dexcalibur-doc

Official Dexcalibur documentation


Latest news can be found here.

8 May 2019 - Dexcalibur 0.7.0: new release, big update

I have been preparing the new Dexcalibur release (0.7) for several months. Today I would like to share some of its improvements and new features.

The latest release can be found on GitHub or NPM.

The following improvements and features are covered:

1. Easy NPM install / installer

Several users encountered issues caused by misconfiguration, missing dependencies, or dependency version errors (mismatched Frida or ADB major versions, …).

Before v0.7, installing Dexcalibur required filling in a configuration file by hand with several absolute paths, and you had to have at least:

Today, Dexcalibur requires only:

Dexcalibur can now be installed with:

$ npm install -g dexcalibur
$ dexcalibur

At first run, Dexcalibur starts “Install mode”:

Step 1 : step1

Step 2 : step2

2. Dexcalibur launch / new project / project switching without restart

Previous versions required several options such as --app=, --pull, --port=, ... For a first-time user, the correct value for each option was hard to find.

Now everything has been automated. Once you have installed Dexcalibur and created your workspace successfully, just run the command: dexcalibur. If you want to work with a big application, increase the heap size with the option --max-heap <size in MB>, for example --max-heap 8192.

By default, the web server listens on port 8000. Open your browser and visit http://127.0.0.1:8000.

The new “home page” (below) appears.

home page

As you can see in the screenshot, this page offers several actions related to project management and engine configuration:

Project actions:

Engine actions using the Dexcalibur marketplace:

You can start a new project by selecting an application on a connected device, or by analyzing a side-loaded APK.

2.A List and select an application to analyze

Once you have enrolled your device, you can select an installed application and start analyzing it. If you want to analyze a vendor-specific or system app, be aware that some APKs do not contain bytecode (typically because their code was pre-optimized into .odex/.vdex files next to the APK at build time); this will be detailed in a future post.

home page

This creates a new project, which you will be able to share with other people.

2.B Open an APK

home page

You can analyze local and remote APKs by using one of the three available options:

The name of your project can be anything, but it must be unique. The package name is detected automatically.

Next, you should select the target platform to help Dexcalibur detect methods from the Android framework during static analysis. There are several choices:

The first two choices allow you to use Dexcalibur for static analysis only, if you have no default device.

3. Better control of frida-server and hooking sessions

Now you can start/stop frida-server from the Hook > Dashboard page and detect the frida-server status. Several issues related to spawn/attach have been fixed.

home page

You can now unload hooks, clear hook messages, and kill the application from the Hook > Logs page.

home page

4. Platform Manager

Why was Dexcalibur not able to hook InMemoryDexClassLoader automatically? Because Dexcalibur was based on Android API 24 by default, and that API level does not contain this class (InMemoryDexClassLoader was introduced in API 26).

Now you can install/select the Android API to use during analysis.

Use the Platform Manager to install additional Android APIs (called platforms). The list of available platforms is retrieved from Dexcalibur-registry.

home page

In Dexcalibur terminology, a platform is a collection of binaries/classes/symbols/… provided by a specific platform. There are commonly two sources for such information:

When Dexcalibur scans an application, it starts with a short static analysis of the target platform in order to index Android API classes, internal classes and, if possible, manufacturer-specific (vendor) classes. Platforms are used during this step.

5. Device Management

Now, for several reasons explained later, the device running frida-server is a central piece of Dexcalibur's logic.

Before you start using Dexcalibur, the Device Manager lets you enroll a device. Device enrollment performs:

Once your device has been enrolled, it is ready for hooking!

Device Manager

02 December 2019 - New feature: auto-save

Have you ever been afraid of losing your work when Dexcalibur crashes or exits? A backup mechanism already exists, but you have to go to the Settings -> Save menu, which can be tedious…

The new “Auto-save” feature automatically backs up Dexcalibur changes such as hook status, hook code, and aliases to a file whenever they are modified. At the next Dexcalibur start, the backed-up data is restored automatically.

Auto-save status

You can turn auto-save on or off by clicking the corresponding switch at the right of the navbar.

Auto-save status

Auto-save writes the backup file when:

Link: https://github.com/FrenchYeti/dexcalibur/releases/tag/V0.6.1

06 November 2019 - Release v0.6 + Major update

The latest version comes with a lot of new features and changes.

New features:

Fix:

Changes:

07 July 2019 - New feature: “just-in-time decompilation” is available :)

One of the main features of Dexcalibur has been implemented: “just-in-time decompilation”. Dexcalibur hooks the DexClassLoader constructor in order to detect dynamic loading of additional Dex files, potentially decrypted at runtime. When a new bytecode chunk is detected, it is sent back to the server, decompiled, and the internal database (graph) is updated with the discovered elements such as packages, classes, methods, fields, strings, byte arrays, and so on.

The picture below shows the smali code of a function defined in a Dex file that was decrypted by a JNI library and loaded dynamically. Here it is a crackme application, and the static string is the flag.

JITD

Freshly discovered classes can be explored and their methods hooked :)

JITD
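Both the Platform Manager note above (InMemoryDexClassLoader being absent from API 24) and the just-in-time decompilation mechanism come down to the same hook: intercept the class-loader constructors, grab the bytecode and send it to the host. The following Frida script is an added example written for this page; it is not Dexcalibur's own hook code. It assumes a device running frida-server with the Frida Java bridge available (Java.perform, Java.use, send), hooks only the single-ByteBuffer InMemoryDexClassLoader constructor, and reads the buffer byte by byte through duplicate() so the application's own buffer position is untouched. Before shipping a chunk it parses the dex header and verifies the Adler-32 checksum, which is the check that keeps a truncated or still-encrypted buffer out of the database. The dex helpers are plain JavaScript and run under Node as well.

```javascript
// Added example for this page (not Dexcalibur's own hook code): a Frida
// script that watches both the file-backed DexClassLoader and the API 26+
// InMemoryDexClassLoader, validates each captured chunk as a dex file and
// sends it to the host. Assumes the Frida Java bridge (Java.perform,
// Java.use, send) on the device; the dex helpers are plain JS and run in Node.

const DEX_HEADER_SIZE = 0x70;

// dex files are little-endian (endian_tag 0x12345678).
function u32(b, off) {
  return (b[off] | (b[off + 1] << 8) | (b[off + 2] << 16) | (b[off + 3] << 24)) >>> 0;
}

// Adler-32 over b[start..], the algorithm behind the dex checksum field
// (which covers everything after the 12-byte magic+checksum prefix).
function adler32(b, start) {
  let a = 1, s = 0;
  for (let i = start; i < b.length; i++) {
    a = (a + b[i]) % 65521;
    s = (s + a) % 65521;
  }
  return ((s << 16) | a) >>> 0;
}

// Parse the 0x70-byte dex header from a Uint8Array. Returns null when the
// bytes are not a dex file at all (an odex/vdex, or a still-encrypted blob).
function parseDexHeader(b) {
  if (b.length < DEX_HEADER_SIZE) return null;
  const magic = String.fromCharCode(...Array.from(b.slice(0, 8)));
  const m = /^dex\n(\d{3})\0$/.exec(magic);
  if (!m) return null;
  const hdr = {
    version: m[1],
    checksum: u32(b, 8),
    fileSize: u32(b, 32),
    headerSize: u32(b, 36),
    endianTag: u32(b, 40),
    stringIds: u32(b, 56),
    typeIds: u32(b, 64),
    methodIds: u32(b, 88),
    classDefs: u32(b, 96),
    classDefsOff: u32(b, 100),
  };
  // A chunk is only worth decompiling if the header agrees with what we hold.
  hdr.complete = hdr.fileSize === b.length &&
                 hdr.headerSize === DEX_HEADER_SIZE &&
                 hdr.endianTag === 0x12345678;
  hdr.checksumOk = hdr.complete && adler32(b, 12) === hdr.checksum;
  return hdr;
}

// Copy a java.nio.ByteBuffer into a Uint8Array without touching the
// position/limit the application is about to hand to the class loader.
function byteBufferToUint8Array(buf) {
  const dup = buf.duplicate();
  const out = new Uint8Array(dup.remaining());
  for (let i = 0; i < out.length; i++) out[i] = dup.get() & 0xff;
  return out;
}

function report(origin, bytes) {
  const hdr = parseDexHeader(bytes);
  if (hdr === null) {
    send({ type: 'not-dex', origin: origin, size: bytes.length });
  } else if (hdr.checksumOk) {
    send({ type: 'dex', origin: origin, header: hdr }, bytes.buffer); // bytes travel as the data argument
  } else {
    send({ type: 'dex-corrupt', origin: origin, header: hdr });      // do not poison the database
  }
}

function installHooks() {
  Java.perform(function () {
    const DexClassLoader = Java.use('dalvik.system.DexClassLoader');
    DexClassLoader.$init.overload('java.lang.String', 'java.lang.String',
                                  'java.lang.String', 'java.lang.ClassLoader')
      .implementation = function (dexPath, optDir, libPath, parent) {
        // File-backed loader: report the path so the host can pull the file.
        send({ type: 'dex-path', origin: 'DexClassLoader', path: dexPath });
        return this.$init(dexPath, optDir, libPath, parent);
      };

    // Only present from API 26; keep the script loadable on older targets.
    try {
      const InMem = Java.use('dalvik.system.InMemoryDexClassLoader');
      InMem.$init.overload('java.nio.ByteBuffer', 'java.lang.ClassLoader')
        .implementation = function (buf, parent) {
          report('InMemoryDexClassLoader', byteBufferToUint8Array(buf));
          return this.$init(buf, parent);
        };
    } catch (e) {
      send({ type: 'info', msg: 'InMemoryDexClassLoader unavailable: ' + e });
    }
  });
}

if (typeof Java !== 'undefined') installHooks(); // only under frida, not in Node
```

Loaded with the frida CLI (for example `frida -U -f <package> -l capture_dex.js`, file name assumed), the host side receives the parsed header as the message and the raw dex bytes as the data argument of its message handler, so it can write the chunk to disk and decompile it.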

26 June 2019 - UI Improvements : fields setter/getter

The views and queries involving cross references have been improved. The information is more accessible for API users: fields now have getters and setters properties.

The UI has been improved to display getters and setters. You can get the xrefs of a field from the Class view.

Xrefs of a field

Explore fields from a class

When you search where a given symbol is referenced, if the symbol is a field, you can see whether the instruction referencing it sets or gets its value.

Results of searching call or use of a symbol
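As an added example (not Dexcalibur's own analyzer), the following JavaScript shows how the get/set distinction falls out of the Dalvik opcode itself: iget*/sget* instructions read a field, iput*/sput* instructions write it. It indexes field references from smali text into the per-field getters/setters lists described above. The smali sample is constructed for this example; its class, method and field names are assumptions.

```javascript
// Added example (not Dexcalibur's own code): index field cross-references
// from smali and record whether each reference reads (get) or writes (set)
// the field, which is what the getter/setter xref views display.

// Dalvik field-access opcodes: iget*/sget* read a field, iput*/sput* write it.
const FIELD_OP = /^([is])(get|put)(?:-[a-z]+)?$/;

// Matches "Lcom/foo/Bar;->name:Ljava/lang/String;" at the end of an instruction.
const FIELD_REF = /(L[\w\/$]+;)->([\w$]+):(\S+)$/;

// Returns { '<class>-><field>:<type>': [ { method, kind, static, line } ] }.
function indexFieldXrefs(smali) {
  const xrefs = {};
  let cls = '?';
  let method = null;
  smali.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (line.startsWith('.class ')) {
      cls = line.split(/\s+/).pop();            // last token is the class descriptor
      return;
    }
    if (line.startsWith('.method ')) {
      method = cls + '->' + line.split(/\s+/).pop();
      return;
    }
    if (line === '.end method') { method = null; return; }
    if (method === null) return;                // .field declarations etc. are not references
    const m = FIELD_OP.exec(line.split(/\s+/)[0]);
    if (!m) return;
    const ref = FIELD_REF.exec(line);
    if (!ref) return;                           // malformed line: skip rather than guess
    const key = ref[1] + '->' + ref[2] + ':' + ref[3];
    (xrefs[key] = xrefs[key] || []).push({
      method: method,
      kind: m[2] === 'get' ? 'get' : 'set',
      static: m[1] === 's',
      line: i + 1,
    });
  });
  return xrefs;
}

// Getter/setter view of a single field, the shape a Field object exposes.
function fieldAccessors(xrefs, key) {
  const refs = xrefs[key] || [];
  return {
    getters: refs.filter(r => r.kind === 'get').map(r => r.method),
    setters: refs.filter(r => r.kind === 'set').map(r => r.method),
  };
}

// Constructed sample (not taken from a real application).
const SAMPLE_SMALI = `
.class public Lcom/example/Vault;
.super Ljava/lang/Object;
.field private secret:Ljava/lang/String;
.field private static unlocked:Z

.method public constructor <init>()V
    .registers 2
    const-string v0, "s3cr3t"
    iput-object v0, p0, Lcom/example/Vault;->secret:Ljava/lang/String;
    return-void
.end method

.method public check(Ljava/lang/String;)Z
    .registers 3
    iget-object v0, p0, Lcom/example/Vault;->secret:Ljava/lang/String;
    invoke-virtual {v0, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    sput-boolean v0, Lcom/example/Vault;->unlocked:Z
    return v0
.end method
`;
```

Running indexFieldXrefs(SAMPLE_SMALI) reports the secret field as set once in the constructor and read once in check(), and the static unlocked flag as set in check(); fieldAccessors() turns that into the getters/setters lists.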

25 June 2019 - Dexcalibur dockerfile improvements

I patched a long-standing issue: the frida CLI was not installed -_-" The PATH environment variable is now more complete, so you no longer need to know the absolute path of the ADB or Frida tools.

In theory, the docker image contains the same major version of frida and node-frida, so there should be fewer issues than with a fresh install of Dexcalibur against an existing frida CLI/server setup.

23 June 2019 - New inspector: Issue Inspector

Currently, this inspector catches calls to the SecurityException constructor and tags the resulting logs as “Error”. It is useful for catching permission issues without using “adb logcat”.
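As an added example (not the inspector shipped in Dexcalibur), here is how such an inspector can be expressed as a Frida hook: every SecurityException constructor overload is intercepted, the event is tagged as an Error, and the permission named in the message is extracted, since Android permission denials name it inline (for example "requires android.permission.READ_CONTACTS"). The Frida-specific part assumes the Java bridge (Java.perform, Java.use, send) and that an overload object can be invoked with apply; the tagging function is plain JavaScript and runs under Node. The sample messages used to exercise it are constructed.

```javascript
// Added example (not Dexcalibur's own inspector): hook every SecurityException
// constructor, tag the event as an Error and pull the permission name out of
// the message, so permission denials show up in the hook log without logcat.
// Assumes the Frida Java bridge (Java.perform, Java.use, send) on the device;
// tagSecurityException() is plain JS and also runs in Node.

// Android permission-denial messages name the missing permission inline,
// e.g. "Permission Denial: ... requires android.permission.READ_CONTACTS".
const PERMISSION_RE = /\b([a-z][\w.]*\.permission\.[A-Z_]+)\b/;

function tagSecurityException(message, stack) {
  const m = PERMISSION_RE.exec(message || '');
  return {
    level: 'Error',                          // what the inspector tags the log entry with
    source: 'java.lang.SecurityException',
    message: message || '(no message)',
    permission: m ? m[1] : null,             // null when the denial is not permission-related
    stack: stack || null,
  };
}

function installInspector() {
  Java.perform(function () {
    const SecurityException = Java.use('java.lang.SecurityException');
    const Exception = Java.use('java.lang.Exception');
    const Log = Java.use('android.util.Log');

    // SecurityException has four constructors: (), (String), (String, Throwable)
    // and (Throwable). Hook them all instead of guessing which one the app hits.
    SecurityException.$init.overloads.forEach(function (ov) {
      ov.implementation = function () {
        const ret = ov.apply(this, arguments);   // run the real constructor first
        // Capture the Java stack at this point: it contains the caller chain
        // that explains which framework call was denied.
        const stack = Log.getStackTraceString(Exception.$new());
        send(tagSecurityException(this.getMessage(), stack));
        return ret;
      };
    });
  });
}

if (typeof Java !== 'undefined') installInspector(); // only under frida, not in Node
```

Because the hook runs after the original constructor, getMessage() already returns the final text, including the cause's description for the (Throwable) overload; the host side simply renders any entry whose level is Error in the log view.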