luciopaiva

Android APK hacking how-to

Install and configure SDK

• install Android Studio (google it)

• configure your shell (considering Linux+Bash):

  export ANDROID_HOME=$HOME/Android/Sdk
  export PATH=$PATH:$ANDROID_HOME/tools
  

export PATH=$PATH:$ANDROID_HOME/platform-tools

luciopaiva

Android APK HTTPS user certificates how-to

Starting with Android Nougat, Google changed the way apps handle user certificates:

Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

This means that certificates issued by applications like [Charles][charles] or [mitmproxy][mitmproxy] are no longer accepted, so these proxies won't work for HTTPS traffic.

This tutorial explains what needs to be done to overcome that restriction and be able to sniff any Android app's HTTPS requests.

luciopaiva

Full socket.io client and server example

Last updated: 2021-02-21, tested with socket.io v3.1.1

This is the simplest implementation you will find for a client/server WebSockets architecture using socket.io.

To see a full explanation, read my answer on SO here: https://stackoverflow.com/a/24232050/778272.

If you're looking for examples using frameworks, check these links:

luciopaiva

Protobuffer-safe bytes for proprietary protocol formats

In a situation where peers can exchange messages in either protobuf or a proprietary format, there must be a way for the recipient to identify whether the incoming message is a protobuf or not.

The simplest solution for that would be to add a header to each message informing the recipient what the payload type is. Let's say, however, that there is an existing protocol using protobuf messages and a proprietary format option must be added without breaking compatibility with existing implementations.

The idea is to pick a byte that will be sent at the beginning of the message and will let the recipient know for sure if it's a protobuf or proprietary format. For that, one has to answer the question: what values are valid first bytes in a protobuf message?

From the documentation:

luciopaiva

CORS issues when running via Webstorm

Jetbrains had a Chrome extension where you could configure Webstorm to include CORS headers just fine, but it seems to not be working anymore (setting the field and hitting the apply button has no effect - reloading the extension configuration page shows that the field is still empty).

This comment was what helped me, but it was not enough. I reply to that comment with the extra instructions needed. Here's the full conversation in case that page goes down:

---

Ekaterina Prigara says:

luciopaiva

Conditionally add property to JavaScript object

I had to look this up on the internet so many times during the years that I decided to write this Gist to see if I memorize it once for all (or at least I have a quick place to look next time).

Say your code creates an object and there's a particular property that it sometimes needs to add, sometimes it doesn't. The straightforward way of coding this would be:

const x = {
  a: 1
};

luciopaiva

/*
 * This script changes the timestamps of a series of files in batch. The script will go through all files in
 * specified folder, ordering them by name. The first file will be stamped with given start date. The second one will
 * be stamped with start date plus 1 second, the third with start date plus 2 seconds, and so on.
 *
 * But why? I had a series of photos that I wanted to upload to the cloud and their timestamps did not represent the 
 * actual date when they were taken. The photos were all taken in the same day and I knew what day was that, so I just
 * needed a script to do it in batch for me. Also, files were sequentially named by the digital camera, and although I
 * didn't know the exact time of day each photo was taken, I could at least preserve the sequence, that's why I decided
 * to stamp each one second after the other, ordered by name.

luciopaiva

The aseprite docs help with building it from the command line. Here I show how to build it via CLion. It is surprinsingly simple!

First, follow the instrucions in INSTALLATION.md. I will summarize here what I had to follow when building tag v1.3-beta11:

1. Clone the repo with its submodules;
2. Either stay in the main branch or switch to the desired tag. For example, this is how I switched to v1.3-beta11:

git checkout tags/v1.3-beta11 -b v1.3-beta11

luciopaiva

General steps:

- download Microsoft Remote Desktop app on client machine (check the Apple store)
- enable remote access on host Windows (window key, type "allow remote access" to find the setting)
- test the connection using the Remote Desktop app. Notice that any current logged in users on the host machine will need to log out
- download [RDP Wrapper](https://github.com/stascorp/rdpwrap/releases) - I tested with v1.6.2. The msi installer did not work for me (got an error trying to execute it), but the zip worked fine
- unzip, run install.bat
- run the "*conf*.exe" app that comes with the zip
- it should show all green - if it shows a red "[not supported]", continue below
- get the ini file posted by Damasker [here](https://github.com/stascorp/rdpwrap/issues/1252). As instructed, run `net stop TermService`, replace the ini file in `Program Files/RDP Wrapper`, then `net start TermService`

luciopaiva

SSH tunneling quick example

General pattern:

ssh bridge-machine -L local-port:destination-machine:destination-port -N

Where bridge-machine is the machine providing an ssh server that will act as a bridge to the destionation-machine. The destionation machine could be, for instance, a database, a Redis server, etc, that is not accessible from your network, but is accessible via another server (the bridge) that you are able to access via SSH.

I always forget which port is the local one is which is the remote. One nice mnemonic is to remember that Left is Local, Right is Remote.