I hereby claim:
- I am romainthomas on github.
- I am rh0main (https://keybase.io/rh0main) on keybase.
- I have a public key whose fingerprint is 15E3 4637 48FE 6F81 D8EE B0CE 1CD1 ECED EF86 C95E
To claim this, I am signing this object:
#!/usr/bin/env python
# Script associated with the blog post: https://lief-project.github.io/blog/2022-05-08-macho/
# It demonstrates code injection into a Mach-O binary with shell-factory and LIEF
import lief | |
import pathlib | |
from pathlib import Path | |
# Directory holding this script; used to locate the sibling inputs/outputs relative
# to the script rather than to the caller's working directory.
CWD = pathlib.Path(__file__).parent
LIEF::Abstract::get_symbol()
LIEF::DEX::Method::cls()
LIEF::DEX::Method::prototype()
LIEF::DEX::Prototype::return_type()
LIEF::ELF::Binary::add_object_relocation
LIEF::ELF::Binary::dynamic_section
LIEF::ELF::Binary::get(DYNAMIC_TAGS tag)
LIEF::ELF::Binary::get(ELF_SECTION_TYPES type)
LIEF::ELF::Binary::get(NOTE_TYPES type)
LIEF::ELF::Binary::get(SEGMENT_TYPES type)
// Mangled as __dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ in /system/bin/linker64 | |
template <typename F> | |
static void call_array(const char* array_name __unused, | |
F* functions, | |
size_t count, | |
bool reverse, | |
const char* realpath) { | |
if (functions == nullptr) { | |
return; |
# Patch libg.so to neutralize its Frida-server detection checks (each site is forced to return -1)
import lief | |
# Thumb-2 `MOV.W R0, #0xFFFFFFFF` (halfwords f04f 30ff, stored little-endian), i.e.
# MOV R0, #-1: the patched site is made to yield -1 instead of running the check.
MOV_R0_ERROR = [0x4F, 0xF0, 0xFF, 0x30]

# Addresses noted for the detection sites. They are hard-coded for one specific
# libg.so build; before applying to any other version, verify that the original
# bytes at each patch offset are the expected instruction.
_PATCH_SITES = [
    0x0BE000,  # bind() syscall
    0x0BB2E2,
    0x2518F6,
]

# (file offset, replacement bytes) pairs consumed by the patching code. The `- 2`
# rebase from the noted address to the written offset is kept from the original
# script — confirm it against the disassembly when porting to another build.
PATCHES = [(site - 2, MOV_R0_ERROR) for site in _PATCH_SITES]
#include "frida-core.h" | |
#include "frida-gum.h" | |
uintptr_t handler(void) { | |
auto interceptor = gum_interceptor_obtain(); | |
GumInvocationContext* ctx = gum_interceptor_get_current_invocation(); | |
uintptr_t func_addr = reinterpret_cast<uintptr_t>(gum_invocation_context_get_replacement_data(ctx)); | |
// Remove Frida trampoline | |
gum_interceptor_begin_transaction(interceptor); |
[30902:30902:811825000] JNIEnv: 0xf0893480 | |
[30902:30902:129008000] 0x0b47b4 __errno() | |
[30902:30902:137396000] 0x0b47e0 malloc(0x2000): 0xafcb4000 | |
[30902:30902:146810000] 0x0b4a54 socket(PF_NETLINK, SOCK_RAW, 0) | |
[30902:30902:178269000] 0x0b496e write(10, 0xffe858cc, 0x14): | |
[30902:30902:223461000] 0x0b51d4 recvfrom(10, 0xafcb4000, 0x2000): xIlo !noqueue#'$`UUUU|x'hB@:QX`@'60$$4xbond0 !noop#'$zR`bond|x'hG@:QX`@'60$$4 | |
[30902:30902:262487000] 0x0b52ba .text!0x2a33e0 (#0) { | |
[30902:30902:268177000] 0x2a401c malloc(0x1b4): 0xf08bfd40 | |
[30902:30902:514395000] } |
diff --git a/jadx-core/src/main/java/jadx/core/Jadx.java b/jadx-core/src/main/java/jadx/core/Jadx.java | |
index 91ea0905..175b73ed 100644 | |
--- a/jadx-core/src/main/java/jadx/core/Jadx.java | |
+++ b/jadx-core/src/main/java/jadx/core/Jadx.java | |
@@ -47,6 +47,9 @@ import jadx.core.dex.visitors.shrink.CodeShrinkVisitor; | |
import jadx.core.dex.visitors.ssa.SSATransform; | |
import jadx.core.dex.visitors.typeinference.TypeInferenceVisitor; | |
+// Deobfuscation passes | |
+import jadx.core.dex.visitors.deobf.DecodeStrings; |
import arybo.lib.mba_exprs as EX | |
import sys | |
def f(x):
    """Mixed boolean-arithmetic (MBA) expression handed to arybo for simplification.

    Returns ``(x | C) & ((x & C) ^ 0xFFFFFFFF)`` with ``C = 343337308``. The XOR
    against ``0xFFFFFFFF`` is a 32-bit complement, not Python's unbounded ``~``,
    so for inputs that fit in 32 bits this is the obfuscated form of ``x ^ C``;
    wider inputs are not masked and do not follow that identity. The expression
    is deliberately left in its obfuscated shape.
    """
    mask32 = 0xFFFFFFFF
    c = 343337308
    return (x | c) & ((x & c) ^ mask32)
# Symbolic evaluation of f() with arybo: a 32-bit variable X is pushed through f
# and the result is decomposed with respect to X.
mba32 = MBA(32)  # NOTE(review): MBA is not imported in this excerpt — presumably `from arybo.lib import MBA` earlier in the file; confirm
X = mba32.var('X')
res = f(X)  # symbolic result, not a concrete integer
VD = res.vectorial_decomp([X])  # decomposition w.r.t. X; contents per arybo's API — confirm before relying on its shape
#include <iostream> | |
#include <iomanip> | |
#include <cstdlib> | |
#include <cstdint> | |
#include <cstring> | |
#include <jni.h> | |
#include <set> | |
#include "LIEF/ELF.hpp" |