jadx VS postgrest

The best way is to just start practicing. I would say pick some simple apps on your (Android) phone and dig straight in.

The great thing about Android applications is that often they generally decompile quite nice into human readable Java soo the barrier of entry can be quite low to start reversing.

Grab a copy of JADX[1] - it will decompress and decompile the APK files. If you don't have an Android handset, use an emulator and/or grab APKs from apkpure[2]

Dynamic analysis is a bit more challenging. In my blog post I use Frida[3] extensively.

If you get started on something and get stuck/looking for support, feel free to DM me on Twitter[4], more then happy to help.

[1] https://github.com/skylot/jadx

[2] https://frida.re/docs/android/

[3] https://m.apkpure.com/

[4] https://twitter.com/haxrob

This may be overkill but you can use an oscilloscope to manually calculate the baudrate, i.e. like this. It looks like it could be UART serial data, but this is a good resource to reference. Sometimes http is used as a means for communicating, and not necessarily directly to a browser see here. This is pretty common in embedded applications actually. You can try using dirbuster to see what hidden endpoints there are that may be used for video. If there's an RC, you can try and do what you were doing before on the drone for that (see what dmesg says when plugged in, check any open ports, etc). If it's a phone you connect to, you can RE the mobile app. I like using jadx for APKs to get a lay of the land. If you don't want to pop the SPI flash like i suggested earlier (and I suggest don't do that except for last resort), you can grep for firmware urls in the mobile app to see if it does OTA updates, and see if you can directly download it and analyze it with a disassembler like Ghidra. Since it's WiFi, you can also MiTM the traffic from an AP you control like your computer. I'm guessing video is probably going to be something like RTSP at an IP address, so you can grep in the mobile app for that, and that might be good enough to get your video feed honestly.

Jadx - skylot/jadx: Dex to Java decompiler (github.com) - Used for decompiling the apk - make the code readable

I realized when app is decompiled using JADX class names are recreated as shown in this screenshot of sample app

Not sure. I started reverse engineering Java apps very early in my life — initially it was J2ME games. Decompilers of the time sucked but that didn't stop me from modding Gravity Defied :P

I honestly don't know what's a good way of getting started on reverse engineering. There's a bunch of everything about Windows executables in particular, including "crackmes", but native machine code is a level up from JVM bytecode. Java classes and Android dex files can be decompiled back to sensible source with a good chance that you get something that can be compiled again. No such luck for native code — C/C++ compilation is a lossy process by its nature, especially the optimizations. Ghidra does a decent job but still requires a non-zero amount of manual assistance. Flash games also were good to hone one's reverse engineering skills since ActionScript decompilers did a pretty darn good job.

Anyway. To decompile dex to Java source, there's jadx: https://github.com/skylot/jadx

Since decompilation is sometimes lossy, there's apktool for when you want to put the app back together after tinkering with it: https://github.com/iBotPeaches/Apktool

It goes without saying that you also need a JDK and the Android SDK. In particular, you need apksigner form the SDK to sign the unsigned apks generated by apktool. You can also automate things a bit and use adb to deploy them to your device.

What I usually do is get a high-level overview of the app in jadx, and then modify the smali (dalvik bytecode in text form, very assembly-like) files generated by apktool.

A week ago I purchased a bluetooth device that takes some measurements. You require an Android or iOS application. The first thing the iOS app did was request permission for your location. Immediate fired up MITMproxy [1] running in transparent `--mode wireguard` and installed it's certificate in the iOS trust store. It was sending a whole bunch of data to China and HK. Since I don't have a jailbroken iPhone, it's off to Android.

For BLE scanning, Android does require permissions for location, but this application is using a Chinese branded tracking SDK and sending encrypted (within already encrypted TLS). So it's time to start reversing and instrumenting the runtime.

Well - not so easy, they used a commercial packer that encrypts their compiled bytecode and decrypts and runs it within a C++ library. I managed to bull the Dalvik out of memory using Frida[2], covert it to java bytecode with dex2jar[3] then into decompiled java with jadx [3].

Since the developer relied on the packer to hide/obfuscate their software, it's quite easy to follow. The libraries that do the location tracking on the otherhand are obfuscated so now I'm at the stage of identifying where to hook before the encrypted blobs are sent to servers in China.

I've sunk about 8 hours into this so far. The message here is that to understand what some applications on your phone does you need to really invest time and effort. The developers increase the cost to the consumer to know what their application is doing by obfuscation, encryption and packing. It's asymmetric.

[1] https://mitmproxy.org/posts/wireguard-mode/

[2] https://frida.re/docs/android/

[3] https://github.com/skylot/jadx

[3] https://github.com/pxb1988/dex2jar

jadx: View the generated Java code for an app. This tool tries to recreate Java code from the smali bytecode, but keep in mind that sometimes it may not work because Java -> Smali conversion is not fully backwards compatible.

If you haven't tried Jadx [1], give it a shot. It's by far the easiest way to reverse Android APKs. I doesn't do patching or reassembly, but I used it for reversing the Delong'hi APK for longshot [2][3] and the quality of output was fantastic.

[1] https://github.com/skylot/jadx

[2] https://github.com/mmastrac/longshot

[3] https://grack.com/blog/2022/12/02/hacking-bluetooth-to-brew-...

Smali is a low level language for Dalvik bytecode and it can be quite a headache to interpret it correctly and achieve what you want. That's why I recommend another tool called jadx which can mostly recover Java code from a dex file, but unfortunately the conversion is not 100% possible. Also, editing is not possible with jadx.

hey hn, supabase ceo her

we just announced GA, after ~4 years of beta. for those who don't know: supabase is a postgres hosting company. we also host other open source "backend" tools that make it easy to get started with postgres (tools like PostgREST for auto-generate APIs [0])

we owe a lot to the HN community. you launched us 4 years ago [1], when we were just a few developers. since then HN has been a staple in our journey, one of the best sources of product feedback [2]

the GA badge is mostly to signify organizational readiness. we're at a stage where we can take any profile of customer. we have a support team that works 24/7, and a success team that will help customers improve their postgres usage. we released our Index Advisor [3] yesterday, and we'll be releasing a few more products this week that helps customer with performance and security.

on a personal note: i read HN most days, and love going through the ShowHN's to see what devs are building. thanks for being an awesome community and my favorite place to lurk on the internet. i'll stick around to answer any questions

[0] PostgREST: https://postgrest.org

[1] Launch: https://news.ycombinator.com/item?id=23319901

[2] HN journey: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

[3] Index Advisor: https://news.ycombinator.com/item?id=40028111

If you use PostgreSQL and are proficient with using its row-level security feature, you can choose from several tools/services built above RLS, including Supabase, PostgREST, and PostGraphile. They all provide a way to expose database CRUD as a web API, assuming you've configured the RLS rules to properly secure the access.

wget 'https://github.com/PostgREST/postgrest/releases/download/v11.2.0/postgrest-v11.2.0-linux-static-x64.tar.xz'

SupaBase is entirely based upon PostgREST. In fact, PostgREST is arguably 49% of their value proposition according to their own website. The other 49% is PostgreSQL. PostgreSQL of course is a super mature database, and some would argue the best RDBMS on the planet, so let's ignore that part for a moment, and consider it a mature thing and move on to PostgREST.

You don't need this PHP snippet:

To get the same functionality without the extra step, simply use PostgREST [1]

[1] https://postgrest.org/

PostgREST is a standalone web server that turns your PostgreSQL database into a RESTful API using the database's structural constraints and permissions to define the API's endpoints and operations. In this tutorial, you will create a simple note-taking app by leveraging PostgREST to construct a RESTful API for the app and using htmx to deliver HTML content.

You might find some info in the docs of PostgREST [1] or in the previous discussions on HN about it [2].

For the versioning, I just have a git repo where I keep every role, schema, table, view, function, trigger, etc. definitions. Every time I change something in the database I first change it in the git repo too to have an history.

[1] https://postgrest.org

[2] https://hn.algolia.com/?q=postgrest

Don't know if you would call this a "program" but PostgREST is written is Haskell too.

https://github.com/PostgREST/postgrest