在Java中,我们用MD5对数据进行加密,代码大概是这样的:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class MD5Utils {
public static void main(String[] args) {
String md5 = md5("luoyesiqiu".getBytes());
System.out.println(md5);
System.out.println(md5.substring(8,24));
}
public static String md5(byte[] input){
String md5 = "";
try {
MessageDigest messageDigest = MessageDigest.getInstance("md5");
byte[] buf = messageDigest.digest(input);
for (byte b : buf){
int val = b;
if(val < 0){
val += 256;
}
String str = "" + Integer.toHexString(val);
if(str.length() == 1){
str = "0" + str;
}
md5 += str;
}
} catch (
NoSuchAlgorithmException e) {
e.printStackTrace();
}
return md5;
}
}以上代码会输出32位的MD5值和16位的MD5值,16位MD5值是从32位中截取的:
10ff0971d5ce668c3a9c20a8c96ba43e
d5ce668c3a9c20a8众所周知,MD5加密是不可逆的,也就是不能解密。如果,我们想要得到加密前的数据该怎么办?想得到加密前的数据,我们可以Hook呀!Hook MessageDigest类的digest方法,这个方法输入要加密的内容,返回加密的结果,只要Hook这个方法就能得到加密前的数据和加密后的数据了,完美!Hook工具这里用的frida。
对于frida,如果要Hook,要写两份代码,一份JavaScript代码,一份Python代码。frida具体使用方法可以去看我以前写的博文:frida的用法--Hook Java代码篇
hookMD5.py:
import frida
import sys
def read_file_all(file):
fp=open(file)
text=fp.read()
fp.close()
return text
pass
def on_message(message, data):
if message['type'] == 'error':
print("[!] " + message['stack'])
elif message['type'] == 'send':
print(message['payload'])
if data != None:
print("[data] " + format_bytes(data))
else:
print(message)
pass
def format_bytes(bytes):
string='['
for b in bytes:
string=string+str(b)+','
return string[:len(string)-1]+"]"
pass
def main():
dev = frida.get_usb_device()
session = dev.attach("com.xxxx.xxxx")
text = read_file_all("hookMD5.js")
script = session.create_script(text)
script.on('message', on_message)
script.load()
sys.stdin.read()
pass
main()注:
com.xxxx.xxxx改成自己想要Hook的App包名
digest方法有两个重载方式,我们都把它们都Hook了。
hookMD5.js:
if(Java.available)
{
Java.perform(function(){
var MessageDigest= Java.use('java.security.MessageDigest');
var Integer= Java.use('java.lang.Integer');
var String= Java.use('java.lang.String');
var digest1 = MessageDigest.digest.overload("[B","int","int");
digest1.implementation=function(buf,offset,len){
var ret = digest2.call(this,buf);
var md5 = "";
for(var i = 0;i<ret.length;i++){
var val = ret[i];
if(val < 0){
val += 256;
}
var str = Integer.toHexString(val);
if(String.$new(str).length()==1){
str = "0" + str;
}
md5 += str;
}
try{
console.log("original:"+String.$new(buf));
}catch(e){
console.log("Original isn't a string.");
}
console.log("MD5(32):" + md5);
console.log("MD5(16):" + md5.substring(8,24));
console.log("");
return ret;
}
var digest2 = MessageDigest.digest.overload("[B");
digest2.implementation=function(buf){
var ret = digest2.call(this,buf);
var md5 = "";
for(var i = 0;i<ret.length;i++){
var val = ret[i];
if(val < 0){
val += 256;
}
var str = Integer.toHexString(val);
if(String.$new(str).length()==1){
str = "0" + str;
}
md5 += str;
}
try{
console.log("original:"+String.$new(buf));
}catch(e){
console.log("Original isn't a string.");
}
console.log("MD5(32):" + md5);
console.log("MD5(16):" + md5.substring(8,24));
console.log("");
return ret;
}
});
}写好后把两个脚本放在同一个目录,运行Python脚本:
python hookMD5.pyHook某App运行结果如下:
原文:https://www.cnblogs.com/luoyesiqiu/p/11527676.html