"Preface: I am new to reverse engineering, so corrections and advice are welcome."
What I learned
—
1. Writing an Xposed module that hooks the Java-layer cryptographic library
Introduction to the Xposed API
—
What is a "self-dumping algorithm" module?
1. Hook the constructors of the classes in the JDK's built-in cryptography packages
2. Hook the encryption/digest methods of those same classes
How is such a module implemented?
1. XposedBridge.hookAllMethods
public static Set<XC_MethodHook.Unhook> hookAllMethods(Class<?> hookClass, String methodName, XC_MethodHook callback) {
    Set<XC_MethodHook.Unhook> unhooks = new HashSet<>();
    // Enumerate every declared method by reflection and hook each one whose name matches (all overloads)
    for (Member method : hookClass.getDeclaredMethods())
        if (method.getName().equals(methodName))
            unhooks.add(hookMethod(method, callback));
    return unhooks;
}
2. XposedBridge.hookAllConstructors
public static Set<XC_MethodHook.Unhook> hookAllConstructors(Class<?> hookClass, XC_MethodHook callback) {
    Set<XC_MethodHook.Unhook> unhooks = new HashSet<>();
    // Every declared constructor of the class is hooked with the same callback
    for (Member constructor : hookClass.getDeclaredConstructors())
        unhooks.add(hookMethod(constructor, callback));
    return unhooks;
}
From the source in XposedBridge.jar we can see that both helpers use reflection to collect all constructors or all methods of the given name on the specified class, and then call hookMethod on each of them.
hookMethod in turn ends up in hookMethodNative, which is implemented in the native (.so) layer; I don't know much about that part yet.
Take hooking the MD5 message digest as an example. The normal code for computing the digest looks like this:
import java.security.MessageDigest;

MessageDigest md = MessageDigest.getInstance("MD5");
byte[] bRes = md.digest("@admin".getBytes());
System.out.println("bRes字节数组的长度为:" + bRes.length);
// byteToString is a hex-encoding helper whose body is not shown in this post
String szMd5String = byteToString(bRes);
System.out.println(szMd5String);
So the usual approach is to hook the digest method of this class in order to capture its parameters and return value for analysis.
Note that digest is sometimes called with no arguments at all, as in the following case, where the input was fed in earlier through update:
MessageDigest md = MessageDigest.getInstance("MD5");
md.update("aaaaa".getBytes());
// No argument here: the data was already supplied via update()
byte[] bRes = md.digest();
System.out.println("bRes字节数组的长度为:" + bRes.length);
String szMd5String = byteToString(bRes);
System.out.println(szMd5String);
So why not hook the update method instead? update is declared as shown below. Because update has no return value, hooking it would end up in an infinite loop (小肩膀 mentioned this in the video, but I have not tried it myself). If you really need to hook it, you can only write a module for that one specific function; it cannot be done in a general-purpose hook module.
void update(byte[] input)                       // updates the digest using the specified byte array
void update(byte[] input, int offset, int len)  // updates the digest using the specified byte array, starting at the given offset
XposedBridge.hookAllMethods(findClass("java.security.MessageDigest", loadPackageParam.classLoader), "digest", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        Log.d("MyHook", "================================================================================");
        Log.d("MyHook", "==========java.security.MessageDigest's digest hooking was Starting==========");
        Log.e("MyHook", "The Stack: ", new Throwable("Stack Dump"));
        // First get hold of the MessageDigest object
        MessageDigest messageDigest = (MessageDigest) param.thisObject;
        String algo = messageDigest.getAlgorithm();
        // hookAllMethods matches every overload of digest():
        //   digest()                             -> no args, input came in through update()
        //   digest(byte[] input)                 -> args[0] is the input, e.g. digest("a12345678".getBytes())
        //   digest(byte[] buf, int off, int len) -> args[0] is the OUTPUT buffer and the result is an int
        if (param.args.length == 1) {
            byte[] before_data = (byte[]) param.args[0];
            Log.d("MyHook", "Algorithm: " + algo + " Normal digest function's args[0]: " + new String(before_data));
            Log.d("MyHook", "Algorithm: " + algo + " Base64 digest function's args[0]: " + Base64.encodeToString(before_data, Base64.DEFAULT));
            Log.d("MyHook", "Algorithm: " + algo + " Hex digest function's args[0]: " + byteToHexString(before_data));
        }
        byte[] bRes;
        if (param.args.length == 3) {
            // Three-arg overload: the result is the byte count written into args[0] starting at args[1]
            int off = (Integer) param.args[1];
            int len = (Integer) param.getResult();
            bRes = Arrays.copyOfRange((byte[]) param.args[0], off, off + len);
        } else {
            bRes = (byte[]) param.getResult();
        }
        // Raw data
        Log.d("MyHook", "Algorithm: " + algo + " Normal Data: " + new String(bRes));
        // Print the Base64 form
        Log.d("MyHook", "Algorithm: " + algo + " Base64 Data: " + Base64.encodeToString(bRes, Base64.DEFAULT));
        // Hex string form (byteToHexString is a hex-encoding helper whose body is not shown in this post)
        Log.d("MyHook", "Algorithm: " + algo + " Hex Data: " + byteToHexString(bRes));
        Log.d("MyHook", "==========java.security.MessageDigest's digest hooking was Ending==========");
        Log.d("MyHook", "================================================================================");
    }
});
Hands-on with an app
—
Capture the login request; it looks like this:
POST /api/sns/v2/user/login HTTP/1.1
X-Tingyun-Lib-Type-N-ST: 3;1602599093071
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; Nexus 5 Build/KTU84Q) Resolution/1080*1776 Version/5.14.0 Build/5140002 Device/(LGE;Nexus 5)
Content-Type: application/x-www-form-urlencoded
Content-Length: 377
Host: www.xiaohongshu.com
Connection: close
Accept-Encoding: gzip, deflate

android_id=86a2e5fff2b395d&phone=19817353426&type=phone&lang=zh&password=e9bc0e13a8a16cbb07b175d92a113126&zone=86&imei=358240050430040&platform=Android&deviceId=c4e6b1a6-6891-3314-ad08-7e08f5da0063&device_fingerprint=202010121332200be9f24f860e8356e0ab8037a7b69cd70008c4435e510fcc&versionName=5.14.0&channel=Store360&lang=zh-CN&t=1602598918&sign=816f8034f5bf8bcc0238478c2d2d05b4
The field of interest is the 32-hex-character sign: 816f8034f5bf8bcc0238478c2d2d05b4
Search the log recorded by the Xposed module for this feature value.
The stack dump next to the matching log entry points straight at the code to analyze:
at com.xingin.skynet.XYValueRewrite.a(SourceFile:124)
at com.xingin.skynet.XYValueRewrite.a(SourceFile:91)
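To automate that log search, here is an added Python helper (not from the original post) that parses the logcat output produced by the digest hook, groups the lines per hooked digest() call, finds the call whose hex output equals the sign, and reports the first application frame from the dumped stack. The log excerpt is constructed for the example and its class names are placeholders; only the MD5 value is the sign from the captured request.

```python
import re

# Constructed logcat excerpt in the format the digest hook above emits (not a real capture).
# Class names are placeholders; the MD5 value is the sign= from the captured request.
SAMPLE_LOG = """\
D/MyHook: ==========java.security.MessageDigest's digest hooking was Starting==========
E/MyHook: java.lang.Throwable: Stack Dump
E/MyHook:     at java.security.MessageDigest.digest(MessageDigest.java:0)
E/MyHook:     at com.example.net.SignHelper.a(SourceFile:124)
E/MyHook:     at com.example.net.SignHelper.a(SourceFile:91)
D/MyHook: Algorithm: MD5 Hex digest function's args[0]: 6162633d31
D/MyHook: Algorithm: MD5 Hex Data: 816f8034f5bf8bcc0238478c2d2d05b4
D/MyHook: ==========java.security.MessageDigest's digest hooking was Ending==========
D/MyHook: ==========java.security.MessageDigest's digest hooking was Starting==========
E/MyHook: java.lang.Throwable: Stack Dump
E/MyHook:     at com.example.cache.KeyGen.b(SourceFile:40)
D/MyHook: Algorithm: SHA-1 Hex Data: da39a3ee5e6b4b0d3255bfef95601890afd80709
D/MyHook: ==========java.security.MessageDigest's digest hooking was Ending==========
"""

START, END = "digest hooking was Starting", "digest hooking was Ending"
HEX_RE = re.compile(r"Algorithm: (\S+) Hex (Data|digest function's args\[0\]): ([0-9a-fA-F]*)")
FRAME_RE = re.compile(r"\bat ([\w.$]+\.\w+\([\w.]+:\d+\))")

def parse_events(log_text):
    """Split the log into one dict per hooked digest() call: algorithm, input/output hex, stack frames."""
    events, cur = [], None
    for line in log_text.splitlines():
        if START in line:
            cur = {"algorithm": "", "input_hex": "", "output_hex": "", "frames": []}
        elif END in line and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None:
            m = HEX_RE.search(line)
            if m:
                cur["algorithm"] = m.group(1)
                cur["output_hex" if m.group(2) == "Data" else "input_hex"] = m.group(3)
            else:
                f = FRAME_RE.search(line)
                if f:
                    cur["frames"].append(f.group(1))
    return events

def find_sign_origin(log_text, sign, app_prefix):
    """Return (event, first app-code frame) for the digest whose output equals the sign, else (None, None)."""
    for ev in parse_events(log_text):
        if ev["output_hex"].lower() == sign.lower():
            app_frames = [fr for fr in ev["frames"] if fr.startswith(app_prefix)]
            return ev, (app_frames[0] if app_frames else None)
    return None, None
```

Feed it the real `adb logcat -s MyHook` output and the app's package prefix; the returned input_hex is the exact byte string the app fed into the digest, which is what you compare against the request body.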