Nicolas Falliere nfalliere
nfalliere
/ AndroidGlobalAnalysis.py
Created
December 1, 2022 17:19
View AndroidGlobalAnalysis.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #?description=Perform a global analysis on a dex unit and display decompilation events | |
| #?shortcut= | |
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code import DecompilationOptions, DecompilationContext | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit, IDexDecompilerUnit | |
| """ | |
| Sample script for JEB Decompiler. |
nfalliere
/ genUserFriendlySig.py
Created
October 25, 2022 16:37
View genUserFriendlySig.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| letterToPrim = { | |
| 'Z': 'boolean', | |
| 'B': 'byte', | |
| 'C': 'char', | |
| 'S': 'short', | |
| 'I': 'int', | |
| 'J': 'long', | |
| 'F': 'float', | |
| 'D': 'double', | |
| } |
nfalliere
/ DartSnapshotHashToVersionTag.txt
Created
October 12, 2022 23:23
List of Dart snapshot version hash (internal version) to version tag (public git tag)
View DartSnapshotHashToVersionTag.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # note: the hash is located at offset 0x14, after the int32 magic (0xDCDCF5F5), int64 size, and int64 snapshot kind fields. | |
| # snapshot_hash,dart_version_tag | |
| 19ac30c2bacca37ef7691604e75be559,2.0.0 | |
| d120342d48b35fc67901acb723bb6e9f,2.0.0-dev.0.0 | |
| d120342d48b35fc67901acb723bb6e9f,2.0.0-dev.0.1 | |
| 53db5f61774a5fbc5ee04696b38726f8,2.0.0-dev.1.0 | |
| 3cebf13e885ccde5bf5d36d308390ddf,2.0.0-dev.10.0 | |
| 4980a5a9e7247ed5f306c8c565d193cc,2.0.0-dev.11.0 | |
| 8ed2b9130065c72a181a9a40e17387bd,2.0.0-dev.12.0 | |
| 42c99258b896ea28162a3634ab9893c3,2.0.0-dev.13.0 |
nfalliere
/ extzips.py
Created
March 30, 2022 17:55
Extract the zip files that are contained in a binary file (e.g. memory dump)
View extzips.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os | |
| import sys | |
| from struct import unpack | |
| def extract(buf, ibeg, iend): | |
| name = 'sub%08X.zip' % ibeg | |
| print('Dumping: %s' % name) |
nfalliere
/ gist:a8723af39762db6263bae870ab4b63d6
Created
December 8, 2021 17:13
JEB EVM decompiler, special conversions
View gist:a8723af39762db6263bae870ab4b63d6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Initially, those opcodes are converted by default to equivalent pseudo-methods: FOO -> FOO(): | |
| SIGNEXTEND | |
| STOP | |
| ADDMOD | |
| MULMOD | |
| SHA3/KECCAK256 | |
| ADDRESS | |
| BALANCE | |
| ORIGIN | |
| CALLER |
nfalliere
/ PrintDexOverrides.py
Created
August 27, 2021 15:50
View PrintDexOverrides.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #?description= | |
| #?shortcut= | |
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit | |
| from com.pnfsoftware.jeb.core.actions import Actions, ActionContext, ActionOverridesData | |
| class PrintDexOverrides(IScript): | |
| def run(self, ctx): | |
| prj = ctx.getMainProject() |
nfalliere
/ PrintDexHierarchy.py
Created
August 27, 2021 15:42
View PrintDexHierarchy.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #?description= | |
| #?shortcut= | |
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit | |
| from com.pnfsoftware.jeb.core.actions import ActionContext, ActionTypeHierarchyData, Actions | |
| class PrintDexHierarchy(IScript): | |
| def run(self, ctx): | |
| prj = ctx.getMainProject() |
nfalliere
/ DGReplaceApiCalls.py
Last active
August 29, 2022 03:14
Updated script, will go in JEB 4.4
View DGReplaceApiCalls.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from com.pnfsoftware.jeb.core.units.code.android.ir import AbstractDOptimizer, IDVisitor | |
| from com.pnfsoftware.jeb.core.units.code.java import JavaOperatorType | |
| ''' | |
| This JEB's dexdec IR optimizer will attempt to resolve artificial Android library invocations added | |
| by Android app protectors, designed to hamper the string auto-decryption process. | |
| This Python plugin is executed during the decompilation pipeline of a method. | |
| Needs JEB 4.2 or above. |
nfalliere
/ RenameRoutines.py
Created
July 20, 2021 21:07
View RenameRoutines.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units import INativeCodeUnit | |
| from com.pnfsoftware.jeb.core.units.code import ICodeUnit | |
| class RenameRoutines(IScript): | |
| def run(self, ctx): | |
| prj = ctx.getMainProject() | |
| code = prj.findUnit(INativeCodeUnit) | |
| code.getInternalMethod(0x401000).setName('foo') | |
| # ... |
View JumpTo.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit | |
| """ | |
| Sample showing: | |
| - how a script can be invoked after a cmdline-provided file has been processed by the JEB UI client | |
| - currently, this script simply searches for a Dex code unit, attempts to find a disassembly fragment for it, and navigate to the cmdline-provided address | |
| How to use: | |
| $ jeb_startup_script --script=ScriptPath -- InputFile AddressToJumpTo |
NewerOlder