安卓逆向Xposed框架Hook常见加密算法

Java源代码

需要在Android studio上打开运行

如果不知道的话可以看教程

零基础学习Xposed框架安卓逆向Xposed框架Hook常见加密算法_第1张图片

教程链接:https://space.bilibili.com/439348342

下面是源代码

package com.example.demo3;

import android.app.Application;
import android.content.Context;
import android.net.wifi.WifiManager;
import android.util.Base64;
import android.util.Log;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

/**
 * @author glsite.com
 * @version $Rev$
 * @des ${TODO}
 * @updateAuthor $Author$
 * @updateDes ${TODO}
 */
public class HelloXp implements IXposedHookLoadPackage {

    public static String byteToHexString(byte[] by) {
        StringBuffer SB = new StringBuffer();
        for (byte k : by) {
            int j = k;
            if (k < 0) {
                j = k + 256;
            }
            if (j < 16) {
                SB.append("0");
            }
            SB.append(Integer.toHexString(j));
        }
        return SB.toString();
    }


    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        //HOOK所有方法
        // if (loadPackageParam.packageName.equals("com.muyang.xposeddemo")) {

        //            XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
        //                    @Override
        //                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        //                    //super.afterHookedMethod(param);
        //
        //                    Class clzz = (Class) param.getResult();
        //                    //获取类名称
        //                    String className = clzz.getName();
        //                    Log.d("muyang", "获取到的类名称" + className);
        //                    //判断类名
        //                    if(className.contains("com.muyang")){
        //                        Method[] mds = clzz.getDeclaredMethods();
        //                        for (int i = 0; i < mds.length; i++) {
        //                            final Method md = mds[i];
        //                            //反射获取修饰符
        //                            int mod = mds[i].getModifiers();
        //                            //循环判断
        //                            if (!Modifier.isAbstract(mod) && !Modifier.isNative(mod) && !Modifier.isInterface(mod)) {
        //
        //                                XposedBridge.hookMethod(mds[i], new XC_MethodHook() {
        //                                    @Override
        //                                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        //                                       // super.beforeHookedMethod(param);
        //                                        //这里就可以打印出所有的方法名称
        //                                        if (md.getName().equals("complexParameterFunc")) {
        //                                            for(Object obj:param.args){
        //                                                Log.d("muyang",obj.getClass().getName());
        //                                            }
        //                                        }
        //                                    }
        //                                });
        //                            }
        //                        }
        //                    }
        //                }
        //            });

        //Hook多dex的方法
        //            XposedHelpers.findAndHookMethod(Application.class,"attach", Context.class ,new XC_MethodHook() {
        //                @Override
        //                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        //                    //获取类加载器
        //                    ClassLoader cl = ((Context)param.args[0]).getClassLoader();
        //                    Class hookClass = null;
        //                    try {
        //                        hookClass = cl.loadClass("com.muyang.xposeddemo.Demo");
        //                    } catch (Exception e) {
        //                        //e.printStackTrace();
        //                        Log.d("muyang","寻找出错");
        //                        return;
        //                    }
        //                    Log.d("muyang","寻找成功");
        //                    //  private void complexParameterFunc(String value, String[][] str, Map map, ArrayList arrayList)
        //
        //                    XposedHelpers.findAndHookMethod(hookClass, "complexParameterFunc",
        //                            String.class,
        //                            String[][].class,
        //                            Map.class,
        //                            ArrayList.class,
        //                            new XC_MethodHook() {
        //                        @Override
        //                        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        //                            //super.afterHookedMethod(param);
        //                            Log.d("muyang","HOOK成功"+param.args[0]);
        //                        }
        //                    });
        //                }
        //            });

        //HOOK md5和Sha的通杀方法
        //
        // XposedHelpers.findClass("java.security.MessageDigest",loadPackageParam.classLoader);
        XposedBridge.hookAllMethods(java.security.MessageDigest.class, "update", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                MessageDigest mes = (MessageDigest) param.thisObject;
                //获取加密的类型
                String type = mes.getAlgorithm();
                Log.d("muyang", "upadte参数:" + param.args.length);
                byte[] params = (byte[]) param.args[0];
                String data = new String(params);
                String data64 = byteToHexString(params);
                String dataB64 = Base64.encodeToString(params, 0);
                Log.d("muyang", type + "update:" + data);
                Log.d("muyang", type + "update64:" + data64);
                Log.d("muyang", type + "updateB64:" + dataB64);
                Log.d("muyang", "======================================");

            }
        });

        XposedBridge.hookAllMethods(java.security.MessageDigest.class, "digest", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //super.afterHookedMethod(param);
                MessageDigest mes = (MessageDigest) param.thisObject;
                String type = mes.getAlgorithm();
                Log.d("muyang", "传digest参数长度" + param.args.length);
                if (param.args.length >= 1) {
                    byte[] params = (byte[]) param.args[0];
                    String data = new String(params);
                    String data64 = byteToHexString(params);
                    String dataB64 = Base64.encodeToString(params, 0);
                    Log.d("muyang", type + "digest有参数:" + data);
                    Log.d("muyang", type + "digest有参数64:" + data64);
                    Log.d("muyang", type + "digest有参数B64:" + dataB64);
                    Log.d("muyang", "=======================================");
                }
                //获取加密后的返回值
                byte[] res = (byte[]) param.getResult();
                String data64 = byteToHexString(res);
                String dataB64 = Base64.encodeToString(res, 0);
                //Log.d("muyang",type+":"+data);
                Log.d("muyang", type + "digest返回值64:" + data64);
                Log.d("muyang", type + "digest返回值B64:" + dataB64);
                Log.d("muyang", "======================");
            }
        });

        //HOOKMAC算法(SecretKeySpec)  里面存放了密钥 和 算法名称
        XposedBridge.hookAllConstructors(javax.crypto.spec.SecretKeySpec.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // super.beforeHookedMethod(param);
                byte[] secreKey = (byte[]) param.args[0];  //存放第一个密钥
                int offset = 0;
                int size = 0;

                String algorithm = "";

                if (param.args.length == 4) {
                    //去取到了偏移和长度
                    offset = ((Integer) param.args[1]).intValue();
                    size = ((Integer) param.args[2]).intValue();
                    algorithm = (String) param.args[3];
                } else {
                    offset = 0;
                    size = secreKey.length;
                    algorithm = (String) param.args[1];
                }
                byte[] keybyte = new byte[size];
                //数组拷贝
                System.arraycopy(secreKey, offset, keybyte, 0, size);
                String data = new String(keybyte);

                Log.d("muyang", "SecretKeySpec:" + algorithm + "==" + data);
                Log.d("muyang", "SecretKeySpec64:" + algorithm + "==" + byteToHexString(keybyte));
                Log.d("muyang", "SecretKeySpecB64:" + algorithm + "==" + Base64.encodeToString(keybyte, 0));
                Log.d("muyang", "=====================================");

            }
        });
        //HOOKMAC(update)   里面存放了加密数据的明文
        XposedBridge.hookAllMethods(javax.crypto.Mac.class, "update", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                Mac mac = (Mac) param.thisObject;
                //获取加密的类型
                String type = mac.getAlgorithm();
                Log.d("muyang", type + "upadte参数长度:" + param.args.length);
                byte[] params = (byte[]) param.args[0];
                int offset = 0;
                int len = params.length;
                if (param.args.length == 3) {
                    offset = ((Integer) param.args[1]).intValue();
                    len = ((Integer) param.args[2]).intValue();
                }

                byte[] keybate = new byte[len];
                System.arraycopy(params, offset, keybate, 0, len);


                String data = new String(keybate);
                String data64 = byteToHexString(keybate);
                String dataB64 = Base64.encodeToString(keybate, 0);
                Log.d("muyang", type + "update:" + data);
                Log.d("muyang", type + "update64:" + data64);
                Log.d("muyang", type + "updateB64:" + dataB64);
                Log.d("muyang", "======================================");

            }
        });

        //HOOKMAC(doFinal)  里面有可能再次添加存放数据   并且有返回值
        XposedBridge.hookAllMethods(javax.crypto.Mac.class, "doFinal", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                Mac mac = (Mac) param.thisObject;
                //获取加密的类型
                String type = mac.getAlgorithm();
                Log.d("muyang", mac + "doFinal参数长度:" + param.args.length);
                if (param.args.length >= 1) {
                    byte[] params = (byte[]) param.args[0];
                    String data = new String(params);
                    String data64 = byteToHexString(params);
                    String dataB64 = Base64.encodeToString(params, 0);
                    Log.d("muyang", type + "doFinal有参数:" + data);
                    Log.d("muyang", type + "doFinal有参数64:" + data64);
                    Log.d("muyang", type + "doFinal有参数B64:" + dataB64);
                    Log.d("muyang", "=======================================");
                }
                //获取加密后的返回值
                byte[] res = (byte[]) param.getResult();
                String data64 = byteToHexString(res);
                String dataB64 = Base64.encodeToString(res, 0);
                //Log.d("muyang",type+":"+data);
                Log.d("muyang", type + "doFinal返回值64:" + data64);
                Log.d("muyang", type + "doFinal返回值B64:" + dataB64);
                Log.d("muyang", "======================");
            }
        });


        //HOOK des descode AES  密钥算法不用HOOK了  和之前的一样
        //HOOK IV向量
        XposedBridge.hookAllConstructors(javax.crypto.spec.IvParameterSpec.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                //byte[] getIV();
                //获取到IV对象
                IvParameterSpec Iv = (IvParameterSpec) param.thisObject;
                //获取加密的类型
                byte[] Ivdata = Iv.getIV();
                Log.d("muyang", "IV向量:" + new String(Ivdata));
                Log.d("muyang", "IV向量64:" + byteToHexString(Ivdata));
                Log.d("muyang", "IV向量B64" + Base64.encodeToString(Ivdata, 0));

                //还可以用其他方法 HOOK参数的方法
            }
        });

        //HOOK update  只hook参数1和3的
        XposedBridge.hookAllMethods(javax.crypto.Cipher.class, "update", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                if ((param.args.length != 1) || (param.args.length != 3))
                    return;
                Cipher cipher = (Cipher) param.thisObject;
                //获取加密的类型
                String type = cipher.getAlgorithm();
                Log.d("muyang", type + "upadte参数长度:" + param.args.length);
                byte[] params = (byte[]) param.args[0];
                int offset = 0;
                int len = params.length;
                if (param.args.length == 3) {
                    offset = ((Integer) param.args[1]).intValue();
                    len = ((Integer) param.args[2]).intValue();
                }

                byte[] keybate = new byte[len];
                System.arraycopy(params, offset, keybate, 0, len);


                String data = new String(keybate);
                String data64 = byteToHexString(keybate);
                String dataB64 = Base64.encodeToString(keybate, 0);
                Log.d("muyang", type + "update:" + data);
                Log.d("muyang", type + "update64:" + data64);
                Log.d("muyang", type + "updateB64:" + dataB64);
                Log.d("muyang", "======================================");

            }
        });

        //HOOK  doFinal
        XposedBridge.hookAllMethods(javax.crypto.Cipher.class, "doFinal", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                Cipher cipher = (Cipher) param.thisObject;
                //获取加密的类型
                String type = cipher.getAlgorithm();
                Log.d("muyang", cipher + "doFinal参数长度:" + param.args.length);
                int offset = 0;
                int len = 0;
                byte[] params = (byte[]) param.args[0];
                if (param.args.length == 1) {
                    params = (byte[]) param.args[0];
                    offset = 0;
                    len = params.length;
                } else if (param.args.length == 3) {
                    params = (byte[]) param.args[0];
                    offset = ((Integer) param.args[1]).intValue();
                    len = ((Integer) param.args[2]).intValue();
                }
                if (len > 0) {
                    byte[] newArray = new byte[len];
                    System.arraycopy(params, offset, newArray, 0, len);

                    String data = new String(newArray);
                    String data64 = byteToHexString(newArray);
                    String dataB64 = Base64.encodeToString(newArray, 0);
                    Log.d("muyang", type + "doFinal有参数:" + data);
                    Log.d("muyang", type + "doFinal有参数64:" + data64);
                    Log.d("muyang", type + "doFinal有参数B64:" + dataB64);
                    Log.d("muyang", "=======================================");
                }


                //获取加密后的返回值
                byte[] res = (byte[]) param.getResult();
                String data64 = byteToHexString(res);
                String dataB64 = Base64.encodeToString(res, 0);
                //Log.d("muyang",type+":"+data);
                Log.d("muyang", type + "doFinal返回值64:" + data64);
                Log.d("muyang", type + "doFinal返回值B64:" + dataB64);
                Log.d("muyang", "======================");
            }
        });

        XposedBridge.hookAllConstructors(java.security.spec.X509EncodedKeySpec.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                byte[] params = (byte[]) param.args[0];
                String dataB64 = Base64.encodeToString(params, 0);
                Log.d("muyang", "RSA密钥64:" + dataB64);
                Log.d("muyang", "=================================");

            }
        });
        XposedBridge.hookAllConstructors(java.security.spec.RSAPublicKeySpec.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                String n = ((BigInteger)(param.args[0])).toString();
                String e = ((BigInteger)(param.args[1])).toString();
               // String dataB64 = Base64.encodeToString(params, 0);
                Log.d("muyang", "RSA16密钥:" + n+":"+e);
                Log.d("muyang", "=================================");

            }
        });

        // }
    }
}

 

你可能感兴趣的:(安卓逆向Xposed框架Hook常见加密算法)