Hook all a-z functions

This commit is contained in:
Diazole 2022-10-07 13:13:10 +01:00
parent 6f2a34ad01
commit e410803617
2 changed files with 38 additions and 31 deletions

View File

@ -22,10 +22,12 @@ class Device:
self.name = self.usb_device.name self.name = self.usb_device.name
def export_key(self, key, client_id): def export_key(self, key, client_id):
system_id = client_id.Token._DeviceCertificate.SystemId
save_dir = os.path.join( save_dir = os.path.join(
'key_dumps', 'key_dumps',
f'{self.name}/private_keys/{system_id}/{str(key.n)[:10]}' f'{self.name}',
'private_keys',
f'{client_id.Token._DeviceCertificate.SystemId}',
f'{str(key.n)[:10]}'
) )
if not os.path.exists(save_dir): if not os.path.exists(save_dir):
@ -39,11 +41,14 @@ class Device:
self.logger.info('Key pairs saved at %s', save_dir) self.logger.info('Key pairs saved at %s', save_dir)
def on_message(self, msg, data): def on_message(self, msg, data):
if 'payload' in msg:
if msg['payload'] == 'private_key': if msg['payload'] == 'private_key':
key = RSA.import_key(data) key = RSA.import_key(data)
if key.n not in self.saved_keys: if key.n not in self.saved_keys:
encoded_key = base64.b64encode(data).decode('utf-8') self.logger.debug(
self.logger.debug('Retrieved key: %s', encoded_key) 'Retrieved key: \n\n%s\n',
key.export_key().decode("utf-8")
)
self.saved_keys[key.n] = key self.saved_keys[key.n] = key
elif msg['payload'] == 'device_info': elif msg['payload'] == 'device_info':
self.license_request_message(data) self.license_request_message(data)
@ -51,13 +56,13 @@ class Device:
self.logger.info(data.decode()) self.logger.info(data.decode())
def license_request_message(self, data): def license_request_message(self, data):
self.logger.debug(
'Retrieved build info: \n\n%s\n',
base64.b64encode(data).decode('utf-8')
)
root = SignedLicenseRequest() root = SignedLicenseRequest()
root.ParseFromString(data) root.ParseFromString(data)
public_key = root.Msg.ClientId.Token._DeviceCertificate.PublicKey public_key = root.Msg.ClientId.Token._DeviceCertificate.PublicKey
self.logger.debug(
'Retrieved key: %s',
base64.b64encode(public_key).decode('utf-8')
)
key = RSA.importKey(public_key) key = RSA.importKey(public_key)
cur = self.saved_keys.get(key.n) cur = self.saved_keys.get(key.n)
self.export_key(cur, root.Msg.ClientId) self.export_key(cur, root.Msg.ClientId)

View File

@ -1,5 +1,4 @@
const DYNAMIC_FUNCTION_NAME = 'CHANGE_ME' const CDM_VERSION = ''
const CDM_VERSION = 'CHANGE_ME'
// The TextEncoder/Decoder API isn't supported so it has to be polyfilled. // The TextEncoder/Decoder API isn't supported so it has to be polyfilled.
// Taken from https://gist.github.com/Yaffle/5458286#file-textencodertextdecoder-js // Taken from https://gist.github.com/Yaffle/5458286#file-textencodertextdecoder-js
@ -48,10 +47,14 @@ function getPrivateKey(address) {
const bytes = new Uint8Array(buf); const bytes = new Uint8Array(buf);
// The first two bytes of the DER encoding are 0x30 and 0x82 (MII). // The first two bytes of the DER encoding are 0x30 and 0x82 (MII).
if (bytes[0] === 0x30 && bytes[1] === 0x82) { if (bytes[0] === 0x30 && bytes[1] === 0x82) {
try {
const binaryString = a2bs(bytes) const binaryString = a2bs(bytes)
const keyLength = getKeyLength(binaryString); const keyLength = getKeyLength(binaryString);
const key = bytes.slice(0, keyLength); const key = bytes.slice(0, keyLength);
send('private_key', key); send('private_key', key);
} catch (error) {
console.log(error)
}
} }
} }
} }
@ -73,6 +76,7 @@ function prepareKeyRequest(address) {
Interceptor.attach(ptr(address), { Interceptor.attach(ptr(address), {
onEnter: function (args) { onEnter: function (args) {
switch (CDM_VERSION) { switch (CDM_VERSION) {
case '14.0.0':
case '15.0.0': case '15.0.0':
case '16.0.0': case '16.0.0':
this.ret = args[4]; this.ret = args[4];
@ -103,19 +107,17 @@ function hookLibFunctions(lib) {
send('message_info', new TextEncoder().encode(message)) send('message_info', new TextEncoder().encode(message))
Module.enumerateExportsSync(name).forEach(function (module) { Module.enumerateExportsSync(name).forEach(function (module) {
const privacy_mode = 'UsePrivacyMode'
const prepare_key_request = 'PrepareKeyRequest'
try { try {
let hookedModule; let hookedModule;
if (module.name.includes(DYNAMIC_FUNCTION_NAME)) { if (module.name.includes('UsePrivacyMode')) {
getPrivateKey(module.address);
hookedModule = DYNAMIC_FUNCTION_NAME
} else if (module.name.includes(privacy_mode)) {
disablePrivacyMode(module.address); disablePrivacyMode(module.address);
hookedModule = privacy_mode hookedModule = module.name
} else if (module.name.includes(prepare_key_request)) { } else if (module.name.includes('PrepareKeyRequest')) {
prepareKeyRequest(module.address); prepareKeyRequest(module.address);
hookedModule = prepare_key_request hookedModule = module.name
} else if (module.name.match(/^[a-z]+$/)) {
getPrivateKey(module.address);
hookedModule = module.name
} }
if (hookedModule) { if (hookedModule) {