Anyone who has already tried to root their phone using Magisk's Patching Images method will have encountered this issue. Magisk's Patching Images method asks you to copy boot.img or recovery.img (depending on your boot ramdisk availability), but when you extract the ZIP archive of your favorite ROM you see only something like this:

Newer versions of Android OTA packages come with a payload.bin file that contains the individual image files of the different firmware partitions. payload.bin appeared when Google introduced the concept of A/B seamless system updates (Android Oreo (8)). The A/B update mechanism introduced a new format for the Android OTA/firmware update files. Earlier, these update packages came with partition images, which could easily be extracted and used for manual flashing. Nowadays, these update packages come with a single payload.bin file that contains the individual partition images. Various open-source tools allow you to extract the images from payload.bin.

For the sake of these examples I extracted a MIUI ROM (miui_ALIOTHGlobal_V13.0.3.0.SKHMIXM_07afcb74cd_12.0.zip) to a folder named miui. This article will cover only the case of a full OTA (not an incremental OTA).

My hardware (for extraction time comparison):

The requirements, outside of Python 3 itself, are:

With pip (I advise using a virtual environment):

```sh
$ pip install --user protobuf six bsdiff4
```

With pacman and an AUR helper:

```sh
$ sudo pacman -S python-protobuf python-six --needed --asdeps && pikaur -S python-bsdiff4 --asdeps
```

Beware of the amount of storage you need to be able to extract; for example, with my MIUI ROM the files, once extracted, have roughly the same size of 3.2 GB.

```sh
$ python payload_dumper/payload_dumper.py miui/payload.bin --out payload_dumper_test
```

If you are interested in a few images only, you can extract only those to save a lot of time and space:

```sh
$ python payload_dumper/payload_dumper.py miui/payload.bin --out payload_dumper_test --images boot,vendor_boot
```

LineageOS/scripts is a collection of Android Python scripts from LineageOS. This time we only require protobuf as a dependency. Before extracting you can list the available images:

```sh
$ python scripts/update-payload-extractor/extract.py miui/payload.bin --list_partitions
```

Launching the extraction is similar to the previous solution:

```sh
$ python scripts/update-payload-extractor/extract.py miui/payload.bin --output_dir lineageos_extractor --partitions boot vendor_boot
```

ssut/payload-dumper-go is a tool written in Go. The only system dependency is xz (LZMA lib).

This article was published on the 17th of September 2020. This article was updated on the 8th of December 2021.

Understanding how a loader works shortens the time an analyst needs when it is encountered again. It also allows an analyst to create detection rules. Automating the extraction of the payload and possible configuration of a loader is the ideal scenario. This article covers the automatic extraction of both, based on the ReZer0 loader analysis which was analysed earlier on in this course. A follow-up article, in which I dug deep into this loader's details as well as its historical versions, can be found on McAfee's Advanced Research Team's blog.

As is described in the analysis, the loader's payload is stored within a private static byte array, whereas the configuration is stored in a private static string array. The required fields are populated based on the string array, which the loader then uses to determine which functions need to be executed. Within the Dot Net framework, the Assembly class can be used to interact with classes, functions, and fields within a Dot Net binary. Note that both required fields are static, meaning they are assigned their value when the file is loaded. As such, one can iterate over the private static fields within all classes, since the variable and class names are randomised per sample. Once a byte array or string array is found, additional checks can be performed.
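As an added example that is not part of the course material, the following C# program applies the field-enumeration approach described above for the ReZer0 loader: it loads an assembly with the Assembly class, walks every type's private static fields and reports the byte[] and string[] candidates. The sample path, the Candidate type and the minimum-length thresholds are assumptions.

```csharp
// Added example, not the course's code: enumerate private static byte[] and
// string[] fields across every type of a .NET assembly, the approach used
// above to locate the ReZer0 payload and configuration arrays.
// Assumptions: the sample path and size thresholds are placeholders. Reading a
// static field runs the type's static constructor, i.e. the sample executes,
// so use this only inside an isolated analysis VM.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
static class StaticArrayFinder
{
    public record Candidate(string TypeName, string FieldName, string Kind, int Length);
    // Walk all types; a partial load failure still yields the loadable ones.
    static IEnumerable<Type> LoadableTypes(Assembly asm)
    {
        try { return asm.GetTypes(); }
        catch (ReflectionTypeLoadException e) { return e.Types.Where(t => t != null); }
    }
    public static List<Candidate> Find(Assembly asm, int minBytes = 1024, int minStrings = 2)
    {
        var found = new List<Candidate>();
        const BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.DeclaredOnly;
        foreach (var type in LoadableTypes(asm))
        {
            foreach (var field in type.GetFields(flags))
            {
                // Only the two field types the loader is known to use matter here.
                if (field.FieldType != typeof(byte[]) && field.FieldType != typeof(string[]))
                    continue;
                // Static: the value is in place once the type initialiser has run.
                object value = field.GetValue(null);
                if (value is byte[] bytes && bytes.Length >= minBytes)
                    found.Add(new Candidate(type.FullName, field.Name, "payload?", bytes.Length));
                else if (value is string[] strings && strings.Length >= minStrings)
                    found.Add(new Candidate(type.FullName, field.Name, "config?", strings.Length));
            }
        }
        return found;
    }
    static void Main(string[] args)
    {
        // Placeholder path; real samples carry randomised names.
        var asm = Assembly.LoadFile(args.Length > 0 ? args[0] : @"C:\samples\loader.exe");
        foreach (var c in Find(asm))
            Console.WriteLine($"{c.Kind} {c.TypeName}.{c.FieldName} (length {c.Length})");
    }
}
```

The reported candidates are the starting point for the additional checks mentioned above, such as verifying that a byte[] candidate is itself a valid PE file before treating it as the payload.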