练习algorithmbase_80.apk

先是用frida脚本跑几个数据看看加密特征

1
2
3
4
5
6
7
function call_encode80(input){
    Java.perform(function(){
        var MainActivity=Java.use("com.kanxue.algorithmbase.MainActivity");
        var res=MainActivity.encodeFromJni_80(input);
        console.log("input:",input,"output",res);
    });
}

然后加密几个测试数据看到了。当输入长度为16以下时。输出长度为128.输入长度为>=16并且<32时。输出长度为160。由此可以判断这应该是一个组合的非标准算法。前面组合的部分目测为某个hash算法

1
2
3
4
5
6
7
8
9
10
[AOSP on msm8996::com.kanxue.algorithmbase]-> call_encode80("0000")
input: 0000 output 23A92603A73333E2EE8DA421C319BB6743595D02CF5AC0CCD1AE26CDE40334589CA0983402D21FA53A1B6FB796328E9CC0B4A8CE1BB68F7E7A7C4C25B7667FA5 output len: 128
[AOSP on msm8996::com.kanxue.algorithmbase]-> call_encode80("000000000000000")
input: 000000000000000 output CF3FFB756CEC35BD04AACB520E23ED3BCF3E332956275DF8E2E0A5C6D88B88B2845CA6A4AF374AF2B7618074119E919F8A673BDCC60E5DFAEF0CF103CD71790C output len: 128
[AOSP on msm8996::com.kanxue.algorithmbase]-> call_encode80("0000000000000000")
input: 0000000000000000 output 5F5AB31F6BEF26F7FE5BA423B4B71D76357787C9E7DBFB39FAD9FE0BBB67587E6E8F24CAEF7EFFF52A539F37997FD51836824D20AD230940BFC5206145FD52434B72058D139812D5ADA7EBB12BD4333A output len: 160
[AOSP on msm8996::com.kanxue.algorithmbase]-> call_encode80("0000000000000000000000000000000")
input: 0000000000000000000000000000000 output D06F822D572D89CB569BA83A63E11A1800861418ED2CB432419B6FD36C1DFD5488067965E42841424E40DDE955974C16AECBF485F828DE38663C7923BF7003456A64EFCCF070DD817D13E137D0CC3471 output len: 160
[AOSP on msm8996::com.kanxue.algorithmbase]-> call_encode80("00000000000000000000000000000000")
input: 00000000000000000000000000000000 output 6E46BE17EB55AE1CCA05E85E542A9EC24A948CF9ECB563C932F98002C7AF2D214FA3625C9D1B8B163D59699EFBB0E698313560682808B623278697B8DB9477F82AC8F580971AD97A104177862B9E833B0DFC80A63852524BD3E183A4D0252061 output len: 192

由于这个起始长度特征很眼熟。128的长度sha256的长度一致的。所以直接测试一下。

image-20210203225936678

看到结果和上面的不一致。可能这不是sha256算法。或者是一个修改了的sha256。我们接下来验证一下。先搜索一下。看看sha256标准算法有哪些常量

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
static const uint32_t k[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};
void sha256(const unsigned char *data, size_t len, unsigned char *out) {
    uint32_t h0 = 0x6a09e667;
    uint32_t h1 = 0xbb67ae85;
    uint32_t h2 = 0x3c6ef372;
    uint32_t h3 = 0xa54ff53a;
    uint32_t h4 = 0x510e527f;
    uint32_t h5 = 0x9b05688c;
    uint32_t h6 = 0x1f83d9ab;
    uint32_t h7 = 0x5be0cd19;
    //省略掉其他逻辑的代码
}

然后搜索一下常量特征

image-20210203230322069

然后我们看看那个类似MD5_Init的常量是否发生了改变。搜索一下特征0x6a09e667

image-20210203232750391

没有啥变化。和上面的h0-h7的常量对比。是一致的。