frida-fusion 0.1.15__tar.gz → 0.1.16__tar.gz

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: frida-fusion
-Version: 0.1.15
+Version: 0.1.16
 Summary: Hook your mobile tests with Frida
 Author-email: "Helvio Junior (M4v3r1ck)" <helvio_junior@hotmail.com>
 Maintainer-email: "Helvio Junior (M4v3r1ck)" <helvio_junior@hotmail.com>
@@ -101,6 +101,9 @@ void    fusion_printStackTrace();
 # Print all methods of class 'name'
 void    fusion_printMethods(String name);
 
+# Get value of a field inside an class instance
+Object fusion_getFieldValue(Object obj, String fieldName);
+
 # Wait until the class 'name' exists in memory to execute the callback function
 void    fusion_waitForClass(String name, CallbackFunction onReady)
 

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/README.md

@@ -66,6 +66,9 @@ void    fusion_printStackTrace();
 # Print all methods of class 'name'
 void    fusion_printMethods(String name);
 
+# Get value of a field inside an class instance
+Object fusion_getFieldValue(Object obj, String fieldName);
+
 # Wait until the class 'name' exists in memory to execute the callback function
 void    fusion_waitForClass(String name, CallbackFunction onReady)
 

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/frida_fusion/__meta__.py

@@ -1,8 +1,8 @@
-__version__ = '0.1.15'
+__version__ = '0.1.16'
 __title__ = "Frida Fusion"
 __description__ = "📱 frida-fusion - runtime mobile exploration"
 __url__ = "https://github.com/helviojunior/frida-fusion"
-__build__ = 0xef43fce
+__build__ = 0xfe136e5
 __author__ = "Helvio Junior (M4v3r1ck)"
 __author_email__ = "helvio_junior@hotmail.com"
 __license__ = "GPL-3.0"

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/frida_fusion/libs/helpers.js

@@ -128,22 +128,26 @@ function fusion_getCallerInfo() {
 }
 
 function fusion_sendKeyValueData(module, items) {
-    var st = fusion_getB64StackTrace();
-
-    var data = [];
+    try{
+      var st = fusion_getB64StackTrace();
 
-    // Force as String
-    for (let i = 0; i < items.length; i++) {
-        data = data.concat([{key: `${items[i].key}`, value:`${items[i].value}`}]);
-    }
+      var data = [];
 
-    fusion_Send({
-      type: "key_value_data",
-      module: module,
-      data: data,
-      stack_trace: st
-    }, null);
+      // Force as String
+      for (let i = 0; i < items.length; i++) {
+          data = data.concat([{key: `${items[i].key}`, value:`${items[i].value}`}]);
+      }
 
+      fusion_Send({
+        type: "key_value_data",
+        module: module,
+        data: data,
+        stack_trace: st
+      }, null);
+    } catch (err) {
+      fusion_sendMessage("W", `Error: ${err}`)
+    }
+    return null;
 }
 
 function fusion_sendMessage(level, message){
@@ -160,7 +164,7 @@ function fusion_sendMessage(level, message){
           message: b64Msg
         }, null)
     } catch (err) {
-        fusion_sendMessage("W", err)
+        fusion_sendMessage("W", `Error: ${err}`)
     }
 }
 
@@ -184,7 +188,7 @@ function fusion_sendMessageWithTrace(level, message){
           message: b64Msg
         }, null)
     } catch (err) {
-        fusion_sendMessage("W", err)
+        fusion_sendMessage("W", `Error: ${err}`)
     }
 }
 
@@ -218,7 +222,7 @@ function fusion_getB64StackTrace(){
         return b64Msg
 
     } catch (err) {
-        fusion_sendMessage("W", err);
+        fusion_sendMessage("W", `Error: ${err}`)
         return '';
     }
 }
@@ -256,12 +260,32 @@ function fusion_getClassName(obj)
         // Se for algo não Java, apenas retorna tipo do JS
         return typeof obj;
     } catch (err) {
-        fusion_sendMessage("W", err);
+        fusion_sendMessage("W", `Error: ${err}`)
         return '';
     }
 
 }
 
+function fusion_getFieldValue(obj, fieldName) {
+  if (obj === null || obj === undefined) return "";
+  try {
+    var cls = obj.getClass();
+    while (cls != null) {
+      try {
+        var f = cls.getDeclaredField(fieldName);
+        f.setAccessible(true);
+        return f.get(obj);
+      } catch (e) {
+        cls = cls.getSuperclass();
+      }
+    }
+  } catch (err) {
+      fusion_sendMessage("W", `Error: ${err}`)
+      return '';
+  }
+}
+
+
 function fusion_getReadableRange(p) {
   try { p = ptr(p); } catch (_) { return null; }
   const range = Process.findRangeByAddress(p); // não lança exceção

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/frida_fusion/modules/crypto/crypto.js

@@ -3,7 +3,8 @@ const CRYPTO_MODULES = {
     KeyGenerator: true,
     KeyPairGenerator: true,
     SecretKeySpec: true,
-    MessageDigest: true,
+    MessageDigest: false,
+    KeyFactory: true,
     SecretKeyFactory: true,
     Signature: true,
     Cipher: true,
@@ -12,7 +13,7 @@ const CRYPTO_MODULES = {
     IvParameterSpec: true,
     GCMParameterSpec: true,
     PBEParameterSpec: true,
-    X509EncodedKeySpec: true
+    X509EncodedKeySpec: true,
 };
 
 setTimeout(function() {
@@ -144,6 +145,53 @@ setTimeout(function() {
 
         }
 
+        if (CRYPTO_MODULES.KeyFactory) {
+            fusion_sendMessage('*', "Module attached: java.security.KeyFactory");
+            const keyFactory = Java.use("java.security.KeyFactory");
+            keyFactory.getInstance.overload("java.lang.String").implementation = function (arg0) {
+                fusion_sendKeyValueData("KeyFactory.getInstance", [
+                    {key: "Algorithm", value: arg0}
+                ]);
+                return this.getInstance(arg0);
+            };
+
+            keyFactory.getInstance.overload("java.lang.String", "java.lang.String").implementation = function (arg0, arg1) {
+                fusion_sendKeyValueData("KeyFactory.getInstance", [
+                    {key: "Algorithm", value: arg0},
+                    {key: "Provider", value: arg1}
+                ]);
+                return this.getInstance(arg0, arg1);
+            };
+
+            keyFactory.getInstance.overload("java.lang.String", "java.security.Provider").implementation = function (arg0, arg1) {
+                fusion_sendKeyValueData("KeyFactory.getInstance", [
+                    {key: "Algorithm", value: arg0},
+                    {key: "Provider", value: arg1}
+                ]);
+                return this.getInstance(arg0, arg1);
+            };
+
+
+            keyFactory.generatePrivate.overload('java.security.spec.KeySpec').implementation = function (keySpec) {
+                fusion_sendKeyValueData("KeyFactory.generatePrivate", [
+                    {key: "ClassType", value: fusion_getClassName(this)},
+                    {key: "KeySpecClassType", value: fusion_getClassName(keySpec)},
+                    {key: "Algorithm", value: this.getAlgorithm()},
+                    {key: "Key", value: fusion_keyToBase64(keySpec)},
+                ]);
+                return this.generatePrivate(keySpec);
+            };
+
+            keyFactory.generatePublic.overload('java.security.spec.KeySpec').implementation = function (keySpec) {
+                fusion_sendKeyValueData("KeyFactory.generatePublic", [
+                    {key: "ClassType", value: fusion_getClassName(this)},
+                    {key: "KeySpecClassType", value: fusion_getClassName(keySpec)},
+                    {key: "Algorithm", value: this.getAlgorithm()},
+                ]);
+                return this.generatePublic(keySpec);
+            };
+        }
+
         if (CRYPTO_MODULES.SecretKeyFactory) {
             fusion_sendMessage('*', "Module attached: javax.crypto.SecretKeyFactory");
             const secretKeyFactory = Java.use("javax.crypto.SecretKeyFactory");
@@ -281,26 +329,73 @@ setTimeout(function() {
             }
 
             cipher.getInstance.overload("java.lang.String").implementation = function (arg0) {
-                fusion_sendKeyValueData("cipher.getInstance", [
+
+                var data = [
                     {key: "Algorithm", value: arg0}
-                ]);
-                return this.getInstance(arg0);
+                ];
+
+                var instance = this.getInstance(arg0);
+                try{
+                    data = data.concat([
+                        {key: "HashCode", value: instance.hashCode().toString()},
+                    ]);
+                    data = data.concat([
+                        {key: "Algorithm", value: instance.getAlgorithm()}
+                    ]);
+                } catch (err1) {
+                    fusion_sendError(err1)
+                }
+
+                fusion_sendKeyValueData("cipher.getInstance", data);
+                return instance;
             };
 
             cipher.getInstance.overload("java.lang.String", "java.lang.String").implementation = function (arg0, arg1) {
-                fusion_sendKeyValueData("cipher.getInstance", [
+
+                var data = [
                     {key: "Algorithm", value: arg0},
                     {key: "Provider", value: arg1}
-                ]);
-                return this.getInstance(arg0, arg1);
+                ];
+
+                var instance = this.getInstance(arg0, arg1);
+                try{
+                    data = data.concat([
+                        {key: "HashCode", value: instance.hashCode().toString()},
+                    ]);
+                    data = data.concat([
+                        {key: "Algorithm", value: instance.getAlgorithm()}
+                    ]);
+                } catch (err1) {
+                    fusion_sendError(err1)
+                }
+
+                fusion_sendKeyValueData("cipher.getInstance", data);
+                return instance;
+
             };
 
             cipher.getInstance.overload("java.lang.String", "java.security.Provider").implementation = function (arg0, arg1) {
-                fusion_sendKeyValueData("cipher.getInstance", [
+                
+                var data = [
                     {key: "Algorithm", value: arg0},
                     {key: "Provider", value: arg1}
-                ]);
-                return this.getInstance(arg0, arg1);
+                ];
+
+                var instance = this.getInstance(arg0, arg1);
+                try{
+                    data = data.concat([
+                        {key: "HashCode", value: instance.hashCode().toString()},
+                    ]);
+                    data = data.concat([
+                        {key: "Algorithm", value: instance.getAlgorithm()}
+                    ]);
+                } catch (err1) {
+                    fusion_sendError(err1)
+                }
+
+                fusion_sendKeyValueData("cipher.getInstance", data);
+                return instance;
+                
             };
 
             cipher.doFinal.overload("[B").implementation = function (arg0) {
@@ -568,12 +663,39 @@ setTimeout(function() {
 
 function fusion_keyToBase64(key){
     if (key === null || key === undefined) return "IA==";
+    const cName = fusion_getClassName(key);
     try{
+
+        try{
+            if (cName == "java.security.spec.RSAPrivateKeySpec" || (cName == "javax.crypto.spec.SecretKeySpec" && key.getAlgorithm() == "RSA")){
+                return {
+                    classType: cName,
+                    modulus: key.getModulus(),
+                    privateExponent: key.getPrivateExponent(),
+                }
+            }
+        } catch (e1) {}
+
+        /*
+        const cName = fusion_getClassName(key);
+
+        if ("com.android.org.conscrypt.OpenSSLRSAPrivateKey" == cName) return "IA==";
+
+        fusion_sendMessageWithTrace("W", "fusion_keyToBase64\n" + fusion_getClassName(key));
+
+        if ("javax.crypto.spec.SecretKeySpec" == cName) {
+            var algo = key.getAlgorithm();
+            if (algo == "AES") return "IA==";
+        }
+        
+        var tst = key.getEncoded();
+        fusion_sendMessageWithTrace("W", "fusion_keyToBase64\n" + fusion_getClassName(tst));
+        */
         
-        return fusion_bytesToBase64(key.getEncoded())
+        return fusion_bytesToBase64(key.getEncoded());
 
     } catch (err) {
-        fusion_sendMessage("W", err);
-        return "IA==";
+        //fusion_sendMessage("W", `Error: ${err}`)
+        return fusion_stringToBase64(`Error getting key from class (${cName}): ${err}`);
     }
 }

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/frida_fusion/modules/crypto/crypto.py

@@ -457,6 +457,24 @@ class Crypto(ModuleBase):
                     message=f"Cipher init received\nHashcode: {hashcode}\nOpmode: {opmode}\nKeytype: {key_class}",
                     script_location=script_location
                 )
+        
+        elif module == "cipher.getInstance":
+            hashcode = received_data.get('hashcode', None)
+            algorithm = received_data.get('algorithm', None)
+
+            self._crypto_db.insert_crypto(
+                package=self._package,
+                hashcode=hashcode,
+                algorithm=algorithm,
+                init_key=None
+            )
+            
+            if not self._suppress_messages:
+                Logger.print_message(
+                    level="D",
+                    message=f"Cipher getInstance received\n{stack_trace}",
+                    script_location=script_location
+                )
 
         elif module == "cipher.doFinal":
             hashcode = received_data.get('hashcode', None)
@@ -516,6 +534,18 @@ class Crypto(ModuleBase):
                         script_location=script_location
                     )
 
+        elif module == "KeyFactory.generatePrivate":
+            #print(received_data)
+            pass
+
+        elif module == "KeyFactory.generatePublic":
+            #print(received_data)
+            pass
+
+        elif module == "org.bouncycastle.asn1!init":
+            #print(received_data)
+            pass
+
         return True
 
     def data_event(self,

{frida_fusion-0.1.15 → frida_fusion-0.1.16}/frida_fusion.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: frida-fusion
-Version: 0.1.15
+Version: 0.1.16
 Summary: Hook your mobile tests with Frida
 Author-email: "Helvio Junior (M4v3r1ck)" <helvio_junior@hotmail.com>
 Maintainer-email: "Helvio Junior (M4v3r1ck)" <helvio_junior@hotmail.com>
@@ -101,6 +101,9 @@ void    fusion_printStackTrace();
 # Print all methods of class 'name'
 void    fusion_printMethods(String name);
 
+# Get value of a field inside an class instance
+Object fusion_getFieldValue(Object obj, String fieldName);
+
 # Wait until the class 'name' exists in memory to execute the callback function
 void    fusion_waitForClass(String name, CallbackFunction onReady)