eybisi

                for (const field of ItemBase.fields) {
                    if (field.isStatic) continue;


                    try{
                        console.log(`${field} ${field.name} \x1b[32m${item_data.field(field.name).value}\x1B[0m`);
                    } catch (error) {
                        console.log(`${field} \x1b[31m${error}\x1B[0m`);
                    }

eybisi

/*
 * Copyright (C) 2008 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software

eybisi

from datetime import datetime
import hashlib


def gen_dga_from_day(day):
    # https://twitter.com/_CPResearch_/status/1603375823448317953?s=20&t=TkPpJYjVudhg2JnHbeVQFQ
    """
    int i2 = 5;
    int i3 = calendar.get(5);
    int i4 = calendar.get(1);

eybisi

#!/bin/sh
gum style --border normal --border-foreground 55 "Hello, there! Give me the $(gum style --foreground 57 'package name') you would like to install/pull."
package_name=$(gum input --placeholder "Package name")
sleep 0.5; clear

pull_apk(){
    gum style --border normal --border-foreground 128 "Looks like $(gum style --foreground 128 $package_name) is installed."
    gum input --placeholder "Press any key to pull apk"
    path=$(adb shell pm path $package_name)
    clear;

eybisi

CFF definition (Sample : 92ae23580c83642ad0e50f19979b9d2122f28d8b3a9d4b17539ce125ae8d93eb)

cff blocks is equal to number of sparse-switch-payload count

• first bytecode of function is initialization for cff which sets str

1a00(switch reg) ????(strId) -> const string v0, "xxxx"string@strId 

• each block dispatcher startswith

eybisi

#pragma pattern_limit 0x20000

struct StringDataItem {
        u8 size[[hidden]];
        char string[size];
}[[inline]];

struct StringIdItem {
    StringDataItem *stringData : u32;
}[[inline]];

eybisi

// https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56
// https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDex.java#716
// https://android.googlesource.com/platform/libcore/+/master/dalvik/src/main/java/dalvik/system/DexPathList.java#397
// copy file works reeeealy slow, sorry for that. Instead you can hook file.delete since multidex will remove temp dexes.
//  https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java#418
Java.deoptimizeBootImage()
Java.deoptimizeEverything()

function copyFile(destPath,sourcePath){
    const File = Java.use('java.io.File');

eybisi

from androguard.core.bytecodes import apk
import sys
import logging

logging.getLogger().setLevel(logging.ERROR)


a = apk.APK(sys.argv[1])
activities = a.get_activities()
application = a.get_attribute_value("application","name")

eybisi

#!/usr/bin/python3
import os
from androguard.core.apk import APK
import frida
import time
import sys
frida_script = """
Java.perform(function() {

    var f = Java.use("java.io.File")

eybisi

var flutter = Module.getBaseAddress("libflutter.so")
// search ssl_client, add offset of found function
Interceptor.attach(flutter.add(0x5873D4),{
    onEnter: function (args) {
        console.log("ssl verify called")
    },
    onLeave:function(retval){
        console.log("retval value",retval.toInt32())
        retval.replace(0x1);
    }