romainthomas

Keybase proof

I hereby claim:

• I am romainthomas on github.
• I am rh0main (https://keybase.io/rh0main) on keybase.
• I have a public key whose fingerprint is 15E3 4637 48FE 6F81 D8EE B0CE 1CD1 ECED EF86 C95E

To claim this, I am signing this object:

romainthomas

#!/usr/bin/env python

# Script associated with the blog post: https://lief-project.github.io/blog/2022-05-08-macho/
# It demonstrates code injection with shell-factory and LIEF

import lief
import pathlib
from pathlib import Path

CWD = Path(__file__).parent

romainthomas

LIEF::Abstract::get_symbol()
LIEF::DEX::Method::cls()
LIEF::DEX::Method::prototype()
LIEF::DEX::Prototype::return_type()
LIEF::ELF::Binary::ad_object_relocation
LIEF::ELF::Binary::dynamic_section
LIEF::ELF::Binary::get(DYNAMIC_TAGS tag)
LIEF::ELF::Binary::get(ELF_SECTION_TYPES type)
LIEF::ELF::Binary::get(NOTE_TYPES type)
LIEF::ELF::Binary::get(SEGMENT_TYPES type)

romainthomas

// Mangled as __dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ in /system/bin/linker64

template <typename F>
static void call_array(const char* array_name __unused,
                       F* functions,
                       size_t count,
                       bool reverse,
                       const char* realpath) {
  if (functions == nullptr) {
    return;

romainthomas

# Patch libg.so to remove Frida server checks
import lief
MOV_R0_ERROR = [0x4f, 0xf0, 0xff, 0x30] # MOV.W R0, #-1

PATCHES = [
    # bind() syscall
    (0x0BE000 - 2, MOV_R0_ERROR), # MOV R0, #-1
    (0x0bb2e2 - 2, MOV_R0_ERROR), # MOV R0, #-1
    (0x2518f6 - 2, MOV_R0_ERROR), # MOV R0, #-1
]

romainthomas

#include "frida-core.h"
#include "frida-gum.h"

uintptr_t handler(void) {
  auto interceptor = gum_interceptor_obtain();
  GumInvocationContext* ctx = gum_interceptor_get_current_invocation();
  uintptr_t func_addr = reinterpret_cast<uintptr_t>(gum_invocation_context_get_replacement_data(ctx));

  // Remove Frida trampoline
  gum_interceptor_begin_transaction(interceptor);

romainthomas

[30902:30902:811825000] JNIEnv: 0xf0893480
[30902:30902:129008000] 0x0b47b4 __errno()
[30902:30902:137396000] 0x0b47e0 malloc(0x2000): 0xafcb4000
[30902:30902:146810000] 0x0b4a54 socket(PF_NETLINK, SOCK_RAW, 0)
[30902:30902:178269000] 0x0b496e write(10, 0xffe858cc, 0x14):
[30902:30902:223461000] 0x0b51d4 recvfrom(10, 0xafcb4000, 0x2000): xIlo !noqueue#'$`UUUU|x'hB@:QX`@'60$$4xbond0 !noop#'$zR`bond|x'hG@:QX`@'60$$4
[30902:30902:262487000] 0x0b52ba .text!0x2a33e0 (#0) {
[30902:30902:268177000]     0x2a401c malloc(0x1b4): 0xf08bfd40
[30902:30902:514395000] }
[30902:30902:518750000] 0x0b52ba .text!0x2a33e0 (#1) {

romainthomas

diff --git a/jadx-core/src/main/java/jadx/core/Jadx.java b/jadx-core/src/main/java/jadx/core/Jadx.java
index 91ea0905..175b73ed 100644
--- a/jadx-core/src/main/java/jadx/core/Jadx.java
+++ b/jadx-core/src/main/java/jadx/core/Jadx.java
@@ -47,6 +47,9 @@ import jadx.core.dex.visitors.shrink.CodeShrinkVisitor;
 import jadx.core.dex.visitors.ssa.SSATransform;
 import jadx.core.dex.visitors.typeinference.TypeInferenceVisitor;
 
+// Deobfuscation passes
+import jadx.core.dex.visitors.deobf.DecodeStrings;

romainthomas

import arybo.lib.mba_exprs as EX
import sys
def f(x):
    v0 = ((x & 343337308) ^ 0xFFFFFFFF) & (x | 343337308)
    return v0

mba32 = MBA(32)
X = mba32.var('X')
res = f(X)
VD = res.vectorial_decomp([X])

romainthomas

#include <iostream>
#include <iomanip>
#include <cstdlib>
#include <cstdint>
#include <cstring>
#include <jni.h>
#include <set>
#include "LIEF/ELF.hpp"