Continued from the previous lessons:
Android reverse engineering -- Setting up the Frida environment (hook example)
Android reverse engineering -- Frida hooking the encrypted udid value of a car app
1. In the previous lesson the analysis reached an encode3Des function. It uses CBC mode, so the first job is to find the values of the iv and the key.

```java
public static String encode3Des(Context context, String str) {
    // The key comes from a helper; the iv is the constant field f882iv
    String desKey = AHAPIHelper.getDesKey(context);
    byte[] bArr = null;
    if (TextUtils.isEmpty(desKey)) {
        return null;
    }
    try {
        // DESedeKeySpec only consumes the first 24 bytes of desKey
        SecretKey generateSecret = SecretKeyFactory.getInstance("desede").generateSecret(new DESedeKeySpec(desKey.getBytes()));
        Cipher cipher = Cipher.getInstance("desede/CBC/PKCS5Padding");
        cipher.init(1, generateSecret, new IvParameterSpec(f882iv.getBytes())); // 1 == Cipher.ENCRYPT_MODE
        bArr = cipher.doFinal(str.getBytes("UTF-8"));
    } catch (Exception unused) {
    }
    return encode(bArr).toString(); // encode() turns the ciphertext into its base64 string form
}
```
2. From the surrounding code the iv value can be read directly; it is the constant appapich.
3. The line below leads into the getDesKey function, where we look for the key:

```java
String desKey = AHAPIHelper.getDesKey(context);
```

4. getDesKey in turn gets its value from getSignDesKey, so we continue into that function:
```java
private static void getSignDesKey(Context context) {
    mDesKey = CheckSignUtil.get3desKey(context);
}
```
5. Continuing into get3desKey shows that the key comes from a native function.
6. Analyzing the .so takes more effort, so instead we hook getDesKey directly and read the key from its return value:
```javascript
// Frida script: Java.perform is required so Java.use runs on the Dalvik/ART thread
Java.perform(function () {
    let AHAPIHelper = Java.use("com.autohome.ahkit.AHAPIHelper");
    // Replace getDesKey(Context), call the original, and log what it returns
    AHAPIHelper["getDesKey"].implementation = function (context) {
        console.log(`AHAPIHelper.getDesKey is called: context=${context}`);
        let result = this["getDesKey"](context);
        console.log(`AHAPIHelper.getDesKey result=${result}`);
        return result;
    };
});
```
Output:

```text
AHAPIHelper.getDesKey result=appapiche168comappapiche168comap
encode3Des ret value is Emf/VNnohOKgDGg18QXBQF8lIyfQHAikW7L132/afUxHsE0uu7TFiA==
```
7. Reimplementing the 3DES encryption
(1) Install the required library:

```shell
pip install pycryptodome
```

Note: inside ....\Python\Python310\Lib\site-packages, rename the crypto package folder so that its first letter is an uppercase C (Crypto); otherwise the import below fails.

(2) Implementation:
```python
import base64
from Crypto.Cipher import DES3

BS = 8  # DES block size in bytes
# PKCS5 padding, the same scheme as the Java "PKCS5Padding"
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)

# DES uses the first 8 bytes of the key, 3DES the first 24 (DESedeKeySpec behaves the same way)
key = b'appapiche168comappapiche168comap'[0:24]
iv = b'appapich'
data = '869394024096718|233068977599|357590'  # plaintext to encrypt
plaintext = pad(data).encode("utf-8")
cipher = DES3.new(key, DES3.MODE_CBC, iv)
result = cipher.encrypt(plaintext)
print(base64.b64encode(result).decode('utf-8'))
```