set keybox real func

This commit is contained in:
hyugogirubato 2024-10-29 20:29:01 +01:00
parent e47910819b
commit 2246a641e6
1 changed files with 58 additions and 52 deletions

View File

@ -1,5 +1,5 @@
/** /**
* Date: 2024-10-27 * Date: 2024-10-29
* Description: DRM key extraction for research and educational purposes. * Description: DRM key extraction for research and educational purposes.
* Source: https://github.com/hyugogirubato/KeyDive * Source: https://github.com/hyugogirubato/KeyDive
*/ */
@ -123,7 +123,12 @@ const disableLibrary = (name) => {
// @Libraries // @Libraries
const UsePrivacyMode = (address) => { const UsePrivacyMode = (address) => {
// wvcdm::Properties::UsePrivacyMode /*
wvcdm::Properties::UsePrivacyMode
Args:
args[0]: std::string const&
*/
Interceptor.replace(address, new NativeCallback(function () { Interceptor.replace(address, new NativeCallback(function () {
return 0; return 0;
}, 'int', [])); }, 'int', []));
@ -139,7 +144,12 @@ const UsePrivacyMode = (address) => {
} }
const GetCdmClientPropertySet = (address) => { const GetCdmClientPropertySet = (address) => {
// wvcdm::Properties::GetCdmClientPropertySet /*
wvcdm::Properties::GetCdmClientPropertySet
Args:
args[0]: std::string const&
*/
Interceptor.replace(address, new NativeCallback(function () { Interceptor.replace(address, new NativeCallback(function () {
return 0; return 0;
}, 'int', [])); }, 'int', []));
@ -155,7 +165,18 @@ const GetCdmClientPropertySet = (address) => {
} }
const PrepareKeyRequest = (address) => { const PrepareKeyRequest = (address) => {
// wvcdm::CdmLicense::PrepareKeyRequest /*
wvcdm::CdmLicense::PrepareKeyRequest
Args:
args[0]: wvcdm::CdmLicense *this
args[1]: wvcdm::InitializationData const&
args[2]: wvcdm::CdmLicenseType
args[3]: std::map<std::string
args[4]: std::string> const&
args[5]: std::string*
args[6]: std::string*
*/
Interceptor.attach(address, { Interceptor.attach(address, {
onEnter: function (args) { onEnter: function (args) {
print(Level.DEBUG, '[+] onEnter: PrepareKeyRequest'); print(Level.DEBUG, '[+] onEnter: PrepareKeyRequest');
@ -240,8 +261,15 @@ const getKeyLength = (key) => {
return pos + lengthValue; return pos + lengthValue;
} }
const GetDeviceID = (address, name) => { const GetDeviceId = (address, name) => {
// wvdash::OEMCrypto::GetDeviceID /*
wvcdm::_oecc07
Args:
args[0]: uchar *
args[1]: ulong *
args[3]: wvcdm::SecurityLevel
*/
Interceptor.attach(address, { Interceptor.attach(address, {
onEnter: function (args) { onEnter: function (args) {
// print(Level.DEBUG, '[+] onEnter: GetDeviceID'); // print(Level.DEBUG, '[+] onEnter: GetDeviceID');
@ -250,54 +278,41 @@ const GetDeviceID = (address, name) => {
}, },
onLeave: function (retval) { onLeave: function (retval) {
// print(Level.DEBUG, '[-] onLeave: GetDeviceID'); // print(Level.DEBUG, '[-] onLeave: GetDeviceID');
try {
const size = Memory.readPointer(this.size).toInt32(); const size = Memory.readPointer(this.size).toInt32();
const data = Memory.readByteArray(this.data, size); const data = Memory.readByteArray(this.data, size);
print(Level.DEBUG, `[*] GetDeviceID: ${name}`); if (data) {
print(Level.DEBUG, `[*] GetDeviceId: ${name}`);
send('device_id', data); send('device_id', data);
} catch (e) {
// print(Level.ERROR, `Failed to dump device ID.`);
} }
} }
}); });
} }
const FileSystemRead = (address) => {
/*
wvoec3::OEMCrypto_Level3AndroidFileSystem::Read
const memcpy = (address) => { Args:
// libc::memcpy args[0]: wvoec3::OEMCrypto_Level3AndroidFileSystem *this
args[1]: char const*
args[2]: void *
args[3]: ulong
*/
Interceptor.attach(address, { Interceptor.attach(address, {
onEnter: function (args) { onEnter: function (args) {
// Convert size argument from hexadecimal to integer // print(Level.DEBUG, '[+] onEnter: FileSystemRead');
const size = parseInt(args[2], 16); const size = args[3].toInt32();
const data = Memory.readByteArray(args[2], size);
// Check if the size matches known keybox sizes (128 or 132 bytes) // Check if the size matches known keybox sizes (128 or 132 bytes)
if ([128, 132].includes(size)) { if ([128, 132].includes(size) && data) {
const data = Memory.readByteArray(args[1], size); print(Level.DEBUG, '[*] FileSystemRead');
// Define the target bytes for "kbox"
const targetBytes = [0x6b, 0x62, 0x6f, 0x78]; // "kbox" in hex
// Function to check if target bytes are present
function containsTargetBytes(buffer, target) {
const dataArray = Array.from(new Uint8Array(buffer));
for (let i = 0; i <= dataArray.length - target.length; i++) {
if (target.every((byte, index) => dataArray[i + index] === byte)) {
return true;
}
}
return false;
}
// Check if "kbox" is present in the data
if (data && containsTargetBytes(data, targetBytes)) {
print(Level.DEBUG, `[*] Keybox: memcpy`);
send('keybox', data); send('keybox', data);
} }
}
}, },
onLeave: function (retval) { onLeave: function (retval) {
// print(Level.DEBUG, `[-] onLeave: memcpy`); // print(Level.DEBUG, '[-] onLeave: FileSystemRead');
} }
}); });
} }
@ -337,9 +352,11 @@ const hookLibrary = (name) => {
} else if (funcName.includes('PrepareKeyRequest')) { } else if (funcName.includes('PrepareKeyRequest')) {
PrepareKeyRequest(funcAddr); PrepareKeyRequest(funcAddr);
} else if (funcName.includes('lcc07') || funcName.includes('oecc07') || funcName.includes('getOemcryptoDeviceId')) { } else if (funcName.includes('lcc07') || funcName.includes('oecc07') || funcName.includes('getOemcryptoDeviceId')) {
GetDeviceID(funcAddr, funcName); GetDeviceId(funcAddr, funcName);
} else if (targets.includes(funcName) || (!targets.length && funcName.match(/^[a-z]+$/))) { } else if (targets.includes(funcName) || (!targets.length && funcName.match(/^[a-z]+$/))) {
LoadDeviceRSAKey(funcAddr, funcName); LoadDeviceRSAKey(funcAddr, funcName);
} else if (funcName.includes('OEMCrypto_Level3AndroidFileSystem') && funcName.includes('Read')) {
FileSystemRead(funcAddr);
} else { } else {
/* /*
1. wvcdm::CdmEngine::GetProvisioningRequest 1. wvcdm::CdmEngine::GetProvisioningRequest
@ -364,18 +381,7 @@ const hookLibrary = (name) => {
return false; return false;
} }
// Keybox (experimental) // TODO: Libraries? (https://github.com/wvdumper/dumper/blob/main/Helpers/Scanner.py#L23)
library = getLibrary('libc.so');
targets = getFunctions(library).find(func => func.name === 'memcpy' && func.type === 'function');
if (targets) {
try {
memcpy(targets.address);
print(Level.DEBUG, `Hooked (${targets.address}): ${targets.name}`);
} catch (e) {
print(Level.ERROR, `${e.message} for ${targets.name}`);
}
}
// https://github.com/hzy132/liboemcryptodisabler/blob/master/customize.sh#L33 // https://github.com/hzy132/liboemcryptodisabler/blob/master/customize.sh#L33
disableLibrary('liboemcrypto.so'); disableLibrary('liboemcrypto.so');
return true; return true;