2023APP加密數(shù)據(jù)資料

1解密APP加密數(shù)據(jù)1介紹案例?：案例?：使?objection介紹如今，在做APP安全測試的時候，越來越多的APP數(shù)據(jù)使?加密傳輸，?般的做法都需要去逆向APP并尋找到加解密算法今天主要介紹?下iOS的?些逆向基礎(chǔ)知識，教?家碰到加密數(shù)據(jù)的APP后該如何去解密今天主要是針對兩款有不同加密?式的iOS應?，難度由低到?案例?：?先解決掛代理抓不到包的問題使?objectioniossslpinningdisable繞過證書綁定PAGEPAGE10在登錄處抓包發(fā)現(xiàn)，request包和response包都為加密傳輸：appmon提供的scriptshack.lu提供的scripts通過參考github上的js腳本，改寫了個較為全?的hook.js腳本:PlainText

復制代碼//IntercepttheCCCryptcall.Interceptor.attach(Module.findExportByName('libcommonCrypto.dylib',pt'),{onEnter:function(args){//Savetheargumentsthis.operation =args[0]this.CCAlgorithm=args[1]this.CCOptions =args[2]this.keyBytes =args[3]this.keyLength =args[4]this.ivBuffer =args[5]this.inBuffer =args[6]this.inLength =args[7]this.outBuffer =args[8]this.outLength =args[9]this.outCountPtr=16console.log('CCCrypt('+'operation:' +this.operation +','+'CCAlgorithm:'+this.CCAlgorithm+','+'CCOptions:' +this.CCOptions +','+'keyBytes:' +this.keyBytes +','+'keyLength:' +this.keyLength +','+'ivBuffer:' +this.ivBuffer +','+'inBuffer:' +this.inBuffer +','+'inLength:' +this.inLength +','+'outBuffer:' +this.outBuffer +','+'outLength:' +this.outLength +','+'outCountPtr:'+this.outCountPtr29if(this.operation==0){//Showthebuffershereifthisanencryptionoperationconsole.log("Inbuffer:")console.log(hexdump(ptr(this.inBuffer),{length:this.inLength.toInt32(),header:true,ansi:true37 }))console.log("Key:")console.log(hexdump(ptr(this.keyBytes),{length:this.keyLength.toInt32(),header:true,ansi:true43 }))44 console.log("IV:")46474846474849505152535455565758596061626364656667686970717273747545ansi:true}))}},onLeave:function(retVal){if(this.operation==1)//Showthebuffershereifthisadecryptionoperationconsole.log("Outbuffer:")console.log(hexdump(ptr(this.outBuffer),{length:Memory.readUInt(this.outCountPtr),header:true,ansi:true}))console.log("Key:")console.log(hexdump(ptr(this.keyBytes),{length:this.keyLength.toInt32(),header:true,ansi:true}))console.log("IV:")console.log(hexdump(ptr(this.ivBuffer),{length:this.keyLength.toInt32(),header:true,ansi:true}))}}})使?fridahookCCCrypt函數(shù)operation:0x0代表加密，0x1代表解密，CCAlgorithm:0x0指加密?式是kCCAlgorithmAES128，CCOptions:0x1指模式是cbc，key=DATA_KEY20150116和iv=20150116參閱CommonCryptor.h各參數(shù)意義案例?：在登錄處抓包發(fā)現(xiàn)，request包和response包都為加密傳輸：使?hook.js腳本發(fā)現(xiàn)hook不到??法，?先使?frida-ios-dump對該APP進??鍵dumpfrida-ios-dump，該?具基于frida提供的強?功能通過注?js實現(xiàn)內(nèi)存dump然后通過python?動拷?到電腦?成ipa?件，通過配置完成之后真的就是?條命令砸殼砸殼完成后會?成ipa?件，我們解壓縮然后使?IDA加載完?進制?件然后在String窗?搜索loginbypassword（這個是登錄時的信息），搜索后進?對應的類，接下來我們進?這個類看它?了哪些?法找到這個字符串引?的代碼位置之后雙擊callWebAPI:data:method:ssl:completionHandler:找到[WebServicecallWebAPI:data:method:ssl:completionHandler:]然后F5?下瀏覽該類發(fā)現(xiàn)可以看到data等關(guān)鍵加密信息，接著我們嘗試搜索data前?的setValue:forKey[_priv_NBSSafeMutableDictionarysetValue:forKey:]查看該類發(fā)現(xiàn)?結(jié)果，返回上?步重新查看加密所在的類v87由v86WebServicereturnDictionaryWithDataPath:](v11,returnDictionaryWithDataPath:,v201)返回查看returnDictionaryWithDataPath:v8=+[RSAencryptString:privateKey:](&OBJC_CLASS___RSA, encryptString:privateKey:,v4,v6);v4由convertToJsonData:返回（明?）v6由AppPrivate返回（密鑰）查看密鑰返回函數(shù)AppPrivate和encryptString:privateKey函數(shù)然后使?frida進?hook使?objectionPlainPlainText復制代碼ioshookingwatchmethod“+[RSAencryptString:privateKey:]”–dump-argsioshookingwatchmethod“+[RSAencryptString:privateKey:]”–dump-return直接使?objection的這兩句命令可以達到同樣的效果附JS：PlainText

復制代碼if(ObjC.available){try{varclassName="RSA";varfuncName="+encryptString:privateKey:"; varhook=eval('ObjC.classes.'+className+'["'+funcName'"]');console.log("[*]ClassName:"+className);console.log("[*]MethodName:"+funcName);Interceptor.attach(hook.implementation,{onEnter:function(args){varparam1=newObjC.Object(args[2]);console.log("args[2]->"+param1);12varparam2=newObjC.Object(args[3]);console.log("args[3]->"+param2);15 },on