某某行APP逆向分析技术文档<\/h1>

前言<\/h2>

测试设备<\/strong>: Google Pixel 2 (Android 10)<\/li>
目标APP<\/strong>: 6IuPZeih{beihai}jDMuM{beihai}jMuMQ== (某某行APP)<\/li>

分析重点<\/strong>: 登录过程中的signature、random和password字段的加密算法<\/li> <\/ul>
一、环境准备与初步分析<\/h2>
1.1 抓包分析<\/h3>
使用抓包工具捕获登录请求，重点关注以下字段：<\/p>

signature<\/li>
random<\/li>
password<\/li> <\/ul>
1.2 脱壳处理<\/h3>

使用开发者助手检查APP信息，发现存在网易加固<\/li>
该APP未实现Frida检测机制，可直接运行脱壳脚本<\/li>
使用Frida脚本dump出尽可能多的dex文件<\/li> <\/ul>
二、签名(signature)和随机数(random)字段分析<\/h2>
2.1 定位关键函数<\/h3>
通过字符串搜索"signature"定位到关键类：
com.bwton.metro.network.strategy.impl.MSXLocalSignatureStrategy.generateSignature<\/code><\/p>
2.2 加密流程分析<\/h3> signature生成<\/strong>:<\/p> 对特定JSON字符串(str)取MD5哈希<\/li> 使用RSA公钥加密(MD5结果)<\/li> 对应函数: signReqJsonBody<\/code> → encryptByPublicKey<\/code><\/li> <\/ul> <\/li> random生成<\/strong>:<\/p> 使用相同RSA公钥加密另一个字符串(str2)<\/li> 对应函数: encryptByPublicKey<\/code><\/li> <\/ul> <\/li> <\/ul> 2.3 RSA加密细节<\/h3> 加密模式: ECB模式<\/li> 公钥获取: 通过getPublicKey<\/code>函数获取，经测试公钥固定不变<\/li> <\/ul> 2.4 参数来源分析<\/h3> str参数<\/strong>:<\/p> 固定JSON数据，包含password字段<\/li> 通过hook generateSignature<\/code>函数获取<\/li> <\/ul> <\/li> str2参数<\/strong>:<\/p> 来自HTTP headers中的HEADER_AES_KEY<\/code>字段<\/li> 实际值为headerAesKey<\/code><\/li> 由genAesKey<\/code>函数生成<\/li> <\/ul> <\/li> <\/ul> 2.5 AES Key生成算法<\/h3> genAesKey<\/code>函数逻辑：<\/p> 从自定义字符表中随机选取8个字符组成key<\/li> <\/ul> 三、密码(password)字段分析<\/h2> 3.1 加密流程<\/h3> 使用AES算法的ECB模式<\/li> 使用PKCS5填充方式<\/li> 加密函数: Aes.encryptByECBPKCS5<\/code><\/li> <\/ul> 3.2 关键参数<\/h3> 明文<\/strong>: 用户输入的原始密码<\/li> 密钥<\/strong>: 前述genAesKey<\/code>生成的8字符随机key<\/li> <\/ul> 四、完整加密流程总结<\/h2> 客户端生成随机AES Key:<\/p> 通过genAesKey<\/code>生成8字符随机字符串<\/li> 存入HTTP headers的HEADER_AES_KEY<\/code>字段<\/li> <\/ul> <\/li> 生成random字段:<\/p> 使用固定RSA公钥加密上述AES Key<\/li> <\/ul> <\/li> 生成signature字段:<\/p> 构造包含密码的固定JSON格式字符串<\/li> 计算该字符串的MD5哈希<\/li> 使用相同RSA公钥加密MD5结果<\/li> <\/ul> <\/li> 生成password字段:<\/p> 使用AES ECB模式加密原始密码<\/li> 密钥为前述生成的AES Key<\/li> <\/ul> <\/li> <\/ol> 五、技术验证方法<\/h2> 5.1 Hook关键函数<\/h3> \/\/ Hook generateSignature <\/span><\/span><\/span><\/span>Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "com.bwton.metro.network.strategy.impl.MSXLocalSignatureStrategy.generateSignature"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("generateSignature called"<\/span>); <\/span><\/span> console<\/span>.log<\/span>("headers: "<\/span> +<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>])); <\/span><\/span> console<\/span>.log<\/span>("str: "<\/span> +<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[2<\/span>])); <\/span><\/span> console<\/span>.log<\/span>("str2: "<\/span> +<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[3<\/span>])); <\/span><\/span> } <\/span><\/span>}); <\/span><\/span> <\/span><\/span>\/\/ Hook encryptByPublicKey <\/span><\/span><\/span><\/span>Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "encryptByPublicKey"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("encryptByPublicKey called"<\/span>); <\/span><\/span> console<\/span>.log<\/span>("input: "<\/span> +<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>])); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("output: "<\/span> +<\/span> Memory<\/span>.readUtf8String<\/span>(retval<\/span>)); <\/span><\/span> } <\/span><\/span>}); <\/span><\/span> <\/span><\/span>\/\/ Hook genAesKey <\/span><\/span><\/span><\/span>Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "genAesKey"<\/span>), { <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("genAesKey output: "<\/span> +<\/span> Memory<\/span>.readUtf8String<\/span>(retval<\/span>)); <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>5.2 调用栈分析技巧<\/h3> 优先Hook基础类如HashMap和JsonObject<\/li> 在结果中搜索关键字段名(signature, headerAesKey等)<\/li> 根据调用栈向上追溯加密流程<\/li> <\/ul> 六、安全建议<\/h2> 加密改进建议<\/strong>:<\/p> 避免使用固定RSA公钥<\/li> 考虑使用更安全的加密模式如RSA-OAEP<\/li> AES应使用CBC或GCM模式而非ECB<\/li> <\/ul> <\/li> 混淆加固建议<\/strong>:<\/p> 增加Frida等调试工具检测<\/li> 加强关键函数的代码混淆<\/li> <\/ul> <\/li> 传输安全建议<\/strong>:<\/p> 考虑实现动态密钥交换机制<\/li> 增加时间戳防重放攻击<\/li> <\/ul> <\/li> <\/ol> 七、总结<\/h2> 本分析完整还原了某某行APP登录过程中关键字段的加密流程，包括：<\/p> RSA公钥加密的signature和random生成<\/li> AES加密的password处理<\/li> 随机AES Key的生成机制<\/li> <\/ul> 通过Hook关键函数和调用栈分析，验证了加密算法的实现细节，为安全评估和进一步研究提供了技术基础。<\/p>

某某行APP逆向分析技术文档<\/h1>

一、环境准备与初步分析<\/h2>

二、签名(signature)和随机数(random)字段分析<\/h2>

2.1 定位关键函数<\/h3> 通过字符串搜索"signature"定位到关键类： com.bwton.metro.network.strategy.impl.MSXLocalSignatureStrategy.generateSignature<\/code><\/p>

三、密码(password)字段分析<\/h2>

五、技术验证方法<\/h2>

2.1 定位关键函数<\/h3>
通过字符串搜索"signature"定位到关键类：
`com.bwton.metro.network.strategy.impl.MSXLocalSignatureStrategy.generateSignature<\/code><\/p>`