
How to hook and capture packets with Frida and Brida

2025-01-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will talk about how to hook and capture packets with Frida and Brida. Many people may not know much about it, so to help you understand I have summarized the following. I hope you get something from this article.

Environment preparation

1. Install Node.js (npm)

Download the installer from the official site https://nodejs.org/en/download/ and install it directly.

2. Install Frida:

pip install frida

pip install frida-tools

npm install frida-compile@9.3.0

Note: newer versions of frida-compile no longer accept the compilation parameters that Brida passes, so the compile step reports an error. If you want to use a newer version, remove those parameters and try it yourself.

3. Install Brida and its dependency:

Download Brida v0.4 from GitHub and load it into Burp as an extension: https://github.com/federicodotta/Brida/releases/tag/v0.4

pip install Pyro4

Note: the Burp extension store also offers Brida. When I installed Brida directly from the store, the hook js script could not parse the parameters; in the end I switched to the package from the official release page, which solved the problem. As a newbie I don't know the reason, so I would welcome advice from an expert.

4. Set up the test apk environment

Test apk download address: https://pan.baidu.com/s/1r2pKkbsB22FMfu_bD2vhtw

Installation: adb install -t eseBrida.apk

Note: I use the expert's test app here, on the principle of explaining the usage as quickly as possible. (Well, in fact I am not yet very good at locating the encryption/decryption function, so I will practice with the test app first, and after I have learned the encryption approach I may continue writing about the learning process.)

Set up the server environment:

As shown in the figure above, after downloading the four files there is a hook.js script, the server-side processing code, and a script that starts the frida service. If you want to use them, adapt them to your actual environment.

For efficiency, we can build the service directly with phpStudy and put the php file into phpStudy's web root directory.

The result of visiting it is as follows:

Note: if you see the source code or a blank page when you visit, it may be a php version problem; just change the version. I use 5.4.45 here.

Set the service address inside the apk:

Start

Download the matching frida-server version, push it to the test device and run it:

Port forwarding:

Go to Burp and, in Brida, start the server and the application:

For the JS, just load the default js script and modify it. The two path fields can be set to the corresponding installation paths; if you cannot find a path, search for the file name with Everything or a similar tool.

The package name can be found with the command in the figure below, or, after opening the app, with adb shell dumpsys window w | findstr \/ | findstr name=

Script debugging

Look at the expert's js file:

Compare it with the decompiled encryption algorithm:

Key value:

Load the default brida.js:

Write the js code shown in the figure below:

Save and recompile the js, then debug it (save and compile every time the js code is modified):

Run the contextcustom1 method, which appends data to its input, to confirm that Brida itself works:

Run the contextcustom2 method to check whether the encryption and decryption functions are correct:

Debug with the expert's js code:

Check the output and find that there is a problem. Looking at the js code, the script passes the data as a hexadecimal byte stream; change the code to pass string data and see the result:

Modify the decryption script in the same way:

In theory the expert's js should be fine. It is not clear whether the calling mechanism changed or a Brida update changed something; if you are interested you can study it, and I hope someone who knows the reason will point me, a newbie, in the right direction.
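The script structure discussed above, as an added example that is not the page's, the expert's or Brida's own script: a brida.js-style file that exposes the app's encryption and decryption to Burp through rpc.exports. The contextcustom1 and contextcustom2 export names follow Brida's default script; appdecrypt, the com.example.app.CryptoUtil class and its encrypt/decrypt methods are assumed placeholders for whatever the decompiled app actually uses. The helpers handle the ASCII-HEX versus plain-string argument mismatch the debugging section ran into, and the exports table is built from injected callbacks so the dispatch logic can be checked under plain Node before the hook is loaded into the app.

```javascript
'use strict';
// Added example, not the page's or Brida's script. Shape of a brida.js that
// exposes an app's encrypt/decrypt to Burp through rpc.exports and handles
// the argument-encoding mismatch discussed above (ASCII-HEX vs plain string).

// Java byte[] values are signed (-128..127); Java.array('byte', ...) expects that.
function hexToSignedBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('not an ASCII-HEX string: ' + hex);
  }
  var out = [];
  for (var i = 0; i < hex.length; i += 2) {
    var v = parseInt(hex.substr(i, 2), 16);
    out.push(v > 127 ? v - 256 : v);
  }
  return out;
}

function signedBytesToHex(bytes) {
  return bytes.map(function (b) {
    return ('0' + ((b + 256) % 256).toString(16)).slice(-2);
  }).join('');
}

// Decode hex-encoded UTF-8 into a JS string without TextDecoder, which the
// Frida runtime may not provide.
function hexToUtf8(hex) {
  var escaped = hexToSignedBytes(hex).map(function (b) {
    return '%' + ('0' + ((b + 256) % 256).toString(16)).slice(-2);
  }).join('');
  return decodeURIComponent(escaped);
}

// Brida hands every argument over as a string. With "Encoding function
// argument: ASCII-HEX" it arrives hex-encoded; with "none" it is plain text.
function argumentToPlaintext(arg, encoding) {
  return encoding === 'ascii-hex' ? hexToUtf8(arg) : arg;
}

// Build the rpc.exports table from injected encrypt/decrypt callbacks so the
// dispatch logic can be exercised outside Frida.
function buildExports(encryptFn, decryptFn, argEncoding) {
  return {
    // Export names must be lowercase: Brida calls them by the name typed into
    // the plug-in form.
    // contextcustom1: sanity check that Brida passes arguments and returns output.
    contextcustom1: function (message) {
      return message + '_brida_ok';
    },
    // contextcustom2: encrypt the selected plaintext through the app's own code.
    contextcustom2: function (message) {
      return encryptFn(argumentToPlaintext(message, argEncoding));
    },
    // appdecrypt (assumed name): decrypt a ciphertext the server sent.
    appdecrypt: function (message) {
      return decryptFn(message);
    },
  };
}

// Frida-side implementation: calls into the app's Java code. Class and method
// names are hypothetical placeholders for the ones found by decompiling the apk.
function encryptInApp(plaintext) {
  var result = null;
  Java.perform(function () {
    var CryptoUtil = Java.use('com.example.app.CryptoUtil');
    result = CryptoUtil.encrypt(plaintext); // assumed to return a Base64 String
  });
  return result;
}

function decryptInApp(ciphertext) {
  var result = null;
  Java.perform(function () {
    var CryptoUtil = Java.use('com.example.app.CryptoUtil');
    result = CryptoUtil.decrypt(ciphertext);
  });
  return result;
}

// Only the Frida runtime defines rpc and Java; under plain Node this is skipped.
if (typeof rpc !== 'undefined' && typeof Java !== 'undefined') {
  rpc.exports = buildExports(encryptInApp, decryptInApp, 'none');
}
```

In Brida, set "Encoding function argument" to match the argEncoding passed to buildExports: with none the export receives the plain string, with ASCII-HEX it receives hex and the helper decodes it before the app's routine is called. Running contextcustom1 through Brida's execute-method feature first, as the page does, separates a Brida configuration problem from a problem in the hook itself.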

Plug-in use

Brida v0.4 comes with several plug-in types that use the script, which is very convenient and easy to use.

IHttpListener

The IHttpListener plug-in automatically calls the js encryption/decryption function on requests and responses that match its conditions:

The fields of the plug-in mean the following:

Plug-in name: BridaEncryptPassword

Plug-in type: IHttpListener

Name of the Frida export function: (the name of the JS function we defined in the previous step. Do not use uppercase characters in exported function names.)

Execute on: request / response

Burp Suite tools: Repeater, Intruder and Scanner (to be able to test password parameters manually, brute-force with Intruder and scan with Scanner)

Handle only requests / responses within scope: yes (to avoid encrypting unexpected requests)

Execute: (we can give the plug-in a regular expression, or check all requests / responses, to choose when the plug-in should run; the regex is matched against the plain-text request / response, so that our plug-in runs only on the specified ones. In our case we are only interested in login requests.)

Parameter: regular expression. We define a regular expression that can contain any number of groups, and the groups are the parameters passed to our Frida export function. In our case we want to pass only the password field, and a regular expression with a group does exactly that. (Brida offers many other options for passing parameters, such as full request / response, body, headers, dynamic feed, ... selected through a pop-up window.)

Encoding function argument: none. (We can encode the extracted parameter before sending it to the Frida export function, but it is not necessary in this case. This is important for binary input: then it is best to encode the parameter as ASCII-HEX or Base64 and decode it in the Frida export function. When clicked, every encoding / decoding option of the custom plug-in opens a pop-up window in which you can select one or more encoding / compression algorithms, such as Base64, ASCII-HEX, URL, GZIP, ...)

Decode function output: none. (We can decode the output returned by Frida. As for parameters, if the output is binary it is best to encode it in the Frida export function and decode it in the plug-in with this option. For example, the iOS function we use for this plug-in, +cryptoPassword:, returns Base64 output; the back end expects the encrypted data encoded with the same function, so we don't need to decode it.)

Plug-in output: use a regular expression (parenthesized). (The encrypted value returned by Frida replaces its unencrypted form in the request we insert in Repeater, Intruder or Scanner. As for the parameter, we use the regex group to select the insertion point.)

Plug-in output encoding: (this menu allows us to encode the Frida output before inserting it into the request / response.)

The regular expression rules are particularly important in this plug-in; a mismatch causes errors.

IContextMenu

The IContextMenu plug-in adds right-click encrypt and decrypt options:

The fields of the plug-in mean the following:

Plug-in name:

Plug-in type: IContextMenu

Name of the Frida export function: (the name of the JS function we defined in the previous step. Do not use uppercase characters in the exported function name.)

Execute: the right-click menu entry, named after the decryption function

Parameter: the highlighted value in the request / response (the part of the request / response highlighted by clicking and dragging with the left mouse button is passed as the argument to the Frida export function. Brida offers many other options for passing parameters, such as full request / response, regular expression with group, body, headers, dynamic feed, ... selected through a pop-up window.)

Encoding function argument: none. (We can encode the parameter before sending it to the mobile application, but it is not necessary in this case. This is important for binary input: then it is best to encode the parameter as ASCII-HEX or Base64 and decode it in the function exported by Frida. When clicked, every encoding / decoding option of the custom plug-in opens a pop-up window in which you can select one or more encoding / compression algorithms, such as Base64, ASCII-HEX, URL, GZIP.)

Decode function output: none. (We can decode the output returned by Frida. As for parameters, if the output is binary it is best to encode it in the Frida export function and decode it in the plug-in with this option. In our plug-in, the iOS function we use, +cryptoResponse:, returns the result of the operation as an ASCII string, so we don't need to decode it.)

Plug-in output: replace the highlighted value in the request / response (the output of the Frida export function replaces the highlighted value that was passed as the parameter.)

Plug-in output encoding: none. (This menu allows us to encode the Frida output before inserting it at the selected location. In our current plug-in this is not required, so we set it to none.)

After reading the above, do you have a better understanding of how to hook and capture packets with Frida and Brida? Thank you for your support.
