killchain-compendium/reverse engineering/android/misc.md

2.2 KiB

Misc

  • Dalvik is the JVM of Android

SMALI

  • SMALI is the byte code derived from Java.
  • Types
V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array

Registers

  • Registers are 32 bits

  • Type long and double use two registers 32+32=64 bits

  • .registers, total number of regs in method

  • .locals, non parameter regs in method

  • Arguments of a method are put into registers from highest to lowest.

  • The object itself is a parameter to its method.

  • Register naming schemes are

  • Normal local register are name v0, v1, v2 ...

  • Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers.

APK Structure

  • AndroidManifest.xml, binary XML
  • classes.dex, app code compilation as dex
  • resource.arsc, precompiled resources in XML
  • res, resource dir
  • assets app assets
  • lib, libraries
  • META/INF, contains metadata file MANIFEST.MF and signature of the apk.

Tools

  • jadx -d <outdir> <apk or dex> as a decompiler
  • dex2jar to convert apk to jar
d2j-dex2jar.sh /path/application.apk
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -> see all the packages installed
run app.package.info -a -> view package information.
run app.package.attacksurface package_name
run app.activity.info -f package_name
run app.activity.start --component package name component_name
run app.provider.info -a package_name
run scanner.provider.finduris -a package_name
run app.provider.query uri
run app.provider.update uri --selection conditions selection_arg column data
run scanner.provider.sqltables -a package_name
run scanner.provider.injection -a package_name
run scanner.provider.traversal -a package_name