CyberTruckChallenge19 Solutions (Frida)

truck.js

Process.enumerateModules({
  onMatch: function(module){
    console.log('Module name: ' + module.name + " - " + "Base Address: " + module.base.toString());
    if (module.name=="libnative-lib.so"){
      var secret=""
      Interceptor.attach(module.base.add(0x06cf), function() {  
        var x = this.context.eax;
        var y = this.context.ecx;
        var z = x ^ y;
        secret+=String.fromCharCode(z)
        send(secret)  
      });     
    }
  }, 
  onComplete: function(){}
});

Java.perform(function () {
 
  function ba2hex(bufArray) {
      var uint8arr = new Uint8Array(bufArray);
      if (!uint8arr) {
          return '';
      }
      var hexStr = '';
      for (var i = 0; i < uint8arr.length; i++) {
          var hex = (uint8arr[i] & 0xff).toString(16);
          hex = (hex.length === 1) ? '0' + hex : hex;
          hexStr += hex;
      }
      return hexStr.toLowerCase();
  }

  // Class to hook is defined here
  var hookDetector = Java.use('org.nowsecure.cybertruck.detections.HookDetector');
  var challenge1 = Java.use('org.nowsecure.cybertruck.keygenerators.Challenge1')
  var challenge2 = Java.use('org.nowsecure.cybertruck.keygenerators.a')

  hookDetector.isFridaServerInDevice.implementation = function (v) {
    console.log('[hook] isFridaServerInDevice')
    return false
  };

  challenge1.generateDynamicKey.implementation = function (v) {
    var secret=this.generateDynamicKey(v)
    send(ba2hex(secret));
    return secret
   };

  challenge2.a.overload('[B', '[B').implementation = function (v1,v2) {
    var secret=this.a.overload('[B', '[B').call(this,v1,v2)
    send(ba2hex(secret));
    return secret
   };

});

https://www.verso.re/