Bypassing KonyLab Code Protection: Hooking vs. Memory Dumping with Frida

In the realm of mobile application security, reverse engineering and bypassing code protection mechanisms are essential skills. Kony Visualizer, a popular cross-platform development framework, employs several techniques to protect its JavaScript code from being easily reverse-engineered. In this blog, we’ll explore two methods to bypass KonyLab’s code protection: hooking the loadFilesToVM function and memory dumping using Frida. Both methods have their strengths and limitations, and we’ll dive into the technical details of each approach. This blog builds on the work of Mahmoud Mosbah, who documented his journey in bypassing KonyLab’s protection via hooking the loadFilesToVM function. However, in my case, the hooking method didn’t work, so I turned to memory dumping as an alternative.

Understanding KonyLab Code Protection

Kony Visualizer is a powerful IDE that allows developers to create cross-platform mobile applications using a single codebase. One of its key features is the ability to package JavaScript code into the app, which is then loaded at runtime. To protect this code, Kony employs encryption and compression techniques, making it challenging to reverse engineer.

How Kony Works

• Code Packaging: JavaScript files are compressed into a ZIP file and encrypted.
• Runtime Execution: The encrypted files are decrypted and decompressed at runtime by the libkonyjsvm.so library.
• Protection Mechanisms: Kony uses AES encryption and LZF compression to obfuscate the JavaScript code.

Mahmoud Mosbah’s blog post details how he bypassed this protection by hooking the loadFilesToVM function using Frida. However, in my case, this approach didn’t yield the desired results, so I had to explore an alternative method: memory dumping.

Method 1: Hooking the loadFilesToVM Function

Mahmoud Mosbah’s approach involved hooking the loadFilesToVM function, which is responsible for loading and decrypting the JavaScript files at runtime. Here’s a summary of his method:

Step-by-Step Guide to Hooking loadFilesToVM

1. Identify the Target Function: The loadFilesToVM function in libkonyjsvm.so is responsible for decrypting and loading the JavaScript files.
2. Hook the Function Using Frida: Use Frida to hook the loadFilesToVM function and intercept the decrypted files.
3. Save the Decrypted Files: Once the files are intercepted, save them to disk for further analysis.

Here’s the Frida script used by Mahmoud to hook the loadFilesToVM function:

Java.perform(() => {
    var inc = 0;
    
    function waitForLibrary(name, callback) {
        var lib = null;
        var interval = setInterval(() => {
            try {
                lib = Module.ensureInitialized(name);
                console.log(`[+] ${name} is loaded`);
                clearInterval(interval);
                callback();
            } catch (e) {
                console.log(`[+] Waiting for ${name} to be loaded...`);
            }
        }, 100);  // Check every 100ms
    }
    waitForLibrary("libkonyjsvm.so", () => {
        Interceptor.attach(Module.getExportByName("libkonyjsvm.so", "lzf"), {
            onEnter: function(args) {
                console.log("[+] Hooked zip files!");
                this.zipfiles = args[2];
                this.ziplength = args[3];
            },
            onLeave: function(retval) {
                send("================");
                console.log("zip files length", this.ziplength);
                var readzipfiles = Memory.readByteArray(this.zipfiles, this.ziplength.toInt32());
                var file = new File("/data/data/com.victim.app/" + inc + ".zip", "w");
                inc += 1;
                file.write(readzipfiles);
            }
        });
    });
});

Challenges with Hooking

While this method worked for Mahmoud, it didn’t work in my case. Possible reasons include:

• Function Changes: The loadFilesToVM function might have been modified or obfuscated in newer versions of Kony.
• Timing Issues: The decrypted files might only exist in memory for a short period, making it difficult to intercept them via hooking.

Method 2: Memory Dumping with Frida

When hooking the loadFilesToVM function didn’t work, I turned to memory dumping as a way to extract the decrypted JavaScript files directly from the app’s memory. This method involves using Frida to dump the memory of the running process and then searching for the decrypted code.

Step-by-Step Guide to Memory Dumping

1. Set Up Frida: Install Frida on your system and the target device.
2. Identify the Target Process: Use Frida to identify the process you want to dump.
3. Dump Memory with Fridump: Use Fridump to dump the memory of the target process.
4. Analyze the Dumped Memory: Search for decrypted JavaScript files in the dumped memory.

Here’s how to use Fridump to dump the memory of a Kony app:

# Clone the Fridump repository
git clone https://github.com/Nightbringer21/fridump.git
​
# Run Fridump on the target process
python fridump.py -U com.victim.app -o dump

Analyzing the Dumped Memory

Once the memory is dumped, search for patterns such as eval( or function( to identify the JavaScript code. You can use tools like strings or grep to search through the dumped files:

strings dump/* | grep "function("

Advantages of Memory Dumping

• Direct Access: Memory dumping allows you to access the decrypted code directly from the app’s runtime memory.
• Bypass Hooking Limitations: If hooking specific functions fails, memory dumping provides an alternative way to extract the code.
• Comprehensive Extraction: This method can capture all decrypted files, including those that might not be accessible via hooking.

Comparing the Two Methods

Conclusion

Bypassing KonyLab’s code protection mechanisms is a challenging but rewarding task. While hooking the loadFilesToVM function is a common approach, it doesn’t always work, as I discovered. In such cases, memory dumping with Frida provides a viable alternative. By dumping the app’s memory and analyzing it, you can extract the decrypted JavaScript code and uncover hidden secrets.

Both methods have their strengths and limitations, and the choice between them depends on the specific scenario. If hooking works, it’s a more efficient and precise method. However, if hooking fails, memory dumping can serve as a reliable fallback.

This blog builds on the foundational work of Mahmoud Mosbah and others in the security community. If you’re interested in learning more, I highly recommend checking out Mahmoud’s blog post for additional insights.

References

1. Mahmoud Mosbah, How Bypassed KonyLab Code Protection
2. Frida Documentation, https://frida.re/docs/
3. Fridump GitHub Repository, https://github.com/Nightbringer21/fridump

By combining these techniques, you can effectively bypass KonyLab’s code protection and gain access to the underlying JavaScript code. Whether you’re a security researcher or a developer, understanding these methods is crucial for securing mobile applications in today’s threat landscape.

Happy hacking!