51friend模块逆向分析第二弹

## 前言
上一篇我们成功解密了dex的字符串加密，接下来主要分析一下软件的请求加密过程以及可能的修改方法。[post cid="38" /]
## 加密分析
### raw值的构造
[hide]
因为只有/we/st/stats链接里存在加密的raw，所以我们直接搜索这个链接（当然也可以直接搜索raw），出来了十几个结果，随便点进去一个，将该方法转换成Java分析,其中部分代码如下：
```
                String j = avpVar.j();
                avpVar.r(avtVar.c("https://wechatbot.pp.ua:8086/we/st/stat"));
                String str5 = amw.h;
                Map t = axy.t(new aqu[]{apu.a(amw.a, avpVar.o()), apu.a(amw.b, avpVar.k()), apu.a(amw.c, avpVar.l()), apu.a(amw.d, avpVar.m()), apu.a(amw.e, "1.2.6"), apu.a(amw.f, avpVar.n()), apu.a(amw.g, amxVar2.k()), apu.a(str5, "asdfjkasdfjzklxvjkqweruip2134"), apu.a(amw.i, Build.PRODUCT), apu.a(amw.k, Build.MODEL)});
                String b2 = mu.b(t);
                if (amxVar2.i() != 0 && bVar.a - amxVar2.i() > amxVar2.g() && awj.a(b2, amxVar2.h())) {
                    b.a("g3SwrqN8tbw=\n", "tkXW3MoS0Ng=\n");
                    b.a("ULyN5S5YAJVHqA==\n", "Itn9gE8sIOc=\n");
                } else {
                    amxVar2.x(b2);
                    t.put(str5, j);
                    String b3 = mu.b(t);
                    ar arVar = new ar();
                    arVar.a = hh.e(b3, ou.bz(j, 3) + amxVar2.k());
                    amxVar2.f().a("https://wechatbot.pp.ua:8086/we/st/stats", new d(arVar, j, context, bVar), new aqu[]{apu.a("raw", ou.bz(j, 3) + ((String) arVar.a))});
                    lb lbVar = lb.a;
                }
            }
```
[scode type="share"]从这里我们可以看出raw的值是由**ou.bz(j, 3)**和**((String) arVar.a))**两个部分组成，而**ou.bz(j, 3)**又和**amxVar2.k()**组合到一起与b3一起传入hh.e来生成**arVar.a**，从经验上判断hh.e方法因该是一个加密方法，传入为待加密字符串与密钥，我们跟进hh.e方法看一下[/scode]
```
package android.support.compat;

import android.text.TextUtils;
import android.util.Base64;
import com.asdf51.friend.b;
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class hh {
    private static final String g = "AES";
    private static final String i = "AES/ECB/PKCS5Padding";
    private static final String j = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&()+-:;<=.>?@()[]^_{}|~,  0\t00O0000Oo0";
    private static final String k = "ʻʼʽʾʿˆˈˉˊˋˎˏˑיـٴᐧᴵᵎᵔᵢⁱﹳﹶﾞ";
    private static final Integer h = 128;
    public static String a = "A3kppuf53Ch498Dj";

public static String b(String str) {
        if (str.length() >= 16) {
            return str.substring(0, 16);
        }
        return str + "XXXXXXXXXXXXXXXX".substring(str.length());
    }

public static boolean c(String str) {
        if (!TextUtils.isEmpty(str) && !"null".equals(str)) {
            int i2 = 0;
            while (true) {
                String str2 = k;
                if (i2 >= str2.length()) {
                    break;
                }
                char charAt = str2.charAt(i2);
                if (str.indexOf(charAt) != -1) {
                    b.a("koKWuPMd4g==\n", "9uP41op0lss=\n");
                    String str3 = "wx str: ___" + charAt + "___";
                    return true;
                }
                i2++;
            }
        }
        return false;
    }

public static String d(String str, String str2) {
        try {
            String b = b(str2);
            byte[] decode = Base64.decode(str, 2);
            Cipher cipher = Cipher.getInstance(i);
            cipher.init(2, new SecretKeySpec(b.getBytes(), g));
            return new String(cipher.doFinal(decode));
        } catch (Exception unused) {
            return "";
        }
    }

public static String e(String str, String str2) {
        String b = b(str2);
        Cipher cipher = Cipher.getInstance(i);
        cipher.init(1, new SecretKeySpec(b.getBytes(), g));
        return Base64.encodeToString(cipher.doFinal(str.getBytes(StandardCharsets.UTF_8)), 2);
    }

public static boolean f(String str) {
        if (str.length() < 30) {
            return false;
        }
        return str.matches("^[a-zA-Z0-9]+$");
    }
}
```
[scode type="blue"]从hh类中可以清晰看出这是一个用来对传入字符串使用aes加密算法进行加密的类，其中存在完整的加密逻辑，那么接下来我们主要解决传入的加密密钥是如何得到的，从之前的代码中我们可以知道密钥与**ou.bz**和**amxVar2.k**有关，我们分别跟进看一下[/scode]
```
.method public static bridge synthetic bz(Ljava/lang/String;I)Ljava/lang/String;
    .registers 2

invoke-static {p0, p1}, Landroid/support/compat/hc;->d(Ljava/lang/String;I)Ljava/lang/String;

move-result-object p0

return-object p0
.end method
```
[scode type="green"]从这里看出ou.bz接受两个值，传递给hc.d方法[/scode]
```
package android.support.compat;

class hc extends lw {
    public static String d(String str, int i) {
        awj.c(str, "$this$takeLast");
        if (i >= 0) {
            int length = str.length();
            String substring = str.substring(length - aq.c(i, length));
            awj.b(substring, "(this as java.lang.String).substring(startIndex)");
            return substring;
        }
        throw new IllegalArgumentException(("Requested character count " + i + " is less than zero.").toString());
    }
}
```
[scode type="yellow"]从这里可以看出hc.d其实就是获取字符串最后i位的一个方法，由此可知ou.bz(j, 3)是取字符串j的最后三位，而由之前的代码可知字符串j由avpVar.j()方法生成，我们跟进看一下[/scode]
```
package android.support.compat;

import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

public final class avp {
    public final String j() {
        return new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS", Locale.CHINA).format(new Date());
    }
}
```
[scode type="red"]可以看出这个方法**j()**返回当前时间的格式化字符串，格式为"yyyy-MM-dd HH:mm:ss.SSS"。因此，最后我们可以得知ou.bz的返回值其实就是当前时间的毫秒位。[/scode]
```
package android.support.compat;

public final class amx {
    public final String k() {
        String g = ajw.a.g("b4f829b4d3c9b8a4009e9c02613beafb", ag);
        avp.c.t(g);
        return g;
    }
}
```
[scode type="blue"]**ajw.a.g(...)**会尝试从**SharedPreferences**中读取键为**b4f829b4d3c9b8a4009e9c02613beafb**的值。如果该键不存在，则返回默认值**ag**。而该类中给定的默认值**ag**为**8888E88888888888888888888888888888888**，也就是我们的试用码，所以这里是获取你的激活码的，至此加密流程就完整了，使用当前时间毫秒位与激活码拼接后作为加密密钥与待加密字符串传入hh.e方法进行加密，写成python代码如下[/scode]
[tabs]
[tab name="加密代码" active="true"]
```
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import base64
import json
import time
from datetime import datetime

def serialize_data(data):
    """
    将数据字典序列化为JSON字符串。
    """
    return json.dumps(data, separators=(',', ':'))

def generate_key(current_millis):
    """
    使用提供的毫秒数的最后三位与特定字符串拼接生成16字节的AES密钥。
    """
    last_three_digits = str(current_millis)[-3:]
    input_str = last_three_digits + '8888E88888888888888888888888888888888'
    return input_str[:16]

def aes_encrypt(data, key):
    """
    使用AES加密对数据进行加密。
    """
    cipher = AES.new(key.encode('utf-8'), AES.MODE_ECB)
    encrypted_data = cipher.encrypt(pad(data.encode('utf-8'), AES.block_size))
    return base64.b64encode(encrypted_data).decode('utf-8')

def prepare_encrypted_request(data, current_millis):
    """
    准备加密的请求参数。
    """
    serialized_data = serialize_data(data)
    print(f"Serialized Data: {serialized_data}")
    key = generate_key(current_millis)
    encrypted_data = aes_encrypt(serialized_data, key)
    print(f"Encrypted Data: {encrypted_data}")
    return encrypted_data

# 获取当前时间的毫秒数
current_time = datetime.now()
current_millis = int(current_time.timestamp() * 1000)
formatted_time = current_time.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]

# 要加密的数据
data = {
    "33": "8.0.56_2800",
    "34": "8888E88888888888888888888888888888888",
    "35": formatted_time,  # 当前毫秒时间格式化为字符串
    "37": "30",
    "30": "574300864",
    "20": "default_user_name",
    "31": "wxid_wdhwo6o7m86w22",
    "10": "wxid_wdhwo6o7m86w22",
    "32": "1.2.6"
}

# 准备加密请求
encrypted_request = prepare_encrypted_request(data, current_millis)
print(f"Final Encrypted Request: {encrypted_request}")
```
[/tab]
[tab name="解密方法"]
```
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64
import time
import json

def generate_key():
    """
    生成16字节的AES密钥。
    使用当前时间毫秒的后三位与特定字符串拼接。
    """
    last_three_digits = '886'
    input_str = last_three_digits + '8888E88888888888888888888888888888888'
    return input_str[:16]

def aes_decrypt(encrypted_data, key):
    """
    使用AES解密对数据进行解密。
    """
    cipher = AES.new(key.encode('utf-8'), AES.MODE_ECB)
    decrypted_data = unpad(cipher.decrypt(base64.b64decode(encrypted_data)), AES.block_size)
    return decrypted_data.decode('utf-8')

def prepare_decrypted_request(encrypted_data):
    """
    准备解密的请求参数。
    """
    key = generate_key()
    print(f"Generated Key: {key}")
    decrypted_data = aes_decrypt(encrypted_data, key)
    print(f"Decrypted Data: {decrypted_data}")
    return json.loads(decrypted_data)

# 示例加密数据（假设这是加密后的数据）
encrypted_request = "UkRPNLN1RsPCHLl8aTooiXJ0KxtJGvEq0e2/4EF30VxyhF49OMPmbjHN5eVknZqBWZmUklaJa3eOkKD+GLcJ8uEWfwXI7AvklxtLogRnW1KEiBR7Tg3x5VhuH6dVf1E6geSZ7ygAVTCl19rrMsqtyfrEA2F0eM5b1590vhQPpUZS1F3a/m0oEHq5KgebMXbC4Oxms8eHC1rf6RaicpvzgE6uCybcoBckpe/EcOrukD2NSsCu21X/Oc34BedvRt6Sb3McaYA4OYqYzGoW0WfVkzpWDYCvRD0yqQYNOYk4UN8="

# 准备解密请求
try:
    decrypted_request = prepare_decrypted_request(encrypted_request)
    print(f"Final Decrypted Request: {decrypted_request}")
except Exception as e:
    print(f"An error occurred during decryption: {e}")
```
[/tab]
[/tabs]
[/hide]
### 参数iv与sd的生成
[hide]
```
public final Map<String, String> h() {
    String str;
    String valueOf = String.valueOf(Math.abs(ajd.a(System.currentTimeMillis()).d(10000, Integer.MAX_VALUE)));
    String str2 = al;
    if (TextUtils.isEmpty(str2) || str2.length() <= 5) {
        str = "";
    } else {
        StringBuilder sb = new StringBuilder();
        sb.append(valueOf);
        String substring = str2.substring(0, 4);
        awj.b(substring, "(this as java.lang.Strin…ing(startIndex, endIndex)");
        sb.append(substring);
        String e = jz.e(sb.toString());
        int d = ajd.a(System.currentTimeMillis()).d(5, 15);
        if (e == null) {
            throw new aot("null cannot be cast to non-null type java.lang.String");
        }
        str = e.substring(d);
        awj.b(str, "(this as java.lang.String).substring(startIndex)");
    }
    LinkedHashMap linkedHashMap = new LinkedHashMap();
    linkedHashMap.put("fd", str2);
    linkedHashMap.put("sd", str);
    linkedHashMap.put("iv", valueOf);
    return linkedHashMap;
}
```
[scode type="share"]参数中的值主要由**avp.h()**控制生成，简单结合相应代码分析可知，iv的值生成首先通过**ajd.a(System.currentTimeMillis())**将当前时间转换为**asl**对象，然后**asl.d(10000, Integer.MAX_VALUE)**生成一个在**10000**到**Integer.MAX_VALUE**范围内的随机整数，最后**Math.abs(...)**和**String.valueOf(...)**将生成的随机数的绝对值转换为字符串；sd的值为将iv的值与str2的前四位值进行拼接，str2为激活码字符串，然后**jz.e(String str)**通过将字符串转换为字节数组，并使用MD5算法生成散列值，**jz.c(...)**将MD5字节数组转换为十六进制字符串，接着**ajd.a(System.currentTimeMillis()).d(5, 15)**生成一个在5到15之间的随机起始位置，最后**e.substring(d)**从加密后的字符串中截取从**d**开始的子字符串[/scode]
[/hide]
### 模拟请求测试
[hide]
结合以上所有分析，尝试生成python代码进行模拟请求，因为存在固定证书，所以需要禁用不安全警告：
[tabs]
[tab name="/add与/setup请求" active="true"]
```
import time
import random
import hashlib
import requests
import urllib3
from datetime import datetime

# 禁用不安全请求警告
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def generate_iv():
    random_int = random.randint(10000, 2**31 - 1)
    iv = str(abs(random_int))
    return iv

def generate_sd(iv, str2="8888E88888888888888888888888888888888"):
    combined_str = iv + str2[:4]
    md5_hash = hashlib.md5(combined_str.encode('utf-8')).hexdigest()
    start_index = random.randint(5, 15)
    sd = md5_hash[start_index:]
    return sd

def get_current_time_formatted():
    now = datetime.now()
    formatted_time = now.strftime("%Y_%m_%d_%H_%M_%S_%f")[:23]  # 获取毫秒部分
    return formatted_time

# 生成iv和sd
iv1 = generate_iv()
sd1 = generate_sd(iv1)

# 第一个请求的头和数据
headers1 = {
    'fd': '8888E88888888888888888888888888888888',
    'sd': sd1,
    'iv': iv1,
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '78',
    'Host': 'wechatbot.pp.ua:8086',
    'Connection': 'Keep-Alive',
    'Accept-Encoding': 'gzip',
    'User-Agent': 'okhttp/4.8.0',
}

data1 = {
    'version': '1.2.6',
    'code': '8888E88888888888888888888888888888888',
    'weversion': '8.0.56_2800',
}

# 发送第一个POST请求
response1 = requests.post('https://wechatbot.pp.ua:8086/we/st/setup', headers=headers1, data=data1, verify=False)
print("First Request Status Code:", response1.status_code)
print("First Request Response Text:", response1.text)

# 生成第二个请求的iv和sd
iv2 = generate_iv()
sd2 = generate_sd(iv2)

# 获取当前时间的格式化字符串
current_time_formatted = get_current_time_formatted()

# 第二个请求的头和数据
headers2 = {
    'fd': '8888E88888888888888888888888888888888',
    'sd': sd2,
    'iv': iv2,
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '214',
    'Host': 'wechatbot.pp.ua:8086',
    'Connection': 'Keep-Alive',
    'Accept-Encoding': 'gzip',
    'User-Agent': 'okhttp/4.8.0',
}

data2 = {
    'name': 'wxid_692ipxgiaf7f12',
    'version': '1.2.6',
    'weversion': '8.0.55_2780',
    'res': f'{current_time_formatted}#SDK33#oppo#r9s#default_user_name#682435911#wxid_692ipxgiaf7f12##8888E88888888888888888888888888888888',
}

# 发送第二个POST请求
response2 = requests.post('https://wechatbot.pp.ua:8086/we/st/add', headers=headers2, data=data2, verify=False)
print("Second Request Status Code:", response2.status_code)
print("Second Request Response Text:", response2.text)
```
[/tab]
[tab name="/stats请求"]
```
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import base64
import time
import requests
import urllib3
from datetime import datetime
import json
import random
import hashlib

# 禁用不安全请求警告
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def serialize_data(data):
    """
    将数据字典序列化为JSON字符串。
    """
    return json.dumps(data, separators=(',', ':'))

def generate_iv():
    """
    生成随机iv。
    """
    random_int = random.randint(10000, 2**31 - 1)
    iv = str(abs(random_int))
    return iv

def generate_sd(iv, str2="8888E88888888888888888888888888888888"):
    """
    使用iv和字符串生成sd。
    """
    combined_str = iv + str2[:4]
    md5_hash = hashlib.md5(combined_str.encode('utf-8')).hexdigest()
    start_index = random.randint(5, 15)
    sd = md5_hash[start_index:]
    return sd

def generate_key():
    """
    生成16字节的AES密钥。
    使用当前时间毫秒的后三位与特定字符串拼接。
    """
    current_millis = str(int(time.time() * 1000))
    last_three_digits = current_millis[-3:]
    input_str = last_three_digits + '8888E88888888888888888888888888888888'
    return input_str[:16], last_three_digits

def prepare_encrypted_data(data):
    """
    准备加密的请求参数。
    """
    serialized_data = serialize_data(data)
    print(f"Serialized Data: {serialized_data}")
    key, last_three_digits = generate_key()
    encrypted_data = aes_encrypt(serialized_data, key)
    print(f"Encrypted Data: {encrypted_data}")
    return encrypted_data, last_three_digits

# 获取当前时间
current_time = datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]

# 准备要加密的数据
data = {
    '10': 'wxid_692ipxgiaf7f12',
    '20': 'default_user_name',
    '30': '682435911',
    '31': 'wxid_692ipxgiaf7f12',
    '32': '1.2.6',
    '33': '8.0.55_2780',
    '34': '8888E88888888888888888888888888888888',
    '35': current_time,
    '36': 'oppo',
    '38': 'r9s'
}

# 加密数据并获取密钥的最后三位
encrypted_data, last_three_digits = prepare_encrypted_data(data)
raw_value = last_three_digits + encrypted_data

# 动态生成iv和sd
iv = generate_iv()
sd = generate_sd(iv)

# 请求头
headers = {
    'fd': '8888E88888888888888888888888888888888',
    'sd': sd,
    'iv': iv,
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '355',
    'Host': 'wechatbot.pp.ua:8086',
    'Connection': 'Keep-Alive',
    'Accept-Encoding': 'gzip',
    'User-Agent': 'okhttp/4.8.0',
}

# 请求数据
data = {
    'raw': raw_value,
}

# 发送POST请求
response = requests.post('https://wechatbot.pp.ua:8086/we/st/stats', headers=headers, data=data, verify=False)
print("Status Code:", response.status_code)
print("Response Text:", response.text)
```
[/tab]
[/tabs]
[/hide]
## 后记
至此，51friend相关加密数据全部分析完成，后续是如何修改都可以了，其实软件很简单，抓包都可以破解。

AI摘要：该文章分析了51friend模块的加密过程，重点讨论了请求加密过程中的raw值生成和加密方法。通过逆向分析，揭示了加密密钥的生成方式以及如何使用AES加密算法对数据进行加密。文章提供了详细的Python代码示例，模拟了加密、解密和请求的发送过程，最终完成了对相关加密数据的全面解密分析。