Android Dynamic Analysis

Emulator 1: Genymotion

If you need to execute ARM APKs on Genymotion (its images are x86), install the ARM translation package: https://github.com/m9rco/Genymotion_ARM_Translation

Export Burp's CA certificate: in Burp, go to Proxy > Options, click "Import / export CA certificate" --> Export --> Certificate in DER format --> choose a path and name the file anything with a .cer extension --> Next.

Push the certificate to the emulator's SD card with Genymotion's bundled adb:

cd C:\Program Files\Genymobile\Genymotion\tools
.\adb.exe root
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shell

root@<emulator>:/ # cd /mnt/sdcard
root@<emulator>:/mnt/sdcard # ls
Alarms
Android
DCIM
Download
Movies
Music
Notifications
Pictures
Podcasts
Ringtones
burp.cer

-- or, using the standard platform-tools adb --
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push C:\Users\sirpe\Downloads\burp.cer /mnt/sdcard/
.\adb.exe shell
On the device, open Settings > Security > Install from SD card and select burp.cer; this adds Burp's CA to the user certificate store.
After that, install the certificate also inside the SYSTEM trusted certificates: apps targeting Android 7 (API 24) or later do not trust user-added CAs by default, so a user-installed certificate alone is not enough for Burp to intercept most apps' HTTPS traffic.
Export the .der certificate from Burp (burp.cer above), then prepare it: convert it to PEM and rename it to the subject hash that Android uses as the file name in the system store.

--- PREPARE the CERT to import ---
openssl x509 -inform DER -in burp.cer -out burp_cert.pem
openssl x509 -inform PEM -subject_hash_old -in burp_cert.pem | head -n 1
9a5ba575
mv burp_cert.pem 9a5ba575.0

-- Import it --
.\adb.exe connect localhost:21503
.\adb.exe remount
.\adb.exe push 9a5ba575.0 /system/etc/security/cacerts/
C:\Users\sirpe\Downloads\9a5ba575.0: 1 file pushed, 0 skipped. 3.4 MB/s (1375 bytes in 0.000s)
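The openssl steps above boil down to one rule: the file in /system/etc/security/cacerts/ is the PEM certificate named after OpenSSL's subject_hash_old, which is the first four bytes of MD5 over the DER-encoded subject Name read as a little-endian integer, followed by ".0". The script below, an added example that is not from the original page or from the linked tutorials, does the same in pure Python so the rule is visible. Every function name here (der_tlv, der_oid, der_name, read_tlv, extract_subject, subject_hash_old, cacert_file) and the "Test CA" sample certificate are this example's own; the DER builder exists only to construct the sample, while extract_subject, subject_hash_old and cacert_file are the parts that apply to a real Burp .cer export.

```python
import base64
import hashlib
import struct

# --- Minimal DER encoder, used only to construct the sample certificate below.
# --- (Constructed data for this example; a real Burp .cer export replaces it.)

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short form and 1- or 2-byte long form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_oid(dotted):
    """Encode an OBJECT IDENTIFIER given in dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def der_name(rdns):
    """X.501 Name: SEQUENCE of SET of SEQUENCE { attribute OID, PrintableString }."""
    sets = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_oid(oid) + der_tlv(0x13, value.encode("ascii"))))
        for oid, value in rdns
    )
    return der_tlv(0x30, sets)


# Constructed sample: a v3 certificate for "CN=Test CA" with placeholder key and
# signature bits (they are never validated here, only parsed around).
SHA256_RSA = der_tlv(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
SAMPLE_SUBJECT = der_name([("2.5.4.3", "Test CA")])
_VALIDITY = der_tlv(0x30, der_tlv(0x17, b"230101000000Z") + der_tlv(0x17, b"330101000000Z"))
_TBS = der_tlv(
    0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x02"))                       # [0] EXPLICIT version v3
    + der_tlv(0x02, b"\x01")                                     # serialNumber
    + SHA256_RSA                                                 # signature algorithm
    + SAMPLE_SUBJECT                                             # issuer (self-signed)
    + _VALIDITY
    + SAMPLE_SUBJECT                                             # subject
    + der_tlv(0x30, SHA256_RSA + der_tlv(0x03, b"\x00\x00")),    # placeholder SPKI
)
SAMPLE_CERT = der_tlv(0x30, _TBS + SHA256_RSA + der_tlv(0x03, b"\x00\x00"))


# --- The part that applies to a real certificate ---

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_subject(cert_der):
    """Return the DER bytes of the subject Name (tag and length included) of an X.509 cert."""
    _, tbs_start, _ = read_tlv(cert_der, 0)             # Certificate
    _, pos, _ = read_tlv(cert_der, tbs_start)            # TBSCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                      # optional [0] version
        pos = end
    for _ in range(4):                                   # serial, sigAlg, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)                  # subject
    return cert_der[pos:end]


def subject_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old: MD5 over the DER Name, first 4 bytes little-endian, 8 hex digits."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def cacert_file(cert_der):
    """Return (filename, PEM text) ready to be pushed to /system/etc/security/cacerts/."""
    filename = subject_hash_old(extract_subject(cert_der)) + ".0"
    b64 = base64.b64encode(cert_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
    return filename, pem


if __name__ == "__main__":
    name, pem = cacert_file(SAMPLE_CERT)
    print(name)          # what `openssl x509 -subject_hash_old` prints, plus ".0"
    print(pem)
```

Write the returned PEM text to the returned file name and push it as in the adb steps above. Android keys the system store by the old MD5-based hash, not by the SHA-1 `-subject_hash`, and the `.0` suffix is a collision counter that only changes if another system CA already has the same subject hash.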
Confirmation: in Settings > Security > Trusted credentials the certificate now appears under the System tab.
Configure also the proxy settings in the emulator: in the Wi-Fi settings, edit the connected network, set the proxy to Manual and enter the host machine's IP and Burp's listener port (8080 by default).
Finally, install the target apk.
.\adb.exe install C:\Users\sirpe\Downloads\app.apk

Emulator 2: Memu Play

To configure it with Burp Suite, use the same steps as above.
ProxyDroid is also a good option to get around some restrictions and route all the traffic through Burp.
Don't forget to enable root mode for the MEmu VM.

Install python3 - Windows 10

1. Go to the website and download the latest version of Python: https://www.python.org/downloads/
2. After downloading the file, run the installer.
3. Put a checkmark on "Add Python to PATH" and then click "Customize Installation".
4. At this step, make sure that every checkbox is ticked.
5. Same here: pay attention to the checkbox "Add Python to environment variables", and change the default folder, for example to C:\Python.
6. Wait for the installer to finish.
7. On the last screen, choose "Disable path length limit" to remove the restriction on file name length.
8. Then, for Python to work normally, go to Settings -> Apps -> Apps & features -> App execution aliases and turn off the python.exe and python3.exe aliases, otherwise the Microsoft Store stub shadows the interpreter you just installed.
9. Next, open cmd as administrator and enter these commands:

msiexec /unreg
msiexec /regserver
python --version

Python3 venv + Frida

Open a PowerShell terminal with administrator privileges and create and activate a virtual environment (the execution policy change is needed once so that Activate.ps1 is allowed to run):

PS C:\Tools\frida> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
PS C:\Tools\frida> python -m venv frida_venv
PS C:\Tools\frida> .\frida_venv\Scripts\Activate.ps1

With the venv active (its name shows in the prompt), install frida, objection and frida-tools:

pip install frida
pip install objection
pip install frida-tools
Download adb platform-tools and frida-server (+ the rest)
1. Download the latest version of the platform-tools from https://dl.google.com/android/repository/platform-tools-latest-windows.zip and unpack it into a convenient folder, in my case C:\Tools\adb
2. Save this script under the name fridascript.js in the adb folder:
Java.perform(function () {
    var ArrayList = Java.use("java.util.ArrayList");
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");

    // checkTrustedRecursive builds the verified certificate chain; returning an
    // empty list makes every server certificate look trusted, including Burp's.
    TrustManagerImpl.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        return ArrayList.$new();
    };
});
3. In the emulator, go to Settings -> About tablet and tap "Build number" several times to enable developer options.
4. Open cmd in the folder with adb and connect the device:

adb connect 127.0.0.1:21503
5. Next, we need to download the frida-server that matches the architecture of our device, so first ask the device for its ABI with adb shell getprop ro.product.cpu.abi:

PS C:\Tools\adb\platform-tools> .\adb.exe shell getprop ro.product.cpu.abi
x86
6. Go to https://github.com/frida/frida/releases/ and download the matching frida-server; in my case it's frida-server-xx.xx.xx-android-x86.xz. Unpack the .xz archive (for example with 7-Zip) into the adb folder.
Now upload frida-server to the device into /data/local/tmp (the standard writable scratch directory); launch cmd from the adb folder and enter:

.\adb.exe push .\frida-server-14.2.18-android-x86 /data/local/tmp/
.\adb.exe shell chmod 777 /data/local/tmp/frida-server-14.2.18-android-x86

Start the frida server:

.\adb.exe shell '/data/local/tmp/frida-server-14.2.18-android-x86 &'

--or-- (physical device)
.\adb.exe shell "su -c '/data/local/tmp/frida-server-14.2.18-android-arm &'"
7. There is no output from this command, and do not close this cmd window: frida-server must keep running while we intercept requests. To see all running processes on the device, open a new command line (with the venv active) and enter frida-ps -U:

(frida_venv) PS C:\Tools\frida> frida-ps.exe -U

Then spawn the target app with the bypass script loaded (replace the package name with your target):

(frida_venv) PS C:\Tools\frida> frida.exe -U -l C:\Tools\adb\platform-tools\fridascript.js --no-pause -f com.instagram.android
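Steps 4 to 6 above as one script. This is an added example, not code from the original page or from the Frida project: a small Python driver that does the connect / ABI lookup / push / chmod / start sequence in one go, mapping the ABI string from getprop to the matching frida-server asset name on the Frida releases page (android-arm, android-arm64, android-x86, android-x86_64). It assumes adb is on PATH, that the frida-server binaries are already unpacked in local_dir, and uses the standard /data/local/tmp directory. All names here (ABI_TO_FRIDA_ARCH, frida_server_name, adb, deploy_frida_server) are this example's own, and the run parameter is a hypothetical injection point so the sequence can be checked without a device attached.

```python
import os
import subprocess

# Frida release asset suffix for each ABI string that
# `adb shell getprop ro.product.cpu.abi` can return.
ABI_TO_FRIDA_ARCH = {
    "x86": "x86",
    "x86_64": "x86_64",
    "armeabi-v7a": "arm",
    "arm64-v8a": "arm64",
}

# Standard scratch directory that adb push can write without root on any Android version.
REMOTE_DIR = "/data/local/tmp"


def frida_server_name(version, abi):
    """Asset name on the Frida releases page for this version and device ABI."""
    try:
        arch = ABI_TO_FRIDA_ARCH[abi]
    except KeyError:
        raise ValueError("no frida-server build for ABI %r" % abi) from None
    return "frida-server-%s-android-%s" % (version, arch)


def adb(args):
    """Default runner (assumes adb is on PATH): run adb and return its stdout."""
    completed = subprocess.run(["adb"] + list(args), capture_output=True, text=True, check=True)
    return completed.stdout


def deploy_frida_server(version, local_dir, serial="127.0.0.1:21503",
                        rooted_physical=False, run=adb):
    """Connect to the device, detect its ABI, push the matching frida-server binary,
    make it executable and start it in the background. Returns the remote path.
    `run` is a hypothetical injection point so the sequence can be checked offline."""
    run(["connect", serial])
    abi = run(["shell", "getprop", "ro.product.cpu.abi"]).strip()   # e.g. "x86\r\n" on Windows
    name = frida_server_name(version, abi)
    remote = REMOTE_DIR + "/" + name
    run(["push", os.path.join(local_dir, name), remote])
    run(["shell", "chmod", "755", remote])       # executable is all it needs; 777 is not required
    start = remote + " &"
    if rooted_physical:                          # physical device: go through su
        start = "su -c '" + start + "'"
    run(["shell", start])
    return remote


if __name__ == "__main__":
    path = deploy_frida_server("14.2.18", r"C:\Tools\adb\platform-tools")
    print("frida-server started at", path, "- check with: frida-ps -U")
```

As on the page, the server is backgrounded with `&`; `frida-ps -U` from the venv is the check that it is reachable before you spawn the target app.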

frida-trace

frida-trace.exe -U -f 'com.xx.xx.xxx' -j 'android.util.Log!*'
frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -S frida.js
frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*'
frida-trace -U -f 'com.xx.xxx.xxxx' -i '*Pesa*' -T

(-f spawns the package, -j selects Java methods by a class!method pattern, -i selects native exported functions by name pattern, -S loads an extra script into the session, -T also traces the program's imports.)
After that, a folder named "__handlers__" is created where you executed the frida-trace command, with one handler file per matched function.
You can add your own code to a handler's onEnter/onLeave callbacks to intercept a specific call, and re-run the trace.
After re-running it, the hooked calls show up in the trace output 😎

fridump

frida-ps -U
python .\fridump.py -U com.xx.xx.xxxx

fridump (Nightbringer21/fridump): A universal memory dumper using Frida - https://github.com/Nightbringer21/fridump
FRIDA-DEXDump (hluwa/FRIDA-DEXDump): Fast search and dump dex on memory - https://github.com/hluwa/FRIDA-DEXDump

adb logcat

adb.exe logcat

References

https://zennolab.com/discussion/threads/android-na-post-get-s-pomoschju-frida-server-burpsuite-i-bonus.79264/ (zennolab.com)
Frida Tutorial (HackTricks)
Configuring Frida with BurpSuite and Genymotion to bypass SSL Pinning
Android Applications Pentesting (HackTricks)
Pentesting Android Applications: Tools and Step-by-Step Instructions (Apriorit)
Frida CodeShare