某APP加密算法逆向分析教学文档<\/h1>

概述<\/h2>
本教学文档基于对某APP加密算法的逆向分析，详细解析其加密流程、实现原理及解密方法。<\/p>

一、环境准备与抓包分析<\/h2>

1.1 初始发现<\/h3>

在SRC漏洞挖掘过程中发现目标资产<\/li>
通过抓包分析发现关键参数phoneNum<\/code>被加密<\/li>

传统测试方法无法直接分析加密数据内容<\/li>
<\/ul>
1.2 工具准备<\/h3>

抓包工具：Burp Suite\/Charles<\/li>
逆向工具：JADX反编译工具<\/li>
动态调试：Frida框架<\/li>
开发环境：Python 3.x<\/li>
<\/ul>
二、静态代码分析<\/h2>
2.1 应用加固情况<\/h3>

目标APP未加固，可直接使用JADX进行反编译分析<\/li>
<\/ul>
2.2 关键代码定位<\/h3>

搜索关键词：aes<\/code>, encrypt<\/code>, decrypt<\/code><\/li>
定位到加密类：SecretHelper<\/code><\/li>
核心加密函数：encode<\/code><\/li>
密钥生成函数：getSecretKey<\/code><\/li>
<\/ul>
2.3 加密流程分析<\/h3>
2.3.1 加密函数调用链<\/h4>
encode() → getSecretKey() → c0.a()
<\/code><\/pre>
2.3.2 密钥生成机制<\/h4>

c0.a()<\/code>函数实现MD5哈希算法<\/li>
用于生成DES加密所需的密钥<\/li>
<\/ul>
三、加密算法详细解析<\/h2>
3.1 加密流程步骤<\/h3>


触发加密<\/strong><\/p>

输入参数：明文str<\/code>、业务标识str2<\/code><\/li>
<\/ul>
<\/li>

时间戳获取<\/strong><\/p>

获取当前系统时间戳<\/li>
<\/ul>
<\/li>

时间窗计算<\/strong><\/p>

计算公式：t = l \/ 500000<\/code><\/li>
其中l<\/code>为时间戳相关参数<\/li>
<\/ul>
<\/li>

DES密钥生成<\/strong><\/p>

通过MD5算法生成DES加密密钥<\/li>
<\/ul>
<\/li>

DES加密处理<\/strong><\/p>

使用生成的密钥对明文进行DES加密<\/li>
<\/ul>
<\/li>

结果编码处理<\/strong><\/p>

Base64编码 → UTF-8编码 → 返回最终结果<\/li>
<\/ul>
<\/li>
<\/ol>
3.2 关键算法实现<\/h3>
3.2.1 MD5密钥生成<\/h4>
\/\/ c0.a() 函数示例
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> String a<\/span>(<\/span>String str)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        MessageDigest instance =<\/span> MessageDigest.<\/span>getInstance<\/span>(<\/span>"MD5"<\/span>);<\/span>
<\/span><\/span>        instance.<\/span>update<\/span>(<\/span>str.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> digest =<\/span> instance.<\/span>digest<\/span>();<\/span>
<\/span><\/span>        StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>        for<\/span> (<\/span>byte<\/span> b :<\/span> digest)<\/span> {<\/span>
<\/span><\/span>            String hexString =<\/span> Integer.<\/span>toHexString<\/span>(<\/span>b &<\/span> 255<\/span>);<\/span>
<\/span><\/span>            if<\/span> (<\/span>hexString.<\/span>length<\/span>()<\/span> ==<\/span> 1<\/span>)<\/span> {<\/span>
<\/span><\/span>                sb.<\/span>append<\/span>(<\/span>'0'<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            sb.<\/span>append<\/span>(<\/span>hexString);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> sb.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2.2 DES加密核心<\/h4>
\/\/ encode函数核心逻辑
<\/span><\/span><\/span><\/span>public<\/span> static<\/span> String encode<\/span>(<\/span>String str,<\/span> String str2)<\/span> {<\/span>
<\/span><\/span>    long<\/span> currentTimeMillis =<\/span> System.<\/span>currentTimeMillis<\/span>();<\/span>
<\/span><\/span>    long<\/span> j =<\/span> currentTimeMillis \/<\/span> 500000<\/span>;<\/span> \/\/ 时间窗计算
<\/span><\/span><\/span><\/span>    String secretKey =<\/span> getSecretKey(<\/span>str2,<\/span> j);<\/span> \/\/ 生成密钥
<\/span><\/span><\/span><\/span>    \/\/ DES加密实现...
<\/span><\/span><\/span><\/span>    byte<\/span>[]<\/span> encrypt =<\/span> desEncrypt(<\/span>str.<\/span>getBytes<\/span>(),<\/span> secretKey.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>    return<\/span> new<\/span> String(<\/span>Base64.<\/span>encode<\/span>(<\/span>encrypt,<\/span> 0<\/span>),<\/span> "UTF-8"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>四、动态调试验证<\/h2>
4.1 Frida Hook配置<\/h3>

使用命令：frida -U -f "包名" -l hook_script.js<\/code><\/li>
成功Hook加密函数并验证加密结果<\/li>
<\/ul>
4.2 Frida脚本示例<\/h3>
\/\/ 1.js - Frida Hook脚本
<\/span><\/span><\/span><\/span>Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>    var<\/span> SecretHelper<\/span> =<\/span> Java<\/span>.use<\/span>("com.example.SecretHelper"<\/span>);
<\/span><\/span>    
<\/span><\/span>    SecretHelper<\/span>.encode<\/span>.implementation<\/span> =<\/span> function<\/span>(str<\/span>, str2<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("加密输入: "<\/span>, str<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("业务标识: "<\/span>, str2<\/span>);
<\/span><\/span>        var<\/span> result<\/span> =<\/span> this<\/span>.encode<\/span>(str<\/span>, str2<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("加密结果: "<\/span>, result<\/span>);
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>4.3 验证结果<\/h3>

Hook获取的加密结果与抓包数据一致<\/li>
确认逆向分析的正确性<\/li>
<\/ul>
五、解密算法实现<\/h2>
5.1 Python解密脚本<\/h3>
import<\/span> base64
<\/span><\/span>from<\/span> Crypto.Cipher import<\/span> DES
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>def<\/span> decrypt<\/span>(encrypted_data, str2, l):
<\/span><\/span>    """
<\/span><\/span><\/span>    解密函数
<\/span><\/span><\/span>    :param encrypted_data: 加密数据
<\/span><\/span><\/span>    :param str2: 业务标识
<\/span><\/span><\/span>    :param l: 时间戳参数
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    # 计算时间窗<\/span>
<\/span><\/span>    t =<\/span> l \/<\/span> 500000<\/span>
<\/span><\/span>    
<\/span><\/span>    # 生成MD5密钥<\/span>
<\/span><\/span>    key_str =<\/span> str2 +<\/span> str(t)
<\/span><\/span>    md5 =<\/span> hashlib.<\/span>md5()
<\/span><\/span>    md5.<\/span>update(key_str.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    des_key =<\/span> md5.<\/span>hexdigest()[:8<\/span>].<\/span>encode('utf-8'<\/span>)  # 取前8位作为DES密钥<\/span>
<\/span><\/span>    
<\/span><\/span>    # Base64解码<\/span>
<\/span><\/span>    encrypted_bytes =<\/span> base64.<\/span>b64decode(encrypted_data)
<\/span><\/span>    
<\/span><\/span>    # DES解密<\/span>
<\/span><\/span>    cipher =<\/span> DES.<\/span>new(des_key, DES.<\/span>MODE_ECB)
<\/span><\/span>    decrypted_bytes =<\/span> cipher.<\/span>decrypt(encrypted_bytes)
<\/span><\/span>    
<\/span><\/span>    # PKCS5Unpadding<\/span>
<\/span><\/span>    padding_len =<\/span> decrypted_bytes[-<\/span>1<\/span>]
<\/span><\/span>    decrypted_bytes =<\/span> decrypted_bytes[:-<\/span>padding_len]
<\/span><\/span>    
<\/span><\/span>    return<\/span> decrypted_bytes.<\/span>decode('utf-8'<\/span>)
<\/span><\/span>
<\/span><\/span># 使用示例<\/span>
<\/span><\/span>encrypted_phone =<\/span> "Base64加密后的手机号"<\/span>
<\/span><\/span>business_flag =<\/span> "业务标识字符串"<\/span>
<\/span><\/span>timestamp_param =<\/span> 时间戳参数
<\/span><\/span>
<\/span><\/span>decrypted_result =<\/span> decrypt(encrypted_phone, business_flag, timestamp_param)
<\/span><\/span>print("解密结果:"<\/span>, decrypted_result)
<\/span><\/span><\/code><\/pre>5.2 解密流程说明<\/h3>

时间窗计算：t = l \/ 500000<\/code><\/li>
密钥生成：MD5(业务标识 + 时间窗)<\/li>
Base64解码加密数据<\/li>
DES ECB模式解密<\/li>
PKCS5反填充处理<\/li>
返回解密结果<\/li>
<\/ol>
六、总结与防护建议<\/h2>
6.1 加密方案评估<\/h3>

使用DES算法，安全性较低<\/li>
ECB模式存在固有安全风险<\/li>
密钥生成依赖时间参数，可能存在时间同步问题<\/li>
整体加密强度不足<\/li>
<\/ul>
6.2 安全建议<\/h3>


算法升级<\/strong><\/p>

建议使用AES-256替代DES<\/li>
采用CBC或GCM模式代替ECB模式<\/li>
<\/ul>
<\/li>

密钥管理<\/strong><\/p>

使用更安全的密钥派生算法<\/li>
避免使用时间相关参数作为密钥因素<\/li>
<\/ul>
<\/li>

加固保护<\/strong><\/p>

建议对APP进行加固处理<\/li>
关键算法使用白盒加密技术<\/li>
<\/ul>
<\/li>

通信安全<\/strong><\/p>

建议使用完整的HTTPS通信<\/li>
实现证书绑定机制<\/li>
<\/ul>
<\/li>
<\/ol>
6.3 逆向分析技巧总结<\/h3>

关键词搜索是快速定位加密代码的有效方法<\/li>
静态分析与动态调试相结合提高分析效率<\/li>
Frida等工具在移动安全测试中极为重要<\/li>
理解加密流程后需要验证解密算法的正确性<\/li>
<\/ul>
附录：常见加密算法特征<\/h2>
识别特征表<\/h3>



算法<\/th>
密钥长度<\/th>
常见模式<\/th>
识别特征<\/th>
<\/tr>
<\/thead>


DES<\/td>
56位<\/td>
ECB\/CBC<\/td>
8字节密钥，64位分组<\/td>
<\/tr>

AES<\/td>
128\/192\/256位<\/td>
ECB\/CBC\/GCM<\/td>
16\/24\/32字节密钥<\/td>
<\/tr>

MD5<\/td>
128位哈希<\/td>
-<\/td>
32字符十六进制串<\/td>
<\/tr>

Base64<\/td>
-<\/td>
-<\/td>
结尾常有=或==填充<\/td>
<\/tr>
<\/tbody>
<\/table>
本教学文档详细记录了从发现加密参数到完整逆向分析的全过程，为类似加密算法的分析提供了可复用的方法论和实践指南。<\/p>

算法<\/th>	密钥长度<\/th>	常见模式<\/th>	识别特征<\/th> <\/tr> <\/thead>
DES<\/td>	56位<\/td>	ECB\/CBC<\/td>	8字节密钥，64位分组<\/td> <\/tr>
AES<\/td>	128\/192\/256位<\/td>	ECB\/CBC\/GCM<\/td>	16\/24\/32字节密钥<\/td> <\/tr>
MD5<\/td>	128位哈希<\/td>	-<\/td>	32字符十六进制串<\/td> <\/tr>
Base64<\/td>	-<\/td>	-<\/td>	结尾常有=或==填充<\/td> <\/tr> <\/tbody> <\/table> 本教学文档详细记录了从发现加密参数到完整逆向分析的全过程，为类似加密算法的分析提供了可复用的方法论和实践指南。<\/p>

某APP加密算法逆向分析教学文档<\/h1>

概述<\/h2> 本教学文档基于对某APP加密算法的逆向分析，详细解析其加密流程、实现原理及解密方法。<\/p>

一、环境准备与抓包分析<\/h2>

二、静态代码分析<\/h2>

2.3 加密流程分析<\/h3>

三、加密算法详细解析<\/h2>

3.2 关键算法实现<\/h3>

四、动态调试验证<\/h2>

五、解密算法实现<\/h2>

六、总结与防护建议<\/h2>

附录：常见加密算法特征<\/h2>

概述<\/h2>
本教学文档基于对某APP加密算法的逆向分析，详细解析其加密流程、实现原理及解密方法。<\/p>