- Open the firmware binary in Ghidra
- Go to the data view and copy all the string addresses, and paste them into a Jupyter notebook with the code below
- Sort and copy all the possible pointers (probably
undefined4type) similarly
Yaakov Saxon YSaxon
YSaxon
/ cortexFirmwareFileNotes.md
Created
April 17, 2024 19:24
YSaxon
/ extract_dex_from_memdump.py
Created
December 18, 2023 17:30
extract a dexfile from a memory dump
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def find_and_extract_dex(file_path, output_path): | |
| try: | |
| with open(file_path, 'rb') as file: | |
| data = file.read() | |
| # DEX file header magic number and offset for file size | |
| dex_magic = b'dex\n' | |
| size_offset = 32 | |
| size_length = 4 |
YSaxon
/ findObjectFromWindowBFS.js
Created
November 16, 2023 19:16
JS Console script to recursively find an object starting from the window object
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // a more generalized version of https://gist.github.com/YSaxon/bdd00ce836dee657518d1937047e4ec6 | |
| function createCriteriaFunction(propertyNames) { | |
| if (!Array.isArray(propertyNames)) { | |
| propertyNames = [propertyNames]; | |
| } | |
| return function(obj) { | |
| if (!obj || typeof obj !== 'object') return false; |
YSaxon
/ findReduxStoreBFS.js
Created
November 16, 2023 16:26
JS Console script to find the Redux store and state
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function isReduxStore(obj) { | |
| return obj && typeof obj === 'object' && | |
| typeof obj.getState === 'function' && | |
| typeof obj.dispatch === 'function' && | |
| typeof obj.subscribe === 'function'; | |
| } | |
| function isValidIdentifier(key) { | |
| return /^[a-zA-Z_$][a-zA-Z_$0-9]*$/.test(key); | |
| } |
YSaxon
/ xor_decoder.py
Last active
January 9, 2024 17:52
Ghidra Xor Decoder script for a particular xor obfuscation type I encountered
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from ghidra.program.model.data import Undefined | |
| from java.io import File | |
| from ghidra.app.util.exporter import CppExporter | |
| from ghidra.util.task import TaskMonitor | |
| from ghidra.app.util import Option | |
| from ghidra.program.model.listing import Function | |
| from ghidra.program.database.symbol import FunctionSymbol | |
| from ghidra.app.decompiler import DecompInterface | |
| from ghidra.program.model.listing import CodeUnit |
YSaxon
/ get_hostnames_communicating_with.sh
Created
September 1, 2023 18:44
get hostnames currently communicating with
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| netstat -an | awk '{if ($5 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) print $5}' | cut -d. -f1-4 | sort -u | while read -r line; do host $line; done | grep pointer | awk '{print $NF}' | sort -u |
YSaxon
/ export_from_mqtt_explorer.md
Last active
July 14, 2023 19:00
(copied from my comment here: thomasnordquist/MQTT-Explorer#632 (comment))
Open DevTools (should be an option in the file menu) Now in the JS Console
const reactRoot = document.querySelector('#app')._reactRootContainer;
const store = reactRoot._internalRoot.current.child.memoizedProps.store;
var tree = store.getState().connection.tree
YSaxon
/ xor_string_deobfuscator.py
Last active
July 6, 2023 21:06
Ghidra script to deobfuscate xor strings within legu unpacker library (probably adaptable for use elsewhere)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from java.io import File | |
| from ghidra.app.util.exporter import CppExporter | |
| from ghidra.util.task import TaskMonitor | |
| from ghidra.app.util import Option | |
| from ghidra.program.model.listing import Function | |
| from ghidra.program.database.symbol import FunctionSymbol | |
| import re | |
| from ghidra.app.decompiler import DecompInterface | |
| from ghidra.program.model.listing import CodeUnit | |
| from ghidra.program.model.scalar import Scalar |
YSaxon
/ gist:e2e8ea4be1e4cc6bbdc3b0e50d730825
Last active
October 9, 2023 20:51
notes on dumping files from android
adb pull /
Here's a script which will do an adb pull of all the various apks into their normal tree and also softlink them all together. do a mkdir root; cd root; mkdir apk_softlinks before running this
adb shell 'pm list packages' | grep -vE "^package:(com.android|com.qualcomm|com.google|com.qti|android)" | awk -F':' '{print $2}' | xargs -I '{}' sh -c 'path=$(adb shell pm path {} | cut -d: -f2 | tr -d "\r"); mkdir -p $(dirname "./${path#/}"); adb pull "$path" "./${path#/}"; ln -s "../${path#/}" "./apk_softlinks/$(basename $(dirname "./${path#/}")).apk"'; for file in apk_softlinks/*; do [ -L "$file" ] && [ ! -e "$file" ] && mv "$file" "${file%.PULL_FAILED}.PULL_FAILED"; done
NewerOlder