iGio90/gist:fe8fef97f2c57bcb97339fd157444452 Secret

## gistfile1.txt
Process.setExceptionHandler(function (details) {
    console.log(base);
    console.log(JSON.stringify(details));
});

Memory.protect(m.base, m.size, 'rwx');

var svc_send = Memory.scanSync(m.base, m.size, '14 70 9F E5 00 00 00 EF');
var svc_recv = Memory.scanSync(m.base, m.size, '49 7F A0 E3 00 00 00 EF');

Interceptor.attach(svc_send[0]['address'], function () {
    send('o', Memory.readByteArray(this.context.r1, parseInt(this.context.r2)));

    if (sw(Memory.readUShort(this.context.r1)) === 10101) {
        var pkey = ba2hex(Memory.readByteArray(this.context.r1.add(7), 32));
        console.log('[+] bruting private key.... it will take some seconds :S <3');
        var r = Process.enumerateRangesSync('rw-');
        for (var k in r) {
            if (typeof r[k]['file'] === 'undefined') {
                var res = Memory.scanSync(r[k].base, r[k].size,
                   pkey);
                if (res.length > 0) {
                    for (var t in res) {
                        send('tk', Memory.readByteArray(res[t].address.add(32), 32));
                    }
                }
            }
        }
    }
});

var buf;
var len;

Interceptor.attach(svc_recv[0]['address'], function () {
    buf = this.context.r1;
    len = parseInt(this.context.r2);
});
Interceptor.attach(svc_recv[0]['address'].add(8), function () {
    if (len === 7) {
        send('ih', Memory.readByteArray(this.context.r1, len));
    } else {
        send('ip', Memory.readByteArray(this.context.r1, len));
    }
});

function sw(val) {
    return ((val & 0xFF) << 8) | ((val >> 8) & 0xFF);
}

function ba2hex(bufArray) {
    var uint8arr = new Uint8Array(bufArray);
    if (!uint8arr) {
        return '';
    }

    var hexStr = '';
    for (var i = 0; i < uint8arr.length; i++) {
        var hex = (uint8arr[i] & 0xff).toString(16);
        hex = (hex.length === 1) ? '0' + hex : hex;
        if (hexStr.length > 0) {
            hexStr += ' ';
        }
        hexStr += hex;
    }

    return hexStr.toUpperCase();
}
	Process.setExceptionHandler(function (details) {
	console.log(base);
	console.log(JSON.stringify(details));
	});

	Memory.protect(m.base, m.size, 'rwx');

	var svc_send = Memory.scanSync(m.base, m.size, '14 70 9F E5 00 00 00 EF');
	var svc_recv = Memory.scanSync(m.base, m.size, '49 7F A0 E3 00 00 00 EF');

	Interceptor.attach(svc_send[0]['address'], function () {
	send('o', Memory.readByteArray(this.context.r1, parseInt(this.context.r2)));

	if (sw(Memory.readUShort(this.context.r1)) === 10101) {
	var pkey = ba2hex(Memory.readByteArray(this.context.r1.add(7), 32));
	console.log('[+] bruting private key.... it will take some seconds :S <3');
	var r = Process.enumerateRangesSync('rw-');
	for (var k in r) {
	if (typeof r[k]['file'] === 'undefined') {
	var res = Memory.scanSync(r[k].base, r[k].size,
	pkey);
	if (res.length > 0) {
	for (var t in res) {
	send('tk', Memory.readByteArray(res[t].address.add(32), 32));
	}
	}
	}
	}
	}
	});

	var buf;
	var len;

	Interceptor.attach(svc_recv[0]['address'], function () {
	buf = this.context.r1;
	len = parseInt(this.context.r2);
	});
	Interceptor.attach(svc_recv[0]['address'].add(8), function () {
	if (len === 7) {
	send('ih', Memory.readByteArray(this.context.r1, len));
	} else {
	send('ip', Memory.readByteArray(this.context.r1, len));
	}
	});

	function sw(val) {
	return ((val & 0xFF) << 8) \| ((val >> 8) & 0xFF);
	}

	function ba2hex(bufArray) {
	var uint8arr = new Uint8Array(bufArray);
	if (!uint8arr) {
	return '';
	}

	var hexStr = '';
	for (var i = 0; i < uint8arr.length; i++) {
	var hex = (uint8arr[i] & 0xff).toString(16);
	hex = (hex.length === 1) ? '0' + hex : hex;
	if (hexStr.length > 0) {
	hexStr += ' ';
	}
	hexStr += hex;
	}

	return hexStr.toUpperCase();
	}