Tuesday, February 8, 2022

Operating with ArrayBuffers in Frida

Lots of situations require working directly with ArrayBuffers, but operating on them is not always straightforward because the data is not always a simple string. To get a better understanding of how to handle them in Frida we will hook the `fprintf` function and replace the contents of its second argument (our aim is to replace "target" with "foobar").

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 3) {
        /* The format string below is the one the Frida hook rewrites. */
        fprintf(stderr, "Usage: %s <target> <port>\n", argv[0]);
        exit(1);
    }
    return 0;
}

This C program calls the `fprintf` function that is defined as: 

int fprintf(FILE *stream, const char *format, ...);

Many functions receive the length of the strings they work with, but `fprintf` does not: its format string is NUL-terminated and its length has to be found by us. `args[1].readCString()` reads the NUL-terminated string at `*format`, and the length of the returned JavaScript string (plus one for the terminator) is the number of bytes to read. This works because the format string here is plain ASCII, where one character is one byte; for a format string containing non-ASCII bytes the JavaScript length would not match the byte length in memory.

const fprintfPtr = Module.getExportByName(null, "fprintf");

// Converts a JS string into an ArrayBuffer holding one byte per character.
// The string we read back from memory still carries its NUL terminator, so
// the terminator is copied along with the rest of the content.
function str2ab(str) {
  var buf = new ArrayBuffer(str.length);
  var bufView = new Uint8Array(buf);
  for (var i = 0, strLen = str.length; i < strLen; i++) {
    bufView[i] = str.charCodeAt(i);
  }
  return buf;
}

Interceptor.attach(fprintfPtr, {
  onEnter: function (args) {
    // args[1] is the *format parameter. readCString() stops at the NUL, so
    // the JS string length plus one is the size of the C string in memory.
    let buffer_size = args[1].readCString().length + 1;
    let arrayBuf = args[1].readByteArray(buffer_size);
    let str = String.fromCharCode.apply(null, new Uint8Array(arrayBuf));
    str = str.replace("target", "foobar");
    // Keep a reference on `this` (alive until onLeave) so the buffer is not
    // garbage collected while fprintf is still reading through the raw
    // pointer that unwrap() hands back.
    this.newFormat = str2ab(str);
    args[1] = this.newFormat.unwrap();
  },
});

To understand how this instrumentation code works we will examine it step by step.

str2ab is an auxiliary function that converts a string into an ArrayBuffer, writing one byte per character through a Uint8Array view.

let buffer_size = args[1].readCString().length + 1;
console.log("buffer_size:" + buffer_size);
let arrayBuf = args[1].readByteArray(buffer_size);

readCString() returns the contents of the *format string as a JavaScript string, and its length gives us the length of the content (+1 for the NUL terminator). Having the size allows us to call readByteArray with the correct number of bytes.

let str = String.fromCharCode.apply(null, new Uint8Array(arrayBuf));
str = str.replace("target", "foobar");

Once the ArrayBuffer is obtained from readByteArray we use String.fromCharCode.apply(null, new Uint8Array(arrayBuf)) to convert it to a human-readable string (you can skip this step and modify the ArrayBuffer directly). Note that the replacement leaves the `%s` conversion specifier untouched: if the rewritten format string gained or lost conversion specifiers, fprintf would consume variadic arguments the caller never passed, turning the hook itself into a format-string bug in the instrumented process.

args[1] = str2ab(str).unwrap();

Once the string is modified, str2ab transforms it back into an ArrayBuffer, but we cannot simply assign that ArrayBuffer to args[1] because the argument is expecting a pointer. For this Frida provides the `.unwrap()` method, which returns a NativePointer to the base address of the `ArrayBuffer`'s backing store. The buffer is still owned by the JavaScript heap, so it is the caller's responsibility to keep it alive while the native side is using it; otherwise the pointer handed to fprintf can dangle once the garbage collector runs. Storing the buffer on `this` inside onEnter, which persists until onLeave, is the usual way to do this.

Then, it is possible to verify the output:

frida -f a.out -l ins.js --no-pause -q

. . . .   Connected to Local System (id=local)

Spawned a.out. Resuming main thread!

Usage: a.out <foobar> <port>

The str2ab (String to ArrayBuffer) function is a slightly modified version of the one found on developers.google.com, adapted to Uint8Arrays.
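As an added example (not code from the original post), the following JavaScript generalizes the round trip above and runs under Node without Frida: it decodes a NUL-terminated byte buffer into a string, re-encodes a string as UTF-8 with a trailing terminator (so non-ASCII characters, which the charCodeAt loop would truncate, survive), and refuses a rewrite that adds or removes printf conversion specifiers. The Frida-specific calls (readByteArray, unwrap, the keep-alive on `this`) appear only in comments; whether TextEncoder/TextDecoder are available inside Frida's own runtime is an assumption, and the function names and the sample format string are mine.

```javascript
// Added example, not part of the original post. Pure-JS helpers for the
// ArrayBuffer <-> C string round trip used in a Frida fprintf hook, plus a
// guard against changing the format string's conversion specifiers.

// Decode a NUL-terminated byte buffer (what NativePointer.readByteArray(size)
// returns in Frida) into a JS string. Stops at the first NUL so a trailing
// terminator is never carried into the string.
function cstrFromArrayBuffer(buf) {
  const bytes = new Uint8Array(buf);
  let end = bytes.indexOf(0);
  if (end === -1) end = bytes.length;
  return new TextDecoder("utf-8").decode(bytes.subarray(0, end));
}

// Encode a JS string as UTF-8 into a fresh ArrayBuffer with a trailing NUL,
// so the backing store is a valid C string. TextEncoder is used instead of
// charCodeAt because storing a code unit above 0xFF into a Uint8Array would
// silently truncate it.
function cstrToArrayBuffer(str) {
  const encoded = new TextEncoder().encode(str);
  const buf = new ArrayBuffer(encoded.length + 1);
  const view = new Uint8Array(buf);
  view.set(encoded);
  view[encoded.length] = 0; // NUL terminator
  return buf;
}

// Extract printf-style conversion specifiers ("%s", "%-8.3lu", "%*d", "%%").
// Deliberately simple: it only needs to compare two format strings.
function formatSpecifiers(fmt) {
  const re = /%[-+ #0]*(\d+|\*)?(\.(\d+|\*))?(hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn%]/g;
  return fmt.match(re) || [];
}

// Rewrite a format string, accepting the result only if its conversion
// specifiers are unchanged. Adding or removing one would make fprintf read
// variadic arguments the caller never pushed: an injected format-string bug.
function rewriteFormat(fmt, from, to) {
  const rewritten = fmt.replace(from, to);
  const before = formatSpecifiers(fmt);
  const after = formatSpecifiers(rewritten);
  if (before.length !== after.length || before.some((s, i) => s !== after[i])) {
    throw new Error("refusing rewrite: conversion specifiers changed");
  }
  return rewritten;
}

// Full round trip on a byte buffer: decode, rewrite, re-encode with NUL.
// Inside a Frida onEnter this would be used as:
//   const size = args[1].readCString().length + 1;
//   this.fmt = rewriteFormatBuffer(args[1].readByteArray(size), "target", "foobar");
//   args[1] = this.fmt.unwrap();   // `this.fmt` keeps the buffer alive until onLeave
function rewriteFormatBuffer(buf, from, to) {
  const fmt = cstrFromArrayBuffer(buf);
  return cstrToArrayBuffer(rewriteFormat(fmt, from, to));
}

// Constructed sample input standing in for the bytes read from *format.
const SAMPLE_FMT = cstrToArrayBuffer("Usage: %s <target> <port>\n");

const rewrittenBuf = rewriteFormatBuffer(SAMPLE_FMT, "target", "foobar");
console.log(JSON.stringify(cstrFromArrayBuffer(rewrittenBuf)));
console.log("bytes:", new Uint8Array(rewrittenBuf).length);
try {
  // Replacing "target" with "%s" would add a specifier: rejected.
  rewriteFormat("Usage: %s <target>\n", "target", "%s");
} catch (e) {
  console.log(e.message);
}
```

The specifier check is the part worth keeping even if you only ever swap equal-length ASCII words: a hook that rewrites format strings is a format-string primitive by construction, and the guard makes sure it never becomes one the caller did not intend.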

Sunday, February 6, 2022

The entering Japan experience with COVID prevention measures

As of the time of writing this post, this is our last day under Japan's quarantine, yay!

What I am going to write from now on is our experience when entering Japan, before arriving at the airport and after it. Hope this is an interesting read or is useful for whoever reads it.

There are some requirements to enter Japan at the moment, which must be fulfilled before being able to even board:

  • Having a valid VISA, which as of now is restricted to close family members and some student categories.
  • Filling in a pledge where you agree to obey all the rules the Japanese government has set for new arrivals.
  • Installing the required applications:
    • MySOS: An application to track our location and to receive notifications (quite useful since we don't have a phone number yet). Location checks, video checks and phone calls are all received through this app.
    • COCOA新型コロナウイルス: This app is used to monitor and report close contacts (濃厚接触者, のうこうせっしょくしゃ) that have tested positive.
    • A health form application which must be filled in before arrival and provides a QR code that the Japanese authorities will check on arrival.
  • A location to continue the quarantine after the government sponsored one, and a government approved transportation means.
  • A valid plane ticket.
