Android Dynamic Analysis

Emulator 1: Genymotion

Click import/export CA certificate --> Export --> Certificate in DER format --> Choose a path and name it anything with a .cer extension --> Next

cd C:\Program Files\Genymobile\Genymotion\tools
.\adb.exe root
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shell

root@vbox86p:/ # cd /mnt/sdcard
root@vbox86p:/mnt/sdcard # ls
Alarms
Android
DCIM
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
burp.cer

--using adb standard--
 .\adb.exe connect localhost:21503
 .\adb.exe remount
 .\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
 .\adb.exe shell

Security > Install from SD Card

After that, install the certificate also inside the SYSTEM trusted certificates.

Export the .der certificate from burp.

--- PREPARE the CERT to import----
openssl x509 -inform DER -in burp -out burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem 
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem | head -n 1
9a5ba575
mv burp_cert.pem 9a5ba575.0

-- Import it--
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push 9a5ba575.0 /system/etc/security/cacerts/
C:\Users\sirpe\Downloads\9a5ba575.0: 1 file pushed, 0 skipped. 3.4 MB/s (1375 bytes in 0.000s)

Confirmation:

Configure also the proxy settings in the emulator:

Now, on the Wi-Fi settings:

Finally, install the target apk.

.\adb.exe install C:\Users\sirpe\Downloads\app.apk

Emulator 2: Memu Play

To configure it with burpsuite, use the same steps above.

ProxyDroid is also a good option to bypass some restrictions and filtering all the traffic via burp.

Don't forget of putting the Memu VM as "root".

Install python3 - Windows 10

1. Go to the website and download the latest version of Pythonhttps://www.python.org/downloads/ 2. After downloading the file, run the installation file. 3. Put a checkmark on Add Python to PATH and then on Customize Installation

4. At this step, make sure that there are checkmarks everywhere.

5. Here is the same thing, pay attention to the checkbox Add Python to environment variables and change the default folder, for example, to C: \ Python

6. We are waiting for the installer to do its job. 7. Removes restrictions on the length of the file name. 8. Further, in order for Python to work normally, go to Options-> Applications and Features-> Application Execution Aliases (App execution aliases) and remove the toggle switches

9. Next, open cmd as administrator and enter these two commands:

msiexec /unreg
msiexec /regserver
python --version

Python3 venv + Frida

Open a cmd.exe terminal with Administration privileges.

PS Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
python -m venv .
PS C:\Tools\frida\frida_venv\Scripts> .\Activate.ps1

Open cmd with administrator rights and enter:

pip install frida
pip install objection
pip install frida-tools

Download adbtools and Frida-server + the rest

1. Download the latest version of adbtools on the site here https://dl.google.com/android/repository/platform-tools-latest-windows.zip and unpack it into a convenient folder, in my case it is C:\Tools\adb

2. We save this script under the name fridascript.js in the adb folder

Java.perform(function() {         

var array_list = Java.use("java.util.ArrayList");
var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');

ApiClient.checkTrustedRecursive.implementation = function(a1,a2,a3,a4,a5,a6) {
// console.log('Bypassing SSL Pinning');
var k = array_list.$new();
return k;
}

},0);

3. Go to the emulator Settings-> About tablet and click on the "Build number" tab a couple of times

4. Open cmd in the folder with adb and connect the device

adb connect 127.0.0.1:21503

5. Next, we need to download the Frida-server in accordance with the architecture of our device, so for this we will enter another command in cmdadb shell getprop ro.product.cpu.abi

PS C:\Tools\adb\platform-tools> .\adb.exe shell getprop ro.product.cpu.abi
x86

6. Go to the site https://github.com/frida/frida/releases/ and download, in my case it's frida-server-xx.xx.xx-android-x86.xz

Unpack the contents of the archive in the folder with adb or 7zip

Now, upload frida-server into the device, for this we launch cmd from the adb folder and enter

.\adb.exe push .\frida-server-14.2.18-android-x86\ /data/local/temp
.\adb.exe shell chmod 777 /data/local/temp/frida-server-14.2.18-android-x86

Start the frida server:

.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'

--or-- (physical device)
.\adb.exe shell "su -c '/data/local/tmp/frida-server-14.2.18-android-arm &'"

7. There will be no output from this command, and do not close this cmd window, we need to keep frida-server running while we intercept requests, now we will try to see all running services on the device, for this we open a new command line and enter frida-ps -U

(frida_venv) PS C:\Tools\frida> frida-ps.exe -U  

(frida_venv) PS frida.exe -U -l C:\Tools\adb\platform-tools\frida.js --no-pause -f com.instagram.android 

frida-trace

 frida-trace.exe -U -f 'com.xx.xx.xxx' -j 'android.util.Log!*'
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -S frida.js 
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' 
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -T 

After that, a folder named "__handlers__" is created where you executed the frida-trace command.

You can add your code to intercept a specific call, and re-run the trace.

After re-run it, you will get it 😎

fridump

frida-ps -U
python .\fridump.py -U com.xx.xx.xxxx

GitHub - Nightbringer21/fridump: A universal memory dumper using FridaGitHub

GitHub - hluwa/FRIDA-DEXDump: Fast search and dump dex on memory.GitHub

adb logcat

adb.exe logcat

References

1 место - Android на POST\GET с помощью Frida-Server+BURPSuite и бонусZennoLab - Сообщество профессионалов автоматизации

Frida TutorialHackTricks

Configuring Frida with BurpSuite and Genymotion to bypass SSL Pinning

Android Applications PentestingHackTricks

Pentesting Android Applications: Tools and Step-by-Step InstructionsApriorit

Frida CodeShare