Support output of Android byte[]s

[aph3rson]

There's some preliminary information here on outputting a byte[] from Frida's JS environment.

[leonjza]

Hey, does this relate to using a byte array instead of the base64 encoding used for file transfers, or does this relate to something else?

[aph3rson]

This is related to hooking an Android method - a custom encryption method I'm trying to reverse takes in/outputs an array of bytes. These are outputted in the Objection console as [object Object].

[leonjza]

I think I understand! We will have to sniff the argument type on the hook I think and handle byte arrays if we come across them separately. Keeping this one open.

[mirkorobocop]

+1, would love to see this function in objection

[leonjza]

I would need a test case to replicate to work on this.

[mirkorobocop]

@leonjza
so here i have sample apk with this code:

public class MainActivity extends AppCompatActivity {

    private Button mButton;

    public byte[] a(){
        byte[] bArr = new byte[8];
        new SecureRandom().nextBytes(bArr);
        return bArr;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        mButton = findViewById(R.id.clickButton);
        mButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view)
            {
                a();
            }
        });
    }
}

apk link: https://mega.nz/#!aUR3AQgA!v8klzQvZpaVcUO-g2m9svkYKLCYzcmEA0bG7OBDJRNQ

adb install app-debug.apk
objection -g com.example.myapplication explore
Using USB device `Samsung XXX`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.7.5

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.example.myapplication on (samsung: 9) [usb] # android hooking watch class_method com.example.myapplication.MainActivity.a --dump-args --dump-return
(agent) Attempting to watch class com.example.myapplication.MainActivity and method a.
(agent) Hooking com.example.myapplication.MainActivity.a()
(agent) Registering job pbjx954xbxb. Type: watch-method for: com.example.myapplication.MainActivity.a

now i click on button in app and get console output:

com.example.myapplication on (samsung: 9) [usb] # (agent) [pbjx954xbxb] Called com.example.myapplication.MainActivity.a()
(agent) [pbjx954xbxb] Return Value: [object Object]

[jj0e]

Hey guys, I’m bumping this hoping to see if it’s still on the radar. I would love to contribute to this myself since it’s something that I need quite urgently, however I’m not expert enough with objection codebase or frida to implement in a timely manner. With that being said, I’m willing to contribute financially if you’re able to implement this ASAP. Please let me know if/what example cases you may need. Thanks

[leonjza]

This being an open issue means it's still on the radar. However, I am just spread too thin at the moment to look at this right now.