Nicolas Falliere nfalliere

@nfalliere
nfalliere / JebUnitReparseExample.java
Created November 12, 2018 21:17
Sample code showing how to reparse unit's binary data as another format
// sample code, needs adjusting/customizing (see TODO tags)
// call reparse() with input information set in a ReparseInformation object
public class ReparseInformation {
    IUnit unit;
    String subUnitName;
    String wantedType;
    long offset;
    long size;
}
// reference: https://www.pnfsoftware.com/jeb/apidoc
// Print all identifiers supported by the currently instantiated JEB engines
void printAllAvailableIdentifiers(IEnginesContext engctx) {
    for (IUnitIdentifier id : engctx.getUnitIdentifiers()) {
        logger.info(id.getFormatType());
    }
}
// ... or:
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
"""
Sample showing:
- how a script can be invoked after a cmdline-provided file has been processed by the JEB UI client
- currently, this script simply searches for a Dex code unit, attempts to find a disassembly fragment for it, and navigate to the cmdline-provided address
How to use:
$ jeb_startup_script --script=ScriptPath -- InputFile AddressToJumpTo
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units import INativeCodeUnit
from com.pnfsoftware.jeb.core.units.code import ICodeUnit
class RenameRoutines(IScript):
    def run(self, ctx):
        prj = ctx.getMainProject()
        code = prj.findUnit(INativeCodeUnit)
        code.getInternalMethod(0x401000).setName('foo')
        # ...
#?description=
#?shortcut=
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
from com.pnfsoftware.jeb.core.actions import ActionContext, ActionTypeHierarchyData, Actions
class PrintDexHierarchy(IScript):
    def run(self, ctx):
        prj = ctx.getMainProject()
#?description=
#?shortcut=
from com.pnfsoftware.jeb.client.api import IScript
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
from com.pnfsoftware.jeb.core.actions import Actions, ActionContext, ActionOverridesData
class PrintDexOverrides(IScript):
    def run(self, ctx):
        prj = ctx.getMainProject()
@nfalliere
nfalliere / gist:a8723af39762db6263bae870ab4b63d6
Created December 8, 2021 17:13
JEB EVM decompiler, special conversions
Initially, those opcodes are converted by default to equivalent pseudo-methods: FOO -> FOO():
SIGNEXTEND
STOP
ADDMOD
MULMOD
SHA3/KECCAK256
ADDRESS
BALANCE
ORIGIN
CALLER
@nfalliere
nfalliere / extzips.py
Created March 30, 2022 17:55
Extract the zip files that are contained in a binary file (e.g. memory dump)
#!/usr/bin/env python
import os
import sys
from struct import unpack
def extract(buf, ibeg, iend):
    name = 'sub%08X.zip' % ibeg
    print('Dumping: %s' % name)
@nfalliere
nfalliere / DGReplaceApiCalls.py
Last active August 29, 2022 03:14
Updated script, will go in JEB 4.4
from com.pnfsoftware.jeb.core.units.code.android.ir import AbstractDOptimizer, IDVisitor
from com.pnfsoftware.jeb.core.units.code.java import JavaOperatorType
'''
This JEB's dexdec IR optimizer will attempt to resolve artificial Android library invocations added
by Android app protectors, designed to hamper the string auto-decryption process.
This Python plugin is executed during the decompilation pipeline of a method.
Needs JEB 4.2 or above.
letterToPrim = {
    'Z': 'boolean',
    'B': 'byte',
    'C': 'char',
    'S': 'short',
    'I': 'int',
    'J': 'long',
    'F': 'float',
    'D': 'double',
}