eyb eybisi
👀 hooking functions
eybisi / il2cpp-bridge-frida.js
Created November 19, 2023 14:14
snippets for il2cpp-bridge-frida

```javascript
// Dump every instance field of `item_data` (an Il2Cpp object whose class is ItemBase).
// Readable values are printed in green, fields that throw on access in red.
for (const field of ItemBase.fields) {
    if (field.isStatic) continue;
    try {
        console.log(`${field} ${field.name} \x1b[32m${item_data.field(field.name).value}\x1b[0m`);
    } catch (error) {
        console.log(`${field} \x1b[31m${error}\x1b[0m`);
    }
}
```
eybisi / dex.h
Created August 14, 2023 22:35
Dex header file to use in IDA

```c
/*
 * Copyright (C) 2008 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
```
eybisi / dga_alien.py
Last active December 16, 2022 08:36
dga for alien sample

```python
from datetime import datetime
import hashlib

def gen_dga_from_day(day):
    # https://twitter.com/_CPResearch_/status/1603375823448317953?s=20&t=TkPpJYjVudhg2JnHbeVQFQ
    """
    int i2 = 5;
    int i3 = calendar.get(5);
    int i4 = calendar.get(1);
```
eybisi / pullpackage.sh
Last active January 2, 2024 23:09
bash script with gum for pulling/installing package

```sh
#!/bin/sh
gum style --border normal --border-foreground 55 "Hello, there! Give me the $(gum style --foreground 57 'package name') you would like to install/pull."
package_name=$(gum input --placeholder "Package name")
sleep 0.5; clear
pull_apk(){
    gum style --border normal --border-foreground 128 "Looks like $(gum style --foreground 128 "$package_name") is installed."
    gum input --placeholder "Press any key to pull apk"
    # `pm path` prints one "package:/data/app/.../base.apk" line per APK (base plus splits)
    path=$(adb shell pm path "$package_name")
    clear
```
CFF definition (Sample: 92ae23580c83642ad0e50f19979b9d2122f28d8b3a9d4b17539ce125ae8d93eb)

The number of CFF blocks equals the number of sparse-switch-payload entries.

  • The first bytecode of the function is the CFF initialisation, which loads the switch register with a string:
    1a00(switch reg) ????(strId) -> const-string v0, "xxxx" string@strId
  • Each block dispatcher starts with
eybisi / dex.hexpat
Created April 27, 2022 17:18
dex pattern file for imhex

```
#pragma pattern_limit 0x20000

struct StringDataItem {
    u8 size[[hidden]];
    char string[size];
}[[inline]];

struct StringIdItem {
    StringDataItem *stringData : u32;
}[[inline]];
```
eybisi / hook_multidex.js
Created February 14, 2022 23:26
hook multi dex variant of android packers

```javascript
// https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56
// https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDex.java#716
// https://android.googlesource.com/platform/libcore/+/master/dalvik/src/main/java/dalvik/system/DexPathList.java#397
// copyFile works really slowly, sorry for that. Instead you can hook File.delete, since MultiDex will remove the temp dexes.
// https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java#418
Java.deoptimizeBootImage()
Java.deoptimizeEverything()

function copyFile(destPath, sourcePath) {
    const File = Java.use('java.io.File');
```
```python
from androguard.core.bytecodes import apk
import sys
import logging

logging.getLogger().setLevel(logging.ERROR)

a = apk.APK(sys.argv[1])
activities = a.get_activities()
application = a.get_attribute_value("application", "name")
```
```python
#!/usr/bin/python3
import os
from androguard.core.apk import APK
import frida
import time
import sys

frida_script = """
Java.perform(function() {
    var f = Java.use("java.io.File")
    var flutter = Module.getBaseAddress("libflutter.so")
    // search ssl_client, add offset of found function
    Interceptor.attach(flutter.add(0x5873D4), {
        onEnter: function (args) {
            console.log("ssl verify called")
        },
        onLeave: function (retval) {
            console.log("retval value", retval.toInt32())
            retval.replace(0x1);
        }
```