Skip to content

Instantly share code, notes, and snippets.

View SeeFlowerX's full-sized avatar

SeeFlowerX SeeFlowerX

495 followers · 294 following
View GitHub Profile
@SeeFlowerX
SeeFlowerX / demo.py
Last active April 25, 2021 03:40
20210424解题
# 算法还原
import binascii
from Crypto.Cipher import AES
from Crypto.Util import Padding
def get_cipher():
key = b'goodl-aes-key124'
iv = b'goodl-aes-iv1235'
return AES.new(key, AES.MODE_CBC, iv=iv)
@SeeFlowerX
SeeFlowerX / poxy_star.js
Created July 16, 2021 15:23
libpoxy_star.so分析hook脚本
let jni_struct_array = [
"reserved0", "reserved1", "reserved2", "reserved3", "GetVersion", "DefineClass", "FindClass", "FromReflectedMethod", "FromReflectedField", "ToReflectedMethod", "GetSuperclass", "IsAssignableFrom", "ToReflectedField", "Throw", "ThrowNew",
"ExceptionOccurred", "ExceptionDescribe", "ExceptionClear", "FatalError", "PushLocalFrame", "PopLocalFrame", "NewGlobalRef", "DeleteGlobalRef", "DeleteLocalRef", "IsSameObject", "NewLocalRef", "EnsureLocalCapacity", "AllocObject", "NewObject",
"NewObjectV", "NewObjectA", "GetObjectClass", "IsInstanceOf", "GetMethodID", "CallObjectMethod", "CallObjectMethodV", "CallObjectMethodA", "CallBooleanMethod", "CallBooleanMethodV", "CallBooleanMethodA", "CallByteMethod", "CallByteMethodV",
"CallByteMethodA", "CallCharMethod", "CallCharMethodV", "CallCharMethodA", "CallShortMethod", "CallShortMethodV", "CallShortMethodA", "CallIntMethod", "CallIntMethodV", "CallIntMethodA", "CallLongMethod", "CallLongMethodV", "CallLongMethodA",
"CallFloatMet
@SeeFlowerX
SeeFlowerX / fmt_log.js
Created July 23, 2021 01:30
针对自定义格式化输出函数的hook,直接打印结果而不关心最后的输出逻辑
let funcs = {};
let sprintf_ptr = Module.findExportByName("libc.so", "sprintf");
Interceptor.attach(base_addr.add(0x58E490), {
onEnter: function (args) {
let fmt = args[1].readUtf8String();
let count = (fmt.split("%%").join("").match(/%/g) || []).length;
if(count == 0) return;
if (!funcs[count]){
funcs[count] = new NativeFunction(sprintf_ptr, 'int', new Array(2 + count).fill("pointer"));
}
@SeeFlowerX
SeeFlowerX / nativeGenerate2.java
Last active November 12, 2023 05:50
unidbg通过签名调用native方法,这样不用去看方法的地址是多少~~
public void nativeGenerate2() {
System.out.println("start call nativeGenerate2");
DvmClass SecureNative_cls = vm.resolveClass("com/xunmeng/pinduoduo/secure/SecureNative");
DvmObject<?> context = vm.resolveClass("android/content/Context").newObject(null);
int context_ptr = vm.addLocalObject(context);
int str1_ptr = vm.addLocalObject(new StringObject(vm, ""));
int str2_ptr = vm.addLocalObject(new StringObject(vm, "Ck5UqWFzreofeABcWvkAAg=="));
int str3_ptr = vm.addLocalObject(new StringObject(vm, "1Hdy4cQW"));
int str4_ptr = vm.addLocalObject(new StringObject(vm, "/storage/emulated/0"));
int str5_ptr = vm.addLocalObject(new StringObject(vm, "version=134&info=g6iUSuzNlWeDi%2FxPng%2FN%2B8ZyQEP%2FnQuHC42hkmSWvCOg79IqfkRW5Lu3jsAh0QwizbgZZSg1FOEI%0Ao4R%2F6pw6XXsv%2FxH%2FzUDXzxJ5UXUYGMSYhF%2BULFIhbWMihyiUWSRA%2FamuTFPOOd17oppNLL6QvlSp%0A9rC2BHcgOMfMaYgq0uuiVDJB4cXNREX10fgGf20jz56kh%2B6ejh1iHIEYffs3OKbtp9M7FqmSpiQY%0AuAHzn7rCorHuZDP8tyvStvBqpdDxO92eeEt%2BprLDqsM1HfA%2BX3ItGURbaT4%2BQ
@SeeFlowerX
SeeFlowerX / trace_smali.js
Created October 30, 2021 12:05
frida跟踪应用中所有运行在解释模式的java函数
// from https://bbs.pediy.com/thread-263210.htm
function hook_Impl() {
var module_libart = Process.findModuleByName("libart.so");
var symbols = module_libart.enumerateSymbols();
var ArtMethod_ExecuteSwitchImpltt = null;
var ArtMethod_ExecuteSwitchImpltf = null;
var ArtMethod_ExecuteSwitchImplff = null;
var ArtMethod_ExecuteMterpImpl = null;
//_ZN3art11interpreter17ExecuteSwitchImplILb1ELb1EEENS_6JValueEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameES2_b ; art::interpreter::ExecuteSwitchImpl<true,true>(art::Thread *,art::DexFile::CodeItem const*,art::ShadowFrame &,art::JValue,bool)
@SeeFlowerX
SeeFlowerX / cc
Created November 3, 2021 04:33
cc
MODEL=Pixel 4
PRODUCT=flame
DEVICE=flame
FINGERPRINT=google/flame/flame:10/QQ1B.200105.004/6031802:user/release-keys
MANUFACTURER=Google
BRAND=google
@SeeFlowerX
SeeFlowerX / dx_jar2dex.bat
Last active June 13, 2022 15:45
将此bat放入Android Sdk的build-tools/{版本号}文件夹下 然后把jar拖到bat上即可转换到dex,原dx.bat逻辑和命令有问题,改了下方便转换,记得修改JAVA_HOME。
@echo off
setlocal
set prog=%~f0
set JAVA_HOME=C:\Users\see\Documents\android-studio\jre
set java_exe=%JAVA_HOME%\bin\java.exe
set jarfile=dx.jar
@SeeFlowerX
SeeFlowerX / fuzzing.md
Created November 19, 2021 06:35
fuzz资料
@SeeFlowerX
SeeFlowerX / UiccUnlock.cpp
Created November 19, 2021 07:12 — forked from tewilove/UiccUnlock.cpp
#include <android/log.h>
#include <jni.h>
#include <binder/Binder.h>
#include <binder/Parcel.h>
#include <binder/IServiceManager.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@SeeFlowerX
SeeFlowerX / qbdi_android.cpp
Created November 22, 2021 01:52 — forked from romainthomas/qbdi_android.cpp
QBDI API example
#include <iostream>
#include <iomanip>
#include <cstdlib>
#include <cstdint>
#include <cstring>
#include <jni.h>
#include <set>
#include "LIEF/ELF.hpp"