Frida CodeShare

Project: bcryptdll-bcryptdecrypt

Try this code out now by running

$ frida --codeshare fhaag95/bcryptdll-bcryptdecrypt -f YOUR_BINARY

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
//Details on the function available here: https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptdecrypt
var bcryptdecrypt = Module.getExportByName("bcrypt.dll", "BCryptDecrypt");
Interceptor.attach(bcryptdecrypt, {
    onEnter: function(args) {
        this.plaintextPointer = args[6];
        this.plaintextSizeVal = args[7];
        if (this.plaintextPointer.isNull()) {
            this.abort = true;
            return;
        }
        try {
            this.plaintextSize = this.plaintextSizeVal.readU64();
        } catch (err) {
            //Enable for Debugging purposes
            //console.log('Error in onEnter: ' + err);
        }
    },
    onLeave: function(retval) {
        if (this.abort || this.plaintextSize == 0) {
            return;
        }
        try {
            let plaintext = this.plaintextPointer.readCString(this.plaintextSize);
            if (plaintext != null) {
                console.log('Obtained cleartext is: ' + plaintext);
            }
        } catch (err) {
            //Enable for Debugging purposes
            //console.log('Error in onLeave: ' + err);
        }
    }
});
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Fingerprint: 32a5f13891dbeb504b8a5850fdefc2148869098cbfe283b2d87d6f263d2fc3da