安卓逆向 -- 自吐算法（DES）

一、DES算法源码

DESKeySpec deskey = new DESKeySpec("123456789".getBytes(StandardCharsets.UTF_8));//将密钥实例化
SecretKeyFactory key = SecretKeyFactory.getInstance("DES");//加密算法
SecretKey secretKey = key.generateSecret(deskey);//处理成系统可识别的密钥
Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");//加密方式
cipher.init(1,secretKey);//1是加密，2是解密，初始化加密
byte[] desres = cipher.doFinal(bs.getBytes());
System.out.println("DES加密（字节）："+Arrays.toString(desres));
System.out.println("DES加密（Hex）："+bytes2HexString(desres));
System.out.println("DES加密（Base64）："+Base64.getEncoder().encodeToString(desres));
cipher.init(2,secretKey);//初始化解密
byte[] jmdesres = cipher.doFinal(Base64.getDecoder().decode("R7R5cToMh5QxnyoH/32OQw==".getBytes(StandardCharsets.UTF_8)));
System.out.println("DES解密（Base64）："+new String(jmdesres));
byte[] deshexbyte =hexString2Bytes("47B479713A0C8794319F2A07FF7D8E43");
jmdesres=cipher.doFinal(deshexbyte);
System.out.println("DES解密（Hex）："+new String(jmdesres));

二、分析源码，需hook的内容

1、hook的类：javax.crypto.spec.DESKeySpec，javax.crypto.spec.IvParameterSpec，javax.crypto.Cipher

2、hook的方法：key，IV，doFinal

三、hook源码

XposedBridge.hookAllConstructors(XposedHelpers.findClass(
        "javax.crypto.spec.DESKeySpec",
        loadPackageParam.classLoader),
        new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                Log.e("逆向有你", "Stack:", new Throwable("stack dump"));
                byte[] keybyte = new byte[8];
                int offset = 0;
                if (param.args.length != 1) {
                    offset = ((Integer) param.args[1]).intValue();
                }
                System.arraycopy((byte[])param.args[0], offset, keybyte, 0, 8);
                String keyHex = b2s(keybyte);
                String keyB64 = Base64.encodeToString(keybyte, 0);
                Log.d("逆向有你", "DESKey:" + new String(keybyte));
                Log.d("逆向有你", "DESKeyHex:" + keyHex);
                Log.d("逆向有你", "DESKeyB64:" + keyB64);
                Log.d("逆向有你", "=============DES密钥================");
            }
        });
XposedBridge.hookAllConstructors(XposedHelpers.findClass(
        "javax.crypto.spec.IvParameterSpec",
        loadPackageParam.classLoader),
        new XC_MethodHook() {
            /* access modifiers changed from: protected */
            public void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                Log.e("逆向有你", "Stack:", new Throwable("stack dump"));
                byte[] ivParameter = (byte[]) param.args[0];
                int offset = 0;
                int size = 0;
                if (param.args.length != 1) {
                    offset = ((Integer) param.args[1]).intValue();
                    size = ((Integer) param.args[2]).intValue();
                } else {
                    size = ivParameter.length;
                }
                byte[] ivbyte = new byte[size];
                System.arraycopy(ivParameter, offset, ivbyte, 0, size);
                String ivHex = b2s(ivbyte);
                String ivB64 = Base64.encodeToString(ivbyte, 0);
                Log.d("逆向有你", "ivParameter:" + new String(ivbyte));
                Log.d("逆向有你", "ivParameterHex:" + ivHex);
                Log.d("逆向有你", "ivParameterB64:" + ivB64);
                Log.d("逆向有你", "======================IV向量===============================");
            }
        });
XposedBridge.hookAllMethods(XposedHelpers.findClass(
        "javax.crypto.Cipher",
        loadPackageParam.classLoader),
        "doFinal",
        new XC_MethodHook() {
            public void afterHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
                Log.e("逆向有你", "Stack:", new Throwable("stack dump"));
                if (param.args.length == 0 || param.args.length == 1 || param.args.length == 3) {
                    Cipher cip = (Cipher) param.thisObject;
                    String Algorithm = cip.getAlgorithm();
                    byte[] dataAll = (byte[]) param.args[0];
                    if (param.args.length == 3) {
                        int offset = ((Integer) param.args[1]).intValue();
                        int size = ((Integer) param.args[2]).intValue();
                        byte[] databyte = new byte[size];
                        System.arraycopy(dataAll, offset, databyte, 0, size);
                        Log.d("逆向有你", Algorithm + "Data" + new String(databyte));
                        String data = new String(databyte);
                        String dataHex = b2s(databyte);
                        String dataB64 = Base64.encodeToString(databyte, 0);
                        Log.d("逆向有你", String.valueOf(Algorithm) + " Data:\n" + data);
                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataHex:\n" + dataHex);
                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataB64:\n" + dataB64);
                    } else if (param.args.length == 1) {
                        String data2 = new String(dataAll);
                        String dataHex2 = b2s(dataAll);
                        String dataB642 = Base64.encodeToString(dataAll, 0);
                        Log.d("逆向有你", String.valueOf(Algorithm) + " Data:\n" + data2);
                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataHex:\n" + dataHex2);
                        Log.d("逆向有你", String.valueOf(Algorithm) + " DataB64:\n" + dataB642);
                    }
                    byte[] res = (byte[]) param.getResult();
                    String resHex = b2s(res);
                    String resB64 = Base64.encodeToString(res, 0);
                    Log.d("逆向有你", String.valueOf(Algorithm) + " resultHex: " + resHex);
                    Log.d("逆向有你", String.valueOf(Algorithm) + " resultB64: " + resB64);
                    Log.d("逆向有你", "================Cipher=============================");
                }
            }
        });

四、运行结果

禁止非法，后果自负

欢迎关注公众号：逆向有你