From 3c5ee2787d367bec2d040d973dfac390244ffd55 Mon Sep 17 00:00:00 2001
From: Daniel Baier <admin@remoteshell-security.com>
Date: Mon, 30 Sep 2024 12:58:16 +0200
Subject: [PATCH] fixes in the offset feature of friTap

---
 README.md            |  2 +-
 agent/ssl_log.ts     |  5 +++++
 friTap/_ssl_log.js   | 11 ++++++++---
 friTap/about.py      |  2 +-
 friTap/ssl_logger.py |  4 +++-
 package.json         |  2 +-
 6 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index a9133cb..f0a1730 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 </p>
 
 # friTap
-![version](https://img.shields.io/badge/version-1.2.1.0-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&r=r&ts=1683906897&type=6e&v=1.2.1.0&x2=0)](https://badge.fury.io/py/friTap)
+![version](https://img.shields.io/badge/version-1.2.1.1-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&r=r&ts=1683906897&type=6e&v=1.2.1.1&x2=0)](https://badge.fury.io/py/friTap)
 
 The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS. For details have a view into the [OSDFCon webinar slides](assets/friTapOSDFConwebinar.pdf) or in [this blog post](https://lolcads.github.io/posts/2022/08/fritap/).
 
diff --git a/agent/ssl_log.ts b/agent/ssl_log.ts
index 021a426..93b1d66 100644
--- a/agent/ssl_log.ts
+++ b/agent/ssl_log.ts
@@ -98,6 +98,11 @@ export let patterns: string = "{PATTERNS}";
 /* 
 Our way to get the JSON strings into the loaded frida script 
 */
+send("offset_hooking")
+const enable_offset_based_hooking_state = recv('offset_hooking', value => {
+    offsets = value.payload;
+});
+enable_offset_based_hooking_state.wait();
 
 send("pattern_hooking")
 const enable_pattern_based_hooking_state = recv('pattern_hooking', value => {
diff --git a/friTap/_ssl_log.js b/friTap/_ssl_log.js
index e331773..f860ded 100644
--- a/friTap/_ssl_log.js
+++ b/friTap/_ssl_log.js
@@ -1,6 +1,6 @@
 📦
-2469 /agent/ssl_log.js.map
-3329 /agent/ssl_log.js
+2651 /agent/ssl_log.js.map
+3504 /agent/ssl_log.js
 2755 /agent/android/android_agent.js.map
 3270 /agent/android/android_agent.js
 937 /agent/android/android_java_tls_libs.js.map
@@ -88,7 +88,7 @@
 1292 /agent/windows/wolfssl_windows.js.map
 1426 /agent/windows/wolfssl_windows.js
 ✄
-{"version":3,"file":"ssl_log.js","sourceRoot":"/Users/danielbaier/research/projects/github/issues/2024 fritap issues/friTap/","sources":["agent/ssl_log.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AACxF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AAEpC,6GAA6G;AAC5G,MAAc,CAAC,cAAc,GAAG,EAAE,CAAC;AACnC,MAAc,CAAC,cAAc,GAAG,CAAC,CAAC;AA2EnC,YAAY;AACZ,MAAM,CAAC,IAAI,OAAO,GAAa,WAAW,CAAC;AAC3C,YAAY;AACZ,MAAM,CAAC,IAAI,YAAY,GAAY,KAAK,CAAC;AACzC,YAAY;AACZ,MAAM,CAAC,IAAI,SAAS,GAAY,KAAK,CAAC;AACtC,YAAY;AACZ,MAAM,CAAC,IAAI,iBAAiB,GAAY,KAAK,CAAC;AAC9C,YAAY;AACZ,MAAM,CAAC,IAAI,QAAQ,GAAW,YAAY,CAAC;AAE3C;;EAEE;AAEF,IAAI,CAAC,iBAAiB,CAAC,CAAA;AACvB,MAAM,kCAAkC,GAAG,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,EAAE;IACvE,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC;AAC7B,CAAC,CAAC,CAAC;AACH,kCAAkC,CAAC,IAAI,EAAE,CAAC;AAG1C;;EAEE;AAEF,IAAI,CAAC,WAAW,CAAC,CAAA;AACjB,MAAM,uBAAuB,GAAG,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE;IACtD,iBAAiB,GAAG,KAAK,CAAC,OAAO,CAAC;AACtC,CAAC,CAAC,CAAC;AACH,uBAAuB,CAAC,IAAI,EAAE,CAAC;AAG/B,IAAI,CAAC,cAAc,CAAC,CAAA;AACpB,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,KAAK,CAAC,EAAE;IAChD,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC;AACjC,CAAC,CAAC,CAAC;AACH,cAAc,CAAC,IAAI,EAAE,CAAC;AAEtB,IAAI,CAAC,MAAM,CAAC,CAAA;AACZ,MAAM,mBAAmB,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;IACjD,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC;AAC9B,CAAC,CAAC,CAAC;AACH,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAA,KAAK;AAIhC;;;;;;;EAOE;AAGF,MAAM,UAAU,UAAU;IACtB,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,iBAAiB;IAC7B,gHAAgH;IAChH,OAAO,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC;AAChC,CAAC;AAGD,SAAS,sBAAsB;IAC3B,IAAG,SAAS,EAAE,EAAC;QACX,GAAG,CAAC,2BAA2B,CAAC,CAAA;QAChC,0BAA0B,EAAE,CAAA;KAC/B;SAAK,IAAG,SAAS,EAAE,EAAC;QACjB,GAAG,CAAC,2BAA2B,CAAC,CAAA;QAChC,IAAG,SAAS,EAAC;YACT,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACjC,iBAAiB,EAAE,CAAC;SACvB;QACD,0BAA0B,EAAE,CAAA;KAC/B;SAAK,IAAG,OAAO,EAAE,EAAC;QACf,GAAG,CAAC,yBAAyB,CAAC,CAAA;QAC9B,wBAAwB,EAAE,CAAA;KAC7B;SAAK,IAAG,KAAK,EAAE,EAAC;QACb,GAAG,CAAC,uBAAuB,CAAC,CAAA;QAC5B,sBAAsB,EAAE,CAAA;KAC3B;SAAK,IAAG,OAAO,EAAE,EAAC;QACf,GAAG,CAAC,yBAAyB,CAAC,CAAA;QAC9B,wBAAwB,EAAE,CAAA;KAC7B;SAAI;QACD,GAAG,CAAC,qCAAqC,CAAC,CAAA;QAC1C,GAAG,CAAC,0HAA0H,CAAC,CAAA;KAClI;AAEL,CAAC;AAED,sBAAsB,EAAE,CAAA"}
+{"version":3,"file":"ssl_log.js","sourceRoot":"/Users/danielbaier/research/projects/github/issues/2024 fritap issues/friTap/","sources":["agent/ssl_log.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AACxF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AAEpC,6GAA6G;AAC5G,MAAc,CAAC,cAAc,GAAG,EAAE,CAAC;AACnC,MAAc,CAAC,cAAc,GAAG,CAAC,CAAC;AA2EnC,YAAY;AACZ,MAAM,CAAC,IAAI,OAAO,GAAa,WAAW,CAAC;AAC3C,YAAY;AACZ,MAAM,CAAC,IAAI,YAAY,GAAY,KAAK,CAAC;AACzC,YAAY;AACZ,MAAM,CAAC,IAAI,SAAS,GAAY,KAAK,CAAC;AACtC,YAAY;AACZ,MAAM,CAAC,IAAI,iBAAiB,GAAY,KAAK,CAAC;AAC9C,YAAY;AACZ,MAAM,CAAC,IAAI,QAAQ,GAAW,YAAY,CAAC;AAE3C;;EAEE;AACF,IAAI,CAAC,gBAAgB,CAAC,CAAA;AACtB,MAAM,iCAAiC,GAAG,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EAAE;IACrE,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;AAC5B,CAAC,CAAC,CAAC;AACH,iCAAiC,CAAC,IAAI,EAAE,CAAC;AAEzC,IAAI,CAAC,iBAAiB,CAAC,CAAA;AACvB,MAAM,kCAAkC,GAAG,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,EAAE;IACvE,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC;AAC7B,CAAC,CAAC,CAAC;AACH,kCAAkC,CAAC,IAAI,EAAE,CAAC;AAG1C;;EAEE;AAEF,IAAI,CAAC,WAAW,CAAC,CAAA;AACjB,MAAM,uBAAuB,GAAG,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE;IACtD,iBAAiB,GAAG,KAAK,CAAC,OAAO,CAAC;AACtC,CAAC,CAAC,CAAC;AACH,uBAAuB,CAAC,IAAI,EAAE,CAAC;AAG/B,IAAI,CAAC,cAAc,CAAC,CAAA;AACpB,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,KAAK,CAAC,EAAE;IAChD,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC;AACjC,CAAC,CAAC,CAAC;AACH,cAAc,CAAC,IAAI,EAAE,CAAC;AAEtB,IAAI,CAAC,MAAM,CAAC,CAAA;AACZ,MAAM,mBAAmB,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE;IACjD,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC;AAC9B,CAAC,CAAC,CAAC;AACH,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAA,KAAK;AAIhC;;;;;;;EAOE;AAGF,MAAM,UAAU,UAAU;IACtB,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,iBAAiB;IAC7B,gHAAgH;IAChH,OAAO,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC;AAChC,CAAC;AAGD,SAAS,sBAAsB;IAC3B,IAAG,SAAS,EAAE,EAAC;QACX,GAAG,CAAC,2BAA2B,CAAC,CAAA;QAChC,0BAA0B,EAAE,CAAA;KAC/B;SAAK,IAAG,SAAS,EAAE,EAAC;QACjB,GAAG,CAAC,2BAA2B,CAAC,CAAA;QAChC,IAAG,SAAS,EAAC;YACT,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACjC,iBAAiB,EAAE,CAAC;SACvB;QACD,0BAA0B,EAAE,CAAA;KAC/B;SAAK,IAAG,OAAO,EAAE,EAAC;QACf,GAAG,CAAC,yBAAyB,CAAC,CAAA;QAC9B,wBAAwB,EAAE,CAAA;KAC7B;SAAK,IAAG,KAAK,EAAE,EAAC;QACb,GAAG,CAAC,uBAAuB,CAAC,CAAA;QAC5B,sBAAsB,EAAE,CAAA;KAC3B;SAAK,IAAG,OAAO,EAAE,EAAC;QACf,GAAG,CAAC,yBAAyB,CAAC,CAAA;QAC9B,wBAAwB,EAAE,CAAA;KAC7B;SAAI;QACD,GAAG,CAAC,qCAAqC,CAAC,CAAA;QAC1C,GAAG,CAAC,0HAA0H,CAAC,CAAA;KAClI;AAEL,CAAC;AAED,sBAAsB,EAAE,CAAA"}
 ✄
 import { load_android_hooking_agent } from "./android/android_agent.js";
 import { load_ios_hooking_agent } from "./ios/ios_agent.js";
@@ -114,6 +114,11 @@ export let patterns = "{PATTERNS}";
 /*
 Our way to get the JSON strings into the loaded frida script
 */
+send("offset_hooking");
+const enable_offset_based_hooking_state = recv('offset_hooking', value => {
+    offsets = value.payload;
+});
+enable_offset_based_hooking_state.wait();
 send("pattern_hooking");
 const enable_pattern_based_hooking_state = recv('pattern_hooking', value => {
     patterns = value.payload;
diff --git a/friTap/about.py b/friTap/about.py
index d83bbf7..2b8eb22 100644
--- a/friTap/about.py
+++ b/friTap/about.py
@@ -2,5 +2,5 @@
 # -*- coding: utf-8 -*-
 
 __author__ = "Daniel Baier, Francois Egner, Max Ufer"
-__version__ = "1.2.1.0"
+__version__ = "1.2.1.1"
 debug = False # are we running in debug mode?
\ No newline at end of file
diff --git a/friTap/ssl_logger.py b/friTap/ssl_logger.py
index cc36392..0393c22 100644
--- a/friTap/ssl_logger.py
+++ b/friTap/ssl_logger.py
@@ -115,6 +115,9 @@ def on_message(self, message, data):
 
         if self.startup and message['payload'] == 'pattern_hooking':
             script.post({'type':'pattern_hooking', 'payload': self.pattern_data})
+
+        if self.startup and message['payload'] == 'offset_hooking':
+            script.post({'type':'offset_hooking', 'payload': self.offsets_data})
         
         if self.startup and message['payload'] == 'anti':
             script.post({'type':'antiroot', 'payload': self.anti_root})
@@ -222,7 +225,6 @@ def instrument(self, process):
 
         if self.offsets_data is not None:
             print(f"[*] applying hooks at offset {self.offsets_data}")
-            #script_string = script_string.replace('"{OFFSETS}"', "'"+self.offsets_data+"'")
 
 
         if self.pattern_data is not None:
diff --git a/package.json b/package.json
index 0761a69..0b04fd3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "friTap",
-    "version": "1.2.1.0",
+    "version": "1.2.1.1",
     "description": "Frida agent for logging SSL traffic as plaintext and extracting SSL keys",
     "private": true,
     "main": "agent/ssl_log.ts",