andrewpedia

ELF Format Cheatsheet

Introduction

Executable and Linkable Format (ELF), is the default binary format on Linux-based systems.

Compilation

Android RE using Frida

I figured that I would write down my findings somewhere since this is my first time using Frida. This won't cover installing frida, adb, apktool because these are well covered in other sources.

Tools

Injecting Frida gadget into APKs

This is not a tutorial, just a small guide to myself but feel free to get some infos here.

Working on an iPhone 7 running iOS 14.5.1

Jailbreak an iPhone/iPad/whatever
If necessary, you'll need to bypass Jailbreak detection for some apps with tweaks like A-Bypass, Hestia, HideJB, etc.
Get the PID of the app you want to capture traffic from with frida-ps -Ua ( a is for showing running apps only, you can -U to show all running processes instead)

Disable Device Enrollment Notification on Mac.md

Restart the Mac in Recovery Mode by holding `Comment-R` during restart

Open Terminal in the recovery screen and type

csrutil disable

	# Load the contents of the receipt file
	receipt_file = open('./receipt_data.bin', 'rb').read()

	# Use asn1crypto's cms definitions to parse the PKCS#7 format
	from asn1crypto.cms import ContentInfo
	pkcs_container = ContentInfo.load(receipt_file)

	# Extract the certificates, signature, and receipt_data
	certificates = pkcs_container['content']['certificates']
	signer_info = pkcs_container['content']['signer_infos'][0]

	const Java = require('frida-java-bridge');
	const { getApi, withRunnableArtThread, ArtStackVisitor, translateMethod } = require('frida-java-bridge/lib/android');

	Java.perform(() => {
	const AccountManager = Java.use('android.accounts.AccountManager');

	const m = AccountManager.getAccounts;
	m.implementation = function (...args) {
	console.log('getAccounts() called from: ' + JSON.stringify(captureBacktrace(), null, 2));
	return m.apply(this, args);

	"""
	This POC is based on example from https://frida.re/news/#child-gating
	and is aimed to instrument child processes along with the main one.
	"""

	from __future__ import print_function
	import frida
	from frida_tools.application import Reactor
	import threading

	scriptencoding utf-8

	" This function originates from https://www.reddit.com/r/neovim/comments/eq1xpt/how_open_help_in_floating_windows/; it isn't mine
	function! CreateCenteredFloatingWindow() abort
	let width = min([&columns - 4, max([80, &columns - 20])])
	let height = min([&lines - 4, max([20, &lines - 10])])
	let top = ((&lines - height) / 2) - 1
	let left = (&columns - width) / 2
	let opts = {'relative': 'editor', 'row': top, 'col': left, 'width': width, 'height': height, 'style': 'minimal'}

	// 打印按钮的action及其target
	function actionWithTargets(button) {
	var allTargets = [button allTargets].allObjects();
	if (!allTargets) {
	return "is not a uicontrol"
	}
	var allShow = [];
	for (var i = 0; i < allTargets.length; i++) {
	var target = allTargets[i];
	var actions = [button actionsForTarget: target forControlEvent: UIControlEventTouchUpInside];

	@echo off

	echo * WELCOME TO EMUI 9.1 Flasher by Vorion and Pretoriano80 *
	echo.
	echo Thanks to @Ante0, @Atarii, @dkionline, @frantm, @lastfuckingdroid, @Mankindtw, @Pretoriano80, @shimp208, @zanooda123
	echo ... and of course to [email protected]
	echo.
	pause
	echo.
	echo ***** PLEASE READ EVERYTHING THIS TOOLS TELLS YOU TO DO! *****