Update reversing-native-libraries.md

carlospolop · web-flow · commit 92510d22bbd2 · 2025-10-25T19:09:04.000+02:00
diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -276,31 +276,18 @@ make
 ```
 </details>
 
-Why this enables “early” instrumentation
-- You can attach Frida/LLDB to the loader-stable process, set breakpoints and patch anti-debug/root checks before executing `INIT0()`.
-- Renaming `JNI_OnLoad` avoids crashes from JNI state that the constructor typically initializes.
-- Running outside the original app lifecycle reduces noise (UI/threads/classloader), making analysis reproducible.
 
-Pitfalls
+**Common Pitfalls:**
 - Constructor addresses change after patching due to re-layout; always recompute from `.rela.dyn` on the final binary.
 - Ensure `-Djava.class.path` covers every class used by `RegisterNatives` calls.
 - Behavior may vary with NDK/loader versions; the consistently reliable step was removing `INIT_ARRAY`/`INIT_ARRAYSZ` DYNAMIC tags.
 
-Defensive notes (blue team)
-- Validate DYNAMIC entries and library integrity at runtime; assert that expected init tags are present before proceeding.
-- Add post-init integrity checks confirming constructors executed.
-- Use runtime attestation and code-signing verification to detect modified native libraries.
 
----
-
-### Resources
+### References
 
 - **Learning ARM Assembly:** [Azeria Labs – ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)
 - **JNI & NDK Documentation:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) · [NDK Guides](https://developer.android.com/ndk/guides/)
 - **Debugging Native Libraries:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
-
-### References
-
 - Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
 - NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
 - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
@@ -311,4 +298,4 @@ Defensive notes (blue team)
 - [LIEF Project](https://github.com/lief-project/LIEF)
 - [JNIInvocation](https://github.com/Ch0pin/JNIInvocation)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
