I. Goal

Recently, while capturing traffic from an e-commerce app, I noticed that the request the app sends when it asks for the delivery address is encrypted, and the address fields in the response are ciphertext as well.

Today's goal is to work out how this data is encrypted and decrypted.

App version: V10.3.0

II. Steps

Looking at the data:

1. The data ends in "==", the padding used by Base64, so it is probably Base64-encoded. One approach is to hook the Base64 functions and print the call stack. (The padding only tells you the input length was not a multiple of three; a home-grown Base64 with a permuted alphabet looks exactly the same on the wire.)

2. The returned data is JSON, so another option is to hook the JSON parsing functions.

3. A third approach is to search the code for the field names seen in the response: CityName, CountryName and Where.

Let's start with the string search.

Search for the longest match, "Where".

This turns up Encrypt3DESECB but no decryption function. Encryption and decryption are usually in the same class file, though.

The trail leads here.

Enough talk; hook it.

Frida time.

Java.perform(function () {
    var utilsCls = Java.use('com.xx.lib.productdetail.core.utils.PDUtils');

    // Log arguments and return value of PDUtils.encrypt(String, boolean, String)
    utilsCls.encrypt.overload('java.lang.String', 'boolean', 'java.lang.String').implementation = function (a, b, c) {
        var result = this.encrypt(a, b, c);
        console.log(">>> encrypt a=" + a + ", b=" + b + ", c=" + c);
        console.log("rc=" + result);
        return result;
    };

    // Same for PDUtils.decrypt(String, boolean, String)
    utilsCls.decrypt.overload('java.lang.String', 'boolean', 'java.lang.String').implementation = function (a, b, c) {
        var result = this.decrypt(a, b, c);
        console.log(">>> decrypt a=" + a + ", b=" + b + ", c=" + c);
        console.log("rc=" + result);
        return result;
    };
});

Run it. This time we use attach mode. Frida may complain that the package name cannot be found; I tried the app's Chinese display name instead, and surprisingly it attached.

TIP: as in the earlier article (91fans.com.cn/post/ldqsig), remember to change the Frida port number first.

Tap "Address Management". Unfortunately nothing is printed, so this is probably not the right function.

Try again.

So widen the search: search for the substring "where".

That gives a couple of hundred hits. Going through them carefully, this one is the most suspicious:

1. The class name AddressSelectView looks like it populates the address page.

2. The method setWhere looks like it assigns the address variable.

Open it:

optString = optBoolean ? DesCbcCrypto.decrypt(optString, generateKey, (byte[]) null) : DesCommonUtils.decryptThreeDESECB(optString, generateKey);

That gives two more decryption functions. Hook both.

Java.perform(function () {
    var StrCls = Java.use('java.lang.String');
    var B64Cls = Java.use('android.util.Base64');

    // Render a Java byte[] as Base64 text for logging (android.util.Base64.NO_WRAP == 2)
    function bytesToBase64(bytes) {
        return B64Cls.encodeToString(bytes, 2);
    }

    var desCbcCls = Java.use('com.xx.xxsdk.security.DesCbcCrypto');

    // DesCbcCrypto.encrypt(String, String, byte[], String) returns byte[]
    desCbcCls.encrypt.overload('java.lang.String', 'java.lang.String', '[B', 'java.lang.String').implementation = function (a, b, c, d) {
        var result = this.encrypt(a, b, c, d);
        console.log("### encrypt plain=" + a + ", key=" + b + ", d=" + d);
        console.log("rc=" + bytesToBase64(result));
        return result;
    };

    // DesCbcCrypto.decrypt(String, String, byte[]) returns byte[]
    desCbcCls.decrypt.overload('java.lang.String', 'java.lang.String', '[B').implementation = function (a, b, c) {
        var result = this.decrypt(a, b, c);
        console.log("### decrypt cipher=" + a + ", key=" + b);
        console.log("rc=" + StrCls.$new(result));
        return result;
    };

    var desCommonCls = Java.use('com.xxngxxng.common.entity.DesCommonUtils');

    // DesCommonUtils.encryptThreeDESECB(String, String) and decryptThreeDESECB(String, String) return String
    desCommonCls.encryptThreeDESECB.implementation = function (a, b) {
        var result = this.encryptThreeDESECB(a, b);
        console.log("### encryptThreeDESECB a=" + a + ", b=" + b);
        console.log("rc=" + result);
        return result;
    };

    desCommonCls.decryptThreeDESECB.implementation = function (a, b) {
        var result = this.decryptThreeDESECB(a, b);
        console.log("### decryptThreeDESECB a=" + a + ", b=" + b);
        console.log("rc=" + result);
        return result;
    };
});
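The hooks so far target wrapper classes found by string search, which is why the first attempt printed nothing. As an added example (not code from the original post), the following Frida script instead hooks the platform primitives any such wrapper must eventually call: the javax.crypto key-spec constructors, javax.crypto.Cipher.doFinal and android.util.Base64.decode, and prints a Java backtrace from each, which is the "hook Base64 and print the stack" idea from step 1 made independent of the wrapper's name. The class and method names are real Android/JDK APIs; installHooks, toHex and stackOf are helpers written for this example, and the javaApi parameter exists only so the same file can be loaded under Frida or exercised in Node with a stub bridge.

```javascript
'use strict';

// Added example (not code from the original post): hook the platform
// primitives instead of the app's wrapper classes. Whatever the wrapper is
// called, a javax.crypto cipher needs a key spec, runs doFinal, and the
// Base64 text in the capture has to be decoded somewhere; the wrapper then
// shows up in the Java backtrace printed by stackOf().
//
// installHooks(javaApi) takes the Frida Java bridge as a parameter so the
// same file loads under Frida (frida -U -f <pkg> -l hooks.js) and can be
// exercised in Node with a stub object.

// Render a Java byte[] (signed bytes in Frida) as a hex string.
function toHex(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += ((bytes[i] & 0xff) | 0x100).toString(16).slice(1);
  }
  return out;
}

// Java-side backtrace via android.util.Log.getStackTraceString(Throwable),
// so the calling wrapper class and method are visible in the log.
function stackOf(javaApi) {
  const Log = javaApi.use('android.util.Log');
  const Exception = javaApi.use('java.lang.Exception');
  return Log.getStackTraceString(Exception.$new());
}

// Install the hooks; returns how many were installed.
function installHooks(javaApi, log) {
  log = log || console.log;
  let installed = 0;

  // 1. Key material. SecretKeySpec(byte[], String) covers AES/DES/DESede
  //    keys built directly; DESedeKeySpec(byte[]) covers 3DES keys that go
  //    through a SecretKeyFactory.
  const SecretKeySpec = javaApi.use('javax.crypto.spec.SecretKeySpec');
  SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (key, algo) {
    log('[SecretKeySpec] algo=' + algo + ' key=' + toHex(key));
    log(stackOf(javaApi));
    return this.$init(key, algo);
  };
  installed++;

  const DESedeKeySpec = javaApi.use('javax.crypto.spec.DESedeKeySpec');
  DESedeKeySpec.$init.overload('[B').implementation = function (key) {
    log('[DESedeKeySpec] key=' + toHex(key));
    log(stackOf(javaApi));
    return this.$init(key);
  };
  installed++;

  // 2. Cipher.doFinal(byte[]): input and output of every encrypt/decrypt.
  const Cipher = javaApi.use('javax.crypto.Cipher');
  Cipher.doFinal.overload('[B').implementation = function (input) {
    const output = this.doFinal(input);
    log('[Cipher ' + this.getAlgorithm() + '] in=' + toHex(input) + ' out=' + toHex(output));
    return output;
  };
  installed++;

  // 3. Base64.decode(String, int): who consumes the "=="-terminated text.
  const Base64 = javaApi.use('android.util.Base64');
  Base64.decode.overload('java.lang.String', 'int').implementation = function (text, flags) {
    log('[Base64.decode] ' + text);
    log(stackOf(javaApi));
    return this.decode(text, flags);
  };
  installed++;

  return installed;
}

// Under Frida the Java bridge is a global; in Node it is not, so the hooks
// are only installed when the script actually runs inside the app.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    console.log('installed ' + installHooks(Java) + ' hooks');
  });
}
```

Caveats: a 3DES key built through a SecretKeyFactory appears in the DESedeKeySpec hook rather than the SecretKeySpec one, and an app that ships its own DES implementation never touches javax.crypto at all, in which case only the Base64 hook fires and the backtrace is what leads you to the home-grown cipher.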

Fingers crossed, run it again.

Nothing wrong this time. Call it a day.

III. Summary

String searches can be widened when an exact match finds nothing: drop the case, search a substring.

Base64 is so easy to implement that hooking the standard Base64 classes may never fire. In that case search the code for the string "Base64"; with luck you find the app's own implementation.
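A home-grown Base64 usually keeps the standard four-for-three layout and "=" padding but permutes the 64-symbol table, so the text still passes the "ends in ==" eyeball test from step 1 while android.util.Base64 never sees it and the standard table decodes it to garbage. As an added example (not code from the original post), here is a Base64 codec with a pluggable alphabet plus the cheap triage check, run on constructed data; CUSTOM_ALPHABET is a made-up permuted table standing in for whatever constant the app embeds, and looksLikeBase64, encodeBase64, decodeBase64 and demo are names chosen for this example.

```javascript
'use strict';

// Added example (not code from the original post): Base64 with a pluggable
// alphabet. Once the app's own table is pulled out of its Base64 class,
// decodeBase64(blob, thatTable) recovers the bytes offline.

const STD_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Constructed for this example: a permuted table, the kind a custom
// implementation embeds as a string constant.
const CUSTOM_ALPHABET =
  'ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+';

// Cheap triage before any hooking: length a multiple of 4, at most two
// trailing pads, every other symbol from the table. Passing this says
// nothing about *which* table was used.
function looksLikeBase64(text, alphabet = STD_ALPHABET, pad = '=') {
  const s = text.replace(/\s+/g, '');
  if (s.length === 0 || s.length % 4 !== 0) return false;
  let pads = 0;
  while (pads < 2 && s[s.length - 1 - pads] === pad) pads++;
  const body = s.slice(0, s.length - pads);
  for (const c of body) if (!alphabet.includes(c)) return false;
  return true;
}

function encodeBase64(bytes, alphabet = STD_ALPHABET, pad = '=') {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
    const n = (bytes[i] << 16) | (b1 << 8) | b2;
    out += alphabet[(n >> 18) & 63] + alphabet[(n >> 12) & 63];
    out += i + 1 < bytes.length ? alphabet[(n >> 6) & 63] : pad;
    out += i + 2 < bytes.length ? alphabet[n & 63] : pad;
  }
  return out;
}

function decodeBase64(text, alphabet = STD_ALPHABET, pad = '=') {
  const index = new Map(Array.from(alphabet, (c, i) => [c, i]));
  let s = text.replace(/\s+/g, '');
  while (s.endsWith(pad)) s = s.slice(0, -1);
  const out = [];
  let buf = 0, bits = 0;
  for (const c of s) {
    const v = index.get(c);
    if (v === undefined) throw new Error('symbol not in alphabet: ' + JSON.stringify(c));
    buf = (buf << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((buf >> bits) & 0xff);
      buf &= (1 << bits) - 1;   // keep only the leftover bits
    }
  }
  return Uint8Array.from(out);
}

// Worked case on constructed data: encode with the custom table, then show
// what the standard table makes of it versus the right one.
function demo() {
  const plain = '{"CityName":"Beijing"}';
  const blob = encodeBase64(new TextEncoder().encode(plain), CUSTOM_ALPHABET);
  const wrong = new TextDecoder().decode(decodeBase64(blob, STD_ALPHABET));
  const right = new TextDecoder().decode(decodeBase64(blob, CUSTOM_ALPHABET));
  return { blob, passesTriage: looksLikeBase64(blob), wrong, right };
}
```

In demo() the blob passes looksLikeBase64 with the standard table, because the custom table uses the same 64 characters, yet only the custom table yields the JSON; that is exactly the situation in which a hook on android.util.Base64 stays silent and a search for the string "Base64" in the app's own classes is the faster route.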

After several versions, an app's encryption and decryption routines have often gone through several rounds of changes too, so do not get stuck on the first algorithm you find. It may well be an old one that is no longer called; keep looking.

The night is never unkind to those who stay up late: it rewards them with dark circles and a body ready for sudden death.

TIP: The only purpose of this article is to learn more reverse-engineering techniques and ways of thinking. Anyone who uses these techniques for illegal commercial gain bears the legal liability themselves; it has nothing to do with the author. The code for the project covered in this article is available in my Fenfei Star group (星球); you are welcome to join and explore the technology together. If you have questions, add me on WeChat: FENfei331.

WeChat public account: Fenfei Security, the latest technical content pushed in real time.