Android Dynamic Analysis


Last updated 3 years ago


Emulator 1: Genymotion

Genymotion images are x86, so an APK that ships only ARM native libraries will not run until you flash the Genymotion ARM translation package into the VM (see the Genymotion_ARM_Translation link in the references).

Export Burp's CA certificate: Proxy > Options > Import/export CA certificate --> Export --> Certificate in DER format --> choose a path and name it anything with a .cer extension --> Next

Push the exported certificate to the emulator with Genymotion's bundled adb (Genymotion VMs are rooted, so adb root/remount work):

cd C:\Program Files\Genymobile\Genymotion\tools
.\adb.exe root
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shell

root@vbox86p:/ # cd /mnt/sdcard
root@vbox86p:/mnt/sdcard # ls
Alarms
Android
DCIM
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
burp.cer

--using a standard adb (platform-tools) instead: connect to the port the VM exposes (listed by "adb devices"; 21503 here)--
 .\adb.exe connect localhost:21503
 .\adb.exe remount
 .\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
 .\adb.exe shell

In the emulator: Settings > Security > Install from SD card, and pick burp.cer.

That installs it into the user store, which apps targeting Android 7 (API 24) or later ignore by default, so also install the certificate into the SYSTEM trusted store. Start from the same .der/.cer file exported from Burp.

--- PREPARE the CERT to import ----
openssl x509 -inform DER -in burp.cer -out burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -noout -in burp_cert.pem
9a5ba575
mv burp_cert.pem 9a5ba575.0

Android names every system CA <subject_hash_old>.0 (the legacy OpenSSL name hash, not -subject_hash) and expects the PEM-encoded certificate in that file.

-- Import it --
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push 9a5ba575.0 /system/etc/security/cacerts/
C:\Users\sirpe\Downloads\9a5ba575.0: 1 file pushed, 0 skipped. 3.4 MB/s (1375 bytes in 0.000s)

If remount fails with a read-only /system, run adb root first; after the push make sure the file is world-readable (mode 644) like the other entries in that directory, or the framework will skip it.
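The openssl steps above only produce a file name; when openssl is not at hand (a bare Windows box), the same name can be computed directly. The script below is an added example, not part of the original page: it reproduces `openssl x509 -subject_hash_old` (MD5 over the DER-encoded subject Name, first four bytes read little-endian) with a minimal DER walker and no third-party modules, so `python cacert_name.py burp.cer` prints the `<hash>.0` name to rename burp_cert.pem to. The sample certificate it falls back on is constructed here: it has the real TBSCertificate field layout but a dummy signature, and exists only to exercise the parser.

```python
"""Compute the /system/etc/security/cacerts/ file name for a DER certificate.

Android names each system CA <subject_hash_old>.0, where subject_hash_old is
OpenSSL's legacy X509_NAME hash: the first four bytes of MD5(DER(subject)),
interpreted as a little-endian 32-bit integer, printed as 8 hex digits.
"""
import hashlib
import sys


def der_tlv(tag, content):
    """Encode one DER TLV (tag byte + definite-form length + content)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_subject(cert_der):
    """Return the DER bytes of the subject Name, outer SEQUENCE header included."""
    tag, tbs_pos, _ = read_tlv(cert_der, 0)             # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(cert_der, tbs_pos)           # TBSCertificate
    if tag != 0x30:
        raise ValueError("bad TBSCertificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                      # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                                   # serial, signature alg, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)                # subject
    if tag != 0x30:
        raise ValueError("bad subject Name")
    return cert_der[pos:end]


def subject_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old(): MD5(name)[:4] as little-endian uint32, hex."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def cacert_filename(cert_der):
    return subject_hash_old(extract_subject(cert_der)) + ".0"


def sample_cert():
    """Constructed skeleton (not a valid certificate): correct TBS field order only."""
    rdn = der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes([0x55, 0x04, 0x03]))   # id-at-commonName
                                 + der_tlv(0x0C, b"PortSwigger CA")))
    name = der_tlv(0x30, rdn)
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"200101000000Z") + der_tlv(0x17, b"300101000000Z"))
    spki = der_tlv(0x30, b"")                                                        # left empty
    tbs = der_tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert()
    print(cacert_filename(data))
```

Feed it the DER file exported from Burp (`python cacert_name.py burp.cer`); the output is the name to give the PEM copy before pushing it to /system/etc/security/cacerts/. A certificate issued by a different Burp installation has a different subject, hence a different name, which is why the hash is recomputed per export rather than hard-coded.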

Confirmation: the certificate now shows up under Settings > Security > Trusted credentials > System.

Configure the proxy in the emulator's Wi-Fi settings: long-press the connected network > Modify network > Advanced options > Proxy: Manual, with the host's address on the Genymotion virtual network as hostname (typically 192.168.56.1) and Burp's listener port. Burp's listener must be bound to that interface (or to all interfaces), not only to 127.0.0.1, or the emulator cannot reach it.

Finally, install the target apk.

.\adb.exe install C:\Users\sirpe\Downloads\app.apk

Emulator 2: Memu Play

To proxy it through Burp, use the same certificate and proxy steps as for Genymotion.

ProxyDroid (a global proxy for rooted devices, implemented with iptables redirection) is also a good option when an app ignores the system proxy setting; it forces all of the device's traffic through Burp.

Don't forget to enable root mode for the Memu VM in its settings, otherwise remounting /system to install the CA will fail.

Install python3 - Windows 10

1. Go to https://www.python.org/downloads/ and download the latest Python 3 installer.
2. Run the downloaded installer.
3. Tick "Add Python to PATH", then choose "Customize installation".
4. On the optional features page, make sure every box is ticked.
5. On the advanced options page, tick "Add Python to environment variables" and change the install folder, for example to C:\Python.
6. Wait for the installer to finish.
7. Accept the "Disable path length limit" option it offers at the end.
8. So that "python" resolves to the real interpreter and not the Microsoft Store stub, go to Settings -> Apps -> Apps & features -> App execution aliases and switch the python.exe / python3.exe aliases off.
9. Open cmd as administrator and enter these commands:

msiexec /unreg
msiexec /regserver
python --version

Python3 venv + Frida

Open a PowerShell terminal with administrator privileges, allow locally created scripts to run, then create and activate a venv (here in C:\Tools\frida\frida_venv):

PS Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
PS C:\Tools\frida\frida_venv> python -m venv .
PS C:\Tools\frida\frida_venv\Scripts> .\Activate.ps1

With the venv activated, install the tooling:

pip install frida
pip install objection
pip install frida-tools

The frida Python package and the frida-server pushed to the device must be the same version (pin the pip install to the frida-server release you download, 14.2.18 in the walkthrough below), otherwise frida-ps/frida refuse to talk to the server.

1. Download the Android platform-tools (adb) from the Google URL in the references and unpack them into a convenient folder, in this case C:\Tools\adb; frida-server comes from the Frida GitHub releases (also in the references) and is picked later, once the device architecture is known.

2. Save the following script as fridascript.js in the adb folder. It neuters the certificate-chain check in Android's built-in TrustManagerImpl (conscrypt), which covers the default HTTPS stack; pinning implemented inside the app itself (OkHttp's CertificatePinner, TrustKit, custom TrustManagers) needs additional hooks, for example objection's "android sslpinning disable" or a Frida CodeShare multi-unpinning script.

Java.perform(function () {
    var ArrayList = Java.use("java.util.ArrayList");
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");

    // checkTrustedRecursive's signature differs between Android releases
    // (six parameters on older builds, eight on newer ones), so hook every
    // overload rather than assuming one arity. Returning an empty chain makes
    // the verifier accept any server certificate, including Burp's.
    TrustManagerImpl.checkTrustedRecursive.overloads.forEach(function (overload) {
        overload.implementation = function () {
            // console.log('Bypassing SSL Pinning');
            return ArrayList.$new();
        };
    });
});

3. In the emulator go to Settings -> About tablet and tap "Build number" seven times to enable developer options, then enable USB debugging there.

4. Open cmd in the folder with adb and connect the device:

adb connect 127.0.0.1:21503

5. frida-server must match the device architecture, so query it first:

PS C:\Tools\adb\platform-tools> .\adb.exe shell getprop ro.product.cpu.abi
x86

6. Download frida-server-<version>-android-<abi>.xz from the Frida GitHub releases (here frida-server-14.2.18-android-x86.xz), unpack it with 7-Zip into the adb folder and push the binary to /data/local/tmp, the writable, executable scratch directory every Android build has:

.\adb.exe push .\frida-server-14.2.18-android-x86 /data/local/tmp/
.\adb.exe shell chmod 755 /data/local/tmp/frida-server-14.2.18-android-x86

Start the frida server:

.\adb.exe shell "/data/local/tmp/frida-server-14.2.18-android-x86 &"

--or-- (physical rooted device, ARM build)
.\adb.exe shell "su -c '/data/local/tmp/frida-server-14.2.18-android-arm &'"

7. The command prints nothing; do not close that window, frida-server has to stay running for the whole session. In a new terminal with the venv activated, list the processes on the device to confirm the server answers, then spawn the target with the script loaded:

(frida_venv) PS C:\Tools\frida> frida-ps.exe -U
(frida_venv) PS C:\Tools\frida> frida.exe -U -l C:\Tools\adb\platform-tools\fridascript.js --no-pause -f com.instagram.android

-U selects the adb-attached device, -f spawns the package so the hook is installed before the first TLS handshake, and --no-pause resumes it immediately. On Frida 16 and later the spawned process resumes by default and --no-pause no longer exists.

frida-trace

 frida-trace.exe -U -f 'com.xx.xx.xxx' -j 'android.util.Log!*'
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -S frida.js 
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' 
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -T 

-j traces Java methods given as class!method with globs (android.util.Log!* shows everything the app writes to logcat), -i traces native exported functions whose name matches the glob (for Java classes use -j with a pattern such as '*Pesa*!*'), -S loads an extra script before tracing starts (frida.js here, for instance the pinning bypass) and -T additionally traces the imports of the traced module.

After that, a folder named "__handlers__" is created where you executed the frida-trace command, with one JavaScript handler file per traced function.

Edit the onEnter/onLeave callbacks of a handler to log or alter the arguments and return value of a specific call, then re-run the same frida-trace command; the edited handler is picked up and its output shows in the trace.

fridump

fridump dumps the memory of a running process over Frida, which is the quickest way to recover decrypted strings, session tokens and key material the app holds at runtime. Take the process name from frida-ps:

frida-ps -U
python .\fridump.py -U com.xx.xx.xxxx

adb logcat

While exercising the app, also watch the system log: apps regularly leak request URLs, tokens and even credentials through android.util.Log, and the lines are attributed by PID, so the target can be separated from the rest of the system:

adb.exe logcat
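Reading raw logcat by eye does not scale, so the script below, an added example that is not part of the original page, triages it: it parses the default threadtime format, resolves the target package's PIDs from the ActivityManager "Start proc" lines (so it follows the app across restarts and ignores other processes), and flags the secrets an app should never log: bearer/JWT tokens, URLs carrying query strings and password/secret/API-key assignments. The sample log embedded below is constructed for the example; on a real device pipe `adb logcat -v threadtime` into it with the package name as the argument.

```python
"""Triage `adb logcat -v threadtime` output for one package and flag leaked secrets."""
import re
import sys

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$")

# ActivityManager logs "Start proc <pid>:<package>/<uid> for ..." on every process start
START_PROC_RE = re.compile(r"Start proc (?P<pid>\d+):(?P<pkg>[\w.]+)/")

SECRET_PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-_.=]+", re.I),
    "jwt": re.compile(r"eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
    "url_with_query": re.compile(r"https?://\S+\?\S+"),
    "credential_kv": re.compile(r"(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+", re.I),
}

# Constructed sample (not captured from a real device): one target app, one bystander.
SAMPLE_LOG = """\
03-15 12:00:01.100  1001  1001 I ActivityManager: Start proc 4242:com.example.bank/u0a123 for activity {com.example.bank/.MainActivity}
03-15 12:00:02.200  4242  4260 D OkHttp: --> GET https://api.example.com/v1/account?session=abc123 http/1.1
03-15 12:00:02.201  4242  4260 D OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.sig_part
03-15 12:00:02.300  4242  4242 V LoginActivity: password=hunter2 remembered=true
03-15 12:00:03.000  1001  1001 I ActivityManager: Start proc 4300:com.other.app/u0a124 for service {com.other.app/.SyncService}
03-15 12:00:03.100  4300  4300 D OkHttp: Authorization: Bearer should-not-be-reported
03-15 12:00:04.000  4242  4242 I LoginActivity: login ok
"""


def triage(lines, package):
    """Return a list of findings (pid, tag, kind, match) for lines emitted by `package`."""
    pids = set()
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # kernel lines, "--------- beginning of" markers, etc.
        sp = START_PROC_RE.search(m["msg"])
        if sp and sp["pkg"] == package:
            pids.add(sp["pid"])            # new PID for our app (first start or restart)
            continue
        if m["pid"] not in pids:
            continue                       # some other process; not our concern
        for kind, pattern in SECRET_PATTERNS.items():
            hit = pattern.search(m["msg"])
            if hit:
                findings.append({"pid": m["pid"], "tag": m["tag"].strip(),
                                 "kind": kind, "match": hit.group(0)})
    return findings


def main():
    package = sys.argv[1] if len(sys.argv) > 1 else "com.example.bank"
    lines = sys.stdin if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in triage(lines, package):
        # print a prefix only, so the triage output itself does not become a leak
        print("[%s] pid=%s tag=%s %s..." % (f["kind"], f["pid"], f["tag"], f["match"][:24]))


if __name__ == "__main__":
    main()
```

Run as `adb logcat -v threadtime | python logcat_triage.py com.example.bank` while driving the app; with no argument it runs over the constructed sample. Every hit is a finding in its own right (sensitive data in the shared log, readable by any app holding READ_LOGS on older builds and by anyone with adb), and the matched values also make good search strings for fridump output.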

References

https://www.python.org/downloads/
https://dl.google.com/android/repository/platform-tools-latest-windows.zip
https://github.com/frida/frida/releases/
https://github.com/m9rco/Genymotion_ARM_Translation
https://github.com/Nightbringer21/fridump - A universal memory dumper using Frida
ZennoLab (Russian): "1st place - Android POST/GET with Frida-Server + BurpSuite, plus a bonus"
HackTricks - Frida Tutorial
HackTricks - Android Applications Pentesting
Configuring Frida with BurpSuite and Genymotion to bypass SSL Pinning
https://github.com/hluwa/FRIDA-DEXDump - Fast search and dump dex on memory
Apriorit - Pentesting Android Applications: Tools and Step-by-Step Instructions
Frida CodeShare