Android 服务端证书校验分析与绕过实战指南<\/h1>

前言<\/h2>
本教程详细记录了对一个使用 org.conscrypt 库进行服务端证书校验的 Android 应用的逆向分析过程。通过该案例，您将学习到如何识别、分析和绕过复杂的证书校验机制，特别是针对使用 OpenSSL 封装库的应用。<\/p>

准备工作<\/h2>

所需工具<\/h3>

逆向工具<\/strong>：Jadx-gui (用于反编译 APK)<\/li>
抓包工具<\/strong>：Burp Suite (用于拦截和分析网络请求)<\/li>
Hook 工具<\/strong>：Frida (用于动态分析应用行为)<\/li>
证书工具<\/strong>：XCA (用于证书管理和分析)<\/li>
脚本工具<\/strong>：r0capture (用于自动化抓包)<\/li>

代理工具<\/strong>：Proxifier (用于强制应用流量通过代理)<\/li> <\/ol>
环境配置<\/h3>

已 root 的 Android 设备<\/li>
Burp 证书已安装至系统信任区<\/li>
Frida-server 运行在设备上<\/li> <\/ol>
初步分析<\/h2>
1. 设置代理<\/h3>

使用 Proxifier 开启 VPN 让目标应用流量走 Burp 代理<\/li>
配置 Burp 代理监听端口<\/li> <\/ul>
2. 识别证书校验<\/h3>

应用请求返回 400 No required SSL certificate was sent<\/code> 错误<\/li>
表明服务端要求客户端提供有效的证书<\/li> <\/ul> 静态分析<\/h2> 1. 解包 APK<\/h3> 使用 Jadx-gui 反编译 APK，重点关注以下文件：<\/p> grp_sp.bks<\/code><\/li> hmsincas.bks<\/code><\/li> hmsrootcas.bks<\/code><\/li> trust.crt<\/code><\/li> <\/ul> 2. 分析证书文件<\/h3> 使用 XCA 查看 trust.crt<\/code> 内容<\/li> 发现包含多个公钥证书和 CA 证书<\/li> 确认这些是证书信任链，非客户端证书<\/li> <\/ul> 动态分析<\/h2> 1. 尝试 Frida 自吐脚本<\/h3> 使用 android-keystore-audit<\/a> 中的 tracer-keystore.js 脚本：<\/p> adb forward tcp:28042 tcp:28042 <\/span><\/span>frida -H 127.0.0.1:28042 -f <包名> -l hook.js <\/span><\/span><\/code><\/pre>2. 手动抛出异常<\/h3> 通过打印堆栈发现关键类：<\/p> ak.<\/span>im<\/span>.<\/span>module<\/span>.<\/span>AkeyChatX509PrivateCA<\/span>.<\/span>clientBootstrapCertInfo<\/span> <\/span><\/span><\/code><\/pre>3. 尝试 r0capture<\/h3> python r0capture.py -H 127.0.0.1:28042 -f <包名> -v <\/span><\/span><\/code><\/pre>发现数据仍加密，证书未导出<\/p> 深入分析<\/h2> 1. Hook 证书相关方法<\/h3> 针对 AkeyChatX509PrivateCA.clientBootstrapCertInfo<\/code> 方法编写 Hook 脚本：<\/p> function<\/span> hook<\/span>() { <\/span><\/span> Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> let<\/span> AkeyChatX509PrivateCA<\/span> =<\/span> Java<\/span>.use<\/span>("ak.im.module.AkeyChatX509PrivateCA"<\/span>); <\/span><\/span> AkeyChatX509PrivateCA<\/span>["clientBootstrapCertInfo"<\/span>].implementation<\/span> =<\/span> function<\/span>() { <\/span><\/span> console<\/span>.log<\/span>(`AkeyChatX509PrivateCA.clientBootstrapCertInfo is called`<\/span>); <\/span><\/span> let<\/span> result<\/span> =<\/span> this<\/span>["clientBootstrapCertInfo"<\/span>](); <\/span><\/span> console<\/span>.log<\/span>(`AkeyChatX509PrivateCA.clientBootstrapCertInfo result=<\/span>${<\/span>result<\/span>}<\/span>`<\/span>); <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span> }; <\/span><\/span> }); <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 导出证书<\/h3> 成功获取 X509 证书，包含 "Web Client Authentication" 用途标识：<\/p> let<\/span> cert<\/span> =<\/span> result<\/span>.getEncoded<\/span>(); <\/span><\/span>let<\/span> bytes<\/span> =<\/span> Memory<\/span>.readByteArray<\/span>(cert<\/span>, cert<\/span>.length<\/span>); <\/span><\/span>const<\/span> file<\/span> =<\/span> new<\/span> File<\/span>("\/sdcard\/Download\/private.pem"<\/span>, "wb"<\/span>); <\/span><\/span>file<\/span>.write<\/span>(bytes<\/span>); <\/span><\/span><\/code><\/pre>获取私钥<\/h2> 1. 分析 org.conscrypt 库<\/h3> 下载源码：https:\/\/github.com\/google\/conscrypt<\/li> 搜索关键词发现关键函数：EVP_parse_private_key<\/code><\/li> <\/ul> 2. Hook So 层函数<\/h3> 针对 libconscrypt_jni.so<\/code> 编写 Hook 脚本：<\/p> function<\/span> hookFunc<\/span>(funcAddr<\/span>, name<\/span>) { <\/span><\/span> Interceptor<\/span>.attach<\/span>(funcAddr<\/span>, { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> console<\/span>.log<\/span>(name<\/span> +<\/span> " enter"<\/span>); <\/span><\/span> const<\/span> bytes<\/span> =<\/span> Memory<\/span>.readByteArray<\/span>(args<\/span>[1<\/span>], 0x1000<\/span>); <\/span><\/span> const<\/span> file<\/span> =<\/span> new<\/span> File<\/span>("\/sdcard\/Download\/private.pem"<\/span>, "wb"<\/span>); <\/span><\/span> file<\/span>.write<\/span>(bytes<\/span>); <\/span><\/span> } <\/span><\/span> }); <\/span><\/span>} <\/span><\/span> <\/span><\/span>function<\/span> hook<\/span>() { <\/span><\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "android_dlopen_ext"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> var<\/span> pathptr<\/span> =<\/span> args<\/span>[0<\/span>]; <\/span><\/span> if<\/span> (pathptr<\/span> !==<\/span> undefined<\/span> &&<\/span> pathptr<\/span> !=<\/span> null<\/span>) { <\/span><\/span> var<\/span> path<\/span> =<\/span> ptr<\/span>(pathptr<\/span>).readCString<\/span>(); <\/span><\/span> if<\/span> (path<\/span>.indexOf<\/span>("libconscrypt_jni.so"<\/span>) !==<\/span> -<\/span>1<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("dlopen: "<\/span> +<\/span> path<\/span>); <\/span><\/span> this<\/span>.path<\/span> =<\/span> path<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> if<\/span> (this<\/span>.path<\/span> !==<\/span> undefined<\/span>) { <\/span><\/span> var<\/span> baseAddress<\/span> =<\/span> Module<\/span>.findBaseAddress<\/span>(this<\/span>.path<\/span>); <\/span><\/span> if<\/span> (baseAddress<\/span> !==<\/span> null<\/span>) { <\/span><\/span> Module<\/span>.enumerateExports<\/span>(this<\/span>.path<\/span>, { <\/span><\/span> onMatch<\/span>:<\/span> function<\/span>(symbol<\/span>) { <\/span><\/span> if<\/span> (symbol<\/span>.name<\/span>.indexOf<\/span>("EVP_parse_private_key"<\/span>) !==<\/span> -<\/span>1<\/span>) { <\/span><\/span> console<\/span>.log<\/span>(symbol<\/span>.name<\/span> +<\/span> "---"<\/span> +<\/span> symbol<\/span>.address<\/span>.toString<\/span>()); <\/span><\/span> hookFunc<\/span>(symbol<\/span>.address<\/span>, symbol<\/span>.name<\/span>) <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }); <\/span><\/span>} <\/span><\/span>hook<\/span>(); <\/span><\/span><\/code><\/pre>证书与私钥配对<\/h2> 使用 XCA 导入导出的私钥<\/li> 验证私钥与之前获取的证书是否匹配<\/li> 在 XCA 中将证书和私钥导出为 PKCS#12 (.p12) 格式<\/li> <\/ol> 配置 Burp Suite<\/h2> 将导出的 PKCS#12 证书导入 Burp<\/li> 配置 Burp 使用该客户端证书<\/li> 重新发送请求，成功绕过证书校验<\/li> <\/ol> 总结<\/h2> 关键点<\/h3> 证书定位<\/strong>：通过堆栈分析找到关键证书类<\/li> Hook 技巧<\/strong>：Java 层和 Native 层结合 Hook<\/li> 私钥提取<\/strong>：针对 org.conscrypt 库的特定函数进行 Hook<\/li> 证书配对<\/strong>：确保证书和私钥匹配<\/li> <\/ol> 适用性<\/h3> 该方法可能适用于其他使用 org.conscrypt 库的应用，但需要根据具体实现调整 Hook 点。<\/p> 后续研究方向<\/h2> 自动化识别 org.conscrypt 的关键函数<\/li> 研究其他 OpenSSL 封装库的类似方法<\/li> 探索不依赖 root 的证书提取方法<\/li> <\/ol> 通过本教程，您应该掌握了分析复杂证书校验机制的基本方法，特别是针对使用 OpenSSL 封装库的应用。记住在实际应用中要遵守相关法律法规，仅将此技术用于合法授权的安全测试。<\/p>

Android 服务端证书校验分析与绕过实战指南<\/h1>

前言<\/h2> 本教程详细记录了对一个使用 org.conscrypt 库进行服务端证书校验的 Android 应用的逆向分析过程。通过该案例，您将学习到如何识别、分析和绕过复杂的证书校验机制，特别是针对使用 OpenSSL 封装库的应用。<\/p>

准备工作<\/h2>

初步分析<\/h2>

静态分析<\/h2>

动态分析<\/h2>

深入分析<\/h2>

获取私钥<\/h2>

总结<\/h2>

适用性<\/h3> 该方法可能适用于其他使用 org.conscrypt 库的应用，但需要根据具体实现调整 Hook 点。<\/p>

前言<\/h2>
本教程详细记录了对一个使用 org.conscrypt 库进行服务端证书校验的 Android 应用的逆向分析过程。通过该案例，您将学习到如何识别、分析和绕过复杂的证书校验机制，特别是针对使用 OpenSSL 封装库的应用。<\/p>

适用性<\/h3>
该方法可能适用于其他使用 org.conscrypt 库的应用，但需要根据具体实现调整 Hook 点。<\/p>