
Debugging Firefox Based Applications ;)

B0NNiE

Well guys, I've been playing around with a custom debugger~! It allows me to monitor the datastream of this specific application before the data is encrypted inside the client process (the hook reads the buffer handed to nspr4.dll's PR_Write, as the source below shows). My target program is of course still IMVU as it has been for many years now. I have my debugger in a working state; it simply logs all the data the cmd outputs to a file.




So far I can search for anything in the datastream, and I'm hoping to add more functionality to it over time.
Logfile output:

DEBUG:root:tongue:re-Encrypted: aster/ForcePingUI:AudioMaster/ShowQueueMessageUI:AudioMaster/InitUI:AudioMaster/ResizeUI:AudioMaster/SquelchUI:AudioMaster/DisconnectUI:AudioMaster/ConnectToStreamUI:AudioMaster/GotStreamUI:AudioMaster/QueueChangedUI:AudioMaster/GotStreamLength!UI:AudioMaster/StreamStatusChange!UI:AudioMaster/AddPlayListToQueue&UI:AudioMaster/RemovePlayListFromQueueUI:AudioMaster/Refresh&UI:AudioMaster/UI:AutoRefreshInventoryUI:AudioMaster/GetUserLibraryUI:AudioMaster/GotUserLibraryUI:AudioMaster/UpdateRemoteUI:AudioMaster/Synchronize&UI.Buttons:AudioStopPlay/AudioStopPlay UI.Buttons:AudioStopPlay/OnClick*UI.Buttons:AudioStopPlay/UI.Buttons:frame1*UI.Buttons:EditMixesButton/EditMixesButton"UI.Buttons:EditMixesButton/OnClick(UI.Buttons:LibraryRefresh/LibraryRefresh!UI.Buttons:LibraryRefresh/OnClickUI:HeaderBar/HeaderBarUI:HeaderBar/ResizeContentsUI:HeaderBar/BuyTrackUI:HeaderBar/GoToUserUI:HeaderBar/ClearUI:HeaderBar/ShowUI:HeaderBar/HideSpinnerUI:HeaderBar/ShowSpinnerUI:HeaderBar/ShowExplicitUI:HeaderBar/ShowGeoUI:HeaderBar/UdateDisplayUI:HeaderBar/UI:frame1UI:MessageWindow/MessageWindowUI:MessageWindow/ShowMessageUI:MessageWindow/LinkUI:MessageWindow/ResizeUI:MessageWindow/Hide"UI:MessageWindow/private:UserCloseUI:tongue:laylist/PlaylistUI:tongue:laylist/OnOverUI:tongue:laylist/OnOutUI:tongue:laylist/DeleteUI:tongue:laylist/RezizeContentUI:tongue:laylist/OnClickUI:tongue:laylist/GetDataUI.AbstractClassesPlaylistContainerUI:tongue:laylist/PopulateUI:tongue:laylist/GoToAuthorUI:tongue:laylist/ExpandUI:tongue:laylist/CollapseUI:tongue:laylist/AddToQueueTrackUI:tongue:laylist/AddTrackUI:tongue:laylist/UpdateCurrentUI:tongue:laylist/UI:frame1UI:Toggle/ToggleUI:Toggle/OnOverUI:Toggle/OnDownUI:Toggle/OnOffUI:Toggle/UI:frame1UI:Track/TrackUI:Track/OnOverUI:Track/OnOutUI:Track/OnClickUI:Track/ResizeContentUI:Track/GetDataUI:Track/PopulateUI:Track/ShowDataUI:Track/ShowExplicitUI:Track/ShowGeoUI:Track/HideDataUI:Track/HighlightUI:Track/UnHighlightUI:Track/UI:fr
ame1UI:VolumeSlider/VolumeSliderUI:VolumeSlider/MuteUI:VolumeSlider/OnDragUI:VolumeSlider/SetVolumeUI:VolumeSlider/GetVolumeUI:VolumeSlider/GrabSlideUI:VolumeSlider/ReleaseSlideUI:VolumeSlider/MuteOverUI:VolumeSlider/MuteOutfocusRectSkin/focusRectSkin
fl.containers
ScrollPaneBitmap)

Source....

Code:
from pydbg import *
from pydbg.defines import *
import logging
import struct
import utils
import sys
import datetime
import thread
# Start-up timestamp, taken once when the script is loaded. Every later use of
# `now` (the "Searched on ..." log line and the hook callback's log line)
# reports this same instant, not the time of the event being logged.
now = datetime.datetime.now()
class _Getch:
    """Read a single keypress, choosing the Windows or POSIX backend at construction."""

    def __init__(self):
        # _GetchWindows imports msvcrt in its constructor; the ImportError raised
        # where that module is missing is what selects the POSIX backend.
        try:
            backend = _GetchWindows()
        except ImportError:
            backend = _GetchUnix()
        self.impl = backend

    def __call__(self):
        """Delegate to the selected backend and return whatever it returns."""
        reader = self.impl
        return reader()
class _GetchUnix:
    """POSIX backend: read one character from stdin with the terminal in raw mode."""

    def __init__(self):
        # Nothing is stored; the import only has to succeed (or raise ImportError).
        import tty
        import sys

    def __call__(self):
        """Return one character read from stdin, restoring the terminal afterwards."""
        import sys
        import tty
        import termios

        stdin_fd = sys.stdin.fileno()
        saved_attrs = termios.tcgetattr(stdin_fd)
        try:
            tty.setraw(sys.stdin.fileno())
            key = sys.stdin.read(1)
        finally:
            # Put the saved terminal attributes back even if the read fails.
            termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved_attrs)
        return key
class _GetchWindows:
    """Windows backend: read one keypress through msvcrt."""

    def __init__(self):
        # Raises ImportError where msvcrt does not exist; _Getch relies on that.
        import msvcrt

    def __call__(self):
        """Return the key read by msvcrt.getch()."""
        import msvcrt

        key = msvcrt.getch()
        return key
# Key reader that nothing else in this listing refers to.
getch = _Getch()
#this code left intentionally undocumented
inkey = _Getch()        # key reader used by readinput()
found_imvu = False      # set to True once a process named imvuclient.exe is seen
dbg = pydbg()           # debugger object used to attach to and hook the client
# Everything sent through `logging` lands in hook.log in the current directory.
# Matched buffers are written there as captured, i.e. before encryption, so the
# file can hold whatever the client was about to send; keep it out of shared
# folders and remove it when the session is over.
logging.basicConfig(level=logging.DEBUG, filename='hook.log')
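def readinput():
    """Wait for one keypress and terminate the script if it is "q".

    Any other key returns to the caller without doing anything.

    Raises:
        SystemExit: with status -1 when "q" is pressed.
    """
    # inkey() blocks until a key arrives, so one call is enough. The original
    # wrapped it in a counting loop whose exit test (`k >= ''`) is true for any
    # string, which made the loop run exactly once.
    k = inkey()
    if k == "q":
        # Print first, then exit, as two statements; the original passed
        # sys.exit(-1) as a second item of the print statement.
        print("QUITTING! IMVU WILL PROBABLY CRASH!")
        sys.exit(-1)
    # TODO: "p" (pause) and "r" (new search string) are not handled yet.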
print("\n\nIMVU HOOK by Exploit\n\n\n\n")
print("press p to pause execution\npress r to search for a new string\npress q to quit\n\n^ none of these work yet...")

# The search string and the logging choice are read once, up front; the hook
# callback reads both as module-level globals.
pattern = raw_input("\n\n[?] What string to search for? >   \n")
logme = raw_input("\n[?] Would you like to log my output to a text file?  ( y/n )")
#readinput()

# Only an exact lowercase "y" switches file logging on.
if logme == "y":
    print("[@] OUTPUT LOGGING ENABLED!")
    print("[@] Placing search string in log...")
    logging.debug("Searched on %s for the string: %s", now, pattern)

print('\n[!] Searching for pattern: %s' % pattern)
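def ssl_sniff(dbg, args):
    """Hook callback: report the outgoing buffer when it contains `pattern`.

    Registered on nspr4.dll's PR_Write with two captured arguments; args[1]
    is used as the address of the data buffer inside the debuggee.

    Args:
        dbg: the attached pydbg instance, used to read the debuggee's memory.
        args: the captured call arguments; only args[1] is read.

    Returns:
        DBG_CONTINUE, so the debugger lets the client carry on.
    """
    chunks = []
    offset = 0

    # NOTE(review): the scan stops at the first NUL byte, not at the length the
    # caller passed, so binary payloads are cut short and a buffer with no NUL
    # is read past its end. Treat the output as a text excerpt, not a complete
    # record of what was written.
    while True:
        byte = dbg.read_process_memory(args[1] + offset, 1)
        if byte == "\x00":
            break
        # Collect into a list and join once instead of growing a string per byte.
        chunks.append(byte)
        offset += 1

    captured = "".join(chunks)

    if pattern in captured:
        if logme == "y":
            # Stamp each entry with the capture time; the module-level `now`
            # is fixed at start-up and would give every entry the same time.
            # The entry is plaintext taken before encryption, so hook.log may
            # end up holding credentials or session data.
            logging.debug("[>] Pre-Encrypted:  %s %s" % (datetime.datetime.now(), captured))
        print("[>] Pre-Encrypted: %s" % captured)

    return DBG_CONTINUE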
# Walk the process list and hook the first process named imvuclient.exe
# (compared case-insensitively, by name only).
for (pid, name) in dbg.enumerate_processes():
    if name.lower() != "imvuclient.exe":
        continue

    found_imvu = True
    hooks = utils.hook_container()

    dbg.attach(pid)
    print("[!] Attaching to IMVU with PID: %d..." % pid)

    hook_address = dbg.func_resolve_debuggee("nspr4.dll", "PR_Write")

    if not hook_address:
        # NOTE(review): the script exits here while still attached to the
        # client; presumably the client does not survive that - confirm.
        print("[!] Error: Couldn't resolve hook address.")
        sys.exit(-1)

    # Entry hook only (no exit callback), capturing two call arguments.
    hooks.add(dbg, hook_address, 2, ssl_sniff, None)
    print("[*] nspr4.PR_Write hooked at: 0x%08x" % hook_address)
    break


if not found_imvu:
    print("[!] Error: Couldn't find the  process. Please fire up IMVU first.")
    sys.exit(-1)

# Hand control to the debugger event loop; ssl_sniff runs from here on.
print("[*] Hook set, continuing process.\n\n")
dbg.run()
 