Android————加密解密

Openssl

1. 原理

之前我们介绍SSL工作原理了解到当你在浏览器的地址栏上输入https开头的网址后，浏览器和服务器之间会在接下来的几百毫秒内进行大量的通信。这些复杂的步骤的第一步，就是浏览器与服务器之间协商一个在后续通信中使用的密钥算法。这个过程简单来说是这样的：

浏览器把自身支持的一系列Cipher Suite（密钥算法套件，后文简称Cipher）[C1,C2,C3, …]发给服务器；

服务器接收到浏览器的所有Cipher后，与自己支持的套件作对比，如果找到双方都支持的Cipher，则告知浏览器；

浏览器与服务器使用匹配的Cipher进行后续通信。如果服务器没有找到匹配的算法，浏览器（以Firefox 30为例，后续例子中使用的浏览器均为此版本的Firefox）将给出错误信息:

2. 浏览器

浏览器支持哪些Cipher？这取决于浏览器支持的SSL/TLS协议的版本。习惯上，我们通常把HTTPS与SSL协议放到一起；事实上，SSL协议是Netcape公司于上世纪90年代中期提出的协议，自身发展到3.0版本。1999年该协议由ITEL接管，进行了标准化，改名为TLS。可以说，TLS 1.0就是SSL 3.1版本。

目前TLS最新版本是1.2。互联网上有超过99%的网站支持TLS 1.0，而支持TLS 1.2的网站尚不足40%。打开Firefox浏览器，在地址栏中输入about:config，然后搜索tls.version，会看到下面的选项:

其中security.tls.version.min和security.tls.version.max两项决定了Firefox支持的SSL/TLS版本，根据Firefox文档的介绍，这两项的可选值及其代表的协议是：

0 – SSL 3.0

1 – TLS 1.0

2 – TLS 1.1

3 – TLS 1.2

因此上图的设置说明当前浏览器支持协议的下限是SSL 3.0，上限是TLS 1.2。现在，如果把security.tls.version.min一项改为3，那么浏览器就只支持TLS 1.2了。前文提到，目前只有不足40%的网站支持TLS 1.2，比如Amazon就不在这40%之列，所以此时访问https://amazon.com，就会收到“Secure Connection Failed”的错误信息，如图1所示。

了解了SSL/TLS协议后，可以使用Wireshark（或类似的可以抓去网络包的工具）通过分析网络包的信息，来查看浏览器发送给服务器的所有Cipher。

浏览器会首先发起握手协议，既一个“ClientHello”消息，在消息体中，可以找到Firefox支持的Cipher。在Wireshark中，按照Protocol协议排序，然后从TLS 1.2协议的报文中找到一个Info为“Client Hello”的。选中这个，然后在下面的报文信息窗口中依次找到Secure Sockets Layer -> TLSv1.2 Record Layer -> Handshake Protocal -> Cipher Suites。例子中的第一个Cipher是TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256，一共有23个:

如果继续找一个Info为“ServerHello”的报文，可以在类似的位置找到服务器返回的Cipher，在本例中是TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:

关于密钥算法这一长串名字的含义，后面说明。接下来，浏览器就要等待服务器响应它的请求。我们来看一看服务器端都做了些什么。

3. 服务器

让我们以Windows为例。若要查看操作系统支持哪些密钥算法，可以运行gpedit.msc，依次进入”Computer Configuration” -> ”Administrative Templates” -> “Network” -> “SSL Configuration Settings”，这时可以在窗口右边看到”SSL Cipher Suite Order”项：

点击该项后进入”SSL Cipher Suite Order”。这里可以看到操作系统支持的Cipher的集合，以及对不同Cipher的排序

如果需要调整这里排序，或者去掉一些弱的Cipher，可以点击左上角的“Enabled”，然后在“Options”中重写编辑Cipher的列表。如果喜欢命令行，可以通过下面的Powershell命令修改密钥算法套件：

Set-ItemProperty -path HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\0001002 -name Functions -value "XXX,XXX,XXX"

　　那么Cipher的这一长串名字是什么含义呢？其实，每种Cipher的名字里包含了四部分信息，分别是

密钥交换算法，用于决定客户端与服务器之间在握手的过程中如何认证，用到的算法包括RSA，Diffie-Hellman，ECDH，PSK等

加密算法，用于加密消息流，该名称后通常会带有两个数字，分别表示密钥的长度和初始向量的长度，比如DES 56/56, RC2 56/128, RC4 128/128, AES 128/128, AES 256/256

报文认证信息码（MAC）算法，用于创建报文摘要，确保消息的完整性（没有被篡改），算法包括MD5，SHA等。

PRF（伪随机数函数），用于生成“master secret”。

　　完全搞懂上面的内容似乎还需要一本书的介绍（我已经力不从心了）。不过大致了解一下，有助于理解Cipher的名字，比如前面服务器发回给客户端的Cipher，

　　TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

　　从其名字可知，它是

基于TLS协议的；

使用ECDHE、RSA作为密钥交换算法；

加密算法是AES（密钥和初始向量的长度都是256）；

MAC算法（这里就是哈希算法）是SHA。

熟悉了Cipher名字背后的含义后，让我们看看像IIS这样的Web服务器如何选择一个密钥算法呢？假如浏览器发来的密钥算法套件为[C1, C2, C3]，而Windows Server支持的套件为[C4, C2, C1, C3]时，C1和C2都是同时被双方支持的算法，IIS是优先返回C1，还是C2呢？答案是C2。IIS会遍历服务器的密钥算法套件，取出第一个C4，发现浏览器并不支持；接下来取第二个C2，这个被浏览器支持！于是，IIS选择了C2算法，并将它包含在一个“ServerHello”握手协议中，发回给客户端。这就有了图5中的结果。

4. 选择

作为浏览器的使用者，你可以让浏览器只能访问支持TLS 1.2协议的站点，以获得更好的安全性，以及更差的体验。作为服务器的维护者，似乎将最强壮的Cipher排在前面是正确的选择。SSL证书部署成功后，易维信技术会帮用户检查服务器端的加密套件，在我们的安全检查中，常常被报出的问题之一就是服务器默认的Cipher太弱（RC4-based）

5.指令

tls握手

openssl s_client -connect 220.181.38.148:443 -servername baidu.com -msg

base64 编码: openssl enc -base64 -in plain.txt -out base64.txt
enc： 通用加密指令
-base64: 指定加密方式为 base64
-in 文件名: 需要进行 base64 的文件
-out 文件名: base64 后的文件保存到哪里
-e(默认): 表示当前需要执行编码操作

base64 解码: openssl enc -d -base64 -in plain.txt -out base64.txt
-d: 表示当前需要执行解码操作

查看 md5 输出到控制台: openssl dgst -md5 demo.exe
查看 md5 输出到文件中: openssl dgst -md5 -out md5.txt demo.exe
-md5: 指定使用 md5 算法计算消息摘要，通过 help 查看支持的所有算法

对称加密: openssl enc -des-cbc -in demo.png -out encrypt.png -pass pass:12345678
-des-cbc: 指定加密方式和分组模式，使用 help 查看所有
-pass: 指定对称加密使用的 key

生成公钥：
openssl rsa -in pri.pem -pubout pub.pem
生成私钥：
openssl genrsa -out private.pem 1024
加密文件：
openssl rsautl -encrypt -in md5.txt -inkey pub.pem -pubin -out md5.en
解密文件：
openssl rsautl -decrypt -inkey private.pem -in file.rsa -out file

Java加解密

今天分享的是frida hook AES DES RSA 自吐算法

视频演示：https://space.bilibili.com/430241559

在分析通信协议的时候 经常遇到的加密算法就是那几个

1. AES
2. DES
3. 3DES
4. RSA

在hook AES DES RSA这些常见的加密算法之前
这里先看一下3个算法的java实现

1 AES加解密 java代码实现

1.1 AES加密

//bytesContent 要加密的数据
//key 密钥
public static byte[] aes_enc(byte[] bytesContent, String key) throws Exception
{
    //key相关
    byte[] raw = key.getBytes("utf-8");
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");

    //"算法/模式/补码方式" 初始化cipher
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

    //执行加密
    byte[] enc = cipher.doFinal(bytesContent);
    return enc;
}

1.2 AES解密

//bytesContent 要解密的数据
//key 密钥
public byte[] aes_dec(byte[] bytesContent, String key) throws Exception
{
    //key相关
    byte[] raw = key.getBytes("utf-8");
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");

    //"算法/模式/补码方式" 初始化cipher
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, skeySpec);

    //执行解密
    byte[] dec = cipher.doFinal(bytesContent);
    return dec;
}

这里AES加解密的区别只有一点

//Cipher.DECRYPT_MODE为解密  
//Cipher.ENCRYPT_MODE 加密
cipher.init(Cipher.DECRYPT_MODE, skeySpec)

2. DES加解密 java实现代码

2.1 DES加密

private static byte[] des_enc(byte[] data, byte[] key) throws Exception {
    // 生成一个可信任的随机数源
    SecureRandom sr = new SecureRandom();

    // 从原始密钥数据创建DESKeySpec对象
    DESKeySpec dks = new DESKeySpec(key);

    // 创建一个密钥工厂，然后用它把DESKeySpec转换成SecretKey对象
    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
    SecretKey securekey = keyFactory.generateSecret(dks);

    // Cipher对象实际完成加密操作
    Cipher cipher = Cipher.getInstance("DES");

    // 用密钥初始化Cipher对象
    cipher.init(Cipher.ENCRYPT_MODE, securekey, sr);

    return cipher.doFinal(data);
}

2.2 DES解密

private static byte[] des_dec(byte[] data, byte[] key) throws Exception {
    // 生成一个可信任的随机数源
    SecureRandom sr = new SecureRandom();

    // 从原始密钥数据创建DESKeySpec对象
    DESKeySpec dks = new DESKeySpec(key);

    // 创建一个密钥工厂，然后用它把DESKeySpec转换成SecretKey对象
    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
    SecretKey securekey = keyFactory.generateSecret(dks);

    // Cipher对象实际完成解密操作
    Cipher cipher = Cipher.getInstance("DES");

    // 用密钥初始化Cipher对象
    cipher.init(Cipher.DECRYPT_MODE, securekey, sr);

    return cipher.doFinal(data);
}

这里DES加解密的区别只有一点

//Cipher.DECRYPT_MODE为解密  
//Cipher.ENCRYPT_MODE 加密
cipher.init(Cipher.DECRYPT_MODE, securekey, sr);

3. RSA加解密 java代码实现

RSA加解密代码实现

public static void RSA(byte[] bytesData) throws Exception
{
    //秘钥长度为1024 生成秘钥对
    KeyPairGenerator keyPairGenerator=KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(1024);
    KeyPair keyPair= keyPairGenerator.generateKeyPair();

    //获取公钥 私钥
    PublicKey publicKey=keyPair.getPublic();
    PrivateKey privateKey=keyPair.getPrivate();

    //公钥加密 java默认"RSA"="RSA/ECB/PKCS1Padding"
    Cipher cipher=Cipher.getInstance("RSA");
    cipher.init(Cipher.ENCRYPT_MODE, publicKey);
    byte[] encBytes = cipher.doFinal(bytesData);

    //私钥解密 java默认"RSA"="RSA/ECB/PKCS1Padding"
    Cipher cipher1=Cipher.getInstance("RSA");
    cipher1.init(Cipher.DECRYPT_MODE, privateKey);
    byte[] decBytes = cipher1.doFinal(encBytes);
    Log.d("xxx",new String(decBytes));
}

这里忽略前面RSA加解密都需要的生成公钥私钥的部分
核心功能代码如下

3.1 RSA加密代码

//公钥加密 java默认"RSA"="RSA/ECB/PKCS1Padding"
Cipher cipher=Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] encBytes = cipher.doFinal(bytesData);

3.2 RSA解密代码

//私钥解密 java默认"RSA"="RSA/ECB/PKCS1Padding"Cipher cipher1=Cipher.getInstance("RSA");cipher1.init(Cipher.DECRYPT_MODE, privateKey);byte[] decBytes = cipher1.doFinal(encBytes);

这里RSA加解密的区别也只有一点

//Cipher.DECRYPT_MODE为解密   publicKey  公钥加密//Cipher.ENCRYPT_MODE为加密   privateKey 私钥解密cipher.init(Cipher.ENCRYPT_MODE, publicKey);

看了上面的一些代码 这里可以找到一些共性
虽然实现处有些区别 但大体架构和使用的java接口是可以找到一些规律的

这里出镜率比较高的有

1. secretKeySpec
2. Cipher.getInstance
3. cipher.init
4. cipher.doFinal
5. DESKeySpec
   …(后续还有 这里不一一列举)

查阅java帮助文档可以发现, 这些API都是一些加密算法常用的接口, 那么实现自吐 就是hook加密算法常用的API,打印相关参数,以便于快速的定位算法和相关参数 加密模式等

在网上查找 相关资料 我找到了一份frida自吐算法的源码 链接如下
[https://blog.csdn.net/weixin_34365417/article/details/93088342]

看了上面的源码 作者写的还是不错的 而且不仅hook了 我上面提到的加密算法 还hook了一些消息摘要算法 MAC家族和md家族等 也就是 md5 sha 等通信协议中常用的hash算法 另外也有对 IV这种加密中用到的向量成员的hook

这里 我修改了下源码
修改的部分主要分为下面几点

1. 针对上面的打印堆栈的代码做了修改 修复在高版本 打印堆栈不换行的问题
2. 增加了一些hook api
3. 把原来的 python脚本换成了js
4. 修复一个bug
5. ui调整 增加显示 加密模式 解密模式 把原脚本的dec结果 改成str结果 增加dofinal str显示

4 修改后的源码

var N_ENCRYPT_MODE = 1
var N_DECRYPT_MODE = 2

function showStacks() {
    var Exception = Java.use("java.lang.Exception");
    var ins = Exception.$new("Exception");
    var straces = ins.getStackTrace();

    if (undefined == straces || null == straces) {
        return;
    }

    console.log("============================= Stack strat=======================");
    console.log("");

    for (var i = 0; i < straces.length; i++) {
        var str = "   " + straces[i].toString();
        console.log(str);
    }

    console.log("");
    console.log("============================= Stack end=======================\r\n");
    Exception.$dispose();
}

//工具相关函数 
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
    base64DecodeChars = new Array((-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), 62, (-1), (-1), (-1), 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, (-1), (-1), (-1), (-1), (-1), (-1), (-1), 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, (-1), (-1), (-1), (-1), (-1), (-1), 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, (-1), (-1), (-1), (-1), (-1));

function stringToBase64(e) {
    var r, a, c, h, o, t;
    for (c = e.length, a = 0, r = ''; a < c;) {
        if (h = 255 & e.charCodeAt(a++), a == c) {
            r += base64EncodeChars.charAt(h >> 2),
                r += base64EncodeChars.charAt((3 & h) << 4),
                r += '==';
            break
        }
        if (o = e.charCodeAt(a++), a == c) {
            r += base64EncodeChars.charAt(h >> 2),
                r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
                r += base64EncodeChars.charAt((15 & o) << 2),
                r += '=';
            break
        }
        t = e.charCodeAt(a++),
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
            r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
            r += base64EncodeChars.charAt(63 & t)
    }
    return r
}
function base64ToString(e) {
    var r, a, c, h, o, t, d;
    for (t = e.length, o = 0, d = ''; o < t;) {
        do
            r = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && r == -1);
        if (r == -1)
            break;
        do
            a = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && a == -1);
        if (a == -1)
            break;
        d += String.fromCharCode(r << 2 | (48 & a) >> 4);
        do {
            if (c = 255 & e.charCodeAt(o++), 61 == c)
                return d;
            c = base64DecodeChars[c]
        } while (o < t && c == -1);
        if (c == -1)
            break;
        d += String.fromCharCode((15 & a) << 4 | (60 & c) >> 2);
        do {
            if (h = 255 & e.charCodeAt(o++), 61 == h)
                return d;
            h = base64DecodeChars[h]
        } while (o < t && h == -1);
        if (h == -1)
            break;
        d += String.fromCharCode((3 & c) << 6 | h)
    }
    return d
}
function hexToBase64(str) {
    return base64Encode(String.fromCharCode.apply(null, str.replace(/\r|\n/g, "").replace(/([\da-fA-F]{2}) ?/g, "0x$1 ").replace(/ +$/, "").split(" ")));
}
function base64ToHex(str) {
    for (var i = 0, bin = base64Decode(str.replace(/[ \r\n]+$/, "")), hex = []; i < bin.length; ++i) {
        var tmp = bin.charCodeAt(i).toString(16);
        if (tmp.length === 1)
            tmp = "0" + tmp;
        hex[hex.length] = tmp;
    }
    return hex.join("");
}
function hexToBytes(str) {
    var pos = 0;
    var len = str.length;
    if (len % 2 != 0) {
        return null;
    }
    len /= 2;
    var hexA = new Array();
    for (var i = 0; i < len; i++) {
        var s = str.substr(pos, 2);
        var v = parseInt(s, 16);
        hexA.push(v);
        pos += 2;
    }
    return hexA;
}
function bytesToHex(arr) {
    var str = '';
    var k, j;
    for (var i = 0; i < arr.length; i++) {
        k = arr[i];
        j = k;
        if (k < 0) {
            j = k + 256;
        }
        if (j < 16) {
            str += "0";
        }
        str += j.toString(16);
    }
    return str;
}
function stringToHex(str) {
    var val = "";
    for (var i = 0; i < str.length; i++) {
        if (val == "")
            val = str.charCodeAt(i).toString(16);
        else
            val += str.charCodeAt(i).toString(16);
    }
    return val
}
function stringToBytes(str) {
    var ch, st, re = [];
    for (var i = 0; i < str.length; i++) {
        ch = str.charCodeAt(i);
        st = [];
        do {
            st.push(ch & 0xFF);
            ch = ch >> 8;
        }
        while (ch);
        re = re.concat(st.reverse());
    }
    return re;
}
//将byte[]转成String的方法
function bytesToString(arr) {
    var str = '';
    arr = new Uint8Array(arr);
    for (var i in arr) {
        str += String.fromCharCode(arr[i]);
    }
    return str;
}
function bytesToBase64(e) {
    var r, a, c, h, o, t;
    for (c = e.length, a = 0, r = ''; a < c;) {
        if (h = 255 & e[a++], a == c) {
            r += base64EncodeChars.charAt(h >> 2),
                r += base64EncodeChars.charAt((3 & h) << 4),
                r += '==';
            break
        }
        if (o = e[a++], a == c) {
            r += base64EncodeChars.charAt(h >> 2),
                r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
                r += base64EncodeChars.charAt((15 & o) << 2),
                r += '=';
            break
        }
        t = e[a++],
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
            r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
            r += base64EncodeChars.charAt(63 & t)
    }
    return r
}
function base64ToBytes(e) {
    var r, a, c, h, o, t, d;
    for (t = e.length, o = 0, d = []; o < t;) {
        do
            r = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && r == -1);
        if (r == -1)
            break;
        do
            a = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && a == -1);
        if (a == -1)
            break;
        d.push(r << 2 | (48 & a) >> 4);
        do {
            if (c = 255 & e.charCodeAt(o++), 61 == c)
                return d;
            c = base64DecodeChars[c]
        } while (o < t && c == -1);
        if (c == -1)
            break;
        d.push((15 & a) << 4 | (60 & c) >> 2);
        do {
            if (h = 255 & e.charCodeAt(o++), 61 == h)
                return d;
            h = base64DecodeChars[h]
        } while (o < t && h == -1);
        if (h == -1)
            break;
        d.push((3 & c) << 6 | h)
    }
    return d
}
//stringToBase64 stringToHex stringToBytes
//base64ToString base64ToHex base64ToBytes
//               hexToBase64  hexToBytes    
// bytesToBase64 bytesToHex bytesToString


Java.perform(function () {
    var secretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    secretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (a, b) {
        showStacks();
        var result = this.$init(a, b);
        console.log("======================================");
        console.log("算法名：" + b + "|str密钥:" + bytesToString(a));
        console.log("算法名：" + b + "|Hex密钥:" + bytesToHex(a));
        return result;
    }

    var DESKeySpec = Java.use('javax.crypto.spec.DESKeySpec');
    DESKeySpec.$init.overload('[B').implementation = function (a) {
        showStacks();
        var result = this.$init(a);
        console.log("======================================");
        var bytes_key_des = this.getKey();
        console.log("des密钥  |str " + bytesToString(bytes_key_des));
        console.log("des密钥  |hex " + bytesToHex(bytes_key_des));
        return result;
    }

    DESKeySpec.$init.overload('[B', 'int').implementation = function (a, b) {
        showStacks();
        var result = this.$init(a, b);
        console.log("======================================");
        var bytes_key_des = this.getKey();
        console.log("des密钥  |str " + bytesToString(bytes_key_des));
        console.log("des密钥  |hex " + bytesToHex(bytes_key_des));
        return result;
    }

    var mac = Java.use('javax.crypto.Mac');
    mac.getInstance.overload('java.lang.String').implementation = function (a) {
        showStacks();
        var result = this.getInstance(a);
        console.log("======================================");
        console.log("算法名：" + a);
        return result;
    }
    mac.update.overload('[B').implementation = function (a) {
        //showStacks();
        this.update(a);
        console.log("======================================");
        console.log("update:" + bytesToString(a))
    }
    mac.update.overload('[B', 'int', 'int').implementation = function (a, b, c) {
        //showStacks();
        this.update(a, b, c)
        console.log("======================================");
        console.log("update:" + bytesToString(a) + "|" + b + "|" + c);
    }
    mac.doFinal.overload().implementation = function () {
        //showStacks();
        var result = this.doFinal();
        console.log("======================================");
        console.log("doFinal结果: |str  :"     + bytesToString(result));
        console.log("doFinal结果: |hex  :"     + bytesToHex(result));
        console.log("doFinal结果: |base64  :"  + bytesToBase64(result));
        return result;
    }
    mac.doFinal.overload('[B').implementation = function (a) {
        //showStacks();
        var result = this.doFinal(a);
        console.log("======================================");
        console.log("doFinal参数: |str  :"     + bytesToString(a));
        console.log("doFinal参数: |hex  :"     + bytesToHex(a));
        console.log("doFinal结果: |str  :"     + bytesToString(result));
        console.log("doFinal结果: |hex  :"     + bytesToHex(result));
        console.log("doFinal结果: |base64  :"  + bytesToBase64(result));
        return result;
    }

    var md = Java.use('java.security.MessageDigest');
    md.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (a, b) {
        //showStacks();
        console.log("======================================");
        console.log("算法名：" + a);
        return this.getInstance(a, b);
    }
    md.getInstance.overload('java.lang.String').implementation = function (a) {
        //showStacks();
        console.log("======================================");
        console.log("算法名：" + a);
        return this.getInstance(a);
    }
    md.update.overload('[B').implementation = function (a) {
        //showStacks();
        console.log("======================================");
        console.log("update:" + bytesToString(a))
        return this.update(a);
    }
    md.update.overload('[B', 'int', 'int').implementation = function (a, b, c) {
        //showStacks();
        console.log("======================================");
        console.log("update:" + bytesToString(a) + "|" + b + "|" + c);
        return this.update(a, b, c);
    }
    md.digest.overload().implementation = function () {
        //showStacks();
        console.log("======================================");
        var result = this.digest();
        console.log("digest结果 |hex:" + bytesToHex(result));
        console.log("digest结果 |base64:" + bytesToBase64(result));
        return result;
    }
    md.digest.overload('[B').implementation = function (a) {
        //showStacks();
        console.log("======================================");
        console.log("digest参数 |str:" + bytesToString(a));
        console.log("digest参数 |hex:" + bytesToHex(a));
        var result = this.digest(a);
        console.log("digest结果: |hex" + bytesToHex(result));
        console.log("digest结果: |base64" + bytesToBase64(result));
        return result;
    }

    var ivParameterSpec = Java.use('javax.crypto.spec.IvParameterSpec');
    ivParameterSpec.$init.overload('[B').implementation = function (a) {
        //showStacks();
        var result = this.$init(a);
        console.log("======================================");
        console.log("iv向量: |str:" + bytesToString(a));
        console.log("iv向量: |hex:" + bytesToHex(a));
        return result;
    }

    var cipher = Java.use('javax.crypto.Cipher');
    cipher.getInstance.overload('java.lang.String').implementation = function (a) {
        //showStacks();
        var result = this.getInstance(a);
        console.log("======================================");
        console.log("模式填充:" + a);
        return result;
    }
    cipher.init.overload('int', 'java.security.Key').implementation = function (a, b) {
        //showStacks();
        var result = this.init(a, b);
        console.log("======================================");
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }

        var bytes_key = b.getEncoded();
        console.log("init key:" + "|str密钥:" + bytesToString(bytes_key));
        console.log("init key:" + "|Hex密钥:" + bytesToHex(bytes_key));
        return result;
    }
    cipher.init.overload('int', 'java.security.cert.Certificate').implementation = function (a, b) {
        //showStacks();
        var result = this.init(a, b);
        console.log("======================================");
        
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }

        return result;
    }
    cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec').implementation = function (a, b, c) {
        //showStacks();
        var result = this.init(a, b, c);
        console.log("======================================");
        
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }
     
        var bytes_key = b.getEncoded();
        console.log("init key:" + "|str密钥:" + bytesToString(bytes_key));
        console.log("init key:" + "|Hex密钥:" + bytesToHex(bytes_key));

        return result;
    }
    cipher.init.overload('int', 'java.security.cert.Certificate', 'java.security.SecureRandom').implementation = function (a, b, c) {
        //showStacks();
        var result = this.init(a, b, c);
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }
        return result;
    }
    cipher.init.overload('int', 'java.security.Key', 'java.security.SecureRandom').implementation = function (a, b, c) {
        //showStacks();
        var result = this.init(a, b, c);
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }

         var bytes_key = b.getEncoded();
        console.log("init key:" + "|str密钥:" + bytesToString(bytes_key));
        console.log("init key:" + "|Hex密钥:" + bytesToHex(bytes_key));
        return result;
    }
    cipher.init.overload('int', 'java.security.Key', 'java.security.AlgorithmParameters').implementation = function (a, b, c) {
        //showStacks();
        var result = this.init(a, b, c);
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }

        var bytes_key = b.getEncoded();
        console.log("init key:" + "|str密钥:" + bytesToString(bytes_key));
        console.log("init key:" + "|Hex密钥:" + bytesToHex(bytes_key));
        return result;
    }
    cipher.init.overload('int', 'java.security.Key', 'java.security.AlgorithmParameters', 'java.security.SecureRandom').implementation = function (a, b, c, d) {
        //showStacks();
        var result = this.init(a, b, c, d);
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }

        var bytes_key = b.getEncoded();
        console.log("init key:" + "|str密钥:" + bytesToString(bytes_key));
        console.log("init key:" + "|Hex密钥:" + bytesToHex(bytes_key));
        return result;
    }
    cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec', 'java.security.SecureRandom').implementation = function (a, b, c, d) {
        //showStacks();
        var result = this.init(a, b, c, d);
        if (N_ENCRYPT_MODE == a) 
        {
            console.log("init  | 加密模式");    
        }
        else if(N_DECRYPT_MODE == a)
        {
            console.log("init  | 解密模式");    
        }

         var bytes_key = b.getEncoded();
        console.log("init key:" + "|str密钥:" + bytesToString(bytes_key));
        console.log("init key:" + "|Hex密钥:" + bytesToHex(bytes_key));
        return result;
    }

    cipher.update.overload('[B').implementation = function (a) {
        //showStacks();
        var result = this.update(a);
        console.log("======================================");
        console.log("update:" + bytesToString(a));
        return result;
    }
    cipher.update.overload('[B', 'int', 'int').implementation = function (a, b, c) {
        //showStacks();
        var result = this.update(a, b, c);
        console.log("======================================");
        console.log("update:" + bytesToString(a) + "|" + b + "|" + c);
        return result;
    }
    cipher.doFinal.overload().implementation = function () {
        //showStacks();
        var result = this.doFinal();
        console.log("======================================");
        console.log("doFinal结果: |str  :"     + bytesToString(result));
        console.log("doFinal结果: |hex  :"     + bytesToHex(result));
        console.log("doFinal结果: |base64  :"  + bytesToBase64(result));
        return result;
    }
    cipher.doFinal.overload('[B').implementation = function (a) {
        //showStacks();
        var result = this.doFinal(a);
        console.log("======================================");
        console.log("doFinal参数: |str  :"     + bytesToString(a));
        console.log("doFinal参数: |hex  :"     + bytesToHex(a));
        console.log("doFinal结果: |str  :"     + bytesToString(result));
        console.log("doFinal结果: |hex  :"     + bytesToHex(result));
        console.log("doFinal结果: |base64  :"  + bytesToBase64(result));
        return result;
    }

    var x509EncodedKeySpec = Java.use('java.security.spec.X509EncodedKeySpec');
    x509EncodedKeySpec.$init.overload('[B').implementation = function (a) {
        //showStacks();
        var result = this.$init(a);
        console.log("======================================");
        console.log("RSA密钥:" + bytesToBase64(a));
        return result;
    }

    var rSAPublicKeySpec = Java.use('java.security.spec.RSAPublicKeySpec');
    rSAPublicKeySpec.$init.overload('java.math.BigInteger', 'java.math.BigInteger').implementation = function (a, b) {
        //showStacks();
        var result = this.$init(a, b);
        console.log("======================================");
        //console.log("RSA密钥:" + bytesToBase64(a));
        console.log("RSA密钥N:" + a.toString(16));
        console.log("RSA密钥E:" + b.toString(16));
        return result;
    }

    var KeyPairGenerator = Java.use('java.security.KeyPairGenerator');
    KeyPairGenerator.generateKeyPair.implementation = function () 
    {
        //showStacks();
        var result = this.generateKeyPair();
        console.log("======================================");
        
        var str_private = result.getPrivate().getEncoded();
        var str_public = result.getPublic().getEncoded();
        console.log("公钥  |hex" + bytesToHex(str_public));
        console.log("私钥  |hex" + bytesToHex(str_private));

        return result;
    }

    KeyPairGenerator.genKeyPair.implementation = function () 
    {
        //showStacks();
        var result = this.genKeyPair();
        console.log("======================================");

        var str_private = result.getPrivate().getEncoded();
        var str_public = result.getPublic().getEncoded();
        console.log("公钥  |hex" + bytesToHex(str_public));
        console.log("私钥  |hex" + bytesToHex(str_private));

        return result;
    }
});

视频演示：
https://space.bilibili.com/430241559

Hook 加解密

需hook的内容

1、hook类是javax.crypto.Mac，javax.crypto.spec.SecretKeySpec

2、hook的方法：SecretKeySpec，doFinal

Frida Hook

Java.perform(function () {
    var ClassName = Java.use('javax.crypto.Mac');
    console.log("Find ClassName Successfully!");//定位类成功！
    ClassName.doFinal.overload('[B').implementation=function(param_1){
        console.log("Hook Start...")
        console.log("param_1:"+param_1)

        var resoult = this.doFinal(param_1)
        console.log("resoult:"+resoult)
        return resoult
    }
});

Xposed hook

import android.util.Base64;
import android.util.Log;
import javax.crypto.Mac;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;


public class Test implements IXposedHookLoadPackage{

    private  String HOOK_APP_NAME = "xxx.xxx.xxx";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        //性能优化，避免操作无关app
        if (!loadPackageParam.packageName.equals(HOOK_APP_NAME))
            return;
        if (loadPackageParam.packageName.equals("HOOK_APP_NAME"))
        {
            XposedBridge.log(" 劫持成功！！!");
            XposedBridge.log("XposedMainInit handleLoadPackage 执行");

            XposedBridge.hookAllMethods(XposedHelpers.findClass("javax.crypto.Mac", loadPackageParam.classLoader) , "doFinal",new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    super.afterHookedMethod(param);

                    Log.e("测试", "Stack：", new Throwable("stack dump"));
                    if (param.args.length == 2) return;
                    Mac mc = (Mac) param.thisObject;
                    //实例化
                    String algorithm = mc.getAlgorithm();
                    //获取加密算法的名称
                    if (param.args.length == 2) {
                        byte[] params = (byte[]) param.args[0];
                        String data = new String(params);
                        String datahex = b2s(params);
                        String datab64 = Base64.encodeToString(params, 0);
                        Log.d("测试",algorithm+"data:"+data);
                        Log.d("测试",algorithm+"datahex:"+datahex);
                        Log.d("测试",algorithm+"datab64:"+datab64);
                    }
                    byte[] res=(byte[])param.getResult();
                    String reshex = b2s(res);
                    String resb64 = Base64.encodeToString(res, 0);
                    Log.d("测试",algorithm+"resulthex:"+reshex);
                    Log.d("测试",algorithm+"resultb64:"+resb64);
                }
            });
            XposedBridge.hookAllConstructors(XposedHelpers.findClass("javax.crypto.spec.SecretKeySpec", loadPackageParam.classLoader) , new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param)throws Throwable {
                    super.afterHookedMethod(param);
                    Log.e("逆向有你", "Stack：", new Throwable("stack dump"));
                    byte[] secretKey = (byte[]) param.args[0];int offset=0;int size=0;
                    String algorithm=null;if (param.args.length != 2) {
                        offset = ((Integer) param.args[1]).intValue();
                        size = ((Integer) param.args[2]).intValue();
                        algorithm = (String) param.args[3]; }else {
                        size=secretKey.length; algorithm= (String) param.args[1];
                    }
                    byte[] keyres=new byte[size];
                    System.arraycopy(secretKey,offset,keyres,0,size);
                    String keyreshex = b2s(keyres);
                    String keyresb64 = Base64.encodeToString(keyres, 0);
                    Log.d("逆向有你",algorithm+"secretkey:"+new String(keyres));
                    Log.d("逆向有你",algorithm+"secretkeyhex:"+keyreshex);
                    Log.d("逆向有你",algorithm+"secretkeyb64:"+keyresb64);
                }
            });

        }
        
        
        
    }
    private static String b2s(byte b[]) {
        // Converts C string to Java String
        int len = 0;
        while (b[len] != 0)
            ++len;
        return new String(b, 0, len);

    }
}

Other Hook

教程链接：https://space.bilibili.com/439348342

package com.example.demo3;
 
import android.app.Application;
import android.content.Context;
import android.net.wifi.WifiManager;
import android.util.Base64;
import android.util.Log;
 
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Map;
 
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
 
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
 
/**
 * @author glsite.com
 * @version $Rev$
 * @des ${TODO}
 * @updateAuthor $Author$
 * @updateDes ${TODO}
 */
public class HelloXp implements IXposedHookLoadPackage {
 
    public static String byteToHexString(byte[] by) {
        StringBuffer SB = new StringBuffer();
        for (byte k : by) {
            int j = k;
            if (k < 0) {
                j = k + 256;
            }
            if (j < 16) {
                SB.append("0");
            }
            SB.append(Integer.toHexString(j));
        }
        return SB.toString();
    }
 
 
    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        //HOOK所有方法
        // if (loadPackageParam.packageName.equals("com.muyang.xposeddemo")) {
 
        //            XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
        //                    @Override
        //                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        //                    //super.afterHookedMethod(param);
        //
        //                    Class clzz = (Class) param.getResult();
        //                    //获取类名称
        //                    String className = clzz.getName();
        //                    Log.d("muyang", "获取到的类名称" + className);
        //                    //判断类名
        //                    if(className.contains("com.muyang")){
        //                        Method[] mds = clzz.getDeclaredMethods();
        //                        for (int i = 0; i < mds.length; i++) {
        //                            final Method md = mds[i];
        //                            //反射获取修饰符
        //                            int mod = mds[i].getModifiers();
        //                            //循环判断
        //                            if (!Modifier.isAbstract(mod) && !Modifier.isNative(mod) && !Modifier.isInterface(mod)) {
        //
        //                                XposedBridge.hookMethod(mds[i], new XC_MethodHook() {
        //                                    @Override
        //                                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        //                                       // super.beforeHookedMethod(param);
        //                                        //这里就可以打印出所有的方法名称
        //                                        if (md.getName().equals("complexParameterFunc")) {
        //                                            for(Object obj:param.args){
        //                                                Log.d("muyang",obj.getClass().getName());
        //                                            }
        //                                        }
        //                                    }
        //                                });
        //                            }
        //                        }
        //                    }
        //                }
        //            });
 
        //Hook多dex的方法
        //            XposedHelpers.findAndHookMethod(Application.class,"attach", Context.class ,new XC_MethodHook() {
        //                @Override
        //                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        //                    //获取类加载器
        //                    ClassLoader cl = ((Context)param.args[0]).getClassLoader();
        //                    Class hookClass = null;
        //                    try {
        //                        hookClass = cl.loadClass("com.muyang.xposeddemo.Demo");
        //                    } catch (Exception e) {
        //                        //e.printStackTrace();
        //                        Log.d("muyang","寻找出错");
        //                        return;
        //                    }
        //                    Log.d("muyang","寻找成功");
        //                    //  private void complexParameterFunc(String value, String[][] str, Map<String, String> map, ArrayList arrayList)
        //
        //                    XposedHelpers.findAndHookMethod(hookClass, "complexParameterFunc",
        //                            String.class,
        //                            String[][].class,
        //                            Map.class,
        //                            ArrayList.class,
        //                            new XC_MethodHook() {
        //                        @Override
        //                        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        //                            //super.afterHookedMethod(param);
        //                            Log.d("muyang","HOOK成功"+param.args[0]);
        //                        }
        //                    });
        //                }
        //            });
 
        //HOOK md5和Sha的通杀方法
        //
        // XposedHelpers.findClass("java.security.MessageDigest",loadPackageParam.classLoader);
        XposedBridge.hookAllMethods(java.security.MessageDigest.class, "update", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                MessageDigest mes = (MessageDigest) param.thisObject;
                //获取加密的类型
                String type = mes.getAlgorithm();
                Log.d("muyang", "upadte参数:" + param.args.length);
                byte[] params = (byte[]) param.args[0];
                String data = new String(params);
                String data64 = byteToHexString(params);
                String dataB64 = Base64.encodeToString(params, 0);
                Log.d("muyang", type + "update:" + data);
                Log.d("muyang", type + "update64:" + data64);
                Log.d("muyang", type + "updateB64:" + dataB64);
                Log.d("muyang", "======================================");
 
            }
        });
 
        XposedBridge.hookAllMethods(java.security.MessageDigest.class, "digest", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //super.afterHookedMethod(param);
                MessageDigest mes = (MessageDigest) param.thisObject;
                String type = mes.getAlgorithm();
                Log.d("muyang", "传digest参数长度" + param.args.length);
                if (param.args.length >= 1) {
                    byte[] params = (byte[]) param.args[0];
                    String data = new String(params);
                    String data64 = byteToHexString(params);
                    String dataB64 = Base64.encodeToString(params, 0);
                    Log.d("muyang", type + "digest有参数:" + data);
                    Log.d("muyang", type + "digest有参数64:" + data64);
                    Log.d("muyang", type + "digest有参数B64:" + dataB64);
                    Log.d("muyang", "=======================================");
                }
                //获取加密后的返回值
                byte[] res = (byte[]) param.getResult();
                String data64 = byteToHexString(res);
                String dataB64 = Base64.encodeToString(res, 0);
                //Log.d("muyang",type+":"+data);
                Log.d("muyang", type + "digest返回值64:" + data64);
                Log.d("muyang", type + "digest返回值B64:" + dataB64);
                Log.d("muyang", "======================");
            }
        });
 
        //HOOKMAC算法(SecretKeySpec)  里面存放了密钥 和 算法名称
        XposedBridge.hookAllConstructors(javax.crypto.spec.SecretKeySpec.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // super.beforeHookedMethod(param);
                byte[] secreKey = (byte[]) param.args[0];  //存放第一个密钥
                int offset = 0;
                int size = 0;
 
                String algorithm = "";
 
                if (param.args.length == 4) {
                    //去取到了偏移和长度
                    offset = ((Integer) param.args[1]).intValue();
                    size = ((Integer) param.args[2]).intValue();
                    algorithm = (String) param.args[3];
                } else {
                    offset = 0;
                    size = secreKey.length;
                    algorithm = (String) param.args[1];
                }
                byte[] keybyte = new byte[size];
                //数组拷贝
                System.arraycopy(secreKey, offset, keybyte, 0, size);
                String data = new String(keybyte);
 
                Log.d("muyang", "SecretKeySpec:" + algorithm + "==" + data);
                Log.d("muyang", "SecretKeySpec64:" + algorithm + "==" + byteToHexString(keybyte));
                Log.d("muyang", "SecretKeySpecB64:" + algorithm + "==" + Base64.encodeToString(keybyte, 0));
                Log.d("muyang", "=====================================");
 
            }
        });
        //HOOKMAC(update)   里面存放了加密数据的明文
        XposedBridge.hookAllMethods(javax.crypto.Mac.class, "update", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                Mac mac = (Mac) param.thisObject;
                //获取加密的类型
                String type = mac.getAlgorithm();
                Log.d("muyang", type + "upadte参数长度:" + param.args.length);
                byte[] params = (byte[]) param.args[0];
                int offset = 0;
                int len = params.length;
                if (param.args.length == 3) {
                    offset = ((Integer) param.args[1]).intValue();
                    len = ((Integer) param.args[2]).intValue();
                }
 
                byte[] keybate = new byte[len];
                System.arraycopy(params, offset, keybate, 0, len);
 
 
                String data = new String(keybate);
                String data64 = byteToHexString(keybate);
                String dataB64 = Base64.encodeToString(keybate, 0);
                Log.d("muyang", type + "update:" + data);
                Log.d("muyang", type + "update64:" + data64);
                Log.d("muyang", type + "updateB64:" + dataB64);
                Log.d("muyang", "======================================");
 
            }
        });
 
        //HOOKMAC(doFinal)  里面有可能再次添加存放数据   并且有返回值
        XposedBridge.hookAllMethods(javax.crypto.Mac.class, "doFinal", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                Mac mac = (Mac) param.thisObject;
                //获取加密的类型
                String type = mac.getAlgorithm();
                Log.d("muyang", mac + "doFinal参数长度:" + param.args.length);
                if (param.args.length >= 1) {
                    byte[] params = (byte[]) param.args[0];
                    String data = new String(params);
                    String data64 = byteToHexString(params);
                    String dataB64 = Base64.encodeToString(params, 0);
                    Log.d("muyang", type + "doFinal有参数:" + data);
                    Log.d("muyang", type + "doFinal有参数64:" + data64);
                    Log.d("muyang", type + "doFinal有参数B64:" + dataB64);
                    Log.d("muyang", "=======================================");
                }
                //获取加密后的返回值
                byte[] res = (byte[]) param.getResult();
                String data64 = byteToHexString(res);
                String dataB64 = Base64.encodeToString(res, 0);
                //Log.d("muyang",type+":"+data);
                Log.d("muyang", type + "doFinal返回值64:" + data64);
                Log.d("muyang", type + "doFinal返回值B64:" + dataB64);
                Log.d("muyang", "======================");
            }
        });
 
 
        //HOOK des descode AES  密钥算法不用HOOK了  和之前的一样
        //HOOK IV向量
        XposedBridge.hookAllConstructors(javax.crypto.spec.IvParameterSpec.class, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                //byte[] getIV();
                //获取到IV对象
                IvParameterSpec Iv = (IvParameterSpec) param.thisObject;
                //获取加密的类型
                byte[] Ivdata = Iv.getIV();
                Log.d("muyang", "IV向量:" + new String(Ivdata));
                Log.d("muyang", "IV向量64:" + byteToHexString(Ivdata));
                Log.d("muyang", "IV向量B64" + Base64.encodeToString(Ivdata, 0));
 
                //还可以用其他方法 HOOK参数的方法
            }
        });
 
        //HOOK update  只hook参数1和3的
        XposedBridge.hookAllMethods(javax.crypto.Cipher.class, "update", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                if ((param.args.length != 1) || (param.args.length != 3))
                    return;
                Cipher cipher = (Cipher) param.thisObject;
                //获取加密的类型
                String type = cipher.getAlgorithm();
                Log.d("muyang", type + "upadte参数长度:" + param.args.length);
                byte[] params = (byte[]) param.args[0];
                int offset = 0;
                int len = params.length;
                if (param.args.length == 3) {
                    offset = ((Integer) param.args[1]).intValue();
                    len = ((Integer) param.args[2]).intValue();
                }
 
                byte[] keybate = new byte[len];
                System.arraycopy(params, offset, keybate, 0, len);
 
 
                String data = new String(keybate);
                String data64 = byteToHexString(keybate);
                String dataB64 = Base64.encodeToString(keybate, 0);
                Log.d("muyang", type + "update:" + data);
                Log.d("muyang", type + "update64:" + data64);
                Log.d("muyang", type + "updateB64:" + dataB64);
                Log.d("muyang", "======================================");
 
            }
        });
 
        //HOOK  doFinal
        XposedBridge.hookAllMethods(javax.crypto.Cipher.class, "doFinal", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                Cipher cipher = (Cipher) param.thisObject;
                //获取加密的类型
                String type = cipher.getAlgorithm();
                Log.d("muyang", cipher + "doFinal参数长度:" + param.args.length);
                int offset = 0;
                int len = 0;
                byte[] params = (byte[]) param.args[0];
                if (param.args.length == 1) {
                    params = (byte[]) param.args[0];
                    offset = 0;
                    len = params.length;
                } else if (param.args.length == 3) {
                    params = (byte[]) param.args[0];
                    offset = ((Integer) param.args[1]).intValue();
                    len = ((Integer) param.args[2]).intValue();
                }
                if (len > 0) {
                    byte[] newArray = new byte[len];
                    System.arraycopy(params, offset, newArray, 0, len);
 
                    String data = new String(newArray);
                    String data64 = byteToHexString(newArray);
                    String dataB64 = Base64.encodeToString(newArray, 0);
                    Log.d("muyang", type + "doFinal有参数:" + data);
                    Log.d("muyang", type + "doFinal有参数64:" + data64);
                    Log.d("muyang", type + "doFinal有参数B64:" + dataB64);
                    Log.d("muyang", "=======================================");
                }
 
 
                //获取加密后的返回值
                byte[] res = (byte[]) param.getResult();
                String data64 = byteToHexString(res);
                String dataB64 = Base64.encodeToString(res, 0);
                //Log.d("muyang",type+":"+data);
                Log.d("muyang", type + "doFinal返回值64:" + data64);
                Log.d("muyang", type + "doFinal返回值B64:" + dataB64);
                Log.d("muyang", "======================");
            }
        });
 
        XposedBridge.hookAllConstructors(java.security.spec.X509EncodedKeySpec.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                byte[] params = (byte[]) param.args[0];
                String dataB64 = Base64.encodeToString(params, 0);
                Log.d("muyang", "RSA密钥64:" + dataB64);
                Log.d("muyang", "=================================");
 
            }
        });
        XposedBridge.hookAllConstructors(java.security.spec.RSAPublicKeySpec.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                //     super.beforeHookedMethod(param);
                String n = ((BigInteger)(param.args[0])).toString();
                String e = ((BigInteger)(param.args[1])).toString();
               // String dataB64 = Base64.encodeToString(params, 0);
                Log.d("muyang", "RSA16密钥:" + n+":"+e);
                Log.d("muyang", "=================================");
 
            }
        });
 
        // }
    }
}