某数据包AES加密逆向分析教学文档<\/h1>

1. 环境准备<\/h2>

1.1 应用信息<\/h3>

应用名称\/版本：5ZOI5ZWwdjYuNzQuMQ==<\/code> (Base64解码后为"某应用v6.74.1")<\/li>

测试设备：cGl4ZWwyIGFuZHJvaWQxMA==<\/code> (Base64解码后为"pixel2 android10")<\/li>
<\/ul>
1.2 工具准备<\/h3>

Frida：用于动态Hook和算法自吐<\/li>
Jadx：用于静态反编译APK<\/li>
IDA Pro：用于分析native层代码<\/li>
抓包工具：如Charles或Fiddler<\/li>
<\/ul>
2. 初步分析<\/h2>
2.1 抓包观察<\/h3>

大部分请求包和返回包都经过加密<\/li>
加密数据示例（未提供具体数据，但可推测为Base64编码的密文）<\/li>
<\/ul>
2.2 Frida检测绕过<\/h3>
该应用实现了Frida检测机制，位于libmsaoaidsec.so<\/code>库中。提供两种绕过方法：<\/p>
方法一：使用修改版Frida-server<\/h4>

推荐使用Floridahook<\/a><\/li>
修改特征后的Frida-server可避免被检测<\/li>
<\/ul>
方法二：直接删除检测库<\/h4>

定位到应用安装目录<\/li>
删除libmsaoaidsec.so<\/code>库文件<\/li>
重新启动应用即可正常使用Frida<\/li>
<\/ol>
3. 加密算法分析<\/h2>
3.1 加密流程<\/h3>

应用调用encrypt<\/code>函数对数据进行加密<\/li>
encrypt<\/code>函数内部调用genEAS<\/code>函数进行AES加密<\/li>
将genEAS<\/code>返回的结果进行Base64编码<\/li>
<\/ol>
3.2 genEAS函数分析<\/h3>

功能：使用AES算法对输入字符串数据进行加密<\/li>
参数：

src<\/code>：需要加密的原始字符串<\/li>
另一个字符串参数（具体用途需进一步分析）<\/li>
<\/ul>
<\/li>
返回：加密后的字节数组<\/li>
<\/ul>
3.3 AES加密细节<\/h3>

加密模式：CBC<\/li>
填充方式：PKCS5Padding<\/li>
完整算法标识：AES\/CBC\/PKCS5Padding<\/code><\/li>
<\/ul>
4. 密钥生成分析<\/h2>
4.1 密钥来源<\/h3>

密钥生成函数：m87066a<\/code><\/li>
该函数调用native层的m87064m<\/code>函数生成密钥<\/li>
<\/ul>
4.2 Native层分析<\/h3>
使用IDA反编译native-lib<\/code>库：<\/p>

搜索l_m<\/code>找到静态注册的函数<\/li>
分析m87064m<\/code>函数逻辑：

参数i<\/code>决定密钥类型：

当i=1<\/code>时，返回固定字符串：1234567890123456657aec76a8c97f98f08f<\/code><\/li>
当i=0<\/code>时，返回xmmword_A8AF0<\/code>指向的内容转换的字符串：0199bec97dfa5e0d<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
5. 完整加密流程总结<\/h2>

应用准备待加密数据<\/li>
调用Java层的encrypt<\/code>函数<\/li>
encrypt<\/code>函数调用genEAS<\/code>进行AES加密

使用m87066a<\/code>获取密钥<\/li>
m87066a<\/code>通过JNI调用native层的m87064m<\/code><\/li>
根据传入参数获取不同密钥<\/li>
<\/ul>
<\/li>
对加密结果进行Base64编码<\/li>
发送加密后的数据<\/li>
<\/ol>
6. 解密实现参考<\/h2>
基于分析结果，可编写解密代码：<\/p>
import<\/span> javax.crypto.Cipher;<\/span>
<\/span><\/span>import<\/span> javax.crypto.spec.IvParameterSpec;<\/span>
<\/span><\/span>import<\/span> javax.crypto.spec.SecretKeySpec;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Decryptor<\/span> {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> String ALGORITHM =<\/span> "AES\/CBC\/PKCS5Padding"<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 根据i的值选择密钥
<\/span><\/span><\/span><\/span>    public<\/span> static<\/span> String getKey<\/span>(<\/span>int<\/span> i)<\/span> {<\/span>
<\/span><\/span>        return<\/span> i ==<\/span> 1<\/span> ?<\/span> "1234567890123456657aec76a8c97f98f08f"<\/span> :<\/span> "0199bec97dfa5e0d"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> String decrypt<\/span>(<\/span>String encryptedData,<\/span> int<\/span> keyType)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> encryptedBytes =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>encryptedData);<\/span>
<\/span><\/span>        String key =<\/span> getKey(<\/span>keyType);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 假设IV全为0，实际情况可能需要从数据中提取或使用固定值
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> iv =<\/span> new<\/span> byte<\/span>[<\/span>16<\/span>];<\/span>
<\/span><\/span>        
<\/span><\/span>        SecretKeySpec secretKeySpec =<\/span> new<\/span> SecretKeySpec(<\/span>key.<\/span>getBytes<\/span>(),<\/span> "AES"<\/span>);<\/span>
<\/span><\/span>        IvParameterSpec ivParameterSpec =<\/span> new<\/span> IvParameterSpec(<\/span>iv);<\/span>
<\/span><\/span>        
<\/span><\/span>        Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>ALGORITHM);<\/span>
<\/span><\/span>        cipher.<\/span>init<\/span>(<\/span>Cipher.<\/span>DECRYPT_MODE<\/span>,<\/span> secretKeySpec,<\/span> ivParameterSpec);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> decryptedBytes =<\/span> cipher.<\/span>doFinal<\/span>(<\/span>encryptedBytes);<\/span>
<\/span><\/span>        return<\/span> new<\/span> String(<\/span>decryptedBytes);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7. Hook脚本示例<\/h2>
使用Frida Hook加密函数：<\/p>
Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>    \/\/ Hook genEAS函数
<\/span><\/span><\/span><\/span>    var<\/span> targetClass<\/span> =<\/span> Java<\/span>.use<\/span>("com.example.encrypt.EncryptUtils"<\/span>);
<\/span><\/span>    
<\/span><\/span>    targetClass<\/span>.genEAS<\/span>.implementation<\/span> =<\/span> function<\/span>(src<\/span>, key<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("genEAS called:"<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("  src: "<\/span> +<\/span> src<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("  key: "<\/span> +<\/span> key<\/span>);
<\/span><\/span>        
<\/span><\/span>        var<\/span> result<\/span> =<\/span> this<\/span>.genEAS<\/span>(src<\/span>, key<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("  result: "<\/span> +<\/span> result<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 打印hex
<\/span><\/span><\/span><\/span>        var<\/span> hexResult<\/span> =<\/span> Array.prototype<\/span>.map<\/span>.call<\/span>(result<\/span>, function<\/span>(x<\/span>) {
<\/span><\/span>            return<\/span> ('00'<\/span> +<\/span> (x<\/span> &<\/span> 0xFF<\/span>).toString<\/span>(16<\/span>)).slice<\/span>(-<\/span>2<\/span>);
<\/span><\/span>        }).join<\/span>(''<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("  hex: "<\/span> +<\/span> hexResult<\/span>);
<\/span><\/span>        
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    };
<\/span><\/span>    
<\/span><\/span>    \/\/ Hook native密钥生成函数
<\/span><\/span><\/span><\/span>    var<\/span> nativeLib<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libnative-lib.so"<\/span>, "Java_com_example_encrypt_EncryptUtils_m87064m"<\/span>);
<\/span><\/span>    if<\/span> (nativeLib<\/span>) {
<\/span><\/span>        Interceptor<\/span>.attach<\/span>(nativeLib<\/span>, {
<\/span><\/span>            onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>                console<\/span>.log<\/span>("Native key generator called with i="<\/span> +<\/span> args<\/span>[2<\/span>]);
<\/span><\/span>            },
<\/span><\/span>            onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>                console<\/span>.log<\/span>("Key generated: "<\/span> +<\/span> retval<\/span>.readUtf8String<\/span>());
<\/span><\/span>            }
<\/span><\/span>        });
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>8. 注意事项<\/h2>

实际分析时IV可能不是全0，需要进一步确认<\/li>
密钥可能有动态生成的部分，需要验证所有调用路径<\/li>
不同版本应用加密实现可能有变化<\/li>
本文仅用于技术交流，请勿用于非法用途<\/li>
<\/ol>
9. 扩展分析建议<\/h2>

分析其他加密函数，确认是否有不同的加密路径<\/li>
检查网络请求中是否传输了IV或盐值<\/li>
验证不同API接口是否使用相同的加密方式<\/li>
分析签名机制，防止仅解密无法完成完整请求<\/li>
<\/ol>

某数据包AES加密逆向分析教学文档<\/h1>

1. 环境准备<\/h2>

2. 初步分析<\/h2>

2.2 Frida检测绕过<\/h3> 该应用实现了Frida检测机制，位于libmsaoaidsec.so<\/code>库中。提供两种绕过方法：<\/p>

3. 加密算法分析<\/h2>

4. 密钥生成分析<\/h2>

9. 扩展分析建议<\/h2> 分析其他加密函数，确认是否有不同的加密路径<\/li> 检查网络请求中是否传输了IV或盐值<\/li> 验证不同API接口是否使用相同的加密方式<\/li> 分析签名机制，防止仅解密无法完成完整请求<\/li> <\/ol>

2.2 Frida检测绕过<\/h3>
该应用实现了Frida检测机制，位于`libmsaoaidsec.so<\/code>库中。提供两种绕过方法：<\/p>`

9. 扩展分析建议<\/h2>

分析其他加密函数，确认是否有不同的加密路径<\/li>
检查网络请求中是否传输了IV或盐值<\/li>
验证不同API接口是否使用相同的加密方式<\/li>
分析签名机制，防止仅解密无法完成完整请求<\/li> <\/ol>