unzip -l base.apk|grep client |grep assets|grep p12
2525 11-23-2020 13:58 assets/client.p12
unzip -l base.apk|grep client |grep assets|grep cer
1306 11-23-2020 13:58 assets/client.cer
unzip base.apk "assets/client.p12*" -d demo
Archive: base.apk
inflating: demo/assets/client.p12
unzip base.apk "assets/client.cer*" -d demo
Archive: base.apk
inflating: demo/assets/client.cer
tree demo
demo
└── assets
├── client.cer
└── client.p12
file demo/assets/client.cer
demo/assets/client.cer: PEM certificate
file demo/assets/client.p12
demo/assets/client.p12: data
use tracer_keystore.js get keystore password
frida -U -l tracer_keystore.js -f cn.xxxapp.android
____
/ _ | Frida 14.1.3 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://www.frida.re/docs/home/
Spawning `cn.xxxapp.android`...
KeyStore hooks loaded!
Spawned `cn.xxxapp.android`. Use %resume to let the main thread start executing!
[Pixel 2::cn.xxxapp.android]-> %resume
[Pixel 2::cn.xxxapp.android]-> [Keystore.getInstance()]: type: PKCS12
[Keystore.load(InputStream, char[])]: keystoreType: PKCS12, password: '}%2R+\OSsjpP!w%X', inputSteam: android.content.res.AssetManager$AssetInputStream@af4064b
[Keystore.getInstance()]: type: BKS
[Keystore.load(LoadStoreParameter)]: keystoreType: BKS, param: null
[Keystore.getEntry()]: alias: a9f6f85c72b2504a172054fd64ccc2029370f81b, protection: 'Unknown protection parameter type: java.security.KeyStore$PasswordProtection'
[getEntry()]: Entry: java.security.KeyStore$PrivateKeyEntry [implement key dumping if needed] com.android.org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey
[Keystore.getInstance()]: type: AndroidKeyStore
[Keystore.load(LoadStoreParameter)]: keystoreType: AndroidKeyStore, param: null
Collection of useful FRIDA Mobile Scripts