- Open the firmware binary in Ghidra
- Go to the data view and copy all the string addresses, and paste them into a Jupyter notebook with the code below
- Sort and copy all the possible pointers (probably `undefined4` type) similarly

def find_and_extract_dex(file_path, output_path): | |
try: | |
with open(file_path, 'rb') as file: | |
data = file.read() | |
# DEX file header magic number and offset for file size | |
dex_magic = b'dex\n' | |
size_offset = 32 | |
size_length = 4 |
// a more generalized version of https://gist.github.com/YSaxon/bdd00ce836dee657518d1937047e4ec6 | |
function createCriteriaFunction(propertyNames) { | |
if (!Array.isArray(propertyNames)) { | |
propertyNames = [propertyNames]; | |
} | |
return function(obj) { | |
if (!obj || typeof obj !== 'object') return false; |
// Duck-type check for a Redux-style store: a non-null object exposing
// getState, dispatch and subscribe as functions.
// Note: a falsy `obj` is passed straight through (null/undefined/0/''),
// exactly like the original `obj && ...` chain; every other case yields a boolean.
function isReduxStore(obj) {
  if (!obj) return obj;
  if (typeof obj !== 'object') return false;
  const requiredMethods = ['getState', 'dispatch', 'subscribe'];
  return requiredMethods.every((name) => typeof obj[name] === 'function');
}
// True when `key` is a plain ASCII identifier: first character a letter,
// underscore or `$`; any following characters may also be digits.
// `RegExp.test` coerces non-strings, so e.g. undefined is tested as "undefined".
function isValidIdentifier(key) {
  const identifierPattern = /^[a-zA-Z_$][a-zA-Z_$0-9]*$/;
  return identifierPattern.test(key);
}
import re | |
from ghidra.program.model.data import Undefined | |
from java.io import File | |
from ghidra.app.util.exporter import CppExporter | |
from ghidra.util.task import TaskMonitor | |
from ghidra.app.util import Option | |
from ghidra.program.model.listing import Function | |
from ghidra.program.database.symbol import FunctionSymbol | |
from ghidra.app.decompiler import DecompInterface | |
from ghidra.program.model.listing import CodeUnit |
# Reverse-resolve every unique remote IPv4 peer reported by netstat.
# Column 5 is the foreign address; the pattern keeps entries with five dotted
# numeric groups (BSD/macOS netstat prints the port as "a.b.c.d.port"), `cut`
# drops the trailing port, `host` performs the PTR lookup, and only the
# "domain name pointer" lines are kept, their last field being the hostname.
netstat -an \
  | awk '$5 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { print $5 }' \
  | cut -d. -f1-4 \
  | sort -u \
  | while read -r ip; do host "$ip"; done \
  | grep pointer \
  | awk '{ print $NF }' \
  | sort -u
(copied from my comment here: thomasnordquist/MQTT-Explorer#632 (comment))
Open DevTools (it should be an option in the File menu). Then, in the JS console:
// Reach into React's internal root to find the application's store.
// NOTE(review): `_reactRootContainer`, `_internalRoot`, `current.child` and
// `memoizedProps` are underscore-prefixed/internal React fields; this path is
// tied to the React version the app ships and may break on upgrade — confirm
// against the running build.
const reactRoot = document.querySelector('#app')._reactRootContainer;
// Presumably a Redux-style store (it exposes getState below) — verify.
const store = reactRoot._internalRoot.current.child.memoizedProps.store;
// The `tree` held under the store's `connection` slice.
var tree = store.getState().connection.tree
from java.io import File | |
from ghidra.app.util.exporter import CppExporter | |
from ghidra.util.task import TaskMonitor | |
from ghidra.app.util import Option | |
from ghidra.program.model.listing import Function | |
from ghidra.program.database.symbol import FunctionSymbol | |
import re | |
from ghidra.app.decompiler import DecompInterface | |
from ghidra.program.model.listing import CodeUnit | |
from ghidra.program.model.scalar import Scalar |
# Pull the whole device filesystem, starting at "/", into the current directory.
# NOTE(review): on a non-rooted device much of "/" is unreadable to the adb
# shell user, so expect permission errors and a partial copy — confirm.
adb pull /
Here's a script which does an adb pull of all the various APKs into their normal directory tree and also symlinks them all together into one directory. Run `mkdir root; cd root; mkdir apk_softlinks` before running it.
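# Pull every non-vendor APK off the attached device into ./<device path> and
# collect a flat set of symlinks to them under ./apk_softlinks.
# Run `mkdir root; cd root; mkdir apk_softlinks` first.
#
# Differences from the one-liner this replaces:
#   - the package name reaches `sh -c` as a positional argument ("$1") rather
#     than being spliced into the command string by xargs, so a package name
#     read from the device is never interpreted by the shell;
#   - `pm path` may print several lines (split APKs); each line is pulled and
#     linked separately instead of being joined into one newline-laden path;
#   - every path expansion is quoted, so paths with spaces or glob characters
#     survive intact;
#   - CR characters are stripped from the package list too, not only from
#     `pm path` output.
adb shell 'pm list packages' \
  | grep -vE "^package:(com.android|com.qualcomm|com.google|com.qti|android)" \
  | awk -F':' '{print $2}' \
  | tr -d '\r' \
  | xargs -I '{}' sh -c '
      pkg=$1
      adb shell pm path "$pkg" | cut -d: -f2 | tr -d "\r" | while read -r path; do
        [ -n "$path" ] || continue
        local_path="./${path#/}"
        dir_name="$(basename "$(dirname "$local_path")")"
        mkdir -p "$(dirname "$local_path")"
        adb pull "$path" "$local_path"
        # Link name is the APK parent directory, as before; a second APK from
        # the same directory (a split) gets its own basename appended so ln
        # does not fail on an existing link.
        link="./apk_softlinks/$dir_name.apk"
        if [ -e "$link" ] || [ -L "$link" ]; then
          link="./apk_softlinks/$dir_name.$(basename "$local_path")"
        fi
        ln -s "../${path#/}" "$link"
      done
    ' _ '{}'

# A failed pull leaves a dangling symlink; rename it so the failure is visible.
# The suffix is stripped before re-adding it so reruns do not stack ".PULL_FAILED".
for file in apk_softlinks/*; do
  if [ -L "$file" ] && [ ! -e "$file" ]; then
    mv "$file" "${file%.PULL_FAILED}.PULL_FAILED"
  fi
done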