schirrmacher’s gists

schirrmacher / ProtoAttack.js

Last active March 6, 2019 14:18

__proto__ attack example

	// has the Object prototype
	const someObject = {};

	// request input is parsed
	const maliciousInput = JSON.parse('{ "__proto__": { "toString": "xxx" } }');

	// somewhere a bad copy or merge library is used which copies ALL properties including __proto__
	someObject.__proto__.toString = maliciousInput.__proto__.toString;

	// at some other place

schirrmacher / frida-struct-pointer-pointer.js

Last active February 3, 2024 12:32

Frida: How to read a struct or a struct pointer or a pointer of a struct pointer?

schirrmacher / proofOfWork.js

Created September 12, 2019 12:50

Proof of Work Example

	const crypto = require("crypto");

	// PROOF OF WORK EXAMPLE

	const RANDOM_SIZE = 32;

	const HARDNESS = 6;
	const hardnessPrefix = "0".repeat(HARDNESS);

	const start = new Date().getTime();

schirrmacher / .gitconfig

Last active November 6, 2019 07:24

My git config

	[core]
	editor = nano
	[alias]
	a = add
	aa = add .
	ap = add -p
	ag = "!add_grep() { for param in "$@"; do git add $(git ls-files -o -m --exclude-standard \| grep "$param"); done }; add_grep"
	amend = commit --amend
	b = branch
	bv = branch -vv

schirrmacher / WAHKDF.js

Last active February 5, 2020 12:42

The WAHKDF class is used to derive keys, salts and nonces for initializing SRTP streams.

	const crypto = require("crypto");

	// master secret
	const keyMaterial = new Buffer(
	"09a38e76fe90e4f126ed66d05a6783bad48776b61daaf7c939c005ea2d8ccdf6",
	"hex"
	);
	// JID param: [email protected]
	const info = "3439313539303537373136323040732e77686174736170702e6e6574";
	const salt = new Buffer(

schirrmacher / srtp_aes_icm_context_init.js

Last active February 5, 2020 22:50

Tracing srtp_aes_icm_context_init in WhatsApp with Frida

	const apiResolver = new ApiResolver("objc");
	const resolvedMatches = apiResolver.enumerateMatches(
	"+[NSURL URLWithUnicodeString:]"
	);

	const SCAN_SIZE = 100000;
	const scanStart = resolvedMatches[0].address;
	const scanResults = Memory.scanSync(
	ptr(scanStart),
	SCAN_SIZE,

schirrmacher / srtp_hmac_compute.js

Last active February 5, 2020 11:40

Overwrite output of srtp_hmac_compute

	const scanStart = new ApiResolver("objc").enumerateMatches(
	"+[NSURL URLWithUnicodeString:]"
	)[0].address;

	console.log("search srtp_hmac_compute in memory from: " + scanStart);

	const size = 100000;
	const matches = Memory.scanSync(
	ptr(scanStart),
	size,

schirrmacher / WAHKDF.deriveSecretsFromInputKeyMaterial.js

Created February 4, 2020 08:52

Log deriveSecretsFromInputKeyMaterial params

	{
	onEnter: function (log, args, state) {
	log("+[ WAHKDF deriveSecretsFromInputKeyMaterial: " +
	ObjC.Object( args[2] ).toString() + "\n" +
	" salt: " + ObjC.Object( args[3] ).toString() + "\n" +
	" info: " + ObjC.Object( args[4] ).toString() + "\n" +
	" bytes : " + args[5].toInt32 () + "\n" +
	" withMessageVersion : " + args[6].toInt32 () + "\n]");
	}
	}

schirrmacher / signal_encrypt_header.c

Last active February 4, 2020 09:28

	int signal_encrypt(signal_context *context,
	signal_buffer **output,
	int cipher,
	const uint8_t *key, size_t key_len,
	const uint8_t *iv, size_t iv_len,
	const uint8_t *plaintext, size_t plaintext_len);

schirrmacher / srtp_aes_icm_context_init_pseudocode.c

Created February 4, 2020 10:14

Marvin Schirrmacher schirrmacher