xhlove/chrome_cdm_func_hook.py

## chrome_cdm_func_hook.py
from __future__ import print_function
import frida
import sys

session = frida.attach("chrome.exe")
script = session.create_script("""
var baseAddr = Module.findBaseAddress("chrome.exe");

print("chrome.exe baseAddress is at :"+baseAddr);

//!!!!!!!!!!!!!!!!!!!! You need modify CdmWrapperImpl hardcode address before hook ////////

var CdmWrapperImpl_Decrypt=baseAddr.add(0x6feb60); //CdmWrapperImpl::Decrypt hardcode Address

////////////////////////// CDM->Decrypt ///////////////////////////////////////////////////////
var CdmDecryptFunc = new NativeFunction(ptr(CdmWrapperImpl_Decrypt), 'int', [ 'pointer','pointer','pointer' ]);

print("CdmWrapperImpl::Decrypt Address is at :0x"+CdmWrapperImpl_Decrypt.toString(16));

////////////////////////////////Costumn Function list///////////////////////////////////////

    function print(info)
{
    console.log("\033[33m"+info);
}

    function tracelog(info)
{
    console.log("\033[32m"+info);
}

Interceptor.attach(ptr(CdmWrapperImpl_Decrypt), {
        onEnter: function(args) {

        tracelog("Cdm::Decrypt  is called ! " );

      this.decrypted_block= args[2] ;

    },
    onLeave:function(retval){

    }
});

""")

def on_message(message, data):

    if data != None:
        #print(message)
        #print(hex(len(data)))%
        if(message['payload']=='Audio'):
            f=open('a.aac','ab')   #save the acc stream to file.
            f.write(data)
            f.close()
        elif (message['payload']=='Video'):
            #yuv420p_to_mp4(data,720,404,832,8) #compress the yuv420p stream with x264.
            f=open('v.yuv','ab')   #save the decoded yuv stream to file.
            f.write(data);
            f.close()


script.on('message', on_message)
#script.on('write', on_write)

script.load()

try:
  sys.stdin.read()
except KeyboardInterrupt:
  archive.close()
	from __future__ import print_function
	import frida
	import sys

	session = frida.attach("chrome.exe")
	script = session.create_script("""
	var baseAddr = Module.findBaseAddress("chrome.exe");

	print("chrome.exe baseAddress is at :"+baseAddr);

	//!!!!!!!!!!!!!!!!!!!! You need modify CdmWrapperImpl hardcode address before hook ////////

	var CdmWrapperImpl_Decrypt=baseAddr.add(0x6feb60); //CdmWrapperImpl::Decrypt hardcode Address

	////////////////////////// CDM->Decrypt ///////////////////////////////////////////////////////
	var CdmDecryptFunc = new NativeFunction(ptr(CdmWrapperImpl_Decrypt), 'int', [ 'pointer','pointer','pointer' ]);

	print("CdmWrapperImpl::Decrypt Address is at :0x"+CdmWrapperImpl_Decrypt.toString(16));

	////////////////////////////////Costumn Function list///////////////////////////////////////

	function print(info)
	{
	console.log("\033[33m"+info);
	}

	function tracelog(info)
	{
	console.log("\033[32m"+info);
	}

	Interceptor.attach(ptr(CdmWrapperImpl_Decrypt), {
	onEnter: function(args) {

	tracelog("Cdm::Decrypt is called ! " );

	this.decrypted_block= args[2] ;

	},
	onLeave:function(retval){

	}
	});

	""")

	def on_message(message, data):

	if data != None:
	#print(message)
	#print(hex(len(data)))%
	if(message['payload']=='Audio'):
	f=open('a.aac','ab') #save the acc stream to file.
	f.write(data)
	f.close()
	elif (message['payload']=='Video'):
	#yuv420p_to_mp4(data,720,404,832,8) #compress the yuv420p stream with x264.
	f=open('v.yuv','ab') #save the decoded yuv stream to file.
	f.write(data);
	f.close()




	script.on('message', on_message)
	#script.on('write', on_write)

	script.load()

	try:
	sys.stdin.read()
	except KeyboardInterrupt:
	archive.close()