Notes:
- Application does not consume system proxy configuration -> Solution: modify /etc/hosts so the hostnames the app connects to resolve to the Burp listener
- On Android the AOT Compilation option requires an Enterprise license or higher, is available only when the project is configured for Release mode, and it is disabled by default. (Source)
Regarding the interception of HTTP:
We did it through USB reverse tunneling and iptables rules local to the phone.
# Set up USB reverse tunnel for port 8080 (MITM): host port 8080 becomes 127.0.0.1:8080 on the phone
adb reverse tcp:8080 tcp:8080
# Add rules on the phone (requires root) to redirect HTTP/HTTPS through the reverse tunnel
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8080
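The same adb reverse + iptables steps, wrapped as an added example script (not part of the original notes) that applies, verifies and removes the redirect symmetrically. It assumes a rooted device reachable over adb with `su` available, Burp listening on host port $PROXY_PORT, and an optional APP_UID (an assumption for illustration) that, when set, limits the redirect to one app via the iptables owner match instead of redirecting every local TCP 80/443 connection.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumptions: rooted device on
# adb, `su` on the device, Burp on host port $PROXY_PORT. APP_UID is optional:
# when set (e.g. 10123), only that app's traffic is redirected.
set -eu

PROXY_PORT="${PROXY_PORT:-8080}"
APP_UID="${APP_UID:-}"          # empty = redirect all locally generated TCP 80/443
PORTS="80 443"

# Build one iptables command as text. $1 is -A (append) or -D (delete),
# $2 the destination port. Returning text keeps apply/remove symmetric.
build_rule() {
    owner=""
    [ -n "$APP_UID" ] && owner=" -m owner --uid-owner $APP_UID"
    printf 'iptables -t nat %s OUTPUT -p tcp --dport %s%s -j DNAT --to-destination 127.0.0.1:%s\n' \
        "$1" "$2" "$owner" "$PROXY_PORT"
}

# Run a command as root on the device.
on_device() {
    adb shell su -c "$1"
}

apply_redirect() {
    # Host port $PROXY_PORT becomes reachable as 127.0.0.1:$PROXY_PORT on the phone.
    adb reverse "tcp:$PROXY_PORT" "tcp:$PROXY_PORT"
    for p in $PORTS; do
        on_device "$(build_rule -A "$p")"
    done
}

remove_redirect() {
    for p in $PORTS; do
        on_device "$(build_rule -D "$p")" || true   # tolerate already-removed rules
    done
    adb reverse --remove "tcp:$PROXY_PORT"
}

# Show what is in place: reverse tunnels and the nat OUTPUT chain with rule numbers.
show_redirect() {
    adb reverse --list
    on_device "iptables -t nat -L OUTPUT -n --line-numbers"
}

case "${1:-}" in
    up)   apply_redirect && show_redirect ;;
    down) remove_redirect ;;
    show) show_redirect ;;
    "")   ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 up|down|show" >&2; exit 2 ;;
esac
```

Run `./redirect.sh up` before testing and `./redirect.sh down` afterwards. Because the app is not proxy-aware, the Burp listener must have "Support invisible proxying" enabled and the device must trust the Burp CA for the 443 redirect to yield readable TLS; the nat OUTPUT rules only cover traffic generated on the phone itself and do not survive a reboot.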
Blog Posts:
- https://withinrafael.com/2019/07/09/notes-from-reverse-engineering-a-mono-aot-compiled-app-on-ios/
- https://orangewirelabs.wordpress.com/2019/05/30/hacking-ios-xamarin-apps-with-frida/
- https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/
GitHub:
- https://github.com/NorthwaveNL/fridax
- https://github.com/freehuntx/frida-mono-api (doesn't look like it's getting any updates)
- freehuntx/frida-mono-api#6
- https://github.com/icsharpcode/ILSpy
- https://github.com/0xd4d/dnSpy (to edit the decompiled code and recompile)
- https://github.com/iddoeldor/mplus/blob/master/engine.js - Unity Related code that could be useful
- https://github.com/GoSecure/frida-xamarin-unpin
Documentation:
- https://docs.microsoft.com/en-us/xamarin/ios/internals/architecture
- https://docs.microsoft.com/en-us/xamarin/android/internals/architecture
- http://docs.go-mono.com/
Unpack assemblies.blob from an Android device:
- https://github.com/jakev/pyxamstore
- https://thecobraden.com/posts/unpacking_xamarin_assembly_stores/
Xamarin unpin
https://github.com/GoSecure/frida-xamarin-unpin
Additional information:
https://www.appknox.com/blog/xamarin-reverse-engineering-a-guide-for-penetration-testers
Xamarin antiroot
https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/
If patching of some assemblies is needed, use:
ildasm.exe /out=output.il YourAssembly.dll
ilasm.exe /output=YourModifiedAssembly.dll output.il
Practical patching and IL code disassembly/C# decompilation can be done using dnSpy!