In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the `.dll` files inside it, so it's posible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) directly over the `.dlls` to analyze them.\
-
However, sometimes, it's found the `assemblies.blob` and `assemblies.manifest` files inside the unknown/assemblies/ folder. The tool [pyxamstore](https://github.com/jakev/pyxamstore) can be used for unpacking the `assemblies.blob` file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
+
In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the `.dll` files inside it, it's possible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) directly over the `.dlls` to analyze them. However, sometimes the `assemblies.blob` and `assemblies.manifest` files are inside the unknown/assemblies/ folder. The tool [pyxamstore](https://github.com/jakev/pyxamstore) can unpack the `assemblies.blob` file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
Some recent Xamarin/MAUI builds store compressed assemblies using the **XALZ** format inside `/assemblies.blob` or `/resources/assemblies`. You can quickly decompress them with the [xamarout](https://pypi.org/project/xamarout/) library:
xa = xalz.XamarinCompressedAssembly(os.path.join(root, f))
+
xa.write("decompressed/"+ f)
```
iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms.
+
> **AOT on iOS**: managed IL is compiled into native `*.aotdata.*` files. Patching the DLL alone will not change logic; you need to hook native stubs (e.g., with Frida) because the IL bodies are empty placeholders.
+
### Static Analysis
-
Once the `.dll`s are obtained it's possible to analyze the .Net code statically using tools such as [**dnSpy**](https://github.com/dnSpy/dnSpy)**or**[**ILSpy**](https://github.com/icsharpcode/ILSpy)**t**hat will allow to modify the code of the app. This can be super useful to tamper the application to bypass protections for example.\
+
Once the `.dll`s are obtained it's possible to analyze the .Net code statically using tools such as [**dnSpy**](https://github.com/dnSpy/dnSpy)or[**ILSpy**](https://github.com/icsharpcode/ILSpy)that will allow modifying the code of the app. This can be super useful to tamper the application to bypass protections for example.\
Note that after modifying the app you will need to pack it back again and sign it again.
+
> dnSpy is archived; maintained forks like **dnSpyEx** keep working with .NET 8/MAUI assemblies and preserve debug symbols when re-saving.
+
### Dynamic Analysis
Dynamic analysis involves checking for SSL pinning and using tools like [Fridax](https://github.com/NorthwaveSecurity/fridax) for runtime modifications of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, enhancing analysis capabilities.
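Review bot: the rewritten Static Analysis line still has no spaces around the tool links (`...dnSpy)or[**ILSpy**](...)that will allow...`), so it renders as "dnSpyorILSpythat"; it should read `[**dnSpy**](https://github.com/dnSpy/dnSpy) or [**ILSpy**](https://github.com/icsharpcode/ILSpy) that will allow`. In the XALZ snippet, the added `xa.write("decompressed/"+ f)` assumes a `decompressed/` directory already exists and drops `root`, so two assemblies with the same file name in different subdirectories overwrite each other; consider `os.makedirs("decompressed", exist_ok=True)` and keeping the relative path from `root`. The dnSpyEx note names the fork without a link, unlike every other tool on this page.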
@@ -58,17 +75,36 @@ Other interesting Frida scripts:
Updated **Frida-xamarin-unpin** (Mono >=6) hooks `System.Net.Http.HttpClient.SendAsync` and swaps the handler to a permissive one, so it still works even when pinning is implemented in custom handlers. Run it after the app starts:
The tool [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer) simplifies signing multiple APKs with the same key, and can be used to resign an app after changes have been performed to it.
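Review bot: the Frida-xamarin-unpin paragraph ends with `Run it after the app starts:` but no command or script follows it in this hunk, so either the fenced block was lost or the colon should go; the script is also named but not linked, unlike the other tools on the page. It would also help to state what the `HttpClient.SendAsync` hook does not cover (traffic that never goes through `HttpClient`), so readers know when the swapped handler silently fails to apply.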