
@iGio90
Last active October 12, 2017 22:31
// Arm the hooks as soon as the script is loaded. Function declarations are
// hoisted, so calling inject() before its definition below is fine.
inject();
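/**
 * Frida agent that follows one session-setup sequence inside libg.so and dumps
 * the buffers it passes through.
 *
 * The hooks are armed in stages. Each stage attaches the next one and, where the
 * original did so, tears every existing hook down with Interceptor.detachAll()
 * (note: that call removes ALL hooks this script installed, not just the current
 * one). Order:
 *   1. send()            -> wait for an outgoing message whose first two wire
 *                           bytes are 27 74
 *   2. loginBuilder      -> attach the keypair hook
 *   3. keypair           -> on return, dump the two 32-byte buffers the callee
 *                           was given (named pk/sk by the original author)
 *   4. b2Update/b2Finish -> dump the 32-byte second argument of each update and
 *                           the first 200 bytes behind the finish argument
 *                           ("b2" presumably BLAKE2 — confirm against the binary)
 *   5. nm (2nd call)     -> dump a 24-byte and a 32-byte argument (sizes match a
 *                           24-byte nonce and a 32-byte key — unconfirmed)
 *   6. finalNm           -> re-hook send() and dump the whole message whose
 *                           first two wire bytes are 27 75, then detach everything
 *
 * Everything printed is secret, per-session material taken from process memory
 * (the keypair output is visible in the login message as well). Do not leave
 * these logs in tickets, gists or CI output.
 *
 * The function offsets are specific to the libg.so build this was written
 * against and must be re-derived for any other build.
 *
 * @param {Object} [offsets] optional per-build overrides for the function
 *   offsets. Keys: keypair, loginBuilder, nm, finalNm, b2Finish, b2Update.
 *   Values are plain offsets from the module base, WITHOUT the +1 that is added
 *   here. Missing keys fall back to the built-in defaults.
 */
function inject(offsets) {
  // Offsets (from module base) of the hooked functions in the original build.
  var DEFAULT_OFFSETS = {
    keypair: 0x1BC65C,
    loginBuilder: 0x243578,
    nm: 0x12AD64,
    finalNm: 0x148378,
    b2Finish: 0x002B0884,
    b2Update: 0x002E251A
  };

  // Message ids as Memory.readUShort() returns them on this little-endian
  // target: the wire bytes 27 74 / 27 75 read back as 0x7427 / 0x7527
  // (decimal 29735 / 29991 in the original).
  var HELLO_MSG = 0x7427;
  var LOGIN_MSG = 0x7527;

  // Turn the offset table into absolute NativePointers. NativePointer.add()
  // keeps full pointer precision, unlike parseInt()+ptr() on a 64-bit address.
  // The +1 is presumably the Thumb bit (odd address = Thumb function) — confirm
  // for this build before reusing the offsets elsewhere.
  function resolveHooks(base) {
    var overrides = offsets || {};
    var hooks = {};
    Object.keys(DEFAULT_OFFSETS).forEach(function (name) {
      var off = typeof overrides[name] === "number" ? overrides[name] : DEFAULT_OFFSETS[name];
      hooks[name] = ptr(base).add(off + 1);
    });
    return hooks;
  }

  // Resolve send() through libg.so. Interceptor.attach(null) would throw an
  // unhelpful error, so fail with a clear message instead.
  // NOTE(review): send is presumably an import of libg.so rather than an export;
  // if this resolves to null on another Frida version, look it up in libc.
  function findSend() {
    var address = Module.findExportByName("libg.so", "send");
    if (address === null) {
      throw new Error("libg.so: cannot resolve send()");
    }
    return address;
  }

  // Read `length` bytes at `address` and print them with the hexdump layout
  // every dump in this script uses.
  function dump(address, length) {
    var bytes = Memory.readByteArray(address, length);
    console.log(hexdump(bytes, {
      offset: 0,
      length: length,
      header: true,
      ansi: true
    }));
  }

  // Stage 6b: dump the first outgoing message with wire type 27 75 in full
  // (args[1] = buffer, args[2] = length), then remove every hook.
  function hookLoginMessage() {
    Interceptor.attach(findSend(), {
      onEnter: function (args) {
        if (Memory.readUShort(args[1]) !== LOGIN_MSG) {
          return;
        }
        dump(args[1], args[2].toInt32());
        Interceptor.detachAll();
      },
      onLeave: function (retval) {
      }
    });
  }

  // Stage 6a: once finalNm returns, start watching send() for the login message.
  function hookFinalNm(hooks) {
    Interceptor.attach(hooks.finalNm, {
      onEnter: function (args) {
      },
      onLeave: function (retval) {
        hookLoginMessage();
      }
    });
  }

  // Stage 5: dump the 24-byte args[1] and 32-byte args[2] of the SECOND call
  // to nm only; the first call (and any later one) is skipped, as in the
  // original counter logic.
  function hookNm(hooks) {
    var calls = 0;
    Interceptor.attach(hooks.nm, {
      onEnter: function (args) {
        calls++;
        if (calls !== 2) {
          return;
        }
        console.log("ENTERING NM");
        dump(args[1], 24);
        dump(args[2], 32);
      },
      onLeave: function (retval) {
      }
    });
  }

  // Stage 4: dump each 32-byte b2Update input and the 200 bytes behind the
  // b2Finish argument; when finish returns, detach everything and arm stage 5/6.
  function hookB2(hooks) {
    Interceptor.attach(hooks.b2Update, {
      onEnter: function (args) {
        console.log("UPDATING B2");
        dump(args[1], 32);
      },
      onLeave: function (retval) {
      }
    });
    Interceptor.attach(hooks.b2Finish, {
      onEnter: function (args) {
        console.log("B2 FINISH!");
        dump(args[0], 200);
      },
      onLeave: function (retval) {
        Interceptor.detachAll();
        hookNm(hooks);
        hookFinalNm(hooks);
      }
    });
  }

  // Stage 3: remember the two output pointers on entry, dump 32 bytes from each
  // after the call has filled them, then detach everything and arm stage 4.
  function hookKeypair(hooks) {
    var pk;
    var sk;
    Interceptor.attach(hooks.keypair, {
      onEnter: function (args) {
        console.log("ENTERING KEYPAIR");
        pk = args[0];
        sk = args[1];
      },
      onLeave: function (retval) {
        console.log("LEAVING KEYPAIR!");
        dump(pk, 32);
        dump(sk, 32);
        Interceptor.detachAll();
        hookB2(hooks);
      }
    });
  }

  // Stage 2: every entry into loginBuilder arms a fresh keypair hook (stage 3).
  function hookLoginBuilder(hooks) {
    Interceptor.attach(hooks.loginBuilder, {
      onEnter: function (args) {
        console.log("LOGIN!");
        hookKeypair(hooks);
      },
      onLeave: function (retval) {
      }
    });
  }

  // Stage 1: wait for libg.so, resolve the hook addresses and watch send()
  // until a message with wire type 27 74 goes out.
  Process.enumerateModules({
    onMatch: function (module) {
      if (module.name !== "libg.so") {
        return;
      }
      console.log(JSON.stringify(module));
      var hooks = resolveHooks(module.base);
      Interceptor.attach(findSend(), {
        onEnter: function (args) {
          // Log the first two bytes (the message type) of every outgoing buffer.
          console.log(Memory.readByteArray(args[1], 2));
          if (Memory.readUShort(args[1]) === HELLO_MSG) {
            console.log("SENT HELLO!");
            hookLoginBuilder(hooks);
          }
        },
        onLeave: function (retval) {
        }
      });
    },
    onComplete: function () {
    }
  });
}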
SENT HELLO!
LOGIN!
ENTERING KEYPAIR
LEAVING KEYPAIR!
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 9f 67 08 7c 81 96 48 48 4f 9b ce d7 98 15 ae b7 .g.|..HHO.......
00000010 f8 34 2e 36 14 15 7e 1a b8 a2 35 a4 d8 dc ad 50 .4.6..~...5....P
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 2f e1 c7 59 ef e0 41 22 64 a9 7d cc d0 59 96 a4 /..Y..A"d.}..Y..
00000010 fe e3 d7 a1 51 fb d8 89 16 c7 1c dc 33 b3 3b eb ....Q.......3.;.
UPDATING B2
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 9f 67 08 7c 81 96 48 48 4f 9b ce d7 98 15 ae b7 .g.|..HHO.......
00000010 f8 34 2e 36 14 15 7e 1a b8 a2 35 a4 d8 dc ad 50 .4.6..~...5....P
UPDATING B2
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 81 dc 6b 89 6f b5 c9 36 0a fb 9f 51 41 db ae 21 ..k.o..6...QA..!
00000010 41 c1 ab 94 17 66 84 b0 0b 8e e6 76 29 a8 74 00 A....f.....v).t.
B2 FINISH!
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 18 00 00 00 10 c9 bd f2 67 e6 09 6a 3b a7 ca 84 ........g..j;...
00000010 85 ae 67 bb 2b f8 94 fe 72 f3 6e 3c f1 36 1d 5f ..g.+...r.n<.6._
00000020 3a f5 4f a5 d1 82 e6 ad 7f 52 0e 51 1f 6c 3e 2b :.O......R.Q.l>+
00000030 8c 68 05 9b 6b bd 41 fb ab d9 83 1f 79 21 7e 13 .h..k.A.....y!~.
00000040 19 cd e0 5b 00 00 00 00 00 00 00 00 00 00 00 00 ...[............
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 9f 67 08 7c 81 96 48 48 4f 9b ce d7 .....g.|..HHO...
00000070 98 15 ae b7 f8 34 2e 36 14 15 7e 1a b8 a2 35 a4 .....4.6..~...5.
00000080 d8 dc ad 50 f6 e0 7c 02 b7 28 df ee 9a 84 92 04 ...P..|..(......
00000090 b2 ac 1a 30 04 ae 3c e1 91 09 2a e9 ae 51 88 db ...0..<...*..Q..
000000a0 41 76 85 28 00 00 00 00 00 00 00 00 00 00 00 00 Av.(............
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000c0 00 00 00 00 00 00 00 00 ........
ENTERING NM
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 f9 a3 d2 d5 de cb b9 e0 c7 81 c1 0f f5 ed ad a2 ................
00000010 f0 b9 8b 50 aa 59 df 79 ...P.Y.y
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 0c 81 48 d4 66 40 7e 47 a7 23 11 b7 ea 03 af 1b ..H.f@~G.#......
00000010 49 a3 bb 0c 0c d4 5f e6 b9 95 24 fa e1 6a 6f d2 I....._...$..jo.
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
// login message (wire type 27 75) as handed to send(): a 7-byte header (27 75 00 01 81 00 03 — bytes 2-4 read as 0x181 = 385, consistent with a big-endian payload length, since 392 - 7 = 385), then the first 32-byte keypair output from above (9f 67 08 7c … dc ad 50) in the clear at offset 7, then the encrypted body from offset 0x27
00000000 27 75 00 01 81 00 03 9f 67 08 7c 81 96 48 48 4f 'u......g.|..HHO
00000010 9b ce d7 98 15 ae b7 f8 34 2e 36 14 15 7e 1a b8 ........4.6..~..
00000020 a2 35 a4 d8 dc ad 50 cd 69 40 a7 64 48 54 69 7a .5....P.i@.dHTiz
00000030 c4 ad a2 95 32 42 2a d0 4a 37 66 8c cd 85 6b 76 ....2B*.J7f...kv
00000040 fb da f0 cf ba fb c3 8e 24 c1 b2 b4 3b e4 08 5c ........$...;..\
00000050 3b fd 19 b3 c4 9d 2b 97 45 e4 9f 78 7a 88 2d 2c ;.....+.E..xz.-,
00000060 aa 07 19 bf 33 98 13 7f 42 e6 04 9c f5 71 dd 7c ....3...B....q.|
00000070 c7 f0 54 cc c6 60 d3 87 1c 08 82 1c 8f 5a 0d 23 ..T..`.......Z.#
00000080 c4 7f d7 5a 2a 22 bf 79 35 24 56 d5 47 a4 6f 26 ...Z*".y5$V.G.o&
00000090 8e cd 0b 20 05 90 1f cb c4 24 58 37 83 3b 4d a9 ... .....$X7.;M.
000000a0 7f c3 8f 5d e1 55 e7 b7 eb 34 e0 82 41 90 73 a6 ...].U...4..A.s.
000000b0 6f 84 74 89 ab de ea 7a b3 90 25 29 7d 88 d0 63 o.t....z..%)}..c
000000c0 de 23 ec 7d 55 ee 65 bf e9 c6 c0 68 3d 4e 96 90 .#.}U.e....h=N..
000000d0 30 05 d8 88 a2 d6 32 af 21 c8 98 f1 18 22 4d 64 0.....2.!...."Md
000000e0 41 0e 02 67 42 39 05 80 01 38 57 94 74 35 93 37 A..gB9...8W.t5.7
000000f0 a9 84 9a 63 e1 a0 99 52 58 c1 39 50 47 b6 5a 70 ...c...RX.9PG.Zp
00000100 97 08 88 b9 af ec aa cb f7 ad 41 1b 7c a1 c1 e3 ..........A.|...
00000110 8f af f0 d0 2d a4 5c f3 ee fc e4 d3 5b 68 36 5d ....-.\.....[h6]
00000120 db 53 d0 47 a0 b9 0f 6a 29 23 e7 c7 14 29 f8 ce .S.G...j)#...)..
00000130 83 c9 88 96 d9 eb 57 fd 0a 6e 62 cf 22 e2 b8 97 ......W..nb."...
00000140 fa 4d f3 fd 1a 4c ba 3e 4c 7a ee c0 09 7c 77 bc .M...L.>Lz...|w.
00000150 a1 47 7f d4 22 da bb 1d 87 77 2b f6 99 44 bf 14 .G.."....w+..D..
00000160 44 97 b8 f2 a7 5d ea c4 57 39 77 c1 05 1a 23 32 D....]..W9w...#2
00000170 b6 e3 a9 9b f5 54 79 72 4f f7 ca 8a 97 b7 93 63 .....TyrO......c
00000180 ef 6b 75 6d 99 ce 13 08 .kum....
// decrypted login payload (hex, length-prefixed fields; the leading bytes seem to have lost a nibble in the paste). Readable fields include a device model ("LG-H850"), a locale ("it-IT"), an OS version ("7.0"), a 40-hex-character token and two UUID-style identifiers — this is identifying data, treat it accordingly
00000004e0000002862396661313536326161363932313562656632376334313037626263373065356433616332633037000000000000001034633363346630623835346630623361000000074c472d48383530001e84840000000569742d49540000002431636261356432312d336139352d343830322d623035392d32353436303331303333343800000003372e30020000000000000010346333633466306238353466306233610000002430646464633864632d646233622d346635632d626233652d3530313431633335316637370000000001000000020000000000000000ffffff88