2023APP加密数据资料

1解密APP加密数据1介绍案例⼀：案例⼆：使⽤objection介绍如今，在做APP安全测试的时候，越来越多的APP数据使⽤加密传输，⼀般的做法都需要去逆向APP并寻找到加解密算法今天主要介绍⼀下iOS的⼀些逆向基础知识，教⼤家碰到加密数据的APP后该如何去解密今天主要是针对两款有不同加密⽅式的iOS应⽤，难度由低到⾼案例⼀：⾸先解决挂代理抓不到包的问题使⽤objectioniossslpinningdisable绕过证书绑定PAGEPAGE10在登录处抓包发现，request包和response包都为加密传输：appmon提供的scriptshack.lu提供的scripts通过参考github上的js脚本，改写了个较为全⾯的hook.js脚本:PlainText

复制代码//IntercepttheCCCryptcall.Interceptor.attach(Module.findExportByName('libcommonCrypto.dylib',pt'),{onEnter:function(args){//Savetheargumentsthis.operation =args[0]this.CCAlgorithm=args[1]this.CCOptions =args[2]this.keyBytes =args[3]this.keyLength =args[4]this.ivBuffer =args[5]this.inBuffer =args[6]this.inLength =args[7]this.outBuffer =args[8]this.outLength =args[9]this.outCountPtr=16console.log('CCCrypt('+'operation:' +this.operation +','+'CCAlgorithm:'+this.CCAlgorithm+','+'CCOptions:' +this.CCOptions +','+'keyBytes:' +this.keyBytes +','+'keyLength:' +this.keyLength +','+'ivBuffer:' +this.ivBuffer +','+'inBuffer:' +this.inBuffer +','+'inLength:' +this.inLength +','+'outBuffer:' +this.outBuffer +','+'outLength:' +this.outLength +','+'outCountPtr:'+this.outCountPtr29if(this.operation==0){//Showthebuffershereifthisanencryptionoperationconsole.log("Inbuffer:")console.log(hexdump(ptr(this.inBuffer),{length:this.inLength.toInt32(),header:true,ansi:true37 }))console.log("Key:")console.log(hexdump(ptr(this.keyBytes),{length:this.keyLength.toInt32(),header:true,ansi:true43 }))44 console.log("IV:")46474846474849505152535455565758596061626364656667686970717273747545ansi:true}))}},onLeave:function(retVal){if(this.operation==1)//Showthebuffershereifthisadecryptionoperationconsole.log("Outbuffer:")console.log(hexdump(ptr(this.outBuffer),{length:Memory.readUInt(this.outCountPtr),header:true,ansi:true}))console.log("Key:")console.log(hexdump(ptr(this.keyBytes),{length:this.keyLength.toInt32(),header:true,ansi:true}))console.log("IV:")console.log(hexdump(ptr(this.ivBuffer),{length:this.keyLength.toInt32(),header:true,ansi:true}))}}})使⽤fridahookCCCrypt函数operation:0x0代表加密，0x1代表解密，CCAlgorithm:0x0指加密⽅式是kCCAlgorithmAES128，CCOptions:0x1指模式是cbc，key=DATA_KEY20150116和iv=20150116参阅CommonCryptor.h各参数意义案例⼆：在登录处抓包发现，request包和response包都为加密传输：使⽤hook.js脚本发现hook不到⽼⽅法，⾸先使⽤frida-ios-dump对该APP进⾏⼀键dumpfrida-ios-dump，该⼯具基于frida提供的强⼤功能通过注⼊js实现内存dump然后通过python⾃动拷⻉到电脑⽣成ipa⽂件，通过配置完成之后真的就是⼀条命令砸壳砸壳完成后会⽣成ipa⽂件，我们解压缩然后使⽤IDA加载完⼆进制⽂件然后在String窗⼝搜索loginbypassword（这个是登录时的信息），搜索后进⼊对应的类，接下来我们进⼊这个类看它⽤了哪些⽅法找到这个字符串引⽤的代码位置之后双击callWebAPI:data:method:ssl:completionHandler:找到[WebServicecallWebAPI:data:method:ssl:completionHandler:]然后F5⼀下浏览该类发现可以看到data等关键加密信息，接着我们尝试搜索data前⾯的setValue:forKey[_priv_NBSSafeMutableDictionarysetValue:forKey:]查看该类发现⽆结果，返回上⼀步重新查看加密所在的类v87由v86WebServicereturnDictionaryWithDataPath:](v11,returnDictionaryWithDataPath:,v201)返回查看returnDictionaryWithDataPath:v8=+[RSAencryptString:privateKey:](&OBJC_CLASS___RSA, encryptString:privateKey:,v4,v6);v4由convertToJsonData:返回（明⽂）v6由AppPrivate返回（密钥）查看密钥返回函数AppPrivate和encryptString:privateKey函数然后使⽤frida进⾏hook使⽤objectionPlainPlainText复制代码ioshookingwatchmethod“+[RSAencryptString:privateKey:]”–dump-argsioshookingwatchmethod“+[RSAencryptString:privateKey:]”–dump-return直接使⽤objection的这两句命令可以达到同样的效果附JS：PlainText

复制代码if(ObjC.available){try{varclassName="RSA";varfuncName="+encryptString:privateKey:"; varhook=eval('ObjC.classes.'+className+'["'+funcName'"]');console.log("[*]ClassName:"+className);console.log("[*]MethodName:"+funcName);Interceptor.attach(hook.implementation,{onEnter:function(args){varparam1=newObjC.Object(args[2]);console.log("args[2]->"+param1);12varparam2=newObjC.Object(args[3]);console.log("args[3]->"+param2);15 },on