{"id":410,"date":"2021-02-13T17:09:27","date_gmt":"2021-02-13T17:09:27","guid":{"rendered":"https:\/\/lyhinslab.org\/?p=410"},"modified":"2021-02-13T17:09:27","modified_gmt":"2021-02-13T17:09:27","slug":"lifehacks-for-hackers-how-to-monitor-mobile-devices-filesystem-dynamically","status":"publish","type":"post","link":"https:\/\/lscp.llc\/index.php\/2021\/02\/13\/lifehacks-for-hackers-how-to-monitor-mobile-devices-filesystem-dynamically\/","title":{"rendered":"Lifehacks for hackers: how to monitor mobile devices’ filesystem dynamically"},"content":{"rendered":"\n

I suppose you want to discover how the pre-defined mobile application interacts with the filesystem and precisely understand what happens on the filesystem when this application is active. This guide describes this process for both major platforms – iOS and Android, as of February 13, 2021. <\/p>\n\n\n\n

iOS<\/h3>\n\n\n\n

TL;DR<\/p>\n\n\n\n

wget https:\/\/github.com\/nowsecure\/fsmon\/releases\/download\/1.6.1\/fsmon-ios -O fsmon161\nchmod 755 fsmon161\nldid -e $(which bash) >entitlement.xml\nldid -Sentitlement.xml fsmon161\nps aux | grep \"NAME\"\n.\/fsmon161 -c -p $(ps aux | grep NAME | tr -s \" \" | cut -d\" \" -f2 | head -1)<\/pre>\n\n\n\n
1 – Jailbreak the device – it’s still legal. For example, use checkra1n<\/a>.<\/p>\n\n\n\n
2 – Download fsmon <\/a>v1.6.1 application on the device. We emphasize that the latest version might not work.<\/p>\n\n\n\n
wget https:\/\/github.com\/nowsecure\/fsmon\/releases\/download\/1.6.1\/fsmon-ios -O fsmon161\nchmod 755 fsmon161<\/pre>\n\n\n\n
3 – \u00a0On the device, make some adjustments:<\/p>\n\n\n\n
ldid -e $(which bash) >entitlement.xml\nldid -Sentitlement.xml fsmon161<\/pre>\n\n\n\n
4 – Use the fsmon application.<\/p>\n\n\n\n
ps aux | grep \"NAME\" #validate the name\n.\/fsmon161 -c -p $(ps aux | grep NAME | tr -s \" \" | cut -d\" \" -f2 | head -1)<\/pre>\n\n\n\n
Android<\/h3>\n\n\n\n
For android, we suggest to substitute fsmon tool with inotifywait tool, because fsmon might now work correctly.<\/p>\n\n\n\n
TL;DR<\/p>\n\n\n\n
git clone --depth=1 https:\/\/github.com\/dstmath\/inotifywait-for-Android.git \ncd inotifywait-for-Android\nndk-build \nadb push \/libs\/armeabi-v7a\/inotifywatch \/data\/local\/tmp\/\nadb push \/libs\/armeabi-v7a\/inotifywait \/data\/local\/tmp\/\nadb shell\nsu\nmount -o rw,remount \/system\n\/data\/local\/tmp\/inotifywait -r \/data -m | grep -v base.apk<\/pre>\n\n\n\n
1 – Root the device,<\/p>\n\n\n\n
2 – Download ndk-build<\/a>,<\/p>\n\n\n\n
3 – Clone inotifywait git repository and compile the application,<\/p>\n\n\n\n
git clone --depth=1 https:\/\/github.com\/dstmath\/inotifywait-for-Android.git  <\/pre>\n\n\n\n
4 – You probably need to modify .\/jni\/Application.mk, change “armeabi” to “armeabi-v7a”,<\/p>\n\n\n\n
5 – Build the application,<\/p>\n\n\n\n
cd inotifywait-for-Android\nndk-build<\/pre>\n\n\n\n
6 – Push both binaries to an android device,<\/p>\n\n\n\n
adb push \/libs\/armeabi-v7a\/inotifywatch \/data\/local\/tmp\/\nadb push \/libs\/armeabi-v7a\/inotifywait \/data\/local\/tmp\/<\/pre>\n\n\n\n
7 – If needed, ask the \/system partition to be writeable,<\/p>\n\n\n\n
adb shell\nsu\nmount -o rw,remount \/system<\/pre>\n\n\n\n
8 – Use the inotifywait application. <\/p>\n\n\n\n
 \/data\/local\/tmp\/inotifywait -r \/data -m | grep -v base.apk<\/pre>\n\n\n\n
Use case<\/h3>\n\n\n\n
An open-source android game Pixel Dungeon<\/a> has the achievment system, and I suppose that it stores the achievments locally, so we may try to modify them and get more achievments in an easy way. It could be done relatively quickly:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
To repeat:<\/p>\n\n\n\n
0 – Install the application, <\/p>\n\n\n\n
1 – Start the filesystem monitoring,<\/p>\n\n\n\n
\/data\/local\/tmp\/inotifywait -r \/data\/data\/com.watabou.pixeldungeon\/ -m | grep -v base.apk<\/pre>\n\n\n\n
2 – At the moment of getting any achievment, press CTRL+C on adb shell to stop the inotifywait process,<\/p>\n\n\n\n
\/data\/local\/tmp\/inotifywait -r \/data\/data\/com.watabou.pixeldungeon\/ -m | grep -v base.apk\nSetting up watches.  Beware: since -r was given, this may take a while!\nWatches established.\n\/data\/data\/com.watabou.pixeldungeon\/ CREATE,ISDIR shared_prefs\n\/data\/data\/com.watabou.pixeldungeon\/ ATTRIB,ISDIR shared_prefs\n\/data\/data\/com.watabou.pixeldungeon\/ OPEN,ISDIR shared_prefs\n\/data\/data\/com.watabou.pixeldungeon\/ CLOSE_NOWRITE,CLOSE,ISDIR shared_prefs\n\/data\/data\/com.watabou.pixeldungeon\/ CREATE,ISDIR files\n\/data\/data\/com.watabou.pixeldungeon\/ OPEN,ISDIR files\n\/data\/data\/com.watabou.pixeldungeon\/ CLOSE_NOWRITE,CLOSE,ISDIR files\n\/data\/data\/com.watabou.pixeldungeon\/ ATTRIB,ISDIR files\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB,ISDIR\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ CREATE PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ OPEN PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ MODIFY PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ CLOSE_WRITE,CLOSE PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ ATTRIB PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ MOVED_FROM PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ MOVED_TO PixelDungeon.xml.bak\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ CREATE PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ OPEN PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ MODIFY PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ CLOSE_WRITE,CLOSE PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ ATTRIB PixelDungeon.xml\n\/data\/data\/com.watabou.pixeldungeon\/shared_prefs\/ DELETE PixelDungeon.xml.bak\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CREATE warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ OPEN warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CLOSE_WRITE,CLOSE warrior1.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CREATE warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ OPEN warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CLOSE_WRITE,CLOSE warrior2.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CREATE warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ OPEN warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CLOSE_WRITE,CLOSE warrior3.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CREATE warrior.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ OPEN warrior.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB warrior.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CLOSE_WRITE,CLOSE warrior.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CREATE warrior4.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ OPEN warrior4.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB warrior4.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior4.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY warrior4.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CLOSE_WRITE,CLOSE warrior4.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CREATE badges.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ OPEN badges.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ ATTRIB badges.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ MODIFY badges.dat\n\/data\/data\/com.watabou.pixeldungeon\/files\/ CLOSE_WRITE,CLOSE badges.dat<\/pre>\n\n\n\n
File badges.dat looks promising. <\/p>\n\n\n\n
cat \/data\/data\/com.watabou.pixeldungeon\/files\/badges.dat\n{\"badges\":[\"NO_MONSTERS_SLAIN\"]}<\/pre>\n\n\n\n
3 – Google the words “NO_MONSTERS_SLAIN”, find all badges in the source code, and modify the file badges.dat.<\/p>\n","protected":false},"excerpt":{"rendered":"
I suppose you want to discover how the pre-defined mobile application interacts with the filesystem and precisely understand what happens on […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-410","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/comments?post=410"}],"version-history":[{"count":0,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/410\/revisions"}],"wp:attachment":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/media?parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/categories?post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/tags?post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}