Skip to content

Instantly share code, notes, and snippets.

View enovella's full-sized avatar
🏊‍♂️
Swimming oceans

Eduardo Novella enovella

🏊‍♂️
Swimming oceans
View GitHub Profile

Zimperium zShield RE Notes

Newer versions of the Rabbit R1's APK are protected by https://www.zimperium.com/zshield/ (I don't know this for certain, somebody told me it is but I haven't really seen any identifying marks in the code yet)

Interesting assets within the APK:

lib/arm64-v8a/liboptipkawfn.so    ~3MB packed/encrypted ELF
assets/optipkawfn/0.odex          only 41 bytes (EDIT: I think this is part of an asset obfuscation scheme, the real file contents are likely elsewhere - inside the .szip maybe?)
assets/optipkawfn.szip ~8MB - I predict containing encrypted+compressed bytecode
@enovella
enovella / simpleceptor-arm.ts
Created September 17, 2023 17:51 — forked from oleavr/simpleceptor-arm.ts
Simplified Interceptor reimplemented in TypeScript
const THUMB_HOOK_REDIRECT_SIZE = 8;
const THUMB_BIT_REMOVAL_MASK = ptr(1).not();
const trampolines: NativePointer[] = [];
const replacements: NativePointer[] = [];
export function makeTrampoline(target: NativePointer): NativePointer {
const targetAddress = target.and(THUMB_BIT_REMOVAL_MASK);
const trampoline = Memory.alloc(Process.pageSize);
@enovella
enovella / EachDirectoryPath.md
Created September 13, 2023 10:22 — forked from granoeste/EachDirectoryPath.md
[Android] How to get the each directory path.

System directories

Method Result
Environment.getDataDirectory() /data
Environment.getDownloadCacheDirectory() /cache
Environment.getRootDirectory() /system

External storage directories

@enovella
enovella / mixunpin.js
Created December 13, 2022 16:16 — forked from incogbyte/mixunpin.js
Frida script to bypass common methods of sslpining Android
console.log("[*] SSL Pinning Bypasses");
console.log(`[*] Your frida version: ${Frida.version}`);
console.log(`[*] Your script runtime: ${Script.runtime}`);
/**
* by incogbyte
* Common functions
* thx apkunpacker, NVISOsecurity, TheDauntless
* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
* !!! THIS SCRIPT IS NOT A SILVER BULLET !!
@enovella
enovella / DexGuardStringDecoder.java
Created February 4, 2016 22:45 — forked from AKosterin/DexGuardStringDecoder.java
JEB Plugin for decrypt DexGuard encrypted Strings.
import jeb.api.IScript;
import jeb.api.JebInstance;
import jeb.api.ast.*;
import jeb.api.ast.Class;
import jeb.api.dex.Dex;
import jeb.api.dex.DexCodeItem;
import jeb.api.dex.DexFieldData;
import jeb.api.dex.DexMethod;
import jeb.api.ui.JavaView;
import jeb.api.ui.View;