SeeFlowerX SeeFlowerX
SeeFlowerX
/ gist:b82dd134bb3b19a5e2668cafd92af8da
Created
July 11, 2022 06:23
— forked from floyd-fuh/gist:7a7d4c4aa0d479a1562feb962a579448
Automate fix on https://httptoolkit.tech/blog/chrome-android-certificate-transparency/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # see https://httptoolkit.tech/blog/chrome-android-certificate-transparency/ | |
| # put your Burp cacert.der in the current working directory! | |
| FINGERPRINT=`openssl x509 -in cacert.der -inform der -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` | |
| echo "chrome --ignore-certificate-errors-spki-list=$FINGERPRINT" > chrome.sh | |
| adb push chrome.sh /data/local/tmp/chrome.sh | |
| adb shell su -c cp /data/local/tmp/chrome.sh /data/local/chrome-command-line | |
| adb shell su -c cp /data/local/tmp/chrome.sh /data/local/android-webview-command-line |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| from pathlib import Path | |
| import idautils | |
| import ida_nalt | |
| def get_libc_import(): | |
| info = {} | |
| nimps = ida_nalt.get_import_module_qty() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function get_call_function() { | |
| var call_function_addr = null; | |
| var symbols = Process.getModuleByName("linker").enumerateSymbols(); | |
| for (var m = 0; m < symbols.length; m++) { | |
| if (symbols[m].name == "__dl__ZL13call_functionPKcPFviPPcS2_ES0_") { | |
| call_function_addr = symbols[m].address; | |
| console.log("found call_function_addr => ", call_function_addr) | |
| hook_call_function(call_function_addr) | |
| } | |
| } |
SeeFlowerX
/ disable-flutter-tls.js
Created
August 19, 2022 02:39
https://github.com/NVISOsecurity/disable-flutter-tls-verification/blob/main/disable-flutter-tls.js
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| A Frida script that disables Flutter's TLS verification | |
| This script works on Android x86, Android x64 and iOS x64. It uses pattern matching to find [ssl_verify_peer_cert in handshake.cc](https://github.com/google/boringssl/blob/master/ssl/handshake.cc#L323) | |
| If the script can't find ssl_verify_peer_cert, please create an issue at https://github.com/NVISOsecurity/disable-flutter-tls-verification/issues | |
| */ | |
| var TLSValidationDisabled = false; | |
| var secondRun = false; | |
| if (Java.available) { | |
| console.log("[+] Java environment detected"); |
SeeFlowerX
/ gen_frida.py
Last active
April 22, 2024 05:59
IDA插件,用于生成 frida hook 代码,放入plugins目录后,手动在插件菜单激活然后右键双击、选中释放;或者直接在汇编界面右键使用,选择GenFrida
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from typing import TYPE_CHECKING | |
| if TYPE_CHECKING: | |
| from ida_hexrays import cfunc_t | |
| from ida_kernwin import view_mouse_event_t | |
| import idc | |
| import idaapi | |
| import ida_lines |
SeeFlowerX
/ hook_snprintf_with_filter.js
Last active
December 28, 2022 07:06
有时候想hook一下libc中的函数,但是调用太多分不出来,我们可以使用lr来判断,通过下面的typescript脚本实现了对来自特定so特定偏移的调用;如果要直接获取lr信息,可以使用get_lr_info
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // 有时候想hook一下libc中的函数,但是调用太多分不出来,我们可以使用lr来判断,通过下面的typescript脚本实现了对来自特定so特定偏移的调用 | |
| function hook_snprintf(){ | |
| let libc = Process.getModuleByName("libc.so"); | |
| let libdemo = Process.getModuleByName("libdemo.so"); | |
| let symbol = "snprintf"; | |
| let symbol_addr = libc.getExportByName(symbol); | |
| log(`[${symbol}_addr] ${symbol_addr}`); | |
| Interceptor.attach(symbol_addr, { | |
| onEnter: function(args){ | |
| this.result = args[0]; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let mem_regions = []; | |
| function read_maps(){ | |
| let libc = Process.getModuleByName("libc.so"); | |
| let fopen = new NativeFunction(libc.getExportByName("fopen"), "pointer", ["pointer", "pointer"]); | |
| let fgets = new NativeFunction(libc.getExportByName("fgets"), "pointer", ["pointer", "int", "pointer"]); | |
| let fclose = new NativeFunction(libc.getExportByName("fclose"), "int", ["pointer"]); | |
| let filepath = Memory.allocUtf8String("/proc/self/maps"); | |
| let mode = Memory.allocUtf8String("r"); | |
| let file = fopen(filepath, mode); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| set TmpRoot=%~dp0tmproot | |
| set TmpSys=%TmpRoot%\System32 | |
| set RealSys=%SystemRoot%\System32 | |
| if exist %TmpRoot% ( | |
| RMDIR /Q /S %TmpRoot% | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .PHONY: all | |
| all: ebpf assets build | |
| @echo $(shell date) | |
| .ONESHELL: | |
| SHELL = /bin/bash | |
| # export PATH=/home/kali/Desktop/android-ndk-r25b/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH | |
| # export PATH=/home/kali/Desktop/android-ndk-r23c/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH | |
| GOARCH = arm64 |
SeeFlowerX
/ tmp.log
Created
November 10, 2022 15:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| stack_2022/11/10 15:10:32 StackMod module initialization | |
| stack_2022/11/10 15:10:32 StackMod Module.Run() | |
| stack_2022/11/10 15:10:32 StackMod BPF bytecode filename:user/bytecode/stack.o | |
| stack_2022/11/10 15:10:32 StackMod module started successfully | |
| stack_2022/11/10 15:10:32 start 1 modules | |
| stack_2022/11/10 15:10:33 PID:4524, Comm:com.sfx.ebpf, TID:4524, Regs: | |
| {"lr":"0x762ab3ac34","pc":"0x76557a1e50","sp":"0x7fdb20faa0","x0":"0x4b","x1":"0xb4000074e863e228","x10":"0x13559d4a5bcacde9","x11":"0x6","x12":"0xef5d","x13":"0x110ef0109a7f","x14":"0x7fdb20fef0","x15":"0x0","x16":"0x762ab50208","x17":"0x76557a1e50","x18":"0x7658bba000","x19":"0xb4000073c86823d0","x2":"0x928","x20":"0xb4000074e863e228","x21":"0xb4000074e863eba0","x22":"0xb4000074e863ebd0","x23":"0xb4000074e863e210","x24":"0xb4000074e863e22c","x25":"0xb4000074e863e228","x26":"0x2aaaaaaaaaaaaaab","x27":"0x762ab1006c","x28":"0xffffffff","x29":"0x7fdb20faa0","x3":"0x40","x4":"0x0","x5":"0x0","x6":"0x313c","x7":"0x309ff","x8":"0x0","x9":"0xb4000074e863ee50"} | |
| S |