接上節課
安卓逆向 -- Frida環境搭建(HOOK執行個體)
安卓逆向 -- FridaHook某車udid的加密值
一、上節課分析到一個encode3Des函數,看到CBC模式,首先要找iv和key的值
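/**
 * Encrypts {@code str} with 3DES (DESede) in CBC mode and returns the result
 * through {@code encode(...)}.
 *
 * The key comes from {@code AHAPIHelper.getDesKey(context)}; the IV is the
 * constant {@code f882iv}, which is declared outside this method. A fixed IV
 * under CBC means equal plaintexts always map to equal ciphertexts, so the
 * output is deterministic per key.
 *
 * @param context passed to {@code AHAPIHelper.getDesKey} to obtain the key
 * @param str     plaintext, encoded as UTF-8 before encryption
 * @return the encoded ciphertext, or {@code null} when no key is available or
 *         encryption fails. (The original swallowed every exception and then
 *         still passed a {@code null} buffer to {@code encode}; failure is now
 *         reported the same way as a missing key.)
 */
public static String encode3Des(Context context, String str) {
    String desKey = AHAPIHelper.getDesKey(context);
    if (TextUtils.isEmpty(desKey)) {
        return null;
    }
    byte[] bArr;
    try {
        // DESedeKeySpec consumes the first 24 bytes of the key material. The
        // key string is converted with the platform default charset, as in the
        // original; on Android that is UTF-8.
        SecretKey generateSecret = SecretKeyFactory.getInstance("desede")
                .generateSecret(new DESedeKeySpec(desKey.getBytes()));
        Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
        // Cipher.ENCRYPT_MODE == 1, the literal the original used.
        cipher.init(Cipher.ENCRYPT_MODE, generateSecret, new IvParameterSpec(f882iv.getBytes()));
        bArr = cipher.doFinal(str.getBytes("UTF-8"));
    } catch (Exception unused) {
        // Any failure (bad key material, unsupported algorithm, null str, ...)
        // is treated like a missing key rather than handing null to encode().
        return null;
    }
    return encode(bArr).toString();
}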
二、通過上下文,直接可以看到iv的值,常量:appapich
三、通過下面代碼,我們進入getDesKey函數,檢視key
String desKey = AHAPIHelper.getDesKey(context);
四、getDesKey又來自於getSignDesKey,繼續進入該函數檢視
/**
 * Populates the static {@code mDesKey} field with the 3DES key for this app.
 * The key material is produced by {@code CheckSignUtil.get3desKey}, which is
 * not visible here (reported to be backed by a native function).
 *
 * @param context forwarded unchanged to {@code CheckSignUtil.get3desKey}
 */
private static void getSignDesKey(Context context) {
    final String key = CheckSignUtil.get3desKey(context);
    mDesKey = key;
}
五、繼續進入get3desKey函數檢視,來自于原生函數
六、分析so有點難度,所以直接hook getDesKey函數,擷取key
// Frida hook that logs what AHAPIHelper.getDesKey returns without changing it.
// `Java` is Frida's Java bridge; this snippet is presumably run inside
// Java.perform() on the attached process (the wrapper is not shown here).
const AHAPIHelper = Java.use("com.autohome.ahkit.AHAPIHelper");

AHAPIHelper.getDesKey.implementation = function (context) {
  console.log(`AHAPIHelper.getDesKey is called: context=${context}`);
  // Delegate to the original implementation so the app's behaviour is untouched;
  // only the returned key is echoed to the console.
  const result = this.getDesKey(context);
  console.log(`AHAPIHelper.getDesKey result=${result}`);
  return result;
};
運作結果:
AHAPIHelper.getDesKey result=appapiche168comappapiche168comap
encode3Des ret value is Emf/VNnohOKgDGg18QXBQF8lIyfQHAikW7L132/afUxHsE0uu7TFiA==
七、實作3DES
1、安裝需要的庫檔案
pip install pycryptodome
注意
....\Python\Python310\Lib\site-packages 將裡面 crypto 資料夾的首字母 c 改為大寫 C
2、代碼實作
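import base64
from Crypto.Cipher import DES3  # pycryptodome

BS = 8  # DES / 3DES block size in bytes


def pad(s):
    """PKCS#7-pad ``s`` to a whole number of ``BS``-byte blocks and return bytes.

    Accepts ``str`` (encoded as UTF-8 first) or ``bytes``. The padding length is
    computed on the *byte* length; the original lambda padded the ``str`` by
    character count and then encoded it, which yields a wrong block alignment
    for any non-ASCII input. Note the return type is now ``bytes``.
    """
    data = s.encode("utf-8") if isinstance(s, str) else bytes(s)
    n = BS - len(data) % BS
    return data + bytes([n]) * n


# DES uses the first 8 bytes of the key material, 3DES the first 24.
key = b'appapiche168comappapiche168comap'[0:24]
# Fixed IV as recovered from the app; CBC with a constant IV is deterministic.
iv = b'appapich'
加密資料 = '869394024096718|233068977599|357590'
plaintext = pad(加密資料)
cipher = DES3.new(key, DES3.MODE_CBC, iv)
result = cipher.encrypt(plaintext)
print(base64.b64encode(result).decode('utf-8'))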