Nicolas Falliere nfalliere
nfalliere
/ AndroidGlobalAnalysis.py
Created
December 1, 2022 17:19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #?description=Perform a global analysis on a dex unit and display decompilation events | |
| #?shortcut= | |
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code import DecompilationOptions, DecompilationContext | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit, IDexDecompilerUnit | |
| """ | |
| Sample script for JEB Decompiler. |
nfalliere
/ genUserFriendlySig.py
Created
October 25, 2022 16:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| letterToPrim = { | |
| 'Z': 'boolean', | |
| 'B': 'byte', | |
| 'C': 'char', | |
| 'S': 'short', | |
| 'I': 'int', | |
| 'J': 'long', | |
| 'F': 'float', | |
| 'D': 'double', | |
| } |
nfalliere
/ DartSnapshotHashToVersionTag.txt
Last active
January 17, 2025 01:08
List of Dart snapshot version hash (internal version) to version tag (public git tag)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # note: the hash is located at offset 0x14, after the int32 magic (0xDCDCF5F5), int64 size, and int64 snapshot kind fields. | |
| # last update: 2025/01/07 | |
| # snapshot_hash,dart_version_tag | |
| 19ac30c2bacca37ef7691604e75be559,2.0.0 | |
| d120342d48b35fc67901acb723bb6e9f,2.0.0-dev.0.0 | |
| d120342d48b35fc67901acb723bb6e9f,2.0.0-dev.0.1 | |
| 53db5f61774a5fbc5ee04696b38726f8,2.0.0-dev.1.0 | |
| 3cebf13e885ccde5bf5d36d308390ddf,2.0.0-dev.10.0 | |
| 4980a5a9e7247ed5f306c8c565d193cc,2.0.0-dev.11.0 | |
| 8ed2b9130065c72a181a9a40e17387bd,2.0.0-dev.12.0 |
nfalliere
/ extzips.py
Created
March 30, 2022 17:55
Extract the zip files that are contained in a binary file (e.g. memory dump)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os | |
| import sys | |
| from struct import unpack | |
| def extract(buf, ibeg, iend): | |
| name = 'sub%08X.zip' % ibeg | |
| print('Dumping: %s' % name) |
nfalliere
/ gist:a8723af39762db6263bae870ab4b63d6
Created
December 8, 2021 17:13
JEB EVM decompiler, special conversions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Initially, those opcodes are converted by default to equivalent pseudo-methods: FOO -> FOO(): | |
| SIGNEXTEND | |
| STOP | |
| ADDMOD | |
| MULMOD | |
| SHA3/KECCAK256 | |
| ADDRESS | |
| BALANCE | |
| ORIGIN | |
| CALLER |
nfalliere
/ PrintDexOverrides.py
Created
August 27, 2021 15:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #?description= | |
| #?shortcut= | |
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit | |
| from com.pnfsoftware.jeb.core.actions import Actions, ActionContext, ActionOverridesData | |
| class PrintDexOverrides(IScript): | |
| def run(self, ctx): | |
| prj = ctx.getMainProject() |
nfalliere
/ PrintDexHierarchy.py
Created
August 27, 2021 15:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #?description= | |
| #?shortcut= | |
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit | |
| from com.pnfsoftware.jeb.core.actions import ActionContext, ActionTypeHierarchyData, Actions | |
| class PrintDexHierarchy(IScript): | |
| def run(self, ctx): | |
| prj = ctx.getMainProject() |
nfalliere
/ DGReplaceApiCalls.py
Last active
August 29, 2022 03:14
Updated script, will go in JEB 4.4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from com.pnfsoftware.jeb.core.units.code.android.ir import AbstractDOptimizer, IDVisitor | |
| from com.pnfsoftware.jeb.core.units.code.java import JavaOperatorType | |
| ''' | |
| This JEB's dexdec IR optimizer will attempt to resolve artificial Android library invocations added | |
| by Android app protectors, designed to hamper the string auto-decryption process. | |
| This Python plugin is executed during the decompilation pipeline of a method. | |
| Needs JEB 4.2 or above. |
nfalliere
/ RenameRoutines.py
Created
July 20, 2021 21:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units import INativeCodeUnit | |
| from com.pnfsoftware.jeb.core.units.code import ICodeUnit | |
| class RenameRoutines(IScript): | |
| def run(self, ctx): | |
| prj = ctx.getMainProject() | |
| code = prj.findUnit(INativeCodeUnit) | |
| code.getInternalMethod(0x401000).setName('foo') | |
| # ... |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from com.pnfsoftware.jeb.client.api import IScript | |
| from com.pnfsoftware.jeb.core.units.code.android import IDexUnit | |
| """ | |
| Sample showing: | |
| - how a script can be invoked after a cmdline-provided file has been processed by the JEB UI client | |
| - currently, this script simply searches for a Dex code unit, attempts to find a disassembly fragment for it, and navigate to the cmdline-provided address | |
| How to use: | |
| $ jeb_startup_script --script=ScriptPath -- InputFile AddressToJumpTo |
NewerOlder