## Android Reverse Engineering
* [HTB's Android Hacking Guide](https://www.hackthebox.com/blog/intro-to-mobile-pentesting)
## APK Structure
* `AndroidManifest.xml`, the manifest in Android binary XML, not plain text; decode it with `apktool` or `aapt dump xmltree`
* `classes.dex`, the app's Java/Kotlin code compiled to Dalvik Executable format; larger apps carry additional `classes2.dex`, `classes3.dex`, ... (multidex)
* `resources.arsc`, the compiled resource table (strings, ids, styles); a binary format, not XML
* `res/`, resource directory (layouts, drawables, values); the XML files in it are also stored in binary form
* `assets/`, raw app assets, packaged as-is
* `lib/`, native libraries, one subdirectory per ABI, e.g. `lib/arm64-v8a/libfoo.so`
* `META-INF/`, the v1 (JAR) signature: `MANIFEST.MF` with per-entry digests, a `*.SF` file and the `*.RSA`/`*.DSA`/`*.EC` signature block. v2 and v3 signatures are not files here: they live in the APK Signing Block between the ZIP entries and the central directory, so an APK with nothing useful in `META-INF/` can still be signed.
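An APK is a ZIP, so the layout above can be checked with the standard library alone. The following is an added example, not code from these notes or from any of the tools they cite: it lists the parts of the container, counts dex files, reads the ABIs under `lib/`, checks for the v1 signature files under `META-INF/`, and looks for the APK Signing Block magic that v2/v3 signatures leave immediately before the ZIP central directory. The sample APK and the empty signing block are constructed in memory with placeholder contents; the function names are mine.

```python
import io
import struct
import zipfile
from typing import Dict

SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # last 16 bytes of the APK Signing Block (v2/v3 signatures)
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory record


def central_directory_offset(data: bytes) -> int:
    """Offset of the central directory, read from the EOCD record (no ZIP comment assumed)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP: no end-of-central-directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def has_apk_signing_block(data: bytes) -> bool:
    """v2/v3 signatures end with a fixed magic right before the central directory."""
    cd = central_directory_offset(data)
    return cd >= 16 and data[cd - 16:cd] == SIG_BLOCK_MAGIC


def inspect_apk(data: bytes) -> Dict[str, object]:
    """Summarise the parts of an APK named in the structure list."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    # classes.dex, classes2.dex, ... in numeric order (classes10.dex after classes9.dex)
    dex = sorted((n for n in names if n.startswith("classes") and n.endswith(".dex")),
                 key=lambda n: int(n[len("classes"):-len(".dex")] or 1))
    abis = sorted({n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") >= 2})
    meta = [n for n in names if n.startswith("META-INF/")]
    return {
        "manifest": "AndroidManifest.xml" in names,
        "dex": dex,
        "resources_arsc": "resources.arsc" in names,
        "res": any(n.startswith("res/") for n in names),
        "assets": any(n.startswith("assets/") for n in names),
        "abis": abis,
        # v1 (JAR) signing needs MANIFEST.MF, a .SF file and a signature block file
        "v1_signature": "META-INF/MANIFEST.MF" in meta
                        and any(n.endswith(".SF") for n in meta)
                        and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta),
        "v2_or_v3_signature": has_apk_signing_block(data),
    }


def build_sample_apk() -> bytes:
    """Constructed sample: realistic entry names, placeholder contents, no real dex or resources."""
    entries = {
        "AndroidManifest.xml": b"<binary xml placeholder>",
        "classes.dex": b"dex\n035\x00placeholder",
        "classes2.dex": b"dex\n035\x00placeholder",
        "resources.arsc": b"placeholder resource table",
        "res/layout/main.xml": b"placeholder",
        "assets/config.json": b"{}",
        "lib/arm64-v8a/libnative.so": b"placeholder",
        "lib/armeabi-v7a/libnative.so": b"placeholder",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
        "META-INF/CERT.RSA": b"placeholder PKCS#7 blob",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def splice_fake_signing_block(data: bytes) -> bytes:
    """Insert an empty APK Signing Block (framing only, no signature) before the central
    directory and fix the EOCD offset. Constructed for the demo: it shows where v2/v3
    signatures sit in the file, nothing more."""
    cd = central_directory_offset(data)
    eocd = data.rfind(EOCD_SIG)
    size_of_block = 8 + 16                       # trailing size field + magic, zero ID-value pairs
    block = struct.pack("<QQ", size_of_block, size_of_block) + SIG_BLOCK_MAGIC
    patched = data[:cd] + block + data[cd:]
    eocd += len(block)                           # the EOCD moved by the block length too
    return patched[:eocd + 16] + struct.pack("<I", cd + len(block)) + patched[eocd + 20:]


if __name__ == "__main__":
    for label, apk in (("v1 only", build_sample_apk()),
                       ("v1 + signing block", splice_fake_signing_block(build_sample_apk()))):
        print(label, inspect_apk(apk))
```

Run it against a real APK by passing `open("app.apk", "rb").read()` to `inspect_apk`; the magic check only proves a signing block is present, verifying the signature itself is a job for `apksigner verify --verbose`.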
## SMALI
* Smali is the human-readable assembler syntax for Dalvik bytecode, i.e. the instructions inside `classes.dex`. It is disassembled from dex (`baksmali`, `apktool`) and can be assembled back, which is what makes patch-and-repack workflows possible. It is not Java bytecode: the JVM `.class` files are translated to dex at build time.
* Type descriptors

```
V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array, prefixed to the element type, e.g. [I is int[]
L object reference, Lpackage/Class; e.g. Ljava/lang/String;
```
## Misc

* `Dalvik` was Android's virtual machine for dex bytecode, a register machine rather than a stack machine like the JVM. Since Android 5.0 it has been replaced by ART, which still executes the same dex format, so the register model below applies to both.
### Registers
* Registers are 32 bits wide.
* `long` and `double` values occupy two adjacent registers (32+32 = 64 bits).
* `.registers N`, total number of registers in the method (locals plus parameters).
* `.locals N`, number of non-parameter registers; a method declares either `.registers` or `.locals`, and the assembler derives one from the other.
* Method parameters are placed in the highest-numbered registers, in declaration order.
* For non-static methods the object itself (`this`) is the first parameter, so it is `p0`.
* Register naming schemes:
  * Local registers are named `v0`, `v1`, `v2`, ...
  * Parameter registers carry a second name on top, `p0`, `p1`, ...: with `.registers 4` in an instance method taking one `int`, `this` is `p0` = `v2` and the argument is `p1` = `v3`.
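The type table in the SMALI section and the register rules above are enough to work out the `p`/`v` aliasing of any method header without opening a disassembler. The following is an added example, not code from these notes or from any of the cited tools: it parses a Dalvik method descriptor (primitives, `[` arrays, `L...;` objects), counts the registers each parameter needs (two for `J`/`D`), and reports which `v` register every `p` register aliases for a given `.registers` count, including the `.locals` value. The method signatures it is run on are constructed inputs and the function names are mine.

```python
from typing import Dict, List, Tuple

PRIMITIVE = "ZBSCFIJD"   # the one-letter types from the SMALI table (V is only valid as a return type)
WIDE = {"J", "D"}        # long and double occupy two 32-bit registers


def parse_descriptor(desc: str) -> Tuple[List[str], str]:
    """Split a method descriptor into parameter types and return type.

    '(IJ[Ljava/lang/String;)V' -> (['I', 'J', '[Ljava/lang/String;'], 'V')
    """
    if not desc.startswith("(") or ")" not in desc:
        raise ValueError(f"not a method descriptor: {desc!r}")
    close = desc.index(")")
    params, ret = desc[1:close], desc[close + 1:]
    types: List[str] = []
    i = 0
    while i < len(params):
        start = i
        while i < len(params) and params[i] == "[":    # array dimensions prefix the element type
            i += 1
        if i >= len(params):
            raise ValueError("dangling '[' in descriptor")
        if params[i] == "L":                             # object reference: L<class>;
            i = params.index(";", i) + 1
        elif params[i] in PRIMITIVE:
            i += 1
        else:
            raise ValueError(f"bad type at offset {i}: {params[i]!r}")
        types.append(params[start:i])
    if not (ret == "V" or ret[0] in PRIMITIVE + "[L"):
        raise ValueError(f"bad return type {ret!r}")
    return types, ret


def register_width(t: str) -> int:
    """Registers a value of type t needs: 2 for J/D, 1 for everything else (refs included)."""
    return 2 if t in WIDE else 1


def parameter_map(descriptor: str, registers: int, static: bool = False) -> Dict[str, object]:
    """Map the p-registers of a method onto the v-registers they alias.

    `registers` is the method's `.registers` value. Parameters sit in the
    highest-numbered registers in order, with `this` first for instance methods.
    Returns the implied `.locals` count and, per parameter, its type and the
    p/v names of every register it occupies.
    """
    types, _ = parse_descriptor(descriptor)
    slots = ([] if static else [("this", "(declaring class)")])
    slots += [(f"arg{n}", t) for n, t in enumerate(types)]
    param_regs = sum(register_width(t) for _, t in slots)
    if registers < param_regs:
        raise ValueError(f".registers {registers} cannot hold {param_regs} parameter registers")
    locals_ = registers - param_regs                 # first parameter register is v<locals_>
    params = []
    p = 0
    for name, t in slots:
        width = register_width(t)
        params.append({
            "name": name,
            "type": t,
            "p": [f"p{p + k}" for k in range(width)],
            "v": [f"v{locals_ + p + k}" for k in range(width)],
        })
        p += width
    return {"locals": locals_, "params": params}


if __name__ == "__main__":
    # Constructed headers: an instance method `foo(I)V` with `.registers 4`
    # (the case in the notes) and a static `bar(IJ)V` with `.registers 5`.
    for desc, regs, static in (("(I)V", 4, False), ("(IJ)V", 5, True)):
        m = parameter_map(desc, regs, static)
        print(f"{desc} .registers {regs} static={static} -> .locals {m['locals']}")
        for prm in m["params"]:
            print("  ", prm["name"], prm["type"], "/".join(prm["p"]), "=", "/".join(prm["v"]))
```

For the `(I)V` case this prints `this = p0 = v2` and the argument `p1 = v3`; for the static `(IJ)V` case the `long` shows up as `p1/p2 = v3/v4`, which is the detail that trips people up when patching `invoke-*` argument lists by hand.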
## Tools
* `jadx -d <outdir> <apk or dex>`, dex-to-Java decompiler that reads the APK directly; `jadx-gui` for browsing and renaming
* dex2jar converts the dex inside an APK (or a bare dex) to a jar that Java decompilers can open

```sh
d2j-dex2jar.sh /path/application.apk   # writes application-dex2jar.jar next to it
```

* Dex to smali with `d2j-dex2smali.sh`
* jd-gui, GUI Java decompiler; open the jar produced by dex2jar
* `apktool d app.apk` decodes the manifest and resources and disassembles the dex to smali; `apktool b` rebuilds the APK, which must then be re-signed before it installs

* [Firebase scanner](https://github.com/shivsahni/FireBaseScanner.git), checks the Firebase instances an app references for open (unauthenticated) databases
* [Mara reversing framework](https://github.com/xtiankisutsa/MARA_Framework.git), wrapper that runs several of the tools above in one pass
* [Mobile Security Framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF.git), static and dynamic analysis with a web UI
* ProGuard (and R8, its replacement in current Android builds) obfuscates: it shrinks and renames classes and members to `a`, `b`, `c`, ... Deobfuscation needs the build's `mapping.txt` (ProGuard's `retrace`); without it you rename symbols yourself in jadx.
* [PID Cat log reader](https://github.com/JakeWharton/pidcat.git), colored `logcat` filtered by package name
* Burp Suite listener for an Android emulator: point the emulator at the listener (`adb shell settings put global http_proxy <host>:<port>`) and install Burp's CA certificate; from Android 7 onward apps trust user-installed CAs only if their network security config allows it, so expect to patch the APK or use a system CA on a rooted image.
* [Drozer](https://github.com/FSecureLABS/drozer), agent app on the device listening on TCP 31415, console on the host; the `run` lines below are typed inside the drozer console

```sh
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list                                # all installed packages
run app.package.info -a <package_name>              # uid, data directory, permissions of one package
run app.package.attacksurface <package_name>        # exported activities, services, receivers, providers
run app.activity.info -a <package_name>             # exported activities (-f <string> filters by name)
run app.activity.start --component <package_name> <component_name>
```

```sh
run app.provider.info -a <package_name>             # exported content providers and their permissions
run scanner.provider.finduris -a <package_name>     # enumerate content:// URIs that can be queried
run app.provider.query <uri>                        # dump rows, optionally with --projection / --selection
run app.provider.update <uri> --selection "<where>" --selection-args <arg> --string <column> <value>
run scanner.provider.sqltables -a <package_name>    # list table names via injection
run scanner.provider.injection -a <package_name>    # SQL injection in projection / selection
run scanner.provider.traversal -a <package_name>    # path traversal in providers that serve files
```