A frida script that can be used to find the public RSA key used in the native libakamaibmp.so shared library, seen in version 3.3.0 of Akamai BMP

Related tags

Learning resource akamai-bmp-rsa-aes-frida-hook
Overview

Akamai BMP - RSA/AES Frida Hook

This Frida script can be used to find the public RSA key used in the encryption process in Akamai BMP 3.3.0. Since version 3.3.0, Akamai uses a shared library to handle the encryption process, rather than in Java.

It can also be used to inspect the sensor data before it goes through the AES-CBC-128 encryption routine.

The public key is encrypted inside the shared library, and a function called rotate_string decrypts it into the public key. This Frida scripts hooks into a function called Crypto::RSAEncrypt that takes the clear text RSA key as a parameter, and dumps it out.

How to use the script

This script was tested on an Android ARM device. You will need to adjust the memory addresses for any other architectures.

This script assumes that you have already rooted and installed Frida on your Android device.

frida -l "D:\akamai-bmp-rsa-hook.js" -f com.ihg.apps.android -U

Output

Below is an example of the output from the script (screenshot purposly cropped to stop you being lazy...)

enter image description here

Finding the memory address of RSAEncrypt

  1. Unzip an APK that uses Akamai BMP 3.3.0
  2. Load the libakamaibmp.so file from /lib/arm64-v8a (if using an ARM device, if not, select the correct file for your architecture) in Ghidra
  3. Search for RSAEncrypt in the Symbol Tree
  4. Replace the memory address in the script (variable rsaEncryptAddr) with the one highlighted in the screenshot
  5. Ensure the base image address is correct by clicking; Window -> Memory Map -> Set Image Base. If it is different, replace the correct value in the Frida script (ghidraImageBase)

enter image description here

You might also like...

Odoo Javascript Framework Training (public version)

Introduction to JS framework Introduction For this training, we will put ourselves in the shoes of the IT staff for the fictional Awesome T-Shirt comp

Dec 16, 2022

A community-centric site like you've never seen before.

Kleptonix A community-centric site like you've never seen before. Overview This section will be updated when basic posting and account creation functi

Apr 19, 2022

Unfurl links into rich cards, as seen in places like Slack and Twitter

eleventy-plugin-unfurl Turn URLs into rich cards. Show a preview image, page title, description and other meta information all inside a neatly present

Dec 16, 2022

A native, pure and exquisite web components library which can be used anywhere.

A native, pure and exquisite web components library which can be used anywhere.

What Is This ? This is a project on pure web components merely using native HTML、CSS and JavaScript technologies. It has features below: based on web

Nov 16, 2022

Shared eslint configuration for Strapi v4 plugins & applications.

This package is currently under development and should be consider ALPHA in terms of state. I/We are currently accepting contributions and/or dedicated contributors to help develop and maintain this package.

Oct 28, 2022

MultiSafe is a shared crypto wallet for managing Stacks (STX) and Bitcoin (BTC).

MultiSafe MultiSafe is a shared crypto wallet for managing Stacks (STX) and Bitcoin (BTC). Deploy a MultiSafe https://app.multisafe.xyz/ Features Curr

Dec 26, 2022

🧠 My second brain — Ideas, thoughts, resources, notes… All publicly shared in one place.

🧠 Second Brain Welcome to my second brain. This is a collection of notes, journals, and resources written or collected by me (@pixelsbyeryc), in an a

May 4, 2022

Example code for MFE routing, shared state, build-time & runtime deploy video

Turborepo starter with pnpm This is an official starter turborepo. What's inside? This turborepo uses pnpm as a packages manager. It includes the foll

Nov 2, 2022

iCloud Shared Album → GitHub Action → Jekyll data files

stories-feed-action A GitHub Action that fetches a from an iCloud shared album, commits the images into the repository, and then generate a data file

Nov 24, 2022
Comments
  • Add auto find of encryption functions

    Add auto find of encryption functions

    This improvements automates address finding of functions that we're interested in. It should work for every app where the shared library's export name includes RSAEncrypt and AESEncrypt, but I only checked Zalando. I removed "Finding the memory address of RSAEncrypt" section from README.md since it's no longer needed.

    opened by ignassew 0
Owner
yog
Discord: yog#6969
yog
GitHub
Vaultacks lets users store files off-chain on Gaia. Files are encrypted by default but also can be made public and shared

Vaultacks Vaultacks is built on the Stacks Chain. It lets users upload files to Gaia, a off-chain data storage system. Vaultacks currently uses the de

Anish De 5 Sep 14, 2022
This CLI tool allows you to convert the encrypted Akamai 2.0 sensor data payload back to its plaintext form.

Akamai 2.0 Sensor Data Decryption Tool This CLI tool allows you to convert the encrypted Akamai 2.0 sensor data payload back to its plaintext form. Us

null 41 Jan 1, 2023
A small utility server to exchange data and messages between clients. Comes complete with E2E public key encryption

Zenotta Intercom A small utility server to exchange arbitrary data between clients. Comes complete with E2E public key encryption Official documentati

Zenotta AG 7 Oct 2, 2022
⚙️ Monorepo for shared configurations used in Alphaworks

@alpha-dao/shared-config Usage Shared Config Wondering which configuration to use when starting a new project? Then you're probably looking for this m

Alphaworks 8 Nov 17, 2022
frida snippet generator firefox extension for developer.android.com

Frida Snippet Generator for developer.android.com Right click on function names (public methods section) or fields and it will automatically copy gene

Ahmet Bilal Can 22 Sep 4, 2022
A tracer based on frida for XPC messages in iOS and macOS.

XPC tracer A tracer based on frida for XPC messages in iOS and macOS. This project is a variant of xpcspy. In particular for my purpose I didn't devel

Lorenzo 12 Dec 31, 2022
jQuery plugin to show a tabs bar for navigation. The tabs can be defined once, and shared across multiple HTML pages.

jquery.simpletabs v1.2.3 The jquery.simpletabs plugin shows a tabs bar for navigation. The tabs can be defined once, and shared across multiple HTML p

Peter Thoeny 1 Feb 23, 2022
The Space Traveler's Hub is an application where users can check out availble space rockets and book them or cancel the previously made booking. Also users can find a list of current missions along with their brief description and can join the selected mission or leave the mission the user joined earlier.

Space-Travelers-Hub The Space Traveler's Hub is an application where users can check out available space rockets and book them or cancel the previousl

Tiago Lelinski Marin 7 Sep 22, 2022
Solid.js library adding a services layer for global shared state.

Solid Services Services are "global" objects useful for features that require shared state or persistent connections. Example uses of services might i

Maciej Kwaśniak 55 Dec 30, 2022
BestBuy Bot is an Add to cart and Auto Checkout Bot. This auto buying bot can search the item repeatedly on the ITEM page using one keyword. Once the desired item is available it can add to cart and checkout very fast. This auto purchasing BestBuy Bot can work on Firefox Browser so it can run in all Operating Systems. It can run for multiple items simultaneously.

BestBuy Bot — Open Source GPU/PS5/Xbox Bot I took bits from best open and closed sourced bots and made this simple bot. Please star my repo if this co

Karan Kapuria 585 Dec 31, 2022