

schirrmacher / ProtoAttack.js
Last active March 6, 2019 14:18
__proto__ attack example
// __proto__ prototype-pollution demo: an attacker-controlled JSON key ends up
// overwriting a property on the shared Object.prototype.
// has the Object prototype
const someObject = {};
// request input is parsed. JSON.parse does NOT set the prototype here: it creates an
// ordinary *own* data property literally named "__proto__" on the parsed object
// (the accessor on Object.prototype is bypassed for own properties).
const maliciousInput = JSON.parse('{ "__proto__": { "toString": "xxx" } }');
// somewhere a bad copy or merge library is used which copies ALL properties including __proto__
// Left side: `someObject.__proto__` has no own property, so it goes through the
// Object.prototype accessor and yields Object.prototype itself. Right side: the own
// "__proto__" property wins, yielding { toString: "xxx" }. Net effect of this one line:
// Object.prototype.toString === "xxx" for EVERY object in the realm, so any later
// `String(obj)` / `obj.toString()` throws "toString is not a function".
// Defenses: skip or reject the keys "__proto__", "constructor" and "prototype" when
// merging untrusted input, copy only own keys (Object.hasOwn), or keep dictionaries in
// Object.create(null) / Map so there is no prototype to pollute.
someObject.__proto__.toString = maliciousInput.__proto__.toString;
// at some other place
schirrmacher / frida-struct-pointer-pointer.js
Last active February 3, 2024 12:32
Frida: How to read a struct or a struct pointer or a pointer of a struct pointer?
/*
typedef struct {
int size;
char* data;
} test_struct;
void some_func(test_struct **s);
schirrmacher / proofOfWork.js
Created September 12, 2019 12:50
Proof of Work Example
const crypto = require("crypto");
// PROOF OF WORK EXAMPLE
// byte length of the random candidate that gets hashed on every attempt
// (the search loop itself is further down in the gist and not shown here)
const RANDOM_SIZE = 32;
// difficulty: number of leading "0" characters a digest must start with to count as
// a solution. Each extra character multiplies the expected work by the digest
// alphabet size (16 if the digest is compared as hex — confirm against the loop below).
const HARDNESS = 6;
// the literal prefix the digest string is compared against
const hardnessPrefix = "0".repeat(HARDNESS);
// wall-clock start in ms since the epoch, presumably used to report the search duration
const start = new Date().getTime();
schirrmacher / .gitconfig
Last active November 6, 2019 07:24
My git config
[core]
editor = nano
[alias]
a = add
aa = add .
ap = add -p
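# ag <pattern>...: stage every untracked/modified path whose name matches each grep pattern.
# NOTE: inside a double-quoted gitconfig value an unescaped " ends the string, so the inner
# quotes must be written as \" — otherwise "$@" and "$param" reach the shell unquoted and
# patterns / file names containing spaces are word-split. The pipeline is NUL-separated
# (ls-files -z, grep -z, xargs -0) so matched paths containing spaces or glob characters are
# added intact, and "--" stops a path beginning with "-" from being parsed as a git option.
ag = "!add_grep() { for param in \"$@\"; do git ls-files -z -o -m --exclude-standard | grep -z -- \"$param\" | xargs -0 git add --; done }; add_grep"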
amend = commit --amend
b = branch
bv = branch -vv
schirrmacher / WAHKDF.js
Last active February 5, 2020 12:42
The WAHKDF class is used to derive keys, salts and nonces for initializing SRTP streams.
const crypto = require("crypto");
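// master secret: the HKDF input key material. NOTE: this is a sample value checked into a
// public gist; a real master secret is sensitive and must never be committed or logged.
// Buffer.from replaces the deprecated `new Buffer(str, enc)` constructor (Node DEP0005);
// it decodes the same 32 bytes.
const keyMaterial = Buffer.from(
  "09a38e76fe90e4f126ed66d05a6783bad48776b61daaf7c939c005ea2d8ccdf6",
  "hex"
);
// JID param: 4915905771620@s.whatsapp.net — the HKDF "info" input, written here as the
// hex encoding of that JID's UTF-8 bytes
const info = "3439313539303537373136323040732e77686174736170702e6e6574";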
const salt = new Buffer(
schirrmacher / srtp_aes_icm_context_init.js
Last active February 5, 2020 22:50
Tracing srtp_aes_icm_context_init in WhatsApp with Frida
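// Locate srtp_aes_icm_context_init by pattern-scanning forward from a known Objective-C
// selector. The ObjC API resolver gives an address to anchor the scan; the Memory.scanSync
// call further down starts there and covers SCAN_SIZE bytes.
const apiResolver = new ApiResolver("objc");
const resolvedMatches = apiResolver.enumerateMatches(
  "+[NSURL URLWithUnicodeString:]"
);
// Fail with a clear message if the anchor selector is absent (different app build, class
// not loaded yet) instead of dying on `undefined.address` below.
if (resolvedMatches.length === 0) {
  throw new Error("anchor symbol +[NSURL URLWithUnicodeString:] not found; cannot start scan");
}
// How far past the anchor to scan. This is a heuristic: it assumes the target function was
// linked near the anchor and that the whole range is mapped and readable — scanSync may
// throw if the range crosses into unmapped memory.
const SCAN_SIZE = 100000;
const scanStart = resolvedMatches[0].address;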
const scanResults = Memory.scanSync(
ptr(scanStart),
SCAN_SIZE,
schirrmacher / srtp_hmac_compute.js
Last active February 5, 2020 11:40
Overwrite output of srtp_hmac_compute
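// Locate srtp_hmac_compute by scanning forward from a known Objective-C selector that
// serves as an anchor address inside the target process.
const anchorMatches = new ApiResolver("objc").enumerateMatches(
  "+[NSURL URLWithUnicodeString:]"
);
// Bail out with a clear error if the anchor is missing rather than failing on
// `undefined.address`.
if (anchorMatches.length === 0) {
  throw new Error("anchor symbol +[NSURL URLWithUnicodeString:] not found; cannot start scan");
}
const scanStart = anchorMatches[0].address;
console.log("search srtp_hmac_compute in memory from: " + scanStart);
// bytes to scan past the anchor; heuristic, assumes the range is mapped and readable
const size = 100000;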
const matches = Memory.scanSync(
ptr(scanStart),
size,
schirrmacher / WAHKDF.deriveSecretsFromInputKeyMaterial.js
Created February 4, 2020 08:52
Log deriveSecretsFromInputKeyMaterial params
{
  /*
   * frida-trace handler for WAHKDF's deriveSecretsFromInputKeyMaterial:... method
   * (the labels in the log line name the remaining parameters).
   * Logs every argument of the call. Note that the first three are key material
   * (IKM, salt, info): this trace output contains secrets, keep it out of shared logs.
   * args[2] is read as the first method parameter — presumably because args[0]/args[1]
   * are self and the selector under Frida's ObjC convention; confirm against the selector.
   */
  onEnter: function (log, args, state) {
    const ikm = ObjC.Object(args[2]).toString();
    const salt = ObjC.Object(args[3]).toString();
    const info = ObjC.Object(args[4]).toString();
    const bytes = args[5].toInt32();
    const version = args[6].toInt32();
    log(
      `+[ WAHKDF deriveSecretsFromInputKeyMaterial: ${ikm}\n` +
        ` salt: ${salt}\n` +
        ` info: ${info}\n` +
        ` bytes : ${bytes}\n` +
        ` withMessageVersion : ${version}\n]`
    );
  }
}
/*
 * Encrypt `plaintext` with the given cipher, key and IV, returning the ciphertext in a
 * newly allocated `*output` buffer. Looks like the libsignal-protocol-c helper that
 * dispatches to the registered crypto-provider encrypt callback — verify against the
 * library headers; only the prototype is visible here.
 *
 * context                  - library context (holds the crypto provider)
 * output                   - out-param, receives the ciphertext buffer on success
 * cipher                   - cipher identifier (an int constant; values not visible here)
 * key, key_len             - symmetric key bytes and their length
 * iv, iv_len               - initialization vector bytes and their length
 * plaintext, plaintext_len - input bytes to encrypt and their length
 * return                   - int status; presumably 0 on success, negative on error — confirm
 */
int signal_encrypt(signal_context *context,
signal_buffer **output,
int cipher,
const uint8_t *key, size_t key_len,
const uint8_t *iv, size_t iv_len,
const uint8_t *plaintext, size_t plaintext_len);
int sub_100bbda00(int arg0, int arg1) {
r31 = r31 - 0x60;
var_30 = r24;
stack[-56] = r23;
var_20 = r22;
stack[-40] = r21;
var_10 = r20;
stack[-24] = r19;
saved_fp = r29;
stack[-8] = r30;