Frida SSL intercept

Overview

The output from these Frida scripts should be saved to a file, and that file's path entered into Wireshark's '(Pre)-Master-Secret log filename' field under 'TLS' in 'Protocol Preferences'. The file should contain one set of keys per line. The window is shown below.

[Screenshot: Wireshark TLS protocol preferences window]

To quickly navigate to this window, right-click on a TLS frame and follow the screenshot below.

SSLv3 and TLSv1.0

In order to

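// Convert an ArrayBuffer to a lowercase hex string.
function buf2hex(buffer) {
  return [...new Uint8Array(buffer)]
      .map(x => x.toString(16).padStart(2, '0'))
      .join('');
}

// Hook SSL_read in libssl.so.1.0.0 and print one key log line per call.
// The struct offsets below are hard-coded for the libssl build being
// instrumented and must be re-checked against any other build.
Interceptor.attach(Module.findExportByName('libssl.so.1.0.0', 'SSL_read'), {
  onEnter(args) {
    const ssl = ptr(args[0]) // first argument: SSL *

    // ssl->s3->client_random (32 bytes)
    const s3 = ssl.add(128).readPointer()
    const client_random = s3.add(196).readByteArray(32)

    // ssl->session->master_key (48 bytes)
    const session = ssl.add(304).readPointer()
    const master_key = session.add(20).readByteArray(48)

    // One line in the format Wireshark expects: CLIENT_RANDOM <random> <master key>
    console.log(`CLIENT_RANDOM ${buf2hex(client_random)} ${buf2hex(master_key)}`)
  }
})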
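
The hook above prints a line on every SSL_read call, so the captured console output repeats the same keys and can be mixed with other console text, while the key log file should hold one set of keys per line. The following is an added example, not part of the original page: a plain JavaScript (Node.js) filter that turns raw captured output into a clean key log. The function name `cleanKeylog`, the sample input and the all-zero check (an assumption that a hook firing before the handshake completes can read a master key that is still zeroed) are illustrative.

```javascript
// Added example: clean raw Frida console output into a key log for Wireshark.
// A valid line is CLIENT_RANDOM, 32 bytes (64 hex chars), 48 bytes (96 hex chars).
const KEYLOG_LINE = /^CLIENT_RANDOM ([0-9a-f]{64}) ([0-9a-f]{96})$/i;

function cleanKeylog(rawOutput) {
  const seen = new Set();
  const kept = [];
  const rejected = [];
  for (const raw of rawOutput.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    const m = KEYLOG_LINE.exec(line);
    if (!m) {
      rejected.push({ line, reason: 'not a CLIENT_RANDOM line' });
      continue;
    }
    const clientRandom = m[1].toLowerCase();
    const masterKey = m[2].toLowerCase();
    // Assumption: a zeroed master key means the session was not yet populated
    // when the hook fired, so the line cannot decrypt anything.
    if (/^0+$/.test(masterKey)) {
      rejected.push({ line, reason: 'all-zero master key' });
      continue;
    }
    const entry = `CLIENT_RANDOM ${clientRandom} ${masterKey}`;
    if (seen.has(entry)) continue; // the hook logs on every SSL_read
    seen.add(entry);
    kept.push(entry);
  }
  // One set of keys per line, newline-terminated.
  return { keylog: kept.length ? kept.join('\n') + '\n' : '', kept, rejected };
}

// Constructed sample input; these are not real secrets.
const SAMPLE = [
  'some unrelated console line',
  `CLIENT_RANDOM ${'ab'.repeat(32)} ${'00'.repeat(48)}`, // zeroed master key
  `CLIENT_RANDOM ${'ab'.repeat(32)} ${'cd'.repeat(48)}`, // valid
  `CLIENT_RANDOM ${'AB'.repeat(32)} ${'CD'.repeat(48)}`, // same keys, upper case
  `CLIENT_RANDOM ${'12'.repeat(32)} ${'ef'.repeat(47)}`, // truncated master key
].join('\n');

const result = cleanKeylog(SAMPLE);
console.log(result.keylog);
console.error(`${result.kept.length} kept, ${result.rejected.length} rejected`);
```

Write the returned `keylog` string to the file named in the '(Pre)-Master-Secret log filename' field, and check the `rejected` list when a capture fails to decrypt.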