
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Joseph

Talk was presented by Abdullah Joseph at NanoSec Conference 2019, InterContinental Hotel Kuala Lumpur on the 9th of October 2019.

  • 1. Code Execution Analysis In Mobile Apps
  • 2. Wait. I know GDB. I don't need this... So, let's try another title...
  • 3. How not to shoot yourself in the foot while debugging mobile apps
  • 4. About Me. Abdullah Joseph / @MalwareCheese. Mobile Security Team Lead @ Adjust. We do mobile attribution, ad fraud analysis and some data stuff (processing 25 petabytes received every 10 days). I like binary stuff. Crypto stuff too. Not so much web and network stuff.
  • 5. About Me (continued). Bonus only for NanoSec: I graduated from APU. Bachelor's in Game Design.
  • 6. Let's start with a CTF

  • 9. Findings. The code block takes our input and puts it in [s]. At 0x080486d3, our input and obj.sekrutBuffer get XORed together. The result has to equal obj.greetingMessage, which is compared against it at 0x080486e6. obj.sekrutBuffer holds the following byte blob: )\x06\x16O+50\x1eQ\x1b[\x14Kb]+S\x10TQCMT]
  • 10. What did we learn? Debugger == God Mode
  • 11. Switching to Mobile. Let's go for Android.
  • 13. How do we get the output of getSecretKey() dynamically?
  • 14. The long way:
        1. Disassemble the app (with apktool or a similar tool)
        2. Set the "app:debuggable" flag to true
        3. Rebuild the app
        4. Sign the app (with Appium's Sign.jar or similar)
        5. Decompile the app to get the Java sources (with the CFR decompiler or jadx)
        6. Set up a gradle project inside the decompiled sources
        7. Set up an IDE, like Android Studio, and port the decompiled Java code to it
        8. Set up the testing device to have that app in the "Wait for debugger" list of apps in "Settings" -> "Developer Mode"
        9. Set breakpoints on the getSecretKey() function
        10. Run the app. It should say "Wait for Debugger" now
        11. Use JDWP to run the app and break at the getSecretKey() function
        12. Examine the return value
        More info here: https://stackify.com/java-remote-debugging/
  • 16. Let's talk about binary instrumentation. Also known as "Function Hooking".
  • 17. Let's talk about binary instrumentation. Also known as "Function Hooking". "The ability to insert a practically unlimited amount of code at any location in a binary to observe or modify that binary's behavior" -- Dennis Andriesse, Practical Binary Analysis
  • 22. So now... How do we get the output of getSecretKey() dynamically?
  • 23. myagent.js:

        // myagent.js
        // ===================
        Java.perform(() => {
          // Wrapper for the activity class whose method we want to observe
          const Activity = Java.use("com.adjust.myapp.MainActivity");
          // Replace getSecretKey() with a hook. A regular function is required here so
          // that `this` is the Java instance; this.getSecretKey() then runs the original.
          Activity.getSecretKey.implementation = function () {
            const retval = this.getSecretKey();
            console.log("getSecretKey() called");
            console.log(`retval = ${retval}`);
            return retval;
          };
        });
        // ===================
        // Run with:
        // $ frida -U -f com.adjust.myapp -l myagent.js
  • 26. Fallbacks, AKA what Frida cannot do / is not. Not a ptrace-based debugger: LLDB and GDB are debuggers capable of deep analysis of every instruction. Frida has a lot of debugger functionality, but its main purpose is to aid in binary analysis and hook into parts of the binary to execute arbitrary instructions. What this means is that, if you intend to step into every function and analyze its execution, it might be better to use LLDB/GDB.
  • 28. Fallbacks, AKA what Frida cannot do / is not. Not the only instrumentation framework: DynamoRIO (open-source & free), Intel PIN (free but closed-source). However, it is the easiest one to use and the only one that supports multiple architectures and VM environments (i.e. Android and iOS) by default.
  • 29. Use Case #1. Analysis: Memory Dumper & Scanner
  • 30. Dumping the process memory and scanning it:

        $ memdumper/memdump.py -U -p com.myapp.adjust -v
        INFO:Starting Memory dump...
        DEBUG:Too big, splitting the dump into chunks
        DEBUG:Number of chunks: 80
        DEBUG:Save bytes: 0x12C00000 till 0x13589680
        DEBUG:Save bytes: 0x13589680 till 0x13F12D00
        DEBUG:Save bytes: 0x13F12D00 till 0x1489C380
        DEBUG:Save bytes: 0x1489C380 till 0x15225A00
        DEBUG:Save bytes: 0x15225A00 till 0x15BAF080
        ...
        DEBUG:Save bytes: 0x223F4900 till 0x22D7DF80
        DEBUG:Save bytes: 0x22D7DF80 till 0x23707600
        DEBUG:Save bytes: 0x23707600 till 0x24090C80
        DEBUG:Save bytes: 0x24090C80 till 0x24A1A300
        DEBUG:Save bytes: 0x24A1A300 till 0x253A3980
        DEBUG:Save bytes: 0x253A3980 till 0x25D2D000
        DEBUG:Save bytes: 0x25D2D000 till 0x266B6680
        DEBUG:Save bytes: 0x266B6680 till 0x2703FD00
        DEBUG:Save bytes: 0x2703FD00 till 0x279C9380
        DEBUG:Save bytes: 0x279C9380 till 0x28352A00
        $ strings -n 5 dump/*.data | uniq | ack -i secret
        THIS IS A SECRET STRING!!!
        THIS IS A SECRET STRING!!!
        THIS IS A SECRET STRING!!!
        THIS IS A SECRET STRING!!!
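The host-side logic behind that output, as an added Python example (it is not the talk's memdump.py): splitting large readable regions into fixed-size chunks the way the DEBUG lines show (0x12C00000 to 0x13589680 is exactly 10,000,000 bytes, the chunk size assumed here), and replaying `strings -n 5 | uniq | ack -i secret` over a memory image constructed inline instead of read from a device.

```python
"""Memory dump chunking and secret-string scanning (added example, not the talk's tool).

On a device the chunks would be read through Frida; here the "dump" is a
constructed byte string so the scanning step runs offline.
"""
from __future__ import annotations

import re

CHUNK_SIZE = 10_000_000  # bytes per chunk; inferred from the slide's boundaries


def chunk_ranges(regions: list[tuple[int, int]], chunk_size: int = CHUNK_SIZE) -> list[tuple[int, int]]:
    """Split [start, end) memory regions into (start, end) chunks of at most chunk_size bytes."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    chunks = []
    for start, end in regions:
        cur = start
        while cur < end:
            nxt = min(cur + chunk_size, end)   # last chunk of a region may be short
            chunks.append((cur, nxt))
            cur = nxt
    return chunks


def extract_strings(data: bytes, min_len: int = 5) -> list[bytes]:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_for_strings(data: bytes, needle: str, min_len: int = 5) -> list[str]:
    """Case-insensitive search over the extracted strings; unique hits in first-seen order."""
    hits: list[str] = []
    seen: set[str] = set()
    for raw in extract_strings(data, min_len):
        text = raw.decode("ascii")
        if needle.lower() in text.lower() and text not in seen:
            seen.add(text)
            hits.append(text)
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a process memory dump (not real device memory)."""
    noise = bytes(range(0, 32)) * 4  # non-printable filler, breaks up string runs
    return (noise + b"THIS IS A SECRET STRING!!!" + noise + b"abc" + noise
            + b"user_token=abcdef0123456789" + noise
            + b"THIS IS A SECRET STRING!!!" + b"\x00" + b"SecretKeyStore" + noise)


if __name__ == "__main__":
    for start, end in chunk_ranges([(0x12C00000, 0x14000000)]):
        print(f"DEBUG:Save bytes: 0x{start:X} till 0x{end:X}")
    for hit in scan_for_strings(build_sample_image(), "secret"):
        print(hit)
```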
  • 31. Use Case #2. Native Android Function Hooker. 10x easier than GDB or LLDB scripting (!)
  • 32. Tracing a native function and its callees:

        [0] % native_stalker/native_stalker.py --process com.myapp.adjust --library libnative-lib.so --addr 0x00009610 --binary /path/to/my/app/libnative-lib.so --verbose
        INFO:Analyzing with R2...
        INFO:Retrieving PLT section...
        INFO:.plt [0x8AE0] -> [0x92D0]
        INFO:Prepping Frida...
        INFO:Resuming process...
        INFO:Hooking library loaders...
        JS: loaders(): {"0":"libnative-lib.so","1":38416,"2":35552,"3":37584}
        INFO:Awaiting hook callbacks...
        JS: Library [native-lib] loaded with java.lang.String.loadLibrary
        [+] JS: stalk_func(): {"0":"libnative-lib.so","1":38416,"2":35552,"3":37584}
        [+] JS: Library base addr: 0x8b2c1000
        [+] JS: Hooking [0x8b2ca610]...
        INFO:Tracing 38416@libnative-lib.so concluded with 11 calls:
        0x8b80 -> sym.imp.free
        0x8c40 -> fcn.00008c40
        0x8b30 -> fcn.00008b30
        0x8b90 -> fcn.00008b90
        0x8c50 -> fcn.00008c50
        0x8b40 -> sym.imp.fopen
        0x8ba0 -> fcn.00008ba0
        0x8bc0 -> fcn.00008bc0
        0x8b70 -> sym.imp.getline
        0x8c30 -> fcn.00008c30
        0x8b20 -> sym.imp.__android_log_vprint
        INFO:Done. You can exit the script now...
  • 33. Misc. Dynamic Analysis: trace any (Dalvik/ObjC/Native) function; dump saved files; memory scanner; automated crypto keys scanner; one-time watchpoints; monitor file system access; SSL pinning bypass. Code Execution: invoke app functionality under controlled circumstances; modify device properties (great for regression tests).
  • 34. Misc (continued), references: https://github.com/afjoseph/mobsec_toolbox, https://github.com/iddoeldor/frida-snippets, https://awakened1712.github.io/hacking/hacking-frida/
  • 36. Abdullah Joseph. Reach me @MalwareCheese. We are hiring Binary Dudes and Dudettes!