extractkeys
b5d601d2...
Description
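A script that extracts/intercepts private keys from an Android app that uses an OpenSSL-based native library, using the i2d_PrivateKey and PEM_read_bio_PrivateKey functions: it hooks PEM_read_bio_PrivateKey and calls i2d_PrivateKey to DER-encode the key that the hooked call returns.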
How to Use
Download the script and run it with Frida CLI:
Then run it with Frida:
frida -U -f YOUR_PACKAGE_NAME -l extractkeys.js
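Replace YOUR_PACKAGE_NAME with the target app's package name, and set the libopenssl variable (marked CHANGEME in the source) to the file name of the OpenSSL library the app loads.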
Source Code
JavaScript
/*
 * Frida script: hooks PEM_read_bio_PrivateKey in one native library and, for
 * every non-null key it returns, DER-encodes that key with i2d_PrivateKey and
 * writes the bytes to a file on the device.
 *
 * What this demonstrates for an assessment: a private key that an app parses
 * with PEM_read_bio_PrivateKey is held in process memory in a form OpenSSL can
 * re-serialize, so it is recoverable by anything able to instrument the
 * process. Keys that never pass through this function are not seen by this
 * script.
 */
// The whole body is deferred by 60 ms.
// NOTE(review): presumably this gives the target library time to load after
// spawn; nothing here checks that it has — confirm for the app under test.
setTimeout(function() {
    // Runs inside Frida's Java.perform callback, although the code below only
    // uses native APIs (Module, Interceptor, NativeFunction, Memory, File).
    Java.perform(function() {
        // File name of the native library whose OpenSSL exports are looked up.
        // This is a placeholder and must be replaced before use.
        var libopenssl = "MONITORED_OPENSSL_LIB.so"; // CHANGEME

        /**
         * DER-encode the key behind `pkey` and write it to a fixed file.
         *
         * @param {NativePointer} pkey - pointer treated as an OpenSSL EVP_PKEY
         *     (here: the return value of PEM_read_bio_PrivateKey).
         * Returns nothing; logs an error and returns early when `pkey` is
         * missing or null, and writes no file when the reported length is <= 0.
         */
        function writePrivateKeyToFile(pkey) {
            if (!pkey || pkey.isNull()) {
                console.error("Invalid EVP_PKEY pointer");
                return;
            }
            // Wrap the library's own i2d_PrivateKey export as int (pointer, pointer).
            // NOTE(review): the findExportByName result is not checked; if the
            // export is not found it is null and the constructor presumably throws.
            var i2d_PrivateKey = new NativeFunction(Module.findExportByName(libopenssl, 'i2d_PrivateKey'), 'int', ['pointer', 'pointer']);
            // This message precedes the script's own call below; i2d_PrivateKey
            // itself is not hooked anywhere in this script.
            console.log(">>>> i2d_PrivateKey called! <<<<");
            // First call with a NULL output argument: only the encoded length is returned.
            var derLength = i2d_PrivateKey(pkey, NULL);
            if (derLength > 0) {
                // derData is passed as OpenSSL's `unsigned char **` argument, i.e.
                // it is used as a slot holding a pointer, not as the DER buffer.
                // NOTE(review): the readPointer() below only makes sense if that
                // slot starts out as NULL, in which case OpenSSL allocates the
                // output buffer itself and stores its address in the slot —
                // confirm that Memory.alloc zero-fills on the Frida version used.
                var derData = Memory.alloc(derLength);
                // Return value of the second call is ignored.
                i2d_PrivateKey(pkey, derData);
                // Follow the pointer stored in the slot and copy derLength bytes.
                // NOTE(review): the buffer that pointer refers to is never freed here.
                var derBuffer = Memory.readByteArray(ptr(derData).readPointer(), derLength);
                // Fixed output path opened with mode "wb": the file holds the
                // unencrypted DER encoding of the key, and a later key presumably
                // replaces an earlier one. NOTE(review): the certs directory
                // presumably has to exist already — confirm.
                var filename = "/data/local/tmp/certs/pke";
                var file = new File(filename, "wb");
                file.write(derBuffer);
                file.flush();
                file.close();
                console.log("Private key written to file: " + filename);
            }
        }

        // Hook the library's PEM_read_bio_PrivateKey export.
        // NOTE(review): as above, a null findExportByName result is not handled.
        Interceptor.attach(Module.findExportByName(libopenssl, 'PEM_read_bio_PrivateKey'), {
            // Entry is only logged; the arguments are not inspected.
            onEnter: function(args) {
                console.log(">>>> PEM_read_bio_PrivateKey called! <<<<");
            },
            // On return, the return value is logged and, when non-null, handed
            // to writePrivateKeyToFile as the key pointer.
            onLeave: function(retval) {
                console.log("PEM_read_bio_PrivateKey retval: " + retval);
                if (!retval || retval.isNull()) {
                    console.error("Invalid PEM_read_bio_PrivateKey return value");
                    return;
                }
                console.log("Writing private key to file...");
                writePrivateKeyToFile(retval);
            },
        });
    });
}, 60);
Comments