Continuing from the previous lesson:
Android reverse engineering -- Setting up the Frida environment (hook example)
Android reverse engineering -- Hooking a car app's encrypted udid value with Frida
1. In the previous lesson we traced the code down to an encode3Des function and saw that it uses CBC mode, so the first task is to find the values of the iv and the key.
public static String encode3Des(Context context, String str) {
    String desKey = AHAPIHelper.getDesKey(context);   // the key is fetched at runtime, see step 3
    byte[] bArr = null;
    if (TextUtils.isEmpty(desKey)) {
        return null;
    }
    try {
        // DESedeKeySpec keeps only the first 24 bytes of the key string
        SecretKey generateSecret = SecretKeyFactory.getInstance("desede").generateSecret(new DESedeKeySpec(desKey.getBytes()));
        Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
        // 1 == Cipher.ENCRYPT_MODE; f882iv is the constant iv
        cipher.init(1, generateSecret, new IvParameterSpec(f882iv.getBytes()));
        bArr = cipher.doFinal(str.getBytes("UTF-8"));
    } catch (Exception unused) {
    }
    return encode(bArr).toString();
}
2. From the surrounding context the iv value can be read directly; it is the constant: appapich
3. Through the line below we step into the getDesKey function to look at the key:
String desKey = AHAPIHelper.getDesKey(context);
4. getDesKey in turn gets its value from getSignDesKey, so we continue into that function:
private static void getSignDesKey(Context context) {
    mDesKey = CheckSignUtil.get3desKey(context);
}
5. Continuing into get3desKey, we find that the key comes from a native function.
6. Analyzing the .so is somewhat harder, so we simply hook the getDesKey function to obtain the key:
Java.perform(function () {
    let AHAPIHelper = Java.use("com.autohome.ahkit.AHAPIHelper");
    AHAPIHelper["getDesKey"].implementation = function (context) {
        console.log(`AHAPIHelper.getDesKey is called: context=${context}`);
        // call the original implementation and log what it returns
        let result = this["getDesKey"](context);
        console.log(`AHAPIHelper.getDesKey result=${result}`);
        return result;
    };
});
Run result:
AHAPIHelper.getDesKey result=appapiche168comappapiche168comap
encode3Des ret value is Emf/VNnohOKgDGg18QXBQF8lIyfQHAikW7L132/afUxHsE0uu7TFiA==
7. Implementing 3DES
1) Install the required library
pip install pycryptodome
Note: in ....\Python\Python310\Lib\site-packages, change the first letter of the Crypto folder there to an upper-case C.
2) Code implementation
import base64
from Crypto.Cipher import DES3

BS = 8
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)   # PKCS5 padding
# DES uses the first 8 bytes of the key, 3DES uses the first 24
key = b'appapiche168comappapiche168comap'[0:24]
iv = b'appapich'
加密数据 = '869394024096718|233068977599|357590'
plaintext = pad(加密数据).encode("utf-8")
cipher = DES3.new(key, DES3.MODE_CBC, iv)
result = cipher.encrypt(plaintext)
print(base64.b64encode(result).decode('utf-8'))


