BestHub
Sign in
Information Security 9 min read

Reverse Engineer Android Login: Hooking, MD5, DES & Recreating the Sign

This article walks through static analysis and Frida hooking of an Android app’s login flow, dissecting the JsonRequest, RequestUtil, and encryption steps, then reproduces the MD5‑based sign generation and DES‑CBC encryption in JavaScript, providing full code snippets and explanations.

Python Crawling & Data Mining
Python Crawling & Data Mining
Python Crawling & Data Mining
Reverse Engineer Android Login: Hooking, MD5, DES & Recreating the Sign

Preface

The author continues from a previous post that used Frida to hook a simple execution flow, now focusing on automating the login process of an Android application.

Process Analysis

login

login → requestNetwork → instantiate JsonRequest → call JsonRequest.addRequestMap

The final call is addRequestMap, which we inspect to see its inner workings.

addRequestMap

addRequestMap

simply forwards a map to RequestUtil.paraMap, whose return value is then passed to RequestUtil.encodeDesMap.

The addRequestMap implementation reveals the keyword Encrypt used in the request.

RequestUtil.paraMap

Inspecting RequestUtil.paraMap shows it calls md5 and returns an all‑uppercase string.

md5

The md5 function is a standard MD5 hash.

RequestUtil.encodeDesMap

encodeDesMap

takes three parameters: data, this.desKey, and this.desIV.

The values are:

this.desKey = 65102933
this.desIV = 32028092

Inside encodeDesMap a DesSecurity object is created and its encrypt64 method is called.

DesSecurity

This class implements DES/CBC encryption: the DES key is the MD5 hash of desKey, the IV is desIV, and the ciphertext is Base64‑encoded.

Frida Verification Flow

Static analysis suggests the above flow; to confirm, the author hooks the relevant methods with Frida.

Code

Java.perform(function () {
    let jsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
    jsonRequest.addRequestMap.overload('java.util.Map', 'int').implementation = function (addMap, a) {
        console.log("==== jsonRequest.addRequestMap called");
        console.log("addMap:", addMap);
        console.log("a:", a);
        return this.addRequestMap(addMap, a);
    };

    let requestUtil = Java.use("com.dodonew.online.http.RequestUtil");
    requestUtil.paraMap.overload('java.util.Map', 'java.lang.String', 'java.lang.String').implementation = function (addMap, append, sign) {
        console.log("==== requestUtil.paraMap called");
        console.log("addMap:", addMap);
        console.log("append:", append);
        console.log("sign:", sign);
        return this.paraMap(addMap, append, sign);
    };

    let utils = Java.use("com.dodonew.online.util.Utils");
    utils.md5.implementation = function (string) {
        console.log("==== utils.md5 called");
        console.log("string:", string);
        let ret = this.md5(string);
        console.log("return:", ret);
        return ret;
    };

    requestUtil.encodeDesMap.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function (data, desKey, desIV) {
        console.log("==== requestUtil.encodeDesMap called");
        console.log("data:", data);
        console.log("desKey:", desKey);
        console.log("desIV:", desIV);
        return this.encodeDesMap(data, desKey, desIV);
    };
});

Effect

The hooks confirm the static analysis; if the hook does not trigger, retry.

Algorithm Re‑implementation in JavaScript

The author reproduces the sign generation and DES encryption using CryptoJS, which can be called from any language.

getSign

function getSign(user, pass, time) {
    var signStr = "equtype=ANDROID&loginImei=Androidnull&timeStamp=" + time + "&userPwd=" + pass + "&username=" + user + "&key=sdlkjsdljf0j2fsjk";
    return CryptoJS.MD5(signStr).toString().toUpperCase();
}

encrypt

function encrypt(user, pass) {
    var time = '1624379089014';
    var sign = getSign(user, pass, time);
    var plainText = '{"equtype":"ANDROID","loginImei":"Androidnull","sign":"' + sign + '","timeStamp":"' + time + '","userPwd":"' + pass + '","username":"' + user + '"}';
    var key = CryptoJS.enc.Hex.parse(CryptoJS.MD5("65102933").toString());
    var iv = CryptoJS.enc.Utf8.parse("32028092");
    var result = CryptoJS.DES.encrypt(plainText, key, { iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 }).toString();
    return result;
}

Full Script (xxn.js)

The complete JavaScript file combines the above functions to produce the encrypted request payload.

Run Result

Conclusion

The article demonstrates static analysis and Frida hooking of an Android login flow, validates the findings, and provides a JavaScript recreation of the MD5‑based sign and DES‑CBC encryption, emphasizing the importance of repeated hooking and testing.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

JavaScriptAndroidencryptionreverse engineeringMD5FridaDES
Python Crawling & Data Mining
Written by

Python Crawling & Data Mining

Life's short, I code in Python. This channel shares Python web crawling, data mining, analysis, processing, visualization, automated testing, DevOps, big data, AI, cloud computing, machine learning tools, resources, news, technical articles, tutorial videos and learning materials. Join us!

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment