├── .gitignore
├── AES_Killer - Mobile App Demo
    ├── aes-hook.js
    ├── android
    │   ├── app-release.apk
    │   └── my_activity.java
    ├── frida-hook.py
    └── node js server
    │   └── nodejs-server.js
├── AES_Killer-NodeJS-DemoApp
    ├── demo.html
    └── server.js
└── SRePlay
    ├── api
        └── v9
        │   └── api.php
    └── index.php


/.gitignore:
--------------------------------------------------------------------------------
1 | AES_Killer-NodeJS-DemoApp/node_modules
2 | AES_Killer-NodeJS-DemoApp/package-lock.json
3 | 


--------------------------------------------------------------------------------
/AES_Killer - Mobile App Demo/aes-hook.js:
--------------------------------------------------------------------------------
  1 | // code borrowed from https://zhuanlan.zhihu.com/p/320229007
  2 | 
  3 | 'use strict;'
  4 | 
  5 | console.log("Script loaded successfully ..... ");
  6 | 
  7 | function bytesToString(arr) {
  8 |     var str = '';
  9 |     arr = new Uint8Array(arr);
 10 |     for (var i in arr) {
 11 |         str += String.fromCharCode(arr[i]);
 12 |     }
 13 |     return str;
 14 | }
 15 | 
 16 | function bytesToHex(arr) {
 17 |     var str = '';
 18 |     var k, j;
 19 |     for (var i = 0; i < arr.length; i++) {
 20 |         k = arr[i];
 21 |         j = k;
 22 |         if (k < 0) {
 23 |             j = k + 256;
 24 |         }
 25 |         if (j < 16) {
 26 |             str += "0";
 27 |         }
 28 |         str += j.toString(16);
 29 |     }
 30 |     return str;
 31 | }
 32 | 
 33 | var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
 34 |     base64DecodeChars = new Array((-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), (-1), 62, (-1), (-1), (-1), 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, (-1), (-1), (-1), (-1), (-1), (-1), (-1), 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, (-1), (-1), (-1), (-1), (-1), (-1), 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, (-1), (-1), (-1), (-1), (-1));
 35 | 
 36 | function bytesToBase64(e) {
 37 |     var r, a, c, h, o, t;
 38 |     for (c = e.length, a = 0, r = ''; a < c;) {
 39 |         if (h = 255 & e[a++], a == c) {
 40 |             r += base64EncodeChars.charAt(h >> 2),
 41 |                 r += base64EncodeChars.charAt((3 & h) << 4),
 42 |                 r += '==';
 43 |             break
 44 |         }
 45 |         if (o = e[a++], a == c) {
 46 |             r += base64EncodeChars.charAt(h >> 2),
 47 |                 r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
 48 |                 r += base64EncodeChars.charAt((15 & o) << 2),
 49 |                 r += '=';
 50 |             break
 51 |         }
 52 |         t = e[a++],
 53 |             r += base64EncodeChars.charAt(h >> 2),
 54 |             r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
 55 |             r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
 56 |             r += base64EncodeChars.charAt(63 & t)
 57 |     }
 58 |     return r
 59 | }
 60 | 
 61 | 
 62 | 
 63 | Java.perform(function () {
 64 |     var secretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
 65 |     secretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (a, b) {
 66 |         var result = this.$init(a, b);
 67 |         console.log("================= SecretKeySpec =====================");
 68 |         console.log("SecretKeySpec :: bytesToString :: " + bytesToString(a));
 69 |         console.log("SecretKeySpec :: bytesToBase64 :: " + bytesToBase64(a));
 70 |         console.log("SecretKeySpec :: bytesToBase64 :: " + bytesToHex(a));
 71 |         return result;
 72 |     }
 73 | 
 74 | 
 75 |     var ivParameterSpec = Java.use('javax.crypto.spec.IvParameterSpec');
 76 |     ivParameterSpec.$init.overload('[B').implementation = function (a) {
 77 |         var result = this.$init(a);
 78 |         console.log("\n================== IvParameterSpec ====================");
 79 |         console.log("IvParameterSpec :: bytesToString :: " + bytesToString(a));
 80 |         console.log("IvParameterSpec :: bytesToBase64 :: " + bytesToBase64(a));
 81 |         console.log("IvParameterSpec :: bytesToBase64 :: " + bytesToHex(a));
 82 |         return result;
 83 |     }
 84 | 
 85 |     var cipher = Java.use('javax.crypto.Cipher');
 86 |     cipher.getInstance.overload('java.lang.String').implementation = function (a) {
 87 |         var result = this.getInstance(a);
 88 |         console.log("\n======================================");
 89 |         console.log("Cipher :: " + a);
 90 |         return result;
 91 |     }
 92 | 
 93 |     cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec').implementation = function (a, b, c) {
 94 |         var result = this.init(a, b, c);
 95 |         console.log("\n================ cipher.init() ======================");
 96 |         
 97 |         if (N_ENCRYPT_MODE == '1') 
 98 |         {
 99 |             console.log("init :: Encrypt Mode");    
100 |         }
101 |         else if(N_DECRYPT_MODE == '2')
102 |         {
103 |             console.log("init :: Decrypt Mode");    
104 |         }
105 |      
106 |         console.log("Mode :: " + a);
107 |         console.log("Secret Key :: " + bytesToHex(b));
108 |         console.log("Secret Key :: " + bytesToBase64(b));
109 |         console.log("IV Param :: " + bytesToHex(c));
110 |         console.log("IV Param :: " + bytesToBase64(c));
111 | 
112 |         return result;
113 |     }
114 | 
115 |     cipher.doFinal.overload("[B").implementation = function (x) {
116 |         console.log("\n================ doFinal() ======================");
117 |         var ret = cipher.doFinal.overload("[B").call(this, x);
118 |         console.log("doFinal :: data to encrypt/decrypt - base64 :: " + bytesToBase64(x));
119 |         console.log("doFinal :: data ro encrypt/decrypt - string :: " + bytesToString(x));
120 |         
121 |         return ret;
122 |     }
123 | 
124 | 
125 |  
126 |  
127 | 
128 | });


--------------------------------------------------------------------------------
/AES_Killer - Mobile App Demo/android/app-release.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d3vilbug/demo-example-code-snippets/dca9b79eae78e45092954a062e33404916e2a8a4/AES_Killer - Mobile App Demo/android/app-release.apk


--------------------------------------------------------------------------------
/AES_Killer - Mobile App Demo/android/my_activity.java:
--------------------------------------------------------------------------------
  1 | package com.example.a11x256.frida_test;
  2 | 
  3 | import android.os.Bundle;
  4 | import android.support.v7.app.AppCompatActivity;
  5 | import android.util.Base64;
  6 | import android.view.View;
  7 | import android.widget.Button;
  8 | import android.widget.EditText;
  9 | import android.widget.TextView;
 10 | 
 11 | import java.io.BufferedReader;
 12 | import java.io.DataOutputStream;
 13 | import java.io.IOException;
 14 | import java.io.InputStreamReader;
 15 | import java.io.UnsupportedEncodingException;
 16 | import java.net.HttpURLConnection;
 17 | import java.net.MalformedURLException;
 18 | import java.net.URL;
 19 | import java.security.InvalidAlgorithmParameterException;
 20 | import java.security.InvalidKeyException;
 21 | import java.security.NoSuchAlgorithmException;
 22 | 
 23 | import javax.crypto.BadPaddingException;
 24 | import javax.crypto.Cipher;
 25 | import javax.crypto.IllegalBlockSizeException;
 26 | import javax.crypto.NoSuchPaddingException;
 27 | import javax.crypto.spec.IvParameterSpec;
 28 | import javax.crypto.spec.SecretKeySpec;
 29 | 
 30 | public class my_activity extends AppCompatActivity {
 31 |     EditText username_et;
 32 |     EditText password_et;
 33 |     TextView message_tv;
 34 |     HttpURLConnection conn;
 35 | 
 36 |     @Override
 37 |     protected void onCreate(Bundle savedInstanceState) {
 38 |         super.onCreate(savedInstanceState);
 39 |         setContentView(R.layout.activity_my_activity);
 40 |         message_tv = ((TextView) findViewById(R.id.textView));
 41 |         username_et = (EditText) findViewById(R.id.editText);
 42 |         password_et = (EditText) findViewById(R.id.editText2);
 43 |         ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() {
 44 |             @Override
 45 |             public void onClick(View v) {
 46 |                 send_data(username_et.getText() + ":" + password_et.getText());
 47 |             }
 48 |         });
 49 | 
 50 |     }
 51 | 
 52 |     void send_data(final String data) {
 53 |         URL url = null;
 54 |         try {
 55 |             url = new URL("http://192.168.18.134");
 56 |             final HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 57 |             conn.setRequestMethod("POST");
 58 |             conn.setDoOutput(true);
 59 |             new Thread(new Runnable() {
 60 |                 @Override
 61 |                 public void run() {
 62 |                     try {
 63 |                         DataOutputStream out = new DataOutputStream(conn.getOutputStream());
 64 |                         out.writeBytes(enc(data));
 65 |                         BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
 66 |                         final String text = in.readLine();
 67 |                         runOnUiThread(new Runnable() {
 68 |                             @Override
 69 |                             public void run() {
 70 |                                 ((TextView) findViewById(R.id.textView)).setText(text);
 71 |                                 dec(text);
 72 |                             }
 73 |                         });
 74 |                     } catch (IOException e) {
 75 |                         e.printStackTrace();
 76 |                     }
 77 |                 }
 78 |             }).start();
 79 | 
 80 |         } catch (MalformedURLException e) {
 81 |             e.printStackTrace();
 82 |         } catch (IOException e) {
 83 |             e.printStackTrace();
 84 |         }
 85 | 
 86 |     }
 87 | 
 88 |     String enc(String data) {
 89 |         try {
 90 |             String pre_shared_key = "aaaaaaaaaaaaaaaa"; //assume that this key was not hardcoded
 91 |             String generated_iv = "bbbbbbbbbbbbbbbb";
 92 |             Cipher my_cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
 93 |             my_cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(pre_shared_key.getBytes("UTF-8"), "AES"), new IvParameterSpec(generated_iv.getBytes("UTF-8")));
 94 |             byte[] x = my_cipher.doFinal(data.getBytes());
 95 | 
 96 |             System.out.println(new String(Base64.encode(x, Base64.DEFAULT)));
 97 |             return new String(Base64.encode(x, Base64.DEFAULT));
 98 |         } catch (NoSuchAlgorithmException e) {
 99 |             e.printStackTrace();
100 |         } catch (InvalidKeyException e) {
101 |             e.printStackTrace();
102 |         } catch (InvalidAlgorithmParameterException e) {
103 |             e.printStackTrace();
104 |         } catch (NoSuchPaddingException e) {
105 |             e.printStackTrace();
106 |         } catch (BadPaddingException e) {
107 |             e.printStackTrace();
108 |         } catch (UnsupportedEncodingException e) {
109 |             e.printStackTrace();
110 |         } catch (IllegalBlockSizeException e) {
111 |             e.printStackTrace();
112 |         }
113 |         return null;
114 |     }
115 | 
116 |     String dec(String data) {
117 |         try {
118 |             byte[] decoded_data = Base64.decode(data.getBytes(), Base64.DEFAULT);
119 |             String pre_shared_key = "aaaaaaaaaaaaaaaa"; //assume that this key was not hardcoded
120 |             String generated_iv = "bbbbbbbbbbbbbbbb";
121 |             Cipher my_cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
122 |             my_cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(pre_shared_key.getBytes("UTF-8"), "AES"), new IvParameterSpec(generated_iv.getBytes("UTF-8")));
123 |             String plain = new String(my_cipher.doFinal(decoded_data));
124 |             return plain;
125 |         } catch (UnsupportedEncodingException e) {
126 |             e.printStackTrace();
127 |         } catch (NoSuchPaddingException e) {
128 |             e.printStackTrace();
129 |         } catch (InvalidAlgorithmParameterException e) {
130 |             e.printStackTrace();
131 |         } catch (NoSuchAlgorithmException e) {
132 |             e.printStackTrace();
133 |         } catch (InvalidKeyException e) {
134 |             e.printStackTrace();
135 |         } catch (BadPaddingException e) {
136 |             e.printStackTrace();
137 |         } catch (IllegalBlockSizeException e) {
138 |             e.printStackTrace();
139 |         }
140 |         return "";
141 |     }
142 | }


--------------------------------------------------------------------------------
/AES_Killer - Mobile App Demo/frida-hook.py:
--------------------------------------------------------------------------------
 1 | import time
 2 | import sys
 3 | import frida
 4 | 
 5 | 
 6 | def on_message(a, b):
 7 |     print("on message ....... ")
 8 | 
 9 | 
10 | 
11 | # Android Application borrowed from 
12 | # https://github.com/11x256/frida-android-examples/tree/master/examples/5
13 | 
14 | 
15 | device = frida.get_usb_device()
16 | pid = device.spawn(["com.example.a11x256.frida_test"])
17 | device.resume(pid)
18 | time.sleep(1) 
19 | session = device.attach(pid)
20 | 
21 | # session = frida.get_usb_device().attach('com.example.a11x256.frida_test')
22 | with open("aes-hook.js") as f:
23 |     script = session.create_script(f.read())
24 | script.on("message", on_message)
25 | script.load()
26 | 
27 | sys.stdin.read()
28 | 
29 | 


--------------------------------------------------------------------------------
/AES_Killer - Mobile App Demo/node js server/nodejs-server.js:
--------------------------------------------------------------------------------
 1 | var http = require("http");
 2 | var crypto = require('crypto');
 3 | var qs = require('querystring');
 4 | 
 5 | var key= 'aaaaaaaaaaaaaaaa';
 6 | var iv = 'bbbbbbbbbbbbbbbb';
 7 | http.createServer(function(request , response)
 8 | 		{
 9 | 			var body = '';
10 | 			request.on('data' , function(data){
11 | 
12 | 				body+=data;
13 | 			});
14 | 
15 | 			console.log(body)
16 | 				response.writeHead(200,"");
17 | 			request.on('end', function(){
18 | 				console.log(body);
19 | 				var enc = '' ;
20 | 				var cipher = crypto.createCipheriv('aes-128-cbc' , key , iv);
21 | 				enc +=cipher.update("Can you see this secret message too !!!","utf8" , "binary");
22 | 				enc += cipher.final("binary");
23 | 				console.log(enc);
24 | 				response.end(new Buffer(enc, 'binary').toString('base64'));
25 | 			});
26 | 
27 | 
28 | 
29 | 		}
30 | 
31 | 
32 | 		).listen(1337, "127.0.0.1");
33 | console.log("NodeJS server started on port 127.0.0.1:1337 .......");


--------------------------------------------------------------------------------
/AES_Killer-NodeJS-DemoApp/demo.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 |     <head>
  3 |         <title>AES Killer - Demo App</title>
  4 |         <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">
  5 |         <script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/js/materialize.min.js"></script>
  6 | 
  7 |         <script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>
  8 |         <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js" integrity="sha512-nOQuvD9nKirvxDdvQ9OMqe2dgapbPB7vYAMrzJihw5m+aNcf0dX53m6YxM4LgA9u8e9eg9QX+/+mPu8kCNpV2A==" crossorigin="anonymous"></script>
  9 | 
 10 |         <script type="text/javascript">
 11 | 
 12 |             $(function(){
 13 |                 
 14 |                 var _secret_key = "aaaaaaaaaaaaaaaa";
 15 |                 var _iv_param = "bbbbbbbbbbbbbbbb";
 16 |                 var _host = "http://127.0.0.1:3000";
 17 | 
 18 |                 function do_encrypt(_str){
 19 |                     var key = CryptoJS.enc.Utf8.parse(_secret_key);
 20 |                     var iv = CryptoJS.enc.Utf8.parse(_iv_param);
 21 |                     var enc_data = CryptoJS.AES.encrypt(CryptoJS.enc.Utf8.parse(_str), key, { keySize: 128 / 8, iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 });
 22 |                     return enc_data.toString();
 23 |                 }
 24 | 
 25 |                 function do_decrypt(_str){
 26 |                     var key = CryptoJS.enc.Utf8.parse(_secret_key);
 27 |                     var iv = CryptoJS.enc.Utf8.parse(_iv_param);
 28 |                     var plain_text = CryptoJS.AES.decrypt(_str, key, { keySize: 128 / 8, iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 });
 29 |                     return plain_text.toString(CryptoJS.enc.Utf8);
 30 |                 }
 31 | 
 32 |                 var _string = "admin";
 33 |                 var enc_str = do_encrypt(_string);
 34 |                 var dec_str = do_decrypt(enc_str);
 35 |                 
 36 |                 console.log("_string :: " + _string);
 37 |                 console.log("enc_str :: " + enc_str);
 38 |                 console.log("dec_str :: " + dec_str);
 39 | 
 40 | 
 41 |                 $("#v1_login").click(function(){
 42 | 
 43 |                     var _username = $("#v1_username").val();
 44 |                     var _password = $("#v1_password").val();
 45 | 
 46 |                     var req_body = "username="+_username+"&password="+_password;
 47 |                     console.log(req_body);
 48 | 
 49 |                     var enc_req_body = do_encrypt(req_body).toString();
 50 |                     var enc_data = do_decrypt(enc_req_body);
 51 |                     console.log(enc_req_body);
 52 |                     console.log(enc_data);
 53 |                     
 54 | 
 55 |                     $.ajax({
 56 |                         type: "POST",
 57 |                         url: _host + "/v1_login",
 58 |                         dataType: "text",
 59 |                         data: enc_req_body,
 60 |                         success: function(){
 61 |                             console.log("request sent .... success");
 62 |                         },
 63 |                         error: function(){
 64 |                             console.log("request sent .... failed");
 65 |                         }
 66 |                     });
 67 |                 });
 68 | 
 69 |                 $("#v3_login").click(function(){
 70 | 
 71 |                     var _username = $("#v3_username").val();
 72 |                     var _password = $("#v3_password").val();
 73 | 
 74 |                     var req_body = {
 75 |                         username: do_encrypt(_username),
 76 |                         password: do_encrypt(_password)
 77 |                     };
 78 |                     console.log(req_body);
 79 | 
 80 |                     $.ajax({
 81 |                         type: "POST",
 82 |                         url: _host + "/v3_login",
 83 |                         dataType: "json",
 84 |                         contentType: "application/json",
 85 |                         data: JSON.stringify(req_body),
 86 |                         success: function(){
 87 |                             console.log("request sent .... success");
 88 |                         },
 89 |                         error: function(){
 90 |                             console.log("request sent .... failed");
 91 |                         }
 92 |                     });
 93 |                 });
 94 | 
 95 | 
 96 |                 $("#v2_login").click(function(){
 97 | 
 98 |                     var _username = $("#v2_username").val();
 99 |                     var _password = $("#v2_password").val();
100 | 
101 |                     var req_body = "username="+do_encrypt(_username)+"&password="+do_encrypt(_password);
102 |                     console.log(req_body);
103 | 
104 |                     $.ajax({
105 |                         type: "POST",
106 |                         url: _host + "/v2_login",
107 |                         dataType: "application/x-www-form-urlencoded",
108 |                         data: req_body,
109 |                         success: function(){
110 |                             console.log("request sent .... success");
111 |                         },
112 |                         error: function(){
113 |                             console.log("request sent .... failed");
114 |                         }
115 |                     });
116 |                 });
117 | 
118 | 
119 | 
120 | 
121 |                 $("#v4_login").click(function(){
122 | 
123 |                     var _username = $("#v4_username").val();
124 |                     var _password = $("#v4_password").val();
125 | 
126 |                     var req_body = {
127 |                         username: do_encrypt(_username),
128 |                         password: do_encrypt(_password)
129 |                     };
130 |                     console.log(req_body);
131 | 
132 |                     $.ajax({
133 |                         type: "POST",
134 |                         url: _host + "/v4_login",
135 |                         dataType: "json",
136 |                         contentType: "application/json",
137 |                         data: JSON.stringify(req_body),
138 |                         success: function(){
139 |                             console.log("request sent .... success");
140 |                         },
141 |                         error: function(){
142 |                             console.log("request sent .... failed");
143 |                         }
144 |                     });
145 |                 });
146 | 
147 | 
148 |                 $("#v5_login").click(function(){
149 | 
150 |                     var _username = $("#v5_username").val();
151 |                     var _password = $("#v5_password").val();
152 | 
153 |                     var req_body = {
154 |                         username: _username,
155 |                         password: _password
156 |                     };
157 | 
158 |                     var enc_req_body = "data=" + do_encrypt(JSON.stringify(req_body));
159 |                     console.log(enc_req_body);
160 | 
161 |                     $.ajax({
162 |                         type: "POST",
163 |                         url: _host + "/v5_login",
164 |                         dataType: "text",
165 |                         data: enc_req_body,
166 |                         success: function(){
167 |                             console.log("request sent .... success");
168 |                         },
169 |                         error: function(){
170 |                             console.log("request sent .... failed");
171 |                         }
172 |                     });
173 |                 });
174 | 
175 | 
176 |                 $("#v6_login").click(function(){
177 | 
178 |                     var _username = $("#v6_username").val();
179 |                     var _password = $("#v6_password").val();
180 | 
181 |                     var req_body = {
182 |                         username: _username,
183 |                         password: _password
184 |                     };
185 | 
186 |                     var json_req_body = { data: do_encrypt(JSON.stringify(req_body))};
187 |                     console.log(json_req_body);
188 | 
189 |                     $.ajax({
190 |                         type: "POST",
191 |                         url: _host + "/v6_login",
192 |                         dataType: "json",
193 |                         contentType: "application/json",
194 |                         data: JSON.stringify(json_req_body),
195 |                         success: function(){
196 |                             console.log("request sent .... success");
197 |                         },
198 |                         error: function(){
199 |                             console.log("request sent .... failed");
200 |                         }
201 |                     });
202 |                 });
203 | 
204 | 
205 |             });
206 | 
207 | 
208 | 
209 |         </script>
210 | 
211 | 
212 | 
213 | 
214 | 
215 |     </head>
216 | 
217 |     <body class="blue-grey darken-4">
218 |         <div class="container">
219 |             <div class="row">
220 |                 <h1 class="white-text">AES Killer Demo App</h1>
221 |             </div>
222 | 
223 |             <!-- // -------------------------- First Row --------------------------------------------- -->
224 |             <div class="row">
225 |                 <div class="col l5">
226 | 
227 |                     <div class="row">
228 |                         <h5 class="white-text">Complete Request & Response request</h5>
229 |                     </div>
230 |                     
231 |                     <div class="row">
232 |                         <div class="input-field col">
233 |                             <input value="admin" id="v1_username" type="text" class="validate">
234 |                             <label class="active" for="v1_username">User Name</label>
235 |                         </div>
236 |                     </div>
237 | 
238 |                     <div class="row">
239 |                         <div class="input-field col">
240 |                             <input value="admin" id="v1_password" type="password" class="validate">
241 |                             <label class="active" for="v1_password">Password</label>
242 |                         </div>
243 |                     </div>
244 | 
245 |                     <div class="row">
246 |                         <input class="btn black" type="button" value="Login" id="v1_login">
247 |                     </div>
248 | 
249 |                 </div>
250 |                 <div class="col l2"></div>
251 |                 <div class="col l5">
252 | 
253 |                     <div class="row">
254 |                         <h5 class="white-text">Specific Request Parameters and complete response</h5>
255 |                     </div>
256 | 
257 |                     <div class="row">
258 |                         <div class="input-field col">
259 |                             <input value="admin" id="v2_username" type="text" class="validate">
260 |                             <label class="active" for="v2_username">User Name</label>
261 |                         </div>
262 |                     </div>
263 | 
264 |                     <div class="row">
265 |                         <div class="input-field col">
266 |                             <input value="admin" id="v2_password" type="password" class="validate">
267 |                             <label class="active" for="v2_password">Password</label>
268 |                         </div>
269 |                     </div>
270 | 
271 |                     <div class="row">
272 |                         <input class="btn black" type="button" value="Login" id="v2_login">
273 |                     </div>
274 | 
275 |                 </div>
276 | 
277 |             </div>
278 | 
279 |             
280 |             
281 |         <hr>
282 |             
283 |             
284 |             <!-- ---------------------------------- Second Row --------------------------------------- -->
285 | 
286 |             <div class="row">
287 |                 <div class="col l5">
288 | 
289 |                     <div class="row">
290 |                         <h5 class="white-text">Specific JSON Request parameters & complete response</h5>
291 |                     </div>
292 |                     
293 |                     <div class="row">
294 |                         <div class="input-field col">
295 |                             <input value="admin" id="v3_username" type="text" class="validate">
296 |                             <label class="active" for="v3_username">User Name</label>
297 |                         </div>
298 |                     </div>
299 | 
300 |                     <div class="row">
301 |                         <div class="input-field col">
302 |                             <input value="admin" id="v3_password" type="password" class="validate">
303 |                             <label class="active" for="v3_password">Password</label>
304 |                         </div>
305 |                     </div>
306 | 
307 |                     <div class="row">
308 |                         <input class="btn black" type="button" value="Login" id="v3_login">
309 |                     </div>
310 | 
311 |                 </div>
312 |                 <div class="col l2"></div>
313 |                 <div class="col l5">
314 | 
315 |                     <div class="row">
316 |                         <h5 class="white-text">Specific Request and Response Parameters </h5>
317 |                     </div>
318 | 
319 |                     <div class="row">
320 |                         <div class="input-field col">
321 |                             <input value="admin" id="v4_username" type="text" class="validate">
322 |                             <label class="active" for="v4_username">User Name</label>
323 |                         </div>
324 |                     </div>
325 | 
326 |                     <div class="row">
327 |                         <div class="input-field col">
328 |                             <input value="admin" id="v4_password" type="password" class="validate">
329 |                             <label class="active" for="v4_password">Password</label>
330 |                         </div>
331 |                     </div>
332 | 
333 |                     <div class="row">
334 |                         <input class="btn black" type="button" value="Login" id="v4_login">
335 |                     </div>
336 | 
337 |                 </div>
338 | 
339 |             </div>
340 | 
341 | 
342 | 
343 | 
344 |             <hr>
345 | 
346 | 
347 | 
348 |             <!-- ------------------------------- Third Row -------------------------------------------- -->
349 | 
350 |             <div class="row">
351 |                 <div class="col l5">
352 | 
353 |                     <div class="row">
354 |                         <h5 class="white-text">Override Request & Response (Variant-01)</h5>
355 |                     </div>
356 |                     
357 |                     <div class="row">
358 |                         <div class="input-field col">
359 |                             <input value="admin" id="v5_username" type="text" class="validate">
360 |                             <label class="active" for="v5_username">User Name</label>
361 |                         </div>
362 |                     </div>
363 | 
364 |                     <div class="row">
365 |                         <div class="input-field col">
366 |                             <input value="admin" id="v5_password" type="password" class="validate">
367 |                             <label class="active" for="v5_password">Password</label>
368 |                         </div>
369 |                     </div>
370 | 
371 |                     <div class="row">
372 |                         <input class="btn black" type="button" value="Login" id="v5_login">
373 |                     </div>
374 | 
375 |                 </div>
376 | 
377 |                 <div class="col l2"></div>
378 |                 <div class="col l5">
379 | 
380 |                     <div class="row">
381 |                         <h5 class="white-text">Override Request & Response (Variant-02)</h5>
382 |                     </div>
383 |                     
384 |                     <div class="row">
385 |                         <div class="input-field col">
386 |                             <input value="admin" id="v6_username" type="text" class="validate">
387 |                             <label class="active" for="v6_username">User Name</label>
388 |                         </div>
389 |                     </div>
390 | 
391 |                     <div class="row">
392 |                         <div class="input-field col">
393 |                             <input value="admin" id="v6_password" type="password" class="validate">
394 |                             <label class="active" for="v6_password">Password</label>
395 |                         </div>
396 |                     </div>
397 | 
398 |                     <div class="row">
399 |                         <input class="btn black" type="button" value="Login" id="v6_login">
400 |                     </div>
401 | 
402 |                 </div>
403 | 
404 |             </div>
405 | 
406 | 
407 |         </div>
408 |     </body>
409 | 
410 | </html>


--------------------------------------------------------------------------------
/AES_Killer-NodeJS-DemoApp/server.js:
--------------------------------------------------------------------------------
  1 | const express = require("express")
  2 | const path = require("path")
  3 | const bodyParser = require('body-parser');
  4 | const CryptoJS = require("crypto-js");
  5 | const cors = require("cors");
  6 | 
  7 | const _secret_key = "aaaaaaaaaaaaaaaa"; // YWFhYWFhYWFhYWFhYWFhYQ==
  8 | const _iv_param = "bbbbbbbbbbbbbbbb";  // YmJiYmJiYmJiYmJiYmJiYg==
  9 | 
 10 | function do_encrypt(_str){
 11 |     var key = CryptoJS.enc.Utf8.parse(_secret_key);
 12 |     var iv = CryptoJS.enc.Utf8.parse(_iv_param);
 13 |     var enc_data = CryptoJS.AES.encrypt(CryptoJS.enc.Utf8.parse(_str), key, { keySize: 128 / 8, iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 });
 14 |     return enc_data.toString();
 15 | }
 16 | 
 17 | function do_decrypt(_str){
 18 |     var key = CryptoJS.enc.Utf8.parse(_secret_key);
 19 |     var iv = CryptoJS.enc.Utf8.parse(_iv_param);
 20 |     var plain_text = CryptoJS.AES.decrypt(_str, key, { keySize: 128 / 8, iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7 });
 21 |     return plain_text.toString(CryptoJS.enc.Utf8);
 22 | }
 23 | 
 24 | 
 25 | const app = express();
 26 | app.use("/v1_login", bodyParser.text({type:"*/*"}));
 27 | app.use("/v2_login", bodyParser.urlencoded({ extended: true }));
 28 | app.use("/v3_login", bodyParser.json());
 29 | app.use("/v4_login", bodyParser.json());
 30 | app.use("/v6_login", bodyParser.json());
 31 | app.use(bodyParser.urlencoded({ extended: true }));
 32 | 
 33 | app.use(cors({ origin: '*'}));
 34 | 
 35 | 
 36 | app.get("/", (req, res) =>{
 37 |     res.sendFile(path.join(__dirname + "/demo.html"));
 38 | })
 39 | 
 40 | app.post("/v1_login", (req, res) => {
 41 |     // console.log(req.body);
 42 |     var dec_body = (do_decrypt(req.body));
 43 |     console.log(dec_body);
 44 |     var res_data = "you sent :: " + dec_body.toString();
 45 |     var enc_res_data = do_encrypt(res_data).toString(); 
 46 |     // console.log(res_data);
 47 |     // console.log(enc_res_data);
 48 |     res.write(enc_res_data);
 49 |     // res.sendStatus(200);
 50 |     res.end();
 51 |     
 52 | });
 53 | 
 54 | 
 55 | app.post("/v2_login", (req, res) => {
 56 |     console.log("username :: " + req.body.username);
 57 |     console.log("password :: " + req.body.password);
 58 | 
 59 |     var _username = do_decrypt(req.body.username);
 60 |     var _password = do_decrypt(req.body.password);
 61 | 
 62 |     var res_body = "you sent :: username=" + _username + " :: password="+_password
 63 |     res.write(do_encrypt(res_body));
 64 |     res.end();
 65 |     
 66 | });
 67 | 
 68 | app.post("/v3_login", (req, res) => {
 69 |     console.log("username :: " + req.body.username);
 70 |     console.log("password :: " + req.body.password);
 71 | 
 72 |     var _username = do_decrypt(req.body.username);
 73 |     var _password = do_decrypt(req.body.password);
 74 | 
 75 |     var res_body = "you sent :: username=" + _username + " :: password="+_password
 76 |     
 77 |     res.write(res_body);
 78 |     res.end();
 79 |     
 80 | });
 81 | 
 82 | app.post("/v4_login", (req, res) => {
 83 |     console.log("username :: " + req.body.username);
 84 |     console.log("password :: " + req.body.password);
 85 | 
 86 |     var _username = do_decrypt(req.body.username);
 87 |     var _password = do_decrypt(req.body.password);
 88 | 
 89 |     var res_body = '{ "username":"' + do_encrypt(_username) + '","password":"' + do_encrypt(_password) + '"}';
 90 |     
 91 |     res.write(res_body);
 92 |     res.end();
 93 |     
 94 | });
 95 | 
 96 | app.post("/v5_login", (req, res) => {
 97 |     console.log("data :: " + req.body.data);    
 98 |     var _data = do_decrypt(req.body.data);
 99 |     
100 |     console.log(_data);
101 |     res.write("{\"data\":\"" + do_encrypt(_data) + "\"}");
102 |     res.end();
103 |     
104 | });
105 | 
106 | app.post("/v6_login", (req, res) => {
107 |     console.log("data :: " + req.body.data);    
108 |     var _data = do_decrypt(req.body.data);
109 |     
110 |     console.log(_data);
111 |     res.write("data=" + do_encrypt(_data));
112 |     res.end();
113 |     
114 | });
115 | 
116 | 
117 | 
118 | app.listen(3000)
119 | console.log("Express server started on port 3000 ...... ");
120 | 
121 | 
122 | 


--------------------------------------------------------------------------------
/SRePlay/api/v9/api.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | session_start();
 4 | 
 5 | function generateRandomString($length = 10) {
 6 |     $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
 7 |     $charactersLength = strlen($characters);
 8 |     $randomString = '';
 9 |     for ($i = 0; $i < $length; $i++) {
10 |         $randomString .= $characters[rand(0, $charactersLength - 1)];
11 |     }
12 |     return $randomString;
13 | }
14 | 
15 | //header("Content-Type: application/json");
16 | 
17 | // Create a new CSRF token.
18 | if (! isset($_SESSION['csrf_token'])) {
19 |     $_SESSION['csrf_token'] = base64_encode(generateRandomString(32));
20 | }
21 | 
22 | function genToken(){
23 | 	$_SESSION['csrf_token'] = base64_encode(generateRandomString(32));
24 | 	return $_SESSION['csrf_token'];
25 | }
26 | 
27 | if (isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token']) {
28 |     // POST data is valid.
29 | 	unset($_SESSION['csrf_token']);
30 | 	$q = '';
31 | 	
32 | 	if(isset($_POST['q']) && !empty($_POST['q'])){
33 | 		$q = $_POST['q'];
34 | 	}
35 | 	
36 | 	$data = 'Select car';
37 | 	
38 | 	switch($q){
39 | 		case "volvo":
40 | 			$data = 'Volvo revolvo';
41 | 			break;
42 | 		case "saab":
43 | 			$data = 'Saab besaab';
44 | 			break;
45 | 		case "mercedes":
46 | 			$data = 'Mercedes ease';
47 | 			break;
48 | 		case "audi":
49 | 			$data = 'Audi body';
50 | 			break;
51 | 	}
52 | 	
53 | 	$res = array("success"=>true, "data"=>$data, "token"=>genToken());
54 | 
55 | } else {
56 | 	$res = array("success"=>false, "data"=>"Invalid Token");
57 | }
58 | 
59 | echo json_encode($res);
60 | 
61 | ?>


--------------------------------------------------------------------------------
/SRePlay/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | session_start();
 4 | 
 5 | // Create a new CSRF token.
 6 | if (! isset($_SESSION['csrf_token'])) {
 7 |     $_SESSION['csrf_token'] = base64_encode(openssl_random_pseudo_bytes(32));
 8 | }
 9 | 
10 | ?>
11 | 
12 | <!DOCTYPE html>
13 | <html lang="en">
14 | <head>
15 |     <meta charset="utf-8" /> 
16 |     <title>PHP Replay Protection</title>
17 | 	<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
18 |     <script>
19 | 	
20 | 	var token = "<?php echo $_SESSION['csrf_token']; ?>";
21 | 	
22 |     </script>
23 | 	
24 | <script>
25 | $(document).ready(function(){
26 |   $("#search").click(function(){
27 | 	event.preventDefault();
28 | 		var query = $("#q").val();
29 |         $.post('/www/api/v9/api.php', { action: 'search', q: query, csrf_token: token  }, function(data) {
30 |             console.log(data);
31 | 			var obj = JSON.parse(data);
32 | 			console.log(obj);
33 | 			token = obj.token;
34 | 			console.log(obj.token);
35 | 			alert(obj.data);
36 |         });
37 |   });
38 | });
39 | </script>
40 | 	
41 | 	
42 | </head>
43 | <body>
44 |     <form action="/www/index.php" method="post" accept-charset="utf-8">
45 | 	
46 | 		<label for="q">Choose a car:</label>
47 | 
48 | 		<select name="q" id="q">
49 | 		  <option value="volvo">Volvo</option>
50 | 		  <option value="saab">Saab</option>
51 | 		  <option value="mercedes">Mercedes</option>
52 | 		  <option value="audi">Audi</option>
53 | 		</select>
54 | 	
55 |         <!--<input type="text" id="q" name="q" />-->
56 |         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
57 |         <!--<input type="submit" id ="" value="Submit" />-->
58 | 		<button id="search">Get Something</button>
59 |     </form>
60 | </body>
61 | </html>


--------------------------------------------------------------------------------