安卓渗透中流量加密的绕过方法：修改SO文件实现SM4加密绕过<\/h1>

0x1 背景概述<\/h2>
在对银行APP进行渗透测试时，遇到了两个主要防护措施：<\/p>
APP被加壳保护<\/li>
网络流量被加密传输<\/li> <\/ol>
本文详细记录了如何通过修改SO文件的方式绕过这些防护措施，特别是针对SM4加密流量的处理方案。<\/p>
0x2 反编译与DEX提取<\/h2>

2.1 加固识别与处理<\/h3>
初步判断为"娜迦加固"，但实际分析后发现MT管理器提供的加固识别可能有误<\/li>
关键函数分析发现了一个可疑的
copyAssets<\/code>方法，其中包含DEX文件处理逻辑<\/li>
<\/ul>
2.2 DEX文件提取关键代码分析<\/h3>
private<\/span> static<\/span> void<\/span> copyAssets<\/span>(<\/span>String output,<\/span> String input,<\/span> Context context)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        InputStream inputStream =<\/span> context.<\/span>getAssets<\/span>().<\/span>open<\/span>(<\/span>input);<\/span>
<\/span><\/span>        File localFile =<\/span> new<\/span> File(<\/span>output);<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> new<\/span> byte<\/span>[<\/span>65536<\/span>];<\/span>
<\/span><\/span>        BufferedInputStream bufferedInput =<\/span> new<\/span> BufferedInputStream(<\/span>inputStream);<\/span>
<\/span><\/span>        BufferedOutputStream bufferedOutput =<\/span> new<\/span> BufferedOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>localFile));<\/span>
<\/span><\/span>        boolean<\/span> first =<\/span> true<\/span>;<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> nagic =<\/span> {<\/span>78<\/span>,<\/span> 71<\/span>,<\/span> 0<\/span>,<\/span> 0<\/span>};<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> magic =<\/span> {<\/span>100<\/span>,<\/span> 101<\/span>,<\/span> 120<\/span>,<\/span> 10<\/span>};<\/span>
<\/span><\/span>        
<\/span><\/span>        while<\/span> (<\/span>true<\/span>)<\/span> {<\/span>
<\/span><\/span>            int<\/span> i =<\/span> bufferedInput.<\/span>read<\/span>(<\/span>bytes);<\/span>
<\/span><\/span>            if<\/span> (<\/span>first)<\/span> {<\/span>
<\/span><\/span>                first =<\/span> false<\/span>;<\/span>
<\/span><\/span>                if<\/span> (!(<\/span>output.<\/span>endsWith<\/span>(<\/span>Defines.<\/span>_DEX<\/span>)<\/span> &&<\/span> bytes[<\/span>0<\/span>]<\/span> ==<\/span> nagic[<\/span>0<\/span>]<\/span> &&<\/span> bytes[<\/span>1<\/span>]<\/span> ==<\/span> nagic[<\/span>1<\/span>]<\/span> &&<\/span> bytes[<\/span>2<\/span>]<\/span> ==<\/span> nagic[<\/span>2<\/span>]<\/span> &&<\/span> bytes[<\/span>3<\/span>]<\/span> ==<\/span> nagic[<\/span>3<\/span>])<\/span> 
<\/span><\/span>                    &&<\/span> output.<\/span>endsWith<\/span>(<\/span>Defines.<\/span>_DEX<\/span>)<\/span> &&<\/span> bytes[<\/span>0<\/span>]<\/span> ==<\/span> 110<\/span> &&<\/span> bytes[<\/span>1<\/span>]<\/span> ==<\/span> 97<\/span> &&<\/span> bytes[<\/span>2<\/span>]<\/span> ==<\/span> 103<\/span> &&<\/span> bytes[<\/span>3<\/span>]<\/span> ==<\/span> 97<\/span>)<\/span> {<\/span>
<\/span><\/span>                    System.<\/span>arraycopy<\/span>(<\/span>magic,<\/span> 0<\/span>,<\/span> bytes,<\/span> 0<\/span>,<\/span> magic.<\/span>length<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            if<\/span> (<\/span>i <=<\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>                bufferedOutput.<\/span>flush<\/span>();<\/span>
<\/span><\/span>                bufferedOutput.<\/span>close<\/span>();<\/span>
<\/span><\/span>                bufferedInput.<\/span>close<\/span>();<\/span>
<\/span><\/span>                return<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            bufferedOutput.<\/span>write<\/span>(<\/span>bytes,<\/span> 0<\/span>,<\/span> i);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

magic<\/code>字段{100, 101, 120, 10}<\/code>对应ASCII码"dex"，是DEX文件头<\/li>
文件最终写入应用程序数据目录的.cache<\/code>目录下<\/li>
安装运行APP后，可在该目录找到原生DEX文件<\/li>
<\/ul>
0x3 加密流量分析<\/h2>
3.1 加密函数定位<\/h3>

通过抓包发现API路径以"mobile"开头<\/li>
搜索相关API找到加密函数telecomSMEncrypt<\/code><\/li>
该函数通过JNI调用SO文件中的原生函数进行加解密<\/li>
<\/ul>
3.2 SO文件分析<\/h3>
使用IDA分析SO文件步骤：<\/p>

首先搜索getNativeSM4EncryptValue<\/code>函数，未找到<\/li>
转而搜索JNI_OnLoad<\/code>函数（幸运的是该函数未被混淆）<\/li>
通过JNI_OnLoad<\/code>定位到实际加密函数_Z10getSMValueP7_JNIEnvP8_jobjectP8_jstringS4_<\/code><\/li>
<\/ol>
3.3 SM4加密分析<\/h3>
关键发现：<\/p>

加密使用SM4算法，ECB模式（无IV）<\/li>
密钥byte_1FFDB9<\/code>是32位随机值，来自byte_18703A<\/code>数组<\/li>
密钥生成依据byte_1FFDB8<\/code>值为0的情况，推测每次打开APP都会初始化新密钥<\/li>
<\/ul>
3.4 加密数据格式<\/h3>
请求体格式为%s|%s|%s<\/code>，分析发现：<\/p>

第一个%s<\/code>(v12)：SM2加密的密钥值（非对称加密，需私钥解密）<\/li>
第二个%s<\/code>(v13)：SM4加密的密文<\/li>
第三个%s<\/code>(v8)：HMAC签名值（推测为SM3哈希）<\/li>
<\/ol>
0x4 绕过加密方案<\/h2>
4.1 固定密钥策略<\/h3>
由于服务端需要解密数据，但客户端每次生成随机密钥，解决方案：<\/p>

修改SO文件，固定SM4加密密钥为已知值<\/li>
将byte_18703A<\/code>数组所有值改为大写'A'（0x41）<\/li>
这样密钥将固定为32个'A'，便于后续解密<\/li>
<\/ul>
4.2 SO文件修改步骤<\/h3>

使用IDA定位到byte_18703A<\/code>数组<\/li>
将所有数组值修改为0x41（大写'A'的ASCII码）<\/li>
使用IDA的补丁功能保存修改：

Edit → Patch program → Apply patches to input file...<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 替换SO文件<\/h3>
将修改后的SO文件替换到APK的库目录：<\/p>
\/data\/app\/~~xxxxxxxxx==\/lib\/arm\/
<\/code><\/pre>
替换后重启应用程序，即可捕获使用固定密钥加密的流量。<\/p>
0x5 总结<\/h2>
该方法通过以下步骤实现加密流量绕过：<\/p>

提取被加固保护的DEX文件<\/li>
分析加密逻辑，定位关键SO文件<\/li>
逆向SO文件，理解加密算法和密钥生成机制<\/li>
修改SO文件固定加密密钥<\/li>
替换SO文件并重启应用<\/li>
<\/ol>
关键点：<\/p>

识别SM4 ECB模式加密，无需IV<\/li>
理解密钥生成机制并固定密钥<\/li>
正确修改和替换SO文件<\/li>
<\/ul>
这种方法不仅适用于SM4加密，对其他类似加密机制的APP也有参考价值。<\/p>