@joshbalfour
Created June 23, 2019 15:43
RiKroll - extract assets protected using Kroll's AssetCrypt
extract.js:

// extract.js - write every entry of app.code.json to ./output/<asset path>
const fs = require('fs')
const path = require('path')
const fse = require('fs-extra')

const outputDir = path.resolve('.', 'output')
const obj = JSON.parse(fs.readFileSync('app.code.json', 'utf-8'))

// fse.outputFile returns a promise, so wait for every write before reporting completion
Promise.all(Object.entries(obj).map(([loc, contents]) => {
  const absPath = path.resolve(outputDir, loc)
  // asset paths come straight from the dumped app; refuse anything that escapes ./output
  if (!absPath.startsWith(outputDir + path.sep)) {
    throw new Error('refusing to write outside output/: ' + loc)
  }
  return fse.outputFile(absPath, contents)
})).then(() => console.log('done'))

inject.js:

// inject.js - Frida script: instantiate the app's generated AssetCryptImpl and dump every asset it can decrypt
var pkg = 'com.target.app' // replace with the target app's package name
if (Java.available) {
  Java.perform(function () {
    var AssetCryptImpl = Java.use(pkg + ".AssetCryptImpl")
    var assetCryptImpl = AssetCryptImpl.$new()
    var assetPaths = assetCryptImpl.getAssetPaths()
    var outputFile = pkg + ".code.json"
    var outputPath = "/data/data/" + outputFile
    var results = {}
    // readAsset() returns the decrypted asset contents as a string
    for (var i = 0; i < assetPaths.length; i++) {
      var assetPath = assetPaths[i]
      results[assetPath] = assetCryptImpl.readAsset(assetPath)
    }
    var file = new File(outputPath, "w")
    file.write(JSON.stringify(results, null, '\t'))
    file.close()
    console.log('dumped ', assetPaths.length, ' assets to ', outputPath)
    console.log('extract using adb:')
    console.log('`adb shell`')
    console.log('`cp ' + outputPath + ' /sdcard/`')
    console.log('`adb pull /sdcard/' + outputFile + ' .`')
  })
}

RiKroll

Extract assets protected using Kroll's AssetCrypt by means of runtime code injection; specifically, it targets org.appcelerator.kroll.util.KrollAssetHelper.AssetCrypt.

hope this is useful to someone!

You'll need:

  • a rooted Android device
  • frida set up and running
  • your target app installed and running (it doesn't matter what state it's in, so long as it's running)

Steps:

  1. grab the files from the gist (inject.js and extract.js), replacing com.target.app with your app's package name
  2. get the resources by running frida -U -l inject.js com.target.app
  3. use adb shell to copy the code.json to /sdcard/, then adb pull it to your machine
  4. rename your {package}.code.json to app.code.json
  5. extract the .js files from app.code.json by running npm install fs-extra && node extract.js
  6. ???
  7. profit

NB: this will give you the JS code from the app; the other resources (images, fonts, etc.) are not handled by AssetCrypt and will have to be extracted from the APK using JadX or a similar tool (they should be under assets/resources).

<3 to frida for making this possible
