白猫Project/白猫プロジェクト作死

fffonion

10 年前

这货貌似是卖萌黑猫的根本不是续作

我开始想不加壳就算了，java不混淆就算了，加密的so一模一样的是来坑爹的吧www MD5都一样的摔

后来我发现被坑了

原来那一段AES密钥不是给游戏通信用的233

然后我就发现了原来不是这样的2333

但是终究还是搞定了23333

CryptoPrefs

用于加密userHash和登陆token，保存在key=md5(‘Account’)的shared_prefs中；AES-128-CBC, ZerosPadding

private static string sIV = "4rZymEMfa/PpeJ89qY4gyA==";
private static string sKEY = "ZTdkNTNmNDE2NTM3MWM0NDFhNTEzNzU1";

1 2	private static string sIV = "4rZymEMfa/PpeJ89qY4gyA=="; private static string sKEY = "ZTdkNTNmNDE2NTM3MWM0NDFhNTEzNzU1";

Cipher

DEFAULT_IV_128 = "=q$f]p&(K.3_#hHk";
DEFAULT_NETWORKHASH = "Y.u=M,N-!8Jd2`RXE)k!]y<w2TFg-[4Z";

1 2	DEFAULT_IV_128 = "=q$f]p&(K.3_#hHk"; DEFAULT_NETWORKHASH = "Y.u=M,N-!8Jd2`RXE)k!]y<w2TFg-[4Z";

除首次进入游戏外，以后登陆都是用userHash做key；AES-256-CBC, PKCS7

好好好可以作死了

←Click me

附：ARM F5之后的getKeySpec伪代码，证明之前的猜想是正确的

int __fastcall Java_jp_colopl_util_Crypto_getKeySpec(int a1)
{
  int v1; // r5@1
  int v2; // r2@1
  int v3; // r7@2
  int v4; // r0@3
  int v5; // r0@4
  int v6; // r6@4
  int v7; // r0@4

  v1 = a1;
  v2 = (*(int (**)(void))(*(_DWORD *)a1 + 668))();
  if ( v2 )
  {
    v2 = (*(int (__fastcall **)(int, signed int))(*(_DWORD *)v1 + 704))(v1, 32);
    v3 = v2;
    if ( v2 )
    {
      v4 = (*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)v1 + 736))(v1, v2, 0);
      v2 = v4;
      if ( v4 )
      {
        *(_BYTE *)v4 = 48;
        *(_BYTE *)(v4 + 1) = 108;
        *(_BYTE *)(v4 + 2) = 113;
        *(_BYTE *)(v4 + 3) = 71;
        *(_BYTE *)(v4 + 6) = 102;
        *(_BYTE *)(v4 + 4) = 84;
        *(_BYTE *)(v4 + 8) = 75;
        *(_BYTE *)(v4 + 5) = 121;
        *(_BYTE *)(v4 + 7) = 121;
        *(_BYTE *)(v4 + 9) = 57;
        *(_BYTE *)(v4 + 23) = 121;
        *(_BYTE *)(v4 + 10) = 73;
        *(_BYTE *)(v4 + 24) = 119;
        *(_BYTE *)(v4 + 11) = 50;
        *(_BYTE *)(v4 + 25) = 72;
        *(_BYTE *)(v4 + 12) = 107;
        *(_BYTE *)(v4 + 26) = 76;
        *(_BYTE *)(v4 + 13) = 118;
        *(_BYTE *)(v4 + 14) = 53;
        *(_BYTE *)(v4 + 17) = 87;
        *(_BYTE *)(v4 + 21) = 118;
        *(_BYTE *)(v4 + 27) = 98;
        *(_BYTE *)(v4 + 29) = 98;
        *(_BYTE *)(v4 + 15) = 46;
        *(_BYTE *)(v4 + 18) = 110;
        *(_BYTE *)(v4 + 22) = 99;
        *(_BYTE *)(v4 + 30) = 122;
        *(_BYTE *)(v4 + 16) = 89;
        *(_BYTE *)(v4 + 20) = 89;
        *(_BYTE *)(v4 + 31) = 74;
        *(_BYTE *)(v4 + 19) = 83;
        *(_BYTE *)(v4 + 28) = 90;
        (*(void (__fastcall **)(int, int))(*(_DWORD *)v1 + 768))(v1, v3);
        v5 = (*(int (__fastcall **)(int, _DWORD))(*(_DWORD *)v1 + 24))(v1, "javax/crypto/spec/SecretKeySpec");
        v6 = v5;
        v7 = (*(int (__fastcall **)(int, int, _DWORD, _DWORD))(*(_DWORD *)v1 + 132))(
               v1,
               v5,
               "<init>",
               "([BLjava/lang/String;)V");
        v2 = (*(int (__fastcall **)(int, int, int, int))(*(_DWORD *)v1 + 112))(v1, v6, v7, v3);
      }
    }
  }
  return v2;
}

int __fastcall Java_jp_colopl_util_Crypto_getKeySpec(int a1)

{

int v1; // r5@1

int v2; // r2@1

int v3; // r7@2

int v4; // r0@3

int v5; // r0@4

int v6; // r6@4

int v7; // r0@4

v1 = a1;

v2 = (*(int (**)(void))(*(_DWORD *)a1 + 668))();

if ( v2 )

{

v2 = (*(int (__fastcall **)(int, signed int))(*(_DWORD *)v1 + 704))(v1, 32);

v3 = v2;

if ( v2 )

{

v4 = (*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)v1 + 736))(v1, v2, 0);

v2 = v4;

if ( v4 )

{

*(_BYTE *)v4 = 48;

*(_BYTE *)(v4 + 1) = 108;

*(_BYTE *)(v4 + 2) = 113;

*(_BYTE *)(v4 + 3) = 71;

*(_BYTE *)(v4 + 6) = 102;

*(_BYTE *)(v4 + 4) = 84;

*(_BYTE *)(v4 + 8) = 75;

*(_BYTE *)(v4 + 5) = 121;

*(_BYTE *)(v4 + 7) = 121;

*(_BYTE *)(v4 + 9) = 57;

*(_BYTE *)(v4 + 23) = 121;

*(_BYTE *)(v4 + 10) = 73;

*(_BYTE *)(v4 + 24) = 119;

*(_BYTE *)(v4 + 11) = 50;

*(_BYTE *)(v4 + 25) = 72;

*(_BYTE *)(v4 + 12) = 107;

*(_BYTE *)(v4 + 26) = 76;

*(_BYTE *)(v4 + 13) = 118;

*(_BYTE *)(v4 + 14) = 53;

*(_BYTE *)(v4 + 17) = 87;

*(_BYTE *)(v4 + 21) = 118;

*(_BYTE *)(v4 + 27) = 98;

*(_BYTE *)(v4 + 29) = 98;

*(_BYTE *)(v4 + 15) = 46;

*(_BYTE *)(v4 + 18) = 110;

*(_BYTE *)(v4 + 22) = 99;

*(_BYTE *)(v4 + 30) = 122;

*(_BYTE *)(v4 + 16) = 89;

*(_BYTE *)(v4 + 20) = 89;

*(_BYTE *)(v4 + 31) = 74;

*(_BYTE *)(v4 + 19) = 83;

*(_BYTE *)(v4 + 28) = 90;

(*(void (__fastcall **)(int, int))(*(_DWORD *)v1 + 768))(v1, v3);

v5 = (*(int (__fastcall **)(int, _DWORD))(*(_DWORD *)v1 + 24))(v1, "javax/crypto/spec/SecretKeySpec");

v6 = v5;

v7 = (*(int (__fastcall **)(int, int, _DWORD, _DWORD))(*(_DWORD *)v1 + 132))(

v1,

v5,

"<init>",

"([BLjava/lang/String;)V");

v2 = (*(int (__fastcall **)(int, int, int, int))(*(_DWORD *)v1 + 112))(v1, v6, v7, v3);

}

return v2;

}