備忘録


Fridaでjavax.crypto.spec.SecretKeySpecをhookする方法

Ⅰ. はじめに

タイトルの通り「Fridaでjavax.crypto.spec.SecretKeySpecをhookする方法」です。

Ⅱ. やり方

1. hook.js
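/**
 * Minimal Base64 codec for byte arrays (standard alphabet A-Z a-z 0-9 + /
 * with '=' padding), used by the hook to print key bytes as text.
 *
 * encode(arr): array-like of byte values -> Base64 string ("" for empty/null).
 * decode(str): Base64 string -> array of byte values 0..255 ([] for empty/null).
 */
const Base64a = (function () {
  const ALPHABET =
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  const PAD_CHAR = '=';
  // Sentinel stored in the decode table for '='; it is outside the 0..63
  // range so padding can be recognised after the last group is read.
  const PAD_VALUE = 64;

  // Character code -> 6-bit value.
  const DECODE_TABLE = {};
  for (let i = 0; i < ALPHABET.length; i++) {
    DECODE_TABLE[ALPHABET.charCodeAt(i)] = i;
  }
  DECODE_TABLE[PAD_CHAR.charCodeAt(0)] = PAD_VALUE;

  /**
   * Encode byte values as Base64.
   *
   * Each element is masked to 8 bits first: a Java byte[] handed over by the
   * bridge holds signed values (-128..127), and shifting a negative number
   * with >>> produces an index far outside the alphabet, which corrupted the
   * output for any byte >= 0x80.
   *
   * @param {ArrayLike<number>} arr - byte values, signed or unsigned
   * @returns {string} Base64 text, "" when arr is empty or missing
   */
  function encode(arr) {
    if (!arr || !arr.length) {
      return '';
    }
    const len = arr.length;
    let out = '';
    for (let i = 0; i < len; i += 3) {
      const hasSecond = i + 1 < len;
      const hasThird = i + 2 < len;
      const b0 = arr[i] & 0xff;
      const b1 = hasSecond ? arr[i + 1] & 0xff : 0;
      const b2 = hasThird ? arr[i + 2] & 0xff : 0;
      // 3 bytes -> 4 sextets: 6 | 2+4 | 4+2 | 6
      out += ALPHABET[b0 >>> 2];
      out += ALPHABET[((b0 & 3) << 4) | (b1 >>> 4)];
      out += hasSecond ? ALPHABET[((b1 & 15) << 2) | (b2 >>> 6)] : PAD_CHAR;
      out += hasThird ? ALPHABET[b2 & 63] : PAD_CHAR;
    }
    return out;
  }

  /**
   * Decode Base64 text into byte values.
   *
   * Characters outside the alphabet are not rejected; they contribute zero
   * bits, as in the original implementation.
   *
   * @param {string} str - Base64 text
   * @returns {number[]} decoded bytes, [] when str is empty or missing
   */
  function decode(str) {
    if (!str || !str.length) {
      return [];
    }
    const bytes = [];
    let quad = [];
    for (let i = 0; i < str.length; i += 4) {
      quad = [0, 1, 2, 3].map(function (j) {
        return DECODE_TABLE[str.charCodeAt(i + j) || 0];
      });
      // 4 sextets -> 3 bytes: 6+2 | 4+4 | 2+6
      bytes.push(
        (quad[0] << 2) | ((quad[1] & 63) >>> 4),
        ((quad[1] & 15) << 4) | ((quad[2] & 63) >>> 2),
        ((quad[2] & 3) << 6) | (quad[3] & 63)
      );
    }
    // Drop the filler bytes produced by '=' padding in the final group.
    if (quad[3] === PAD_VALUE) {
      bytes.pop();
      if (quad[2] === PAD_VALUE) {
        bytes.pop();
      }
    }
    return bytes;
  }

  return { encode: encode, decode: decode };
}());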

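/**
 * Replace the SecretKeySpec(byte[] key, String algorithm) constructor with a
 * wrapper that runs the original constructor and then prints the key bytes,
 * Base64-encoded, to the Frida console.
 *
 * Only this one overload is replaced; other SecretKeySpec constructors are
 * left as they are. The printed line is the raw key material, so the console
 * output and any saved copy of it need the same handling as the key itself.
 *
 * Must be called from inside Java.perform().
 */
function hookSecretKeySpec() {
  // Declared locally: the bare assignment created an implicit global and
  // throws a ReferenceError if the script is ever run in strict mode.
  const classSecretKeySpec = Java.use("javax.crypto.spec.SecretKeySpec");

  // '[B' is the JVM type descriptor for byte[].
  classSecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (arg1, arg2) {
    // Run the real constructor first so the app's behaviour is unchanged.
    this.$init(arg1, arg2);
    console.log(Base64a.encode(arg1));
    console.log("[*] SecretKeySpec called");
  };

  console.log("[*] SecretKeySpec modified");
}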
  
  // Script entry point: defer to the next tick, then install the hook once
  // the Java bridge has attached the current thread to the VM.
  setImmediate(() => {
    console.log("[*] Starting script");

    Java.perform(() => {
      hookSecretKeySpec();
    });
  });
2. 実行する
# -U: target the USB-attached device, -l: script to load, -f: spawn this package.
# --no-pause resumes the spawned app right away; recent frida-tools releases
# resume by default and no longer accept this flag (they offer --pause instead).
frida -U -l hook.js -f tld.hoge.app --no-pause

実行結果

[*] Starting script
[*] SecretKeySpec handler modified
ODdiOTI3MmQxMDliMWU2NDI4NTBmNDU1ZWVhNWIyYmE=
[*] SecretKeySpec called