loop.txt

0x9e19c - memcpy
0x9dc4c - new string size=0x8 - this later gets assigned "1233"
0x9dc4c - new string size=0x8 - this later gets assigned "1233"
0x9df50 - scaryjmptbl1 - x0: ptr to url params, x8: output ptr (0x20 length string)
    0x9e1b8 - struct unpack
    0x9e1e8 - sm3_encrypt - x0: ptr to url params, x1: url params length, x2: ptr to output (0x20 length).
0x9dc20 - new_string
0x9e22c - string::assign
0x9dd0c - string::destroy
0x9df50 - scaryjmptbl1 - x0: ptr to string with length 0x10 but its zeroed out, x8: output ptr (0x20 length string)
    0x9e1b8 - struct unpack
    0x9e1e8 - sm3_encrypt - x0: zeroed string, x1: length (0x10), x2: output ptr to string, will always be: 106e34a2b8c7bb13156cfdd0d91379dcc47543dcf9787c68ae5eb582620ae6e8
0x9dc20 - new_string - new string from line 12
0x9e22c - string::assign
0x9dd0c - string::destroy
0x9e24c - struct unpack2
0x9e1ac - string::init
0x9e25c - MTP::Copy_mutex
0x9e1dc - MTP::Copy
0x9e270 - MTP something
0x9dca4 - MTP release string
0x9dc7c - dereference_MTP -> "1233"
0x9e22c - string::assign
0x9e290 - rand
0x9e2a8 - MTP::Copy_mutex
0x9e2bc - MTP::Copy_mutex
0x9e1ac - string::init
0x9e1dc - MTP::Copy
0x9e270 - MTP something
0x9dca4 - MTP release string
0x9dc7c - dereference_MTP -> "7288878770684577285"
0x9e22c - string::assign
0x9e2d0 - dereference_MTP_twice -> one of the derefs produces "1233"
0x9e31c - MTP::Copy_mutex
0x9e328 - dereference_MTP -> ptr to some class
0x9e344 - MTP::Copy
0x9e358 - MTP delete
0x9dcac - dereference_MTP -> "2142840551" (const)
0x9e360 - inarg_loop - return app consts: x8: ptr to ptr that filled with app version on output (31.5.3), x0 - array of strings, first contains x8, second contains ptr to "2142840551" (licenseId)
0x9dcac - dereference_MTP -> some class with strings??
0x9e374 - generate_const_ -> 0x04050020 (Argus Version, gets reduced to 0x2 later)
0x9e38c - decrypt_something -> android version (v04.05.00-ov-android)
0x9e1b8 - struct unpack -> 0x00000008, not sure what use
0x9e19c - memcpy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e3a4 - get_sign_key -> is this get_sign_class?
0x9e3bc - deref_sign_key
0x9e1ac - string::init - init "sign" string 
0x9e3d8 - TODO: debug init_export_class - x0: output struct from line 51, x1: "sign" string, returns length of something (0x23)
0x9dd0c - string::destroy
0x9e3a4 - get_sign_key
0x9e3bc - deref_sign_key
0x9e1ac - string::init - init "setting" string
0x9e3d8 - TODO (doesnt seem serious)
0x9dd0c - string::destroy
0x9e3a4 - get_sign_key
0x9e3bc - deref_sign_key
0x9e1ac - string::init - init "report" string
0x9e3d8
0x9dd0c - string::destroy
0x9e3a4 - get_sign_key
0x9e3bc - deref_sign_key
0x9e1ac - string::init - init "reportFail" string
0x9e3d8
0x9dd0c - string::destroy
0x9e3f8 - string::is_eq - "1233" and "3019"
0x9e3f8 - string::is_eq - "1233" and null
0x9e3a4 - get_sign_key
0x9e3bc - deref_sign_key
0x9dc98 - string::copy - "1233" to empty
0x9e41c - multithread_init_shit
0x9e438 - dereference_6c - dereference x0+0x6c, returns 0x1 when i ran this
0x9e454 - TODO: debug - x0 = struct from 74??, x1="1233", w2=0, w3=1, returns w0=0x82 -> field15.5=this<<1
0x9dd0c - string::destroy
0x9e3a4 - get_sign_key
0x9e3bc - deref_sign_key
0x9dc98 - string::copy - copy "1233" to empty
0x9e41c - multithread_init_shit
0x9e438 - dereference_6c - dereference x0+0x6c, returns 0x1 when i ran this
0x9e478 - some string manipulation, not sure TODO - x0=weird struct, x1= "1233" string, w2=0, w3=1. returns 0x1bf/0x284/others in w0 -> in practice gets *($x0+0xd4) -> this is field15.6 << 1
0x9dd0c - string::destroy - destroy "1233", inline: copy weird ts
0x9e19c - memcpy - copy a struct of size 0x38, something to do with protobuf (internal struct has 0x28aaeef9 - protobuf magic)
0x9e4c0 - MTP::Copy -> copy class stuff (vptr)
0x9dc7c - dereference_MTP -> "googleplay"
0x9dc98 - string::copy - copies string with "googleplay"
0x9dca4 - MTP release string
0x9e4d4 - decrypt4_and_system_property - returns phone model "ONEPLUS A5000"
0x9e4e8 - scary_jmp_tbl2_vmcode - returns 0x5 in w0 (field23.2>>1)
0x9e500 - scary_jmp_tbl2_vmcode0 - returns 0x0c507c00, const? (field23.4>>1)
0x9e518 - decrypt2 -> returns "none" (field20?)
0x9dc4c - new string size=0x8
0x9dc4c - new string size=0x8
0x9e538 - string::is_null
0x9e574 - new_4 
0x9dc54 - MTP::new
0x9e580 - scary_jmp_hash - x0: ptr to ptr of protobuf struct, x1: url params, x2: key - input from line 10, w3=1, x8=output ptr, returns 2 ptrs, first is to a 0xc length encrypted string, second is to 0x1
    0x9dbf8 - memset
    0x9dc0c - rev - reverses second string (0x1) from line 100 -> 0x01000000
    0x9dc20 - new_string string of length 0x4 from line 102 (0x01000000)
    0x9dc30 - new
    0x9dc4c - new string size=0x8
    0x9dc54 - MTP::new
    0x9dc60 - create_md5 - x0: ptr to url params string, w1: 0 (dont hexlify), x8: ptr to two ptrs: first is string with length 0x10 (the md5), second is 0x1
    0x9dc7c - dereference_MTP -> 0x10 length string (md5)
    0x9dc98 - string::copy
    0x9dca4 - MTP release string
    0x9dc60 - create_md5 - x0: string of length 0x10 (sometimes with 0x00's->sm3 of data?), w1: 0. this string is input to line 10 too. incase 00's, x8 points to string(lsb): 0xbff94be43613e74a 0xa51848232e75d279 and second ptr to 0x01
    0x9dc7c - dereference_MTP -> md5
    0x9dc98 - string::copy
    0x9dca4 - MTP release string
    0x9dd14 - malloc_and_memset
    0x9dcac - dereference_MTP
    0x9dd14 - malloc_and_memset
    0x9dcac - dereference_MTP  -> "31.5.3"
    0x9dc60 - create_md5 - x0: string of length 4: 0x01000000, w1: 0 -> 0xa5247651060345f1 0x855999edf8bbaf7e
    0x9dc7c - dereference_MTP -> "7288878770684577285"
    0x9dd14 - malloc_and_memset
    0x9dcac - dereference_MTP -> line 119 string
    0x9dcc8 - finalize_md5_hashes - takes the last 3 hashes, and their first 4 bytes and appends into new string
    0x9dcec - MTP release string no_mutex
    0x9dca4 - MTP release string
    0x9dca4 - MTP release string
    0x9dca4 - MTP release string
    0x9dca4 - MTP release string
    0x9dca4 - MTP release string
    0x9dd0c - string::destroy
    0x9dd0c - string::destroy
    0x9e178 - MTP::is_null
    0x9dcac - dereference_MTP -> 0xc length string
    0x9dbf8 - memset
    0x9e19c - memcpy
    0x9dc0c - rev - from line 24 (whats the point reving a random string?)
    0x9dcac - dereference_MTP -> same string in line 133
    0x9e1b8 - struct unpack - extract length from string (md5 combo hash?) and place at next to i
    0x9dc30 - new
    0x9e1c8 - std::string::init - empty string with length 0xc
    0x9dc54 - MTP::new
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> 0xc length string which is empty
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> same as line 143 with new byte
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> 0xc length string with 0x1c3b string (little endian)
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> 1c3b4e (not const!)
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> 1c3b4e08
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +2c (around 0106A04)
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +2b
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +ec
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +b3
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +e5
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +75
    0x9dcac - dereference_MTP -> same as line 133
    0x9dcac - dereference_MTP -> +26
0x9e1dc - MTP::Copy - // (probably wrong): copy MTP with string with "googleplay"
0x9dca4 - MTP release string
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9dcec - MTP release string no_mutex
0x9dca4 - MTP release string
0x9dc30 - new
0x9e1dc - MTP::Copy - copy MTP with 0xc md5 hash
0x9e5a0 - MTP::Copy with some unpacking - again 0xc md5 hash, and 0x1 stored before
0x9e5b4 - release_MTP_and_new_MTP
0x9dca4 - MTP release string
0x9e5d4 - decrypt_func1 -> "android"
0x9e1ac - string::init
0x9dc98 - string::copy
0x9dc98 - string::copy
0x9dc7c - dereference_MTP -> "1233" (somewhere before here i missed a deref with 7288878770684577285)
0x9dc98 - string::copy
0x9dc7c - dereference_MTP -> "31.5.3"
0x9dc98 - string::copy
0x9dc7c - dereference_MTP -> "wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM="
0x9dc98 - string::copy -> copy "31.5.3"
0x9dc98 - string::copy -> "android"
0x9dc98 - string::copy -> 0x20 length key 0x5c639194463269fc 0x9c7368f17157ef67
0x9e1b8 - struct unpack -> 0x1c0
0x9e1b8 - struct unpack -> 0x20
0x9e1b8 - struct unpack -> 0x13
0x9e1b8 - struct unpack -> 0x4
0x9e1b8 - struct unpack -> 0x6 
0x9e1b8 - struct unpack -> 0x7
0x9e1b8 - struct unpack -> 0x20
0x9e5f4 - not sure, seems to trigger for specific urls? - x0: url path (e.g. /ies/speed) x1: struct, *x1 = url params without path
0x9e610 - cmp_MTP_and_ptr
0x9e19c - memcpy -> copy 0x180 length of protobuf struct (1st member is ptr to 0x28AAEEF9)
0x9dbf8 - memset
0x9e19c - memcpy -> copy 0xd of some hash
0x9e19c - memcpy -> copy 0x9 of some hash
0x9e670 - cmp_MTP_and_ptr
0x9e698 - dereference_MTP -> 0x4 (field25??)
0x9e6b4 - MTP::is_null
0x9e6dc - get 0x28AAEEF9 (protobuf magic)
0x9e698 - dereference_MTP -> ptr to struct, with 2nd member holding 0xc length key
0x9e698 - dereference_MTP -> same
0x9dcac - dereference_MTP -> line 165 +d8
0x9e1b8 - struct unpack -> store 0xc (key length)
0x9e698 - dereference_MTP -> same as line 206/207
0x9dcac - dereference_MTP -> line 208
0x9e610 - cmp_MTP_and_ptr
0x9e778 - create_global_struct_with_fastVM
0x9e790 - dereference_MTP -> dereference some struct (of type 0x159658, global struct?)
0x9e7ac - deref_x0_0x50 -> places 0 (const?)
0x9e7c8 - hummus_loop - x0: protobuf struct, returns x0: 0x184
0x9e1c8 - std::string::init - x0: ptr where string will be init, w1: length of string (line 216), w2: initial char (0)
0x9e7e4 - super_loop (has another one nested) - x0: protobuf struct, x1: ptr to 0x00's; returns 0x184/0x181 (create protobuf)
0x9e290 - rand
0x9e31c - MTP::Copy_mutex
0x9e328 - dereference_MTP -> ptr to some class
0x9e804 - decrypt_func4 -> "sign_key"
0x9e1ac - string::init -> returns empty string
0x9e824 - NEW_JMP_TBL! -> RUNS A VM, x1: "sign_key"; calls inside: 0xb6d70,0xb6d7c,0xbdc4c,0xbdc7c,0xbdc98,0xbdcac,0xbdcb8(not sure)... 0xb6e10 -> produces wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM= (this is base64 key)
0x9dc7c - dereference_MTP -> dereference to get string like: "7288878770684577285" (used in protobuf) - got here wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM
0x9e840 - base64_decode - x0: const hash string "wC8lD4bMTxmNVwY5jSkqi3QWmrphr/58ugLko7UZgWM="; returns 0x20 length string with key: c02f250f86cc4f198d5706398d292a8b74169aba61affe7cba02e4a3b5198163
0x9dc7c - dereference_MTP - gets string from line 226
0x9dc98 - string::copy - copies string from line 227
0x9dca4 - MTP release string
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9e358 - MTP delete
0x9dc20 - new_string
0x9dc60 - create_md5 - x0: ptr to encrypted string of length 0x10, w1: 0 -> create md5 from c02f250f86cc4f198d5706398d (half of string 227) -> 0xdb069b950d975282 0xafc10e5cd8172e10
0x9dc7c - dereference_MTP - gets string 234
0x9dc98 - string::copy
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9dc20 - new_string
0x9dc60 - create_md5 - x0: ptr to second half of the encrypted string -> 0x7d9f417aa37e204d 0x9435f5a2c6812f62
0x9dc7c - dereference_MTP -> 0x1b length string (md5?)
0x9dc7c - dereference_MTP -> long base64 string (0x244)
0x9dc98 - string::copy
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9e854 - string::new
0x9e558 - string::append2 - adds 0x34e20241 (random?) to string 226 (<226><rand>), length 0x24 now
0x9e558 - string::append2 - adds string 226 to string 247 (<226><rand><226), length 0x44 now
0x9df50 - scaryjmptbl1 - x0: string 248 -> 0x20 length hash
    0x9e1b8 - struct unpack
    0x9e1e8 - sm3_encrypt - x0: ptr to encrypted string, x1: length (0x44), x2: ptr to output (0x20 length).
0x9dc20 - new_string
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9e1b8 - struct unpack - 0x33, not sure where from
0x9e8a0 - argus_vm2 - input: const key, returns 0x737616ec (const)
0x9dc4c - new string size=0x8
0x9e41c - multithread_init_shit
0x9e41c - multithread_init_shit
0x9e19c - memcpy
0x9dc4c - new string size=0x8
0x9e8e8 - mainEncrypt - SOLVED: input: x2=0x20 len string key, x1=empty 0x8 capacity string, x0=0x181 len string with protobuf struct in it. sets a string of len 0x190 in x1.
0x9e558 - string::append2 - append string:263 and TODO (0x100/0x200/0x300) -> assigns to x0
0x9e22c - string::assign - assign string:264 
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9e8a0 - argus_vm2 - input: 2 first bytes from line 219 (self.rdm), returns EOR key
0x9e1b8 - struct unpack - gets length for string for next func
0x9e1c8 - std::string::init - initializes string with zeros with length 0x198; this strings is filled in the jmp table, 0x9fbb4->0x9f338
0x9e1b8 - struct unpack - gets length for string for next func, after this, INLINE editing of string:264 into string:270 (09FBB0) + inline creation of string in line 275 0x18049001 (0xa00b4). this is argus header sign
0x9e41c - multithread_init_shit - some rwlock shit - inline prepare 0x18049001
0x9e290 - rand - returns rand of length 0x4
0x9dc20 - new_string - create string of 0x1 length (from where?) = 0xec (1st bye from first argus_vm2?)
0x9dc20 - new_string - 0x8 length int (from where?) - lsb: first 4 bytes are rand:273, last 4 bytes=0x18049001/0x18003301 (where is this from, nonce??) 
0x9e558 - string::append2 - append those two strings from before -> string of len 0x9
0x9e558 - string::append2 - append string of len 0x9 (first) with string from line 270 (which isnt empty now)
0x9e8f8 - string::new - create string of 0x2 length (from 2nd rand)
0x9e558 - string::append2 - append string:277 with string:278
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9e05c - aes_encrypt -> create X-Argus value from string:279 and keys/iv (x1/x2). x2: md5 from line 240, x1: md5 from line 234
0x9dc7c - dereference_MTP -> "1233"
0x9dc98 - string::copy - appends short 0x2 length key to the base of the XArgus value
0x9dca4 - MTP release string
0x9e8f8 - string::new
0x9e558 - string::append2
0x9e944 - base64 encode -> b64 encode X-Argus value?? seems to encode 0x24 length string
0x9dc7c - dereference_MTP -> "96534c2f045dbb80b5b56d7e92223ba4" (changes?)
0x9dc98 - string::copy
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e19c - memcpy
0x9e5d4 - decrypt_func1 -> returns %s
0x9e958 - eor_thingy -> returns %s
0x9e978 - sprintf2
0x9e998 - decrypt_func3 -> returns %s
0x9e9b8 - sprintf (finalizes X-Argus value, not sure what really does)
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9e9d8 - MTP delete
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dca4 - MTP release string
0x9e9e0 - MTP delete2
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dca4 - MTP release string
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9dca4 - MTP release string
0x9dca4 - MTP release string
0x9dca4 - MTP release string
0x9dd0c - string::destroy
0x9dd0c - string::destroy
0x9dd0c - string::destroy


0x9dc60 - create_md5 - not sure where, but this is called with length x0 and w1=1

268->273(write rand)->274