@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/TheQmaks/soSaver
  • Blog Title: soSaver
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting -> Frida Tutorial (or a new page under Android RE/Dynamic analysis: "Dumping runtime-decrypted .so from memory with Frida")

🎯 Content Summary

soSaver is a Frida-based dynamic analysis utility designed to extract native Android libraries (.so, ELF) directly from a running app’s memory. This is specifically useful when conventional filesystem/APK extraction fails because the real libraries are not present on disk in usable form (e.g., they are encrypted/packed and only decrypted at runtime, dynamically downloaded, generated/unpacked during execution, or otherwise protected against standard extraction).

🔧 Technical Details

Runtime-decrypted native library recovery via in-process instrumentation: When Android apps keep real native code unavailable on disk (encrypted/packed in the APK, decrypted only at runtime; or downloaded/generated during execution), instrument the process with Frida and extract the mapped ELF images directly from memory. This converts “only exists decrypted in RAM” protections into an offline artifact (.so) suitable for static reverse engineering.

Load-time discovery with dynamic loader hooks: Hook native loader entry points such as dlopen and android_dlopen_ext to detect exactly when a library is loaded. Upon a hit, identify the corresponding mapped module and dump its bytes from memory, then exfiltrate the dump to a host tool via Frida’s message passing.

Non-standard load detection via periodic ELF header scanning: Some protections may map libraries without triggering the expected loader APIs. A generic count...

🤖 Agent Actions

Summary:

  • Added a new section to the Android reversing native libraries page explaining how to dump runtime-decrypted .so modules directly from memory using the Frida-based soSaver tool, including workflow and usage commands.
  • Updated references to include soSaver and its Frida agent repositories.

Tests:

  • Not run (documentation-only changes).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
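
Added example, not part of this PR or of soSaver: a Python sketch of the header check behind the "periodic ELF header scanning" item above, run offline over a constructed buffer instead of live process memory. The function names, the sample bytes and the image-size calculation from `PT_LOAD` segments are assumptions made for illustration.

```python
import struct

ELF_MAGIC, PT_LOAD = b"\x7fELF", 1
MACHINES = {3: "x86", 40: "arm", 62: "x86_64", 183: "aarch64"}
# EI_CLASS -> (e_phoff fmt, e_phoff pos, e_phentsize pos, phdr fmt, p_vaddr idx, p_memsz idx)
LAYOUT = {1: ("<I", 28, 42, "<8I", 2, 5), 2: ("<Q", 32, 54, "<2I6Q", 3, 6)}

def parse_elf_at(buf, off):
    """Describe the mapped ELF image starting at off, or return None if implausible."""
    ident = buf[off:off + 7]
    if len(ident) < 7 or ident[:4] != ELF_MAGIC:
        return None
    if ident[4] not in LAYOUT or ident[5:7] != b"\x01\x01":
        return None  # magic alone is not enough; only little-endian ELF32/64 handled
    phoff_fmt, phoff_at, phent_at, ph_fmt, i_vaddr, i_memsz = LAYOUT[ident[4]]
    try:
        e_type, e_machine = struct.unpack_from("<HH", buf, off + 16)
        (e_phoff,) = struct.unpack_from(phoff_fmt, buf, off + phoff_at)
        e_phentsize, e_phnum = struct.unpack_from("<HH", buf, off + phent_at)
        phs = [struct.unpack_from(ph_fmt, buf, off + e_phoff + i * e_phentsize)
               for i in range(e_phnum)]
    except struct.error:  # header or program headers run past the buffer
        return None
    loads = [(p[i_vaddr], p[i_vaddr] + p[i_memsz]) for p in phs if p[0] == PT_LOAD]
    if e_phentsize != struct.calcsize(ph_fmt) or not loads:
        return None
    size = max(end for _, end in loads) - min(start for start, _ in loads)
    return {"offset": off, "bits": 32 * ident[4], "type": e_type,
            "machine": MACHINES.get(e_machine, hex(e_machine)), "image_size": size}

def scan(buf):
    hits, pos = [], buf.find(ELF_MAGIC)
    while pos != -1:
        info = parse_elf_at(buf, pos)
        if info:
            hits.append(info)
        pos = buf.find(ELF_MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed buffer: a text decoy containing the magic, then an AArch64 ET_DYN image."""
    ehdr = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 183, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<2I6Q", 1, 5, 0, 0, 0, 0x1000, 0x1000, 0x1000)
    phdrs += struct.pack("<2I6Q", 1, 6, 0x2000, 0x2000, 0x2000, 0x200, 0x800, 0x1000)
    return (bytes(32) + b"\x7fELF decoy").ljust(0x100, b"\x00") + ehdr + phdrs + bytes(64)

if __name__ == "__main__":
    print(scan(build_sample()))
```

The decoy string shows why the magic bytes are validated against `EI_CLASS`, `EI_DATA`, `EI_VERSION` and the program headers before a hit is accepted.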

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/TheQmaks/soSaver

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Frida Tutorial (or a new page under Android RE/Dynamic analysis: "Dumping runtime-decrypted .so from memory with Frida")".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
