Search code examples
javascriptc++reverse-engineeringfrida

Read uchar value from hooked method using Frida

How can i read value of uchar* ?

I tried many ways, it's code which i used:

Interceptor.attach(Module.getExportByName('libsigning.so', 'EVP_DigestSignFinal'), {
    onEnter: function (args) {
        console.log("RSA.doFinal() [VALID]")
        console.log("arg0: OpenSSL object")
        console.log("arg1: " + Memory.readUtf8String(args[1]))
        console.log("arg2: " + args[2].readUInt())
    },
    onLeave: function (retval) {
        // simply replace the value to be returned with 0
        return retval
    }
});

What i got:

RSA.doFinal() [VALID]
arg0: RSA object
arg1: 
arg2: 512

How it looks in ghidra: enter image description here

In output I'm getting unknown character instead of real value

What is a proper way of doing this?

Solution

  • The method you hook is documented

    int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);

    According to it's documentation the second argument receives the created signature:

    signs the data in ctx and places the signature in sig. If sig is NULL then the maximum size of the output buffer is written to the siglen parameter. If sig is not NULL then before the call the siglen parameter should contain the length of the sig buffer. If the call is successful the signature is written to sig and the amount of data written to siglen.

    (Cryptographic) signatures are binary data and in C the type unsigned char is often used to store such binary data. Therefore even if it contains the name char you won't find any printable characters or a complete string in it.

    Therefore if you want to print it as a string it will fail as the "real value" is binary data.

    To read binary data you can use Frida readByteArray from NativePointer