Lost In Memory

Easy | Mobile Security

Overview

The app hides a secret by encrypting it in memory using a native function and a stored key. Your goal is to uncover the original value by analyzing how the app handles these variables at runtime. Dig into the app's memory, trace where values are stored, and uncover what’s "lost in memory."

Lab Details

Prerequisites & Requirements

  • Android Variable Scope & Lifecycle:
    • Understanding the difference between local variables and Class Fields (Instance Variables).
    • Knowing that the onCreate method is the entry point for Activities where variables are often initialized.
  • Frida JavaScript API (Intermediate):
    • Beyond basic method hooking, you need to know how to access Fields of a class instance.
    • Understanding the syntax difference between calling a function (e.g., this.method()) and reading a variable (e.g., this.field.value).
  • JNI (Java Native Interface) Basics:
    • Recognizing that some data is generated in C/C++ layers (native-lib) and passed to the Java layer, making static analysis of the Java code insufficient for finding the actual value.

What will you learn?

  • Runtime Memory Inspection:
    • Learning how to "freeze" the application state (by hooking onCreate) to peek into memory before the app creates the UI or encrypts the data.
    • Extracting values that are generated dynamically and stored in memory, rather than trying to reverse the generation logic itself.
  • Frida Field Access:
    • Mastering the specific Frida syntax for reading instance variables. You will learn that while methods are called directly, fields must be accessed via the .value property (e.g., this.xorKey.value).
  • Hybrid Execution Flow:
    • Combining the execution of the original code (this.onCreate(bundle)) with custom logic to dump internal state (logging the xorKey and the result of stringFromJNI) without crashing the application.
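
The hook described in the list above, as an added example that is not part of the lab material or an official solution. It assumes the onCreate(android.os.Bundle) overload and a no-argument stringFromJNI(); the helper names and the bridge/log parameters are this example's own.

```javascript
// Added example, not the lab's official solution.
// Assumed: onCreate(android.os.Bundle) is the overload in use and
// stringFromJNI() is a no-argument instance method.
const TARGET = "com.titoot.lostinmemory.MainActivity";
const FIELDS = ["xorKey", "flag"]; // field names the page says JADX reveals

// Read an instance field through Frida's wrapper object.
function readField(self, name) {
  // Frida exposes a field as _name when a method shares its name.
  const wrapper = self["_" + name] !== undefined ? self["_" + name] : self[name];
  return wrapper === undefined ? undefined : wrapper.value;
}

// Collect the current value of every field of interest.
function snapshot(self) {
  const out = {};
  for (const name of FIELDS) out[name] = readField(self, name);
  return out;
}

// bridge is Frida's global Java object; it is passed in so the logic can be tested.
function installHook(bridge, log) {
  bridge.perform(function () {
    const Activity = bridge.use(TARGET);
    const onCreate = Activity.onCreate.overload("android.os.Bundle");
    onCreate.implementation = function (bundle) {
      const before = snapshot(this);        // state before the app's own code runs
      this.onCreate(bundle);                // original onCreate, so the app keeps working
      const after = snapshot(this);         // state once onCreate has finished
      const fromJni = this.stringFromJNI(); // methods are called directly, no .value
      log({ before, after, fromJni });
    };
  });
}

// Only true when the script is loaded by Frida.
if (typeof Java !== "undefined") {
  installHook(Java, (r) => console.log(JSON.stringify(r, null, 2)));
}
```

Comparing the before and after snapshots shows which fields onCreate itself rewrites, which is the point of reading state at that boundary.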

Tools

  • JADX (Dex to Java Decompiler):
    • Used for Static Analysis. It allows you to identify the class name (com.titoot.lostinmemory.MainActivity) and the specific field names (xorKey, flag) that hold the sensitive data. It also reveals that the logic relies on a native library, hinting that dynamic analysis is a faster route than static reversing.
  • Frida:
    • Used for Dynamic Instrumentation.
    • It allows you to attach to the running process and inject a JavaScript payload.

Job Positions

Mobile Security Engineer

Tags

Static Analysis, Dynamic Analysis, Decompiler, Hooking, Api Calls, Function Probes, Memory Dump, Code Flow, Strings