/*
* catalina-tls-keylogger.js
*
* (c) 2021 arusson
*
* MIT License
*
* based on the script from Andy Davies (see below)
*/
/*
* ios-tls-keylogger.js
*
* Extracts secrets from TLS sessions so packet captures can be decrypted
*
* See https://andydavies.me/blog/2019/12/12/capturing-and-decrypting-https-traffic-from-ios-apps/
*
* Copyright (c) 2019 Andy Davies, @andydavies, http://andydavies.me
*
* Released under MIT License, feel free to fork it, incorporate into other software etc.
*/
/*
* Offset of keylog_callback pointer in SSL struct
*
 * Derived from disassembly of ssl_log_secret in ssl_lib.c on iOS 12.4.3
*
* 0000000181d4e214 sub sp, sp, #0x60
* 0000000181d4e218 stp x22, x21, [sp, #0x30]
* 0000000181d4e21c stp x20, x19, [sp, #0x40]
* 0000000181d4e220 stp x29, x30, [sp, #0x50]
* 0000000181d4e224 add x29, sp, #0x50
* 0000000181d4e228 ldr x8, [x0, #0x68]
* 0000000181d4e22c ldr x8, [x8, #0x2a8] ; Offset of keylog_callback pointer
* 0000000181d4e230 cbz x8, loc_181d4e338
*
* TODO: Is it possible to make this less fragile?
*/
/* var CALLBACK_OFFSET = 0x2A8; */
/*
 * Byte offset of the keylog_callback pointer inside SSL_CTX for the
 * libboringssl shipped with macOS Catalina. The iOS 12.4.3 value (0x2a8)
 * is kept commented out above for reference.
 *
 * This is build-specific: the hook below writes a function pointer at
 * SSL_CTX + CALLBACK_OFFSET, so a stale value corrupts the struct instead
 * of installing the callback. Re-derive it from ssl_log_secret's
 * disassembly (see the listing above) whenever the target OS changes.
 */
var CALLBACK_OFFSET = 0x2C0;
/*
 * JS-side keylog callback invoked by BoringSSL once per logged secret.
 *
 * ssl  - the SSL* the secret belongs to (unused here)
 * line - pointer to a NUL-terminated C string holding one key-log line in
 *        the NSS key log format Wireshark understands
 *
 * The output is TLS session key material: anyone who can read it can
 * decrypt the matching capture. Treat the Frida console output as
 * sensitive, direct it into the keylog file rather than a shared log, and
 * only run this against traffic you are authorised to intercept.
 */
function key_logger(ssl, line) {
  var entry = new NativePointer(line).readCString();
  console.log(entry);
}
/*
 * Native trampoline so BoringSSL can call key_logger from C.
 * Signature mirrors the keylog callback: void (*)(const SSL *ssl, const char *line).
 * Kept in a module-level variable on purpose: the pointer is planted into
 * live SSL_CTX structs below, so this object must stay reachable for as
 * long as the process may invoke it.
 */
var key_log_callback = new NativeCallback(
  key_logger,
  'void',                  // return type
  ['pointer', 'pointer']   // (const SSL *ssl, const char *line)
);
/*
 * SSL_CTX_set_keylog_callback isn't exported by the iOS build of libboringssl
 * (and the Catalina build this script targets is treated the same way)
*
* Hook SSL_CTX_set_info_callback as it can access SSL_CTX and
* directly set SSL_CTX->keylog_callback to address of logging callback above
*/
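/*
 * Resolve the exported SSL_CTX_set_info_callback and fail loudly if it is
 * missing: Interceptor.attach(null, ...) would otherwise throw a generic
 * "expected a pointer" error that hides the real cause (wrong library
 * name, or the library is not loaded in this process yet).
 */
var SSL_CTX_set_info_callback = Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_info_callback");
if (SSL_CTX_set_info_callback === null) {
  throw new Error("SSL_CTX_set_info_callback not found in libboringssl.dylib (is the library loaded in this process?)");
}

/*
 * Every SSL_CTX_set_info_callback(ctx, cb) call hands us the SSL_CTX* in
 * args[0]; we use it to plant key_log_callback into ctx->keylog_callback
 * at CALLBACK_OFFSET.
 *
 * The write is a raw poke at a build-specific struct layout, so it is
 * guarded: the slot is expected to be NULL (nothing else in the process
 * should have set a keylog callback) or to already hold our callback from
 * an earlier call. Any other value almost certainly means CALLBACK_OFFSET
 * is wrong for this libboringssl build, and overwriting it would corrupt
 * the SSL_CTX rather than install the hook - so log the value and skip.
 */
Interceptor.attach(SSL_CTX_set_info_callback, {
  onEnter: function (args) {
    var ctx = new NativePointer(args[0]);
    var slot = ctx.add(CALLBACK_OFFSET);
    var current = slot.readPointer();
    if (!current.isNull() && !current.equals(key_log_callback)) {
      console.warn("[catalina-tls-keylogger] SSL_CTX+0x" + CALLBACK_OFFSET.toString(16) +
                   " holds " + current + ", not NULL; refusing to overwrite" +
                   " (CALLBACK_OFFSET is probably wrong for this libboringssl build)");
      return;
    }
    slot.writePointer(key_log_callback);
  }
});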