backward compatibility file read func

2024-11-01 21:13:28 +01:00 · 2024-11-01 21:13:28 +01:00 · a5e7528842
parent e2660a33dd
commit a5e7528842
2 changed files with 16 additions and 33 deletions
--- a/keydive/constants.py
+++ b/keydive/constants.py
@ -128,8 +128,8 @@ CDM_FUNCTION_API = {
    'lcc07',
    'oecc07',
    'Read',
-    'runningcrc',
-    'GetSystemId'
+    'x1c36',
+    'runningcrc'
 }

 # https://github.com/kaltura/kaltura-device-info-android
--- a/keydive/keydive.js
+++ b/keydive/keydive.js
@ -317,7 +317,7 @@ const FileSystemRead = (address) => {
    });
 }

-const FileRead = (address) => {
+const FileRead = (address, name) => {
    /*
    wvcdm::File::Read

@ -326,20 +326,28 @@ const FileRead = (address) => {
        args[1]: char *
        args[2]: uint
     */
+    /*
+    _x1c36
+
+    Args:
+        args[0]: char *filename
+        args[1]: void *ptr
+        args[2]: size_t n
+     */
    Interceptor.attach(address, {
        onEnter: function (args) {
-            // print(Level.DEBUG, '[+] onEnter: FileRead');
+            // print(Level.DEBUG, `[+] onEnter: FileRead: ${name}`);
            const size = args[2].toInt32();
            const data = Memory.readByteArray(args[1], size);

            // Check if the size matches known keybox sizes (128 or 132 bytes)
            if ([128, 132].includes(size) && data) {
-                print(Level.DEBUG, '[*] FileRead');
+                print(Level.DEBUG, `[*] FileRead: ${name}`);
                send('keybox', data);
            }
        },
        onLeave: function (retval) {
-            // print(Level.DEBUG, '[-] onLeave: FileRead');
+            // print(Level.DEBUG, `[-] onLeave: FileRead: ${name}`);
        }
    });
 }
@ -371,29 +379,6 @@ const RunningCRC = (address) => {
    });
 }

-const GetSystemId = (address) => {
-    /*
-    wvcdm::CryptoSession::GetSystemId
-
-    Args:
-        args[0]: wvcdm::CryptoSession *this
-        args[1]: uint *
-     */
-    Interceptor.attach(address, {
-        onEnter: function (args) {
-            // print(Level.DEBUG, '[+] onEnter: GetSystemId');
-
-            // read registry memory (__readgsdword(0x14u))
-            const data = Memory.readByteArray(args[2], 128);
-            print(Level.DEBUG, '[*] GetSystemId');
-            send('keybox', data);
-        },
-        onLeave: function (retval) {
-            // print(Level.DEBUG, '[-] onLeave: GetSystemId');
-        }
-    });
-}
-

 // @Hooks
 const hookLibrary = (name) => {
@ -439,13 +424,11 @@ const hookLibrary = (name) => {
                GetDeviceId(funcAddr, funcName);
            } else if (['FileSystem', 'Read'].every(n => funcName.includes(n))) {
                FileSystemRead(funcAddr);
-            } else if (['File', 'Read'].every(n => funcName.includes(n))) {
-                FileRead(funcAddr);
+            } else if (['File', 'Read'].every(n => funcName.includes(n)) || funcName.includes('x1c36')) {
+                FileRead(funcAddr, funcName);
            } else if (funcName.includes('runningcrc')) {
                // https://github.com/Avalonswanderer/widevinel3_Android_PoC/blob/main/PoCs/recover_l3keybox.py#L50
                RunningCRC(funcAddr);
-            } else if (['CryptoSession', 'GetSystemId'].every(n => funcName.includes(n))) {
-                GetSystemId(funcAddr); // Deprecated
            } else {
                return;
            }