Skip to content

Instantly share code, notes, and snippets.

@jcalabres jcalabres/truck.js
Last active Jan 12, 2020

Embed
What would you like to do?
CyberTruckChallenge19 Solutions (Frida)
Process.enumerateModules({
onMatch: function(module){
console.log('Module name: ' + module.name + " - " + "Base Address: " + module.base.toString());
if (module.name=="libnative-lib.so"){
var secret=""
Interceptor.attach(module.base.add(0x06cf), function() {
var x = this.context.eax;
var y = this.context.ecx;
var z = x ^ y;
secret+=String.fromCharCode(z)
send(secret)
});
}
},
onComplete: function(){}
});
Java.perform(function () {
function ba2hex(bufArray) {
var uint8arr = new Uint8Array(bufArray);
if (!uint8arr) {
return '';
}
var hexStr = '';
for (var i = 0; i < uint8arr.length; i++) {
var hex = (uint8arr[i] & 0xff).toString(16);
hex = (hex.length === 1) ? '0' + hex : hex;
hexStr += hex;
}
return hexStr.toLowerCase();
}
// Class to hook is defined here
var hookDetector = Java.use('org.nowsecure.cybertruck.detections.HookDetector');
var challenge1 = Java.use('org.nowsecure.cybertruck.keygenerators.Challenge1')
var challenge2 = Java.use('org.nowsecure.cybertruck.keygenerators.a')
hookDetector.isFridaServerInDevice.implementation = function (v) {
console.log('[hook] isFridaServerInDevice')
return false
};
challenge1.generateDynamicKey.implementation = function (v) {
var secret=this.generateDynamicKey(v)
send(ba2hex(secret));
return secret
};
challenge2.a.overload('[B', '[B').implementation = function (v1,v2) {
var secret=this.a.overload('[B', '[B').call(this,v1,v2)
send(ba2hex(secret));
return secret
};
});
@jcalabres

This comment has been minimized.

Copy link
Owner Author

jcalabres commented Sep 13, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.