Xamarin Apps
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Xamarin is an open-source platform built for developers to create iOS, Android, and Windows applications using the .NET and C# frameworks. The platform provides access to numerous tools and extensions for building modern applications efficiently.
Xamarin Architecture
- For Android, Xamarin integrates with the Android and Java namespaces through .NET bindings, running inside the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on top of the Linux kernel.
- For iOS, applications run under the Mono runtime, relying on full Ahead of Time (AOT) compilation to convert the C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel.
.NET Runtime and Mono Framework
The .NET framework comprises assemblies, classes, and namespaces for application development, while the .NET Runtime manages code execution. It provides platform independence and backward compatibility. The Mono Framework is an open-source version of the .NET framework, started in 2005 to bring .NET to Linux, and is now supported by Microsoft and led by Xamarin.
Reverse Engineering Xamarin Applications
Decompilation of Xamarin assemblies
Decompilation converts compiled code back into source code. On Windows, the Modules window in Visual Studio can identify modules for decompilation, allowing direct access to third-party code and extraction of source code for analysis.
JIT vs AOT Compilation
- Android supports both Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is available only for Enterprise licenses.
- iOS uses AOT compilation only, due to Apple's restrictions on dynamic code execution.
Extracting dll files from an APK/IPA
To get the assemblies inside an APK/IPA, unzip the file and explore the assemblies directory. For Android, tools such as XamAsmUnZ and xamarin-decompress can unpack the dll files.
```bash
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
In some cases, after decompiling the APK, you may find an unknown/assemblies/ folder with .dll files inside it; dnSpy can be used directly on those .dlls to analyse them. However, sometimes the files assemblies.blob and assemblies.manifest are found inside unknown/assemblies/ instead. The pyxamstore tool can unpack the assemblies.blob file of Xamarin apps, giving access to the .NET assemblies for further analysis:
```bash
pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
# After patching DLLs, rebuild the store
pyxamstore pack
```
Some recent Xamarin/MAUI builds store the assemblies compressed in the XALZ format inside /assemblies.blob or /resources/assemblies. You can decompress them quickly with the xamarout library:
```python
from xamarout import xalz
import os

os.makedirs("decompressed", exist_ok=True)
# Walk the unpacked APK and decompress every file that starts with the XALZ magic
for root, _, files in os.walk("."):
    for f in files:
        path = os.path.join(root, f)
        with open(path, "rb") as fh:
            magic = fh.read(4)
        if magic == b"XALZ":
            xa = xalz.XamarinCompressedAssembly(path)
            xa.write("decompressed/" + f)
```
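To show what a XALZ container actually is, here is an added example (not part of the original page, and not xamarout's own code) that tells plain PE assemblies from XALZ containers by their leading bytes, parses the 12-byte XALZ header and decodes the LZ4 block with a small decoder, rejecting a truncated blob via the header's length field. The header layout (magic, descriptor index, uncompressed length, then one LZ4 block) is the one used by the xamarin-android runtime; the sample blob is constructed by hand.

```python
import struct

XALZ_MAGIC = b"XALZ"
# Constructed sample: a fake "MZ..." assembly body inside a XALZ container. Header layout
# (magic, descriptor index, uncompressed length, then one LZ4 block) follows the
# xamarin-android runtime's CompressedAssemblyHeader.
SAMPLE_PLAIN = b"MZ" + b"A" * 20 + b"END!!"                  # 27 bytes
SAMPLE_LZ4 = b"\x3fMZA\x01\x00\x00" + b"\x50END!!"          # hand-encoded LZ4 block
SAMPLE_XALZ = XALZ_MAGIC + struct.pack("<II", 7, len(SAMPLE_PLAIN)) + SAMPLE_LZ4

def _read_varlen(src, i, base):     # LZ4 length extension: add bytes while each is 255
    b = 255
    while b == 255:
        b = src[i]
        i, base = i + 1, base + b
    return base, i

def lz4_block_decompress(src: bytes, expected_len: int) -> bytes:
    """Minimal LZ4 *block* (not frame) decoder, which is what XALZ payloads use."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token, i = src[i], i + 1
        lit_len = token >> 4
        if lit_len == 15:
            lit_len, i = _read_varlen(src, i, lit_len)
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:                      # final sequence carries literals only
            break
        offset, i = src[i] | (src[i + 1] << 8), i + 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            match_len, i = _read_varlen(src, i, match_len)
        for _ in range(match_len):      # byte-wise copy handles overlapping matches
            out.append(out[-offset])
    if len(out) != expected_len:        # truncated/corrupt blob: refuse wrong output
        raise ValueError(f"length mismatch: got {len(out)}, header says {expected_len}")
    return bytes(out)

def classify(blob: bytes) -> str:       # plain PE assembly, XALZ container, or neither?
    if blob[:4] == XALZ_MAGIC:
        return "xalz"
    return "pe" if blob[:2] == b"MZ" else "unknown"

def xalz_unwrap(blob: bytes):           # -> (descriptor_index, decompressed assembly)
    if classify(blob) != "xalz":
        raise ValueError("not a XALZ container")
    idx, plain_len = struct.unpack_from("<II", blob, 4)
    return idx, lz4_block_decompress(blob[12:], plain_len)
```

The decompressed output begins with the usual MZ header, so a file that still starts with XALZ after extraction was simply never unwrapped.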
iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms.
AOT on iOS: managed IL is compiled into native `*.aotdata.*` files. Patching the DLL alone will not change logic; you need to hook native stubs (e.g., with Frida) because the IL bodies are empty placeholders.
Static Analysis
Once the .dlls are obtained, the .NET code can be analysed statically with tools such as dnSpy or ILSpy, which also let you modify the app's code. This can be very useful for modifying the application to bypass protections, for example.
Note that after modifying the app you will need to pack it again and re-sign it.
dnSpy is archived; maintained forks like dnSpyEx keep working with .NET 8/MAUI assemblies and preserve debug symbols when re-saving.
Dynamic Analysis
Dynamic analysis involves checking for SSL pinning and using tools such as Fridax for runtime modification of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, improving analysis capabilities.
Other interesting Frida scripts:
Updated Frida-xamarin-unpin (Mono >=6) hooks System.Net.Http.HttpClient.SendAsync and swaps the handler to a permissive one, so it still works even when pinning is implemented in custom handlers. Run it after the app starts:
```bash
frida -U -l dist/xamarin-unpin.js com.target.app --no-pause
```
Short template for hooking managed methods with the bundled frida-mono-api:
```javascript
const Mono = require('frida-mono-api');   // bundled frida-mono-api helper
Mono.ensureInitialized();                 // wait until the Mono runtime is up
// List the loaded assemblies to locate the one holding the target class
Mono.enumerateLoadedImages().forEach(i => console.log(i.name));
const klass = Mono.classFromName("Namespace", "Class");
const m = Mono.methodFromName(klass, "Method", 2);   // 2 = parameter count
// Print the first intercepted argument as a 32-bit integer on every call
Mono.intercept(m, { onEnter(args) { console.log(args[1].toInt32()); } });
```
Re-signing
The Uber APK Signer tool simplifies signing multiple APKs with the same key and can be used to re-sign an app after changes have been made to it.
References
- https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers
- https://thecobraden.com/posts/unpacking_xamarin_assembly_stores/
- https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf
- https://github.com/jakev/pyxamstore
- https://pypi.org/project/xamarout/
- https://github.com/GoSecure/frida-xamarin-unpin
- https://gist.github.com/Diefunction/e26fce039efcab57aac342a4b2d48ff6
- https://reverseengineering.stackexchange.com/questions/31716/deobfuscating-ios-dll-file-i-think-arm64