
Manouchehri / parse_pbzx2.py
Created June 3, 2016 01:01 — forked from pudquick/parse_pbzx2.py
A pbzx stream decoder for the format found within Yosemite package payloads.
# v2 pbzx stream handler
# My personal writeup on the differences here: https://gist.github.com/pudquick/29fcfe09c326a9b96cf5
#
# Pure python reimplementation of .cpio.xz content extraction from pbzx file payload originally here:
# http://www.tonymacx86.com/general-help/135458-pbzx-stream-parser.html
#
# Cleaned up C version (as the basis for my code) here, thanks to Pepijn Bruienne / @bruienne
# https://gist.github.com/bruienne/029494bbcfb358098b41
import struct, sys
Manouchehri / example.js
Created June 9, 2016 23:19 — forked from oleavr/example.js
Interceptor context example
'use strict';
Module.enumerateExports('libssl.so', {
  onMatch(e) {
    if (e.type === 'function')
      Interceptor.attach(e.address, createHook(e.name, e.address));
  },
  onComplete() {
  }
});
Manouchehri / LICENSE
Created August 21, 2016 01:55 — forked from sboesen/LICENSE
obj-c binja plugin
Copyright (c) 2016 Stefan Boesen
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE O
import angr
import analysis
class MemoryWrite(analysis.Analysis):
    def __init__(self, option):
        super(MemoryWrite, self).__init__(option)
        self.mem_write_check()

    def mem_write_check(self):
        print("[+] Initializing memory write analysis")
Manouchehri / Dalvik-x86-execution.txt
Created October 1, 2016 16:30 — forked from huberflores/Dalvik-x86-execution.txt
Wrapping java code to dalvik code, and executing it using Dalvik x86
/*
* author Huber Flores
*/
#Wrapping a java class into dex.
#Remember to add the "dex" command to your .bashrc file so that you can call the command from any place
#dex is a utility that comes with the Android SDK, and it's located in .../android-linux-x86_64/sdk/platform-tools/
#export PATH=$PATH:/home/ubuntu/android-sdk-linux/platform-tools:/home/ubuntu/CyanogenModBuild/environment/bin
Manouchehri / align-git.py
Created October 5, 2016 17:29 — forked from simos/align-git.py
Align a tarball to a commit in a git repository
#!/usr/bin/env python
import os
import subprocess
# We want to reach back to a commit where the following file is identical in the tarball.
FILENAME="page_alloc.c"
# We created this file with: git log | grep '^commit' | awk '{ print $2}' > /tmp/commit-list.txt
commit_file = open("/tmp/commit-list.txt", "r")
from pwn import *
#Setup context
context(arch='i386', os='linux')
context.log_level = 'debug'
#Open connection to the process
#Remote
sock = remote(<host>, <port>)
Manouchehri / sitecrawler.js
Created October 16, 2016 03:18 — forked from Je55eah/sitecrawler.js
Website Crawler using PhantomJS
var targetAddress = 'http://www.autohotkey.com/board/';
var fileCount = 0;
phantom.onError = function(msg, trace) {
  var msgStack = ['PHANTOM ERROR: ' + msg];
  if (trace && trace.length) {
    msgStack.push('TRACE:');
    trace.forEach(function(t) {
      msgStack.push(' -> ' + (t.file || t.sourceURL) + ': ' + t.line + (t.function ? ' (in function ' + t.function + ')' : ''));
    });