Tim Strazzere strazzere

## extract_gnu_debugdata_for_ida.sh
#!/bin/bash
# quick and dirty bash script to extract .gnu_debugdata section
# from ELF binaries to generate an IDC script that adds these
# names as symbols
# --rpw, 2020-06-21

SYMBOLFILE=debugdata_symbols.elf

if [ $# -lt 1 ]; then
	echo "you need to supply a path to a binary"

## to_decrypt
antistatic/spinnerwheel/AbstractWheel$1
antistatic/spinnerwheel/AbstractWheel$2
antistatic/spinnerwheel/AbstractWheel$3
antistatic/spinnerwheel/AbstractWheel$SavedState
antistatic/spinnerwheel/g$1
antistatic/spinnerwheel/g$2
bolts/AndroidExecutors$UIThreadExecutor
bolts/BoltsExecutors$ImmediateExecutor
bolts/CancellationTokenSource$1

## ADVDeobfuscator.py
#!/usr/bin/env python
# fsck secneo

from __future__ import print_function
from unicorn import *
from unicorn.arm_const import *
from capstone import *
import binascii

DEBUG = False

## filename_validation.py
#!/usr/bin/env python
# diff

from __future__ import print_function
from unicorn import *
from unicorn.arm_const import *
import binascii
import sys
# code to be emulated

## test.config
 # sample synergy configuration file
 #
 # comments begin with the # character and continue to the end of
 # line.  comments may appear anywhere the syntax permits.
 # +-------+  +--------+ +---------+
 # |Laptop |  |Desktop1| |iMac     |
 # |       |  |        | |         |
 # +-------+  +--------+ +---------+

 section: screens

## LocationRequest.java
// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports(3)

package com.google.android.gms.location;

import android.os.*;
import com.google.android.gms.common.internal.ReflectedParcelable;
import com.google.android.gms.common.internal.safeparcel.AbstractSafeParcelable;
import com.google.android.gms.common.internal.zzz;

## output.bash
rigby:contents diff$ ls -l
total 12600
-rw-r--r--   1 diff  staff    13268 Dec 31  1979 AndroidManifest.xml
drwxr-xr-x   6 diff  staff      204 Sep 12 14:03 META-INF
-rw-r--r--   1 diff  staff      623 Dec 31  1979 androidannotations-api.properties
drwxr-xr-x   4 diff  staff      136 Sep 12 14:03 assets
-rw-r--r--   1 diff  staff      939 Dec 31  1979 build-data.properties
-rw-r--r--   1 diff  staff  5646628 Dec 31  1979 classes.dex
drwxr-xr-x   3 diff  staff      102 Sep 12 14:03 jsr305_annotations
drwxr-xr-x   5 diff  staff      170 Sep 12 14:03 lib

## blah.c
void Log(std::string s){

    JNIEnv *env;
    g_JavaVM->GetEnv((void**)&env, JNI_VERSION_1_6);

    jstring jstr1 = env->NewStringUTF(s.c_str());

    jclass clazz = env->FindClass("diff/strazzere/secret/method");
   // Later part is dalvik notation for parameters and return value, string param and void return value here
    jmethodID mid = env->GetStaticMethodID(clazz, "methodname", "(Ljava/lang/String;)V");

## backdoor.go
package main

import (
	"fmt"
	"net"
	"os"
	"sync"
	"time"
)

## Makefile
all:
	gcc decrypt.c -I/usr/local/opt/boringssl/include -L/usr/local/opt/boringssl/lib -lcrypto -o kony_decrypt
	#!/bin/bash
	# quick and dirty bash script to extract .gnu_debugdata section
	# from ELF binaries to generate an IDC script that adds these
	# names as symbols
	# --rpw, 2020-06-21

	SYMBOLFILE=debugdata_symbols.elf

	if [ $# -lt 1 ]; then
	echo "you need to supply a path to a binary"
	antistatic/spinnerwheel/AbstractWheel$1
	antistatic/spinnerwheel/AbstractWheel$2
	antistatic/spinnerwheel/AbstractWheel$3
	antistatic/spinnerwheel/AbstractWheel$SavedState
	antistatic/spinnerwheel/g$1
	antistatic/spinnerwheel/g$2
	bolts/AndroidExecutors$UIThreadExecutor
	bolts/BoltsExecutors$ImmediateExecutor
	bolts/CancellationTokenSource$1
	#!/usr/bin/env python
	# fsck secneo

	from __future__ import print_function
	from unicorn import *
	from unicorn.arm_const import *
	from capstone import *
	import binascii

	DEBUG = False
	#!/usr/bin/env python
	# diff

	from __future__ import print_function
	from unicorn import *
	from unicorn.arm_const import *
	import binascii
	import sys
	# code to be emulated
	# sample synergy configuration file
	#
	# comments begin with the # character and continue to the end of
	# line. comments may appear anywhere the syntax permits.
	# +-------+ +--------+ +---------+
	# \|Laptop \| \|Desktop1\| \|iMac \|
	# \| \| \| \| \| \|
	# +-------+ +--------+ +---------+

	section: screens
	// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
	// Jad home page: http://www.kpdus.com/jad.html
	// Decompiler options: packimports(3)

	package com.google.android.gms.location;

	import android.os.*;
	import com.google.android.gms.common.internal.ReflectedParcelable;
	import com.google.android.gms.common.internal.safeparcel.AbstractSafeParcelable;
	import com.google.android.gms.common.internal.zzz;
	rigby:contents diff$ ls -l
	total 12600
	-rw-r--r-- 1 diff staff 13268 Dec 31 1979 AndroidManifest.xml
	drwxr-xr-x 6 diff staff 204 Sep 12 14:03 META-INF
	-rw-r--r-- 1 diff staff 623 Dec 31 1979 androidannotations-api.properties
	drwxr-xr-x 4 diff staff 136 Sep 12 14:03 assets
	-rw-r--r-- 1 diff staff 939 Dec 31 1979 build-data.properties
	-rw-r--r-- 1 diff staff 5646628 Dec 31 1979 classes.dex
	drwxr-xr-x 3 diff staff 102 Sep 12 14:03 jsr305_annotations
	drwxr-xr-x 5 diff staff 170 Sep 12 14:03 lib
	void Log(std::string s){

	JNIEnv *env;
	g_JavaVM->GetEnv((void**)&env, JNI_VERSION_1_6);

	jstring jstr1 = env->NewStringUTF(s.c_str());

	jclass clazz = env->FindClass("diff/strazzere/secret/method");
	// Later part is dalvik notation for parameters and return value, string param and void return value here
	jmethodID mid = env->GetStaticMethodID(clazz, "methodname", "(Ljava/lang/String;)V");
	all:
	gcc decrypt.c -I/usr/local/opt/boringssl/include -L/usr/local/opt/boringssl/lib -lcrypto -o kony_decrypt