eybisi

/*
 * Copyright (C) 2008 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software

eybisi

#!/bin/sh
gum style --border normal --border-foreground 55 "Hello, there! Give me the $(gum style --foreground 57 'package name') you would like to install/pull."
package_name=$(gum input --placeholder "Package name")
sleep 0.5; clear

pull_apk(){
    gum style --border normal --border-foreground 128 "Looks like $(gum style --foreground 128 $package_name) is installed."
    gum input --placeholder "Press any key to pull apk"
    path=$(adb shell pm path $package_name)
    clear;

eybisi

#!/usr/bin/python3
import os
from androguard.core.apk import APK
import frida
import time
import sys
frida_script = """
Java.perform(function() {

    var f = Java.use("java.io.File")

eybisi

                for (const field of ItemBase.fields) {
                    if (field.isStatic) continue;


                    try{
                        console.log(`${field} ${field.name} \x1b[32m${item_data.field(field.name).value}\x1B[0m`);
                    } catch (error) {
                        console.log(`${field} \x1b[31m${error}\x1B[0m`);
                    }

eybisi

Java.perform(function(){
    let ThreadDef = Java.use('java.lang.Thread');
    let ThreadObj = ThreadDef.$new();
    function stackTrace() {
                console.log('------------START STACK---------------')
                let stack = ThreadObj.currentThread().getStackTrace();
                for (let i = 0; i < stack.length; i++) {
                                console.log(i + ' => ' + stack[i].toString());
                            }
                console.log('------------END STACK---------------');

eybisi

// https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56
// https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDex.java#716
// https://android.googlesource.com/platform/libcore/+/master/dalvik/src/main/java/dalvik/system/DexPathList.java#397
// copy file works reeeealy slow, sorry for that. Instead you can hook file.delete since multidex will remove temp dexes.
//  https://android.googlesource.com/platform/frameworks/multidex/+/refs/heads/master/library/src/androidx/multidex/MultiDexExtractor.java#418
Java.deoptimizeBootImage()
Java.deoptimizeEverything()

function copyFile(destPath,sourcePath){
    const File = Java.use('java.io.File');

eybisi

import { log } from "./logger";
import { AssertionError } from "assert";

const libil2cpp = Process.getModuleByName("libil2cpp.so");
const libil2cppb = libil2cpp.base;
const playerinfo_serialize = libil2cppb.add(0x6c2e30);
const playerinfo_deserialize = libil2cppb.add(0x6c316c);

console.log("Starting script..");
function readString(pointr:NativePointer){

eybisi

from datetime import datetime
import hashlib


def gen_dga_from_day(day):
    # https://twitter.com/_CPResearch_/status/1603375823448317953?s=20&t=TkPpJYjVudhg2JnHbeVQFQ
    """
    int i2 = 5;
    int i3 = calendar.get(5);
    int i4 = calendar.get(1);

eybisi

CFF definition (Sample : 92ae23580c83642ad0e50f19979b9d2122f28d8b3a9d4b17539ce125ae8d93eb)

cff blocks is equal to number of sparse-switch-payload count

• first bytecode of function is initialization for cff which sets str

1a00(switch reg) ????(strId) -> const string v0, "xxxx"string@strId 

• each block dispatcher startswith

eybisi

#pragma pattern_limit 0x20000

struct StringDataItem {
        u8 size[[hidden]];
        char string[size];
}[[inline]];

struct StringIdItem {
    StringDataItem *stringData : u32;
}[[inline]];