DAS

1eamac

查壳发现无壳,直接用 IDA 打开并定位到 main,
找到主要的加密逻辑:

// IDA pseudocode: walks a NUL-terminated byte buffer and XORs every byte in place
// with a rolling one-byte key, then tail-calls sub_100000654.
// v6 is never assigned in this listing; IDA annotates it as register x21, so the
// buffer pointer is inherited from the caller rather than passed as a parameter.
// n57 carries the key; the write-up reads its starting value as 57 (IDA's name for
// the argument) -- confirm against the call site.
__int64 __fastcall sub_100000634(_QWORD a1, _QWORD a2, _QWORD a3, _QWORD a4, _QWORD a5, __int64 n57)
{
unsigned __int8 *v6; // x21
char v7; // w3
unsigned __int8 *v8; // x21
int v9; // t1
unsigned __int8 v11; // w3
unsigned __int8 *v12; // x21

while ( 1 )
{
// Fetch the current byte and step the cursor.
v9 = *v6;
v8 = v6 + 1;
v7 = v9;
// A zero input byte ends the loop, so the transform covers the C string only.
if ( !v9 )
break;
// v11 is an 8-bit value, so only the low byte of the key takes part in the XOR.
v11 = v7 ^ n57;
// The key grows by one per byte; LOBYTE keeps the update inside 8 bits (wraps after 255).
LOBYTE(n57) = n57 + 1;
// Write the result back over the byte that was just read, then move on.
v12 = v8 - 1;
*v12 = v11;
v6 = v12 + 1;
}
return sub_100000654();
}

加密逻辑很简单:以 57 为初始密钥逐字节异或,每处理一个字节密钥加 1(只保留低 8 位)。
据此写出解密脚本:

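# Ciphertext bytes recovered from the binary (hex).
ciphertext = [
    0x7D, 0x7B, 0x68, 0x7F, 0x69, 0x78, 0x44, 0x78, 0x72, 0x21, 0x74, 0x76,
    0x75, 0x22, 0x26, 0x7B, 0x7C, 0x7E, 0x78, 0x7A, 0x2E, 0x2D, 0x7F, 0x2D
]

# Initial key byte; the routine adds 1 to it after every processed byte.
key = 57

# XOR is its own inverse, so decryption replays the same rolling key.
flag_chars = []
for i, byte in enumerate(ciphertext):
    # The decompiled routine updates the key with LOBYTE(n57) = n57 + 1, i.e. it
    # only ever keeps 8 bits. Masking here mirrors that wrap-around, so the
    # script stays correct for inputs long enough to push the key past 255.
    decrypted = byte ^ ((key + i) & 0xFF)
    flag_chars.append(chr(decrypted))

# Join the recovered characters into the final string.
flag = ''.join(flag_chars)
print(f"Flag: {flag}")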

2androidfile

打开 MainActivity,
可以看出代码经过了混淆;用 jadx 自带的反混淆功能处理之后是:

package com.dasctf.androidfile;



import android.content.res.Resources;

import android.os.Build;

import android.os.Bundle;

import android.util.Base64;

import android.view.View;

import android.view.Window;

import android.widget.Button;

import android.widget.TextView;

import androidx.activity.AbstractC0426p;

import androidx.activity.AbstractC0433w;

import androidx.activity.C0409J;

import androidx.activity.C0410K;

import java.security.KeyFactory;

import java.security.PublicKey;

import java.security.spec.X509EncodedKeySpec;

import java.util.Random;

import javax.crypto.Cipher;

import javax.crypto.spec.IvParameterSpec;

import javax.crypto.spec.SecretKeySpec;

import p002B.AbstractC0027h;

import p033R0.AbstractC0330c;

import p053c0.C0618a;

import p057f.AbstractActivityC0681h;

import p057f.C0680g;

import p062i0.ViewOnClickListenerC0766a;



/* loaded from: classes.dex */

// jadx output (with jadx's own renaming) of the app's launcher activity.
// Every sensitive string literal is hidden behind AbstractC0433w.m986i(data, key);
// applying that XOR by hand gives the plaintexts quoted in the comments below.
// Crypto flow visible here: two 16-character strings from m1679A() are handed to the
// click listener, which uses them as the AES key/IV (m1681C) and RSA-encrypts each of
// them with an embedded public key (m1682D).

public class MainActivity extends AbstractActivityC0681h {



/* renamed from: A */

// Output view (R.id.edit_text_2); the click listener writes the final string here.

public TextView f2053A;



/* renamed from: y */

// Button (R.id.mybutton1) that triggers the encryption.

public Button f2054y;



/* renamed from: z */

// Input view (R.id.edit_text_1); the click listener reads the user's text from it.

public TextView f2055z;



static {

// Loads the native library that implements a_p(); the obfuscated name decodes to "androidfile".

System.loadLibrary(AbstractC0433w.m986i("ZLIbw2UnROtssBo=\n", "Bdx/sQpOII0=\n"));

}



public MainActivity() {

this.f921d.f2051b.m1674f("androidx:appcompat", new C0618a(this));

m960i(new C0680g(this));

}



/* renamed from: A */

// Returns 16 characters drawn at random from a decoded alphabet string
// (the plaintext starts with "012"; full contents not reproduced here).
// NOTE(review): the values produced here end up as the AES key and IV (see the
// ViewOnClickListenerC0766a call in onCreate), yet they come from java.util.Random,
// which is not a cryptographically secure generator; SecureRandom is the appropriate source.

public static String m1679A() {

String m986i = AbstractC0433w.m986i("EDXRQcjNLspDYIYUm5BxwktojhyTiGnaU3CWBIu9Xu9oTak5sLVW53BVsSGorU7/eF25\n", "IATjcvz4GKg=\n");

StringBuffer stringBuffer = new StringBuffer();

Random random = new Random();

for (int i2 = 0; i2 < 16; i2++) {

stringBuffer.append(m986i.charAt(random.nextInt(m986i.length())));

}

return stringBuffer.toString();

}



/* renamed from: C */

// Symmetric step: encrypts str with key str2 and IV str3 and returns Base64 text.
// Decoded literals: algorithm "AES", transformation "AES/CBC/PKCS5Padding", charset "UTF-8".
// str2/str3 are converted with the no-argument getBytes(), i.e. the platform default charset.

public static String m1681C(String str, String str2, String str3) {

byte[] bytes = str2.getBytes();

byte[] bytes2 = str3.getBytes();

SecretKeySpec secretKeySpec = new SecretKeySpec(bytes, AbstractC0433w.m986i("Udks\n", "EJx/huJaZmg=\n"));

IvParameterSpec ivParameterSpec = new IvParameterSpec(bytes2);

Cipher cipher = Cipher.getInstance(AbstractC0433w.m986i("BchPNMUH8BUUxl9IsxXSXiDkcnw=\n", "RI0cG4ZFszo=\n"));

// Mode 1 is Cipher.ENCRYPT_MODE.

cipher.init(1, secretKeySpec, ivParameterSpec);

// Flag 0 is android.util.Base64.DEFAULT.

return Base64.encodeToString(cipher.doFinal(str.getBytes(AbstractC0433w.m986i("yd86S2M=\n", "nIt8ZlvsRB4=\n"))), 0);

}



/* renamed from: D */

// Asymmetric step: encrypts str with an RSA public key embedded as obfuscated Base64
// (X.509 / SubjectPublicKeyInfo encoding) and returns Base64 text.
// Both getInstance() literals decode to "RSA".
// NOTE(review): a bare "RSA" transformation leaves mode and padding to the provider default;
// spelling out the padding (e.g. OAEP) avoids depending on that default.
// NOTE(review): the decoded key text starts with "MFwwDQ", which as DER is a 92-byte SEQUENCE,
// the size of a 512-bit RSA public key. If that holds, the modulus is far below current
// minimum key sizes and the RSA wrapping gives little protection -- confirm by decoding it fully.

public static String m1682D(String str) {

byte[] bytes = str.getBytes();

PublicKey generatePublic = KeyFactory.getInstance(AbstractC0433w.m986i("asEy\n", "OJJz9SnyFic=\n")).generatePublic(new X509EncodedKeySpec(Base64.decode(AbstractC0433w.m986i("QMXCGE8qPL1G7O8mYw0GuUzS8C1JKiSzXvT0GFg6L7VMyYYubTo33EXs/gEzEjSWS9eNF2EoKZxH\n5Z4aQw49wmnQ/UBsCCmkTO/EJmAtALZJy81YZBA3tmvvgDo5CCaSPcKaXVgiXIRJ9scoRDcto1Tg\n2CdKDiC0TPTwLkoqWMo=\n", "DYO1bwt7Zfc=\n"), 0)));

Cipher cipher = Cipher.getInstance(AbstractC0433w.m986i("sSby\n", "43WztTWiQRk=\n"));

// Mode 1 is Cipher.ENCRYPT_MODE.

cipher.init(1, generatePublic);

return Base64.encodeToString(cipher.doFinal(bytes), 0);

}



/* JADX INFO: Access modifiers changed from: private */

// Implemented in the native library loaded by the static initializer; the matching
// JNI export in the write-up is Java_com_dasctf_androidfile_MainActivity_a_1p.

public native String a_p(String str);



/* JADX WARN: Multi-variable type inference failed */

/* JADX WARN: Type inference failed for: r10v10, types: [B.h] */

/* JADX WARN: Type inference failed for: r10v24 */

/* JADX WARN: Type inference failed for: r10v25 */

/* JADX WARN: Type inference failed for: r10v26 */

/* JADX WARN: Type inference failed for: r10v27 */

/* JADX WARN: Type inference failed for: r10v28 */

// Window/system-bar setup followed by view lookup and listener registration.
// The "new Object()" assignments in the SDK_INT chain are a decompiler artifact
// (see the type-inference warnings above), not what the app really instantiates.

@Override // p057f.AbstractActivityC0681h, androidx.activity.AbstractActivityC0424n, p092y.AbstractActivityC1040f, android.app.Activity

public final void onCreate(Bundle bundle) {

AbstractC0027h abstractC0027h;

super.onCreate(bundle);

int i2 = AbstractC0426p.f938a;

C0409J c0409j = C0409J.f881a;

C0410K c0410k = new C0410K(0, 0, c0409j);

C0410K c0410k2 = new C0410K(AbstractC0426p.f938a, AbstractC0426p.f939b, c0409j);

View decorView = getWindow().getDecorView();

AbstractC0330c.m874d(decorView, "window.decorView");

Resources resources = decorView.getResources();

AbstractC0330c.m874d(resources, "view.resources");

boolean booleanValue = ((Boolean) c0409j.mo844b(resources)).booleanValue();

Resources resources2 = decorView.getResources();

AbstractC0330c.m874d(resources2, "view.resources");

boolean booleanValue2 = ((Boolean) c0409j.mo844b(resources2)).booleanValue();

int i3 = Build.VERSION.SDK_INT;

if (i3 >= 30) {

abstractC0027h = new Object();

} else if (i3 >= 29) {

abstractC0027h = new Object();

} else if (i3 >= 28) {

abstractC0027h = new Object();

} else if (i3 >= 26) {

abstractC0027h = new Object();

} else {

abstractC0027h = new Object();

}

Window window = getWindow();

AbstractC0330c.m874d(window, "window");

abstractC0027h.mo155C0(c0410k, c0410k2, window, decorView, booleanValue, booleanValue2);

Window window2 = getWindow();

AbstractC0330c.m874d(window2, "window");

abstractC0027h.mo177d(window2);

setContentView(R.layout.activity_main);

this.f2054y = (Button) findViewById(R.id.mybutton1);

this.f2055z = (TextView) findViewById(R.id.edit_text_1);

this.f2053A = (TextView) findViewById(R.id.edit_text_2);

// Decodes to Base64 text that also starts with "MFw" (same shape as the public key in
// m1682D). It is passed to the listener as its third constructor argument, which the
// listener's constructor, as listed in the write-up, does not store.

String m986i = AbstractC0433w.m986i("ZKIxD0oa9odiixwxZj3Mg2i1AzpMGu6JepMHD10K5Y9ornU5aAr95mGLDRY2Iv6sb7B+AGQY46Zj\ngm0NRj73+E23DldpOOOeaIg3MWUdyoxtrD5PYSD9jE+Icy08OOyoGaVpSl0Slr5tkTQ/QQfnmXCH\nKzBPPuqOaJMDOU8akvA=\n", "KeRGeA5Lr80=\n");

// The decoded value of this call is discarded. Its plaintext starts with "MII", i.e.
// Base64 of a DER structure with a multi-byte length, and it is much longer than the
// public key above.
// NOTE(review): check whether this is private-key material; key material that must stay
// secret should never be shipped inside the APK, obfuscated or not.

AbstractC0433w.m986i("r2hpyBZCQnOjZWHEAnRgQIpKSc15ZDtzo3BlzAFSWHKjdRj9J3ROBqNGZcsBeE5wjEJisgJbP1SF\nUEbzClFkZ7JbZ8QJZlpdzRcU73V1ZwCrRwvJN2dCcrVOSdgWJ0p8hGlV4xJWSRq6TXTrN1k8YKYO\nesAqIXx+1FJ5vjN3RVmbeEPJdEJCdaNwYcgBeE5wihkRzSR0IFqBZ2jlBCpKQoBKctJvcn9Et1VD\n/Rh4Un3WRmu4DF5fWZJFZcwIWkQGsUJSoRNKbUaTTE2lDF5/WoBOSs8HVmV/jWhG5y9ffXaESXjr\nAUJCWaNvZN0vK0Rir3JxzC5lYwDQGEPMKUVtaKlNc74lcDkFi1lWzAQrbWSmFXPYAXpOcJV2Yv8a\nIGBemhBOuHFSeGWjWU/na1Y4S9dqdd8PQF5bsnlWzXZnUXOFd2XJCVdEYdBYEP4Tej0ek2hM5nZR\neneaTFjNeXZYX6EVcMcmclpaj05O0gJcQ2OjSGLnCkZbQrdmTeB4PG5pmkpOyTAkfWKheFOzE0k4\neaVCZOYwIz57j0REsglCQlmja07PcUNFVNtNY78PcnFWsHhI2QclaXahdULsBltfB61UV8kWWnNj\nsVkU2g==\n", "4iEgikATCzE=\n");

// Two independent m1679A() results: the first becomes the listener's AES key string,
// the second its IV string.

this.f2054y.setOnClickListener(new ViewOnClickListenerC0766a(this, m1679A(), m986i, m1679A()));

}

}

可以看到,关键的是方法 m986i 和类 ViewOnClickListenerC0766a,
分别打开看看:

/**
 * String de-obfuscator used throughout the decompiled app.
 *
 * <p>Both arguments are turned into byte arrays by {@code AbstractC0798a.m2057a}
 * (not shown here; the write-up treats it as a Base64 decoder -- confirm). The first
 * array is then XORed in place with the second one, the second being repeated from
 * its start whenever it runs out.
 *
 * @param str  encoded payload
 * @param str2 encoded XOR mask
 * @return the masked payload bytes interpreted as UTF-8 text
 */
public static String m986i(String str, String str2) {
    final byte[] payload = AbstractC0798a.m2057a(str);
    final byte[] mask = AbstractC0798a.m2057a(str2);
    final int payloadLen = payload.length;
    final int maskLen = mask.length;

    for (int pos = 0, maskPos = 0; pos < payloadLen; pos++, maskPos++) {
        // Restart the mask once it is exhausted so a short mask covers the whole payload.
        if (maskPos >= maskLen) {
            maskPos = 0;
        }
        payload[pos] ^= mask[maskPos];
    }

    return new String(payload, StandardCharsets.UTF_8);
}

m986i 主要就是把两个 Base64 参数解码后循环异或,逐个还原即可得到对应的明文字符串。其中 System.loadLibrary(AbstractC0433w.m986i("ZLIbw2UnROtssBo=\n", "Bdx/sQpOII0=\n")); 是加载 native 代码的地方,打开对应的库看看:

// IDA pseudocode of the JNI export behind MainActivity.a_p ("_1" in the symbol is JNI's
// escape for "_"). Flow visible below: fetch the Java string's bytes, build a 256-entry
// state table keyed with a 7-byte constant, XOR the string in place with the generated
// stream, Base64-encode it and hand a new Java string back.
// a1 is used as a pointer to a function table (JNIEnv). On a 64-bit ABI offset 1352 is
// slot 169 and offset 1336 is slot 167, i.e. GetStringUTFChars and NewStringUTF --
// confirm against jni.h for the target.
// NOTE(review): the buffer returned by the slot-1352 call is modified in place and no
// matching release call appears in this listing.
__int64 __fastcall Java_com_dasctf_androidfile_MainActivity_a_1p(__int64 a1, __int64 a2, __int64 a3)
{
unsigned __int64 n256; // r15
const char *s; // r14
size_t v6; // rcx
unsigned __int64 v7; // rsi
__int64 n256_1; // rax
signed int v9; // edx
int v10; // esi
int v11; // edx
int v12; // edi
int v13; // r8d
int v14; // edx
signed int v15; // eax
__int64 v16; // rdx
unsigned __int8 v17; // si
int v18; // r8d
char v19; // r8
int v20; // eax
__int64 v21; // rax
_QWORD v24[33]; // [rsp+8h] [rbp-230h] BYREF
_OWORD v25[16]; // [rsp+110h] [rbp-128h] BYREF
unsigned __int64 v26; // [rsp+218h] [rbp-20h]

// Stack canary read.
v26 = __readfsqword(0x28u);
// Multi-character constant stored little-endian: the bytes in memory spell "REVERSE".
// v24[0] therefore holds the 7-byte key, and &v24[1] onward is the 256-byte state table.
v24[0] = 'ESREVER';
n256 = 0;
s = (*(*a1 + 1352LL))(a1, a3, 0);
v6 = strlen(s);
memset(v25, 0, sizeof(v25));
v7 = 1;
// Table initialisation, unrolled two entries per pass: state[i] = i and
// v25[i] = key[i % 7] (the "-7 * (x / 7)" terms are the modulo).
do
{
*(&v24[1] + n256) = n256;
*(v25 + n256) = *(v24 + n256 + -7 * (n256 / 7));
*(&v24[1] + n256 + 1) = n256 + 1;
*(v25 + n256 + 1) = *(v24 + n256 + -7 * (v7 / 7) + 1);
v7 += 2LL;
n256 += 2LL;
}
while ( n256 != 256 );
n256_1 = 0;
v9 = 0;
// Key scheduling: v9 = (v9 + state[i] + v25[i]) mod 256, then swap state[i] and state[v9].
// The "+ 255" / "& 0xFFFFFF00" sequence is the compiler's signed remainder by 256.
do
{
v10 = *(&v24[1] + n256_1);
v11 = v10 + v9;
v12 = *(v25 + n256_1);
v13 = v12 + v11 + 255;
v14 = v12 + v11;
if ( v14 >= 0 )
v13 = v14;
v9 = v14 - (v13 & 0xFFFFFF00);
*(&v24[1] + n256_1) = *(&v24[1] + v9);
*(&v24[1] + v9) = v10;
++n256_1;
}
while ( n256_1 != 256 );
// Stream generation, skipped for an empty input.
if ( v6 )
{
v15 = 0;
v16 = 0;
v17 = 0;
do
{
// v15 = (v15 + 1) mod 256, again via the signed-remainder idiom.
v18 = v15 + 256;
if ( v15 + 1 >= 0 )
v18 = v15 + 1;
v15 = v15 - (v18 & 0xFFFFFF00) + 1;
// v17 accumulates state[v15] in an 8-bit variable, then the two entries are swapped.
v19 = *(&v24[1] + v15);
v17 += v19;
*(&v24[1] + v15) = *(&v24[1] + v17);
*(&v24[1] + v17) = v19;
// Output byte = state[state[v15] + state[v17]], XORed into the input in place.
// The sum is presumably truncated to 8 bits; the cast is not visible in the pseudocode.
s[v16++] ^= *(&v24[1] + (*(&v24[1] + v15) + v19));
}
while ( v6 != v16 );
}
// NOTE(review): the length is re-measured with strlen() after the XOR, so a zero byte in
// the transformed data would cut the Base64 input short of the original v6 bytes.
v20 = strlen(s);
v21 = base64_encode(s, v20);
return (*(*a1 + 1336LL))(a1, v21, __readfsqword(0x28u));
}

逻辑很简单:输入先经过标准 RC4 加密,再做 Base64 编码;RC4 的密钥是 REVERSE。

package p062i0;



import android.util.Log;

import android.view.View;

import android.widget.TextView;

import android.widget.Toast;

import androidx.activity.AbstractC0433w;

import com.dasctf.androidfile.MainActivity;



/* renamed from: i0.a */

/* loaded from: classes.dex */

/**
 * Click handler registered on the button in MainActivity.onCreate (jadx output).
 *
 * <p>On a click it reads the input field, insists on exactly 40 characters and then
 * builds the displayed text from three parts:
 * <ol>
 *   <li>{@code a_p(prefix1 + m1682D(key) + prefix2 + m1682D(iv))} -- both strings are
 *       RSA-encrypted by MainActivity and the concatenation goes through the native
 *       routine;</li>
 *   <li>a fixed separator;</li>
 *   <li>{@code m1681C(input, key, iv)} -- the AES-encrypted input.</li>
 * </ol>
 * Per the decoding script in the write-up, the obfuscated literals are "enkey_",
 * "eniv_", "<-encryptinput->" and, for the toast, "length error".
 *
 * <p>NOTE(review): the AES key and IV travel in the same output as the ciphertext, so the
 * confidentiality of the input rests entirely on the RSA wrapping and the native layer.
 */
public final class ViewOnClickListenerC0766a implements View.OnClickListener {

    /* renamed from: a */
    // Second constructor argument; handed to m1681C as the key string.
    public final /* synthetic */ String f2939a;

    /* renamed from: b */
    // Fourth constructor argument; handed to m1681C as the IV string.
    public final /* synthetic */ String f2940b;

    /* renamed from: c */
    // Owning activity, used for its views, the toast context and the native call.
    public final /* synthetic */ MainActivity f2941c;

    /**
     * @param mainActivity activity whose views are read and written
     * @param str          key string
     * @param str2         accepted but not stored by this constructor
     * @param str3         IV string
     */
    public ViewOnClickListenerC0766a(MainActivity mainActivity, String str, String str2, String str3) {
        this.f2941c = mainActivity;
        this.f2939a = str;
        this.f2940b = str3;
    }

    @Override // android.view.View.OnClickListener
    public final void onClick(View view) {
        final String ivText = this.f2940b;
        final String keyText = this.f2939a;
        final MainActivity activity = this.f2941c;
        final String typed = activity.f2055z.getText().toString();

        // Guard: anything that is not exactly 40 characters only produces a toast
        // (duration 1 is Toast.LENGTH_LONG).
        if (typed.length() != 40) {
            Toast.makeText(activity, AbstractC0433w.m986i("UW1BjiM3du9PekCb\n", "PQgv6VdfVoo=\n"), 1).show();
            return;
        }

        try {
            // Labelled, RSA-encrypted key and IV, in that order.
            final String envelope = AbstractC0433w.m986i("WpRWV0c7\n", "P/o9Mj5kh8w=\n")
                    + MainActivity.m1682D(keyText)
                    + AbstractC0433w.m986i("apcRF1g=\n", "D/l4YQdZTS4=\n")
                    + MainActivity.m1682D(ivText);
            // AES ciphertext of the user's input.
            final String encryptedInput = MainActivity.m1681C(typed, keyText, ivText);
            final TextView output = activity.f2053A;
            // The envelope additionally passes through the native a_p() routine.
            final String nativeWrapped = activity.a_p(envelope);
            output.setText(nativeWrapped
                    + AbstractC0433w.m986i("rcslnY23zQPljy6Dm7GZTQ==\n", "keZA8+7FtHM=\n")
                    + encryptedInput);
        } catch (Exception unused) {
            // Any failure in the crypto or native path is only logged at info level.
            Log.i(AbstractC0433w.m986i("Pea57E0g2gg0+bHuTA==\n", "UJ/YgilStWE=\n"), AbstractC0433w.m986i("Rb1FBTs=\n", "IM83akkWYKo=\n"));
        }
    }
}

这里就是点击按钮之后的处理逻辑。
写个脚本,把那些经过异或混淆的字符串还原出来:

import base64

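def w_i(s1: str, s2: str) -> str:
    """Re-implement the app's string de-obfuscator (``m986i`` in the jadx output).

    Both arguments are Base64 text. They are decoded, and the first byte string
    is XORed with the second one repeated cyclically.

    Args:
        s1: Base64 of the masked payload (embedded newlines/spaces are ignored).
        s2: Base64 of the XOR mask.

    Returns:
        The unmasked payload as UTF-8 text. If the bytes are not valid UTF-8 a
        ``[Binary Data: <hex>]`` marker is returned instead, and a Base64 failure
        is reported as a message string rather than raised.

    Raises:
        ValueError: if the mask decodes to zero bytes while the payload is not
            empty (there is nothing to XOR with).
    """
    # The Java literals carry "\n" line breaks; strip all whitespace before decoding.
    s1 = ''.join(s1.split())
    s2 = ''.join(s2.split())

    try:
        b1 = base64.b64decode(s1)
        b2 = base64.b64decode(s2)
    except ValueError as e:
        # binascii.Error (bad padding etc.) is a ValueError subclass; catching only
        # that keeps unrelated programming errors from being reported as Base64 problems.
        return f"Base64解码错误: {e}"

    # An empty mask would otherwise surface as an unexplained ZeroDivisionError below.
    if b1 and not b2:
        raise ValueError("XOR mask decodes to zero bytes")

    # Cyclic XOR: the mask index wraps with the modulo.
    result = bytearray(b ^ b2[i % len(b2)] for i, b in enumerate(b1))

    try:
        return result.decode('utf-8')
    except UnicodeDecodeError:
        # Not text: show the raw bytes as hex instead of guessing an encoding.
        return f"[Binary Data: {result.hex()}]"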

# --- Alphabet used by the random-string generator (MainActivity.m1679A) ---
print("=== 测试字符集解密 ===")
charset_result = w_i(
    "EDXRQcjNLspDYIYUm5BxwktojhyTiGnaU3CWBIu9Xu9oTak5sLVW53BVsSGorU7/eF25\n",
    "IATjcvz4GKg=\n",
)
print("字符集解密结果: " + charset_result)
print("字符集长度: " + str(len(charset_result)))

# --- Remaining obfuscated literals: decode them all first, report afterwards ---
# Native library name passed to System.loadLibrary.
lib_result = w_i("ZLIbw2UnROtssBo=\n", "Bdx/sQpOII0=\n")
# Two labels the click listener puts in front of the RSA-encrypted key and IV
# (the printed captions call them "URL" parts).
url1 = w_i("WpRWV0c7\n", "P/o9Mj5kh8w=\n")
url2 = w_i("apcRF1g=\n", "D/l4YQdZTS4=\n")
# Separator placed before the AES ciphertext.
suffix = w_i("rcslnY23zQPljy6Dm7GZTQ==\n", "keZA8+7FtHM=\n")
# Message shown when the input length check fails.
toast = w_i("UW1BjiM3du9PekCb\n", "PQgv6VdfVoo=\n")
# String kept in a local in onCreate and passed to the listener.
i4_result = w_i(
    "ZKIxD0oa9odiixwxZj3Mg2i1AzpMGu6JepMHD10K5Y9ornU5aAr95mGLDRY2Iv6sb7B+AGQY46Zjgm0NRj73+E23DldpOOOeaIg3MWUdyoxtrD5PYSD9jE+Icy08OOyoGaVpSl0Slr5tkTQ/QQfnmXCHKzBPPuqOaJMDOU8akvA=",
    "KeRGeA5Lr80=",
)
# Long string whose decoded value onCreate throws away.
long_result = w_i(
    "r2hpyBZCQnOjZWHEAnRgQIpKSc15ZDtzo3BlzAFSWHKjdRj9J3ROBqNGZcsBeE5wjEJisgJbP1SFUEbzClFkZ7JbZ8QJZlpdzRcU73V1ZwCrRwvJN2dCcrVOSdgWJ0p8hGlV4xJWSRq6TXTrN1k8YKYOesAqIXx+1FJ5vjN3RVmbeEPJdEJCdaNwYcgBeE5wihkRzSR0IFqBZ2jlBCpKQoBKctJvcn9Et1VD/Rh4Un3WRmu4DF5fWZJFZcwIWkQGsUJSoRNKbUaTTE2lDF5/WoBOSs8HVmV/jWhG5y9ffXaESXjrAUJCWaNvZN0vK0Rir3JxzC5lYwDQGEPMKUVtaKlNc74lcDkFi1lWzAQrbWSmFXPYAXpOcJV2Yv8aIGBemhBOuHFSeGWjWU/na1Y4S9dqdd8PQF5bsnlWzXZnUXOFd2XJCVdEYdBYEP4Tej0ek2hM5nZReneaTFjNeXZYX6EVcMcmclpaj05O0gJcQ2OjSGLnCkZbQrdmTeB4PG5pmkpOyTAkfWKheFOzE0k4eaVCZOYwIz57j0REsglCQlmja07PcUNFVNtNY78PcnFWsHhI2QclaXahdULsBltfB61UV8kWWnNjsVkU2g==",
    "4iEgikATCzE=",
)

print("\n=== 解密其他字符串 ===")
for report_line in (
    f"1. 库名: {lib_result}",
    f"2. URL第一部分: '{url1}'",
    f"3. URL第二部分: '{url2}'",
    f"4. 固定后缀: '{suffix}'",
    f"5. Toast消息: '{toast}'",
    f"6. i4字符串: {i4_result}",
    # Only the first 200 characters of the long value are shown.
    f"7. 长字符串: {long_result[:200]}...",
):
    print(report_line)

得到的信息:

  1. 库名: androidfile
  2. URL第一部分: ‘enkey_’
  3. URL第二部分: ‘eniv_’
  4. 固定后缀: ‘<-encryptinput->’
  5. Toast消息: ‘length error’
    附件就是密文了,其中 <-encryptinput-> 之后的部分就是需要解密的密文,那么前面的 enkey_ / eniv_ 两段就应该对应 AES 的 key 和 iv。
    接下来就是解密了。



3login

IDA打开可以看到
程序使用 RC4 加密所有网络数据,密钥为 qwertyui;
sub_5302是响应的函数
主要的加密位置
其中的参数已经在注释了.

// IDA pseudocode: one call into sub_5042 whose first five arguments are string constants
// (IDA shows their contents in the trailing comments).
// The write-up reads them as RSA parameters in hex text: off_90A0 = modulus n,
// off_90A8 = public exponent "10001", off_90B0 = p, off_90B8 = q.
// The roles of "0", s_ and ptr are not visible in this excerpt.
// NOTE(review): p and q are the private factors of n. With them stored as plain strings
// in the binary, the private key can be rebuilt by anyone holding the file, so anything
// encrypted to n gets no real protection.
_d73b03a9b0c4b7e9236d56938d6264e6c8ecaab709effcf02f4e5ec2631027 = sub_5042(
*&off_90A0,// "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"
*&off_90A8,// "10001"
*&off_90B0,// "b782eca6a75067d398dd8ef00e9d024cc554f292d7820a72848d3c619dafaf61ab8f7d719d4cd8ac44351281afd64f8cf23bc8aa5ec48bbd9eb301af50b96f528a108e6643223130a84addd5b9e1ad108c44d706adc5fb097a17ab990f395f3781296e356ac60d64b9a2a641c3e2f593bbe98d38df528a1c67e583ef623b667f"
*&off_90B8,// "d73b03a9b0c4b7e9236d56938d6264e6c8ecaab709effcf02f4e5ec26310273b81089e1cb3d4c050e852721d3daf1d5b7a2be2df02bafcffb77e17d1a8e6428bf87579c859cbe778d3b9ea93aff0d934a0e7b83a1d7a39d0a1779ea18db5fffd99b118c4c2361a22308f54f7ae568e7bf2de6d1b6eb0be1d77eca8edd94f9fad"
*&off_90C0,// "0"
s_,
ptr);// "d73b03a9b0c4b7e9236d56938d6264e6c8ecaab709effcf02f4e5ec26310273b81089e1cb3d4c050e852721d3daf1d5b7a2be2df02bafcffb77e17d1a8e6428bf87579c859cbe778d3b9ea93aff0d934a0e7b83a1d7a39d0a1779ea18db5fffd99b118c4c2361a22308f54f7ae568e7bf2de6d1b6eb0be1d77eca8edd94f9fad"

那就直接解 RSA,其中各参数如下:

公钥n = 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
e = 10001(十六进制,即 0x10001)
私钥的参数
p = b782eca6a75067d398dd8ef00e9d024cc554f292d7820a72848d3c619dafaf61ab8f7d719d4cd8ac44351281afd64f8cf23bc8aa5ec48bbd9eb301af50b96f528a108e6643223130a84addd5b9e1ad108c44d706adc5fb097a17ab990f395f3781296e356ac60d64b9a2a641c3e2f593bbe98d38df528a1c67e583ef623b667f
q = d73b03a9b0c4b7e9236d56938d6264e6c8ecaab709effcf02f4e5ec26310273b81089e1cb3d4c050e852721d3daf1d5b7a2be2df02bafcffb77e17d1a8e6428bf87579c859cbe778d3b9ea93aff0d934a0e7b83a1d7a39d0a1779ea18db5fffd99b118c4c2361a22308f54f7ae568e7bf2de6d1b6eb0be1d77eca8edd94f9fad

然后沿着 sub_49DD(s__2, 42, s__1, s_, p_req_login…); 调用的函数继续往下跟,可以找到与账号登录相关的 AES 参数。
exp:

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP, AES

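# RSA parameters recovered from the binary's string constants (hex text).
# p and q are the two private prime factors; e is the public exponent.
p = int("b782eca6a75067d398dd8ef00e9d024cc554f292d7820a72848d3c619dafaf61ab8f7d719d4cd8ac44351281afd64f8cf23bc8aa5ec48bbd9eb301af50b96f528a108e6643223130a84addd5b9e1ad108c44d706adc5fb097a17ab990f395f3781296e356ac60d64b9a2a641c3e2f593bbe98d38df528a1c67e583ef623b667f", 16)
q = int("d73b03a9b0c4b7e9236d56938d6264e6c8ecaab709effcf02f4e5ec26310273b81089e1cb3d4c050e852721d3daf1d5b7a2be2df02bafcffb77e17d1a8e6428bf87579c859cbe778d3b9ea93aff0d934a0e7b83a1d7a39d0a1779ea18db5fffd99b118c4c2361a22308f54f7ae568e7bf2de6d1b6eb0be1d77eca8edd94f9fad", 16)
e = 0x10001

# The modulus and the private exponent are fully determined by p, q and e, so they
# are derived here instead of being pasted as two more long literals that would
# have to be kept consistent by hand.
n = p * q
# Modular inverse of e modulo (p-1)(q-1); three-argument pow with -1 needs Python 3.8+.
d = pow(e, -1, (p - 1) * (q - 1))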

# 256-byte blob copied from the binary (named after IDA's label for it).
# Below it is RSA-OAEP-decrypted and the result is passed to AES.new as the CBC IV,
# although the script stores that result in a variable called `account`.
byte_C1A0 = bytes([
0x16, 0x38, 0xE0, 0xEB, 0x93, 0x61, 0x40, 0xB5, 0x52, 0x70,
0x33, 0x29, 0x2C, 0xBE, 0xFC, 0xD7, 0x3B, 0x55, 0xCF, 0xC7,
0xFB, 0x79, 0xDF, 0x51, 0xAE, 0x37, 0x68, 0xA0, 0xDD, 0x9C,
0x84, 0xAE, 0x45, 0x80, 0xE4, 0x7A, 0x51, 0x33, 0xB4, 0x25,
0xF4, 0xC9, 0x3E, 0xAC, 0x97, 0xE4, 0xB1, 0xAA, 0x0B, 0x4C,
0xD3, 0x05, 0x89, 0xD0, 0x04, 0xF6, 0xD0, 0xD1, 0x9F, 0xCB,
0xC7, 0x09, 0xE8, 0x6C, 0xC2, 0x99, 0x6B, 0x43, 0x3D, 0x29,
0xF6, 0x50, 0xB6, 0x99, 0x87, 0xA4, 0x66, 0xF0, 0x5B, 0xEF,
0x7F, 0x69, 0x94, 0x58, 0x60, 0xDC, 0xC4, 0x47, 0x42, 0xA5,
0x11, 0xF3, 0x62, 0x13, 0x85, 0xC8, 0x9F, 0xBD, 0x4D, 0x73,
0x15, 0x36, 0x15, 0x78, 0x96, 0x34, 0xB2, 0x5C, 0xFC, 0x31,
0x51, 0xA4, 0x11, 0x5B, 0xC3, 0x0C, 0x96, 0x97, 0x9E, 0x5F,
0x96, 0x52, 0x90, 0xF3, 0x6A, 0x86, 0x3E, 0x33, 0x78, 0xB5,
0xCF, 0xC9, 0xBA, 0x31, 0x43, 0x8C, 0x4B, 0xAE, 0x22, 0xB2,
0x3E, 0xF8, 0x15, 0xED, 0xF7, 0xCF, 0x17, 0x71, 0x80, 0x3B,
0xD3, 0x92, 0xA5, 0x07, 0x2B, 0x46, 0x89, 0x00, 0xB7, 0x5F,
0x5A, 0x43, 0x77, 0xD1, 0xDA, 0xF3, 0xD6, 0xF7, 0xB7, 0xB6,
0x85, 0x0D, 0x1A, 0x4A, 0x41, 0x34, 0xF2, 0xF6, 0x58, 0x40,
0xEF, 0xAA, 0x9B, 0x83, 0xD3, 0x10, 0x83, 0x05, 0x1D, 0xF0,
0xFC, 0x80, 0xA7, 0x86, 0x52, 0x91, 0x59, 0x48, 0x4F, 0x62,
0xBB, 0xB9, 0x52, 0x4F, 0x68, 0x28, 0x5F, 0x48, 0xC7, 0xAB,
0x8E, 0x03, 0xBD, 0xFE, 0xCA, 0x1A, 0x60, 0x25, 0xAA, 0xED,
0x9F, 0x97, 0x28, 0xB3, 0x90, 0x68, 0x9C, 0x0C, 0x96, 0x39,
0x20, 0xC7, 0x28, 0xEB, 0x56, 0x95, 0xFC, 0xB9, 0x41, 0x3F,
0x9F, 0x4E, 0x06, 0xD3, 0xB9, 0x3D, 0xB4, 0x0E, 0x26, 0xD6,
0x27, 0x5C, 0x84, 0xE6, 0x12, 0x6A
])

# 256-byte blob copied from the binary (named after IDA's label for it).
# Below it is RSA-OAEP-decrypted and the result is used as the AES key.
byte_C0A0 = bytes([
0x37, 0x3A, 0x2A, 0x27, 0xB3, 0x8F, 0xD7, 0x78, 0xC7, 0x16,
0x72, 0x8E, 0xBB, 0x95, 0xBE, 0x89, 0xA0, 0xA0, 0x57, 0x10,
0x91, 0x19, 0xA0, 0x8D, 0x5C, 0xE4, 0x92, 0x61, 0xEB, 0xB0,
0xE0, 0x77, 0x6D, 0x25, 0x4A, 0x40, 0xC4, 0xD2, 0x1B, 0xD2,
0x46, 0x3E, 0x61, 0x60, 0x87, 0x71, 0xDE, 0x40, 0x1E, 0xED,
0x13, 0xAC, 0x66, 0x60, 0xD9, 0x96, 0xBE, 0xA8, 0xC8, 0xB8,
0x2B, 0xDD, 0x0E, 0xAF, 0x56, 0xC3, 0x84, 0x66, 0x77, 0x6E,
0xBA, 0x31, 0xF7, 0xB2, 0x21, 0x92, 0x30, 0xB6, 0x54, 0xA7,
0x7E, 0xC0, 0xAF, 0x39, 0x5A, 0x01, 0xC3, 0x1C, 0x13, 0x9A,
0x4F, 0x6B, 0x7B, 0x8B, 0xA8, 0x45, 0x19, 0x20, 0x96, 0x16,
0x5D, 0xD7, 0xAC, 0xD0, 0x33, 0x1E, 0x79, 0xDB, 0xE4, 0x34,
0xED, 0x8C, 0x9A, 0x66, 0x58, 0x1D, 0x26, 0xF6, 0x9E, 0x5F,
0xAA, 0x29, 0x5F, 0x66, 0x01, 0x00, 0x76, 0xB9, 0x1A, 0x6D,
0xD6, 0x1D, 0xB7, 0xAB, 0xD3, 0x25, 0xF8, 0xBD, 0x25, 0xD9,
0x28, 0xDE, 0xBC, 0xC0, 0x2E, 0x55, 0x55, 0xFF, 0x81, 0xF7,
0xAE, 0x3E, 0x54, 0x8E, 0x3E, 0x46, 0x59, 0xA3, 0x7F, 0x5D,
0x3D, 0x3C, 0x39, 0xFB, 0xCA, 0xD1, 0xB5, 0x83, 0xE4, 0x2F,
0xB0, 0x4F, 0xA3, 0x28, 0xEB, 0xB7, 0x7E, 0x78, 0x41, 0xF4,
0x5B, 0x71, 0x1E, 0x77, 0xEE, 0x23, 0xE1, 0x19, 0x89, 0xDB,
0x2C, 0x0E, 0x06, 0xB8, 0x19, 0x1A, 0x45, 0x6D, 0x56, 0xBD,
0x1A, 0x7D, 0x42, 0xC4, 0x7F, 0xDF, 0xDF, 0x11, 0x79, 0x22,
0x8B, 0x57, 0xC6, 0xEF, 0xCA, 0x9B, 0x9B, 0x6A, 0x7D, 0x22,
0x68, 0x2E, 0x5B, 0x67, 0xC7, 0xC4, 0x6A, 0x87, 0x7F, 0xB6,
0x77, 0xF5, 0xF3, 0x17, 0xB4, 0x82, 0x3F, 0xCD, 0xC8, 0x12,
0xF0, 0x36, 0x2B, 0xE2, 0x7C, 0x0F, 0x54, 0x53, 0x03, 0x71,
0x48, 0xED, 0x30, 0x12, 0x7B, 0x26
])

# 48-byte blob copied from the binary (three AES blocks); this is the data that is
# AES-CBC-decrypted at the end of the script.
byte_C2A0 = bytes([
0xAD, 0xD1, 0xD1, 0x19, 0x60, 0xC2, 0x2D, 0x91, 0x66, 0xDA,
0xC3, 0xC2, 0x67, 0x25, 0xC8, 0x19, 0x09, 0x17, 0x6B, 0x23,
0x8E, 0x30, 0x03, 0xAA, 0x57, 0xAA, 0xCB, 0xA0, 0xA2, 0x26,
0xB7, 0xC3, 0x1C, 0x22, 0x0B, 0x8D, 0x20, 0x9C, 0xB4, 0x95,
0xB5, 0x5D, 0xB4, 0xE2, 0x7D, 0x4E, 0x43, 0x8E
])


# Rebuild the RSA private key from the parameters defined above.
key = RSA.construct((n, e, d, p, q))

# Unwrap the two RSA-OAEP blobs, each with a fresh cipher object.
# Note the naming: the first result is called `account`, but it is what gets passed
# to AES.new as the CBC initialisation vector below.
account, aes_key = (
    PKCS1_OAEP.new(key).decrypt(blob) for blob in (byte_C1A0, byte_C0A0)
)

# AES-CBC decryption of the payload with the unwrapped key and IV.
result = AES.new(aes_key, AES.MODE_CBC, account).decrypt(byte_C2A0)

# No padding is stripped here, and errors='ignore' silently drops any byte that is not
# valid UTF-8, so padding bytes or a wrong key would not raise at this point.
text = result.decode('utf-8', errors='ignore')
print(text)
