基于Xposed Hook实现的Android App的协议算法分析小工具-CryptoFucker
Posted Fly20141201
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了基于Xposed Hook实现的Android App的协议算法分析小工具-CryptoFucker相关的知识,希望对你有一定的参考价值。
本文博客地址:https://blog.csdn.net/QQ1084283172/article/details/80962121
在进行android应用的网络协议分析的时候,不可避免涉及到网络传输数据的加密算法的分析,这里分享一下作者无名侠写的一个小工具 CryptoFucker,看雪论坛的原帖子《[推荐]【Tools】CryptoFucker》.
CryptoFucker工具的github地址:https://github.com/Chenyuxin/CryptoFucker
CryptoFucker工具的使用说明:
Xposed Hook的结果日志存放路径为 /sdcard/ydsec/packgeName.txt,日志文件的格式如下图所示:
关键代码 TestHook.java 的注释和学习:
package com.example.a14473.xp;
import android.os.Bundle;
import android.support.annotation.NonNull;
import android.util.Log;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.lang.reflect.Array;
import java.util.HashMap;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.spec.KeySpec;
import java.util.Map.Entry;
import java.util.HashMap;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
import static de.robv.android.xposed.XposedHelpers.findAndHookConstructor;
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import com.example.a14473.xp.HexDumper;
/**
* Created by 14473 on 2017/7/2.
*/
public class TestHook implements IXposedHookLoadPackage
@Override
public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable
// 打印当前Android应用的进程的名字和包名
String logstr = " W:" + loadPackageParam.processName + "-"+loadPackageParam.packageName;
XposedBridge.log(logstr);
// 这里其实可以增加一下指定名称的Android应用程序的包名的过滤
try
// 先调用函数XposedHelpers.findClass进行类的加载处理
// java Hook处理类javax.crypto.spec.DESKeySpec的所有构造函数
XposedBridge.hookAllConstructors(XposedHelpers.findClass("javax.crypto.spec.DESKeySpec", loadPackageParam.classLoader),
new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
super.beforeHookedMethod(param);
String keystr;
// 申请内存空间存放数据
byte[] keybyte = new byte[8];
int offset = 0;
// 如果有两个参数的构造函数,第二个参数是偏移
// param.args.length获取函数的传入参数的个数
if(param.args.length != 1)
offset = (int)param.args[1];
// 拷贝数据到申请的内存空间中
System.arraycopy((byte[])param.args[0], offset, keybyte, 0, 8);
// log日志文件中前置tag
keystr = "DES KEY";
// 打印数据到指定的log日志文件中
Util.MyLog(loadPackageParam.packageName, keystr, keybyte);
);
// java Hook处理类"javax.crypto.spec.DESedeKeySpec"的所有构造函数
XposedBridge.hookAllConstructors(XposedHelpers.findClass("javax.crypto.spec.DESedeKeySpec", loadPackageParam.classLoader),
new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
super.beforeHookedMethod(param);
String keystr;
// 申请内存空间存放数据
byte[] keybyte = new byte[24];
int offset = 0;
// 如果有两个参数的构造函数,第二个参数是偏移
if(param.args.length != 1)
offset = (int)param.args[1];
// 拷贝数据到申请的内存空间中
System.arraycopy((byte[])param.args[0], offset, keybyte, 0, 24);
// log日志文件中前置tag
keystr = "3DES KEY";
// 打印数据到指定的log日志文件中
Util.MyLog(loadPackageParam.packageName,keystr,keybyte);
);
// java Hook处理类"javax.crypto.spec.SecretKeySpec"的所有构造函数
XposedBridge.hookAllConstructors(XposedHelpers.findClass("javax.crypto.spec.SecretKeySpec", loadPackageParam.classLoader),
new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
super.beforeHookedMethod(param);
int offset = 0;
int size = 0;
String Algorithm;
if(param.args.length != 2)
offset = (int)param.args[1];
size = (int)param.args[2];
Algorithm = (String)param.args[3];
else
Algorithm = (String) param.args[1];
size = ((byte[])param.args[0]).length;
byte[] data = new byte[size];
System.arraycopy((byte[])param.args[0], offset, data, 0, size);
String str ;
// log日志文件中前置tag
str = Algorithm + " Key";
Util.MyLog(loadPackageParam.packageName,str,data);
);
// IV 向量
// java Hook处理类"javax.crypto.spec.IvParameterSpec"的所有构造函数
XposedBridge.hookAllConstructors(XposedHelpers.findClass("javax.crypto.spec.IvParameterSpec", loadPackageParam.classLoader),
new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
super.beforeHookedMethod(param);
String keystr;
byte[] IVByte;
byte[] tmp;
int offset = 0;
int size;
tmp = (byte[])param.args[0];
size = tmp.length;
// 如果有两个参数的构造函数,第二个参数是偏移
if(param.args.length != 1)
offset = (int)param.args[1];
size = (int)param.args[2];
IVByte = new byte[size];
System.arraycopy(tmp, offset, IVByte, 0, size);
// log日志文件中前置tag
keystr = "Iv";
Util.MyLog(loadPackageParam.packageName,keystr,IVByte);
);
// java Hook处理类"javax.crypto.Cipher"中所有名称为"doFinal"的类方法
XposedBridge.hookAllMethods(XposedHelpers.findClass("javax.crypto.Cipher", loadPackageParam.classLoader),
"doFinal", new XC_MethodHook()
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable
super.afterHookedMethod(param);
Cipher cip = (Cipher)param.thisObject;
if(param.args.length >= 1)
// log日志文件中前置tag
String str = cip.getAlgorithm() + " Data:";
Util.MyLog(loadPackageParam.packageName,str,(byte[])param.args[0]);
// log日志文件中前置tag
str = cip.getAlgorithm() + " result:";
Util.MyLog(loadPackageParam.packageName, str, (byte[])param.getResult());
);
// java Hook处理类"java.security.MessageDigest"中所有名称为"update"的类方法
XposedBridge.hookAllMethods(XposedHelpers.findClass("java.security.MessageDigest", loadPackageParam.classLoader), "update",
new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
super.beforeHookedMethod(param);
MessageDigest md = (MessageDigest)param.thisObject;
String str = md.getAlgorithm() + " update data:";
Util.MyLog(loadPackageParam.packageName, str, (byte[])param.args[0]);
);
// java Hook处理类"java.security.MessageDigest"中所有名称"digest"的类方法
XposedBridge.hookAllMethods(XposedHelpers.findClass("java.security.MessageDigest", loadPackageParam.classLoader), "digest",
new XC_MethodHook()
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable
super.afterHookedMethod(param);
if (param.args.length >= 1)
MessageDigest md = (MessageDigest)param.thisObject;
String str;
str = md.getAlgorithm() + " data:";
Util.MyLog(loadPackageParam.packageName,str,(byte[])param.args[0]);
str = md.getAlgorithm() + " result:";
Util.MyLog(loadPackageParam.packageName,str,(byte[])param.getResult());
);
catch (Exception e)
e.printStackTrace();
class Util
// 将字节数组数据转换为16进制的大写字符串
@NonNull
public static String byteArrayToString(byte[] bytes)
String hs = "";
String tmp = "";
for (int n = 0; n < bytes.length; n++)
//整数转成十六进制表示
tmp = (java.lang.Integer.toHexString(bytes[n] & 0XFF));
if (tmp.length() == 1)
hs = hs + "0" + tmp;
else
hs = hs + tmp;
tmp = null;
//转成大写
return hs.toUpperCase();
// 获取类方法堆栈调用的信息字符串
public static String GetStack()
String result = "";
Throwable ex = new Throwable();
StackTraceElement[] stackElements = ex.getStackTrace();
if (stackElements != null)
int range_start = 3;
int range_end = Math.min(stackElements.length, 7);
if(range_end < range_start)
return "";
// 获取合理调用层次的堆栈信息
for (int i = range_start; i < range_end; i++)
result = result + (stackElements[i].getClassName()+"->"); // 类的名称
result = result + (stackElements[i].getMethodName())+" "; // 类方法的名称
result = result + (stackElements[i].getFileName()+"("); // 源码文件的名称
result = result + (stackElements[i].getLineNumber()+")\\n"); // 源码在文件中的行号
result = result + ("----------------------------------\\n");
return result;
// 打印的log日志文件的名称格式为/sdcard/ydsec/packgeName.txt
// ++++++ 注意是否有对sdcard文件目录的写操作权限 +++++++++++
public static void MyLog(String packname, String info, byte[] data)
// 创建文件目录"/sdcard/ydsec/"
String path = "/sdcard/ydsec/";
File pather = new File(path);
if(!pather.exists())
pather.mkdir();
// 拼接字符串得到log日志文件的路径
String filename = path + packname+".txt";
if(data.length >= 256)
return;
try
// 1.前置tag显示字符串
info = info + "\\n";
// 2.类方法调用堆栈的信息
info = info + GetStack() + "\\n";
// 3.需要打印的关键加密算法的数据信息
info = info + HexDumper.dumpHexString(data) + "\\n-------------------------------------------------\\n\\n";
// 创建保存Log日志的文件/sdcard/ydsec/packgeName.txt
FileWriter fw = new FileWriter(filename, true);
// 将需要保存的数据信息写入到Log日志文件/sdcard/ydsec/packgeName.txt中
fw.write(info);
fw.close();
// 打印log日志
Log.d("q_"+packname,info);
XposedBridge.log("["+ packname+"]"+info);
catch(IOException e)
e.printStackTrace();
格式化打印Log日志的代码文件 HexDumper.java 的注释和学习:
package com.example.a14473.xp;
public class HexDumper
private final static char[] HEX_DIGITS = '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
'A', 'B', 'C', 'D', 'E', 'F' ;
// 将字节数组的数据转换为16进制的字符串数据
public static String dumpHexString(byte[] array)
if (array.equals(null))
return "null";
// 申请内存空间
byte[] byte2 = new byte[array.length + 0x10];
// 内存空间清零
for(int i = 0; i < byte2.length; i++)
byte2[i] = 0;
// 将传入的字节数组中的数据拷贝到新数组中
for(int i = 0; i < array.length; i++)
byte2[i] = array[i];
// 将字节数组数据转换为16进制的字符串数据
return dumpHexString(byte2, 0, byte2.length);
// 将字节数组数据转换为16进制的字符串数据
public static String dumpHexString(byte[] array, int offset, int length)
StringBuilder result = new StringBuilder();
byte[] line = new byte[16];
int lineIndex = 0;
// 打印数据的偏移
result.append("\\n0x");
// 将整型字节数组偏移转换为16进制字符串数据
result.append(toHexString(offset));
for (int i = offset; i < offset + length; i++)
if (lineIndex == 16)
result.append(" ");
for (int j = 0 ; j < 16 ; j++)
if (line[j] > ' ' && line[j] < '~')
result.append(new String(line, j, 1));
else
result.append(".");
// 打印数据的偏移
result.append("\\n0x");
result.append(toHexString(i));
lineIndex = 0;
byte b = array[i];
result.append(" ");
result.append(HEX_DIGITS[(b >>> 4) & 0x0F]);
result.append(HEX_DIGITS[b & 0x0F]);
line[lineIndex++] = b;
if (lineIndex != 16)
int count = (16 - lineIndex) * 3;
count++;
for (int i = 0 ; i < count ; i++)
result.append(" ");
for (int i = 0 ; i < lineIndex ; i++)
if (line[i] > ' ' && line[i] < '~')
result.append(new String(line, i, 1));
else
result.append(".");
return result.toString();
// 将单字节数组转化为16进制的字符串
public static String toHexString(byte b)
// 将字节数组转换为16进制的字符串数据
return toHexString(toByteArray(b));
// 将字节数组转换为16进制的字符串数据
public static String toHexString(byte[] array)
// 将指定字节数组的指定偏移位置指定长度的字节数据转换为16进制字符串进行显示
return toHexString(array, 0, array.length);
// 将指定字节数组的指定偏移位置指定长度的字节数据转换为16进制字符串进行显示
public static String toHexString(byte[] array, int offset, int length)
// 申请内存空间存放字符数组
char[] buf = new char[length * 2];
int bufIndex = 0;
for (int i = offset ; i < offset + length; i++)
// 取传入数组中的1字节数据
byte b = array[i];
// 取字节数据中高4位的数据转换为16进制字符串
buf[bufIndex++] = HEX_DIGITS[(b >>> 4) & 0x0F];
// 取字节数据中低4位的数据转换为16进制字符串
buf[bufIndex++] = HEX_DIGITS[b & 0x0F];
// 返回最终转换成功的字符串
return new String(buf);
// 将int整型数组转换为16进制的字符串进行显示
public static String toHexString(int i)
// 将字节数组转换为16进制的字符串数据
return toHexString(toByteArray(i));
// 将单字节数组转化为字节数组进行存储
public static byte[] toByteArray(byte b)
byte[] array = new byte[1];
array[0] = b;
return array;
// 将int整型数转换为4字节的字节数组
public static byte[] toByteArray(int i)
byte[] array = new byte[4];
array[3] = (byte)(i & 0xFF);
array[2] = (byte)((i >> 8) & 0xFF);
array[1] = (byte)((i >> 16) & 0xFF);
array[0] = (byte)((i >> 24) & 0xFF);
return array;
// 将单个字符转换为整型
private static int toByte(char c)
if (c >= '0' && c <= '9') return (c - '0');
if (c >= 'A' && c <= 'F') return (c - 'A' + 10);
if (c >= 'a' && c <= 'f') return (c - 'a' + 10);
throw new RuntimeException ("Invalid hex char '" + c + "'");
// 将字符串数据转换为相应的字节数组数据进行存储
public static byte[] hexStringToByteArray(String hexString)
int length = hexString.length();
byte[] buffer = new byte[length / 2];
// 每次处理2个字符的字符串
for (int i = 0 ; i < length ; i += 2)
// 例如将"23"转换为0x23
buffer[i / 2] = (byte)((toByte(hexString.charAt(i)) << 4) | toByte(hexString.charAt(i+1)));
return buffer;
后面我会再写个类似的简单小工具~
以上是关于基于Xposed Hook实现的Android App的协议算法分析小工具-CryptoFucker的主要内容,如果未能解决你的问题,请参考以下文章
Android中Xposed框架篇---基于Xposed的一款脱壳神器ZjDroid工具原理解析
Android基础项目 Xposed HOOK MAC地址与详细的hook入门
Android基础项目 Xposed HOOK MAC地址与详细的hook入门