Android Dynamic Analysis
Emulator 1: Genymotion
If you need to execute ARM APK on Genymotion: https://github.com/m9rco/Genymotion_ARM_Translation
Click import/export CA certificate --> Export --> Certificate in DER format --> Choose a path and name it anything with a .cer extension --> Next
cd C:\Program Files\Genymobile\Genymotion\tools
.\adb.exe root
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shell
root@vbox86p:/ # cd /mnt/sdcard
root@vbox86p:/mnt/sdcard # ls
Alarms
Android
DCIM
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
burp.cer
--using adb standard--
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shellSecurity > Install from SD Card
After that, install the certificate also inside the SYSTEM trusted certificates.
Export the .der certificate from burp.
--- PREPARE the CERT to import----
openssl x509 -inform DER -in burp -out burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem | head -n 1
9a5ba575
mv burp_cert.pem 9a5ba575.0
-- Import it--
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push 9a5ba575.0 /system/etc/security/cacerts/
C:\Users\sirpe\Downloads\9a5ba575.0: 1 file pushed, 0 skipped. 3.4 MB/s (1375 bytes in 0.000s)Confirmation:
Configure also the proxy settings in the emulator:
Now, on the Wi-Fi settings:
Finally, install the target apk.
.\adb.exe install C:\Users\sirpe\Downloads\app.apkEmulator 2: Memu Play
To configure it with burpsuite, use the same steps above.
ProxyDroid is also a good option to bypass some restrictions and filtering all the traffic via burp.
Don't forget of putting the Memu VM as "root".
Install python3 - Windows 10
1. Go to the website and download the latest version of Pythonhttps://www.python.org/downloads/ 2. After downloading the file, run the installation file. 3. Put a checkmark on Add Python to PATH and then on Customize Installation
4. At this step, make sure that there are checkmarks everywhere.
5. Here is the same thing, pay attention to the checkbox Add Python to environment variables and change the default folder, for example, to C: \ Python
6. We are waiting for the installer to do its job. 7. Removes restrictions on the length of the file name. 8. Further, in order for Python to work normally, go to Options-> Applications and Features-> Application Execution Aliases (App execution aliases) and remove the toggle switches
9. Next, open cmd as administrator and enter these two commands:
msiexec /unreg
msiexec /regserver
python --versionPython3 venv + Frida
Open a cmd.exe terminal with Administration privileges.
PS Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
python -m venv .
PS C:\Tools\frida\frida_venv\Scripts> .\Activate.ps1Open cmd with administrator rights and enter:
pip install frida
pip install objection
pip install frida-tools
Download adbtools and Frida-server + the rest
Download the latest version of adbtools on the site here https://dl.google.com/android/repository/platform-tools-latest-windows.zip and unpack it into a convenient folder, in my case it is C:\Tools\adb
2. We save this script under the name fridascript.js in the adb folder
Java.perform(function() {
var array_list = Java.use("java.util.ArrayList");
var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
ApiClient.checkTrustedRecursive.implementation = function(a1,a2,a3,a4,a5,a6) {
// console.log('Bypassing SSL Pinning');
var k = array_list.$new();
return k;
}
},0);
3. Go to the emulator Settings-> About tablet and click on the "Build number" tab a couple of times
4. Open cmd in the folder with adb and connect the device
adb connect 127.0.0.1:21503
5. Next, we need to download the Frida-server in accordance with the architecture of our device, so for this we will enter another command in cmdadb shell getprop ro.product.cpu.abi
PS C:\Tools\adb\platform-tools> .\adb.exe shell getprop ro.product.cpu.abi
x866. Go to the site https://github.com/frida/frida/releases/ and download, in my case it's frida-server-xx.xx.xx-android-x86.xz
Unpack the contents of the archive in the folder with adb or 7zip
Now, upload frida-server into the device, for this we launch cmd from the adb folder and enter
.\adb.exe push .\frida-server-14.2.18-android-x86\ /data/local/temp
.\adb.exe shell chmod 777 /data/local/temp/frida-server-14.2.18-android-x86Start the frida server:
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'
--or-- (physical device)
.\adb.exe shell "su -c '/data/local/tmp/frida-server-14.2.18-android-arm &'"7. There will be no output from this command, and do not close this cmd window, we need to keep frida-server running while we intercept requests, now we will try to see all running services on the device, for this we open a new command line and enter frida-ps -U
(frida_venv) PS C:\Tools\frida> frida-ps.exe -U 
(frida_venv) PS frida.exe -U -l C:\Tools\adb\platform-tools\frida.js --no-pause -f com.instagram.android frida-trace
frida-trace.exe -U -f 'com.xx.xx.xxx' -j 'android.util.Log!*'
frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -S frida.js
frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*'
frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -T After that, a folder named "__handlers__" is created where you executed the frida-trace command.
You can add your code to intercept a specific call, and re-run the trace.
After re-run it, you will get it 😎
fridump
frida-ps -U
python .\fridump.py -U com.xx.xx.xxxx
adb logcat
adb.exe logcatReferences
References
Last updated
Was this helpful?