[4b] Cast a wide net with DBI
Back in DBI land, we are ready to 'cast a wider net' by doing a less specific trace.
This time, instead of using traceMethod, we will use traceClass.

Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.decrypt [2 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.encrypt [2 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.encryptPin [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.getBucketIdForPin [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.getEncryptedKeysForPin [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.getPinKeyForPin [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.padKeyForDes [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.patternMatches [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.persistPin [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch [1 overload(s)]
Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.setEncryptedKeysForPin [1 overload(s)]

Perfect - looks like everything got hooked. Let's try entering a bad PIN again.

Frida has turned our app into quite the storyteller! If we peruse the list, it looks like the functions are called in this order:
- getBucketIdForPin - eventually returns null
- pinsMatch - eventually returns false
- encryptPin - returns "7110eda4d09e062aa5e4a390b0a572ac0d2c0220"
- pinsMatch - returns false
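
How a class-wide trace like the traceClass call above can be built, as an added example that is not the script used in this walkthrough: it lists the class's declared methods by reflection, then wraps every overload so each call logs its arguments and return value. Passing the Java bridge and the logger in as parameters is an assumption made here so the same logic can run against a stub outside Frida.

```javascript
// Added example, not the walkthrough's script. `bridge` is Frida's global
// `Java` object; it is a parameter (an assumption of this example) so the
// same logic can be driven by a stub outside Frida.
function traceClass(bridge, className, log) {
  const klass = bridge.use(className);

  // Reflection returns one entry per overload, so collapse to unique names.
  // Only methods declared on this class are listed, not inherited ones.
  const names = new Set();
  klass.class.getDeclaredMethods().forEach((m) => names.add(m.getName()));

  const hooked = [];
  Array.from(names).sort().forEach((name) => {
    const overloads = klass[name].overloads;
    log(`Tracing ${className}.${name} [${overloads.length} overload(s)]`);

    overloads.forEach((overload) => {
      // Regular function (not an arrow) so `this` is the receiver Frida binds.
      overload.implementation = function (...args) {
        log(`*** entered ${className}.${name}`);
        args.forEach((a, i) => log(`arg[${i}]: ${a}`));
        // Forward to the original method: observe only, never alter results.
        const retval = this[name].apply(this, args);
        log(`retval: ${retval}`);
        log(`*** exiting ${className}.${name}`);
        return retval;
      };
    });
    hooked.push(name);
  });
  return hooked;
}

// Entry point when loaded by Frida; skipped where no Java bridge exists.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    traceClass(Java, 'com.github.browep.privatephotovault.crypto.CryptoUtils',
      (line) => console.log(line));
  });
}
```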