#!/usr/bin/env python3
'''
Consider:
pip install pure-python-adb
pip install androguard
pip install frida frida_tools
pip install pyaxml
'''
import asyncio
from thirdparty.jdwp import Jdwp, Byte, Boolean, Int, String, ReferenceTypeID
import thirdparty.sandbox as __sandbox__
from thirdparty.sandbox.repl import Repl
import thirdparty.debug.dalvik
from thirdparty.debug.dalvik.state import *
from pydantic import BaseModel
from typing import Optional, List, Tuple
# Utility imports
import multiprocessing
import pdb
from fuzzyfinder import fuzzyfinder
from pprint import pprint
'''
adb shell am set-debug-app -w sh.kau.playground ; \
adb shell am start \
-n $(adb shell cmd package resolve-activity \
-c android.intent.category.LAUNCHER sh.kau.playground | \
grep -oP 'name=\K\S+' | head -n 1 | \
sed -s 's/sh.kau.playground/sh.kau.playground\//') ; \
adb forward \
tcp:8700 \
jdwp:$(adb shell ps -A | grep sh.kau.playground | awk '{print $2}') ; \
sleep 3 && ./test.py
'''
'''
await dbg.cli_frame(26092)
await dbg.cli_frame_values(26092, 131072)
await dbg.cli_object_values()
'''
class DumbObject():
    """Plain attribute bag whose repr lists its attribute names, one per line.

    Used below as the ``bp`` namespace that main() hangs breakpoint objects
    on (``bp.fetchQuote = ...``), so ``repr(bp)`` in the REPL shows which
    breakpoints have been defined.
    """

    def __repr__(self):
        # vars(self) is the instance __dict__; iterating it yields the
        # attribute names in insertion order, which is what gets joined.
        return "\n".join(vars(self))
async def __thirdparty_sandbox_async_def(): pass
# Module-level handles are kept in global scope on purpose: the sandbox REPL
# is started with namespace=globals(), so these names are what it can reach.
bp = DumbObject()  # namespace that main() attaches breakpoint objects to
jdwp = None  # JDWP connection; bound by main() once dbg.start() has returned
dbg = thirdparty.debug.dalvik.Debugger()
dbg_state = dbg.state  # retained so reload_dbg() can build a fresh Debugger on it
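async def main(host="127.0.0.1", port=8700):
    """Attach the debugger, install the breakpoints and block until interrupted.

    Args:
        host: Address the adb-forwarded JDWP port is listening on.
        port: TCP port forwarded to the target's JDWP transport
            (``adb forward tcp:8700 jdwp:<pid>``, see the note above).

    Side effects:
        Rebinds the module-level ``jdwp`` and attaches breakpoint objects to
        the module-level ``bp`` namespace.

    Raises:
        SystemExit: on KeyboardInterrupt (see the note in the handler).
    """
    # Only jdwp is rebound here; dbg and bp are mutated through attributes,
    # so the original `global dbg` / `global bp` declarations were unused.
    global jdwp

    print(f"Connecting debugger to {host}:{port}")
    await dbg.start(host, port)
    jdwp = dbg.jdwp
    dbg.print_summary()

    async def handle_breakpoint(event, composite, args):
        # Example breakpoint callback: print where the hit occurred, wait on the
        # breakpoint object, then let the VM continue.  Not wired up below —
        # both breakpoints are created with callback=None.
        hit_bp, = args  # named so it does not shadow the module-level `bp`
        print(f"{hit_bp.location_str(event)}")
        await hit_bp.wait()
        await hit_bp.dbg.resume_vm()  # assumes the breakpoint exposes its Debugger as .dbg

    bp.fetchQuote = dbg.create_breakpoint(
        class_signature='Lsh/kau/playground/quoter/QuotesRepoImpl;',
        method_name='fetchQuote',
        method_signature='(Lkotlin/coroutines/Continuation;)Ljava/lang/Object;',
        callback=None,
    )
    await bp.fetchQuote.set_breakpoint()

    bp.quoteForTheDay = dbg.create_breakpoint(
        class_signature='Lsh/kau/playground/quoter/QuotesRepoImpl;',
        method_name='quoteForTheDay',
        method_signature='(Lkotlin/coroutines/Continuation;)Ljava/lang/Object;',
        callback=None,
    )
    # Created but not armed (the set_breakpoint call is commented out); it can
    # be enabled from the REPL via `await bp.quoteForTheDay.set_breakpoint()`.
    #await bp.quoteForTheDay.set_breakpoint()

    await dbg.resume_vm()
    try:
        print("Waiting for events... Ctrl-C to quit.")
        while True:
            await asyncio.sleep(1)
    except KeyboardInterrupt:
        # NOTE(review): under asyncio.run() on recent Pythons, Ctrl-C cancels
        # the main task (CancelledError) rather than raising KeyboardInterrupt
        # inside the coroutine, so this branch may never execute — verify on
        # the target interpreter.  SystemExit is raised directly instead of
        # calling the site-provided `exit()`, which is not guaranteed to exist
        # (e.g. under `python -S`).
        raise SystemExit(0)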
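async def main_with_sandbox(socket_path="/tmp/asyncrepl.sock"):
    """Run main() alongside an asyncio REPL server that shares this module's globals.

    Args:
        socket_path: Unix socket the REPL server listens on.  Defaults to
            ``/tmp/asyncrepl.sock`` (the value previously hard-coded here).

    NOTE(review): the REPL evaluates arbitrary Python inside this process with
    ``namespace=globals()`` — anyone able to connect to the socket gets code
    execution with this user's privileges plus the live debugger session on
    the target app.  A fixed filename in the shared, world-writable /tmp is
    reachable by every local user; prefer a path under a per-user directory
    with restrictive permissions (e.g. ``$XDG_RUNTIME_DIR``), and confirm what
    mode Repl gives the socket file before relying on it.
    """
    repl_server = Repl(namespace=globals()).start_repl_server(socket_path=socket_path)
    repl_task = asyncio.create_task(repl_server)
    debug_task = asyncio.create_task(main())
    # Awaited together: if either task raises, gather propagates the error and
    # asyncio.run() (the caller in __main__) cancels whatever is still running.
    await asyncio.gather(repl_task, debug_task)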
def reload_dbg():
    """Rebind the module-level ``dbg`` to a fresh Debugger built on the saved ``dbg_state``.

    Nothing in this file calls it; presumably invoked from the REPL.  Only
    ``dbg`` is replaced: ``jdwp`` (bound in main()) still refers to the old
    Debugger's connection, and breakpoint objects already attached to ``bp``
    likely keep their reference to the old Debugger as well.
    """
    global dbg, dbg_state
    fresh = thirdparty.debug.dalvik.Debugger(dbg_state)
    dbg = fresh
if __name__ == "__main__":
    # Entry point: drive the debugger session and the REPL server on one event loop.
    entry = main_with_sandbox()
    asyncio.run(entry)
'''
##### Misc Notes #####
pprint(list(fuzzyfinder('playground', dbg.classes_by_signature)))
# Watch for new Throwable classes.
print("EventRequest.Set(CLASS_PREPARE)")
evt_req = jdwp.EventRequest.SetRequest()
evt_req.eventKind = Byte(Jdwp.EventKind.CLASS_PREPARE)
evt_req.suspendPolicy = Byte(Jdwp.SuspendPolicy.ALL)
print(" ClassMatch = \"java.lang.Throwable\"")
mod = jdwp.EventRequest.SetClassMatchModifier()
mod.classPattern = String("java.lang.Throwable")
evt_req.modifiers.append(mod)
mod = jdwp.EventRequest.SetCountModifier()
mod.count = Int(1)
evt_req.modifiers.append(mod)
throwable_reqid = await jdwp.EventRequest.Set(evt_req)
print(f" RequestID = {throwable_reqid}")
'''