Skip to content

cryptax/misc-code

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

97 Commits
bianlian
bianlian
 
 
flubot
flubot
 
 
flutter
flutter
 
 
frida_hooks
frida_hooks
 
 
glucose-tools
glucose-tools
 
 
jeb
jeb
 
 
jsonpacker
jsonpacker
 
 
AlienBankbotDecrypt.py
AlienBankbotDecrypt.py
 
 
DbaXor.java
DbaXor.java
 
 
DeobfuscateZtorg.py
DeobfuscateZtorg.py
 
 
Dexunprotect.java
Dexunprotect.java
 
 
ErmacDecrypt.java
ErmacDecrypt.java
 
 
JEBAllatori.py
JEBAllatori.py
 
 
JokerDecryptPBE.java
JokerDecryptPBE.java
 
 
MoqHaoUnpacker.java
MoqHaoUnpacker.java
 
 
README.md
README.md
 
 
ReplaceAllatori.py
ReplaceAllatori.py
 
 
UnpackTousAntiCovid.java
UnpackTousAntiCovid.java
 
 
b64script.py
b64script.py
 
 
bahamutDecrypt.py
bahamutDecrypt.py
 
 
grab-oji.py
grab-oji.py
 
 
kangaunpack.py
kangaunpack.py
 
 
r2ztorg.py
r2ztorg.py
 
 
spyserv.py
spyserv.py
 
 
string-decode.py
string-decode.py
 
 
tous_decrypt.py
tous_decrypt.py
 
 

Repository files navigation

Miscellaenous code

Android/Flubot v3.6/v3.7 reverse engineering

  • ./flubot/CryptaxRocks.java: string de-obfuscation
  • ./flubot/flubot.js: Frida hook to display plaintext communication with C&C
  • ./frida-hook/michaelrocks.js: Frida hook to display de-obfuscated strings
  • ./flubot/DGA.java: standalone implementation of Flubot's DGA algorithm

Android/Ztorg reverse engineering

  • string-decode.py: standalone Python script to de-obfuscate Ztorg strings
  • DeobfuscateZtorg.py: JEB2 script to de-obfuscate Ztorg strings
  • r2ztorg.py : Radare2 r2pipe script to de-obfuscated Android/Ztorg strings

Android/MysteryBot reverse engineering

  • ReplaceAllatori.py: replace the ALLATORIxDEMO obfuscated string
  • JEBAllatori.py: de-obfuscation but not replacing

c1dd9c26671fddc83c9923493236d210d7461b29dd066f743bd4794c1d647549 (malicious Tous Anti Covid)

  • tous_anti.py: decrypt selected Base64+encrypted strings and put the result as comment

Android/Alien reverse engineering

  • aka Bankbot
  • sha256: ec3a10b4f38b45b7551807ba4342b111772c712c198e6a1a971dd043020f39a2
  • De-obfuscate strings: AlienBankbotDecrypt.py. Script for JEB4.

Android reverse engineering (general)

  • b64script.py: decode selected Base64 strings and put the result as comment

NFC Glucose sensor tools

See ./glucose-tools directory

Android/SpyAgent reverse engineering

  • spyserv.py: Dummy server to display uncompressed messages for Android malware for malware sha256: 885d07d1532dcce08ae8e0751793ec30ed0152eee3c1321e2d051b2f0e3fa3d7

Android/Oji.G!worm

  • grab-oji.py: Script to automatically grab fresh samples. This can be used to upload the samples to your favorite malware database for detection. Works as of May 7, 2021.

Android/MoqHao

Malware sha256: aad80d2ad20fe318f19b6197b76937bf7177dbb1746b7849dd7f05aab84e6724

  • MoqHaoUnpacker.java: program to unpack the sample. Provide as argument the encrypted asset. e.g. efl15a

Android/Bahamut

Malware sha256: fd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7

  • bahamutDecrypt.py: decrypts files or strings encrypted by the malware

Android/BianLian

Malware sha256: 5b9049c392eaf83b12b98419f14ece1b00042592b003a17e4e6f0fb466281368

JsonPacker

  • jsondecrypt.py: unpacked JsonPacked asset file, provided you know the short key.
  • Same, but Java implementation

Android/Joker

Malware sha256: afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f

  • JokerDecryptPBE.java

KangaPack

  • Unpacker: kangaunpack.py
  • Malware sha256: 2c05efa757744cb01346fe6b39e9ef8ea2582d27481a441eb885c5c4dcd2b65b

Flutter

  • Radare 2 plugin to process byte arrays
  • Python script to parse Flutter AOT headers
  • Python script to search for Dart object usages in Object Pool of flutter libapp.so Aarch64

About

Miscellaneous code

Resources

Readme
Activity

Stars

97 stars

Watchers

12 watching

Forks

25 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

Languages