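python - Understanding CCCrypt
Problem description
I am currently tracing CCCrypt calls. To give some broader context: I am pentesting an application, and while monitoring its network calls I see that every POST call made by the application's API has a value named signature. I have decompiled the application's IPA file. My impression is that the signature, which is generated for the POST body, is produced using CCCrypt. So I was able to trace the CCCrypt call and got the following information: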
CCCrypt(operation: 0x0, CCAlgorithm: 0x0, CCOptions: 0x1, keyBytes: 0x106e5ea49, keyLength: 0x10, ivBuffer: 0x106e5ea59, inBuffer: 0x2822e1840, inLength: 0x2f, outBuffer: 0x16ef2db60, outLength: 0x30, outCountPtr: 0x16ef2dbb0)
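The Frida hook shows the following
How do I use the key and IV so that I can encrypt/decrypt?
I have the following script with a key and IV, but in my case, what are the key, the IV and the other relevant fields?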
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend
from base64 import b64decode, b64encode
import codecs
backend = default_backend()
padder = padding.PKCS7(128).padder()
unpadder = padding.PKCS7(128).unpadder()
data = b'demo'
data = padder.update(data) + padder.finalize()
key = b64decode('y_device=y_9068496B-C7DE-4EE8-B57D-BE91147662B2')
iv = b64decode(codecs.decode('3f2c593b7d469602af5a6fb718bc92cc', 'hex'))
# iv = b64decode('................')
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
encryptor = cipher.encryptor()
ct = encryptor.update(data) + encryptor.finalize()
ct_out = b64encode(ct)
print(ct_out)
decryptor = cipher.decryptor()
plain = decryptor.update(ct) + decryptor.finalize()
plain = unpadder.update(plain) + unpadder.finalize()
print(plain)
Here is my Frida script:
// Intercept CCCrypt calls.
Interceptor.attach(Module.findExportByName('libcommonCrypto.dylib', 'CCCrypt'), {
    onEnter: function (args) {
        // Save the arguments
        this.operation = args[0]
        this.CCAlgorithm = args[1]
        this.CCOptions = args[2]
        this.keyBytes = args[3]
        this.keyLength = args[4]
        this.ivBuffer = args[5]
        this.inBuffer = args[6]
        this.inLength = args[7]
        this.outBuffer = args[8]
        this.outLength = args[9]
        this.outCountPtr = args[10]
        console.log('CCCrypt(' +
            'operation: ' + this.operation + ', ' +
            'CCAlgorithm: ' + this.CCAlgorithm + ', ' +
            'CCOptions: ' + this.CCOptions + ', ' +
            'keyBytes: ' + this.keyBytes + ', ' +
            'keyLength: ' + this.keyLength + ', ' +
            'ivBuffer: ' + this.ivBuffer + ', ' +
            'inBuffer: ' + this.inBuffer + ', ' +
            'inLength: ' + this.inLength + ', ' +
            'outBuffer: ' + this.outBuffer + ', ' +
            'outLength: ' + this.outLength + ', ' +
            'outCountPtr: ' + this.outCountPtr + ')')
        if (this.operation == 0) {
            // Show the buffers here if this is an encryption operation
            console.log("In buffer:")
            console.log(hexdump(ptr(this.inBuffer), {
                length: this.inLength.toInt32(),
            }))
            console.log("Key: ")
            console.log(hexdump(ptr(this.keyBytes), {
                length: this.keyLength.toInt32(),
                // header: true,
                // ansi: true
            }))
            console.log("IV: ")
            console.log(hexdump(ptr(this.ivBuffer), {
                // The IV is one cipher block: 16 bytes for AES, whatever the key length
                length: 16,
                header: true,
                ansi: true
            }))
        }
    },
    onLeave: function (retVal) {
        if (this.operation == 1) {
            // Show the buffers here if this is a decryption operation
            console.log("Out buffer:")
            console.log(hexdump(ptr(this.outBuffer), {
                length: Memory.readUInt(this.outCountPtr),
                header: true,
                ansi: true
            }))
            console.log("Key: ")
            console.log(hexdump(ptr(this.keyBytes), {
                length: this.keyLength.toInt32(),
                header: true,
                ansi: true
            }))
            console.log("IV: ")
            console.log(hexdump(ptr(this.ivBuffer), {
                // The IV is one cipher block: 16 bytes for AES, whatever the key length
                length: 16,
                header: true,
                ansi: true
            }))
        }
    }
})
Solution
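As an added example (not part of the original question or of any answer to it), the Python below decodes the logged CCCrypt arguments using the constants from Apple's CommonCryptor.h, showing which cipher, mode, padding and sizes the trace corresponds to. The names parse_trace and describe are hypothetical helpers introduced here.

```python
import re

# Constants from Apple's CommonCrypto/CommonCryptor.h
OPERATIONS = {0: "kCCEncrypt", 1: "kCCDecrypt"}
# algorithm id -> (name, block size in bytes; 0 for the RC4 stream cipher)
ALGORITHMS = {0: ("kCCAlgorithmAES", 16), 1: ("kCCAlgorithmDES", 8),
              2: ("kCCAlgorithm3DES", 8), 3: ("kCCAlgorithmCAST", 8),
              4: ("kCCAlgorithmRC4", 0), 5: ("kCCAlgorithmRC2", 8),
              6: ("kCCAlgorithmBlowfish", 8)}
OPT_PKCS7, OPT_ECB = 0x1, 0x2   # kCCOptionPKCS7Padding, kCCOptionECBMode


def parse_trace(line):
    """Turn one 'CCCrypt(name: 0x.., ...)' line from the hook into {name: int}."""
    return {k: int(v, 16) for k, v in re.findall(r"(\w+): (0x[0-9a-fA-F]+)", line)}


def describe(line):
    """Decode the logged arguments into cipher settings (hypothetical helper)."""
    a = parse_trace(line)
    name, block = ALGORITHMS[a["CCAlgorithm"]]
    pkcs7 = bool(a["CCOptions"] & OPT_PKCS7)
    ecb = bool(a["CCOptions"] & OPT_ECB)
    if a["operation"] == 0 and pkcs7 and block:
        # PKCS#7 always adds 1..block bytes, so output rounds up to the next block
        expected_out = (a["inLength"] // block + 1) * block
    else:
        expected_out = a["inLength"]
    return {
        "operation": OPERATIONS[a["operation"]],
        "algorithm": name,
        "key_bits": a["keyLength"] * 8,
        # CCCrypt runs block ciphers in CBC unless the ECB bit is set
        "mode": "ECB" if ecb else ("CBC" if block else "stream"),
        "padding": "PKCS7" if pkcs7 else "none",
        "iv_bytes": 0 if ecb else block,   # IV is one block, read from ivBuffer
        "expected_out_len": expected_out,
        "fits_out_buffer": expected_out <= a["outLength"],
    }

# Trace line copied from the question
TRACE = ("CCCrypt(operation: 0x0, CCAlgorithm: 0x0, CCOptions: 0x1, "
         "keyBytes: 0x106e5ea49, keyLength: 0x10, ivBuffer: 0x106e5ea59, "
         "inBuffer: 0x2822e1840, inLength: 0x2f, outBuffer: 0x16ef2db60, "
         "outLength: 0x30, outCountPtr: 0x16ef2dbb0)")

if __name__ == "__main__":
    for field, value in describe(TRACE).items():
        print(f"{field}: {value}")
```

For the traced call this reports AES-128 in CBC mode with PKCS7 padding, which matches the `algorithms.AES`, `modes.CBC` and `padding.PKCS7(128)` objects in the question's Python script. The key and IV are the 16 raw bytes the hook dumps at keyBytes and ivBuffer, so they would be supplied as raw bytes (for example with `bytes.fromhex`) rather than passed through `b64decode`.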