Notes:
- Application does not consume system proxy configuration -> Solution: Modify /etc/hosts to redirect inbound requests (Burp)
- On Android the AOT Compilation option requires an Enterprise license or higher, is available only when the project is configured for Release mode, and it is disabled by default. (Source)
Regarding the interception of HTTP:
We did it through USB reverse tunneling and iptables rules local to the phone.
```
# Set up a USB reverse tunnel for port 8080 (MITM); run on the host
adb reverse tcp:8080 tcp:8080
# Add rules to redirect HTTP (80) and HTTPS (443) through the reverse tunnel; run on the phone, as root
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8080
```
Blog Posts:
- https://withinrafael.com/2019/07/09/notes-from-reverse-engineering-a-mono-aot-compiled-app-on-ios/
- https://orangewirelabs.wordpress.com/2019/05/30/hacking-ios-xamarin-apps-with-frida/
- https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/
GitHub:
- https://github.com/NorthwaveNL/fridax
- https://github.com/freehuntx/frida-mono-api (doesn't look like it's getting any updates)
- freehuntx/frida-mono-api#6
- https://github.com/icsharpcode/ILSpy
- https://github.com/0xd4d/dnSpy (to edit the decompiled code and recompile)
- https://github.com/iddoeldor/mplus/blob/master/engine.js - Unity Related code that could be useful
- https://github.com/GoSecure/frida-xamarin-unpin
Documentation:
Hello, trying to contact you but it seems I can't find any details... Can you help me to reverse engineer a Xamarin app?