Add more Recon

RECON.md

@@ -1,5 +1,26 @@
 # Recon
 
+- [General Infos](#general-infos)
+- [Files](#files)
+- [Rest APIs](#rest-apis)
+- [WebViews](#webviews)
+- [Intents](#intents)
+- [Native Libs](#native-libs)
+- [Open-Source Libs](#open-source-libs)
+- [Crypto](#crypto)
+  - [E2E](#e2e)
+
+## General infos
+
+```
+Package name: com.kakao.talk
+Version: 10.1.7
+SHA256: 8a27e29ba35a06ec9a997260bad6f28cd181fecd6fc9abb71986f2716d18232f
+Main Activity: com.kakao.talk.activity.SplashActivity
+```
+
+## Files
+
 File directories:
 
 ```
@@ -13,9 +34,9 @@ obbDir                  /storage/emulated/0/Android/obb/com.kakao.talk
 packageCodePath         /data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/base.apk
 ```
 
-Shared Preferences:
+Monitor file system access: `$ frida -U --codeshare FrenchYeti/android-file-system-access-hook -f com.kakao.talk`
 
-**TO-DO**: Check Shared Prefs for sensitive information.
+Shared Preferences:
 
 ```
 FirebaseHeartBeatW0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.xml
@@ -53,6 +74,10 @@ voiceMode.xml
 zzng.xml
 ```
 
+**TO-DO**: Check Shared Prefs for sensitive information.
+
+Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
+
 SQL databases (in `/data/user/0/com.kakao.talk/databases`):
 
 ```
@@ -66,7 +91,11 @@ kakao_talk_pass.db
 multi_profile_database.db
 ```
 
-**TO-DO**: Find the password for the `crypto_database`.
+One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [script](https://github.com/jiru/kakaodecrypt).
+
+**TO-DO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
+
+## Rest APIs
 
 Java interfaces with interesting Rest APIs (interface names generated by `jadx`):
 
@@ -96,6 +125,8 @@ p360hh.AuthApi
 
 **TO-DO**: Check for interesting [Intents](./recon/nuclei_android_results.txt).
 
+There are many many (exported) Activities, Services, Content Providers and Broadcast Receivers.
+
 ## Native Libs
 
 **TO-DO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
@@ -114,12 +145,22 @@ libVoxCore.so                   libjingle_peerconnection_so.so  libtoyger.so
 libYaft.so                      libmcache.so
 ```
 
-The code for `libed25519_android.so` can be found [here](https://github.com/dazoe/Android.Ed25519).
+The code for `libed25519_android.so` can be found [here](https://github.com/dazoe/Android.Ed25519). Main implementation in `com.github.dazoe.android.Ed25519`.
+
+Only `libdialoid-apklib.so`, `libdream.so`, and `libsqlcipher.so` seem to be actively loaded in idle state.
+
+Trace calls to native libs with [jnitrace](https://github.com/chame1eon/jnitrace). See example [trace](./recon/jnitrace_output.json).
+
+## Open-Source Libs
+
+[See here](./recon/open_source_libs.txt).
 
 ## Crypto
 
 Android KeyStore
 
+Dump it with `https://codeshare.frida.re/@ceres-c/extract-keystore/`.
+
 ```
 Alias                     Key   Certificate
 ------------------------  ----  -----------
@@ -267,3 +308,7 @@ Version: 3
 *******************************************
 *******************************************
 ```
+
+### E2E
+
+Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.