某云机so层aes key少了一位数

cure888

app下载链接(控制台atob)

[JavaScript] 纯文本查看 复制代码

?

1	aHR0cHM6Ly9zeXN0YXRpYy5zaGFuZ3NoaXdsLmNvbS9oNXdlYi9jbG91ZHBob25lX2xhbmRfcGFnZS9pbmRleC5odG1sP2NoYW5uZWw9c3N5c2xfMjI4Ml8zOF8zNDAyXzM1MzBfOTY2NDk1X2Fk

java层路径: com.sswl.sdk.safe.SswlJNIUtils.aesEncrypt

java

so文件名称 : libopensslSafeLib.so
方法偏移 : 88368

so

hook图

key少了一位数，不知道什么原因，so层这个解密结果也打印不出来(技术不够)

[JavaScript] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

function hook_native() {     var libsswlcrypto = Module.findBaseAddress("libopensslSafeLib.so");     var hsAddr = libsswlcrypto.add(0x88368);     Interceptor.attach(hsAddr, {         onEnter: function (args) {             console.log("args[0]: " + args[0].readCString());             console.log("args[1]: " + args[1].readCString());             console.log("args[2]: " + args[2].readCString());             console.log("args[3]: " + args[3].toInt32());             console.log("args[4]: " + args[4].readCString());                   },         onLeave: function (retval) {         }     }); }

laos

args[4]是用来接收base64结果指针~

你在onEnter输出肯定为空~

[JavaScript] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20

function hook_native() {   var libsswlcrypto = Module.findBaseAddress("libopensslSafeLib.so");   var hsAddr = libsswlcrypto.add(0x88368);   let output;   Interceptor.attach(hsAddr, {     onEnter: function (args) {       console.log("args[0]: " + args[0].readCString());       console.log("args[1]: " + args[1].readCString());       console.log("args[2]: " + args[2].readCString());       console.log("args[3]: " + args[3].toInt32());       this.output = args[4];     },     onLeave: function (retval) {       console.log(         "base64EncodeOut",         Memory.readCString(Memory.readPointer(this.output))       );     },   }); }

至于密钥长度15, 最后补\0即可

cure888

laos 发表于 2025-2-20 17:12
args[4]是用来接收base64结果指针~

你在onEnter输出肯定为空~

感谢大佬的帮助，终于解决了