Yuriy Mysochenko sdex

Top HN posts

Android Phantom, Cached And Empty Processes

This has been moved to https://github.com/agnostic-apollo/Android-Docs/blob/master/en/docs/apps/processes/phantom-cached-and-empty-processes.md

Some important headings are kept so that users can redirect to new link if they land here.

Русская шпаргалка по Smali

Приветствую, любители реверс-инжинирить Android. Перед вами шпаргалка по Smali - аналогу ассемблера для Android-приложений.

Изначальный текст на русском взят отсюда. Там текст появился из машинного перевода официальной документации.

В итоге, оформил сухой текст + поправил небольшие опечатки и корявости перевода. По поводу замечаний и предложений можете писать либо мне в ЛС, либо оформлять PR на Gist.

	console.log("[*] SSL Pinning Bypasses");
	console.log(`[*] Your frida version: ${Frida.version}`);
	console.log(`[*] Your script runtime: ${Script.runtime}`);

	/**
	* by incogbyte
	* Common functions
	* thx apkunpacker, NVISOsecurity, TheDauntless
	* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
	* !!! THIS SCRIPT IS NOT A SILVER BULLET !!

	/**
	* Use this [ActivityResultContract] to seamlessly switch between
	* the new [MediaStore.ACTION_PICK_IMAGES] and [Intent.ACTION_GET_CONTENT]
	* based on the availability of the Photo Picker.
	*
	* Use [PickMultipleImages] if you'd like the user to be able to select multiple
	* photos/videos.
	*
	* Input: the mimeType you'd like to receive. This should generally be
	* either `image/\` or `video/\` for requesting only images or only videos

	# https://securitychops.com/2019/08/31/dev/random/one-liner-to-install-burp-cacert-into-android.html
	#
	curl --proxy http://127.0.0.1:8080 -o cacert.der http://burp/cert \
	&& openssl x509 -inform DER -in cacert.der -out cacert.pem \
	&& cp cacert.der $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0 \
	&& adb root \
	&& adb remount \
	&& adb push $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0 /sdcard/ \
	&& echo -n "mv /sdcard/$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0 /system/etc/security/cacerts/" \| adb shell \
	&& echo -n "chmod 644 /system/etc/security/cacerts/$(openssl x509 -inform PEM -subject_hash_old -in cacert.pem \|head -1).0" \| adb shell \

	// $ frida -l antiroot.js -U -f com.example.app --no-pause
	// CHANGELOG by Pichaya Morimoto ([email protected]):
	// - I added extra whitelisted items to deal with the latest versions
	// of RootBeer/Cordova iRoot as of August 6, 2019
	// - The original one just fucked up (kill itself) if Magisk is installed lol
	// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
	// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
	Java.perform(function() {

	var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",

	/* Android ssl certificate pinning bypass script for various methods
	by Maurizio Siddu

	Run with:
	frida -U -f <APP_ID> -l frida_multiple_unpinning.js [--no-pause]
	*/

	setTimeout(function() {
	Java.perform(function() {
	console.log('');

Yuriy Mysochenko sdex

Android Phantom, Cached And Empty Processes

Русская шпаргалка по Smali

Общая информация

Виды(Types)

	// start with:
	// frida -U -l pinning.js -f [APP_ID] --no-pause

	Java.perform(function () {
	console.log('')
	console.log('===')
	console.log('* Injecting hooks into common certificate pinning methods *')
	console.log('===')

	var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');

	import android.annotation.SuppressLint;
	import android.media.MediaCodec;
	import android.media.MediaExtractor;
	import android.media.MediaFormat;
	import android.media.MediaMetadataRetriever;
	import android.media.MediaMuxer;
	import android.util.Log;

	import java.io.IOException;
	import java.nio.ByteBuffer;