Reverse Engineering

Generate keystore

keytool -genkey -v -keystore my-key.keystore -storepass android -dname "C=FR,ST=Internet,L=Internet,O=Redteams,OU=IT Department,CN=redteams.fr" -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000

In APK Studio:

[screenshot: apkstudio.png]

Apktool: “no resource identifier found”

W: C:\Users\Eric\Desktop\com.crackme_2019-02-27_mod\AndroidManifest.xml:17: error: No resource identifier found for attribute 'appComponentFactory' in package 'android'

The framework used by apktool needs to be replaced with the one from the device:

adb pull /system/framework/framework-res.apk
apktool if framework-res.apk

(apktool if installs it as 1.apk in apktool's framework directory; copying it there by hand under that name works too.)

Android HTTPS Interception

Generate the CA certificate (730 days: keeps the validity short enough to avoid NET::ERR_CERT_VALIDITY_TOO_LONG)

openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der -extensions v3_ca -subj "/C=FR/ST=Internet/L=Internet/O=Redteams/OU=IT Department/CN=redteams.fr"

Convert the private key

openssl rsa -in server.key -inform pem -out server.key.der -outform der
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt

Convert the certificate (the public part) to PEM and name it after its subject hash, as the Android CA store expects (e5f4e075 is the value printed by the second command; .0 is the index of the first certificate with that hash):

openssl x509 -inform der -in ca.der -out ca.pem
openssl x509 -inform PEM -subject_hash_old -in ca.pem | head -1
cp ca.pem e5f4e075.0
openssl x509 -inform PEM -text -in ca.pem -out /dev/null >> e5f4e075.0
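
The file name above is not arbitrary: Android looks up CA files by the OpenSSL "old" subject hash, which is also how a defender can map an unexpected file in /system/etc/security/cacerts/ back to its subject. The following is an added example (not part of these notes) that re-implements `openssl x509 -subject_hash_old` for the -subj string used here; the small DER encoder is written for this example only, and it assumes OpenSSL's default utf8only string encoding (C as PrintableString, the rest as UTF8String), so the result may differ from an openssl build configured with another string_mask.

```python
import hashlib

# OIDs of the attribute types used in "/C=FR/ST=.../L=.../O=.../OU=.../CN=..."
ATTR_OIDS = {
    "C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
    "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
}

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV (lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_subject(subj: str) -> bytes:
    """DER-encode an OpenSSL-style "/C=FR/ST=..." subject as an X.501 Name.
    Assumption: C is a PrintableString (0x13), everything else a UTF8String
    (0x0c), matching OpenSSL's default string_mask = utf8only."""
    rdns = b""
    for part in subj.strip("/").split("/"):
        key, _, value = part.partition("=")
        string_tag = 0x13 if key == "C" else 0x0C
        atv = der(0x30, der(0x06, ATTR_OIDS[key]) + der(string_tag, value.encode()))
        rdns += der(0x31, atv)   # each RDN is a SET of one AttributeTypeAndValue
    return der(0x30, rdns)       # Name ::= SEQUENCE OF RelativeDistinguishedName

def hash_old_from_digest(md5: bytes) -> str:
    """X509_NAME_hash_old: first four MD5 bytes read as a little-endian uint32."""
    return "%08x" % int.from_bytes(md5[:4], "little")

def subject_hash_old(subj: str) -> str:
    """Same value `openssl x509 -subject_hash_old` prints for this subject."""
    return hash_old_from_digest(hashlib.md5(encode_subject(subj)).digest())

def cacert_filename(subj: str) -> str:
    """File name Android expects under /system/etc/security/cacerts/."""
    return subject_hash_old(subj) + ".0"

if __name__ == "__main__":
    subject = "/C=FR/ST=Internet/L=Internet/O=Redteams/OU=IT Department/CN=redteams.fr"
    print(cacert_filename(subject))
```

To audit a device, run `openssl x509 -subject -noout -in <file>` on each cacerts entry instead and compare the printed subject against the CAs you expect; the code above shows why the name alone never identifies the issuer.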

Copy the cert to the phone's system CA store (requires root):

adb push e5f4e075.0 /data/local/tmp
adb shell su -c 'mount -o rw,remount /system'
adb shell su -c 'cp /data/local/tmp/e5f4e075.0 /system/etc/security/cacerts/'
adb shell su -c 'chown root:root /system/etc/security/cacerts/e5f4e075.0'
adb shell su -c 'chmod 644 /system/etc/security/cacerts/e5f4e075.0'
adb reboot

Install the cert in Burp

[screenshot: cert.png]

Debugging Android smali code with Android Studio

~/reverse/src# apktool d -f fr.crackme.mobile.app.apk 

I: Using Apktool 2.3.1-dirty on fr.crackme.mobile.app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/vak/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

[screenshots: android01.png to android06.png]

[screenshot: markAsSource.png]

[screenshots: android07.png to android09.png]

Find the port: [screenshot: port.png]

[screenshot: remote.png (“remote”)]

[screenshot: android19.png]

  • Configure debugger

** Add to the application section of the manifest:

    <application
        android:debuggable="true"

** Start the Android Dalvik Debug Monitor Server (DDMS):

(\xxx\Android\Sdk\tools\monitor)

[screenshot: androidDeviceMonitor.png]

  • Connect the device to the host computer with a USB cable.

  • Set the target device to listen for a TCP/IP connection on port 5555.

    # adb tcpip 5555
    * daemon not running. starting it now on port 5037 *
    * daemon started successfully *
    restarting in TCP mode port: 5555
    
    adb connect 192.168.2.81:5555
    

Download the smalidea plugin: https://bitbucket.org/JesusFreke/smali/downloads/

Installation: File -> Settings -> Plugins

[screenshot: smallIDEA.png]

APK Analysis

File -> Profile or debug APK…

Run -> Debug (Shift + F9)

Break on all exceptions, caught or uncaught

  1. Open the Breakpoints window via Run -> View Breakpoints.
  2. The Breakpoints dialog appears. In the left pane, scroll to the bottom and select Any exception under Java Exception Breakpoints.
  3. With Any exception selected, configure the right pane as follows:

    - Suspend: checked
    - All: selected
    - Condition: !(this instanceof java.lang.ClassNotFoundException)
    - Notifications: both Caught exception and Uncaught exception selected

  4. Define filters that specify the namespaces of the libraries the debugger should break on:

    - Check the Class filters checkbox to enable class filtering (as mentioned by @Scott Barta).
    - Click the … (ellipsis) button to open the Class Filters dialog.
    - Specify class namespace patterns by clicking the Add Pattern button. Enter:
        - com.myapp.* (replace this with the namespace prefix of the app)
        - java.* (leave this out so the debugger does not break on every Java library)
        - android.* (as above)

Press OK, then dismiss the Breakpoints dialog.

Frida

  • Installation of frida (client):

    pip install frida-tools
    

In case of “Failed to load the Frida native extension: DLL load failed”:

=> installing Python 3.7 is required

  • Installation (or upgrade) of frida on the Windows/Linux host:

    pip install frida --upgrade
    
  • Installation of frida server on Android:

    adb push frida-server-12.4.0-android-arm64 /data/local/tmp/frida
    adb shell su -c 'mount -o rw,remount /system'
    adb shell su -c 'cp /data/local/tmp/frida /sbin/frida'
    adb shell su -c 'chown root:root /sbin/frida'
    adb shell su -c 'chmod 755 /sbin/frida'
    nohup adb shell su -c "/sbin/frida -D"
    

Validate with: frida-ps -U