APP加解密对抗实战教学文档<\/h1>

一、环境准备<\/h2>

1.1 工具安装<\/h3>
Frida框架安装<\/strong>：<\/p>
pip install frida
<\/span><\/span>pip install frida-tools
<\/span><\/span>pip install Pyro4
<\/span><\/span><\/code><\/pre><\/li>

Frida-server<\/strong>：<\/p>

版本需与Python安装的frida版本一致<\/li>
获取模拟器架构：
adb shell getprop ro.product.cpu.abi
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ul>
1.2 部署Frida-server<\/h3>


上传frida-server到设备：<\/p>
adb push frida-server \/data\/local\/tmp\/
<\/span><\/span><\/code><\/pre><\/li>

启动frida-server：<\/p>
adb root
<\/span><\/span>adb shell
<\/span><\/span>cd \/data\/local\/tmp
<\/span><\/span>chmod +x frida-server
<\/span><\/span>.\/frida-server
<\/span><\/span><\/code><\/pre><\/li>

验证连接：<\/p>
frida-ps -U
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
二、目标APP分析<\/h2>
2.1 获取目标APP信息<\/h3>
frida-ps -Ua
<\/span><\/span><\/code><\/pre>示例输出：calm.pjtuep.zzdokmht<\/code><\/p>
2.2 初步Hook测试<\/h3>
编写基础Hook脚本hook_key.js<\/code>：<\/p>
Java<\/span>.perform<\/span>(function<\/span> () {
<\/span><\/span>    var<\/span> StringCls<\/span> =<\/span> Java<\/span>.use<\/span>("java.lang.String"<\/span>);
<\/span><\/span>    
<\/span><\/span>    StringCls<\/span>.getBytes<\/span>.overload<\/span>().implementation<\/span> =<\/span> function<\/span> () {
<\/span><\/span>        var<\/span> result<\/span> =<\/span> this<\/span>.getBytes<\/span>();
<\/span><\/span>        if<\/span> (this<\/span>.length<\/span>() ><\/span> 16<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>("[*] Stack trace:\n"<\/span> +<\/span> 
<\/span><\/span>                Java<\/span>.use<\/span>("android.util.Log"<\/span>).getStackTraceString<\/span>(
<\/span><\/span>                    Java<\/span>.use<\/span>("java.lang.Exception"<\/span>).$new<\/span>()
<\/span><\/span>                ));
<\/span><\/span>            console<\/span>.log<\/span>("[*] getBytes() called with: "<\/span> +<\/span> this<\/span>);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    };
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>执行Hook：<\/p>
frida -U -f "calm.pjtuep.zzdokmht"<\/span> -l hook_key.js
<\/span><\/span><\/code><\/pre>三、加密算法分析<\/h2>
3.1 定位关键加密类<\/h3>
通过Hook输出定位到关键类：ApiEncryptUtil.java<\/code><\/p>
3.2 加密算法分析<\/h3>
\/\/ 解密函数
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> String a<\/span>(<\/span>String str)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> decode =<\/span> Base64.<\/span>decode<\/span>(<\/span>str,<\/span> 0<\/span>);<\/span> \/\/ Base64解码
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> "0nxG8fD2kqlrEv5M"<\/span>.<\/span>getBytes<\/span>();<\/span> \/\/ AES密钥
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> bytes2 =<\/span> "u0r3GcsdXsYmAfhT"<\/span>.<\/span>getBytes<\/span>();<\/span> \/\/ AES IV
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        SecretKeySpec secretKeySpec =<\/span> new<\/span> SecretKeySpec(<\/span>bytes,<\/span> "AES"<\/span>);<\/span>
<\/span><\/span>        IvParameterSpec ivParameterSpec =<\/span> new<\/span> IvParameterSpec(<\/span>bytes2);<\/span>
<\/span><\/span>        Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"AES\/CBC\/PKCS5Padding"<\/span>);<\/span>
<\/span><\/span>        cipher.<\/span>init<\/span>(<\/span>2<\/span>,<\/span> secretKeySpec,<\/span> ivParameterSpec);<\/span> \/\/ 2=解密模式
<\/span><\/span><\/span><\/span>        return<\/span> new<\/span> String(<\/span>cipher.<\/span>doFinal<\/span>(<\/span>decode),<\/span> "UTF-8"<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e2)<\/span> {<\/span>
<\/span><\/span>        e2.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        return<\/span> ""<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 加密函数
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> String b<\/span>(<\/span>String str)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> str.<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes2 =<\/span> "0nxG8fD2kqlrEv5M"<\/span>.<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>);<\/span> \/\/ AES密钥
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> bytes3 =<\/span> "u0r3GcsdXsYmAfhT"<\/span>.<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>);<\/span> \/\/ AES IV
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        SecretKeySpec secretKeySpec =<\/span> new<\/span> SecretKeySpec(<\/span>bytes2,<\/span> "AES"<\/span>);<\/span>
<\/span><\/span>        IvParameterSpec ivParameterSpec =<\/span> new<\/span> IvParameterSpec(<\/span>bytes3);<\/span>
<\/span><\/span>        Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"AES\/CBC\/PKCS5Padding"<\/span>);<\/span>
<\/span><\/span>        cipher.<\/span>init<\/span>(<\/span>1<\/span>,<\/span> secretKeySpec,<\/span> ivParameterSpec);<\/span> \/\/ 1=加密模式
<\/span><\/span><\/span><\/span>        return<\/span> new<\/span> String(<\/span>Base64.<\/span>encode<\/span>(<\/span>cipher.<\/span>doFinal<\/span>(<\/span>bytes),<\/span> 0<\/span>));<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e2)<\/span> {<\/span>
<\/span><\/span>        e2.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        return<\/span> ""<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>算法特点：<\/p>

AES-CBC模式<\/li>
PKCS5Padding填充<\/li>
固定密钥：0nxG8fD2kqlrEv5M<\/code><\/li>
固定IV：u0r3GcsdXsYmAfhT<\/code><\/li>
数据先Base64编码\/解码<\/li>
<\/ul>
四、高级Hook实现<\/h2>
4.1 加解密函数Hook<\/h3>
Java<\/span>.perform<\/span>(function<\/span>(){
<\/span><\/span>    var<\/span> targetClass<\/span> =<\/span> Java<\/span>.use<\/span>('c.h.a.m.r'<\/span>); \/\/ 根据实际反编译结果填写
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Hook解密函数
<\/span><\/span><\/span><\/span>    targetClass<\/span>.a<\/span>.implementation<\/span> =<\/span> function<\/span>(str<\/span>){
<\/span><\/span>        console<\/span>.log<\/span>("解密前数据: "<\/span> +<\/span> str<\/span> +<\/span> "\n\n\n"<\/span>);
<\/span><\/span>        var<\/span> result<\/span> =<\/span> this<\/span>.a<\/span>(str<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>('解密后数据: '<\/span> +<\/span> result<\/span> +<\/span> "\n\n\n"<\/span>);
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ Hook加密函数
<\/span><\/span><\/span><\/span>    targetClass<\/span>.b<\/span>.implementation<\/span> =<\/span> function<\/span>(str<\/span>){
<\/span><\/span>        console<\/span>.log<\/span>("加密前数据: "<\/span> +<\/span> str<\/span> +<\/span> "\n\n\n"<\/span>);
<\/span><\/span>        var<\/span> result<\/span> =<\/span> this<\/span>.b<\/span>(str<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>('加密后数据: '<\/span> +<\/span> result<\/span> +<\/span> "\n\n\n"<\/span>);
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>五、Burp自动加解密集成<\/h2>
5.1 设备准备<\/h3>


获取设备信息：<\/p>
import<\/span> frida
<\/span><\/span>frida.<\/span>get_device_manager().<\/span>enumerate_devices()
<\/span><\/span><\/code><\/pre>示例输出：Device(id="127.0.0.1:16384", name="PGBM10", type='usb')<\/code><\/p>
<\/li>

端口转发：<\/p>
adb forward tcp:27043 tcp:27043
<\/span><\/span>adb forward tcp:27042 tcp:27042
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5.2 RPC Hook脚本<\/h3>
decrypt1.js<\/code>：<\/p>
Java<\/span>.perform<\/span>(function<\/span> () {
<\/span><\/span>    var<\/span> targetClass<\/span> =<\/span> Java<\/span>.use<\/span>('c.h.a.m.r'<\/span>);
<\/span><\/span>    
<\/span><\/span>    rpc<\/span>.exports<\/span> =<\/span> {
<\/span><\/span>        init<\/span>:<\/span> function<\/span> () {
<\/span><\/span>            console<\/span>.log<\/span>("[Frida] rpc.exports 初始化成功!"<\/span>);
<\/span><\/span>            return<\/span> "rpc.exports 已加载"<\/span>;
<\/span><\/span>        },
<\/span><\/span>        enc<\/span>:<\/span> function<\/span> (str<\/span>) {
<\/span><\/span>            try<\/span> {
<\/span><\/span>                console<\/span>.log<\/span>("开始加密"<\/span>);
<\/span><\/span>                console<\/span>.log<\/span>("加密前数据: "<\/span> +<\/span> str<\/span>);
<\/span><\/span>                var<\/span> result<\/span> =<\/span> targetClass<\/span>.b<\/span>(str<\/span>);
<\/span><\/span>                console<\/span>.log<\/span>("加密后数据: "<\/span> +<\/span> result<\/span>);
<\/span><\/span>                return<\/span> result<\/span> ||<\/span> "防止返回 null"<\/span>;
<\/span><\/span>            } catch<\/span> (e<\/span>) {
<\/span><\/span>                console<\/span>.log<\/span>("[Frida] enc 方法执行出错: "<\/span> +<\/span> e<\/span>);
<\/span><\/span>                return<\/span> "防止卡住"<\/span>;
<\/span><\/span>            }
<\/span><\/span>        },
<\/span><\/span>        dec<\/span>:<\/span> function<\/span> (str<\/span>) {
<\/span><\/span>            try<\/span> {
<\/span><\/span>                console<\/span>.log<\/span>("开始解密"<\/span>);
<\/span><\/span>                console<\/span>.log<\/span>("解密前数据: "<\/span> +<\/span> str<\/span>);
<\/span><\/span>                var<\/span> result<\/span> =<\/span> targetClass<\/span>.a<\/span>(str<\/span>);
<\/span><\/span>                console<\/span>.log<\/span>("解密后数据: "<\/span> +<\/span> result<\/span>);
<\/span><\/span>                return<\/span> result<\/span> ||<\/span> "防止返回 null"<\/span>;
<\/span><\/span>            } catch<\/span> (e<\/span>) {
<\/span><\/span>                console<\/span>.log<\/span>("[Frida] dec 方法执行出错: "<\/span> +<\/span> e<\/span>);
<\/span><\/span>                return<\/span> "防止卡住"<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    };
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>5.3 Burpy脚本<\/h3>
burpy.py<\/code>：<\/p>
import<\/span> frida
<\/span><\/span>import<\/span> time
<\/span><\/span>from<\/span> urllib.parse import<\/span> unquote, parse_qs, quote
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>class<\/span> Burpy<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        device =<\/span> self.<\/span>_get_android_usb_device()
<\/span><\/span>        pid =<\/span> device.<\/span>spawn("calm.pjtuep.zzdokmht"<\/span>)
<\/span><\/span>        self.<\/span>session =<\/span> device.<\/span>attach(pid)
<\/span><\/span>        device.<\/span>resume(pid)
<\/span><\/span>        self.<\/span>rpc =<\/span> self.<\/span>load_rpc()
<\/span><\/span>    
<\/span><\/span>    def<\/span> _get_android_usb_device<\/span>(self):
<\/span><\/span>        for<\/span> x in<\/span> frida.<\/span>get_device_manager().<\/span>enumerate_devices():
<\/span><\/span>            if<\/span> "PGBM10"<\/span> in<\/span> x.<\/span>name:
<\/span><\/span>                print(f<\/span>"设备信息=====> <\/span>{<\/span>x}<\/span>"<\/span>)
<\/span><\/span>                return<\/span> x
<\/span><\/span>    
<\/span><\/span>    def<\/span> load_rpc<\/span>(self):
<\/span><\/span>        with<\/span> open("D:<\/span>\\<\/span>secTools<\/span>\\<\/span>BurpSuite V2023.2.2<\/span>\\<\/span>BurpSuite V2023.2.2<\/span>\\<\/span>Burpy<\/span>\\<\/span>js<\/span>\\<\/span>decrypt1.js"<\/span>,
<\/span><\/span>                 encoding=<\/span>"utf-8"<\/span>, errors=<\/span>"ignore"<\/span>) as<\/span> f:
<\/span><\/span>            script =<\/span> self.<\/span>session.<\/span>create_script(f.<\/span>read())
<\/span><\/span>            script.<\/span>load()
<\/span><\/span>            self.<\/span>rpc =<\/span> script.<\/span>exports_sync
<\/span><\/span>            time.<\/span>sleep(3<\/span>)
<\/span><\/span>            self.<\/span>rpc.<\/span>init()
<\/span><\/span>            return<\/span> self.<\/span>rpc
<\/span><\/span>    
<\/span><\/span>    def<\/span> convert_to_json<\/span>(self, body):
<\/span><\/span>        try<\/span>:
<\/span><\/span>            if<\/span> body.<\/span>strip().<\/span>startswith('{'<\/span>) and<\/span> body.<\/span>strip().<\/span>endswith('}'<\/span>):
<\/span><\/span>                json_body =<\/span> json.<\/span>loads(body)
<\/span><\/span>                if<\/span> 'data'<\/span> in<\/span> json_body:
<\/span><\/span>                    return<\/span> json_body['data'<\/span>]
<\/span><\/span>            else<\/span>:
<\/span><\/span>                parsed_data =<\/span> parse_qs(body)
<\/span><\/span>                return<\/span> parsed_data['data'<\/span>][0<\/span>]
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(f<\/span>"转换失败:<\/span>{<\/span>str(e)}<\/span>"<\/span>)
<\/span><\/span>            return<\/span> None<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> rebuild_body<\/span>(self, body, data):
<\/span><\/span>        try<\/span>:
<\/span><\/span>            if<\/span> body.<\/span>strip().<\/span>startswith('{'<\/span>) and<\/span> body.<\/span>strip().<\/span>endswith('}'<\/span>):
<\/span><\/span>                json_body =<\/span> json.<\/span>loads(body)
<\/span><\/span>                if<\/span> 'data'<\/span> in<\/span> json_body:
<\/span><\/span>                    json_body['data'<\/span>] =<\/span> data
<\/span><\/span>                    return<\/span> str(json_body).<\/span>encode("gbk"<\/span>).<\/span>decode("gbk"<\/span>)
<\/span><\/span>            else<\/span>:
<\/span><\/span>                parsed_data =<\/span> parse_qs(body)
<\/span><\/span>                string_body =<\/span> "timestamp="<\/span> +<\/span> str(parsed_data['timestamp'<\/span>][0<\/span>]) +<\/span> \
<\/span><\/span>                             "&data="<\/span> +<\/span> data +<\/span> \
<\/span><\/span>                             "&sign="<\/span> +<\/span> str(parsed_data['sign'<\/span>][0<\/span>])
<\/span><\/span>                return<\/span> string_body
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(f<\/span>"转换失败:<\/span>{<\/span>str(e)}<\/span>"<\/span>)
<\/span><\/span>            return<\/span> None<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> encrypt<\/span>(self, header, body):
<\/span><\/span>        try<\/span>:
<\/span><\/span>            process_data =<\/span> self.<\/span>convert_to_json(body)
<\/span><\/span>            enc_data =<\/span> self.<\/span>rpc.<\/span>enc(process_data)
<\/span><\/span>            body =<\/span> self.<\/span>rebuild_body(body, enc_data)
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(f<\/span>"无法找到 enc 方法:<\/span>{<\/span>str(e)}<\/span>"<\/span>)
<\/span><\/span>        return<\/span> header, body
<\/span><\/span>    
<\/span><\/span>    def<\/span> decrypt<\/span>(self, header, body):
<\/span><\/span>        try<\/span>:
<\/span><\/span>            process_data =<\/span> self.<\/span>convert_to_json(body)
<\/span><\/span>            dec_data =<\/span> self.<\/span>rpc.<\/span>dec(process_data)
<\/span><\/span>            body =<\/span> self.<\/span>rebuild_body(body, dec_data)
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(f<\/span>"无法找到 dec 方法:<\/span>{<\/span>str(e)}<\/span>"<\/span>)
<\/span><\/span>        return<\/span> header, body
<\/span><\/span><\/code><\/pre>5.4 Burp配置<\/h3>

安装Burpy插件<\/li>
配置：

Python路径<\/li>
burpy.py脚本路径<\/li>
勾选"Enable processor"<\/li>
<\/ul>
<\/li>
<\/ol>
六、实战测试流程<\/h2>

启动frida-server<\/li>
启动Burpy服务<\/li>
在Burp中：

右键请求 -> 扩展 -> Burpy -> decrypt 查看解密内容<\/li>
在Repeater中修改明文后发送，自动加密<\/li>
查看响应自动解密<\/li>
<\/ul>
<\/li>
<\/ol>
七、关键概念解释<\/h2>
7.1 Frida<\/h3>

动态插桩技术框架<\/li>
支持多平台：Android、Windows、iOS等<\/li>
使用Python\/Node.js编写执行脚本<\/li>
使用JavaScript编写注入代码<\/li>
<\/ul>
7.2 Hook技术<\/h3>

本质<\/strong>：动态代码注入或函数劫持技术<\/li>
应用<\/strong>：

拦截系统API调用<\/li>
修改应用逻辑<\/li>
监视应用行为<\/li>
<\/ul>
<\/li>
<\/ul>
7.3 ADB端口转发<\/h3>

目的<\/strong>：允许主机Frida客户端与设备frida-server通信<\/li>
常用命令<\/strong>：
adb forward tcp:27042 tcp:27042
<\/span><\/span>adb forward tcp:27043 tcp:27043
<\/span><\/span><\/code><\/pre><\/li>
必要性<\/strong>：建立主机与设备间的通信通道<\/li>
<\/ul>
八、常见问题解决<\/h2>


Burp卡死<\/strong>：<\/p>

Python脚本出错可能导致Burp卡死<\/li>
解决方案：关闭Burp重新启动<\/li>
<\/ul>
<\/li>

中文乱码<\/strong>：<\/p>

Repeater中可能出现中文乱码<\/li>
解决方案：使用encode("gbk").decode("gbk")<\/code>转换<\/li>
<\/ul>
<\/li>

路径问题<\/strong>：<\/p>

Burpy脚本路径需使用绝对路径<\/li>
确保路径中不包含中文或特殊字符<\/li>
<\/ul>
<\/li>
<\/ol>
APP加解密对抗实战教学文档<\/h1>

一、环境准备<\/h2>

二、目标APP分析<\/h2>

三、加密算法分析<\/h2>

3.1 定位关键加密类<\/h3> 通过Hook输出定位到关键类：ApiEncryptUtil.java<\/code><\/p>

四、高级Hook实现<\/h2>

五、Burp自动加解密集成<\/h2>

七、关键概念解释<\/h2>

3.1 定位关键加密类<\/h3>
通过Hook输出定位到关键类：`ApiEncryptUtil.java<\/code><\/p>`
