Dynamic Binary Instrumentation

Why?

Requests to APIs are further encrypted or signed or MITM is not available.
- MITM and packet sniffers are useless.
Application has obfuscated values in RAM, created dynamically, and received from the network.
- Static analysis and Decompilation are useless.
Code is loaded dynamically with objects received.
- Static analysis and Decompilation will have no code to analyze.
Many values are hard coded (keys, urls…).
- Patching takes too long and becomes expensive.

Custom Signatures are used.

POST /login HTTP/1.1
Host: social.io
Proxy-Connection: keep-alive
Content-Length: X
Accept: text/html, application/xhtml-
xml,application/xml;q=0.9,image/webp,*/*,q=0.8
Origin: http://social.io
Content-Type: application/x-www-form-urlencoded
Cookie: SessionId=O+qxnaYZLjpnLwHBcKmRcTexTWk=

username=john&password=xpto&signature=2rf+roJPEdCOSL0XXusHBcA0BGk=

Data is encrypted.

POST /login HTTP/1.1
Host: social.io
Proxy-Connection: keep-alive
Content-Length: X
Accept: text/html, application/xhtml-
xml,application/xml;q=0.9,image/webp,*/*,q=0.8
Origin: http://social.io
Content-Type: application/x-www-form-urlencoded
Cookie: SessionId=O+qxnaYZLjpnLwHBcKmRcTexTWk=

authData=3NH71S+7P8YeafgnBvXzJ1RzJdXm51VNPQYMWFiIMl8ZNr7+vGDNTcms8LHDUaC/lK2xRF/L
bPMwQ0pB+ZyB6PfYNaf5fIh/IGdlQZJrgXXgDDT7Mn2d259vzcdmBA3pJ04cLxGNnLSvdorYF+mLN7yik
zEagUWGfQe1nYzu3OT3947kqSORQuc4PTzuFKUXlolCcuVYvr5gt6ykfk9ACGVwyywGBG3OeFxNKi0kme
iBYxB8EJlmCF/xojM59gcGDv61ytidhVs=

Other purposes

Retrieving a call flow.
- Map which methods are used, and what is the actual code execution flow.
Identify arguments of Android API methods.
- Log traffic and calls.
- Allows intercepting data even with encrypted connections.
  - Interception happens before data is encrypted.
Modify arguments of Android API methods.
- Fuzzing.
- Filter/modify data to trigger additional behaviour.
- Trigger custom events.
Circumvent protections to enable further analysis.
The application is obfuscated and it is difficult to obtain the actual algorithm.

Last updated 1 year ago

Why?

Requests to APIs are further encrypted or signed or MITM is not available.

MITM and packet sniffers are useless.

Application has obfuscated values in RAM, created dynamically, and received from the network.

Static analysis and Decompilation are useless.

Code is loaded dynamically with objects received.

Static analysis and Decompilation will have no code to analyze.

Many values are hard coded (keys, urls…).

Patching takes too long and becomes expensive.

Custom Signatures are used.

POST /login HTTP/1.1
Host: social.io
Proxy-Connection: keep-alive
Content-Length: X
Accept: text/html, application/xhtml-
xml,application/xml;q=0.9,image/webp,*/*,q=0.8
Origin: http://social.io
Content-Type: application/x-www-form-urlencoded
Cookie: SessionId=O+qxnaYZLjpnLwHBcKmRcTexTWk=

username=john&password=xpto&signature=2rf+roJPEdCOSL0XXusHBcA0BGk=

Data is encrypted.

POST /login HTTP/1.1
Host: social.io
Proxy-Connection: keep-alive
Content-Length: X
Accept: text/html, application/xhtml-
xml,application/xml;q=0.9,image/webp,*/*,q=0.8
Origin: http://social.io
Content-Type: application/x-www-form-urlencoded
Cookie: SessionId=O+qxnaYZLjpnLwHBcKmRcTexTWk=

authData=3NH71S+7P8YeafgnBvXzJ1RzJdXm51VNPQYMWFiIMl8ZNr7+vGDNTcms8LHDUaC/lK2xRF/L
bPMwQ0pB+ZyB6PfYNaf5fIh/IGdlQZJrgXXgDDT7Mn2d259vzcdmBA3pJ04cLxGNnLSvdorYF+mLN7yik
zEagUWGfQe1nYzu3OT3947kqSORQuc4PTzuFKUXlolCcuVYvr5gt6ykfk9ACGVwyywGBG3OeFxNKi0kme
iBYxB8EJlmCF/xojM59gcGDv61ytidhVs=

Other purposes

Retrieving a call flow.

Map which methods are used, and what is the actual code execution flow.

Identify arguments of Android API methods.

Log traffic and calls.
Allows intercepting data even with encrypted connections.
- Interception happens before data is encrypted.

Modify arguments of Android API methods.

Fuzzing.
Filter/modify data to trigger additional behaviour.
Trigger custom events.

Circumvent protections to enable further analysis.

The application is obfuscated and it is difficult to obtain the actual algorithm.