AndrewTsui

Android Reverse Engineering Common Sequence

Source: Knownsec Forum

  1. Capture the HTTP traffic with tools such as Charles and Wireshark, locate the signature fields, and check whether they show the characteristics of a standard algorithm.
  2. Decompile the DEX and APK files with tools such as JADX-GUI, GDA, and APKTool to read the Java and Smali code.
  3. Locate a universal unpacking point, compile a modified Android source tree to unpack there, and actively call the functions so that the extracted function bodies are restored.
  4. Dynamically instrument the native and Java layers with tools such as Xposed and Frida to inspect data in memory.
  5. Statically analyze the shared objects (SO) with tools such as IDA, Hopper, and Ghidra; set memory and hardware breakpoints for dynamic debugging; analyze the signature routine in the SO and trace it.
  6. Find the address of the entry function protected by the VMP, debug dynamically to find the target jump address, then analyze the code at that offset with the static analysis tools.
  7. For OLLVM obfuscation (string encryption, control flow flattening, instruction substitution, and bogus control flow), print the values at memory addresses with Frida and analyze an IDA trace.
  8. Determine the signature algorithm from the characteristics of the signature and the constants identified.
  9. Set up a signature server with Spring and stress-test it.
  10. Probe the risk control strategy of the target interface early on with a large number of interface calls, and plan deployment and invocation strategies accordingly.
  11. Where mobile deployment with IP switching by group is required, implement automatic proxy switching on an OpenWRT software router.
  12. Where a single device uses a single IP, modify an open-source proxy app to switch proxies automatically on the device.
  13. For protocols that use protobuf, decompile and dynamically instrument to find the protocol classes, then write the corresponding .proto files from the tag types and generate the corresponding classes.
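Step 13 depends on reading the tag types out of the raw protobuf bytes. The following added example (not code from the original post) walks the wire format of a captured message body and emits a .proto skeleton from the field numbers and wire types it finds; the sample bytes and the `field_N` names are constructed for illustration.

```python
# Added example (not from the original post): walk the protobuf wire format of a
# captured message body and emit a .proto skeleton from the tags observed.
# Handles wire types 0, 1, 2 and 5; deprecated group types 3 and 4 raise.
WIRE_TYPES = {0: "varint", 1: "fixed64", 2: "length_delimited", 5: "fixed32"}
FIXED_SIZES = {1: 8, 5: 4}

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while pos < len(buf) and shift <= 63:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError(f"truncated or over-long varint at offset {pos}")

def walk_fields(buf: bytes) -> list[tuple[int, str, object]]:
    """Return [(field_number, wire_type_name, raw_value), ...] for one message."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0 or wire_type not in WIRE_TYPES:
            raise ValueError(f"bad tag {tag} before offset {pos}")
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            size = FIXED_SIZES[wire_type]
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        if pos > len(buf):  # a length or fixed width past the end means a bad parse
            raise ValueError(f"field {field_no} overruns the buffer")
        fields.append((field_no, WIRE_TYPES[wire_type], value))
    return fields

def proto_skeleton(fields, name="Captured") -> str:
    """Render a .proto skeleton; scalar types are guesses to refine by hand."""
    # A length_delimited field may be a string, raw bytes, or a nested message:
    # try walk_fields() on its value to tell a nested message apart.
    guess = {"varint": "int64", "fixed64": "fixed64",
             "fixed32": "fixed32", "length_delimited": "bytes"}
    seen = {}
    for no, wt, _ in fields:
        seen.setdefault(no, guess[wt])
    body = [f"  {kind} field_{no} = {no};" for no, kind in sorted(seen.items())]
    return "\n".join(['syntax = "proto3";', f"message {name} {{"] + body + ["}"])

# Constructed sample: field 1 = varint 150, field 2 = "abc", field 3 = fixed32 0x01020304
SAMPLE = bytes.fromhex("089601") + b"\x12\x03abc" + b"\x1d\x04\x03\x02\x01"
```

Running `proto_skeleton(walk_fields(SAMPLE))` prints a three-field message that can be compiled with `protoc` and then refined against the decompiled protocol classes.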