Comments (18)

federicodotta commented on July 25, 2024

Uhm, I don't think so, but maybe one function that I use executes a conversion... When you use non-ASCII chars do you get an exception? Can you please paste me the exception?

from brida.

mr-m0nst3r commented on July 25, 2024

@federicodotta Hi there,
There are no exceptions, but all the Chinese chars are not converted right.
It's a context menu function, I don't know where to start.
Maybe there are these parts:
Repeater selection --1--> context menu function --2--> Brida plugin --3--> Pyro4 proxy --4--> Frida

If using Frida hooks, it's converted well in the console, which is zsh on Mac.

So, I guess maybe 1/2 are possible, because I recall that the plugin is receiving hex-coded payloads, which may not be affected by locales.
But I'm terrible at Java.

I will update more as soon as I get back to work.

Thank you for the feedback and help.

mr-m0nst3r commented on July 25, 2024

@federicodotta Hi there,

Today I met another app which is under our (approved) pentesting, and came across the same problem:

[screenshot omitted]

RSP_MSG is Chinese; if using Frida hooks on the command line, I can see the Chinese chars:
[screenshot omitted]

But Burp is not showing them correctly.

The Brida hook is:

		// "message" arrives as an ASCII-hex string and the result goes back as ASCII-hex;
		// hexToString/stringToHex are helpers defined elsewhere in the plugin script
		if (Java.available) {
			var res = null;
			var data = hexToString(message);

			Java.perform(function () {
				var SecurityEncrypt = Java.use("xxx.utils.dx.TransDataEncry");
				var dec_ret = SecurityEncrypt.decodeEncry(data);
				res = dec_ret;
			});

			return stringToHex(res);
		}

And setting Burp's user options doesn't help:
[screenshot omitted]

Also tried to set the character set to UTF-8, no luck. Same with other sets.

Sorry for the late reply, because usually it's English ASCII chars after hooks.

Looking forward.

Thank you for your time.

mr-m0nst3r commented on July 25, 2024

Update:
When I added console.log(res) before the last return, I saw exceptions in the console of Brida:

	Traceback (most recent call last):
	  File "/usr/local/lib/python2.7/site-packages/frida/core.py", line 289, in _on_message
	    self._log_handler(level, text)
	  File "/usr/local/lib/python2.7/site-packages/frida/core.py", line 304, in _on_log
	    print(text, file=sys.stdout)
	UnicodeEncodeError: 'ascii' codec can't encode characters in position 92-100: ordinal not in range(128)

I ran some tests, changing core.py line 304 to:

  1. print(text.encode("utf-8"), file=sys.stdout)

  2. print(text.decode("utf-8"), file=sys.stdout)

and changed the character set in Burp. No luck.

I think it should be Brida's implementation's problem, because Frida is functioning well when running in the console and can display Chinese chars, and Burp Suite can display Chinese chars correctly:
[screenshot omitted]

That leaves only the Brida extension's implementation.

Would you like to take a look? I can't code Java...

Thank you.

mr-m0nst3r commented on July 25, 2024

update:
I added some Chinese chars in BurpExtender.java:
JOptionPane.showMessageDialog(null, new JScrollPane(ta), "Custom invocation response响应", JOptionPane.INFORMATION_MESSAGE);

The dialog shows the Chinese correctly.

So, maybe it's the byteArrayToHexString and hexStringToByteArray functions' problem.

Or maybe it's Jython's problem; I did some searching and saw one discussion about a Chinese chars problem with Jython.
Link Here

Also tried to change the above two functions as follows, but still no luck:

	static String byteArrayToHexString(byte[] src) {
		if (src == null || src.length <= 0) {
			return null;
		}
		StringBuilder stringBuilder = new StringBuilder();
		for (int i = 0; i < src.length; i++) {
			// mask to an unsigned value so a negative byte does not print as "ffffff.."
			int v = src[i] & 0xFF;
			String hv = Integer.toHexString(v);
			if (hv.length() < 2) {
				stringBuilder.append('0'); // left-pad single-digit values
			}
			stringBuilder.append(hv);
		}
		return stringBuilder.toString();
	}

	private static byte[] hexStringToByteArray(String hexString) {
		if (hexString == null || hexString.equals("")) {
			return null;
		}
		hexString = hexString.toUpperCase();
		int length = hexString.length() / 2; // a trailing odd nibble is silently dropped
		char[] hexChars = hexString.toCharArray();
		byte[] d = new byte[length];
		for (int i = 0; i < length; i++) {
			int pos = i * 2;
			d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1]));
		}
		return d;
	}

	// Not shown in the original comment; assumed helper that the code above calls
	private static byte charToByte(char c) {
		return (byte) "0123456789ABCDEF".indexOf(c);
	}

And I just tried another way:

I simply showed the hex string in the dialog and I got this:

7b22424f4459223a7b2250524f445543545f4c495354223a5b5d7d2c2253595348454144223a7b225452414e535f54494d45223a22323032302d30322d31322030353a31343a3237222c225253505f434f4445223a2230303030303030303030222c225253505f4d5347223a22a413109f227d7d

And using the console hook to decrypt the data shows the result string with the Chinese chars displayed correctly:

{"BODY":{"PRODUCT_LIST":[]},"SYSHEAD":{"TRANS_TIME":"2020-02-12 05:14:27","RSP_CODE":"0000000000","RSP_MSG":"交易成功"}}

And finally it's a matter of converting the hex to the string in BurpExtender.java, and the problem will be solved.

mr-m0nst3r commented on July 25, 2024

update:

And if I directly setText to some Chinese chars, it shows fine.

I'm lost.

I think it's a frida/core.py problem.

federicodotta commented on July 25, 2024

Hi mr-m0nst3r!

Sorry for the delay in the response.

I don't know if this fix can help with your problem, but you can try to change the beginning of the bridaServicePyro.py file ("res" folder) as follows:

# -*- coding: utf-8 -*-
import frida
import codecs
import Pyro4
import sys
import time

# Python 2 only: reload() is a builtin there, and sys.setdefaultencoding()
# no longer exists in Python 3
reload(sys)
sys.setdefaultencoding('utf-8')

@Pyro4.expose
class BridaServicePyro:
...

mr-m0nst3r commented on July 25, 2024

hi, @federicodotta , thank you for your response.

I found a solution while scripting custom Brida plugins.
It's because of the conversion between hex string and string.

It's fixed by using Apache Commons's Hex methods. The default hex decoding of Java is not suitable for Chinese chars.

I plan to make a pull request when I have time.

Great job and thank you!

mr-m0nst3r commented on July 25, 2024

@federicodotta Hi there, I just created a pull request to fix this issue, using org.apache.commons.codec.binary.Hex to do the hex decoding. I found this method while developing a custom plugin using Brida.

Appreciate your excellent work.

federicodotta commented on July 25, 2024

Hi Mr. Monster! Sorry for the delay! Thank you for your work!

I have not merged your pull request yet because I'm working on the new major version of Brida, which I will release in June for HackInParis (my local branch is ahead of the public one by a lot of commits).

Anyhow, the new release will have your fix applied! :)

mr-m0nst3r commented on July 25, 2024

Hi @federicodotta ,

that's great!

Waiting for your new release.
Your plugin is excellent!

My PR may be buggy; I'm new to Java, my major is pentest, so please double check the PR.

And some recommendations:

  1. Add a function for the frida-gadget method. Sometimes I have to use the gadget to get the correct injection point.
  2. Maybe use another version of the syntax editor, I mean for the JS part.
  3. And Python 3. I found Python 3 was not working well with the current version, maybe it's Pyro4's problem, but I know too little about programming to identify the problem.

Your plugin has been playing quite an important role in my work. Thank you a lot for your work!

federicodotta commented on July 25, 2024

Hi mr-monster!

Thank you for your recommendations!

  1. I will try Brida with frida-gadget, fixing bugs if present
  2. For the next release I will not change the syntax editor
  3. I have already implemented Python 3 compatibility. If you need Python 3 before June, I posted the code in this issue: #39 (comment)

Thank you again!

Federico

federicodotta commented on July 25, 2024

Hi @mr-m0nst3r,

One thing: you can already use Brida with frida-gadget (I tried with the old and the new versions of Brida). Procedure:

Android:

If you want to use Brida and Frida on a non-rooted device you must have the APK of the application. You need to patch the application with the Frida library ("Frida Gadget") and then install the patched application on your device. The most comfortable way to accomplish this task is to use the great Objection tool, released by Leon Jacobs. You can find a detailed guide on how to patch the application here.

After patching the application, you can install it using adb ("adb install app-patched.apk").

After launching the application by tapping it on the device, it remains stuck waiting for Frida. Now you can follow the Brida spawn procedure, setting re.frida.Gadget as Application ID.

iOS:

If you want to use Brida and Frida on a non-jailbroken device you must have the IPA of the application. You need to patch the application with the Frida library ("Frida Gadget") and then install the patched application on your device. The most comfortable way to accomplish this task is to use the great Objection tool, released by Leon Jacobs. You can find a detailed guide on how to patch the application here.

After patching the application, you can install and execute it following this guide.

After launching the application, it remains stuck waiting for Frida. Now you can follow the Brida spawn procedure, setting re.frida.Gadget as Application ID.

Federico

mr-m0nst3r commented on July 25, 2024

@federicodotta Great, thank you mate. Looking forward to your new version. Excited.

mr-m0nst3r commented on July 25, 2024

@federicodotta ,

I modified your plugin into another plugin, named Burpy, and I found that by adding the following code to the script, Burp Suite can show UTF-8 characters correctly:

# Python 2 only: reload() is a builtin there, and sys.setdefaultencoding()
# no longer exists in Python 3
import sys
reload(sys)
sys.setdefaultencoding('utf-8')

But Burpy loads a Python script, not JS as Brida does; I'm not sure where I should put it, maybe into the Pyro service script.

I haven't got a project to test on; maybe I'll update with tests later.

Looking forward to your new version release.

federicodotta commented on July 25, 2024

Hi @mr-m0nst3r!

Yes, I tried this fix but it gave me some issues in some environments. As you can see in the Python 3 fix I linked you last month (#39 (comment)), I inserted those lines but then commented them out. Anyhow, I will run other checks on those lines. By the way, it is always better to encode Frida input/output (Base64, hex, etc.) before passing it through Pyro4, in order to pass only UTF-8 characters over the Pyro4 bridge. In the new version of Brida this will be easier.

Anyhow, thank you for the tip and for helping improve Brida!

A little news: due to the current worldwide situation the HackInParis conference has been postponed, and consequently I will release Brida this week or the next one. :)

Have a nice day,
Federico
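Added example, written by the editor and not taken from Brida or from either participant, tying together the hex dump and plaintext mr-m0nst3r posted earlier in the thread and Federico's advice just above to encode Frida input/output before it crosses the Pyro4 bridge. In that dump the value of "RSP_MSG" arrives as the four bytes a4 13 10 9f; those are exactly the low bytes of the UTF-16 code units of 交易成功 (U+4EA4 U+6613 U+6210 U+529F), which is what a string-to-hex helper built on charCodeAt(i) & 0xff produces, and the damage is invisible because the output is still well-formed hex. The block contrasts such a lossy helper (an assumption made to reproduce the symptom, not a claim about what Brida's helper actually did) with a pair that encodes to UTF-8 before hexing and decodes back afterwards, so only ASCII ever crosses the bridge. Function names are assumptions; the two sample strings are the ones quoted in the thread.

```javascript
// Added example (not Brida's code): UTF-8-aware ASCII-hex transport between
// Burp and a Frida script, beside the lossy helper that explains the mangled
// "RSP_MSG". Helper names are assumptions; sample strings come from the thread.

// Plaintext quoted in the thread; "\u4ea4\u6613\u6210\u529f" is 交易成功.
var CLEAR_JSON = '{"BODY":{"PRODUCT_LIST":[]},"SYSHEAD":{"TRANS_TIME":"2020-02-12 05:14:27",' +
                 '"RSP_CODE":"0000000000","RSP_MSG":"\u4ea4\u6613\u6210\u529f"}}';

// Hex dump quoted in the thread: the four Chinese characters arrived as a4 13 10 9f.
var OBSERVED_HEX = [
  '7b22424f4459223a7b2250524f445543545f4c495354223a5b5d7d2c2253595348454144223a7b',
  '225452414e535f54494d45223a22323032302d30322d31322030353a31343a3237222c22',
  '5253505f434f4445223a2230303030303030303030222c22',
  '5253505f4d5347223a22a413109f227d7d'
].join('');

function byteToHex(b) {
  return (b < 16 ? '0' : '') + b.toString(16);
}

// Lossy variant (assumed, to reproduce the failure): keeps only the low byte of
// each UTF-16 code unit. ASCII survives; anything above U+00FF is destroyed
// silently, and the result still looks like valid hex.
function stringToHexLossy(str) {
  var out = '';
  for (var i = 0; i < str.length; i++) {
    out += byteToHex(str.charCodeAt(i) & 0xff);
  }
  return out;
}

// Encode a JS string as UTF-8 bytes, combining surrogate pairs first.
function utf8Encode(str) {
  var bytes = [];
  for (var i = 0; i < str.length; i++) {
    var cp = str.charCodeAt(i);
    if (cp >= 0xd800 && cp <= 0xdbff && i + 1 < str.length) {
      var lo = str.charCodeAt(i + 1);
      if (lo >= 0xdc00 && lo <= 0xdfff) {
        cp = 0x10000 + ((cp - 0xd800) << 10) + (lo - 0xdc00);
        i++;
      }
    }
    if (cp < 0x80) {
      bytes.push(cp);
    } else if (cp < 0x800) {
      bytes.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
    } else if (cp < 0x10000) {
      bytes.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    } else {
      bytes.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f),
                 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    }
  }
  return bytes;
}

// Decode UTF-8 bytes to a JS string. Malformed input is not hidden: a bad lead
// byte or a truncated sequence becomes U+FFFD, so corruption is visible in Burp.
function utf8Decode(bytes) {
  var out = '';
  var i = 0;
  while (i < bytes.length) {
    var b0 = bytes[i], need, cp;
    if (b0 < 0x80) { need = 0; cp = b0; }
    else if ((b0 & 0xe0) === 0xc0) { need = 1; cp = b0 & 0x1f; }
    else if ((b0 & 0xf0) === 0xe0) { need = 2; cp = b0 & 0x0f; }
    else if ((b0 & 0xf8) === 0xf0) { need = 3; cp = b0 & 0x07; }
    else { out += '\ufffd'; i++; continue; } // stray continuation byte or 0xf8..0xff
    var ok = i + need < bytes.length;
    for (var k = 1; ok && k <= need; k++) {
      var bk = bytes[i + k];
      if ((bk & 0xc0) !== 0x80) { ok = false; break; }
      cp = (cp << 6) | (bk & 0x3f);
    }
    if (!ok) { out += '\ufffd'; i++; continue; }
    if (cp > 0xffff) {
      cp -= 0x10000;
      out += String.fromCharCode(0xd800 + (cp >> 10), 0xdc00 + (cp & 0x3ff));
    } else {
      out += String.fromCharCode(cp);
    }
    i += need + 1;
  }
  return out;
}

// Reject malformed hex instead of truncating it (length / 2 would silently drop
// a trailing nibble, and parseInt would accept junk like "zz" as NaN).
function hexToBytes(hex) {
  if (typeof hex !== 'string' || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new TypeError('not an even-length hex string');
  }
  var bytes = [];
  for (var i = 0; i < hex.length; i += 2) {
    bytes.push(parseInt(hex.substr(i, 2), 16));
  }
  return bytes;
}

// The two boundary helpers: only ASCII hex ever crosses the Pyro4 bridge.
function stringToHex(str) {
  return utf8Encode(str).map(byteToHex).join('');
}

function hexToString(hex) {
  return utf8Decode(hexToBytes(hex));
}
```

The lossy encoder applied to the quoted plaintext reproduces the quoted hex dump byte for byte, and decoding that dump as UTF-8 yields U+FFFD for the two bytes that cannot start a sequence, so the corruption shows up instead of passing silently. A current Frida runtime could replace utf8Encode/utf8Decode with TextEncoder/TextDecoder; the manual version is kept so the block also runs on older runtimes. The decoder does not reject overlong or surrogate encodings, which is acceptable for display but not for anything that makes a security decision on the decoded text. On the Burp side the matching step is to decode the hex to bytes and build the String with an explicit UTF-8 charset rather than the platform default (a general Java point, not something the thread spells out).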

mr-m0nst3r commented on July 25, 2024

@federicodotta
It's a little tricky since Brida is handling variables among Java, Python and JS. I'm lost analyzing it, but I guess it's Python 2's fault.

Hah, I should thank corona in a way, since I can see your new release earlier than normal.

Great work, and take good care.

federicodotta commented on July 25, 2024

Hi @mr-m0nst3r!

Yesterday I released the new version of Brida. Now you can create custom plugins using a graphical interface, with various encoding/compression algorithms, including ASCII-HEX, Base64, gzip, etc. You can find many examples in the new Wiki.

Please try the new version and let me know if it solves your encoding issues, using one of the supplied encoding algorithms when Chinese characters or binary data are sent from Burp Suite to Frida and vice versa.

I await your feedback! Thank you!

Take good care,
Federico
