//frida -U -f appinventor.ai_turkprogrammerman.rubiko -l ninja.js --no-pause
Java.perform(function() {
var f = Java.use("appinventor.ai_turkprogrammerman.rubiko.Screen1$frame")
f.apply0.implementation = function(a){
//send(a.selector)
return this.apply0(a)
}
var f2 = Java.use("com.tiziano1960.cryptoextension.cryptoextension")
eybisi / getsim.js
Last active November 23, 2019 22:23
hook the getSimOperator function
Java.perform(function() {
var ThreadDef = Java.use('java.lang.Thread');
var ThreadObj = ThreadDef.$new();
var dalvik = Java.use("android.telephony.TelephonyManager")
dalvik.getSimOperator.overload().implementation = function(){
console.log("[+] sim operator Catched -> ")
stackTrace()
return "302"
eybisi / checkgp.py
Created October 30, 2019 10:36
check whether an app is listed on Google Play
#/usr/bin/python
#python checkgp.py list.txt
import requests
import sys
f = open(sys.argv[1])
r = f.readlines()
for i in r:
try:
req = requests.get("https://play.google.com/store/apps/details?id="+i)
eybisi / pass.js
Created September 4, 2019 09:50
hydra time bypass
// Resolve the `unlink` export; a null module name asks Frida to search every loaded module.
var unlinkPtr = Module.findExportByName(null, 'unlink');
// remove bypass: swap unlink() for a callback that only logs the path argument,
// so the analysed sample's file removal is observed instead of carried out.
// NOTE(review): the callback is declared to return 'int' but returns nothing;
// an explicit `return 0` would make the "success" status seen by the caller intentional.
Interceptor.replace(unlinkPtr, new NativeCallback( function (a){
console.log("[+] Unlink : " + Memory.readUtf8String(ptr(a)))
}, 'int', ['pointer']));
var timePtr = Module.findExportByName(null, 'time');
// time bypass
Interceptor.replace(timePtr, new NativeCallback( function (){
eybisi / hydra_v2.py
Last active August 15, 2019 07:50
Hydra dropper string decryption script for Ghidra
import ghidra.app.script.GhidraScript
import exceptions
from ghidra.program.model.address import AddressOutOfBoundsException
from ghidra.program.model.symbol import SourceType
def xor_block(faddr,saddr,size):
first_block = getBytes(toAddr(faddr),size).tolist()
import frida
import sys
#inds isng llg w. e HthitheoftheAh,urnolik inefe yo blrhot in owace
#abcdefghijklmnopqrstuvwxyz., ABCDEFGHIJKLMNOPQRSTUVWXYZ
#abcdefghilnorstuwy.,AH
session = frida.attach("magic")
script = session.create_script("""
pool2 = ['e ',' H','is','no','of',' g','bl','ow','ur',' w','in','yo']
pool3 = ["ds ","hot","the",' yo',"ace","thi",'Ah,',' in',' bl','lik']
pool = 'abcdefghilnorstuwy.,AH '
#!/usr/bin/python
# Third-party imports (androguard, Crypto); the star import pulls every public
# name of androguard.misc into this module's namespace.
from androguard.misc import *
import sys
from Crypto.Cipher import ARC4
from androguard.core.androconf import show_logging
import logging
from base64 import b64decode
# Raise androguard's log threshold to FATAL so only fatal messages are printed.
show_logging(level=logging.FATAL)
eybisi / get_payload.py
Created December 12, 2018 16:18
get the decrypted payload from all APK files
#get apks from server? wget -np -e robots=off -m site.com/apk/folder/
#Place all apks in the same dir as py file or change os.listdir parameter
#you can get del.js from my repo https://github.com/eybisi/fridaScripts/blob/master/del.js
import os
from androguard.core.bytecodes import apk
import frida
import time
device = frida.get_usb_device()
files = [f for f in os.listdir("./")]
for f in files:
eybisi / idk.py
Created October 4, 2018 11:12
another packed-malware C2 extractor
import lxml.etree as etree
from androguard.core.bytecodes import apk
import sys
def main():
# python x.py name.apk
a = apk.APK(sys.argv[1])
a2 = a.get_android_resources()
b = etree.fromstring(a2.get_string_resources(a.get_package()))
try:
eybisi / redalert.py
Created October 4, 2018 11:10
RedAlert C2 extractor
import lxml.etree as etree
from androguard.core.bytecodes import apk
import sys
def main():
# python x.py name.apk
a = apk.APK(sys.argv[1])
a2 = a.get_android_resources()
b = etree.fromstring(a2.get_string_resources(a.get_package()))
try: