Discovering plaintext variable values in process memory on Android

1. Upload the file to the device
$ adb push gdbserver /sdcard

2. Enter a shell and become root
$ adb shell
$ su

3. Remount /system as read/write
$ mount -o rw,remount /system

4. Copy file to /system/xbin (or /system/bin)
$ cp /sdcard/gdbserver /system/xbin

5. Change permissions on the copied binary to ensure that it is executable
$ chmod 555 /system/xbin/gdbserver

6. Clean up
$ mount -o ro,remount /system
$ rm /sdcard/gdbserver

7. Download and compile gdb on the host, configured for the device's ARM target
$ wget http://ftp.gnu.org/gnu/gdb/gdb-7.7.tar.bz2
$ bunzip2 gdb-7.7.tar.bz2
$ tar xf gdb-7.7.tar
$ cd gdb-7.7/
$ ./configure --target=arm-linux-gnueabi
$ make

8. Find the keystore PID
$ ps | grep key
$ cd /proc/228
(228 is the keystore PID reported by ps; substitute the value from your own device.)

9. Find the heap
The process's memory map (the `maps` file under /proc/<pid>) normally lists the code that makes up the process and its libraries, followed by the regions holding the process's runtime data:
– heap   – memory assigned by the VM or by the kernel for data storage
– stack  – memory used during function calls etc.
In the map read above, the heap runs from 0xb7712000 (start of heap) to 0xb771f000 (end of heap).

10. Start gdbserver attached to the process, listening on a port on the device
$ gdbserver --attach :1234 228
1234 => the listening port (any free port works)
228 => the PID of the target process (from step 8)

11. Use adb to forward the port on the device to a local port
$ adb forward tcp:1234 tcp:1234

This now lets us talk to gdbserver on the device's port 1234/tcp by connecting to 1234/tcp on the host.

12. If gdb runs on a different machine, use a third-party program to forward the local port on to that machine
– e.g. the program "Port Forwarding for Windows" to forward from the native OS to the virtual machine that runs gdb



13. Connect via gdb
$ ./gdb
(gdb) target remote 192.168.0.41:1234


14. Dump the heap range found in step 9 to a file
(gdb) dump memory /tmp/heapout 0xb7712000 0xb771f000



15. Look in the dump for strings that could be usernames or passwords
$ strings /tmp/heapout | more
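Steps 9 and 15 are the two places where the procedure is done by eye: reading the map to find the heap range, and reading the `strings` output to see whether a secret is still sitting in memory. The following script is an added example (not from the original post) that automates both for an audit of your own application: it parses a `/proc/<pid>/maps` listing to locate the heap and the other writable regions, runs a minimal `strings` over a dump, and checks whether a known secret survives. The maps listing and the dump bytes are constructed samples, not captured from a device; only the heap range is taken from the post.

```python
import re
import string
import sys

# Constructed sample of a /proc/<pid>/maps listing (not captured from a real
# device). The [heap] line uses the range quoted in the post above.
SAMPLE_MAPS = """\
b6f00000-b6f4a000 r-xp 00000000 b3:19 1234       /system/bin/keystore
b6f4a000-b6f4c000 r--p 00049000 b3:19 1234       /system/bin/keystore
b6f4c000-b6f4d000 rw-p 0004b000 b3:19 1234       /system/bin/keystore
b7712000-b771f000 rw-p 00000000 00:00 0          [heap]
b7800000-b7900000 r-xp 00000000 b3:19 2048       /system/lib/libc.so
be8a0000-be8c1000 rw-p 00000000 00:00 0          [stack]
"""

# Constructed heap dump: what memory can look like when an app has finished
# with a password but never cleared the buffer.
SAMPLE_DUMP = (
    b"\x00\x00\x00\x10"
    b"user=alice\x00\x00"
    b"pass=Hunter2!\x00"
    b"\x7f\x7fabc\x00"
    b"\x01\x02zeroed-buffer\x00"
)

# maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Return (start, end, perms, path) tuples for every region in a maps listing."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append((int(m["start"], 16), int(m["end"], 16),
                            m["perms"], m["path"].strip()))
    return regions


def find_region(text, name="[heap]"):
    """Locate the region whose pathname column is `name` ([heap], [stack], ...)."""
    for start, end, _perms, path in parse_maps(text):
        if path == name:
            return start, end
    return None


def writable_regions(text):
    """All writable regions: the places where plaintext variable values can live."""
    return [(s, e, p) for s, e, perms, p in parse_maps(text) if perms.startswith("rw")]


def extract_strings(data, min_len=4):
    """Minimal `strings`: runs of printable ASCII (0x20..0x7e) of at least min_len bytes."""
    printable = set(range(0x20, 0x7f))
    found, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def secret_present(data, secret):
    """True if a known secret is still readable in the dump (zeroisation failed)."""
    return secret.encode() in data


def wipe_secret(data, secret):
    """What correct cleanup should leave behind: every copy of the secret overwritten with zeros."""
    buf, needle = bytearray(data), secret.encode()
    idx = buf.find(needle)
    while idx != -1:
        buf[idx:idx + len(needle)] = b"\x00" * len(needle)
        idx = buf.find(needle, idx + len(needle))
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python audit.py <maps-file> <dump-file>; without arguments the samples are used.
    if len(sys.argv) == 3:
        maps_text = open(sys.argv[1]).read()
        dump = open(sys.argv[2], "rb").read()
    else:
        maps_text, dump = SAMPLE_MAPS, SAMPLE_DUMP
    heap = find_region(maps_text)
    if heap:
        print("heap: 0x%08x-0x%08x (%d bytes)" % (heap[0], heap[1], heap[1] - heap[0]))
    for s, e, p in writable_regions(maps_text):
        print("writable: 0x%08x-0x%08x %s" % (s, e, p))
    for s in extract_strings(dump):
        print("string:", s)
```

Run without arguments it works on the embedded samples; pointed at a saved copy of `/proc/<pid>/maps` and the file written by `dump memory`, it reports the heap bounds and every printable string in the dump. The `secret_present` / `wipe_secret` pair is the check to build into a test: after the code under test has disposed of a credential, the dump should no longer contain it.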

About Mahyar

OrcID: 0000-0001-8875-3362 PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2
