安卓逆向 -- 自吐算法（DES）

Posted 2021-10-17 web安全工具库

一、DES算法源码

DESKeySpec deskey = new DESKeySpec("123456789".getBytes(StandardCharsets.UTF_8));//将密钥实例化SecretKeyFactory key = SecretKeyFactory.getInstance("DES");//加密算法SecretKey secretKey = key.generateSecret(deskey);//处理成系统可识别的密钥Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");//加密方式cipher.init(1,secretKey);//1是加密，2是解密，初始化加密byte[] desres = cipher.doFinal(bs.getBytes());System.out.println("DES加密（字节）："+Arrays.toString(desres));System.out.println("DES加密（Hex）："+bytes2HexString(desres));System.out.println("DES加密（Base64）："+Base64.getEncoder().encodeToString(desres));cipher.init(2,secretKey);//初始化解密byte[] jmdesres = cipher.doFinal(Base64.getDecoder().decode("R7R5cToMh5QxnyoH/32OQw==".getBytes(StandardCharsets.UTF_8)));System.out.println("DES解密（Base64）："+new String(jmdesres));byte[] deshexbyte =hexString2Bytes("47B479713A0C8794319F2A07FF7D8E43");jmdesres=cipher.doFinal(deshexbyte);System.out.println("DES解密（Hex）："+new String(jmdesres));

二、分析源码，需hook的内容

1、hook的类：javax.crypto.spec.DESKeySpec，javax.crypto.spec.IvParameterSpec，javax.crypto.Cipher

2、hook的方法：key，IV，doFinal

三、hook源码

XposedBridge.hookAllConstructors(XposedHelpers.findClass(        "javax.crypto.spec.DESKeySpec",        loadPackageParam.classLoader),        new XC_MethodHook() {            @Override            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {                Log.e("逆向有你", "Stack:", new Throwable("stack dump"));                byte[] keybyte = new byte[8];                int offset = 0;                if (param.args.length != 1) {                    offset = ((Integer) param.args[1]).intValue();                }                System.arraycopy((byte[])param.args[0], offset, keybyte, 0, 8);                String keyHex = b2s(keybyte);                String keyB64 = Base64.encodeToString(keybyte, 0);                Log.d("逆向有你", "DESKey:" + new String(keybyte));                Log.d("逆向有你", "DESKeyHex:" + keyHex);                Log.d("逆向有你", "DESKeyB64:" + keyB64);                Log.d("逆向有你", "=============DES密钥================");            }        });XposedBridge.hookAllConstructors(XposedHelpers.findClass(        "javax.crypto.spec.IvParameterSpec",        loadPackageParam.classLoader),        new XC_MethodHook() {            /* access modifiers changed from: protected */            public void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {                Log.e("逆向有你", "Stack:", new Throwable("stack dump"));                byte[] ivParameter = (byte[]) param.args[0];                int offset = 0;                int size = 0;                if (param.args.length != 1) {                    offset = ((Integer) param.args[1]).intValue();                    size = ((Integer) param.args[2]).intValue();                } else {                    size = ivParameter.length;                }                byte[] ivbyte = new byte[size];                System.arraycopy(ivParameter, offset, ivbyte, 0, size);                String ivHex = b2s(ivbyte);                String ivB64 = Base64.encodeToString(ivbyte, 0);                Log.d("逆向有你", "ivParameter:" + new String(ivbyte));                Log.d("逆向有你", "ivParameterHex:" + ivHex);                Log.d("逆向有你", "ivParameterB64:" + ivB64);                Log.d("逆向有你", "======================IV向量===============================");            }        });XposedBridge.hookAllMethods(XposedHelpers.findClass(        "javax.crypto.Cipher",        loadPackageParam.classLoader),        "doFinal",        new XC_MethodHook() {            public void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {                Log.e("逆向有你", "Stack:", new Throwable("stack dump"));                if (param.args.length == 0 || param.args.length == 1 || param.args.length == 3) {                    Cipher cip = (Cipher) param.thisObject;                    String Algorithm = cip.getAlgorithm();                    byte[] dataAll = (byte[]) param.args[0];                    if (param.args.length == 3) {                        int offset = ((Integer) param.args[1]).intValue();                        int size = ((Integer) param.args[2]).intValue();                        byte[] databyte = new byte[size];                        System.arraycopy(dataAll, offset, databyte, 0, size);                        Log.d("逆向有你", Algorithm + "Data" + new String(databyte));                        String data = new String(databyte);                        String dataHex = b2s(databyte);                        String dataB64 = Base64.encodeToString(databyte, 0);                        Log.d("逆向有你", String.valueOf(Algorithm) + " Data:\\n" + data);                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataHex:\\n" + dataHex);                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataB64:\\n" + dataB64);                    } else if (param.args.length == 1) {                        String data2 = new String(dataAll);                        String dataHex2 = b2s(dataAll);                        String dataB642 = Base64.encodeToString(dataAll, 0);                        Log.d("逆向有你", String.valueOf(Algorithm) + " Data:\\n" + data2);                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataHex:\\n" + dataHex2);                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataB64:\\n" + dataB642);                    }                    byte[] res = (byte[]) param.getResult();                    String resHex = b2s(res);                    String resB64 = Base64.encodeToString(res, 0);                    Log.d("逆向有你", String.valueOf(Algorithm) + " resultHex: " + resHex);                    Log.d("逆向有你", String.valueOf(Algorithm) + " resultB64: " + resB64);                    Log.d("逆向有你", "================Cipher=============================");                }            }        });

四、运行结果

禁止非法，后果自负

欢迎关注公众号：逆向有你

欢迎关注视频号：之乎者也吧