Frida Hooking Journey Part 2

Ashlyn L, Numen Cyber Labs
Apr 27, 2022

“Keep working hard, persevere to dive deeper until you know what you don’t know….” — Rock K

This is the answer I received when I informed my superior that I didn't know how to do a particular new assignment. -.-'''

In this Part 2, I will cover two more Frida hooks, which can be powerful once you have found a sweet spot to use them. So, let your imagination run wild.

With the same setup as in my previous post on Frida, I have made a minor change to the source code of the OWASP MSTG Hacking Playground in order to demonstrate a particular example. In every effort, I'm trying to make the learning experience more practical and simpler than just showing static code.

What you need:

1. Rooted Device

1.1 Download the frida-server-15.1.17-android-arm64.xz (https://github.com/frida/frida/releases)

1.2 Start the frida-server using the following command:

2. Linux VM (or any OS of your choice)

2.1 Objection 1.11.0

2.2 Frida 15.1.17

3. MSTG Hacking Playground (Modified)

3.1 Download app-debug.apk (https://github.com/gitashl/frida-exp/tree/main/Android/app)

Hook 1: Pass in Own Input Values

1. Inspect the code and identify a class method where you can pass your own value into the encrypt() function and observe the results. The objective is to display the encrypted bytes of any value passed to it, base64-encode them, and then use the encoded value to overwrite a declared variable.

2. The script to do that:

function getencryptedvalue() {
    Java.perform(function () {
        console.log("Enter function");
        var stringClass = Java.use("java.lang.String");
        var badEncryption = Java.use("sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption");

        badEncryption.encrypt.overload('java.lang.String').implementation = function (str) {
            // Your own value to pass to encrypt() instead of the caller's argument
            var my_string = stringClass.$new("ownstring");
            // Call the original implementation with the substituted value;
            // Frida hands the returned Java byte[] back as an array of signed bytes
            var result = this.encrypt(my_string);
            console.log("Original str: " + str);
            console.log("New str: " + my_string);
            console.log("Encrypted result: " + JSON.stringify(result));
            bytesToBase64(result);
            return result;
        };
    });
}

// Base64-encode an array of (signed) byte values and print the result
function bytesToBase64(e) {
    var r, a, c, h, o, t;
    var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    for (c = e.length, a = 0, r = ''; a < c;) {
        // First byte of the group; mask with 255 because Java bytes arrive signed
        h = 255 & e[a++];
        if (a == c) {
            // One byte left over: two characters plus "==" padding
            r += base64EncodeChars.charAt(h >> 2);
            r += base64EncodeChars.charAt((3 & h) << 4);
            r += '==';
            break;
        }
        o = e[a++];
        if (a == c) {
            // Two bytes left over: three characters plus "=" padding
            r += base64EncodeChars.charAt(h >> 2);
            r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4);
            r += base64EncodeChars.charAt((15 & o) << 2);
            r += '=';
            break;
        }
        t = e[a++];
        // Full group of three bytes: four characters
        r += base64EncodeChars.charAt(h >> 2);
        r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4);
        r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6);
        r += base64EncodeChars.charAt(63 & t);
    }
    console.log("Base64 result: " + r);
}

setImmediate(getencryptedvalue)

3. Note that the encrypted value of the string "ownstring", base64 encoded, is gJiBnJudhoGI

4. Why is this useful? If you are able to hook a decrypt function and obtain its output value, you can modify or forge the clear-text value and then hook the encrypt function to derive a signed value without knowing the encryption logic.
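The hook above hands bytesToBase64() the byte[] that encrypt() returns, and Frida reports Java bytes as signed values (-128..127), which is why the encoder masks with 255. The Node.js script below is an added example, not code from the original post or from the MSTG Hacking Playground: it reimplements the base64 encoding with padding handled explicitly, adds the matching decoder, and reuses the post's own value gJiBnJudhoGI to check that the ciphertext of "ownstring" is exactly nine bytes, one per input character. The sample byte array is constructed by decoding that value and re-signing it the way the hook would print it; the function names are my own.

```javascript
// Added example (not from the original post): base64 helpers for the
// byte[] values Frida hands back from a hooked Java method. Frida reports
// Java byte[] as an array of SIGNED values (-128..127), so every byte is
// masked with 0xff before encoding.

const BASE64_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Encode an array-like of (possibly signed) byte values to base64.
function javaBytesToBase64(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const remaining = bytes.length - i;
    const b0 = bytes[i] & 0xff;                       // mask: signed -> 0..255
    const b1 = remaining > 1 ? bytes[i + 1] & 0xff : 0;
    const b2 = remaining > 2 ? bytes[i + 2] & 0xff : 0;
    const triple = (b0 << 16) | (b1 << 8) | b2;       // 24-bit group
    out += BASE64_ALPHABET[(triple >> 18) & 0x3f];
    out += BASE64_ALPHABET[(triple >> 12) & 0x3f];
    out += remaining > 1 ? BASE64_ALPHABET[(triple >> 6) & 0x3f] : '=';
    out += remaining > 2 ? BASE64_ALPHABET[triple & 0x3f] : '=';
  }
  return out;
}

// Decode base64 back to unsigned byte values (0..255).
function base64ToBytes(text) {
  const clean = text.replace(/=+$/, '');
  const bytes = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of clean) {
    const v = BASE64_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error('invalid base64 character: ' + ch);
    buffer = ((buffer << 6) | v) & 0xffffff;          // keep the low 24 bits only
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
    }
  }
  return bytes;
}

// Convert unsigned bytes to the signed form Frida/Java would report, so the
// encoder can be checked against a JSON.stringify-style dump from a hook.
function toSignedJavaBytes(bytes) {
  return bytes.map((b) => (b > 127 ? b - 256 : b));
}

// True when the ciphertext is exactly one byte per plaintext character.
// An output of equal length has no room for an IV, padding or an
// authentication tag, which is worth recording when reviewing a scheme.
function ciphertextMatchesPlaintextLength(ciphertextB64, plaintext) {
  return base64ToBytes(ciphertextB64).length === plaintext.length;
}

// Constructed sample: the post's base64 output for "ownstring", turned back
// into the signed byte array that JSON.stringify(result) prints in the hook.
const SAMPLE_B64 = 'gJiBnJudhoGI';
const sampleSigned = toSignedJavaBytes(base64ToBytes(SAMPLE_B64));
console.log('bytes as the hook prints them:', JSON.stringify(sampleSigned));
console.log('re-encoded:', javaBytesToBase64(sampleSigned));
console.log('one byte per character:',
  ciphertextMatchesPlaintextLength(SAMPLE_B64, 'ownstring'));
```

Inside a Frida agent, javaBytesToBase64(result) can stand in for bytesToBase64(result) in Hook 1; the decoder is what you reach for when you want to compare a captured value byte by byte against what the app stores. The length check is the reviewer's takeaway: a ciphertext that is exactly as long as the input cannot be carrying an IV or an integrity tag, which is precisely why the playground calls this class BadEncryption.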

Hook 2: Overwrite Class Variable

1. With the encrypted value obtained from the previous example, we can now overwrite the class variable to alter the secret that is declared through a variable.

2. The script to do that:

function hook2changevariable() {
    Java.perform(function () {
        console.log("Enter function");
        var my_class = Java.use("sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption");
        // Overwrite the class field "encrypted" with the base64 value obtained in Hook 1
        my_class.encrypted.value = "gJiBnJudhoGI";
        console.log("Set new value: " + my_class.encrypted.value);
    });
}
setImmediate(hook2changevariable)

3. Run the script as follows:

4. Then verify the password as "ownstring" and you will be greeted with a successful login!

Conclusion

I hope you enjoy the content and, if you do, stay tuned for Part 3 or maybe Part 4 for more interesting hooking content, which will cover hooking .so native library files and more!

Penetration Tester | Security Consultant | Wine Lover