一
获取升级apk
二
获取解密Key
三
获取解密Key的解密token
/*
 * Decompiler pseudocode of the JNI entry point
 * WhiteBoxNativeImpl.connectionToNativeVerifyDigest.
 *
 * Flow visible in this listing:
 *   1. Read one file out of an APK (j_readFileFromApk), digest it
 *      (j_calculateDigest) and compare the result with the bytes in a3/a4.
 *   2. Repeat for a second file (a8) and compare with the bytes in a6/a7.
 *   3. Return a Java string: an error text on any failure, or the literal
 *      "@ABCDEFG" when both comparisons match.
 *
 * Parameter roles, inferred from how each value is used (the names are
 * decompiler placeholders; confirm against the Java native declaration):
 *   a1       JNIEnv pointer
 *   a2       unused here (presumably the jclass/jobject receiver)
 *   a3, a4   expected first digest (jbyteArray) and its length
 *   a5       jstring, name of the first file (presumably the manifest)
 *   a6, a7   expected second digest (jbyteArray) and its length
 *   a8       jstring, name of the second file (presumably the dex classes)
 *   a9       jstring, first argument of j_readFileFromApk (presumably the APK path)
 *   a10, a11 passed to j_calculateDigest (presumably the digest algorithm selector)
 *
 * Review notes for anyone hardening or re-implementing this check:
 *   - No malloc or GetStringUTFChars/GetByteArrayElements result is checked for NULL.
 *   - Every early-return path skips the free/Release calls made on the success path.
 *   - The second comparison buffer is sized with a4 but filled with a7 bytes.
 *   - Digests are compared with strncmp, which stops at the first NUL byte.
 *   - The success value is a fixed literal that does not depend on the inputs.
 */
int __fastcall Java_com_weichen_whitebox_encrytion_WhiteBoxNativeImpl_connectionToNativeVerifyDigest(JNIEnv *a1, int a2, int a3, size_t a4, int a5, int a6, size_t a7, int a8, int a9, int a10, int a11)
{
_DWORD *v13; // r9
const char *v14; // r5
const char *v15; // r10
int v16; // r0
const char *v17; // r5
jbyte *v18; // r4
jbyte *v19; // r6
jstring (*v20)(JNIEnv *, const char *); // r2
const char *v21; // r1
const char *v23; // r4
void *v24; // r9
const char *v25; // r10
jbyte *v26; // r4
jbyte *v27; // r5
const char *v28; // [sp+1Ch] [bp-2Ch]
const char *v29; // [sp+24h] [bp-24h]
// 32-byte output record filled by j_readFileFromApk; the allocation is not NULL-checked.
v13 = malloc(0x20u);
// Borrow the UTF-8 contents of a9 and a5; neither pointer is NULL-checked.
v14 = (*a1)->GetStringUTFChars(a1, a9, 0);
v15 = (*a1)->GetStringUTFChars(a1, a5, 0);
// A zero return is treated as "file not found".
if ( !j_readFileFromApk(v14, v15, v13) )
{
_android_log_print(4, "LeosinAcsctl: digest", "can't find file, LINE = %d", 275);
// Shared exit for both "can't find file" cases (the second one jumps here).
// NOTE(review): v13/v24 and the borrowed strings are not freed or released on this path.
LABEL_8:
v20 = (*a1)->NewStringUTF;
v21 = "can't find file";
return (int)v20(a1, v21);
}
// Keep the a9 string: v14's register (r5) is reused for v17 below.
v29 = v14;
v16 = j_calculateDigest(a1, v13, a10);
// Fail when no digest came back or when the DWORD at index 4 of the record is zero.
// NOTE(review): the meaning of v13[4] is not visible here; presumably a length or data pointer.
if ( !v16 || (v17 = (const char *)v16, !v13[4]) )
{
_android_log_print(4, "LeosinAcsctl: digest", "unsupproted signAlg, LINE = %d", 281);
v20 = (*a1)->NewStringUTF;
v21 = "unsupproted signAlg";
return (int)v20(a1, v21);
}
// Copy the caller-supplied expected digest (a4 bytes) into a private heap buffer.
v18 = (*a1)->GetByteArrayElements(a1, a3, 0);
v19 = (jbyte *)malloc(a4);
qmemcpy(v19, v18, a4);
// NOTE(review): strncmp stops at the first NUL byte, so if these digests are raw
// binary the bytes after a shared 0x00 are never compared; a fixed-length,
// constant-time memory comparison is the usual choice for digest checks.
if ( strncmp(v17, v19, a4) )
{
_android_log_print(4, "LeosinAcsctl: digest", "mainfiestFileDigest is wrong, LINE = %d", 290);
v20 = (*a1)->NewStringUTF;
v21 = "mainfiestFileDigest is wrong";
// NOTE(review): returns without releasing v18/v15/v29 or freeing v19/v13.
return (int)v20(a1, v21);
}
// First check passed: release the JNI buffers (mode 2 is JNI_ABORT, no copy-back) and free the scratch memory.
(*a1)->ReleaseByteArrayElements(a1, (jbyteArray)a3, v18, 2);
(*a1)->ReleaseStringUTFChars(a1, (jstring)a5, v15);
free(v19);
free(v13);
// Second check: same first argument (v29), file name taken from a8.
v23 = (*a1)->GetStringUTFChars(a1, a8, 0);
v24 = malloc(0x20u);
if ( !j_readFileFromApk(v29, v23, v24) )
{
_android_log_print(4, "LeosinAcsctl: digest", "can't find file, LINE = %d", 301);
goto LABEL_8;
}
v28 = v23;
// NOTE(review): unlike the first call, this digest result is not checked for NULL before use.
v25 = (const char *)j_calculateDigest(a1, v24, a11);
v26 = (*a1)->GetByteArrayElements(a1, a6, 0);
// NOTE(review): the buffer is sized with a4 (first digest length) but a7 bytes are
// copied into it; if a7 > a4 this writes past the allocation. Confirm against the
// binary whether this is a decompiler artifact or a real size mismatch.
v27 = (jbyte *)malloc(a4);
qmemcpy(v27, v26, a7);
// Priority 4 is ANDROID_LOG_INFO: both digest values are written to the system log.
// v27 is never NUL-terminated here, so the %s below can read past the buffer.
__android_log_print(4, "LeosinAcsctl: digest", "dexClassDigestLen is %d", a7);
__android_log_print(4, "LeosinAcsctl: digest", "dexClassDigestArr is %s", v27);
__android_log_print(4, "LeosinAcsctl: digest", "dexClassDigest is %s", v25);
// Same strncmp caveat as the first comparison.
if ( !strncmp(v27, v25, a7) )
{
(*a1)->ReleaseByteArrayElements(a1, (jbyteArray)a6, v26, 2);
(*a1)->ReleaseStringUTFChars(a1, (jstring)a8, v28);
free(v27);
free(v24);
(*a1)->ReleaseStringUTFChars(a1, (jstring)a9, v29);
v20 = (*a1)->NewStringUTF;
// NOTE(review): the success value is a compile-time literal, independent of the
// inputs and of the digests just verified. The Java snippet later on this page
// passes this same literal as the token argument of decryptUsingNative, so the
// value does not bind key decryption to a verification that actually ran.
v21 = "@ABCDEFG";
}
else
{
// The log text says "can't find file", but the string returned is the digest-mismatch message.
// Nothing acquired for the second check is released on this branch.
_android_log_print(4, "LeosinAcsctl: digest", "can't find file, LINE = %d", 313);
v20 = (*a1)->NewStringUTF;
v21 = "dexclass digest is wrong";
}
// The jstring is returned through an int cast (as emitted by the decompiler).
return (int)v20(a1, v21);
}
四
解密Key
前面既然已经拿到了 token，那我们直接使用 Unidbg 将 token 值和 ckey 的值传入，计算出结果即可。
/**
 * Invokes the native {@code decryptUsingNative} method through the emulator
 * and returns the byte array held by the object that call produces.
 *
 * @return the value of the returned object, cast to {@code byte[]}
 */
public byte[] key() {
    final String methodSignature = "decryptUsingNative([BLjava/lang/String;)[B";
    // Argument 1: the ckey value (Base64-decoded); argument 2: the token value.
    final byte[] ckeyBytes = Base64.getDecoder().decode("j3AR4u/J4hedDbN8gkrqbbj7ibVPSX695NCfhVxSQWc=");
    final String token = "@ABCDEFG";
    final DvmObject<?> nativeResult =
            UmeJni.callStaticJniMethodObject(emulator, methodSignature, ckeyBytes, token);
    return (byte[]) nativeResult.getValue();
}
五
解密
六
总结
看雪ID:ty1937
https://bbs.kanxue.com/user-home-857508.htm
#
原文始发于微信公众号(看雪学苑):车机OTA包解密