into 18. So this is just 14.2.18. So this is exactly the same version. This is fine. We have to install, of course, the malware, because it's dynamic analysis, so we need to have the malware on the emulator. And yeah, as I was saying, House is a little bit like Dexcalibur on this point: it's great software and everything, but it's a bit buggy from time to time. So I find that it is better that you remove everything from this config directory. I hope that you were seeing my screen. I'm just going to check that's everything. Now you're not seeing my screen yet. So this is why, there, I share my screen. That's better now. Okay. So in House, do rm on config. This kind of cleans up your install. Yeah, everything in config. And if you go in config, you will no longer have anything in there. Okay.

And now once you've done this, you are ready to run House. It runs like that. It's a Python Flask application, so it runs on port 8000 by default. But you can change that: you can just put the port number after app, and it will work. So we go over here, 8000, and you get this kind of screen there. Okay. So if you do have an emulator running like me there, you will see it over there. Do check that, for this workshop it's better that you only have one emulator. Again, don't plug in your smartphone unless you really want to risk it. Okay. But don't do that. So you click on this there. And then after that, we're going to go further on and click on... Do you have your package name? But this is for the next question. So let me go a little bit further on here. Sorry, this is in the way. Okay. And then in the manual, you've got exactly everything you can answer. So click on the Start tab. This is the name of the package, so we can put that here. Beware that if you were doing a copy-paste from the PDF, you see, I've got a space in here. Okay, so beware of that. And there has to remain a trailing point. This should be okay. And here it is happy.
And if we go and see the emulator, we see actually that it has launched the application there. We can do refresh over here, and there, this should show up correctly. Okay. So now it's your turn a little bit to get up to here. And when you've done that, we can continue and navigate to the Hook tab. The Hook tab is over here. And here you're going to create a hook so that we can decrypt those obfuscated strings. Okay. That's all, folks. We only have one remaining quarter of an hour until the end of the workshop, but I'm confident we can do it in 15 minutes. No problem. It's not very difficult until there. But please now head to Discord. Ask me any question you have up to now on this exercise or any other exercise. And I'll get back online in a few minutes, hopefully with one of you participants to share your screen and show to others how to do this. Okay. Thanks. See you.

Hey, we're going to try and solve the last few steps for this exercise. I'm looking again for a volunteer to do this. So let me just share my screen for a moment with the exercise. There it is. Okay. So we have already done the first part, which is starting the executable in House. Now what we need to do is to hook that method b. Why b? Because we saw in the previous exercise that b was the method which was used to deobfuscate the strings, right? So we're going to hook that one and see what happens, using House. So, anybody willing to share the screen? We are no longer that many over here. Okay. So it looks like not. I'm going to show you. But if ever somebody jumps in, just say so, and I can redo it again with you in front of everybody, or just in private if you prefer, so that you see how it really works on your host. So I've got my emulator, which is not... that's not my emulator, my emulator is hidden behind there. I've got so many apps in there, so my emulator is not showing very well. There it is. Okay.
And it is actually running, but we can still hook the method that deobfuscates strings, and hope to run into it and decrypt, well, deobfuscate the strings online. So House is here. We said that we need to put the class name of the hook. Okay. So this is kind of a screen for House which is going to generate, you're going to see, the Frida hook for you. So there we go. Just copy. That's the name of the class. I copy that. Again, beware if you're doing a copy-paste from the PDF, you might have some spaces. The name of the method is b. If we had had several methods named b in our class, we would have had to specify the exact signature of the method b. But here we only have one. Okay. So we don't need to do it. So this is good. And in here, well, whatever that says, actually, I don't understand it well, actually we don't have to put anything in here. We just have to click now on Add. So this is not a Frida hook, but it's something for House to prepare the Frida hook. And now you click on Generate Script, and that generates the Frida hook for you. Okay. So the code is a little bit difficult to read, but if you've already done some Frida hooks, you will understand it. However, you can tune it over here without any problem if you wish. Okay. It's JavaScript in that case.

And now you click on Load Script. There it goes. You see that we've got some things in here, and then that's the difficult part, because it runs so fast that I have difficulties getting it to see the things over there. So I'm going to stop the application and stop the script, and we can see that way. Sorry, uninstall. And then we can try and... no, that's not what I wanted to do. Go in the web developer tools here and stop the JavaScript from running, because it's kind of bugging the output of my browser a little bit. However, I can probably show you a screenshot. Where is it? Yes, it's going to be in here.
Get workshop and videos, and it's x03 House solution. Okay. So that might be a little bit small. But if you manage to scroll on the right-hand side of the table, you have in this column, the middle column, the obfuscated string, and in the right column you have the deobfuscated version of it. So I know it's a bit small, but this one, for instance, the obfuscated string "in Q" equals "new device" and "WS", this one, in another thing, "info device" and "WS", this one is "attacker" and "WS", and you get all the translations that way. Hopefully, we will get it in here as well. Now it's still lagging a little bit. I had the same issue that other time. Basically, you've got to wait quite a long time till you can freeze House and see what is in there. But you do see some results in the end. And I need to scroll down there. Yeah, I'm trying to... maybe, actually, I'm using Firefox, wondering if you have the same issue on your side, perhaps some people over there with Chrome or Safari. I don't know. It might be a browser issue. Okay. And anyway, you do have the decrypted string which appears in a column on the right. So that's a way to decrypt your strings automatically without having to do it yourself. Okay. And then you can find the plain value of plenty of obfuscated strings.

And that's about all, folks, for this workshop. If you want to continue a little bit more on obfuscated strings, well, there's a final exercise over there. I'll just work through it a little bit quickly so that you see how it works. This one was basically to show you that the malware was abusing Android accessibility services. And this is the obfuscated code. Okay. It's in class I, I, G, U, W. Hopefully I can show you that it's in here. And it is method a. We have several methods a, so it's the one with two parameters. So it's not that one. It's this one. Okay. There it is. Let me put this full screen. I'm not sure that's the method I was looking for.
It is one of those using accessibility nodes, but I'm not sure it's the exact one I was... Oh, yes, it is. It is. Sorry. It's in here. And this part's there. So there are several things. Of course, when you read this and you have obfuscated strings like that, it's difficult to understand what it is doing. Right. So the first step is that you're going to have to deobfuscate those strings. Okay. If you want to deobfuscate those strings, well, you can do it with House, of course, but you can also write a script and do it on your own. So this is what I have in the lab solutions. You can find one. I have written... didn't I put it in there? Gosh, I forgot. I think I have, but I probably don't have the most recent version in my mind. Okay. There is a Python script in the zip that you provided. Yes. It is in D07. There it is. Okay. It's this one. So if you have a look at that Python script, it is going to decrypt those obfuscated strings that we see in here, here, here, here, like that. So we can run that. And it tells you what it means. And you see those are actually strings for Play Protect settings. So then the next step is to understand (I'm going really quickly because maybe some of you want to follow another workshop) what performAction(16) is. So you will have a look in the documentation, and the value 16 is ACTION_CLICK. So actually this is clicking on the windows of Android which are for Play Protect. And it is clicking automatically. So the victim is not clicking, but the program is clicking in the stead of the victim to disable Play Protect, so that it can install further malware, for instance, or do whatever it wants. So that's a nice trick. So you can go into that by yourselves, if you want, or you can have a look at the solution. I hope you enjoyed the workshop. If you do have a few questions, well, I can take a few perhaps online. Do we have time for that? Maxim? Yes.
Yes, there's no problem. So we have a few minutes for that. Otherwise you can ask a question on Discord, or if it's really later, well, just send me an email or send me a chat on Twitter. I can share my contact information. It's there, but I know you're not seeing it yet, but I'm going to share my screen. There it is. Okay, so thank you for attending. And you've got my email and my Twitter or Discord handle. If it's later on, please prefer Twitter to contact me, because I'm not always on Discord, so I might not see your messages, of course. So yeah, if you do have any question live you want to ask, or if you have a way to pass on your question to Maxim, please do. And I'll do my best to answer.

So I had a question online: why can't we use Dexcalibur to deobfuscate? You can, but Dexcalibur doesn't show automatically the input and the output of methods, whereas House does. Okay, so if you want to show the input and the output in Dexcalibur, you've got to modify the hook. You can do it when you are hooking. When you are hooking, you click on the hook, then you get to the code of the hook, and you can modify the code a little bit just to print out the output of your hook, and then you will be able to see the deobfuscated string. So yes, you can do it with Dexcalibur. It's slightly more complicated because it's not immediate like House, but it works. And I also see from another participant that using another browser, which is Brave, he didn't have the problem that I have with that infinite kind of scrolling with House. By the way, is it better now? Oh yeah, I can show you the screen, because now I've got... I'm at a point where we can see quite easily the deobfuscated strings. So let me find again, I'm lost in my various screens. There we go. Yeah, I'm gonna share the desktop. Sorry, so this is in the way. I'm gonna put it there.
So you see here the strings: "save accessibility events", "connecting rat command", "ring zero dot apk enable", "click me to activate", and plenty of country codes perhaps. And if I scroll down, "services", "c dot x y z dot flash player", "service", "SS". So you can get that way absolutely the description of everything. Okay, okay, stop sharing there. I'm gonna have a look if there is any other question. That looks like it's okay.

There is a question in chat: is there a way to call arbitrary functions in House? I'm thinking. I don't think so. I know you can only hook, but you cannot call a function that way. Well, of course, in your hook, you can do whatever you like. So in your hook, if you want to call an arbitrary function, you can. And you can modify the hook for that to call whatever function you need.

There is also another question: do you have any references to a good guide on Frida scripting? Not that much, but there are, yeah, I'm having a look at that. There are a few pages. Let me find the link quite quickly. Actually, maybe I put that in the Frida section of the manual. Oh, no, I didn't put the Frida section. So it's not in there. It might be in another one. Okay, so I'm copy-pasting in the chat the two links that I have. It's not really a tutorial, but it's a collection of plenty of scripts for Frida. And most of the time, I use that to prepare my own scripts. So one is on GitHub, Felix Ho19. And the other one is codeshare.frida.re, where you also have some other Frida scripts. And so, yeah, it gives you ideas of how to do that. All right.

And one last question, if you still have time: can we use House for analyzing SSL pinning and automatically hook to bypass it? I can use Dexcalibur for that. For House, I'm not exactly sure it's going to be very... again, the same thing, because as usual, it's going to be about tuning your Frida hook. So you can possibly do it, but I'm not sure it's the most appropriate.
I think I would probably do it rather with Dexcalibur. And I think this is the last question I had in chat. So with that, thank you very much, everybody, for being here. Thank you very much, Axel, for the presentation. It was really great. Thank you very much to you too. And thank you very much, everybody. Okay. Well, bye-bye. And if you have any other questions afterwards, yeah, DM on Twitter and see you around. Bye-bye. Thank you. Have a good day.
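The Frida hook described in the workshop, written out as an added example (it is neither House's generated script nor the workshop's own lab code): it hooks every overload of the deobfuscation method b, records each call's input next to its return value (the two table columns House shows), and, for the final exercise, flags calls to AccessibilityNodeInfo.performAction so an automated ACTION_CLICK (value 16) stands out. The class name com.example.obf.Strings is a placeholder assumption; the real class is the one found during the static-analysis exercise. Results are collected into a table rather than printed one by one, because the live view scrolls too fast to read, as the speaker noted.

```javascript
// Added example, not House's generated hook. Assumes the obfuscated
// class lives at com.example.obf.Strings (placeholder) and that its
// string deobfuscator is the method named "b", as in the exercise.
const TARGET_CLASS = "com.example.obf.Strings"; // placeholder, not the real class name
const TARGET_METHOD = "b";                       // deobfuscation method from the exercise

// AccessibilityNodeInfo action codes seen in the final exercise.
const ACTION_NAMES = { 16: "ACTION_CLICK", 32: "ACTION_LONG_CLICK" };

function actionName(code) {
  return ACTION_NAMES[code] || ("action " + code);
}

// Pure helper: one table row "Class.method(inputs) -> output".
// Kept free of Frida calls so it can be unit-tested outside the emulator.
function formatRow(className, methodName, args, retval) {
  const inputs = args.map(a => JSON.stringify(String(a))).join(", ");
  return className + "." + methodName + "(" + inputs + ") -> " + JSON.stringify(String(retval));
}

// Rows are counted instead of printed: dump the table once the app has run.
const rows = new Map();
function record(row) {
  rows.set(row, (rows.get(row) || 0) + 1);
}
function dumpRows() {
  return Array.from(rows, ([row, count]) => (count > 1 ? row + "  x" + count : row));
}
function resetRows() {
  rows.clear();
}

function installHooks() {
  Java.perform(function () {
    const Target = Java.use(TARGET_CLASS);
    // Hook every overload: if the class had several methods named b,
    // House would need the exact signature; here each one is covered.
    Target[TARGET_METHOD].overloads.forEach(function (overload) {
      overload.implementation = function () {
        const args = Array.prototype.slice.call(arguments);
        const result = overload.apply(this, arguments); // run the real deobfuscator
        record(formatRow(TARGET_CLASS, TARGET_METHOD, args, result));
        return result; // hand the plaintext back unchanged so the app keeps working
      };
    });

    // Final exercise: the sample drives Accessibility itself and calls
    // performAction(16) == ACTION_CLICK on the Play Protect settings window.
    const NodeInfo = Java.use("android.view.accessibility.AccessibilityNodeInfo");
    NodeInfo.performAction.overload("int").implementation = function (action) {
      const label = String(this.getText()); // text of the node about to be clicked
      record(formatRow("AccessibilityNodeInfo", "performAction", [actionName(action)], label));
      return this.performAction(action);
    };
  });
}

// Only wire things up when running inside Frida's JavaScript runtime.
if (typeof rpc !== "undefined") {
  rpc.exports = { dump: dumpRows, reset: resetRows };
}
if (typeof Java !== "undefined") {
  installHooks();
}
```

Load it with frida -U -l against the running app on the emulator, exercise the sample, then call dumpRows() from the REPL to read the obfuscated-to-plaintext table in one go instead of chasing the scrolling output.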