Skip to content

Instantly share code, notes, and snippets.

I may be slow to respond.

Lucio Paiva luciopaiva

I may be slow to respond.
View GitHub Profile
luciopaiva /
Last active May 14, 2022
Android APK hacking how-to

Android APK hacking how-to

Install and configure SDK

  • install Android Studio (google it)

  • configure your shell (considering Linux+Bash):

    export ANDROID_HOME=$HOME/Android/Sdk
    export PATH=$PATH:$ANDROID_HOME/tools

export PATH=$PATH:$ANDROID_HOME/platform-tools

luciopaiva /
Last active Apr 26, 2022
Full client and server example

Full client and server example

Last updated: 2021-02-21, tested with v3.1.1

This is the simplest implementation you will find for a client/server WebSockets architecture using

To see a full explanation, read my answer on SO here:

If you're looking for examples using frameworks, check these links:

luciopaiva /
Last active Apr 8, 2022
Android APK HTTPS user certificates how-to

Android APK HTTPS user certificates how-to

Starting with Android Nougat, Google changed the way apps handle user certificates:

Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

This means that certificates issued by applications like [Charles][charles] or [mitmproxy][mitmproxy] are no longer accepted, so these proxies won't work for HTTPS traffic.

This tutorial explains what needs to be done to overcome that restriction and be able to sniff any Android app's HTTPS requests.

luciopaiva /
Last active Mar 5, 2022
How to build aseprite via CLion on Windows

ase128 clion_logo_300x300a

The aseprite docs help with building it from the command line. Here I show how to build it via CLion. It is surprinsingly simple!

First, follow the instrucions in I will summarize here what I had to follow when building tag v1.3-beta11:

  1. Clone the repo with its submodules;
  2. Either stay in the main branch or switch to the desired tag. For example, this is how I switched to v1.3-beta11:

git checkout tags/v1.3-beta11 -b v1.3-beta11

luciopaiva / gist:87b64d8d47a51d1bb6866b7c9df9bf23
Created Dec 23, 2020
Windows remote desktop access with simultaneous users
View gist:87b64d8d47a51d1bb6866b7c9df9bf23
General steps:
- download Microsoft Remote Desktop app on client machine (check the Apple store)
- enable remote access on host Windows (window key, type "allow remote access" to find the setting)
- test the connection using the Remote Desktop app. Notice that any current logged in users on the host machine will need to log out
- download [RDP Wrapper]( - I tested with v1.6.2. The msi installer did not work for me (got an error trying to execute it), but the zip worked fine
- unzip, run install.bat
- run the "*conf*.exe" app that comes with the zip
- it should show all green - if it shows a red "[not supported]", continue below
- get the ini file posted by Damasker [here]( As instructed, run `net stop TermService`, replace the ini file in `Program Files/RDP Wrapper`, then `net start TermService`

SSH tunneling quick example

General pattern:

ssh bridge-machine -L local-port:destination-machine:destination-port -N

Where bridge-machine is the machine providing an ssh server that will act as a bridge to the destionation-machine. The destionation machine could be, for instance, a database, a Redis server, etc, that is not accessible from your network, but is accessible via another server (the bridge) that you are able to access via SSH.

I always forget which port is the local one is which is the remote. One nice mnemonic is to remember that Left is Local, Right is Remote.

luciopaiva / index.css
Last active May 3, 2021
Read/write CSS variable in Javascript
View index.css
:root {
--app-width: 1000px;
--some-calculation: calc(var(--app-width) + 1);

CORS issues when running via Webstorm

Jetbrains had a Chrome extension where you could configure Webstorm to include CORS headers just fine, but it seems to not be working anymore (setting the field and hitting the apply button has no effect - reloading the extension configuration page shows that the field is still empty).

This comment was what helped me, but it was not enough. I reply to that comment with the extra instructions needed. Here's the full conversation in case that page goes down:

Ekaterina Prigara says:

luciopaiva / Simple way to get a concurrency issue using
Last active Jan 31, 2021
Simple way to get a concurrency issue using async/await
View Simple way to get a concurrency issue using

This is a simple example of how to get a concurrency issue in JavaScript while using async/await.

In the initial example, async-concurreny-issue.js, the main function starts two tasks that were supposed to run asynchronously. The big problem here is that runTask() has side effects and changes an internal state represented by currentTaskId. After going through a function call that requires awaiting on a promise (promiseMe()), the task expects currentTaskId to still have the same id assigned to it a couple of lines above. Even if promiseMe() does actually nothing, it will still execute asynchronously. That should be no problem because we are awaiting on it in runTask(), right? Yeah, but the problem is that main() is not doing its job and await is not being used there. This means that main() fires runTask(2) immediately after calling runTask(1), so it runs before the call to promiseMe() has the chance to return - it can only return in the next event loop tick, since it is behind a p

View Faking location on

Using apps to fake GPS location, like Fake GPS, is not enough to trick some apps into thinking they are somewhere else.

One obvious thing to do is to use a VPN to spoof your ISP location as well, but there's more.

Apps also rely on the "Improve location accurary" that you can find on your Android settings. When that is turned on, geolocation also uses info about nearby wifi and cellular signals. If you turn that option off, the app will tell you it needs location info to work and will refuse to continue. As far as I know, there's no way to circumvent that without rooting the phone or running the app on an emulator.

One easy option, though, is that sometimes apps have equivalent versions running as web apps, and web apps cannot fetch location info as easily. If the app you're trying to use has a web version, just turn the VPN on and you should be able to use it just fine.

If you need to cast to Chromecast, it will probably not work unless you configure the VPN directly into your home router.