SlideShare una empresa de Scribd logo

DBI-Assisted Android Application Reverse Engineering

S
Sahil Dhar

Slides from my talk discussing how DBI frameworks such as Frida can be used in understanding the runtime or in-process operations in case of heavily obfuscated android applications.

Software
1 de 35
Descargar para leer sin conexión
26 July 2019 DBI-Assisted Android Application Reverse Engineering Sahil Dhar
Whoami Sahil Dhar Security researcher My area of expertise include Web and Mobile application security. Prior to joining Xen1thLabs, I have worked on numerous projects involving the security assessment of Web, Mobile, Thick clients and Network and Cloud Infrastructure for multiple fortune 500 companies. @0x401 Security Engineer Security Consultant Security researcher @Xen1th LabsA former Currently Bug Bounty Hunter
Content 3 • What is DBI ? • What is Frida ? • Frida JavaScript APIs • Console • RPC • Java • Interceptor • Example Use cases • Frameworks built using Frida
4 Dynamic Binary Instrumentation 01
5 Dynamic Binary Instrumentation ? 1. #include<stdio.h> 2. #include<string.h> 3. 4. int main(int argc, char *argv[]){ 5. if (strcmp(argv[1], "adminx0a")){ 6. printf("Access Granted"); 7. }else{ 8. printf("Access Denied"); 9. } 10. }
6 Dynamic Binary Instrumentation ? 1. #include<stdio.h> 2. #include<string.h> 3. 4. int main(int argc, char *argv[]){ 5. printf("Inside main function"); 6. if (strcmp(argv[1], "adminx0a")){ 7. printf("comparison successful"); 8. printf("Access Granted"); 9. }else{ 10. printf("comparison failed"); 11. printf("Access Denied"); 12. } 13. }
7 Compile-time Instrumentation (AFL)
8 Frida 02
9 Getting Started ● Installation Commands • apt-get install python3 • pip3 install Frida • Download platform specific (x86, x64, ARM) Frida Server & Agents • https://github.com/frida/frida/releases • Transfer frida-server binary to /data/local/tmp using adb • adb push frida-server /data/local/tmp • adb shell; su • cd /data/local/tmp; chmod +x frida-server • ./frida-server &
10 Frida Command line Tools ● Common Options: ● frida-ps: List all running and installed applications on the mobile device. ● frida-ls-devices: Shows the list of attached devices. ● frida-kill: Kill the process running on the device by providing process name or process id. ● frida-discover: Tool for discovering internal functions in the program. ● frida-trace: Useful for tracing native function calls. This won’t work for high-level function calls such as loadLibrary() from java.lang.System class in java. 1. -D ID, --device=ID connect to device with the given ID 2. -U, --usb connect to USB device 3. -R, --remote connect to remote frida-server 4. -H HOST, --host=HOST connect to remote frida-server on HOST 5. -f FILE, --file=FILE spawn FILE 6. -n NAME, --attach-name=NAME
11 Frida Internals ● Hijack remote thread - ptrace() ● Allocating memory for Bootstrapper: frida_resolve_library_function - mmap() ● Load libpthread.so - dlopen() ● Create new thread - thread_create() - executing libpthread.so ● Notify debugger • Load frida-agent.so dlopen() in process memory • Locate entry point of frida-agent ● Resume hijacked thread execution • Execute entry point of frida-agent ● Resume execution
12 Frida Internals Source: https://www.frida.re/docs/presentations/osdc-2015-the-engineering-behind-the-reverse-engineering.pdf
13 Frida Internals
14 Operation Modes ● Injected ● Embedded • Interaction types • listen • script • script-directory ● Preloaded (LD_PRELOAD) Embedded mode automation: https://www.github.com/sahildhar/mlibinjector
1515 Frida JavaScript APIs 03
16 Frida Console – Hello World DEMO
17 RPC 1. import frida 2. 3. # Frida-python Api documentation can be found at ;) 4. # https://github.com/frida/frida-python/blob/master/frida/__init__.py 5. 6. rpc_hello = """ 7. rpc.exports = { 8. helloWorld: function (){ 9. return "Hello World"; 10. }, 11. }; 12. """ 13. 14. device = frida.get_usb_device(timeout=1); 15. pid = device.spawn("owasp.mstg.uncrackable1") 16. session = device.attach(pid) 17. script = session.create_script(rpc_hello) 18. script.load() 19. api = script.exports 20. print(api.hello_world());
18 Java ● Java.Perform(fn): fn will execute after the application class loader is initialized. ● Java.PerformNow(fn): Very useful for early instrumentation i.e. hooking the implementation of system classes and functions. ● Java.use(className): Get wrapper for className which can be initialized by calling $new() on it. ● Java.enumerateLoadedClasses(callback): Enumerate all the classes loaded and execute callback functions on each of them. ● Java.enumerateLoadedClassesSync(): Similar to enumerateLoadedClasses but returns an array of all of the loaded classes ● Java.scheduleOnMainThread(fn): Run fn on main thread, useful for tinkering around the objects that must execute in the main thread. Hint: UI ● Java.choose (classname, callbacks): Search for initialized instances of classname and execute the functions defined in the callbacks. ● Java.array(dataType, []): useful when dealing with java arrays.
19 Frida + Java Reflection API 04
20 Enumerating Class Methods 1. Java.perform(function(){ 2. Java.enumerateLoadedClasses({ 3. onMatch: function(className){ 4. try{ 5. var _class = Java.use(className); 6. if(className.includes("rootinspector")){ 7. var methods = _class.class.getDeclaredMethods(); 8. methods.map(function(methodName){ 9. if(methodName.toString().includes("native")){ 10. console.log(methodName); 11. } 12. }); 13. } 14. } 15. catch(err){} 16. }, 17. onComplete:function(){} 18. }); 19. });
21 Defining Method Implementation 1. Java.perform(function(){ 2. var _rootClass = Java.use("com.devadvance.rootinspector.Root"); 3. var _checkRootMethod0 = _rootClass.checkRootMethod0 4. _checkRootMethod0.implementation = function() 5. { 6. return false; 7. 8. } 9. });
22 Method Overloading 1. Java.performNow(function(){ 2. 3. var _alertDialog = Java.use("android.app.AlertDialog"); 4. _alertDialog.setMessage.overload("java.lang.CharSequence").implementation = function(message){ 5. console.error(message.toString()); 6. return _alertDialog.setMessage.overload("java.lang.CharSequence").apply(this,arguments); 7. } 8. }); Source: https://developer.android.com/reference/android/app/AlertDialog.Builder
23 Hooking Class Constructors 1.Java.perform(function () { 2. var mainactivity = Java.use("com.pragyan.circle.a"); 3. mainactivity.$init.overloads[0].implementation = function(a,b,c,d,e) { 4. console.log(d); 5. return mainactivity.$init.overloads[0].apply(this,arguments); 6. }; 7. 8. send("Hooks installed."); 9.});
24 Calling Pre-initialized Class Instances 1. Java.perform(function () { 2. var _javaString = Java.use("java.lang.String"); 3. var _hexValue = _javaString.$new("65544231587a52794d3138316458417a636c396d4e445 53343673d3d"); 4. Java.choose("com.pragyan.circle.Main",{ 5. onMatch: function(instance){ 6. var flag = instance.a(_hexValue); 7. console.log(flag); 8. }, 9. onComplete: function(){} 10. }); 11. });
25 ● Java Reflection API(s) ● Iterating over returned [Object Object] array. Making sense out of [Object ----] 1. Java.cast(obj.getClass(), Java.use("java.lang.Class")).getDeclaredFields(); 1. function getObjectDetails(obj){ 2. for (var k in obj){ 3. console.log(obj[k]); 4. } 5. console.log("done"); 6. }
26 Interceptor 1. Java.perform(function(){ 2. var checkfopen = Module.findExportByName("libnative2.so", "Java_com_devadvance_rootins pector_Root_checkfopen"); 3. if(checkfopen){ 4. console.log("checkfopen is at: "+checkfopen) 5. Interceptor.attach(checkfopen,{ 6. onEnter: function(args){ 7. //casting jstring object to String 8. console.log(Java.cast(ptr(args[2]), Java.use("java.lang.String"))); 9. console.log("checkfopen called"); 10. }, 11. onLeave: function(retval){ 12. // returning false for the check 13. retval.replace(ptr(0)); 14. } 15. }); 16. } 17. });
27 Some Use Cases 05
28 Root Detection Bypass 1. Java.performNow(function(){ 2. 3. var _system = Java.use("java.lang.System"); 4. _system.exit.implementation = function(){ 5. console.log("Exit called"); 6. } 7. 8. });
29 SQL Cipher – Find and Decrypt 1. Java.choose("net.sqlcipher.database.SQLiteDatabase",{ 2. onMatch: function(ins){ 3. var path_parts = ins.getPath().split("/"); 4. var db_name = path_parts[(path_parts.length -1)].split(".")[0] 5. console.log("DB Name: "+ db_name) 6. var rnd_db_name = db_name + "_" +random_name(5); 7. var sql1 = String.$new("ATTACH DATABASE '/data/user/0/com.test.production/databases/"+rnd _db_name+".sql.plaintext' as "+rnd_db_name+" KEY '';"); 8. var sql2 = String.$new("SELECT sqlcipher_export('"+rnd_db_name+"');"); 9. var sql3 = String.$new("DETACH DATABASE "+rnd_db_name); 10. ins.rawExecSQL(sql1); 11. ins.rawExecSQL(sql2); 12. ins.rawExecSQL(sql3); 13. console.log("Found SqlCipherDatabaseProvider instance"); 14. }, 15. onComplete: function(ins){} 16. });
30 Tracing arbitrary Java methods DEMO
31 Frameworks Built Over Frida 06
32 Awesome Frida Frameworks ● Appmon (https://github.com/dpnishant/appmon) ● House (https://github.com/nccgroup/house) ● Objection (https://github.com/sensepost/objection)
33 References ● https://www.frida.re ● https://github.com/frida/frida-core/blob/dd69ad9be80eda6e172d16d924c3db3080f6e40c/src/linux/frida-helper- backend-glue.c#L393 ● https://github.com/dweinstein/awesome-frida ● https://github.com/sahildhar/mlibinjector ● https://docs.oracle.com/javase/8/docs/technotes/guides/reflection/index.html ● https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/ ● https://developer.android.com/reference/android/app/AlertDialog.Builder
34 Questions ?
35 Thank you 

Recomendados

Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to FridaAbhishekJaiswal270
 
Hacking with frida
Hacking with fridaHacking with frida
Hacking with fridan|u - The Open Security Community
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 

Recomendados

Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to FridaAbhishekJaiswal270
 
Hacking with frida
Hacking with fridaHacking with frida
Hacking with fridan|u - The Open Security Community
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
Reversing Android Applications For Fun and Profit
Reversing Android Applications For Fun and ProfitReversing Android Applications For Fun and Profit
Reversing Android Applications For Fun and ProfitMaycon Vitali
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usagen|u - The Open Security Community
 
Google SafetyNet API
Google SafetyNet APIGoogle SafetyNet API
Google SafetyNet APISana Rahim
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Internet Security Auditors
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OSJimmy Software
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUCDevelopment of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUCInfinIT - Innovationsnetværket for it
 
Adv kvr -satya
Adv kvr -satyaAdv kvr -satya
Adv kvr -satyaJyothsna Sree
 

Más contenido relacionado

La actualidad más candente

Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectiveRajniHatti
 
Reversing Android Applications For Fun and Profit
Reversing Android Applications For Fun and ProfitReversing Android Applications For Fun and Profit
Reversing Android Applications For Fun and ProfitMaycon Vitali
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Google SafetyNet API
Google SafetyNet APIGoogle SafetyNet API
Google SafetyNet APISana Rahim
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Internet Security Auditors
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 

La actualidad más candente (20)

Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Practical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's PerspectivePractical Application of the API Security Top Ten: A Tester's Perspective
Practical Application of the API Security Top Ten: A Tester's Perspective
 
Reversing Android Applications For Fun and Profit
Reversing Android Applications For Fun and ProfitReversing Android Applications For Fun and Profit
Reversing Android Applications For Fun and Profit
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
Google SafetyNet API
Google SafetyNet APIGoogle SafetyNet API
Google SafetyNet API
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
 

Similar a DBI-Assisted Android Application Reverse Engineering

Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUCDevelopment of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUCInfinIT - Innovationsnetværket for it
 
Advance java kvr -satya
Advance java kvr -satyaAdvance java kvr -satya
Advance java kvr -satyaSatya Johnny
 
Advanced java jee material by KV Rao sir
Advanced java jee material by KV Rao sirAdvanced java jee material by KV Rao sir
Advanced java jee material by KV Rao sirAVINASH KUMAR
 
Java basic part 2 : Datatypes Keywords Features Components Security Exceptions
Java basic part 2 : Datatypes Keywords Features Components Security Exceptions Java basic part 2 : Datatypes Keywords Features Components Security Exceptions
Java basic part 2 : Datatypes Keywords Features Components Security Exceptions Soumen Santra
 
把鐵路開進視窗裡
把鐵路開進視窗裡把鐵路開進視窗裡
把鐵路開進視窗裡Wei Jen Lu
 
JavaScript Growing Up
JavaScript Growing UpJavaScript Growing Up
JavaScript Growing UpDavid Padbury
 
Atlassian Groovy Plugins
Atlassian Groovy PluginsAtlassian Groovy Plugins
Atlassian Groovy PluginsPaul King
 
GOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesGOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesAlexandra Masterson
 
Java programming basics
Java programming basicsJava programming basics
Java programming basicsHamid Ghorbani
 
Unit Testing RPG with JUnit
Unit Testing RPG with JUnitUnit Testing RPG with JUnit
Unit Testing RPG with JUnitGreg.Helton
 
Node.js Patterns for Discerning Developers
Node.js Patterns for Discerning DevelopersNode.js Patterns for Discerning Developers
Node.js Patterns for Discerning Developerscacois
 
Eric Lafortune - The Jack and Jill build system
Eric Lafortune - The Jack and Jill build systemEric Lafortune - The Jack and Jill build system
Eric Lafortune - The Jack and Jill build systemGuardSquare
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVAHome
 
JavaScript code academy - introduction
JavaScript code academy - introductionJavaScript code academy - introduction
JavaScript code academy - introductionJaroslav Kubíček
 
In the Brain of Hans Dockter: Gradle
In the Brain of Hans Dockter: GradleIn the Brain of Hans Dockter: Gradle
In the Brain of Hans Dockter: GradleSkills Matter
 

Similar a DBI-Assisted Android Application Reverse Engineering (20)

Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUCDevelopment of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
Development of Java tools using SWT and WALA af Hans Søndergaard, ViaUC
 
Adv kvr -satya
Adv kvr -satyaAdv kvr -satya
Adv kvr -satya
 
Advance java kvr -satya
Advance java kvr -satyaAdvance java kvr -satya
Advance java kvr -satya
 
Advanced java jee material by KV Rao sir
Advanced java jee material by KV Rao sirAdvanced java jee material by KV Rao sir
Advanced java jee material by KV Rao sir
 
Java basic part 2 : Datatypes Keywords Features Components Security Exceptions
Java basic part 2 : Datatypes Keywords Features Components Security Exceptions Java basic part 2 : Datatypes Keywords Features Components Security Exceptions
Java basic part 2 : Datatypes Keywords Features Components Security Exceptions
 
把鐵路開進視窗裡
把鐵路開進視窗裡把鐵路開進視窗裡
把鐵路開進視窗裡
 
JavaScript Growing Up
JavaScript Growing UpJavaScript Growing Up
JavaScript Growing Up
 
Java Enterprise Edition
Java Enterprise EditionJava Enterprise Edition
Java Enterprise Edition
 
Atlassian Groovy Plugins
Atlassian Groovy PluginsAtlassian Groovy Plugins
Atlassian Groovy Plugins
 
Spock
SpockSpock
Spock
 
GOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesGOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter Slides
 
Java programming basics
Java programming basicsJava programming basics
Java programming basics
 
Unit Testing RPG with JUnit
Unit Testing RPG with JUnitUnit Testing RPG with JUnit
Unit Testing RPG with JUnit
 
Node.js Patterns for Discerning Developers
Node.js Patterns for Discerning DevelopersNode.js Patterns for Discerning Developers
Node.js Patterns for Discerning Developers
 
Eric Lafortune - The Jack and Jill build system
Eric Lafortune - The Jack and Jill build systemEric Lafortune - The Jack and Jill build system
Eric Lafortune - The Jack and Jill build system
 
Mastering Java ByteCode
Mastering Java ByteCodeMastering Java ByteCode
Mastering Java ByteCode
 
Object Oriented Programming-JAVA
Object Oriented Programming-JAVAObject Oriented Programming-JAVA
Object Oriented Programming-JAVA
 
JavaScript code academy - introduction
JavaScript code academy - introductionJavaScript code academy - introduction
JavaScript code academy - introduction
 
Gradle
GradleGradle
Gradle
 
In the Brain of Hans Dockter: Gradle
In the Brain of Hans Dockter: GradleIn the Brain of Hans Dockter: Gradle
In the Brain of Hans Dockter: Gradle
 

Último

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 

Último (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

DBI-Assisted Android Application Reverse Engineering

  • 1. 26 July 2019 DBI-Assisted Android Application Reverse Engineering Sahil Dhar
  • 2. Whoami Sahil Dhar Security researcher My area of expertise include Web and Mobile application security. Prior to joining Xen1thLabs, I have worked on numerous projects involving the security assessment of Web, Mobile, Thick clients and Network and Cloud Infrastructure for multiple fortune 500 companies. @0x401 Security Engineer Security Consultant Security researcher @Xen1th LabsA former Currently Bug Bounty Hunter
  • 3. Content 3 • What is DBI ? • What is Frida ? • Frida JavaScript APIs • Console • RPC • Java • Interceptor • Example Use cases • Frameworks built using Frida
  • 5. 5 Dynamic Binary Instrumentation ? 1. #include<stdio.h> 2. #include<string.h> 3. 4. int main(int argc, char *argv[]){ 5. if (strcmp(argv[1], "adminx0a")){ 6. printf("Access Granted"); 7. }else{ 8. printf("Access Denied"); 9. } 10. }
  • 6. 6 Dynamic Binary Instrumentation ? 1. #include<stdio.h> 2. #include<string.h> 3. 4. int main(int argc, char *argv[]){ 5. printf("Inside main function"); 6. if (strcmp(argv[1], "adminx0a")){ 7. printf("comparison successful"); 8. printf("Access Granted"); 9. }else{ 10. printf("comparison failed"); 11. printf("Access Denied"); 12. } 13. }
  • 9. 9 Getting Started ● Installation Commands • apt-get install python3 • pip3 install Frida • Download platform specific (x86, x64, ARM) Frida Server & Agents • https://github.com/frida/frida/releases • Transfer frida-server binary to /data/local/tmp using adb • adb push frida-server /data/local/tmp • adb shell; su • cd /data/local/tmp; chmod +x frida-server • ./frida-server &
  • 10. 10 Frida Command line Tools ● Common Options: ● frida-ps: List all running and installed applications on the mobile device. ● frida-ls-devices: Shows the list of attached devices. ● frida-kill: Kill the process running on the device by providing process name or process id. ● frida-discover: Tool for discovering internal functions in the program. ● frida-trace: Useful for tracing native function calls. This won’t work for high-level function calls such as loadLibrary() from java.lang.System class in java. 1. -D ID, --device=ID connect to device with the given ID 2. -U, --usb connect to USB device 3. -R, --remote connect to remote frida-server 4. -H HOST, --host=HOST connect to remote frida-server on HOST 5. -f FILE, --file=FILE spawn FILE 6. -n NAME, --attach-name=NAME
  • 11. 11 Frida Internals ● Hijack remote thread - ptrace() ● Allocating memory for Bootstrapper: frida_resolve_library_function - mmap() ● Load libpthread.so - dlopen() ● Create new thread - thread_create() - executing libpthread.so ● Notify debugger • Load frida-agent.so dlopen() in process memory • Locate entry point of frida-agent ● Resume hijacked thread execution • Execute entry point of frida-agent ● Resume execution
  • 14. 14 Operation Modes ● Injected ● Embedded • Interaction types • listen • script • script-directory ● Preloaded (LD_PRELOAD) Embedded mode automation: https://www.github.com/sahildhar/mlibinjector
  • 16. 16 Frida Console – Hello World DEMO
  • 17. 17 RPC 1. import frida 2. 3. # Frida-python Api documentation can be found at ;) 4. # https://github.com/frida/frida-python/blob/master/frida/__init__.py 5. 6. rpc_hello = """ 7. rpc.exports = { 8. helloWorld: function (){ 9. return "Hello World"; 10. }, 11. }; 12. """ 13. 14. device = frida.get_usb_device(timeout=1); 15. pid = device.spawn("owasp.mstg.uncrackable1") 16. session = device.attach(pid) 17. script = session.create_script(rpc_hello) 18. script.load() 19. api = script.exports 20. print(api.hello_world());
  • 18. 18 Java ● Java.Perform(fn): fn will execute after the application class loader is initialized. ● Java.PerformNow(fn): Very useful for early instrumentation i.e. hooking the implementation of system classes and functions. ● Java.use(className): Get wrapper for className which can be initialized by calling $new() on it. ● Java.enumerateLoadedClasses(callback): Enumerate all the classes loaded and execute callback functions on each of them. ● Java.enumerateLoadedClassesSync(): Similar to enumerateLoadedClasses but returns an array of all of the loaded classes ● Java.scheduleOnMainThread(fn): Run fn on main thread, useful for tinkering around the objects that must execute in the main thread. Hint: UI ● Java.choose (classname, callbacks): Search for initialized instances of classname and execute the functions defined in the callbacks. ● Java.array(dataType, []): useful when dealing with java arrays.
  • 19. 19 Frida + Java Reflection API 04
  • 20. 20 Enumerating Class Methods 1. Java.perform(function(){ 2. Java.enumerateLoadedClasses({ 3. onMatch: function(className){ 4. try{ 5. var _class = Java.use(className); 6. if(className.includes("rootinspector")){ 7. var methods = _class.class.getDeclaredMethods(); 8. methods.map(function(methodName){ 9. if(methodName.toString().includes("native")){ 10. console.log(methodName); 11. } 12. }); 13. } 14. } 15. catch(err){} 16. }, 17. onComplete:function(){} 18. }); 19. });
  • 21. 21 Defining Method Implementation 1. Java.perform(function(){ 2. var _rootClass = Java.use("com.devadvance.rootinspector.Root"); 3. var _checkRootMethod0 = _rootClass.checkRootMethod0 4. _checkRootMethod0.implementation = function() 5. { 6. return false; 7. 8. } 9. });
  • 22. 22 Method Overloading 1. Java.performNow(function(){ 2. 3. var _alertDialog = Java.use("android.app.AlertDialog"); 4. _alertDialog.setMessage.overload("java.lang.CharSequence").implementation = function(message){ 5. console.error(message.toString()); 6. return _alertDialog.setMessage.overload("java.lang.CharSequence").apply(this,arguments); 7. } 8. }); Source: https://developer.android.com/reference/android/app/AlertDialog.Builder
  • 23. 23 Hooking Class Constructors 1.Java.perform(function () { 2. var mainactivity = Java.use("com.pragyan.circle.a"); 3. mainactivity.$init.overloads[0].implementation = function(a,b,c,d,e) { 4. console.log(d); 5. return mainactivity.$init.overloads[0].apply(this,arguments); 6. }; 7. 8. send("Hooks installed."); 9.});
  • 24. 24 Calling Pre-initialized Class Instances 1. Java.perform(function () { 2. var _javaString = Java.use("java.lang.String"); 3. var _hexValue = _javaString.$new("65544231587a52794d3138316458417a636c396d4e445 53343673d3d"); 4. Java.choose("com.pragyan.circle.Main",{ 5. onMatch: function(instance){ 6. var flag = instance.a(_hexValue); 7. console.log(flag); 8. }, 9. onComplete: function(){} 10. }); 11. });
  • 25. 25 ● Java Reflection API(s) ● Iterating over returned [Object Object] array. Making sense out of [Object ----] 1. Java.cast(obj.getClass(), Java.use("java.lang.Class")).getDeclaredFields(); 1. function getObjectDetails(obj){ 2. for (var k in obj){ 3. console.log(obj[k]); 4. } 5. console.log("done"); 6. }
  • 26. 26 Interceptor 1. Java.perform(function(){ 2. var checkfopen = Module.findExportByName("libnative2.so", "Java_com_devadvance_rootins pector_Root_checkfopen"); 3. if(checkfopen){ 4. console.log("checkfopen is at: "+checkfopen) 5. Interceptor.attach(checkfopen,{ 6. onEnter: function(args){ 7. //casting jstring object to String 8. console.log(Java.cast(ptr(args[2]), Java.use("java.lang.String"))); 9. console.log("checkfopen called"); 10. }, 11. onLeave: function(retval){ 12. // returning false for the check 13. retval.replace(ptr(0)); 14. } 15. }); 16. } 17. });
  • 28. 28 Root Detection Bypass 1. Java.performNow(function(){ 2. 3. var _system = Java.use("java.lang.System"); 4. _system.exit.implementation = function(){ 5. console.log("Exit called"); 6. } 7. 8. });
  • 29. 29 SQL Cipher – Find and Decrypt 1. Java.choose("net.sqlcipher.database.SQLiteDatabase",{ 2. onMatch: function(ins){ 3. var path_parts = ins.getPath().split("/"); 4. var db_name = path_parts[(path_parts.length -1)].split(".")[0] 5. console.log("DB Name: "+ db_name) 6. var rnd_db_name = db_name + "_" +random_name(5); 7. var sql1 = String.$new("ATTACH DATABASE '/data/user/0/com.test.production/databases/"+rnd _db_name+".sql.plaintext' as "+rnd_db_name+" KEY '';"); 8. var sql2 = String.$new("SELECT sqlcipher_export('"+rnd_db_name+"');"); 9. var sql3 = String.$new("DETACH DATABASE "+rnd_db_name); 10. ins.rawExecSQL(sql1); 11. ins.rawExecSQL(sql2); 12. ins.rawExecSQL(sql3); 13. console.log("Found SqlCipherDatabaseProvider instance"); 14. }, 15. onComplete: function(ins){} 16. });
  • 32. 32 Awesome Frida Frameworks ● Appmon (https://github.com/dpnishant/appmon) ● House (https://github.com/nccgroup/house) ● Objection (https://github.com/sensepost/objection)
  • 33. 33 References ● https://www.frida.re ● https://github.com/frida/frida-core/blob/dd69ad9be80eda6e172d16d924c3db3080f6e40c/src/linux/frida-helper- backend-glue.c#L393 ● https://github.com/dweinstein/awesome-frida ● https://github.com/sahildhar/mlibinjector ● https://docs.oracle.com/javase/8/docs/technotes/guides/reflection/index.html ● https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/ ● https://developer.android.com/reference/android/app/AlertDialog.Builder