openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Month: February 2022
Sniffing HTTPS traffic
Still possible in 2022, thanks to a little tool going by the name "Burp Suite". It's easy: set up a proxy server and configure your end device to use that proxy.
Starting with Android Nougat, the cert has to be installed at system level. For this, you have to enable root debugging in the developer settings and transfer the file manually using adb. Full explanation here.
openssl x509 -inform der -in burp.der -out burp.pem
mv burp.pem "$(openssl x509 -inform pem -subject_hash_old -in burp.pem | head -1).0"
With adb root (<hash> is the value printed by openssl x509 -subject_hash_old above):
adb root
adb remount   # /system is mounted read-only by default
adb push <hash>.0 /system/etc/security/cacerts/
adb shell chmod 644 /system/etc/security/cacerts/<hash>.0
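Why the file has to be named <hash>.0: Android's system store looks CA certificates up by OpenSSL's old-style subject hash. The following is an added Python example, not from the post, that reimplements -subject_hash_old (MD5 over the DER-encoded subject, first four bytes read little-endian) with a minimal DER walker, so the expected file name can be cross-checked without openssl; the sample certificate skeleton at the bottom is constructed for the demo and is not a valid certificate.

```python
import hashlib
import struct

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Return the raw TLVs directly inside a constructed DER body (SEQUENCE/SET)."""
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = read_tlv(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out

def subject_der(cert_der):
    """DER bytes of the subject Name. Layout: Certificate SEQ { tbsCertificate SEQ {
    [0] version (optional), serialNumber, signature, issuer, validity, subject, ... }, ... }"""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # skip the explicit [0] version if present
        fields = fields[1:]
    return fields[4]

def subject_hash_old(cert_der):
    """OpenSSL -subject_hash_old: first 4 bytes of MD5(subject DER) as a
    little-endian unsigned int, printed as 8 lowercase hex digits."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

def cacert_filename(cert_der):
    """File name Android expects under /system/etc/security/cacerts/."""
    return subject_hash_old(cert_der) + ".0"

def der(tag, body):                         # short-form DER TLV (body < 128 bytes), sample only
    return bytes([tag, len(body)]) + body

# Constructed sample: minimal certificate skeleton, NOT a real cert; only the subject matters.
SAMPLE_SUBJECT = der(0x30, der(0x31, der(0x30,
    der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example Proxy CA"))))   # CN=Example Proxy CA
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, b"") * 3 + SAMPLE_SUBJECT)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

Running cacert_filename() on the bytes of the real burp.der gives the same name as the openssl command above; a mismatch means the file is not in the system store under the name Android will look for.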
Patching APKs
Ever run into a situation where you can no longer use an older version of an app because it forces you to update? Or the app tries to take money from you for unlocking an already built-in but inaccessible "premium feature"?
Patching APKs consists of these steps:
- Unpacking the APK:
apktool d -r some.apk -o output_dir
- Patching the smali byte-code: remove or change it using your favorite editor
- Packing the code back into an APK:
apktool b output_dir -o modded.apk
- Signing the new APK:
  - Create a key (only needed once):
keytool -genkey -v -keystore key.keystore -alias robocoffee -keyalg RSA -keysize 2048 -validity 10000
  - Sign with the key:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore modded.apk robocoffee
  - Or, alternatively, with apksigner from the SDK build-tools:
~/Android/Sdk/build-tools/<version>/apksigner sign --ks key.keystore modded.apk
- Install the new APK:
adb install modded.apk
Decompiling APKs
You can decompile even minified / obfuscated APKs using one of these tools (I prefer the latter). Why would you want to do that? For example, when you like a feature in an app and want to reverse-engineer how it's done.
Decompile into Java source code using Procyon:
apktool d -s some.apk -o output_dir   # -s keeps classes.dex instead of disassembling it to smali
dex2jar output_dir/classes.dex        # produces classes-dex2jar.jar
procyon-decompiler classes-dex2jar.jar -o decompiled_dir
Or alternatively, one tool to rule them all: jadx --deobf some.apk
In my opinion JADX with the built-in deobfuscator gives the most readable results. Note however that some blocks might not be decompiled in either case, leaving you no other option but to read nasty byte-code.
- Short a peripheral chip by applying the wrong voltage to one of its inputs
- Connect the shorted chip to your microcontroller's power outputs, effectively shorting it too
Lesson: Don't mess with microcontrollers in the middle of the night, especially not when you're tired and lazy.