search

Dynamic Binary Instrumentation

hashtag
Why?

  • Requests to APIs are further encrypted or signed or MITM is not available.

    • MITM and packet sniffers are useless.

  • Application has obfuscated values in RAM, created dynamically, and received from the network.

    • Static analysis and Decompilation are useless.

  • Code is loaded dynamically with objects received.

    • Static analysis and Decompilation will have no code to analyze.

  • Many values are hard coded (keys, urls…).

    • Patching takes too long and becomes expensive.

Custom Signatures are used.

POST /login HTTP/1.1
Host: social.io
Proxy-Connection: keep-alive
Content-Length: X
Accept: text/html, application/xhtml-
xml,application/xml;q=0.9,image/webp,*/*,q=0.8
Origin: http://social.io
Content-Type: application/x-www-form-urlencoded
Cookie: SessionId=O+qxnaYZLjpnLwHBcKmRcTexTWk=

username=john&password=xpto&signature=2rf+roJPEdCOSL0XXusHBcA0BGk=

Data is encrypted.

hashtag
Other purposes

  • Retrieving a call flow.

    • Map which methods are used, and what is the actual code execution flow.

  • Identify arguments of Android API methods.

    • Log traffic and calls.

    • Allows intercepting data even with encrypted connections.

      • Interception happens before data is encrypted.

  • Modify arguments of Android API methods.

    • Fuzzing.

    • Filter/modify data to trigger additional behaviour.

    • Trigger custom events.

  • Circumvent protections to enable further analysis.

  • The application is obfuscated and it is difficult to obtain the actual algorithm.

Last updated