> For the complete documentation index, see [llms.txt](https://summit-labs.frida.ninja/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://summit-labs.frida.ninja/lab/4c-pin-bruteforce/4c.1-pin-bruteforce-in-depth.md). # \[4c.1] PIN bruteforce (in depth) This page is intended to cover how the PIN bruteforce works and how it all goes together. The requirements of our bruteforcing function can be summed up as: iterate every possible combinations of PINs, starting with 0000 and working our way up to 9999, and invoke the `pinsMatch` function on each combination until we get a `true` result. ``` function bruteforcePIN() { Java.perform(() => { var CryptoUtils = Java.use('com.github.browep.privatephotovault.crypto.CryptoUtils'); var StringUtils = Java.use('org.apache.commons.lang.StringUtils'); var context = getApplicationContext(); for (var i = 0; i < 10000; i++) { if (i % 1000 == 0) { console.log('Tried', i, 'PINs'); } var currentPin = StringUtils.leftPad(i.toString(), 4, '0'); if (CryptoUtils.pinsMatch(currentPin, 'pin', context)) { console.log('found it!', currentPin); break; } } }); } ``` ### Line 2 - Java.perform ``` Java.perform(() => { // do stuff }); ``` Wrapping code in a Java.perform are a necessary evil whenever we use frida on Android. You can bank on needing to wrap just about every call you make inside of one. ![The good news is, frida will let you know quite definitively if you forget.](/files/-M4FkCbKeIRNAdbwo3LJ) ### Lines 3 and 4 - Java.use ``` var CryptoUtils = Java.use('com.github.browep.privatephotovault.crypto.CryptoUtils'); var StringUtils = Java.use('org.apache.commons.lang.StringUtils'); ``` Java.use statements are necessary whenever you want to interact with Java classes. This goes for both classes that are part of the target app, and also classes that are part of the standard libraries. Java.use provides a wrapper with which you can do fun things with like invoking functions! In this case, we are obtaining two wrappers: CryptoUtils, and StringUtils. If you consider the namespaces, you may note that StringUtils is not part of the "privatephotovault" but rather part of the Apache Commons library. ### Line 5 - getApplicationContext() ``` var context = getApplicationContext(); ``` At the risk of delving too far into the programming concepts, I want to explain the purpose of this call very simply to start: we need a Context to pass to our `pinsMatch` function (argument 3). That's it. That's the only reason! *Ok, that makes sense, but what is a Context?* Essentially, every single Android app is going to have Application Context. [This article on mindorks.com](https://blog.mindorks.com/understanding-context-in-android-application-330913e32514) provides a decent explanation. One last thing -- the getApplicationContext function is actually defined earlier in our `privatePhotoVault.js` script. ``` function getApplicationContext() { const ActivityThread = Java.use("android.app.ActivityThread"); const currentApplication = ActivityThread.currentApplication(); var ret = currentApplication.getApplicationContext(); return ret; } ``` As you can see, it is doing more of the same of what we've done earlier in the script. We're getting a wrapper to `android.app.ActivityThread`, then invoking two functions and ultimately returning our Application Context. ### Line 6 - For loop ``` for (var i = 0; i < 10000; i++) { // Loop stuff... } ``` Now we finally get to the good stuff! This loop starts at 0, and works its way up to 9999, and incrementing by one at a time. ### Lines 7-9 - Update Progress ``` if (i % 1000 == 0) { console.log('Tried', i, 'PINs'); } ``` This section isn't necessary -- it's just for information. Every 1000 entries, we want to let the console know how many tries we've done. {% hint style="info" %} If you're wondering what the % operator is, it's called [modulo](https://en.wikipedia.org/wiki/Modulo_operation). Essentially, what if anything left over after dividing by a number. {% endhint %} ### Line 10 - Preparing our PIN attempt ``` var currentPin = StringUtils.leftPad(i.toString(), 4, '0'); ``` We're tantalizingly close to trying our PIN now! We have one final step: currently, our loop is counting from 0 to 9999, but the passcode we need to try is "0000", "0001", etc. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://summit-labs.frida.ninja/lab/4c-pin-bruteforce/4c.1-pin-bruteforce-in-depth.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.