Subtitles for 0011 Reverse Engineering Mobile Apps (en)

1
00:00:12,220 --> 00:00:15,140
Hey, guys, welcome back to another episode on How to Hack.

2
00:00:15,550 --> 00:00:20,650
So today we'll be discussing again about reverse engineering, a mobile application and looking into

3
00:00:20,650 --> 00:00:27,010
the source code to be able to find out more information about the application and sometimes even being

4
00:00:27,010 --> 00:00:31,930
able to get the username, password, credit card details and all these different details.

5
00:00:32,560 --> 00:00:36,340
So over here on the left side, I have a mobile phone running.

6
00:00:36,370 --> 00:00:39,700
And what we can do is we can open up this particular application.

7
00:00:40,120 --> 00:00:46,060
So we actually have this app called Devar that has been installed on duty, mobile phone, so I can

8
00:00:46,060 --> 00:00:47,110
go ahead and open it up.

9
00:00:48,010 --> 00:00:51,870
So once I open it up over here, we have input validation issues, Part one.

10
00:00:52,330 --> 00:00:56,440
So of course, this is part of a mobile application penetration testing series.

11
00:00:56,830 --> 00:01:02,800
And of course, clicking on to input validation issues, Part one will be able to enter a specific name

12
00:01:02,800 --> 00:01:03,530
to search for it.

13
00:01:03,970 --> 00:01:10,120
So from the previous video, we actually went through how we could actually do a SQL injection directly

14
00:01:10,120 --> 00:01:10,860
into the system.

15
00:01:10,870 --> 00:01:17,380
So, for example, over here I can actually use a magnifier so it is easier for you to see.

16
00:01:18,050 --> 00:01:23,500
So of course, from the objective, we can see that we are trying to access to user data without knowing

17
00:01:23,500 --> 00:01:24,510
any of the user name.

18
00:01:24,820 --> 00:01:29,710
And of course, the user provided a hint for us to learn about mobile application penetration testing

19
00:01:30,160 --> 00:01:32,050
directly again, this mobile application.

20
00:01:32,200 --> 00:01:34,470
So, of course, we can go ahead and enter the user name.

21
00:01:34,630 --> 00:01:38,080
So in our case that we can enter, for example, Atman.

22
00:01:39,700 --> 00:01:45,550
So once I hit Etman, I can go ahead and click on Search and we'll be able to look at the username,

23
00:01:45,550 --> 00:01:47,230
password and credit card details.

24
00:01:47,500 --> 00:01:53,260
So of course, from the previous video, we actually learn about putting SQL injection into the mobile

25
00:01:53,260 --> 00:01:56,290
application in order to gain access into the data.

26
00:01:56,470 --> 00:02:01,980
So in our case, I can enter, for example, single quote or one equal one followed by semicolon.

27
00:02:02,380 --> 00:02:08,890
So I go ahead and click on Search and it will reveal to us all of those usernames, passwords and all

28
00:02:08,890 --> 00:02:11,230
those data directly inside the system.

29
00:02:11,770 --> 00:02:14,530
OK, so that is provided.

30
00:02:14,560 --> 00:02:21,580
The input query is subjective and vulnerable to SQL injection, but what if the mobile application is

31
00:02:21,580 --> 00:02:24,030
not vulnerable to SQL injection?

32
00:02:24,040 --> 00:02:28,210
So what we will need to do is to reverse engineer the mobile application.

33
00:02:28,840 --> 00:02:29,880
So on the right side.

34
00:02:29,920 --> 00:02:32,570
So as recommended on the members only video.

35
00:02:32,590 --> 00:02:39,730
So under decs tools we actually learn about how we could actually break down the APK file into our file

36
00:02:39,730 --> 00:02:41,480
and be able to view into the source code.

37
00:02:41,950 --> 00:02:49,180
So what we can do now is to actually go ahead and use the function to help us do the conversion of the

38
00:02:49,360 --> 00:02:54,420
file so d2j-dex2jar.

39
00:02:55,180 --> 00:02:58,720
So there's also a .sh for you if you're on Linux system.

40
00:02:58,720 --> 00:03:02,120
So all you got to do is enter the APK file.

41
00:03:02,140 --> 00:03:06,950
So in our case we got Devar-beta.apk so go ahead and hit enter on deck.

42
00:03:07,780 --> 00:03:08,140
All right.

43
00:03:08,150 --> 00:03:09,790
So we can use a double dash force.

44
00:03:12,760 --> 00:03:15,980
And hit enter on that, so that will begin the conversion process.

45
00:03:16,420 --> 00:03:22,530
So once the conversion process is complete, it will be able to get a file as being specified over here.

46
00:03:22,960 --> 00:03:27,040
So we got Devar-beta-dex2jar

47
00:03:27,640 --> 00:03:32,150
.jar, so go back into the folder and scroll all the way down.

48
00:03:32,320 --> 00:03:35,070
And of course, over here we have a number of tutorials for you.

49
00:03:35,410 --> 00:03:44,100
So we are going to learn more about ops go droit, especially in terms of the Falgoust as well as financial.

50
00:03:44,350 --> 00:03:46,800
OK, so we'll be going through those details later on.

51
00:03:47,650 --> 00:03:50,770
And what we can see over here is that we have over here to follow.

52
00:03:50,970 --> 00:03:51,220
All right.

53
00:03:51,220 --> 00:03:55,330
So we got Devar-beta-dex2jar.jar.

54
00:03:55,330 --> 00:03:56,290
So this is the file.

55
00:03:56,710 --> 00:04:01,510
And we have also downloaded as part of our previous video, one of the previous videos about mobile

56
00:04:01,510 --> 00:04:03,000
application penetration testing.

57
00:04:03,370 --> 00:04:06,990
So we actually have JD-GUI so we can open this up.

58
00:04:07,840 --> 00:04:08,060
All right.

59
00:04:08,140 --> 00:04:15,640
So once we have it running, all we got to do is drag the Devar-beta-dex2jar.jar

60
00:04:15,640 --> 00:04:17,820
into the Java decompiler.

61
00:04:18,460 --> 00:04:23,860
So once you have done that on the left side, we can look at the more information about this jar file.

62
00:04:23,890 --> 00:04:25,870
So we have Jacare Devar.

63
00:04:26,200 --> 00:04:29,770
So go in, opened it up and we can look at all the different classes.

64
00:04:30,370 --> 00:04:33,850
So we have API credentials, access, control.

65
00:04:34,120 --> 00:04:39,160
And of course, the one thing that we want to look at is the open up the SQL injection activity.

66
00:04:39,490 --> 00:04:41,080
So go ahead and click open on that.

67
00:04:41,680 --> 00:04:44,920
And over here we can immediately find more information.

68
00:04:44,980 --> 00:04:48,400
So we have schoolie I we have the drop table.

69
00:04:48,400 --> 00:04:53,650
If exists equal our user LLC would actually and would actually create a table.

70
00:04:53,930 --> 00:04:54,070
All right.

71
00:04:54,130 --> 00:04:56,410
So once you have dropped the table, it would create a table.

72
00:04:56,680 --> 00:05:01,960
And we have the user variable character, a variable character and credit card variable character.

73
00:05:01,960 --> 00:05:10,870
And immediately we can find all three user records inside this mobile application directly by viewing

74
00:05:10,870 --> 00:05:11,550
the source code.

75
00:05:11,560 --> 00:05:13,030
It has been hot code.

76
00:05:13,030 --> 00:05:17,410
It so hot code it sent into these skillfull.

77
00:05:17,410 --> 00:05:23,140
And that is how we actually gain access to those credentials where we will actually trying to do the

78
00:05:23,140 --> 00:05:23,920
SQL injection.

79
00:05:24,160 --> 00:05:24,490
All right.

80
00:05:24,490 --> 00:05:31,460
And of course, in our case, by being able to break down the jar file or the APK file, we can gain

81
00:05:31,460 --> 00:05:37,750
direct entry into the source code and know exactly what kind of file, what kind of data is being stored

82
00:05:37,750 --> 00:05:39,650
or created inside the system.

83
00:05:40,660 --> 00:05:43,390
So once again, I hope you've learned something valuable in today's tutorial.

84
00:05:43,390 --> 00:05:47,140
And if I have any questions, feel free to leave a comment below and I'll try my best to answer any

85
00:05:47,140 --> 00:05:47,860
of your questions.

86
00:05:48,040 --> 00:05:49,240
Stromatolite sharing.

87
00:05:49,270 --> 00:05:53,260
Subscribe to the channel so that you can be kept abreast of the latest cybersecurity tutorial.

88
00:05:53,410 --> 00:05:54,760
Thank you so much once again for watching.
