Decompiling an Android Application Written in .NET MAUI 9 (X...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://mwalkowski.com/post/decompiling-an-android-application-written-in-net-maui-9-xamarin/
• Blog Title: Decompiling an Android Application Written in .NET MAUI 9 (Xamarin)
• Suggested Section: Mobile Pentesting -> Android Applications Pentesting (or a new subsection under Android Reversing/Decompiling) -> "Decompiling .NET MAUI/Xamarin apps (MAUI 9 ELF assembly store: XABA/XALZ)"

🎯 Content Summary

Title / goal
The post explains how to reverse engineer (extract and decompile) managed .NET assemblies from Android apps built with .NET MAUI 9 (successor to Xamarin). It is not a CVE/vulnerability disclosure, but it is a practical, low-level technique that defeats a packaging change intended to make library extraction harder.

Why this matters (security impact / severity)
Even though .NET MAUI 9 moved DLLs into an ELF container to raise the bar, the a...

🔧 Technical Details

Trick 1 — Recover managed .NET MAUI 9 assemblies hidden inside an ELF container:
When a MAUI 9 Android build stores its assemblies inside libassemblies.<arch>.blob.so, treat the file as an ELF container and enumerate sections with llvm-readelf --section-headers. Identify the MAUI-specific payload section (type PROGBITS), then extract it losslessly using llvm-objcopy --dump-section=payload=payload.bin libassemblies.<arch>.blob.so. Validate correct extraction by checking for the XABA magic (0x41424158) at offset 0.

Trick 2 — Parse the “assembly store” container format to carve individual DLLs:
Interpret payload.bin as a structured store: parse a 20-byte little-endian header (struct.unpack('<5I')) to obtain entry_count and index_size; parse entry_count 28-byte descriptors (struct.unpa...

🤖 Agent Actions

Updated xamarin-apps.md with the missing MAUI 9 Android reversing workflow. The new content fits that existing page better than creating a new file because the repo already used it for Xamarin/.NET managed assembly extraction, and this blog extends that same technique rather than introducing a separate category.

The addition covers the MAUI 9 libassemblies.<abi>.blob.so ELF container, payload extraction with llvm-readelf/llvm-objcopy, XABA validation, the assembly-store layout needed to carve DLLs, and the per-entry XALZ LZ4 decompression path. I also added the blog, official .NET Android docs, and pymauistore to the file’s ## References section.

Validation: re-read the edited section, checked that ## References is still at the end of the file, and reviewed the final diff.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://mwalkowski.com/post/decompiling-an-android-application-written-in-net-maui-9-xamarin/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (or a new subsection under Android Reversing/Decompiling) -> "Decompiling .NET MAUI/Xamarin apps (MAUI 9 ELF assembly store: XABA/XALZ)"".

Repository Maintenance:

• MD Files Formatting: 954 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0