# Android Dynamic Analysis

## Emulator 1: Genymotion

![](/files/-Mco4Hdl2P_UQip8wXqF)

{% hint style="success" %}
**If you need to run an ARM APK on Genymotion:** <https://github.com/m9rco/Genymotion_ARM_Translation>
{% endhint %}

![](/files/-Mco4NOGOGavKKgvXrBg)

![](/files/-Mco4Y3tTe-otYx4kcj7)

Click **import/export CA certificate** --> **Export** --> **Certificate in DER format** --> Choose a path and name it anything with a **.cer** extension --> **Next**

```
cd C:\Program Files\Genymobile\Genymotion\tools
.\adb.exe root
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shell

root@vbox86p:/ # cd /mnt/sdcard
root@vbox86p:/mnt/sdcard # ls
Alarms
Android
DCIM
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
burp.cer

--using adb standard--
 .\adb.exe connect localhost:21503
 .\adb.exe remount
 .\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
 .\adb.exe shell
```

**Security > Install from SD Card**

![](/files/-McoLnlrwJKF6MxgJaof)

After that, **also install the certificate in the SYSTEM trusted certificates.**

Export the .der certificate from Burp.

```
--- PREPARE the CERT to import----
openssl x509 -inform DER -in burp -out burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem 
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem | head -n 1
9a5ba575
mv burp_cert.pem 9a5ba575.0

-- Import it--
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push 9a5ba575.0 /system/etc/security/cacerts/
C:\Users\sirpe\Downloads\9a5ba575.0: 1 file pushed, 0 skipped. 3.4 MB/s (1375 bytes in 0.000s)
```

Confirmation:

![](/files/-Mcpd0iUp8CeO5n-0cn5)

Also configure the proxy settings in the emulator:

![](/files/-Mco9AiacaDf8fNroo8G)

Now, on the Wi-Fi settings:

![](/files/-Mco9FKhq5QbYneyj7pp)

![](/files/-Mco9Ixw_dranrdfFYlt)

Finally, install the target apk.

```
.\adb.exe install C:\Users\sirpe\Downloads\app.apk
```

## Emulator 2: Memu Play

![](/files/-McozSHIdQC0eDmdplVv)

To configure it with Burp Suite, follow the same steps as above.

**ProxyDroid** is also a good option to bypass some restrictions and filter all the traffic through Burp.

![](/files/-Mcozr0ntydHQTPMOCoH)

Don't forget to set the Memu VM to "**root**".

![](/files/-Mcp-37xMhO3CfaEWBgg)

## Install python3 - Windows 10

1\. Go to the website and download the latest version of Python: <https://www.python.org/downloads/>

2\. After downloading the file, run the installation file.

3\. Put a checkmark on **Add Python to PATH** and then click **Customize installation**.

![](/files/-Mcp-c9Gp7TdHoo27wdE)

4\. At this step, make sure that every checkbox is ticked.

![](/files/-Mcp-kP_yiY5TjjbcF1d)

5\. Same here: make sure the checkbox **Add Python to environment variables** is ticked and change the default folder, for example, to **C:\Python**

![](/files/-Mcp-oqAeKoo22cgoVFy)

6\. Wait for the installer to do its job.

7\. Remove the restriction on the length of file names.

8\. Then, for Python to work normally, go to **Options -> Applications and Features -> Application Execution Aliases (App execution aliases)** and turn off the toggle switches.

![](/files/-Mcp0-UlVeLfg-0A7qGI)

9\. Next, open cmd as administrator and enter these two commands:

```
msiexec /unreg
msiexec /regserver
python --version
```

## Python3 venv + Frida

Open a cmd.exe terminal with **administrator privileges**.

```
PS Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
python -m venv .
PS C:\Tools\frida\frida_venv\Scripts> .\Activate.ps1
```

Open cmd with administrator rights and enter:

```
pip install frida
pip install objection
pip install frida-tools
```

![](/files/-Mcp0tT2r0Kw3-ZQTpSo)

Download adbtools and Frida-server + the rest

1. Download the latest version of adbtools from <https://dl.google.com/android/repository/platform-tools-latest-windows.zip> and unpack it into a convenient folder; in my case it is C:\Tools\adb

![](/files/-Mcp17MoDwsrXXzjaR03)

2\. Save this script under the name **fridascript.js** in the adb folder

```javascript
Java.perform(function () {
    var ArrayList = Java.use("java.util.ArrayList");
    // Conscrypt's platform trust manager, which validates the server certificate chain
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");

    // Replace chain validation: return an empty list instead of rejecting the chain
    TrustManagerImpl.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        return ArrayList.$new();
    };
});
```

![](/files/-Mcp1MMTTQI6PjoQvsfD)

3\. In the emulator, go to **Settings -> About tablet** and tap **"Build number"** a couple of times to enable developer options

4\. Open **cmd** in the folder with **adb** and connect the device

```
adb connect 127.0.0.1:21503
```

![](/files/-Mcp1msFJ94AKMdUo2hU)

5\. Next, we need to download the **Frida-server** build that matches the architecture of our device. To find it, enter another command in cmd: `adb shell getprop ro.product.cpu.abi`

```
PS C:\Tools\adb\platform-tools> .\adb.exe shell getprop ro.product.cpu.abi
x86
```

6\. Go to <https://github.com/frida/frida/releases/> and download the matching build; in my case it's **frida-server-xx.xx.xx-android-x86.xz**

Unpack the contents of the archive into the adb folder, for example with 7zip.

Now upload frida-server to the device. To do this, launch cmd from the adb folder and enter:

```
.\adb.exe push .\frida-server-14.2.18-android-x86\ /data/local/temp
.\adb.exe shell chmod 777 /data/local/temp/frida-server-14.2.18-android-x86
```

Start the frida server:

```
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'

--or-- (physical device)
.\adb.exe shell "su -c '/data/local/tmp/frida-server-14.2.18-android-arm &'"
```

7\. There will be no output from this command. Do not close this cmd window: frida-server has to keep running while we intercept requests. Now we will try to see all running services on the device; for this, open a new command line and enter `frida-ps -U`

```
(frida_venv) PS C:\Tools\frida> frida-ps.exe -U  
```

![](/files/-Mcp3A3l9N3m3HAY1s7m)

```
(frida_venv) PS frida.exe -U -l C:\Tools\adb\platform-tools\frida.js --no-pause -f com.instagram.android 
```

### frida-trace

```
 frida-trace.exe -U -f 'com.xx.xx.xxx' -j 'android.util.Log!*'
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -S frida.js 
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' 
 frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -T 
```

After that, a folder named "`__handlers__`" is created in the directory where you executed the **frida-trace** command.

You can add your code to intercept a specific call, and re-run the trace.

![](/files/-McyfthzU9zn94YKvHnh)

After re-running it, you will get the result :sunglasses:

![](/files/-Mcyg9K162z6t7dA00pV)

### fridump

```
frida-ps -U
python .\fridump.py -U com.xx.xx.xxxx
```

{% embed url="<https://github.com/Nightbringer21/fridump>" %}

{% embed url="<https://github.com/hluwa/FRIDA-DEXDump>" %}

### adb logcat

```
adb.exe logcat
```



