Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Calling a method of a Java object passed as argument to hooked function in Frida

Tags:

java

android

frida

I am trying to obtain the SecretKey passed to the decryptAesCipherText function. I hooked the function in Frida to try to print out the arguments when the method is called but since SecretKey is an object, all attempts to print it out give output as [object Object]. However the SecretKey object has a method getEncoded() which will return a byte array which can be printed out in hex format. How can I call this method from Frida and get the result?

The java function, I am hooking to is given below

import javax.crypto.Cipher;
import javax.crypto.SecretKey;

private byte[] decryptAesCipherText(SecretKey secretKey, byte[] bArr) {
        Cipher instance = Cipher.getInstance("AES/ECB/PKCS5Padding");
        instance.init(2, secretKey);
        return decryptCipherText(instance, bArr);
}



The javascript snippet (incomplete) to hook the function

var target_class = Java.use('com.reactlibrary.securekeystore.RNSecureKeyStoreModule');

target_class.decryptAesCipherText.overload('javax.crypto.SecretKey','[B').implementation = function(key, array){
        console.log("Inside decrypt aes");

        //Call getEncoded method on key to get byte array

        var ret = my_class.decryptAesCipherText.overload('javax.crypto.SecretKey','[B').call(this, key, array);
        return ret;
}
like image 684
Abin K Paul Avatar asked Oct 22 '25 23:10

Abin K Paul

1 Answers

It seems like you can't call getEncoded on the javax.crypto.SecretKey interface.

Usually the SecretKey parameter is of type javax.crypto.spec.SecretKeySpec and if you type cast the key parameter to SecretKeySpec you can can call getEncoded() and print the used key:

function encodeHex(byteArray) {
    const HexClass = Java.use('org.apache.commons.codec.binary.Hex');
    const StringClass = Java.use('java.lang.String');
    const hexChars = HexClass.encodeHex(byteArray);
    return StringClass.$new(hexChars).toString();
}

Java.perform(function x() {
    const target_class = Java.use('com.example.myapplication.MainActivity');
    target_class.decryptAesCipherText.overload('javax.crypto.SecretKey', '[B').implementation = function (key, array) {
        console.log("Inside decrypt aes");

        const secretKeySpec = Java.cast(key, Java.use('javax.crypto.spec.SecretKeySpec'));
        const encodedKey = secretKeySpec.getEncoded();

        // print the key bytes as hex value
        console.log("KEY: " + encodeHex(encodedKey));

        var ret = my_class.decryptAesCipherText.overload('javax.crypto.SecretKey', '[B').call(this, key, array);
        return ret;
    }

});
like image 148
Robert Avatar answered Oct 24 '25 15:10

Robert
Sign in to Comment

Related questions

How to prevent IntelliJ from deleting import statements
Parse all jsons that are concatenated in one string in Java
How to check if a JsonNode is a single element or an Array in Java?
How to parse /getusereffectivepermissions sharepoint response in java?
How to change values of some elements and attributes in an XML file [Java]?
How to generate default values for a data class / POJO (in Kotlin/Java)?
Animate adding components to a pane
conditional update using HQL
Proguard issue with Gson and Volley
Wait for a page to fully load in Selenium
How to convert date format to UTC in Scala?
SonarQube does not collect code coverage
creating a jar and adding to another project as a library

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!