eybisi/darkcon_fire_in_the_androiddd.js

## darkcon_fire_in_the_androiddd.js
// send following command to trigger
// adb shell 'am broadcast -a flag_checker --es flag "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -n com.application.darkcon/com.application.darkcon.MyReceiver'

var flag = ""
var looper = Module.getExportByName("libnative-lib.so","_Z6looperj")
var nlib = Module.getBaseAddress("libnative-lib.so")


function bytes2hex(array) {
    array = Java.array('byte',array)
    let result = '';
    for (let i = 0; i < array.length; ++i)
            result += ('0' + (array[i] & 0xFF).toString(16)).slice(-2);
    return result;
};


if(looper){
    Interceptor.attach(looper,{
        onEnter: function (args) {
            this.i = args[0].toInt32()

        },
        onLeave: function(retval){
            // iVar2 = _JNIEnv::GetArrayLength((_JNIEnv *)param_1,param_3);
            // my = _JNIEnv::GetArrayLength((_JNIEnv *)param_1,param_4);
            // if (iVar2 == my) {
            //   my = _JNIEnv::GetByteArrayElements((_JNIEnv *)param_1,(_jbyteArray *)param_3,(uchar *)0x0);
            //   enc = _JNIEnv::GetLongArrayElements((_JNIEnv *)param_1,(_jlongArray *)param_4,(uchar *)0x0);
            //   i = 0;
            //   while ((int)i < iVar2) {
            //     enc_i = *(uint *)(enc + i * 8);
            //     uVar1 = *(uint *)(enc + 4 + i * 8);
            //     my_i = *(char *)(my + i);
            //     loop_r = looper(i);
            //     if ((enc_i ^ (int)my_i ^ loop_r | uVar1) != 0) {
            //       return 0;
            //     }
            //     i = i + 1;
            //   }
            //   local_15 = 1;
            // }
            var a = [101, 96, 112, 110, 77, 101, 202, 470, 1506, 4758, 16815, 58877, 208123, 742855, 2674489, 9694735, 35357570, 129644713, 477638735, 1767263206, 2269153033, 2991430638, 1288250377, 3757197244, 1413958429, 43422424, 2072914473, 2325361044, 2600037558, 3008195127, 3276256895, 4169229947, 300814809, 3929270464, 2526730686, 2527522239, 645964816, 1351610749, 573153031, 1347646066, 1945953402, 3824419424, 480774039, 2833665279, 2366904092, 2809807660, 3295802436, 3644429150, 720643560, 906311378,
                992169127, 1211139059, 1465960990, 4269303883, 3179939394, 4095898594, 580984841, 3596758568, 1063564231, 3288906933]

            // console.log(hexdump(nlib.add(0x32e50).add(2*this.i-52115),{length:10,ansi:true}))
            var v5 = a[this.i] & 0xffffffff00000000 >> 8
            // console.log(v5)
            var looper_r = retval.toInt32()
            var xor_res = looper_r ^ 97 ^ a[this.i] & 0x00000000ffffffff
            var or_res = v5 | looper_r ^ 97 ^ a[this.i]  & 0x00000000ffffffff
            for(var t = 0;t<256;t++){
                var xor_t = v5 | looper_r ^ t ^ a[this.i] & 0x00000000ffffffff
                if((xor_t) == 0){
                    flag += String.fromCharCode(t)
                    console.log(flag)
                    //hacky way to force native library to continue
                    //replaciing retval such that `enc_i ^ my_i ^ loop_r | uVar1` will be 0
                    retval.replace(ptr(looper_r^97^t))
                }
            }
            // console.log("XOR result : ",xor_res)
            // console.log("OR1 Result : ",String.fromCharCode(or_res))
            // console.log("OR2 Result : ",v5|xor_res)
            // console.log(retval.toInt32())


        }
    })
}
Java.perform(function(){
    var q = Java.use("com.application.darkcon.MyReceiver")
    q.magic.implementation = function(my,enc_flag){
        // console.log("Sending ",bytes2hex(my))
        // send(enc_flag)
        var rv = this.magic(my,enc_flag)
        // console.log("Return : ",rv)
        return rv

    }

})
	// send following command to trigger
	// adb shell 'am broadcast -a flag_checker --es flag "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -n com.application.darkcon/com.application.darkcon.MyReceiver'

	var flag = ""
	var looper = Module.getExportByName("libnative-lib.so","_Z6looperj")
	var nlib = Module.getBaseAddress("libnative-lib.so")


	function bytes2hex(array) {
	array = Java.array('byte',array)
	let result = '';
	for (let i = 0; i < array.length; ++i)
	result += ('0' + (array[i] & 0xFF).toString(16)).slice(-2);
	return result;
	};


	if(looper){
	Interceptor.attach(looper,{
	onEnter: function (args) {
	this.i = args[0].toInt32()

	},
	onLeave: function(retval){
	// iVar2 = _JNIEnv::GetArrayLength((_JNIEnv *)param_1,param_3);
	// my = _JNIEnv::GetArrayLength((_JNIEnv *)param_1,param_4);
	// if (iVar2 == my) {
	// my = _JNIEnv::GetByteArrayElements((_JNIEnv )param_1,(_jbyteArray )param_3,(uchar *)0x0);
	// enc = _JNIEnv::GetLongArrayElements((_JNIEnv )param_1,(_jlongArray )param_4,(uchar *)0x0);
	// i = 0;
	// while ((int)i < iVar2) {
	// enc_i = (uint )(enc + i * 8);
	// uVar1 = (uint )(enc + 4 + i * 8);
	// my_i = (char )(my + i);
	// loop_r = looper(i);
	// if ((enc_i ^ (int)my_i ^ loop_r \| uVar1) != 0) {
	// return 0;
	// }
	// i = i + 1;
	// }
	// local_15 = 1;
	// }
	var a = [101, 96, 112, 110, 77, 101, 202, 470, 1506, 4758, 16815, 58877, 208123, 742855, 2674489, 9694735, 35357570, 129644713, 477638735, 1767263206, 2269153033, 2991430638, 1288250377, 3757197244, 1413958429, 43422424, 2072914473, 2325361044, 2600037558, 3008195127, 3276256895, 4169229947, 300814809, 3929270464, 2526730686, 2527522239, 645964816, 1351610749, 573153031, 1347646066, 1945953402, 3824419424, 480774039, 2833665279, 2366904092, 2809807660, 3295802436, 3644429150, 720643560, 906311378,
	992169127, 1211139059, 1465960990, 4269303883, 3179939394, 4095898594, 580984841, 3596758568, 1063564231, 3288906933]

	// console.log(hexdump(nlib.add(0x32e50).add(2*this.i-52115),{length:10,ansi:true}))
	var v5 = a[this.i] & 0xffffffff00000000 >> 8
	// console.log(v5)
	var looper_r = retval.toInt32()
	var xor_res = looper_r ^ 97 ^ a[this.i] & 0x00000000ffffffff
	var or_res = v5 \| looper_r ^ 97 ^ a[this.i] & 0x00000000ffffffff
	for(var t = 0;t<256;t++){
	var xor_t = v5 \| looper_r ^ t ^ a[this.i] & 0x00000000ffffffff
	if((xor_t) == 0){
	flag += String.fromCharCode(t)
	console.log(flag)
	//hacky way to force native library to continue
	//replaciing retval such that `enc_i ^ my_i ^ loop_r \| uVar1` will be 0
	retval.replace(ptr(looper_r^97^t))
	}
	}
	// console.log("XOR result : ",xor_res)
	// console.log("OR1 Result : ",String.fromCharCode(or_res))
	// console.log("OR2 Result : ",v5\|xor_res)
	// console.log(retval.toInt32())


	}
	})
	}
	Java.perform(function(){
	var q = Java.use("com.application.darkcon.MyReceiver")
	q.magic.implementation = function(my,enc_flag){
	// console.log("Sending ",bytes2hex(my))
	// send(enc_flag)
	var rv = this.magic(my,enc_flag)
	// console.log("Return : ",rv)
	return rv

	}

	})