The number of CFF blocks equals the sparse-switch-payload count.
- The first bytecode of the function is the CFF initialization, which sets the string:
1a00(switch reg) ????(strId) -> const string v0, "xxxx"string@strId
- Each block dispatcher starts with
/* | |
* Copyright (C) 2008 The Android Open Source Project | |
* | |
* Licensed under the Apache License, Version 2.0 (the "License"); | |
* you may not use this file except in compliance with the License. | |
* You may obtain a copy of the License at | |
* | |
* http://www.apache.org/licenses/LICENSE-2.0 | |
* | |
* Unless required by applicable law or agreed to in writing, software |
#!/bin/sh | |
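gum style --border normal --border-foreground 55 "Hello, there! Give me the $(gum style --foreground 57 'package name') you would like to install/pull."
package_name=$(gum input --placeholder "Package name")
# The name is later interpolated unquoted into shell commands (see the
# `adb shell pm path $package_name` call in pull_apk below), so reject
# anything outside the characters an Android package name can contain
# ([A-Za-z0-9._]) before it reaches those commands. An empty name is
# rejected too, since it would turn `pm path` into a different query.
case "$package_name" in
  ''|*[!A-Za-z0-9._]*)
    printf '%s\n' "Invalid package name: '$package_name'" >&2
    exit 1
    ;;
esac
sleep 0.5
clear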
pull_apk(){ | |
gum style --border normal --border-foreground 128 "Looks like $(gum style --foreground 128 $package_name) is installed." | |
gum input --placeholder "Press any key to pull apk" | |
path=$(adb shell pm path $package_name) | |
clear; |
#!/usr/bin/python3 | |
import os | |
from androguard.core.apk import APK | |
import frida | |
import time | |
import sys | |
frida_script = """ | |
Java.perform(function() { | |
var f = Java.use("java.io.File") |
for (const field of ItemBase.fields) { | |
if (field.isStatic) continue; | |
try{ | |
console.log(`${field} ${field.name} \x1b[32m${item_data.field(field.name).value}\x1B[0m`); | |
} catch (error) { | |
console.log(`${field} \x1b[31m${error}\x1B[0m`); | |
} |
Java.perform(function(){ | |
let ThreadDef = Java.use('java.lang.Thread'); | |
let ThreadObj = ThreadDef.$new(); | |
function stackTrace() { | |
console.log('------------START STACK---------------') | |
let stack = ThreadObj.currentThread().getStackTrace(); | |
for (let i = 0; i < stack.length; i++) { | |
console.log(i + ' => ' + stack[i].toString()); | |
} | |
console.log('------------END STACK---------------'); |
// https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56 | |
// https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDex.java#716 | |
// https://android.googlesource.com/platform/libcore/+/master/dalvik/src/main/java/dalvik/system/DexPathList.java#397 | |
// copyFile works really slowly, sorry about that. Alternatively, hook File.delete, since MultiDex removes the temporary dexes.
// https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java#418 | |
// Frida's deoptimize helpers; presumably used so the hooks installed below
// also apply to code that was already compiled — confirm against the
// Frida Java bridge docs for the version in use.
Java.deoptimizeBootImage();
Java.deoptimizeEverything();
function copyFile(destPath,sourcePath){ | |
const File = Java.use('java.io.File'); |
import { log } from "./logger"; | |
import { AssertionError } from "assert"; | |
// Resolve the IL2CPP runtime module and keep its base address; the two
// offsets below are build-specific constants taken from this script and
// will not match other builds of the target library.
const libil2cpp = Process.getModuleByName("libil2cpp.so");
const { base: libil2cppb } = libil2cpp;
// NOTE(review): these offsets are presumably the serialize/deserialize
// routines of the PlayerInfo type — confirm against the current binary.
const playerinfo_serialize = libil2cppb.add(0x6c2e30);
const playerinfo_deserialize = libil2cppb.add(0x6c316c);
console.log("Starting script..");
function readString(pointr:NativePointer){ |
from datetime import datetime | |
import hashlib | |
def gen_dga_from_day(day): | |
# https://twitter.com/_CPResearch_/status/1603375823448317953?s=20&t=TkPpJYjVudhg2JnHbeVQFQ | |
""" | |
int i2 = 5; | |
int i3 = calendar.get(5); | |
int i4 = calendar.get(1); |
The number of CFF blocks equals the sparse-switch-payload count.
1a00(switch reg) ????(strId) -> const string v0, "xxxx"string@strId
#pragma pattern_limit 0x20000 | |
// A length-prefixed string, referenced by offset from StringIdItem.
// NOTE(review): the length prefix is read as a single u8 here. If this
// models dex's string_data_item, the length there is a ULEB128 count of
// UTF-16 code units, so a u8 only covers counts < 128 and
// `char string[size]` under-reads strings with multi-byte characters —
// confirm against the target format before relying on the parsed text.
struct StringDataItem {
  u8 size[[hidden]];   // length prefix; [[hidden]] keeps it out of the pattern view
  char string[size];   // `size` bytes of string data
}[[inline]];
// One entry of the string-id table: a u32 offset that resolves to a
// StringDataItem (pointer syntax — the stored value is the u32, the pointee
// is parsed at that offset).
struct StringIdItem {
  StringDataItem *stringData : u32;   // offset of the string data, stored as u32
}[[inline]];