Skip to content

JButton internal plugin

Jump to bottom
Federico Dotta edited this page Apr 14, 2020 · 2 revisions

A practical example of JButton Brida plugin

JButton Brida plugins add a custom button to the Hooks and function tab of Brida.

Buttons can be of two different types:

  • Execute buttons, that, when clicked, execute a Frida exported function and return the output in the Brida console
  • Enable/disable buttons, that execute a Frida exported functions containing a Frida hook, that can be comfortably enabled and disabled from the button panel

Hooks and function tab of Brida contains many default buttons of both types. An example of Execute button is the Dump keychain one that, when clicked, prints the content of the keychain in the Brida console. An example of Enable/disable button is the SSL Pinning bypass one that, when enabled, hooks SSL/TLS functions in order to bypass SSL pinning.

Execute button

For this example, we will use the same functions used in the IMessageEditorTab example. To resume, we have some encrypted data in requests and responses and we found in the binary the functions that do the encryption/decryption. We want to add to Brida a button that, when clicked, opens a popup asking for the encrypted content and prints to Brida console the results of the decryption executed through a proper Frida exported function.

As for the IMessageEditorTab example, we write two simple Frida exported functions that will execute encryption/decryption for us (these functions are named this way because they call two iOS function using Frida name respectively + encryptRequest: and + decryptResponse: but can be used to encrypt/decrypt arbitrary content). In the current example we will use only the decryptresponse one:

jbutton-plugin-1

Our very simple plugin is the following:

jbutton-plugin-2

  • Plugin name: DecryptButton
  • Plugin type: JButton
  • Name of the Frida exported function: decryptresponse (the name of the JS function we defined in the previous steps. As we said before, we named the exported function decryptresponse because it is the name of the called mobile function, but it can be used to decrypt both requests and responses. DO NOT USE UPPERCASE CHARACTERS IN THE EXPORTED FUNCTION NAMES)
  • Execute on: Button name: - Decrypt (the name of the button that will appear in the Hooks and function tab of Brida)
  • Platform: iOS (the platform of our plugin that will be used to put the button in the right sub-tab of the Hooks and function tab of Brida)
  • Button type: Function (Function is to create an Execute button plugin, Hook to create a Enable/Disable button plugin)
  • Parameters: Ask to user with popup (#,# as separator) (when the user clicks on our button, a popup is shown, asking to the user to supply the parameter/parameters. In this example, we have a single parameter that is the encrypted value we want Brida to decrypt, but if we have multiple parameters we can use #,# as a separator. An example is parameter1#,#parameter2#,#parameter3. We can also create buttons without parameter, like the Dump Keychain button, or with fixed parameters supplied during the creation of the plugin)
  • Encode function parameters: none (we can encode supplied parameters before sending them to the mobile application but in this situation it is not necessary. All the encode/decode options of the Custom Plugins when clicked open a popup in which it is possible to choose one or more encoding/compression algorithm, like Base64, ASCII-HEX, URL, GZIP, ...)
  • Plugin output: print in Brida console (output of Brida JButton Custom Plugins can be only printed in Brida console)

Now we can click on "Add plugin" to create our plugin and then to "ENABLE" to enable it:

jbutton-plugin-3

To use our plugin we can go in the Hook and functions tab of Brida, iOS sub-tab, and click on the new Decrypt button. As parameter we can supply the encrypted body of one of the responses seen in the IMessageEditorTab example:

jbutton-plugin-4

And the result is shown in the Brida console:

jbutton-plugin-5

Enable/Disable button

For this example, we will add a hook that prints the arguments and the return value of the function + encryptRequest: of class Encryption, that we used in most examples of custom plugins. We add this standard Frida hooks in an exported function that we will call from our Enable/Disable button:

jbutton-plugin-6

Then we can create our plugin in the Custom plugins tab. The configuration is very similar to the one of the Execute button example (the only difference is that now the Button type is Hook and that it is not possible to pass parameters to Enable/Disable button Brida plugins):

jbutton-plugin-7

Now we can enable our hook by clicking on our newly created button:

jbutton-plugin-8

From now on, every time that our hooked function will be called in our mobile environment its arguments and its return value will be printed in the Brida console:

jbutton-plugin-9

Hooks executed by this type of plugin (if enabled) will be automatically reloaded on each spawn/attach operation. It is not possible to disable an enabled button plugin while the application is attached.

Clone this wiki locally