Android Reverse Engineering
APK Structure
- AndroidManifest.xml, binary XML
- classes.dex, app code compiled to dex
- resources.arsc, precompiled resources in XML
- res, resource dir
- assets, app assets
- lib, libraries
- META-INF, contains the metadata file MANIFEST.MF and the signature of the apk.
SMALI
SMALI is the bytecode derived from Java.
- Types
  V  void
  Z  boolean
  B  byte
  S  short
  C  char
  F  float
  I  int
  J  long
  D  double
  [  array
Misc
- Dalvik is the JVM of Android
Registers
- Registers are 32 bits.
- Types long and double use two registers (32+32=64 bits).
- .registers, total number of registers in the method.
- .locals, non-parameter registers in the method.
- Arguments of a method are put into registers from highest to lowest.
- The object itself is a parameter to its method.
- Register naming schemes are:
  - Normal local registers are named v0, v1, v2 ...
  - Parameter registers are a second naming on top, e.g. v2 and p0 or v3 and p1 are the same registers.
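As an added example (not part of the original notes), a small Python helper that applies the register rules above: it parses a smali method header and its .registers/.locals directive, gives `this` and each typed parameter its p-registers (long and double taking two), and resolves them to the v-registers they alias. The smali snippet it runs on is constructed for the example.

```python
import re

# Register width of a Dalvik type descriptor: long (J) and double (D) take two 32-bit registers.
def type_width(desc):
    return 2 if desc in ("J", "D") else 1

def parse_param_types(descriptor):
    """Split a parameter list such as 'JLjava/lang/String;[I' into single type descriptors."""
    types, i = [], 0
    while i < len(descriptor):
        start = i
        while descriptor[i] == "[":          # array dimensions prefix the element type
            i += 1
        if descriptor[i] == "L":             # object type runs up to the closing ';'
            i = descriptor.index(";", i) + 1
        else:
            i += 1                           # primitive type is a single letter
        types.append(descriptor[start:i])
    return types

METHOD_RE = re.compile(r"\.method\s+(?P<mods>(?:[a-z]+\s+)*)\S+\((?P<params>[^)]*)\)")
REGS_RE = re.compile(r"\.(registers|locals)\s+(\d+)")

def register_layout(smali_method):
    """Return (total_registers, [(type, p-registers, v-registers), ...]) for a smali method."""
    m, r = METHOD_RE.search(smali_method), REGS_RE.search(smali_method)
    if not m or not r:
        raise ValueError("need a .method line plus a .registers or .locals directive")
    is_static = "static" in m.group("mods").split()
    # A non-static method receives the object itself as its first parameter, p0.
    params = ([] if is_static else ["this"]) + parse_param_types(m.group("params"))
    widths = [1 if t == "this" else type_width(t) for t in params]
    param_regs = sum(widths)
    if r.group(1) == "registers":
        total = int(r.group(2))               # .registers counts every register of the method
    else:
        total = int(r.group(2)) + param_regs  # .locals counts only the non-parameter registers
    first = total - param_regs                # parameters occupy the highest registers
    layout, p = [], 0
    for t, w in zip(params, widths):
        layout.append((t, [f"p{p + k}" for k in range(w)], [f"v{first + p + k}" for k in range(w)]))
        p += w
    return total, layout

# Constructed sample: instance method taking a long and an int, with two local registers.
SAMPLE = ".method public foo(JI)V\n    .locals 2\n    return-void\n.end method\n"
if __name__ == "__main__":
    total, layout = register_layout(SAMPLE)
    print(f"{total} registers:", layout)
```

For the sample method the p-registers start at v2, so p0 is v2 and p1 is v3, exactly the aliasing the notes describe.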
Tools
- jadx -d <outdir> <apk or dex>, as a decompiler
- dex2jar to convert apk to jar: d2j-dex2jar.sh /path/application.apk
- Dex to smali with d2j-dex2smali
- jd-gui as decompiler
- apktool, smali source from apk
- Proguard deobfuscates code
- Burpsuite listener on Android emulator: adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -> see all the packages installed
run app.package.info -a -> view package information.
run app.package.attacksurface package_name
run app.activity.info -f package_name
run app.activity.start --component package_name component_name
run app.provider.info -a package_name
run scanner.provider.finduris -a package_name
run app.provider.query uri
run app.provider.update uri --selection conditions selection_arg column data
run scanner.provider.sqltables -a package_name
run scanner.provider.injection -a package_name
run scanner.provider.traversal -a package_name