null-vector-cbcmode
4 views
a3567a6e...
Description
Script to check if vector is null when cbc mode of encryption is used
How to Use
Download the script and run it with Frida CLI:
Download ScriptThen run with Frida:
frida -U -f YOUR_PACKAGE_NAME -l null-vector-cbcmode.js
Replace YOUR_PACKAGE_NAME with the target app's package name.
Source Code
JavaScript
//python3 frida -f com.test.sampleiOS -U -l ~/Downloads/null.js
const libraryName = "libcommonCrypto.dylib";
const functionName = "CCCrypt";
const CCCryptCreatePtr = Module.findExportByName(libraryName, functionName);
if (CCCryptCreatePtr !== null) {
console.log("[*] Hooking " + functionName);
Interceptor.attach(CCCryptCreatePtr, {
onEnter: function(args) {
this.op = args[0].toInt32(); // 0 = Encrypt, 1 = Decrypt
this.dataIn = args[6];
this.dataInLength = args[7].toInt32();
this.dataOut = args[8];
console.log("[*] Intercepted CCCryptCreate");
//console.log(args[1].toInt32());
//console.log(args[2].toInt32());
if (args[1].toInt32() == 0){
if (args[2].toInt32() == 1 || args[2].toInt32() == 3 ) {
var iv = Memory.readByteArray(args[5], 16);
if (iv == null) {
//console.log(args[2].toInt32());
console.log("mode is kCCOptionPKCS7Padding of CBC used and iv is null");
}
}
}
},
onLeave: function(retval) {
console.log("[*] CCCryptorCreate returned:", retval);
if (this.op === 0) {
// Encrypting - we capture plaintext input
var plaintext = Memory.readByteArray(this.dataIn, this.dataInLength);
console.log("Plaintext input:", hexdump(plaintext));
}
}
});
} else {
console.log("[-] Unable to find " + functionName + " function to hook.");
}
Comments