cracklee posted on 2020-4-4 21:24:14

Android 某多 encrypted database research and analysis

This post was last edited by cracklee on 2020-4-4 21:25

I bought 飘大大's iOS reverse-engineering book, hahaha, it really is good: the content is very up to date and detailed. This is an analysis of the encrypted database of the Android 某多 APP; the experts can skip straight past it, it is a fairly shallow analysis.


#0x00 The 某多 database

In the 某多 database, the contents of the message field of the t_mall_conversation table are encrypted.
Extract the relevant keywords: t_mall_conversation, message
https://s1.ax1x.com/2020/04/04/G0NAJK.png
#0x01 Reverse analysis
Packer check
First use an Android APK packer-detection tool to check the 某多 APK. If it has been hardened, the next step would be unpacking; as the picture below shows, the 某多 APK is not packed.

https://s1.ax1x.com/2020/04/04/G0agaR.png

Decompile and locate by keyword: using the keyword t_mall_conversation, locate the class that handles this table and its encrypted message field.

https://s1.ax1x.com/2020/04/04/G0NTSO.md.png

In that class, go on to find the getMessage and setMessage methods. getMessage reads the Message field of the t_mall_conversation table in the Pdd database (so the decryption routine is in this method), while setMessage does the opposite and writes the Message field (the encryption routine is in that method).

https://s1.ax1x.com/2020/04/04/G0U91S.png


a.b(message) //decryption function
a.a(str)   //encryption function


Decompile and analyse the encryption algorithm: AES is used, with an IV of {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; the key is the first 16 characters of the MD5 hash of the user's UID, and the UID is stored in the file data/data/com.xunmeng.pinduoduo/files/pinUserFile.

IV = new byte[] {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

uid = 5564948642776;
MD5(uid) = 479EE2A088591D9856CCDC451C1B4515;
KEY = 479EE2A088591D98;

AES encryption algorithm

https://s1.ax1x.com/2020/04/04/G0UlnJ.md.png

UID value

https://s1.ax1x.com/2020/04/04/G0NRm9.png
https://s1.ax1x.com/2020/04/04/G0UvDJ.png

Writing the POC and verifying the cracking process
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;


//Decryption function
public String PddMsgDecrypt(String msg) {
      if (TextUtils.isEmpty(msg)) {
            return msg;
      }
      //MD5(uid): MD5Utils.digest is the app's own helper and returns the hex digest (uppercase, as in the value shown above)
      String md5Text = MD5Utils.digest("5564948642776");
      if (TextUtils.isEmpty(md5Text)) {
            return msg;
      }

      //IV: fixed all-zero vector
      byte[] iv = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
      //KEY: the first 16 characters of the MD5, used as raw ASCII bytes
      byte[] key = md5Text.substring(0, 16).getBytes();

      //AES decryption
      try {
            SecretKeySpec v1 = new SecretKeySpec(key, "AES");
            IvParameterSpec v0_2 = new IvParameterSpec(iv);
            Cipher v2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
            //the decompiled code passes the literal 2, which is Cipher.DECRYPT_MODE
            v2.init(Cipher.DECRYPT_MODE, ((Key) v1), ((AlgorithmParameterSpec) v0_2));
            //the literal 2 in the decompiled Base64.decode call is Base64.NO_WRAP
            return new String(v2.doFinal(Base64.decode(msg, Base64.NO_WRAP)));
      }
      catch (Throwable unstd) {
            Log.v("Lee", "Fail to decrypt data with aes key through java");
            return msg;
      }
}
//POC: verifying the cracking process
PddMsgDecrypt("fKt3i73/hNjTPjEL/AIFhMLxuEd1XX0p9sfQ7++CPjgnTDnRzG+1dsiZ6S4f5/HlfCw4XL3/Oisudg2I+i2maQzjaoRGxa0iCtCWrKLwbZU5zkt4J0JCKtV3CZC5JQeVvfn++p8EjsHluhwidX7zg8hqA3wueZYUmwfHdyzMUultYeNOLYDfcmYXHhaFet0NUNvUKaBvwDZm2ah6Drpo9W1UK9GN6rntX58idkPULZnzZErIGHCnPIpJ5cVb8sIAo6iLOMSPPTmGyePfx35veXKVFm38u7o8jkWKOCFC6puHncyFu53f/wBNa0LmQINq5Qf62mgZFbXY+lcT9g+vqVhaW7oA2OsJh7bp+1Xrwv0OdZE1B04bFnpP14Z/1INz3MeMMutA48DoCDyJ2jqQTzFv94WiCnLTtFdoGpIy5bAFMg4zRwzyRYo5Z2kD2+EeyF/lXS+r3QBOACJrw3LEx1kLglyfSqJbdJU9CbQGNmCciZ5ec/glTHRvtefNIe2KHYYMPupxbwHbWHSSQCDyL5IgnfAbTc0jMk82KKlk2LyrlJxeTo4s5yk4njnAhLesGoaGfevnnpx12Unk3FpcQ+rrNC+zMjsjXM5wL5ly8o21x/KLAlGsOfM4YSJaH9f4QS3xU1x8jKZMDYr3LnBcNOU+5dRp3gUdEUFJgDN5wUhsjw5UyPDGZmETHG+pJOt8z9kOOJeuldOEfAAx7sJEor8dM6qJwGLI43LnapnwWYXeAkMfH7pR8coD6IrZgJW9sjt6EoFJa7NU1JTykSP3T7okQyEvk8fVdcHF+Hf6BawhXC2Xy6bWmymQKFXJhhzUeJeQEzZi9FU+TqyeTc7AYCYzrsHsjBHnJxC+P4hdexJXYDCue3qxsrz4zC3R+ZE50QpPUTjdrY3bmUmhk+RxgnUp+TpsUhVbb2p/m4017SWGJV+XPPdnG21uGoxcmNHwGN78jWmkI8kg/09+vBiqV4X8U8tXaD2dHKtJf5ZOr7nyADsqekX6EVrCXcKVlecGHvs0zJgScxb9fTS6bEfa2TW+4aZPVD/Zd9gK7+LD/kP0Lupx+9gQPTO4ElCVJ/hoYD2sBhc7Mmu9iLNKuTHOZ8pidvIoyEMj/4/CyZRUoS2eifc+L39xyEnB/P9+2k+a/xTS3gvkfYAD+OIUbok4uU0K1Rko1SLPoNdcxDOmbbcAl8oDOWH7Qd/qTfj4PQ3weIEgV6/p5ZZkPQi8UJi2Z21UO5M4aOyJVugwcDHvEAyJiVaOAPHd7I4CNj5B0LETEhc4NlOqoN2GvF9ztqdkk03Neb1YCZGT+Lgv8mzumyOccOM/K2wQfS7s9iNU4uGskFGYxUXOBhHLaRARhHny/EFiSbvZOtkqKEA9uRupHDjRzW+1ubRJfF++EubkwpvSQVhJfLZa4AWUS3PFUHP1cnwfwUUEKzaFXSLu6F+sPBb796KxK+Ulr7W8lBRsdmHZL60b7Zz582HAZnx+JFUcjiJKlqy2JqcEEyJAQ4S5B2M1WvFWCkQfaBrGrcd32WIGcEhL7ee5AhNLD+f8hfYwQXm2JLwWA9zg87Lt6MgQvumyjzKfH4NP9UTHuthcI3eM+AKHZoHXNeKVBEmvSApHUs5zQ44xwIfXby/m9pMBrRc/Wl+wHc80SGngLfK3JSmbD9KcTVxPez6qzjBUOlL2dZix5BY4pLZKCQhplMV9FljpTkweBxB8ya75vigSDveW6pcPtnxH4a23kuV3TP/6ba4k8cf40kWPXlx3RmZObp6c71Q69kSAnmtPi0O5bguSvBY/cnYHxyLj6Os**EVYIECqOVPoioPeJ/0nAPMO2cs2cbsMRFqeWsYGUeFsu4tkeU21r8/G/FyR9CjCN7VX9ny0u37y1iVa6eh3TouzyP1CY7iZBo2NtR87cCqckAV9QphlK/FkZ5+IqkWohMHLyds+ezigvmHNaz4MQQ+QU7SIaHX/+juOxGcO8Gj83lb/n
99FCx5Oyi58NfCRaocxsfFDQqoCOjrWs/ig+WTm6E=");




Verification succeeded: the message was decrypted successfully

{"auto_click":1,"content":"亲,欢迎来到,今后您在多遇到的任何问题都可以咨询我哦~快快开启“多实惠,多乐趣”的购物之旅吧!","from":{"mall_id":"606","role":"mall_cs","uid":"606"},"is_aut":0,"is_rich_text":1,"mallName":"多官方客服","msg_id":"1579261690080","rich_text":{"content":[{"text":"亲,欢迎来到多,今后您在多遇到的任何问题都可以咨询我哦~快快开启“多实惠,多乐趣”的购物之旅吧!","type":"text"},{"click_action":{"name":"send_message","params":{"content":"如何搜索商品"}},"hide":0,"text":"如何搜索商品","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"怎么在多下单"}},"hide":0,"text":"怎么在多下单","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"下单后如何支付"}},"hide":0,"text":"下单后如何支付","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"哪里可以看到我的订单"}},"hide":0,"text":"哪里可以看到我的订单","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"有哪些活动"}},"hide":0,"text":"多有哪些活动","type":"menu_item"}],"template":"text_with_menu_items","version":1},"status":"unread","template_name":"parrot_rich_text_with_menu_item","to":{"role":"user","uid":"5564948642776"},"ts":"1579261690","type":0,"unread_count":1,"user_has_read":true}
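As an added example (not the post's code and not the app's own), the same scheme re-implemented in Go so the finding can be validated offline and its weakness checked: the key is rebuilt from nothing but the uid, and the fixed all-zero IV means two messages that start with the same 16 bytes produce the same first ciphertext block. It assumes the app's MD5 helper returns uppercase hex, as the value shown above suggests; the sample messages are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"fmt"
)

var zeroIV = make([]byte, aes.BlockSize) // the fixed all-zero IV found in the app

// DeriveKey reproduces the scheme from the post: the AES key is the first 16
// characters of the uppercase hex MD5 of the uid (assumed uppercase), used as
// raw ASCII bytes, so anyone who can read pinUserFile can rebuild it.
func DeriveKey(uid string) []byte {
	sum := md5.Sum([]byte(uid))
	return []byte(fmt.Sprintf("%X", sum[:])[:16])
}

// Encrypt mirrors setMessage: AES/CBC/PKCS5Padding, zero IV, Base64 NO_WRAP.
func Encrypt(uid, plaintext string) string {
	block, _ := aes.NewCipher(DeriveKey(uid)) // key is always 16 bytes, cannot fail
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(buf, buf)
	return base64.StdEncoding.EncodeToString(buf)
}

// Decrypt mirrors getMessage / the post's PddMsgDecrypt, but reports bad input
// instead of silently returning the ciphertext.
func Decrypt(uid, msg string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(msg)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of the block size", len(ct))
	}
	block, _ := aes.NewCipher(DeriveKey(uid))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(ct, ct)
	n := int(ct[len(ct)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(ct[len(ct)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad PKCS5 padding")
	}
	return string(ct[:len(ct)-n]), nil
}
```

Because every input to DeriveKey sits in the app's own data directory, this is obfuscation rather than encryption from the point of view of anyone with access to that directory; a per-message random IV stored with the ciphertext and a key held in the Android Keystore would remove both weaknesses.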






Leopard posted on 2020-4-5 08:38:28

Learned something, thanks to the expert for sharing the process

xiaoshier7788 posted on 2020-4-6 18:14:42

Thanks bro for sharing! Showing my support!

追叶 posted on 2020-4-8 06:42:02

Thanks OP for sharing, lots of solid content

快乐狼 posted on 2020-4-19 13:03:49

Followed along and learned, thanks OP for sharing

midle110 posted on 2020-4-24 21:42:48

Awesome

cjf12345 posted on 2020-5-10 13:41:10

Very nice, awesome

不要在意丶 posted on 2020-6-10 21:02:50

Some of it I still don't understand, but it looks impressive

zxdybzxd posted on 2020-6-18 15:27:12

Learned something, thanks for sharing.

大佬来给我提鞋 posted on 2020-6-20 21:25:30

Oh my, this really is good