Stars: 120
Rank: 290,054 (Top 6 %)
Language: Java
Created: almost 3 years ago
Updated: about 1 year ago


Repository Details

An optimized build of FART that implements deeper active calling. For AOSP 10.

FartExt

An optimized build of FART that implements deeper active calling, in order to unpack "extraction" style packers (packers that strip method code out of the dex and restore it only at run time). For AOSP 10.

My test build is Android 10 r2 and the test phone is a Pixel 3. If you need another version, build it yourself.

The build was made from the sailfish Pixel binaries for Android 10.0.0 (QP1A.191005.007.A1).

Download

Link: https://pan.baidu.com/s/1lgG8P3H2Q5B6e7rZr58cXw  Password: 033p

Usage

1. Full active calling

echo "packageName" > /data/local/tmp/fext.config

Open the app; after a 60 second wait the full active call of every class begins.

Watch the log with adb logcat | grep fartext. When "fart over" appears, unpacking has finished.

2. Active calling of specified classes

Write the names of all classes to be dumped into /data/local/tmp/<package name of the target process>, one per line.

Either the Java form com.myClass or the dex descriptor form Lcom/myClass; is accepted; the ROM parses both itself.

3. Triggering from frida

The "rom active call" entry under the fart feature of fridaUiTools can trigger it.


You can also use your own frida script:

// Log helper: the original snippet calls klog() but never defines it.
function klog(msg){
    console.log("[fartext] " + msg);
}

// Active-call only the listed classes through the ROM's cn.mik.Fartext hook.
// `classes` is handed straight to fartWithClassList; the README accepts both
// the com.myClass and the Lcom/myClass; spelling.
function romClassesInvoke(classes){
    Java.perform(function(){
        klog("romClassesInvoke start load");
        var fartExt;
        try{
            fartExt=Java.use("cn.mik.Fartext");
        }catch(e){
            // Java.use throws when the class is absent, i.e. a stock ROM.
            klog("cn.mik.Fartext not found, the ROM is probably not built with FartExt");
            return;
        }
        if(!fartExt.fartWithClassList){
            klog("fartWithClassList not found in fartExt, the ROM is probably not built with FartExt");
            return;
        }
        fartExt.fartWithClassList(classes);
    });
}

// Hand every ClassLoader in the process except the BootClassLoader to
// fartWithClassLoader, so classes loaded by the packer's own loaders are
// active-called as well.
function romFartAllClassLoader(){
    Java.perform(function(){
        var fartExt;
        try{
            fartExt=Java.use("cn.mik.Fartext");
        }catch(e){
            klog("cn.mik.Fartext not found, the ROM is probably not built with FartExt");
            return;
        }
        if(!fartExt.fartWithClassLoader){
            klog("fartWithClassLoader not found in fartExt, the ROM is probably not built with FartExt");
            return;
        }
        Java.enumerateClassLoadersSync().forEach(function(loader){
            klog("romFartAllClassLoader to loader:"+loader);
            if(loader.toString().indexOf("BootClassLoader")==-1){
                klog("fart start loader:"+loader);
                fartExt.fartWithClassLoader(loader);
            }
        });
    });
}

4. Repairing the dex

The unpacking result is saved under /sdcard/fext/<package name of the target process>.

Repair it with dexfixer:

java -jar ./dexfixer.jar dexpath binpath outpath

Or use the helper function in fridaUiTools to repair it.


5. Viewing the logs

Searching logcat for fartext finds every related log line.
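The steps above can be driven end to end from the host. The script below is an added example, not FartExt's own tooling: it writes the config file, launches the app, polls logcat for the "fart over" marker, pulls the dump and runs dexfixer over it. Everything it assumes beyond the README is marked as an assumption in the comments: that dexfixer.jar sits in the current directory, that every dumped <name>.dex has a companion <name>.bin which dexfixer consumes as binpath, and that /sdcard/fext/<pkg> can be pulled with adb.

```shell
#!/bin/sh
# Added example (not FartExt's own code): drive a full active-call dump over
# adb and repair the result with dexfixer, following README steps 1, 2, 4, 5.
# Assumptions not stated in the README: dexfixer.jar is in the current
# directory, each dumped <name>.dex has a companion <name>.bin that dexfixer
# takes as binpath, and /sdcard/fext/<pkg> is reachable through adb pull.
set -u

FEXT_CONFIG=/data/local/tmp/fext.config
FEXT_DUMP_ROOT=/sdcard/fext
FEXT_TAG=fartext

# fext_done LOGTEXT: succeed when the text contains the "fart over" marker that
# FartExt logs once unpacking has finished.
fext_done() {
    printf '%s\n' "$1" | grep -q 'fart over'
}

# fext_arm PKG: step 1, name the process to dump. FartExt starts its 60 s
# countdown the next time that package is launched.
fext_arm() {
    adb shell "echo '$1' > $FEXT_CONFIG"
}

# fext_class_list PKG CLASS...: step 2, restrict the dump to the given classes.
# Both com.Foo and Lcom/Foo; spellings are accepted by the ROM, one per line.
fext_class_list() {
    pkg=$1; shift
    printf '%s\n' "$@" | adb shell "cat > /data/local/tmp/$pkg"
}

# fext_wait SECONDS: step 5, poll logcat for the marker; returns 1 on timeout
# so the caller can tell "not finished yet" from "done".
fext_wait() {
    deadline=$(( $(date +%s) + $1 ))
    adb logcat -c
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if fext_done "$(adb logcat -d 2>/dev/null | grep "$FEXT_TAG")"; then
            return 0
        fi
        sleep 5
    done
    return 1
}

# fext_pairs DUMP_DIR OUT_DIR: print one "dex bin out" line per dumped dex that
# has its .bin companion (assumed naming, see header). A dex without one is
# reported on stderr and skipped rather than fed to dexfixer with a bogus path.
fext_pairs() {
    dump=$1; out=$2
    for dex in "$dump"/*.dex; do
        [ -e "$dex" ] || continue
        stem=${dex%.dex}
        if [ -f "$stem.bin" ]; then
            printf '%s %s %s\n' "$dex" "$stem.bin" "$out/$(basename "$stem")_fixed.dex"
        else
            echo "no .bin for $dex, skipping" >&2
        fi
    done
}

# fext_fix DUMP_DIR OUT_DIR: step 4, run dexfixer over every pair.
# Paths must not contain spaces because read splits on them.
fext_fix() {
    mkdir -p "$2"
    fext_pairs "$1" "$2" | while read -r dex bin out; do
        java -jar ./dexfixer.jar "$dex" "$bin" "$out"
    done
}

# fext_run PKG: the whole workflow.  Usage: . ./fext.sh; fext_run com.example.app
fext_run() {
    pkg=$1
    fext_arm "$pkg"
    adb shell monkey -p "$pkg" -c android.intent.category.LAUNCHER 1
    fext_wait 600 || { echo "timed out waiting for 'fart over'" >&2; return 1; }
    mkdir -p dump
    adb pull "$FEXT_DUMP_ROOT/$pkg" dump/
    fext_fix "dump/$pkg" "fixed/$pkg"
}
```

Source the file and call fext_run with the package name; call fext_class_list first if only specific classes should be active-called. If the files in /sdcard/fext/<pkg> do not follow the <name>.dex plus <name>.bin pattern assumed here, adjust fext_pairs to whatever naming the dump actually uses before running fext_fix.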

6. Flow chart

[flow chart image not included in this copy]

7. Implementation details and case study

FartExt: FART10 with optimized, deeper active calling (FartExt之优化更深主动调用的FART10)

More Repositories

1. video_decrypter (C++, 292 stars): Decrypt video from a streaming site with MPEG-DASH Widevine DRM encryption.
2. strongR-frida-android (217 stars): An anti-detection version of frida-server for Android.
3. simpread (192 stars): Articles imported into SimpRead
4. JSPHorse (Java, 69 stars): Super JSP Webshell
5. Android-Injector (C++, 52 stars): Inject so & apk into zygote on Android. Supports armv8 & armv7.
6. YongyouNC-Unserialize-Tools (Java, 32 stars): Payload generator for Yonyou NC deserialization vulnerabilities
7. evildll (Shell, 30 stars): Malicious DLL (reverse shell) generator for DLL hijacking
8. evilpdf (Shell, 28 stars): Embedding executable files in PDF documents
9. sigFile (C#, 18 stars): Exploitation of a Microsoft signature flaw, an old technique
10. strong-frida (Python, 16 stars): Make frida strong, bypass frida detection.
11. FridaInject (JavaScript, 13 stars): fridainject repackaged; frida offline scripts, frida-rpc, frida without USB, used together with frida-sekiro
12. cve2019-2215-3.18 (C, 9 stars): cve2019-2215 PoC for the 3.18 kernel
13. Virtualapp11 (Java, 7 stars)
14. ServiceCheater (Java, 7 stars): PoC of CVE-2020-0108
15. MemoryTool (C++, 6 stars): Read and write process memory on Android
16. CVE-2021-30632 (HTML, 5 stars)
17. SuperWordlist (5 stars): Assorted weak-password wordlists distilled from real engagements
18. 1195777-chrome0day (HTML, 4 stars)
19. JiaGu360 (Groovy, 4 stars): 360 Jiagu (packer) plugin
20. Thanox-Magisk (Shell, 3 stars): Magisk module for thanox framework patching
21. HiveNightmare (C#, 3 stars): HiveNightmare/SeriousSAM (CVE_2021_36934)
22. Kernel-Security-Development (3 stars)
23. itool (C, 3 stars): iOS device management tool
24. VMOSPro_ROM (3 stars): ROMs ported from the VMOS Pro server, including GEEK and LITE. Added some changes and removed the Chinese keyboard!
25. ZetaSploit (Python, 3 stars): ZetaSploit Framework is a powerful exploitation framework that contains a lot of modules and plugins for attacking targets, interacting with targets, spawning reverse shells, etc.
26. CVE-2020-1020-Exploit (C++, 2 stars)
27. frida_ssl_logger (Python, 2 stars): ssl_logger based on frida
28. WeChat78Xposed (Java, 2 stars): Derivative of WechatSpellbook, adapted to the latest WeChat
29. dobc (C, 2 stars): dobc: deobfuscation compiler
30. CVE-2021-44228-Log4j-Payloads (2 stars)
31. PUBG-Mobile-ESP-External-Mod-Menu-With-Login (Java, 2 stars): PUBG Mobile ESP External Mod Menu project for PUBG Mobile 1.3.0 with login screen
32. GodzillaMemoryShellProject (Java, 2 stars)
33. wintracer (JavaScript, 2 stars)
34. WasmFuzz (C, 2 stars): Fuzz testing on JavaScriptCore and WebAssembly in WebKit
35. Riru-PunishingGrayRaven-Il2CppDumper (2 stars): Riru-based Il2CppDumper for the Bilibili edition of Punishing: Gray Raven; dumps data while the game is running to get past its protection, encryption and obfuscation.
36. UAutoIDE (JavaScript, 2 stars): A top-tier Chinese Unity3D mobile-game recording and replay tool
37. Log4j2DoS (Java, 2 stars): Log4j2 DoS environment
38. CVE-2020-11492 (C++, 2 stars)
39. MacRootKit (C, 2 stars): macOS rootkit that can fuzz drivers, perform kernel r/w, hook kernel and userspace functions, set custom breakpoints, GDB stub (in progress), match KDK kernels with DWARF debug symbols to release kernels, MachOs of all kinds, dyld shared caches, Objective C/Swift metadata, dump libraries, library injection (e.g. cycript), and crawl iOS apps
40. AurumRE (Assembly, 2 stars): Reverse engineering of the Aurum anti-cheat driver
41. twrp_device_m5c (Makefile, 1 star): Meizu M5c device tree for building TWRP
42. CVE-2021-26411 (HTML, 1 star)
43. ARM64InlineHook (C++, 1 star)
44. CVE-2021-22006 (Python, 1 star): CVE-2021-22005 - VMware vCenter Server file upload to RCE
45. cve-2021-3157 (Python, 1 star): "So the script kiddie was me all along?"
46. nullshit (C++, 1 star): Simple Null's driver detector
47. blackmarket-intelligence-monitoring (1 star): Underground-market intelligence monitoring
48. XXTouchApp (Objective-C, 1 star): The official app of XXTouch 1.1.x.
49. nemo (CSS, 1 star): IP, domain and asset collection platform
50. pysep (Python, 1 star): Split 64-bit sep-firmware images in Python
51. excuseme (Shell, 1 star): Information gathering tool to grab IP address and local file full pathname
52. VA11 (Java, 1 star)
53. windbgtool (Python, 1 star)
54. alive (C++, 1 star): For easier debugging, annotation and optimization. Synced source: https://github.com/lcodecorex/KeepAlive
55. GhidraAI (Java, 1 star): GhidraAI is an abstract interpretation plugin for Ghidra
56. DobbyDemo (C++, 1 star): Test examples from learning Dobby
57. BurpSuitePro_Mac (1 star): Latest BurpSuite for Mac
58. MyJavaSec (Java, 1 star): Java security study code and environments
59. HiddenApiReflector (Java, 1 star): Useful hidden API list in Android OS
60. Magisk_RAM_Swapper (Shell, 1 star)
61. BurpKL (1 star): burp keygen & loader all in one
62. AbsoluteZero (Python, 1 star): Python APT backdoor/botnet, a Python MuddyWater recreation
63. AdminFinder (Visual Basic, 1 star): Admin panel finder for Windows
64. awesome-frida-ui (JavaScript, 1 star): This project is for Frida-UI and makes frida easier to use
65. umetrip_re (TypeScript, 1 star): Crack all versions of Umetrip using Frida tools
66. Kernel_Xiaomi_sm8250_S (C, 1 star): Voyager Kernel for xiaomi/redmi sm8250 series, still work in progress (FORCE PUSH WARNING)
67. Ten-Seconds (C, 1 star): Ten Seconds is an Android app written in Kotlin and C for generating and managing account passwords
68. VMSec2 (1 star): Obfuscation method using a virtual machine. Continuation of VMPROTECT
69. PUBG-Mobile-ESP-External-Mod-Menu (Java, 1 star): PUBG Mobile ESP External Mod Menu project created by ANONYMOUS and KMODs.
70. ida-winapi-helper (Python, 1 star): Quickly navigate to the MSDN doc for a given function
71. Android-S-Reacton-Enhancer (Shell, 1 star): A Magisk module that enables system-level Vulkan API rendering, FUSE-Passthrough and SmartDark to reduce response latency, improve performance, reduce CPU overhead when drawing graphics, and extend OLED screen and battery life.
72. CodemaoDrive (C++, 1 star): Nimao Cloud (你猫云), supports full-speed upload and download of arbitrary files
73. 20210816-104304-529 (1 star): Douyin crawler combined with AndServer, implementing the Douyin X-Gorgon algorithm and a device-id generation API