ios-ssl-key-steal2
Description
2
How to Use
Download the script and run it with Frida CLI:
Then run it with Frida, spawning the target app so the hook is in place before the app configures TLS:
frida -U -f YOUR_PACKAGE_NAME -l ios-ssl-key-steal2.js
Replace YOUR_PACKAGE_NAME with the target app's bundle identifier (e.g. com.example.app). `-f` spawns the app so the hook is installed before it creates its SSL_CTX objects; contexts configured before the script loads should not be expected to be captured. The lines this script prints are TLS session secrets for the app's connections — treat the console output as sensitive and redirect it only into a protected key-log file. The struct offset in the script is specific to the iOS 14 libboringssl build and must be verified for other iOS versions, since a wrong offset corrupts the SSL_CTX rather than failing cleanly.
Source Code
// Byte offset of the `keylog_callback` field inside BoringSSL's SSL_CTX struct,
// as laid out in the iOS 14 build of libboringssl. The layout is build-specific:
// confirm this offset for any other iOS version before use, because writing a
// pointer at the wrong offset corrupts some other SSL_CTX field instead of failing.
var CALLBACK_OFFSET = 0x2b8; // iOS 14
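// Keylog callback body. BoringSSL invokes the keylog callback as
// void (*)(const SSL *ssl, const char *line); `ssl` is unused here and `line`
// points at a NUL-terminated key-log record, which is echoed to the Frida
// console (the output is TLS secret material — redirect it to a protected file).
// A NULL `line` is ignored rather than logging the string "null".
function key_logger(ssl, line) {
  var record = new NativePointer(line);
  if (record.isNull()) {
    return;
  }
  console.log(record.readCString());
}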
// Native trampoline exposing key_logger with BoringSSL's keylog signature,
// void (*)(const SSL *ssl, const char *line), so its address can be stored
// in an SSL_CTX as if it had been set through the public API.
var key_log_callback = new NativeCallback(
  function (sslHandle, linePtr) {
    key_logger(sslHandle, linePtr);
  },
  'void',
  ['pointer', 'pointer']
);
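/*
 * SSL_CTX_set_keylog_callback isn't available in the iOS build of libboringssl,
 * so the keylog callback cannot be installed through the public API.
 *
 * Instead, hook SSL_CTX_set_info_callback: its first argument is the SSL_CTX*
 * being configured, and the struct's keylog_callback field is overwritten in
 * place with the address of key_log_callback. CALLBACK_OFFSET must match the
 * SSL_CTX layout of the libboringssl build on the device; a wrong offset
 * silently corrupts a different field (usually crashing the app later) rather
 * than failing here.
 *
 * Interceptor.attach only sees calls made after the script is loaded, so the
 * app should be spawned with the script (frida -f) rather than attached to.
 */
var SSL_CTX_set_info_callback = Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_info_callback");
if (SSL_CTX_set_info_callback === null) {
  // Fail loudly: Interceptor.attach(null) would otherwise throw a less useful error.
  throw new Error("SSL_CTX_set_info_callback not found in libboringssl.dylib; is the library loaded in this process?");
}
Interceptor.attach(SSL_CTX_set_info_callback, {
  onEnter: function (args) {
    // args[0] is the SSL_CTX* (Frida already hands it to us as a NativePointer).
    var ctx = args[0];
    var keylogField = ctx.add(CALLBACK_OFFSET);
    // Written on every call: harmless if the same context is configured twice,
    // and it keeps the pointer in place if the app resets it.
    keylogField.writePointer(key_log_callback);
  }
});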