安卓逆向 -- 自吐算法（MAC）

Posted 2021-10-17 web安全工具库

一、MAC算法源码

import javax.crypto.Macimport javax.crypto.spec.SecretKeySpecString bs= "逆向有你a";SecretKeySpec key = new SecretKeySpec("12345".getBytes(StandardCharsets.UTF_8), "HmacSHA256");//申请一个密钥，长度内容随便写Mac mac = Mac.getInstance("HmacSHA256");//告诉系统我用的加密码方式是HmacSHA256mac.init(key);byte[] macres = mac.doFinal(bs.getBytes(StandardCharsets.UTF_8));//开始加密System.out.println("HmacSHA1加密（字节）："+Arrays.toString(macres));System.out.println("HmacSHA1加密（字符串）："+bytes2HexString(macres));SecretKeySpec key1 = new SecretKeySpec("12345".getBytes(StandardCharsets.UTF_8), "HmacSHA256");//申请一个密钥，长度内容随便写Mac mac1 = Mac.getInstance("HmacSHA256");//告诉系统我用的加密码方式是HmacSHA256mac1.init(key1);mac1.update("逆向".getBytes(StandardCharsets.UTF_8));mac1.update("有你".getBytes(StandardCharsets.UTF_8));byte[] macres1 = mac1.doFinal("a".getBytes(StandardCharsets.UTF_8));System.out.println(bytes2HexString(macres1));

二、分析源码，需hook的内容

1、hook类是javax.crypto.Mac，javax.crypto.spec.SecretKeySpec

2、hook的方法：SecretKeySpec，doFinal

三、hook源码

XposedBridge.hookAllMethods(XposedHelpers.findClass("javax.crypto.Mac", loadPackageParam.classLoader)        , "doFinal",        new XC_MethodHook() {            @Override            protected void afterHookedMethod(MethodHookParam param) throws Throwable {                super.afterHookedMethod(param);                Log.e("逆向有你", "Stack：", new Throwable("stack dump"));                if(param.args.length==2) return;                Mac mc = (Mac) param.thisObject;//实例化                String algorithm = mc.getAlgorithm();//获取加密算法的名称                if (param.args.length == 2) {                    byte[] params = (byte[]) param.args[0];                    String data = new String(params);                    String datahex = b2s(params);                    String datab64 = Base64.encodeToString(params, 0);                    Log.d("逆向有你",algorithm+"data:"+data);                    Log.d("逆向有你",algorithm+"datahex:"+datahex);                    Log.d("逆向有你",algorithm+"datab64:"+datab64);                }                byte[] res=(byte[])param.getResult();                String reshex = b2s(res);                String resb64 = Base64.encodeToString(res, 0);                Log.d("逆向有你",algorithm+"resulthex:"+reshex);                Log.d("逆向有你",algorithm+"resultb64:"+resb64);                Log.d("逆向有你","========================================================================");            }        });XposedBridge.hookAllConstructors(XposedHelpers.findClass("javax.crypto.spec.SecretKeySpec", loadPackageParam.classLoader)        , new XC_MethodHook() {            @Override            protected void afterHookedMethod(MethodHookParam param) throws Throwable {                super.afterHookedMethod(param);                Log.e("逆向有你", "Stack：", new Throwable("stack dump"));                byte[] secretKey = (byte[]) param.args[0];                int offset=0;                int size=0;                String algorithm=null;                if (param.args.length != 2) {                    offset = ((Integer) param.args[1]).intValue();                    size = ((Integer) param.args[2]).intValue();                    algorithm = (String) param.args[3];                }else                {                    size=secretKey.length;                    algorithm= (String) param.args[1];                }                byte[] keyres=new byte[size];                System.arraycopy(secretKey,offset,keyres,0,size);                String keyreshex = b2s(keyres);                String keyresb64 = Base64.encodeToString(keyres, 0);                Log.d("逆向有你",algorithm+"secretkey:"+new String(keyres));                Log.d("逆向有你",algorithm+"secretkeyhex:"+keyreshex);                Log.d("逆向有你",algorithm+"secretkeyb64:"+keyresb64);                Log.d("逆向有你","========================================================================");            }        });

四、运行结果

禁止非法，后果自负

欢迎关注公众号：逆向有你

欢迎关注视频号：之乎者也吧