugou/trace.txt";
    // Environment patching needs an instance of the j$A holder class
    private A aobject = new A();

    private KuGou() throws FileNotFoundException {
        // Create the emulator; using the real process name avoids checks on the process name
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.kugou.android.douge")
                .addBackendFactory(new Unicorn2Factory(true))
                .build();
        emulator.getBackend().registerEmuCountHook(100000);
        emulator.getSyscallHandler().setVerbose(true);
        emulator.getSyscallHandler().setEnableThreadDispatcher(true);
        emulator.getSyscallHandler().addIOResolver(this);
        // Memory interface of the emulator
        memory = emulator.getMemory();
        // Resolver for the system libraries
        memory.setLibraryResolver(new AndroidResolver(23));
        // Create the Android VM with the APK; unidbg can answer part of the signature checks for us
        vm = emulator.createDalvikVM(new File("unidbg-chqi/src/main/resources/kugou/base.apk"));
        vm.setJni(this);
        vm.setVerbose(true);
        // Load the target SO
        DalvikModule dm = vm.loadLibrary("j", true);
        module = dm.getModule();
        // Dump the executed instruction stream to the trace file
        PrintStream traceStream = new PrintStream(new FileOutputStream(traceFile), true);
        emulator.traceCode(module.base, module.base + module.size).setRedirect(traceStream);
        // Call JNI_OnLoad
        module.findSymbolByName("JNI_OnLoad", false).call(emulator, vm.getJavaVM(), null);
    }

    public static class A {
        public byte[] a = null;
        public int e = 0;
        public byte[] r = null;
    }

    @Override
    public FileResult resolve(Emulator emulator, String pathname, int oflags) {
        return null;
    }

    @Override
    public DvmObject<?> newObjectV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        // Environment patching: instantiate the j$A inner class
        switch (signature) {
            case "com/kugou/common/player/kugouplayer/j$A-><init>()V": {
                return vm.resolveClass("com/kugou/common/player/kugouplayer/j$A").newObject(aobject);
            }
        }
        return super.newObjectV(vm, dvmClass, signature, vaList);
    }

    @Override
    public void setIntField(BaseVM vm, DvmObject<?> dvmObject, String signature, int value) {
        // Environment patching: assign member e of the j$A inner class
        switch (signature) {
            case "com/kugou/common/player/kugouplayer/j$A->e:I": {
                aobject.e = value;
                return;
            }
        }
        throw new UnsupportedOperationException(signature);
    }

    @Override
    public void setObjectField(BaseVM vm, DvmObject<?> dvmObject, String signature, DvmObject<?> value) {
        // Environment patching: assign members a and r of the j$A inner class
        // Print the value being assigned
        System.out.println(Arrays.toString((byte[]) value.getValue()));
        switch (signature) {
            case "com/kugou/common/player/kugouplayer/j$A->a:[B": {
                aobject.a = (byte[]) value.getValue();
                return;
            }
            case "com/kugou/common/player/kugouplayer/j$A->r:[B": {
                aobject.r = (byte[]) value.getValue();
                return;
            }
        }
        throw new UnsupportedOperationException(signature);
    }

    // Call the function at offset 0xef59
    public String encrypt(String str) {
        ByteArray bytes = new ByteArray(vm, str.getBytes(StandardCharsets.UTF_8));
        List<Object> list = Arrays.asList(vm.getJNIEnv(), 0, vm.addLocalObject(bytes), str.length());
        Number number = module.callFunction(emulator, 0xef59, list.toArray());
        return vm.getObject(number.intValue()).getValue().toString();
    }

    public static void main(String[] args) throws FileNotFoundException {
        String str = "{\"availableRamSize\":1144287232,\"availableRomSize\":9794787,\"availableSDSize\":9794787,\"basebandVer\":\"angler-03.88\",\"batteryLevel\":100,\"batteryStatus\":2,\"bluetoothAddress\":\"02:00:00:00:00:00\",\"bluetoothName\":\"Nexus 6P\",\"board\":\"angler\",\"bootloader\":\"angler-03.84\",\"brand\":\"google\",\"buildHost\":\"wpiv1.hot.corp.google\",\"buildId\":\"OPM7.181205.001\",\"buildModel\":\"Nexus 6P\",\"buildSerial\":\"8XV7N16125001121\",\"buildTags\":\"release-keys\",\"buildTime\":1539967506000,\"buildType\":\"user\",\"buildUser\":\"android-build\",\"channelID\":\"6\",\"cpuInfo\":\"arm64-v8a\",\"cpu_abi\":\"armeabi-v7a\",\"cpu_abi2\":\"armeabi\",\"density\":3.5,\"device\":\"angler\",\"display\":\"OPM7.181205.001\",\"elapsedRealTime\":1644869,\"emulator\":false,\"fingerPrint\":\"google/angler/angler:8.1.0/OPM7.181205.001/5080180:user/release-keys\",\"hardware\":\"angler\",\"imei\":\"d57ab112d635344a9b273aeb57b97e98\",\"imsi\":\"-2d57ab112d635344a9b273aeb57b97e98\",\"incremental\":\"5080180\",\"innerVer\":\"5080180\",\"inputMethodList\":\"[\\\"Google 印度语键盘\\\",\\\"Google 语音输入\\\",\\\"Google 日语输入法\\\",\\\"Google 韩语输入法\\\",\\\"Gboard\\\",\\\"谷歌拼音输入法\\\"]\",\"ipAddress\":\"10.243.212.77\",\"language\":\"zh\",\"linuxCoreVer\":\"\",\"manufacturer\":\"Huawei\",\"netWorkType\":2,\"networkOperator\":\"\",\"networkOperatorName\":\"\",\"phoneType\":1,\"product\":\"angler\",\"radioVersion\":\"angler-03.88\",\"release\":\"8.1.0\",\"scaledDensity\":3.5,\"screenHeight\":2392,\"screenWidth\":1440,\"sdkInt\":27,\"simCountryIso\":\"\",\"simOperator\":\"\",\"simOperatorName\":\"\",\"simState\":1,\"totalRamSize\":2935291904,\"totalRomSize\":14037418,\"totalSDSize\":14037418,\"uuid\":\"d57ab112d635344a9b273aeb57b97e98\",\"wifiBssid\":\"02:00:00:00:00:00\",\"wifiSsid\":\"\\u003cunknown ssid\\u003e\",\"xdpi\":515.154,\"ydpi\":516.063,\"accelerometer\":true,\"accelerometerValue\":\"{\\\"ix\\\":-1.22146,\\\"iy\\\":0.5939649,\\\"iz\\\":10.169253,\\\"ax\\\":-1.1783496,\\\"ay\\\":0.6179151,\\\"az\\\":10.188414}\",\"gravity\":true,\"gravityValue\":\"{\\\"ix\\\":-0.9137828,\\\"iy\\\":-0.7723851,\\\"iz\\\":9.733386,\\\"ax\\\":-0.8847608,\\\"ay\\\":-0.9211294,\\\"az\\\":9.723122}\",\"gyroscope\":true,\"gyroscopeValue\":\"{\\\"ix\\\":-0.002420438,\\\"iy\\\":-0.0016973992,\\\"iz\\\":-0.0022671663,\\\"ax\\\":8.858195E-4,\\\"ay\\\":-0.0011214206,\\\"az\\\":-0.001157352}\",\"light\":true,\"lightValue\":\"{\\\"ix\\\":993.31433,\\\"ax\\\":997.3515}\",\"magnetic\":true,\"magneticValue\":\"{\\\"ix\\\":263.5,\\\"iy\\\":-26.6875,\\\"iz\\\":-40.25,\\\"ax\\\":264.625,\\\"ay\\\":-26.6875,\\\"az\\\":-39.0}\",\"orientation\":true,\"orientationValue\":\"{\\\"ix\\\":264.5293,\\\"iy\\\":-3.4872384,\\\"iz\\\":-6.6869216,\\\"ax\\\":264.63397,\\\"ay\\\":-3.4482582,\\\"az\\\":-6.6996193}\",\"pressure\":true,\"pressureValue\":\"{\\\"ix\\\":1003.4457,\\\"ax\\\":1003.5652}\",\"step_counter\":true,\"step_counterValue\":\"{\\\"ix\\\":0.0,\\\"ax\\\":0.0}\",\"temperature\":false,\"temperatureValue\":\"\"}";
        KuGou kg = new KuGou();
        kg.encrypt(str);
    }
}

After execution, the dumped instruction trace is saved at unidbg-chqi/src/main/resources/kugou/trace.txt.

The value assigned to j$A member a, as printed (every byte is the ASCII code of a lowercase hex digit, i.e. the member holds a hex string):

99, 48, 55, 98, 51, 54, 101, 101, 53, 56, 101, 100, 50, 97, 99, 56, 102, 51, 50, 49, 97, 98, 57, 99, 53, 99, 52, 50, 99, 99]

Printed value of the j$A member r

[54, 55, 53, 97, 51, 100, 100, 50, 50, 97, 101, 101, 50, 102, 50, 52, 101, 99, 97, 52, 99, 50, 55, 97, 51, 57, 50, 49, 56, 99, 101, 55, 48, 52, 51, 101, 49, 50, 102, 48, 98, 101, 56, 101, 53, 53, 54, 53, 56, 99, 52, 55, 55, 101, 56, 55, 48, 101, 56, 48, 99, 51, 48, 56, 101, 53, 53, 53, 101, 102, 97, 51, 50, 57, 56, 101, 48, 99, 56, 57, 98, 97, 51, 97, 56, 50, 51, 49, 48, 48, 48, 102, 57, 100, 49, 49, 49, 49, 49, 50, 49, 57, 100, 100, 52, 51, 99, 55, 51, 98, 98, 101, 54, 48, 98, 51, 101, 102, 54, 102, 54, 101, 55, 99, 51, 101, 50, 51, 56, 50, 49, 100, 97, 101, 50, 53, 100, 52, 102, 99, 57, 56, 99, 97, 50, 97, 51, 55, 50, 48, 99, 49, 98, 99, 55, 51, 101, 49, 56, 51, 99, 51, 99, 55, 50, 53, 97, 102, 51, 98, 57, 50, 49, 102, 57, 52, 52, 102, 52, 49, 55, 100, 50, 57, 102, 101, 99, 97, 55, 57, 102, 55, 98, 102, 48, 102, 54, 52, 97, 51, 51, 51, 102, 98, 50, 52, 53, 54, 51, 99, 52, 99, 100, 49, 99, 50, 48, 55, 100, 101, 48, 99, 56, 49, 57, 56, 50, 50, 97, 99, 98, 52, 48, 52, 99, 56, 50, 98, 57, 97, 99, 48, 52, 54, 101, 48, 55, 50, 97, 98, 100, 51, 97, 52, 50, 97]

From the earlier code analysis we know that the j$A member a, once base64-encoded, is the request body uploaded by the device registration protocol, and the j$A member r is the request parameter p.

Let's look at the assembly instruction trace to see how the j$A members a and r are produced.
Something odd turned up: searching the assembly instruction trace in unidbg-chqi/src/main/resources/kugou/trace.txt for the input arguments and the output results shows no trace of any encryption at all. It later became clear that libj.so references another shared object, libcrypto_kg.so, so the cryptographic operations are very likely implemented in libcrypto_kg.so.

Let's verify that briefly. Continue with the function at 0xef59 in libj.so.

The generateDF function is very likely the encryption entry point; let's step into it.

It is fairly complex; step into the h14 function.

It calls the AES encryption routine, and both EVP_aes_128_cbc and EVP_aes_256_cbc are imported functions, imported of course from libcrypto_kg.so.

Next we analyze the AES functions implemented in libcrypto_kg.so. In the exports window, the entry point for AES-CBC encryption is AES_cbc_encrypt, at offset 0x3583c.

The function body is shown below.

So how do we find out which arguments AES_cbc_encrypt receives? We hook AES_cbc_encrypt and AES_set_encrypt_key with the following Frida script.

var arg1, arg2, arg3, arg4, arg5;

// Hook AES_cbc_encrypt at export offset 0x3583C. The extra +1 sets the Thumb
// bit so that Frida treats the target as Thumb code on 32-bit ARM.
function inline_hook_3583C() {
    var libnative_lib_addr = Module.findBaseAddress("libcrypto_kg.so");
    if (libnative_lib_addr) {
        var addr_3583C = libnative_lib_addr.add(0x3583D);
        console.log("addr_3583C:", addr_3583C);
        var ptr_func = new NativePointer(addr_3583C);
        Interceptor.attach(ptr_func, {
            onEnter: function (args) {
                // Keep the argument pointers so onLeave can dump the output buffer (arg2)
                arg1 = args[0];
                arg2 = args[1];
                arg3 = args[2];
                arg4 = args[3];
                arg5 = args[4];
                console.log("==========================================================================================AES_ENCRYPT");
                console.log("arg1:");
                console.log(hexdump(arg1, { offset: 0, length: 3000, header: true, ansi: true }));
                console.log("arg2:");
                console.log(hexdump(arg2, { offset: 0, length: 256, header: true, ansi: true }));
                console.log("arg3:");
                console.log(arg3);
                console.log("arg4:");
                console.log(hexdump(arg4, { offset: 0, length: 256, header: true, ansi: true }));
                console.log("arg5:");
                console.log(hexdump(arg5, { offset: 0, length: 256, header: true, ansi: true }));
            },
            onLeave: function (retval) {
                console.log("AES_ENCRYPT return:");
                console.log(retval);
                console.log(hexdump(arg2, { offset: 0, length: 3000, header: true, ansi: true }));
            }
        });
    }
}

// Hook AES_set_encrypt_key at export offset 0x358DC (same Thumb-bit adjustment).
function inline_hook_358DC() {
    var libnative_lib_addr = Module.findBaseAddress("libcrypto_kg.so");
    if (libnative_lib_addr) {
        var addr_358DC = libnative_lib_addr.add(0x358DD);
        console.log("addr_358DC:", addr_358DC);
        var ptr_func = new NativePointer(addr_358DC);
        Interceptor.attach(ptr_func, {
            onEnter: function (args) {
                arg1 = args[0];  // raw key bytes
                arg2 = args[1];  // key length in bits
                arg3 = args[2];  // AES_KEY structure that receives the key schedule
                console.log("==========================================================================================AES_ENCRYPT_SET_KEY");
                console.log("arg1:");
                console.log(hexdump(arg1, { offset: 0, length: 256, header: true, ansi: true }));
                console.log("arg2:");
                console.log(arg2);
                console.log("arg3:");
                console.log(hexdump(arg3, { offset: 0, length: 256, header: true, ansi: true }));
            },
            onLeave: function (retval) {
                console.log("AES_ENCRYPT_SET_KEY return");
            }
        });
    }
}

function hook() {
    inline_hook_3583C();
    inline_hook_358DC();
}

setImmediate(hook);

The printed AES key is de50********c51e

Argument 1 of AES_cbc_encrypt is the plaintext device fingerprint

Argument 2 of AES_cbc_encrypt is empty on entry; it receives the encryption result

Argument 3 of AES_cbc_encrypt is unknown for now (in the stock OpenSSL signature this position is the data length in bytes)

Argument 4 of AES_cbc_encrypt is the IV ad2f********f48d

The encryption result returned by AES_cbc_encrypt

The request body captured for the device registration upload is

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

Base64-decoded and converted to a hex string it becomes

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

This matches the encryption result returned by AES_cbc_encrypt in the figure above.
We now decrypt the encrypted request body to verify that the AES key and IV are correct.

As shown above, the plaintext, i.e. the device fingerprint parameters, is recovered correctly.

Repeated runs show that the AES key and IV change from request to request. How do they change, and how does the server decrypt the request body it receives?
One can guess that the AES key and IV must be hidden in some request parameter; parameter p mentioned above is the prime suspect.

Interim summary: the request body is produced by AES-encrypting the device fingerprint parameters. The AES key and IV vary, and the variation is tied to request parameter p. Parameter p is itself encrypted and has a fixed length of 256 characters, which suggests RSA. This is the classic AES+RSA hybrid encryption combination.

Reversing the encryption of parameter p

Locating the encryption

Above we guessed that parameter p is produced by RSA. The exports window of libcrypto_kg.so shows two RSA encryption entry points: RSA_public_encrypt and RSA_private_encrypt.

From the offsets in the assembly instruction trace we can confirm that parameter p is produced by RSA_public_encrypt.

Add the following code to the Frida script to verify this.

// Hook RSA_public_encrypt at export offset 0x7F5B2 (+1 for the Thumb bit).
// OpenSSL signature: RSA_public_encrypt(flen, from, to, rsa, padding)
function inline_hook_7F5B2() {
    var libnative_lib_addr = Module.findBaseAddress("libcrypto_kg.so");
    if (libnative_lib_addr) {
        var addr_7F5B2 = libnative_lib_addr.add(0x7F5B3);
        console.log("addr_7F5B2:", addr_7F5B2);
        var ptr_func = new NativePointer(addr_7F5B2);
        Interceptor.attach(ptr_func, {
            onEnter: function (args) {
                arg1 = args[0];  // flen: plaintext length
                arg2 = args[1];  // from: plaintext
                arg3 = args[2];  // to: buffer that receives the ciphertext
                arg4 = args[3];  // rsa: RSA key structure
                console.log("==========================================================================================RSA_PUBLIC_ENCRYPT");
                console.log("arg1:");
                console.log(arg1);
                console.log("arg2:");
                console.log(hexdump(arg2, { offset: 0, length: 256, header: true, ansi: true }));
                console.log("arg3:");
                console.log(hexdump(arg3, { offset: 0, length: 256, header: true, ansi: true }));
                console.log("arg4:");
                console.log(hexdump(arg4, { offset: 0, length: 256, header: true, ansi: true }));
            },
            onLeave: function (retval) {
                console.log("RSA_PUBLIC_ENCRYPT return");
                console.log(hexdump(arg3, { offset: 0, length: 256, header: true, ansi: true }));
                console.log(hexdump(arg4, { offset: 0, length: 256, header: true, ansi: true }));
            }
        });
    }
}

Running the Frida hook again gives a new AES key d328********53b6 and IV 467f********cedf, while the input to the RSA encryption is {"aes":"cr**J8"}. So how is the change of the AES key and IV related to it?

Analysis shows that md5(cr**J8) = d328********53b6467f********cedf: its first 16 characters are the key d328********53b6 and its last 16 characters are the IV 467f********cedf.
So whenever the argument passed to RSA_public_encrypt changes, the AES key and IV change with it.
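The key/IV derivation and the body encryption described above, written out as an added example (this is not code from the original post or from the app). It assumes that the 32 hex characters of the MD5 digest are used as ASCII bytes (16 bytes of key, 16 bytes of IV, i.e. AES-128-CBC, matching the EVP_aes_128_cbc import), that the plaintext is padded with PKCS#7, which the post does not state and which is OpenSSL's EVP default, and that the request body is the base64 of the raw ciphertext. The aes string and the fingerprint JSON are constructed sample values. Go is used because its standard library provides MD5, AES-CBC and base64 offline; decryptBody is the same check the author performed by hand to confirm the derivation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKeyIV follows the relation observed above: hex(md5(aesStr)) is a
// 32-character string; its first 16 characters (as ASCII bytes) are the
// AES-128 key and its last 16 characters are the CBC IV.
func deriveKeyIV(aesStr string) (key, iv []byte) {
	sum := md5.Sum([]byte(aesStr))
	h := hex.EncodeToString(sum[:])
	return []byte(h[:16]), []byte(h[16:])
}

// PKCS#7 padding is an assumption: the post does not say which padding the
// EVP_aes_128_cbc path applies; PKCS#7 is OpenSSL's EVP default.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptBody produces the request body in the form described above:
// base64(AES-128-CBC(key, iv, fingerprintJSON)).
func encryptBody(aesStr string, fingerprintJSON []byte) (string, error) {
	key, iv := deriveKeyIV(aesStr)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(append([]byte(nil), fingerprintJSON...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptBody is the verification step: decode the captured body and decrypt
// it with the key and IV derived from the aes string carried (RSA-encrypted)
// in parameter p. A clean plaintext confirms the derivation is correct.
func decryptBody(aesStr, body string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("body is not a whole number of AES blocks")
	}
	key, iv := deriveKeyIV(aesStr)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed sample values; the real aes string is random per request.
	aesStr := "abc123"
	fp := []byte(`{"brand":"google","buildModel":"Nexus 6P","sdkInt":27}`)
	body, err := encryptBody(aesStr, fp)
	fmt.Println(body, err)
	back, err := decryptBody(aesStr, body)
	fmt.Println(string(back), err)
}
```

Because key and IV are both a deterministic function of the short aes string, anyone who can read that string (it travels RSA-encrypted in parameter p) can decrypt the body; this is why the scheme's confidentiality rests entirely on the RSA layer discussed next.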

Reconstructing the encryption

The key to reconstructing RSA_public_encrypt is finding the RSA public key, or equivalently the exponent and modulus. In this sample RSA_public_encrypt is implemented with OpenSSL, so we need to hook both RSA_public_encrypt and BN_mod_exp_mont. Why BN_mod_exp_mont?
According to the documentation, argument 2 of BN_mod_exp_mont is the base (the plaintext), argument 3 is the exponent and argument 4 is the modulus.

Now let's hook RSA_public_encrypt and BN_mod_exp_mont with the unidbg code written earlier. We already have unidbg calling the function at offset 0xef59 in libj.so; can the same program hook functions in other shared objects? Yes, it can.
First, widen the range of the assembly instruction trace.

// The trace covers only instructions executed inside libj.so
emulator.traceCode(module.base, module.base+module.size).setRedirect(traceStream);

Change the code above to the following

// No limit on where the traced instructions come from
emulator.traceCode(module.base, module.base+0xFFFFFFF).setRedirect(traceStream);

This prints every instruction executed during the encryption. In the trace we can find RSA_public_encrypt at offset 0x7F5B3 and BN_mod_exp_mont at offset 0x4A8D5.

From this, RSA_public_encrypt lies at offset 0x2195b2 from the base address of libj.so, and BN_mod_exp_mont at offset 0x1e48d4 from the base address of libj.so.

Add the following hook function to the unidbg program to print the arguments and result of RSA_public_encrypt.

public void hookSubRSAEncrypt() {
    IHookZz hookZz = HookZz.getInstance(emulator);
    // +1 on the offset: Thumb-mode function
    hookZz.wrap(module.base + 0x2195b3, new WrapCallback<HookZzArm32RegisterContext>() {
        @Override
        // Similar to Frida's onEnter
        public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            System.out.println(ctx.getR0Long());
            System.out.println(ctx.getR1Long());
            System.out.println(ctx.getR2Long());
            System.out.println(ctx.getR3Long());
            // RSA plaintext (arg 2, "from")
            Pointer input2 = ctx.getPointerArg(1);
            Inspector.inspect(input2.getByteArray(0, 0x150), "hookSubRSAEncrypt plaintext");
            // Buffer that receives the ciphertext (arg 3, "to")
            Pointer input3 = ctx.getPointerArg(2);
            Inspector.inspect(input3.getByteArray(0, 0x150), "hookSubRSAEncrypt output buffer");
            Pointer input4 = ctx.getPointerArg(3);
            Inspector.inspect(input4.getByteArray(0, 0x150), "hookSubRSAEncrypt arg4");
            // Keep the output pointer so postCall can dump the result
            ctx.push(input3);
        }

        @Override
        // Print the encryption result, similar to Frida's onLeave
        public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            Pointer output3 = ctx.pop();
            Inspector.inspect(output3.getByteArray(0, 0x150), "hookSubRSAEncrypt ciphertext");
        }
    });
}

Add the following hook function to the unidbg program to print the arguments and result of BN_mod_exp_mont.

public void hookSubBN_mod_exp_mont() {
    IHookZz hookZz = HookZz.getInstance(emulator);
    // +1 on the offset: Thumb-mode function
    hookZz.wrap(module.base + 0x1e48d5, new WrapCallback<HookZzArm32RegisterContext>() {
        @Override
        // Similar to Frida's onEnter. Each BIGNUM argument is a struct whose
        // first field points at the limb array, hence the extra getPointer(0).
        public void preCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
            System.out.println(ctx.getR0Long());
            System.out.println(ctx.getR1Long());
            System.out.println(ctx.getR2Long());
            System.out.println(ctx.getR3Long());
            // Base of the modular exponentiation (the padded RSA plaintext)
            Pointer input2 = ctx.getPointerArg(1);
            Pointer input2_pointer = input2.getPointer(0);
            Inspector.inspect(input2_pointer.getByteArray(0, 0x150), "hookSubBN_mod_exp_mont base");
            // Exponent
            Pointer input3 = ctx.getPointerArg(2);
            Pointer input3_pointer = input3.getPointer(0);
            Inspector.inspect(input3_pointer.getByteArray(0, 0x150), "hookSubBN_mod_exp_mont exponent");
            // Modulus
            Pointer input4 = ctx.getPointerArg(3);
            Pointer input4_pointer = input4.getPointer(0);
            Inspector.inspect(input4_pointer.getByteArray(0, 0x200), "hookSubBN_mod_exp_mont modulus");
            // Arguments 5 and 6 are passed on the stack
            Pointer sp = ctx.getStackPointer();
            Pointer input5_pointer = sp.getPointer(0);
            Pointer input6_pointer = sp.getPointer(4);
            Inspector.inspect(input5_pointer.getByteArray(0, 0x150), "hookSubBN_mod_exp_mont arg5");
            Inspector.inspect(input6_pointer.getByteArray(0, 0x150), "hookSubBN_mod_exp_mont arg6");
        }

        @Override
        // Similar to Frida's onLeave
        public void postCall(Emulator<?> emulator, HookZzArm32RegisterContext ctx, HookEntryInfo info) {
        }
    });
}

The output printed for RSA_public_encrypt is as follows


The output printed for BN_mod_exp_mont is as follows


This can be verified with the following program

class RsaTest:
    def __init__(self):
        # The three values below are BIGNUM limb dumps as printed by the unidbg
        # hook. OpenSSL stores limbs least-significant first, so each dump is
        # read as a little-endian integer.
        # Base: the PKCS#1 v1.5 padded block carrying {"aes":"..."}
        self.data = bytes.fromhex('7D2235316C364566223A22736561227B001E1AAA2AC0DAFEDC4EC4E458391F3721FF64ECD5D0EFFA487D514E5890041CBAAA23B1D5429061AAFE651301C926C37F2A21139B730F4F2AD8ECD008753F31A4174F34FBAABEDB86D40DE2592C2AC44F88AADDAFFAF6E81553C4501D7A340D70396A0EA309256E81FB25A352DF0200')
        # Exponent 0x00010001 = 65537
        self.rsa_exponent = bytes.fromhex('01000100')
        # Modulus; the middle part is redacted by the author, so fill it in
        # from your own hook output before running
        self.rsa_modulus = bytes.fromhex('8D50380D4361DB2654CC73A8E19A7E4FC0ECFF160ADC40F9FD01FE2CCE6E026A*********************************C8E5A2BBBA3C66DB5192ADFC50E07AE8005C9C550FC11408AFD25205999BA08715C0FE7FB784DBAA0D12FF1E320C9CD958D5C1451464FF1F1D8AA8D4E54723B7')

    def encrypt(self):
        base = int.from_bytes(self.data, 'little')
        exp = int.from_bytes(self.rsa_exponent, 'little')
        mod = int.from_bytes(self.rsa_modulus, 'little')
        # Three-argument pow reduces modulo mod at every step; computing
        # base ** exp and reducing afterwards would first build a number of
        # roughly 1024 * 65537 bits.
        res = pow(base, exp, mod)
        return format(res, 'x').zfill(256)


if __name__ == "__main__":
    print(RsaTest().encrypt())

The output, which matches the result printed by RSA_public_encrypt, is

2d97ca0e29adc0aaee06eb2e9c15658f5526a774cb759e4f0a540cf44a61ac76426a25a3a3805aa0aacb1f3447adc68be282200b99d0b88df763eb2f9ca4d90532c698cee28da1de2500709e73828fae34a684e98551f07696b4143bf2450dfe54200b57685a6e86bddaa4b64783b4e3dd6a0b5a73aac569301e94a82edc6870
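The RSA side, as an added example that is not code from the original post or from the app. It generalizes the verification program above in three ways: the little-endian limb dump is converted with one helper, the exponentiation is done with modular reduction at every step, and the base is parsed as the PKCS#1 v1.5 type 2 block (00 02, random non-zero padding, 00, message) that the BN_mod_exp_mont dump above shows. Because the post's modulus is partly redacted, the example generates its own 1024-bit key (the same size as the 256-hex-character parameter p) and uses a constructed message; the point it demonstrates is that one modular exponentiation of the padded block is exactly what Go's standard PKCS#1 v1.5 decryption undoes.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// bnLEToInt converts a BIGNUM limb dump as read from memory on 32-bit ARM
// (least significant byte first) into a big.Int. It is the reversal that the
// verification program above performs by reading the bytes little-endian.
func bnLEToInt(le []byte) *big.Int {
	be := make([]byte, len(le))
	for i, b := range le {
		be[len(le)-1-i] = b
	}
	return new(big.Int).SetBytes(be)
}

// rawRSA is textbook RSA, m^e mod n, with reduction at every step.
func rawRSA(m, e, n *big.Int) *big.Int {
	return new(big.Int).Exp(m, e, n)
}

// padPKCS1v15Type2 builds the block seen as the BN_mod_exp_mont base:
// 0x00 0x02 || PS (at least 8 random non-zero bytes) || 0x00 || message.
func padPKCS1v15Type2(msg []byte, k int) ([]byte, error) {
	if len(msg) > k-11 {
		return nil, errors.New("message too long for the modulus size")
	}
	em := make([]byte, k)
	em[0], em[1] = 0x00, 0x02
	ps := em[2 : k-len(msg)-1]
	if _, err := rand.Read(ps); err != nil {
		return nil, err
	}
	for i := range ps {
		for ps[i] == 0 { // padding bytes must be non-zero
			var one [1]byte
			if _, err := rand.Read(one[:]); err != nil {
				return nil, err
			}
			ps[i] = one[0]
		}
	}
	copy(em[k-len(msg):], msg)
	return em, nil
}

// unpadPKCS1v15Type2 parses a recovered base: it checks the 00 02 header,
// skips the non-zero padding string and returns the embedded message.
func unpadPKCS1v15Type2(em []byte) ([]byte, error) {
	if len(em) < 11 || em[0] != 0x00 || em[1] != 0x02 {
		return nil, errors.New("not a PKCS#1 v1.5 type 2 block")
	}
	sep := bytes.IndexByte(em[2:], 0x00)
	if sep < 8 {
		return nil, errors.New("padding string shorter than 8 bytes or separator missing")
	}
	return em[2+sep+1:], nil
}

// demoRoundtrip pads msg, pretends the block was dumped as little-endian limbs,
// converts it back, exponentiates with the public exponent, and checks that
// both crypto/rsa and the hand-written parser recover msg from the result.
func demoRoundtrip(msg string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // constructed key, 1024-bit like parameter p
	if err != nil {
		return "", err
	}
	k := priv.PublicKey.Size() // 128 bytes
	em, err := padPKCS1v15Type2([]byte(msg), k)
	if err != nil {
		return "", err
	}
	le := make([]byte, k)
	for i := range em {
		le[k-1-i] = em[i]
	}
	m := bnLEToInt(le)
	c := rawRSA(m, big.NewInt(int64(priv.PublicKey.E)), priv.PublicKey.N)
	plain, err := rsa.DecryptPKCS1v15(rand.Reader, priv, c.FillBytes(make([]byte, k)))
	if err != nil {
		return "", err
	}
	em2 := rawRSA(c, priv.D, priv.N).FillBytes(make([]byte, k))
	plain2, err := unpadPKCS1v15Type2(em2)
	if err != nil || !bytes.Equal(plain, plain2) {
		return "", errors.New("manual unpad disagrees with crypto/rsa")
	}
	return string(plain), nil
}

func main() {
	out, err := demoRoundtrip(`{"aes":"000000"}`) // constructed sample message
	fmt.Println(out, err)
}
```

When applying bnLEToInt to a real dump, pass only top*4 bytes (the BIGNUM's top field times the 32-bit limb size); the 0x200-byte inspection window above also contains unrelated heap memory after the limbs.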

We now know how parameter p is generated. Readers interested in the plaintext boxed in red in the figure below can investigate further; in my view it has little effect on the encryption checks involved in the device registration flow.

Summary

In short, the request body uploaded by the Kugou device registration protocol is the device fingerprint parameters encrypted with AES. The AES key and IV vary, and the variation depends on parameter p of the same request (the exact relation is given above). Parameter p is a string with a random component, {"aes":"fE**15"} (fE**15 is random), encrypted with the RSA encryption function; the exponent and modulus involved are also given above.

End of article.

Published: 2024-02-28 08:44:44
Link: https://www.elefans.com/category/jswz/34/1768955.html