
I'm trying to reverse engineer an app and I'm seeing that it encrypts a string using the RSA/ECB/PKCS1Padding method.

Before this it's loading something similar to a private key from another string with a method called "1.2.840.113549.1.12.1.3". I googled this and found out that it's a PKCS12 key.

I don't have access to the code and I'm reading this data using Frida, so I don't understand what's actually being done.

What I need to do is to be able to do the same RSA encryption, so I need the key for RSA.

I have a sample input and output to test whether the key is right or not. I also have a hex string which I'm guessing is from a pfx file, another hex string generated from the previous one which looks like a private key, and another smaller hex string which might be the password for the pfx (I'm not sure about this).

On further investigation I found out that the class name for the key is: com.android.org.bouncycastle.jcajce.PKCS12Key

This is also the second hex string (I replaced part of it with X) that I think is some kind of private key, but I wasn't able to verify it: 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

What I tried until now:

I converted the first hex string to binary and saved it into a file, then used the `openssl pkcs12 -in -out` command to get a PEM formatted file, but it failed with the error `4630589100:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag`

Mahdi
    Kindly note that Stackoverflow is not a free code breaking or reverse engineering service. – Michael Fehr Aug 07 '21 at 21:49
  • @MichaelFehr who asked about doing free reverse engineering? I just have a problem about private keys conversion :) – Mahdi Aug 08 '21 at 01:30
  • I don't know who wrote the first sentence in your question "I'm trying to reverse engineering an app" but that's off-topic here on SO, sorry. – Michael Fehr Aug 08 '21 at 06:15
  • @MichaelFehr I was just trying to describe my situation :) – Mahdi Aug 08 '21 at 10:41
    What type of application do you hook into using Frida? Android, iOS, Java Windows/Linux native program? BTW: "1.2.840.113549.1.12.1.3" does not indicate that it is a PKCS#12 file, it just references a specific key generation method `pbeWithSHA1And3-KeyTripleDES-CBC` that is used in PKCS#12, but it can also be used outside of an PKCS#12 file. – Robert Aug 09 '21 at 14:51
  • @Robert it's Android. Also, on further investigation I found out the class name of the key: com.android.org.bouncycastle.jcajce.PKCS12Key. But I'm not familiar with it ... so I'm kind of stuck at this step – Mahdi Aug 09 '21 at 16:18
  • This is probably your answer: https://stackoverflow.com/questions/15144046/converting-pkcs12-certificate-into-pem-using-openssl . Note that if you don't have the pkcs12 file password breaking it is not trivial and probably in the realm of black hats – ofirule Aug 11 '21 at 21:08
  • It would be easier to decompile the APK and search for it in the code, because default Android obfuscation just scrambles the keys and not the values. You're lucky if they didn't put it in the NDK, because that gets compiled to an SO file which is not really easy to reverse engineer. – Ali Momeni Aug 17 '21 at 09:15
  • @ofirule no it's not – Mahdi Aug 17 '21 at 21:36
  • @AliMomeni I tried, but it is obfuscated and couldn't get much out of it. – Mahdi Aug 17 '21 at 21:38

0 Answers
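An added example, not from the question or its comments, for the "wrong tag" error above: `openssl pkcs12` only accepts a PFX container (a DER SEQUENCE whose first element is INTEGER 3), so the first check on a hex blob is what its outer ASN.1 layout actually is. The minimal DER reader below reports that, and decodes the algorithm OID when the blob is an EncryptedPrivateKeyInfo; the sample blobs are constructed outer skeletons, not real keys.

```python
import binascii

def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128; high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify(hex_blob):
    """Label the outer DER layout of a hex-encoded blob."""
    der = binascii.unhexlify(hex_blob)
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        return "not a DER SEQUENCE (outer tag 0x%02x)" % tag
    t1, v1, nxt = read_tlv(body)
    if t1 == 0x02 and v1 == b"\x03":        # PFX ::= SEQUENCE { version INTEGER 3, ... }
        return "PKCS#12 PFX (version 3)"
    if t1 == 0x02 and v1 == b"\x00":        # version 0, then AlgorithmIdentifier (PKCS#8) or modulus (PKCS#1)
        t2 = body[nxt] if nxt < len(body) else None
        if t2 == 0x30:
            return "PKCS#8 PrivateKeyInfo (version 0)"
        if t2 == 0x02:
            return "PKCS#1 RSAPrivateKey"
    if t1 == 0x30:                          # AlgorithmIdentifier first => EncryptedPrivateKeyInfo
        t2, v2, _ = read_tlv(v1)
        if t2 == 0x06:
            return "EncryptedPrivateKeyInfo, algorithm OID " + decode_oid(v2)
    return "unrecognised SEQUENCE layout"

# Constructed outer skeletons (not real keys), one per layout handled above.
SAMPLES = {"pfx": "30050201033000", "pkcs8": "30050201003000",
           "rsa_pkcs1": "3006020100020101", "octet_string": "0403aabbcc",
           "encrypted_pkcs8": "3012300c060a2a864886f70d010c01030402aabb"}
for name, blob in SAMPLES.items():
    print(name, "->", classify(blob))
```

A blob that classifies as PKCS#8 or EncryptedPrivateKeyInfo is handled by `openssl pkcs8`, and a bare RSAPrivateKey by `openssl rsa`, not by `openssl pkcs12`.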