<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on Avev</title><link>https://Avev.github.io/posts/</link><description>Recent content in Posts on Avev</description><generator>Hugo</generator><language>en</language><lastBuildDate>Thu, 11 Jun 2026 00:00:00 +0300</lastBuildDate><atom:link href="https://Avev.github.io/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Hooking .init_array Functions</title><link>https://Avev.github.io/posts/hooking_.init_array_functions/</link><pubDate>Thu, 11 Jun 2026 00:00:00 +0300</pubDate><guid>https://Avev.github.io/posts/hooking_.init_array_functions/</guid><description>&lt;p&gt;Many advanced Android apps hide their anti-tampering and anti-analysis checks
inside the &lt;code&gt;.init_array&lt;/code&gt;. If you try to attach Frida normally, these checks run
and kill the app before your script even loads.&lt;/p&gt;
&lt;p&gt;Here is how to deal with them.&lt;/p&gt;
&lt;h3 id="what-is-init_array"&gt;What is &lt;code&gt;.init_array&lt;/code&gt;?&lt;/h3&gt;
&lt;p&gt;Simply put: &lt;code&gt;.init_array&lt;/code&gt; is a section inside an ELF binary (&lt;code&gt;.so&lt;/code&gt; file) that
contains an array of function pointers.&lt;/p&gt;
&lt;p&gt;The Android dynamic linker executes these functions &lt;strong&gt;extremely early&lt;/strong&gt;—right
when &lt;code&gt;System.loadLibrary()&lt;/code&gt; is called, and long before &lt;code&gt;JNI_OnLoad&lt;/code&gt; fires.
Because it executes so early in the native lifecycle, it&amp;rsquo;s a prime spot for
developers to hide early anti-tampering mechanisms.&lt;/p&gt;</description></item></channel></rss>