
Recently I tried to get the value of the secret key used for HMAC, but I'm unable to hook into the constructor. Here is my Frida code:

    var secretKey = Java.use("javax.crypto.spec.SecretKeySpec")
    var mac = Java.use("javax.crypto.Mac")

    mac.init.overload('java.security.Key').implementation = function (bytes) {
        console.log("Mac init..")
        return this.init(bytes)
    }

    secretKey.$init.overload('[B', 'java.lang.String').implementation = function (keyBytes, algo) {
        console.log("SecretKey (" + algo + ") -> ")
        return this.$init(keyBytes, algo)
    }

    secretKey.$init.overload('[B', 'int', 'int', 'java.lang.String').implementation = function (keyBytes, i, i2, algo) {
        console.log("SecretKey (" + algo + ") -> ")
        return this.$init(keyBytes, i, i2, algo)
    }

But none of those hooks work. I don't know what the reason could be. I checked that this app uses an enum to create the Mac instance, and it's probably executed during runtime. This is how the code looks:

    public static void m26694i(Type type, String str) throws Exception {
        synchronized (f21525a) {
            if (f21526b == null) {
                f21526b = type.getMacEnc(str);
            }
        }
    }

#2

    public enum Type {
        KEY {
            @Override
            /* renamed from: getMac */
            public Mac getMacEnc(String str) throws Exception {
                return HmacUtil.m26681a(str);
            }
        },
        FILE {
            @Override
            /* renamed from: getMac */
            public Mac getMacEnc(String str) throws Exception {
                Properties properties = new Properties();
                InputStream inputStream = null;
                try {
                    inputStream = MACManager.class.getResourceAsStream(str);
                    if (inputStream != null) {
                        properties.load(inputStream);
                        return HmacUtil.m26681a((String) properties.elements().nextElement());
                    }
                    throw new FileNotFoundException(str);
                } finally {
                    if (inputStream != null) {
                        inputStream.close();
                    }
                }
            }
        };

        /* renamed from: getMac */
        public abstract Mac getMacEnc(String str) throws Exception;
    }

#3

    public static Mac m26681a(String str) throws NoSuchAlgorithmException, InvalidKeyException {
        SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "HmacSHA1");
        Mac instance = Mac.getInstance("HmacSHA1");
        instance.init(secretKeySpec);
        return instance;
    }

Any ideas how to hook into the SecretKeySpec constructor?

Kaspek
  • Are you sure `m26681a` is invoked? – whoopdedoo Jul 18 '21 at 12:00
  • Well, I'm not 100% sure, but creating a new instance of SecretKeySpec is obvious, and it's not hooked by Frida – Kaspek Jul 18 '21 at 12:12
  • Your code of #3 works without problems for me, it prints `SecretKey (HmacSHA1)` and `Mac init..`. – Robert Jul 18 '21 at 12:59
  • Yeah, but it doesn't work for me... – Kaspek Jul 18 '21 at 15:44
  • @Kaspek Then it is not a problem with the Frida code but with the app. Maybe it implements countermeasures against Frida? Use a self-written stand-alone app, but make sure to manually install the full APK (Android Studio supports modification of running apps, not sure if Frida can handle this). And lastly, please use the @ handle when answering in comments when there are more than two participants, otherwise nobody will get a notification of your comment. – Robert Jul 19 '21 at 11:41
