Home

Welcome to Medusa's wiki. Please use the sidebar to navigate to a section:

Medusa Logo Final

Medusa Quick start

↘️ Summary

↘️ Searching for modules

Use the show command, followed one of the following options:

all to Display all available modules
mods to Display stashed modules
categories to Display the available module categories
mods [category] to Display the available modules for the selected category

Use the info [module name]to get help about a specific module

↘️ Stashing / Un-stashing

Use the use [module name]to add a module to the stashed ones:

medusa> use http_communications/multiple_unpinner

Use the rem [module name]to remove a module to the stashed ones

medusa> rem http_communications/multiple_unpinner

Use the add [full-path-to-module]to stash modules saved out of the default directory

medusa> add /full/path/to/module.med

Use the reset to empty the list of stashed modules and clear the unified script
Use the swap to change the compilation order of the stashed modules:

medusa> swap [index 1] [index 2]

↘️ Compilation

Use the compile to compile your stashed modules to a unified one:

medusa> compile

Use the compile -t X (X is the delay value in milliseconds) to add a loading delay:

medusa> compile -t 1000

↘️ Starting a session

Use the run -f [package name] or to run -n [package number] to start or restart an application and attach to it (you can use the list command to get the package number).

medusa> run -f com.foo.bar

Use the run [package name] to attach to an application.

In session menu

While 'in session' you can use one of the following commands:

    'c'  (c)lear the sreen
    'e'  (e)xit the session
    'r'  (r)eload the script in case it changed
    'rs' (r)e(s)et the scratchpad
    'i'  print (i)nformation about the application
    't'  (t)race a function and print the stack trace (e.g. t com.foo.bar.func)
    '?'  print this help message

↘️ Hooking beyond the modules

Use the hook command followed by one of the options bellow to intercept methods which are not present in the currently available modules:

-a [class name] : Set hooks for all the methods of the given class. Example:

medusa> hook -a com.foo.bar.className

-f : Set hooks for a single method. Example

medusa> hook -f 

Enter the full name of the method(s) class: com.foo.bar
Enter a method name (CTRL+C to Exit): fooMethod
Enable backtrace? (y/N) y
[+] Method: fooMethod hook added !
Enter a method name (CTRL+C to Exit):

Same result can be achieved with the jtrace command: medusa> jtrace full_path_to_method

-n : Set hooks for a native method. Example

medusa> hook -n
Library name (e.g.: libnative.so): libfoo.so
Imported or exported function? (i/e) e
Function name or offset (e.g.: 0x1234): 0x1234
Number of function arguments (0 to disable trace): 3
Enable backtrace? (y/N) y
Enable memory read? (y/N) y
Read Buffer size (0-1024): 128
Module scratchpad already added !

-r: Reset the hooks set so far

Use the pad command to edit the scratchpad

↘️ Working with native libraries

Use the libs command followed by one of the options bellow to list the application's native libraries:

-a : List all the application's libraries. -s : List only the system's libraries. -j : List only the application's libraries.

Add the --attach to attach to an already running instance of the application (usually has better results)

Example:

medusa> libs -j com.foo.bar libnative.so --attach

↘️ Working with the application's memory

You can read/write/search/dump the application's memory by using the memops or memmap command. The former needs a library name to be attached to, while the later uses memory regions.

In both cases the application must already be running !

memops example:

medusa> memops package_name libname.so

If the attachment is successful, medusa will start a session where you have the following options:

To get more details about the functionality of each option, please refer to the Basic Usage section

memmap example:

medusa> memmap package_name

Then choose a memory region from the submenu.

If the attachment is successful, medusa will start a session where you have the following options:

|(E)xit |r@offset |dump |:

To get more details about the functionality of each option, please refer to the Basic Usage section

↘️ Getting Class and Object snapshots

Use the describe_java_class to print a class's details, example:

medusa> describe_java_class full.path.to.class.name

Use the get to print the value of a field of a class, assuming that the class has been instantiated.

medusa> get package_name full.path.to.class.field

↘️ Useful utilities

Run a shell command

medusa> c ls -al

Run a shell command to the connected device

medusa> cc ls -al

Clear the screen

medusa> clear

Open an interactive shell

medusa> clear

Dump the dex files of an app

medusa> dump com.foo.bar

List the installed packages

medusa> list

List the paths of a package

medusa> list com.foo.bar path

Load or reload a device:

medusa> loaddevice

Reload the medusa modules. This option is useful in case you made a change to a medusa module.

medusa> reload

Load a saved session

medusa> reload -r session-filename

Print the current session status

medusa> status

Log system calls

medusa> strace package_name

Send text to the device

medusa> type 'text'

↘️ Saving a session

Save the current session

medusa> export file-name

To load back this session use one of the following options:

./medusa -r file-name
medusa> reload -r file-name

Mango Quick start

↘️ Summary

↘️ Starting a session

You can use an existing session file as an argument to the mango script (./mango session_file) or start mango without arguments and follow the prompt:

--------------------------------------------------
[?] What do you want to do ?
--------------------------------------------------

1 Start a new session
2 Continue an existing session
3 Exit

↘️ Loading an application

You can import:
- A downloaded APK: mango> import /full/path/to/foo.apk
- An APK installed in the connected device: mango> pull package_name and then mango>import base.apk
Or reload an APK that has already been analysed
- mango> load package_name

↘️ Working with application components

You can view an application's components (activities, services etc.) by using the show command followed by the component type.

Example:

mango> show activities

Other options are: activityAlias, services, receivers, providers, permissions, deeplinks and intentFilters.

Using the -e (when applicable) will print only the exported components.

Further than that, the show command supports the following additional options:
- exposure : Prints the application's "attack surface", including deeplinks, exported activities, activity aliases, services, receivers and providers.
- info : Prints handy information about the loaded application
- strings : Prints the application's string resources
- database : Prints the structure of the database file. The output can be used to construct raw sql queries (see query command).
- applications : This option can be used to load a different application or manage the existing applications.
You can issue "raw" SQL queries to the db of your current session by typing query followed by the query body:

query select permission, type from Permissions where app_sha256="a2e5bfac992ecac9c3b7013294936517330e9f6b2cfb1b6b98bf9a366eb31ff0"

↘️ Interacting with the application

You can force the currently loaded application to start an activity by typing start followed by tab or the full name of an activity:

mango> start com.foo.bar.ActivityA

Similarly you can force the application to start a service by typing startsrv followed by tab or the full name of a service:

mango> startsrv com.foo.bar.serviceA

Or stop a service by typing:

mango> stopsrv com.foo.bar.serviceA

To trigger a deeplink, type deeplink followed by tab or the full uri of the deeplink:

mango> deeplink example://mywebview

Additionally, you can kill or start an application by typing kill or spawn respectively followed by the application's name:

mango> spawn com.example.package

↘️ Interacting with the device

To install an application use the mango> install /full/path/to/foo.ak
To uninstall an application use the mango> uninstall [package name]
To install a burp certificate, type installBurpCert and follow the steps indicated by mango
To modify the device's proxy settings, type proxy followed by one of the following options:
get to print the current proxy configuration
set ip:port to set a proxy configuration. Adding -t (e.g. mango> proxy set -t 192.168.1.2:8080 will set a transparent proxy
reset will clear the device's proxy
To start an interactive adb session, type adb
To start an interactive shell with busybox support type box and follow the given instructions
To get a package specific logcat, type logcat [package name]. You can also get the device's native logs by using nlog or the Java crash logs by using jlog
To get a screenshot, type screencap -o [filename.png]
To run a shell command to the connected device, type: cc [command]
You can send a notification to the device by typing notify notification_title notification_body. The command requires the installation of the medusa agent which can be done by using the ìnstallagent command.

↘️ Patching an APK

Set the debuggable flag to true of a given APK: patch /full/path/to/foo.apk

This option requires the apksigner and zipalign to be installed in the device. If they aren't mango will download them locally and use them.

Dynamically debug an app using the jdwp [package name]
Start a frida-trace session, using the trace command and one of the following options:
-j to trace all the functions of a java class. Example: trace -j com.myapp.name* // Trace all the functions of the com.myapp.name* class
-n to trace a native function. Example: trace -n name*
-a to trace the all the functions of a native library. Example trace -a libfoo.so