Problem with [Compile & Reload JS]

Question

Problem with [Compile & Reload JS]

mr-r3bot opened this issue 3 years ago · 7 comments

I'm new to Brida, can anyone please help me to understand that what this message mean ?

Traceback:

Exception reloading script net.razorvine.pyro.PyroException: [frida.InvalidOperationError] session is gone net.razorvine.pyro.serializer.PyroExceptionSerpent.FromSerpentDict(PyroExceptionSerpent.java:32) net.razorvine.pyro.serializer.SerpentSerializer$DictConverter.convert(SerpentSerializer.java:58) net.razorvine.serpent.ObjectifyVisitor.visit(ObjectifyVisitor.java:69) net.razorvine.serpent.ast.DictNode.accept(DictNode.java:8) net.razorvine.serpent.ast.Ast.accept(Ast.java:51) net.razorvine.serpent.ast.Ast.getData(Ast.java:45) net.razorvine.pyro.serializer.SerpentSerializer.deserializeData(SerpentSerializer.java:47) net.razorvine.pyro.PyroProxy.internal_call(PyroProxy.java:272) net.razorvine.pyro.PyroProxy.call(PyroProxy.java:178) burp.BurpExtender$17.run(BurpExtender.java:2814) java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) java.base/java.lang.Thread.run(Thread.java:831)

Answer 1 · 2022-02-28T09:46:19.000Z

Hi @mr-r3bot,

"Compile and Reload JS" tries to compile Frida JS files and reload them when the application is running and Brida is attached. That errors means that Brida is no more attached to the application and consequently it cannot reload the JS (maybe the app is crashed or something similar)

Federico

Answer 2 · 2022-02-28T10:08:18.000Z

Hi @federicodotta ,
Thanks for fast response, it's working find now.
The function that I'm trying to hook to receive 4 params ( body, key, mode, d ). So should I place the params in:

encryptrequest: function ( body, key, mode, d )

or:

 encryptrequest: function () {
    Java.perform(function () {
      Java.use("class.EncryptAES").encryptDecrypt.implementation = function (body, key, mode, d) {
        console.log("ABC");
        return this.encryptDecrypt(body, key, mode, d);
      }
    });
  },

Answer 3 · 2022-03-01T10:23:06.000Z

Hi @mr-r3bot,

Your goal is to call the encryptrequest from a plugin or to add only a Frida interception hook? In the latter case you can simply put your hook as usual in brida.js and you don't need to put it in an exported function.

If you want to call the encryptrequest from a Brida plugin you have to change your code to something like this (if "encryptDecrypt" is a static method, otherwise you need an instance of it) and you need to pass the four parameters to the function when you call it (you cannot return from a Java.perform block):

 encryptrequest: function (body, key, mode, d) {
     var ret = null;
    Java.perform(function () {
        var encryptAES_Class = Java.use("class.EncryptAES");
        ret = encryptAES_Class.encryptDecrypt(body, key, mode, d);
       console.log("ABC");
    });
    return ret;
  },

You can find more details in the Wiki, some demo application with plugins and Frida code in the "Demo" folder and a video that presents the demos here.

Federico

Answer 4 · 2022-03-02T04:34:01.000Z

Hi @federicodotta ,

My goal is to call encryptrequest from a custom plugin, like your demo. Is it possible if I ask you more about the tool and the plugins here in this thread ?. Because I find the documentation do not have what I needed :(, so I have a lot of confusion.

Thanks so much for helping and your tool is great

Answer 5 · 2022-03-02T08:33:16.000Z

In the Mobile Application I work with:

Mobile app using AES encryption, generate keys and IV at run time
Mode: there are 2 modes encrypt and decrypt

Params explain:

Body: unencrypted body || encrypted body ( depends on the `mode` )
Mode: Encrypt || Decrypt
Key: key to encrypt body
d: IV

I cannot get the key and mode in Burp plugin to call encryptrequest ( body, key, mode ,d ). I only have access to those params at

encryptAES_Class.encryptDecrypt.implementation = function (body, key, mode, d) {}

So when mode is encrypt:

Body param contained unencrypted body message ( this is what I want, I want to send unencrypted body to Brida plugin )
Because I'm changing its implementation, I will have to call return this.encryptDecrypt(body, key, mode ,d) to make sure the function still run correctly

Is it possible for me to use Frida JS API send (message,[..data]) (https://frida.re/docs/javascript-api/#communication-send ) to Brida custom plugin ?

Answer 6 · 2022-03-04T02:40:45.000Z

Hi @federicodotta ,

Also, how can I pass params to exported Frida functions ?

JS file:

 encryptdecryptaes: function (message, mode, requestKey) {
}

Plugin code:

 String ret = (String)pp.call("callexportfunction","encryptdecryptaes", body, "DECRYPT", requestKey);

PLugin setting:

I don't see any config in Burp UI to let me specify the parameters from plugin,
I'm quite stuck right now ;(

Answer 7 · 2022-03-10T07:30:03.000Z

I solved all the issues above. Thanks for helping