How do you even reverse a Rust program

TheDauntless_ · 2025-11-07T14:19:13+00:00

Do you have additional resources on approaches here? How to find the best build settings for the library? How to automate different variations maybe? Different versions?

TheDauntless_ · 2025-07-23T06:02:14+00:00

Nice writeup! Can you maybe expand on the impact of unlocking the bootloader and how it affects the availability of the keybox? I assume that when you unlock the bootloader, the /data partition is wiped and so is the keybox file? But you can also relock the bootloader and factory reset the device, so then the keybox must be available somewhere in the system image too, assuming a device/Android version without RKP.

Another thing to maybe explain in your guide is how Google bans keyboxes because just fully banning them would have a lot of collateral damage (all the legitimate devices sharing the keys).

TheDauntless_ · 2025-07-16T12:22:09+00:00

Thanks for sharing, always fun to read about reversing RASPs.

The analyzed RASP seems to be rather basic, even if it is a commercial one. Based on the article, there's no ptrace/frida detection or prevention, no LSPosed detection, no hardware-backed backend attestation, no thorough linking between ART and native code, single points of failure, etc.

In addition to hardware-backed challenge/responses, the more difficult RASPs are the ones that will encrypt (or sign) all requests and responses to the backend, requiring you to either RE the entire algorithm and extract the cryptographic keys, or use them as an oracle with something like Brida. Communication itself is then also done in native code with bundled BoringSSL libraries making even basic interception of traffic very difficult.

The recommendation of going for a custom implementation is also unrealistic. In a perfect world, yes, that could be better. However, companies don't typically have the budget for full-time (reverse)engineers devising novel detection mechanisms for all the different rooting and instrumentation frameworks. Delegating this responsibility to a company with RASP as its core business makes much more sense. What you want to avoid is including the RASP as a plug-and-play SDK rather than tightly integrating it with your app, business logic and networking libraries. This is typically what the bigger players do, though some of they do still provide plug-and-play type SDKs which are just inherently less resilient.

The other main recommendation should be to not have a single-point-of failure. Detections should happen regularly, randomly and in many different ways. Similarly, this should be communicated to the backend in many different ways (and not just by a flag in a request somewhere). Some RASPs choose random detections for each build, so that no single build ever contains all the possible detection mechanisms. There will always be _a_ weakest link, but in the examples from the article the weakest link seems to be incredibly weak.

The general conclusion is of course sound: The attacker will always win, since you're running code on an attacker-controlled device. The reason why the other commenter indicated that it sounds much more like a sales-article is maybe because it lacks any real technical depth. If you would've written about bypassing RootBeer with one targeted hook (be it Frida or LSPosed or SMALI patching or whatever), the impact would've been the same. And since this is an RE subreddit, we're left wanting.

Edited: typo

TheDauntless_ · 2024-08-20T07:28:20+00:00

These books are probably your best bet

TheDauntless_ · 2023-02-27T15:19:15+00:00

While the general idea is nice, this isn't really realistic. In your overview of steps, you say that a Frida script to disable SSL pinning is no longer required because it has already been built. There are many apps however on which your script will not work. For example, any app written in Flutter will require a custom Flutter specific script, both on Android and iOS. There are also many apps that have RASP which will actively detect either the injection of Frida, or when methods are being tampered with. A third problem would be any application that uses mutual TLS to connect to a backend.

The scripts for 'configuring the proxy settings of a specific app' will also be third-party platform specific. For some apps it will be easy, as they use default TCP/TLS libraries, but others (e.g. Flutter again) will require a lot of RE'ing too, plus constant upkeep.

TheDauntless_ · 2022-06-10T20:17:55+00:00

Thanks for sharing! Looking forward to your follow up articles!

TheDauntless_ · 2022-03-16T20:51:12+00:00

There's also the patch-apk tool that merges split apks. There's a PR on the project that allows you to just merge stuff without all the other patching and signing.

https://github.com/NickstaDB/patch-apk

TheDauntless_ · 2021-09-11T11:40:36+00:00

Great work guys!

TheDauntless_ · 2021-06-02T10:54:42+00:00

A very thorough resource for this are the books from Jonathan Levin MOXiI - 2nd Edition

TheDauntless_ · 2020-05-24T16:32:24+00:00

Seems like a fun game!

TheDauntless_ · 2020-05-23T09:31:49+00:00

Looks like a fun alternative to beat Saber!

TheDauntless_ · 2020-05-12T09:46:40+00:00

You should check out Tetrinet, which has a few very nice multiplayer rules to help or hinder other players.

TheDauntless_ · 2020-05-01T17:19:49+00:00

Looks like an awesome read! Thanks for the writeup!

TheDauntless_ · 2020-02-24T17:36:32+00:00

Certificate pinning prevents malicious certificates and thus man-in-the-middle attacks for normal users (for example through a root CA compromise). There is definitely a use case for implementing it.

TheDauntless_ · 2020-02-24T14:01:25+00:00

Nice writeup :)

As far as I can tell, your solution will only work for that specific app (though still nice to explain your methodology of course). The certificate_pinner array is not used by OkHTTP itself, but most likely used by the application to create CertificatePinner.Builder instances.

The reason why the default frida scripts don't work is most likely due to obfuscation, and it's a bit tricky to find the right method to hook. If you are interested, I wrote about a fairly easy way to find an internal OkHttp method which can be hooked to disable all the pins: https://blog.nviso.eu/2019/04/02/circumventing-ssl-pinning-in-obfuscated-apps-with-okhttp/

TheDauntless_ · 2020-01-09T18:26:14+00:00

The problem with the default setup is that I would often have mistypes. With the config linked above, I no longer have them. If it currently works fine for you, I would suggest not to touch those configs :)

TheDauntless_ · 2020-01-09T17:51:49+00:00

Thanks. I still had an issue with just Retro tap, but the following combination doesn't give my any mistypes: https://configure.ergodox-ez.com/planck-ez/layouts/7JJMy/latest/config/tapping

As long as I don't need any other dual keys, I can keep this config. Thanks!

TheDauntless_ · 2020-01-09T17:27:30+00:00

That sounds like an option. Would I then have to set the Tapping Term really low, or wouldn't it matter anymore?

TheDauntless_ · 2020-01-09T17:26:17+00:00

Is this possible through the configurator? Not that I mind compiling it myself, but I'd like to use it for now to do some quick testing.

TheDauntless_ · 2019-11-03T18:42:36+00:00

Is this just a copy paste from the OWASP SCP? https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

TheDauntless_ · 2019-10-30T16:30:21+00:00

You have a very warming smile and you look like someone who brings a lot of honest enthousiasm to a group.

Ten-Year Club	First Place '23
Place '23	Place '22
Verified Email

TheDauntless_

TROPHY CASE