gistfile1.txt

Process.setExceptionHandler(function (details) {
    console.log(base);
    console.log(JSON.stringify(details));
});

Memory.protect(m.base, m.size, 'rwx');

var svc_send = Memory.scanSync(m.base, m.size, '14 70 9F E5 00 00 00 EF');
var svc_recv = Memory.scanSync(m.base, m.size, '49 7F A0 E3 00 00 00 EF');

Interceptor.attach(svc_send[0]['address'], function () {
    send('o', Memory.readByteArray(this.context.r1, parseInt(this.context.r2)));

    if (sw(Memory.readUShort(this.context.r1)) === 10101) {
        var pkey = ba2hex(Memory.readByteArray(this.context.r1.add(7), 32));
        console.log('[+] bruting private key.... it will take some seconds :S <3');
        var r = Process.enumerateRangesSync('rw-');
        for (var k in r) {
            if (typeof r[k]['file'] === 'undefined') {
                var res = Memory.scanSync(r[k].base, r[k].size,
                   pkey);
                if (res.length > 0) {
                    for (var t in res) {
                        send('tk', Memory.readByteArray(res[t].address.add(32), 32));
                    }
                }
            }
        }
    }
});

var buf;
var len;

Interceptor.attach(svc_recv[0]['address'], function () {
    buf = this.context.r1;
    len = parseInt(this.context.r2);
});
Interceptor.attach(svc_recv[0]['address'].add(8), function () {
    if (len === 7) {
        send('ih', Memory.readByteArray(this.context.r1, len));
    } else {
        send('ip', Memory.readByteArray(this.context.r1, len));
    }
});

function sw(val) {
    return ((val & 0xFF) << 8) | ((val >> 8) & 0xFF);
}

function ba2hex(bufArray) {
    var uint8arr = new Uint8Array(bufArray);
    if (!uint8arr) {
        return '';
    }

    var hexStr = '';
    for (var i = 0; i < uint8arr.length; i++) {
        var hex = (uint8arr[i] & 0xff).toString(16);
        hex = (hex.length === 1) ? '0' + hex : hex;
        if (hexStr.length > 0) {
            hexStr += ' ';
        }
        hexStr += hex;
    }

    return hexStr.toUpperCase();
}