声明:本文只作学习研究,禁止用于非法用途,否则后果自负,如有侵犯了您的合法权益,请告知,我将及时更正、删除,谢谢。邮箱地址:lc1139411732@163.com
文章目录:
一、项目准备
二、静态分析
三、frida hook
四、本地实现java加密算法
一、项目准备
作者环境:win10,node.js14.16.1 、python3.9.1、java8
开发工具:pycharm、idea、fiddler、夜神模拟器、jadx
目标app:今日镇江
二、静态分析
1.点击登录后用fiddler抓包,可以看出被处理过的字段只有一个"sign",从其表现形式上可以推测是MD5(严格来说MD5是哈希摘要,而不是加密)。
2. jadx反编译apk,定位加密位置。根据下图所示,可以看到a方法里面的 com.cmstop.cloud.b.b.a(map, timestamp + "")就是加密位置
三、frida hook
1.frida-hook查看结果 -确定我们以上的推断是对的。传入参数共两个x=map,xx=时间戳
hook-a方法代码
// Frida script: wraps the (HashMap, String) overload of com.cmstop.cloud.b.b.a
// so that every call prints its two arguments and its return value, then
// hands the unmodified result back to the app.
//
// NOTE(review): the first argument is the request parameter map; judging by
// the sample data later in this article it carries the account and password
// in clear text, so console output captured from this hook should be treated
// as sensitive.
Java.perform(function () {
    var signerClass = Java.use('com.cmstop.cloud.b.b');
    console.log('--- start frida hook ---');

    // Select the overload by its exact parameter types.
    var signOverload = signerClass.a.overload('java.util.HashMap', 'java.lang.String');

    signOverload.implementation = function (params, timestamp) {
        console.log('sign加密前参数1-明文:' + params);
        console.log('sign加密前参数2-明文:' + timestamp);

        // Delegate to the original method so the app's behaviour is unchanged.
        var signature = this.a(params, timestamp);

        console.log('sign加密后:' + signature);
        return signature;
    };
});
四、抠出java代码,在本地实现加密算法(已成功复现)
1.a方法
package 今日镇江md5;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
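/**
 * Local re-implementation of the request "sign" computation recovered from the app.
 *
 * <p>Despite the class name, no DES is involved: the signature is two rounds of MD5
 * over a canonicalised parameter string, a fixed constant and a timestamp.
 *
 * <p>Security note for reviewers of schemes like this one: the constant mixed into the
 * second hash is compiled into the client, so it is not a secret. Anyone holding the
 * application package can recompute the value, which means the sign can detect
 * accidental corruption of a request but cannot authenticate the client. A server
 * should not treat a valid sign as proof of origin; a keyed MAC (for example HMAC)
 * with a per-device or per-session key that is not shipped in the binary is the usual
 * replacement for plain MD5 concatenation.
 */
public class DesSecurity {

    /** Fixed value appended between the first digest and the timestamp. */
    private static final String SIGN_CONSTANT = "1fa50ba25ed527f3fd1eb9467686f2bb";

    /** Demo entry point: signs one sample login parameter set and prints the result. */
    public static void main(String[] args) {
        HashMap<String, String> map = new HashMap<>();
        map.put("password", "666666");
        map.put("device_id", "08:00:27:e6:e0:44");
        map.put("system_name", "android");
        map.put("siteid", "10001");
        map.put("ip", "172.17.100.15");
        map.put("account", "17701150278");
        map.put("clientid", "1");
        map.put("modules", "cloudlogin:1");
        map.put("type", "android");
        // a() is static; call it on the class rather than on a throw-away instance.
        System.out.println(DesSecurity.a(map, "1656817497345"));
    }

    /**
     * Computes the sign for a parameter map and a timestamp string.
     *
     * <p>Steps: sort the keys, URL-encode each value as UTF-8, join the pairs as
     * {@code key=value} separated by {@code &}, rewrite three escapes, take the MD5 of
     * that string, append the fixed constant and {@code time}, and take the MD5 again.
     *
     * <p>Parameter values, including the password, go into the canonical string
     * URL-encoded but otherwise unmodified, and the canonical string is printed to
     * standard output as debug output. Remove that print before reusing this code
     * anywhere logs are retained.
     *
     * @param paramsMap request parameters; keys are used as-is, values are URL-encoded
     * @param time      timestamp string appended before the second digest
     * @return the hex digest produced by the second {@code MD5.md5} call
     * @throws NullPointerException  if {@code paramsMap} is null or contains a null value
     * @throws IllegalStateException if the runtime reports UTF-8 as unsupported
     */
    public static String a(HashMap<String, String> paramsMap, String time) {
        Object[] sortedKeys = paramsMap.keySet().toArray();
        Arrays.sort(sortedKeys);

        StringBuilder canonical = new StringBuilder();
        for (Object key : sortedKeys) {
            String encodedValue;
            try {
                encodedValue = URLEncoder.encode(paramsMap.get(key), "UTF-8");
            } catch (UnsupportedEncodingException e) {
                // The original printed the stack trace and silently dropped the
                // parameter, which would yield a wrong signature. Fail loudly instead.
                throw new IllegalStateException("UTF-8 encoding is not available", e);
            }
            if (canonical.length() > 0) {
                canonical.append("&");
            }
            canonical.append(key.toString()).append("=").append(encodedValue);
        }

        // URLEncoder emits form encoding; these rewrites move it to the
        // percent-encoding variant in which '*' is escaped, '~' is literal and a
        // space is %20 rather than '+'. They are applied to the whole joined string,
        // keys included, exactly as in the recovered code.
        String replace = canonical.toString()
                .replace("*", "%2A")
                .replace("%7E", "~")
                .replace("+", "%20");

        // Debug output kept from the original listing; it contains the password value.
        System.out.println(replace);

        String firstDigest = MD5.md5(replace);
        return MD5.md5(firstDigest + SIGN_CONSTANT + time);
    }
}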
2.MD5算法
package 今日镇江md5;
//import com.netease.youliao.newsfeeds.utils.f;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
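/**
 * MD5 helpers that return the digest as lowercase hexadecimal.
 *
 * <p>MD5 is kept here only because the scheme being reproduced uses it. It is not
 * collision resistant and must not be chosen for new integrity or password handling.
 */
public class MD5 {
    /** Algorithm name passed to {@link MessageDigest#getInstance(String)}. */
    public static final String dddd = "MD5";

    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    /**
     * Demo entry point: prints the digest of one sample string.
     *
     * <p>NOTE(review): the sample is the {@code toString()} form of a parameter map
     * followed by a constant and a timestamp; it looks like an early experiment and
     * is not the canonical string that the sign routine hashes.
     */
    public static void main(String[] args) {
        // md5 is static; no instance is needed.
        System.out.println(MD5.md5("{password=666666, device_id=08:00:27:e6:e0:44, system_name=android, siteid=10001, ip=172.17.100.15, account=17701160333, clientid=1, modules=cloudlogin:1, type=android}1fa50ba25ed527f3fd1eb9467686f2bb1656817497345"));
    }

    /**
     * Hashes raw bytes.
     *
     * @param bytes input, may be null
     * @return 32 lowercase hex characters, or the empty string when {@code bytes} is null
     * @throws RuntimeException if the runtime has no MD5 provider
     */
    public static String toMd5(byte[] bytes) {
        if (bytes == null) {
            return "";
        }
        return toHexString(digest(bytes), "");
    }

    /** Runs one MD5 pass over {@code input}. */
    private static byte[] digest(byte[] input) {
        try {
            return MessageDigest.getInstance(dddd).digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Renders bytes as two hex digits each, appending {@code separator} after every byte.
     *
     * <p>The earlier version used {@code Integer.toHexString(b & 255)}, which drops the
     * leading zero of any byte below 0x10. That produced digests shorter than 32
     * characters and let different byte sequences render to the same text.
     */
    private static String toHexString(byte[] bytes, String separator) {
        StringBuilder hexString = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hexString.append(HEX_DIGITS[(b >>> 4) & 0x0F])
                    .append(HEX_DIGITS[b & 0x0F])
                    .append(separator);
        }
        return hexString.toString();
    }

    /**
     * Hashes a string.
     *
     * <p>The string is encoded as UTF-8 explicitly. The earlier version used the
     * platform default charset, so non-ASCII input could hash differently on a
     * desktop JVM than on a runtime whose default is UTF-8.
     *
     * @param s input, may be null
     * @return 32 lowercase hex characters, or null when {@code s} is null
     * @throws RuntimeException if the runtime has no MD5 provider
     */
    public static final String md5(String s) {
        if (s == null) {
            // Preserved from the original, where the resulting exception was caught
            // and turned into null.
            return null;
        }
        return toHexString(digest(s.getBytes(java.nio.charset.StandardCharsets.UTF_8)), "");
    }
}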