├── README.md ├── argus.py ├── bfi.py ├── clusterbr.py ├── cronets ├── enumerate.py ├── eor.py ├── gorgon ├── gorgon-demo.py ├── gorgon-test.py └── gorgon-works.py ├── ida └── nopclean.py ├── images ├── lagon-loop.txt ├── lldb_cmd.py ├── log ├── log-old.txt ├── log.txt.bak ├── log2.txt ├── loop.txt ├── looptrace1 ├── looptrace2 ├── looptrace3 ├── notes ├── notes2 ├── proto ├── .proto.swo ├── c │ ├── compile.sh │ └── emulator.c ├── code ├── dump │ ├── libmetasec │ ├── result │ ├── stack │ ├── x1_1 │ └── x1_2 ├── encrypt-result-hex ├── hex ├── hexdump.sh ├── jmp_table1 ├── jmp_table2 ├── jmp_table3 ├── jmp_table4 ├── key-hex ├── new-proto-decoded ├── outproto ├── proto ├── proto-cmd.sh ├── proto-decoded └── vm ├── research ├── run ├── script.js ├── setup.py ├── trace └── utils ├── cut.sh └── string /README.md: -------------------------------------------------------------------------------- 1 | This is WIP reverse engineering of the TikTok app's HTTP headers. I was able to reverse engineer many of the protobuf fields used in X-Gorgon/X-Argus, while for some I used an emulator to calculate them. 2 | This was an exercise for me to get back into reverse engineering after many years of not practicing it. I discontinued the research because finishing the few X-Argus fields I haven't cracked needed tooling I didn't have. 
3 | 4 | If you're working on cracking X-Argus, this file will help you out with the fields I've already deciphered: 5 | https://github.com/tsarpaul/tiktok-x-argus/blob/main/proto/proto-decoded 6 | -------------------------------------------------------------------------------- /argus.py: -------------------------------------------------------------------------------- 1 | import struct 2 | from pysmx.SM3 import SM3 3 | 4 | 5 | def bfi(rd, rn, lsb, width): 6 | rn = (rn & ls) << lsb 7 | ls = ~(ls << lsb) 8 | rd = rd & ls 9 | return rd 10 | 11 | class Argus: 12 | def __init__(self, signKey1, signKey2, signKey3, signKey4): 13 | self._signKey1 = signKey1 14 | self._signKey2 = signKey2 15 | self._signKey3 = signKey3 16 | self._signKey4 = signKey4 17 | 18 | def _gen_key(self): 19 | data = ( 20 | self._signKey1 21 | + self._signKey2 22 | + self._signKey3 23 | + self._signKey4 24 | ) 25 | sm3 = SM3() 26 | sm3.update(bytes(data)) 27 | res = sm3.hexdigest() 28 | 29 | res_list = [] 30 | for i in range(0, len(res), 2): 31 | res_list.append(int(res[i : i + 2], 16)) 32 | sm3_list = [] 33 | for i in range(0, len(res_list), 4): 34 | c = struct.unpack("= 0: 42 | B = 0x3DC94C3A >> off_1 43 | H = (sm3_list[6] >> 3) & 0xFFFFFFFF 44 | H |= (sm3_list[7] << 29) & 0xFFFFFFFF 45 | C = H ^ sm3_list[2] 46 | bfi_v = bfi(B, 0x7FFFFFFE, 1, 0x1F) 47 | H = (sm3_list[7] >> 3) & 0xFFFFFFFF 48 | H |= (sm3_list[6] << 29) & 0xFFFFFFFF 49 | E = H ^ sm3_list[3] 50 | if E & 1: 51 | B = (C >> 1) | 0x80000000 52 | else: 53 | B = C >> 1 54 | F = (E >> 1) | H 55 | G = F ^ sm3_list[1] ^ E 56 | A = ~G & 0xFFFFFFFF 57 | F = D ^ B 58 | for j in range(6): 59 | sm3_list[j] = sm3_list[j + 2] 60 | sm3_list[6] = F 61 | sm3_list[7] = A 62 | for j in range(2): 63 | for d in list(struct.pack("Q", key1))[0] 79 | argus = Argus(key1, key2, key3, key4) 80 | key = argus._gen_key() 81 | print(key) 82 | 83 | -------------------------------------------------------------------------------- /bfi.py: 
# --------------------------------------------------------------------------------
# Operands lifted from the disassembly for the instruction emulated below.
w9 = 0x0000000f
w8 = 0x000007f4


# BFI W9, W8, #4, #0x1C
def bfi(int2, int1, skip, width):
    """Emulate AArch64 ``BFI``: insert the low *width* bits of *int1* into *int2* at bit *skip*.

    Operands are treated as unsigned (non-negative) values; bits of *int2*
    outside ``[skip, skip + width)`` are kept as they are. Returns the merged
    integer.
    """
    low_mask = (1 << width) - 1
    inserted = (int1 & low_mask) << skip
    kept = int2 & ~(low_mask << skip)
    return kept | inserted


final1 = bfi(w9, w8, 4, 0x1c)
final2 = bfi(0xe, 0xee, 4, 8)
print(hex(final1))
print(hex(final2))


# ==== /clusterbr.py ====
# Relies on `lldb` already being in scope (it is not imported here), as when
# run from lldb's script interpreter. Plants a named, one-shot, auto-continue
# breakpoint every 0x500 bytes across libmetasec_ov.so; each hit prints a
# backtrace and resumes.
for off in range(0, 0xffa00, 0x500):
    lldb.debugger.HandleCommand(
        f'b -s libmetasec_ov.so -a {hex(off)} -C "bt" --one-shot 1 --auto-continue 1 -N libmetacluster'
    )


# ==== /enumerate.py ====
import sys

import frida


def on_message(message, data):
    """Frida message callback: echo `send()` payloads, print any other message as-is."""
    if message['type'] != 'send':
        print(message)
        return
    print(f"[*] {message['payload']}")


# Attach over USB to the PID given as the first argument, inject enumerate.js,
# then block on stdin (until EOF) so the script stays loaded.
with open('./enumerate.js') as f:
    jscode = f.read()

pid = int(sys.argv[1])
process = frida.get_usb_device().attach(pid)
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running')
script.load()
sys.stdin.read()


# ==== /eor.py ====
def eor(val):
    """XOR the bytes of *val* with a fixed 6-byte key and return the result as text.

    Mirrors the EOR sequence from the disassembly: both *val* and the key are
    indexed with ``i & 7``, so inputs longer than the 6-byte key raise
    IndexError. A zero result byte is reported by printing 'x00' instead of
    being appended.
    """
    key = [0xa5, 0x10, 0x71, 0xc7, 0x50, 0x90]
    chars = []
    for i in range(len(val)):
        j = i & 7
        decoded = val[j] ^ key[j]
        if decoded == 0:
            print('x00')
        else:
            chars.append(chr(decoded))
    return "".join(chars)
| # mov w8, 0x72c4 12 | # mov w9, 0x71 13 | val = [0xc4, 0x72, 0x71] 14 | eor(val) 15 | -------------------------------------------------------------------------------- /gorgon/gorgon-demo.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | 3 | def bfi(int2, int1, skip, width): 4 | bins1 = bin(int1)[2:].zfill(32) 5 | bins1 = list(bins1)[::-1] 6 | bins2 = bin(int2)[2:].zfill(32) 7 | bins2 = list(bins2)[::-1] 8 | bins2[skip:skip+width] = bins1[:width] 9 | bins2 = ''.join(bins2[::-1]) 10 | final = int(bins2, 2) 11 | return final 12 | 13 | def tohex(i:str): 14 | # format int to %2x 15 | num = ord(i) 16 | return hex(num)[2:].zfill(2) 17 | 18 | def get_gorgon_raw(url_params, ts=None, rev=False): 19 | # md5 of url_params 20 | md5 = hashlib.md5() 21 | md5.update(url_params.encode()) 22 | md5 = md5.digest() 23 | # turn md5 to hex string with \x 24 | md5 = md5.decode('latin') 25 | gorgon_raw = md5[0:4] + "\x00" * 8 + "\x20\x00\x05\x04" 26 | if not ts: 27 | ts = int(time.time()) 28 | # turn ts to hex string with \x 29 | ts = hex(ts)[2:] 30 | ts = ts.zfill(8) 31 | ts = [ts[i:i+2] for i in range(0, len(ts), 2)] 32 | if rev: ts = ts[::-1] 33 | ts = [chr(int(i, 16)) for i in ts] 34 | ts = ''.join(ts) 35 | gorgon_raw += ts 36 | return gorgon_raw 37 | 38 | 39 | url_params = 
"sdk_version=1.2.0-rc.5-ttp&iid=7288879573570406150&device_id=7288878770684577285&ac=wifi&channel=googleplay&aid=1233&app_name=musical_ly&version_code=310503&version_name=31.5.3&device_platform=android&os=android&ab_version=31.5.3&ssmix=a&device_type=ONEPLUS+A5000&device_brand=OnePlus&language=en&os_api=28&os_version=9&openudid=0be4f51f3d59138c&manifest_version_code=2023105030&resolution=1080*1920&dpi=420&update_version_code=2023105030&_rticket=1699191765469&is_pad=0¤t_region=IL&app_type=normal&sys_region=US&timezone_name=America%2FNew_York&residence=IL&app_language=en&ac2=wifi5g&uoo=0&op_region=IL&timezone_offset=-18000&build_number=31.5.3&host_abi=arm64-v8a&locale=en®ion=US&ts=1699191760&cdid=2a169839-9b90-4b09-9a15-1de763ce5917" 40 | 41 | rand1_gorgon7 = "\xe0" 42 | rand2_gorgon3 = "\x61" 43 | #seed1 = "\x00" 44 | #seed2 = "\x02" 45 | seed1 = "\x14" 46 | seed2 = "\x01" 47 | 48 | # gorgon raw calculated from timestamp + md5 of url_params 49 | #gorgon_raw = "\x5e\xc4\xe6\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x05\x04\x65\x46\x8c\x5f" 50 | gorgon_raw = get_gorgon_raw(url_params, ts=1699191770) 51 | gorgon_buf = "\x4a" + seed1 + "\x16" + rand2_gorgon3 + "\x47\x6c" + seed2 + rand1_gorgon7 52 | gorgon_raw = [ord(g) for g in gorgon_raw] 53 | gorgon_buf = [ord(g) for g in gorgon_buf] 54 | gorgon_out = gorgon_raw.copy() 55 | var_test = 0 56 | 57 | state = [] 58 | final = [] 59 | for i in range(0x100): 60 | state.append(i) 61 | 62 | w22 = 0 63 | for i in range(0x100): 64 | w8 = state[i] 65 | x9 = i % 8 66 | w9 = gorgon_buf[x9] 67 | w8 += w22 68 | w8 += w9 69 | w9 = w8 // 0x100 70 | w22 = w8 - (w9 << 8) 71 | w26 = state[w22&0xff] 72 | w8 = i + 0x22 73 | w8 %= 0x100 74 | x20 = w22 75 | state[i] = w26 76 | state[x20&0xff] = w26 77 | 78 | x23 = 0 79 | w25 = 0 80 | x21 = 0x14 81 | w27 = x21 82 | w26 = 0 83 | while x23 < x21: 84 | w8 = w25 + 1 85 | w9 = w8 // 0x100 86 | w25 = w8 - (w9 << 8) 87 | w8 = state[w25] 88 | w8 += w26 89 | w9 = w8 // 0x100 90 | w26 = w8 - (w9 << 8) 
91 | w8 = state[w26] 92 | state[w25] = w8 93 | state[w26] = w8 94 | w9 = state[w25] 95 | w10 = gorgon_out[x23] 96 | w8 += w9 97 | w8 %= 0x100 98 | w8 = state[w8] 99 | w8 ^= w10 100 | gorgon_out[x23] = w8 101 | x23 += 1 102 | 103 | x8 = 0 104 | w20 = 0xffffffeb 105 | #x9 = w27 - 1 106 | x9 = 0x13 107 | w26 = 0x33 108 | w28 = 1 109 | w12 = 0x23 110 | w13 = 0x1bd 111 | w14 = 7 112 | w15 = 0xFFFFFFAA 113 | w16 = 0x55 114 | gorgon_raw_var = x9 115 | print(x21) 116 | while x8 < x21: 117 | w11 = gorgon_out[x8] 118 | w25 = x8 + 1 119 | i = x8 120 | w8 = x8 121 | w9 = w11 >> 4 122 | w9 = bfi(w9, w11, 4, 8) 123 | gorgon_out[i] = w9 & 0xff 124 | if x21 <= w25: 125 | if w8 == 0: pass 126 | else: 127 | w10 = gorgon_raw_var 128 | if w10 != w8: pass 129 | else: 130 | w10 = gorgon_out[0] 131 | w9 ^= w10 132 | gorgon_out[i] = w9 & 0xff 133 | else: 134 | w9 = gorgon_out[i+1] 135 | w10 = gorgon_out[i] 136 | w9 ^= w10 137 | gorgon_out[i] = w9 & 0xff 138 | 139 | w8 = gorgon_out[i] 140 | w9 = w15 & (w8 << 1) 141 | w8 = w16 & (w8 >> 1) 142 | w8 |= w9 143 | w9 = w8 << 2 144 | w9 &= 0xFFFFFFCF 145 | w8 = w26 & (w8 >> 2) 146 | w8 |= w9 147 | # UBFX W9, W8, #4, #4 148 | w9 = (w8 >> 4) & 0xf 149 | w9 = bfi(w9, w8, 4, 0x1c) 150 | w8 = w9 ^ w20 151 | gorgon_out[i] = w8 & 0xff 152 | x8 = w25 153 | 154 | final = "".join([hex(i)[2:].zfill(2) for i in gorgon_out]) 155 | final = "8404" + tohex(rand1_gorgon7) + tohex(rand2_gorgon3) + tohex(seed1) + tohex(seed2) + final 156 | print(final) 157 | 158 | expect = "8404e0db00021c36d7e3c4ad8babb3446fd543bba303012c6107" 159 | -------------------------------------------------------------------------------- /gorgon/gorgon-test.py: -------------------------------------------------------------------------------- 1 | def bfi(int2, int1, skip, width): 2 | bins1 = bin(int1)[2:].zfill(32) 3 | bins1 = list(bins1)[::-1] 4 | bins2 = bin(int2)[2:].zfill(32) 5 | bins2 = list(bins2)[::-1] 6 | bins2[skip:skip+width] = bins1[:width] 7 | bins2 = ''.join(bins2[::-1]) 8 | 
final = int(bins2, 2) 9 | return final 10 | 11 | def tohex(i:str): 12 | # format int to %2x 13 | num = ord(i) 14 | return hex(num)[2:].zfill(2) 15 | 16 | gorgon_out = [0x17, 0x50] 17 | x21 = 0x14 18 | x8 = 0 19 | w20 = 0xffffffeb 20 | x9 = 0x13 21 | w26 = 0x33 22 | w28 = 1 23 | w12 = 0x23 24 | w13 = 0x1bd 25 | w14 = 7 26 | w15 = 0xFFFFFFAA 27 | w16 = 0x55 28 | gorgon_raw_var = x9 29 | while x8 < x21: 30 | w11 = gorgon_out[x8] 31 | w25 = x8 + 1 32 | i = x8 33 | w8 = x8 34 | w9 = w11 >> 4 35 | w9 = bfi(w9, w11, 4, 8) 36 | gorgon_out[i] = w9 & 0xff 37 | import pdb; pdb.set_trace() 38 | if x21 <= w25: 39 | if w8 == 0: pass 40 | else: 41 | w10 = gorgon_raw_var 42 | if w10 != w8: pass 43 | else: 44 | w10 = gorgon_out[0] 45 | w9 ^= w10 46 | gorgon_out[i] = w9 & 0xff 47 | else: 48 | w9 = gorgon_out[i+1] 49 | w10 = gorgon_out[i] 50 | w9 ^= w10 51 | gorgon_out[i] = w9 & 0xff 52 | 53 | w8 = gorgon_out[i] 54 | w9 = w15 & (w8 << 1) 55 | w8 = w16 & (w8 >> 1) 56 | w8 |= w9 57 | w9 = w8 << 2 58 | w9 &= 0xFFFFFFCF 59 | w8 = w26 & (w8 >> 2) 60 | w8 |= w9 61 | # UBFX W9, W8, #4, #4 62 | w9 = (w8 >> 4) & 0xf 63 | w9 = bfi(w9, w8, 4, 0x1c) 64 | w8 = w9 ^ w20 65 | gorgon_out[i] = w8 & 0xff 66 | x8 = w25 67 | 68 | final = "".join([hex(i)[2:] for i in gorgon_out]) 69 | 70 | -------------------------------------------------------------------------------- /gorgon/gorgon-works.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | import struct 3 | 4 | def bfi(int2, int1, skip, width): 5 | bins1 = bin(int1)[2:].zfill(32) 6 | bins1 = list(bins1)[::-1] 7 | bins2 = bin(int2)[2:].zfill(32) 8 | bins2 = list(bins2)[::-1] 9 | bins2[skip:skip+width] = bins1[:width] 10 | bins2 = ''.join(bins2[::-1]) 11 | final = int(bins2, 2) 12 | return final 13 | 14 | def tohex(i:str): 15 | # format int to %2x 16 | num = ord(i) 17 | return hex(num)[2:].zfill(2) 18 | 19 | def get_gorgon_raw(url_params, ts=None): 20 | # md5 of url_params 21 | md5 = hashlib.md5() 22 
| md5.update(url_params.encode()) 23 | md5 = md5.digest() 24 | # turn md5 to hex string with \x 25 | md5 = md5.decode('latin') 26 | gorgon_raw = md5[0:4] + "\x00" * 8 + "\x20\x00\x05\x04" 27 | if not ts: 28 | ts = int(time.time()) 29 | # turn ts to hex string with \x 30 | 31 | ts = hex(ts)[2:] 32 | ts = ts.zfill(8) 33 | ts = [ts[i:i+2] for i in range(0, len(ts), 2)] 34 | ts = [chr(int(i, 16)) for i in ts] 35 | ts = ''.join(ts) 36 | gorgon_raw += ts 37 | return gorgon_raw 38 | 39 | 40 | #url_params = "aid=1233&source_type=0&group_id=40031_1699122162646" 41 | #ts = 1699122271 42 | 43 | url_params = "app_name=musical_ly&app_version=31.5.3&channel=googleplay&sdk_version=2.3.3.i1 8n&version_code=31.5.3&lang=en&aid=1233" 44 | ts = 1702172429 45 | 46 | rand1_gorgon7 = "\xe0" 47 | rand2_gorgon3 = "\xdb" 48 | seed1 = "\x00" 49 | seed2 = "\x02" 50 | #seed1 = "\x14" 51 | #seed2 = "\x01" 52 | 53 | # gorgon raw calculated from timestamp + md5 of url_params 54 | #gorgon_raw = "\x5e\xc4\xe6\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x05\x04\x65\x46\x8c\x5f" 55 | gorgon_raw = get_gorgon_raw(url_params, ts) 56 | gorgon_buf = "\x4a" + seed1 + "\x16" + rand2_gorgon3 + "\x47\x6c" + seed2 + rand1_gorgon7 57 | gorgon_raw = [ord(g) for g in gorgon_raw] 58 | gorgon_buf = [ord(g) for g in gorgon_buf] 59 | gorgon_out = gorgon_raw.copy() 60 | var_test = 0 61 | 62 | state = [] 63 | final = [] 64 | for i in range(0x100): 65 | state.append(i) 66 | 67 | w22 = 0 68 | for i in range(0x100): 69 | w8 = state[i] 70 | x9 = i % 8 71 | w9 = gorgon_buf[x9] 72 | w8 += w22 73 | w8 += w9 74 | w9 = w8 // 0x100 75 | w22 = w8 - (w9 << 8) 76 | w26 = state[w22&0xff] 77 | w8 = i + 0x22 78 | w8 %= 0x100 79 | x20 = w22 80 | state[i] = w26 81 | state[x20&0xff] = w26 82 | 83 | x23 = 0 84 | w25 = 0 85 | x21 = 0x14 86 | w27 = x21 87 | w26 = 0 88 | while x23 < x21: 89 | w8 = w25 + 1 90 | w9 = w8 // 0x100 91 | w25 = w8 - (w9 << 8) 92 | w8 = state[w25] 93 | w8 += w26 94 | w9 = w8 // 0x100 95 | w26 = w8 - (w9 << 8) 96 | 
w8 = state[w26] 97 | state[w25] = w8 98 | state[w26] = w8 99 | w9 = state[w25] 100 | w10 = gorgon_out[x23] 101 | w8 += w9 102 | w8 %= 0x100 103 | w8 = state[w8] 104 | w8 ^= w10 105 | gorgon_out[x23] = w8 106 | x23 += 1 107 | 108 | x8 = 0 109 | w20 = 0xffffffeb 110 | #x9 = w27 - 1 111 | x9 = 0x13 112 | w26 = 0x33 113 | w28 = 1 114 | w12 = 0x23 115 | w13 = 0x1bd 116 | w14 = 7 117 | w15 = 0xFFFFFFAA 118 | w16 = 0x55 119 | gorgon_raw_var = x9 120 | print(x21) 121 | while x8 < x21: 122 | w11 = gorgon_out[x8] 123 | w25 = x8 + 1 124 | i = x8 125 | w8 = x8 126 | w9 = w11 >> 4 127 | w9 = bfi(w9, w11, 4, 8) 128 | gorgon_out[i] = w9 & 0xff 129 | if x21 <= w25: 130 | if w8 == 0: pass 131 | else: 132 | w10 = gorgon_raw_var 133 | if w10 != w8: pass 134 | else: 135 | w10 = gorgon_out[0] 136 | w9 ^= w10 137 | gorgon_out[i] = w9 & 0xff 138 | else: 139 | w9 = gorgon_out[i+1] 140 | w10 = gorgon_out[i] 141 | w9 ^= w10 142 | gorgon_out[i] = w9 & 0xff 143 | 144 | w8 = gorgon_out[i] 145 | w9 = w15 & (w8 << 1) 146 | w8 = w16 & (w8 >> 1) 147 | w8 |= w9 148 | w9 = w8 << 2 149 | w9 &= 0xFFFFFFCF 150 | w8 = w26 & (w8 >> 2) 151 | w8 |= w9 152 | # UBFX W9, W8, #4, #4 153 | w9 = (w8 >> 4) & 0xf 154 | w9 = bfi(w9, w8, 4, 0x1c) 155 | w8 = w9 ^ w20 156 | gorgon_out[i] = w8 & 0xff 157 | x8 = w25 158 | 159 | final = "".join([hex(i)[2:].zfill(2) for i in gorgon_out]) 160 | final = "8404" + tohex(rand1_gorgon7) + tohex(rand2_gorgon3) + tohex(seed1) + tohex(seed2) + final 161 | print(final) 162 | 163 | expect = "8404e0db00021c36d7e3c4ad8babb3446fd543bba303012c6107" 164 | -------------------------------------------------------------------------------- /ida/nopclean.py: -------------------------------------------------------------------------------- 1 | import idc 2 | import idaapi 3 | import ida_bytes 4 | import ida_auto 5 | 6 | start = 0x1cc80 7 | end = 0xff9fc 8 | 9 | def get_mnem(addr): return idc.GetDisasm(addr).split(' ')[0] 10 | def get_last_op(addr): return idc.GetDisasm(addr).split(' ')[-1] 11 | 
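def get_imm(addr):
    """Return the text after the last '#' in the disassembly at *addr* (the immediate, e.g. '0x3C')."""
    return idc.GetDisasm(addr).split('#')[-1].split(' ')[0]


# Walk the obfuscated range looking for a BL to a nearby stub followed by code
# that derives a branch target from X0, then patch the instruction after the BL
# so analysis flows straight to that target. The two shapes recognised are:
#   addr1 -> BL within 0x40
#   addr2 -> MOV reg1, X0
#   addr3 -> ADD reg2, reg1, #num
#   addr4 -> BR/B reg2
# OR:
#   addr2 -> ADD reg1, X0, #num
#   addr3 -> BR/B reg1
# `start`, `end`, `get_mnem` and `get_last_op` are defined earlier in this file.
for i in range(start, end, 4):
    addr = i
    inst1 = idc.GetDisasm(addr)
    mnem = inst1.split(' ')[0]
    dest = inst1.split(' ')[-1]
    # Only `sub_XXXX`-style targets parse; catch ValueError alone so that IDA
    # API errors and KeyboardInterrupt are not silently swallowed.
    try:
        dest = int(dest.split('sub_')[-1], 16)
    except ValueError:
        continue
    if mnem != 'BL' or dest - addr >= 0x40:
        continue

    mnem2 = get_mnem(addr + 4)
    reg2 = get_last_op(addr + 4)
    end_bad_addr = 0

    # option 1: MOV reg1, X0 ; ADD reg2, reg1, #num
    if mnem2 == 'MOV' and reg2 == 'X0':
        if get_mnem(addr + 8) == 'ADD':
            try:
                offset = int(get_imm(addr + 8), 16)
            except ValueError:
                continue
            end_bad_addr = addr + offset

    # option 2: ADD reg1, X0, #num ; BR/B reg1
    if mnem2 == 'ADD' and idc.print_operand(addr + 4, 1) == 'X0':
        dest = idc.print_operand(addr + 4, 0)
        try:
            offset = int(get_imm(addr + 4), 16)
        except ValueError:
            continue
        cmd3 = get_mnem(addr + 8)
        if cmd3 in ('BR', 'B') and idc.print_operand(addr + 8, 0) == dest:
            end_bad_addr = addr + offset

    if end_bad_addr == 0:
        continue
    # Only short forward skips are patched; a zero or backward distance is not
    # the pattern and would make the one-byte encoding below invalid.
    delta = end_bad_addr - i
    if delta <= 0 or delta > 0x40:
        continue
    print(f'{hex(i)} - {hex(end_bad_addr)}')
    # 4-byte little-endian patch: low byte = distance in instructions, top byte
    # 0x14 (appears to be an AArch64 `B #imm`). The distance is measured from
    # `addr` although the patch is written at addr+4 -- NOTE(review): confirm
    # this matches the stub's X0 semantics. With delta <= 0x40 the count always
    # fits in one byte, which the original two-hex-digit format assumed.
    div = (end_bad_addr - addr) // 4
    patch_data = bytes([div]) + b'\x00\x00\x14'
    #patch_data = b'\xe0\x03\x00\xaa'
    #for j in range(i, end_bad_addr, 4):
    #    ida_bytes.patch_bytes(j, patch_data)
    ida_bytes.patch_bytes(addr + 4, patch_data)
    idc.auto_mark_range(i, end_bad_addr, ida_auto.AU_CODE)
    idc.plan_and_wait(i, end_bad_addr)

-------------------------------------------------------------------------------- /images: --------------------------------------------------------------------------------
1 | [ 0] AC5AE111-889D-8B83-AAC9-EF040807A1BC 0x0000005d97127000 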
/home/polka/.lldb/module_cache/remote-android/.cache/AC5AE111-889D-8B83-AAC9-EF040807A1BC/app_process64 2 | [ 1] CF1E6ABC 0x0000007aa652d000 [vdso] (0x0000007aa652d000) 3 | [ 2] 00983E1F-D8B1-A3BE-7C6C-123162722E4D 0x0000007aa63d9000 /home/polka/.lldb/module_cache/remote-android/.cache/00983E1F-D8B1-A3BE-7C6C-123162722E4D/linker64 4 | [ 3] 3AC2926C-5D5C-5ACB-17C9-CD40D030BB0A 0x0000007aa4c50000 /home/polka/.lldb/module_cache/remote-android/.cache/3AC2926C-5D5C-5ACB-17C9-CD40D030BB0A/libandroid_runtime.so 5 | [ 4] F2A857BD-7D0D-EE26-D603-FDABD4D15387 0x0000007aa59c2000 /home/polka/.lldb/module_cache/remote-android/.cache/F2A857BD-7D0D-EE26-D603-FDABD4D15387/libbase.so 6 | [ 5] 14FABC40-2A4A-AF30-45D4-14B187F126F1 0x0000007aa3d94000 /home/polka/.lldb/module_cache/remote-android/.cache/14FABC40-2A4A-AF30-45D4-14B187F126F1/libbinder.so 7 | [ 6] 917920FB-0CE0-486F-BDF5-484617B586E6 0x0000007aa044e000 /home/polka/.lldb/module_cache/remote-android/.cache/917920FB-0CE0-486F-BDF5-484617B586E6/libcutils.so 8 | [ 7] C3589366 0x0000007aa4f10000 /home/polka/.lldb/module_cache/remote-android/.cache/C3589366/libhwbinder.so 9 | [ 8] 7BDB74DF-833A-CB39-E9AD-7331E28EFE8C 0x0000007aa0747000 /home/polka/.lldb/module_cache/remote-android/.cache/7BDB74DF-833A-CB39-E9AD-7331E28EFE8C/liblog.so 10 | [ 9] 11C0C95F-6911-D0DE-1EFC-730E0B972EF9 0x0000007aa5548000 /home/polka/.lldb/module_cache/remote-android/.cache/11C0C95F-6911-D0DE-1EFC-730E0B972EF9/libnativeloader.so 11 | [ 10] 7DA3D283-1CC8-344E-240B-F4300C8EEF1C 0x0000007aa508d000 /home/polka/.lldb/module_cache/remote-android/.cache/7DA3D283-1CC8-344E-240B-F4300C8EEF1C/libutils.so 12 | [ 11] 99CD8C38-B06E-2B9C-16BC-CB0DB1791B8D 0x0000007aa5358000 /home/polka/.lldb/module_cache/remote-android/.cache/99CD8C38-B06E-2B9C-16BC-CB0DB1791B8D/libwilhelm.so 13 | [ 12] 80F4168E-4D26-C8E4-E081-E2CD53BDB17C 0x0000007aa0d80000 /home/polka/.lldb/module_cache/remote-android/.cache/80F4168E-4D26-C8E4-E081-E2CD53BDB17C/libc++.so 14 | [ 13] 
1D4A25C5-C7D4-DC45-0ECF-69DE6F346B81 0x0000007aa27cd000 /home/polka/.lldb/module_cache/remote-android/.cache/1D4A25C5-C7D4-DC45-0ECF-69DE6F346B81/libc.so 15 | [ 14] 810D7C00-603C-97DA-DF2F-F21FA38E1CDA 0x0000007aa2708000 /home/polka/.lldb/module_cache/remote-android/.cache/810D7C00-603C-97DA-DF2F-F21FA38E1CDA/libm.so 16 | [ 15] FA394DDF-D86F-B8DF-1A57-1C581BA6F75E 0x0000007aa26d8000 /home/polka/.lldb/module_cache/remote-android/.cache/FA394DDF-D86F-B8DF-1A57-1C581BA6F75E/libdl.so 17 | [ 16] A355E73D-27C7-8C79-68B9-36C9916AFCAB 0x0000007aa0f80000 /home/polka/.lldb/module_cache/remote-android/.cache/A355E73D-27C7-8C79-68B9-36C9916AFCAB/libbpf.so 18 | [ 17] 3914A3B9-04EE-AC30-3495-C943F1D37E4E 0x0000007aa410b000 /home/polka/.lldb/module_cache/remote-android/.cache/3914A3B9-04EE-AC30-3495-C943F1D37E4E/libnetdutils.so 19 | [ 18] 13DC14BF-7E4B-13B3-131D-B51D81BEFA64 0x0000007aa4495000 /home/polka/.lldb/module_cache/remote-android/.cache/13DC14BF-7E4B-13B3-131D-B51D81BEFA64/libmemtrack.so 20 | [ 19] 9EEEBB6B-7249-8E01-27B6-F5B9F32154F8 0x0000007aa06c0000 /home/polka/.lldb/module_cache/remote-android/.cache/9EEEBB6B-7249-8E01-27B6-F5B9F32154F8/libandroidfw.so 21 | [ 20] C8CB39D0-4A2A-7480-318A-F401732CFDB0 0x0000007aa2ed0000 /home/polka/.lldb/module_cache/remote-android/.cache/C8CB39D0-4A2A-7480-318A-F401732CFDB0/libappfuse.so 22 | [ 21] 98F6C760-6E45-9C51-8CC6-7637DEE737FB 0x0000007aa098f000 /home/polka/.lldb/module_cache/remote-android/.cache/98F6C760-6E45-9C51-8CC6-7637DEE737FB/libcrypto.so 23 | [ 22] AFD8E19C-3462-8A68-9F18-2213A810FD6B 0x0000007aa55db000 /home/polka/.lldb/module_cache/remote-android/.cache/AFD8E19C-3462-8A68-9F18-2213A810FD6B/libnativehelper.so 24 | [ 23] B266655E-3590-7C82-C2A1-1E9649867670 0x0000007aa451c000 /home/polka/.lldb/module_cache/remote-android/.cache/B266655E-3590-7C82-C2A1-1E9649867670/libdebuggerd_client.so 25 | [ 24] BCB409AE-6F48-CA69-51E6-25FAAB73E22F 0x0000007aa3c04000 
/home/polka/.lldb/module_cache/remote-android/.cache/BCB409AE-6F48-CA69-51E6-25FAAB73E22F/libui.so 26 | [ 25] 7DE4A749-8E52-1E68-E7A1-05BE1E0F5FC4 0x0000007aa0780000 /home/polka/.lldb/module_cache/remote-android/.cache/7DE4A749-8E52-1E68-E7A1-05BE1E0F5FC4/libgraphicsenv.so 27 | [ 26] 045FAA61-F2C2-A5F0-58E0-B1C449DCC04B 0x0000007aa41c1000 /home/polka/.lldb/module_cache/remote-android/.cache/045FAA61-F2C2-A5F0-58E0-B1C449DCC04B/libgui.so 28 | [ 27] 7DD8AF7D-13EC-7E74-DB83-F2E39CA83614 0x0000007aa0908000 /home/polka/.lldb/module_cache/remote-android/.cache/7DD8AF7D-13EC-7E74-DB83-F2E39CA83614/libsensor.so 29 | [ 28] 29D14933-11AD-76D8-2326-5B23F3455D26 0x0000007aa0c86000 /home/polka/.lldb/module_cache/remote-android/.cache/29D14933-11AD-76D8-2326-5B23F3455D26/libinput.so 30 | [ 29] AB87F447 0x0000007aa049a000 /home/polka/.lldb/module_cache/remote-android/.cache/AB87F447/libcamera_client.so 31 | [ 30] 23E0D4E9-BD8A-2CB9-4867-0FD14DEB1E0E 0x0000007aa43d9000 /home/polka/.lldb/module_cache/remote-android/.cache/23E0D4E9-BD8A-2CB9-4867-0FD14DEB1E0E/libcamera_metadata.so 32 | [ 31] BC659124-7A08-42FF-A54E-2703C7D34250 0x0000007aa53ef000 /home/polka/.lldb/module_cache/remote-android/.cache/BC659124-7A08-42FF-A54E-2703C7D34250/libsqlite.so 33 | [ 32] FF69E233-4089-4C72-79F5-A08214F4F97A 0x0000007aa40a9000 /home/polka/.lldb/module_cache/remote-android/.cache/FF69E233-4089-4C72-79F5-A08214F4F97A/libEGL.so 34 | [ 33] 2CF4CF7C-96E5-1232-C1D7-F5F9D9091B4B 0x0000007aa2795000 /home/polka/.lldb/module_cache/remote-android/.cache/2CF4CF7C-96E5-1232-C1D7-F5F9D9091B4B/libGLESv1_CM.so 35 | [ 34] 15A8E9E5-17F9-761A-09A8-358EF5F41B9F 0x0000007aa1ec6000 /home/polka/.lldb/module_cache/remote-android/.cache/15A8E9E5-17F9-761A-09A8-358EF5F41B9F/libGLESv2.so 36 | [ 35] 85D38AA7-2F15-E4A7-38E2-98AEBCFBF6E9 0x0000007aa4c00000 /home/polka/.lldb/module_cache/remote-android/.cache/85D38AA7-2F15-E4A7-38E2-98AEBCFBF6E9/libvulkan.so 37 | [ 36] CC1BF9B7 0x0000007aa054f000 
/home/polka/.lldb/module_cache/remote-android/.cache/CC1BF9B7/libziparchive.so 38 | [ 37] 8F8DAE47-E822-30E5-E104-20350CB8C4DE 0x0000007aa5057000 /home/polka/.lldb/module_cache/remote-android/.cache/8F8DAE47-E822-30E5-E104-20350CB8C4DE/libETC1.so 39 | [ 38] C0F3921A-12F8-9754-4F61-C861191488F4 0x0000007aa45d7000 /home/polka/.lldb/module_cache/remote-android/.cache/C0F3921A-12F8-9754-4F61-C861191488F4/libhardware.so 40 | [ 39] 8DA67DC1-0968-C606-BF7E-06AB5887E96D 0x0000007aa08cc000 /home/polka/.lldb/module_cache/remote-android/.cache/8DA67DC1-0968-C606-BF7E-06AB5887E96D/libhardware_legacy.so 41 | [ 40] 26A446EB-92F1-4E5B-CC0D-D0774E822778 0x0000007aa5a84000 /home/polka/.lldb/module_cache/remote-android/.cache/26A446EB-92F1-4E5B-CC0D-D0774E822778/libselinux.so 42 | [ 41] AA000936-456D-48AC-D3A7-00E6ABD50F3E 0x0000007aa3e97000 /home/polka/.lldb/module_cache/remote-android/.cache/AA000936-456D-48AC-D3A7-00E6ABD50F3E/libicuuc.so 43 | [ 42] 785D4350 0x0000007aa4f57000 /home/polka/.lldb/module_cache/remote-android/.cache/785D4350/libmedia.so 44 | [ 43] A4388590 0x0000007aa47eb000 /home/polka/.lldb/module_cache/remote-android/.cache/A4388590/libmediametrics.so 45 | [ 44] FFDD30CB 0x0000007aa0ba4000 /home/polka/.lldb/module_cache/remote-android/.cache/FFDD30CB/libaudioclient.so 46 | [ 45] BCA60CA9-960C-9FE1-D4F8-E01047040E38 0x0000007aa50d7000 /home/polka/.lldb/module_cache/remote-android/.cache/BCA60CA9-960C-9FE1-D4F8-E01047040E38/libjpeg.so 47 | [ 46] 1F3A4191-2DA5-A10C-FAEA-484D4C147AE0 0x0000007aa5b45000 /home/polka/.lldb/module_cache/remote-android/.cache/1F3A4191-2DA5-A10C-FAEA-484D4C147AE0/libusbhost.so 48 | [ 47] 6416D2A1-518E-0F68-5AFE-4ECAAF08C28E 0x0000007aa4307000 /home/polka/.lldb/module_cache/remote-android/.cache/6416D2A1-518E-0F68-5AFE-4ECAAF08C28E/libharfbuzz_ng.so 49 | [ 48] 4F8F4B0C-6189-6C2D-2F3F-A7C05BA680C1 0x0000007aa5607000 /home/polka/.lldb/module_cache/remote-android/.cache/4F8F4B0C-6189-6C2D-2F3F-A7C05BA680C1/libz.so 50 | [ 49] 
124E5B99-DBDF-87E6-61E0-DF08DA2A0379 0x0000007aa2912000 /home/polka/.lldb/module_cache/remote-android/.cache/124E5B99-DBDF-87E6-61E0-DF08DA2A0379/libpdfium.so 51 | [ 50] C6915F84 0x0000007aa4153000 /home/polka/.lldb/module_cache/remote-android/.cache/C6915F84/libimg_utils.so 52 | [ 51] CFEA3952-FF62-12DC-3BD3-8143329E19F5 0x0000007aa4783000 /home/polka/.lldb/module_cache/remote-android/.cache/CFEA3952-FF62-12DC-3BD3-8143329E19F5/libnetd_client.so 53 | [ 52] 4A0B52A4-21A1-CE69-51F6-30F07772163D 0x0000007aa564a000 /home/polka/.lldb/module_cache/remote-android/.cache/4A0B52A4-21A1-CE69-51F6-30F07772163D/libsoundtrigger.so 54 | [ 53] B6C2645E 0x0000007aa5c40000 /home/polka/.lldb/module_cache/remote-android/.cache/B6C2645E/libminikin.so 55 | [ 54] 93A9B9B2-6BB7-4193-5F28-95DE26F4A149 0x0000007aa041d000 /home/polka/.lldb/module_cache/remote-android/.cache/93A9B9B2-6BB7-4193-5F28-95DE26F4A149/libprocessgroup.so 56 | [ 55] 38C98582-AF69-2716-8079-7EE4C2622284 0x0000007aa5296000 /home/polka/.lldb/module_cache/remote-android/.cache/38C98582-AF69-2716-8079-7EE4C2622284/libnativebridge.so 57 | [ 56] BFBB85D1-36F2-B6A1-D96A-ADCD79965D5B 0x0000007aa2f31000 /home/polka/.lldb/module_cache/remote-android/.cache/BFBB85D1-36F2-B6A1-D96A-ADCD79965D5B/libmemunreachable.so 58 | [ 57] 4E65179D-8E0A-BBB6-2F6A-49C421EABD4F 0x0000007aa0584000 /home/polka/.lldb/module_cache/remote-android/.cache/4E65179D-8E0A-BBB6-2F6A-49C421EABD4F/libhidlbase.so 59 | [ 58] EDC07347-9AEA-7C4D-D196-B0CF15891B69 0x0000007aa46c1000 /home/polka/.lldb/module_cache/remote-android/.cache/EDC07347-9AEA-7C4D-D196-B0CF15891B69/libhidltransport.so 60 | [ 59] 11C717FE-9BE0-AC47-1487-694B64A3796E 0x0000007aa1192000 /home/polka/.lldb/module_cache/remote-android/.cache/11C717FE-9BE0-AC47-1487-694B64A3796E/libvintf.so 61 | [ 60] 127A5A87-ED06-ADDB-70CB-EA91D0DB37D1 0x0000007aa5597000 /home/polka/.lldb/module_cache/remote-android/.cache/127A5A87-ED06-ADDB-70CB-EA91D0DB37D1/libnativewindow.so 62 | [ 61] AC401BD8 
0x0000007aa14cf000 /home/polka/.lldb/module_cache/remote-android/.cache/AC401BD8/libhwui.so 63 | [ 62] 8DB119B2-6189-0F36-5FFF-60202293E562 0x0000007aa2fc7000 /home/polka/.lldb/module_cache/remote-android/.cache/8DB119B2-6189-0F36-5FFF-60202293E562/libstatslog.so 64 | [ 63] 84D4D756-D9A4-E56D-046B-01BDA4A0C2F0 0x0000007aa5317000 /home/polka/.lldb/module_cache/remote-android/.cache/84D4D756-D9A4-E56D-046B-01BDA4A0C2F0/libassert_tip_service.so 65 | [ 64] C76ABF58-9316-5CD2-06D7-61B4E84D6700 0x0000007aa4593000 /home/polka/.lldb/module_cache/remote-android/.cache/C76ABF58-9316-5CD2-06D7-61B4E84D6700/liboem_jni.so 66 | [ 65] 1D19A3C6-22A1-DB07-DDAC-149440C351E8 0x0000007aa1147000 /home/polka/.lldb/module_cache/remote-android/.cache/1D19A3C6-22A1-DB07-DDAC-149440C351E8/libopdiagnose.so 67 | [ 66] 815947DE-0C9E-99A6-36FB-3C8C89C32089 0x0000007aa2653000 /home/polka/.lldb/module_cache/remote-android/.cache/815947DE-0C9E-99A6-36FB-3C8C89C32089/libutilscallstack.so 68 | [ 67] 7958C851-A75F-6222-AFF3-F78778AB3D07 0x0000007aa5a5f000 /home/polka/.lldb/module_cache/remote-android/.cache/7958C851-A75F-6222-AFF3-F78778AB3D07/libvndksupport.so 69 | [ 68] C2680376 0x0000007aa5ac2000 /home/polka/.lldb/module_cache/remote-android/.cache/C2680376/libmedia_omx.so 70 | [ 69] F3166E65 0x0000007aa0953000 /home/polka/.lldb/module_cache/remote-android/.cache/F3166E65/libmediaextractor.so 71 | [ 70] E1FC4E3C-DAED-7F88-669C-EEB2B5659016 0x0000007aa4749000 /home/polka/.lldb/module_cache/remote-android/.cache/E1FC4E3C-DAED-7F88-669C-EEB2B5659016/libaudiomanager.so 72 | [ 71] 21C539E6 0x0000007aa4959000 /home/polka/.lldb/module_cache/remote-android/.cache/21C539E6/libstagefright.so 73 | [ 72] 77E2F9A6 0x0000007aa1f29000 /home/polka/.lldb/module_cache/remote-android/.cache/77E2F9A6/libstagefright_foundation.so 74 | [ 73] ABEA09D4 0x0000007aa52ee000 /home/polka/.lldb/module_cache/remote-android/.cache/ABEA09D4/libstagefright_http_support.so 75 | [ 74] 66755CAB-5664-C6FA-F067-35DB56F5AD4A 
0x0000007aa524a000 /home/polka/.lldb/module_cache/remote-android/.cache/66755CAB-5664-C6FA-F067-35DB56F5AD4A/android.hardware.memtrack@1.0.so 76 | [ 75] C89ACD6D-45E9-F3C1-AB55-FD3BDD45D587 0x0000007aa5a0e000 /home/polka/.lldb/module_cache/remote-android/.cache/C89ACD6D-45E9-F3C1-AB55-FD3BDD45D587/android.hardware.graphics.allocator@2.0.so 77 | [ 76] BEC67703-5A58-C1CA-7A89-837D74145240 0x0000007aa12c7000 /home/polka/.lldb/module_cache/remote-android/.cache/BEC67703-5A58-C1CA-7A89-837D74145240/android.hardware.graphics.common@1.1.so 78 | [ 77] 5A9F12DC-F62E-CBBC-59D7-C2F66734E7DF 0x0000007aa598f000 /home/polka/.lldb/module_cache/remote-android/.cache/5A9F12DC-F62E-CBBC-59D7-C2F66734E7DF/android.hardware.graphics.mapper@2.0.so 79 | [ 78] 4E025BEF-4C35-6829-134D-171D19E4E3C8 0x0000007aa0807000 /home/polka/.lldb/module_cache/remote-android/.cache/4E025BEF-4C35-6829-134D-171D19E4E3C8/android.hardware.graphics.mapper@2.1.so 80 | [ 79] 5ABD2D10-745C-46E9-BDD3-C81C97CBBE08 0x0000007aa4ec6000 /home/polka/.lldb/module_cache/remote-android/.cache/5ABD2D10-745C-46E9-BDD3-C81C97CBBE08/android.hardware.configstore@1.0.so 81 | [ 80] EF8523B1-F23F-9539-9206-86CC426A4189 0x0000007aa484c000 /home/polka/.lldb/module_cache/remote-android/.cache/EF8523B1-F23F-9539-9206-86CC426A4189/android.hardware.configstore-utils.so 82 | [ 81] AA45B063-1528-E47F-898C-696A1F9767B3 0x0000007aa3bc6000 /home/polka/.lldb/module_cache/remote-android/.cache/AA45B063-1528-E47F-898C-696A1F9767B3/libsync.so 83 | [ 82] D41E1730-0063-CA55-02FF-972692BA921F 0x0000007aa42c3000 /home/polka/.lldb/module_cache/remote-android/.cache/D41E1730-0063-CA55-02FF-972692BA921F/libbufferhubqueue.so 84 | [ 83] 7B9B5689-D07B-0286-7A66-CE97ECF1A2DA 0x0000007aa0ed0000 /home/polka/.lldb/module_cache/remote-android/.cache/7B9B5689-D07B-0286-7A66-CE97ECF1A2DA/libpdx_default_transport.so 85 | [ 84] AD616C62-BA02-7B98-33AA-802D44818F96 0x0000007aa3d40000 
/home/polka/.lldb/module_cache/remote-android/.cache/AD616C62-BA02-7B98-33AA-802D44818F96/android.hidl.token@1.0-utils.so 86 | [ 85] 9B070F97-73CD-5091-5186-5EABE226F512 0x0000007aa0b18000 /home/polka/.lldb/module_cache/remote-android/.cache/9B070F97-73CD-5091-5186-5EABE226F512/android.hardware.graphics.bufferqueue@1.0.so 87 | [ 86] C4CE6F75 0x0000007aa301b000 /home/polka/.lldb/module_cache/remote-android/.cache/C4CE6F75/libclang_rt.ubsan_standalone-aarch64-android.so 88 | [ 87] 31636954-2C90-CA1C-C3D6-049D09AE6B33 0x0000007aa56a6000 /home/polka/.lldb/module_cache/remote-android/.cache/31636954-2C90-CA1C-C3D6-049D09AE6B33/libicui18n.so 89 | [ 88] 666DB3B5-2293-1031-A120-634F6800E1A6 0x0000007aa4608000 /home/polka/.lldb/module_cache/remote-android/.cache/666DB3B5-2293-1031-A120-634F6800E1A6/libbacktrace.so 90 | [ 89] 96E1B2E1-DC16-B910-66E7-42AE5A7AC67F 0x0000007aa3cc4000 /home/polka/.lldb/module_cache/remote-android/.cache/96E1B2E1-DC16-B910-66E7-42AE5A7AC67F/android.hardware.graphics.common@1.0.so 91 | [ 90] 2C90916C-7B49-B52F-4FA7-F3E4A2CC9AD1 0x0000007aa51f0000 /home/polka/.lldb/module_cache/remote-android/.cache/2C90916C-7B49-B52F-4FA7-F3E4A2CC9AD1/libpcre2.so 92 | [ 91] E99A2DFB-0DA9-B404-D359-66CDB9180166 0x0000007aa4691000 /home/polka/.lldb/module_cache/remote-android/.cache/E99A2DFB-0DA9-B404-D359-66CDB9180166/libpackagelistparser.so 93 | [ 92] 0F6B87B2-B200-DF74-7536-0D6E2623DEB5 0x0000007aa0381000 /home/polka/.lldb/module_cache/remote-android/.cache/0F6B87B2-B200-DF74-7536-0D6E2623DEB5/libsonivox.so 94 | [ 93] 4FE325D7-7B16-4695-334F-5FBD4CB75B34 0x0000007aa4436000 /home/polka/.lldb/module_cache/remote-android/.cache/4FE325D7-7B16-4695-334F-5FBD4CB75B34/libexpat.so 95 | [ 94] 567588D1-FFF6-5713-7A02-8C14F8435D1A 0x0000007aa464c000 /home/polka/.lldb/module_cache/remote-android/.cache/567588D1-FFF6-5713-7A02-8C14F8435D1A/libaudioutils.so 96 | [ 95] 596E16EB 0x0000007aa3d05000 /home/polka/.lldb/module_cache/remote-android/.cache/596E16EB/libmedia_helper.so 
97 | [ 96] A13C4AB9-A412-ECBA-C4CE-B677A8CE2863 0x0000007aa1de5000 /home/polka/.lldb/module_cache/remote-android/.cache/A13C4AB9-A412-ECBA-C4CE-B677A8CE2863/libft2.so 98 | [ 97] 24187A2A-791E-BC9C-162F-22C8A7F4A618 0x0000007aa063d000 /home/polka/.lldb/module_cache/remote-android/.cache/24187A2A-791E-BC9C-162F-22C8A7F4A618/libhidl-gen-utils.so 99 | [ 98] D062DBEE 0x0000007aa034f000 /home/polka/.lldb/module_cache/remote-android/.cache/D062DBEE/libtinyxml2.so 100 | [ 99] 21AC444D-3BB4-CCAC-EEF7-D20D8958E2D6 0x0000007aa1cac000 /home/polka/.lldb/module_cache/remote-android/.cache/21AC444D-3BB4-CCAC-EEF7-D20D8958E2D6/libdng_sdk.so 101 | [100] E1A7B8A5 0x0000007aa44dc000 /home/polka/.lldb/module_cache/remote-android/.cache/E1A7B8A5/libheif.so 102 | [101] 9E18A4BC-94F3-5411-6AB4-A9E3B19C082E 0x0000007aa0d48000 /home/polka/.lldb/module_cache/remote-android/.cache/9E18A4BC-94F3-5411-6AB4-A9E3B19C082E/libpiex.so 103 | [102] 97C4B961-9784-878F-E9B1-6A98BDC596E4 0x0000007aa1254000 /home/polka/.lldb/module_cache/remote-android/.cache/97C4B961-9784-878F-E9B1-6A98BDC596E4/libpng.so 104 | [103] FFE682E8-E5DA-263A-6998-5A2592F08907 0x0000007aa48d3000 /home/polka/.lldb/module_cache/remote-android/.cache/FFE682E8-E5DA-263A-6998-5A2592F08907/libprotobuf-cpp-lite.so 105 | [104] 7730A593-D30E-BEC5-D334-D5923E0D0ED4 0x0000007aa1349000 /home/polka/.lldb/module_cache/remote-android/.cache/7730A593-D30E-BEC5-D334-D5923E0D0ED4/libRScpp.so 106 | [105] 082F10E8-6389-E0F8-F638-FFA437CCD1F1 0x0000007aa1f83000 /home/polka/.lldb/module_cache/remote-android/.cache/082F10E8-6389-E0F8-F638-FFA437CCD1F1/libskiaso.so 107 | [106] 4E49C122-DA47-1BC6-3B59-4B32C25BF664 0x0000007aa10c5000 /home/polka/.lldb/module_cache/remote-android/.cache/4E49C122-DA47-1BC6-3B59-4B32C25BF664/android.hardware.media.omx@1.0.so 108 | [107] 3FECB8BC-5F58-225A-5C1E-6BA56BF1F589 0x0000007aa0e82000 /home/polka/.lldb/module_cache/remote-android/.cache/3FECB8BC-5F58-225A-5C1E-6BA56BF1F589/libdrmframework.so 109 | [108] 
A42B2F93-E3F1-9A4E-B55C-996FA6009B1C 0x0000007aa089a000 /home/polka/.lldb/module_cache/remote-android/.cache/A42B2F93-E3F1-9A4E-B55C-996FA6009B1C/libion.so 110 | [109] 089306B1 0x0000007aa455f000 /home/polka/.lldb/module_cache/remote-android/.cache/089306B1/libmediautils.so 111 | [110] DE06DF6E 0x0000007aa3e4d000 /home/polka/.lldb/module_cache/remote-android/.cache/DE06DF6E/libstagefright_codecbase.so 112 | [111] 78AA20AB 0x0000007aa4184000 /home/polka/.lldb/module_cache/remote-android/.cache/78AA20AB/libstagefright_omx_utils.so 113 | [112] CEFEF506 0x0000007aa2686000 /home/polka/.lldb/module_cache/remote-android/.cache/CEFEF506/libstagefright_xmlparser.so 114 | [113] A3849ED4-DFD0-D312-C086-9DB920DC823E 0x0000007aa4897000 /home/polka/.lldb/module_cache/remote-android/.cache/A3849ED4-DFD0-D312-C086-9DB920DC823E/libhidlallocatorutils.so 115 | [114] 32BB1058-0140-9BE6-FD05-B9A2B3600F76 0x0000007aa5188000 /home/polka/.lldb/module_cache/remote-android/.cache/32BB1058-0140-9BE6-FD05-B9A2B3600F76/libhidlmemory.so 116 | [115] D10A3F0C-E52A-0E7F-04FB-2C8F95D991AD 0x0000007aa3c88000 /home/polka/.lldb/module_cache/remote-android/.cache/D10A3F0C-E52A-0E7F-04FB-2C8F95D991AD/android.hidl.allocator@1.0.so 117 | [116] 58E4AAC8-C625-1DEA-F5A4-F7F712DBBDC8 0x0000007aa07c0000 /home/polka/.lldb/module_cache/remote-android/.cache/58E4AAC8-C625-1DEA-F5A4-F7F712DBBDC8/android.hidl.memory@1.0.so 118 | [117] ABAF7E86-2689-9109-369E-80880603C184 0x0000007aa2f89000 /home/polka/.lldb/module_cache/remote-android/.cache/ABAF7E86-2689-9109-369E-80880603C184/android.hardware.cas.native@1.0.so 119 | [118] 80C7E2EB-0FDD-45A8-6C41-AF23D4961580 0x0000007aa4811000 /home/polka/.lldb/module_cache/remote-android/.cache/80C7E2EB-0FDD-45A8-6C41-AF23D4961580/android.hardware.configstore@1.1.so 120 | [119] D201F4BE-FC32-D7AC-0E71-F2B30302BBDE 0x0000007aa5950000 /home/polka/.lldb/module_cache/remote-android/.cache/D201F4BE-FC32-D7AC-0E71-F2B30302BBDE/android.hidl.token@1.0.so 121 | [120] 
B15FEBDF-3953-D805-4387-BD62777D2C53 0x0000007aa0848000 /home/polka/.lldb/module_cache/remote-android/.cache/B15FEBDF-3953-D805-4387-BD62777D2C53/android.hardware.media@1.0.so 122 | [121] 56FFBEB6-F912-44B7-C220-828B365DFBDB 0x0000007aa5b9e000 /home/polka/.lldb/module_cache/remote-android/.cache/56FFBEB6-F912-44B7-C220-828B365DFBDB/libunwind.so 123 | [122] 0E07BD0B-9B1F-C8EF-4E72-CD20F7406CD2 0x0000007aa0fc7000 /home/polka/.lldb/module_cache/remote-android/.cache/0E07BD0B-9B1F-C8EF-4E72-CD20F7406CD2/libunwindstack.so 124 | [123] A2594C7E-7212-23C3-717C-A6D8EBA60E79 0x0000007aa1442000 /home/polka/.lldb/module_cache/remote-android/.cache/A2594C7E-7212-23C3-717C-A6D8EBA60E79/libdexfile.so 125 | [124] BD9AB15D-45D1-EEA9-E10C-A2364E953272 0x0000007aa0d0c000 /home/polka/.lldb/module_cache/remote-android/.cache/BD9AB15D-45D1-EEA9-E10C-A2364E953272/libstdc++.so 126 | [125] 030866C7-8341-000D-5412-60BB391C9BB6 0x0000007aa05dd000 /home/polka/.lldb/module_cache/remote-android/.cache/030866C7-8341-000D-5412-60BB391C9BB6/libspeexresampler.so 127 | [126] 86DD74E7-9B13-2B6F-1009-9BA3846F72CF 0x0000007aa1310000 /home/polka/.lldb/module_cache/remote-android/.cache/86DD74E7-9B13-2B6F-1009-9BA3846F72CF/android.hidl.memory.token@1.0.so 128 | [127] B044F9C7-344E-216A-01F5-03291E6F80CE 0x0000007aa1056000 /home/polka/.lldb/module_cache/remote-android/.cache/B044F9C7-344E-216A-01F5-03291E6F80CE/android.hardware.cas@1.0.so 129 | [128] 59C120B1-70AB-4B67-C64F-6D39A17E417E 0x0000007aa13f3000 /home/polka/.lldb/module_cache/remote-android/.cache/59C120B1-70AB-4B67-C64F-6D39A17E417E/liblzma.so 130 | [129] 1E4A7A11-B95D-7088-7B63-A5BDDFD088EA 0x0000007a2025e000 /home/polka/.lldb/module_cache/remote-android/.cache/1E4A7A11-B95D-7088-7B63-A5BDDFD088EA/libavenhancements.so 131 | [130] 9028A27A 0x0000007a1f9ca000 /home/polka/.lldb/module_cache/remote-android/.cache/9028A27A/libstagefright_httplive.so 132 | [131] 0DDDF350 0x0000007a1fc51000 
/home/polka/.lldb/module_cache/remote-android/.cache/0DDDF350/libmediaplayerservice.so 133 | [132] 31038824 0x0000007a1fba6000 /home/polka/.lldb/module_cache/remote-android/.cache/31038824/libstagefright_omx.so 134 | [133] 7641FFE8-9447-6CEE-DC3A-6134D83552C7 0x0000007a1fb0e000 /home/polka/.lldb/module_cache/remote-android/.cache/7641FFE8-9447-6CEE-DC3A-6134D83552C7/libmediadrm.so 135 | [134] 686E8616-7F7D-A487-C10F-5A30E21A313E 0x0000007a1fa91000 /home/polka/.lldb/module_cache/remote-android/.cache/686E8616-7F7D-A487-C10F-5A30E21A313E/libpowermanager.so 136 | [135] A68866B9 0x0000007aa60c0000 /home/polka/.lldb/module_cache/remote-android/.cache/A68866B9/libstagefright_bufferqueue_helper.so 137 | [136] 731E6A39-0686-B8F7-D0CD-8639CAEB0E7B 0x0000007a1fac0000 /home/polka/.lldb/module_cache/remote-android/.cache/731E6A39-0686-B8F7-D0CD-8639CAEB0E7B/libmediadrmmetrics_lite.so 138 | [137] E56C8703-6755-595A-F8DC-4E90FE2DB062 0x0000007a1f94a000 /home/polka/.lldb/module_cache/remote-android/.cache/E56C8703-6755-595A-F8DC-4E90FE2DB062/android.hardware.drm@1.0.so 139 | [138] 7AD7B232-CE86-0A47-71E9-212BB27F251D 0x0000007a202db000 /home/polka/.lldb/module_cache/remote-android/.cache/7AD7B232-CE86-0A47-71E9-212BB27F251D/android.hardware.drm@1.1.so 140 | [139] 5F95CDFF-154C-3C5A-509E-19E741D451B6 0x0000007a1f2c6000 /home/polka/.lldb/module_cache/remote-android/.cache/5F95CDFF-154C-3C5A-509E-19E741D451B6/libart.so 141 | [140] DB26196F-6227-569C-36C7-91332C7717BF 0x0000007a1f246000 /home/polka/.lldb/module_cache/remote-android/.cache/DB26196F-6227-569C-36C7-91332C7717BF/liblz4.so 142 | [141] 68A0ECB4-7F78-AF6E-F94A-053DF710F8C1 0x0000007a1f206000 /home/polka/.lldb/module_cache/remote-android/.cache/68A0ECB4-7F78-AF6E-F94A-053DF710F8C1/libmetricslogger.so 143 | [142] D2C0E359-05EF-7771-A81E-811BE353A050 0x0000007a1f909000 /home/polka/.lldb/module_cache/remote-android/.cache/D2C0E359-05EF-7771-A81E-811BE353A050/libtombstoned_client.so 144 | [143] 
A4F10DD5-3616-AB14-EFF2-652E8FF42B59 0x0000007a1f28c000 /home/polka/.lldb/module_cache/remote-android/.cache/A4F10DD5-3616-AB14-EFF2-652E8FF42B59/libsigchain.so 145 | [144] 5270BF98-2961-25CF-F0F5-433423636822-06BAF2FB 0x0000000070d4c000 /home/polka/.lldb/module_cache/remote-android/.cache/5270BF98-2961-25CF-F0F5-433423636822-06BAF2FB/boot.oat 146 | /home/polka/.lldb/module_cache/remote-android/.cache/5270BF98-2961-25CF-F0F5-433423636822-06BAF2FB/boot.oat.sym 147 | [145] 29C7E1E1-3A59-56B6-5D9E-4BE684259130-E59C2E48 0x0000000070d58000 /home/polka/.lldb/module_cache/remote-android/.cache/29C7E1E1-3A59-56B6-5D9E-4BE684259130-E59C2E48/boot-com.qualcomm.qti.camera.oat 148 | /home/polka/.lldb/module_cache/remote-android/.cache/29C7E1E1-3A59-56B6-5D9E-4BE684259130-E59C2E48/boot-com.qualcomm.qti.camera.oat.sym 149 | [146] CFBA5C9E-F4CC-977C-CD9B-B9769905E2A4-0FD11211 0x0000000070d60000 /home/polka/.lldb/module_cache/remote-android/.cache/CFBA5C9E-F4CC-977C-CD9B-B9769905E2A4-0FD11211/boot-QPerformance.oat 150 | /home/polka/.lldb/module_cache/remote-android/.cache/CFBA5C9E-F4CC-977C-CD9B-B9769905E2A4-0FD11211/boot-QPerformance.oat.sym 151 | [147] 9F6191F8-E3C9-5DE1-7E25-CC6045EA8FEB-92601277 0x0000000070d6a000 /home/polka/.lldb/module_cache/remote-android/.cache/9F6191F8-E3C9-5DE1-7E25-CC6045EA8FEB-92601277/boot-UxPerformance.oat 152 | /home/polka/.lldb/module_cache/remote-android/.cache/9F6191F8-E3C9-5DE1-7E25-CC6045EA8FEB-92601277/boot-UxPerformance.oat.sym 153 | [148] 57A13F49-BA50-F8E4-C73C-A55F2C37D966-13B66462 0x0000000070d73000 /home/polka/.lldb/module_cache/remote-android/.cache/57A13F49-BA50-F8E4-C73C-A55F2C37D966-13B66462/boot-core-oj.oat 154 | /home/polka/.lldb/module_cache/remote-android/.cache/57A13F49-BA50-F8E4-C73C-A55F2C37D966-13B66462/boot-core-oj.oat.sym 155 | [149] 8B26786E-183E-FE99-9BE8-920934C484B9-7FC4486D 0x0000000071644000 /home/polka/.lldb/module_cache/remote-android/.cache/8B26786E-183E-FE99-9BE8-920934C484B9-7FC4486D/boot-core-libart.oat 156 | 
/home/polka/.lldb/module_cache/remote-android/.cache/8B26786E-183E-FE99-9BE8-920934C484B9-7FC4486D/boot-core-libart.oat.sym 157 | [150] BB443866-5BAD-B643-E683-776E80F8210A-04C91DB0 0x0000000071b07000 /home/polka/.lldb/module_cache/remote-android/.cache/BB443866-5BAD-B643-E683-776E80F8210A-04C91DB0/boot-conscrypt.oat 158 | /home/polka/.lldb/module_cache/remote-android/.cache/BB443866-5BAD-B643-E683-776E80F8210A-04C91DB0/boot-conscrypt.oat.sym 159 | [151] B8E0D641-FB0F-9401-E2F5-D01F805FD9A9-3A1D2096 0x0000000071bb4000 /home/polka/.lldb/module_cache/remote-android/.cache/B8E0D641-FB0F-9401-E2F5-D01F805FD9A9-3A1D2096/boot-okhttp.oat 160 | /home/polka/.lldb/module_cache/remote-android/.cache/B8E0D641-FB0F-9401-E2F5-D01F805FD9A9-3A1D2096/boot-okhttp.oat.sym 161 | [152] 4FED344E-3843-52DD-32A5-515B4109767C-545C0AD6 0x0000000071c74000 /home/polka/.lldb/module_cache/remote-android/.cache/4FED344E-3843-52DD-32A5-515B4109767C-545C0AD6/boot-bouncycastle.oat 162 | /home/polka/.lldb/module_cache/remote-android/.cache/4FED344E-3843-52DD-32A5-515B4109767C-545C0AD6/boot-bouncycastle.oat.sym 163 | [153] 9A4C29B8-1B86-AD60-6BC7-3EA0B13B376C-C80D2698 0x0000000071e12000 /home/polka/.lldb/module_cache/remote-android/.cache/9A4C29B8-1B86-AD60-6BC7-3EA0B13B376C-C80D2698/boot-apache-xml.oat 164 | /home/polka/.lldb/module_cache/remote-android/.cache/9A4C29B8-1B86-AD60-6BC7-3EA0B13B376C-C80D2698/boot-apache-xml.oat.sym 165 | [154] 14F75798-BE23-32EE-551C-9EFDFFB7840E-5BF281D6 0x0000000071f5f000 /home/polka/.lldb/module_cache/remote-android/.cache/14F75798-BE23-32EE-551C-9EFDFFB7840E-5BF281D6/boot-ext.oat 166 | /home/polka/.lldb/module_cache/remote-android/.cache/14F75798-BE23-32EE-551C-9EFDFFB7840E-5BF281D6/boot-ext.oat.sym 167 | [155] F93DDA5E-D72A-4507-48FB-FE69F38A89FF-37D35283 0x0000000072078000 /home/polka/.lldb/module_cache/remote-android/.cache/F93DDA5E-D72A-4507-48FB-FE69F38A89FF-37D35283/boot-framework.oat 168 | 
/home/polka/.lldb/module_cache/remote-android/.cache/F93DDA5E-D72A-4507-48FB-FE69F38A89FF-37D35283/boot-framework.oat.sym 169 | [156] 43E29B78-F861-401A-373C-A07981F7C09D-8FE99CFB 0x0000000074378000 /home/polka/.lldb/module_cache/remote-android/.cache/43E29B78-F861-401A-373C-A07981F7C09D-8FE99CFB/boot-telephony-common.oat 170 | /home/polka/.lldb/module_cache/remote-android/.cache/43E29B78-F861-401A-373C-A07981F7C09D-8FE99CFB/boot-telephony-common.oat.sym 171 | [157] 0687B4DD-F7C5-D766-0B83-06407426B2EC-2E677006 0x0000000074866000 /home/polka/.lldb/module_cache/remote-android/.cache/0687B4DD-F7C5-D766-0B83-06407426B2EC-2E677006/boot-voip-common.oat 172 | /home/polka/.lldb/module_cache/remote-android/.cache/0687B4DD-F7C5-D766-0B83-06407426B2EC-2E677006/boot-voip-common.oat.sym 173 | [158] 0D966718-C355-9701-5C37-A0FAE5B35879-0EAF951C 0x0000000074894000 /home/polka/.lldb/module_cache/remote-android/.cache/0D966718-C355-9701-5C37-A0FAE5B35879-0EAF951C/boot-ims-common.oat 174 | /home/polka/.lldb/module_cache/remote-android/.cache/0D966718-C355-9701-5C37-A0FAE5B35879-0EAF951C/boot-ims-common.oat.sym 175 | [159] D89B0695-48D5-27C4-5307-B218D6A6197F-5F3BBB7B 0x00000000748d3000 /home/polka/.lldb/module_cache/remote-android/.cache/D89B0695-48D5-27C4-5307-B218D6A6197F-5F3BBB7B/boot-android.hidl.base-V1.0-java.oat 176 | /home/polka/.lldb/module_cache/remote-android/.cache/D89B0695-48D5-27C4-5307-B218D6A6197F-5F3BBB7B/boot-android.hidl.base-V1.0-java.oat.sym 177 | [160] DC1193E2-D26B-0D59-AABE-7FE4CC72DB74-52F2F499 0x00000000748dd000 /home/polka/.lldb/module_cache/remote-android/.cache/DC1193E2-D26B-0D59-AABE-7FE4CC72DB74-52F2F499/boot-android.hidl.manager-V1.0-java.oat 178 | /home/polka/.lldb/module_cache/remote-android/.cache/DC1193E2-D26B-0D59-AABE-7FE4CC72DB74-52F2F499/boot-android.hidl.manager-V1.0-java.oat.sym 179 | [161] 0B9576E8-E1F7-A698-0E88-ED4DB15CEEAA-3048D129 0x00000000748ed000 
/home/polka/.lldb/module_cache/remote-android/.cache/0B9576E8-E1F7-A698-0E88-ED4DB15CEEAA-3048D129/boot-framework-oahl-backward-compatibility.oat 180 | /home/polka/.lldb/module_cache/remote-android/.cache/0B9576E8-E1F7-A698-0E88-ED4DB15CEEAA-3048D129/boot-framework-oahl-backward-compatibility.oat.sym 181 | [162] A430A174-D8F6-DE54-9E90-414FBC6BC3B2-EE44ECCD 0x00000000748f5000 /home/polka/.lldb/module_cache/remote-android/.cache/A430A174-D8F6-DE54-9E90-414FBC6BC3B2-EE44ECCD/boot-android.test.base.oat 182 | /home/polka/.lldb/module_cache/remote-android/.cache/A430A174-D8F6-DE54-9E90-414FBC6BC3B2-EE44ECCD/boot-android.test.base.oat.sym 183 | [163] 81838FF6-73F2-01EE-00CE-347FE47BDF5B-55926000 0x0000000074904000 /home/polka/.lldb/module_cache/remote-android/.cache/81838FF6-73F2-01EE-00CE-347FE47BDF5B-55926000/boot-oneplus_sdk_utils.oat 184 | /home/polka/.lldb/module_cache/remote-android/.cache/81838FF6-73F2-01EE-00CE-347FE47BDF5B-55926000/boot-oneplus_sdk_utils.oat.sym 185 | [164] 34D6A65B-B02D-D1AC-4525-DB9DD39136B3-65186062 0x000000007490e000 /home/polka/.lldb/module_cache/remote-android/.cache/34D6A65B-B02D-D1AC-4525-DB9DD39136B3-65186062/boot-oneplus_sdk_wrapper.oat 186 | /home/polka/.lldb/module_cache/remote-android/.cache/34D6A65B-B02D-D1AC-4525-DB9DD39136B3-65186062/boot-oneplus_sdk_wrapper.oat.sym 187 | [165] 1EC5FDAC-7E20-10A7-A67A-8AA3DDED3CC2-7EBF7A63 0x0000000074916000 /home/polka/.lldb/module_cache/remote-android/.cache/1EC5FDAC-7E20-10A7-A67A-8AA3DDED3CC2-7EBF7A63/boot-com.nxp.nfc.oat 188 | /home/polka/.lldb/module_cache/remote-android/.cache/1EC5FDAC-7E20-10A7-A67A-8AA3DDED3CC2-7EBF7A63/boot-com.nxp.nfc.oat.sym 189 | [166] FB64A9A7-14E9-D155-E073-7FEABDC1CA2E-38E3B055 0x000000007493a000 /home/polka/.lldb/module_cache/remote-android/.cache/FB64A9A7-14E9-D155-E073-7FEABDC1CA2E-38E3B055/boot-tcmiface.oat 190 | /home/polka/.lldb/module_cache/remote-android/.cache/FB64A9A7-14E9-D155-E073-7FEABDC1CA2E-38E3B055/boot-tcmiface.oat.sym 191 | [167] 
0D210957-F7B4-6245-7520-9138A719F427-20E8C7BF 0x0000000074942000 /home/polka/.lldb/module_cache/remote-android/.cache/0D210957-F7B4-6245-7520-9138A719F427-20E8C7BF/boot-telephony-ext.oat 192 | /home/polka/.lldb/module_cache/remote-android/.cache/0D210957-F7B4-6245-7520-9138A719F427-20E8C7BF/boot-telephony-ext.oat.sym 193 | [168] A2021A01-8A6D-5DFF-D0DA-DF57D8F1236E-B51B8636 0x000000007494f000 /home/polka/.lldb/module_cache/remote-android/.cache/A2021A01-8A6D-5DFF-D0DA-DF57D8F1236E-B51B8636/boot-qcnvitems.oat 194 | /home/polka/.lldb/module_cache/remote-android/.cache/A2021A01-8A6D-5DFF-D0DA-DF57D8F1236E-B51B8636/boot-qcnvitems.oat.sym 195 | [169] C677913B-DEA2-A6FC-5045-7D16A4CBD830-6107B49D 0x0000000074974000 /home/polka/.lldb/module_cache/remote-android/.cache/C677913B-DEA2-A6FC-5045-7D16A4CBD830-6107B49D/boot-qcrilhook.oat 196 | /home/polka/.lldb/module_cache/remote-android/.cache/C677913B-DEA2-A6FC-5045-7D16A4CBD830-6107B49D/boot-qcrilhook.oat.sym 197 | [170] E5B3B320-6FF7-479F-4BE0-49FCC421513D-8C5D7BB7 0x00000000749a4000 /home/polka/.lldb/module_cache/remote-android/.cache/E5B3B320-6FF7-479F-4BE0-49FCC421513D-8C5D7BB7/boot-WfdCommon.oat 198 | /home/polka/.lldb/module_cache/remote-android/.cache/E5B3B320-6FF7-479F-4BE0-49FCC421513D-8C5D7BB7/boot-WfdCommon.oat.sym 199 | [171] 6A625B8E-09F1-A9A6-6A6F-DC8E43C1FF15-23261F74 0x00000000749c2000 /home/polka/.lldb/module_cache/remote-android/.cache/6A625B8E-09F1-A9A6-6A6F-DC8E43C1FF15-23261F74/boot-oem-services.oat 200 | /home/polka/.lldb/module_cache/remote-android/.cache/6A625B8E-09F1-A9A6-6A6F-DC8E43C1FF15-23261F74/boot-oem-services.oat.sym 201 | [172] AD1E4B33-1799-D520-1970-55E0D31172EA-373E721A 0x00000000749ca000 /home/polka/.lldb/module_cache/remote-android/.cache/AD1E4B33-1799-D520-1970-55E0D31172EA-373E721A/boot-wapicertstore.oat 202 | /home/polka/.lldb/module_cache/remote-android/.cache/AD1E4B33-1799-D520-1970-55E0D31172EA-373E721A/boot-wapicertstore.oat.sym 203 | [173] 2038FCEC-B74E-FC0C-4871-769A746AD41A 
0x0000007a1bf04000 /home/polka/.lldb/module_cache/remote-android/.cache/2038FCEC-B74E-FC0C-4871-769A746AD41A/libadbconnection.so 204 | [174] 7722CF55-3E0A-FC1C-BCE3-376F71F243FC 0x0000007a1bed2000 /home/polka/.lldb/module_cache/remote-android/.cache/7722CF55-3E0A-FC1C-BCE3-376F71F243FC/libandroid.so 205 | [175] 055DAB9C 0x0000007a1be5d000 /home/polka/.lldb/module_cache/remote-android/.cache/055DAB9C/libaaudio.so 206 | [176] A6BA343C 0x0000007a1be07000 /home/polka/.lldb/module_cache/remote-android/.cache/A6BA343C/libcamera2ndk.so 207 | [177] 3B926612 0x0000007a1bcc2000 /home/polka/.lldb/module_cache/remote-android/.cache/3B926612/libmediandk.so 208 | [178] 4E1B46C9-6EE4-3427-37F0-2D8982308C73 0x0000007a1bba0000 /home/polka/.lldb/module_cache/remote-android/.cache/4E1B46C9-6EE4-3427-37F0-2D8982308C73/libmedia_jni.so 209 | [179] 0C32045A-1D26-932C-2793-6CEA28BFABEF 0x0000007a1bd45000 /home/polka/.lldb/module_cache/remote-android/.cache/0C32045A-1D26-932C-2793-6CEA28BFABEF/libmidi.so 210 | [180] DEFB8ADA 0x0000007a1bc4e000 /home/polka/.lldb/module_cache/remote-android/.cache/DEFB8ADA/libmtp.so 211 | [181] F7FE0068-6E08-C709-CCC5-7CE7F2748D07 0x0000007a1bd93000 /home/polka/.lldb/module_cache/remote-android/.cache/F7FE0068-6E08-C709-CCC5-7CE7F2748D07/libexif.so 212 | [182] 0E8200C6-880B-E41D-6040-FE045726469A 0x0000007a1bd00000 /home/polka/.lldb/module_cache/remote-android/.cache/0E8200C6-880B-E41D-6040-FE045726469A/libasyncio.so 213 | [183] 1152C723-0E1C-7EA0-AD40-69E40C065C90 0x0000007a1bb43000 /home/polka/.lldb/module_cache/remote-android/.cache/1152C723-0E1C-7EA0-AD40-69E40C065C90/libGLESv3.so 214 | [184] 9270F4FD-0346-53F9-FA4D-8D7AF76D6E22 0x0000007a1bb0b000 /home/polka/.lldb/module_cache/remote-android/.cache/9270F4FD-0346-53F9-FA4D-8D7AF76D6E22/libjnigraphics.so 215 | [185] B35BDF75-41BC-C986-A1AD-F58DC88EE652 0x0000007a1b746000 /home/polka/.lldb/module_cache/remote-android/.cache/B35BDF75-41BC-C986-A1AD-F58DC88EE652/libneuralnetworks.so 216 | [186] 
050D9BF6-23AE-9A39-102B-3844B665C9E1 0x0000007a1ba1e000 /home/polka/.lldb/module_cache/remote-android/.cache/050D9BF6-23AE-9A39-102B-3844B665C9E1/libtextclassifier_hash.so 217 | [187] A0B5CFD2-EE49-183B-9215-8614C347A4F2 0x0000007a1ba8d000 /home/polka/.lldb/module_cache/remote-android/.cache/A0B5CFD2-EE49-183B-9215-8614C347A4F2/android.hardware.neuralnetworks@1.0.so 218 | [188] 9A0D283D-2ED7-52DB-FF94-3C8C45EFDAA0 0x0000007a1ba41000 /home/polka/.lldb/module_cache/remote-android/.cache/9A0D283D-2ED7-52DB-FF94-3C8C45EFDAA0/android.hardware.neuralnetworks@1.1.so 219 | [189] CEC5396F-DA04-4DDC-4A8D-2D5D624AA24D 0x0000007a1b71f000 /home/polka/.lldb/module_cache/remote-android/.cache/CEC5396F-DA04-4DDC-4A8D-2D5D624AA24D/libOpenMAXAL.so 220 | [190] C06E5D75-061D-2634-11AD-5A3A1B44AF84 0x0000007a1b6cd000 /home/polka/.lldb/module_cache/remote-android/.cache/C06E5D75-061D-2634-11AD-5A3A1B44AF84/libOpenSLES.so 221 | [191] BF3F8F74-F2A3-96BC-8CE3-8FBFF1202C6C 0x0000007a1b60d000 /home/polka/.lldb/module_cache/remote-android/.cache/BF3F8F74-F2A3-96BC-8CE3-8FBFF1202C6C/libRS.so 222 | [192] 27F9A1B1-CA18-40F6-FCAE-F4D9291967BB 0x0000007a1b654000 /home/polka/.lldb/module_cache/remote-android/.cache/27F9A1B1-CA18-40F6-FCAE-F4D9291967BB/android.hardware.renderscript@1.0.so 223 | [193] 5AB5F68C-E179-C188-D754-14A23F9883DB 0x0000007a1b5c0000 /home/polka/.lldb/module_cache/remote-android/.cache/5AB5F68C-E179-C188-D754-14A23F9883DB/libwebviewchromium_plat_support.so 224 | [194] 425D03BA-7D4F-3728-94B3-EE48CDE1FADF 0x0000007a1b55b000 /home/polka/.lldb/module_cache/remote-android/.cache/425D03BA-7D4F-3728-94B3-EE48CDE1FADF/libjavacore.so 225 | [195] 32E0B332-42B8-274E-087C-29404F70BD89 0x0000007a19de6000 /home/polka/.lldb/module_cache/remote-android/.cache/32E0B332-42B8-274E-087C-29404F70BD89/libopenjdk.so 226 | [196] 2F17F2EC-8B93-A013-D9CA-AE8A47CE14B4 0x0000007a19d13000 /home/polka/.lldb/module_cache/remote-android/.cache/2F17F2EC-8B93-A013-D9CA-AE8A47CE14B4/libssl.so 227 | [197] 
48376FD5-52EC-3890-AE75-84E1707BAA16 0x0000007a19d8a000 /home/polka/.lldb/module_cache/remote-android/.cache/48376FD5-52EC-3890-AE75-84E1707BAA16/libopenjdkjvm.so 228 | [198] A6E0BCE3-CC1F-4B0E-7CCB-80516BE078C1 0x0000007a199e2000 /home/polka/.lldb/module_cache/remote-android/.cache/A6E0BCE3-CC1F-4B0E-7CCB-80516BE078C1/libart-compiler.so 229 | [199] F56B5E5C-237E-B1FC-32DD-C74930006A05 0x0000007a19786000 /home/polka/.lldb/module_cache/remote-android/.cache/F56B5E5C-237E-B1FC-32DD-C74930006A05/libvixl-arm.so 230 | [200] 1337E76D-5E7B-89F7-72E8-FFB3AD9F73A1 0x0000007a198c7000 /home/polka/.lldb/module_cache/remote-android/.cache/1337E76D-5E7B-89F7-72E8-FFB3AD9F73A1/libvixl-arm64.so 231 | [201] 33921111-AC1E-43A7-7479-5CC94B93D1D9 0x0000007a19053000 /home/polka/.lldb/module_cache/remote-android/.cache/33921111-AC1E-43A7-7479-5CC94B93D1D9/libqti-at.so 232 | [202] 6D597935-524F-672C-63F6-36C98900CE55 0x0000007a18e8d000 /home/polka/.lldb/module_cache/remote-android/.cache/6D597935-524F-672C-63F6-36C98900CE55/libxml2.so 233 | [203] 07116828-D3FB-8DDF-EBF2-8021A90C187A 0x0000007a18e53000 /home/polka/.lldb/module_cache/remote-android/.cache/07116828-D3FB-8DDF-EBF2-8021A90C187A/libqti-util_system.so 234 | [204] 1E52AC2A-3358-0AF6-C6F5-EB04652FC0A3 0x0000007a19017000 /home/polka/.lldb/module_cache/remote-android/.cache/1E52AC2A-3358-0AF6-C6F5-EB04652FC0A3/libqti-perfd-client_system.so 235 | [205] 0B92E204-ED3B-7A9E-3F34-CD28F083A1A9 0x0000007a19090000 /home/polka/.lldb/module_cache/remote-android/.cache/0B92E204-ED3B-7A9E-3F34-CD28F083A1A9/vendor.qti.hardware.perf@1.0.so 236 | [206] 25A191FE-A9C9-0EE7-B823-1F53918D51C7 0x0000007a10d5c000 /home/polka/.lldb/module_cache/remote-android/.cache/25A191FE-A9C9-0EE7-B823-1F53918D51C7/libsoundpool.so 237 | [207] 7AFD1BBE-3CB7-744C-67BE-1FE1802E9B50 0x0000007a10cd8000 /home/polka/.lldb/module_cache/remote-android/.cache/7AFD1BBE-3CB7-744C-67BE-1FE1802E9B50/libjavacrypto.so 238 | [208] F2D50CAB-89DE-3F7C-AF34-91627A73BAE2 
0x0000007a0fa0e000 /home/polka/.lldb/module_cache/remote-android/.cache/F2D50CAB-89DE-3F7C-AF34-91627A73BAE2/android.hardware.graphics.mapper@2.0-impl.so 239 | [209] 3FBA4E7E-3D12-132B-6B73-7CF4239BF914 0x0000007a0f98e000 /home/polka/.lldb/module_cache/remote-android/.cache/3FBA4E7E-3D12-132B-6B73-7CF4239BF914/android.hardware.graphics.mapper@2.0.so 240 | [210] 2C5A7C89-C7DE-A21A-ACEB-8ACCBE8A3EBF 0x0000007a0f796000 /home/polka/.lldb/module_cache/remote-android/.cache/2C5A7C89-C7DE-A21A-ACEB-8ACCBE8A3EBF/android.hardware.graphics.common@1.0.so 241 | [211] B8A81BA2-CBB0-0CF5-1D27-CA7E059CCA83 0x0000007a0f8c6000 /home/polka/.lldb/module_cache/remote-android/.cache/B8A81BA2-CBB0-0CF5-1D27-CA7E059CCA83/libhidlbase.so 242 | [212] 3C8DEE3A-7852-4657-6607-DDEC26BFF0CD 0x0000007a0f707000 /home/polka/.lldb/module_cache/remote-android/.cache/3C8DEE3A-7852-4657-6607-DDEC26BFF0CD/libhidltransport.so 243 | [213] B63116FC 0x0000007a0f9c8000 /home/polka/.lldb/module_cache/remote-android/.cache/B63116FC/libhwbinder.so 244 | [214] 409FB954-CADE-F3C4-95C1-C11A4CAF7322 0x0000007a0f90f000 /home/polka/.lldb/module_cache/remote-android/.cache/409FB954-CADE-F3C4-95C1-C11A4CAF7322/libutils.so 245 | [215] 1A96D01B-E63A-7F2C-B507-81B606D9E77F 0x0000007a0f6c4000 /home/polka/.lldb/module_cache/remote-android/.cache/1A96D01B-E63A-7F2C-B507-81B606D9E77F/libcutils.so 246 | [216] 8E1D5C5F-C5B0-88A0-4C74-40A29B353C2F 0x0000007a0f7c2000 /home/polka/.lldb/module_cache/remote-android/.cache/8E1D5C5F-C5B0-88A0-4C74-40A29B353C2F/libc++.so 247 | [217] B0E4C124-699F-55DF-F802-2153162C39D9 0x0000007a0fa43000 /home/polka/.lldb/module_cache/remote-android/.cache/B0E4C124-699F-55DF-F802-2153162C39D9/libbase.so 248 | [218] 36EF3280-2F74-4F73-53B2-4F6CA910353F 0x0000007a0f942000 /home/polka/.lldb/module_cache/remote-android/.cache/36EF3280-2F74-4F73-53B2-4F6CA910353F/libhardware.so 249 | [219] B0197D2A 0x0000007a0f683000 /home/polka/.lldb/module_cache/remote-android/.cache/B0197D2A/libEGL_adreno.so 250 | [220] 
745C3594 0x0000007a0f64c000 /home/polka/.lldb/module_cache/remote-android/.cache/745C3594/libadreno_utils.so 251 | [221] C2C3EDD6 0x0000007a0f48b000 /home/polka/.lldb/module_cache/remote-android/.cache/C2C3EDD6/libgsl.so 252 | [222] 074672BE-E589-8401-AAD7-75625A4CAB27 0x0000007a0f60d000 /home/polka/.lldb/module_cache/remote-android/.cache/074672BE-E589-8401-AAD7-75625A4CAB27/libz.so 253 | [223] 6201EFE8 0x0000007a0f442000 /home/polka/.lldb/module_cache/remote-android/.cache/6201EFE8/libGLESv1_CM_adreno.so 254 | [224] 0497365D 0x0000007a0ef48000 /home/polka/.lldb/module_cache/remote-android/.cache/0497365D/libGLESv2_adreno.so 255 | [225] C870A764-799B-76B4-CDB4-1A6B96C3B56E 0x0000007a0e00f000 /home/polka/.lldb/module_cache/remote-android/.cache/C870A764-799B-76B4-CDB4-1A6B96C3B56E/libllvm-glnext.so 256 | [226] 67E82478 0x0000007a0f422000 /home/polka/.lldb/module_cache/remote-android/.cache/67E82478/eglSubDriverAndroid.so 257 | [227] 661F1C1A-B356-3F28-C8DF-CAF4D5B36444 0x0000007a0df47000 /home/polka/.lldb/module_cache/remote-android/.cache/661F1C1A-B356-3F28-C8DF-CAF4D5B36444/libcompiler_rt.so 258 | [228] 159A67B0-E691-E4DB-12C2-6DBB7CE24EB9 0x0000007a0df0d000 /home/polka/.lldb/module_cache/remote-android/.cache/159A67B0-E691-E4DB-12C2-6DBB7CE24EB9/libwebviewchromium_loader.so 259 | [229] 49FB315B-E25C-E1E9-BD5A-EDF95C3303F8-1698B82E 0x0000007a05f8c000 /home/polka/.lldb/module_cache/remote-android/.cache/49FB315B-E25C-E1E9-BD5A-EDF95C3303F8-1698B82E/embryo.odex 260 | /home/polka/.lldb/module_cache/remote-android/.cache/49FB315B-E25C-E1E9-BD5A-EDF95C3303F8-1698B82E/embryo.odex.sym 261 | [230] 22755DC0-0CA8-366E-07AF-2B0CCA40E74D-7BCB3577 0x0000007a05f56000 /home/polka/.lldb/module_cache/remote-android/.cache/22755DC0-0CA8-366E-07AF-2B0CCA40E74D-7BCB3577/android.test.mock.odex 262 | /home/polka/.lldb/module_cache/remote-android/.cache/22755DC0-0CA8-366E-07AF-2B0CCA40E74D-7BCB3577/android.test.mock.odex.sym 263 | [231] ABDA897A-9E2C-E385-8B02-C7CA1AA00102-FE3C184A 
0x0000007a05d91000 /home/polka/.lldb/module_cache/remote-android/.cache/ABDA897A-9E2C-E385-8B02-C7CA1AA00102-FE3C184A/org.apache.http.legacy.boot.odex 264 | /home/polka/.lldb/module_cache/remote-android/.cache/ABDA897A-9E2C-E385-8B02-C7CA1AA00102-FE3C184A/org.apache.http.legacy.boot.odex.sym 265 | [232] 4B4A550C-3EF1-693C-581B-03EDA8FF65A5-CDB97BA9 0x0000007a05d5c000 /home/polka/.lldb/module_cache/remote-android/.cache/4B4A550C-3EF1-693C-581B-03EDA8FF65A5-CDB97BA9/android.test.runner.odex 266 | /home/polka/.lldb/module_cache/remote-android/.cache/4B4A550C-3EF1-693C-581B-03EDA8FF65A5-CDB97BA9/android.test.runner.odex.sym 267 | [233] 70D04C0B 0x00000079fb992000 /data/app/com.zhiliaoapp.musically-H56ldDWhbvT6pJYMYIuUjA==/oat/arm64/base.odex (0x00000079fb992000) 268 | [234] 4703E5CC-5CE8-159E-43FC-697BCF2F8551 0x00000079f6c50000 /home/polka/.lldb/module_cache/remote-android/.cache/4703E5CC-5CE8-159E-43FC-697BCF2F8551/libqti_performance.so 269 | [235] 46A38321-C072-51FD-6B9C-1B6E6140D24E 0x00000079f6c10000 /home/polka/.lldb/module_cache/remote-android/.cache/46A38321-C072-51FD-6B9C-1B6E6140D24E/vendor.qti.hardware.iop@2.0.so 270 | [236] 006E6155-6EE7-9B23-40DE-01CD02D9A81F-F49690E2 0x00000079f684b000 /home/polka/.lldb/module_cache/remote-android/.cache/006E6155-6EE7-9B23-40DE-01CD02D9A81F-F49690E2/libjato.so 271 | [237] F32F22E0-0070-510C-C1FA-315F268C0550-15611D3B 0x00000079f682f000 /home/polka/.lldb/module_cache/remote-android/.cache/F32F22E0-0070-510C-C1FA-315F268C0550-15611D3B/libnpth_dl.so 272 | [238] 44167D57-240D-FBAA-B4EA-3578C2055549-83206EBC 0x00000079f6781000 /home/polka/.lldb/module_cache/remote-android/.cache/44167D57-240D-FBAA-B4EA-3578C2055549-83206EBC/libbytehook.so 273 | [239] 8EDE233E-94C7-BE14-8118-8751CF78EAC5-A6C10B08 0x00000079f6751000 /home/polka/.lldb/module_cache/remote-android/.cache/8EDE233E-94C7-BE14-8118-8751CF78EAC5-A6C10B08/libart_sym.so 274 | [240] 79756BA3-599A-6FC0-9BE3-9828B4327658-C7B0C4F1 0x00000079f68a3000 
/home/polka/.lldb/module_cache/remote-android/.cache/79756BA3-599A-6FC0-9BE3-9828B4327658-C7B0C4F1/libshadowhook.so 275 | [241] 31ABEBC1-B564-ADD5-4FE4-3B52CE69ACAC-326BE4FE 0x00000079f68d7000 /home/polka/.lldb/module_cache/remote-android/.cache/31ABEBC1-B564-ADD5-4FE4-3B52CE69ACAC-326BE4FE/libc++_shared.so 276 | [242] 6CC5CC47-9968-B7EB-D68A-671284F4F74F-B2F2A99F 0x00000079f64cd000 /home/polka/.lldb/module_cache/remote-android/.cache/6CC5CC47-9968-B7EB-D68A-671284F4F74F-B2F2A99F/libkeva.so 277 | [243] D3D7524C-80A9-8FD4-B28D-90BFC96F6EFC-7A87F10C 0x00000079f64a5000 /home/polka/.lldb/module_cache/remote-android/.cache/D3D7524C-80A9-8FD4-B28D-90BFC96F6EFC-7A87F10C/libalog.so 278 | 279 | -------------------------------------------------------------------------------- /lagon-loop.txt: -------------------------------------------------------------------------------- 1 | 0x9e290 - rand 2 | 0x9e25c - deref and copy MTP -> ptr to "1233" 3 | 0x9dc7c - dereference_MTP -> "1233" 4 | 0x9dc98 - string::copy 5 | 0x9dca4 - MTP release string 6 | 0x9dc4c - new string size=0x28 7 | 0x9e9e8 - string append?? 
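import lldb
import subprocess


def sh(debugger, command, result, internal_dict):
    """Run an LLDB command and optionally pipe its output into a shell command.

    Registered as the ``sh`` command (see ``__lldb_init_module``).  The
    argument string is split on the first ``|``: the left part is executed by
    the LLDB command interpreter, the right part (if any) is started as a
    shell pipeline that receives the LLDB output on stdin.

    Args:
        debugger: the ``lldb.SBDebugger`` passed in by LLDB.
        command: the raw argument text typed after ``sh``.
        result: the ``lldb.SBCommandReturnObject`` LLDB provides (unused; output
            is printed directly so that a pager on the shell side works).
        internal_dict: LLDB's per-module dict (unused).

    Raises:
        Exception: if the LLDB command itself fails.
    """
    # Split only once: everything after the first '|' belongs to the shell
    # pipeline, so the user can write `sh bt | grep foo | head`.
    lldb_cmd, sep, shell_cmd = command.partition("|")
    lldb_cmd = lldb_cmd.strip()

    if not lldb_cmd:
        print("No LLDB command given. Use: 'sh <lldb command> | <shell command>'")
        return

    interpreter = debugger.GetCommandInterpreter()
    rto = lldb.SBCommandReturnObject()
    interpreter.HandleCommand(lldb_cmd, rto)

    if not rto.Succeeded():
        raise Exception("failed to execute lldb command!")
    output_text = rto.GetOutput()
    if not output_text:
        return

    if not sep:
        # `sh command` is equivalent to `command`
        print(output_text)
        return

    shell_cmd = shell_cmd.strip()
    if not shell_cmd:
        print("No shell command given after '|'. Use: 'sh <lldb command> | <shell command>'")
        return

    # TODO: Not sure what the underlying buffer is for HandleCommand, but
    # ideally do some check/optim for really large output.
    output = output_text.encode('UTF-8')
    # shell=True is deliberate: the text after '|' is the operator's own
    # shell pipeline (pager, grep, ...). Only the LLDB output travels over
    # stdin, never into the command string, so debuggee-controlled output
    # cannot alter what the shell runs.
    proc = subprocess.Popen(shell_cmd, shell=True, stdin=subprocess.PIPE)

    # No timeout here on purpose: it allows piping to a pager. However,
    # it also means that the shell-out process may not be killable by us.
    # Ctrl-C (KeyboardInterrupt) and a closed pipe (OSError, e.g. the pager
    # quit early) are the expected ways out; anything else propagates.
    try:
        proc.communicate(output)
    except (KeyboardInterrupt, OSError):
        print("Unexpected exit, killing subprocess")
        proc.kill()
        proc.communicate()


def __lldb_init_module(debugger, internal_dict):
    """Register (or re-register) the ``sh`` command when LLDB imports this module.

    Args:
        debugger: the ``lldb.SBDebugger`` importing the script.
        internal_dict: LLDB's per-module dict (unused).
    """
    res = lldb.SBCommandReturnObject()
    interpreter = debugger.GetCommandInterpreter()
    # Drop a stale registration first so re-importing the script works.
    interpreter.HandleCommand('command script delete sh', res)
    # Use the module's actual import name rather than a hard-coded one, so
    # the function path resolves whatever file name the script is loaded as.
    debugger.HandleCommand('command script add -f %s.sh sh' % __name__)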
0xeb134a51 30 | 0xb42a1441 31 | 0xd44f57e1 32 | 0xeb134a51 33 | 0xb42a1441 34 | 0xd44f57e1 35 | 0xeb134a51 36 | 0xb42a1441 37 | 0xd44f57e1 38 | 0xeb134a51 39 | 0xb42a1441 40 | 0xd44f57e1 41 | 0xeb134a51 42 | 0xb42a1441 43 | 0xd44f57e1 44 | 0xeb134a51 45 | 0xb42a1441 46 | 0xd44f57e1 47 | 0xeb134a51 48 | 0xb42a1441 49 | 0xd44f57e1 50 | 0xeb134a51 51 | 0xb42a1441 52 | 0xd44f57e1 53 | 0xeb134a51 54 | 0xb42a1441 55 | 0xd44f57e1 56 | 0xeb134a51 57 | 0xb42a1441 58 | 0xd44f57e1 59 | 0xeb134a51 60 | 0xb42a1441 61 | 0xd44f57e1 62 | 0xeb134a51 63 | 0xb42a1441 64 | 0xd44f57e1 65 | 0xeb134a51 66 | 0xe19414c9 67 | 0xe6bb0864 68 | -------------------------------------------------------------------------------- /log.txt.bak: -------------------------------------------------------------------------------- 1 | 0x9e19c - memcpy 2 | 0x9dc4c - new string size=0x8 3 | 0x9dc4c - new string size=0x8 4 | 0x9df50 - scaryjmptbl1 - x0: ptr to url params, x8: output ptr (0x20 length string) 5 | 0x9e1b8 - struct unpack 6 | 0x9e1e8 - sm3_encrypt - x0: ptr to url params, x1: url params length, x2: ptr to output (0x20 length). 
7 | 0x9dc20 - new_string 8 | 0x9e22c - string::assign 9 | 0x9dd0c - string::destroy 10 | 0x9df50 - scaryjmptbl1 - x0: ptr to string with length 0x10 but its zeroed out, x8: output ptr (0x20 length string) 11 | 0x9e1b8 - struct unpack 12 | 0x9e1e8 - sm3_encrypt - x0: zeroed string, x1: length (0x10), x2: output ptr to string, will always be: 106e34a2b8c7bb13156cfdd0d91379dcc47543dcf9787c68ae5eb582620ae6e8 13 | 0x9dc20 - new_string - new string from line 12 14 | 0x9e22c - string::assign 15 | 0x9dd0c - string::destroy 16 | 0x9e24c - struct unpack2 17 | 0x9e1ac - string::init 18 | 0x9e25c - MTP::Copy_mutex 19 | 0x9e1dc - MTP::Copy 20 | 0x9e270 - MTP something 21 | 0x9dca4 - MTP release string 22 | 0x9dc7c - dereference_MTP 23 | 0x9e22c - string::assign 24 | 0x9e290 - rand 25 | 0x9e2a8 - MTP::Copy_mutex 26 | 0x9e2bc - MTP::Copy_mutex 27 | 0x9e1ac - string::init 28 | 0x9e1dc - MTP::Copy 29 | 0x9e270 - MTP something 30 | 0x9dca4 - MTP release string 31 | 0x9dc7c - dereference_MTP 32 | 0x9e22c - string::assign 33 | 0x9e2d0 - dereference_MTP_twice -> one of the derefs produces "1233" 34 | 0x9e31c - MTP::Copy_mutex 35 | 0x9e328 - dereference_MTP 36 | 0x9e344 - MTP::Copy 37 | 0x9e358 - MTP delete 38 | 0x9dcac - dereference_MTP 39 | 0x9e360 - inarg_loop - return app consts: x8: ptr to ptr that filled with app version on output (31.5.3), x0 - array of strings, first contains x8, second contains ptr to "2142840551" (licenseId) 40 | 0x9dcac - dereference_MTP 41 | 0x9e374 - generate_const_ -> 0x04050020 (Argus Version, gets reduced to 0x2 later) 42 | 0x9e38c - decrypt_something -> android version (v04.05.00-ov-android) 43 | 0x9e1b8 - struct unpack -> 0x00000008, not sure what use 44 | 0x9e19c - memcpy 45 | 0x9e19c - memcpy 46 | 0x9e19c - memcpy 47 | 0x9e19c - memcpy 48 | 0x9e19c - memcpy 49 | 0x9e19c - memcpy 50 | 0x9e3a4 - get_sign_key -> is this get_sign_class? 
51 | 0x9e3bc - deref_sign_key 52 | 0x9e1ac - string::init - init "sign" string 53 | 0x9e3d8 - TODO: debug init_export_class - x0: output struct from line 51, x1: "sign" string, returns length of something (0x23) 54 | 0x9dd0c - string::destroy 55 | 0x9e3a4 - get_sign_key 56 | 0x9e3bc - deref_sign_key 57 | 0x9e1ac - string::init - init "setting" string 58 | 0x9e3d8 - TODO (doesnt seem serious) 59 | 0x9dd0c - string::destroy 60 | 0x9e3a4 - get_sign_key 61 | 0x9e3bc - deref_sign_key 62 | 0x9e1ac - string::init - init "report" string 63 | 0x9e3d8 64 | 0x9dd0c - string::destroy 65 | 0x9e3a4 - get_sign_key 66 | 0x9e3bc - deref_sign_key 67 | 0x9e1ac - string::init - init "reportFail" string 68 | 0x9e3d8 69 | 0x9dd0c - string::destroy 70 | 0x9e3f8 - string::is_eq - "1233" and "3019" 71 | 0x9e3f8 - string::is_eq - "1233" and null 72 | 0x9e3a4 - get_sign_key 73 | 0x9e3bc - deref_sign_key 74 | 0x9dc98 - string::copy - "1233" to empty 75 | 0x9e41c - multithread_init_shit 76 | 0x9e438 - dereference_6c - dereference x0+0x6c, returns 0x1 when i ran this 77 | 0x9e454 - TODO: debug - x0 = struct from 74??, x1="1233", w2=0, w3=1, returns w0=0x82 78 | 0x9dd0c - string::destroy 79 | 0x9e3a4 - get_sign_key 80 | 0x9e3bc - deref_sign_key 81 | 0x9dc98 - string::copy - copy "1233" to empty 82 | 0x9e41c - multithread_init_shit 83 | 0x9e438 - dereference_6c - dereference x0+0x6c, returns 0x1 when i ran this 84 | 0x9e478 - some string manipulation, not sure TODO - x0=weird struct, x1= "1233" string, w2=0, w3=1. 
returns 0x1bf in w0 85 | 0x9dd0c - string::destroy - destroy "1233" 86 | 0x9e19c - memcpy - copy a struct of size 0x38, something to do with protobuf (internal struct has 0x28aaeef9 - protobuf magic) 87 | 0x9e4c0 - MPT::Copy 88 | 0x9dc7c - dereference_MTP 89 | 0x9dc98 - string::copy - copies string with "googleplay" 90 | 0x9dca4 - MTP release string 91 | 0x9e4d4 - decrypt4_and_system_property - returns phone model "ONEPLUS A5000" 92 | 0x9e4e8 - scary_jmp_tbl2_vmcode - returns 0x5 in w0 93 | 0x9e500 - scary_jmp_tbl2_vmcode0 - returns 0x0c507c00, const? 94 | 0x9e518 - decrypt2 -> returns "none" (part of protobuf) 95 | 0x9dc4c - new string size=0x8 96 | 0x9dc4c - new string size=0x8 97 | 0x9e538 - string::is_null 98 | 0x9e574 - new_4 99 | 0x9dc54 - MTP::new 100 | 0x9e580 - scary_jmp_tbl - x0: ptr to ptr of protobuf struct, x1: url params, x2: key?, w3=1, x8=output ptr, returns 2 ptrs, first is to a 0xc length encrypted string, second is to 0x1 101 | 0x9dbf8 - memset 102 | 0x9dc0c - rev - reverses second string (0x1) from line 100 -> 0x01000000 103 | 0x9dc20 - new_string string of length 0x4 from line 102 (0x01000000) 104 | 0x9dc30 - new 105 | 0x9dc4c - new string size=0x8 106 | 0x9dc54 - MTP::new 107 | 0x9dc60 - create_md5 - x0: ptr to url params string, w1: 0 (dont hexlify), x8: ptr to two ptrs: first is string with length 0x10 (the md5), second is 0x1 108 | 0x9dc7c - dereference_MTP 109 | 0x9dc98 - string::copy 110 | 0x9dca4 - MTP release string 111 | 0x9dc60 - create_md5 - x0: string of length 0x10 (sometimes with 0x00's), w1: 0. this string is input to line 10 too. 
incase 00's, x8 points to string(lsb): 0xbff94be43613e74a 0xa51848232e75d279 and second ptr to 0x01 112 | 0x9dc7c - dereference_MTP 113 | 0x9dc98 - string::copy 114 | 0x9dca4 - MTP release string 115 | 0x9dd14 - malloc_and_memset 116 | 0x9dcac - dereference_MTP 117 | 0x9dd14 - malloc_and_memset 118 | 0x9dcac - dereference_MTP 119 | 0x9dc60 - create_md5 - x0: string of length 4: 0x01000000, w1: 0 -> 0xa5247651060345f1 0x855999edf8bbaf7e 120 | 0x9dc7c - dereference_MTP 121 | 0x9dd14 - malloc_and_memset 122 | 0x9dcac - dereference_MTP 123 | 0x9dcc8 - finalize_md5_hashes - takes the last 3 hashes, and their first 4 bytes and appends into new string 124 | 0x9dcec - MTP release string no_mutex 125 | 0x9dca4 - MTP release string 126 | 0x9dca4 - MTP release string 127 | 0x9dca4 - MTP release string 128 | 0x9dca4 - MTP release string 129 | 0x9dca4 - MTP release string 130 | 0x9dd0c - string::destroy 131 | 0x9dd0c - string::destroy 132 | 0x9e178 - MTP::is_null 133 | 0x9dcac - dereference_MTP 134 | 0x9dbf8 - memset 135 | 0x9e19c - memcpy 136 | 0x9dc0c - rev - from line 24 (whats the point reving a random string?) 137 | 0x9dcac - dereference_MTP 138 | 0x9e1b8 - struct unpack - extract length from string (md5 combo hash?) 
and place at next to i 139 | 0x9dc30 - new 140 | 0x9e1c8 - std::string::init - empty string with length 0xc 141 | 0x9dc54 - MTP::new 142 | 0x9dcac - dereference_MTP 143 | 0x9dcac - dereference_MTP 144 | 0x9dcac - dereference_MTP 145 | 0x9dcac - dereference_MTP 146 | 0x9dcac - dereference_MTP 147 | 0x9dcac - dereference_MTP 148 | 0x9dcac - dereference_MTP 149 | 0x9dcac - dereference_MTP 150 | 0x9dcac - dereference_MTP 151 | 0x9dcac - dereference_MTP 152 | 0x9dcac - dereference_MTP 153 | 0x9dcac - dereference_MTP 154 | 0x9dcac - dereference_MTP 155 | 0x9dcac - dereference_MTP 156 | 0x9dcac - dereference_MTP 157 | 0x9dcac - dereference_MTP 158 | 0x9dcac - dereference_MTP 159 | 0x9dcac - dereference_MTP 160 | 0x9dcac - dereference_MTP 161 | 0x9dcac - dereference_MTP 162 | 0x9dcac - dereference_MTP 163 | 0x9dcac - dereference_MTP 164 | 0x9dcac - dereference_MTP 165 | 0x9dcac - dereference_MTP 166 | 0x9e1dc - MTP::Copy - // (probably wrong): copy MTP with string with "googleplay" 167 | 0x9dca4 - MTP release string 168 | 0x9dca4 - MTP release string 169 | 0x9dd0c - string::destroy 170 | 0x9dcec - MTP release string no_mutex 171 | 0x9dca4 - MTP release string 172 | 0x9dc30 - new 173 | 0x9e1dc - MTP::Copy - copy MTP with 0xc md5 hash 174 | 0x9e5a0 - MTP::Copy with some unpacking - again 0xc md5 hash, and 0x1 stored before 175 | 0x9e5b4 - release_MTP_and_new_MTP 176 | 0x9dca4 - MTP release string 177 | 0x9e5d4 - decrypt_func1 -> "android" 178 | 0x9e1ac - string::init 179 | 0x9dc98 - string::copy 180 | 0x9dc98 - string::copy 181 | 0x9dc7c - dereference_MTP 182 | 0x9dc98 - string::copy 183 | 0x9dc7c - dereference_MTP 184 | 0x9dc98 - string::copy 185 | 0x9dc7c - dereference_MTP 186 | 0x9dc98 - string::copy 187 | 0x9dc98 - string::copy 188 | 0x9dc98 - string::copy 189 | 0x9e1b8 - struct unpack 190 | 0x9e1b8 - struct unpack 191 | 0x9e1b8 - struct unpack 192 | 0x9e1b8 - struct unpack 193 | 0x9e1b8 - struct unpack 194 | 0x9e1b8 - struct unpack 195 | 0x9e1b8 - struct unpack 196 | 
0x9e5f4 - not sure, seems to trigger for specific urls? - x0: url path (e.g. /ies/speed) x1: struct, *x1 = url params without path 197 | 0x9e610 - cmp_MTP_and_ptr 198 | 0x9e19c - memcpy 199 | 0x9dbf8 - memset 200 | 0x9e19c - memcpy 201 | 0x9e19c - memcpy 202 | 0x9e670 - cmp_MTP_and_ptr 203 | 0x9e698 - dereference_MTP 204 | 0x9e6b4 - MTP::is_null 205 | 0x9e6dc - get 0x28AAEEF9 (protobuf magic) 206 | 0x9e698 - dereference_MTP 207 | 0x9e698 - dereference_MTP 208 | 0x9dcac - dereference_MTP 209 | 0x9e1b8 - struct unpack 210 | 0x9e698 - dereference_MTP 211 | 0x9dcac - dereference_MTP 212 | 0x9e610 - cmp_MTP_and_ptr 213 | 0x9e778 - create_global_struct_with_fastVM 214 | 0x9e790 - dereference_MTP 215 | 0x9e7ac - deref_x0_0x50 216 | 0x9e7c8 - hummus_loop - x0: protobuf struct, returns x0: 0x184 217 | 0x9e1c8 - std::string::init - x0: ptr where string will be init, w1: length of string (line 216), w2: initial char (0) 218 | 0x9e7e4 - super_loop (has another one nested) - x0: protobuf struct, x1: ptr to 0x00's; returns 0x184/0x181 (create protobuf) 219 | 0x9e290 - rand 220 | 0x9e31c - MTP::Copy_mutex 221 | 0x9e328 - dereference_MTP 222 | 0x9e804 - decrypt_func4 -> "sign_key" 223 | 0x9e1ac - string::init -> returns empty string 224 | 0x9e824 - NEW_JMP_TBL! -> RUNS A VM, returns empty string; calls inside: 0xb6d70,0xb6d7c,0xbdc4c,0xbdc7c,0xbdc98,0xbdcac,0xbdcb8(not sure)... 
0xb6e10 225 | 0x9dc7c - dereference_MTP -> dereference to get string like: "7288878770684577285" (used in protobuf) 226 | 0x9e840 - not sure, check - x0: const hash string "wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM="; returns 0x20 length string with key: c02f250f86cc4f198d5706398d292a8b74169aba61affe7cba02e4a3b5198163 227 | 0x9dc7c - dereference_MTP - gets string from line 226 228 | 0x9dc98 - string::copy - copies string from line 227 229 | 0x9dca4 - MTP release string 230 | 0x9dca4 - MTP release string 231 | 0x9dd0c - string::destroy 232 | 0x9e358 - MTP delete 233 | 0x9dc20 - new_string 234 | 0x9dc60 - create_md5 - x0: ptr to encrypted string of length 0x10, w1: 0 -> create md5 from c02f250f86cc4f198d5706398d (half of string 227) -> 0xdb069b950d975282 0xafc10e5cd8172e10 235 | 0x9dc7c - dereference_MTP - gets string 234 236 | 0x9dc98 - string::copy 237 | 0x9dca4 - MTP release string 238 | 0x9dd0c - string::destroy 239 | 0x9dc20 - new_string 240 | 0x9dc60 - create_md5 - x0: ptr to second half of the encrypted string -> 0x7d9f417aa37e204d 0x9435f5a2c6812f62 241 | 0x9dc7c - dereference_MTP 242 | 0x9dc7c - dereference_MTP 243 | 0x9dc98 - string::copy 244 | 0x9dca4 - MTP release string 245 | 0x9dd0c - string::destroy 246 | 0x9e854 - string::new 247 | 0x9e558 - string::append2 - adds 0x34e20241 (random?) to string 226 (<226>), length 0x24 now 248 | 0x9e558 - string::append2 - adds string 226 to string 247 (<226><226), length 0x44 now 249 | 0x9df50 - scaryjmptbl1 - x0: string 248 -> 0x20 length hash 250 | 0x9e1b8 - struct unpack 251 | 0x9e1e8 - sm3_encrypt - x0: ptr to encrypted string, x1: length (0x44), x2: ptr to output (0x20 length). 
252 | 0x9dc20 - new_string 253 | 0x9dd0c - string::destroy 254 | 0x9dd0c - string::destroy 255 | 0x9dd0c - string::destroy 256 | 0x9e1b8 - struct unpack - 0x33, not sure where from 257 | 0x9e8a0 - argus_vm2 - input: const key, returns 0x737616ec (const) 258 | 0x9dc4c - new string size=0x8 259 | 0x9e41c - multithread_init_shit 260 | 0x9e41c - multithread_init_shit 261 | 0x9e19c - memcpy 262 | 0x9dc4c - new string size=0x8 263 | 0x9e8e8 - mainEncrypt - SOLVED: input: x2=0x20 len string key, x1=empty 0x8 capacity string, x0=0x181 len string with protobuf struct in it. sets a string of len 0x190 in x1. 264 | 0x9e558 - string::append2 - append string:263 and TODO (0x100/0x200/0x300) -> assigns to x0 265 | 0x9e22c - string::assign - assign string:264 266 | 0x9dd0c - string::destroy 267 | 0x9dd0c - string::destroy 268 | 0x9e8a0 - argus_vm2 - input: first 2 bytes from line 219 (self.rdm), returns EOR key 269 | 0x9e1b8 - struct unpack - gets length for string for next func 270 | 0x9e1c8 - std::string::init - initializes string with zeros with length 0x198; this string is filled in the jmp table, 0x9fbb4->0x9f338 271 | 0x9e1b8 - struct unpack - gets length for string for next func, after this, INLINE editing of string:264 into string:270 (09FBB0) + inline creation of string in line 275 0x18049001 (0xa00b4) 272 | 0x9e41c - multithread_init_shit - some rwlock shit - inline prepare 0x18049001 273 | 0x9e290 - rand - returns rand of length 0x4 274 | 0x9dc20 - new_string - create string of 0x1 length (from where?) = 0xec (1st byte from first argus_vm2?) 275 | 0x9dc20 - new_string - 0x8 length int (from where?) - lsb: first 4 bytes are rand:273, last 4 bytes=0x18049001/0x18003301 (where is this from, nonce??) 
276 | 0x9e558 - string::append2 - append those two strings from before -> string of len 0x9 277 | 0x9e558 - string::append2 - append string of len 0x9 (first) with string from line 270 (which isnt empty now) 278 | 0x9e8f8 - string::new - create string of 0x2 length (from where?) 279 | 0x9e558 - string::append2 - append string:277 with string:278 280 | 0x9dd0c - string::destroy 281 | 0x9dd0c - string::destroy 282 | 0x9dd0c - string::destroy 283 | 0x9dd0c - string::destroy 284 | 0x9dd0c - string::destroy 285 | 0x9e05c - aes_encrypt -> create X-Argus value from string:279 and keys/iv (x1/x2) from TODO 286 | 0x9dc7c - dereference_MTP 287 | 0x9dc98 - string::copy - appends short 0x2 length key to the base of the XArgus value 288 | 0x9dca4 - MTP release string 289 | 0x9e8f8 - string::new 290 | 0x9e558 - string::append2 291 | 0x9e944 - base64 encode -> b64 encode X-Argus value?? seems to encode 0x24 length string 292 | 0x9dc7c - dereference_MTP 293 | 0x9dc98 - string::copy 294 | 0x9dca4 - MTP release string 295 | 0x9dd0c - string::destroy 296 | 0x9dd0c - string::destroy 297 | 0x9e19c - memcpy 298 | 0x9e19c - memcpy 299 | 0x9e19c - memcpy 300 | 0x9e19c - memcpy 301 | 0x9e5d4 - decrypt_func1 -> returns %s 302 | 0x9e958 - eor_thingy -> returns %s 303 | 0x9e978 - sprintf2 304 | 0x9e998 - decrypt_func3 -> returns %s 305 | 0x9e9b8 - sprintf (finalizes X-Argus value, not sure what really does) 306 | 0x9dd0c - string::destroy 307 | 0x9dd0c - string::destroy 308 | 0x9dd0c - string::destroy 309 | 0x9dd0c - string::destroy 310 | 0x9dd0c - string::destroy 311 | 0x9dd0c - string::destroy 312 | 0x9dd0c - string::destroy 313 | 0x9dd0c - string::destroy 314 | 0x9dd0c - string::destroy 315 | 0x9dd0c - string::destroy 316 | 0x9e9d8 - MTP delete 317 | 0x9dd0c - string::destroy 318 | 0x9dd0c - string::destroy 319 | 0x9dd0c - string::destroy 320 | 0x9dd0c - string::destroy 321 | 0x9dd0c - string::destroy 322 | 0x9dd0c - string::destroy 323 | 0x9dd0c - string::destroy 324 | 0x9dd0c - 
string::destroy 325 | 0x9dca4 - MTP release string 326 | 0x9e9e0 - MTP delete2 327 | 0x9dd0c - string::destroy 328 | 0x9dd0c - string::destroy 329 | 0x9dd0c - string::destroy 330 | 0x9dd0c - string::destroy 331 | 0x9dca4 - MTP release string 332 | 0x9dca4 - MTP release string 333 | 0x9dd0c - string::destroy 334 | 0x9dca4 - MTP release string 335 | 0x9dca4 - MTP release string 336 | 0x9dca4 - MTP release string 337 | 0x9dd0c - string::destroy 338 | 0x9dd0c - string::destroy 339 | 0x9dd0c - string::destroy 340 | 341 | 342 | 0x9dc60 - create_md5 - not sure where, but this is called with length x0 and w1=1 343 | 344 | 268->273(write rand)->274 345 | -------------------------------------------------------------------------------- /log2.txt: -------------------------------------------------------------------------------- 1 | 0x9ea0c 2 | 0x9e944 3 | 0x9dc7c 4 | 0x9dc98 5 | 0x9dca4 6 | 0x9e19c 7 | 0x9e19c 8 | 0x9e19c 9 | 0x9e19c 10 | 0x9e804 11 | 0x9e5d4 12 | 0x9ea2c 13 | 0x9e958 14 | 0x9ea4c 15 | 0x9dd0c 16 | 0x9dd0c 17 | 0x9dd0c 18 | 0x9dd0c 19 | 0x9dd0c 20 | 0x9dd0c 21 | -------------------------------------------------------------------------------- /loop.txt: -------------------------------------------------------------------------------- 1 | 0x9e19c - memcpy 2 | 0x9dc4c - new string size=0x8 - this later gets assigned "1233" 3 | 0x9dc4c - new string size=0x8 - this later gets assigned "1233" 4 | 0x9df50 - scaryjmptbl1 - x0: ptr to url params, x8: output ptr (0x20 length string) 5 | 0x9e1b8 - struct unpack 6 | 0x9e1e8 - sm3_encrypt - x0: ptr to url params, x1: url params length, x2: ptr to output (0x20 length). 
7 | 0x9dc20 - new_string 8 | 0x9e22c - string::assign 9 | 0x9dd0c - string::destroy 10 | 0x9df50 - scaryjmptbl1 - x0: ptr to string with length 0x10 but its zeroed out, x8: output ptr (0x20 length string) 11 | 0x9e1b8 - struct unpack 12 | 0x9e1e8 - sm3_encrypt - x0: zeroed string, x1: length (0x10), x2: output ptr to string, will always be: 106e34a2b8c7bb13156cfdd0d91379dcc47543dcf9787c68ae5eb582620ae6e8 13 | 0x9dc20 - new_string - new string from line 12 14 | 0x9e22c - string::assign 15 | 0x9dd0c - string::destroy 16 | 0x9e24c - struct unpack2 17 | 0x9e1ac - string::init 18 | 0x9e25c - MTP::Copy_mutex 19 | 0x9e1dc - MTP::Copy 20 | 0x9e270 - MTP something 21 | 0x9dca4 - MTP release string 22 | 0x9dc7c - dereference_MTP -> "1233" 23 | 0x9e22c - string::assign 24 | 0x9e290 - rand 25 | 0x9e2a8 - MTP::Copy_mutex 26 | 0x9e2bc - MTP::Copy_mutex 27 | 0x9e1ac - string::init 28 | 0x9e1dc - MTP::Copy 29 | 0x9e270 - MTP something 30 | 0x9dca4 - MTP release string 31 | 0x9dc7c - dereference_MTP -> "7288878770684577285" 32 | 0x9e22c - string::assign 33 | 0x9e2d0 - dereference_MTP_twice -> one of the derefs produces "1233" 34 | 0x9e31c - MTP::Copy_mutex 35 | 0x9e328 - dereference_MTP -> ptr to some class 36 | 0x9e344 - MTP::Copy 37 | 0x9e358 - MTP delete 38 | 0x9dcac - dereference_MTP -> "2142840551" (const) 39 | 0x9e360 - inarg_loop - return app consts: x8: ptr to ptr that filled with app version on output (31.5.3), x0 - array of strings, first contains x8, second contains ptr to "2142840551" (licenseId) 40 | 0x9dcac - dereference_MTP -> some class with strings?? 41 | 0x9e374 - generate_const_ -> 0x04050020 (Argus Version, gets reduced to 0x2 later) 42 | 0x9e38c - decrypt_something -> android version (v04.05.00-ov-android) 43 | 0x9e1b8 - struct unpack -> 0x00000008, not sure what use 44 | 0x9e19c - memcpy 45 | 0x9e19c - memcpy 46 | 0x9e19c - memcpy 47 | 0x9e19c - memcpy 48 | 0x9e19c - memcpy 49 | 0x9e19c - memcpy 50 | 0x9e3a4 - get_sign_key -> is this get_sign_class? 
51 | 0x9e3bc - deref_sign_key 52 | 0x9e1ac - string::init - init "sign" string 53 | 0x9e3d8 - TODO: debug init_export_class - x0: output struct from line 51, x1: "sign" string, returns length of something (0x23) 54 | 0x9dd0c - string::destroy 55 | 0x9e3a4 - get_sign_key 56 | 0x9e3bc - deref_sign_key 57 | 0x9e1ac - string::init - init "setting" string 58 | 0x9e3d8 - TODO (doesnt seem serious) 59 | 0x9dd0c - string::destroy 60 | 0x9e3a4 - get_sign_key 61 | 0x9e3bc - deref_sign_key 62 | 0x9e1ac - string::init - init "report" string 63 | 0x9e3d8 64 | 0x9dd0c - string::destroy 65 | 0x9e3a4 - get_sign_key 66 | 0x9e3bc - deref_sign_key 67 | 0x9e1ac - string::init - init "reportFail" string 68 | 0x9e3d8 69 | 0x9dd0c - string::destroy 70 | 0x9e3f8 - string::is_eq - "1233" and "3019" 71 | 0x9e3f8 - string::is_eq - "1233" and null 72 | 0x9e3a4 - get_sign_key 73 | 0x9e3bc - deref_sign_key 74 | 0x9dc98 - string::copy - "1233" to empty 75 | 0x9e41c - multithread_init_shit 76 | 0x9e438 - dereference_6c - dereference x0+0x6c, returns 0x1 when i ran this 77 | 0x9e454 - TODO: debug - x0 = struct from 74??, x1="1233", w2=0, w3=1, returns w0=0x82 -> field15.5=this<<1 78 | 0x9dd0c - string::destroy 79 | 0x9e3a4 - get_sign_key 80 | 0x9e3bc - deref_sign_key 81 | 0x9dc98 - string::copy - copy "1233" to empty 82 | 0x9e41c - multithread_init_shit 83 | 0x9e438 - dereference_6c - dereference x0+0x6c, returns 0x1 when i ran this 84 | 0x9e478 - some string manipulation, not sure TODO - x0=weird struct, x1= "1233" string, w2=0, w3=1. 
returns 0x1bf/0x284/others in w0 -> in practice gets *($x0+0xd4) -> this is field15.6 << 1 85 | 0x9dd0c - string::destroy - destroy "1233", inline: copy weird ts 86 | 0x9e19c - memcpy - copy a struct of size 0x38, something to do with protobuf (internal struct has 0x28aaeef9 - protobuf magic) 87 | 0x9e4c0 - MTP::Copy -> copy class stuff (vptr) 88 | 0x9dc7c - dereference_MTP -> "googleplay" 89 | 0x9dc98 - string::copy - copies string with "googleplay" 90 | 0x9dca4 - MTP release string 91 | 0x9e4d4 - decrypt4_and_system_property - returns phone model "ONEPLUS A5000" 92 | 0x9e4e8 - scary_jmp_tbl2_vmcode - returns 0x5 in w0 (field23.2>>1) 93 | 0x9e500 - scary_jmp_tbl2_vmcode0 - returns 0x0c507c00, const? (field23.4>>1) 94 | 0x9e518 - decrypt2 -> returns "none" (field20?) 95 | 0x9dc4c - new string size=0x8 96 | 0x9dc4c - new string size=0x8 97 | 0x9e538 - string::is_null 98 | 0x9e574 - new_4 99 | 0x9dc54 - MTP::new 100 | 0x9e580 - scary_jmp_hash - x0: ptr to ptr of protobuf struct, x1: url params, x2: key - input from line 10, w3=1, x8=output ptr, returns 2 ptrs, first is to a 0xc length encrypted string, second is to 0x1 101 | 0x9dbf8 - memset 102 | 0x9dc0c - rev - reverses second string (0x1) from line 100 -> 0x01000000 103 | 0x9dc20 - new_string string of length 0x4 from line 102 (0x01000000) 104 | 0x9dc30 - new 105 | 0x9dc4c - new string size=0x8 106 | 0x9dc54 - MTP::new 107 | 0x9dc60 - create_md5 - x0: ptr to url params string, w1: 0 (dont hexlify), x8: ptr to two ptrs: first is string with length 0x10 (the md5), second is 0x1 108 | 0x9dc7c - dereference_MTP -> 0x10 length string (md5) 109 | 0x9dc98 - string::copy 110 | 0x9dca4 - MTP release string 111 | 0x9dc60 - create_md5 - x0: string of length 0x10 (sometimes with 0x00's->sm3 of data?), w1: 0. this string is input to line 10 too. 
incase 00's, x8 points to string(lsb): 0xbff94be43613e74a 0xa51848232e75d279 and second ptr to 0x01 112 | 0x9dc7c - dereference_MTP -> md5 113 | 0x9dc98 - string::copy 114 | 0x9dca4 - MTP release string 115 | 0x9dd14 - malloc_and_memset 116 | 0x9dcac - dereference_MTP 117 | 0x9dd14 - malloc_and_memset 118 | 0x9dcac - dereference_MTP -> "31.5.3" 119 | 0x9dc60 - create_md5 - x0: string of length 4: 0x01000000, w1: 0 -> 0xa5247651060345f1 0x855999edf8bbaf7e 120 | 0x9dc7c - dereference_MTP -> "7288878770684577285" 121 | 0x9dd14 - malloc_and_memset 122 | 0x9dcac - dereference_MTP -> line 119 string 123 | 0x9dcc8 - finalize_md5_hashes - takes the last 3 hashes, and their first 4 bytes and appends into new string 124 | 0x9dcec - MTP release string no_mutex 125 | 0x9dca4 - MTP release string 126 | 0x9dca4 - MTP release string 127 | 0x9dca4 - MTP release string 128 | 0x9dca4 - MTP release string 129 | 0x9dca4 - MTP release string 130 | 0x9dd0c - string::destroy 131 | 0x9dd0c - string::destroy 132 | 0x9e178 - MTP::is_null 133 | 0x9dcac - dereference_MTP -> 0xc length string 134 | 0x9dbf8 - memset 135 | 0x9e19c - memcpy 136 | 0x9dc0c - rev - from line 24 (whats the point reving a random string?) 137 | 0x9dcac - dereference_MTP -> same string in line 133 138 | 0x9e1b8 - struct unpack - extract length from string (md5 combo hash?) and place at next to i 139 | 0x9dc30 - new 140 | 0x9e1c8 - std::string::init - empty string with length 0xc 141 | 0x9dc54 - MTP::new 142 | 0x9dcac - dereference_MTP -> same as line 133 143 | 0x9dcac - dereference_MTP -> 0xc length string which is empty 144 | 0x9dcac - dereference_MTP -> same as line 133 145 | 0x9dcac - dereference_MTP -> same as line 143 with new byte 146 | 0x9dcac - dereference_MTP -> same as line 133 147 | 0x9dcac - dereference_MTP -> 0xc length string with 0x1c3b string (little endian) 148 | 0x9dcac - dereference_MTP -> same as line 133 149 | 0x9dcac - dereference_MTP -> 1c3b4e (not const!) 
150 | 0x9dcac - dereference_MTP -> same as line 133 151 | 0x9dcac - dereference_MTP -> 1c3b4e08 152 | 0x9dcac - dereference_MTP -> same as line 133 153 | 0x9dcac - dereference_MTP -> +2c (around 0106A04) 154 | 0x9dcac - dereference_MTP -> same as line 133 155 | 0x9dcac - dereference_MTP -> +2b 156 | 0x9dcac - dereference_MTP -> same as line 133 157 | 0x9dcac - dereference_MTP -> +ec 158 | 0x9dcac - dereference_MTP -> same as line 133 159 | 0x9dcac - dereference_MTP -> +b3 160 | 0x9dcac - dereference_MTP -> same as line 133 161 | 0x9dcac - dereference_MTP -> +e5 162 | 0x9dcac - dereference_MTP -> same as line 133 163 | 0x9dcac - dereference_MTP -> +75 164 | 0x9dcac - dereference_MTP -> same as line 133 165 | 0x9dcac - dereference_MTP -> +26 166 | 0x9e1dc - MTP::Copy - // (probably wrong): copy MTP with string with "googleplay" 167 | 0x9dca4 - MTP release string 168 | 0x9dca4 - MTP release string 169 | 0x9dd0c - string::destroy 170 | 0x9dcec - MTP release string no_mutex 171 | 0x9dca4 - MTP release string 172 | 0x9dc30 - new 173 | 0x9e1dc - MTP::Copy - copy MTP with 0xc md5 hash 174 | 0x9e5a0 - MTP::Copy with some unpacking - again 0xc md5 hash, and 0x1 stored before 175 | 0x9e5b4 - release_MTP_and_new_MTP 176 | 0x9dca4 - MTP release string 177 | 0x9e5d4 - decrypt_func1 -> "android" 178 | 0x9e1ac - string::init 179 | 0x9dc98 - string::copy 180 | 0x9dc98 - string::copy 181 | 0x9dc7c - dereference_MTP -> "1233" (somewhere before here i missed a deref with 7288878770684577285) 182 | 0x9dc98 - string::copy 183 | 0x9dc7c - dereference_MTP -> "31.5.3" 184 | 0x9dc98 - string::copy 185 | 0x9dc7c - dereference_MTP -> "wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM=" 186 | 0x9dc98 - string::copy -> copy "31.5.3" 187 | 0x9dc98 - string::copy -> "android" 188 | 0x9dc98 - string::copy -> 0x20 length key 0x5c639194463269fc 0x9c7368f17157ef67 189 | 0x9e1b8 - struct unpack -> 0x1c0 190 | 0x9e1b8 - struct unpack -> 0x20 191 | 0x9e1b8 - struct unpack -> 0x13 192 | 0x9e1b8 - struct unpack 
-> 0x4 193 | 0x9e1b8 - struct unpack -> 0x6 194 | 0x9e1b8 - struct unpack -> 0x7 195 | 0x9e1b8 - struct unpack -> 0x20 196 | 0x9e5f4 - not sure, seems to trigger for specific urls? - x0: url path (e.g. /ies/speed) x1: struct, *x1 = url params without path 197 | 0x9e610 - cmp_MTP_and_ptr 198 | 0x9e19c - memcpy -> copy 0x180 length of protobuf struct (1st member is ptr to 0x28AAEEF9) 199 | 0x9dbf8 - memset 200 | 0x9e19c - memcpy -> copy 0xd of some hash 201 | 0x9e19c - memcpy -> copy 0x9 of some hash 202 | 0x9e670 - cmp_MTP_and_ptr 203 | 0x9e698 - dereference_MTP -> 0x4 (field25??) 204 | 0x9e6b4 - MTP::is_null 205 | 0x9e6dc - get 0x28AAEEF9 (protobuf magic) 206 | 0x9e698 - dereference_MTP -> ptr to struct, with 2nd member holding 0xc length key 207 | 0x9e698 - dereference_MTP -> same 208 | 0x9dcac - dereference_MTP -> line 165 +d8 209 | 0x9e1b8 - struct unpack -> store 0xc (key length) 210 | 0x9e698 - dereference_MTP -> same as line 206/207 211 | 0x9dcac - dereference_MTP -> line 208 212 | 0x9e610 - cmp_MTP_and_ptr 213 | 0x9e778 - create_global_struct_with_fastVM 214 | 0x9e790 - dereference_MTP -> dereference some struct (of type 0x159658, global struct?) 215 | 0x9e7ac - deref_x0_0x50 -> places 0 (const?) 216 | 0x9e7c8 - hummus_loop - x0: protobuf struct, returns x0: 0x184 217 | 0x9e1c8 - std::string::init - x0: ptr where string will be init, w1: length of string (line 216), w2: initial char (0) 218 | 0x9e7e4 - super_loop (has another one nested) - x0: protobuf struct, x1: ptr to 0x00's; returns 0x184/0x181 (create protobuf) 219 | 0x9e290 - rand 220 | 0x9e31c - MTP::Copy_mutex 221 | 0x9e328 - dereference_MTP -> ptr to some class 222 | 0x9e804 - decrypt_func4 -> "sign_key" 223 | 0x9e1ac - string::init -> returns empty string 224 | 0x9e824 - NEW_JMP_TBL! -> RUNS A VM, x1: "sign_key"; calls inside: 0xb6d70,0xb6d7c,0xbdc4c,0xbdc7c,0xbdc98,0xbdcac,0xbdcb8(not sure)... 
0xb6e10 -> produces wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM= (this is base64 key) 225 | 0x9dc7c - dereference_MTP -> dereference to get string like: "7288878770684577285" (used in protobuf) - got here wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM 226 | 0x9e840 - base64_decode - x0: const hash string "wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM="; returns 0x20 length string with key: c02f250f86cc4f198d5706398d292a8b74169aba61affe7cba02e4a3b5198163 227 | 0x9dc7c - dereference_MTP - gets string from line 226 228 | 0x9dc98 - string::copy - copies string from line 227 229 | 0x9dca4 - MTP release string 230 | 0x9dca4 - MTP release string 231 | 0x9dd0c - string::destroy 232 | 0x9e358 - MTP delete 233 | 0x9dc20 - new_string 234 | 0x9dc60 - create_md5 - x0: ptr to encrypted string of length 0x10, w1: 0 -> create md5 from c02f250f86cc4f198d5706398d (half of string 227) -> 0xdb069b950d975282 0xafc10e5cd8172e10 235 | 0x9dc7c - dereference_MTP - gets string 234 236 | 0x9dc98 - string::copy 237 | 0x9dca4 - MTP release string 238 | 0x9dd0c - string::destroy 239 | 0x9dc20 - new_string 240 | 0x9dc60 - create_md5 - x0: ptr to second half of the encrypted string -> 0x7d9f417aa37e204d 0x9435f5a2c6812f62 241 | 0x9dc7c - dereference_MTP -> 0x1b length string (md5?) 242 | 0x9dc7c - dereference_MTP -> long base64 string (0x244) 243 | 0x9dc98 - string::copy 244 | 0x9dca4 - MTP release string 245 | 0x9dd0c - string::destroy 246 | 0x9e854 - string::new 247 | 0x9e558 - string::append2 - adds 0x34e20241 (random?) to string 226 (<226>), length 0x24 now 248 | 0x9e558 - string::append2 - adds string 226 to string 247 (<226><226), length 0x44 now 249 | 0x9df50 - scaryjmptbl1 - x0: string 248 -> 0x20 length hash 250 | 0x9e1b8 - struct unpack 251 | 0x9e1e8 - sm3_encrypt - x0: ptr to encrypted string, x1: length (0x44), x2: ptr to output (0x20 length). 
252 | 0x9dc20 - new_string 253 | 0x9dd0c - string::destroy 254 | 0x9dd0c - string::destroy 255 | 0x9dd0c - string::destroy 256 | 0x9e1b8 - struct unpack - 0x33, not sure where from 257 | 0x9e8a0 - argus_vm2 - input: const key, returns 0x737616ec (const) 258 | 0x9dc4c - new string size=0x8 259 | 0x9e41c - multithread_init_shit 260 | 0x9e41c - multithread_init_shit 261 | 0x9e19c - memcpy 262 | 0x9dc4c - new string size=0x8 263 | 0x9e8e8 - mainEncrypt - SOLVED: input: x2=0x20 len string key, x1=empty 0x8 capacity string, x0=0x181 len string with protobuf struct in it. sets a string of len 0x190 in x1. 264 | 0x9e558 - string::append2 - append string:263 and TODO (0x100/0x200/0x300) -> assigns to x0 265 | 0x9e22c - string::assign - assign string:264 266 | 0x9dd0c - string::destroy 267 | 0x9dd0c - string::destroy 268 | 0x9e8a0 - argus_vm2 - input: 2 first bytes from line 219 (self.rdm), returns EOR key 269 | 0x9e1b8 - struct unpack - gets length for string for next func 270 | 0x9e1c8 - std::string::init - initializes string with zeros with length 0x198; this string is filled in the jmp table, 0x9fbb4->0x9f338 271 | 0x9e1b8 - struct unpack - gets length for string for next func, after this, INLINE editing of string:264 into string:270 (09FBB0) + inline creation of string in line 275 0x18049001 (0xa00b4). this is argus header sign 272 | 0x9e41c - multithread_init_shit - some rwlock shit - inline prepare 0x18049001 273 | 0x9e290 - rand - returns rand of length 0x4 274 | 0x9dc20 - new_string - create string of 0x1 length (from where?) = 0xec (1st byte from first argus_vm2?) 275 | 0x9dc20 - new_string - 0x8 length int (from where?) - lsb: first 4 bytes are rand:273, last 4 bytes=0x18049001/0x18003301 (where is this from, nonce??) 
276 | 0x9e558 - string::append2 - append those two strings from before -> string of len 0x9 277 | 0x9e558 - string::append2 - append string of len 0x9 (first) with string from line 270 (which isn't empty now) 278 | 0x9e8f8 - string::new - create string of 0x2 length (from 2nd rand) 279 | 0x9e558 - string::append2 - append string:277 with string:278 280 | 0x9dd0c - string::destroy 281 | 0x9dd0c - string::destroy 282 | 0x9dd0c - string::destroy 283 | 0x9dd0c - string::destroy 284 | 0x9dd0c - string::destroy 285 | 0x9e05c - aes_encrypt -> create X-Argus value from string:279 and keys/iv (x1/x2). x2: md5 from line 240, x1: md5 from line 234 286 | 0x9dc7c - dereference_MTP -> "1233" 287 | 0x9dc98 - string::copy - appends short 0x2 length key to the base of the XArgus value 288 | 0x9dca4 - MTP release string 289 | 0x9e8f8 - string::new 290 | 0x9e558 - string::append2 291 | 0x9e944 - base64 encode -> b64 encode X-Argus value?? seems to encode 0x24 length string 292 | 0x9dc7c - dereference_MTP -> "96534c2f045dbb80b5b56d7e92223ba4" (changes?) 
293 | 0x9dc98 - string::copy 294 | 0x9dca4 - MTP release string 295 | 0x9dd0c - string::destroy 296 | 0x9dd0c - string::destroy 297 | 0x9e19c - memcpy 298 | 0x9e19c - memcpy 299 | 0x9e19c - memcpy 300 | 0x9e19c - memcpy 301 | 0x9e5d4 - decrypt_func1 -> returns %s 302 | 0x9e958 - eor_thingy -> returns %s 303 | 0x9e978 - sprintf2 304 | 0x9e998 - decrypt_func3 -> returns %s 305 | 0x9e9b8 - sprintf (finalizes X-Argus value, not sure what really does) 306 | 0x9dd0c - string::destroy 307 | 0x9dd0c - string::destroy 308 | 0x9dd0c - string::destroy 309 | 0x9dd0c - string::destroy 310 | 0x9dd0c - string::destroy 311 | 0x9dd0c - string::destroy 312 | 0x9dd0c - string::destroy 313 | 0x9dd0c - string::destroy 314 | 0x9dd0c - string::destroy 315 | 0x9dd0c - string::destroy 316 | 0x9e9d8 - MTP delete 317 | 0x9dd0c - string::destroy 318 | 0x9dd0c - string::destroy 319 | 0x9dd0c - string::destroy 320 | 0x9dd0c - string::destroy 321 | 0x9dd0c - string::destroy 322 | 0x9dd0c - string::destroy 323 | 0x9dd0c - string::destroy 324 | 0x9dd0c - string::destroy 325 | 0x9dca4 - MTP release string 326 | 0x9e9e0 - MTP delete2 327 | 0x9dd0c - string::destroy 328 | 0x9dd0c - string::destroy 329 | 0x9dd0c - string::destroy 330 | 0x9dd0c - string::destroy 331 | 0x9dca4 - MTP release string 332 | 0x9dca4 - MTP release string 333 | 0x9dd0c - string::destroy 334 | 0x9dca4 - MTP release string 335 | 0x9dca4 - MTP release string 336 | 0x9dca4 - MTP release string 337 | 0x9dd0c - string::destroy 338 | 0x9dd0c - string::destroy 339 | 0x9dd0c - string::destroy 340 | 341 | 342 | 0x9dc60 - create_md5 - not sure where, but this is called with length x0 and w1=1 343 | 344 | 268->273(write rand)->274 345 | -------------------------------------------------------------------------------- /looptrace1: -------------------------------------------------------------------------------- 1 | 0x8ab374d9 2 | 0xd8ecf362 3 | 0x5a7d0109 4 | 0x78b6a6cf 5 | 0xef44ad19 6 | 0xe6877a22 7 | 0x79f137d3 8 | 0x72d01ce5 9 | 
0x6f1ab7f1 10 | 0xf1281f4d 11 | 0x289c3603 12 | 0x573853f7 13 | 0x5e5b04b7 14 | 0x60f57150 15 | 0xa43b692d 16 | 0xea4c149f 17 | 0xa3fe1444 18 | 0xb47a9f68 19 | 0x266564ae 20 | 0xef6f62b0 21 | 0x266564ae 22 | 0xef6f62b0 23 | 0x266564ae 24 | 0xef6f62b0 25 | 0x266564ae 26 | 0xa96a8ed4 27 | 0x66f9ab41 28 | 0x0e43fbf5 29 | 0x980737d1 30 | 0x300984ad 31 | 0x2a8c05cf 32 | 0x4a141fac 33 | -------------------------------------------------------------------------------- /looptrace2: -------------------------------------------------------------------------------- 1 | 0xa10fa29c 2 | 0xe896558c 3 | 0x85d827c2 4 | 0x4bcd6aac 5 | 0x76fcfb71 6 | 0xbc9fd311 7 | 0xe142a4ea 8 | 0x3b3f24b5 9 | 0xb6d27258 10 | 0x33422b18 11 | 0x9bda97bd 12 | 0x9556e66c 13 | 0x11b22bcf 14 | 0x4a60654b 15 | 0x9558cd48 16 | 0x9bfdb7e3 17 | 0xb939795b 18 | 0xee92f197 19 | 0xfa874e22 20 | 0x14e3efa1 21 | 0x2b72a516 22 | 0x40dc9196 23 | 0xedbdd1c2 24 | 0xcf721dbe 25 | 0x7f6ae558 26 | 0x1da9cd56 27 | 0x402286bc 28 | 29 | -------------------------------------------------------------------------------- /looptrace3: -------------------------------------------------------------------------------- 1 | 0x23cb672c - secblock1 (default) 2 | 0xde6ee159 - secblock2 3 | 0x7a852b69 - secblock3 4 | 0xa95cc278 - secblock4 5 | 0xeb134a51 - secblock5 6 | 0xb42a1441 - secblock6 7 | 0xd44f57e1 - secblock7 8 | 0xe19414c9 - secblock8 9 | 0xe6bb0864 - secblock9 10 | -------------------------------------------------------------------------------- /notes: -------------------------------------------------------------------------------- 1 | ./data/lldb-server p --server --listen '0.0.0.0:10000' 2 | command script import ./setup.py 3 | 4 | b -s libmetasec_ov.so -a 03BAD0 -C 'p/x $w9' --auto-continue 1 5 | adb am start -n com.zhiliaoapp.musically 6 | setprop debug.db.uid 32767 7 | 8 | run in join_headers (x1): 9 | x/s *(long*)(*(long*)(*(long*)(*(long*)($sp+0x50+8)+0x20))+0x10) 10 | from x19<-globalstruct: 11 | x1 = x/s 
*(long*)*(long*)(*(long*)($x19)+0x20)+0x10 12 | and then do above, or directly: 13 | x/s *(long*)(*(long*)(*(long*)(*(long*)(*(long*)*(long*)(*(long*)($x19)+0x20)+0x10)+0x20))+0x10) 14 | 15 | in innersec: 16 | x/s *(long*)(*(long*)(*(long*)(*(long*)(*(long*)*(long*)(*(long*)(*(long*)($x19+0x38))+0x20)+0x10)+0x20))+0x10) 17 | 18 | on address: 19 | x/s *(long*)(*(long*)(*(long*)(*(long*)(*(long*)*(long*)(*(long*)(*(long*)($x23))+0x20)+0x10)+0x20))+0x10) 20 | 21 | $x1 in innersec: 22 | x/s *(long*)(*(long*)(*(long*)(*(long*)(*(long*)*(long*)(*(long*)($x1)+0x20)+0x10)+0x20))+0x10) 23 | $x23: 24 | x/s *(long*)(*(long*)(*(long*)(*(long*)(*(long*)*(long*)(*(long*)(*(long*)($x23+0x18))+0x20)+0x10)+0x20))+0x10) 25 | 26 | Get value string from headervalue: 27 | x/s *(long*)(*(long*)(*(long*)($x8+0x20))+0x10) 28 | 29 | In blabla (in the start this is $sp+0x28+0x2a0): 30 | x/s *(long*)(*(long*)(*(long*)(*(long*)(*(long*)*(long*)(*(long*)(*(long*)(*(long*)($sp+0x28)+0x18))+0x20)+0x10)+0x20))+0x10) 31 | 32 | 08BA1C: 33 | x/s (*(long*)(*(long*)($sp+0x8)+8)+0x10) 34 | x/s (*(long*)(*(long*)($sp+0x8)+8)+0x10)+0x8 35 | 36 | 37 | 38 | 39 | 40 | GORGON: 41 | 0x7b39a684c0: 0x63 0x61 0xb9 0xde 0x00 0x00 0x00 0x00 42 | 0x7b39a684c8: 0x00 0x00 0x00 0x00 0x20 0x00 0x05 0x04 43 | 0x7b39a684d0: 0x65 0x3e 0xe4 0xf5 44 | 45 | 46 | encrypt simulation: 47 | memory read --binary --outfile vm/key-hex *(long*)($x1) *(long*)($x1)+74*8 48 | memory read --binary --outfile vm/protobuf-hex *(long*)($x1+8) *(long*)($x1+8)+0x1b0 49 | 50 | 51 | sim dump: 52 | register read 53 | memory read --force --binary --outfile dump/stack $sp-0x10000 $sp+0x10000 54 | memory read --force --binary --outfile dump/libmetasec 0x7baa240000 0x7baa393ef0 55 | memory read --force --binary --outfile dump/x1_1 0x0000007bb01e4800 0x0000007bb01e4800+0x1000 56 | memory read --force --binary --outfile dump/x1_2 0x0000007bb01e4800 0x0000007bb01e4800+0x1000 57 | 
-------------------------------------------------------------------------------- /notes2: -------------------------------------------------------------------------------- 1 | 2: address = libmetasec_ov.so[0x000000000009e29c], locations = 1, resolved = 1, hit count = 5 Options: disabled 2 | Names: 3 | rand 4 | 5 | 2.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3247 + 12, address = 0x0000007baaee829c, resolved, hit count = 5 6 | 7 | 4: address = libmetasec_ov.so[0x000000000009dc2c], locations = 1, resolved = 1, hit count = 1 Options: disabled 8 | Names: 9 | new_string 10 | 11 | 4.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3205 + 12, address = 0x0000007baaee7c2c, resolved, hit count = 1 12 | 13 | 5: address = libmetasec_ov.so[0x000000000009ec00], locations = 1, resolved = 1, hit count = 2 Options: disabled 14 | 5.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3327 + 180, address = 0x0000007baaee8c00, resolved, hit count = 2 15 | 16 | 8: address = libmetasec_ov.so[0x000000000009e42c], locations = 1, resolved = 1, hit count = 2 Options: disabled 17 | Names: 18 | multithread_init_shit 19 | 20 | 8.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3262 + 16, address = 0x0000007baaee842c, resolved, hit count = 2 21 | 22 | 11: address = libmetasec_ov.so[0x000000000009e1c4], locations = 1, resolved = 1, hit count = 6 Options: disabled 23 | Names: 24 | struct_unpack 25 | 26 | 11.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3238 + 12, address = 0x0000007baaee81c4, resolved, hit count = 6 27 | 28 | 15: address = libmetasec_ov.so[0x000000000009ec10], locations = 1, resolved = 1, hit count = 1 Options: disabled 29 | Condition: *(char*)($x21+0x17)==0x18 30 | 31 | Names: 32 | jmpback 33 | 34 | 15.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3327 + 196, address = 0x0000007baaee8c10, resolved, hit count = 1 35 | 36 | 16: address = libmetasec_ov.so[0x000000000009e8e8], locations = 1, resolved = 1, hit count = 0 Options: disabled 37 | Names: 38 | mainencrypt 39 
| 40 | 16.1: where = libmetasec_ov.so`___lldb_unnamed_symbol3305, address = 0x0000007baaee88e8, resolved, hit count = 0 41 | 42 | weird_ts: 43 | bm 0x9e5f4 -N not_sure 44 | dumpit 45 | bm 0x9E7D4 -N hummus -C 'x/4gx $x0-0x150' 46 | bm 0x9e5d4 -N decrypt1 47 | 48 | 85:86 49 | 50 | aes: 51 | bm 0x9E070 -N aes_enc 52 | bm 0x9DC70 -N create_md5 -C 'x/4gx $x0' 53 | 54 | loop: 55 | bm 0xa01a0 -N caller 56 | bm 0x9ec14 -N mainloop 57 | 58 | hash: 59 | bm 0x9DCE0 -N hash_finalize 60 | bm 0x9dcbc -N deref 61 | 62 | hummus: 63 | bm 0xd0334 -N saver1 -C 'p/x $x0' 64 | bm 0xd0324 -N saver2 -C 'p/x $x0' 65 | bm 0x9e7d4 -N humus -C 'x/30gx $x0' 66 | 67 | bm 0x9e8e8 -N mainencrypt 68 | bm 0x9e1c4 -N struct_unpack 69 | bm 0x9e42c -N multithread_init_shit 70 | bm 0xA027C -N chkpt 71 | bm 0x9f250 -N chkpt_key 72 | bm 0x9DF58 -N scaryjmp 73 | bm 0x9ec10 -N jmpback -c '*(char*)($x21+0x17)==0x18' 74 | bm 0x9ec10 -N jmpback -c '*(char*)(0x7ba0c96a2f)==0x18' 75 | bm 0x9EF84 -N change -c '*(char*)($x21+0x17)==0x18' 76 | 77 | bm 09E29C -N rand -C 'p/x $w0' 78 | 79 | wa set expr $x21+0x10 80 | wa modify 1 -c '*(char*)($x21+0x17)==0x18' 81 | 82 | IDEA: rewrite vmcode which will trap?? 83 | action: trace where 0x00 leads, then last instr and check if 0x18 appears in stack :) 84 | 85 | 86 | timestamp integers are written at the beginning of the program. 
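87 | the edited timestamp for hummus_loop is also given at the beginning 88 | just guess its original timestamp minus 24 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /proto/.proto.swo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/.proto.swo -------------------------------------------------------------------------------- /proto/c/compile.sh: -------------------------------------------------------------------------------- 1 | gcc -g c/emulator.c -o emulator -lunicorn && ./emulator 2 | 3 | -------------------------------------------------------------------------------- /proto/c/emulator.c: --------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unicorn/unicorn.h>

/*
 * Unicorn harness that replays the routine between START_ADDRESS and
 * END_ADDRESS of the dumped libmetasec_ov.so image over the memory captured
 * with lldb (dump/libmetasec, dump/stack) and the two input buffers the
 * routine reads through x1 (dump/x1_1 = key, dump/x1_2 = protobuf chunks).
 *
 * Every address and register value below was recorded when the dump was
 * taken; they are only meaningful together with those dump files.
 */
#define EMU_BASE 0x7babb4b000
#define START_ADDRESS (EMU_BASE + 0x9EB4C)
#define END_ADDRESS (EMU_BASE + 0xA05D8)

/* Bytes of key material copied to *(x1) — the 0x1000 the original mapped. */
#define KEY_SIZE 0x1000
/* Size of one protobuf chunk fed to a single emulation run. */
#define PROTOBUF_CHUNK 0x10
/* Bytes read back from the third x1 pointer once END_ADDRESS is reached. */
#define RESULT_SIZE 16
/* How far below sp the stack image starts.  NOTE(review): the repo's notes
 * record dump/stack as `$sp-0x10000 $sp+0x10000`, and setup_registers()
 * reads *(x1) = sp+8, so memory above sp must be covered; the original
 * placed the image at sp-0x20000, which left everything above sp unmapped.
 * Confirm against the actual dump command if the result looks wrong. */
#define STACK_IMAGE_BELOW_SP 0x10000

/* Read a whole file into a malloc'd buffer.
 * On success *length receives the file size and the buffer is returned
 * (caller frees); on any failure NULL is returned and *length is untouched. */
unsigned char *read_file(const char *filename, size_t *length) {
    FILE *file = fopen(filename, "rb");
    if (!file) {
        perror("Error opening file");
        return NULL;
    }

    /* Size the file; ftell() reports -1 for unseekable inputs. */
    if (fseek(file, 0, SEEK_END) != 0) {
        perror("Error seeking file");
        fclose(file);
        return NULL;
    }
    long size = ftell(file);
    if (size < 0) {
        perror("Error sizing file");
        fclose(file);
        return NULL;
    }
    rewind(file);

    /* malloc(0) may legitimately return NULL; always ask for >= 1 byte. */
    unsigned char *buffer = malloc(size > 0 ? (size_t)size : 1);
    if (!buffer) {
        perror("Error allocating memory");
        fclose(file);
        return NULL;
    }

    if (fread(buffer, 1, (size_t)size, file) != (size_t)size) {
        perror("Error reading file");
        fclose(file);
        free(buffer);
        return NULL;
    }

    fclose(file);
    *length = (size_t)size;
    return buffer;
}

typedef struct {
    uc_engine *uc;
    uint64_t base;
    uint64_t start_address;
    uint64_t end_address;
    uint64_t sp;
    uint64_t x0;
    uint64_t x1;
    uint64_t x2;
    uint64_t x3;
    uint64_t x4;
    /* The three pointers stored at x1, kept exact (not page-rounded). */
    uint64_t x1_1_address;
    uint64_t x1_2_address;
    uint64_t x1_3_address;
    char *stack;
    char *lib;
    /* Byte counts of the two images; the original used sizeof(pointer). */
    size_t stack_length;
    size_t lib_length;
} MainEncryptEmulator;

/* Round addr up to the next 4 KiB boundary. */
uint64_t kb4_align(uint64_t addr) {
    return (addr + 0xFFF) & 0xFFFFFFFFFFFFF000;
}

/* Round addr down to its 4 KiB page base. */
uint64_t kb4_round_down(uint64_t addr) {
    return addr & 0xFFFFFFFFFFFFF000;
}

/* Widen [*addr, *addr + *size) to whole pages so uc_mem_map() accepts it. */
void kb4_prepare(uint64_t *addr, uint64_t *size) {
    uint64_t start = kb4_round_down(*addr);
    uint64_t end = kb4_align(*addr + *size);
    *addr = start;
    *size = end - start;
}

/* Map the pages covering [addr, addr + size) with UC_PROT_ALL.
 * UC_ERR_MAP (already mapped) is tolerated because the x1 buffers may share
 * a page with each other or with the stack image; any other error is
 * reported and -1 returned. */
static int map_pages(uc_engine *uc, uint64_t addr, uint64_t size) {
    kb4_prepare(&addr, &size);
    uc_err err = uc_mem_map(uc, addr, size, UC_PROT_ALL);
    if (err != UC_ERR_OK && err != UC_ERR_MAP) {
        fprintf(stderr, "uc_mem_map(0x%llx, 0x%llx) failed: %s\n",
                (unsigned long long)addr, (unsigned long long)size,
                uc_strerror(err));
        return -1;
    }
    return 0;
}

/* UC_HOOK_CODE callback: once execution reaches END_ADDRESS, stop and print
 * RESULT_SIZE bytes from the third buffer referenced by x1 (the one that is
 * mapped but left empty before the run). */
void debugger(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) {
    (void)size;
    MainEncryptEmulator *emu = (MainEncryptEmulator *)user_data;

    if (address != END_ADDRESS) {
        return;
    }
    uc_emu_stop(uc);

    unsigned char result[RESULT_SIZE];
    if (uc_mem_read(uc, emu->x1_3_address, result, sizeof(result)) == UC_ERR_OK) {
        printf("Memory at 0x%llx: ", (unsigned long long)emu->x1_3_address);
        for (size_t i = 0; i < sizeof(result); i++) {
            printf("%02x ", result[i]);
        }
        printf("\n");
    } else {
        printf("Failed to read memory at 0x%llx\n",
               (unsigned long long)emu->x1_3_address);
    }
}

/* Create the Unicorn instance and load the library and stack images.
 * Exits the process on any failure; on success emu->uc is ready for
 * setup_registers(). */
void initialize_emulator(MainEncryptEmulator *emu) {
    memset(emu, 0, sizeof(*emu));
    emu->base = EMU_BASE;
    emu->start_address = START_ADDRESS;
    /* uc_emu_start() stops when PC == until; +4 lets the instruction at
     * END_ADDRESS itself run so debugger() observes it. */
    emu->end_address = END_ADDRESS + 4;

    emu->lib = (char *)read_file("dump/libmetasec", &emu->lib_length);
    emu->stack = (char *)read_file("dump/stack", &emu->stack_length);
    if (!emu->lib || !emu->stack) {
        fprintf(stderr, "Failed to read dump/libmetasec or dump/stack\n");
        exit(-1);
    }

    /* Register state captured at START_ADDRESS when the dump was taken. */
    emu->sp = 0x0000007ba19822c0;
    emu->x0 = 0x0000007babc569b0;
    emu->x1 = 0x0000007ba19822c8;
    emu->x2 = EMU_BASE + 0x9DBEC;
    emu->x3 = 0;
    emu->x4 = 0x0000007ba19822e0;

    if (uc_open(UC_ARCH_ARM64, UC_MODE_ARM, &emu->uc)) {
        fprintf(stderr, "Failed to initialize Unicorn engine!\n");
        exit(-1);
    }

    /* Library image: map whole pages but write exactly lib_length bytes.
     * (The original passed sizeof(emu->lib) — 8 bytes, the pointer size.) */
    if (map_pages(emu->uc, emu->base, emu->lib_length) != 0 ||
        uc_mem_write(emu->uc, emu->base, emu->lib, emu->lib_length) != UC_ERR_OK) {
        fprintf(stderr, "Failed to load library image at 0x%llx\n",
                (unsigned long long)emu->base);
        exit(-1);
    }

    /* Stack image: the base is not page-aligned (sp ends in 0x2c0), so the
     * mapping is page-rounded while the bytes land at the exact address. */
    uint64_t stack_addr = emu->sp - STACK_IMAGE_BELOW_SP;
    if (map_pages(emu->uc, stack_addr, emu->stack_length) != 0 ||
        uc_mem_write(emu->uc, stack_addr, emu->stack, emu->stack_length) != UC_ERR_OK) {
        fprintf(stderr, "Failed to load stack image at 0x%llx\n",
                (unsigned long long)stack_addr);
        exit(-1);
    }
}

/* Write the captured registers, then read the three pointers stored at x1
 * and populate their targets: KEY_SIZE bytes of `key` at *(x1),
 * PROTOBUF_CHUNK bytes of `protobuf` at *(x1+8), and an empty RESULT_SIZE
 * buffer at *(x1+16).  `key` must hold at least KEY_SIZE bytes and
 * `protobuf` at least PROTOBUF_CHUNK.  Exits on any failure. */
void setup_registers(MainEncryptEmulator *emu, const unsigned char* key, const unsigned char* protobuf) {
    uc_reg_write(emu->uc, UC_ARM64_REG_SP, &emu->sp);
    uc_reg_write(emu->uc, UC_ARM64_REG_X0, &emu->x0);
    uc_reg_write(emu->uc, UC_ARM64_REG_X1, &emu->x1);
    uc_reg_write(emu->uc, UC_ARM64_REG_X2, &emu->x2);
    uc_reg_write(emu->uc, UC_ARM64_REG_X3, &emu->x3);
    uc_reg_write(emu->uc, UC_ARM64_REG_X4, &emu->x4);

    uint64_t val[3];
    if (uc_mem_read(emu->uc, emu->x1, val, sizeof(val)) != UC_ERR_OK) {
        fprintf(stderr, "Failed to read memory at 0x%llx\n",
                (unsigned long long)emu->x1);
        exit(-1);
    }
    /* Keep the exact pointers: the original page-rounded them in place, so
     * the data was written to the page base and debugger() read from it. */
    emu->x1_1_address = val[0];
    emu->x1_2_address = val[1];
    emu->x1_3_address = val[2];

    /* Write only the bytes the caller actually owns; the original wrote the
     * page-rounded mapping size from each input, reading past both buffers. */
    if (map_pages(emu->uc, emu->x1_1_address, KEY_SIZE) != 0 ||
        uc_mem_write(emu->uc, emu->x1_1_address, key, KEY_SIZE) != UC_ERR_OK) {
        fprintf(stderr, "Failed to place key at 0x%llx\n",
                (unsigned long long)emu->x1_1_address);
        exit(-1);
    }

    if (map_pages(emu->uc, emu->x1_2_address, PROTOBUF_CHUNK) != 0 ||
        uc_mem_write(emu->uc, emu->x1_2_address, protobuf, PROTOBUF_CHUNK) != UC_ERR_OK) {
        fprintf(stderr, "Failed to place protobuf chunk at 0x%llx\n",
                (unsigned long long)emu->x1_2_address);
        exit(-1);
    }

    if (map_pages(emu->uc, emu->x1_3_address, RESULT_SIZE) != 0) {
        fprintf(stderr, "Failed to map result buffer at 0x%llx\n",
                (unsigned long long)emu->x1_3_address);
        exit(-1);
    }
}

/* Build a fresh emulator, run START_ADDRESS..END_ADDRESS once over
 * (key, protobuf) and release it.  The result is printed by debugger().
 * Exits on emulation failure after printing PC and SP. */
void run_emulation(const unsigned char *key, const unsigned char *protobuf) {
    MainEncryptEmulator emu;
    uc_hook hook;
    uc_err err;

    initialize_emulator(&emu);
    setup_registers(&emu, key, protobuf);

    /* The original defined debugger() but never registered it, so reaching
     * END_ADDRESS was never observed and nothing was printed. */
    err = uc_hook_add(emu.uc, &hook, UC_HOOK_CODE, debugger, &emu, 1, 0);
    if (err != UC_ERR_OK) {
        fprintf(stderr, "uc_hook_add() failed: %u (%s)\n", err, uc_strerror(err));
        exit(-1);
    }

    err = uc_emu_start(emu.uc, emu.start_address, emu.end_address, 0, 0);
    if (err) {
        fprintf(stderr, "Failed on uc_emu_start() with error returned: %u (%s)\n",
                err, uc_strerror(err));

        uint64_t pc;
        uc_reg_read(emu.uc, UC_ARM64_REG_PC, &pc);
        uint64_t sp;
        uc_reg_read(emu.uc, UC_ARM64_REG_SP, &sp);
        fprintf(stderr, "Error at 0x%llx (SP: 0x%llx)\n",
                (unsigned long long)pc, (unsigned long long)sp);

        exit(-1);
    }

    /* Both images are re-read per run; free them here so a long protobuf
     * file does not leak one copy of the dumps per chunk. */
    uc_close(emu.uc);
    free(emu.lib);
    free(emu.stack);
}

/* Read dump/x1_1 (key) and dump/x1_2 (protobuf), then emulate once per
 * PROTOBUF_CHUNK-byte chunk until an all-zero chunk is met.
 * Returns 0 on success, -1 if an input file is missing or too short. */
int main(void) {
    size_t key_length = 0, protobuf_length = 0;
    unsigned char *key = read_file("dump/x1_1", &key_length);
    unsigned char *protobuf = read_file("dump/x1_2", &protobuf_length);

    if (!key || !protobuf) {
        fprintf(stderr, "Failed to read key or protobuf files\n");
        free(key);
        free(protobuf);
        return -1;
    }
    if (key_length < KEY_SIZE) {
        fprintf(stderr, "dump/x1_1 is %zu bytes, need at least 0x%x\n",
                key_length, (unsigned)KEY_SIZE);
        free(key);
        free(protobuf);
        return -1;
    }

    static const unsigned char zero_chunk[PROTOBUF_CHUNK] = {0};
    /* Only whole chunks are emulated; a trailing partial chunk is skipped
     * instead of being compared and written past the end of the buffer. */
    for (size_t i = 0; i + PROTOBUF_CHUNK <= protobuf_length; i += PROTOBUF_CHUNK) {
        if (memcmp(&protobuf[i], zero_chunk, PROTOBUF_CHUNK) == 0) {
            break; /* Stop if the chunk is all zeros */
        }

        run_emulation(key, &protobuf[i]);
    }

    free(key);
    free(protobuf);

    return 0;
}
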
-------------------------------------------------------------------------------- /proto/code: -------------------------------------------------------------------------------- 1 | 07048200070083000702810007022700070025002F0004002402810440032000013CE000010426E0013426FC4102E180410C2580012426F8410C258007006500413C2580390263006F00840089010000012CC08038024600010DE00338004500 2 | -------------------------------------------------------------------------------- /proto/dump/libmetasec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/dump/libmetasec -------------------------------------------------------------------------------- /proto/dump/result: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/dump/result -------------------------------------------------------------------------------- /proto/dump/stack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/dump/stack -------------------------------------------------------------------------------- /proto/dump/x1_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/dump/x1_1 -------------------------------------------------------------------------------- /proto/dump/x1_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/dump/x1_2 -------------------------------------------------------------------------------- /proto/encrypt-result-hex: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/encrypt-result-hex -------------------------------------------------------------------------------- /proto/hex: -------------------------------------------------------------------------------- 1 | 0x7bb132a880: 0x08 0xd2 0xa4 0x80 0x82 0x04 0x10 0x02 2 | 0x7bb132a888: 0x18 0xd6 0x82 0xe3 0xd2 0x0a 0x22 0x04 3 | 0x7bb132a890: 0x31 0x32 0x33 0x33 0x2a 0x13 0x37 0x32 4 | 0x7bb132a898: 0x38 0x38 0x38 0x37 0x38 0x37 0x37 0x30 5 | 0x7bb132a8a0: 0x36 0x38 0x34 0x35 0x37 0x37 0x32 0x38 6 | 0x7bb132a8a8: 0x35 0x32 0x0a 0x32 0x31 0x34 0x32 0x38 7 | 0x7bb132a8b0: 0x34 0x30 0x35 0x35 0x31 0x3a 0x06 0x33 8 | 0x7bb132a8b8: 0x31 0x2e 0x35 0x2e 0x33 0x42 0x14 0x76 9 | 0x7bb132a8c0: 0x30 0x34 0x2e 0x30 0x35 0x2e 0x30 0x30 10 | 0x7bb132a8c8: 0x2d 0x6f 0x76 0x2d 0x61 0x6e 0x64 0x72 11 | 0x7bb132a8d0: 0x6f 0x69 0x64 0x48 0xc0 0x80 0xa8 0x40 12 | 0x7bb132a8d8: 0x52 0x08 0x00 0x02 0x00 0x00 0x00 0x00 13 | 0x7bb132a8e0: 0x00 0x00 0x60 0xaa 0xfd 0x83 0xd9 0x0c 14 | 0x7bb132a8e8: 0x6a 0x06 0x10 0x6e 0x34 0xa2 0xb8 0xc7 15 | 0x7bb132a8f0: 0x72 0x06 0x20 0x2d 0xbf 0xbe 0x8c 0x6d 16 | 0x7bb132a8f8: 0x7a 0x11 0x08 0x06 0x20 0xcc 0x01 0x28 17 | 0x7bb132a900: 0xf0 0x03 0x30 0x9c 0x0a 0x38 0xb4 0xf6 18 | 0x7bb132a908: 0x83 0xd9 0x0c 0x82 0x01 0x19 0x41 0x70 19 | 0x7bb132a910: 0x66 0x59 0x73 0x32 0x37 0x4f 0x65 0x71 20 | 0x7bb132a918: 0x4f 0x5f 0x37 0x75 0x5f 0x2d 0x30 0x70 21 | 0x7bb132a920: 0x6f 0x46 0x67 0x47 0x50 0x4d 0x70 0x88 22 | 0x7bb132a928: 0x01 0xaa 0xfd 0x83 0xd9 0x0c 0xa2 0x01 23 | 0x7bb132a930: 0x04 0x6e 0x6f 0x6e 0x65 0xa8 0x01 0xe2 24 | 0x7bb132a938: 0x05 0xba 0x01 0x23 0x0a 0x0d 0x4f 0x4e 25 | 0x7bb132a940: 0x45 0x50 0x4c 0x55 0x53 0x20 0x41 0x35 26 | 0x7bb132a948: 0x30 0x30 0x30 0x10 0x0a 0x1a 0x0a 0x67 27 | 0x7bb132a950: 0x6f 0x6f 0x67 0x6c 0x65 0x70 0x6c 0x61 28 | 0x7bb132a958: 0x79 0x20 0x80 
0xf0 0x83 0xc5 0x01 0xc2 29 | 0x7bb132a960: 0x01 0x84 0x01 0x4d 0x44 0x47 0x6b 0x47 30 | 0x7bb132a968: 0x35 0x6e 0x54 0x70 0x48 0x49 0x50 0x4c 31 | 0x7bb132a970: 0x54 0x77 0x78 0x68 0x44 0x35 0x70 0x77 32 | 0x7bb132a978: 0x39 0x54 0x6c 0x7a 0x72 0x4e 0x35 0x48 33 | 0x7bb132a980: 0x6e 0x64 0x33 0x56 0x44 0x49 0x76 0x70 34 | 0x7bb132a988: 0x66 0x59 0x4f 0x54 0x30 0x76 0x63 0x4b 35 | 0x7bb132a990: 0x78 0x32 0x46 0x46 0x32 0x42 0x72 0x51 36 | 0x7bb132a998: 0x51 0x41 0x76 0x51 0x52 0x72 0x34 0x66 37 | 0x7bb132a9a0: 0x55 0x33 0x72 0x33 0x2b 0x34 0x45 0x49 38 | 0x7bb132a9a8: 0x41 0x4c 0x41 0x77 0x68 0x4f 0x62 0x38 39 | 0x7bb132a9b0: 0x30 0x4b 0x43 0x53 0x76 0x65 0x6b 0x57 40 | 0x7bb132a9b8: 0x51 0x75 0x65 0x6b 0x6a 0x53 0x55 0x51 41 | 0x7bb132a9c0: 0x37 0x64 0x55 0x66 0x38 0x52 0x2b 0x6d 42 | 0x7bb132a9c8: 0x68 0x52 0x44 0x38 0x53 0x46 0x6e 0x71 43 | 0x7bb132a9d0: 0x73 0x6b 0x4a 0x44 0x37 0x7a 0x6b 0x72 44 | 0x7bb132a9d8: 0x69 0x39 0x45 0x4d 0x79 0x72 0x62 0x37 45 | 0x7bb132a9e0: 0x64 0x50 0x4e 0x5a 0x66 0x49 0x3d 0xc8 46 | 0x7bb132a9e8: 0x01 0x06 0xd2 0x01 0x10 0x08 0x08 0x12 47 | 0x7bb132a9f0: 0x0c 0x35 0xec 0xc2 0x24 0x39 0xe4 0x87 48 | 0x7bb132a9f8: 0xf9 0xc2 0x05 0x65 0x43 0xe0 0x01 0xf0 49 | 0x7bb132aa00: 0x07 50 | 51 | -------------------------------------------------------------------------------- /proto/hexdump.sh: -------------------------------------------------------------------------------- 1 | cat hex | cut -c 15- | sed 's/0x//g' | tr '\n' ' ' | sed 's/ //g' > out 2 | -------------------------------------------------------------------------------- /proto/jmp_table1: -------------------------------------------------------------------------------- 1 | 1D00C1000000D9001D001D00330000001D02800048001D001D001D02000048001D021D020000F900000033001D001D001D001D0248001D021D020000000033005B001D0233001D0230011D020000800033001D021D021D021D0200005B005B003E011D02000048001D024F010000000033005B001D0200001D0233005D013300 2 | 
-------------------------------------------------------------------------------- /proto/jmp_table2: -------------------------------------------------------------------------------- 1 | 0000A001A001A0016E017101A001A001A001A001A00176017B01A001A001A001A001A001A0018201A001A00188018C01AB01 2 | -------------------------------------------------------------------------------- /proto/jmp_table3: -------------------------------------------------------------------------------- 1 | 00000B020B020B020B0257010B020B020B020B020B020B025A010B020B020B025D010B0200000B020B020B020B020B020B020B020B0260016E010B020B020B020B020B020B020B0271010B020B020B020B020B020B0274010B020B020B020B0277010B020B020B0280018D01 2 | -------------------------------------------------------------------------------- /proto/jmp_table4: -------------------------------------------------------------------------------- 1 | 0000D801D801D801D801D801D801D801D801D801D801D801D801D801D8015D01D801D801D801D801D801D801D801D801D8016001D801D8016C01D801D801D801D801D8017901D801D801D801D801D801D801D801D801D801D801D801D801D801D801D8018701D801D801D801D8018A01D8019701 2 | -------------------------------------------------------------------------------- /proto/key-hex: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tsarpaul/tiktok-x-argus/1743467bcfcac0e7454ca0f0da0b8163704e004f/proto/key-hex -------------------------------------------------------------------------------- /proto/new-proto-decoded: -------------------------------------------------------------------------------- 1 | 1: 1077940818 2 | 2: 2 3 | 3: 1185963504 4 | 4: {"1233"} 5 | 5: {"7288878770684577285"} 6 | 6: {"2142840551"} 7 | 7: {"31.5.3"} 8 | 8: {"v04.05.00-ov-android"} 9 | 9: 134873152 10 | 10: {`3403000000000000`} 11 | 12: 3409866316 12 | 13: {"ytKqpk"} 13 | 14: { 14 | 11:SGROUP 15 | 1: -23517.107i32 # 0xc6b7ba37i32 16 | } 17 | 15: { 18 | 1: 558 19 | 2: 4 20 | 4: 208 21 | 5: 496 22 | 6: 1312 23 | 7: 
3409863296 24 | } 25 | 16: {"ApfYs27OeqO_7u_-0poFgGPMp"} 26 | 17: 3409866316 27 | 20: {"none"} 28 | 21: 738 29 | 23: { 30 | 1: {"ONEPLUS A5000"} 31 | 2: 10 32 | 3: {"googleplay"} 33 | 4: 413202432 34 | } 35 | 24: { 36 | "MDGkG5nTpHIPLTwxhD5pw9TlzrN5Hnd3VDIvpfYOT0vcKx2FF2BrQQAvQRr4fU3r3+4EIALAwhOb80KC" 37 | "SvekWQuekjSUQ7dUf8R+mhRD8SFnqskJD7zkri9EMyrb7dPNZfI=" 38 | } 39 | 25: 8 40 | 26: { 41 | 1: 8 42 | 2: {`43988c770490aee8a12a49df`} 43 | } 44 | 28: 1008 45 | 46 | -------------------------------------------------------------------------------- /proto/outproto: -------------------------------------------------------------------------------- 1 | 1: 1077940818 2 | 2: 2 3 | 3: 43581862 4 | 4: {"1233"} 5 | 5: {"7288878770684577285"} 6 | 6: {"2142840551"} 7 | 7: {"31.5.3"} 8 | 8: {"v04.05.00-ov-android"} 9 | 9: 134873152 10 | 10: {`0000000000000000`} 11 | 12: 3401054666 12 | 13: {`106e34a2b8c7`} 13 | 14: {`a8e343a40336`} 14 | 15: { 15 | 1: 80 16 | 4: 236 17 | 5: 260 18 | 6: 810 19 | 7: 3401054578 20 | } 21 | 16: {"ApfYs27OeqO_7u_-0poFgGPMp"} 22 | 17: 3401054666 23 | 20: {"none"} 24 | 21: 738 25 | 23: { 26 | 1: {"ONEPLUS A5000"} 27 | 2: 10 28 | 3: {"googleplay"} 29 | 4: 413202432 30 | } 31 | 24: { 32 | "MDGkG5nTpHIPLTwx1mthloTjzLwuFXB8VDV+9PcMGkmGeRfTRG05RwV1FU34eE3r3ucOIwTDwBGY80KC" 33 | "T/agUArBlWKUTLIGLcR+nxJL8Xhk/sEJWu3m9HFCNincutXJZfI=" 34 | } 35 | 25: 8 36 | 26: { 37 | 1: 2 38 | 2: {`074fc522375f6799de8a929f`} 39 | } 40 | 28: 1008 41 | -------------------------------------------------------------------------------- /proto/proto: -------------------------------------------------------------------------------- 1 | 
08d2a4808204100218f0bbc1b5042204313233332a1337323838383738373730363834353737323835320a323134323834303535313a0633312e352e3342147630342e30352e30302d6f762d616e64726f696448c080a8405208340300000000000060ccdcf9d90c6a0679744b71706b72065b0d37bab7c67a1408ae04100420d00128f00330a00a3880c5f9d90c820119417066597332374f65714f5f37755f2d30706f466747504d708801ccdcf9d90ca201046e6f6e65a801e205ba01230a0d4f4e45504c5553204135303030100a1a0a676f6f676c65706c61792080f083c501c20184014d44476b47356e54704849504c547778684435707739546c7a724e35486e6433564449767066594f543076634b78324646324272515141765152723466553372332b344549414c4177684f6238304b435376656b575175656b6a5355513764556638522b6d6852443853466e71736b4a44377a6b726939454d7972623764504e5a66493dc80108d201100808120c43988c770490aee8a12a49dfe001f007 2 | -------------------------------------------------------------------------------- /proto/proto-cmd.sh: -------------------------------------------------------------------------------- 1 | xxd -r -ps proto | protoscope 2 | -------------------------------------------------------------------------------- /proto/proto-decoded: -------------------------------------------------------------------------------- 1 | 1: 1077940818 = argus header (const) 2 | 2: 2 = argus version (const) 3 | 3: 1507028614 = random? 4 | 4: {"1233"} = appId 5 | 5: {"7288878770684577285"} = const, has to do with deviceId? 6 | 6: {"2142840551"} = licenseId (const) 7 | 7: {"31.5.3"} = appVersion (const) 8 | 8: {"v04.05.00-ov-android"} = MSSDKVersion (const) 9 | 9: 134873152 = MSSDKVersionCode 10 | 10: {`0002000000000000`} = unknown10 (spotted being 0000000000000000) 11 | 12: 3401036926 = ts<<1 12 | 13: {`106e34a2b8c7`} = data_sm3 13 | 14: {`819a5827f4ee`} = url_params_sm3 14 | 15: { 15 | 1: 74 = TODO 16 | 4: 236 = TODO 17 | 5: 260 = TODO 18 | 6: 808 = TODO 19 | 7: 3401036878 = TODO, has to do with ts it seems 20 | } 21 | 16: {"ApfYs27OeqO_7u_-0poFgGPMp"} = hash calculated earlier, const; I think I saw AonA5lMAipOb79vijCaYW5VMA? 
22 | 17: 3401036926 = ts<<1 23 | 20: {"none"} = unknown20 (const) 24 | 21: 738 = unknown21 (const) 25 | 23: { 26 | 1: {"ONEPLUS A5000"} = const 27 | 2: 10 = ? const 28 | 3: {"googleplay"} = const 29 | 4: 413202432 = ? const 30 | } 31 | 24: { = TODO 32 | "MDGkG5nTpHIPLTwx1mthloTjzLwuFXB8VDV+9PcMGkmGeRfTRG05RwV1FU34eE3r3ucOIwTDwBGY80KC" 33 | "T/agUArBlWKUTLIGLcR+nxJL8Xhk/sEJWu3m9HFCNincutXJZfI=" 34 | } 35 | 25: 8 = TODO 36 | 26: { 37 | 1: 2 = ? (3rd hashed string + shift left 1?) 38 | 2: {`2aeaf2b21afa5009709e793c`} = hash from line 100/line 142 manipulation 39 | } 40 | 28: 1008 = const 41 | -------------------------------------------------------------------------------- /proto/vm: -------------------------------------------------------------------------------- 1 | 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 2 | -------------------------------------------------------------------------------- /research: -------------------------------------------------------------------------------- 1 | goal: 2 | 1. find how libsscornet speaks with libmetasec_ov.so 3 | 2. debug those communications 4 | 5 | side goals: 6 | 1. find a way to trace calls from other libraries into 7 | 2. setup cluster breakpoints with -N, EXCLUDE disactivity thread. 
8 | maybe we can get better stacktraces 9 | 10 | Tools: 11 | automatic command population 12 | 13 | * thread #40, name = 'DisActivityM-1', stop reason = breakpoint 860.1 14 | * frame #0: 0x0000007e3bc1c000 libmetasec_ov.so`___lldb_unnamed_symbol5136 + 256 15 | frame #1: 0x0000007e3bc14714 libmetasec_ov.so`___lldb_unnamed_symbol4745 + 416 16 | frame #2: 0x0000007e3bc1e8a4 libmetasec_ov.so`___lldb_unnamed_symbol5314 + 252 17 | frame #3: 0x0000007ef1c1dfcc libc.so`__pthread_start(void*) + 40 18 | frame #4: 0x0000007ef1bb196c libc.so`__start_thread + 72 19 | 20 | commands: 21 | ./lldb-server p --listen 0.0.0.0:10000 22 | b -s libmetasec_ov.so -a 0xcd000 -C "bt" --one-shot 1 --auto-continue 1 23 | b -s libsscronet.so -a 0x3ffdc0 24 | x -s4 -fx -c4 0x0000007e3bc1c130 25 | 26 | cronet: 27 | 0x94c00 28 | 0x95b00 29 | 0x95100 30 | 0x96a00 31 | 0x2d500 32 | 0xcc100 33 | 0xcc600 34 | 0x2e400 35 | 0x3d400 36 | 37 | Used in push (notifications?) process: 38 | Cronet - 0x3ffdc0: 39 | Websocket? 40 | X-Cylons: 41 | jumps to metasec: 0x76d91a3e70->0x95e70->0x95f00->0x95f90->0x96024->0x96088->0x96094 42 | returns (X0): X-Cylons\r\nRcUhvFYl+rtyo3OztGWpbneU\r\n 43 | 44 | -- Useful info: 45 | aid=1233 46 | version=v04.05.00? 47 | secret=corp;90Xc215:sse? 48 | 49 | -- TODO: 50 | check cronet[0x3e88ac] 51 | consider debugging new threads? 52 | 53 | investigate: 0x000000737c71d954 (0x96954) 54 | 55 | functions to investigate on metasec (those with decryption): 56 | B9120 57 | 58 | -- ARGUS FUNCTION: 59 | x5 contains in wide string: 60 | g4dBX5jw9FAK0z6nB78ESysPhVT4PZxEJp8Fw4iJQCYIf5rhWEA9aCwZn2rPx-iuTOOB9B7wljOptTKe0dutu07HxCKyoEyl1r; msToken=Dl0g4G3hp7N3B3gZxhjr6L2uMu7TRz4ecUNxl8rHkHk9w5H7nxFjMe3ETDAQJzT01h5x6sYIfRi67E4zEeLCMtB4FKz TmuBY1Gc3uMYE5cwkpUbS075io8KuP7Jg 61 | x21 contains url 62 | x22 contains cookies 63 | 64 | 65 | DEBUG FIRST BLOCK MORE THOROUGHLY! 66 | 67 | cronet req: 68 | 0x23cb672c 69 | ... 
70 | 0xe19414c9-->95218/**94F8C**/94A9C 71 | 0xe6bb0864 72 | 73 | Next step: 74 | figure what each block does 75 | 76 | secblock: 77 | 0x23cb672c - secblock1 (init) 78 | 0xde6ee159 - secblock2 - does nothing 79 | 0x7a852b69 - secblock3 - interesting 80 | 0xa95cc278 - secblock4 - 1 minor function, doesnt seem interesting 81 | 0xeb134a51 - secblock5 -- 21x - copying? 82 | 0xb42a1441 - secblock6 -- 21x - copying? 83 | 0xd44f57e1 - secblock7 -- 21x - copying? 84 | 0xe19414c9 - secblock8 - not interesting 85 | 0xe6bb0864 - secblock9 - does nothing 86 | 87 | headblock: 88 | 89 | 0xe465c564 - headblock2 - not interesting 90 | 0xc46808dc - headblock3 - not interesting 91 | 0x1bc4fa5d - headblock4 - interesting 92 | 0x2bc79262 - headblock5 - short encryption? 93 | 0xc4baa443 - headblock6 - interesting -> creates secheaders (0x3b984) 94 | 0x5c0b07bd - headblock7 - short encryption? 95 | 0xc430fece - headblock8 - not interesting 96 | 0x625cca1a - headblock9 - interesting 97 | 0xfb5272c0 - headblock10 - not interesting 98 | 0x8c0db5ae - headblock11 - same as headblock9 99 | 0x796540a6 - headblock12 - not interesting 100 | 0x8b522469 - headblock13 - same as headblock9 101 | 0xd91b380c - headblock14 - short encryption? 
102 | 0xe01d7a61 - headblock15 - like headblock9/13 but with two func calls 103 | 0xb1776650 - headblock16 - end 104 | 105 | setprop debug.db.uid 32767 (default null) 106 | 107 | inner_secheaders: 108 | 0xa10fa29c - init 109 | 0xe896558c - 1 110 | 0x85d827c2 - 2 111 | 0x4bcd6aac - 3 112 | 0x76fcfb71 - 4 113 | 0xbc9fd311 - 5 114 | 0xe142a4ea - 6 115 | 0x3b3f24b5 - 7 116 | 0xb6d27258 - 8 117 | 0x33422b18 - 9 118 | 0x9bda97bd - 10 119 | 0x9556e66c - 11 - main block 120 | 0x11b22bcf 121 | 0x4a60654b 122 | 0x9558cd48 123 | 0x9bfdb7e3 124 | 0xb939795b 125 | 0xee92f197 126 | 0xfa874e22 127 | 0x14e3efa1 128 | 0x2b72a516 - 21 - 129 | 0x40dc9196 - 22 - registers 130 | 0xedbdd1c2 - 23 - vital registers 131 | 0xcf721dbe - 24 - registers 132 | 0x7f6ae558 - 25 - important (decryption) 133 | 0x1da9cd56 - 26 - registers 134 | 0x402286bc - 27 - delete block 135 | 136 | blabla: 137 | 0x8ab374d9 - init 138 | blabla7 - interesting, decryption? 139 | blabla19 + blabla20 - loop 140 | blabla20 - interesting a loop with strings 141 | TODO: finish this 142 | 143 | Interim conclusions: 144 | 1. When researching new code, you MUST declare structs ASAP. TBD: How to track them properly during debugging. 145 | 2. Create aliases to help you out with repetetive code, e.g. extracting the X-Argus header: 146 | *(long*)(*(long*)(*(long*)(0x7cbca56ff0+0x20))+0x10) 147 | 148 | globalStruct: deref x0 (globalStruct ptr) first: 149 | *(long*)(*(long*)(*(long*)(*(long*)($x0)+0x20))+0x10) 150 | 151 | 152 | I need to find a new way to reverse this stuff. 153 | Maybe put breakpoints after the decryption? 154 | 155 | signkey: 2142840551? 156 | 157 | *** X-GORGON *** 158 | raw: 159 | 4 byte: first 4 bytes in hex of the md5 digest of the url parameters (e.g. host=api16-core.tiktokv.com&ttl=1&aid=1233&p=android&did=7288878770684577285&f=0&cache_stale_reason=-1&cache_expire_time_delta=-1&sdk_id=0) 160 | 8 byte: 0x00 161 | 4 byte: 0x4050020 (0x20 0x00 0x05 0x04) 162 | 4 byte: big endian timestamp (e.g. 
0x65 0x3e 0xb8 0x00) 163 | 164 | final: 165 | header1(4): 8404 166 | header2(4): 2 random hex bytes (1st divisible by 4): 2x{random_number:02x} 167 | header3(4): Comes from outer thread, TBD. So far seen: 1401/1403/0000/0002 168 | 0000 - logs/static stuff(e.g. package info) 169 | 0002 - logs 170 | 1401 - normal requests 171 | hash(40): 172 | 173 | I need var_230 174 | 175 | gorgon_buf: 176 | 4a seed1 16 rand1 47 6c seed2 rand2(div_4) 177 | 178 | 179 | 180 | 0x9dbec-> 181 | 1:0x9e19c->memcpy - of size 0x118 not sure the point 182 | 2,3:0x9dc4c->new string of size 0x8 183 | 4:0x9df50->scaryjmptbl-> input: {ptr1: idk, ptr2: url params string, ptr3: not sure if part of struct..} 184 | 1: 0x9e1b8 (extend url_params string) 185 | 2: 0x9e1e8->seems like it encrypts soemthing->scaryjmptbl->ret; x1 = ptr of url_params buf -- > ENCRYPT_AND_HASH 186 | 3: 0x9dc20 (new string) -> {string_obj, string_buf, size} -> creates string from encrypted buf probably 187 | 5: 0x9e22c (string::assign) -> x1 = ptr of encrypted shit of length 0x20, assigns to $x1+0x10 188 | 6: 0x9dd0c (string::destroy) -> x1 = old string 189 | 7: 0x9df50->scaryjmptbl -> x1 = empty string of length 0x10 190 | 1: 0x9e1b8 (struct unpack) 191 | 2: 0x9e1e8->scaryjmptbl 192 | 8:0x9dc20 (new string) -> {string_obj, string_buf, size} 193 | 9:ret 194 | other invocations: 0x9e998/0x9dd0c 195 | 0x9e998->decrypt_func_3->eor_thingy 196 | 197 | 0x9e24c - struct unpack: *($x1+0x8)=*(*(x0)+0xd0) = 0x1f8 on my test 198 | 0x9e1ac - string init, not sure which 199 | 0x9e25c - debug this, seems like some mtp copying 200 | 0x9e1dc - MTP copy of a complex struct 201 | 0x9e270 - MTP check over 0x112800? not sure 202 | 0x9dca4 - release str in MTP ("1233", this is also aid) 203 | 0x9dc7c - dereference MTP (-> "1233") and place in $x1+8 204 | 0x9e22c - string assign (1233) 205 | 0x9e290 - rand 206 | 207 | Special Argus VM commands: 208 | $x22 (e.g. 
0x9dbec, this is initial $x2) - external call, dynamic (ptr to this is checked) 209 | $x19 (frame from last call) - RET (ptr to this is checked) 210 | 211 | 212 | -------------------------------------------------------------------------------- /run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | pid=$(adb shell ps -A | grep musically | awk -F ' ' '{print $2}' | head -n 1) 3 | frida -l ./script.js -U -p$pid 4 | -------------------------------------------------------------------------------- /script.js: -------------------------------------------------------------------------------- 1 | var mod = Process.getModuleByName("libmetasec_ov.so"); 2 | var baseAddr = mod.base; 3 | var sz = mod.size; 4 | console.log(baseAddr); 5 | console.log(sz); 6 | 7 | // for every 100 bytes, try place a breakpoint 8 | for (var i = 0; i < sz; i += 1000) { 9 | var addr = baseAddr.add(i); 10 | try{ 11 | Interceptor.attach(addr, { 12 | onEnter: function(args) { 13 | console.log("Hit: " + addr); 14 | var offset = addr - baseAddr; 15 | if(offset == 1511000){ 16 | // dump the memory at the address 17 | console.log(hexdump(addr.sub(24), { 18 | offset: 0, 19 | length: 64, 20 | header: true, 21 | ansi: true 22 | })); 23 | } 24 | } 25 | }); 26 | console.log("Attached: " + addr); 27 | } catch(err){} 28 | } 29 | 30 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | import lldb 2 | import subprocess 3 | import os 4 | import struct 5 | from time import sleep 6 | 7 | def pack_reg(exe_ctx, f, reg): 8 | reg = exe_ctx.frame.FindRegister(reg).value 9 | reg = int(reg, 16) 10 | b = struct.pack(' [outfile]') 240 | return 241 | start_addr = int(args[0], 16) 242 | size = int(args[1], 16) 243 | outfile = 'dump.bin' 244 | if len(args) == 3: outfile = args[2] 245 | 246 | addr = lldb.SBAddress(start_addr, exe_ctx.target) 247 | memory = 
exe_ctx.target.ReadMemory(addr, size, lldb.SBError()) 248 | with open(outfile, 'wb') as f: f.write(memory) 249 | 250 | def __lldb_init_module(debugger, internal_dict): 251 | debugger.HandleCommand('command script add -o -f setup.tiktok_connect tiktok_connect') 252 | debugger.HandleCommand('command script add -o -f setup.addrs addrs') 253 | debugger.HandleCommand('command script add -o -f setup.vm vm') 254 | debugger.HandleCommand('command script add -o -f setup.vc vc') 255 | debugger.HandleCommand('command script add -o -f setup.jmp_c jmp_c') 256 | debugger.HandleCommand('command script add -o -f setup.jmp_str jmp_str') 257 | debugger.HandleCommand('command script add -o -f setup.new_bp new_bp') 258 | debugger.HandleCommand('command script add -o -f setup.new_bp_log new_bp_log') 259 | debugger.HandleCommand('command script add -o -f setup.sigstuff sigstuff') 260 | debugger.HandleCommand('command script add -o -f setup.appup appup') 261 | debugger.HandleCommand('command script add -o -f setup.dump dump') 262 | debugger.HandleCommand('command script add -o -f setup.dumpit dumpit') 263 | debugger.HandleCommand('command script add -o -f setup.log_jmp_tbl log_jmp_tbl') 264 | print('Commands installed: tiktok_connect, addrs, vm, vc, jmp_c, jmp_str, new_bp, new_bp_log, sigstuff, appup, dump, dumpit, log_jmp_tbl') 265 | 266 | debugger.HandleCommand('command alias bm b -s libmetasec_ov.so -a') 267 | debugger.HandleCommand('command alias vma vm $pc') 268 | print('Aliases added: bm, vma') 269 | 270 | debugger.HandleCommand("command regex ref 's/(.+)/memory read --gdb-format 4gx *(long*)(%1)/'") 271 | print('Macros added: ref') 272 | 273 | 274 | -------------------------------------------------------------------------------- /trace: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | pid=$(adb shell ps -A | grep musically | awk -F ' ' '{print $2}' | head -n 1) 3 | echo "frida-trace -U -p$pid $@" 4 | frida-trace -U -p$pid $@ 5 | # 
print all arguments with echo 6 | -------------------------------------------------------------------------------- /utils/cut.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cat string | cut -c 14- | sed 's/0x//g' | sed 's/ //g' | tr -d '\n' 3 | -------------------------------------------------------------------------------- /utils/string: -------------------------------------------------------------------------------- 1 | 0x7baeca3040: 0x08 0xd2 0xa4 0x80 0x82 0x04 0x10 0x02 2 | 0x7baeca3048: 0x18 0xf0 0xbb 0xc1 0xb5 0x04 0x22 0x04 3 | 0x7baeca3050: 0x31 0x32 0x33 0x33 0x2a 0x13 0x37 0x32 4 | 0x7baeca3058: 0x38 0x38 0x38 0x37 0x38 0x37 0x37 0x30 5 | 0x7baeca3060: 0x36 0x38 0x34 0x35 0x37 0x37 0x32 0x38 6 | 0x7baeca3068: 0x35 0x32 0x0a 0x32 0x31 0x34 0x32 0x38 7 | 0x7baeca3070: 0x34 0x30 0x35 0x35 0x31 0x3a 0x06 0x33 8 | 0x7baeca3078: 0x31 0x2e 0x35 0x2e 0x33 0x42 0x14 0x76 9 | 0x7baeca3080: 0x30 0x34 0x2e 0x30 0x35 0x2e 0x30 0x30 10 | 0x7baeca3088: 0x2d 0x6f 0x76 0x2d 0x61 0x6e 0x64 0x72 11 | 0x7baeca3090: 0x6f 0x69 0x64 0x48 0xc0 0x80 0xa8 0x40 12 | 0x7baeca3098: 0x52 0x08 0x34 0x03 0x00 0x00 0x00 0x00 13 | 0x7baeca30a0: 0x00 0x00 0x60 0xcc 0xdc 0xf9 0xd9 0x0c 14 | 0x7baeca30a8: 0x6a 0x06 0x79 0x74 0x4b 0x71 0x70 0x6b 15 | 0x7baeca30b0: 0x72 0x06 0x5b 0x0d 0x37 0xba 0xb7 0xc6 16 | 0x7baeca30b8: 0x7a 0x14 0x08 0xae 0x04 0x10 0x04 0x20 17 | 0x7baeca30c0: 0xd0 0x01 0x28 0xf0 0x03 0x30 0xa0 0x0a 18 | 0x7baeca30c8: 0x38 0x80 0xc5 0xf9 0xd9 0x0c 0x82 0x01 19 | 0x7baeca30d0: 0x19 0x41 0x70 0x66 0x59 0x73 0x32 0x37 20 | 0x7baeca30d8: 0x4f 0x65 0x71 0x4f 0x5f 0x37 0x75 0x5f 21 | 0x7baeca30e0: 0x2d 0x30 0x70 0x6f 0x46 0x67 0x47 0x50 22 | 0x7baeca30e8: 0x4d 0x70 0x88 0x01 0xcc 0xdc 0xf9 0xd9 23 | 0x7baeca30f0: 0x0c 0xa2 0x01 0x04 0x6e 0x6f 0x6e 0x65 24 | 0x7baeca30f8: 0xa8 0x01 0xe2 0x05 0xba 0x01 0x23 0x0a 25 | 0x7baeca3100: 0x0d 0x4f 0x4e 0x45 0x50 0x4c 0x55 0x53 26 | 0x7baeca3108: 0x20 0x41 0x35 0x30 0x30 0x30 0x10 
0x0a 27 | 0x7baeca3110: 0x1a 0x0a 0x67 0x6f 0x6f 0x67 0x6c 0x65 28 | 0x7baeca3118: 0x70 0x6c 0x61 0x79 0x20 0x80 0xf0 0x83 29 | 0x7baeca3120: 0xc5 0x01 0xc2 0x01 0x84 0x01 0x4d 0x44 30 | 0x7baeca3128: 0x47 0x6b 0x47 0x35 0x6e 0x54 0x70 0x48 31 | 0x7baeca3130: 0x49 0x50 0x4c 0x54 0x77 0x78 0x68 0x44 32 | 0x7baeca3138: 0x35 0x70 0x77 0x39 0x54 0x6c 0x7a 0x72 33 | 0x7baeca3140: 0x4e 0x35 0x48 0x6e 0x64 0x33 0x56 0x44 34 | 0x7baeca3148: 0x49 0x76 0x70 0x66 0x59 0x4f 0x54 0x30 35 | 0x7baeca3150: 0x76 0x63 0x4b 0x78 0x32 0x46 0x46 0x32 36 | 0x7baeca3158: 0x42 0x72 0x51 0x51 0x41 0x76 0x51 0x52 37 | 0x7baeca3160: 0x72 0x34 0x66 0x55 0x33 0x72 0x33 0x2b 38 | 0x7baeca3168: 0x34 0x45 0x49 0x41 0x4c 0x41 0x77 0x68 39 | 0x7baeca3170: 0x4f 0x62 0x38 0x30 0x4b 0x43 0x53 0x76 40 | 0x7baeca3178: 0x65 0x6b 0x57 0x51 0x75 0x65 0x6b 0x6a 41 | 0x7baeca3180: 0x53 0x55 0x51 0x37 0x64 0x55 0x66 0x38 42 | 0x7baeca3188: 0x52 0x2b 0x6d 0x68 0x52 0x44 0x38 0x53 43 | 0x7baeca3190: 0x46 0x6e 0x71 0x73 0x6b 0x4a 0x44 0x37 44 | 0x7baeca3198: 0x7a 0x6b 0x72 0x69 0x39 0x45 0x4d 0x79 45 | 0x7baeca31a0: 0x72 0x62 0x37 0x64 0x50 0x4e 0x5a 0x66 46 | 0x7baeca31a8: 0x49 0x3d 0xc8 0x01 0x08 0xd2 0x01 0x10 47 | 0x7baeca31b0: 0x08 0x08 0x12 0x0c 0x43 0x98 0x8c 0x77 48 | 0x7baeca31b8: 0x04 0x90 0xae 0xe8 0xa1 0x2a 0x49 0xdf 49 | 0x7baeca31c0: 0xe0 0x01 0xf0 0x07 50 | --------------------------------------------------------------------------------