云闪付iOS逆向

云闪付iOS逆向

Android版本默认使用3DES加密,而iOS默认使用SM4-CTR加密。

image-20230116110745777

image-20230116110815859

使用frida Hook关键函数,查看参数明文与密文。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
try {
    var className = "UPComlibSM4";
    var funcName = "+ SM4EncryptData:withKey:inMode:padding:initVector:";
    var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]');
    console.log("[*] Class Name: " + className);
    console.log("[*] Method Name: " + funcName);
    Interceptor.attach(hook.implementation, {
        onEnter: function (args) {
            // console.log("param0:"+args[0]+" type:"+typeof args[0]);
            // console.log("param1:"+args[1]+" type:"+typeof args[1]);
            // console.log("param2:"+args[2]+" type:"+typeof args[2]);

            // var str = new ObjC.Object(ptr(args[2])).toString()
            console.log('SM4EncryptData Data', new ObjC.Object(ptr(args[2])).toString())
                console.log('SM4EncryptData Key', new ObjC.Object(ptr(args[3])).toString())
                console.log('SM4EncryptData Mode', args[4])
                console.log('SM4EncryptData padding', args[5])
                console.log('SM4EncryptData initVector', new ObjC.Object(ptr(args[6])).toString())

        },
        onLeave: function (retval) {
            // var str2 = new ObjC.Object(ptr(retval)).toString()
            // console.log('+ encryptMessage:', str2)

        }
    });
}
catch (err) {
    console.log("[!] Exception2: " + err.message);
}

try {
    var className = "UPWNetCryptUtil";
    var funcName = "+ encryptMessage:";
    var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]');
    console.log("[*] Class Name: " + className);
    console.log("[*] Method Name: " + funcName);
    Interceptor.attach(hook.implementation, {
        onEnter: function (args) {
            // console.log("param0:"+args[0]+" type:"+typeof args[0]);
            // console.log("param1:"+args[1]+" type:"+typeof args[1]);
            // console.log("param2:"+args[2]+" type:"+typeof args[2]);
            var str = new ObjC.Object(ptr(args[2])).toString()
                console.log('+ encryptMessage:', str)

        },
        onLeave: function (retval) {
            var str2 = new ObjC.Object(ptr(retval)).toString()
                console.log('+ encryptMessage:', str2)

        }
    });
}
catch (err) {
    console.log("[!] Exception2: " + err.message);
}

image-20230116111153600

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
def sm4_ctr_decrypt(key, iv, data):
    data = binascii.unhexlify(data)
    if not isinstance(key, bytes):
        key = key.encode()
    if not isinstance(iv, bytes):
        iv = iv.encode()
    cipher = Cipher(algorithms.SM4(key), modes.CTR(iv), backend=default_backend())
    result = cipher.decryptor().update(data)
    return result.decode()

def sm4_ctr_encrypt(key, iv, data):
    if not isinstance(key, bytes):
        key = key.encode()
    if not isinstance(iv, bytes):
        iv = iv.encode()
    if not isinstance(data, bytes):
        data = data.encode()
    cipher = Cipher(algorithms.SM4(key), modes.CTR(iv), backend=default_backend())
    result = cipher.encryptor().update(data)
    return binascii.hexlify(result).decode().upper()