Tim Strazzere strazzere

:shipit:
hacking intensifies
View GitHub Profile
View pmlistf
package:/data/app/org.prowl.torquescan-1/base.apk=org.prowl.torquescan
package:/system/priv-app/FontServer/FontServer.apk=com.hy.system.fontserver
package:/system/priv-app/LGStartupwizard/LGStartupwizard.apk=com.android.LGSetupWizard
package:/system/priv-app/LGVidClip/LGVidClip.apk=com.lge.videotool
package:/system/app/RootPA/RootPA.apk=com.gd.mobicore.pa
package:/data/app/com.google.android.youtube-1/base.apk=com.google.android.youtube
package:/system/app/LGWeatherService/LGWeatherService.apk=com.lge.sizechangable.weather.platform
package:/system/priv-app/LGTelephonyProvider/LGTelephonyProvider.apk=com.android.providers.telephony
package:/data/app/com.onelouder.baconreader-1/base.apk=com.onelouder.baconreader
package:/data/app/com.google.android.googlequicksearchbox-1/base.apk=com.google.android.googlequicksearchbox
View extract_gnu_debugdata_for_ida.sh
#!/bin/bash
# quick and dirty bash script to extract .gnu_debugdata section
# from ELF binaries to generate an IDC script that adds these
# names as symbols
# --rpw, 2020-06-21
SYMBOLFILE=debugdata_symbols.elf
if [ $# -lt 1 ]; then
    echo "you need to supply a path to a binary"
    exit 1  # the rest of the script is cut off in this preview
fi
@strazzere
strazzere / ADVDeobfuscator.py
Created May 17, 2018
Use unicorn to deobfuscate simple ADVobfuscator string encryptions, used by secneo
View ADVDeobfuscator.py
#!/usr/bin/env python
# fsck secneo
from __future__ import print_function
from unicorn import *
from unicorn.arm_const import *
from capstone import *
import binascii
DEBUG = False
@strazzere
strazzere / decrypt.py
Last active Mar 25, 2020
Dump encoded compress powershell stream
View decrypt.py
#!/usr/bin/python
#
#
# Decompiling something being loaded in through powershell
#
#
# diff <diff@sentinalone.com>
#
#
View to_decrypt
antistatic/spinnerwheel/AbstractWheel$1
antistatic/spinnerwheel/AbstractWheel$2
antistatic/spinnerwheel/AbstractWheel$3
antistatic/spinnerwheel/AbstractWheel$SavedState
antistatic/spinnerwheel/g$1
antistatic/spinnerwheel/g$2
bolts/AndroidExecutors$UIThreadExecutor
bolts/BoltsExecutors$ImmediateExecutor
bolts/CancellationTokenSource$1
@strazzere
strazzere / gist:506a592b44c9d228d697
Last active Jun 6, 2018
Attaching to fast loading JNI/native code from an Android app without debugging the Dalvik code
View gist:506a592b44c9d228d697
The original issue was that some applications (e.g. packers) launch the JNI/native code too quickly for a person
to attach an IDA Pro instance to the process. The original workaround was wrapping the JNI code in your own
"surrogate" application so you could load it more slowly.
The new process is to launch the Android/Dalvik activity with the debugger flag:
# adb shell am start -D com.play.goo_w/com.android.netservice.MainActivity
This puts the app into "Waiting for debugger..." mode, which starts the process and holds it there, giving you
time to attach IDA Pro to the process for the native code.
View backdoor.go
package main
import (
"fmt"
"net"
"os"
"sync"
"time"
)
View filename_validation.py
#!/usr/bin/env python
# diff
from __future__ import print_function
from unicorn import *
from unicorn.arm_const import *
import binascii
import sys
# code to be emulated
@strazzere
strazzere / diff.patch
Last active Mar 4, 2018
rsakeyfinder
View diff.patch
[35%]tstrazzere@bebop:[rsakeyfind] $ diff rsakeyfind.cpp-fixed rsakeyfind/rsakeyfind.cpp-original
colordiff 1.0.10 (http://colordiff.sourceforge.net/)
(C)2002-2012 Dave Ewart, davee@sungate.co.uk
4,5d3
<
< #include <unistd.h>
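Review bot: the diff direction is reversed relative to a normal patch, since the command on the prompt line puts the fixed file on the left (`diff rsakeyfind.cpp-fixed ... rsakeyfind.cpp-original`), so the `<` lines in this hunk are what the fix adds, not what it removes; anyone applying it with patch would have to use `patch -R` or regenerate it as `diff original fixed`. The addition itself, `#include <unistd.h>`, is the POSIX header that declares read(), close() and lseek(), so it is the right include if those calls were previously compiling only by accident.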
8a7
> #include <fcntl.h>
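Review bot: this hunk drops `#include <fcntl.h>` from the fixed version, which only builds cleanly if no open() call or O_* flag is left in the file; the preview is truncated right after this hunk, so confirm that before merging, and keep the include if open() is still used.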
View test.config
# sample synergy configuration file
#
# comments begin with the # character and continue to the end of
# line. comments may appear anywhere the syntax permits.
# +-------+ +--------+ +---------+
# |Laptop | |Desktop1| |iMac     |
# |       | |        | |         |
# +-------+ +--------+ +---------+
section: screens