SeeFlowerX SeeFlowerX

## build.bat
@echo on

set PATH=%PATH%;C:\Users\....\AppData\Local\Android\Sdk\cmake\3.22.1\bin
set ANDROID_NDK=C:/Users/..../AppData/Local/Android/Sdk/ndk/25.1.8937393

mkdir build
cd build

cmake -DCMAKE_TOOLCHAIN_FILE=%ANDROID_NDK%/build/cmake/android.toolchain.cmake ^
	-DANDROID=1 ^

## iptables.sh
#!/system/bin/sh

set -ex

# ENABLE ipv4 forward
sysctl -w net.ipv4.ip_forward=1

# DISABLE ipv6
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

## wasm逆向的资料收集.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                SeeFlowerX
                / wasm逆向的资料收集.md
            
            
              Created
              August 9, 2023 06:52
            
          
一步步学习Webassembly逆向分析方法
chrome-wasm-debugger
用idawasm IDA Pro逆向WebAssembly模块
执行 wasm 转换出来的 C 代码
执行 wasm 转换出来的 C 代码，代码例子


## 脚本.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                SeeFlowerX
                / 脚本.md
            
            
              Created
              July 19, 2023 02:19
            
              
                宿主机和虚拟机同时使用adb + 右键菜单
              
          
    vm_adb.reg 下面的路径要根据自己放的位置改下
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\Background\shell\OpenBat]
@="vm_adb"

[HKEY_CLASSES_ROOT\Directory\Background\shell\OpenBat\command]
@="cmd /c D: &amp;&amp; cd D:\\ &amp;&amp; vm_adb.vbs"

  
## objectdump.js
function log(msg) {
    console.log(msg);
}

let handleCache = [];

function getRealClassName(object) {
    const objClass = Java.use("java.lang.Object").getClass.apply(object);
    return Java.use("java.lang.Class").getName.apply(objClass)
}

## poc_frida_bug.js
function log(msg) {
    console.log(msg);
}

function getRealClassNameByHandle (handle) {
    let obj = Java.use("java.lang.Object");
    log(`[getRealClassNameByHandle] obj => ${obj}`);
    let jObject = Java.cast(ptr(handle), obj);
    log(`[getRealClassNameByHandle] jObject => ${jObject}`);
    let objClass = jObject.getClass();

## LLDB动态调试步骤.md

      
              1 file
            
          
              0 forks
            
          
              4 comments
            
          
              0 stars
            
          
                SeeFlowerX
                / LLDB动态调试步骤.md
            
            
              Last active
              May 11, 2023 13:58
            
          
    和IDA类似，记录一些内容
全局调试，root下
magisk resetprop ro.debuggable 1
stop
start

  
## IDA动态调试步骤.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                SeeFlowerX
                / IDA动态调试步骤.md
            
            
              Last active
              May 8, 2023 01:54
            
              
                IDA动态调试步骤
              
          
将dbgsrv/android_server64推送到/data/local/tmp

adb push android_server64 /data/local/tmp/ida_android_server64

授予权限

adb shell chmod +x /data/local/tmp/ida_android_server64

  
## crash.log
04-23 23:23:31.322 10756 10756 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-23 23:23:31.322 10756 10756 F DEBUG   : Build fingerprint: 'google/flame/flame:11/RQ3A.210805.001.A1/7474174:user/release-keys'
04-23 23:23:31.322 10756 10756 F DEBUG   : Revision: 'MP1.0'
04-23 23:23:31.322 10756 10756 F DEBUG   : ABI: 'arm64'
04-23 23:23:31.323 10756 10756 F DEBUG   : Timestamp: 2023-04-23 23:23:31+0800
04-23 23:23:31.323 10756 10756 F DEBUG   : pid: 10736, tid: 10736, name: main  >>> ./wxharness <<<
04-23 23:23:31.323 10756 10756 F DEBUG   : uid: 0
04-23 23:23:31.323 10756 10756 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
04-23 23:23:31.323 10756 10756 F DEBUG   : Cause: null pointer dereference
04-23 23:23:31.323 10756 10756 F DEBUG   :     x0  b4000075d0d7c48f  x1  0000000000000000  x2  0000000000000001  x3  616600474f4c5241

## InMemoryDexClassLoaderFactory.java
import android.app.AppComponentFactory;
import android.content.pm.ApplicationInfo;
import android.util.Log;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipFile;
	@echo on

	set PATH=%PATH%;C:\Users\....\AppData\Local\Android\Sdk\cmake\3.22.1\bin
	set ANDROID_NDK=C:/Users/..../AppData/Local/Android/Sdk/ndk/25.1.8937393

	mkdir build
	cd build

	cmake -DCMAKE_TOOLCHAIN_FILE=%ANDROID_NDK%/build/cmake/android.toolchain.cmake ^
	-DANDROID=1 ^
	#!/system/bin/sh

	set -ex

	# ENABLE ipv4 forward
	sysctl -w net.ipv4.ip_forward=1

	# DISABLE ipv6
	sysctl -w net.ipv6.conf.all.disable_ipv6=1
	sysctl -w net.ipv6.conf.default.disable_ipv6=1
	function log(msg) {
	console.log(msg);
	}

	let handleCache = [];

	function getRealClassName(object) {
	const objClass = Java.use("java.lang.Object").getClass.apply(object);
	return Java.use("java.lang.Class").getName.apply(objClass)
	}
	function log(msg) {
	console.log(msg);
	}

	function getRealClassNameByHandle (handle) {
	let obj = Java.use("java.lang.Object");
	log(`[getRealClassNameByHandle] obj => ${obj}`);
	let jObject = Java.cast(ptr(handle), obj);
	log(`[getRealClassNameByHandle] jObject => ${jObject}`);
	let objClass = jObject.getClass();
	04-23 23:23:31.322 10756 10756 F DEBUG : * * * * * * * * * * * * * * * *
	04-23 23:23:31.322 10756 10756 F DEBUG : Build fingerprint: 'google/flame/flame:11/RQ3A.210805.001.A1/7474174:user/release-keys'
	04-23 23:23:31.322 10756 10756 F DEBUG : Revision: 'MP1.0'
	04-23 23:23:31.322 10756 10756 F DEBUG : ABI: 'arm64'
	04-23 23:23:31.323 10756 10756 F DEBUG : Timestamp: 2023-04-23 23:23:31+0800
	04-23 23:23:31.323 10756 10756 F DEBUG : pid: 10736, tid: 10736, name: main >>> ./wxharness <<<
	04-23 23:23:31.323 10756 10756 F DEBUG : uid: 0
	04-23 23:23:31.323 10756 10756 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
	04-23 23:23:31.323 10756 10756 F DEBUG : Cause: null pointer dereference
	04-23 23:23:31.323 10756 10756 F DEBUG : x0 b4000075d0d7c48f x1 0000000000000000 x2 0000000000000001 x3 616600474f4c5241
	import android.app.AppComponentFactory;
	import android.content.pm.ApplicationInfo;
	import android.util.Log;

	import java.io.IOException;
	import java.nio.ByteBuffer;
	import java.nio.channels.Channels;
	import java.util.ArrayList;
	import java.util.List;
	import java.util.zip.ZipFile;