Yakit针对流量加密APP的Frida RPC解决方案教学文档<\/h1>

1. 基础知识<\/h2>

1.1 案例APP介绍<\/h3>

本教学使用一个具有登录加密功能的APP作为案例，该APP具有以下特点：<\/p>

功能简单：仅包含用户名密码登录功能<\/li>
加密方式：请求参数和响应报文均使用AES加密<\/li>
加密类：com.ese.http.encrypt.AesEncryptionBase64<\/code><\/li>

加密密钥："9876543210123456"<\/code><\/li>
<\/ul>
1.2 Frida RPC基础<\/h3>
Frida RPC (Remote Procedure Call) 允许我们从Python代码中调用运行在目标进程中的JavaScript函数，这是实现流量加解密的关键技术。<\/p>
2. Python RPC接口准备<\/h2>
2.1 Python服务端代码<\/h3>
import<\/span> frida
<\/span><\/span>import<\/span> json
<\/span><\/span>from<\/span> flask import<\/span> Flask, jsonify, request
<\/span><\/span>
<\/span><\/span>def<\/span> message<\/span>(message, data):
<\/span><\/span>    if<\/span> message['type'<\/span>] ==<\/span> 'send'<\/span>:
<\/span><\/span>        print(f<\/span>"[*] <\/span>{<\/span>message['payload'<\/span>]}<\/span>"<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print(message)
<\/span><\/span>
<\/span><\/span># 连接到目标APP进程<\/span>
<\/span><\/span>session =<\/span> frida.<\/span>get_usb_device().<\/span>attach("eseBrida"<\/span>)
<\/span><\/span>
<\/span><\/span># 加载JavaScript代码<\/span>
<\/span><\/span>with<\/span> open("1.js"<\/span>) as<\/span> f:
<\/span><\/span>    jsCode =<\/span> f.<\/span>read()
<\/span><\/span>
<\/span><\/span>script =<\/span> session.<\/span>create_script(jsCode)
<\/span><\/span>script.<\/span>on("message"<\/span>, message)
<\/span><\/span>script.<\/span>load()
<\/span><\/span>
<\/span><\/span>app =<\/span> Flask(__name__)
<\/span><\/span>
<\/span><\/span># 加密接口<\/span>
<\/span><\/span>@app<\/span>.<\/span>route('\/encrypt'<\/span>, methods=<\/span>['GET'<\/span>])
<\/span><\/span>def<\/span> decrypt_class<\/span>():
<\/span><\/span>    plaintext =<\/span> request.<\/span>args.<\/span>get('plaintext'<\/span>)
<\/span><\/span>    print("1111"<\/span>, plaintext)
<\/span><\/span>    plaintext =<\/span> plaintext.<\/span>replace(" "<\/span>, ""<\/span>)
<\/span><\/span>    print("222"<\/span>, plaintext)
<\/span><\/span>    res =<\/span> script.<\/span>exports.<\/span>invokemethoden(plaintext)
<\/span><\/span>    print(res)
<\/span><\/span>    return<\/span> res
<\/span><\/span>
<\/span><\/span># 解密接口<\/span>
<\/span><\/span>@app<\/span>.<\/span>route('\/decrypt'<\/span>, methods=<\/span>['GET'<\/span>])
<\/span><\/span>def<\/span> encrypt_class<\/span>():
<\/span><\/span>    encrypttext =<\/span> request.<\/span>args.<\/span>get('encrypttxt'<\/span>)
<\/span><\/span>    print("1111"<\/span>, encrypttext)
<\/span><\/span>    encrypttext =<\/span> encrypttext.<\/span>replace(" "<\/span>, ""<\/span>)
<\/span><\/span>    print("222"<\/span>, encrypttext)
<\/span><\/span>    res =<\/span> script.<\/span>exports.<\/span>invokemethodde(encrypttext)
<\/span><\/span>    return<\/span> res
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    app.<\/span>run(port=<\/span>5001<\/span>)
<\/span><\/span><\/code><\/pre>2.2 JavaScript代码 (1.js)<\/h3>
\/\/ 加密函数
<\/span><\/span><\/span><\/span>function<\/span> fridamethod01<\/span>(cleartext<\/span>) {
<\/span><\/span>    var<\/span> result<\/span> =<\/span> null<\/span>;
<\/span><\/span>    var<\/span> key<\/span> =<\/span> "9876543210123456"<\/span>
<\/span><\/span>    Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>        let<\/span> AesEncryptionBase64<\/span> =<\/span> Java<\/span>.use<\/span>("com.ese.http.encrypt.AesEncryptionBase64"<\/span>);
<\/span><\/span>        result<\/span> =<\/span> AesEncryptionBase64<\/span>.encrypt<\/span>(key<\/span>, cleartext<\/span>)
<\/span><\/span>    });
<\/span><\/span>    return<\/span> result<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 解密函数
<\/span><\/span><\/span><\/span>function<\/span> fridamethod02<\/span>(encrypted<\/span>) {
<\/span><\/span>    var<\/span> result<\/span> =<\/span> null<\/span>;
<\/span><\/span>    var<\/span> key<\/span> =<\/span> "9876543210123456"<\/span>
<\/span><\/span>    Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>        let<\/span> AesEncryptionBase64<\/span> =<\/span> Java<\/span>.use<\/span>("com.ese.http.encrypt.AesEncryptionBase64"<\/span>);
<\/span><\/span>        result<\/span> =<\/span> AesEncryptionBase64<\/span>.decrypt<\/span>(key<\/span>, encrypted<\/span>)
<\/span><\/span>    });
<\/span><\/span>    return<\/span> result<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 导出RPC方法
<\/span><\/span><\/span><\/span>rpc<\/span>.exports<\/span> =<\/span> {
<\/span><\/span>    invokemethoden<\/span>:<\/span> fridamethod01<\/span>,  \/\/ 加密方法
<\/span><\/span><\/span><\/span>    invokemethodde<\/span>:<\/span> fridamethod02<\/span>,  \/\/ 解密方法
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. Yakit热加载脚本实现<\/h2>
3.1 MITM界面热加载脚本<\/h3>
3.1.1 热加载脚本原理<\/h4>

在请求生命周期中的特定点插入Hook<\/li>
选择在服务器响应后、存入数据库前对请求body和响应body进行解密<\/li>
优点：不影响实际通信，仅影响展示<\/li>
注意：数据库中将存储解密后的数据而非原始密文<\/li>
<\/ul>
3.1.2 实现步骤<\/h4>

在Yakit的MITM界面找到热加载脚本模板<\/li>
编写Hook代码，主要针对以下时机：

请求发送前：可对请求进行加密<\/li>
响应接收后：对响应进行解密<\/li>
数据存储前：对数据进行处理<\/li>
<\/ul>
<\/li>
<\/ol>
3.2 Fuzzer界面热加载脚本<\/h3>
3.2.1 实现要点<\/h4>

在发送请求前自动加密请求参数<\/li>
在接收响应后自动解密响应内容<\/li>
与MITM界面类似，但需要处理更复杂的请求构造场景<\/li>
<\/ol>
4. 完整工作流程<\/h2>

启动Python RPC服务<\/strong>：运行Python脚本启动Flask服务(端口5001)<\/li>
注入Frida脚本<\/strong>：Python脚本会自动注入JavaScript到目标APP进程<\/li>
配置Yakit<\/strong>：

设置MITM代理<\/li>
加载热加载脚本<\/li>
<\/ul>
<\/li>
流量处理流程<\/strong>：

请求流程：明文 → Yakit加密 → 发送到服务器<\/li>
响应流程：服务器密文 → Yakit解密 → 展示明文<\/li>
<\/ul>
<\/li>
数据存储<\/strong>：解密后的数据存入Yakit数据库<\/li>
<\/ol>
5. 关键点与注意事项<\/h2>

密钥处理<\/strong>：确保JavaScript中的密钥与APP使用的密钥一致<\/li>
错误处理<\/strong>：在Python和JavaScript中添加适当的错误处理<\/li>
性能考虑<\/strong>：RPC调用有一定开销，避免在高频请求场景使用<\/li>
数据一致性<\/strong>：注意数据库存储的是解密后数据，可能影响后续分析<\/li>
多线程安全<\/strong>：确保Flask服务能处理并发请求<\/li>
<\/ol>
6. 扩展应用<\/h2>

动态密钥<\/strong>：可修改脚本支持动态获取密钥<\/li>
多种算法<\/strong>：扩展支持RSA等其他加密算法<\/li>
自动化测试<\/strong>：结合Yakit的自动化测试功能实现全流程测试<\/li>
批量处理<\/strong>：支持批量加解密操作<\/li>
<\/ol>
7. 调试技巧<\/h2>

使用console.log<\/code>或print<\/code>输出调试信息<\/li>
在Yakit中查看热加载脚本的执行日志<\/li>
使用Frida的message<\/code>回调处理调试信息<\/li>
分阶段测试：先测试单独加解密，再集成到Yakit中<\/li>
<\/ol>
通过以上方案，可以有效解决流量加密APP的安全测试难题，实现流量的可视化分析和测试。<\/p>

Yakit针对流量加密APP的Frida RPC解决方案教学文档<\/h1>

1. 基础知识<\/h2>

1.2 Frida RPC基础<\/h3> Frida RPC (Remote Procedure Call) 允许我们从Python代码中调用运行在目标进程中的JavaScript函数，这是实现流量加解密的关键技术。<\/p>

2. Python RPC接口准备<\/h2>

3. Yakit热加载脚本实现<\/h2>

3.1 MITM界面热加载脚本<\/h3>

3.2 Fuzzer界面热加载脚本<\/h3>

1.2 Frida RPC基础<\/h3>
Frida RPC (Remote Procedure Call) 允许我们从Python代码中调用运行在目标进程中的JavaScript函数，这是实现流量加解密的关键技术。<\/p>