Encryption and decryption analysis of returned data of an e-commerce app (IV)

One 、 The goal is

Recently, I was in charge of an e-commerce App When I found an encrypted data , When it makes a communication address request , The requested data is encrypted . The address information in the returned data is also ciphertext .

Our goal today is to encrypt and decrypt this data .

App edition : v10.3.0

Two 、 step

Look at the

1、 The end of the data is "==", That is the Base64 code , Then we can try to Hook Base64 Correlation function , Then print the stack .

2、 The return data format is json, Then we can try to Hook json Related analytic functions .

3、 Another way is to try to search CityName 、CountryName and Where These key strings .

Search the string first

Search the longest one "Where"

Found encrypted function encrypt3DESECB , No decryption function found . However, the approximate encryption and decryption rates are in the same class file .

Follow the clue , We found it here .

Don't say anything ,Hook And .

On Frida

var utilsCls = Java.use('com.xx.lib.productdetail.core.utils.PDUtils');
utilsCls.encrypt.overload('java.lang.String', 'boolean', 'java.lang.String').implementation = function(a,b,c){
        var result = this.encrypt(a,b,c);
        console.log(">>> encrypt a=" + a + ",b=" + b + ",c=" + c);
        console.log("rc=" + result);
        return result;
}

utilsCls.decrypt.overload('java.lang.String', 'boolean', 'java.lang.String').implementation = function(a,b,c){
        var result = this.decrypt(a,b,c);
        console.log(">>> decrypt a=" + a + ",b=" + b + ",c=" + c);
        console.log("rc=" + result);
        return result;

}

Run , This time, I used Attach Pattern , It may prompt that the package name cannot be found , I tried to use App Chinese name of , I can't believe it Attach On , Amazing .

TIP: Remember to refer to the previous article http://91fans.com.cn/post/ldqsignone/ hold frida Port number changed

Let's order " Address management ", Unfortunately , Wood has output . It seems that something is wrong .

Once again

Now expand the range , Search for where

Not many results 200 income , Finely seems , This big brother is the most suspicious .

1、 Class name AddressSelectView, It looks like an assignment to the address page .

2、 function setWhere, It looks like assigning a value to an address variable .

Click in and have a look

optString = optBoolean ? DesCbcCrypto.decrypt(optString, generateKey, (byte[]) null) : DesCommonUtils.decryptThreeDESECB(optString, generateKey);

Two more decryption functions are found , Let's get them both Hook once .

var StrCls = Java.use('java.lang.String');

var desCbcCls = Java.use('com.xx.xxsdk.security.DesCbcCrypto');
desCbcCls.encrypt.overload('java.lang.String','java.lang.String','[B','java.lang.String').implementation = function(a,b,c,d){
        var result = this.encrypt(a,b,c);

        console.log("### encrypt   original text =" + a + ", secret key =" + b + ",d=" + d);
        console.log("rc=" + bytesToBase64(result));
        return result;
}

desCbcCls.decrypt.overload('java.lang.String','java.lang.String','[B').implementation = function(a,b,c){
        var result = this.decrypt(a,b,c);
        console.log("### decrypt   Ciphertext =" + a + ", secret key =" + b);
        console.log("rc=" + StrCls.$new(result));
        return result;
}


var desCommonCls =  Java.use('com.xxngxxng.common.entity.DesCommonUtils');
desCommonCls.encryptThreeDESECB.implementation = function(a,b){
        var result = this.encryptThreeDESECB(a,b);

        console.log("### encryptThreeDESECB a=" + a + ",b=" + b ) ;
        console.log("rc=" + result);
        return result;
}

desCommonCls.decryptThreeDESECB.implementation = function(a,b){
        var result = this.decryptThreeDESECB(a,b);

        console.log("### decryptThreeDESECB a=" + a + ",b=" + b ) ;
        console.log("rc=" + result);
        return result;
}

Okay , Put your hands together this time , Run again .

No problem , Call it a day .

3、 ... and 、 summary

String search can appropriately expand the scope .

Base64 The algorithm is too easy to implement , therefore Hook The standard Base64 The algorithm may not work well . At this time, you can try to search the code Base64 This string , If you are lucky, you can App It's what it realizes Base64 The algorithm finds out .

Usually App After several rounds of version iteration , The encryption and decryption algorithm may have been upgraded for several rounds , So don't drill the horn , The algorithm you first see may be an old one , Don't be discouraged. , You can also continue to search .

The night never mistreats those who sleep late , It will give you dark circles , And a body about to die suddenly .

TIP: The only purpose of this paper is to learn more reverse skills and ideas , If someone uses this technology to carry out illegal business, the legal responsibility brought by the profit is borne by the operator himself , It has nothing to do with this article and the author , The code projects involved in this article can go to Feifei friends The planet of knowledge takes itself , Welcome to the knowledge planet to learn and explore technology .