Open thecoder8324 opened 4 months ago
yoshimo
commented
4 months ago I guess we have another game engine (LibGDX) here that , like Unity, comes with its own network stack. (https://libgdx.com/wiki/networking) It is just not supported at this point in time .
hyrathon
commented
4 months ago On some Android devices the following code will return since SSL_get_fd return -1
Interceptor.attach(this.addresses["SSL_write"],
{
onEnter: function (args: any) {
if (!ObjC.available){
this.fd = OpenSSL_BoringSSL.SSL_get_fd(args[0])
if(this.fd < 0) {
return
}
var message = getPortsAndAddresses(this.fd as number, false, lib_addesses)
message["ssl_session_id"] = OpenSSL_BoringSSL.getSslSessionId(args[0])
message["function"] = "SSL_write"
message["contentType"] = "datalog"I don't know if it is because of the lack of permission or some Android OEM quirks. The google ssl_logger just ignore this so they can log traffic without ip/port.
monkeywave
commented
4 months ago Hi,
On some Android devices the following code will return since SSL_get_fd return -1
Interceptor.attach(this.addresses["SSL_write"], { onEnter: function (args: any) { if (!ObjC.available){ this.fd = OpenSSL_BoringSSL.SSL_get_fd(args[0]) if(this.fd < 0) { return } var message = getPortsAndAddresses(this.fd as number, false, lib_addesses) message["ssl_session_id"] = OpenSSL_BoringSSL.getSslSessionId(args[0]) message["function"] = "SSL_write" message["contentType"] = "datalog"I don't know if it is because of the lack of permission or some Android OEM quirks. The google ssl_logger just ignore this so they can log traffic without ip/port.
Originally, friTap was designed with live forensics in mind, aiming to preserve socket information for thorough analysis. We've since introduced a new feature, --enable_default_fd, which supplies default socket information when writing to the pcap file. This enhancement ensures that users have access to essential data, even when specific socket details are unavailable, thereby maintaining the utility and effectiveness of forensic investigations.
monkeywave
commented
4 months ago I am testing the app "Rucoy Online" for http data upon character login. Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.
It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection. I assume the hooked functions correspond to this.
This app is on the playstore, feel free to give it a try!
Can you retry it with the latest friTap version (1.1.0.5). Also consider the following: https://github.com/fkie-cad/friTap?tab=readme-ov-file#problems
thecoder8324
commented
3 months ago Hello,
Thank you for the update, I tried using the new version of Fritap on the same app, but now I am receiving these errors:
As you can see, I have run the command for both key logging and pcap traffic, with and without the --enable_default_fd flag for each case. Do you know what these errors mean?
The device I am using is a Genymotion emulated Google Nexus 4. If anyone can somehow succesfully log the TLS keys/traffic for this app, help would be appreciated. Thanks!
monkeywave
commented
1 week ago Hi,
there was a bug how friTap hooked Conscrypt and other Android related libraries in the past which should be solved in the latest version of friTap (version 1.1.1.0) .
Can you try to log the keys in the latest version of friTap?
thecoder8324
commented
3 days ago Hi, thank you for the response
This is my result after trying fritap -m -k rucoykeys.log -v -s com.mmo.android -d with current latest version of friTap (1.1.1.2):
I am testing the app "Rucoy Online" for http data upon character login. Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.
It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection. I assume the hooked functions correspond to this.
This app is on the playstore, feel free to give it a try!