找到并调用字符串解密函数m1.e.i
需求
之前用Frida调试某安卓app逆向期间,遇到:
/Users/crifan/dev/dev_root/androidReverse/keepAlive/360Wallpaper/staticAnalysis/360Wallpaper_jadx_showBadCode/sources/com/w/thsz/info/PaperEntry.java
Process.class.getDeclaredMethod(m1.e.i("NLP8E/uEo+4=\n", "R9aIUonj9d4=\n"), String.class).invoke(null, this.f12218h.f12227b);
method.invoke(obj2, m1.e.i("+w==\n", "t5Df7jb+QVo=\n"));
this.f12215e = a(m1.e.i("/o3etnXwGpjjkNGnVcU4vt6M+opQ2Dqp\n", "qt+f+CaxWcw=\n"), m1.e.i("zGS1mdUecVXNZr2IxB52Qt5+p4rCFWtf0Q==\n", "nzD0y4FBIhA=\n"));
throw new RuntimeException(m1.e.i("Fxh7otsj1IYTBjfh1i7fwhERY6LfK9OOExA=\n", "dnQXgrlKuuI=\n"));
obtain.writeInterfaceToken(m1.e.i("NS1YKceVjJs1M0x14b2LwT01VS/RsYnbNSRZKQ==\n", "VEM8W6j86LU=\n"));
发现m1.e.i,是通用的字符串加密解密函数。
而此处,想要搞清楚原始字符串是什么
所以就想要去:给上述加了密的字符串,比如:
m1.e.i("/o3etnXwGpjjkNGnVcU4vt6M+opQ2Dqp\n", "qt+f+CaxWcw=\n")m1.e.i("zGS1mdUecVXNZr2IxB52Qt5+p4rCFWtf0Q==\n", "nzD0y4FBIhA=\n")m1.e.i("8FiwfWoYxHDtRb9sWyvoRcBpkEBNEOlQwWSF\n", "pArxMzlZhyQ=\n")m1.e.i("4AOVevLN2/P2DpN14svU9P0FiHr43dvj9hiVdQ==\n", "olHaO7aOmqA=\n")m1.e.i("G6lVUTe7H3YGtFpAF449UDuyemwQiClPKpVgfhCTM0w=\n", "T/sUH2T6XCI=\n")m1.e.i("S6InM4wZvrtLojQ0lQO5oVmiLy6WGaOnWbg1IJsSvrpW\n", "GPZmYdhG9/U=\n")m1.e.i("+NDn2vFU9rvlzejL0WHUndjDxeDLY9yb1Q==\n", "rIKmlKIVte8=\n")m1.e.i("vamMtHb5b/y6tJuvdv9x67y8g7Vj5Xr2obM=\n", "7v3N5iKmLr8=\n")
去解密字符串
== 字符串反混淆
具体实现:解密字符串
/Users/crifan/dev/dev_root/androidReverse/keepAlive/360Wallpaper/dynamicDebug/Frida/frida/hook_360Wallpaper.js
// convert Object(dict/list/...) to JSON string
function toJsonStr(curObj, singleLine=false, space=2){
// console.log("toJsonStr: singleLine=" + singleLine)
// var jsonStr = JSON.stringify(curObj, null, 2)
var jsonStr = JSON.stringify(curObj, null, space)
if(singleLine) {
// jsonStr = jsonStr.replace(/\\n/g, '')
jsonStr = jsonStr.replace(/\n/g, '')
}
return jsonStr
// return curObj.toString()
}
var decryptedStrDict = {}
// example:
// str1=n+IwzFs/Og7X4DzE\n, str2=+YNTqTlQVWU=, decryptedStr=facebook.com
// str1=C0YO33gie94ALSCkCnQj2g5kDJVwaiqx\n, str2=WhVY8DINF4w= -->> decryptedStr=QSV/J/lRZ8xT8y4VTqTeBg==
function saveDecrptedString(str1, str2, decryptedStr){
var delimChar = ","
var curToDecryptStrGroup = str1 + delimChar + str2
// console.log("curToDecryptStrGroup=" + curToDecryptStrGroup)
// if (!(curToDecryptStrGroup in decryptedStrDict)){
if (!decryptedStrDict.hasOwnProperty(curToDecryptStrGroup)){
decryptedStrDict[curToDecryptStrGroup] = decryptedStr
console.log("Updated -> decryptedStrDict=" + toJsonStr(decryptedStrDict))
}
}
// manual decrypt obfuscated string
function manualDecryptString(m1ECls, m1EIFunc){
// /Users/crifan/dev/dev_root/androidReverse/keepAlive/360Wallpaper/staticAnalysis/360Wallpaper_jadx_showBadCode/sources/com/w/thsz/info/HomeEntry.java
// /Users/crifan/dev/dev_root/androidReverse/keepAlive/360Wallpaper/staticAnalysis/360Wallpaper_jadx_showBadCode/sources/com/w/thsz/info/PaperEntry.java
let toDecryptStrArr = [
// ["/o3etnXwGpjjkNGnVcU4vt6M+opQ2Dqp\n", "qt+f+CaxWcw=\n"],
// ["zGS1mdUecVXNZr2IxB52Qt5+p4rCFWtf0Q==\n", "nzD0y4FBIhA=\n"],
// ["8FiwfWoYxHDtRb9sWyvoRcBpkEBNEOlQwWSF\n", "pArxMzlZhyQ=\n"],
// ["4AOVevLN2/P2DpN14svU9P0FiHr43dvj9hiVdQ==\n", "olHaO7aOmqA=\n"],
// ["G6lVUTe7H3YGtFpAF449UDuyemwQiClPKpVgfhCTM0w=\n", "T/sUH2T6XCI=\n"],
// ["S6InM4wZvrtLojQ0lQO5oVmiLy6WGaOnWbg1IJsSvrpW\n", "GPZmYdhG9/U=\n"],
// ["+NDn2vFU9rvlzejL0WHUndjDxeDLY9yb1Q==\n", "rIKmlKIVte8=\n"],
// ["vamMtHb5b/y6tJuvdv9x67y8g7Vj5Xr2obM=\n", "7v3N5iKmLr8=\n"],
["dKEMTz+a/hF0vxgTGbL5S3y5AUkpvvtRdKgNT3Sg7kp3\n", "Fc9oPVDzmj8=\n"],
["G96QImCjHHQbwIR+RosbLhPGnSR2hxk0G9eRIg==\n", "erD0UA/KeFo=\n"],
["QA==\n", "DHIuWtcRHPM=\n"],
["97HxJBfO7nI=\n", "hNSFZWWpuEI=\n"],
["hQG5PXN9gEE=\n", "5GLNVAUU9Dg=\n"],
["6ibSaFhtSRDrJNp5SW1OB/g8wHtPZlMa9w==\n", "uXKTOgwyGlU=\n"],
["qbfO4YGsTom/usjukapBjrSx0+GLvE6Zv6zO7g==\n", "6+WBoMXvD9o=\n"],
["RGOVY5WGeT9EY4ZkjJx+JVZjnX6PhmQjVnmHcIKNeT5Z\n", "FzfUMcHZMHE=\n"],
["a/ZMVX/pp3Zv6AAWcuSsMm3/VFV74aB+b/4=\n", "CpogdR2AyRI=\n"],
["L1IU+CJsgCkvTACkBESHcydKGf40SIVpL1sV+A==\n", "Tjxwik0F5Ac=\n"],
["23Kbgc7H69HbbI/d6O/si9NqlofY4+6R23uagQ==\n", "uhz/86Guj/8=\n"],
["pMYKuJux1TCk2B7kvZnSaqzeB76NldBwpM8LuA==\n", "xahuyvTYsR4=\n"],
["a8JgfYSH7R9y/g==\n", "BowBCe3xiE8=\n"],
["jn6X/WJ9JeWOYIOhRFUiv4Zmmvt0WSCljneW/SlHNb6N\n", "7xDzjw0UQcs=\n"],
["dx2TBGOGukN3A4dYRa69GX8FngJ1or8DdxSSBA==\n", "FnP3dgzv3m0=\n"],
["NLP8E/uEo+4=\n", "R9aIUonj9d4=\n"],
["yIIUaCMNShs=\n", "qeFgAVVkPmI=\n"],
["+w==\n", "t5Df7jb+QVo=\n"],
["zGS1mdUecVXNZr2IxB52Qt5+p4rCFWtf0Q==\n", "nzD0y4FBIhA=\n"],
["4AOVevLN2/P2DpN14svU9P0FiHr43dvj9hiVdQ==\n", "olHaO7aOmqA=\n"],
["S6InM4wZvrtLojQ0lQO5oVmiLy6WGaOnWbg1IJsSvrpW\n", "GPZmYdhG9/U=\n"],
["vamMtHb5b/y6tJuvdv9x67y8g7Vj5Xr2obM=\n", "7v3N5iKmLr8=\n"],
["Fxh7otsj1IYTBjfh1i7fwhERY6LfK9OOExA=\n", "dnQXgrlKuuI=\n"],
["NS1YKceVjJs1M0x14b2LwT01VS/RsYnbNSRZKQ==\n", "VEM8W6j86LU=\n"],
["Kb+u3htr/+MpobqCPUP4uSGno9gNT/qjKbav3g==\n", "SNHKrHQCm80=\n"],
["ZIkFqddEwPhklxH18WzHomyRCK/BYMW4ZIAEqQ==\n", "Bedh27gtpNY=\n"],
["m7XwCB9NrZabq+RUOWWqzJOt/Q4JaajWm7zxCA==\n", "+tuUenAkybg=\n"],
["DdaB2+RT5g==\n", "bLXitJE9kn4=\n"],
["Mea6/fsOqEUx673g4Qm4GH7Bn+z3CLkFJMW/4fUAqRl026r69g==\n", "UIjej5RnzGs=\n"],
["wcIRcGqP4zrc3x5hS6vNAeP1EV1aodUA4dUoTlWnwwfh/Ck=\n", "lZBQPjnOoG4=\n"],
["Pzv0yGSqC/UUP+fPZJk=\n", "S1OGrQH1apY=\n"],
["5NI4MmJGDgjP1is1YnU=\n", "kLpKVwcZb2s=\n"],
["qZTwT62fXkCCiPtarQ==\n", "3fyCKsjAPyM=\n"],
["u+oaes1wGJO75x1n13cIzvTNP2vBdgnTrskfZsN+Gc8=\n", "2oR+CKIZfL0=\n"],
["7EI3G+06AmTzUww66DEVdQ==\n", "iydDWIJUdgE=\n"],
["j8OjMFDZCyyB3ukRWsIZa43IiiNR0QhnnOOmNlbGCg==\n", "7q3HQj+wbwI=\n"],
["whQiaETnSy/CBA4=\n", "o2drBjCCOUk=\n"],
["ee/hgMqVxoN97w==\n", "HoqV06/nsOo=\n"],
["vX0MZNDuohKzYEZF2vWwVb92JXfR5qFZrl0JYtbxow==\n", "3BNoFr+Hxjw=\n"],
["TMkZbWldkwpT2CJMbFaEGw==\n", "K6xtLgYz528=\n"],
["fkp5AgYdMph+WlU=\n", "HzkwbHJ4QP4=\n"],
["4gCYURyyJQDmAA==\n", "hWXsAnnAU2k=\n"],
["7Mysgi2Jd1Xo4bixMA==\n", "gYXf1ET/GAI=\n"],
]
if (m1EIFunc) {
toDecryptStrArr.forEach((curDecryptRow) => {
// console.log("curDecryptRow=" + curDecryptRow)
var str1 = curDecryptRow[0]
var str2 = curDecryptRow[1]
// console.log("str1=" + str1 + ", str2=" + str2)
var str1Stripped = str1.trim()
var str2Stripped = str2.trim()
// var decryptdStr = m1EIFunc(str1, str2)
var decryptdStr = m1ECls.i(str1, str2)
// console.log("str1=" + str1 + ", str2=" + str2 + " -->> " + decryptdStr)
console.log(decryptdStr + " <<<--- str1Stripped=" + str1Stripped + ", str2Stripped=" + str2Stripped)
})
// toDecryptStrArr.forEach((item, index, arr) => {
// console.log("item=" + item + ", index=" + index + ", arr=" + arr)
// toDecryptStrArr.forEach((curDecryptRow, curIdx) => {
// console.log("curDecryptRow=" + curDecryptRow + ", curIdx=" + curIdx)
// var str1 = curDecryptRow[0]
// var str2 = curDecryptRow[1]
// console.log("str1=" + str1 + ", str2=" + str2)
// // var decryptdStr = m1EIFunc(str1, str2)
// var decryptdStr = m1ECls.i(str1, str2)
// console.log("str1=" + str1 + ", str2=" + str2 + " -->> " + decryptdStr)
// })
}
}
// 360Wallpaper_jadx_showBadCode/sources/m1/e.java
var m1EClassName = "m1.e"
var m1ECls = Java.use(m1EClassName)
console.log("m1ECls=" + m1ECls)
// printClassAllMethodsFields(m1EClassName)
// print static propery value
var m1EC = m1ECls.c
var m1ED = m1ECls.d
var m1EE = m1ECls.e
console.log("m1EC=" + m1EC + ", m1ED=" + m1ED + ", m1EE=" + m1EE)
var m1ECValue = m1EC.value
var m1EDValue = m1ED.value
var m1EEValue = m1EE.value
console.log("m1ECValue=" + m1ECValue + ", m1EDValue=" + m1EDValue + ", m1EEValue=" + m1EEValue)
// public static String i(String str, String str2) {
var m1EIFunc = m1ECls.i
console.log("m1EIFunc=" + m1EIFunc)
manualDecryptString(m1EIFunc)
// hook function
if (m1EIFunc) {
m1EIFunc.implementation = function (str1, str2) {
// PrintStack(Throwable.$new())
var decryptedStr = this.i(str1, str2)
// console.log("m1.e.i(): str1=" + str1 + ", str2=" + str2 + " -> " + decryptedStr)
var str1Stripped = str1.trim()
var str2Stripped = str2.trim()
console.log("m1.e.i(): str1Stripped=" + str1Stripped + ", str2Stripped=" + str2Stripped + " -->> " + decryptedStr)
// saveDecrptedString(str1, str2, decryptedStr)
return decryptedStr
}
}
效果
...
Stack: m1.e.i(Native Method)
at a1.c.e(Unknown Source:4)
at a1.c$d.onReceive(OutHelper.kt:4)
at android.app.LoadedApk$ReceiverDispatcher$Args.lambda$getRunnable$0$android-app-LoadedApk$ReceiverDispatcher$Args(LoadedApk.java:1790)
at android.app.LoadedApk$ReceiverDispatcher$Args$$ExternalSyntheticLambda0.run(Unknown Source:2)
at android.os.Handler.handleCallback(Handler.java:942)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loopOnce(Looper.java:201)
at android.os.Looper.loop(Looper.java:288)
at android.app.ActivityThread.main(ActivityThread.java:7918)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:936)
m1.e.i(): str1=e5sBx5B3wHN5kg==
, str2=HPRuoPwSnwE=
...
m1.e.i(): str1Stripped=n+IwzFs/Og7X4DzE, str2Stripped=+YNTqTlQVWU= -->> facebook.com
curToDecryptStrGroup=n+IwzFs/Og7X4DzE
,+YNTqTlQVWU=
m1.e.i(): str1Stripped=6lmEOrkL, str2Stripped=iz3uT8p/p/4= -->> adjust
curToDecryptStrGroup=6lmEOrkL
,iz3uT8p/p/4=
m1.e.i(): str1Stripped=YWcBkgUT1ntlZQ==, str2Stripped=AANr53ZniQk= -->> adjust_ref
curToDecryptStrGroup=YWcBkgUT1ntlZQ==
,AANr53ZniQk=
m1.e.i(): str1Stripped=u9q6nVAL9A==, str2Stripped=1Kjd/D5il+I= -->> organic
curToDecryptStrGroup=u9q6nVAL9A==
,1Kjd/D5il+I=
m1.e.i(): str1Stripped=pfWjrvurbQ==, str2Stripped=yofEz5XCDjU= -->> organic
curToDecryptStrGroup=pfWjrvurbQ==
,yofEz5XCDjU=
m1.e.i(): str1Stripped=Zi8KGA==, str2Stripped=AE0+eZ9v58g= -->> fb4a
m1.e.i(): str1Stripped=n+IwzFs/Og7X4DzE, str2Stripped=+YNTqTlQVWU= -->> facebook.com
m1.e.i(): str1Stripped=6lmEOrkL, str2Stripped=iz3uT8p/p/4= -->> adjust
m1.e.i(): str1Stripped=YWcBkgUT1ntlZQ==, str2Stripped=AANr53ZniQk= -->> adjust_ref
m1.e.i(): str1Stripped=u9q6nVAL9A==, str2Stripped=1Kjd/D5il+I= -->> organic
m1.e.i(): str1Stripped=pfWjrvurbQ==, str2Stripped=yofEz5XCDjU= -->> organic
m1.e.i(): str1Stripped=GKcOvG5nbr4=, str2Stripped=We5Y7DwNBYM= -->> AIVPRjk=
m1.e.i(): str1Stripped=urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=, str2Stripped=3M9Jw7/gg+8= -->> fshpov19eu82828pknh1655sfcq4xfe9
m1.e.i(): str1Stripped=gBPhX4E=, str2Stripped=1UencrnGACo= -->> UTF-8
m1.e.i(): str1Stripped=C0YO33gie94ALSCkCnQj2g5kDJVwaiqx, str2Stripped=WhVY8DINF4w= -->> QSV/J/lRZ8xT8y4VTqTeBg==
m1.e.i(): str1Stripped=urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=, str2Stripped=3M9Jw7/gg+8= -->> fshpov19eu82828pknh1655sfcq4xfe9
m1.e.i(): str1Stripped=gBPhX4E=, str2Stripped=1UencrnGACo= -->> UTF-8
m1.e.i(): str1Stripped=lOLv8t576N2Tkc7T73ezi5Xc6KjjOL/Y2JHZxsEWyNau++vpzTm7hw==, str2Stripped=96i6h4hOhro= -->> cJUuV5ngd9tTg951btR/kv9b/9cAIXNlYSQnEw==
m1.e.i(): str1Stripped=urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=, str2Stripped=3M9Jw7/gg+8= -->> fshpov19eu82828pknh1655sfcq4xfe9
m1.e.i(): str1Stripped=gBPhX4E=, str2Stripped=1UencrnGACo= -->> UTF-8
m1.e.i(): str1Stripped=qrWDW7z7XA==, str2Stripped=ydrtL9mDKJI= -->> context
m1.e.i(): str1Stripped=0N9I, str2Stripped=s7M7XUPzvSY= -->> cls
m1.e.i(): str1Stripped=e5sBx5B3wHN5kg==, str2Stripped=HPRuoPwSnwE= -->> google_ref
m1.e.i(): str1Stripped=Zi8KGA==, str2Stripped=AE0+eZ9v58g= -->> fb4a
m1.e.i(): str1Stripped=n+IwzFs/Og7X4DzE, str2Stripped=+YNTqTlQVWU= -->> facebook.com
m1.e.i(): str1Stripped=6lmEOrkL, str2Stripped=iz3uT8p/p/4= -->> adjust
m1.e.i(): str1Stripped=YWcBkgUT1ntlZQ==, str2Stripped=AANr53ZniQk= -->> adjust_ref
m1.e.i(): str1Stripped=u9q6nVAL9A==, str2Stripped=1Kjd/D5il+I= -->> organic
m1.e.i(): str1Stripped=pfWjrvurbQ==, str2Stripped=yofEz5XCDjU= -->> organic
m1.e.i(): str1Stripped=GKcOvG5nbr4=, str2Stripped=We5Y7DwNBYM= -->> AIVPRjk=
m1.e.i(): str1Stripped=urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=, str2Stripped=3M9Jw7/gg+8= -->> fshpov19eu82828pknh1655sfcq4xfe9
m1.e.i(): str1Stripped=gBPhX4E=, str2Stripped=1UencrnGACo= -->> UTF-8
m1.e.i(): str1Stripped=C0YO33gie94ALSCkCnQj2g5kDJVwaiqx, str2Stripped=WhVY8DINF4w= -->> QSV/J/lRZ8xT8y4VTqTeBg==
m1.e.i(): str1Stripped=urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=, str2Stripped=3M9Jw7/gg+8= -->> fshpov19eu82828pknh1655sfcq4xfe9
m1.e.i(): str1Stripped=gBPhX4E=, str2Stripped=1UencrnGACo= -->> UTF-8
m1.e.i(): str1Stripped=lOLv8t576N2Tkc7T73ezi5Xc6KjjOL/Y2JHZxsEWyNau++vpzTm7hw==, str2Stripped=96i6h4hOhro= -->> cJUuV5ngd9tTg951btR/kv9b/9cAIXNlYSQnEw==
m1.e.i(): str1Stripped=urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=, str2Stripped=3M9Jw7/gg+8= -->> fshpov19eu82828pknh1655sfcq4xfe9
m1.e.i(): str1Stripped=gBPhX4E=, str2Stripped=1UencrnGACo= -->> UTF-8
Updated -> decryptedStrDict={"0mIyyw==\n,pQNbvzxsUjA=\n":"wait","qrWDW7z7XA==\n,ydrtL9mDKJI=\n":"context"}
Updated -> decryptedStrDict={"0mIyyw==\n,pQNbvzxsUjA=\n":"wait","qrWDW7z7XA==\n,ydrtL9mDKJI=\n":"context","0N9I\n,s7M7XUPzvSY=\n":"cls"}
...
Updated -> decryptedStrDict={
"RHk=\n,NEk26SxLQpY=\n": "p0",
"Ctg=\n,euj9oN1O89Q=\n": "p0",
"WNoEx1td\n,ZK5srihjjHA=\n": "<this>",
"6tol5TJn\n,xK1VtlcTvZ4=\n": ".wpSet",
"ybAkZWjlVXzbuzRjbuJWIYaNBUNTxX8V+w==\n,qN5AFweMMVI=\n": "android.settings.SETTINGS",
"iznC7BGVypmSDsLzOg==\n,/1Gxlk7zuPY=\n": "thsz_from_set",
"MzhD1Fyu+7sqD0PLdw==\n,R1AwrgPIidQ=\n": "thsz_from_set",
"TD0nYsjkP49UOAxS1vQ8\n,O014DbiBUdA=\n": "wp_open_out_num",
"NIU=\n,RLXuwslcso4=\n": "p0",
"v68=\n,z59QGAfzgVI=\n": "p0",
"10g=\n,p3jUwVR1TlE=\n": "p0",
"bTY=\n,HQYlg2SZsI8=\n": "p0",
"+pM=\n,iqNAgnhpDJw=\n": "p0",
"+mc=\n,ilcKLu3y9Hc=\n": "p0",
"qfk=\n,2ckbQ5GN/s8=\n": "p0",
"aog=\n,GrhJtEmflVA=\n": "p0",
"qjI=\n,2gK64i8EPUY=\n": "p0",
"ZNg=\n,FOgMtYm5CFA=\n": "p0",
"+5/dnwJs0ULhmcau\n,iPqpwGMcoR0=\n": "set_app_icon",
"b4w=\n,H7wXwoPm++I=\n": "p0",
"Z3U=\n,F0R7J/92o8c=\n": "p1",
"0mIyyw==\n,pQNbvzxsUjA=\n": "wait",
"qrWDW7z7XA==\n,ydrtL9mDKJI=\n": "context",
"0N9I\n,s7M7XUPzvSY=\n": "cls",
"e5sBx5B3wHN5kg==\n,HPRuoPwSnwE=\n": "google_ref",
"Zi8KGA==\n,AE0+eZ9v58g=\n": "fb4a",
"n+IwzFs/Og7X4DzE\n,+YNTqTlQVWU=\n": "facebook.com",
"6lmEOrkL\n,iz3uT8p/p/4=\n": "adjust",
"YWcBkgUT1ntlZQ==\n,AANr53ZniQk=\n": "adjust_ref",
"u9q6nVAL9A==\n,1Kjd/D5il+I=\n": "organic",
"pfWjrvurbQ==\n,yofEz5XCDjU=\n": "organic",
"GKcOvG5nbr4=\n,We5Y7DwNBYM=\n": "AIVPRjk=",
"urwhs9CWsta5unHxh9K7n7ehIfKJ1bacuqw498eG5tY=\n,3M9Jw7/gg+8=\n": "fshpov19eu82828pknh1655sfcq4xfe9",
"gBPhX4E=\n,1UencrnGACo=\n": "UTF-8",
"C0YO33gie94ALSCkCnQj2g5kDJVwaiqx\n,WhVY8DINF4w=\n": "QSV/J/lRZ8xT8y4VTqTeBg==",
"lOLv8t576N2Tkc7T73ezi5Xc6KjjOL/Y2JHZxsEWyNau++vpzTm7hw==\n,96i6h4hOhro=\n": "cJUuV5ngd9tTg951btR/kv9b/9cAIXNlYSQnEw==",
"lGsWeqSRpxScawZtpYztW5ZxG2el1oB2ulY3V5ihkG6wSC1MgrmPdbJW\n,9QVyCMv4wzo=\n": "android.intent.action.CLOSE_SYSTEM_DIALOGS"
}
-》手动解密:
m1EIFunc=function e() {
[native code]
}
TRANSACTION_startService <<<--- str1Stripped=/o3etnXwGpjjkNGnVcU4vt6M+opQ2Dqp, str2Stripped=qt+f+CaxWcw=
START_SERVICE_TRANSACTION <<<--- str1Stripped=zGS1mdUecVXNZr2IxB52Qt5+p4rCFWtf0Q==, str2Stripped=nzD0y4FBIhA=
TRANSACTION_broadcastIntent <<<--- str1Stripped=8FiwfWoYxHDtRb9sWyvoRcBpkEBNEOlQwWSF, str2Stripped=pArxMzlZhyQ=
BROADCAST_INTENT_TRANSACTION <<<--- str1Stripped=4AOVevLN2/P2DpN14svU9P0FiHr43dvj9hiVdQ==, str2Stripped=olHaO7aOmqA=
TRANSACTION_startInstrumentation <<<--- str1Stripped=G6lVUTe7H3YGtFpAF449UDuyemwQiClPKpVgfhCTM0w=, str2Stripped=T/sUH2T6XCI=
START_INSTRUMENTATION_TRANSACTION <<<--- str1Stripped=S6InM4wZvrtLojQ0lQO5oVmiLy6WGaOnWbg1IJsSvrpW, str2Stripped=GPZmYdhG9/U=
TRANSACTION_startActivity <<<--- str1Stripped=+NDn2vFU9rvlzejL0WHUndjDxeDLY9yb1Q==, str2Stripped=rIKmlKIVte8=
START_ACTIVITY_TRANSACTION <<<--- str1Stripped=vamMtHb5b/y6tJuvdv9x67y8g7Vj5Xr2obM=, str2Stripped=7v3N5iKmLr8=
/Users/crifan/dev/dev_root/androidReverse/keepAlive/360Wallpaper/staticAnalysis/360Wallpaper_jadx_showBadCode/sources/com/w/thsz/info/
* PaperEntry.java
* HomeEntry.java
-》字符串解密解码结果:
m1EIFunc=function e() {
[native code]
}
android.app.IActivityManager$Stub <<<--- str1Stripped=dKEMTz+a/hF0vxgTGbL5S3y5AUkpvvtRdKgNT3Sg7kp3, str2Stripped=Fc9oPVDzmj8=
android.app.IActivityManager <<<--- str1Stripped=G96QImCjHHQbwIR+RosbLhPGnSR2hxk0G9eRIg==, str2Stripped=erD0UA/KeFo=
L <<<--- str1Stripped=QA==, str2Stripped=DHIuWtcRHPM=
setArgV0 <<<--- str1Stripped=97HxJBfO7nI=, str2Stripped=hNSFZWWpuEI=
activity <<<--- str1Stripped=hQG5PXN9gEE=, str2Stripped=5GLNVAUU9Dg=
START_SERVICE_TRANSACTION <<<--- str1Stripped=6ibSaFhtSRDrJNp5SW1OB/g8wHtPZlMa9w==, str2Stripped=uXKTOgwyGlU=
BROADCAST_INTENT_TRANSACTION <<<--- str1Stripped=qbfO4YGsTom/usjukapBjrSx0+GLvE6Zv6zO7g==, str2Stripped=6+WBoMXvD9o=
START_INSTRUMENTATION_TRANSACTION <<<--- str1Stripped=RGOVY5WGeT9EY4ZkjJx+JVZjnX6PhmQjVnmHcIKNeT5Z, str2Stripped=FzfUMcHZMHE=
all binder code get failed <<<--- str1Stripped=a/ZMVX/pp3Zv6AAWcuSsMm3/VFV74aB+b/4=, str2Stripped=CpogdR2AyRI=
android.app.IActivityManager <<<--- str1Stripped=L1IU+CJsgCkvTACkBESHcydKGf40SIVpL1sV+A==, str2Stripped=Tjxwik0F5Ac=
android.app.IActivityManager <<<--- str1Stripped=23Kbgc7H69HbbI/d6O/si9NqlofY4+6R23uagQ==, str2Stripped=uhz/86Guj/8=
android.app.IActivityManager <<<--- str1Stripped=pMYKuJux1TCk2B7kvZnSaqzeB76NldBwpM8LuA==, str2Stripped=xahuyvTYsR4=
mNativePtr <<<--- str1Stripped=a8JgfYSH7R9y/g==, str2Stripped=BowBCe3xiE8=
android.app.IActivityManager$Stub <<<--- str1Stripped=jn6X/WJ9JeWOYIOhRFUiv4Zmmvt0WSCljneW/SlHNb6N, str2Stripped=7xDzjw0UQcs=
android.app.IActivityManager <<<--- str1Stripped=dx2TBGOGukN3A4dYRa69GX8FngJ1or8DdxSSBA==, str2Stripped=FnP3dgzv3m0=
setArgV0 <<<--- str1Stripped=NLP8E/uEo+4=, str2Stripped=R9aIUonj9d4=
activity <<<--- str1Stripped=yIIUaCMNShs=, str2Stripped=qeFgAVVkPmI=
L <<<--- str1Stripped=+w==, str2Stripped=t5Df7jb+QVo=
START_SERVICE_TRANSACTION <<<--- str1Stripped=zGS1mdUecVXNZr2IxB52Qt5+p4rCFWtf0Q==, str2Stripped=nzD0y4FBIhA=
BROADCAST_INTENT_TRANSACTION <<<--- str1Stripped=4AOVevLN2/P2DpN14svU9P0FiHr43dvj9hiVdQ==, str2Stripped=olHaO7aOmqA=
START_INSTRUMENTATION_TRANSACTION <<<--- str1Stripped=S6InM4wZvrtLojQ0lQO5oVmiLy6WGaOnWbg1IJsSvrpW, str2Stripped=GPZmYdhG9/U=
START_ACTIVITY_TRANSACTION <<<--- str1Stripped=vamMtHb5b/y6tJuvdv9x67y8g7Vj5Xr2obM=, str2Stripped=7v3N5iKmLr8=
all binder code get failed <<<--- str1Stripped=Fxh7otsj1IYTBjfh1i7fwhERY6LfK9OOExA=, str2Stripped=dnQXgrlKuuI=
android.app.IActivityManager <<<--- str1Stripped=NS1YKceVjJs1M0x14b2LwT01VS/RsYnbNSRZKQ==, str2Stripped=VEM8W6j86LU=
android.app.IActivityManager <<<--- str1Stripped=Kb+u3htr/+MpobqCPUP4uSGno9gNT/qjKbav3g==, str2Stripped=SNHKrHQCm80=
android.app.IActivityManager <<<--- str1Stripped=ZIkFqddEwPhklxH18WzHomyRCK/BYMW4ZIAEqQ==, str2Stripped=Bedh27gtpNY=
android.app.IActivityManager <<<--- str1Stripped=m7XwCB9NrZabq+RUOWWqzJOt/Q4JaajWm7zxCA==, str2Stripped=+tuUenAkybg=
account <<<--- str1Stripped=DdaB2+RT5g==, str2Stripped=bLXitJE9kn4=
android.accounts.IAccountManager$Stub <<<--- str1Stripped=Mea6/fsOqEUx673g4Qm4GH7Bn+z3CLkFJMW/4fUAqRl026r69g==, str2Stripped=UIjej5RnzGs=
TRANSACTION_removeAccountExplicitly <<<--- str1Stripped=wcIRcGqP4zrc3x5hS6vNAeP1EV1aodUA4dUoTlWnwwfh/Ck=, str2Stripped=lZBQPjnOoG4=
three_ac_label <<<--- str1Stripped=Pzv0yGSqC/UUP+fPZJk=, str2Stripped=S1OGrQH1apY=
three_ac_label <<<--- str1Stripped=5NI4MmJGDgjP1is1YnU=, str2Stripped=kLpKVwcZb2s=
three_ac_type <<<--- str1Stripped=qZTwT62fXkCCiPtarQ==, str2Stripped=3fyCKsjAPyM=
android.accounts.IAccountManager <<<--- str1Stripped=u+oaes1wGJO75x1n13cIzvTNP2vBdgnTrskfZsN+Gc8=, str2Stripped=2oR+CKIZfL0=
getContextObject <<<--- str1Stripped=7EI3G+06AmTzUww66DEVdQ==, str2Stripped=iydDWIJUdgE=
android.os.ServiceManagerNative <<<--- str1Stripped=j8OjMFDZCyyB3ukRWsIZa43IiiNR0QhnnOOmNlbGCg==, str2Stripped=7q3HQj+wbwI=
asInterface <<<--- str1Stripped=whQiaETnSy/CBA4=, str2Stripped=o2drBjCCOUk=
getService <<<--- str1Stripped=ee/hgMqVxoN97w==, str2Stripped=HoqV06/nsOo=
android.os.ServiceManagerNative <<<--- str1Stripped=vX0MZNDuohKzYEZF2vWwVb92JXfR5qFZrl0JYtbxow==, str2Stripped=3BNoFr+Hxjw=
getContextObject <<<--- str1Stripped=TMkZbWldkwpT2CJMbFaEGw==, str2Stripped=K6xtLgYz528=
asInterface <<<--- str1Stripped=fkp5AgYdMph+WlU=, str2Stripped=HzkwbHJ4QP4=
getService <<<--- str1Stripped=4gCYURyyJQDmAA==, str2Stripped=hWXsAnnAU2k=
mIsVivoWidget <<<--- str1Stripped=7Mysgi2Jd1Xo4bixMA==, str2Stripped=gYXf1ET/GAI=
m1.e: Found instance/object=m1.e@b55a893
m1.e: Found instance/object=m1.e@187c0d0
m1.e: Found instance/object=m1.e@46ca8c9
m1.e: onComplete
即可自动解密,得到我们要的原始的字符串的值了。