Reverse a certain autumn aviation algorithm

According to packet capturing analysis, each page request of an autumn app will first send a request to / ECMember/secretKey/getSecret, most likely to obtain the key. The request and response are both base64 encoded ciphertext.

Capture analysis


Here we open it with jeb

As you can see from the figure, with shell added, you can see that the shell is a bang bang bang from the package name. We use IDA to debug dynamically, and dump the dex from memory to take off the shell, open and export the source code with jadx, and open it with idea

Looking for data and response message processing logic

Open the search directly in idea and enter "data"

We select method a of HttpRequestUtils and go in. The content is as follows

public static String a(ReselectSeatArg reselectSeatArg) throws RemoteAccessException {
        try {
            String[] a = DESCrypter.a();
            Map hashMap2 = new HashMap();
            hashMap2.put("data", DESCrypter.c(JsonConvert.a(hashMap), a[0]));
            String a2 = new HttpRequesterProxy(UrlConstant.Y, hashMap2, 30).a();
            if (a2.trim().length() != 0) {
                return a2;
            throw new RemoteAccessException(BasicUtils.a((int) R.string.ERR001));
        } catch (Exception e) {
            throw new RemoteAccessException(BasicUtils.a((int) R.string.ERR001));

Is a DES algorithm, enter DESCrypter.a()

public static String[] a() throws Exception {
        return a.getSecrets(new HttpRequesterProxy(UrlConstant.N, 30).a());

This is the same as the previous packet capturing analysis. It takes the key.
Enter the getSecrets method of descripterutil again

public java.lang.String[] getSecrets(java.lang.String r1) {

Reduction algorithm

public static String recvData(String str) throws IOException {

public static String decode(String arg10) throws Exception {
byte[] decode = Base64.decodeBase64(arg10);
return new String(v0.doFinal(decode), "utf-8");

public static String encode(String arg9) throws Exception {
        SecretKey v1 = SecretKeyFactory.getInstance("desede")
                .generateSecret(new DESedeKeySpec("**************)".getBytes()));
        Cipher v0 = Cipher.getInstance("***/***/****");
        v0.init(1, ((Key) v1), new IvParameterSpec("***".getBytes()));
        return Base64.encodeBase64String(v0.doFinal(arg9.getBytes("utf-8")));

Verify the correctness of the algorithm

By decrypting the request parameter data and the response message, the readable json string is restored, which indicates that the encryption and decryption are completely successful.

If you are interested in Android reverse, you can join the group: 912146030 to communicate and make progress together.