
Nicolas Falliere nfalliere

View AndroidGlobalAnalysis.py
#?description=Perform a global analysis on a dex unit and display decompilation events
#?shortcut=
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code import DecompilationOptions, DecompilationContext
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit, IDexDecompilerUnit
"""
Sample script for JEB Decompiler.
View genUserFriendlySig.py
# Dalvik/JVM single-letter type descriptors mapped to Java primitive type names.
letterToPrim = dict(
    Z='boolean',
    B='byte',
    C='char',
    S='short',
    I='int',
    J='long',
    F='float',
    D='double',
)
nfalliere / DartSnapshotHashToVersionTag.txt
Created October 12, 2022 23:23
List of Dart snapshot version hash (internal version) to version tag (public git tag)
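# note: the hash is located at offset 0x14, after the int32 magic (0xDCDCF5F5), int64 size, and int64 snapshot kind fields.
# note: a hash is not unique to one tag (d120342d48b35fc67901acb723bb6e9f below maps to both 2.0.0-dev.0.0 and 2.0.0-dev.0.1), so treat a match as a set of candidate versions.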
# snapshot_hash,dart_version_tag
19ac30c2bacca37ef7691604e75be559,2.0.0
d120342d48b35fc67901acb723bb6e9f,2.0.0-dev.0.0
d120342d48b35fc67901acb723bb6e9f,2.0.0-dev.0.1
53db5f61774a5fbc5ee04696b38726f8,2.0.0-dev.1.0
3cebf13e885ccde5bf5d36d308390ddf,2.0.0-dev.10.0
4980a5a9e7247ed5f306c8c565d193cc,2.0.0-dev.11.0
8ed2b9130065c72a181a9a40e17387bd,2.0.0-dev.12.0
42c99258b896ea28162a3634ab9893c3,2.0.0-dev.13.0
nfalliere / extzips.py
Created March 30, 2022 17:55
Extract the zip files that are contained in a binary file (e.g. memory dump)
#!/usr/bin/env python
import os
import sys
from struct import unpack
def extract(buf, ibeg, iend):
name = 'sub%08X.zip' % ibeg
print('Dumping: %s' % name)
nfalliere / gist:a8723af39762db6263bae870ab4b63d6
Created December 8, 2021 17:13
JEB EVM decompiler, special conversions
Initially, the following opcodes are converted by default to equivalent pseudo-methods (FOO -> FOO()):
SIGNEXTEND
STOP
ADDMOD
MULMOD
SHA3/KECCAK256
ADDRESS
BALANCE
ORIGIN
CALLER
View PrintDexOverrides.py
#?description=
#?shortcut=
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
from com.pnfsoftware.jeb.core.actions import Actions, ActionContext, ActionOverridesData
class PrintDexOverrides(IScript):
def run(self, ctx):
prj = ctx.getMainProject()
View PrintDexHierarchy.py
#?description=
#?shortcut=
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
from com.pnfsoftware.jeb.core.actions import ActionContext, ActionTypeHierarchyData, Actions
class PrintDexHierarchy(IScript):
def run(self, ctx):
prj = ctx.getMainProject()
nfalliere / DGReplaceApiCalls.py
Last active August 29, 2022 03:14
Updated script, will go in JEB 4.4
from com.pnfsoftware.jeb.core.units.code.android.ir import AbstractDOptimizer, IDVisitor
from com.pnfsoftware.jeb.core.units.code.java import JavaOperatorType
'''
This JEB dexdec IR optimizer attempts to resolve the artificial Android library invocations that
Android app protectors add in order to hamper the string auto-decryption process.
This Python plugin is executed during the decompilation pipeline of a method.
Needs JEB 4.2 or above.
View RenameRoutines.py
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units import INativeCodeUnit
from com.pnfsoftware.jeb.core.units.code import ICodeUnit
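class RenameRoutines(IScript):
    """Sample JEB client script: rename a native routine identified by its address."""

    def run(self, ctx):
        """Rename the routine at 0x401000 to 'foo' in the project's native code unit.

        ctx is the client context handed to the script; only getMainProject()
        is used here. Each lookup is checked so that a missing project, unit or
        routine produces a message instead of an attribute error on None.
        """
        prj = ctx.getMainProject()
        if prj is None:
            print('No project is open')
            return

        # Guard against a project that holds no native code unit.
        code = prj.findUnit(INativeCodeUnit)
        if code is None:
            print('No native code unit found in the project')
            return

        addr = 0x401000
        routine = code.getInternalMethod(addr)
        if routine is None:
            print('No routine found at address 0x%X' % addr)
            return
        routine.setName('foo')
        # ...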
View JumpTo.py
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
"""
Sample showing:
- how a script can be invoked after a cmdline-provided file has been processed by the JEB UI client
- currently, this script simply searches for a Dex code unit, attempts to find a disassembly fragment for it, and navigates to the cmdline-provided address
How to use:
$ jeb_startup_script --script=ScriptPath -- InputFile AddressToJumpTo