killchain-compendium/reverse engineering/android/misc.md

Misc

• Dalvik is the JVM of Android

SMALI

• SMALI is the byte code derived from Java.
• Types

V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array

Registers

• Registers are 32 bits

• Type long and double use two registers 32+32=64 bits

• .registers, total number of regs in method

• .locals, non parameter regs in method

• Arguments of a method are put into registers from highest to lowest.

• The object itself is a parameter to its method.

• Register naming schemes are

• Normal local register are name v0, v1, v2 ...

• Parameter register are a second naming on top, e.g.v2 and p0 or v3 and p1 are the same registers.

APK Structure

• AndroidManifest.xml, binary XML
• classes.dex, app code compilation as dex
• resource.arsc, precompiled resources in XML
• res, resource dir
• assets app assets
• lib, libraries
• META/INF, contains metadata file MANIFEST.MF and signature of the apk.

Tools

• jadx -d <outdir> <apk or dex> as a decompiler
• dex2jar to convert apk to jar

d2j-dex2jar.sh /path/application.apk

• Dex to smali with d2j-dex2smali

• jd-gui as decompiler

• apktool smali source from apk

• Firebase scanner

• Mara reversing framework

• Mobile Security Framework

• Proguard deobfuscates code

• PID Cat log reader

• Burpsuite listener on Android emulator

• Drozer

adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -> see all the packages installed
run app.package.info -a -> view package information.
run app.package.attacksurface package_name
run app.activity.info -f package_name
run app.activity.start --component package name component_name

run app.provider.info -a package_name
run scanner.provider.finduris -a package_name
run app.provider.query uri
run app.provider.update uri --selection conditions selection_arg column data
run scanner.provider.sqltables -a package_name
run scanner.provider.injection -a package_name
run scanner.provider.traversal -a package_name