Skip to content

Decompiling an Android Application Written in .NET MAUI 9 (X... #2037

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Decompiling an Android Application Written in .NET MAUI 9 (X... #2037

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 48 additions & 1 deletion src/mobile-pentesting/xamarin-apps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,50 @@ pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
pyxamstore pack
```

Some recent Xamarin/MAUI builds store compressed assemblies using the **XALZ** format inside `/assemblies.blob` or `/resources/assemblies`. You can quickly decompress them with the [xamarout](https://pypi.org/project/xamarout/) library:
#### .NET MAUI 9 / .NET for Android assembly stores inside ELF `.so`

Recent Android MAUI 9 builds no longer expose `assemblies.blob` directly. Instead, each ABI ships an ELF container such as `lib/arm64-v8a/libassemblies.arm64-v8a.blob.so`. This is a valid shared library with a custom `payload` section that contains the managed assembly store.

Quick workflow:

```bash
unzip app.apk -d app_unpacked
llvm-readelf --section-headers app_unpacked/lib/arm64-v8a/libassemblies.arm64-v8a.blob.so
llvm-objcopy --dump-section=payload=payload.bin \
app_unpacked/lib/arm64-v8a/libassemblies.arm64-v8a.blob.so
hexdump -c -n 4 payload.bin # XABA
```

If `llvm-readelf` shows a `payload` section, dump it and verify the extracted blob starts with `XABA` (`0x41424158`). That payload is the assembly store documented by .NET for Android, not a single DLL.

The store layout is useful when you need to carve assemblies manually or validate an extractor:

- Header: `struct.unpack('<5I', ...)` for `magic`, `version`, `entry_count`, `index_entry_count`, `index_size`
- Descriptors: `entry_count` records of `struct.unpack('<7I', ...)` with `data_offset` / `data_size` and optional debug/config offsets
- Index: skip `index_size` bytes
- Names: `uint32 length` + UTF-8 bytes
- Data: seek to each `data_offset` and write `data_size` bytes as `<name>.dll`

Some extracted entries still won't open directly in dnSpy/ILSpy/dotPeek because they are additionally wrapped with **XALZ**. In that case:

- Check the first 4 bytes of each extracted file for `XALZ`
- Read the uncompressed size from bytes `8:12` as little-endian `uint32`
- Decompress bytes `12:` with `lz4.block.decompress(...)`

Minimal decompression logic:

```python
import struct
import lz4.block

def decompress_xalz(data):
size = struct.unpack('<I', data[8:12])[0]
return lz4.block.decompress(data[12:], uncompressed_size=size)
```

If you don't want to parse the store manually, [pymauistore](https://github.com/mwalkowski/pymauistore/tree/main) automates ELF payload extraction, `XABA` store parsing, and `XALZ` decompression for MAUI 9 APKs.

Some older Xamarin/MAUI builds store compressed assemblies using the **XALZ** format inside `/assemblies.blob` or `/resources/assemblies`. You can quickly decompress them with the [xamarout](https://pypi.org/project/xamarout/) library:

```python
from xamarout import xalz
Expand Down Expand Up @@ -106,5 +149,9 @@ The tool [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer) simpli
- [https://github.com/GoSecure/frida-xamarin-unpin](https://github.com/GoSecure/frida-xamarin-unpin)
- [https://gist.github.com/Diefunction/e26fce039efcab57aac342a4b2d48ff6](https://gist.github.com/Diefunction/e26fce039efcab57aac342a4b2d48ff6)
- [https://reverseengineering.stackexchange.com/questions/31716/deobfuscating-ios-dll-file-i-think-arm64](https://reverseengineering.stackexchange.com/questions/31716/deobfuscating-ios-dll-file-i-think-arm64)
- [https://mwalkowski.com/post/decompiling-an-android-application-written-in-net-maui-9-xamarin/](https://mwalkowski.com/post/decompiling-an-android-application-written-in-net-maui-9-xamarin/)
- [https://github.com/dotnet/android/blob/main/Documentation/project-docs/AssemblyStores.md](https://github.com/dotnet/android/blob/main/Documentation/project-docs/AssemblyStores.md)
- [https://github.com/dotnet/android/blob/main/Documentation/project-docs/ApkSharedLibraries.md](https://github.com/dotnet/android/blob/main/Documentation/project-docs/ApkSharedLibraries.md)
- [https://github.com/mwalkowski/pymauistore/tree/main](https://github.com/mwalkowski/pymauistore/tree/main)

{{#include ../banners/hacktricks-training.md}}