Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to log TLS keys or traffic with an android app #22

Open
thecoder8324 opened this issue Feb 18, 2024 · 8 comments
Open

Unable to log TLS keys or traffic with an android app #22

thecoder8324 opened this issue Feb 18, 2024 · 8 comments
Assignees
@monkeywave
Labels
bug Something isn't working

Comments

@thecoder8324
Copy link

I am testing the app "Rucoy Online" for http data upon character login.
Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.

Screenshot (4)

Screenshot (5)

It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection.
I assume the hooked functions correspond to this.

This app is on the playstore, feel free to give it a try!
@yoshimo
Copy link

yoshimo commented Feb 18, 2024

I guess we have another game engine (LibGDX) here that , like Unity, comes with its own network stack. (https://libgdx.com/wiki/networking)
It is just not supported at this point in time .

@hyrathon
Copy link

On some Android devices the following code will return since SSL_get_fd return -1

        Interceptor.attach(this.addresses["SSL_write"],
        {
            onEnter: function (args: any) {
                if (!ObjC.available){
                this.fd = OpenSSL_BoringSSL.SSL_get_fd(args[0])
                if(this.fd < 0) {
                    return
                }
                var message = getPortsAndAddresses(this.fd as number, false, lib_addesses)
                message["ssl_session_id"] = OpenSSL_BoringSSL.getSslSessionId(args[0])
                message["function"] = "SSL_write"
                message["contentType"] = "datalog"

I don't know if it is because of the lack of permission or some Android OEM quirks. The google ssl_logger just ignore this so they can log traffic without ip/port.

@monkeywave monkeywave self-assigned this Mar 5, 2024
@monkeywave monkeywave added the bug Something isn't working label Mar 5, 2024
@monkeywave
Copy link
Collaborator

Hi,

On some Android devices the following code will return since SSL_get_fd return -1

        Interceptor.attach(this.addresses["SSL_write"],
        {
            onEnter: function (args: any) {
                if (!ObjC.available){
                this.fd = OpenSSL_BoringSSL.SSL_get_fd(args[0])
                if(this.fd < 0) {
                    return
                }
                var message = getPortsAndAddresses(this.fd as number, false, lib_addesses)
                message["ssl_session_id"] = OpenSSL_BoringSSL.getSslSessionId(args[0])
                message["function"] = "SSL_write"
                message["contentType"] = "datalog"

I don't know if it is because of the lack of permission or some Android OEM quirks. The google ssl_logger just ignore this so they can log traffic without ip/port.

Originally, friTap was designed with live forensics in mind, aiming to preserve socket information for thorough analysis. We've since introduced a new feature, --enable_default_fd, which supplies default socket information when writing to the pcap file. This enhancement ensures that users have access to essential data, even when specific socket details are unavailable, thereby maintaining the utility and effectiveness of forensic investigations.

@monkeywave
Copy link
Collaborator

I am testing the app "Rucoy Online" for http data upon character login. Fritap spawns the app just fine, but it does not log any TLS traffic or keys relating to the log in.

Screenshot (4)

Screenshot (5)

It does however, log firebase TLS keys when you first install the app, but these keys are unrelated to the actual game server connection. I assume the hooked functions correspond to this.

This app is on the playstore, feel free to give it a try!

Can you retry it with the latest friTap version (1.1.0.5). Also consider the following:
https://github.com/fkie-cad/friTap?tab=readme-ov-file#problems

@thecoder8324
Copy link
Author

Hello,

Thank you for the update, I tried using the new version of Fritap on the same app, but now I am receiving these errors:

Screenshot (6)

Screenshot (7)

Screenshot (8)

Screenshot (9)

As you can see, I have run the command for both key logging and pcap traffic, with and without the --enable_default_fd flag for each case. Do you know what these errors mean?

The device I am using is a Genymotion emulated Google Nexus 4. If anyone can somehow succesfully log the TLS keys/traffic for this app, help would be appreciated. Thanks!

@monkeywave
Copy link
Collaborator

Hi,

there was a bug how friTap hooked Conscrypt and other Android related libraries in the past which should be solved in the latest version of friTap (version 1.1.1.0) .

Can you try to log the keys in the latest version of friTap?

@thecoder8324
Copy link
Author

Hi, thank you for the response

This is my result after trying fritap -m -k rucoykeys.log -v -s com.mmo.android -d with current latest version of friTap (1.1.1.2):

Screenshot (11)

@monkeywave
Copy link
Collaborator

monkeywave commented Sep 27, 2024
edited
Loading

Hi @thecoder8324 ,

you can test it again with the latest release of friTap to log the keys (1.2.2.0).

If it is still not working it would help use if you could provide us the result of Process.enumerateModules() when connected with frida itself.

All the best

Daniel

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@monkeywave monkeywave

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@yoshimo @hyrathon @monkeywave @thecoder8324