카카오톡 End-to-End Encryption
const crypto = require('crypto');
const eccrypto = require('eccrypto');
const BSON = require('bson');
var base64 = require('base-64');
console.log('@@@@@@@ script start()! @@@@@@@');

// ---- Local key pair -------------------------------------------------------
// One ECC key pair per script run; the public half is advertised to the peer
// through the chat itself (protocol 1) and the private half decrypts what
// comes back.
console.log("Generating asymmetric key...");
const privateKey = eccrypto.generatePrivate();
const publicKey = eccrypto.getPublic(privateKey);
// Peer's public key; stays undefined until a protocol-1 message is received.
let NpublicKey;
// NOTE(review): the private key is written to the console in hex. Fine for a
// lab session, but the console output must then be treated as key material.
const publicKeyHex = publicKey.toString('hex');
const privateKeyHex = privateKey.toString('hex');
console.log('\npublicKey : \n', publicKeyHex);
console.log('\nprivateKey : \n', privateKeyHex);

// ---- Native bindings and scratch buffers ----------------------------------
// Addresses are hard-coded for one specific client build.
const mysend = new NativeFunction(ptr(0xD1fe20), 'int', ['pointer', 'int', 'int']);
const Free = new NativeFunction(Module.findExportByName( null, 'free'), 'void', ['pointer']);
// Fixed-size regions that replace the client's own packet buffers in the hooks
// below; nothing in this script bounds-checks writes against these sizes.
const alloc_send = Memory.alloc(0x1000);
const alloc_request = Memory.alloc(0x100);
const alloc_receive = Memory.alloc(0x1000);
const List = {};
let KeyExchange_fin = false;
console.log('Free', Free);
console.log('alloc_send', alloc_send);
console.log('alloc_request', alloc_request);
console.log('alloc_receive', alloc_receive);

// ---- Hook state -----------------------------------------------------------
// Sample outgoing message shape (chatId/msgId are 64-bit Longs in low/high form).
const request_msg = {"chatId":{"low":862162125,"high":39896,"unsigned":false},"msg":"AAAA","msgId":{"low":783662842,"high":0,"unsigned":false},"type":1};
// ECX captured on the first intercepted call and re-applied afterwards.
let ecx = null;
let context_send;
let context_receive;
// true while outgoing chat text is being encrypted ("/secure start" .. "/secure stop").
let secure_flag = false;
// Hook installation is deferred with setImmediate so the key pair and scratch
// buffers declared above exist before the first intercepted call. Both hooks
// use fixed addresses (0xd1fe20 for send, 0xD3AF70 for receive) that belong to
// one particular client build; on any other build they point at unrelated code.
setImmediate(function(){
var sendAddr = ptr(0xd1fe20);
console.log(" [+] sendAddr @ " + sendAddr);
// ---- Outgoing path: rewrite the BSON chat payload before the client sends it ----
Interceptor.attach(sendAddr, {
onEnter : function(args){
console.log(JSON.stringify(this.context));
console.log(ecx);
var buf = ptr(args[0]);
// The first call's ECX is cached and forced back into every later call.
// Presumably the hooked routine is a thiscall and ECX carries an object
// pointer that must stay constant -- TODO confirm against the disassembly.
if (ecx == null) ecx = ptr(this.context.ecx);
else this.context.ecx = ptr(ecx);
// Command name sits at offset 6 of the outgoing packet; only "WRITE"
// (a chat message) is touched, everything else passes through untouched.
var cmd = Memory.readCString(buf.add(0x6));
if (cmd == "WRITE"){
console.log("\n========== SEND! ==========");
// Print Meta data
//console.log("Args : ", args[0], args[1], args[2]);
//console.log(JSON.stringify(this.context));
//console.log(hexdump(args[0], { offset: 0, length: 0x100, header: true, ansi: false }));
// Read Message
// Packet layout assumed throughout: a 0x16-byte header followed by the BSON
// body; args[1] is the total length, so the body is args[1] - 0x16 bytes.
var bson_data = Memory.readByteArray(ptr(parseInt(args[0])+0x16), parseInt(args[1])-0x16);
// Create New Message
// promoteLongs: false keeps 64-bit fields (e.g. chatId/msgId) as Long objects
// so they re-serialize unchanged instead of being narrowed to Number.
var bson_data_de = BSON.deserialize(new Buffer(bson_data), {promoteLongs: false});
console.log(JSON.stringify(bson_data_de));
// Buffer.from(string, encoding) takes no length argument, so the third
// parameter is ignored; compare() === 0 means the whole message text equals
// the command. "/secure stop" only clears the flag and is then sent as plain text.
if(!(Buffer.from(bson_data_de.msg, 'utf8', 12).compare(Buffer.from('/secure stop'))) && secure_flag){
secure_flag = false;
}
// "/secure help": the message body is replaced by a protocol-3 marker that a
// receiving client running this script renders as the help text.
if (!(Buffer.from(bson_data_de.msg, 'utf8', 12).compare(Buffer.from('/secure help')))){
var tmp = BSON.serialize( {protocol: 3} );
var newData = [];
for (var i=0; i<tmp.length; i++)
newData.push(tmp[i]);
// The byte array is stringified to comma-separated decimal values before
// base64 (the receive hook reverses this with split(',')), so the wire
// format is base64 of that text rather than base64 of the raw bytes.
bson_data_de.msg = base64.encode(newData);
//console.log('request', JSON.stringify(bson_data_de));
var serialized = BSON.serialize( bson_data_de );
var data = [];
for (var i=0; i<serialized.length; i++)
data.push(serialized[i]);
// Copy the 0x16-byte header verbatim, patch the length field at 0x12, append
// the new body. alloc_request is only 0x100 bytes and 0x16 + data.length is
// never checked against that size.
var head = Memory.readByteArray(buf, 0x16);
Memory.writeByteArray(alloc_request, head);
Memory.writeInt(alloc_request.add(0x12), data.length);
Memory.writeByteArray(alloc_request.add(0x16), data);
// Point the callee at our buffer; the client's original buffer is left
// as-is (the Free call further down is commented out).
args[0] = alloc_request;
args[1] = ptr(data.length).add(0x16);
}
else if(secure_flag)
{
//console.log("ENCRYPTONG!!");
// Encrypt the chat text for the peer. Two caveats: NpublicKey is still
// undefined if no protocol-1 message has been received yet, and the published
// eccrypto.encrypt() returns a Promise whereas .iv/.mac are read synchronously
// here -- this only works with a synchronous variant of that API; confirm the build.
// NpublicKey is also whatever the last protocol-1 chat message carried: nothing
// binds it to the peer's identity (no fingerprint check), so a substituted key
// in the chat would silently be used.
var encrypted = eccrypto.encrypt(NpublicKey, bson_data_de.msg);
console.log('encrypted', JSON.stringify(encrypted));
var tmp = BSON.serialize( { protocol: 2, iv: encrypted.iv, ephemPublicKey: encrypted.ephemPublicKey, ciphertext: encrypted.ciphertext, mac: encrypted.mac} );
var newData = [];
for (var i=0; i<tmp.length; i++)
newData.push(tmp[i]);
// Same comma-separated-decimal-then-base64 packaging as the help request.
bson_data_de.msg = base64.encode(newData);
// bson_data_de.msg = 'A';
console.log( JSON.stringify(bson_data_de));
var newSerialized = BSON.serialize( bson_data_de );
newData = [];
for (var i=0; i<newSerialized.length; i++)
newData.push(newSerialized[i]);
// Change Message
// alloc_send is 0x1000 bytes; the ciphertext-bearing body is written without
// checking that 0x16 + newData.length fits.
var header = Memory.readByteArray(buf, 0x16);
Memory.writeByteArray(alloc_send, header);
Memory.writeInt(alloc_send.add(0x12), newData.length);
Memory.writeByteArray(alloc_send.add(0x16), newData);
//console.log(Free);
//Free(ptr(args[0]));
args[0] = alloc_send;
args[1] = ptr(newData.length).add(0x16);
//args[2] = ptr(0);
}
// "/secure start": flip the flag and advertise our public key as a protocol-1
// message. The flag is set before any peer key is known, so the next outgoing
// message hits the encrypt branch above regardless of whether a key arrived.
else if (!(Buffer.from(bson_data_de.msg, 'utf8', 13).compare(Buffer.from('/secure start'))) && !secure_flag)
{
secure_flag = true;
var tmp = BSON.serialize( {protocol: 1, key: publicKey} );
var newData = [];
for (var i=0; i<tmp.length; i++)
newData.push(tmp[i]);
bson_data_de.msg = base64.encode(newData);
var serialized = BSON.serialize( bson_data_de );
var data = [];
for (var i=0; i<serialized.length; i++)
data.push(serialized[i]);
// Same header copy / length patch / body append as the help request, into
// the 0x100-byte alloc_request with no size check.
var head = Memory.readByteArray(buf, 0x16);
Memory.writeByteArray(alloc_request, head);
Memory.writeInt(alloc_request.add(0x12), data.length);
Memory.writeByteArray(alloc_request.add(0x16), data);
args[0] = alloc_request;
args[1] = ptr(data.length).add(0x16);
//args[2] = ptr(0x0);
}
}
}
});
// RECEIVE MESSAGE
// var recvAddr = Module.findExportByName("ws2_32.dll", "WSARecv");
// console.log(" [+] recvAddr @ " + recvAddr);
// ---- Incoming path: undo the transform on packets that carry a chatLog ----
Interceptor.attach(ptr(0xD3AF70), {
onEnter : function(args){
console.log(JSON.stringify(this.context));
console.log(ecx);
// Same ECX capture/restore as the send hook; note both hooks share one
// cached value.
if (ecx == null) ecx = ptr(this.context.ecx);
else this.context.ecx = ptr(ecx);
const buf = ptr(args[0]);
// Here args[0]/args[1] are the whole BSON document and its length; unlike the
// send side there is no 0x16-byte header to skip.
var bson_data = Memory.readByteArray(buf, args[1].toInt32());
var bson_data_de = BSON.deserialize(new Buffer(bson_data), {promoteLongs: false});
console.log('Receive 1',JSON.stringify(bson_data_de));
if (bson_data_de.chatLog != undefined){
console.log("\n========== RECEIVE! ==========");
//console.log("Args : ", args[0], args[1], args[2]);
//console.log(JSON.stringify(this.context));
//console.log(hexdump(args[0], { offset: 0, length: 0x100, header: true, ansi: false }));
// Reverse the send-side packaging: base64 -> "1,2,3,..." -> byte array -> BSON.
// A chat message that is not in this format makes deserialize throw inside the
// hook; there is no catch, so such a packet reaches the callee unmodified.
var encrypted = base64.decode(bson_data_de.chatLog.message);
var tmp = Buffer.from(encrypted.split(','));
var encrypted_de = BSON.deserialize( tmp, {promoteLongs: false} );
if (encrypted_de.protocol == 1){ // start
console.log('public key',encrypted_de.key);
// Any protocol-1 message in the chat replaces the peer key, with no
// fingerprint comparison or user confirmation. `new Buffer.from(...)` applies
// `new` to a factory function; it still yields the Buffer returned by from().
NpublicKey = new Buffer.from(encrypted_de.key.toString('base64'), 'base64');
}
else if (encrypted_de.protocol == 2){
// Presumably BSON Binary objects here; the base64 round trip turns each one
// into the plain Buffer that eccrypto expects -- confirm the field types.
var encryption = {iv: new Buffer.from(encrypted_de.iv.toString('base64'), 'base64'), ephemPublicKey: Buffer.from(encrypted_de.ephemPublicKey.toString('base64'), 'base64'), ciphertext: Buffer.from(encrypted_de.ciphertext.toString('base64'), 'base64'), mac: Buffer.from(encrypted_de.mac.toString('base64'), 'base64')};
console.log(JSON.stringify(encryption));
// Same synchronous-API assumption as encrypt() on the send side. eccrypto's
// decrypt rejects a bad MAC by throwing; since args are only replaced after
// this line, a rejected packet passes through with its ciphertext intact.
var msg = eccrypto.decrypt(privateKey , encryption);
console.log(msg);
bson_data_de.chatLog.message = msg.toString('utf8');
var newserialized = BSON.serialize( bson_data_de );
var newData = [];
for (var i = 0; i < newserialized.length; i++) newData.push(newserialized[i]);
//var newData = decryptAES(bson_data);
// alloc_receive is 0x1000 bytes and is reused for every message; the length
// of the rewritten document is not checked against it.
Memory.writeByteArray(alloc_receive, newData);
args[0] = alloc_receive;
args[1] = ptr(newData.length);
}
else if (encrypted_de.protocol == 3){
// Help marker: render the command list in place of the message text.
var msg = Buffer.from("Help\n /secure start\n /secure stop\n /secure help");
bson_data_de.chatLog.message = msg.toString('utf8');
var newserialized = BSON.serialize( bson_data_de );
var newData = [];
for (var i = 0; i < newserialized.length; i++) newData.push(newserialized[i]);
// setTimeout(function(){
//...
//})
//var newData = decryptAES(bson_data);
Memory.writeByteArray(alloc_receive, newData);
args[0] = alloc_receive;
args[1] = ptr(newData.length);
}
}
}
})
});