commit 346286b9e965fdb258508a7994f00ea1a6fed84d
Author: Sebastian
Date: Wed Oct 23 18:15:05 2024 +0200
initial commit
diff --git a/binder-trace.nix b/binder-trace.nix
new file mode 100644
index 0000000..6bbcb56
--- /dev/null
+++ b/binder-trace.nix
@@ -0,0 +1,26 @@
+{
+ lib,
+ buildPythonPackage,
+ fetchFromGitHub,
+ setuptools
+}:
+
+buildPythonPackage rec {
+ pname = "binder-trace";
+ version = "1.4.1";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "foundryzero";
+ repo = "binder-trace";
+ rev = "refs/tags/${version}";
+ hash = "sha256-PoarAeQ8+C43rdi5ZL9ntxvqaLP/aHWxmoBri/EDP9g=";
+ };
+
+ build-system = [ setuptools ];
+
+ meta = with lib; {
+ description = "Binder Trace is a tool for intercepting and parsing Android Binder messages. Think of it as \"Wireshark for Binder\".";
+ homepage = "https://github.com/foundryzero/binder-trace";
+ };
+}
diff --git a/dyldextractor.nix b/dyldextractor.nix
new file mode 100644
index 0000000..f9ef63c
--- /dev/null
+++ b/dyldextractor.nix
@@ -0,0 +1,32 @@
+{
+ lib,
+ buildPythonPackage,
+ fetchFromGitHub,
+ setuptools,
+ progressbar2,
+ capstone
+}:
+
+buildPythonPackage rec {
+ pname = "dyldextractor";
+ version = "v2.2.2";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "arandomdev";
+ repo = "dyldextractor";
+ rev = "d44855e8ae51c328847e500b5f52bacf563eb08a";
+ hash = "sha256-cIzQsEADveuof0L5a5CXC0KfdH9Ydxo7ajrPwHMWD6k=";
+ };
+
+ build-system = [ setuptools ];
+
+ dependencies = [ progressbar2 capstone ];
+
+ pythonRelaxDeps = [ "capstone" ];
+
+ meta = with lib; {
+ description = "Extract Binaries from Apple's Dyld Shared Cache";
+ homepage = "https://github.com/arandomdev/DyldExtractor";
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..d052ebf
--- /dev/null
+++ b/flake.lock
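Review bot: `meta` in binder-trace.nix declares no `license`, and the `with lib;` in front of it is unused because nothing inside the attribute set references `lib`. The fetch itself is pinned soundly (tag-based `rev` plus a fixed `hash`), so this is a metadata gap rather than a provenance problem. I would add `license = licenses.<LICENSE-FROM-UPSTREAM-LICENSE-FILE>;` inside the `with lib;` scope, or drop the `with lib;` if no license is added, and consider a `pythonImportsCheck` with the package's import module name so the build verifies that the install actually works.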
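Review bot: `version = "v2.2.2"` in dyldextractor.nix carries a `v` prefix while `rev` is a bare commit, so the version string is neither the bare number nixpkgs expects nor tied to the tag it names; the same `v` prefix appears in pyimg4.nix (both `pylzss` and `pyimg4`) and in xpcspy.nix. The prefix leaks into the derivation name, and with a bare commit a reader cannot tell whether d44855e… is what the v2.2.2 tag points at. If the tag exists, `version = "2.2.2"; rev = "v${version}";` keeps the two consistent; if the commit is deliberately newer than the tag, a one-line comment saying so would do. `pythonRelaxDeps = [ "capstone" ]` silently lifts upstream's capstone bound, which deserves a comment naming the capstone version the package was actually tested against.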
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1729256560,
+ "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..3fd5d57
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,57 @@
+{
+ description = "Reverse Engineering Workshop flake";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+
+ outputs = { self, nixpkgs }:
+ let
+ allSystems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ "x86_64-darwin"
+ "aarch64-darwin"
+ ];
+
+ forAllSystems = f: nixpkgs.lib.genAttrs allSystems (system: f {
+ pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
+ });
+
+ in {
+ devShells = forAllSystems ({ pkgs }: {
+ default = pkgs.mkShell {
+ packages = with pkgs; [
+ temurin-bin
+ ghidra-bin
+ (vscode-with-extensions.override { vscodeExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+ {
+ name = "vscode-frida";
+ publisher = "CodeColorist";
+ version = "0.8.2";
+ hash = "sha256-mCBnBguwg23Wc2PhefuagiG5ZI2GAW0DoEUWEhr+/PM=";
+ }
+ ];
+ })
+ swift
+ #frida-tools -> different version is already required by xpcspy
+ lief
+ libusbmuxd
+ libplist
+ ldid
+ radamsa
+ wireshark
+ android-tools
+ jadx
+ (python3.withPackages (pypkgs: with pypkgs; [
+ (pypkgs.callPackage ./xpcspy.nix {})
+ (pypkgs.callPackage ./pyimg4.nix {})
+ (pypkgs.callPackage ./dyldextractor.nix {})
+ (pypkgs.callPackage ./binder-trace.nix {})
+ (pypkgs.callPackage ./frida-python.nix {})
+ ]))
+ ];
+ };
+ });
+ };
+}
diff --git a/frida-python.nix b/frida-python.nix
new file mode 100644
index 0000000..fcb15ae
--- /dev/null
+++ b/frida-python.nix
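Review bot: `allSystems` in flake.nix lists aarch64-linux and x86_64-darwin, but the frida-python.nix hunk that follows only provides `devkit` entries for aarch64-darwin and x86_64-linux and throws `Unsupported system` for anything else, so as far as I can read these hunks the `devShells` output for those two systems fails at evaluation time. Either trim `allSystems` to the two systems the devkit table covers, or add the missing devkit tarballs with their hashes and extend `meta.platforms` to match. Separately, `config.allowUnfree = true` is set for the whole package set; a short comment naming the package that needs it (`vscode-with-extensions` is the visible candidate) would tell the next maintainer what the opt-in is for.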
@@ -0,0 +1,68 @@
+{
+ lib,
+ stdenv,
+ fetchurl,
+ fetchPypi,
+ buildPythonPackage,
+ typing-extensions,
+ darwin,
+}:
+let
+ version = "16.0.19";
+ format = "setuptools";
+
+ devkit = {
+ aarch64-darwin = fetchurl {
+ url = "https://github.com/frida/frida/releases/download/${version}/frida-core-devkit-${version}-macos-arm64.tar.xz";
+ hash = "sha256-5VAZnpHQ5wjl7IM96GhIKOfFYHFDKKOoSjN1STna2UA=";
+ };
+
+ x86_64-linux = fetchurl {
+ url = "https://github.com/frida/frida/releases/download/${version}/frida-core-devkit-${version}-linux-x86_64.tar.xz";
+ #hash = "sha256-7iptwk+Za9AgjX1rUYtvi9RSg823HV8ga7G09A6jImU=";
+ hash = "sha256-yNXNqv8eCbpdQKFShpAh6rUCEuItrOSNNLOjESimPdk=";
+ };
+ }.${stdenv.hostPlatform.system}
+ or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+
+in
+buildPythonPackage rec {
+ pname = "frida-python";
+ inherit version;
+
+ src = fetchPypi {
+ pname = "frida";
+ inherit version;
+ hash = "sha256-rikIjjn9wA8VL/St/2JJTcueimn+q/URbt9lw/+nalY=";
+ };
+
+ postPatch = ''
+ mkdir assets
+ pushd assets
+ tar xvf ${devkit}
+ export FRIDA_CORE_DEVKIT=$PWD
+ popd
+ '';
+
+ env.NIX_LDFLAGS = lib.optionalString stdenv.hostPlatform.isDarwin "-framework AppKit";
+
+ propagatedBuildInputs = [ typing-extensions ];
+
+ buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
+ darwin.apple_sdk.frameworks.AppKit
+ ];
+
+ pythonImportsCheck = [ "frida" ];
+
+ passthru = {
+ inherit devkit;
+ };
+
+ meta = {
+ description = "Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers (Python bindings)";
+ homepage = "https://www.frida.re";
+ license = lib.licenses.wxWindows;
+ maintainers = with lib.maintainers; [ s1341 ];
+ platforms = [ "aarch64-darwin" "x86_64-linux" ];
+ };
+}
diff --git a/frida-tools.nix b/frida-tools.nix
new file mode 100644
index 0000000..9a3bdee
--- /dev/null
+++ b/frida-tools.nix
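Review bot: The x86_64-linux devkit in frida-python.nix keeps a commented-out `#hash = "sha256-7iptwk…"` directly above the live `hash`, leaving two hashes on record for one URL with no indication which one verified the artifact that was actually inspected; the stale line should be removed, or if the tarball was re-published upstream, a comment should say so, because a silently changed release asset is exactly what a pinned hash is meant to catch. `format = "setuptools"` in the `let` is never used — either `inherit format;` in the derivation or drop it. `maintainers = with lib.maintainers; [ s1341 ]` appears to be carried over from the nixpkgs expression and would misattribute this local copy; replace it with the actual maintainer or drop the line.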
@@ -0,0 +1,25 @@
+{ lib, fetchPypi, python3Packages }:
+
+python3Packages.buildPythonApplication rec {
+ pname = "frida-tools";
+ version = "12.3.0";
+
+ src = fetchPypi {
+ inherit pname version;
+ hash = "sha256-jtxn0a43kv9bLcY1CM3k0kf5K30Ne/FT10ohptWNwEU=";
+ };
+
+ propagatedBuildInputs = with python3Packages; [
+ pygments
+ prompt-toolkit
+ colorama
+ frida-python
+ ];
+
+ meta = {
+ description = "Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers (client tools)";
+ homepage = "https://www.frida.re/";
+ maintainers = with lib.maintainers; [ s1341 ];
+ license = lib.licenses.wxWindows;
+ };
+}
diff --git a/pyimg4.nix b/pyimg4.nix
new file mode 100644
index 0000000..5712ed7
--- /dev/null
+++ b/pyimg4.nix
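Review bot: `frida-python` in `propagatedBuildInputs` resolves through the `python3Packages` argument, and in the xpcspy.nix hunk this file is called with a plain `callPackage ./frida-tools.nix {}`, so as far as I can read the two hunks this frida-tools is built against nixpkgs' own frida-python rather than the local frida-python.nix (16.0.19) that xpcspy.nix also places in `dependencies`; the `pythonRelaxDeps = [ "frida-tools" "frida" ]` in xpcspy.nix would then hide the version mismatch rather than resolve it. Passing the overridden set explicitly in the xpcspy.nix override, `frida-tools = super.toPythonModule (callPackage ./frida-tools.nix { python3Packages = self; });`, makes both resolve to the same frida-python. A comment here stating which frida-python this 12.3.0 release is meant to pair with would make the intended pairing auditable.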
@@ -0,0 +1,74 @@
+{
+ lib,
+ buildPythonPackage,
+ fetchFromGitHub,
+ fetchPypi,
+ poetry-core,
+ poetry-dynamic-versioning,
+ setuptools,
+ asn1,
+ click,
+ pycryptodome
+}:
+let
+ pylzss = buildPythonPackage rec {
+ pname = "pylzss";
+ version = "v0.3.8";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "m1stadev";
+ repo = "pylzss";
+ rev = "refs/tags/${version}";
+ hash = "sha256-Y0u9rFJWYWyJUVEgpLtQHsXu0JpTgRKxFJHB+B3EFyU=";
+ };
+
+ build-system = [ setuptools ];
+
+ meta = with lib; {
+ description = "LZSS library for CPython ";
+ homepage = "https://github.com/m1stadev/pylzss";
+ };
+ };
+
+ lzfse = buildPythonPackage rec {
+ pname = "lzfse";
+ version = "0.4.2";
+ pyproject = true;
+
+ src = fetchPypi{
+ inherit pname version;
+ hash = "sha256-xolfjKE+7dLhi24MmHyUaBFQMImECbxEp6qNT0pCzqs=";
+ };
+
+ build-system = [ setuptools ];
+ };
+in buildPythonPackage rec {
+ pname = "pyimg4";
+ version = "v0.8.6";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "m1stadev";
+ repo = "PyIMG4";
+ rev = "refs/tags/${version}";
+ hash = "sha256-jpI0R/OLyN9mh/E2hmn4f+KSM4UpuQ1anin8kZGqqzI=";
+ };
+
+ build-system = [ poetry-core poetry-dynamic-versioning ];
+
+ dependencies = [
+ asn1
+ click
+ pycryptodome
+ pylzss
+ lzfse
+ ];
+
+ pythonRelaxDeps = [ "pylzss" ];
+
+ meta = with lib; {
+ description = "A Python library/CLI tool for parsing Apple's Image4 format.";
+ homepage = "https://github.com/m1stadev/PyIMG4";
+ };
+}
diff --git a/xpcspy.nix b/xpcspy.nix
new file mode 100644
index 0000000..6c67e2f
--- /dev/null
+++ b/xpcspy.nix
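Review bot: In pyimg4.nix the `pylzss` description ends in a trailing space (`"LZSS library for CPython "`), `fetchPypi{` is missing the conventional space before the brace, and the inner `lzfse` derivation has no `meta` at all while its sibling `pylzss` does. Nothing in the hunk explains `pythonRelaxDeps = [ "pylzss" ]`; a one-line comment naming the upstream bound being lifted would keep that auditable. `poetry-dynamic-versioning` sits in `build-system` on a `fetchFromGitHub` source, which ships no `.git` metadata, so I would confirm the version recorded in the built wheel is the one intended rather than a fallback value — a comment stating the expected outcome would save the next reader the same check.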
@@ -0,0 +1,46 @@
+{
+ lib,
+ buildPythonPackage,
+ fetchFromGitHub,
+ fetchPypi,
+ setuptools,
+ frida-tools,
+ frida-python,
+ python3,
+ callPackage
+}:
+let python =
+ let packageOverrides = self: super: {
+ frida-python = (callPackage ./frida-python.nix {});
+ frida-tools = super.toPythonModule(callPackage ./frida-tools.nix {});
+ };
+ in python3.override {
+ inherit packageOverrides;
+ self = python;
+ };
+
+in buildPythonPackage rec {
+ pname = "xpcspy";
+ version = "v0.8.3";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "hot3eed";
+ repo = "xpcspy";
+ rev = "refs/tags/${version}";
+ hash = "sha256-/7nv1Xtsu4cGXai12d0fN6OR9d5mgV/0xK2UrlUv2rc=";
+ };
+
+ build-system = [ setuptools ];
+
+ nativeBuildInputs = [ python.pkgs.frida-tools ];
+ buildInputs = [ python.pkgs.frida-tools ];
+ dependencies = [ python.pkgs.frida-python python.pkgs.frida-tools ];
+
+ pythonRelaxDeps = [ "frida-tools" "frida" ];
+
+ meta = with lib; {
+ description = "Bidirectional XPC message interception and more. Powered by Frida";
+ homepage = "https://github.com/hot3eed/xpcspy";
+ };
+}
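Review bot: `fetchPypi`, `frida-tools` and `frida-python` are declared in xpcspy.nix's argument set but never used — the derivation takes both frida packages from `python.pkgs` instead — so the three unused arguments should be dropped before they mislead someone into thinking the caller's `frida-python` influences this build. `python.pkgs.frida-tools` is listed in `nativeBuildInputs`, `buildInputs` and `dependencies` at once; for a package built with `setuptools` via `pyproject = true`, `dependencies` alone should carry it, and if it is genuinely needed at build time a comment saying why belongs next to `nativeBuildInputs`. `pythonRelaxDeps = [ "frida-tools" "frida" ]` removes upstream's version bounds entirely, so a comment stating which versions were tested together (16.0.19 and 12.3.0 per the sibling hunks) would let a later bump be checked against something.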