Ahmet Bilal Can eybisi

// Frida script: attaches to a function inside libflutter.so at a hard-coded
// offset, logs each call, and overwrites its return value with 1.
// Going by the log text and the author's note below, the target is presumably
// the engine's TLS certificate-verification routine; if so, the instrumented
// process treats every server certificate as valid while the hook is active.
// App-hardening takeaway: a check that reduces to one patchable return value
// gives no assurance once the process is instrumented.
// NOTE(review): this listing ends before the closing `})` of Interceptor.attach.

// libflutter.so must already be mapped into the process when this line runs.
var flutter = Module.getBaseAddress("libflutter.so")
// search ssl_client, add offset of found function
// 0x5873D4 is specific to the one libflutter.so build the author analysed; on
// any other engine version or ABI it points at unrelated code and must be
// re-derived from that binary.
Interceptor.attach(flutter.add(0x5873D4),{
onEnter: function (args) {
// Only records that the hooked function was reached; args are not inspected.
console.log("ssl verify called")
},
onLeave:function(retval){
// Print the function's real result, then replace it with 1.
console.log("retval value",retval.toInt32())
retval.replace(0x1);
}
eybisi / luac.ksy
Last active July 26, 2021 07:54
Lua5.1 bytecode kaitai struct file
# Kaitai Struct description of a Lua 5.1 bytecode file.
# NOTE(review): the nesting indentation was lost in this listing and the
# definitions of the `header` and `function` types are not part of the preview;
# restore both before feeding the file to the Kaitai compiler.
meta:
id: luac
file-extension: luac
# Default byte order for multi-byte fields: little-endian.
endian: le
# Top-level layout: one `header` structure followed by one `function` structure.
seq:
- id: file_header
type: header
- id: top_level_function
type: function
from androguard.core.bytecodes import apk
import sys
import logging
# Raise the root logger threshold to ERROR so lower-severity log messages are dropped.
logging.getLogger().setLevel(logging.ERROR)
# Parse the APK whose path is the first command-line argument.
# NOTE(review): sys.argv[1] is read without a length check; running the script
# with no argument raises IndexError.
a = apk.APK(sys.argv[1])
# Activities declared in the APK's manifest.
activities = a.get_activities()
# The "name" attribute of the manifest's <application> element, i.e. the
# Application class the app declares (if any). How it is used lies outside this preview.
application = a.get_attribute_value("application","name")
// Frida hook on java.io.File.delete(): logs the absolute path of every file the
// app tries to delete and reports success to the caller without calling the
// real delete(), so the file stays on disk (useful for keeping artifacts an
// app under analysis would otherwise remove).
Java.perform(function () {
    var FileClass = Java.use("java.io.File");

    FileClass.delete.implementation = function (a) {
        // `this` is the File instance delete() was invoked on.
        var targetPath = this.getAbsolutePath();
        console.log("[+] Delete catched =>" + targetPath);
        // Claim the deletion succeeded; the original implementation is never invoked.
        return true;
    };
});
eybisi / hooky.js
Created April 18, 2020 20:59
hookymooky.js
// install package with adb install package.name
// do not open application
// use -f force option
// frida -U -f package.name -l del.js
Java.perform(function() {
var ssl = Java.use("k.x$b")
var channel = Java.use("f.e.c.b.g.f.g.a.c")
var Integer = Java.use("java.lang.Integer");
var ArrayList = Java.use("java.util.ArrayList");
var ArrayList = Java.use("java.util.ArrayList");
eybisi / remove_app.sh
Created February 12, 2020 12:32
bash script to remove apps easily
# Build the menu entries: list /data/app on the adb-connected device, turn CR/LF
# into spaces, strip every "-<digit>" pair (sed removes a hyphen plus ONE digit,
# so a suffix such as "-10" leaves a trailing "0"), then append a "Quit" entry.
# NOTE(review): the command substitution is unquoted, so the device's output is
# word-split and glob-expanded by the local shell before it lands in the array.
arr=($(adb shell "ls /data/app" | tr "\r\n" " " | sed 's/-[0-9]//g') "Quit")
echo "It's time to choose"
select opt in "${arr[@]}";do
case $opt in
"Quit")
break
esac
re='^[0-9]+$'
if ! [[ $REPLY =~ $re ]]; then
// send following command to trigger
// adb shell 'am broadcast -a flag_checker --es flag "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -n com.application.darkcon/com.application.darkcon.MyReceiver'
// Starts empty; presumably filled in by code past the end of this preview.
var flag = ""
// Address of the export `_Z6looperj`, the Itanium-mangled name of looper(unsigned int).
var looper = Module.getExportByName("libnative-lib.so","_Z6looperj")
// Load address of libnative-lib.so; the library must already be mapped when this runs.
var nlib = Module.getBaseAddress("libnative-lib.so")
function bytes2hex(array) {
array = Java.array('byte',array)
eybisi / frida.vim
Last active January 30, 2021 13:00
vim frida codeblock builder
" Ex commands :FridaV and :Frida forward their arguments to the functions of
" the same name. -nargs=+ only enforces "at least one" argument, while FridaV
" below reads a:1, a:2 and a:3, so calling it with fewer than three fails.
command! -nargs=+ FridaV call FridaV(<f-args>)
command! -nargs=+ Frida call Frida(<f-args>)
function! FridaV( ... )
let class = split(a:1,"\\V.")
let last = class[len(class)-1]
let S = ":normal i"
let S .= "\tvar %s = Java.use(\"%s\")\n"
execute printf(S,last,a:1)
call Frida(last,a:2,a:3)
eybisi / ra2.ts
Last active December 4, 2020 18:54
// Debug switch; it is not read anywhere within this preview.
var DEBUG = false
console.log('Starting ..')
// Country name the script is configured for; presumably compared against
// country records read from process memory (usage is outside this preview).
const YourCountry = 'Americans'
// Names of the attributes the script deals with. How they are applied is not
// visible in this preview (TODO confirm against the full file).
const HACKS = ['Cost','BuildTime','Armor','income','speed','firepower']
function processCountry(rawCountry: NativePointer) {
const buffer = rawCountry.readByteArray(0x1A9);
eybisi / get_payload.py
Created December 12, 2018 16:18
get decrypted payload from all apk files
#get apks from server? wget -np -e robots=off -m site.com/apk/folder/
#Place all apks in the same dir as py file or change os.listdir parameter
#you can get del.js from my repo https://github.com/eybisi/fridaScripts/blob/master/del.js
import os
from androguard.core.bytecodes import apk
import frida
import time
# Handle to the USB-connected device that Frida will instrument.
device = frida.get_usb_device()
# Every entry of the current directory, not only *.apk files: this script itself
# and any sub-directories are included, so filtering (if any) must happen in
# the loop that follows.
files = [f for f in os.listdir("./")]
for f in files: