m0bilesecurity / RMS-Runtime-Mobile-Security

Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
https://twitter.com/mobilesecurity_
GNU General Public License v3.0

Help wanted #19

Closed balramrexwal closed 4 years ago

balramrexwal commented 4 years ago

Hi,

I am analysing an Android malware named SimpleLocker, which encrypts files into .enc format. You can get the sample at https://we.tl/t-bc487mbWG9. On analysing its source code, calling function b() at org.simplelocker.d can decrypt files. So I ran this code in the RMS tool:

Java.performNow(function () {
    var classname = "org.simplelocker.d"
    var classmethod = "b";
    var methodsignature = "public final void b()";

    Java.choose(classname, {
        onMatch: function (instance) {
            try 
            {
                var returnValue;
                //public final void b()
                returnValue = instance.b(); //<-- replace v[i] with the value that you want to pass

                //Output
                var s = "";
                s=s+"[Heap_Search]\n"
                s=s + "[*] Heap Search - START\n"

                s=s + "Instance Found: " + instance.toString() + "\n";
                s=s + "Calling method: \n";
                s=s + "   Class: " + classname + "\n"
                s=s + "   Method: " + methodsignature + "\n"
                s=s + "-->Output: " + returnValue + "\n";

                s = s + "[*] Heap Search - END\n"

                send(s);
            } 
            catch (err) 
            {
                var s = "";
                s=s+"[Heap_Search]\n"
                s=s + "[*] Heap Search - START\n"
                s=s + "Instance NOT Found or Exception while calling the method\n";
                s=s + "   Class: " + classname + "\n"
                s=s + "   Method: " + methodsignature + "\n"
                s=s + "-->Exception: " + err + "\n"
                s=s + "[*] Heap Search - END\n"
                send(s)
            }

        }
    });

});

It decrypts the files on the device. But running the same code using Frida-CLI, by saving it in a decrypt.js file and running the frida script as

frida -U -l decrypt.js -f org.simplelocker --no-pause

It fails to decrypt. Can anyone suggest why? Also, when I use the code below in Frida-CLI, it does not execute until I make some changes in the file dynamically.

Java.perform(function x() {
    // console.log("[ * ] Starting Decrypting, please wait...");
    Java.choose("org.simplelocker.d", {
        onMatch: function(instance) {
            console.log("[ * ] Instance found in memory: " + instance);
            // var i=instance.b();
            console.log("[ + ] " + instance.b());
            console.log("[ + ] " + instance.b());
            send(instance.b());
        },
        onComplete: function x() {}
    });
});

I want it to execute automatically on script load.

oleavr commented 4 years ago

Perhaps you're running the code too early, before the class has been loaded?
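
Following the suggestion above, one way to defer the heap search until an instance of org.simplelocker.d exists, as an added example that is not part of the original thread: with `-f ... --no-pause` the script loads at spawn, and Java.choose only sees objects already on the heap. The helper name `chooseWhenReady`, its options and the retry values are assumptions; only `perform` and `choose` are Frida Java bridge calls.

```javascript
// Added example: chooseWhenReady and its option names are hypothetical helpers.
// Only perform() and choose() are Frida Java bridge calls.
function chooseWhenReady(bridge, className, onInstance, opts) {
  const o = Object.assign(
    { retries: 20, delayMs: 500, schedule: setTimeout, done: function () {} },
    opts
  );
  let attempt = 0;
  let lastError = null;

  function finish(found) {
    if (found > 0 || attempt >= o.retries) {
      o.done({ found: found, attempts: attempt, error: lastError });
      return;
    }
    o.schedule(tryOnce, o.delayMs); // nothing on the heap yet, look again later
  }

  function tryOnce() {
    attempt += 1;
    lastError = null;
    bridge.perform(function () {
      let found = 0;
      let completed = false;
      try {
        bridge.choose(className, {
          onMatch: function (instance) { found += 1; onInstance(instance); },
          onComplete: function () { completed = true; finish(found); }
        });
      } catch (err) {
        // Thrown when the class is not loaded yet, or by onInstance itself.
        lastError = String(err);
        if (!completed) finish(found);
      }
    });
  }

  tryOnce();
}

// Runs only inside Frida, where the global Java bridge and send() exist.
if (typeof Java !== "undefined" && Java.available) {
  chooseWhenReady(Java, "org.simplelocker.d", function (instance) {
    instance.b(); // method the issue author identified as the decrypt routine
  }, { done: function (r) { send("[Heap_Search] " + JSON.stringify(r)); } });
}
```

If the instance is only created after some user interaction in the app, the retry window (here 20 attempts, 500 ms apart) has to be long enough to cover it.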