Comments (8)
@ta1bbty I think it's because of the classname you've given. Maybe pasting the class and method definition here would help.
from brida.
@mr-m0nst3r
It's com.tabbty.myexample.PayloadRequest.
from brida.
@ta1bbty I mean the definition, which should be like:
    class xxxx {
        public static int abc(){}
    }
from brida.
@mr-m0nst3r
Sorry for that.
Here it is:

    package com.tabbty.myexample;

    import android.util.Base64;
    import com.android.volley.NetworkResponse;
    import com.android.volley.Request;
    import com.android.volley.Response;
    import com.android.volley.Response.ErrorListener;
    import com.android.volley.Response.Listener;
    import com.android.volley.VolleyError;
    import java.security.Key;
    import java.security.SecureRandom;
    import java.security.spec.AlgorithmParameterSpec;
    import java.util.HashMap;
    import java.util.Map;
    import javax.crypto.Cipher;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    import org.json.JSONObject;

    public class PayloadRequest extends Request<String> {
        private final Listener<String> mListener;
        private final HashMap<String, String> mParams = new HashMap();

        public PayloadRequest(JSONObject jSONObject, final Listener<String> listener) throws Exception {
            // 1 = Request.Method.POST
            super(1, "url_here", new ErrorListener() {
                public void onErrorResponse(VolleyError volleyError) {
                    listener.onResponse("Connection failed");
                }
            });
            this.mListener = listener;
            this.mParams.put("d", buildPayload(jSONObject));
        }

        public Map<String, String> getParams() {
            return this.mParams;
        }

        protected Response<String> parseNetworkResponse(NetworkResponse networkResponse) {
            try {
                // Response layout: Base64( IV (16 bytes) || AES-CBC ciphertext ); flag 0 = Base64.DEFAULT
                byte[] decode = Base64.decode(new String(networkResponse.data), 0);
                byte[] obj = new byte[16];
                System.arraycopy(decode, 0, obj, 0, 16);
                byte[] obj2 = new byte[(decode.length - 16)];
                System.arraycopy(decode, 16, obj2, 0, decode.length - 16);
                Key secretKeySpec = new SecretKeySpec(new byte[]{(byte) 56, (byte) 79, (byte) 46, (byte) 106, (byte) 26, (byte) 5, (byte) -27, (byte) 34, (byte) 59, Byte.MIN_VALUE, (byte) -23, (byte) 96, (byte) -96, (byte) -90, (byte) 80, (byte) 116}, "AES");
                AlgorithmParameterSpec ivParameterSpec = new IvParameterSpec(obj);
                Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
                instance.init(2, secretKeySpec, ivParameterSpec); // 2 = Cipher.DECRYPT_MODE
                JSONObject jSONObject = new JSONObject(new String(instance.doFinal(obj2)));
                if (jSONObject.getBoolean("success")) {
                    return Response.success(null, getCacheEntry());
                }
                return Response.success(jSONObject.getString("error"), getCacheEntry());
            } catch (Exception unused) {
                return Response.success("Unknown", getCacheEntry());
            }
        }

        protected void deliverResponse(String str) {
            this.mListener.onResponse(str);
        }

        private String buildPayload(JSONObject jSONObject) throws Exception {
            Key secretKeySpec = new SecretKeySpec(new byte[]{(byte) 56, (byte) 79, (byte) 46, (byte) 106, (byte) 26, (byte) 5, (byte) -27, (byte) 34, (byte) 59, Byte.MIN_VALUE, (byte) -23, (byte) 96, (byte) -96, (byte) -90, (byte) 80, (byte) 116}, "AES");
            // Fresh random 16-byte IV for every request
            byte[] obj = new byte[16];
            new SecureRandom().nextBytes(obj);
            AlgorithmParameterSpec ivParameterSpec = new IvParameterSpec(obj);
            Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding");
            instance.init(1, secretKeySpec, ivParameterSpec); // 1 = Cipher.ENCRYPT_MODE
            byte[] doFinal = instance.doFinal(jSONObject.toString().getBytes());
            // Request layout: Base64( IV || ciphertext )
            byte[] obj2 = new byte[(doFinal.length + 16)];
            System.arraycopy(obj, 0, obj2, 0, 16);
            System.arraycopy(doFinal, 0, obj2, 16, doFinal.length);
            return Base64.encodeToString(obj2, 0);
        }
    }
from brida.
private String buildPayload, it's not a static method, so you may want to new an instance before using it.
Try this:

    contextcustom2: function(message) {
        if(Java.available){
            var hexDecodedInput = hexToString(message);
            var payloadRequestClass = Java.use("com.package.name.ClassName");
            var payloadInstance = payloadRequestClass.$new(); // add this because it's not a static method
            var encryptedPayload = payloadInstance.buildPayload(hexDecodedInput); // use the instance to call the method
            return stringToHex(encryptedPayload);
        }
    },

Let me know if this works or not.
from brida.
@mr-m0nst3r
Thanks for the swift reply.
I tried these two variations:

    contextcustom1: function(message) {
        if(Java.available){
            var argsTargetClassMethod = hexToString(message);
            var payloadClass = Java.use("com.tabbty.myexample.PayloadRequest");
            //var jsObj = '{"cmd":"setTemp","temp":72}';
            obj = Java.use("org.json.JSONObject");
            var jsOBJ = obj.$new(argsTargetClassMethod);
            var payloadClassInstance = payloadClass.$new(jsOBJ, null);
            var ret_value = payloadClassInstance.buildPayload(jsOBJ);
            console.log(ret_value);
            return ret_value;
        }
    },
    // Function executed when executed Brida contextual menu option 2.
    // Input is passed from Brida encoded in ASCII HEX and must be returned in ASCII HEX (because Brida will decode the output
    // from ASCII HEX). Use auxiliary functions for the conversions.
    contextcustom2: function(message) {
        console.log("2 : "+message);
        if(Java.available){
            var hexDecodedInput = hexToString(message);
            var payloadRequestClass = Java.use("com.tabbty.myexample.PayloadRequest");
            var payloadInstance = payloadRequestClass.$new(); // add this because it's not static method
            var encryptedPayload = payloadInstance.buildPayload(hexDecodedInput); // use the instance to call the method
            return stringToHex(encryptedPayload);
        }
    },

But both of them give the same error:
Exception with custom context application net.razorvine.pyro.PyroException: [frida.core.RPCException] VM::GetEnv failed: -2
net.razorvine.pyro.serializer.PyroExceptionSerpent.FromSerpentDict(PyroExceptionSerpent.java:32)
net.razorvine.pyro.serializer.SerpentSerializer$DictConverter.convert(SerpentSerializer.java:58)
net.razorvine.serpent.ObjectifyVisitor.visit(ObjectifyVisitor.java:69)
net.razorvine.serpent.ast.DictNode.accept(DictNode.java:8)
I tried googling it but didn't find much on the topic.
Also, my device is attached and running.
I tried the same script using frida-python and it works fine:

    import frida
    from pprint import pprint

    script_text = """
    Java.perform(function x(){ // Silently fails without the sleep from the python code
        //console.log("Inside java perform function");
        //get a wrapper for our class
        var payloadClass = Java.use("com.tabbty.myexample.PayloadRequest");
        obj = Java.use("org.json.JSONObject");
        var jsObj = 'PAYLOAD';
        console.log("Testing : " + jsObj);
        var jsOBJ = obj.$new(jsObj);
        var payloadClassInstance = payloadClass.$new(jsOBJ, null);
        var ret_value = payloadClassInstance.buildPayload(jsOBJ);
        //console.log(ret_value);
        send(ret_value);
        return ret_value;
    });
    """

    device = frida.get_usb_device()
    pid = int(input("Enter PID : "))  # Because I am using this script after I have spawned the app
    session = device.attach(pid)

    def my_message_handler(message, payload):  # define our handler
        pprint(message)

    with open('payloads.txt', 'r') as f:
        payloads = f.read().split("\n")

    for payload in payloads:
        try:
            script = session.create_script(script_text.replace("PAYLOAD", payload))
            script.on("message", my_message_handler)  # register our handler to be called
            script.load()
        except Exception as e:
            print(e)
            pass

from brida.
@mr-m0nst3r any ideas?
from brida.
Hi ta1bbty!
Excuse me a lot for the delay in the answer but I had some busy months.
Try to put your code inside a "Java.perform(" block in this way:

    contextcustom1: function(message) {
        if(Java.available){
            Java.perform(
                ...
            )
        }
    },

Let me know if this fix solves your issue!
Have a nice day,
Federico
P.S. Please note that Java.perform may be asynchronous. Refer to this Frida issue if you have troubles.
from brida.
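Federico's suggestion combined with his P.S., as an added example that is not part of the original thread or of Brida's own code: the export runs every Java call inside `Java.perform`, which attaches the calling thread to the VM, and returns a Promise so the result still reaches the caller if the callback runs after `Java.perform` has returned. `makeBridaExport`, `hexDecode` and `hexEncode` are hypothetical names (the last two stand in for Brida's `hexToString`/`stringToHex`), and registering through `rpc.exports` is an assumption about how the script is wired.

```javascript
// Added example, not Brida's own code. hexDecode/hexEncode are local stand-ins
// for Brida's hexToString/stringToHex helpers (ASCII input assumed).
function hexDecode(hex) {
  var out = "";
  for (var i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

function hexEncode(str) {
  var out = "";
  for (var i = 0; i < str.length; i++) {
    out += ("0" + str.charCodeAt(i).toString(16)).slice(-2);
  }
  return out;
}

// Builds a context-menu export. `bridge` is Frida's Java object; it is passed
// in (hypothetical design) so the function can be exercised outside Frida.
function makeBridaExport(bridge, className) {
  return function (message) {
    return new Promise(function (resolve, reject) {
      if (!bridge.available) {
        reject(new Error("Java runtime is not available in this process"));
        return;
      }
      // Every Java.use / $new / method call stays inside perform(), which
      // attaches the current thread to the VM before running the callback.
      bridge.perform(function () {
        try {
          var JSONObject = bridge.use("org.json.JSONObject");
          var PayloadRequest = bridge.use(className);
          var json = JSONObject.$new(hexDecode(message));
          var request = PayloadRequest.$new(json, null); // (JSONObject, Listener)
          // Resolve from inside the callback: perform() may return first.
          resolve(hexEncode(String(request.buildPayload(json))));
        } catch (e) {
          reject(e); // surfaces Java/JNI errors to the caller
        }
      });
    });
  };
}

// Inside a Frida agent (assumed wiring; skipped when run under plain Node).
if (typeof Java !== "undefined" && typeof rpc !== "undefined") {
  rpc.exports.contextcustom1 = makeBridaExport(Java, "com.tabbty.myexample.PayloadRequest");
}
```

Frida RPC exports may return a Promise, so the caller receives the hex-encoded string once the callback has resolved it.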