/tag/Lost

0x0 样本： play.google.com Lost Sword - Google Play 上的应用 波涛胸涌&华丽冒险传说！好胸的冒... Free 正主： largosoft.co.kr 라르고소프트|LARGOSOFT 라르고소프트는 게임 보안 솔루션 개발에 특화된 기업으로, 게임 환경에서 발생하는 다양한 보안 위협을 효과적으로 방어하는 기술을 제공합니다. 非常非常简单的反作弊，很适合新手入门，完全没任何难度 0x1 整体流程 base.apk 里面的 Dalvik字节码 拉起 libATG_D.so libATG_D.so 解密 e8Hk2vi4CH 为正常的 Dalvik字节码，然后注入进去，后续执行的是注入进去的 Dalvik字节码 解密后的 e8Hk2vi4CH Dalvik字节码 拉起正常的Unity进程，同时拉起 libATG_L.so libATG_L.so 根据架构解密拉起 ATG_E 来进行环境检测，日志上报等等 0x2 libATG_D.so com/bishopsoft/Presto/SDK/Loader.java 载入 libATG_D.so public class Loader extends Application // class@00018b from classes.dex { private String mAppName; private Application mDelegate; private boolean mIsBindReal; private static ByteBuffer[] Buffers; private static Context mContext; static { System.loadLibrary("ATG_D"); } System.loadLibrary 会调用 libATG_D.so 的 JNI_OnLoad ，随后调用 JNI_OnLoad.54 JNI_OnLoad.54 开头有些垃圾代码狙击IDA的反编译 缓存运行环境信息 找到 Java 类 注册两个 native 方法 Loader.InitBuffer signature: (Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Landroid/content/res/AssetManager;)Ljava/lang/Object; native: 0x79004 -> real body 0x75660 Loader.native_InitLib signature: (Landroid/content/Context;Landroid/content/res/AssetManager;Z)I native: 0x77594 -> real body 0x740f8 JNI_OnLoad 返回到 Java，调用 InitBuffer 解密 Dalvik字节码 public native Object InitBuffer(Context p0,String p1,String p2,AssetManager p3); public void attachBaseContext(Context paramContext){ try{ super.attachBaseContext(paramContext); AssetManager assets = paramContext.getAssets(); this.native_InitLib(paramContext, assets, false); Loader.Buffers = this.InitBuffer(paramContext, paramContext.getApplicationInfo().dataDir, paramContext.getApplicationInfo().nativeLibraryDir, assets); if (Loader.Buffers != null) { this.loadDex(paramContext); } }catch(java.lang.NoSuchFieldException e1){ e1.printStackTrace(); }catch(java.lang.IllegalAccessException e1){ e1.printStackTrace(); }catch(java.lang.NoSuchMethodException e1){ e1.printStackTrace(); }catch(java.lang.reflect.InvocationTargetException e1){ e1.printStackTrace(); } return; } 开头依旧狙击IDA反编译 取 e8Hk2vi4CH 的路径 派生密钥 用派生出来的密钥跑AES解密 e8Hk2vi4CH 扫描 embedded Dalvik字节码 生成 + 返回 解密后的buffer 0x3 libATG_L.so java/stage2/code/com/bishopsoft/Presto/SDK/Presto.java 载入 libATG_L.so public class Presto extends Application // class@0000ff from classes2.dex { private static String EGdataPath; public static String SDK_version = "2025091801"; static CallBackReLogin callback; private static int checked_emul = 0; private static Context mContext; public static String packageList = ""; private static Presto presto; public static String rootPath = ""; private static String sData = ""; static boolean scanning = true; static { Presto.presto = new Presto(); System.loadLibrary("ATG_L"); } 开头依旧狙击IDA反编译 依旧注册函数查询CPU架构 fork/ptrace 保护+反调试 JNI_OnLoad 返回到 Java 开始 init，最终调用 WorkThread public void Presto_Init(Context context){ Presto.mContext = context; Presto.scanning = true; if (Presto.EGdataPath == null) { Presto.EGdataPath = Utils.getCPUABI(Presto.mContext); } Presto.rootPath = Utils.execByRuntime("pm path "+Presto.mContext.getPackageName()); if (Presto.rootPath != null && !Presto.rootPath.isEmpty()) { Presto.rootPath = Presto.rootPath.replace("package:", ""); } Presto.packageList = Utils.execByRuntime("pm list package"); if (Presto.packageList != null && !Presto.packageList.isEmpty()) { Presto.packageList = Presto.packageList.replaceAll("\npackage:", ","); } Log.i("Presto", "SDK_Ver = "+Presto.SDK_version); Integer[] integerArray = new Integer[0]; new ThreadScan(Presto.mContext, 0).execute(integerArray); return; } public class ThreadScan extends AsyncTask // class@000102 from classes2.dex { private Context mContext; private int option; private String result; public static String ResultScan = ""; static { } public void ThreadScan(Context context,int _option){ super(); this.mContext = context; this.option = _option; } protected Object doInBackground(Object[] p0){ return this.doInBackground(p0); } protected String doInBackground(Integer[] arg0){ int recovery = 1; this.result = Presto.WorkThread(this.mContext, recovery); return this.result; } } 根据CPU架构选择模块 CpuFamily = android_getCpuFamily(); if ( CpuFamily == ANDROID_CPU_FAMILY_X86_64 ) { strcpy(&filename[strlen(filename)], "/ATG_E_x86_64.sec"); } else { if ( CpuFamily == ANDROID_CPU_FAMILY_ARM64 ) { v25 = strlen(filename); v26 = "/ATG_E_x64.sec"; } else { if ( CpuFamily != ANDROID_CPU_FAMILY_X86 ) { strcpy(&filename[strlen(filename)], "/ATG_E.sec"); goto LABEL_64; } v25 = strlen(filename); v26 = "/ATG_E_x86.sec"; } v27 = &filename[v25]; v28 = *v26; v29 = *(v26 + 7); *v27 = v28; *(v27 + 7) = v29; } 解出临时 ._ATG_B.sec strcpy(file, g_dataPath); qmemcpy(v206, "FF8F2A6CDD9B3DB72CD301FB87035E34", sizeof(v206)); strcpy(szHex, "2CD301FB87035E34FF8F2A6CDD9B3DB7"); v30 = strlen(szHex); v31 = v30; if ( v30 >= 1 && (v30 & 0xF) == 0 && v30 >= 2 ) { v32 = v30 >> 1; v33 = operator new(v32); memset(v33, 0, v31 >> 1); v34 = 0; v35 = szHex; v36 = v33; while ( Hex2Char(v35, &s) ) { v37 = 0xFFFFFFFE - v34 - (~v34 | 0xFFFFFFFE); v35 += 2; v34 = (v37 ^ (v34 + 1)) + (v34 | 1) + 2 * (v37 & (v34 + 1)); *v36++ = s.erk[0]; if ( v34 >= v32 ) { v38 = operator new(v31 >> 1); memset(v38, 0, v31 >> 1); *name = WzrBpTHKGekFnEGBsJVCCbpW(char *,int)::iv_key; aes_set_key(&s, "e38d99fb4434d3d485794c6b34cd5d1fB3B4801D0A7AC103B2BC08C10BC017E6", 0x100); v39 = 0; do { v40 = &v33[v39]; aes_decrypt(&s, v40, &v38[v39]); v41 = 0; do { v42 = name[v41]; v43 = ((v41 + v39) ^ -(v41 | v39)) + (v41 | v39) + 2 * ((v41 + v39) & -(v41 | v39)); v44 = v38[v43]; v45 = v44 | v42; v46 = -(((v44 + v42) ^ -v45) + 2 * ((v44 + v42) & -v45)); v47 = 0xFFFFFFFE - v41 - (~v41 | 0xFFFFFFFE); v41 = (v47 ^ (v41 + 1)) + (v41 | 1) + 2 * (v47 & (v41 + 1)); v38[v43] = (v46 ^ v45) + 2 * (v46 & v45); } while ( v41 < 0x10 ); v39 = (v39 | 0x10) + ~v39 + (v39 | 1) + (v39 & 1) + ((0xFFFFFFEF - v39 - (~v39 | 0xFFFFFFEF)) ^ (v39 + 0x10)) + 2 * ((0xFFFFFFEF - v39 - (~v39 | 0xFFFFFFEF)) & (v39 + 0x10)); *name = *v40; } while ( v39 < v32 ); memset(&szHex[v32], 0, v31 - v32); memcpy(szHex, v38, v31 >> 1); memset(v33, 0, v31 >> 1); operator delete(v38); break; } } operator delete(v33); } strcat(file, szHex); v48 = fopen(filename, "rb"); v49 = fopen(file, "wb"); if ( v48 ) { v50 = v49; fseek(v48, 0xFFFFFFFFFFFFFFFCLL, 2); v51 = ftell(v48); fread(&ptr, 1u, 8u, v48); v52 = ptr; v53 = v51 - v52 + ((v52 - 1) | ~v51); v54 = ((v53 + 1) ^ (v52 - v51 + (v51 | -v52))) + 2 * (((v53 + 1) & (v52 - v51 + (v51 | -v52))) + (v53 ^ ~(v51 - ptr)) + 2 * ((v51 - ptr) & ~v53)); v55 = calloc(v54, 1u); v56 = calloc(v51, 1u); if ( v55 ) { v57 = v56; if ( v56 ) { fseek(v48, 0, 0); fread(v57, 1u, v51, v48); fseek(v48, v52, 0); fread(v55, 1u, v54, v48); fclose(v48); if ( v54 >= 1 ) { v58 = 0; for ( i = 0; i < v54; v58 = i ) { v60 = v55[v58]; v61 = v57[v58]; v62 = v61 | v60; v63 = -(((v61 + v60) ^ -v62) + 2 * ((v61 + v60) & -v62)); v64 = 0xFFFFFFFE - i - (~i | 0xFFFFFFFE); i = (v64 ^ (i + 1)) + (i | 1) + 2 * (v64 & (i + 1)); v55[v58] = (v63 ^ v62) + 2 * (v63 & v62); } } fwrite(v55, 1u, v54, v50); fclose(v50); free(v55); free(v57); } } } 完整性检查 v277 = 0; v276 = 0u; v275 = 0u; v274 = 0u; v273 = 0u; v272 = 0u; v271 = 0u; v270 = 0u; v269 = 0u; v268 = 0u; v267 = 0u; v266 = 0u; v265 = 0u; v264 = 0u; v263 = 0u; *v262 = 0u; *filename = 0u; memcpy(name, "B3B4801D0A7AC103B2BC08C10BC017E6", 0x104u); strcpy(file, g_dataPath); szHex[0x20] = 0; memset(v243, 0, sizeof(v243)); v242 = 0u; v241 = 0u; v240 = 0u; v239 = 0u; v238 = 0u; v237 = 0u; v236 = 0u; v235 = 0u; v234 = 0u; v233 = 0u; v232 = 0u; v231 = 0u; v230 = 0u; *szHex = v206[1]; *&szHex[0x10] = v206[0]; v65 = strlen(szHex); v66 = v65; v67 = v209; if ( v65 >= 1 && (v65 & 0xF) == 0 && v65 >= 2 ) { v68 = v65 >> 1; v69 = operator new(v68); memset(v69, 0, v66 >> 1); v70 = 0; v71 = szHex; v72 = v69; while ( Hex2Char(v71, &s) ) { v73 = 0xFFFFFFFE - v70 - (~v70 | 0xFFFFFFFE); v71 += 2; v70 = (v73 ^ (v70 + 1)) + (v70 | 1) + 2 * (v73 & (v70 + 1)); *v72++ = s.erk[0]; if ( v70 >= v68 ) { v74 = operator new(v66 >> 1); memset(v74, 0, v66 >> 1); ptr = WzrBpTHKGekFnEGBsJVCCbpW(char *,int)::iv_key; aes_set_key(&s, "e38d99fb4434d3d485794c6b34cd5d1fB3B4801D0A7AC103B2BC08C10BC017E6", 0x100); v75 = 0; do { v76 = &v69[v75]; aes_decrypt(&s, v76, &v74[v75]); v77 = 0; do { v78 = *(&ptr + v77); v79 = ((v77 + v75) ^ -(v77 | v75)) + (v77 | v75) + 2 * ((v77 + v75) & -(v77 | v75)); v80 = v74[v79]; v81 = v80 | v78; v82 = -(((v80 + v78) ^ -v81) + 2 * ((v80 + v78) & -v81)); v83 = 0xFFFFFFFE - v77 - (~v77 | 0xFFFFFFFE); v77 = (v83 ^ (v77 + 1)) + (v77 | 1) + 2 * (v83 & (v77 + 1)); v74[v79] = (v82 ^ v81) + 2 * (v82 & v81); } while ( v77 < 0x10 ); v75 = (v75 | 0x10) + ~v75 + (v75 | 1) + (v75 & 1) + ((0xFFFFFFEF - v75 - (~v75 | 0xFFFFFFEF)) ^ (v75 + 0x10)) + 2 * ((0xFFFFFFEF - v75 - (~v75 | 0xFFFFFFEF)) & (v75 + 0x10)); ptr = *v76; } while ( v75 < v68 ); memset(&szHex[v68], 0, v66 - v68); memcpy(szHex, v74, v66 >> 1); memset(v69, 0, v66 >> 1); operator delete(v74); break; } } operator delete(v69); } strcat(file, szHex); v84 = dlopen(file, 1); v85 = obja; if ( v84 ) { v86 = v84; v87 = strlen(name); v88 = v87; if ( v87 >= 1 && (v87 & 0xF) == 0 && v87 >= 2 ) { v89 = v87 >> 1; v90 = operator new(v89); memset(v90, 0, v88 >> 1); v91 = 0; v92 = name; v93 = v90; while ( Hex2Char(v92, &s) ) { v94 = 0xFFFFFFFE - v91 - (~v91 | 0xFFFFFFFE); v92 += 2; v91 = (v94 ^ (v91 + 1)) + (v91 | 1) + 2 * (v94 & (v91 + 1)); *v93++ = s.erk[0]; if ( v91 >= v89 ) { v95 = operator new(v88 >> 1); memset(v95, 0, v88 >> 1); ptr = WzrBpTHKGekFnEGBsJVCCbpW(char *,int)::iv_key; aes_set_key(&s, "e38d99fb4434d3d485794c6b34cd5d1fB3B4801D0A7AC103B2BC08C10BC017E6", 0x100); v96 = 0; do { v97 = &v90[v96]; aes_decrypt(&s, v97, &v95[v96]); v98 = 0; do { v99 = *(&ptr + v98); v100 = ((v98 + v96) ^ -(v98 | v96)) + (v98 | v96) + 2 * ((v98 + v96) & -(v98 | v96)); v101 = v95[v100]; v102 = v101 | v99; v103 = -(((v101 + v99) ^ -v102) + 2 * ((v101 + v99) & -v102)); v104 = 0xFFFFFFFE - v98 - (~v98 | 0xFFFFFFFE); v98 = (v104 ^ (v98 + 1)) + (v98 | 1) + 2 * (v104 & (v98 + 1)); v95[v100] = (v103 ^ v102) + 2 * (v103 & v102); } while ( v98 < 0x10 ); v96 = (v96 | 0x10) + ~v96 + (v96 | 1) + (v96 & 1) + ((0xFFFFFFEF - v96 - (~v96 | 0xFFFFFFEF)) ^ (v96 + 0x10)) + 2 * ((0xFFFFFFEF - v96 - (~v96 | 0xFFFFFFEF)) & (v96 + 0x10)); ptr = *v97; } while ( v96 < v89 ); memset(&name[v89], 0, v88 - v89); memcpy(name, v95, v88 >> 1); memset(v90, 0, v88 >> 1); operator delete(v95); v67 = v209; break; } } operator delete(v90); v85 = obja; } 启动模块 LABEL_249: g_result[0] = 0; memset(&s, 0, 0x104); if ( p_result ) { free(p_result); p_result = nullptr; } strcpy(&s, g_dataPath); *(s.erk + strlen(&s)) = 0x2F; if ( family == ANDROID_CPU_FAMILY_X86_64 ) { strcpy(&s + strlen(&s), "ATG_E_x86_64.sec"); } else { if ( family == ANDROID_CPU_FAMILY_ARM64 ) { v152 = strlen(&s); v153 = "ATG_E_x64.sec"; } else { if ( family != ANDROID_CPU_FAMILY_X86 ) { strcpy(&s + strlen(&s), "ATG_E.sec"); goto LABEL_259; } v152 = strlen(&s); v153 = "ATG_E_x86.sec"; } v154 = (s.erk + v152); v155 = *v153; v156 = *(v153 + 6); *v154 = v155; *(v154 + 6) = v156; } LABEL_259: if ( g_Ehandle || (g_Ehandle = dlopen(&s, 1)) != nullptr ) { unlink(&s); if ( g_isScanning ) return v67->functions->NewStringUTF(v67, g_result); v157 = dlsym(g_Ehandle, "WorkThread"); if ( v157 ) { g_isScanning = 1; m_infect_cnt = v157(v67, v85, m_option); if ( (m_infect_cnt & 0x80000000) == 0 ) return v67->functions->NewStringUTF(v67, g_result); memset(&s, 0, 0x104); v158 = operator new(0xF0u); v262[0] = v158; 虚拟机检测（非常全的特征，可以抄过来用 ） Build.BRAND == “generic” Build.BRAND == “sdk” Build.BRAND == “Microvirt” Build.BRAND == “AMIDuOS” Build.BRAND == “TTVM” Build.MODEL == “AMIDuOS” Build.MODEL == “Memu” Build.MODEL == “TiantianVM” Build.MODEL == “Droid4X” Build.MODEL == “vmos” Build.HARDWARE == “andy” Build.HARDWARE == “vbox86” Build.HARDWARE == “nox” Build.HARDWARE == “windroye” Build.HARDWARE == “goldfish” Build.HARDWARE == “ttVM_x86” Build.HARDWARE == “android_x86” Build.HARDWARE == “android_x86_64” Build.BOOTLOADER == “nox” 文件存在 /system/bin/droid4x 文件存在 /system/bin/droid4x-prop 文件存在 /system/bin/androVM-prop 文件存在 /system/bin/androVM-vbox-sf 文件存在 /fstab.intel 文件存在 /fstab.vbox86 文件存在 /fstab.vbox64 文件存在 /fstab.android_x86 文件存在 /fstab.android_x86_64 文件存在 /system/app/EmuCoreService/EmuCoreService.apk 文件存在 /system/app/EmuInputService/EmuInputService.apk 文件存在 /system/app/gpLogin/gpLogin.apk 文件存在 /system/app/gpLogin/gpLogin_new.apk 文件存在 /system/app/Helper/helper.apk 文件存在 /system/app/Helper/NoxHelp_en.apk 文件存在 /system/app/Helper/NoxHelp_en_new.apk 文件存在 /bin/nox-vbox-sf 文件存在 /bin/noxd 文件存在 /data/app/com.android.ld.appstore-1/base.apk 文件存在 /data/app/com.android.ld.appstore-2/base.apk 文件存在 /system/app/Launcher3/Launcher3.apk 文件存在 /system/priv-app/LDAppStore/LDAppStore.apk 文件存在 /data/user_de/0/com.android.flysilkworm 文件存在 /data/misc/profiles/ref/com.android.flysilkworm 目录可打开 /mnt/windows/BstSharedFolder 文件存在 system/app/IME/IME.apk 上一条 APK 的包名等于 com.microvirt.memuime 文件存在 /system/app/MuMuAudio/MuMuAudio.apk 文件存在 /system/app/com.mumu.store/com.mumu.store.apk 文件存在 /system/priv-app/MuMuAudio/MuMuAudio.apk 文件存在 /system/priv-app/com.mumu.store_overseas/com.mumu.store_overseas.apk 文件存在 /system/app/KiwiIntentSink/KiwiIntentSink.apk 0x3 libATG_E.so WorkThread 入口塞了一坨特征码 然后启动了两个线程 iCEcaaLIRKlGfNDwLLDLVlwO 还是做虚拟机检测，增加了下面的特征： com.gspace.android com.excean.gspace com.excean.splay com.excean.parallelspace io.va.exposed parallel.space com.ludashi.dualspace com.ludashi.superboost com.app.hider.master.dual.app com.app.hider.master.pro com.hidespps.apphider com.app.calculator.vault.hider com.excelliance.multiaccount multi.parallel.dualspace.cloner do.multiple.cloner com.lulu.luluboxpro com.cloneapp.parallelspace.dualspace com.pan.parallelspace com.dualspace.multispace.android com.pengyou.cloneapp 做crc32校验 初始化 libData.so ，解出来是作弊工具的名称 AlphaGameBooster CheatEngine Freedom Freedom Freedom Freedom Freedom Freedom Freedom Freedom Freedom GameCheater GameCheater GameCIH GameGuardian GameGuardian GameGuardian GameGuardian GameGuardian GameGuardian GameHackerSpeed GameHackerSpeed GameHacker GameHacker GameHacker GameHacker GameHacker GameHacker GameHacker GameKiller GameKiller GameKiller GameKiller GameKiller GameKiller GameMaster2 GameMaster2 GameMaster GameMaster_opda GameMaster_opda GameMaster_opda GameMaster_opda GGAssistant HoistMan HoistMan HoistMan HoistMan Huang Huang Huang Huang igamecool igamecool LuckyPatcher MemSpector MemSpector MuzhiwanGamehelper MuzhiwanGamehelper PacketSniffer PacketSniffer RootCloakPlus RootCloakPlus RootCloak RootCloak RootCloak RootCloak SlashGameBuster SlashGameBuster SlashGameBuster TcgameGamecheater Touch18 Touch18 WoodPecker Xiaojianjian Xiaojianjian xxAssistant xxAssistant xxAssistant xxAssistant Youxia Youxia Zhangkongapp Zhangkongapp Zhangkongapp Zhangkongapp SHBUoTIkyKmlbYGMbbWeIYeB 只负责轮询配置 0x4 global-metadata.dat 读进内存变换一下文件头，做一下xor完事 0xF 反作弊力度和LIAPP坐一桌，CrackProof比这玩意稍强 libunity.so 和 libil2cpp.so 不加壳，没有云下发，甚至安全模块包含完整的DWARF 2 个帖子 - 2 位参与者 阅读完整话题

The Lost Treasure 遗失的宝藏 是一款点击式探险智力游戏，踏上更漫长的探秘之旅，继续遗失海盗船的探险，寻找海盗丢失的宝藏。 探索海盗的洞穴、古庙和古时树栖居民的建筑物。发现一路上遇到的暗道、线索和谜题！ 正版链接 https://play.google.com/store/apps/details?id=com.lonewolfgames.losttreasure 觉得不错来个互动哇 1 个帖子 - 1 位参与者 阅读完整话题

IT之家 5 月 14 日消息，由独立团队打造的科幻生存恐怖游戏 Lost in the Hole 目前已在 Epic 游戏商城开启限时免费领取活动， 本作在国区定价为 47 元 ，玩家可以在北京时间 5 月 17 日上午 7 点前领取。 需要注意的是，本次限免并非 Epic 官方活动，而是由开发团队自行发起的特别促销，IT之家附游戏商品页（ https://store.epicgames.com/p/lost-in-the-hole-3e0586 ）。 据介绍，《Lost in the Hole》的故事背景设定在 1970 年代的美国华盛顿一处废弃地下研究设施中。由于某项生物实验失控，研究所内的工作人员全部发生变异，成为恐怖怪物。玩家将扮演被困在设施中的幸存者，深入这座早已废弃、却仿佛仍“活着”的地下研究基地，寻找神秘实验样本，并设法逃离这场灾难。 游戏整体采用偏压抑、阴暗的科幻恐怖风格，强调探索与生存体验。玩家需要在遍布变异生物的地下走廊中求生，同时应对各种致命陷阱与突发危机。 游戏图赏：

TechCrunch – 8 May 26 San Francisco's housing market has lost its mind | TechCrunch The invisible force behind all of this is no mystery to anyone paying attention to the city's tech economy. San Francisco is home to some of the most valuable private companies in the world, and their employees have been quietly accumulating — and,... Est. reading time: 3 minutes 旧金山的房地产市场向来高不可攀。但目前该市高端市场创纪录的销售业绩，正在挑战这座以高房价著称的城市此前认为的房价上限。 想象一下位于旧金山最令人向往的街区之一------牛谷（Cow Hollow）的一栋六卧五卫、面积达5700平方英尺（约530平方米）的豪宅。两周前，它的挂牌价为795万美元，价格不菲。而最终，它以1500万美元的价格成交。卖家在2020年夏天以780万美元的价格购入这处房产，当时正值疫情肆虐，居民纷纷离开城市。不到六年时间，他们的投资几乎翻了一番。 数据印证了坊间传闻。Redfin 的最新数据显示，旧金山豪宅销量在 3 月份同比增长 22%，房屋成交周期中位数仅为 12 天，低于去年同期的 28 天。近三分之二的豪宅在两周内就完成了交易。相比之下，非豪宅销量增幅不到 4%，价格基本持平。高端市场仿佛置身于一个完全不同的世界。 这一切背后的无形力量对于任何关注旧金山科技经济的人来说都不是什么秘密。旧金山拥有一些世界上最有价值的私营公司，而这些公司的员工一直在悄悄地积累财富------而且越来越多地将财富变现。 OpenAI 和 Anthropic 是有史以来最有价值的两家人工智能公司，近年来，它们允许员工在二级市场出售部分股份，这使得大量资金流入那些在很多情况下已经居住在本地并希望改善住房条件的人手中。这笔流动性直接流入了房地产市场，市场也做出了相应的反应。 真正令人震惊的部分或许还在后头。SpaceX、OpenAI、Anthropic 以及其他众多科技巨头尚未上市。一旦它们上市------普遍认为其中一些公司很快就会上市------释放出的财富可能会让当下的局面相形见绌。数千名持有价值数千亿美元公司股权的员工，其资产几乎一夜之间将变得更加灵活。 2 个帖子 - 2 位参与者 阅读完整话题