Today, we will analyze an app which uses DES in CBC mode to encrypt the password and sends it to the server. Ok, let’s start.
First, we tried to login in and Fiddler caught the packet.
Let’s check that webform.
Yeah. Today’s topic will be this password. And we can open the apk in disassembly tool. I am using android killer which is a Chinese software but you can use JEB which should work well in this case. After that you can just search for “user-login” in the tool. This is the key word in the post url. And through a series of process we can find the native library which contains the encryption algorithm.
Ok, we can see that the native library is libm4399.so. We can open it in the IDA.
If the library has an export function for DesCbcDecrypt, the function name should begin with JAVA but there isn’t one like this. So the function should be dynamically loaded. We have to find that function in Jni_Onload.
And if you want load the jni header, you will find that the off_11058 is the 3 element tuple which points to that function we need. After several double clicks, we will come to the final encryption function. And at the beginning you will find it get the input string here.
If you have an android phone you can just debug the app and find that password in the memory at this place. Because we can see that it load the result into the R0.
Then it get the length of the password and allocate some memory on the stack. Just step forward, you will get to the DES encryption finally.
Double click and get there.
Well, actually if we debug that on the phone and the code should be a little different here which we should see the Initial vector and the key for the DES. But here we can’t see it. But we almost know how it encrypt that password. There is one more thing. It actually not just encrypt that password. There is a padding. Check it out.
In the code marked 1, we see that it calculates the padding of the password. And in the code marked 2, it calculates the length of the padding.
So, that’s all for it today. Any question, please contact me at firstname.lastname@example.org