AndrewTsui
Android Reverse Engineering: Common Sequence of Steps

Source: Knownsec Forum

  1. Capture and analyze the HTTP traffic with tools such as Charles and Wireshark, locate the request signature fields, and check them for obvious characteristics of standard algorithms.
  2. Decompile the DEX and APK files with tools such as JADX-GUI, GDA, and APKTool to read the Java and Smali code.
  3. Locate a universal unpacking point and dump the packed code; build and modify the Android source where needed, and actively invoke functions to recover method bodies that the packer extracted.
  4. Dynamically instrument the Java and native layers with tools such as Xposed and Frida, and inspect data in memory.
  5. Statically analyze the shared objects (SO) with tools such as IDA, Hopper, and Ghidra; set memory and hardware breakpoints for dynamic debugging, and analyze and trace the signature routine in the SO.
  6. Find the address of the entry function protected by the VMP, debug dynamically to find the target jump address, then analyze the code at that offset with static analysis tools.
  7. For OLLVM obfuscation (string encryption, control flow flattening, instruction substitution, and bogus control flow), print memory addresses with Frida and analyze the execution with IDA trace.
  8. Determine the signature algorithm from the characteristics of the signature and the constants identified.
  9. Set up a signature server with Spring and perform stress testing.
  10. Probe the risk control strategy of the target interface early on through a large number of interface calls, and deploy and adjust the calling strategy accordingly.
  11. For scenarios that require deploying phones in groups with IP rotation per group, automatic proxy rotation can be implemented on an OpenWRT software router.
  12. For scenarios with a single device and a single IP, modify an open-source proxy app to achieve automatic proxy rotation on the device itself.
  13. For protocols that use Protobuf, decompile and dynamically instrument the app to find the protocol classes, then generate the corresponding .proto files from the tag (wire) types.
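The last part of item 13, reconstructing a .proto skeleton from the wire types of the tags, can be done on a captured message even before the protocol classes are found. The decoder below is an added example, not code from the original post: it walks the public protobuf wire format without a schema, rejects truncated or invalid tags, and guesses a scalar type per field number. Field names are placeholders (the wire format does not carry them), and the sample bytes are constructed.

```python
WIRE_TYPES = {0: "varint", 1: "fixed64", 2: "bytes", 5: "fixed32"}  # 3/4 (groups) are deprecated, rejected here

def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError(f"truncated or oversized varint at offset {pos}")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def decode_fields(buf):
    """Walk a message without a schema; return [(field_number, wire_type_name, value), ...]."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wt = key >> 3, key & 7          # tag = field_number << 3 | wire_type
        if num == 0 or wt not in WIRE_TYPES:
            raise ValueError(f"invalid tag {key} at offset {pos}")
        if wt == 0:
            val, pos = read_varint(buf, pos)
        elif wt in (1, 5):
            size = 8 if wt == 1 else 4
            val, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        else:                                 # length-delimited: string, bytes, nested message or packed repeated
            length, pos = read_varint(buf, pos)
            val, pos = buf[pos:pos + length], pos + length
        if pos > len(buf):
            raise ValueError("field runs past the end of the buffer")
        fields.append((num, WIRE_TYPES[wt], val))
    return fields

def guess_proto(buf, name="Message"):
    """Emit a .proto skeleton; the first wire type seen per field number decides the guessed type."""
    guessed = {}
    for num, wt, val in decode_fields(buf):
        if wt == "bytes":                     # printable UTF-8 -> string, anything else -> opaque bytes
            try:
                typ = "string" if val.decode("utf-8").isprintable() else "bytes"
            except UnicodeDecodeError:
                typ = "bytes"
        else:
            typ = {"varint": "int64", "fixed64": "fixed64", "fixed32": "fixed32"}[wt]
        guessed.setdefault(num, typ)
    body = [f"  {guessed[n]} field_{n} = {n};" for n in sorted(guessed)]
    return "\n".join([f"message {name} {{", *body, "}"])

# Constructed sample: field 1 = varint 150, field 2 = "hello", field 3 = fixed32 0x3F800000 (float 1.0)
SAMPLE = bytes([0x08, 0x96, 0x01, 0x12, 0x05]) + b"hello" + bytes([0x1D, 0x00, 0x00, 0x80, 0x3F])

if __name__ == "__main__":
    print(guess_proto(SAMPLE))
```

A length-delimited field that is really a nested message or a packed repeated field will be reported as bytes; rerun decode_fields on that value to check whether it parses as a message.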