How to get DES/AES encryption Key by IDA decompiler : Target MobileYonyou <掌上用友>

Few days ago, one of my friend who working at Yonyou Corp asked me to hack into their MobileYonyou App.

She told me her company using MobileYonyou app check in for their work, but need to upload the user location to the server.


She is a lazy girl, she want to check in for work but on her bed.

So i have to made a litter work.

Here are my work step,

  1. She sent me a message of client sent to server.


First thought it is a Base64 code, and then I decode this Base64 code but some binary data went out.

  1. Then i analysis the binary data and the wireshark cap data.  I know the binary data need to unzip. Because the client using gzip before send the POST data.

屏幕快照 2015-12-07 12.33.33

  1. After unzip, the new binary comes out.  But looks like encrypted.

So i need to download a decompiler such as IDA.



  1. Open IDA Pro, and select the file MobileYonyou.  But IDA said the Binary file has beed encrypted.

*( I download the file from AppStore, so this file has packing by Apple)

I have to unpacking the binary first. Thanks to god I finally find a jailbreaked iPod Touch.

Tutorial Googled by Google: how to crack ipa file


  1. Open unpacked binary MobileYouyou, and waiting IDA analysis.

After it’s done ( wait bottom-left status change to “AU:idle”)

屏幕快照 2015-12-07 12.47.08

  1. Click menu View -> Open Subview -> Functions.
  2. Press “Ctrl+F” search the magic word in the function window,屏幕快照 2015-12-07 12.49.50


Now, we know Youyon using 3DES to encrypt the data before POST.


  1. Look at the function [DESEncryption TripleDES:encryptOrDecrypt:key],

The key is send as a parameter into this function, so the key mustn’t be in this function.


  1. Right click on the function compilation code, and select graph view, and click jump to xref and click OK.

屏幕快照 2015-12-07 13.03.06

  1. Right Click the function name and click Xref to.Look at the new window bumped out

We know that AFNetwork was using this 3DES function,

屏幕快照 2015-12-07 13.05.26



  1. Researching the functions view using new magic word “requestBySerializingRequest”

and look into [AFHTTPRequestSerializer requestBySerializingRequest:WithParameters….] function,

Press F5 into pseudocode mode,

Finally GOT IT.

The DES key is  CFSTR(“G51-NIPR”)


屏幕快照 2015-12-07 13.08.35



All done, and now, just create a new project by simulation the whole checkin step and post the data to request URI:

and buy some condoms prepare for accept her thanks.  ^_^


电子邮件地址不会被公开。 必填项已用*标注