安卓逆向Xposed框架Hook常见加密算法
Java源代码
需要在Android studio上打开运行
如果不知道的话可以看教程
零基础学习Xposed框架
教程链接:https://space.bilibili.com/439348342
下面是源代码
package com.example.demo3;
import android.app.Application;
import android.content.Context;
import android.net.wifi.WifiManager;
import android.util.Base64;
import android.util.Log;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
/**
* @author glsite.com
* @version $Rev$
* @des ${TODO}
* @updateAuthor $Author$
* @updateDes ${TODO}
*/
public class HelloXp implements IXposedHookLoadPackage {
public static String byteToHexString(byte[] by) {
StringBuffer SB = new StringBuffer();
for (byte k : by) {
int j = k;
if (k < 0) {
j = k + 256;
}
if (j < 16) {
SB.append("0");
}
SB.append(Integer.toHexString(j));
}
return SB.toString();
}
@Override
public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
//HOOK所有方法
// if (loadPackageParam.packageName.equals("com.muyang.xposeddemo")) {
// XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
// @Override
// protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// //super.afterHookedMethod(param);
//
// Class clzz = (Class) param.getResult();
// //获取类名称
// String className = clzz.getName();
// Log.d("muyang", "获取到的类名称" + className);
// //判断类名
// if(className.contains("com.muyang")){
// Method[] mds = clzz.getDeclaredMethods();
// for (int i = 0; i < mds.length; i++) {
// final Method md = mds[i];
// //反射获取修饰符
// int mod = mds[i].getModifiers();
// //循环判断
// if (!Modifier.isAbstract(mod) && !Modifier.isNative(mod) && !Modifier.isInterface(mod)) {
//
// XposedBridge.hookMethod(mds[i], new XC_MethodHook() {
// @Override
// protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// // super.beforeHookedMethod(param);
// //这里就可以打印出所有的方法名称
// if (md.getName().equals("complexParameterFunc")) {
// for(Object obj:param.args){
// Log.d("muyang",obj.getClass().getName());
// }
// }
// }
// });
// }
// }
// }
// }
// });
//Hook多dex的方法
// XposedHelpers.findAndHookMethod(Application.class,"attach", Context.class ,new XC_MethodHook() {
// @Override
// protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// //获取类加载器
// ClassLoader cl = ((Context)param.args[0]).getClassLoader();
// Class hookClass = null;
// try {
// hookClass = cl.loadClass("com.muyang.xposeddemo.Demo");
// } catch (Exception e) {
// //e.printStackTrace();
// Log.d("muyang","寻找出错");
// return;
// }
// Log.d("muyang","寻找成功");
// // private void complexParameterFunc(String value, String[][] str, Map map, ArrayList arrayList)
//
// XposedHelpers.findAndHookMethod(hookClass, "complexParameterFunc",
// String.class,
// String[][].class,
// Map.class,
// ArrayList.class,
// new XC_MethodHook() {
// @Override
// protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// //super.afterHookedMethod(param);
// Log.d("muyang","HOOK成功"+param.args[0]);
// }
// });
// }
// });
//HOOK md5和Sha的通杀方法
//
// XposedHelpers.findClass("java.security.MessageDigest",loadPackageParam.classLoader);
XposedBridge.hookAllMethods(java.security.MessageDigest.class, "update", new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
MessageDigest mes = (MessageDigest) param.thisObject;
//获取加密的类型
String type = mes.getAlgorithm();
Log.d("muyang", "upadte参数:" + param.args.length);
byte[] params = (byte[]) param.args[0];
String data = new String(params);
String data64 = byteToHexString(params);
String dataB64 = Base64.encodeToString(params, 0);
Log.d("muyang", type + "update:" + data);
Log.d("muyang", type + "update64:" + data64);
Log.d("muyang", type + "updateB64:" + dataB64);
Log.d("muyang", "======================================");
}
});
XposedBridge.hookAllMethods(java.security.MessageDigest.class, "digest", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
//super.afterHookedMethod(param);
MessageDigest mes = (MessageDigest) param.thisObject;
String type = mes.getAlgorithm();
Log.d("muyang", "传digest参数长度" + param.args.length);
if (param.args.length >= 1) {
byte[] params = (byte[]) param.args[0];
String data = new String(params);
String data64 = byteToHexString(params);
String dataB64 = Base64.encodeToString(params, 0);
Log.d("muyang", type + "digest有参数:" + data);
Log.d("muyang", type + "digest有参数64:" + data64);
Log.d("muyang", type + "digest有参数B64:" + dataB64);
Log.d("muyang", "=======================================");
}
//获取加密后的返回值
byte[] res = (byte[]) param.getResult();
String data64 = byteToHexString(res);
String dataB64 = Base64.encodeToString(res, 0);
//Log.d("muyang",type+":"+data);
Log.d("muyang", type + "digest返回值64:" + data64);
Log.d("muyang", type + "digest返回值B64:" + dataB64);
Log.d("muyang", "======================");
}
});
//HOOKMAC算法(SecretKeySpec) 里面存放了密钥 和 算法名称
XposedBridge.hookAllConstructors(javax.crypto.spec.SecretKeySpec.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
byte[] secreKey = (byte[]) param.args[0]; //存放第一个密钥
int offset = 0;
int size = 0;
String algorithm = "";
if (param.args.length == 4) {
//去取到了偏移和长度
offset = ((Integer) param.args[1]).intValue();
size = ((Integer) param.args[2]).intValue();
algorithm = (String) param.args[3];
} else {
offset = 0;
size = secreKey.length;
algorithm = (String) param.args[1];
}
byte[] keybyte = new byte[size];
//数组拷贝
System.arraycopy(secreKey, offset, keybyte, 0, size);
String data = new String(keybyte);
Log.d("muyang", "SecretKeySpec:" + algorithm + "==" + data);
Log.d("muyang", "SecretKeySpec64:" + algorithm + "==" + byteToHexString(keybyte));
Log.d("muyang", "SecretKeySpecB64:" + algorithm + "==" + Base64.encodeToString(keybyte, 0));
Log.d("muyang", "=====================================");
}
});
//HOOKMAC(update) 里面存放了加密数据的明文
XposedBridge.hookAllMethods(javax.crypto.Mac.class, "update", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
Mac mac = (Mac) param.thisObject;
//获取加密的类型
String type = mac.getAlgorithm();
Log.d("muyang", type + "upadte参数长度:" + param.args.length);
byte[] params = (byte[]) param.args[0];
int offset = 0;
int len = params.length;
if (param.args.length == 3) {
offset = ((Integer) param.args[1]).intValue();
len = ((Integer) param.args[2]).intValue();
}
byte[] keybate = new byte[len];
System.arraycopy(params, offset, keybate, 0, len);
String data = new String(keybate);
String data64 = byteToHexString(keybate);
String dataB64 = Base64.encodeToString(keybate, 0);
Log.d("muyang", type + "update:" + data);
Log.d("muyang", type + "update64:" + data64);
Log.d("muyang", type + "updateB64:" + dataB64);
Log.d("muyang", "======================================");
}
});
//HOOKMAC(doFinal) 里面有可能再次添加存放数据 并且有返回值
XposedBridge.hookAllMethods(javax.crypto.Mac.class, "doFinal", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
Mac mac = (Mac) param.thisObject;
//获取加密的类型
String type = mac.getAlgorithm();
Log.d("muyang", mac + "doFinal参数长度:" + param.args.length);
if (param.args.length >= 1) {
byte[] params = (byte[]) param.args[0];
String data = new String(params);
String data64 = byteToHexString(params);
String dataB64 = Base64.encodeToString(params, 0);
Log.d("muyang", type + "doFinal有参数:" + data);
Log.d("muyang", type + "doFinal有参数64:" + data64);
Log.d("muyang", type + "doFinal有参数B64:" + dataB64);
Log.d("muyang", "=======================================");
}
//获取加密后的返回值
byte[] res = (byte[]) param.getResult();
String data64 = byteToHexString(res);
String dataB64 = Base64.encodeToString(res, 0);
//Log.d("muyang",type+":"+data);
Log.d("muyang", type + "doFinal返回值64:" + data64);
Log.d("muyang", type + "doFinal返回值B64:" + dataB64);
Log.d("muyang", "======================");
}
});
//HOOK des descode AES 密钥算法不用HOOK了 和之前的一样
//HOOK IV向量
XposedBridge.hookAllConstructors(javax.crypto.spec.IvParameterSpec.class, new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
//byte[] getIV();
//获取到IV对象
IvParameterSpec Iv = (IvParameterSpec) param.thisObject;
//获取加密的类型
byte[] Ivdata = Iv.getIV();
Log.d("muyang", "IV向量:" + new String(Ivdata));
Log.d("muyang", "IV向量64:" + byteToHexString(Ivdata));
Log.d("muyang", "IV向量B64" + Base64.encodeToString(Ivdata, 0));
//还可以用其他方法 HOOK参数的方法
}
});
//HOOK update 只hook参数1和3的
XposedBridge.hookAllMethods(javax.crypto.Cipher.class, "update", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
if ((param.args.length != 1) || (param.args.length != 3))
return;
Cipher cipher = (Cipher) param.thisObject;
//获取加密的类型
String type = cipher.getAlgorithm();
Log.d("muyang", type + "upadte参数长度:" + param.args.length);
byte[] params = (byte[]) param.args[0];
int offset = 0;
int len = params.length;
if (param.args.length == 3) {
offset = ((Integer) param.args[1]).intValue();
len = ((Integer) param.args[2]).intValue();
}
byte[] keybate = new byte[len];
System.arraycopy(params, offset, keybate, 0, len);
String data = new String(keybate);
String data64 = byteToHexString(keybate);
String dataB64 = Base64.encodeToString(keybate, 0);
Log.d("muyang", type + "update:" + data);
Log.d("muyang", type + "update64:" + data64);
Log.d("muyang", type + "updateB64:" + dataB64);
Log.d("muyang", "======================================");
}
});
//HOOK doFinal
XposedBridge.hookAllMethods(javax.crypto.Cipher.class, "doFinal", new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
Cipher cipher = (Cipher) param.thisObject;
//获取加密的类型
String type = cipher.getAlgorithm();
Log.d("muyang", cipher + "doFinal参数长度:" + param.args.length);
int offset = 0;
int len = 0;
byte[] params = (byte[]) param.args[0];
if (param.args.length == 1) {
params = (byte[]) param.args[0];
offset = 0;
len = params.length;
} else if (param.args.length == 3) {
params = (byte[]) param.args[0];
offset = ((Integer) param.args[1]).intValue();
len = ((Integer) param.args[2]).intValue();
}
if (len > 0) {
byte[] newArray = new byte[len];
System.arraycopy(params, offset, newArray, 0, len);
String data = new String(newArray);
String data64 = byteToHexString(newArray);
String dataB64 = Base64.encodeToString(newArray, 0);
Log.d("muyang", type + "doFinal有参数:" + data);
Log.d("muyang", type + "doFinal有参数64:" + data64);
Log.d("muyang", type + "doFinal有参数B64:" + dataB64);
Log.d("muyang", "=======================================");
}
//获取加密后的返回值
byte[] res = (byte[]) param.getResult();
String data64 = byteToHexString(res);
String dataB64 = Base64.encodeToString(res, 0);
//Log.d("muyang",type+":"+data);
Log.d("muyang", type + "doFinal返回值64:" + data64);
Log.d("muyang", type + "doFinal返回值B64:" + dataB64);
Log.d("muyang", "======================");
}
});
XposedBridge.hookAllConstructors(java.security.spec.X509EncodedKeySpec.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
byte[] params = (byte[]) param.args[0];
String dataB64 = Base64.encodeToString(params, 0);
Log.d("muyang", "RSA密钥64:" + dataB64);
Log.d("muyang", "=================================");
}
});
XposedBridge.hookAllConstructors(java.security.spec.RSAPublicKeySpec.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
// super.beforeHookedMethod(param);
String n = ((BigInteger)(param.args[0])).toString();
String e = ((BigInteger)(param.args[1])).toString();
// String dataB64 = Base64.encodeToString(params, 0);
Log.d("muyang", "RSA16密钥:" + n+":"+e);
Log.d("muyang", "=================================");
}
});
// }
}
}