Decryption fails

Issue #38 new
Leon created an issue

On Jodel version 4.92.2 there are three folders called libd.so, libe.so and libimagepipeline.so.

$ ./decrypt-liba-readelf.sh /path/to/libd.so
$ ./decrypt-liba-readelf.sh /path/to/libe.so
$ ./decrypt-liba-readelf.sh /path/to/libimagepipeline.so

All three of them don't return anything. I even tried it with the other path /path/to/lib/armeabi-v7a/ because it contains the three files too (with the same names).

Can someone give me a hint what I am doing wrong? Thank you! :)

Comments (11)

  1. Christian Fibich repo owner

    Hmmm, it works on my end with lib/x86/libd.so (Returns "zesPNK....")

    I updated decrypt-liba-readelf.sh, it now can be called with multiple file arguments which will be tried one after another.

    containing the three files too (with the same name)

    The implemented decryption flow only works with the x86 .so file, so at least that's not surprising.

  2. Leon reporter

    Thanks for your quick reply!

    Now I'm getting some results. For libe.so and libimagepipeline.so the script does not find keys, but for libd.so I'm getting the following error:

    $ ./decrypt-liba-readelf.sh /path/to/libd.so
    
    /tmp/tmp.7vHLcOokfz: In function ‘main’:
    /tmp/tmp.7vHLcOokfz:8:14: error: expected expression before ‘;’ token
    int offset = ;
                 ^
    
  3. Christian Fibich repo owner

    Which system are you on? Do you have all the prerequisites installed?

    perl, gcc, objdump, readelf are necessary.

    This behavior comes from line 71 in decrypt-liba-readelf.sh, where offset is calculated. Something causes

    offset=$(sed -r 's/mov[bl]\s+\$(0x[0-9a-f]+),(0x[0-9a-f]+).*/\2/' "$asmtemp" | sort | head -1)

    to return nothing, so maybe something is wrong with $asmtemp, which is created in line 54 from $bintemp.

    I pushed a new version with some more error checks, so try out that one.

  4. Leon reporter

    I am using the Linux subsystem for Windows (Ubuntu 16.04).

    $ perl -v
    This is perl 5, version 22, subversion 1 (v5.22.1) built for x86_64-linux-gnu-thread-multi
    (with 69 registered patches, see perl -V for more detail)
    
    $ gcc -v
    Using built-in specs.
    COLLECT_GCC=gcc
    COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
    Target: x86_64-linux-gnu
    Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.10' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
    Thread model: posix
    gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
    
    $ readelf -v
    GNU readelf (GNU Binutils for Ubuntu) 2.26.1
    
    $ objdump -v
    GNU objdump (GNU Binutils for Ubuntu) 2.26.1
    

    With the new version of your script I get:

    $ ./decrypt-liba-readelf.sh /path/to/libd.so
    <No key decrypted (Could not create binary dump)>
    

    EDIT:

    $ uname -a
    Linux DESKTOP-HRAA1DH 4.4.0-17134-Microsoft #112-Microsoft Thu Jun 07 22:57:00 PST 2018 x86_64 x86_64 x86_64 GNU/Linux
    

    EDIT: I am getting some results when I execute line 40 without the Perl code in bash, with the $variables manually evaluated:

    0x000048b0 5589e583 e4fce800 00000058 81c04df6 U..........X..M.
    0x000048c0 0000c680 54010000 93c78050 010000ec ....T......P....
    0x000048d0 d4b5a9c6 80590100 002ac780 55010000 .....Y...*..U...
    0x000048e0 e1d01ea5 c6805e01 000000c7 805a0100 ......^......Z..
    0x000048f0 0039249d 77c68063 0100007d c7805f01 .9$.w..c...}.._.
    0x00004900 00002410 288fc680 68010000 3bc78064 ..$.(...h...;..d
    0x00004910 0100006c f70726c6 806d0100 0053c780 ...l..&..m...S..
    0x00004920 69010000 724da3ab c6807201 000091c7 i...rM....r.....
    0x00004930 806e0100 00dd32ca 5cc68077 010000be .n....2.\..w....
    0x00004940 c7807301 000019aa e21689ec 5dc36690 ..s.........].f.
    

    but with the Perl code from lines 41-46 it outputs nothing (of course I removed the $bintemp from the code when trying in bash).

  5. Leon reporter

    I actually got so far that I manually executed the commands and saved the outputs in some files. From script file line 75 I got:

    #include <stdint.h>
    #include <stdio.h>
    #include "decrypt.h"
    int main (void) {
        uint8_t buf[100];
        int offset = 0x150;
        *(char *)(buf + 0x154 - offset) = 0x93;
        *(int32_t *)(buf + 0x150 - offset) = 0x480000ec;
        *(char *)(buf + 0x159 - offset) = 0x2a;
        *(int32_t *)(buf + 0x155 - offset) = 0xe0480000;
        *(char *)(buf + 0x15e - offset) = 0x0;
        *(int32_t *)(buf + 0x15a - offset) = 0xf04800;
        *(int32_t *)(buf + 0x173 - offset) = 0x16e2aa19;
        return decrypt(buf);
    }
    

    as output.c. Using this as input for line 77 from the script

    cc -I"." -std=c11 -x c output.c "./decrypt.c" -o outputexecutable
    
    $ ./outputexecutable
    

    returns nothing.

    From some debugging printf's in the decrypt.c file I know that the isalpha function on line 50 is responsible for the script exiting with return -1.

    EDIT: Executing without the isalpha if-case gives me this as output:

    OPk~/sli}S@?HKb 8QL
    

    EDIT: On line 63 in decrypt.c, increasing the third argument of fwrite from 1 to 2: (void) fwrite(clientSecret,CLIENT_SECRET_SIZE,1,stdout); -> (void) fwrite(clientSecret,CLIENT_SECRET_SIZE,2,stdout); and executing it returns:

    OPk~/sli}S@?HKb 8QL  ?v  a _}A5"&e?O#ms(z4ۉ|
    

    But I don't know what to do with it.

    EDIT: I forgot to mention that I used xxd instead of the Perl code.

    $READELF -x .text $libfile | sed -nr "/^\s+$function_start/,/^\s+$function_end/p" | xxd -r -p - $bintemp
    

    Executing this (without the isalpha if-case and with the increased buffer size from 1 to 2) returns (above I used a different xxd command):

    zƱN?zk6?/sl_}?6}JW+' G8HFdZ?Xa_}A5"&e?O#ms(z4ۉ|
    
  6. Leon reporter

    I solved my problem by writing my own Perl script.

    Unfortunately a new version, 4.93.2, has been released, and with the new version I get a completely different error:

    <No key decrypted (Function 'HmacInterceptor_init' not found)>
    

    The problem is that "HmacInterceptor_init" does not exist anymore in 4.93.2.

  7. Christian Fibich repo owner

    Hey, now that was a nice bug...

    If you run

      echo "0x1234" | perl -e 'while(<> =~ /^0x[[:xdigit;]]+/) { print "Found a hex number\n"; }'
    

    on Perl 5.22.1 (Ubuntu 16.04 LTS), the regex doesn't match (note the semicolon).

    Under Perl 5.26.2 (Debian Testing, my machine), the regex matches.

    I fixed the problem, try again please...

    EDIT: Formatting
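
An added example, not code from the decrypt-liba project: a parser for the `readelf -x` dump format that comment 4 shows, written with an explicit `[0-9a-f]` class so that the POSIX-class portability problem described in comment 7 cannot occur, and with the same inclusive address-range selection the script's sed range performs. The sample dump is the first five lines Leon posted, plus a constructed header line; the range bounds are assumed values for illustration.

```python
import re

# Constructed sample: the first five `readelf -x .text` lines from comment 4,
# preceded by a header line of the kind readelf prints, to show it is skipped.
SAMPLE_DUMP = """\
Hex dump of section '.text':
  0x000048b0 5589e583 e4fce800 00000058 81c04df6 U..........X..M.
  0x000048c0 0000c680 54010000 93c78050 010000ec ....T......P....
  0x000048d0 d4b5a9c6 80590100 002ac780 55010000 .....Y...*..U...
  0x000048e0 e1d01ea5 c6805e01 000000c7 805a0100 ......^......Z..
  0x000048f0 0039249d 77c68063 0100007d c7805f01 .9$.w..c...}.._.
"""

# Address column, then the rest of the line (hex words followed by the ASCII column).
# Explicit character sets are used instead of POSIX classes on purpose: a typo such
# as [[:xdigit;]] silently changes meaning between regex engines and versions.
LINE_RE = re.compile(r"^\s*0x([0-9a-f]+)\s+(.*)$")
# readelf prints each 32-bit word as 8 lowercase hex digits; a short final line
# may contain a shorter trailing word, hence 2 to 8 digits.
WORD_RE = re.compile(r"[0-9a-f]{2,8}")


def parse_readelf_hexdump(text, start=None, end=None):
    """Return (first_address, raw_bytes) for dump lines whose address lies in the
    inclusive range [start, end]; a None bound is open. Non-dump lines are skipped."""
    base, chunks = None, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "Hex dump of section '.text':"
        addr = int(m.group(1), 16)
        if (start is not None and addr < start) or (end is not None and addr > end):
            continue
        words = []
        for tok in m.group(2).split():
            # Stop at the ASCII column: at most 4 words, each an even number of hex digits.
            if len(words) == 4 or not WORD_RE.fullmatch(tok) or len(tok) % 2:
                break
            words.append(tok)
        if base is None:
            base = addr
        chunks.append(bytes.fromhex("".join(words)))
    return base, b"".join(chunks)


if __name__ == "__main__":
    base, code = parse_readelf_hexdump(SAMPLE_DUMP, start=0x48b0, end=0x48f0)
    print(hex(base), len(code), code[:4].hex())  # 0x48b0 80 5589e583
```

The first four recovered bytes, 55 89 e5 83, are the `push ebp; mov ebp, esp; and esp, ...` prologue of an x86 function, a quick sanity check that the dump was reassembled in the right order.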

  8. Leon reporter

    With the new version it worked for Jodel version 4.92.2 but not for 4.93.2 because of the error I mentioned above. Should I open a new issue for that?

    EDIT: Solved by just taking the other file (libe.so). Thanks for your help! Issue can be closed now :)

  9. Leon reporter

    With the new version of Jodel, 5.1.1, this does not work anymore. In this version we have 4 files: libcrashlytics.so, libimagepipeline.so, libhmac.so, libruntime.so, but for every file I get the "HmacInterceptor_init" could not be found error. I tried to decrypt manually, but even at the beginning, when I try

    $ readelf -s --wide libcrashlytics.so
    

    for every file I get no output.
