Let's say you want to access the application shared preferences in /data/data/com.mypackage.
You could try to run adb shell and then run-as com.mypackage
( or adb shell run-as com.mypackge ls /data/data/com.mypackage/shared_prefs),
but on a production release app downloaded from an app store you're most likely to see:
run-as: Package 'com.mypackage' is not debuggable
| #!/bin/bash | |
| # sudo apt install iw curl jq | |
| ALIVE="$1" | |
| check_public_ip() { | |
| INTERFACE="$1" | |
| PUBLIC_IP=$(curl -s https://httpbin.org/ip | jq -r .origin) | |
| if ! [[ -z $PUBLIC_IP ]]; then | |
| echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE" | |
| fi |
If you run Ghidra on a high DPI screen, you will probably find the GUI to be scaled down so small to be almost of no use.
There is a setting that you can adjust to scale the Ghidra GUI:
in $GHIDRA_ROOT/support is a file named launch.properties. In this launch.properties file is the following configuration key:
VMARGS_LINUX=-Dsun.java2d.uiScale=1
| # this command searches all PHP files in a directory for vulnerable shell functions | |
| egrep -r --include "*.php" -e "(system|exec|popen|pcntl_exec|proc_open)\(" . | |
| # this command searches all PHP files in a directory for certain vulnerable php execution functions | |
| egrep -r --include "*.php" -e "(eval|assert|preg_replace)\(" . | |
| # this command returns instances where variables are echoed out without htmlspecialchars() | |
| # it can be useful for finding XSS vulnerabilities in PHP code | |
| egrep -r --include "*.php" -e "echo\s*\\$.*;" . |
| # this command will return instances where the child_process module is loaded. | |
| # that module is generally a good signal that the application is shelling out | |
| egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "require(\s*)\((\s*)'child_process'(\s*))" . | |
| # this command will return instances where code is dynamically executed. | |
| egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "eval(\s*)\(" . | |
| # this command will check common dangerous functions and report when strings are arguments | |
| egrep -r --exclude-dir "node_modules" --include "*.js" --exclude "*.min.*" -e "(setInterval|setTimeout|new(\s*)Function)(\s*)\((\s*)\".*\"" . |
This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.
I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-o, or PE header to describe the binary.
While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.
I recently ran into a situation where binwalk -M -e $FIRMWARE failed me. This was for a Netgear firmware image that ended in a .chkextension.
The firmware file name was R7960P-V1.0.1.34_1.0.20.chk.
This is the output when I ran binwalk R7960P-V1.0.1.34_1.0.20.chk:
$ binwalk R7960P-V1.0.1.34_1.0.20.chk
| #!/bin/sh | |
| # | |
| # A Small Shell script to check a binary for different microcontroller cpu architectures. | |
| # | |
| # This works by importing the binary into a project in Ghidra | |
| # And then iteratively attempting to analyze chunks of the binary firmare | |
| # all while timing the analysis. | |
| # | |
| # The theory is Ghidra should take noticeably longer to analyze a valid |
I've recently been working on JavaScript Obfuscation. I've read as much as I can from the internet about options and capabilities. It is clear there is one winner out of all the offerings available.
JScrambler (https://jscrambler.com/) is a paid product featuring JavaScript Obfuscation capabilities. When it comes to obfuscating JavaScript, it is the gold standard.
This is what the internet proclaimed as I read it [1]. However, it was truly difficult to assess how accurate these claims are; essentially the only public obfuscation examples they provide are:
https://jscrambler.com/products/code-integrity/javascript-obfuscation
There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.
These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.
The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.