1. 대상(target) 클래스 찾아보기
'android.app' --> 찾고자 하는 클래스 이름의 시작 문자열(prefix)로 바꿔서 사용
/*
 * Print the name of every class currently loaded in the attached process
 * whose fully-qualified name begins with the chosen prefix.
 */
Java.perform(function () {
  // Prefix to filter on; swap in the start of the class name you are looking for.
  var prefix = 'android.app';

  // Invoked once per loaded class name; only names with the prefix are printed.
  function printIfMatching(className) {
    if (!className.startsWith(prefix)) {
      return;
    }
    console.log(className);
  }

  Java.enumerateLoadedClasses({
    onMatch: printIfMatching,
    // Nothing to do once the enumeration has finished.
    onComplete: function () {}
  });
});
2. OWASP Uncrackable_1
--> 해당 함수의 클래스를 후킹하고 싶었는데 클래스 명이 다르다고 함.
(public class C0002c의 m2a, m3b, m4c 함수들 후킹해 보기)
System function hooking; get the AES mode and key, then decrypt the string
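/*
 * Instrumentation script for the OWASP Uncrackable_1 exercise described in
 * this post. It installs four Java hooks:
 *   - java.lang.String(String)          : logs the string being copied
 *   - java.lang.System.exit(int)        : logs the call and does not exit
 *   - SecretKeySpec(byte[], String)     : logs the algorithm string and key bytes
 *   - Cipher.doFinal(byte[])            : logs the input and output buffers
 *
 * Log messages are kept verbatim (including the "Ecnrypted" spelling) so the
 * output matches the run recorded in the post.
 */
Java.perform(function () {
  /*
   * Render a byte sequence as upper-case hex pairs, each followed by a single
   * space (so the result ends with a trailing space).
   */
  function bytesToHex(bytes) {
    var hex = [];
    for (var i = 0; i < bytes.length; i++) {
      hex.push(((bytes[i] >>> 4) & 0xF).toString(16).toUpperCase());
      hex.push((bytes[i] & 0xF).toString(16).toUpperCase());
      hex.push(" ");
    }
    return hex.join("");
  }

  /*
   * Trace the String(String) copy constructor.
   * NOTE(review): this constructor is used all over the process, so expect a
   * lot of output that is unrelated to the code under study.
   */
  var stringClass = Java.use('java.lang.String');
  var stringCtor = stringClass.$init.overload('java.lang.String');
  stringCtor.implementation = function (a) {
    console.log('[*] String Class Hooking');
    console.log(a);
    return stringCtor.call(this, a);
  };

  /*
   * System.exit(int): log the call and deliberately skip the original, so the
   * process keeps running. exit() is declared void, so the hook returns
   * nothing (the previous version returned `false`).
   *
   * Defender note: an exit() issued by client-side checks runs inside a
   * process the device owner controls, so it can be suppressed like this and
   * should not be treated as a security boundary.
   */
  var systemClass = Java.use('java.lang.System');
  systemClass.exit.overload('int').implementation = function (a) {
    console.log('[*] hooking system class exit');
  };

  /*
   * SecretKeySpec(byte[] key, String algorithm): log both arguments, then run
   * the original constructor. The value printed as "AES MODE" is the algorithm
   * string the app passes to SecretKeySpec, not a value read from the Cipher.
   *
   * Defender note: key bytes embedded in an app are visible at this API
   * boundary no matter how they are stored in the binary; a secret that must
   * stay secret cannot live in the client.
   */
  var secret_key_spec = Java.use("javax.crypto.spec.SecretKeySpec");
  var keySpecCtor = secret_key_spec.$init.overload("[B", "java.lang.String");
  keySpecCtor.implementation = function (arg0, arg1) {
    console.log('[*] AES MODE : ', arg1);
    var keyBytes = new Uint8Array(arg0);
    console.log('[*] AES KEY :' , bytesToHex(keyBytes));
    return keySpecCtor.call(this, arg0, arg1);
  };

  /*
   * Converting the logged output bytes back to text (Python 2):
   * >>> '49 20 77 61 6E 74 20 74 6F 20 62 65 6C 69 65 76 65'.replace(' ','').decode('hex')
   * 'I want to believe'
   */

  /*
   * Cipher.doFinal(byte[]): log the buffer passed in, call the original, log
   * the buffer it returns, and hand that result back unchanged.
   * The "Ecnrypted"/"Decrypted" labels assume the Cipher was initialised for
   * decryption; for an encrypting Cipher the two labels would be swapped.
   */
  var cipher = Java.use("javax.crypto.Cipher");
  var doFinalBytes = cipher.doFinal.overload("[B");
  doFinalBytes.implementation = function (arg0) {
    var input = new Uint8Array(arg0);
    console.log('[*] Cipher dofinal Hook Ecnrypted: ', bytesToHex(input));
    var ret = doFinalBytes.call(this, arg0);
    // Separate variable for the result instead of redeclaring the input one.
    var output = new Uint8Array(ret);
    console.log('[*] Cipher dofinal Hook Decrypted: ', bytesToHex(output));
    return ret;
  };
});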
/*
Result
[*] Running Frida
[*] hooking system class exit
[*] AES MODE : AES/ECB/PKCS7Padding
[*] AES KEY : 8D 12 76 84 CB C3 7C 17 61 6D 80 6C F5 04 73 CC
[*] Cipher dofinal Hook Ecnrypted: E5 42 62 15 CB 5B 9A 06 C3 A0 B5 E6 A4 BD 76 9A 49 E8 F0 74 F8 2E FF 1D 95 AB 7C 17 14 76 18 E7
[*] Cipher dofinal Hook Decrypted: 49 20 77 61 6E 74 20 74 6F 20 62 65 6C 69 65 76 65
*/