Created
November 2, 2018 06:25
-
-
Save d3vilbug/41deacfe52a476d68d6f21587c5f531d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| from __future__ import print_function | |
| import frida | |
| import sys | |
| import json | |
| import time | |
| def on_message(message, payload): | |
| if(message['type'] == 'send'): | |
| rec_data = json.loads(message['payload']) | |
| if rec_data['my_type'] == 'IV': | |
| print("[$] IvParameterSpec :: {}".format(payload.decode('utf-8'))) | |
| elif rec_data['my_type'] == 'KEY': | |
| print("[$] SecretSpecKey :: {}".format(payload.decode('utf-8'))) | |
| else: | |
| print(message) | |
| else: | |
| print(message) | |
| js_code = """ | |
| console.log("Script loaded"); | |
| Java.perform(function x() { | |
| //hooking SecretKeySpec's constructor to get the SecretKeySpec | |
| var secret_key_spec = Java.use("javax.crypto.spec.SecretKeySpec"); | |
| secret_key_spec.$init.overload("[B", "java.lang.String").implementation = function (x, y) { | |
| send('{"my_type" : "KEY"}', new Uint8Array(x)); | |
| return this.$init(x, y); | |
| } | |
| //hooking IvParameterSpec's constructor to get the IV | |
| var iv_parameter_spec = Java.use("javax.crypto.spec.IvParameterSpec"); | |
| iv_parameter_spec.$init.overload("[B").implementation = function (x) { | |
| send('{"my_type" : "IV"}', new Uint8Array(x)); | |
| return this.$init(x); | |
| } | |
| }); | |
| """ | |
| # device = frida.get_usb_device() | |
| # pid = device.spawn(["com.example.a11x256.frida_test"]) | |
| # device.resume(pid) | |
| # time.sleep(1) | |
| # session = device.attach(pid) | |
| session = frida.get_usb_device().attach('com.example.a11x256.frida_test') | |
| script = session.create_script(js_code) | |
| script.on("message", on_message) | |
| script.load() | |
| sys.stdin.read() |
gurtej741
commented
Oct 10, 2019
via email
Yes, I tied with 5s.js file. I also checked the python complier online it shows the same issue.
Sent from Mail for Windows 10
From: Abdul Wahab
Sent: Thursday, October 10, 2019 1:49 PM
To: d3vilbug
Cc: gurtej741; Mention
Subject: Re: d3vilbug/frida-get-AES-keys
and did you also used the .js file from the same link?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
Can you share your .js and .py files ??
Please find the attachment.you need to change .txt to .js
On Thu, Oct 10, 2019 at 8:18 PM Abdul Wahab ***@***.***> wrote:
Can you share your .js and .py files ??
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://gist.github.com/41deacfe52a476d68d6f21587c5f531d?email_source=notifications&email_token=AGGHBMHHSLYHYNKSI7V4SZTQN5IURA5CNFSM4I7INMKKYY3PNVWWK3TUL52HS4DFVNDWS43UINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAF2IPM#gistcomment-3051766>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGGHBMEQDRITHZALTRVX3VTQN5IURANCNFSM4I7INMKA>
.
import time
import frida
import json
enc_cipher_hashcodes = [] #cipher objects with Cipher.ENCRYPT_MODE will be stored here
dec_cipher_hashcodes = [] #cipher objects with Cipher.ENCRYPT_MODE will be stored here
def my_message_handler(message, payload):
#mainly printing the data sent from the js code, and managing the cipher objects according to their operation mode
if message["type"] == "send":
# print message["payload"]
my_json = json.loads(message["payload"])
if my_json["my_type"] == "KEY":
print "Key sent to SecretKeySpec()", payload.encode("hex")
elif my_json["my_type"] == "IV":
print "Iv sent to IvParameterSpec()", payload.encode("hex")
elif my_json["my_type"] == "hashcode_enc":
enc_cipher_hashcodes.append(my_json["hashcode"])
elif my_json["my_type"] == "hashcode_dec":
dec_cipher_hashcodes.append(my_json["hashcode"])
elif my_json["my_type"] == "Key from call to cipher init":
print "Key sent to cipher init()", payload.encode("hex")
elif my_json["my_type"] == "IV from call to cipher init":
print "Iv sent to cipher init()", payload.encode("hex")
elif my_json["my_type"] == "before_doFinal" and my_json["hashcode"] in enc_cipher_hashcodes:
#if the cipher object has Cipher.MODE_ENCRYPT as the operation mode, the data before doFinal will be printed
#and the data returned (ciphertext) will be ignored
print "Data to be encrypted :", payload
elif my_json["my_type"] == "after_doFinal" and my_json["hashcode"] in dec_cipher_hashcodes:
print "Decrypted data :", payload
else:
print message
print '*' * 16
print payload
device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1) # Without it Java.perform silently fails
session = device.attach(pid)
with open("s5.js") as f:
script = session.create_script(f.read())
script.on("message", my_message_handler) # register the message handler
script.load()
raw_input()
console.log("Script loaded successfully 55");
Java.perform(function x(){
var secret_key_spec = Java.use("javax.crypto.spec.SecretKeySpec");
secret_key_spec.$init.overload("[B", "java.lang.String").implementation = function(x , y){
send('{"my_type" : "KEY"}' ,new Uint8Array(x));
//console.log(xx.join(" "))
return this.$init(x , y);
}
var iv_parameter_spec = Java.use("javax.crypto.spec.IvParameterSpec");
iv_parameter_spec.$init.overload("[B").implementation = function(x){
send('{"my_type" : "IV"}' , new Uint8Array(x));
return this.$init(x);
}
var cipher = Java.use("javax.crypto.Cipher");
cipher.init.overload("int" , "java.security.Key" , "java.security.spec.AlgorithmParameterSpec").implementation = function(x,y,z){
//console.log(z.getClass());
if (x == 1)
send('{"my_type" : "hashcode_enc", "hashcode" :"' +this.hashCode().toString() +'" }');
else
send('{"my_type" : "hashcode_dec", "hashcode" :"' +this.hashCode().toString() +'" }');
send('{"my_type" : "Key from call to cipher init"}', new Uint8Array(y.getEncoded()) );
send('{"my_type" : "IV from call to cipher init"}' , new Uint8Array(Java.cast(z , iv_parameter_spec).getIV() ));
return cipher.init.overload("int" , "java.security.Key" , "java.security.spec.AlgorithmParameterSpec").call(this,x,y,z);
}
cipher.doFinal.overload("[B").implementation = function(x){
send('{"my_type" : "before_doFinal" , "hashcode" :"' +this.hashCode().toString() +'" }' , new Uint8Array(x));
var ret = cipher.doFinal.overload("[B").call(this,x);
send('{"my_type" : "after_doFinal" , "hashcode" :"' +this.hashCode().toString() +'" }' , new Uint8Array(ret));
return ret;
}
});
HI,
Did you got any solution.
Sent from Mail for Windows 10
From: Gurtej SINGH
Sent: Thursday, October 10, 2019 8:46 PM
To: d3vilbug
Cc: d3vilbug; Mention
Subject: Re: d3vilbug/frida-get-AES-keys
Please find the attachment.you need to change .txt to .js
On Thu, Oct 10, 2019 at 8:18 PM Abdul Wahab <[email protected]> wrote:
Can you share your .js and .py files ??
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
Hello,
I was getting unfortunately application has stopped
did you found a solution?
Hi @Mr4FX
You can find the updated script from my blog post https://n00b.sh/posts/aes-killer-mobile-app-demo/
Hello,
I found a bypass for *AES/CBC/PKCS5Padding*, now I'm trying to reverse
engine a new application that is may using *AES/CBC/PKCS7Padding *or
*AES/GCM/NoPadding*
do have an idea, I've texted you on twitter, I really need a help from an
expert like you
thanks
…On Wed, Nov 17, 2021 at 7:52 PM Abdul Wahab ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
Hi @Mr4FX <https://github.com/Mr4FX>
You can find the updated script from my blog post
https://n00b.sh/posts/aes-killer-mobile-app-demo/
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://gist.github.com/41deacfe52a476d68d6f21587c5f531d#gistcomment-3965814>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AK4TIBWOA3JR3T2Y4XQDHOTUMP2WTANCNFSM4I7INMKA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
Ohhh sorry, haven't noticed. Responding on twitter
The python code at link: https://11x256.github.io/Frida-hooking-android-part-5/
shows below error: \\\frida-AES-KEY-Script> .\frida-get-AES-keys_1.py File "D:\Android Testing Stuff\frida-AES-KEY-Script\frida-get-AES-keys_1.py", line 16 print "Key sent to SecretKeySpec()", payload.encode("hex")
moved to here
https://infosec-blog.com/frida/android-reversing/Frida-hooking-android-part-5/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment