#0x00 某多数据库
在某多数据库中其中的t_mall_conversation表中的message字段数据内容被加密了。
提取相应关键字:t_mall_conversation,message
#0x01 逆向分析
查壳
先用Android APK查壳工具,对某多APK进行查壳。如果有被加固需要进行下一步的脱壳操作,如下图:某多APK并未被加固。
反编译、关键字定位根据关键字t_mall_conversation定位到处理该表与message加密字段的类。
在该类下继续找到getMessage 与 setMessage方法,其中getMessage为获取Pdd数据库t_mall_conversation表中Message的字段(所以解密函数也在该方法中),而setMessage为相反的设置Message字段的内容(加密函数在该方法中)。
a.b(message) //解密函数a.a(str) //加密函数
反编译、加密算法解析采用AES加密算法,向量为{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},密钥为用户UID的MD5加密取前16位,UID的值在data/data/com.xunmeng.pinduoduo/files/pinUserFile文件中。
IV = new byte {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};uid = 5564948642776;MD5(uid) = 479EE2A088591D9856CCDC451C1B4515;KEY = 479EE2A088591D98;
AES加密算法
UID值
POC 编写、破解过程验证
import android.util.Base64;import java.security.Key;import javax.crypto.Cipher;//解密函数public String PddMsgDecrypt(String msg) {if (TextUtils.isEmpty(msg)) {return msg;}//MD5加密(uid)String md5Text = MD5Utils.digest("5564948642776");if (TextUtils.isEmpty(md5Text)) {return msg;}//IVbyte[] iv = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};//KEY 取MD5前16位byte[] key = md5Text.substring(0,16).getBytes();//AES解密try{SecretKeySpec v1 = new SecretKeySpec(key, "AES");IvParameterSpec v0_2 = new IvParameterSpec(iv);Cipher v2 = Cipher.getInstance("AES/CBC/PKCS5Padding");v2.init(2, ((Key)v1), ((AlgorithmParameterSpec)v0_2));return new String(v2.doFinal(Base64.decode(msg, 2)));}catch(Throwable unstd) {Log.v("Lee", "Fail to decrypt data with aes key through java");return msg;}//POC 破解过程验证[mw_shl_code=python,true]import android.util.Base64;import java.security.Key;import javax.crypto.Cipher;//解密函数public String PddMsgDecrypt(String msg) {if (TextUtils.isEmpty(msg)) {return msg;}//MD5加密(uid)String md5Text = MD5Utils.digest("5564948642776");if (TextUtils.isEmpty(md5Text)) {return msg;}//IVbyte[] iv = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};//KEY 取MD5前16位byte[] key = md5Text.substring(0,16).getBytes();//AES解密try{SecretKeySpec v1 = new SecretKeySpec(key, "AES");IvParameterSpec v0_2 = new IvParameterSpec(iv);Cipher v2 = Cipher.getInstance("AES/CBC/PKCS5Padding");v2.init(2, ((Key)v1), ((AlgorithmParameterSpec)v0_2));return new String(v2.doFinal(Base64.decode(msg, 2)));}catch(Throwable unstd) {Log.v("Lee", "Fail to decrypt data with aes key through java");return msg;}//POC 破解过程验证PddMsgDecrypt("fKt3i73/hNjTPjEL/AIFhMLxuEd1XX0p9sfQ7++CPjgnTDnRzG+1dsiZ6S4f5/HlfCw4XL3/Oisudg2I+i2maQzjaoRGxa0iCtCWrKLwbZU5zkt4J0JCKtV3CZC5JQeVvfn++p8EjsHluhwidX7zg8hqA3wueZYUmwfHdyzMUultYeNOLYDfcmYXHhaFet0NUNvUKaBvwDZm2ah6Drpo9W1UK9GN6rntX58idkPULZnzZErIGHCnPIpJ5cVb8sIAo6iLOMSPPTmGyePfx35veXKVFm38u7o8jkWKOCFC6puHncyFu53f/wBNa0LmQINq5Qf62mgZFbXY+lcT9g+vqVhaW7oA2OsJh7bp+1Xrwv0OdZE1B04bFnpP14Z/1INz3MeMMutA48DoCDyJ2jqQTzFv94WiCnLTtFdoGpIy5bAFMg4zRwzyRYo5Z2kD2+EeyF/lXS+r3QBOACJrw3LEx1kLglyfSqJbdJU9CbQGNmCciZ5ec/glTHRvtefNIe2KHYYMPupxbwHbWHSSQCDyL5IgnfAbTc0jMk82KKlk2LyrlJxeTo4s5yk4njnAhLesGoaGfevnnpx12Unk3FpcQ+rrNC+zMjsjXM5wL5ly8o21x/KLAlGsOfM4YSJaH9f4QS3xU1x8jKZMDYr3LnBcNOU+5dRp3gUdEUFJgDN5wUhsjw5UyPDGZmETHG+pJOt8z9kOOJeuldOEfAAx7sJEor8dM6qJwGLI43LnapnwWYXeAkMfH7pR8coD6IrZgJW9sjt6EoFJa7NU1JTykSP3T7okQyEvk8fVdcHF+Hf6BawhXC2Xy6bWmymQKFXJhhzUeJeQEzZi9FU+TqyeTc7AYCYzrsHsjBHnJxC+P4hdexJXYDCue3qxsrz4zC3R+ZE50QpPUTjdrY3bmUmhk+RxgnUp+TpsUhVbb2p/m4017SWGJV+XPPdnG21uGoxcmNHwGN78jWmkI8kg/09+vBiqV4X8U8tXaD2dHKtJf5ZOr7nyADsqekX6EVrCXcKVlecGHvs0zJgScxb9fTS6bEfa2TW+4aZPVD/Zd9gK7+LD/kP0Lupx+9gQPTO4ElCVJ/hoYD2sBhc7Mmu9iLNKuTHOZ8pidvIoyEMj/4/CyZRUoS2eifc+L39xyEnB/P9+2k+a/xTS3gvkfYAD+OIUbok4uU0K1Rko1SLPoNdcxDOmbbcAl8oDOWH7Qd/qTfj4PQ3weIEgV6/p5ZZkPQi8UJi2Z21UO5M4aOyJVugwcDHvEAyJiVaOAPHd7I4CNj5B0LETEhc4NlOqoN2GvF9ztqdkk03Neb1YCZGT+Lgv8mzumyOccOM/K2wQfS7s9iNU4uGskFGYxUXOBhHLaRARhHny/EFiSbvZOtkqKEA9uRupHDjRzW+1ubRJfF++EubkwpvSQVhJfLZa4AWUS3PFUHP1cnwfwUUEKzaFXSLu6F+sPBb796KxK+Ulr7W8lBRsdmHZL60b7Zz582HAZnx+JFUcjiJKlqy2JqcEEyJAQ4S5B2M1WvFWCkQfaBrGrcd32WIGcEhL7ee5AhNLD+f8hfYwQXm2JLwWA9zg87Lt6MgQvumyjzKfH4NP9UTHuthcI3eM+AKHZoHXNeKVBEmvSApHUs5zQ44xwIfXby/m9pMBrRc/Wl+wHc80SGngLfK3JSmbD9KcTVxPez6qzjBUOlL2dZix5BY4pLZKCQhplMV9FljpTkweBxB8ya75vigSDveW6pcPtnxH4a23kuV3TP/6ba4k8cf40kWPXlx3RmZObp6c71Q69kSAnmtPi0O5bguSvBY/cnYHxyLj6Os**EVYIECqOVPoioPeJ/0nAPMO2cs2cbsMRFqeWsYGUeFsu4tkeU21r8/G/FyR9CjCN7VX9ny0u37y1iVa6eh3TouzyP1CY7iZBo2NtR87cCqckAV9QphlK/FkZ5+IqkWohMHLyds+ezigvmHNaz4MQQ+QU7SIaHX/+juOxGcO8Gj83lb/n99FCx5Oyi58NfCRaocxsfFDQqoCOjrWs/ig+WTm6E=");
验证成功、成功解密
{"auto_click":1,"content":"亲,欢迎来到,今后您在多遇到的任何问题都可以咨询我哦~快快开启“多实惠,多乐趣”的购物之旅吧!","from":{"mall_id":"606","role":"mall_cs","uid":"606"},"is_aut":0,"is_rich_text":1,"mallName":"多官方客服","msg_id":"1579261690080","rich_text":{"content":[{"text":"亲,欢迎来到多,今后您在多遇到的任何问题都可以咨询我哦~快快开启“多实惠,多乐趣”的购物之旅吧!","type":"text"},{"click_action":{"name":"send_message","params":{"content":"如何搜索商品"}},"hide":0,"text":"如何搜索商品","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"怎么在多下单"}},"hide":0,"text":"怎么在多下单","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"下单后如何支付"}},"hide":0,"text":"下单后如何支付","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"哪里可以看到我的订单"}},"hide":0,"text":"哪里可以看到我的订单","type":"menu_item"},{"click_action":{"name":"send_message","params":{"content":"有哪些活动"}},"hide":0,"text":"多有哪些活动","type":"menu_item"}],"template":"text_with_menu_items","version":1},"status":"unread","template_name":"parrot_rich_text_with_menu_item","to":{"role":"user","uid":"5564948642776"},"ts":"1579261690","type":0,"unread_count":1,"user_has_read":true}禁止非法,后果自负
欢迎关注公众号:逆向有你
欢迎关注视频号:之乎者也吧
原文始发于微信公众号(web安全工具库):安卓逆向 -- 某多加密数据库研究分析
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论