How To Decrypt Android JSON Payload?

- 1 answer

I am new to Android and Java in general. I wanted to inspect how a specific app works, so I began by decompiling the app using apktool and then used jadx to browse the source files. Everything makes sense so far, so I added mitmproxy to inspect the network traffic from the app.

I know that the request reply is a JSON payload; however, "some of them" are encrypted, possibly using mcrypt or OpenSSL? Tracing methods leads me to this file.

import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MC {
    private IvParameterSpec a;
    private SecretKeySpec b;
    private Cipher c;

    private native int getint();

    public native String I6MOYF();

    static {
        System.loadLibrary("native-lib");
    }

    public MC(String str) {
        this.a = new IvParameterSpec(str.getBytes());
        this.b = new SecretKeySpec((I6MOYF() + String.valueOf(getint())).getBytes(), "AES");
        try {
            this.c = Cipher.getInstance("AES/CBC/NoPadding");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e2) {
            e2.printStackTrace();
        }
    }

    // Client-side encryption: pads with ASCII '0' characters (see a()) because the
    // cipher is created with NoPadding, then encrypts the padded bytes with AES-CBC.
    public byte[] encrypt(String str) throws Exception {
        if (str == null || str.length() == 0) {
            throw new Exception("Empty string");
        }
        try {
            this.c.init(Cipher.ENCRYPT_MODE, this.b, this.a);
            return this.c.doFinal(a(str).getBytes());
        } catch (Exception e) {
            throw new Exception("[encrypt] " + e.getMessage());
        }
    }

    // Appends the character '0' (0x30, not a NUL byte) until the length is a multiple of 16.
    private static String a(String str) {
        int length = 16 - (str.length() % 16);
        for (int i = 0; i < length; i++) {
            str = str + 0;
        }
        return str;
    }

    // Decryption of a hex-encoded payload: decrypts with AES-CBC/NoPadding, then counts
    // every 0x00 byte in the plaintext (not only trailing ones) and drops that many
    // bytes from the end. The decompiler emitted these locals as Object; they are byte[].
    public byte[] des(String str) throws Exception {
        if (str == null || str.length() == 0) {
            throw new Exception("Empty string");
        }
        try {
            this.c.init(Cipher.DECRYPT_MODE, this.b, this.a);
            byte[] doFinal = this.c.doFinal(hexToBytes(str));
            if (doFinal.length > 0) {
                int i = 0;
                for (int length = doFinal.length - 1; length >= 0; length--) {
                    if (doFinal[length] == (byte) 0) {
                        i++;
                    }
                }
                if (i > 0) {
                    byte[] obj = new byte[doFinal.length - i];
                    System.arraycopy(doFinal, 0, obj, 0, doFinal.length - i);
                    return obj;
                }
            }
            return doFinal;
        } catch (Exception e) {
            throw new Exception("[decrypt] " + e.getMessage());
        }
    }

    public static byte[] hexToBytes(String str) {
        byte[] bArr = null;
        if (str != null && str.length() >= 2) {
            int length = str.length() / 2;
            bArr = new byte[length];
            for (int i = 0; i < length; i++) {
                bArr[i] = (byte) Integer.parseInt(str.substring(i * 2, (i * 2) + 2), 16);
            }
        }
        return bArr;
    }
}

I understand that it uses OpenSSL "AES/CBC/NoPadding" mode for decrypting the payload; however, I am at a loss how to take the payload and do it manually.

Here is an example of the payload the server gives. The app sends a key header; however, changing or dropping it does not change the payload, so I concluded it's not using the key for the actual encryption.

AwFpdchYa7twLSEwN884uGQ/CNoLKrGBxtwIXGcL9OQTPPh96I1uhuh85HXLw3XUikVCmKaKgnssGorqYuvHQELce3nAhnaeHDcEsMFIykeitgDWLXeCed6f9UXHn+XF8nC3arHVbhMgIW8bUlWMq6KygRb4jeUufRHJzJ7LK0q6TvY+rF+utv3i//3NCuKfmbiiMlBvyDdMWPIL83YywkdjLujbBn0RNaeqUDjE0I7xqYypWPjwPXH1DZPbnGFYHemJgNS8QKtFnbtiRwEhpzx2sEoe/NBIgvcXsYkRSgrt+Q==

So the main question is: how would you use the provided code to manually decrypt the payload?

EDIT:

As suggested by Mr. @Robert, I tried to see how the native functions are being called, so I installed frida-server on an Android emulator. Here is the interesting call; not sure what to make of it:

/* TID 0x10b1 */
15066 ms  open(pathname="/data/app/com.friga.gameapp-lPtwMqeZ36x47-Yo8YDzOg==/lib/x86/libnative-lib.so", flags=0x0)

I guess this is supposed to be the key? -lPtwMqeZ36x47-Yo8YDzOg==
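The following is an added, stand-alone Java example (not code from the question or from the app) that reproduces the padding scheme behind the MC class with a constructed 16-byte key and IV in place of the native I6MOYF()/getint() values and the constructor string. It assumes the server pads with 0x00 bytes (mcrypt-style), which is the only padding des() is written to undo, and shows the failure mode in des(): because it counts every zero byte rather than only trailing ones, a 0x00 inside the plaintext causes the tail of the decrypted message to be cut off.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class McSchemeDemo {
    // Constructed placeholder key and IV; the real app derives both at runtime.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] IV  = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII);

    // Assumed server-side padding: append 0x00 bytes up to a multiple of 16 (mcrypt-style).
    static byte[] zeroPad(byte[] in) {
        int padded = ((in.length + 15) / 16) * 16;
        return Arrays.copyOf(in, padded);   // copyOf fills the new tail with 0x00
    }

    static byte[] aesCbc(int mode, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(mode, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(IV));
        return c.doFinal(data);
    }

    // Mirrors des(): counts every 0x00 byte anywhere, then drops that many bytes from the end.
    static byte[] stripLikeDes(byte[] plain) {
        int zeros = 0;
        for (byte b : plain) if (b == 0) zeros++;
        return Arrays.copyOf(plain, plain.length - zeros);
    }

    // des() consumes hex, so this is the form a captured ciphertext would take.
    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Normal case: constructed JSON reply round-trips intact.
        String json = "{\"ok\":true,\"msg\":\"hello\"}";
        byte[] ct = aesCbc(Cipher.ENCRYPT_MODE, zeroPad(json.getBytes(StandardCharsets.UTF_8)));
        System.out.println("hex ciphertext: " + toHex(ct));
        byte[] pt = stripLikeDes(aesCbc(Cipher.DECRYPT_MODE, ct));
        System.out.println("decrypted: " + new String(pt, StandardCharsets.UTF_8));

        // Failure mode: an embedded 0x00 is counted as padding, so the closing brace is lost.
        byte[] withNul = "{\"a\":\"x\u0000y\",\"b\":1}".getBytes(StandardCharsets.UTF_8);
        byte[] pt2 = stripLikeDes(aesCbc(Cipher.DECRYPT_MODE, aesCbc(Cipher.ENCRYPT_MODE, zeroPad(withNul))));
        System.out.println("with embedded NUL: " + new String(pt2, StandardCharsets.UTF_8));
    }
}
```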


Answer

I managed to solve the problem using Frida by following the "Frida hooking android part 5: Bypassing AES encryption" post on the 11x256 blog.

source: stackoverflow.com