搜索关键字 QDSign,可以直接找到对应的类,可以看到参数经过加密得到
进一步跟踪,发现了c类中有如下三个so方法,还有3个loadlibrary,分别进行了hook,发现c-lib动态注册了sign,sos动态注册了s,没有发现crypto有动态注册,使用frida对3个so函数进行了hook,证实sign是QDSign的加密函数,s是AegisSign的加密函数,SignNew并没有调用,搜索java代码,也没有发现调用的地方,猜测可能该函数没有实现,暂时不管了。
先用frida进行hook看看返回结果
C0025c.sign.implementation = function(v1,v2,v3,v4,v5,v6,v7) {
var ret = this.sign(v1,v2,v3,v4,v5,v6,v7)
console.log("sign params:", v1,v2,v3,v4,v5,v6,v7);
console.log("sign:", Base64Util.a(ret));
return ret;
}
确认结果确实为QDSign的值
通过 jnitrace -l libsos.so 包名 -i RegisterNatives 可以看到是动态注册的函数
直接再执行 jnitrace -l libsos.so 包名 发现程序卡在了闪屏页,原因不明,这种方法在很多应用上都会这样,有大神知道原因吗?
换成程序启动后,进行attach的方式, jnitrace -l libc-lib.so 应用名 -m attach ,貌似没有结果,这个方法在自己的程序上可以正常获取trace,但是在最近逆向的应用上都没有任何输出,原因不明,有没有知道的大佬解答一下?
祭出unidbg大杀器试试,使用模拟23版本,会报错
JNIEnv->FindClass(android/content/ContextWrapper) was called from RX@0x40002629[libc-lib.so]0x2629
JNIEnv->GetMethodID(android/content/ContextWrapper.getPackageManager()Landroid/content/pm/PackageManager;) => 0x53f2c391 was called from RX@0x4000263f[libc-lib.so]0x263f
[14:16:09 117] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:530) - handleInterrupt intno=2, NR=-1073744244, svcNumber=0x11f, PC=unidbg@0xfffe0284, LR=RX@0x40000af5[libc-lib.so]0xaf5, syscall=null
com.github.unidbg.arm.backend.BackendException: dvmObject=android.content.Context@5f2050f6, dvmClass=class android/content/Context, jmethodID=unidbg@0x53f2c391
报以上错误,猜想是不是用的applcationContext、看了下日志,替换为android/content/ContextWrapper后,继续执行,又报错
Invalid address 0x40344000 passed to free: value not allocated
[crash]A/libc: Invalid address 0x40344000 passed to free: value not allocated
Exception in thread "main" java.lang.NullPointerException
搜了一圈,没找到有用的信息。
最后想不到办法了,抱着侥幸心理、死马当活马医,换成19版本。。!!!居然成功了!!!
模拟执行sign方法,得到如下结果
JNIEnv->FindClass(a/c) was called from RX@0x40000b57[libc-lib.so]0xb57
JNIEnv->RegisterNatives(a/c, RW@0x40007000[libc-lib.so]0x7000, 1) was called from RX@0x40000b6d[libc-lib.so]0xb6d
RegisterNative(a/c, sign(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;I)[B, RX@0x400025a9[libc-lib.so]0x25a9)
Find native function Java_a_c_sign => RX@0x400025a9[libc-lib.so]0x25a9
JNIEnv->GetStringUtfChars("bookid=1021617576&isoutbook=0") was called from RX@0x40002519[libc-lib.so]0x2519
JNIEnv->ReleaseStringUTFChars("bookid=1021617576&isoutbook=0") was called from RX@0x4000257f[libc-lib.so]0x257f
JNIEnv->NewStringUTF("bf0fd95eb2cf2d1750cb5ff9364c5f49") was called from RX@0x4000258d[libc-lib.so]0x258d
JNIEnv->GetStringUtfChars("bf0fd95eb2cf2d1750cb5ff9364c5f49") was called from RX@0x400025cf[libc-lib.so]0x25cf
JNIEnv->GetStringUtfChars("1641450591209") was called from RX@0x400025df[libc-lib.so]0x25df
JNIEnv->GetStringUtfChars("0") was called from RX@0x400025fb[libc-lib.so]0x25fb
JNIEnv->GetStringUtfChars("9e450ea5f3dd0b8a") was called from RX@0x4000260b[libc-lib.so]0x260b
JNIEnv->GetStringUtfChars("0") was called from RX@0x4000261b[libc-lib.so]0x261b
JNIEnv->FindClass(android/content/ContextWrapper) was called from RX@0x40002629[libc-lib.so]0x2629
JNIEnv->GetMethodID(android/content/ContextWrapper.getPackageManager()Landroid/content/pm/PackageManager;) => 0x53f2c391 was called from RX@0x4000263f[libc-lib.so]0x263f
JNIEnv->CallObjectMethodV(android.content.ContextWrapper@26ba2a48, getPackageManager() => android.content.pm.PackageManager@17550481) was called from RX@0x40000af5[libc-lib.so]0xaf5
JNIEnv->GetMethodID(android/content/ContextWrapper.getPackageName()Ljava/lang/String;) => 0x8bcc2d71 was called from RX@0x40002665[libc-lib.so]0x2665
JNIEnv->CallObjectMethodV(android.content.ContextWrapper@26ba2a48, getPackageName() => "com.xx") was called from RX@0x40000af5[libc-lib.so]0xaf5
JNIEnv->GetMethodID(android/content/pm/PackageManager.getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;) => 0x3bca8377 was called from RX@0x4000268f[libc-lib.so]0x268f
JNIEnv->CallObjectMethodV(android.content.pm.PackageManager@17550481, getPackageInfo("com.xx", 0x40) => android.content.pm.PackageInfo@180bc464) was called from RX@0x40000af5[libc-lib.so]0xaf5
JNIEnv->GetFieldID(android/content/pm/PackageInfo.versionName Ljava/lang/String;) => 0xbcc0232a was called from RX@0x400026c5[libc-lib.so]0x26c5
JNIEnv->GetObjectField(android.content.pm.PackageInfo@180bc464, versionName Ljava/lang/String; => "7.9.178") was called from RX@0x400026d3[libc-lib.so]0x26d3
JNIEnv->GetStringUtfChars("7.9.178") was called from RX@0x400026e3[libc-lib.so]0x26e3
JNIEnv->GetFieldID(android/content/pm/PackageInfo.signatures [Landroid/content/pm/Signature;) => 0x25f17218 was called from RX@0x400026fb[libc-lib.so]0x26fb
JNIEnv->GetObjectField(android.content.pm.PackageInfo@180bc464, signatures [Landroid/content/pm/Signature; => [android.content.pm.Signature@3a82f6ef]) was called from RX@0x4000270b[libc-lib.so]0x270b
JNIEnv->GetArrayLength([android.content.pm.Signature@3a82f6ef] => 1) was called from RX@0x40002719[libc-lib.so]0x2719
JNIEnv->GetObjectArrayElement([android.content.pm.Signature@3a82f6ef], 0) => android.content.pm.Signature@3a82f6ef was called from RX@0x40002727[libc-lib.so]0x2727
JNIEnv->GetMethodID(android/content/pm/Signature.toCharsString()Ljava/lang/String;) => 0x7a908191 was called from RX@0x40002745[libc-lib.so]0x2745
JNIEnv->CallObjectMethodV(android.content.pm.Signature@3a82f6ef, toCharsString() => "308202253082018ea00302010202044e239460300d06092a864886f70d0101050500305731173015060355040a0c0ec386c3b0c2b5c3a3c396c390c38e311d301b060355040b0c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8311d301b06035504030c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8301e170d3131303731383032303331325a170d3431303731303032303331325a305731173015060355040a0c0ec386c3b0c2b5c3a3c396c390c38e311d301b060355040b0c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8311d301b06035504030c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b830819f300d06092a864886f70d010101050003818d0030818902818100a3d47f8bfd8d54de1dfbc40a9caa88a43845e287e8f40da2056be126b17233669806bfa60799b3d1364e79a78f355fd4f72278650b377e5acc317ff4b2b3821351bcc735543dab0796c716f769c3a28fedc3bca7780e5fff6c87779f3f3cdec6e888b4d21de27df9e7c21fc8a8d9164bfafac6df7d843e59b88ec740fc52a3c50203010001300d06092a864886f70d0101050500038181001f7946581b8812961a383b2d860b89c3f79002d46feb96f2a505bdae57097a070f3533c42fc3e329846886281a2fbd5c87685f59ab6dd71cc98af24256d2fbf980ded749e2c35eb0151ffde993193eace0b4681be4bcee5f663dd71dd06ab64958e02a60d6a69f21290cb496dd8784a4c31ebadb1b3cc5cb0feebdaa2f686ee2") was called from RX@0x40000af5[libc-lib.so]0xaf5
JNIEnv->GetStringUtfChars("308202253082018ea00302010202044e239460300d06092a864886f70d0101050500305731173015060355040a0c0ec386c3b0c2b5c3a3c396c390c38e311d301b060355040b0c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8311d301b06035504030c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8301e170d3131303731383032303331325a170d3431303731303032303331325a305731173015060355040a0c0ec386c3b0c2b5c3a3c396c390c38e311d301b060355040b0c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8311d301b06035504030c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b830819f300d06092a864886f70d010101050003818d0030818902818100a3d47f8bfd8d54de1dfbc40a9caa88a43845e287e8f40da2056be126b17233669806bfa60799b3d1364e79a78f355fd4f72278650b377e5acc317ff4b2b3821351bcc735543dab0796c716f769c3a28fedc3bca7780e5fff6c87779f3f3cdec6e888b4d21de27df9e7c21fc8a8d9164bfafac6df7d843e59b88ec740fc52a3c50203010001300d06092a864886f70d0101050500038181001f7946581b8812961a383b2d860b89c3f79002d46feb96f2a505bdae57097a070f3533c42fc3e329846886281a2fbd5c87685f59ab6dd71cc98af24256d2fbf980ded749e2c35eb0151ffde993193eace0b4681be4bcee5f663dd71dd06ab64958e02a60d6a69f21290cb496dd8784a4c31ebadb1b3cc5cb0feebdaa2f686ee2") was called from RX@0x40002519[libc-lib.so]0x2519
JNIEnv->ReleaseStringUTFChars("308202253082018ea00302010202044e239460300d06092a864886f70d0101050500305731173015060355040a0c0ec386c3b0c2b5c3a3c396c390c38e311d301b060355040b0c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8311d301b06035504030c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8301e170d3131303731383032303331325a170d3431303731303032303331325a305731173015060355040a0c0ec386c3b0c2b5c3a3c396c390c38e311d301b060355040b0c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b8311d301b06035504030c14c386c3b0c2b5c3a3c396c390c38ec384c38dc3b830819f300d06092a864886f70d010101050003818d0030818902818100a3d47f8bfd8d54de1dfbc40a9caa88a43845e287e8f40da2056be126b17233669806bfa60799b3d1364e79a78f355fd4f72278650b377e5acc317ff4b2b3821351bcc735543dab0796c716f769c3a28fedc3bca7780e5fff6c87779f3f3cdec6e888b4d21de27df9e7c21fc8a8d9164bfafac6df7d843e59b88ec740fc52a3c50203010001300d06092a864886f70d0101050500038181001f7946581b8812961a383b2d860b89c3f79002d46feb96f2a505bdae57097a070f3533c42fc3e329846886281a2fbd5c87685f59ab6dd71cc98af24256d2fbf980ded749e2c35eb0151ffde993193eace0b4681be4bcee5f663dd71dd06ab64958e02a60d6a69f21290cb496dd8784a4c31ebadb1b3cc5cb0feebdaa2f686ee2") was called from RX@0x4000257f[libc-lib.so]0x257f
JNIEnv->NewStringUTF("f189adc92b816b3e9da29ea304d4a7e4") was called from RX@0x4000258d[libc-lib.so]0x258d
JNIEnv->GetStringUtfChars("f189adc92b816b3e9da29ea304d4a7e4") was called from RX@0x40002767[libc-lib.so]0x2767
JNIEnv->ReleaseStringUTFChars("0") was called from RX@0x400027e1[libc-lib.so]0x27e1
JNIEnv->ReleaseStringUTFChars("9e450ea5f3dd0b8a") was called from RX@0x400027ef[libc-lib.so]0x27ef
JNIEnv->ReleaseStringUTFChars("0") was called from RX@0x400027fd[libc-lib.so]0x27fd
JNIEnv->ReleaseStringUTFChars("7.9.178") was called from RX@0x4000280b[libc-lib.so]0x280b
JNIEnv->NewByteArray(128) was called from RX@0x400024b9[libc-lib.so]0x24b9
JNIEnv->SetByteArrayRegion([B@2a5ca609, 0, 128, unidbg@0x8048d38) was called from RX@0x400024cf[libc-lib.so]0x24cf
JNIEnv->ReleaseStringUTFChars("bf0fd95eb2cf2d1750cb5ff9364c5f49") was called from RX@0x4000283d[libc-lib.so]0x283d
JNIEnv->ReleaseStringUTFChars("f189adc92b816b3e9da29ea304d4a7e4") was called from RX@0x4000284d[libc-lib.so]0x284d
观察在sign方法中获取了参数、版本号、签名,然后进行了两次md5,最后输出了一个128位的字节数组,经过测试,两个md5分别为对请求参加md5,对签名进行md5。
sign函数返回的是字节数组,看了下jadx解析出来的工具类的名字为Base64Util,遂想到先用android的Base64一下,看看结果如何。可以看出,应用的base64函数做过特殊处理,在中间插入了两个空格,看来需要直接使用它原来的方法比较好。
//m39789a(ret.getValue())
R7TCs6Tou2X528j+NblfBuhFR2mLg5WEyNivv5UU4IC0wPHa6I06PG69U9DL 3dCj1aYsauB5Fkf6kQJy57OjgGSf2EXDkAcm2Rvoe8vyU7K+oimgA0khxrjZ Tqqj7rjhmQzKcbXBnRQDC3cssqP8oyU0V/kcuXoJmeS5vvMPB8o=
//Base64Android.encode(ret.getValue(),2)
R7TCs6Tou2X528j+NblfBuhFR2mLg5WEyNivv5UU4IC0wPHa6I06PG69U9DL3dCj1aYsauB5Fkf6kQJy57OjgGSf2EXDkAcm2Rvoe8vyU7K+oimgA0khxrjZTqqj7rjhmQzKcbXBnRQDC3cssqP8oyU0V/kcuXoJmeS5vvMPB8o=
此时需要逆向 包名.core.util.e(这个类是Base64Util)下的public static String m39789a(byte[] bArr)函数,可以看出,该函数逻辑恢复不正确;
public static String m39789a(byte[] bArr) {
AppMethodBeat.m13386i(132653);
int length = bArr.length;
StringBuilder sb = new StringBuilder((bArr.length * 3) / 2);
int i = length - 3;
int i2 = 0;
loop0: while (true) {
int i3 = 0;
while (i2 > 18) & 63]);
sb.append(cArr[(i4 >> 12) & 63]);
sb.append(cArr[(i4 >> 6) & 63]);
sb.append(cArr[i4 & 63]);
i2 += 3;
int i5 = i3 + 1;
if (i3 >= 14) {
break;
}
i3 = i5;
}
sb.append(" ");
}
int i6 = 0 + length;
if (i2 == i6 - 2) {
int i7 = ((bArr[i2 + 1] & UByte.MAX_VALUE) > 18) & 63]);
sb.append(cArr2[(i7 >> 12) & 63]);
sb.append(cArr2[(i7 >> 6) & 63]);
sb.append(ContainerUtils.KEY_VALUE_DELIMITER);
} else if (i2 == i6 - 1) {
int i8 = (bArr[i2] & UByte.MAX_VALUE) > 18) & 63]);
sb.append(cArr3[(i8 >> 12) & 63]);
sb.append("==");
}
String sb2 = sb.toString();
AppMethodBeat.m13385o(132653);
return sb2;
}
于是通过jadx的信息,定位该dex位于classes3.dex中,通过dex2jar,获得了对应的jar压缩包;
由于压缩包中其他的类,并不是本次关注对象,单独提取 包名.core.util.e.class,扔到在线反编译网站,选择Procyon引擎进行逆向后得到
public static String m39789a(byte[] array) {
System.out.println(leviathan.bytesToHexString(array));
final int length = array.length;
final StringBuilder sb = new StringBuilder(array.length * 3 / 2);
int i = 0;
Label_0025:
while (true) {
int n = 0;
while (i > 18 & 0x3F]);
sb.append(a[n2 >> 12 & 0x3F]);
sb.append(a[n2 >> 6 & 0x3F]);
sb.append(a[n2 & 0x3F]);
i += 3;
if (n >= 14) {
sb.append(" ");
continue Label_0025;
}
++n;
}
break;
}
final int n3 = 0 + length;
if (i == n3 - 2) {
final int n4 = (array[i + 1] & 0xFF) > 18 & 0x3F]);
sb.append(a2[n4 >> 12 & 0x3F]);
sb.append(a2[n4 >> 6 & 0x3F]);
sb.append("=");
} else if (i == n3 - 1) {
final int n5 = (array & 0xFF) > 18 & 0x3F]);
sb.append(a3[n5 >> 12 & 0x3F]);
sb.append("==");
}
final String string = sb.toString();
return string;
}
通过该函数解析字节数组,得到了最终的加密参数。
下面该还原so中的具体加密细节了。
打开IDA查看函数,通过unidbg模拟可以看到动态注册函数位置位于0x25a9,查看伪代码,可以看到对参数进行了拼接
这些参数通过对比unidbg日志,除了src不知道是什么,其余都对应上了,那接下来,hook下strcat
xHook.register("libc-lib.so", "strcat", new ReplaceCallback() {
@Override
public HookStatus onCall(Emulator emulator, HookContext context, long originFunction) {
Pointer pointer1 = context.getPointerArg(0);
Pointer pointer = context.getPointerArg(1);
String str = pointer0.getString(0);
String str1 = pointer1.getString(0);
System.out.println("strcat=" + str + ":" + str1);
return HookStatus.RET(emulator, originFunction);
}
@Override
public void postCall(Emulator emulator, HookContext context) {
System.out.println("strcat=" + ", ret=" + context.getPointerArg(0).getString(0));
}
}, true);
可以得出src的值
再往下分析,得出2488函数是最终进行加密的函数,继续跟进,看到如下代码
可以看到DES_ede3_cbc_encrypt关键字,搜索google,发现有一个openssl库一模一样的函数,参数个数也对应上了,
得出v24是输入参数,v27、v26、v25分别为秘钥1、2、3,v21为初始化向量。懒得找一个openssl库来实验了,我先想办法得到秘钥,向量已经在代码中看到了,既是01234567。
hook函数DES_ede3_cbc_encrypt
xHook.register("libc-lib.so", "DES_ede3_cbc_encrypt", new ReplaceCallback() {
@Override
public HookStatus onCall(Emulator emulator, HookContext context, long originFunction) {
Pointer pointer0 = context.getPointerArg(0);
Pointer pointer3 = context.getPointerArg(3);
Pointer pointer4 = context.getPointerArg(4);
Pointer pointer5 = context.getPointerArg(5);
Pointer pointer6 = context.getPointerArg(6);
byte[] str = pointer0.getByteArray(0,8);
byte[] str3 = pointer3.getByteArray(0,8);
byte[] str4 = pointer4.getByteArray(0,8);
byte[] str5 = pointer5.getByteArray(0,8);
byte[] str6 = pointer6.getByteArray(0,8);
Inspector.inspect(str, "memcpy src=" + pointer0);
Inspector.inspect(str3, "memcpy v3=" + pointer3);
Inspector.inspect(str4, "memcpy v4=" + pointer4);
Inspector.inspect(str5, "memcpy v5=" + pointer5);
Inspector.inspect(str6, "memcpy v6=" + pointer6);
// System.out.println("DES_ede3_cbc_encrypt=" + str + ":" + str3+":"+str4 +":"+str5+":"+str6);
return HookStatus.RET(emulator, originFunction);
}
@Override
public void postCall(Emulator emulator, HookContext context) {
// System.out.println("DES_ede3_cbc_encrypt=" + ", ret=" + context.getPointerArg(0).getString(0));
}
}, true);
结果如下
[17:48:46 063]memcpy v3=unidbg@0xbffff598, md5=7e504a51a397f262e2e74221ac9c0ed2, hex=105cbc14004d0409
size: 8
0000: 10 5C BC 14 00 4D 04 09 .\...M..
^-----------------------------------------------------------------------------^
>------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
看这个日志输出,三个秘钥都不相同,看不出是个啥,往回看秘钥来源于0xb88函数,hook这个函数
hookZz.wrap(module.base + 0x00000b88 + 1, new WrapCallback() {
@Override
public void preCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
System.out.println(ctx.getPointerArg(0) +" b88=" + ctx.getPointerArg(1) + ", R10=0x" + ctx.getPointerArg(2));
}
@Override
public void postCall(Emulator emulator, RegisterContext ctx, HookEntryInfo info) {
super.postCall(emulator, ctx, info);
System.out.println("b88: " + ctx.getPointerArg(0).getString(0));
}
});
得到了一个字符串,搜索google找到DES_ede3_cbc_encrypt对应的java方法实验一下
public static void encrypt_des_ede_cbc_pkcs(String content) throws Exception
{
byte[] in = content.getBytes("UTF-8");
Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
SecretKeyFactory skf = SecretKeyFactory.getInstance("DESede");
SecretKey sk = skf.generateSecret(new DESedeKeySpec("xxxx".getBytes()));
IvParameterSpec ips = new IvParameterSpec("xxx".getBytes());
cipher.init(Cipher.ENCRYPT_MODE, sk, ips);
byte[] out = cipher.doFinal(in);
}
然后把两个字节比较之后发现一模一样,说明秘钥正确。
到此算法分析结束。
