Created
July 6, 2020 20:51
-
-
Save cust0m/09d45b2fac81f27d46e8da1892fa3c1e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Java.perform(hookInputStream); | |
| function inJava(){ | |
| var MAGHttpClient = Java.use("com.ca.mas.core.http.MAGHttpClient"); | |
| MAGHttpClient.execute.overload('com.ca.mas.foundation.MASRequest', 'javax.net.ssl.SSLSocketFactory').implementation = function (a,b) { | |
| console.log("===BEGIN REQUEST==="); | |
| var headers = a.getHeaders(); | |
| console.log(headers.$className); | |
| console.log(headers.values()); | |
| console.log(headers.entrySet().$className); | |
| console.log("===HEADERS==="); | |
| console.log("start"); | |
| //var HashMapNode = Java.use('java.util.HashMap$Node'); | |
| console.log(headers.entrySet().iterator().hasNext()); | |
| //while (headers.entrySet().iterator().hasNext()) { | |
| // console.log("ENTER THE VOID: "+headers.entrySet().iterator().hasNext()); | |
| // var entry = headers.entrySet().iterator().next();//Java.cast(iterator.next(), HashMapNode); | |
| //console.log(entry.getKey()); | |
| //console.log(entry.getValue()); | |
| //} | |
| //console.log(headers.values().$className); | |
| //var hookCls = Java.use("java.util.Map"); | |
| //var map = Java.cast(headers,hookCls) | |
| //console.log(map.$className); | |
| var body= a.getBody(); | |
| if (body) { | |
| body = body.getContentAsJsonValue() | |
| } | |
| console.log(body); | |
| console.log(a.getMethod()); | |
| console.log(a.getURL()); | |
| console.log("===END REQUEST==="); | |
| var response = this.execute(a,b); | |
| console.log(response.getResponseCode()); | |
| var header = response.getHeaders(); | |
| console.log(header); | |
| // var HashMap = Java.use("java.util.HashMap"); | |
| // var c = Java.cast(header,HashMap); | |
| // console.log(c) | |
| // var HashMapNode = Java.use('java.util.HashMap$Node'); | |
| // while (header.hasNext()) { | |
| // var entry = Java.cast(header.next(), HashMapNode); | |
| // console.log(entry.getKey()); | |
| // console.log(entry.getValue()); | |
| // } | |
| var body = response.getBody(); | |
| if (body) { | |
| body = body.getRawContent() | |
| var buffer = Java.array('byte', body); | |
| var result = ""; | |
| for(var i = 0; i < buffer.length; ++i){ | |
| result+= (String.fromCharCode(buffer[i])); | |
| } | |
| console.log(result); | |
| } | |
| // console.log(body); | |
| // console.log(response.getResponseMessage()); | |
| return response; | |
| //console.log("[*] EditText Return: " + retval); | |
| //return retval; | |
| }; | |
| } | |
| Java.perform(inJava); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Java.perform(hookInputStream); | |
| var encoded_priv_key = hexToBytes("308204a30201000282010100f0d8415489694da7c84746cd6715bc823c74b44bd7392206a858830b59f7607438ee82783ad60151fff47bcd94ba4171eee1301242b0db2b68f3fb823ccadc89fe91176fbe74e1ff6e7c51a0af740f9d1c52b388b3c4f0613f53e3cd766998c02950eb36da8901c6514a50c8d57ee3960e76ff65a7d904f07deb0d02e1c708eb903917196c4131ff93a8fafcecb29b5764ee79728975fe5f3f954c09b513e75ca484c47fd354cea58d0844b15801729851935874fb3983e91f5ddd4c2aa5e37288bb1277e5bb70aa0f83cc01452a88674fd69d6ba86063f0066ae3c494e249603e3c757400e350f6a8576b7b1dd26ee4560f13e98dfff373c2f4dba6dd831115020301000102820100369d032b754160af9435bd736455c47a4fd532f123abbbf0808a19a520507d19bdb32ff8ad76cbb3d9738a03531f6d29b5be70952374512ea5ccf59251d0ba73bc3b10727160b5c2a33e23906958cb15984f9490821b3d5affee38f0e5520aa640782dee315df1fe137ee394b6fce004ade10406fc29b4fa07c39e1eb22ddcf285131bf3847a11f26c6d3a8bb62ac789e9f16a3abb876f539398f1c30ced9f6fbd2a144a94ee8864ad826accce4d4b80db5899ab07fe99f8ab5ecc8dc7e42e443c197ea6df2f654daa0042e0f841145d146fdd823a8ae8cb22f91a3b9c00861480447f2fc0c175e0a194eb6d6f950a5d9d02723923186f6ad65b8ff6228a71c102818100fa3124eaa5834a3f2befce4a1f73f9ca17516d6c5531bdfd5fdbdc76df88680674f9a2c177b5816bf096e6687b0225aa9417f88a13dd03ed98d13611de269f0b3c29737cd242c477cb002123a248ed3b2e24e17cc8472e38050e35de687b85d21df913b37856cecdd28e9f881017f4b7d16a777f7e971ede7124b9c880117ab102818100f66f8fcf4d02bbf897461ee24cb18d817eaf7e4d0af8e7fa0d66473f34b0fe26829ca03992e1dbc4dec33018da112ae30b93fda5ddd76d686ca20cb2a6baa92728c6f9a2ee916b1d47dfeefde618f18f3ce9ab38d3b5dc2890e32dbd8cbeed39a46c63cc36bcccd11390cb3844caede38eed13f8d38561fd3fecdc3a58440da502818100cac71c11a65653ce01915a544f4bd34f8d38ad0459c478252d1568895c411576ee460a38de0a593c20025dfa9e802e0124088da373d7f5401454b48b24cf8ea62f7bb5239cd30aa3c0ff78dc85c2afac008959cca612b30e2a62cb1c58f88c8cb148584464ab8eefd8d149d1a0a199f18624d1779f25629a8d7f63a872cc37f10281803da733875d70edae07ca97376e908d22749b5b31d328ea807891ba096a194dbc3cb90aacdcbe7cc90822350a42a440e284a705b25589ebe950244aa0f76d839c346b7350fbf68da1c9b590891ce3e8ab39460c7c2f1b347541aa546b33a7209a673466d3546e6f9f6f11ae85e9500babfeb9f9612b2a1795d04465e482e8a3b10281803f062ce2eb46e6e74da9bc44de95d6cc98ae58df4fa32d9430f04a7f18a69c03ba3b5cad6ca228652169d4438adf366af23bb8aaad3dfa05e98874ac827602fb270f7e17152746da635bbd25d7ed897453f6a1b96cf53722bc7b65814937919915c177d11c178cc456ab5106685aeebd577ec1e6f3648c11b7dd03eba10756ca"); | |
| var encoded_public_key = hexToBytes("30820122300d06092a864886f70d01010105000382010f003082010a0282010100f0d8415489694da7c84746cd6715bc823c74b44bd7392206a858830b59f7607438ee82783ad60151fff47bcd94ba4171eee1301242b0db2b68f3fb823ccadc89fe91176fbe74e1ff6e7c51a0af740f9d1c52b388b3c4f0613f53e3cd766998c02950eb36da8901c6514a50c8d57ee3960e76ff65a7d904f07deb0d02e1c708eb903917196c4131ff93a8fafcecb29b5764ee79728975fe5f3f954c09b513e75ca484c47fd354cea58d0844b15801729851935874fb3983e91f5ddd4c2aa5e37288bb1277e5bb70aa0f83cc01452a88674fd69d6ba86063f0066ae3c494e249603e3c757400e350f6a8576b7b1dd26ee4560f13e98dfff373c2f4dba6dd8311150203010001"); | |
| function inJava(){ | |
| var MAGHttpClient = Java.use("com.ca.mas.core.http.MAGHttpClient"); | |
| MAGHttpClient.execute.overload('com.ca.mas.foundation.MASRequest', 'javax.net.ssl.SSLSocketFactory').implementation = function (a,b) { | |
| console.log("TAMPER SSLSocketFactory"); | |
| var SSLSocketFactory = Java.use("android.net.SSLCertificateSocketFactory"); | |
| var insecure = SSLSocketFactory.getInsecure(0, null); | |
| return this.execute(a, insecure); | |
| //console.log("[*] EditText Return: " + retval); | |
| // return retval; | |
| }; | |
| var KeyUtilsAsymmetric = Java.use("com.ca.mas.core.util.KeyUtilsAsymmetric"); | |
| var PKCS8EncodedKeySpec = Java.use("java.security.spec.PKCS8EncodedKeySpec"); | |
| var KeyFactory = Java.use("java.security.KeyFactory"); | |
| KeyUtilsAsymmetric.getRsaPrivateKey.implementation = function(a) { | |
| console.log("TAMPER getRsaPrivateKey"); | |
| var buffer = Java.array('byte', encoded_priv_key); | |
| var keySpecPKCS8 = PKCS8EncodedKeySpec.$new(buffer); | |
| var kf = KeyFactory.getInstance("RSA"); | |
| console.log("PRIVKEY=="); | |
| console.log(bytesToHex(buffer)); | |
| console.log(a); | |
| console.log("PRIVKEY=="); | |
| var privKey = kf.generatePrivate(keySpecPKCS8); | |
| return privKey; | |
| }; | |
| var X509EncodedKeySpec = Java.use("java.security.spec.X509EncodedKeySpec"); | |
| KeyUtilsAsymmetric.getRsaPublicKey.implementation = function(a) { | |
| console.log("TAMPER getClientPublicKey"); | |
| console.log("PUBKEY=="); | |
| console.log(a); | |
| console.log("PUBKEY=="); | |
| if(a=="com.ca.mas.foundation.msso.DEVICE_IDENTIFIER"){ | |
| console.log("JUMP JEY"); | |
| return this.getRsaPublicKey(a); | |
| } | |
| var buffer = Java.array('byte', encoded_public_key); | |
| var keySpecX509 = X509EncodedKeySpec.$new(buffer); | |
| var kf = KeyFactory.getInstance("RSA"); | |
| var pubKey = kf.generatePublic(keySpecX509); | |
| return pubKey; | |
| }; | |
| KeyUtilsAsymmetric.getCertificateChain.implementation = function(a) { | |
| console.log("get cert chain"); | |
| console.log(a); | |
| return this.getCertificateChain(a); | |
| }; | |
| //var SSLSocketFactoryProvider = Java.use("com.ca.mas.core.http.SSLSocketFactoryProvider"); | |
| //SSLSocketFactoryProvider.createSSLSocketFactory.implementation = function(a) { | |
| // console.log("SOCKER PROVIDER"); | |
| // var SSLSocketFactory = Java.use("android.net.SSLCertificateSocketFactory"); | |
| // var insecure = SSLSocketFactory.getInsecure(0, null); | |
| // return insecure; | |
| //}; | |
| //var MAGSocketFactory = Java.use("com.ca.mas.core.io.ssl.MAGSocketFactory"); | |
| //MAGSocketFactory.createTLSSocketFactory.implementation = function(a) { | |
| // console.log("CREATE createTLSSocketFactory"); | |
| // var SSLSocketFactory = Java.use("android.net.SSLCertificateSocketFactory"); | |
| // var insecure = SSLSocketFactory.getInsecure(0, null); | |
| // return insecure; | |
| //}; | |
| //============================================================== | |
| var MAS = Java.use("com.ca.mas.foundation.MAS"); | |
| MAS.sign.overload('com.ca.mas.foundation.MASClaims', 'java.security.PrivateKey').implementation = function(a,b) { | |
| console.log("MAAAAAS SING"); | |
| return this.sign(a,b); | |
| }; | |
| var MAGSocketFactory = Java.use("com.ca.mas.core.io.ssl.MAGSocketFactory"); | |
| MAGSocketFactory.$init.implementation = function(a) { | |
| console.log("MAGSOCKET"); | |
| return this.$init(a); | |
| }; | |
| var DeviceRegistrationAssertion = Java.use("com.ca.mas.core.policy.DeviceRegistrationAssertion"); | |
| DeviceRegistrationAssertion.registerDevice.implementation = function(a,b) { | |
| console.log("registerDevice"); | |
| var rdev = this.registerDevice(a,b); | |
| console.log("back registerDevice"); | |
| return rdev; | |
| }; | |
| DeviceRegistrationAssertion.processRequest.implementation = function(a,b) { | |
| console.log("processRequest"); | |
| var preq = this.processRequest(a,b); | |
| console.log("out processRequest"); | |
| return preq; | |
| }; | |
| var cIs = Java.use("o.cIs"); | |
| cIs.$init.overload('java.lang.String', 'java.util.Map').implementation = function(a,b) { | |
| console.log("cIs=========="); | |
| console.log(a); | |
| return this.$init(a,b); | |
| }; | |
| var MASResponse = Java.use("com.ca.mas.foundation.MASResponse"); | |
| MASResponse.getBody.implementation = function() { | |
| console.log("getBody=========="); | |
| var body = this.getBody(); | |
| console.log(body.getContent()); | |
| return body; | |
| }; | |
| } | |
| function hexToBytes(hex) { | |
| for (var bytes = [], c = 0; c < hex.length; c += 2) | |
| bytes.push(parseInt(hex.substr(c, 2), 16)); | |
| return bytes; | |
| } | |
| function bytesToHex(bytes) { | |
| for (var hex = [], i = 0; i < bytes.length; i++) { hex.push(((bytes[i] >>> 4) & 0xF).toString(16).toUpperCase()); | |
| hex.push((bytes[i] & 0xF).toString(16).toUpperCase()); | |
| hex.push(" "); | |
| } | |
| return hex.join(""); | |
| } | |
| Java.perform(inJava); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment