
@owen800q
Forked from FrankSpierings/openssl-frida.js
Created September 22, 2022 14:23

Revisions

  1. @FrankSpierings FrankSpierings revised this gist Apr 4, 2020. 1 changed file with 102 additions and 102 deletions.
    204 changes: 102 additions & 102 deletions openssl-frida.js
    @@ -94,97 +94,97 @@ const openssl = {
    var name = "BIO_new";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['pointer']);
    var retval = f(BIO_METHOD);
    return retval;
    var f = new NativeFunction(address, 'pointer', ['pointer']);
    var retval = f(BIO_METHOD);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    BIO_free: function(a) {
    var name = "BIO_free";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(a);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "BIO_free";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(a);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    BIO_s_mem: function() {
    var name = "BIO_s_mem";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', []);
    var retval = f();
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "BIO_s_mem";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', []);
    var retval = f();
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    BIO_gets: function(b, buf, size) {
    var name = "BIO_gets";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int']);
    var retval = f(b, buf, size);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "BIO_gets";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int']);
    var retval = f(b, buf, size);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_PKEY_id: function(pkey) {
    var name = "EVP_PKEY_id";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(pkey);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "EVP_PKEY_id";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(pkey);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_PKEY_get1_RSA: function(pkey) {
    var name = "EVP_PKEY_get1_RSA";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['pointer']);
    var retval = f(pkey);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "EVP_PKEY_get1_RSA";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['pointer']);
    var retval = f(pkey);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_PrivateKey: function(bp, x, enc, kstr, klen, cb, u) {
    var name = "PEM_write_bio_PrivateKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "PEM_write_bio_PrivateKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_PUBKEY: function(bp, x) {
    var name = "PEM_write_bio_PUBKEY";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "PEM_write_bio_PUBKEY";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_RSAPrivateKey: function(bp, x, enc, kstr, klen, cb, u) {
    var name = "PEM_write_bio_RSAPrivateKey";
    @@ -199,36 +199,36 @@ const openssl = {
    }
    },
    PEM_write_bio_RSAPublicKey: function(bp, x) {
    var name = "PEM_write_bio_RSAPublicKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "PEM_write_bio_RSAPublicKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_PKEY_print_private: function(out, pkey, indent, pctx) {
    var name = "EVP_PKEY_print_private";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int', 'pointer']);
    var retval = f(out, pkey, indent, pctx);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    var name = "EVP_PKEY_print_private";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int', 'pointer']);
    var retval = f(out, pkey, indent, pctx);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    RSA_print: function(bp, x, offset) {
    var name = "RSA_print";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int']);
    var retval = f(bp, x, offset);
    return retval;
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int']);
    var retval = f(bp, x, offset);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    @@ -238,9 +238,9 @@ const openssl = {
    var name = "EVP_CIPHER_CTX_nid";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(ctx);
    return retval;
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(ctx);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    @@ -250,9 +250,9 @@ const openssl = {
    var name = "OBJ_nid2ln";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['int']);
    var retval = f(n);
    return retval;
    var f = new NativeFunction(address, 'pointer', ['int']);
    var retval = f(n);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
  2. @FrankSpierings FrankSpierings revised this gist Apr 4, 2020. 1 changed file with 404 additions and 163 deletions.
    567 changes: 404 additions & 163 deletions openssl-frida.js
    @@ -1,63 +1,262 @@
    const utils = {
    colors: {
    red: function(string) {
    return '\x1b[31m' + string + '\x1b[0m';
    },

    green: function(string) {
    return '\x1b[32m' + string + '\x1b[0m';
    },

    blue: function(string) {
    return '\x1b[34m' + string + '\x1b[0m';
    },

    cyan: function(string) {
    return '\x1b[36m' + string + '\x1b[0m';
    },
    },

    backtrace: function(context) {
    return 'Backtrace:\n' + Thread.backtrace(context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') + '\n';
    },

    readstring: function(address, index) {
    address = ptr(address);
    if (index == undefined) {
    index = 0;
    }
    else {
    index += 1;
    }

    try {
    var char = address.add(index).readU8();
    if ((char >= 0x20) && (char <= 0x7E)) {
    return this.readstring(address, index);
    }
    }
    catch (error) {}

    if (index < 4) {
    return undefined;
    }

    return address.readUtf8String(index);
    },

    address_is_readable: function(address) {
    address = ptr(address);
    var protection = 'r--';
    var ranges = Process.enumerateRanges(protection);
    for (var index in ranges) {
    var start = ranges[index]['base'];
    var stop = start.add(ranges[index]['size']);
    if ((address >= start) && (address <= stop)) {
    // console.log('Range: ' + start + ' - ' + stop);
    return true;
    }
    }
    return false;
    },

    telescope: function(address, stack) {
    address = ptr(address);

    if (stack == undefined) {
    stack = []
    stack.push('[' + address + ']');
    }
    else {
    stack.push(address);
    }
    if (this.address_is_readable(address)) {
    var printable = this.readstring(address);
    if (printable != undefined) {
    stack.push(printable)
    }
    else {
    try {
    return this.telescope(address.readPointer(), stack);
    }
    catch (error) {
    //Ignore
    }
    }
    }
    return stack.join(' -> ');
    }
    }


    const openssl = {
    BIO_new: function(BIO_METHOD) {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_new"), 'pointer', ['pointer']);
    var retval = f(BIO_METHOD);
    return retval;
    var name = "BIO_new";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['pointer']);
    var retval = f(BIO_METHOD);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    BIO_free: function(a) {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_free"), 'int', ['pointer']);
    var retval = f(a);
    return retval;
    var name = "BIO_free";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(a);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    BIO_s_mem: function() {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_s_mem"), 'pointer', []);
    var retval = f();
    return retval;
    var name = "BIO_s_mem";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', []);
    var retval = f();
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    BIO_gets: function(b, buf, size) {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_gets"), 'int', ['pointer', 'pointer', 'int']);
    var retval = f(b, buf, size);
    return retval;
    var name = "BIO_gets";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int']);
    var retval = f(b, buf, size);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_PKEY_id: function(pkey) {
    var f = new NativeFunction(Module.findExportByName(null, "EVP_PKEY_id"), 'int', ['pointer']);
    var retval = f(pkey);
    return retval;
    var name = "EVP_PKEY_id";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(pkey);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_PKEY_get1_RSA: function(pkey) {
    var f = new NativeFunction(Module.findExportByName(null, "EVP_PKEY_get1_RSA"), 'pointer', ['pointer']);
    var retval = f(pkey);
    return retval;
    var name = "EVP_PKEY_get1_RSA";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['pointer']);
    var retval = f(pkey);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_PrivateKey: function(bp, x, enc, kstr, klen, cb, u) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_PrivateKey"), 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    var name = "PEM_write_bio_PrivateKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_PUBKEY: function(bp, x) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_PUBKEY"), 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    var name = "PEM_write_bio_PUBKEY";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_RSAPrivateKey: function(bp, x, enc, kstr, klen, cb, u) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_RSAPrivateKey"), 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    var name = "PEM_write_bio_RSAPrivateKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    PEM_write_bio_RSAPublicKey: function(bp, x) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_RSAPublicKey"), 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    var name = "PEM_write_bio_RSAPublicKey";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_PKEY_print_private: function(out, pkey, indent, pctx) {
    var f = new NativeFunction(Module.findExportByName(null, "EVP_PKEY_print_private"), 'int', ['pointer', 'pointer', 'int', 'pointer']);
    var retval = f(out, pkey, indent, pctx);
    return retval;
    var name = "EVP_PKEY_print_private";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int', 'pointer']);
    var retval = f(out, pkey, indent, pctx);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    RSA_print: function(bp, x, offset) {
    var f = new NativeFunction(Module.findExportByName(null, "RSA_print"), 'int', ['pointer', 'pointer', 'int']);
    var retval = f(bp, x, offset);
    return retval;
    var name = "RSA_print";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer', 'pointer', 'int']);
    var retval = f(bp, x, offset);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    EVP_CIPHER_CTX_nid: function(ctx) {
    var name = "EVP_CIPHER_CTX_nid";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'int', ['pointer']);
    var retval = f(ctx);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    OBJ_nid2ln: function(n) {
    var name = "OBJ_nid2ln";
    var address = Module.findExportByName(null, name);
    if (address) {
    var f = new NativeFunction(address, 'pointer', ['int']);
    var retval = f(n);
    return retval;
    }
    else {
    throw("Function '" + name + "' not found");
    }
    },
    }

    @@ -115,100 +314,19 @@ const easy = {
    // console.log(hexdump(ctx));
    // console.log(hexdump(pkey));
    return this.export_pkey(pkey);
    }
    }


    function red(string) {
    return '\x1b[31m' + string + '\x1b[0m';
    }

    function green(string) {
    return '\x1b[32m' + string + '\x1b[0m';
    }

    function blue(string) {
    return '\x1b[34m' + string + '\x1b[0m';
    }

    function cyan(string) {
    return '\x1b[36m' + string + '\x1b[0m';
    }


    function backtrace(context) {
    return 'Backtrace:\n' + Thread.backtrace(context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') + '\n';
    }

    function readstring(address, index) {
    address = ptr(address);
    if (index == undefined) {
    index = 0;
    }
    else {
    index += 1;
    }

    try {
    var char = address.add(index).readU8();
    if ((char >= 0x20) && (char <= 0x7E)) {
    return readstring(address, index);
    }
    }
    catch (error) {}

    if (index < 4) {
    return undefined;
    }

    return address.readUtf8String(index);
    }

    function address_is_readable(address) {
    address = ptr(address);
    var protection = 'r--';
    var ranges = Process.enumerateRanges(protection);
    for (var index in ranges) {
    var start = ranges[index]['base'];
    var stop = start.add(ranges[index]['size']);
    if ((address >= start) && (address <= stop)) {
    // console.log('Range: ' + start + ' - ' + stop);
    return true;
    }
    }
    return false;
    }



    function telescope(address, stack) {
    address = ptr(address);
    },

    if (stack == undefined) {
    stack = []
    stack.push('[' + address + ']');
    }
    else {
    stack.push(address);
    }
    if (address_is_readable(address)) {
    var printable = readstring(address);
    if (printable != undefined) {
    stack.push(printable)
    evp_ciper_type_str: function(ctx) {
    var pstr = openssl.OBJ_nid2ln(openssl.EVP_CIPHER_CTX_nid(ctx));
    if (pstr == null){
    return 'Cipher: unknown';
    }
    else {
    try {
    return telescope(address.readPointer(), stack);
    }
    catch (error) {
    //Ignore
    }
    return 'Cipher: ' + pstr.readUtf8String();
    }
    }
    return stack.join(' -> ');
    },
    }


    function hooks() {
    (function() {
    var name = 'HMAC_Init_ex';
    @@ -223,8 +341,9 @@ function hooks() {
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'key=' + this.args[1] + ', ' + 'len=' + this.args[2] + ', ' + 'md=' + this.args[3] + ', ' + 'impl=' + this.args[4] + ') = ' + result);
    console.log(cyan('Key: '));
    console.log(cyan(hexdump(ptr(this.args[1]), {length: this.args[2].toInt32()})));
    console.log(utils.colors.cyan('Key: '));
    console.log(utils.colors.cyan(hexdump(ptr(this.args[1]), {length: this.args[2].toInt32()})));
    console.log(utils.colors.red(utils.backtrace(this.context)));
    },
    });
    }
    @@ -234,30 +353,6 @@ function hooks() {
    }
    })();

    // (function() {
    // var name = 'EVP_PKEY_CTX_new';
    // var address = Module.findExportByName(null, name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // try {
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.args = [];
    // this.args.push(args[0]); this.args.push(args[1]);
    // },
    // onLeave: function(result) {
    // console.log(name + '(' + 'pkey=' + this.args[0] + ', ' + 'e=' + this.args[1] + ') = ' + result);
    // var pkey = this.args[0];
    // console.log(red(easy.export_pkey(pkey)));
    // },
    // });
    // }
    // catch (error) {
    // console.error(error);
    // }
    // }
    // })();

    (function() {
    var name = 'EVP_PKEY_encrypt';
    var address = Module.findExportByName(null, name);
    @@ -271,10 +366,9 @@ function hooks() {
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'out=' + this.args[1] + ', ' + 'outlen=' + this.args[2] + ', ' + 'in=' + this.args[3] + ', ' + 'inlen=' + this.args[4] + ') = ' + result);
    // console.log(red(backtrace(this.context)));
    console.log(red(easy.export_pkey_from_ctx(this.args[0])));
    console.log(cyan('Buffer in: '));
    console.log(cyan(hexdump(ptr(this.args[3]), {length: result.toInt32()})));
    console.log(utils.colors.red(easy.export_pkey_from_ctx(this.args[0])));
    console.log(utils.colors.cyan('Buffer in: '));
    console.log(utils.colors.cyan(hexdump(ptr(this.args[3]), {length: this.args[4].toInt32()})));
    },
    });
    }
    @@ -297,9 +391,9 @@ function hooks() {
    },
    onLeave: function(result) {
    console.log(name + '(' + 'flen=' + this.args[0] + ', ' + 'from=' + this.args[1] + ', ' + 'to=' + this.args[2] + ', ' + 'rsa=' + this.args[3] + ', ' + 'padding=' + this.args[4] + ') = ' + result);
    console.log(red(easy.export_rsa(this.args[3])));
    console.log(cyan('Buffer to: '));
    console.log(cyan(hexdump(ptr(this.args[2]), {length: result.toInt32()})));
    console.log(utils.colors.red(easy.export_rsa(this.args[3])));
    console.log(utils.colors.cyan('Buffer to: '));
    console.log(utils.colors.cyan(hexdump(ptr(this.args[2]), {length: result.toInt32()})));
    },
    });
    }
    @@ -324,8 +418,7 @@ function hooks() {
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'ppkey=' + this.args[1] + ') = ' + result);
    var pkey = this.args[1].readPointer();
    console.log(red(easy.export_pkey(pkey)));
    // console.log(red(backtrace(this.context)));
    console.log(utils.colors.red(easy.export_pkey(pkey)));
    },
    });
    }
    @@ -335,8 +428,156 @@ function hooks() {
    }
    })();

    }
    (function() {
    var name = 'EVP_DecryptInit_ex';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'cipher=' + this.args[1] + ', ' + 'impl=' + this.args[2] + ', ' + 'key=' + this.args[3] + ', ' + 'iv=' + this.args[4] + ') = ' + result);
    console.log(utils.colors.blue(easy.evp_ciper_type_str(this.args[0])));
    console.log(utils.colors.blue('Key:'));
    console.log(utils.colors.blue(hexdump(this.args[3], {length: 32})));
    console.log(utils.colors.blue('IV:'));
    console.log(utils.colors.blue(hexdump(this.args[4], {length: 16})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();

    (function() {
    var name = 'EVP_DecryptUpdate';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'out=' + this.args[1] + ', ' + 'outl=' + this.args[2] + ', ' + 'in=' + this.args[3] + ', ' + 'inl=' + this.args[4] + ') = ' + result);
    console.log(utils.colors.cyan('Buffer out: '));
    console.log(utils.colors.cyan(hexdump(ptr(this.args[1]), {length: this.args[2].readUInt()})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();


    (function() {
    var name = 'EVP_DecryptFinal_ex';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'outm=' + this.args[1] + ', ' + 'outl=' + this.args[2] + ') = ' + result);
    console.log(utils.colors.cyan('Buffer out: '));
    console.log(utils.colors.cyan(hexdump(ptr(this.args[1]), {length: this.args[2].readUInt()})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();

    (function() {
    var name = 'EVP_EncryptInit_ex';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'cipher=' + this.args[1] + ', ' + 'impl=' + this.args[2] + ', ' + 'key=' + this.args[3] + ', ' + 'iv=' + this.args[4] + ') = ' + result);
    console.log(utils.colors.blue(easy.evp_ciper_type_str(this.args[0])));
    console.log(utils.colors.blue('Key:'));
    console.log(utils.colors.blue(hexdump(this.args[3], {length: 32})));
    console.log(utils.colors.blue('IV:'));
    console.log(utils.colors.blue(hexdump(this.args[4], {length: 16})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();

    (function() {
    var name = 'EVP_EncryptUpdate';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'out=' + this.args[1] + ', ' + 'outl=' + this.args[2] + ', ' + 'in=' + this.args[3] + ', ' + 'inl=' + this.args[4] + ') = ' + result);
    console.log(utils.colors.cyan('Buffer in: '));
    console.log(utils.colors.cyan(hexdump(ptr(this.args[3]), {length: this.args[4].toInt32()})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();

    (function() {
    var name = 'EVP_EncryptFinal_ex';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'out=' + this.args[1] + ', ' + 'outl=' + this.args[2] + ') = ' + result);
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();

    }

    function overrides() {
    (function() {
    @@ -350,7 +591,7 @@ function overrides() {
    this.mode = args[1];
    //Replace the value!
    args[1] = ptr(0);
    console.log(green('Setting ' + name + ' to mode = ' + args[1]));
    console.log(utils.colors.green('[+] Setting ' + name + ' to mode = ' + args[1]));
    },
    });
    }
    @@ -365,7 +606,7 @@ function overrides() {
    onLeave: function(result) {
    //Replace the value!
    result.replace(1);
    console.log(green('Setting ' + name + ' to result = ' + result));
    console.log(utils.colors.green('[+] Setting ' + name + ' to result = ' + result));
    }
    });
    }
    @@ -375,4 +616,4 @@ function overrides() {

    hooks();
    overrides();
    console.log('[+] Loaded');
    console.log(utils.colors.green('[+] Loaded'));
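Review bot: The new `EVP_DecryptInit_ex` and `EVP_EncryptInit_ex` hooks call `hexdump(this.args[3], {length: 32})` and `hexdump(this.args[4], {length: 16})` without checking the pointers, yet OpenSSL permits `key` and `iv` to be NULL on these calls (for example when the cipher is selected in one call and the key supplied in a later one), so the dump would throw inside `onLeave` and the rest of that log entry is lost. The fixed 32/16 lengths also read past the end of the buffer for ciphers with a shorter key or IV, which can log unrelated adjacent memory or fault on an unmapped page. Guard each dump with a check such as `if (!this.args[3].isNull())` and take the lengths from the context by adding `EVP_CIPHER_CTX_key_length` and `EVP_CIPHER_CTX_iv_length` wrappers to `openssl`, following the same lookup-then-throw pattern this revision uses for `EVP_CIPHER_CTX_nid`. In the same way, the `EVP_DecryptUpdate` and `EVP_DecryptFinal_ex` hooks use `this.args[2].readUInt()` as the dump length even when `result` is 0, where `outl` may not have been written; checking `result.toInt32() === 1` first would avoid dumping with an undefined length.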
  3. @FrankSpierings FrankSpierings revised this gist Apr 3, 2020. 1 changed file with 292 additions and 350 deletions.
    642 changes: 292 additions & 350 deletions openssl-frida.js
    @@ -1,401 +1,342 @@
    function hooks() {
    // (function() {
    // var name = 'open';
    // var address = Module.findExportByName('libc.so.6', name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.path = args[0];
    // this.path = Memory.readUtf8String(this.path);
    // this.mode = args[1];
    // console.log(name + '("' + this.path +'"' +", " + this.mode + ')');
    // },
    // });
    // }
    // })();
    const openssl = {
    BIO_new: function(BIO_METHOD) {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_new"), 'pointer', ['pointer']);
    var retval = f(BIO_METHOD);
    return retval;
    },
    BIO_free: function(a) {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_free"), 'int', ['pointer']);
    var retval = f(a);
    return retval;
    },
    BIO_s_mem: function() {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_s_mem"), 'pointer', []);
    var retval = f();
    return retval;
    },
    BIO_gets: function(b, buf, size) {
    var f = new NativeFunction(Module.findExportByName(null, "BIO_gets"), 'int', ['pointer', 'pointer', 'int']);
    var retval = f(b, buf, size);
    return retval;
    },
    EVP_PKEY_id: function(pkey) {
    var f = new NativeFunction(Module.findExportByName(null, "EVP_PKEY_id"), 'int', ['pointer']);
    var retval = f(pkey);
    return retval;
    },
    EVP_PKEY_get1_RSA: function(pkey) {
    var f = new NativeFunction(Module.findExportByName(null, "EVP_PKEY_get1_RSA"), 'pointer', ['pointer']);
    var retval = f(pkey);
    return retval;
    },
    PEM_write_bio_PrivateKey: function(bp, x, enc, kstr, klen, cb, u) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_PrivateKey"), 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    },
    PEM_write_bio_PUBKEY: function(bp, x) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_PUBKEY"), 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    },
    PEM_write_bio_RSAPrivateKey: function(bp, x, enc, kstr, klen, cb, u) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_RSAPrivateKey"), 'int', ['pointer', 'pointer', 'pointer', 'pointer', 'int', 'pointer', 'pointer']);
    var retval = f(bp, x, enc, kstr, klen, cb, u);
    return retval;
    },
    PEM_write_bio_RSAPublicKey: function(bp, x) {
    var f = new NativeFunction(Module.findExportByName(null, "PEM_write_bio_RSAPublicKey"), 'int', ['pointer', 'pointer']);
    var retval = f(bp, x);
    return retval;
    },
    EVP_PKEY_print_private: function(out, pkey, indent, pctx) {
    var f = new NativeFunction(Module.findExportByName(null, "EVP_PKEY_print_private"), 'int', ['pointer', 'pointer', 'int', 'pointer']);
    var retval = f(out, pkey, indent, pctx);
    return retval;
    },
    RSA_print: function(bp, x, offset) {
    var f = new NativeFunction(Module.findExportByName(null, "RSA_print"), 'int', ['pointer', 'pointer', 'int']);
    var retval = f(bp, x, offset);
    return retval;
    },
    }

    // (function() {
    // var name = 'openat';
    // var address = Module.findExportByName('libc.so.6', name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.path = args[0];
    // this.path = Memory.readUtf8String(this.path);
    // this.mode = args[1];
    // console.log(name + '("' + this.path +'"' +", " + this.mode + ')');
    // },
    // });
    // }
    // })();
    const easy = {
    export_pkey: function(pkey) {
    const BUFSIZE = 512;
    var buffer = Memory.alloc(BUFSIZE);
    var output = '';
    //Create memory bio
    var mem = openssl.BIO_new(openssl.BIO_s_mem());
    //Export the key
    openssl.EVP_PKEY_print_private(mem, pkey, 0, ptr(0));

    while (openssl.BIO_gets(mem, buffer, BUFSIZE) > 0) {
    output += buffer.readUtf8String();
    }
    if (openssl.PEM_write_bio_PUBKEY(mem, pkey) > 0) {
    while (openssl.BIO_gets(mem, buffer, BUFSIZE) > 0) {
    output += buffer.readUtf8String();
    }
    }
    if (openssl.PEM_write_bio_PrivateKey(mem, pkey, ptr(0), ptr(0), 0, ptr(0), ptr(0)) > 0) {
    while (openssl.BIO_gets(mem, buffer, BUFSIZE) > 0) {
    output += buffer.readUtf8String();
    }
    }
    openssl.BIO_free(mem); //Clean up
    return output;
    },
    export_rsa: function(rsa) {
    const BUFSIZE = 512;
    var buffer = Memory.alloc(BUFSIZE);
    var output = '';
    var mem = openssl.BIO_new(openssl.BIO_s_mem());
    if (rsa != ptr(0)) {
    if (openssl.PEM_write_bio_RSAPublicKey(mem, rsa) > 0) {
    while (openssl.BIO_gets(mem, buffer, BUFSIZE) > 0) {
    output += buffer.readUtf8String();
    }
    }
    if (openssl.PEM_write_bio_RSAPrivateKey(mem, rsa, ptr(0), ptr(0), 0, ptr(0), ptr(0)) > 0) {
    while (openssl.BIO_gets(mem, buffer, BUFSIZE) > 0) {
    output += buffer.readUtf8String();
    }
    }
    }
    openssl.BIO_free(mem); //Clean up
    return output;
    },

    export_pkey_from_ctx: function(ctx) {
    //This is a hack, if the structure changes, this will no longer work!
    // https://github.com/openssl/openssl/blob/master/include/crypto/evp.h#L21
    var pkey = ctx.add(16).readPointer();
    // console.log(hexdump(ctx));
    // console.log(hexdump(pkey));
    return this.export_pkey(pkey);
    }
    }

    // (function() {
    // var name = 'read';
    // var address = Module.findExportByName('libc.so.6', name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.fd = args[0];
    // this.data = args[1];
    // this.count = args[2];
    // },
    // onLeave: function(result) {
    // this.data = ptr(this.data);
    // this.length = result.toInt32();
    // console.log(name + '()');
    // console.log('Length: ' + this.length);
    // console.log(hexdump(this.data, {
    // length: this.length,
    // }));
    // }
    // });
    // }
    // })();

    (function() {
    var name = 'RSA_public_decrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    this.from = args[1];
    this.rsa = args[3];

    var f = new NativeFunction(Module.findExportByName(null, "fopen"), 'pointer', ['pointer', 'pointer']);
    var fp = f(Memory.allocUtf8String('/tmp/mycert' + this.rsa.toInt32() +'.pem'), Memory.allocUtf8String('w+'));
    console.log('FP: ' + fp);
    f = new NativeFunction(Module.findExportByName(null, 'PEM_write_RSAPublicKey'), 'int', ['pointer', 'pointer']);
    console.log('Result export: ' + f(fp, this.rsa));

    f = new NativeFunction(Module.findExportByName(null, "fclose"), 'int', ['pointer']);
    f(fp);

    console.log('Encrypted: ');
    console.log(hexdump(ptr(this.from), {
    length: args[0].toInt32(),
    }));
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log('Decrypted: ');
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();
    function red(string) {
    return '\x1b[31m' + string + '\x1b[0m';
    }

    (function() {
    var name = 'EVP_EncryptUpdate';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[4];
    this.data = args[3];
    function green(string) {
    return '\x1b[32m' + string + '\x1b[0m';
    }

    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();
    function blue(string) {
    return '\x1b[34m' + string + '\x1b[0m';
    }

    (function() {
    var name = 'RSA_private_decrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    function cyan(string) {
    return '\x1b[36m' + string + '\x1b[0m';
    }


    function backtrace(context) {
    return 'Backtrace:\n' + Thread.backtrace(context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') + '\n';
    }

    function readstring(address, index) {
    address = ptr(address);
    if (index == undefined) {
    index = 0;
    }
    else {
    index += 1;
    }

    try {
    var char = address.add(index).readU8();
    if ((char >= 0x20) && (char <= 0x7E)) {
    return readstring(address, index);
    }
    })();
    }
    catch (error) {}

    (function() {
    var name = 'RSA_public_encrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    if (index < 4) {
    return undefined;
    }

    return address.readUtf8String(index);
    }

    function address_is_readable(address) {
    address = ptr(address);
    var protection = 'r--';
    var ranges = Process.enumerateRanges(protection);
    for (var index in ranges) {
    var start = ranges[index]['base'];
    var stop = start.add(ranges[index]['size']);
    if ((address >= start) && (address <= stop)) {
    // console.log('Range: ' + start + ' - ' + stop);
    return true;
    }
    })();
    }
    return false;
    }

    (function() {
    var name = 'EVP_PKEY_encrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[4];
    this.data = args[3];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });


    function telescope(address, stack) {
    address = ptr(address);

    if (stack == undefined) {
    stack = []
    stack.push('[' + address + ']');
    }
    else {
    stack.push(address);
    }
    if (address_is_readable(address)) {
    var printable = readstring(address);
    if (printable != undefined) {
    stack.push(printable)
    }
    })();
    else {
    try {
    return telescope(address.readPointer(), stack);
    }
    catch (error) {
    //Ignore
    }
    }
    }
    return stack.join(' -> ');
    }


    function hooks() {
    (function() {
    var name = 'EVP_PKEY_decrypt';
    var name = 'HMAC_Init_ex';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'key=' + this.args[1] + ', ' + 'len=' + this.args[2] + ', ' + 'md=' + this.args[3] + ', ' + 'impl=' + this.args[4] + ') = ' + result);
    console.log(cyan('Key: '));
    console.log(cyan(hexdump(ptr(this.args[1]), {length: this.args[2].toInt32()})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();


    // (function() {
    // var name = 'AES_cbc_encrypt';
    // var name = 'EVP_PKEY_CTX_new';
    // var address = Module.findExportByName(null, name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.length = args[2];
    // this.enc = args[5];
    // if (this.enc == 0) {
    // //decrypt
    // this.data = args[1];
    // } else {
    // this.data = args[0];
    // }

    // },
    // onLeave: function(result) {
    // this.length = this.length.toInt32();
    // this.data = ptr(this.data);
    // console.log(name + '()');
    // console.log('Length: ' + this.length);
    // console.log(hexdump(this.data, {
    // length: this.length,
    // }));
    // }
    // });
    // try {
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.args = [];
    // this.args.push(args[0]); this.args.push(args[1]);
    // },
    // onLeave: function(result) {
    // console.log(name + '(' + 'pkey=' + this.args[0] + ', ' + 'e=' + this.args[1] + ') = ' + result);
    // var pkey = this.args[0];
    // console.log(red(easy.export_pkey(pkey)));
    // },
    // });
    // }
    // catch (error) {
    // console.error(error);
    // }
    // }
    // })();

    (function() {
    var name = 'BIO_read';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = result.toInt32();
    if (this.length > 0) {
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    }
    });
    }
    })();

    (function() {
    var name = 'BIO_write';
    var name = 'EVP_PKEY_encrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = result.toInt32();
    if (this.length > 0) {
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    }
    });
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'out=' + this.args[1] + ', ' + 'outlen=' + this.args[2] + ', ' + 'in=' + this.args[3] + ', ' + 'inlen=' + this.args[4] + ') = ' + result);
    // console.log(red(backtrace(this.context)));
    console.log(red(easy.export_pkey_from_ctx(this.args[0])));
    console.log(cyan('Buffer in: '));
    console.log(cyan(hexdump(ptr(this.args[3]), {length: result.toInt32()})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();


    (function() {
    var name = 'SSL_read';
    var name = 'RSA_public_decrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]); this.args.push(args[2]); this.args.push(args[3]); this.args.push(args[4]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'flen=' + this.args[0] + ', ' + 'from=' + this.args[1] + ', ' + 'to=' + this.args[2] + ', ' + 'rsa=' + this.args[3] + ', ' + 'padding=' + this.args[4] + ') = ' + result);
    console.log(red(easy.export_rsa(this.args[3])));
    console.log(cyan('Buffer to: '));
    console.log(cyan(hexdump(ptr(this.args[2]), {length: result.toInt32()})));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();


    (function() {
    var name = 'SSL_write';
    var name = 'EVP_PKEY_keygen';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    try {
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.args = [];
    this.args.push(args[0]); this.args.push(args[1]);
    },
    onLeave: function(result) {
    console.log(name + '(' + 'ctx=' + this.args[0] + ', ' + 'ppkey=' + this.args[1] + ') = ' + result);
    var pkey = this.args[1].readPointer();
    console.log(red(easy.export_pkey(pkey)));
    // console.log(red(backtrace(this.context)));
    },
    });
    }
    catch (error) {
    console.error(error);
    }
    }
    })();

    // (function() {
    // // https://github.com/openssl/openssl/blob/master/crypto/aes/asm/aesni-x86_64.pl - 610
    // var name = 'aesni_ecb_encrypt';
    // var address = Module.findExportByName(null, name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {

    // this.length = args[2];
    // this.enc = args[4];
    // if (this.enc == 0) {
    // //decrypt
    // this.data = args[1];
    // } else {
    // this.data = args[0];
    // }

    // },
    // onLeave: function(result) {
    // this.length = this.length.toInt32();
    // this.data = ptr(this.data);
    // console.log(name + '()');
    // console.log('Length: ' + this.length);
    // console.log('Enc: ' + this.enc);
    // console.log(hexdump(this.data, {
    // length: this.length,
    // }));
    // }
    // });
    // }
    // })();

    }

    // function overrides() {
    // (function() {
    // var name = 'SSL_set_verify';
    // var address = Module.findExportByName(null, name);
    // var native = new NativeFunction(address, 'void', ['pointer', 'int']);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.replace(address,



    // {
    // onEnter: function(args) {
    // this.ssl = args[0];
    // this.mode = args[1];
    // args[1] = new uint64(0);
    // console.log('Args mode: ' + args[1]);
    // },
    // });
    // }
    // })();
    // }

    function overrides() {
    (function() {
    @@ -409,7 +350,7 @@ function overrides() {
    this.mode = args[1];
    //Replace the value!
    args[1] = ptr(0);
    console.log('Setting ' + name + ' to mode = ' + args[1]);
    console.log(green('Setting ' + name + ' to mode = ' + args[1]));
    },
    });
    }
    @@ -424,11 +365,12 @@ function overrides() {
    onLeave: function(result) {
    //Replace the value!
    result.replace(1);
    console.log('Setting ' + name + ' to result = ' + result);
    console.log(green('Setting ' + name + ' to result = ' + result));
    }
    });
    }
    })();

    }

    hooks();
  4. @FrankSpierings FrankSpierings revised this gist Mar 31, 2020. 1 changed file with 161 additions and 36 deletions.
    197 changes: 161 additions & 36 deletions openssl-frida.js
    @@ -55,28 +55,45 @@ function hooks() {
    // }
    // })();

    (function() {
    var name = 'RSA_public_decrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();
    (function() {
    var name = 'RSA_public_decrypt';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    this.from = args[1];
    this.rsa = args[3];

    var f = new NativeFunction(Module.findExportByName(null, "fopen"), 'pointer', ['pointer', 'pointer']);
    var fp = f(Memory.allocUtf8String('/tmp/mycert' + this.rsa.toInt32() +'.pem'), Memory.allocUtf8String('w+'));
    console.log('FP: ' + fp);
    f = new NativeFunction(Module.findExportByName(null, 'PEM_write_RSAPublicKey'), 'int', ['pointer', 'pointer']);
    console.log('Result export: ' + f(fp, this.rsa));

    f = new NativeFunction(Module.findExportByName(null, "fclose"), 'int', ['pointer']);
    f(fp);

    console.log('Encrypted: ');
    console.log(hexdump(ptr(this.from), {
    length: args[0].toInt32(),
    }));
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log('Decrypted: ');
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    var name = 'EVP_EncryptUpdate';
    @@ -194,31 +211,81 @@ function hooks() {
    })();


    // (function() {
    // var name = 'AES_cbc_encrypt';
    // var address = Module.findExportByName(null, name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.length = args[2];
    // this.enc = args[5];
    // if (this.enc == 0) {
    // //decrypt
    // this.data = args[1];
    // } else {
    // this.data = args[0];
    // }

    // },
    // onLeave: function(result) {
    // this.length = this.length.toInt32();
    // this.data = ptr(this.data);
    // console.log(name + '()');
    // console.log('Length: ' + this.length);
    // console.log(hexdump(this.data, {
    // length: this.length,
    // }));
    // }
    // });
    // }
    // })();

    (function() {
    var name = 'AES_cbc_encrypt';
    var name = 'BIO_read';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.enc = args[5];
    if (this.enc == 0) {
    //decrypt
    this.data = args[1];
    } else {
    this.data = args[0];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = result.toInt32();
    if (this.length > 0) {
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    }
    });
    }
    })();

    (function() {
    var name = 'BIO_write';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    this.length = result.toInt32();
    if (this.length > 0) {
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    }
    });
    }
    @@ -307,5 +374,63 @@ function hooks() {

    }

    // function overrides() {
    // (function() {
    // var name = 'SSL_set_verify';
    // var address = Module.findExportByName(null, name);
    // var native = new NativeFunction(address, 'void', ['pointer', 'int']);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.replace(address,



    // {
    // onEnter: function(args) {
    // this.ssl = args[0];
    // this.mode = args[1];
    // args[1] = new uint64(0);
    // console.log('Args mode: ' + args[1]);
    // },
    // });
    // }
    // })();
    // }

    function overrides() {
    (function() {
    var name = 'SSL_set_verify';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.ssl = args[0];
    this.mode = args[1];
    //Replace the value!
    args[1] = ptr(0);
    console.log('Setting ' + name + ' to mode = ' + args[1]);
    },
    });
    }
    })();

    (function() {
    var name = 'EVP_PKEY_verify';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onLeave: function(result) {
    //Replace the value!
    result.replace(1);
    console.log('Setting ' + name + ' to result = ' + result);
    }
    });
    }
    })();
    }

    hooks();
    overrides();
    console.log('[+] Loaded');
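Review bot: In the new `RSA_public_decrypt` `onEnter`, the `fopen` result `fp` goes straight into `PEM_write_RSAPublicKey` and `fclose` with no NULL check, so a failed open (for example a target that cannot write to `/tmp`) hands a NULL `FILE*` to libc inside the instrumented process. Guard the export with `if (!fp.isNull()) { ... }` and log the failure in the other branch. The file name is built from `this.rsa.toInt32()`, which truncates the pointer on 64-bit targets and yields a predictable name in a shared directory; `this.rsa.toString()` under a directory only the analyst can write to would avoid collisions and pre-created links. The `Module.findExportByName` results for `fopen`, `PEM_write_RSAPublicKey` and `fclose` are also used without the `!= null` test that the hooked address itself gets.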
  5. @FrankSpierings FrankSpierings revised this gist Mar 30, 2020. 1 changed file with 115 additions and 11 deletions.
    126 changes: 115 additions & 11 deletions openssl-frida.js
    @@ -1,4 +1,60 @@
    function hooks() {
    // (function() {
    // var name = 'open';
    // var address = Module.findExportByName('libc.so.6', name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.path = args[0];
    // this.path = Memory.readUtf8String(this.path);
    // this.mode = args[1];
    // console.log(name + '("' + this.path +'"' +", " + this.mode + ')');
    // },
    // });
    // }
    // })();

    // (function() {
    // var name = 'openat';
    // var address = Module.findExportByName('libc.so.6', name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.path = args[0];
    // this.path = Memory.readUtf8String(this.path);
    // this.mode = args[1];
    // console.log(name + '("' + this.path +'"' +", " + this.mode + ')');
    // },
    // });
    // }
    // })();

    // (function() {
    // var name = 'read';
    // var address = Module.findExportByName('libc.so.6', name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {
    // this.fd = args[0];
    // this.data = args[1];
    // this.count = args[2];
    // },
    // onLeave: function(result) {
    // this.data = ptr(this.data);
    // this.length = result.toInt32();
    // console.log(name + '()');
    // console.log('Length: ' + this.length);
    // console.log(hexdump(this.data, {
    // length: this.length,
    // }));
    // }
    // });
    // }
    // })();

    (function() {
    var name = 'RSA_public_decrypt';
    var address = Module.findExportByName(null, name);
    @@ -168,31 +224,46 @@ function hooks() {
    }
    })();


    (function() {
    // https://github.com/openssl/openssl/blob/master/crypto/aes/asm/aesni-x86_64.pl - 610
    var name = 'aesni_ecb_encrypt';
    var name = 'SSL_read';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {

    this.length = args[2];
    this.enc = args[4];
    if (this.enc == 0) {
    //decrypt
    this.data = args[1];
    } else {
    this.data = args[0];
    }
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();


    (function() {
    var name = 'SSL_write';
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log('Enc: ' + this.enc);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    @@ -201,6 +272,39 @@ function hooks() {
    }
    })();

    // (function() {
    // // https://github.com/openssl/openssl/blob/master/crypto/aes/asm/aesni-x86_64.pl - 610
    // var name = 'aesni_ecb_encrypt';
    // var address = Module.findExportByName(null, name);
    // if (address != null) {
    // console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    // Interceptor.attach(address, {
    // onEnter: function(args) {

    // this.length = args[2];
    // this.enc = args[4];
    // if (this.enc == 0) {
    // //decrypt
    // this.data = args[1];
    // } else {
    // this.data = args[0];
    // }

    // },
    // onLeave: function(result) {
    // this.length = this.length.toInt32();
    // this.data = ptr(this.data);
    // console.log(name + '()');
    // console.log('Length: ' + this.length);
    // console.log('Enc: ' + this.enc);
    // console.log(hexdump(this.data, {
    // length: this.length,
    // }));
    // }
    // });
    // }
    // })();

    }

    hooks();
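Review bot: The new `SSL_read` hook takes its dump length from `args[2]` (the caller's buffer size) rather than from the return value, so `onLeave` prints stale buffer contents past what was actually read and still prints when the call fails or returns 0. Use the result and skip non-positive values: `this.length = result.toInt32();` followed by `if (this.length > 0) { ... }` around the logging. The `SSL_write` hook added in the same section follows the same pattern, where the return value rather than the requested `num` is the count actually written. Both hooks print application plaintext to the console, so a short comment that the output must be treated as sensitive would be worth adding above them.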
  6. @FrankSpierings FrankSpierings revised this gist Mar 30, 2020. 1 changed file with 165 additions and 141 deletions.
    306 changes: 165 additions & 141 deletions openssl-frida.js
    @@ -1,180 +1,204 @@
    function hooks() {
    (function() {
    var name = 'RSA_public_decrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    var name = 'EVP_EncryptUpdate';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[4];
    this.data = args[3];
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[4];
    this.data = args[3];

    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    var name = 'RSA_private_decrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[2];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    var name = 'RSA_public_encrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[0];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    var name = 'EVP_PKEY_encrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[4];
    this.data = args[3];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[4];
    this.data = args[3];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    var name = 'EVP_PKEY_decrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.data = args[1];
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();


    (function() {
    var name = 'AES_cbc_encrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {
    this.length = args[2];
    this.enc = args[5];
    if (this.enc == 0) {
    //decrypt
    this.data = args[1];
    } else {
    this.data = args[0];
    }
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {
    this.length = args[2];
    this.enc = args[5];
    if (this.enc == 0) {
    //decrypt
    this.data = args[1];
    } else {
    this.data = args[0];
    }

    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    (function() {
    // https://github.com/openssl/openssl/blob/master/crypto/aes/asm/aesni-x86_64.pl - 610
    var name = 'aesni_ecb_encrypt';
    console.log('[!] Hooking: ' + name);
    Interceptor.attach(Module.findExportByName(null, name), {
    onEnter: function(args) {

    this.length = args[2];
    this.enc = args[4];
    if (this.enc == 0) {
    //decrypt
    this.data = args[1];
    } else {
    this.data = args[0];
    }
    var address = Module.findExportByName(null, name);
    if (address != null) {
    console.log('[!] Hooking: ' + name + ' @ 0x' + address.toString(16));
    Interceptor.attach(address, {
    onEnter: function(args) {

    this.length = args[2];
    this.enc = args[4];
    if (this.enc == 0) {
    //decrypt
    this.data = args[1];
    } else {
    this.data = args[0];
    }

    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log('Enc: ' + this.enc);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    },
    onLeave: function(result) {
    this.length = this.length.toInt32();
    this.data = ptr(this.data);
    console.log(name + '()');
    console.log('Length: ' + this.length);
    console.log('Enc: ' + this.enc);
    console.log(hexdump(this.data, {
    length: this.length,
    }));
    }
    });
    }
    })();

    }
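Review bot: The `EVP_PKEY_decrypt` hook still stores `args[2]` as the dump length, but in OpenSSL's signature that argument is `size_t *outlen`, so `this.length.toInt32()` in `onLeave` turns a pointer value into the `hexdump` length. The dump can then run far past the `out` buffer or fault the instrumented process, and the null check added in this revision does not change that. Read the count through the pointer after the call, for example `var n = this.length.readPointer().toInt32();` (assuming `size_t` is pointer-sized on the target), guarded by `if (result.toInt32() > 0 && !this.data.isNull())`, since a caller may pass a NULL `out` just to query the size. The same lines appear in the initial revision further down the page.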
  7. @FrankSpierings FrankSpierings created this gist Mar 23, 2020.
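--- a/openssl-frida.js
+++ b/openssl-frida.js
@@ -0,0 +1,183 @@
+function hooks() {
+(function() {
+var name = 'RSA_public_decrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[0];
+this.data = args[2];
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+(function() {
+var name = 'EVP_EncryptUpdate';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[4];
+this.data = args[3];
+
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+(function() {
+var name = 'RSA_private_decrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[0];
+this.data = args[2];
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+(function() {
+var name = 'RSA_public_encrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[0];
+this.data = args[1];
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+(function() {
+var name = 'EVP_PKEY_encrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[4];
+this.data = args[3];
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+(function() {
+var name = 'EVP_PKEY_decrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[2];
+this.data = args[1];
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+
+(function() {
+var name = 'AES_cbc_encrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+this.length = args[2];
+this.enc = args[5];
+if (this.enc == 0) {
+//decrypt
+this.data = args[1];
+} else {
+this.data = args[0];
+}
+
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+(function() {
+// https://github.com/openssl/openssl/blob/master/crypto/aes/asm/aesni-x86_64.pl - 610
+var name = 'aesni_ecb_encrypt';
+console.log('[!] Hooking: ' + name);
+Interceptor.attach(Module.findExportByName(null, name), {
+onEnter: function(args) {
+
+this.length = args[2];
+this.enc = args[4];
+if (this.enc == 0) {
+//decrypt
+this.data = args[1];
+} else {
+this.data = args[0];
+}
+
+},
+onLeave: function(result) {
+this.length = this.length.toInt32();
+this.data = ptr(this.data);
+console.log(name + '()');
+console.log('Length: ' + this.length);
+console.log('Enc: ' + this.enc);
+console.log(hexdump(this.data, {
+length: this.length,
+}));
+}
+});
+})();
+
+}
+
+hooks();
+console.log('[+] Loaded');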
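Review bot: The `RSA_public_decrypt` and `RSA_private_decrypt` hooks dump `flen` bytes of the `to` buffer, but `flen` (`args[0]`) is the length of the input, while the number of recovered bytes is the function's return value. As written, the dump also prints whatever follows the recovered data in the output buffer, and it still prints after a failed call, where the return value is -1. In `onLeave`, take `var n = result.toInt32();` and call `hexdump` only `if (n > 0)`, passing `length: n`. The later revision shown above on this page keeps these lines unchanged.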