// Entry point: runs as soon as the script is loaded into the target process.
inject(); | |
// Frida instrumentation script that traces the login handshake inside libg.so
// and logs (via hexdump) the buffers passed through a chain of internal routines.
// All routine addresses are hard-coded offsets from the module base, so this only
// matches the exact build of libg.so they were taken from; on any other build the
// hooks land on unrelated code. Console output, not the instrumented program, is
// the only side effect.
function inject() { | |
// Walk every loaded module and act only on libg.so (onComplete is a no-op).
Process.enumerateModules({ | |
onMatch: function (module) { | |
if (module.name === "libg.so") { | |
console.log(JSON.stringify(module)); | |
var base = module.base; | |
// NOTE(review): parseInt() on a NativePointer goes through its string form and
// cannot represent addresses above 2^53 exactly; base.add(offset) would avoid
// that. The "+ 1" on every address is presumably a Thumb-mode bit — confirm.
var keypair = ptr(parseInt(base) + 1 + 0x1BC65C); | |
var loginBuilder = ptr(parseInt(base) + 1 + 0x243578); | |
var nm = ptr(parseInt(base) + 1 + 0x12AD64); | |
var finalNm = ptr(parseInt(base) + 1 + 0x148378); | |
var b2finishwrap = ptr(parseInt(base) + 1 + 0x002B0884); | |
var b2updatewrap = ptr(parseInt(base) + 1 + 0x002E251A); | |
// Stage 1: watch outgoing send() calls until the expected first message is seen.
// NOTE(review): findExportByName returns null when the export is missing, and
// Interceptor.attach(null, ...) throws — there is no check for that here.
Interceptor.attach(Module.findExportByName("libg.so", "send"), { | |
onEnter: function (args) { | |
// Logs the ArrayBuffer object itself, not its contents (only the hexdump calls
// below render bytes).
var buf = Memory.readByteArray(args[1], 2); | |
console.log(buf); | |
// First two bytes of the outgoing buffer, read in host byte order; 29735
// (0x7427) is presumably a message-type tag — verify against the protocol.
buf = Memory.readUShort(ptr(args[1])); | |
if (buf === 29735) { | |
console.log("SENT HELLO!"); | |
// Stage 2: the next login-builder call arms the key-pair hook.
Interceptor.attach(loginBuilder, { | |
onEnter: function (args) { | |
console.log("LOGIN!"); | |
// Pointers captured on entry so onLeave can read what the callee wrote.
var pk; | |
var sk; | |
Interceptor.attach(keypair, { | |
onEnter: function (args) { | |
console.log("ENTERING KEYPAIR"); | |
pk = args[0]; | |
sk = args[1]; | |
}, | |
onLeave: function (retval) { | |
console.log("LEAVING KEYPAIR!"); | |
// 32 bytes are dumped from each output pointer; the size is assumed, not
// taken from the callee.
var buf = Memory.readByteArray(pk, 32); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: 32, | |
header: true, | |
ansi: true | |
})); | |
buf = Memory.readByteArray(sk, 32); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: 32, | |
header: true, | |
ansi: true | |
})); | |
// detachAll() removes every hook installed so far, including the outer
// send() and loginBuilder hooks — only the hooks attached below survive.
Interceptor.detachAll(); | |
// Stage 3: log each 32-byte input fed to the b2 update routine ...
Interceptor.attach(b2updatewrap, { | |
onEnter: function (args) { | |
console.log("UPDATING B2"); | |
var buf = Memory.readByteArray(args[1], 32); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: 32, | |
header: true, | |
ansi: true | |
})); | |
}, | |
onLeave: function (retval) { | |
} | |
}); | |
// ... and the 200-byte state handed to the b2 finish routine.
Interceptor.attach(b2finishwrap, { | |
onEnter: function (args) { | |
console.log("B2 FINISH!"); | |
var buf = Memory.readByteArray(args[0], 200); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: 200, | |
header: true, | |
ansi: true | |
})); | |
}, | |
onLeave: function (retval) { | |
// Second detachAll(): drops the b2 hooks before arming the nm hooks.
Interceptor.detachAll(); | |
// Call counter: the first nm call is skipped, only the second one is dumped.
var i = 0; | |
Interceptor.attach(nm, { | |
onEnter: function (args) { | |
if (i !== 1) { | |
i++; | |
} else { | |
console.log("ENTERING NM"); | |
var buf = Memory.readByteArray(args[1], 24); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: 24, | |
header: true, | |
ansi: true | |
})); | |
buf = Memory.readByteArray(args[2], 32); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: 32, | |
header: true, | |
ansi: true | |
})); | |
// Increments past 1 so no later nm call is dumped again.
i++; | |
} | |
}, | |
onLeave: function (retval) { | |
} | |
}); | |
// Stage 4: after finalNm returns, re-hook send() and dump the first outgoing
// buffer whose leading ushort is 29991 (0x7527), using the length in args[2].
Interceptor.attach(finalNm, { | |
onEnter: function (args) { | |
}, | |
onLeave: function (retval) { | |
Interceptor.attach(Module.findExportByName("libg.so", "send"), { | |
onEnter: function (args) { | |
var buf = Memory.readUShort(ptr(args[1])); | |
if (buf === 29991) { | |
buf = Memory.readByteArray(args[1], | |
parseInt(args[2])); | |
console.log(hexdump(buf, { | |
offset: 0, | |
length: parseInt(args[2]), | |
header: true, | |
ansi: true | |
})); | |
// Final detachAll(): tracing ends; the process keeps running uninstrumented.
Interceptor.detachAll(); | |
} | |
}, | |
onLeave: function (retval) { | |
} | |
}); | |
} | |
}); | |
} | |
}); | |
} | |
}); | |
}, | |
onLeave: function (retval) { | |
} | |
}); | |
} | |
}, | |
onLeave: function (retval) { | |
} | |
}); | |
} | |
}, | |
onComplete: function () { | |
} | |
}); | |
} | |
SENT HELLO! | |
LOGIN! | |
ENTERING KEYPAIR | |
LEAVING KEYPAIR! | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 9f 67 08 7c 81 96 48 48 4f 9b ce d7 98 15 ae b7 .g.|..HHO....... | |
00000010 f8 34 2e 36 14 15 7e 1a b8 a2 35 a4 d8 dc ad 50 .4.6..~...5....P | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 2f e1 c7 59 ef e0 41 22 64 a9 7d cc d0 59 96 a4 /..Y..A"d.}..Y.. | |
00000010 fe e3 d7 a1 51 fb d8 89 16 c7 1c dc 33 b3 3b eb ....Q.......3.;. | |
UPDATING B2 | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 9f 67 08 7c 81 96 48 48 4f 9b ce d7 98 15 ae b7 .g.|..HHO....... | |
00000010 f8 34 2e 36 14 15 7e 1a b8 a2 35 a4 d8 dc ad 50 .4.6..~...5....P | |
UPDATING B2 | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 81 dc 6b 89 6f b5 c9 36 0a fb 9f 51 41 db ae 21 ..k.o..6...QA..! | |
00000010 41 c1 ab 94 17 66 84 b0 0b 8e e6 76 29 a8 74 00 A....f.....v).t. | |
B2 FINISH! | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 18 00 00 00 10 c9 bd f2 67 e6 09 6a 3b a7 ca 84 ........g..j;... | |
00000010 85 ae 67 bb 2b f8 94 fe 72 f3 6e 3c f1 36 1d 5f ..g.+...r.n<.6._ | |
00000020 3a f5 4f a5 d1 82 e6 ad 7f 52 0e 51 1f 6c 3e 2b :.O......R.Q.l>+ | |
00000030 8c 68 05 9b 6b bd 41 fb ab d9 83 1f 79 21 7e 13 .h..k.A.....y!~. | |
00000040 19 cd e0 5b 00 00 00 00 00 00 00 00 00 00 00 00 ...[............ | |
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
00000060 00 00 00 00 9f 67 08 7c 81 96 48 48 4f 9b ce d7 .....g.|..HHO... | |
00000070 98 15 ae b7 f8 34 2e 36 14 15 7e 1a b8 a2 35 a4 .....4.6..~...5. | |
00000080 d8 dc ad 50 f6 e0 7c 02 b7 28 df ee 9a 84 92 04 ...P..|..(...... | |
00000090 b2 ac 1a 30 04 ae 3c e1 91 09 2a e9 ae 51 88 db ...0..<...*..Q.. | |
000000a0 41 76 85 28 00 00 00 00 00 00 00 00 00 00 00 00 Av.(............ | |
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
000000c0 00 00 00 00 00 00 00 00 ........ | |
ENTERING NM | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 f9 a3 d2 d5 de cb b9 e0 c7 81 c1 0f f5 ed ad a2 ................ | |
00000010 f0 b9 8b 50 aa 59 df 79 ...P.Y.y | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
00000000 0c 81 48 d4 66 40 7e 47 a7 23 11 b7 ea 03 af 1b ..H.f@~G.#...... | |
00000010 49 a3 bb 0c 0c d4 5f e6 b9 95 24 fa e1 6a 6f d2 I....._...$..jo. | |
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF | |
// login encrypted | |
00000000 27 75 00 01 81 00 03 9f 67 08 7c 81 96 48 48 4f 'u......g.|..HHO | |
00000010 9b ce d7 98 15 ae b7 f8 34 2e 36 14 15 7e 1a b8 ........4.6..~.. | |
00000020 a2 35 a4 d8 dc ad 50 cd 69 40 a7 64 48 54 69 7a .5....P.i@.dHTiz | |
00000030 c4 ad a2 95 32 42 2a d0 4a 37 66 8c cd 85 6b 76 ....2B*.J7f...kv | |
00000040 fb da f0 cf ba fb c3 8e 24 c1 b2 b4 3b e4 08 5c ........$...;..\ | |
00000050 3b fd 19 b3 c4 9d 2b 97 45 e4 9f 78 7a 88 2d 2c ;.....+.E..xz.-, | |
00000060 aa 07 19 bf 33 98 13 7f 42 e6 04 9c f5 71 dd 7c ....3...B....q.| | |
00000070 c7 f0 54 cc c6 60 d3 87 1c 08 82 1c 8f 5a 0d 23 ..T..`.......Z.# | |
00000080 c4 7f d7 5a 2a 22 bf 79 35 24 56 d5 47 a4 6f 26 ...Z*".y5$V.G.o& | |
00000090 8e cd 0b 20 05 90 1f cb c4 24 58 37 83 3b 4d a9 ... .....$X7.;M. | |
000000a0 7f c3 8f 5d e1 55 e7 b7 eb 34 e0 82 41 90 73 a6 ...].U...4..A.s. | |
000000b0 6f 84 74 89 ab de ea 7a b3 90 25 29 7d 88 d0 63 o.t....z..%)}..c | |
000000c0 de 23 ec 7d 55 ee 65 bf e9 c6 c0 68 3d 4e 96 90 .#.}U.e....h=N.. | |
000000d0 30 05 d8 88 a2 d6 32 af 21 c8 98 f1 18 22 4d 64 0.....2.!...."Md | |
000000e0 41 0e 02 67 42 39 05 80 01 38 57 94 74 35 93 37 A..gB9...8W.t5.7 | |
000000f0 a9 84 9a 63 e1 a0 99 52 58 c1 39 50 47 b6 5a 70 ...c...RX.9PG.Zp | |
00000100 97 08 88 b9 af ec aa cb f7 ad 41 1b 7c a1 c1 e3 ..........A.|... | |
00000110 8f af f0 d0 2d a4 5c f3 ee fc e4 d3 5b 68 36 5d ....-.\.....[h6] | |
00000120 db 53 d0 47 a0 b9 0f 6a 29 23 e7 c7 14 29 f8 ce .S.G...j)#...).. | |
00000130 83 c9 88 96 d9 eb 57 fd 0a 6e 62 cf 22 e2 b8 97 ......W..nb."... | |
00000140 fa 4d f3 fd 1a 4c ba 3e 4c 7a ee c0 09 7c 77 bc .M...L.>Lz...|w. | |
00000150 a1 47 7f d4 22 da bb 1d 87 77 2b f6 99 44 bf 14 .G.."....w+..D.. | |
00000160 44 97 b8 f2 a7 5d ea c4 57 39 77 c1 05 1a 23 32 D....]..W9w...#2 | |
00000170 b6 e3 a9 9b f5 54 79 72 4f f7 ca 8a 97 b7 93 63 .....TyrO......c | |
00000180 ef 6b 75 6d 99 ce 13 08 .kum.... | |
// decrypted | |
00000004e0000002862396661313536326161363932313562656632376334313037626263373065356433616332633037000000000000001034633363346630623835346630623361000000074c472d48383530001e84840000000569742d49540000002431636261356432312d336139352d343830322d623035392d32353436303331303333343800000003372e30020000000000000010346333633466306238353466306233610000002430646464633864632d646233622d346635632d626233652d3530313431633335316637370000000001000000020000000000000000ffffff88 |