📲
Android Reversing with Frida for Examiners...
📲
Android Reversing with Frida for Examiners...
Authors:
M. Williamson
C. Atha
Android Reversing for Examiners
Setting Up
Prerequisites
Our Target: Private Photo Vault
Lab
[1] Lab setup and initial app exploration
[2] Perform static analysis to locate some functions of interest
[3] Deploy method hooks using frida REPL
[4a] Moar Static Analysis
[4b] Cast a wide net with DBI
[4c] PIN bruteforce
Bonus Labs
Ready for more?
Frida-tools Reference
Installation & Common Flags
frida
frida-ps
frida-trace
Other Processes Reference
Extracting an APK specimen from the device
Troubleshooting frida connectivity
What's Next
Recommended Toolkits and Scripts
Additional Resources / Questions
Contact Us
Powered by GitBook

[4a] Moar Static Analysis

Let's head back to the static analysis and see if this helps us to fill in the gaps any.

What do we know about pinsMatch? Well, it returns false when the PIN is wrong. But what else. Let's break it apart:

So in our incorrect PIN entry, we called pinsMatch with "1234", "pin" and a Context.

First line : String string

So our function begins with a variable string being declared and immediately assigned a value:

So what's happening here? You might think to right click PreferenceManager or getDefaultSharedPreferences, but you won't have the option to "Go to declaration" - it's disabled.

In this situation, it may be worth it to search Google. You can search for the class name, method name, or both. The results should be similar. I used: getDefaultSharedPreferences

Sure enough, the reason we can't view the declaration is because it's not part of our app - this is part of the Android API. The best part about that is it's well documented in the Android Developer docs. If we dig into the function, eventually we will be able to uncover a plain english explanation for what getString is doing.

Cool - so earlier in Lab 1 we located a number of keys for interest, including one called "pin" right?

So it would appear the value for "string" is actually going to be this hash, 2c357e386f80a13452cfec7ef58a6609034f5c08.

Return statement

If you try to read this function in place, even for someone with programming knowledge this one is a bit tricky.

It's unlikely this code was written like this. Remember, decompilers try to recreate what it might have looked like originally, but they don't have all the information, and occasionally constructs like the above result and can be quite difficult to interpret.

One technique I would recommend when dealing with a complex function body is to break it into a few pieces in NP++ and fill in the values. So start with a copy, format it, and then fill in what you know:

A couple of things you need to know about Java to understand the above:

  • when you see two vertical bars or || , these can be read as "OR". Its counterpart is && which is read "AND".

  • the symbol ! can be read as "NOT". In the case of a boolean, this means true becomes false, and false becomes true.

  • the word null means nothing - unset - no value.

  • The use of ? and : here is a shortcut for an if / else check. (expression) ? (action/value if true) : (action/value if false)

Ok, so let's fill in our known values.

Essentially, any of the three things in the brackets evaluating to true will result in the function returning false. Confused yet? We're not done!

We now know that str is our entered PIN, str2 is either "pin" or "pin_decoy".

The function returns boolean (true or false), takes two strings (str and str2) and a Context.

​

At the end of this, we've developed a pretty solid understanding, however, by casting a wider net with Frida, we can shore things up and confirm. Rather than tracing a list of functions one by one,

Lab - Previous
[3] Deploy method hooks using frida REPL
Next - Lab
[4b] Cast a wide net with DBI
Last updated 5 months ago