Debugging in Android

In this article we run the application under a debugger and modify its internal parameters to see how data is being parsed, with the modified values reflected in the live running application.
We need the following tools to perform this:
1. IntelliJ IDEA
2. Smali IDEA plugin
3. ADB
Install the Smali IDEA plugin and get the process name (package name).
Expose the app's JDWP port and forward it to a local TCP port using ADB.

Pull the APK from the device using adb pull <location of apk>

Or

Manually download the APK, then decode it with apktool using apktool d <app.apk>

Create a new project in IntelliJ and import the extracted folder in the project created.

Mark the smali directory as the source root, and the extracted folder as the project's base (content) root.

Select the SDK the project depends on.
Click Add Configuration and create a new Remote JVM Debug configuration.

Set the port in the remote configuration to the local TCP port you forwarded to the app's JDWP port at the beginning of this article.

Using Magisk to make any application show up as debuggable.
One of the ways Android determines whether an application is debuggable is by checking a property called "ro.debuggable" that is found in the boot.img.
Normally these values are read-only and can't be set, but with Magisk and a bit of black magic we can modify them using the "resetprop" command.
Open a root shell using ADB and set the value of "ro.debuggable" to 1.
Then, with the root shell still open, apply the change by restarting part of the Android system.
Now mark the application as debuggable using ADB with the command adb shell am set-debug-app -w <package>

Add the --persistent flag so the app stays debuggable on every launch until we manually clear it.

Attaching a debugger to the target application.
The target application will now wait for a debugger to be attached. Launch it and use the following command to locate the process ID.

adb shell ps | findstr "calculator"

If you want to remove all adb forwards, run the following command:

adb forward --remove-all
Add breakpoints wherever required, so that we can hold the internal strings and modify them without actually changing the source code of the application.
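As an added example (not from the original post), a small POSIX shell script that wires up the attach step described above: it resolves the PID by exact package name rather than a substring match, checks that the PID is listed by adb jdwp before forwarding, and builds the adb forward that the IntelliJ remote configuration points at. It assumes adb and timeout are in PATH; the ps and jdwp outputs are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes adb and timeout are in
# PATH and the app was already made debuggable with
# `adb shell am set-debug-app -w --persistent <package>`.

# Constructed sample of `adb shell ps -A` output; a live run replaces it.
SAMPLE_PS='USER      PID  PPID  VSZ     RSS  WCHAN  ADDR S NAME
root        1     0  10000   1000 0      0    S init
u0_a123  4242   512 900000  60000 0      0    S com.example.calculator
u0_a124  4300   512 900000  60000 0      0    S com.example.calculator.helper'

# Constructed sample of `adb jdwp`, which lists PIDs accepting a debugger.
SAMPLE_JDWP='4242
5100'

# Resolve the PID whose process NAME equals the package exactly; a plain
# findstr/grep on "calculator" would also match the helper process.
pid_for_package() {  # $1 = ps output, $2 = package name
  printf '%s\n' "$1" | awk -v pkg="$2" '$NF == pkg { print $2; exit }'
}

# Confirm the PID appears in `adb jdwp`; if it does not, ro.debuggable or
# set-debug-app did not take effect and the forward will never attach.
is_jdwp_listed() {  # $1 = jdwp output, $2 = pid
  printf '%s\n' "$1" | grep -qx "$2"
}

# Arguments for `adb forward`: local TCP port -> the app's JDWP transport.
# The Remote JVM Debug configuration then targets localhost:<port>.
forward_args() {  # $1 = local tcp port, $2 = pid
  printf 'tcp:%s jdwp:%s' "$1" "$2"
}

# Live run against a device: ./attach.sh --live com.example.calculator 8700
# (`adb jdwp` keeps listening, so it is bounded with timeout.)
if [ "${1:-}" = "--live" ]; then
  pkg=$2; port=${3:-8700}
  pid=$(pid_for_package "$(adb shell ps -A)" "$pkg")
  [ -n "$pid" ] || { echo "no process for $pkg" >&2; exit 1; }
  is_jdwp_listed "$(timeout 1 adb jdwp)" "$pid" \
    || { echo "pid $pid is not in adb jdwp; app is not debuggable" >&2; exit 1; }
  # word splitting of forward_args output is intended here
  adb forward $(forward_args "$port" "$pid")
fi
```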