├── .gitignore ├── AndroidCertificatePinningKiller ├── README.md └── bypassCertificatePinningAndroid.js ├── FridaScript ├── hook_art.js ├── hook_registerNative.js └── protocol_hook.js ├── LICENSE ├── README.md └── RegressionAlgorithm └── script ├── AES.java ├── AESUtils.java ├── HMACSHA256Util.java ├── HttpURLConnectionExample.java ├── MD5Utils.java ├── RASUtils.java ├── RASUtilsNew.java └── RSA.java /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /AndroidCertificatePinningKiller/README.md: -------------------------------------------------------------------------------- 1 | # AndroidCertificatePinningKiller 2 | 3 | ## Android证书杀手 4 | 5 | Frida代码修改脚本,可用于绕过Android环境中的证书固定。使用此脚本,所有证书都将被视为可信证书。可以使用此脚本绕过以下证书固定库: 6 | 7 | Android的默认库 8 | OKHttp库 9 | Frida [1] 可在未root和已root的Android设备上使用。此脚本已在TLSConnector [2,3]上进行了测试。 10 | 11 | 用法:frida -U -l bypassCertificatePinningAndroid.js -f org.package.name --no-pause 12 | 13 | [1] = https://frida.re/ 14 | [2] = https://github.com/CeesMandjes/TLSConnector 15 | [3] = https://github.com/CeesMandjes/TLSConnectorServer 16 | 17 | -------------------------------------------------------------------------------- /AndroidCertificatePinningKiller/bypassCertificatePinningAndroid.js: -------------------------------------------------------------------------------- 1 | /* 2 | Bypass certificate pinning script for Android's default library and the OKHttp library. Using this script all certificates will be considered as trusted. 
3 | 4 | $ frida -U -l bypassCertificatePinningAndroid.js -f org.package.name --no-pause 5 | 6 | @author Cees Mandjes 7 | */ 8 | Java.perform(function (){ 9 | console.log(""); 10 | console.log("-- Bypass certificate pinning for Android's default libary and OKHttp libary --"); 11 | 12 | //Bypass the OKHttp Library 13 | try { 14 | console.log("Looking for OKHttp library"); 15 | //Class config 16 | var CertificatePinnerBuilder = Java.use('okhttp3.CertificatePinner$Builder'); 17 | 18 | CertificatePinnerBuilder.add.implementation = function(host, pins) { 19 | console.log("OKHttp: remove pin for host: " + host); 20 | var fakeHostName = "x"; 21 | return this.add(fakeHostName, pins); 22 | } 23 | 24 | console.log("OKHttp library was succesfully hooked"); 25 | } catch (e) { 26 | console.log("OKHttp library was not found"); 27 | } 28 | 29 | //Bypass the Android's default Library 30 | try { 31 | console.log("Looking for Android's default library"); 32 | //Classes config 33 | var SSLContext = Java.use("javax.net.ssl.SSLContext"); 34 | var KeyStore = Java.use("java.security.KeyStore"); 35 | var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl'); 36 | 37 | 38 | //Create TrustManager instance by using the default KeyStore instance and the TrustManagerImpl class 39 | var keyStoreType = KeyStore.getDefaultType(); 40 | var keyStore = KeyStore.getInstance(keyStoreType); 41 | keyStore.load(null, null); 42 | var MyTrustManager = [TrustManagerImpl.$new(keyStore)]; 43 | 44 | //Makes sure that the TustManagerImpl is used as Trustmanager (default behavior), this class is hooked below 45 | SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(keyManager, trustManager, secureRandom) { 46 | console.log("Overriding TrustManager with default instance of TrustManagerImpl"); 47 | this.init(keyManager, MyTrustManager, secureRandom); 48 | }; 49 | 50 | //Skip certificate chain validation 
by returning the received certificate chain as a trusted chain 51 | TrustManagerImpl.checkTrustedRecursive.implementation = function(certs, ocspData, tlsSctData, host, clientAuth, untrustedChain, trustAnchorChain, used) { 52 | var certsList = Java.use('java.util.ArrayList').$new(); 53 | var i; 54 | for (i = 0; i < certs.length; i++) { 55 | certsList.add(certs[i]); 56 | } 57 | return certsList; 58 | } 59 | 60 | console.log("Android's default library was succesfully hooked"); 61 | } catch (e) { 62 | console.log("Android's default library was not found"); 63 | } 64 | 65 | //Information loging for Android SafetyNet 66 | try { 67 | console.log("Looking for Android SafetyNet Attestation library"); 68 | //Classes config 69 | var SafetyNetClient = Java.use("com.google.android.gms.safetynet.SafetyNetClient"); 70 | var SafetyNetAttestationResponse = Java.use("com.google.android.gms.safetynet.SafetyNetApi$AttestationResponse"); 71 | var Base64 = Java.use("java.util.Base64"); 72 | var String = Java.use("java.lang.String"); 73 | 74 | //Logs when SafetyNet Attestation evaluation starts and continues its regular behavior 75 | SafetyNetClient.attest.implementation = function(nonce, apiKey) { 76 | console.log("SafetyNet Attestation is called"); 77 | return this.attest(nonce, apiKey); 78 | } 79 | 80 | //Logs the payload of SafetyNet Attestation evaluation and continues its regular behavior 81 | SafetyNetAttestationResponse.getJwsResult.implementation = function() { 82 | var signedAttestation = this.getJwsResult(); 83 | var payloadEncoded = (signedAttestation.split(".")[1]); 84 | var payloadDecoded = String.$new(Base64.getDecoder().decode(payloadEncoded)); 85 | console.log("SafetyNet Attestion payload:\n" + payloadDecoded); 86 | return signedAttestation; 87 | } 88 | 89 | console.log("Android SafetyNet Attestation library was succesfully hooked"); 90 | } catch (e) { 91 | console.log("Android SafetyNet Attestation library was not found"); 92 | } 93 | 94 | console.log("-- Hooking 
complete --"); 95 | console.log(""); 96 | }); -------------------------------------------------------------------------------- /FridaScript/hook_art.js: -------------------------------------------------------------------------------- 1 | var ishook_libart = false; 2 | 3 | function hook_libart() { 4 | if (ishook_libart === true) { 5 | return; 6 | } 7 | var symbols = Module.enumerateSymbolsSync("libart.so"); 8 | var addrGetStringUTFChars = null; 9 | var addrNewStringUTF = null; 10 | var addrFindClass = null; 11 | var addrGetMethodID = null; 12 | var addrGetStaticMethodID = null; 13 | var addrGetFieldID = null; 14 | var addrGetStaticFieldID = null; 15 | var addrRegisterNatives = null; 16 | var addrAllocObject = null; 17 | var addrCallObjectMethod = null; 18 | var addrGetObjectClass = null; 19 | var addrReleaseStringUTFChars = null; 20 | for (var i = 0; i < symbols.length; i++) { 21 | var symbol = symbols[i]; 22 | if (symbol.name == "_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh") { 23 | addrGetStringUTFChars = symbol.address; 24 | console.log("GetStringUTFChars is at ", symbol.address, symbol.name); 25 | } else if (symbol.name == "_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc") { 26 | addrNewStringUTF = symbol.address; 27 | console.log("NewStringUTF is at ", symbol.address, symbol.name); 28 | } else if (symbol.name == "_ZN3art3JNI9FindClassEP7_JNIEnvPKc") { 29 | addrFindClass = symbol.address; 30 | console.log("FindClass is at ", symbol.address, symbol.name); 31 | } else if (symbol.name == "_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_") { 32 | addrGetMethodID = symbol.address; 33 | console.log("GetMethodID is at ", symbol.address, symbol.name); 34 | } else if (symbol.name == "_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_") { 35 | addrGetStaticMethodID = symbol.address; 36 | console.log("GetStaticMethodID is at ", symbol.address, symbol.name); 37 | } else if (symbol.name == "_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_") { 38 | addrGetFieldID = 
symbol.address; 39 | console.log("GetFieldID is at ", symbol.address, symbol.name); 40 | } else if (symbol.name == "_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_") { 41 | addrGetStaticFieldID = symbol.address; 42 | console.log("GetStaticFieldID is at ", symbol.address, symbol.name); 43 | } else if (symbol.name == "_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") { 44 | addrRegisterNatives = symbol.address; 45 | console.log("RegisterNatives is at ", symbol.address, symbol.name); 46 | } else if (symbol.name.indexOf("_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass") >= 0) { 47 | addrAllocObject = symbol.address; 48 | console.log("AllocObject is at ", symbol.address, symbol.name); 49 | } else if (symbol.name.indexOf("_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz") >= 0) { 50 | addrCallObjectMethod = symbol.address; 51 | console.log("CallObjectMethod is at ", symbol.address, symbol.name); 52 | } else if (symbol.name.indexOf("_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject") >= 0) { 53 | addrGetObjectClass = symbol.address; 54 | console.log("GetObjectClass is at ", symbol.address, symbol.name); 55 | } else if (symbol.name.indexOf("_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc") >= 0) { 56 | addrReleaseStringUTFChars = symbol.address; 57 | console.log("ReleaseStringUTFChars is at ", symbol.address, symbol.name); 58 | } 59 | } 60 | 61 | if (addrGetStringUTFChars != null) { 62 | Interceptor.attach(addrGetStringUTFChars, { 63 | onEnter: function (args) { }, 64 | onLeave: function (retval) { 65 | if (retval != null) { 66 | var bytes = Memory.readCString(retval); 67 | console.log("[GetStringUTFChars] result:" + bytes); 68 | } 69 | } 70 | }); 71 | } 72 | if (addrNewStringUTF != null) { 73 | Interceptor.attach(addrNewStringUTF, { 74 | onEnter: function (args) { 75 | if (args[1] != null) { 76 | var string = Memory.readCString(args[1]); 77 | console.log("[NewStringUTF] bytes:" + string); 78 | } 79 | }, 80 | onLeave: function 
(retval) { } 81 | }); 82 | } 83 | if (addrFindClass != null) { 84 | Interceptor.attach(addrFindClass, { 85 | onEnter: function (args) { 86 | if (args[1] != null) { 87 | var name = Memory.readCString(args[1]); 88 | console.log("[FindClass] name:" + name); 89 | } 90 | }, 91 | onLeave: function (retval) { } 92 | }); 93 | } 94 | if (addrGetMethodID != null) { 95 | Interceptor.attach(addrGetMethodID, { 96 | onEnter: function (args) { 97 | if (args[2] != null) { 98 | var name = Memory.readCString(args[2]); 99 | if (args[3] != null) { 100 | var sig = Memory.readCString(args[3]); 101 | console.log("[GetMethodID] name:" + name + ", sig:" + sig); 102 | } else { 103 | console.log("[GetMethodID] name:" + name); 104 | } 105 | 106 | } 107 | }, 108 | onLeave: function (retval) { } 109 | }); 110 | } 111 | if (addrGetStaticMethodID != null) { 112 | Interceptor.attach(addrGetStaticMethodID, { 113 | onEnter: function (args) { 114 | if (args[2] != null) { 115 | var name = Memory.readCString(args[2]); 116 | if (args[3] != null) { 117 | var sig = Memory.readCString(args[3]); 118 | console.log("[GetStaticMethodID] name:" + name + ", sig:" + sig); 119 | } else { 120 | console.log("[GetStaticMethodID] name:" + name); 121 | } 122 | 123 | } 124 | }, 125 | onLeave: function (retval) { } 126 | }); 127 | } 128 | if (addrGetFieldID != null) { 129 | Interceptor.attach(addrGetFieldID, { 130 | onEnter: function (args) { 131 | if (args[2] != null) { 132 | var name = Memory.readCString(args[2]); 133 | if (args[3] != null) { 134 | var sig = Memory.readCString(args[3]); 135 | console.log("[GetFieldID] name:" + name + ", sig:" + sig); 136 | } else { 137 | console.log("[GetFieldID] name:" + name); 138 | } 139 | 140 | } 141 | }, 142 | onLeave: function (retval) { } 143 | }); 144 | } 145 | if (addrGetStaticFieldID != null) { 146 | Interceptor.attach(addrGetStaticFieldID, { 147 | onEnter: function (args) { 148 | if (args[2] != null) { 149 | var name = Memory.readCString(args[2]); 150 | if (args[3] != null) 
{ 151 | var sig = Memory.readCString(args[3]); 152 | console.log("[GetStaticFieldID] name:" + name + ", sig:" + sig); 153 | } else { 154 | console.log("[GetStaticFieldID] name:" + name); 155 | } 156 | 157 | } 158 | }, 159 | onLeave: function (retval) { } 160 | }); 161 | } 162 | 163 | if (addrRegisterNatives != null) { 164 | Interceptor.attach(addrRegisterNatives, { 165 | onEnter: function (args) { 166 | console.log("[RegisterNatives] method_count:", args[3]); 167 | var env = args[0]; 168 | var java_class = args[1]; 169 | 170 | var funcAllocObject = new NativeFunction(addrAllocObject, "pointer", ["pointer", "pointer"]); 171 | var funcGetMethodID = new NativeFunction(addrGetMethodID, "pointer", ["pointer", "pointer", "pointer", "pointer"]); 172 | var funcCallObjectMethod = new NativeFunction(addrCallObjectMethod, "pointer", ["pointer", "pointer", "pointer"]); 173 | var funcGetObjectClass = new NativeFunction(addrGetObjectClass, "pointer", ["pointer", "pointer"]); 174 | var funcGetStringUTFChars = new NativeFunction(addrGetStringUTFChars, "pointer", ["pointer", "pointer", "pointer"]); 175 | var funcReleaseStringUTFChars = new NativeFunction(addrReleaseStringUTFChars, "void", ["pointer", "pointer", "pointer"]); 176 | 177 | var clz_obj = funcAllocObject(env, java_class); 178 | var mid_getClass = funcGetMethodID(env, java_class, Memory.allocUtf8String("getClass"), Memory.allocUtf8String("()Ljava/lang/Class;")); 179 | var clz_obj2 = funcCallObjectMethod(env, clz_obj, mid_getClass); 180 | var cls = funcGetObjectClass(env, clz_obj2); 181 | var mid_getName = funcGetMethodID(env, cls, Memory.allocUtf8String("getName"), Memory.allocUtf8String("()Ljava/lang/String;")); 182 | var name_jstring = funcCallObjectMethod(env, clz_obj2, mid_getName); 183 | var name_pchar = funcGetStringUTFChars(env, name_jstring, ptr(0)); 184 | var class_name = ptr(name_pchar).readCString(); 185 | funcReleaseStringUTFChars(env, name_jstring, name_pchar); 186 | 187 | //console.log(class_name); 188 | 189 
| var methods_ptr = ptr(args[2]); 190 | 191 | var method_count = parseInt(args[3]); 192 | for (var i = 0; i < method_count; i++) { 193 | var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3)); 194 | var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize)); 195 | var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2)); 196 | 197 | var name = Memory.readCString(name_ptr); 198 | var sig = Memory.readCString(sig_ptr); 199 | var find_module = Process.findModuleByAddress(fnPtr_ptr); 200 | console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base)); 201 | 202 | } 203 | }, 204 | onLeave: function (retval) { } 205 | }); 206 | } 207 | 208 | ishook_libart = true; 209 | } 210 | 211 | hook_libart(); 212 | -------------------------------------------------------------------------------- /FridaScript/hook_registerNative.js: -------------------------------------------------------------------------------- 1 | var ishook_libart = false; 2 | 3 | function hook_libart() { 4 | if (ishook_libart === true) { 5 | return; 6 | } 7 | var symbols = Module.enumerateSymbolsSync("libart.so"); 8 | var addrGetStringUTFChars = null; 9 | var addrNewStringUTF = null; 10 | var addrFindClass = null; 11 | var addrGetMethodID = null; 12 | var addrGetStaticMethodID = null; 13 | var addrGetFieldID = null; 14 | var addrGetStaticFieldID = null; 15 | var addrRegisterNatives = null; 16 | var addrAllocObject = null; 17 | var addrCallObjectMethod = null; 18 | var addrGetObjectClass = null; 19 | var addrReleaseStringUTFChars = null; 20 | for (var i = 0; i < symbols.length; i++) { 21 | var symbol = symbols[i]; 22 | if (symbol.name == "_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh") { 23 | addrGetStringUTFChars = symbol.address; 24 
| console.log("GetStringUTFChars is at ", symbol.address, symbol.name); 25 | } else if (symbol.name == "_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc") { 26 | addrNewStringUTF = symbol.address; 27 | console.log("NewStringUTF is at ", symbol.address, symbol.name); 28 | } else if (symbol.name == "_ZN3art3JNI9FindClassEP7_JNIEnvPKc") { 29 | addrFindClass = symbol.address; 30 | console.log("FindClass is at ", symbol.address, symbol.name); 31 | } else if (symbol.name == "_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_") { 32 | addrGetMethodID = symbol.address; 33 | console.log("GetMethodID is at ", symbol.address, symbol.name); 34 | } else if (symbol.name == "_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_") { 35 | addrGetStaticMethodID = symbol.address; 36 | console.log("GetStaticMethodID is at ", symbol.address, symbol.name); 37 | } else if (symbol.name == "_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_") { 38 | addrGetFieldID = symbol.address; 39 | console.log("GetFieldID is at ", symbol.address, symbol.name); 40 | } else if (symbol.name == "_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_") { 41 | addrGetStaticFieldID = symbol.address; 42 | console.log("GetStaticFieldID is at ", symbol.address, symbol.name); 43 | } else if (symbol.name == "_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") { 44 | addrRegisterNatives = symbol.address; 45 | console.log("RegisterNatives is at ", symbol.address, symbol.name); 46 | } else if (symbol.name.indexOf("_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass") >= 0) { 47 | addrAllocObject = symbol.address; 48 | console.log("AllocObject is at ", symbol.address, symbol.name); 49 | } else if (symbol.name.indexOf("_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz") >= 0) { 50 | addrCallObjectMethod = symbol.address; 51 | console.log("CallObjectMethod is at ", symbol.address, symbol.name); 52 | } else if (symbol.name.indexOf("_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject") >= 0) { 53 | 
addrGetObjectClass = symbol.address; 54 | console.log("GetObjectClass is at ", symbol.address, symbol.name); 55 | } else if (symbol.name.indexOf("_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc") >= 0) { 56 | addrReleaseStringUTFChars = symbol.address; 57 | console.log("ReleaseStringUTFChars is at ", symbol.address, symbol.name); 58 | } 59 | } 60 | 61 | if (addrRegisterNatives != null) { 62 | Interceptor.attach(addrRegisterNatives, { 63 | onEnter: function (args) { 64 | console.log("[RegisterNatives] method_count:", args[3]); 65 | var env = args[0]; 66 | var java_class = args[1]; 67 | 68 | var funcAllocObject = new NativeFunction(addrAllocObject, "pointer", ["pointer", "pointer"]); 69 | var funcGetMethodID = new NativeFunction(addrGetMethodID, "pointer", ["pointer", "pointer", "pointer", "pointer"]); 70 | var funcCallObjectMethod = new NativeFunction(addrCallObjectMethod, "pointer", ["pointer", "pointer", "pointer"]); 71 | var funcGetObjectClass = new NativeFunction(addrGetObjectClass, "pointer", ["pointer", "pointer"]); 72 | var funcGetStringUTFChars = new NativeFunction(addrGetStringUTFChars, "pointer", ["pointer", "pointer", "pointer"]); 73 | var funcReleaseStringUTFChars = new NativeFunction(addrReleaseStringUTFChars, "void", ["pointer", "pointer", "pointer"]); 74 | 75 | var clz_obj = funcAllocObject(env, java_class); 76 | var mid_getClass = funcGetMethodID(env, java_class, Memory.allocUtf8String("getClass"), Memory.allocUtf8String("()Ljava/lang/Class;")); 77 | var clz_obj2 = funcCallObjectMethod(env, clz_obj, mid_getClass); 78 | var cls = funcGetObjectClass(env, clz_obj2); 79 | var mid_getName = funcGetMethodID(env, cls, Memory.allocUtf8String("getName"), Memory.allocUtf8String("()Ljava/lang/String;")); 80 | var name_jstring = funcCallObjectMethod(env, clz_obj2, mid_getName); 81 | var name_pchar = funcGetStringUTFChars(env, name_jstring, ptr(0)); 82 | var class_name = ptr(name_pchar).readCString(); 83 | funcReleaseStringUTFChars(env, name_jstring, 
name_pchar); 84 | 85 | //console.log(class_name); 86 | 87 | var methods_ptr = ptr(args[2]); 88 | 89 | var method_count = parseInt(args[3]); 90 | for (var i = 0; i < method_count; i++) { 91 | var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3)); 92 | var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize)); 93 | var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2)); 94 | 95 | var name = Memory.readCString(name_ptr); 96 | var sig = Memory.readCString(sig_ptr); 97 | var find_module = Process.findModuleByAddress(fnPtr_ptr); 98 | console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base)); 99 | 100 | } 101 | }, 102 | onLeave: function (retval) { } 103 | }); 104 | } 105 | 106 | ishook_libart = true; 107 | } 108 | 109 | hook_libart(); -------------------------------------------------------------------------------- /FridaScript/protocol_hook.js: -------------------------------------------------------------------------------- 1 | // start with: 2 | // frida -U -l pinning.js -f [APP_ID] --no-pause 3 | 4 | console.log("Script loaded successfully 55"); 5 | // Uint8Array 代表答应字符串 6 | // ByteArray2Hex 代表转换成16进制 7 | 8 | 9 | //**************************************************************************************************// 10 | //*****************************************MD5加密***************************************************// 11 | //**************************************************************************************************// 12 | 13 | 14 | // MD5 15 | Java.perform(function(){ 16 | var MessageDigest= Java.use('java.security.MessageDigest'); 17 | 18 | MessageDigest.getInstance.overload('java.lang.String').implementation=function(arg1){ 19 | // 
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new())); 20 | console.log(arg1); 21 | var ret = this.getInstance(arg1); 22 | return ret; 23 | } 24 | 25 | MessageDigest.update.overload('[B').implementation=function(arg1){ 26 | console.log("use update.overload('[B') "); 27 | parseIn(arg1); 28 | var ret = this.update(arg1); 29 | return ret; 30 | } 31 | 32 | MessageDigest.digest.overload().implementation=function(){ 33 | console.log('use digest.overload()'); 34 | var ret = this.digest(); 35 | parseOut(ret); 36 | return ret; 37 | } 38 | 39 | MessageDigest.digest.overload("[B","int","int").implementation=function(buf,offset,len){ 40 | console.log('use digest.overload("[B","int","int")'); 41 | parseIn(buf); 42 | var ret = this.digest(buf,offset,len); 43 | parseOut(ret); 44 | return ret; 45 | } 46 | 47 | MessageDigest.digest.overload("[B").implementation=function(buf){ 48 | console.log('use digest.overload("[B")'); 49 | parseIn(buf); 50 | var ret = this.digest(buf); 51 | parseOut(ret); 52 | return ret; 53 | } 54 | }); 55 | 56 | 57 | 58 | function parseIn(input){ 59 | var Integer= Java.use('java.lang.Integer'); 60 | var String= Java.use('java.lang.String'); 61 | try{ 62 | console.log("original:"+String.$new(input)); 63 | } 64 | catch(e){ 65 | console.log(parseHex(input)); 66 | } 67 | } 68 | 69 | function parseOut(ret){ 70 | var Integer= Java.use('java.lang.Integer'); 71 | var String= Java.use('java.lang.String'); 72 | var result = ""; 73 | for(var i = 0;i>>>>>>>>>>>>>> "+ByteArray2Hex(x)); 193 | var ret = cipher.doFinal.overload("[B").call(this, x); 194 | // 解密阶段 new String(ret) 为明文 195 | send('{"my_type" : "after_doFinal" , "hashcode" :"' + this.hashCode().toString() + '" }', new Uint8Array(ret)); 196 | send("after_doFinal <<<<<<<<<<<<<<<< "+ByteArray2Hex(ret)); 197 | return ret; 198 | } 199 | 200 | // 201 | var mac = Java.use("javax.crypto.Mac"); 202 | mac.doFinal.overload("[B").implementation = function (x) { 203 | 
send('{"my_type" : "before_doFinal" , "hashcode" :"' + this.hashCode().toString() + '" }', new Uint8Array(x)); 204 | var ret = mac.doFinal.overload("[B").call(this, x); 205 | var hexstr = ByteArray2Hex(ret); 206 | send("after_doFinal HEX: " + hexstr); 207 | send("after_doFinal HEX: " + hexstr.toUpperCase()); 208 | return ret; 209 | } 210 | 211 | }); 212 | 213 | function Uint8ArrayToString(fileData){ 214 | var dataString = ""; 215 | for (var i = 0; i < fileData.length; i++) { 216 | dataString += String.fromCharCode(fileData[i]); 217 | } 218 | 219 | return dataString 220 | } 221 | 222 | 223 | function ByteArray2Hex(ret){ 224 | var hexstr=""; 225 | for (var i=0;i>>0)&0xff; 228 | var n=b.toString(16); 229 | hexstr += ("00" + n).slice(-2)+""; 230 | } 231 | return hexstr; 232 | } 233 | 234 | 235 | //**************************************************************************************************// 236 | //*****************************************ssl ping抓包*********************************************// 237 | //**************************************************************************************************// 238 | 239 | 240 | // hook ssl pinning 241 | Java.perform(function () { 242 | console.log('') 243 | console.log('===') 244 | console.log('* Injecting hooks into common certificate pinning methods *') 245 | console.log('===') 246 | 247 | var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); 248 | var SSLContext = Java.use('javax.net.ssl.SSLContext'); 249 | 250 | // build fake trust manager 251 | var TrustManager = Java.registerClass({ 252 | name: 'com.sensepost.test.TrustManager', 253 | implements: [X509TrustManager], 254 | methods: { 255 | checkClientTrusted: function (chain, authType) { 256 | }, 257 | checkServerTrusted: function (chain, authType) { 258 | }, 259 | getAcceptedIssuers: function () { 260 | return []; 261 | } 262 | } 263 | }); 264 | 265 | // pass our own custom trust manager through when requested 266 | var TrustManagers = 
[TrustManager.$new()]; 267 | var SSLContext_init = SSLContext.init.overload( 268 | '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom' 269 | ); 270 | SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) { 271 | console.log('! Intercepted trustmanager request'); 272 | SSLContext_init.call(this, keyManager, TrustManagers, secureRandom); 273 | }; 274 | 275 | console.log('* Setup custom trust manager'); 276 | 277 | // okhttp3 278 | try { 279 | var CertificatePinner = Java.use('okhttp3.CertificatePinner'); 280 | CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) { 281 | console.log('! Intercepted okhttp3: ' + str); 282 | return; 283 | }; 284 | 285 | console.log('* Setup okhttp3 pinning') 286 | } catch(err) { 287 | console.log('* Unable to hook into okhttp3 pinner') 288 | } 289 | 290 | // trustkit 291 | try { 292 | var Activity = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier"); 293 | Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) { 294 | console.log('! Intercepted trustkit{1}: ' + str); 295 | return true; 296 | }; 297 | 298 | Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) { 299 | console.log('! Intercepted trustkit{2}: ' + str); 300 | return true; 301 | }; 302 | 303 | console.log('* Setup trustkit pinning') 304 | } catch(err) { 305 | console.log('* Unable to hook into trustkit pinner') 306 | } 307 | 308 | // TrustManagerImpl 309 | try { 310 | var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl'); 311 | TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) { 312 | console.log('! 
Intercepted TrustManagerImp: ' + host); 313 | return untrustedChain; 314 | } 315 | 316 | console.log('* Setup TrustManagerImpl pinning') 317 | } catch (err) { 318 | console.log('* Unable to hook into TrustManagerImpl') 319 | } 320 | 321 | // Appcelerator 322 | try { 323 | var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager'); 324 | PinningTrustManager.checkServerTrusted.implementation = function () { 325 | console.log('! Intercepted Appcelerator'); 326 | } 327 | 328 | console.log('* Setup Appcelerator pinning') 329 | } catch (err) { 330 | console.log('* Unable to hook into Appcelerator pinning') 331 | } 332 | }); -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. 
Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. 
Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. 
Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. 
A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 
163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 
196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 
229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | <one line to give the program's name and a brief idea of what it does.> 635 | Copyright (C) <year> <name of author> 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see <https://www.gnu.org/licenses/>. 649 | 650 | Also add information on how to contact you by electronic and paper mail.
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AppProtocolReverse 2 | 3 | App传输协议逆向 4 | 利用frida hook java jdk 中的加密函数与方法,打印响应参数进行分析,还原算法, 5 | 脚本中包含了MD5 AES DES RSA 等一些列加密算法,以及解决app无法抓包的sslping脚本。 6 | 7 | ## Steps 8 | 9 | 1. frida启动脚本。 10 | 11 | frida -U -l protocol_hook.js -f libcms.so --no-pause 12 | 13 | 2. 启动app点击发送请求,查看响应日志。 14 | 15 | 3. 
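还原算法的测试代码在AppProtocolReverse\RegressionAlgorithm\script下。

--------------------------------------------------------------------------------
/RegressionAlgorithm/script/AES.java:
--------------------------------------------------------------------------------
package com.lang.script;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

/*******************************************************************************
 * AES encryption / decryption helper.
 * http://tools.lami.la/jiami/aes
 * Original note: the AES block size is 128 bits, so an IV must be 16 characters
 * long (ECB mode takes no IV); the key is 16, 24 or 32 characters depending on
 * the chosen key size; IV and key are truncated when too long and padded with
 * trailing '\0' when too short.
 *
 * NOTE(review): the code below does not truncate or pad the secret as that note
 * describes; it hashes the secret with SHA-1 and keeps the first 16 bytes.
 *
 * Security caveats for anyone reusing this class outside a test harness:
 *  - The key is a single unsalted SHA-1 of the secret, so a guessable secret
 *    gives a guessable key; a password KDF (e.g. PBKDF2WithHmacSHA256) is the
 *    usual replacement.
 *  - ECB encrypts equal plaintext blocks to equal ciphertext blocks and carries
 *    no integrity check; an authenticated mode such as AES/GCM/NoPadding avoids
 *    both problems.
 *  - The key lives in static fields, so concurrent callers using different
 *    secrets can overwrite each other's key.
 *******************************************************************************/
public class AES {

    private static SecretKeySpec secretKey;
    private static byte[] key;

    /**
     * Derives the AES-128 key from {@code myKey}: SHA-1 over its UTF-8 bytes,
     * truncated to 16 bytes, stored in the static {@code secretKey} field.
     *
     * @param myKey secret string the key is derived from
     */
    public static void setKey(String myKey)
    {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(myKey.getBytes("UTF-8"));
            key = Arrays.copyOf(digest, 16);
            secretKey = new SecretKeySpec(key, "AES");
        }
        catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
            // Drop any key left over from an earlier call: without this, a failed
            // derivation would let encrypt()/decrypt() silently run with the
            // previous caller's key instead of failing.
            key = null;
            secretKey = null;
            e.printStackTrace();
        }
    }

    /**
     * Encrypts {@code strToEncrypt} (UTF-8) with AES/ECB/PKCS5Padding under the
     * key derived from {@code secret}.
     *
     * @param strToEncrypt plaintext
     * @param secret       secret passed to {@link #setKey(String)}
     * @return Base64 ciphertext, or {@code null} if anything fails (the error is
     *         printed to stdout)
     */
    public static String encrypt(String strToEncrypt, String secret)
    {
        try
        {
            setKey(secret);
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
            byte[] cipherText = cipher.doFinal(strToEncrypt.getBytes("UTF-8"));
            return Base64.getEncoder().encodeToString(cipherText);
        }
        catch (Exception e)
        {
            System.out.println("Error while encrypting: " + e.toString());
        }
        return null;
    }

    /**
     * Reverses {@link #encrypt(String, String)}.
     *
     * @param strToDecrypt Base64 ciphertext
     * @param secret       secret passed to {@link #setKey(String)}
     * @return the plaintext, or {@code null} if anything fails (the error is
     *         printed to stdout)
     */
    public static String decrypt(String strToDecrypt, String secret)
    {
        try
        {
            setKey(secret);
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING");
            cipher.init(Cipher.DECRYPT_MODE, secretKey);
            byte[] plain = cipher.doFinal(Base64.getDecoder().decode(strToDecrypt));
            // encrypt() encodes the plaintext as UTF-8, so decode it the same way
            // instead of relying on the platform default charset.
            return new String(plain, "UTF-8");
        }
        catch (Exception e)
        {
            System.out.println("Error while decrypting: " + e.toString());
        }
        return null;
    }
}
--------------------------------------------------------------------------------
/RegressionAlgorithm/script/AESUtils.java:
--------------------------------------------------------------------------------
package com.lang.script;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;


/*******************************************************************************
 * AES routines reconstructed while debugging with Frida.
 *******************************************************************************/
public class AESUtils {

    /**
     * Converts a hexadecimal string to bytes.
     *
     * @param s hex string with an even number of characters
     * @return the decoded bytes
     * @throws IllegalArgumentException if the length is odd or a character is
     *         not a hex digit (previously an odd length failed with an index
     *         error and a bad digit silently produced a wrong byte)
     */
    public static byte[] hexStringToByteArray(String s) {

        int len = s.length();
        if (len % 2 != 0) {
            throw new IllegalArgumentException("hex string must have an even length");
        }
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            int hi = Character.digit(s.charAt(i), 16);
            int lo = Character.digit(s.charAt(i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("invalid hex digit near index " + i);
            }
            data[i / 2] = (byte) ((hi << 4) + lo);
        }
        // NOTE(review): this echoes the decoded bytes to stdout, and the callers in
        // this class pass key and IV material through here, so the key ends up in
        // console output and any captured logs.
        System.out.println("(key不一定可逆)hexStringToByteArray:"+new String(data));
        return data;
    }

    // Encrypt
    public static String Encrypt(String Src) throws Exception {
        String Key = "5565504004055655";
        byte[] key = Key.getBytes();
        SecretKeySpec keySpec = new SecretKeySpec(hexStringToByteArray("a2f85a04b49048153c9e61f93be968f5"), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");// "algorithm/mode/padding"

        // IvParameterSpec iv = new IvParameterSpec(hexStringToByteArray("0a010b05040f070917030106080c0d5b"));
        // cipher.init(Cipher.ENCRYPT_MODE,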
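keySpec,iv);

        cipher.init(Cipher.ENCRYPT_MODE, keySpec);
        return Base64.getEncoder().encodeToString(cipher.doFinal(Src.getBytes("UTF-8")));
    }


    /**
     * Decrypts Base64 ciphertext produced by {@code Encrypt}.
     *
     * The original comment labelled this "AES/CBC/PKCS5Padding", but the
     * transformation actually requested is AES/ECB/PKCS5Padding; the CBC/IV
     * lines are commented out.
     *
     * NOTE(review): the AES key is a constant compiled into this class. A key
     * shipped inside a client can be read by anyone who can inspect or
     * instrument that client, so it protects nothing beyond casual inspection.
     * ECB additionally reveals repeated plaintext blocks and has no integrity
     * check.
     *
     * @param Src Base64 ciphertext
     * @return the plaintext, or {@code null} if decryption fails (the stack
     *         trace is printed)
     * @throws Exception declared for compatibility; failures are caught here
     */
    public static String Decrypt(String Src) throws Exception {
        try {
            // Key/key are not used by the cipher below; the key that is used is
            // the hex constant passed to SecretKeySpec.
            String Key = "5565504004055655";
            byte[] key = Key.getBytes("ASCII");
            SecretKeySpec keySpec = new SecretKeySpec(hexStringToByteArray("a2f85a04b49048153c9e61f93be968f5"), "AES");
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");// "algorithm/mode/padding"

            // IvParameterSpec iv = new IvParameterSpec(hexStringToByteArray("33626539303734623433363932616363"));
            // cipher.init(Cipher.DECRYPT_MODE, keySpec,iv);

            cipher.init(Cipher.DECRYPT_MODE, keySpec);
            byte[] plain = cipher.doFinal(Base64.getDecoder().decode(Src));
            // Encrypt encodes the plaintext as UTF-8; decode with the same charset
            // rather than the platform default.
            return new String(plain, "UTF-8");
        } catch (Exception ex) {
            ex.printStackTrace();
            return null;
        }
    }

    /**
     * Decrypts hex-encoded ciphertext with AES/CBC/PKCS5Padding using a key and
     * IV that are both fixed constants.
     *
     * NOTE(review): presumably these constants were observed in the application
     * under analysis; confirm against the capture they came from. From a
     * defender's point of view the scheme is weak in three ways: the key is
     * recoverable from the client, the IV never changes (so messages sharing a
     * prefix share ciphertext blocks), and nothing authenticates the ciphertext.
     * A per-message random IV with an authenticated mode, and a key that is not
     * embedded in the client, are the usual fixes.
     *
     * @param src hex-encoded ciphertext
     * @return the plaintext decoded with the platform default charset
     *         (NOTE(review): the sender's charset is not visible here; verify),
     *         or {@code null} if decryption fails
     * @throws Exception declared for compatibility; failures are caught here
     */
    public static String HDecrypt(String src) throws Exception {
        System.out.println("HDecrypt");
        try {
            SecretKeySpec keySpec = new SecretKeySpec(hexStringToByteArray("d8ef94301cd8e477562d121342b0457b"), "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");// "algorithm/mode/padding"

            IvParameterSpec iv = new IvParameterSpec(hexStringToByteArray("37313865646437643239633038386234"));
            cipher.init(Cipher.DECRYPT_MODE, keySpec,iv);

            return new String(cipher.doFinal(hexStringToByteArray(src)));
        } catch (Exception ex) {
            ex.printStackTrace();
            return null;
        }
    }




    public static void main(String[] args) throws Exception {


        /*
         * The encryption key may consist of the 26 letters and digits; reserved
         * characters are best avoided although they would not cause an error;
         * use your own judgement.
         * Original note: AES-128-CBC is used here, so the key must be 16 characters.
         * NOTE(review): Encrypt/Decrypt in this class request AES/ECB, not CBC.
         */
        // String to encrypt
        String Src = "howtodoinjava.com";
        System.out.println(Src);
        // Encrypt
        String enString = AESUtils.Encrypt(Src);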
102 | System.out.println("加密后的字串是:" + enString); 103 | 104 | 105 | // 解密 106 | String DeString = AESUtils.Decrypt(enString); 107 | System.out.println("解密后的字串是:" + DeString); 108 | 109 | // 逆向复制 110 | String result=AESUtils.HDecrypt("aef24dbb6e865e821e72a4d6709c717f530e6e5cfd84aba9826ae2685684f5178c7f5e89dad1fd6d59a34d8e052e200d78ba2ffe78b518076d1044082c3eec142c2f0a01e895ac960e8e7472f83052a90dce40bac02572cafa50169aa90c952667e682907de745b51fd84a995d57dfe3dc3f56d5e7a09fe4b58d80ab29c05e177b5edd87732fb4eeb49ed3715ad9b9becc9c769dfb1cf62d3b259666023cac0a60717bb806c8f9038ccda93a82d75924bc8a61e2b180680f2cca6bfdac3aa9b0c99b767e2f980c26f2ce86bb4cdd56fcb1598aefae38ed1f0e9d7c523d953aff784b56c365aae05731aa5a5da506c61da88ee1711f9663b4a3db0897e5a6e56d040321bd4ed4940c09f74fd387a96bb3410986adcab10bff69c5a1d37790ac6f"); 111 | System.out.println("解密后的字串是:" + result); 112 | 113 | } 114 | } -------------------------------------------------------------------------------- /RegressionAlgorithm/script/HMACSHA256Util.java: -------------------------------------------------------------------------------- 1 | package com.lang.script; 2 | 3 | import javax.crypto.Mac; 4 | import javax.crypto.spec.SecretKeySpec; 5 | 6 | public class HMACSHA256Util { 7 | // SECRET KEY 8 | private final static String secret_key = "J1r852d15X2jva8cdS97N121H8903097"; 9 | /** 10 | * 将加密后的字节数组转换成字符串 11 | * 12 | * @param b 字节数组 13 | * @return 字符串 14 | */ 15 | private static String byteArrayToHexString(byte[] b) { 16 | StringBuilder hs = new StringBuilder(); 17 | String stmp; 18 | for (int n = 0; b!=null && n < b.length; n++) { 19 | stmp = Integer.toHexString(b[n] & 0XFF); 20 | if (stmp.length() == 1) 21 | hs.append('0'); 22 | hs.append(stmp); 23 | } 24 | return hs.toString().toLowerCase(); 25 | } 26 | /** 27 | * sha256_HMAC加密 28 | * @param message 消息 29 | * @param secret 秘钥 30 | * @return 加密后字符串 31 | */ 32 | public static String sha256_HMAC(String message, String secret) { 33 | String hash = ""; 34 | try { 35 | Mac 
sha256_HMAC = Mac.getInstance("HmacSHA256"); 36 | SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256"); 37 | sha256_HMAC.init(secret_key); 38 | byte[] bytes = sha256_HMAC.doFinal(message.getBytes()); 39 | hash = byteArrayToHexString(bytes); 40 | System.out.println(hash); 41 | } catch (Exception e) { 42 | System.out.println("Error HmacSHA256 ===========" + e.getMessage()); 43 | } 44 | return hash; 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /RegressionAlgorithm/script/HttpURLConnectionExample.java: -------------------------------------------------------------------------------- 1 | package com.lang.script; 2 | 3 | import javax.net.ssl.HttpsURLConnection; 4 | import java.io.BufferedReader; 5 | import java.io.DataOutputStream; 6 | import java.io.InputStreamReader; 7 | import java.net.HttpURLConnection; 8 | import java.net.URL; 9 | 10 | public class HttpURLConnectionExample { 11 | 12 | private final String USER_AGENT = "Mozilla/5.0"; 13 | 14 | public static void main(String[] args) throws Exception { 15 | 16 | HttpURLConnectionExample http = new HttpURLConnectionExample(); 17 | 18 | System.out.println("Testing 1 - Send Http GET request"); 19 | http.sendGet(); 20 | 21 | System.out.println("\nTesting 2 - Send Http POST request"); 22 | http.sendPost(); 23 | 24 | } 25 | 26 | // HTTP GET请求 27 | private void sendGet() throws Exception { 28 | 29 | String url = "http://www.google.com/search?q=mkyong"; 30 | 31 | URL obj = new URL(url); 32 | HttpURLConnection con = (HttpURLConnection) obj.openConnection(); 33 | 34 | //默认值我GET 35 | con.setRequestMethod("GET"); 36 | 37 | //添加请求头 38 | con.setRequestProperty("User-Agent", USER_AGENT); 39 | 40 | int responseCode = con.getResponseCode(); 41 | System.out.println("\nSending 'GET' request to URL : " + url); 42 | System.out.println("Response Code : " + responseCode); 43 | 44 | BufferedReader in = new BufferedReader( 45 | new 
InputStreamReader(con.getInputStream())); 46 | String inputLine; 47 | StringBuffer response = new StringBuffer(); 48 | 49 | while ((inputLine = in.readLine()) != null) { 50 | response.append(inputLine); 51 | } 52 | in.close(); 53 | 54 | //打印结果 55 | System.out.println(response.toString()); 56 | 57 | } 58 | 59 | // HTTP POST请求 60 | private void sendPost() throws Exception { 61 | 62 | String url = "https://selfsolve.apple.com/wcResults.do"; 63 | URL obj = new URL(url); 64 | HttpsURLConnection con = (HttpsURLConnection) obj.openConnection(); 65 | 66 | //添加请求头 67 | con.setRequestMethod("POST"); 68 | con.setRequestProperty("User-Agent", USER_AGENT); 69 | con.setRequestProperty("Accept-Language", "en-US,en;q=0.5"); 70 | 71 | String urlParameters = "sn=C02G8416DRJM&cn=&locale=&caller=&num=12345"; 72 | 73 | //发送Post请求 74 | con.setDoOutput(true); 75 | DataOutputStream wr = new DataOutputStream(con.getOutputStream()); 76 | wr.writeBytes(urlParameters); 77 | wr.flush(); 78 | wr.close(); 79 | 80 | int responseCode = con.getResponseCode(); 81 | System.out.println("\nSending 'POST' request to URL : " + url); 82 | System.out.println("Post parameters : " + urlParameters); 83 | System.out.println("Response Code : " + responseCode); 84 | 85 | BufferedReader in = new BufferedReader( 86 | new InputStreamReader(con.getInputStream())); 87 | String inputLine; 88 | StringBuffer response = new StringBuffer(); 89 | 90 | while ((inputLine = in.readLine()) != null) { 91 | response.append(inputLine); 92 | } 93 | in.close(); 94 | 95 | //打印结果 96 | System.out.println(response.toString()); 97 | 98 | } 99 | 100 | } -------------------------------------------------------------------------------- /RegressionAlgorithm/script/MD5Utils.java: -------------------------------------------------------------------------------- 1 | package com.lang.script; 2 | 3 | import java.security.MessageDigest; 4 | import java.security.NoSuchAlgorithmException; 5 | 6 | 
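/*****************************************************************************************
 * MD5 hashing helper.
 *
 * NOTE(review): MD5 is not collision resistant. It is acceptable here for
 * reproducing a digest that an existing protocol already computes, but it
 * should not be relied on for integrity, signatures or password storage.
 *****************************************************************************************/
public class MD5Utils {
    // Lower-case hexadecimal alphabet, indexed by nibble value.
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    /**
     * Returns the lower-case hex MD5 digest of {@code str}.
     *
     * The input is encoded as UTF-8. The original used the platform default
     * charset, which makes the digest of non-ASCII input depend on the machine
     * the harness runs on (ASCII input hashes the same either way).
     *
     * @param str text to hash
     * @return 32-character hex digest, or {@code null} if MD5 is unavailable
     */
    public static String getMD5String(String str) {
        byte[] input = str.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        String result = null;

        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(input);
            byte[] digest = md.digest();
            result = bytesToHex(digest, 0, digest.length);
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        return result;

    }

    /**
     * Hex-encodes a slice of {@code bytedata}.
     *
     * @param bytedata        source bytes
     * @param starRatingStyle index of the first byte to encode (the name looks
     *                        like a decompiler artefact; it is an offset)
     * @param encyptBody      number of bytes to encode
     * @return lower-case hex string of the selected bytes
     */
    public static String bytesToHex(byte[] bytedata, int starRatingStyle, int encyptBody) {
        StringBuilder hex = new StringBuilder();
        int end = starRatingStyle + encyptBody;
        for (int i = starRatingStyle; i < end; i++) {
            hex.append(byteToHex(bytedata[i]));
        }
        return hex.toString();
    }

    /**
     * Hex-encodes a single byte as two lower-case characters.
     *
     * @param paramByte byte to encode
     * @return two-character hex string
     */
    public static String byteToHex(byte paramByte)
    {
        char high = HEX_DIGITS[(paramByte & 0xF0) >> 4];
        char low = HEX_DIGITS[paramByte & 0xF];
        return high + "" + low;
    }



}
--------------------------------------------------------------------------------
/RegressionAlgorithm/script/RASUtils.java:
--------------------------------------------------------------------------------
package com.lang.script;

import javax.crypto.Cipher;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;


/*******************************************************************************
 * RSA routines reconstructed while debugging with Frida.
 *******************************************************************************/
public class RASUtils {


    /**
     * Converts a hexadecimal string to bytes.
     *
     * @param s hex string with an even number of characters
     * @return the decoded bytes
     * @throws IllegalArgumentException if the length is odd or a character is
     *         not a hex digit (previously an odd length failed with an index
     *         error and a bad digit silently produced a wrong byte)
     */
    public static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        if (len % 2 != 0) {
            throw new IllegalArgumentException("hex string must have an even length");
        }
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            int hi = Character.digit(s.charAt(i), 16);
            int lo = Character.digit(s.charAt(i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("invalid hex digit near index " + i);
            }
            data[i / 2] = (byte) ((hi << 4) + lo);
        }
        // NOTE(review): this prints the decoded bytes; the callers in this class
        // pass encoded keys through here, so key material reaches stdout and any
        // captured logs.
        System.out.println(new String(data));
        return data;
    }

    /**
     * Base64-decodes a string.
     *
     * @param key Base64 text to decode
     * @return the decoded bytes
     */
    public static byte[] decryptBase64(String key) {
        return Base64.getDecoder().decode(key);
    }

    /**
     * Base64-encodes a byte array.
     *
     * @param key bytes to encode
     * @return the Base64 text
     */
    public static String encryptBase64(byte[] key) {
        return new String(Base64.getEncoder().encode(key));
    }

    /**
     * Encrypts a string with an RSA public key (original note: for the case
     * where the peer is known to encrypt with the public key).
     *
     * NOTE(review): the transformation is the bare algorithm name "RSA", which
     * leaves mode and padding to the provider default. That default may differ
     * between providers (for example a desktop JDK and Android), so output from
     * this harness can disagree with the application being reproduced until the
     * padding is spelled out explicitly.
     *
     * @param encryptingStr plaintext, encoded as UTF-8 before encryption
     * @param publicKeyStr  hex string of the X.509-encoded public key (the
     *                      original comment said "UTF-8 bytes", but the code
     *                      hex-decodes it)
     * @return Base64 ciphertext, or {@code null} if anything fails (the stack
     *         trace is printed)
     */
    public static String encryptByPublic(String encryptingStr, String publicKeyStr){
        try {
            // Hex-decode the encoded public key
            byte[] publicKeyBytes = hexStringToByteArray(publicKeyStr);
            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
            // Data to encrypt
            byte[] data = encryptingStr.getBytes("UTF-8");
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PublicKey publicKey = keyFactory.generatePublic(keySpec);

            System.out.println(keyFactory.getAlgorithm());
            // Encrypt the data
            Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            // Return the ciphertext Base64-encoded
            return encryptBase64(cipher.doFinal(data));
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    /**
     * Private-key variant (original note: for the case where the peer is known
     * to encrypt or decrypt with the private key).
     * @param encryptingStr
     * @param privateKeyStr
     * 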
@return 86 | */ 87 | public static String encryptByPrivate(String encryptingStr, String privateKeyStr){ 88 | try { 89 | // 将公钥由字符串转为UTF-8格式的字节数组 90 | byte[] publicKeyBytes = hexStringToByteArray(privateKeyStr); 91 | // 获得公钥 92 | PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(publicKeyBytes); 93 | // 取得待加密数据 94 | byte[] data = encryptingStr.getBytes("UTF-8"); 95 | KeyFactory keyFactory = KeyFactory.getInstance("RSA"); 96 | PrivateKey privateKey = keyFactory.generatePrivate(keySpec); 97 | // 对数据加密 98 | Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm()); 99 | cipher.init(Cipher.ENCRYPT_MODE, privateKey); 100 | // 返回加密后由Base64编码的加密信息 101 | return encryptBase64(cipher.doFinal(data)); 102 | } catch (Exception e) { 103 | e.printStackTrace(); 104 | } 105 | return null; 106 | } 107 | 108 | /** 109 | * 确定对方用公钥加密 or 解密 110 | * @param encryptedStr 111 | * @param publicKeyStr frida 打印出的key 112 | * @return 113 | */ 114 | public static String decryptByPublic(String encryptedStr, String publicKeyStr){ 115 | try { 116 | // 对公钥解密 117 | byte[] publicKeyBytes = hexStringToByteArray(publicKeyStr); 118 | // 取得公钥 119 | X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes); 120 | // 取得待加密数据 121 | KeyFactory factory = KeyFactory.getInstance("RSA"); 122 | PublicKey publicKey = factory.generatePublic(keySpec); 123 | // 对数据解密 124 | Cipher cipher = Cipher.getInstance(factory.getAlgorithm()); 125 | cipher.init(Cipher.DECRYPT_MODE, publicKey); 126 | // 返回UTF-8编码的解密信息 127 | return new String(cipher.doFinal(hexStringToByteArray(encryptedStr))); 128 | } catch (Exception e) { 129 | e.printStackTrace(); 130 | } 131 | 132 | return null; 133 | } 134 | 135 | public static void main(String[] args) throws Exception { 136 | /* 137 | * 加密用的Key 可以用26个字母和数字组成,最好不要用保留字符,虽然不会错,至于怎么裁决,个人看情况而定 138 | * 此处使用AES-128-CBC加密模式,key需要为16位。 139 | */ 140 | String Key = "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"; 141 | // 需要加密的字串 142 | String Src = "This is a secret message"; 143 
| System.out.println(Src); 144 | // 加密 145 | // String enString = RASUtils.encryptByPrivate(Src, Key); 146 | // System.out.println("加密后的字串是:" + enString); 147 | 148 | String encodeBody="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"; 149 | String eString = RASUtils.decryptByPublic(encodeBody, Key); 150 | System.out.println("解密后的字串是:" + eString); 151 | } 152 | } -------------------------------------------------------------------------------- /RegressionAlgorithm/script/RASUtilsNew.java: -------------------------------------------------------------------------------- 1 | package com.lang.script; 2 | 3 | import javax.crypto.*; 4 | import java.security.*; 5 | import java.security.spec.X509EncodedKeySpec; 6 | import java.util.Base64; 7 | 8 | /******************************************************************************* 9 | * AES加解密算法 10 | * http://tools.lami.la/jiami/aes 11 | * 说明:AES数据块长度为128位,所以IV长度需要为16个字符(ECB模式不用IV),密钥根据指定密钥位数分别为16、24、32个字符,IV与密钥超过长度则截取,不足则在末尾填充'\0'补足 12 | *******************************************************************************/ 13 | 14 | 15 | public class RASUtilsNew { 16 | 17 | public static void encrypt() { 18 | 19 | 20 | try { 21 | KeyGenerator generator = KeyGenerator.getInstance("AES"); 22 | generator.init(128); // The AES key size in number of bits 23 | SecretKey secKey = generator.generateKey(); 24 | 25 | String plainText = "Please encrypt me urgently..."; 26 | Cipher aesCipher = Cipher.getInstance("AES"); 27 | aesCipher.init(Cipher.ENCRYPT_MODE, secKey); 28 | byte[] byteCipherText = aesCipher.doFinal(plainText.getBytes()); 29 | 30 | KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); 31 | kpg.initialize(2048); 32 | KeyPair keyPair = kpg.generateKeyPair(); 33 | 34 | PublicKey puKey = keyPair.getPublic(); 35 | PrivateKey prKey = keyPair.getPrivate(); 36 | 37 | Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); 38 | cipher.init(Cipher.PUBLIC_KEY, puKey); 39 | byte[] encryptedKey = 
cipher.doFinal(secKey.getEncoded()/*Seceret Key From Step 1*/); 40 | 41 | } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) { 42 | e.printStackTrace(); 43 | } 44 | 45 | 46 | 47 | } 48 | 49 | public static byte[] hexStringToByteArray(String s) { 50 | int len = s.length(); 51 | byte[] data = new byte[len / 2]; 52 | for (int i = 0; i < len; i += 2) { 53 | data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) 54 | + Character.digit(s.charAt(i+1), 16)); 55 | } 56 | return data; 57 | } 58 | 59 | /** 60 | * BASE64 解码 61 | * @param key 需要Base64解码的字符串 62 | * @return 字节数组 63 | */ 64 | public static byte[] decryptBase64(String key) { 65 | return Base64.getDecoder().decode(key); 66 | } 67 | 68 | /** 69 | * BASE64 编码 70 | * @param key 需要Base64编码的字节数组 71 | * @return 字符串 72 | */ 73 | public static String encryptBase64(byte[] key) { 74 | return new String(Base64.getEncoder().encode(key)); 75 | } 76 | 77 | /** 78 | * 公钥加密 79 | * @param encryptingStr 80 | * @param publicKeyStr 81 | * @return 82 | */ 83 | public static String encryptByPublic(String encryptingStr, String publicKeyStr){ 84 | try { 85 | // 将公钥由字符串转为UTF-8格式的字节数组 86 | // byte[] publicKeyBytes = decryptBase64(publicKeyStr); 87 | byte[] publicKeyBytes = hexStringToByteArray(publicKeyStr); 88 | // 获得公钥 89 | X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes); 90 | // 取得待加密数据 91 | byte[] data = encryptingStr.getBytes("UTF-8"); 92 | KeyFactory factory; 93 | factory = KeyFactory.getInstance("RSA"); 94 | PublicKey publicKey = factory.generatePublic(keySpec); 95 | // 对数据加密 96 | Cipher cipher = Cipher.getInstance(factory.getAlgorithm()); 97 | cipher.init(Cipher.ENCRYPT_MODE, publicKey); 98 | // 返回加密后由Base64编码的加密信息 99 | return encryptBase64(cipher.doFinal(data)); 100 | } catch (Exception e) { 101 | e.printStackTrace(); 102 | } 103 | return null; 104 | } 105 | 106 | /** 107 | * 公钥解密 108 | * @param encryptedStr 109 | * @param 
publicKeyStr 110 | * @return 111 | */ 112 | public static String decryptByPublic(String encryptedStr, String publicKeyStr){ 113 | try { 114 | // 对公钥解密 115 | byte[] publicKeyBytes = decryptBase64(publicKeyStr); 116 | // 取得公钥 117 | X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes); 118 | // 取得待加密数据 119 | byte[] data = decryptBase64(encryptedStr); 120 | KeyFactory factory = KeyFactory.getInstance("RSA"); 121 | PublicKey publicKey = factory.generatePublic(keySpec); 122 | // 对数据解密 123 | Cipher cipher = Cipher.getInstance(factory.getAlgorithm()); 124 | cipher.init(Cipher.DECRYPT_MODE, publicKey); 125 | // 返回UTF-8编码的解密信息 126 | return new String(cipher.doFinal(data), "UTF-8"); 127 | } catch (Exception e) { 128 | e.printStackTrace(); 129 | } 130 | 131 | return null; 132 | } 133 | 134 | public static void main(String[] args) throws Exception { 135 | /* 136 | * 加密用的Key 可以用26个字母和数字组成,最好不要用保留字符,虽然不会错,至于怎么裁决,个人看情况而定 137 | * 此处使用AES-128-CBC加密模式,key需要为16位。 138 | */ 139 | String Key = "30819f300d06092a864886f70d010101050003818d0030818902818100d65b8500176d70d40b6986cb15c9e6b11835e44744582a176cc4f2cb5a91f792fa3245b69f280825eeba967bc69dd1ee962323daa9cc8493502042c4c2cf87d3ea798015213fd06ea266f2f2c04d467d02e757e6377d1754dfc4b2f8545f3c805131bf02b03373088ba63c5e39674d70886711557699fd472158ddda7bdb17f30203010001"; 140 | // 需要加密的字串 141 | String Src = "17611597504"; 142 | System.out.println(Src); 143 | // 加密 144 | String enString = RASUtilsNew.encryptByPublic(Src, Key); 145 | System.out.println("加密后的字串是:" + enString); 146 | 147 | 148 | 149 | 150 | } 151 | } -------------------------------------------------------------------------------- /RegressionAlgorithm/script/RSA.java: -------------------------------------------------------------------------------- 1 | package com.lang.script; 2 | 3 | import javax.crypto.Cipher; 4 | import java.io.BufferedWriter; 5 | import java.io.FileWriter; 6 | import java.io.IOException; 7 | import java.nio.charset.Charset; 8 | import 
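java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/*******************************************************************************
 Encryption / decryption: encrypt with the public key, decrypt with the private key.
 Signing / verification: sign with the private key, verify with the public key.

 NOTE(review): main() below does the opposite of the first line: it "encrypts"
 with the private key and "decrypts" with the public key. That gives no
 confidentiality (anyone holding the public key can reverse it) and is not a
 substitute for a real signature scheme via java.security.Signature.

 NOTE(review): the transformation used is the bare name "RSA", so mode and
 padding come from the provider default and may differ between runtimes.
 *******************************************************************************/
public class RSA {
    public static final String RSA_ALGORITHM = "RSA";
    public static final Charset UTF8 = Charset.forName("UTF-8");

    /**
     * Demo: generates a key pair, writes both keys to disk, then round-trips a
     * message through {@link #encrypt} and {@link #decrypt}.
     */
    public static void main(String [] args) throws Exception {
        // generate public and private keys
        KeyPair keyPair = buildKeyPair();
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        RSA.savePrivateKey(privateKey);
        RSA.savePublicKey(publicKey);

        // encrypt the message
        String encrypted=encrypt(privateKey, "This is a secret message");
        System.out.println(encrypted); // Base64 of the RSA output

        // decrypt the message
        System.out.println(decrypt(publicKey, encrypted)); // This is a secret message
    }

    /**
     * Generates a fresh 2048-bit RSA key pair.
     *
     * @return the new key pair
     * @throws NoSuchAlgorithmException if no RSA key pair generator is available
     */
    public static KeyPair buildKeyPair() throws NoSuchAlgorithmException {
        final int keySize = 2048;
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA_ALGORITHM);
        keyPairGenerator.initialize(keySize);
        return keyPairGenerator.genKeyPair();
    }

    /**
     * Applies the RSA private-key operation to {@code message} (UTF-8).
     *
     * @param privateKey key used in ENCRYPT_MODE
     * @param message    text to transform
     * @return Base64 of the RSA output
     * @throws Exception on any JCA failure
     */
    public static String encrypt(PrivateKey privateKey, String message) throws Exception {
        Cipher cipher = Cipher.getInstance(RSA_ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, privateKey);
        return Base64.getEncoder().encodeToString(cipher.doFinal(message.getBytes(UTF8)));
    }

    /**
     * Reverses {@link #encrypt} with the matching public key.
     *
     * @param publicKey key used in DECRYPT_MODE
     * @param encrypted Base64 text produced by {@link #encrypt}
     * @return the recovered message
     * @throws Exception on any JCA failure
     */
    public static String decrypt(PublicKey publicKey, String encrypted) throws Exception {
        Cipher cipher = Cipher.getInstance(RSA_ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, publicKey);
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(encrypted));
        // encrypt() encodes with UTF8; decode with the same charset instead of
        // the platform default.
        return new String(plain, UTF8);
    }

    /**
     * Loads a public key from a string.
     *
     * @param publicKeyStr Base64 of the X.509-encoded public key
     * @return the parsed key
     * @throws RuntimeException wrapping algorithm or key-spec errors
     */
    public static RSAPublicKey loadPublicKey(String publicKeyStr) throws Exception {
        try {
            byte[] buffer = base64Decode(publicKeyStr);
            KeyFactory keyFactory = KeyFactory.getInstance(RSA_ALGORITHM);
            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(buffer);
            return (RSAPublicKey) keyFactory.generatePublic(keySpec);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads a private key from a string.
     *
     * @param privateKeyStr Base64 of the PKCS#8-encoded private key
     * @return the parsed key
     * @throws RuntimeException wrapping algorithm or key-spec errors
     */
    public static RSAPrivateKey loadPrivateKey(String privateKeyStr) throws Exception {
        try {
            byte[] buffer = base64Decode(privateKeyStr);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(buffer);
            KeyFactory keyFactory = KeyFactory.getInstance(RSA_ALGORITHM);
            return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Prints the Base64 public key and writes it to {@code publicKey.keystore}
     * in the working directory.
     *
     * @param publicKey key to save
     * @throws IOException if the file cannot be written
     */
    public static void savePublicKey(PublicKey publicKey) throws IOException {
        String publicKeyString = base64Encode(publicKey.getEncoded());
        System.out.println("publicKeyString="+publicKeyString);
        // try-with-resources closes the file even when write() throws
        try (BufferedWriter bw = new BufferedWriter(new FileWriter("publicKey.keystore"))) {
            bw.write(publicKeyString);
        }
    }

    /**
     * Prints the Base64 private key and writes it to {@code privateKey.keystore}
     * in the working directory.
     *
     * NOTE(review): the private key is echoed to stdout and stored unencrypted
     * with whatever permissions the process default gives the file. Acceptable
     * for a throwaway demo key only; real keys belong in a protected key store
     * and should never be logged.
     *
     * @param privateKey key to save
     * @throws IOException if the file cannot be written
     */
    public static void savePrivateKey(PrivateKey privateKey) throws IOException {
        String privateKeyString = base64Encode(privateKey.getEncoded());
        System.out.println("privateKeyString="+privateKeyString);

        // try-with-resources closes the file even when write() throws
        try (BufferedWriter bw = new BufferedWriter(new FileWriter("privateKey.keystore"))) {
            bw.write(privateKeyString);
        }
    }

    /**
     * @param data bytes to encode
     * @return Base64 text
     */
    public static String base64Encode(byte[] data) {
        return Base64.getEncoder().encodeToString(data);
    }

    /**
     * @param data Base64 text
     * @return decoded bytes
     * @throws IOException never thrown by this implementation; kept in the
     *         signature for existing callers
     */
    public static byte[] base64Decode(String data) throws IOException {
        return Base64.getDecoder().decode(data);
    }
}
--------------------------------------------------------------------------------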