APP登录逆向解密过程教学文档<\/h1>

1. 逆向分析准备<\/h2>

1.1 环境搭建<\/h3>

测试设备<\/strong>：安装目标APP到测试机<\/li>

抓包工具<\/strong>：Burp Suite配置

电脑端配置BP代理端口<\/li>
手机端设置代理与电脑同网络<\/li> <\/ul> <\/li>
反编译工具<\/strong>：JADX用于反编译APK<\/li>
动态分析工具<\/strong>：Frida用于Hook验证<\/li> <\/ul>
1.2 基本流程<\/h3>

安装目标APP到测试设备<\/li>
抓取登录请求包<\/li>
识别加密字段<\/li>
反编译APP分析代码<\/li>
定位关键加密方法<\/li>
Hook验证加密逻辑<\/li>
还原加密算法<\/li> <\/ol>
2. 密码加密逆向分析<\/h2>
2.1 定位密码加密位置<\/h3>

搜索关键字：login\/login.ashx<\/code><\/li>
定位到UserModel<\/code>接口下的SecurityUtil.encodeMD5(str3)<\/code><\/li> <\/ul> 2.2 MD5加密验证<\/h3> 代码分析： SecurityUtil.<\/span>encodeMD5<\/span>(<\/span>passwordString)<\/span> <\/span><\/span><\/code><\/pre><\/li> Python验证： import<\/span> hashlib <\/span><\/span>md5 =<\/span> hashlib.<\/span>md5() <\/span><\/span>md5.<\/span>update(b<\/span>"123456"<\/span>) <\/span><\/span>print(md5.<\/span>hexdigest()) # e10adc3949ba59abbe56e057f20f883e<\/span> <\/span><\/span><\/code><\/pre><\/li> 通过对比抓包数据确认是标准MD5加密<\/li> <\/ul> 2.3 Frida Hook验证<\/h3> Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> var<\/span> SecurityUtil<\/span> =<\/span> Java<\/span>.use<\/span>("com.example.app.util.SecurityUtil"<\/span>); <\/span><\/span> SecurityUtil<\/span>.encodeMD5<\/span>.implementation<\/span> =<\/span> function<\/span>(str<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("MD5 input: "<\/span> +<\/span> str<\/span>); <\/span><\/span> var<\/span> result<\/span> =<\/span> this<\/span>.encodeMD5<\/span>(str<\/span>); <\/span><\/span> console<\/span>.log<\/span>("MD5 output: "<\/span> +<\/span> result<\/span>); <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span> }; <\/span><\/span>}); <\/span><\/span><\/code><\/pre>3. 签名(_sign)逆向分析<\/h2> 3.1 定位签名生成位置<\/h3> 搜索关键字：_sign<\/code><\/li> 关键类：SignManager<\/code><\/li> 关键方法：signByType<\/code><\/li> <\/ul> 3.2 签名生成逻辑<\/h3> 固定前缀字符串：W@oC!AH_6Ew1f6%8<\/code><\/li> 拼接请求参数（按字典序排序）<\/li> 再次拼接固定后缀字符串<\/li> 对拼接结果进行MD5加密<\/li> 结果转为大写<\/li> <\/ol> 3.3 Python实现<\/h3> import<\/span> hashlib <\/span><\/span> <\/span><\/span>def<\/span> generate_sign<\/span>(data_dict): <\/span><\/span> data =<\/span> "W@oC!AH_6Ew1f6%8"<\/span> <\/span><\/span> # 按key排序拼接<\/span> <\/span><\/span> result =<\/span> ""<\/span>.<\/span>join(["<\/span>{}{}<\/span>"<\/span>.<\/span>format(key, data_dict[key]) <\/span><\/span> for<\/span> key in<\/span> sorted(data_dict.<\/span>keys())]) <\/span><\/span> un_sign_string =<\/span> f<\/span>"<\/span>{<\/span>data}{<\/span>result}{<\/span>data}<\/span>"<\/span> <\/span><\/span> sign =<\/span> hashlib.<\/span>md5(un_sign_string.<\/span>encode()).<\/span>hexdigest().<\/span>upper() <\/span><\/span> return<\/span> sign <\/span><\/span><\/code><\/pre>4. UDID加密分析<\/h2> 4.1 UDID组成<\/h3> getIMEI(<\/span>context)<\/span> +<\/span> "|"<\/span> +<\/span> System.<\/span>nanoTime<\/span>()<\/span> +<\/span> "|"<\/span> +<\/span> SPUtils.<\/span>getDeviceId<\/span>()<\/span> <\/span><\/span><\/code><\/pre>4.2 IMEI获取逻辑<\/h3> 首先尝试从SharedPreferences读取<\/li> 若不存在则通过系统API获取： ((<\/span>TelephonyManager)<\/span>context.<\/span>getSystemService<\/span>(<\/span>"phone"<\/span>)).<\/span>getDeviceId<\/span>()<\/span> <\/span><\/span><\/code><\/pre><\/li> 若获取失败则使用WIFI MAC地址生成UUID<\/li> 最终回退到随机UUID<\/li> <\/ol> 4.3 3DES加密过程<\/h3> 加密方法：SecurityUtil.encode3Des<\/code><\/li> 关键参数： Key: appapiche168comappapiche168comap<\/code> (前24字节有效)<\/li> IV: appapich<\/code><\/li> 模式: CBC<\/li> <\/ul> <\/li> <\/ul> 4.4 Python实现<\/h3> from<\/span> Crypto.Cipher import<\/span> DES3 <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> encrypt_3des<\/span>(plaintext): <\/span><\/span> BS =<\/span> 8<\/span> <\/span><\/span> pad =<\/span> lambda<\/span> s: s +<\/span> (BS -<\/span> len(s) %<\/span> BS) *<\/span> chr(BS -<\/span> len(s) %<\/span> BS) <\/span><\/span> <\/span><\/span> key =<\/span> b<\/span>'appapiche168comappapiche168comap'<\/span>[0<\/span>:24<\/span>] <\/span><\/span> iv =<\/span> b<\/span>'appapich'<\/span> <\/span><\/span> <\/span><\/span> cipher =<\/span> DES3.<\/span>new(key, DES3.<\/span>MODE_CBC, iv) <\/span><\/span> padded_text =<\/span> pad(plaintext).<\/span>encode('utf-8'<\/span>) <\/span><\/span> encrypted =<\/span> cipher.<\/span>encrypt(padded_text) <\/span><\/span> return<\/span> base64.<\/span>b64encode(encrypted).<\/span>decode() <\/span><\/span><\/code><\/pre>5. 完整登录请求构造<\/h2> 5.1 请求参数示例<\/h3> params =<\/span> { <\/span><\/span> "_appid"<\/span>: "atc.android"<\/span>, <\/span><\/span> "appversion"<\/span>: "3.37.0"<\/span>, <\/span><\/span> "channelid"<\/span>: "csy"<\/span>, <\/span><\/span> "pwd"<\/span>: md5("123456"<\/span>), # e10adc3949ba59abbe56e057f20f883e<\/span> <\/span><\/span> "udid"<\/span>: encrypt_3des("IMEI|nanoTime|deviceId"<\/span>), <\/span><\/span> "username"<\/span>: "13111111111"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 签名生成<\/h3> sign =<\/span> generate_sign(params) <\/span><\/span>params["_sign"<\/span>] =<\/span> sign <\/span><\/span><\/code><\/pre>6. 关键Hook点总结<\/h2> 6.1 MD5加密Hook<\/h3> Java<\/span>.use<\/span>("com.example.app.util.SecurityUtil"<\/span>) <\/span><\/span> .encodeMD5<\/span>.implementation<\/span> =<\/span> function<\/span>(str<\/span>) { <\/span><\/span> \/\/ 打印输入输出 <\/span><\/span><\/span><\/span> return<\/span> this<\/span>.encodeMD5<\/span>(str<\/span>); <\/span><\/span> }; <\/span><\/span><\/code><\/pre>6.2 签名生成Hook<\/h3> Java<\/span>.use<\/span>("com.example.app.manager.SignManager"<\/span>) <\/span><\/span> .signByType<\/span>.implementation<\/span> =<\/span> function<\/span>(type<\/span>, map<\/span>) { <\/span><\/span> \/\/ 打印输入参数 <\/span><\/span><\/span><\/span> var<\/span> result<\/span> =<\/span> this<\/span>.signByType<\/span>(type<\/span>, map<\/span>); <\/span><\/span> \/\/ 打印签名结果 <\/span><\/span><\/span><\/span> return<\/span> result<\/span>; <\/span><\/span> }; <\/span><\/span><\/code><\/pre>6.3 3DES加密Hook<\/h3> Java<\/span>.use<\/span>("com.example.app.util.SecurityUtil"<\/span>) <\/span><\/span> .encode3Des<\/span>.implementation<\/span> =<\/span> function<\/span>(context<\/span>, str<\/span>) { <\/span><\/span> \/\/ 打印明文和context信息 <\/span><\/span><\/span><\/span> var<\/span> result<\/span> =<\/span> this<\/span>.encode3Des<\/span>(context<\/span>, str<\/span>); <\/span><\/span> \/\/ 打印加密结果 <\/span><\/span><\/span><\/span> return<\/span> result<\/span>; <\/span><\/span> }; <\/span><\/span><\/code><\/pre>7. 逆向技巧总结<\/h2> 关键字搜索<\/strong>：通过接口路径、参数名等快速定位关键代码<\/li> 静态分析<\/strong>：结合反编译工具理清代码逻辑<\/li> 动态验证<\/strong>：使用Frida Hook关键方法验证分析结果<\/li> 算法还原<\/strong>：通过输入输出对比确认加密算法<\/li> 参数追踪<\/strong>：对于依赖上下文(Context)的方法，注意参数来源<\/li> JNI处理<\/strong>：对于so文件加密，可考虑Hook获取关键值而非直接逆向<\/li> <\/ol> 8. 完整Python实现示例<\/h2> import<\/span> hashlib <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> DES3 <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> md5_encrypt<\/span>(text): <\/span><\/span> return<\/span> hashlib.<\/span>md5(text.<\/span>encode()).<\/span>hexdigest() <\/span><\/span> <\/span><\/span>def<\/span> encrypt_3des<\/span>(plaintext): <\/span><\/span> BS =<\/span> 8<\/span> <\/span><\/span> pad =<\/span> lambda<\/span> s: s +<\/span> (BS -<\/span> len(s) %<\/span> BS) *<\/span> chr(BS -<\/span> len(s) %<\/span> BS) <\/span><\/span> key =<\/span> b<\/span>'appapiche168comappapiche168comap'<\/span>[0<\/span>:24<\/span>] <\/span><\/span> iv =<\/span> b<\/span>'appapich'<\/span> <\/span><\/span> cipher =<\/span> DES3.<\/span>new(key, DES3.<\/span>MODE_CBC, iv) <\/span><\/span> padded_text =<\/span> pad(plaintext).<\/span>encode('utf-8'<\/span>) <\/span><\/span> encrypted =<\/span> cipher.<\/span>encrypt(padded_text) <\/span><\/span> return<\/span> base64.<\/span>b64encode(encrypted).<\/span>decode() <\/span><\/span> <\/span><\/span>def<\/span> generate_sign<\/span>(data_dict): <\/span><\/span> fixed_str =<\/span> "W@oC!AH_6Ew1f6%8"<\/span> <\/span><\/span> sorted_params =<\/span> ""<\/span>.<\/span>join(f<\/span>"<\/span>{<\/span>k}{<\/span>v}<\/span>"<\/span> for<\/span> k, v in<\/span> sorted(data_dict.<\/span>items())) <\/span><\/span> sign_str =<\/span> f<\/span>"<\/span>{<\/span>fixed_str}{<\/span>sorted_params}{<\/span>fixed_str}<\/span>"<\/span> <\/span><\/span> return<\/span> md5_encrypt(sign_str).<\/span>upper() <\/span><\/span> <\/span><\/span># 构造登录请求<\/span> <\/span><\/span>login_params =<\/span> { <\/span><\/span> "_appid"<\/span>: "atc.android"<\/span>, <\/span><\/span> "appversion"<\/span>: "3.37.0"<\/span>, <\/span><\/span> "channelid"<\/span>: "csy"<\/span>, <\/span><\/span> "pwd"<\/span>: md5_encrypt("123456"<\/span>), <\/span><\/span> "udid"<\/span>: encrypt_3des("cf15599b-5e93-3be5-a705-a39403227dfd|13359325995159|366586"<\/span>), <\/span><\/span> "username"<\/span>: "13111111111"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>login_params["_sign"<\/span>] =<\/span> generate_sign(login_params) <\/span><\/span>print("Final login params:"<\/span>, login_params) <\/span><\/span><\/code><\/pre>通过以上步骤，我们完整还原了APP登录过程中的各个加密环节，包括密码的MD5加密、UDID的3DES加密以及请求签名的生成逻辑。<\/p>