Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Process.setExceptionHandler(function (details) {
console.log(base);
console.log(JSON.stringify(details));
});
Memory.protect(m.base, m.size, 'rwx');
var svc_send = Memory.scanSync(m.base, m.size, '14 70 9F E5 00 00 00 EF');
var svc_recv = Memory.scanSync(m.base, m.size, '49 7F A0 E3 00 00 00 EF');
Interceptor.attach(svc_send[0]['address'], function () {
send('o', Memory.readByteArray(this.context.r1, parseInt(this.context.r2)));
if (sw(Memory.readUShort(this.context.r1)) === 10101) {
var pkey = ba2hex(Memory.readByteArray(this.context.r1.add(7), 32));
console.log('[+] bruting private key.... it will take some seconds :S <3');
var r = Process.enumerateRangesSync('rw-');
for (var k in r) {
if (typeof r[k]['file'] === 'undefined') {
var res = Memory.scanSync(r[k].base, r[k].size,
pkey);
if (res.length > 0) {
for (var t in res) {
send('tk', Memory.readByteArray(res[t].address.add(32), 32));
}
}
}
}
}
});
var buf;
var len;
Interceptor.attach(svc_recv[0]['address'], function () {
buf = this.context.r1;
len = parseInt(this.context.r2);
});
Interceptor.attach(svc_recv[0]['address'].add(8), function () {
if (len === 7) {
send('ih', Memory.readByteArray(this.context.r1, len));
} else {
send('ip', Memory.readByteArray(this.context.r1, len));
}
});
function sw(val) {
return ((val & 0xFF) << 8) | ((val >> 8) & 0xFF);
}
function ba2hex(bufArray) {
var uint8arr = new Uint8Array(bufArray);
if (!uint8arr) {
return '';
}
var hexStr = '';
for (var i = 0; i < uint8arr.length; i++) {
var hex = (uint8arr[i] & 0xff).toString(16);
hex = (hex.length === 1) ? '0' + hex : hex;
if (hexStr.length > 0) {
hexStr += ' ';
}
hexStr += hex;
}
return hexStr.toUpperCase();
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.