Last active
February 5, 2020 11:40
-
-
Save schirrmacher/6cd3b865cfb2805dc7dd55029e313736 to your computer and use it in GitHub Desktop.
Overwrite output of srtp_hmac_compute
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const scanStart = new ApiResolver("objc").enumerateMatches( | |
| "+[NSURL URLWithUnicodeString:]" | |
| )[0].address; | |
| console.log("search srtp_hmac_compute in memory from: " + scanStart); | |
| const size = 100000; | |
| const matches = Memory.scanSync( | |
| ptr(scanStart), | |
| size, | |
| // first bytes of the hexadecimal representation of srtp_hmac_compute | |
| "E0 03 16 AA 4C 00 00 94 D5 02 01 91" | |
| ); | |
| const targetPtr = ptr(matches[0].address); | |
| console.log("found srtp_hmac_compute at: " + matches[0].address); | |
| const targetFunction = new NativeFunction(targetPtr, "int", [ | |
| "pointer", | |
| "pointer", | |
| "int", | |
| "int", | |
| "pointer" | |
| ]); | |
| const MANIPULATABLE_TAG_SIZE = 10; | |
| const manipulatedTag = Memory.alloc(MANIPULATABLE_TAG_SIZE); | |
| manipulatedTag.writeByteArray([0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]); | |
| Interceptor.attach(ptr(targetFunction), { | |
| onEnter: function(args) { | |
| /* | |
| static srtp_err_status_t srtp_hmac_compute(void *statev, | |
| const uint8_t *message, | |
| int msg_octets, | |
| int tag_len, | |
| uint8_t *result) | |
| */ | |
| console.log("srtp_hmac_compute tag (" + args[3].toInt32() + "):"); | |
| const tag_len = args[3].toInt32(); | |
| if (tag_len === MANIPULATABLE_TAG_SIZE) { | |
| console.log( | |
| hexdump(args[1], { | |
| length: args[2].toInt32() | |
| }) | |
| ); | |
| args[3] = 0; | |
| args[4].writePointer(manipulatedTag); | |
| } | |
| } | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment