This Frida script can be used to find the public RSA key used in the encryption process in Akamai BMP 3.3.0. Since version 3.3.0, Akamai uses a shared library to handle the encryption process, rather than in Java.
It can also be used to inspect the sensor data before it goes through the AES-CBC-128 encryption routine.
The public key is encrypted inside the shared library, and a function called rotate_string decrypts it into the public key. This Frida scripts hooks into a function called Crypto::RSAEncrypt that takes the clear text RSA key as a parameter, and dumps it out.
This script was tested on an Android ARM device. You will need to adjust the memory addresses for any other architectures.
This script assumes that you have already rooted and installed Frida on your Android device.
frida -l "D:\akamai-bmp-rsa-hook.js" -f com.ihg.apps.android -U
Below is an example of the output from the script (screenshot purposly cropped to stop you being lazy...)
- Unzip an APK that uses Akamai BMP 3.3.0
- Load the
libakamaibmp.sofile from/lib/arm64-v8a(if using an ARM device, if not, select the correct file for your architecture) in Ghidra - Search for
RSAEncryptin the Symbol Tree - Replace the memory address in the script (variable
rsaEncryptAddr) with the one highlighted in the screenshot - Ensure the base image address is correct by clicking; Window -> Memory Map -> Set Image Base. If it is different, replace the correct value in the Frida script (
ghidraImageBase)
