## Android Reverse Engineering

* [HTB's Android Hacking Guide](https://www.hackthebox.com/blog/intro-to-mobile-pentesting)

## APK Structure

* `AndroidManifest.xml`, binary XML
* `classes.dex`, app code compiled to dex
* `resources.arsc`, precompiled resources in XML
* `res`, resource dir
* `assets`, app assets
* `lib`, libraries
* `META-INF`, contains the metadata file `MANIFEST.MF` and the signature of the apk.

## SMALI

* `SMALI` is the byte code derived from Java.
* Types

```
V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array
```

## Misc

* `Dalvik` is the JVM of Android

### Registers

* Registers are 32 bits
* Types long and double use two registers: 32+32=64 bits
* `.registers`, total number of regs in the method
* `.locals`, non-parameter regs in the method
* Arguments of a method are put into registers from highest to lowest.
* The object itself is a parameter to its method.
* Register naming schemes are
  * Normal local registers are named v0, v1, v2 ...
  * Parameter registers are a second naming on top, e.g. v2 and p0 or v3 and p1 are the same registers.

## Tools

* `jadx -d` as a decompiler
* dex2jar to convert apk to jar

```sh
d2j-dex2jar.sh /path/application.apk
```

* Dex to smali with `d2j-dex2smali`
* jd-gui as decompiler
* `apktool` smali source from apk
* [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git)
* [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git)
* [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git)
* Proguard deobfuscates code
* [PID Cat log reader](https://github.com/JakeWharton/pidcat.git)
* Burpsuite listener on Android emulator
* [Drozer](https://github.com/FSecureLABS/drozer)

```sh
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -> see all the packages installed
run app.package.info -a -> view package information
run app.package.attacksurface package_name
run app.activity.info -f package_name
run app.activity.start --component package_name component_name
```

```sh
run app.provider.info -a package_name
run scanner.provider.finduris -a package_name
run app.provider.query uri
run app.provider.update uri --selection conditions selection_arg column data
run scanner.provider.sqltables -a package_name
run scanner.provider.injection -a package_name
run scanner.provider.traversal -a package_name
```
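The type table in the SMALI section and the register rules in the Registers section are the two things you need when reading a disassembled method: which parameter lives in which `v` register, and how many registers a `long` or `double` eats. The script below is an added example (not part of the original notes or of any tool listed here) that parses a smali method header as apktool/baksmali emits it and computes the `pN -> vM` mapping. The function names (`parse_descriptor`, `map_parameters`, `human_type`) and the sample headers in the test are my own, constructed for illustration.

```python
"""Map smali parameter registers (p0, p1, ...) onto v-registers.

Rules applied, as stated in the notes above:
  * parameters occupy the highest-numbered registers of the frame, in order
  * J (long) and D (double) are wide: they take two registers each
  * a non-static method has an implicit `this` as p0
  * .registers = total frame size; .locals = frame size minus parameter slots
"""
import re
from typing import Dict, List, Tuple

# Primitive descriptors from the type table; J and D are wide.
TYPE_NAMES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "F": "float", "I": "int", "J": "long", "D": "double"}
WIDE = {"J", "D"}


def parse_descriptor(sig: str) -> List[str]:
    """Split the parameter list of a method descriptor into individual types,
    e.g. '(I[BLjava/lang/String;J)V' -> ['I', '[B', 'Ljava/lang/String;', 'J']."""
    params = sig[sig.index("(") + 1 : sig.index(")")]
    types, i = [], 0
    while i < len(params):
        start = i
        while params[i] == "[":          # one '[' per array dimension
            i += 1
        if params[i] == "L":             # object type runs up to the next ';'
            i = params.index(";", i) + 1
        elif params[i] in TYPE_NAMES:    # single-letter primitive
            i += 1
        else:
            raise ValueError(f"bad descriptor at offset {i}: {params}")
        types.append(params[start:i])
    return types


def human_type(t: str) -> str:
    """'[B' -> 'byte[]', 'Ljava/lang/String;' -> 'java.lang.String'."""
    dims = len(t) - len(t.lstrip("["))
    base = t[dims:]
    name = TYPE_NAMES.get(base) or base[1:-1].replace("/", ".")
    return name + "[]" * dims


def register_width(t: str) -> int:
    """Registers consumed by one value of type t (this and references are 1)."""
    return 2 if t in WIDE else 1


def map_parameters(method_header: str) -> Dict:
    """Return {'registers': N, 'locals': M, 'params': [(pN, vM, type), ...]}
    for a header containing a .method line and .registers or .locals."""
    m = re.search(r"\.method\s+(?P<mods>(?:\w+\s+)*)(?P<name>[^\s(]+)(?P<sig>\([^)]*\)\S+)",
                  method_header)
    if not m:
        raise ValueError("no .method line found")
    is_static = "static" in m.group("mods").split()
    types = parse_descriptor(m.group("sig"))
    if not is_static:
        types = ["this"] + types         # implicit receiver is p0
    param_width = sum(register_width(t) for t in types)

    regs = re.search(r"\.registers\s+(\d+)", method_header)
    locs = re.search(r"\.locals\s+(\d+)", method_header)
    if regs:
        total = int(regs.group(1))
    elif locs:
        total = int(locs.group(1)) + param_width
    else:
        raise ValueError("need a .registers or .locals directive")

    first = total - param_width          # parameters sit at the top of the frame
    mapping: List[Tuple[str, str, str]] = []
    p, v = 0, first
    for t in types:
        mapping.append((f"p{p}", f"v{v}", t))
        w = register_width(t)            # a wide value skips a p/v number
        p, v = p + w, v + w
    return {"registers": total, "locals": total - param_width, "params": mapping}


if __name__ == "__main__":
    # Constructed sample header, in the shape baksmali produces.
    sample = ".method public static foo(Ljava/lang/String;JI)V\n    .registers 8\n"
    for p, v, t in map_parameters(sample)["params"]:
        print(f"{p} = {v}  {human_type(t)}")
```

For `foo(Ljava/lang/String;JI)V` with `.registers 8` the parameters take the top four slots, so `p0` is `v4` (the String), `p1`/`p2` are `v5`/`v6` (the long) and `p3` is `v7` (the int); a non-static method with `.locals 2` and one `int` argument gets `this` at `p0 = v2` and the int at `p1 = v3`.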
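The APK Structure section lists what a package should contain; a quick first-pass triage is to confirm those entries are present, count dex files (more than one means multidex), list the native ABIs under `lib/`, and see which signature files sit in `META-INF`. The script below is an added example, not taken from the original notes or from any listed tool. Since an APK is a zip, it uses only the standard `zipfile` module; the APK it inspects is a constructed stand-in with dummy contents so the example runs offline, and `inventory_apk` / `build_sample_apk` are names of my own.

```python
"""Inventory the top-level layout of an APK against the structure in the notes."""
import io
import zipfile
from typing import Dict

SIGNATURE_EXTS = ("MF", "SF", "RSA", "DSA", "EC")   # v1 (JAR) signing files in META-INF


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: realistic entry names, dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # placeholder binary-XML bytes
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("classes2.dex", b"dex\n035\x00")            # second dex => multidex
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"")
        z.writestr("assets/config.json", b"{}")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("lib/x86_64/libnative.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"")
        z.writestr("META-INF/CERT.RSA", b"")
    return buf.getvalue()


def inventory_apk(apk_bytes: bytes) -> Dict:
    """Classify the zip entries of an APK into the components the notes describe."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    known_top = ("AndroidManifest.xml", "resources.arsc")
    known_dirs = ("res/", "assets/", "lib/", "META-INF/")
    info = {
        "has_manifest": "AndroidManifest.xml" in names,
        "has_resources": "resources.arsc" in names,
        # only top-level classes*.dex files count as app code
        "dex_files": sorted(n for n in names if n.endswith(".dex") and "/" not in n),
        # lib/<abi>/<name>.so -> collect the ABI directory names
        "native_abis": sorted({n.split("/")[1] for n in names
                               if n.startswith("lib/") and n.count("/") >= 2}),
        "signature_files": sorted(n for n in names if n.startswith("META-INF/")
                                  and n.rsplit(".", 1)[-1] in SIGNATURE_EXTS),
        "asset_count": sum(1 for n in names if n.startswith("assets/")),
        # anything outside the expected layout is worth a second look
        "other": sorted(n for n in names if not n.startswith(known_dirs)
                        and n not in known_top and not n.endswith(".dex")),
    }
    info["multidex"] = len(info["dex_files"]) > 1
    return info


if __name__ == "__main__":
    for key, value in inventory_apk(build_sample_apk()).items():
        print(f"{key:16} {value}")
```

To run it on a real package, read the file into `apk_bytes` and call `inventory_apk` on it. Note that the `META-INF` files only cover the JAR-style (v1) signature; APK Signature Scheme v2 and later store the signature in the zip's signing block rather than as entries, so an empty `signature_files` list does not by itself mean the package is unsigned.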