Stop Struggling with Hidden .so Files! Extract Them Live with soSaver

Author: Bright Coding

You've spent hours reverse-engineering that Android app. You've decompiled the APK, sifted through smali code, and finally reached the native layer—only to discover the .so libraries are encrypted, packed, or simply not there.

Sound familiar? Here's the brutal truth: modern Android applications are weaponizing native code protection like never before. Packers like UPX, custom encryption schemes, and dynamic loading mechanisms have turned static analysis into a frustrating game of whack-a-mole. The libraries you need aren't sitting pretty in the APK's lib/ folder anymore. They're decrypted in memory at runtime, loaded from remote servers, or generated on-the-fly by sophisticated unpackers.

What if you could bypass all of this protection and grab those native libraries straight from the application's live memory?

Enter soSaver—a Frida-based utility that doesn't ask permission from the APK's defenses. It extracts native .so libraries directly from running Android processes, capturing everything: encrypted payloads, dynamically loaded modules, and even libraries that never touch the filesystem. This isn't just another static extraction tool. It's a dynamic analysis weapon that operates at runtime, where the secrets are actually exposed.

In this deep dive, you'll discover why soSaver is becoming the secret weapon of mobile security researchers, how its dual-architecture design outsmarts modern protection schemes, and exactly how to wield it against your toughest Android reverse-engineering challenges. Let's pull back the curtain.


What is soSaver? The Dynamic Extraction Engine You Didn't Know You Needed

soSaver is a specialized utility for dynamic extraction of native ELF libraries (.so files) from Android application memory using the Frida dynamic instrumentation framework. Created by TheQmaks and distributed under the MIT license, this open-source tool addresses a critical gap in the mobile security researcher's toolkit: the inability to reliably obtain native libraries through static analysis alone.

The project's timing couldn't be more relevant. As Android malware sophistication has exploded—think banking trojans with multi-stage payloads, gaming cheats with server-side library delivery, and enterprise apps with custom packers—researchers have found themselves increasingly blind to the actual code executing at the native layer. Traditional tools like apktool, jadx, and even advanced unpackers struggle when libraries are:

  • Encrypted at rest and decrypted only by a custom loader at runtime
  • Downloaded dynamically from command-and-control servers based on device fingerprinting
  • Generated procedurally during execution to evade signature-based detection
  • Protected by anti-tampering systems that detect and respond to filesystem access

soSaver sidesteps every one of these defenses by operating in vivo—inside the running process itself. By leveraging Frida's powerful JavaScript injection capabilities, it becomes an invisible observer within the target application's address space, capturing libraries as they exist in their fully-unpacked, decrypted, executable form.

The tool has gained significant traction in the mobile security community, with its PyPI distribution enabling one-command installation and its clean CLI interface lowering the barrier to entry for researchers who might otherwise struggle with manual Frida scripting. Its dual-component architecture—a Python orchestrator paired with a TypeScript Frida agent—represents a mature, maintainable approach to complex dynamic instrumentation tasks.


Key Features: Why soSaver Outperforms Conventional Extraction Methods

soSaver's feature set is deliberately focused on solving real extraction problems that researchers encounter in the wild. Here's what makes it technically superior:

Multi-Vector Library Detection

The tool doesn't rely on a single detection method. Instead, it employs three complementary strategies:

  • Runtime hook interception: soSaver places Frida hooks on standard library loading functions—dlopen and android_dlopen_ext—capturing libraries the moment they're loaded by the legitimate Android linker. This catches the vast majority of conventionally-loaded native code.

  • Periodic memory scanning: For libraries that bypass standard loading (think manual mmap + ELF parsing, reflective loading, or custom linker implementations), soSaver performs memory sweeps for ELF header signatures (\x7fELF). This non-standard loading detection is crucial against sophisticated packers and malware.

  • Filesystem fallback: When memory reads fail due to protection mechanisms or memory mapping quirks, soSaver gracefully falls back to reading from /proc/[pid]/maps and associated file descriptors, maximizing recovery rates.

Intelligent Data Transfer

Extracted libraries aren't dumped haphazardly. The Frida agent reads memory in manageable blocks, transfers via Frida's optimized message passing, and the Python component reconstructs complete, valid ELF files. This block-based approach prevents the memory corruption and truncation issues that plague naive extraction attempts.
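
The host-side half of such a block transfer can be sketched as follows. This is an added example, not soSaver's own code: the `ModuleAssembler` class, the `(offset, data)` block shape and the 4 KiB block size are assumptions made for illustration. It shows why the image is zero-filled first and how blocks that never arrived are reported instead of silently shortening the file.

```python
class ModuleAssembler:
    """Rebuilds one module image from (offset, data) blocks sent by an agent."""

    def __init__(self, size: int):
        self.size = size
        # Zero-fill up front so a block that never arrives leaves a hole of the
        # right length instead of shifting every later offset.
        self.image = bytearray(size)
        self.received = []  # (start, end) byte ranges written so far

    def add_block(self, offset: int, data: bytes) -> None:
        end = offset + len(data)
        if offset < 0 or end > self.size:
            raise ValueError(f"block {offset:#x}..{end:#x} is outside the module")
        self.image[offset:end] = data
        self.received.append((offset, end))

    def gaps(self) -> list:
        """Return the (start, end) ranges no block covered, in address order."""
        missing, cursor = [], 0
        for start, end in sorted(self.received):
            if start > cursor:
                missing.append((cursor, start))
            cursor = max(cursor, end)
        if cursor < self.size:
            missing.append((cursor, self.size))
        return missing


def demo() -> ModuleAssembler:
    # Constructed sample: three 4 KiB blocks, the middle one unreadable, and
    # the remaining two delivered out of order.
    asm = ModuleAssembler(size=3 * 4096)
    asm.add_block(2 * 4096, b"\xcc" * 4096)
    asm.add_block(0, b"\x7fELF" + bytes(4092))
    return asm
```

A non-empty `gaps()` result marks an image that needs the filesystem fallback or a second read before it is trusted for analysis.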

Informative Operational Feedback

soSaver provides real-time statistics on extraction progress: modules discovered, successfully extracted, fallback activations, and error conditions. The --debug flag reveals the internal decision-making process, invaluable when analyzing novel protection schemes.

Flexible Targeting

Specify targets by package name (automatically resolved to PID) or direct PID for cases where the application isn't conventionally launched or runs in isolated processes.


Real-World Use Cases: Where soSaver Becomes Indispensable

Use Case 1: Banking Trojan Analysis

Modern Android banking malware like Anubis, Cerberus, or TeaBot heavily encrypt their native payloads. The .so files in the APK are encrypted blobs; only a small stub decrypts and loads the real functionality at runtime. With soSaver, you simply:

sosaver com.fake.bank.app --debug

The tool captures the fully-decrypted payload as it's loaded into memory, revealing the actual C2 communication logic, overlay injection code, and credential harvesting routines that static analysis would never expose.

Use Case 2: Game Security and Cheat Detection

Mobile games using Unity or Unreal Engine increasingly deploy server-side library delivery—downloading .so files post-install based on device capabilities or regional requirements. These libraries contain anti-cheat mechanisms that researchers need to analyze. soSaver intercepts these dynamic loads:

sosaver -o ./game_libs com.publisher.unitygame

You obtain the exact library versions delivered to specific devices, enabling accurate vulnerability research and cheat detection algorithm analysis.

Use Case 3: Proprietary SDK and Framework Extraction

Enterprise applications often integrate third-party SDKs with restrictive licensing that obfuscate or encrypt their native components. When investigating data exfiltration or compliance violations, soSaver extracts these hidden libraries for behavioral analysis—revealing what data is actually being collected and transmitted.

Use Case 4: Custom Packer and Protector Research

Security vendors develop custom packers (like Promon Shield, Arxan, or DexGuard native protections) that transform .so files into unrecognizable formats. soSaver's memory scanning bypasses the packer's transformation entirely, yielding the original, unpacked library for comparative analysis against the protected version.


Step-by-Step Installation & Setup Guide

Getting soSaver operational requires proper environment preparation. Follow these steps precisely:

Prerequisites

Before installation, verify you have:

  • Python 3.10+ installed on your host machine
  • An Android device with root access (physical or emulator like Android Studio's emulator with -writable-system)
  • ADB (Android Debug Bridge) configured and device authorized
  • Frida server matching your device's architecture running on the target

Installing Frida Server on Android

First, ensure Frida server is operational on your target device:

# Download appropriate frida-server for your device architecture
# (arm64, arm, x86_64, x86) from https://github.com/frida/frida/releases

# Push to device
adb push frida-server /data/local/tmp/

# Set executable and launch as root
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
adb shell "su -c '/data/local/tmp/frida-server &'"

# Verify Frida connectivity from host
frida-ps -U

Installing soSaver

The simplest installation is via PyPI:

# Install soSaver globally or in a virtual environment
pip install sosaver

# Verify installation
sosaver --help

Development Installation (For Modification)

If you need to customize the Frida agent or contribute:

# Clone the repository
git clone https://github.com/TheQmaks/soSaver.git
cd soSaver

# Build the TypeScript Frida agent
cd agent && npm install && npm run build

# Install Python package in editable mode with dev dependencies
cd .. && pip install -e ".[dev]"

The pre-built agent resides at sosaver/frida/scripts/agent.js; rebuilding is only necessary after modifications.

Environment Verification

Confirm your setup:

# List running processes to verify Frida connectivity
# (-F matches "com." literally instead of treating "." as a regex wildcard)
frida-ps -U | grep -F 'com.'

# Test soSaver with a known application
sosaver com.android.chrome --debug

REAL Code Examples: soSaver in Action

Let's examine soSaver's actual implementation through its documented usage patterns and architecture.

Example 1: Basic Package-Based Extraction

The fundamental operation—extracting libraries by package name:

# Extract all discoverable native libraries from target application
sosaver com.example.app

What's happening under the hood: The Python CLI resolves com.example.app to its running PID via Android's ActivityManager, attaches the Frida agent, and initiates the three-phase detection process. Libraries are saved to the current working directory with sanitized filenames based on their original module names.

Example 2: PID-Based Targeting with Custom Output

For applications running in unusual contexts or when package resolution fails:

# Target specific process by PID with designated output directory
sosaver -o /path/to/output 1234

Critical use case: Some malware spawns multiple processes or uses process hollowing techniques. Direct PID targeting bypasses package name ambiguity. The -o flag ensures organized, permission-controlled output—essential when processing sensitive samples.

Example 3: Debug-Mode Deep Analysis

When extraction fails or produces incomplete results, enable comprehensive logging:

# Enable debug output for troubleshooting extraction issues
sosaver --debug com.unity.game

Debug output reveals:

  • Frida script injection success/failure
  • Hook installation on dlopen/android_dlopen_ext
  • Memory scan progress and ELF header discovery locations
  • Block transfer statistics and fallback activations
  • File reconstruction status

This verbosity is indispensable when analyzing novel protection schemes or debugging device-specific Frida compatibility issues.

Example 4: Game-Focused Extraction Pattern

A documented pattern for gaming applications with heavy native code:

# Extract from a game with typical native library architecture
sosaver com.example.game

Games frequently load dozens of .so files through multiple mechanisms: Unity's libmain.so bootstrap, plugin architectures, and downloadable content modules. soSaver's periodic scanning catches post-initial-load dynamic libraries that single-shot tools miss.

Example 5: Building from Source (Advanced)

For researchers modifying the Frida agent's detection heuristics:

# Clone repository for modification
git clone https://github.com/TheQmaks/soSaver.git
cd soSaver

# Rebuild agent after TypeScript modifications
cd agent && npm install && npm run build

# Install modified package
cd .. && pip install -e .

The agent architecture (agent/ directory) contains TypeScript modules handling:

  • Module enumeration and Process.findModuleByName for initial state
  • Interceptor.attach on Module.load and linker functions
  • Memory.scan with ELF magic number patterns for memory sweeps
  • Chunked Memory.readByteArray operations with error boundaries
  • Frida send() protocol for host communication

Modifying these enables custom detection logic—perhaps targeting specific packer signatures or extracting non-ELF executable formats.


Advanced Usage & Best Practices

Timing Your Extraction

Library loading often occurs at specific lifecycle moments. For maximum coverage:

  1. Launch the target application normally
  2. Wait for initial loading to complete (splash screen dismissal, main activity visible)
  3. Trigger functionality that loads additional libraries (open specific features, trigger game levels)
  4. Run soSaver during or immediately after these triggers

Consider scripting this with Frida's -f spawn mode for precise injection timing.

Handling Large Applications

Memory-constrained devices may struggle with complete extraction. Strategies:

  • Use -o to an external storage path with ample space
  • Extract specific libraries by modifying the agent's filtering logic
  • Increase Frida's message buffer sizes if encountering transfer truncation

Anti-Detection Evasion

Sophisticated protections detect Frida presence. Countermeasures:

  • Use Frida's gadget mode (embedded frida-gadget.so) instead of server for stealthier injection
  • Apply Frida anti-detection scripts before soSaver's agent
  • Consider Magisk-frida-server for system-level hiding on rooted devices

Verification and Analysis

Extracted libraries require validation:

# Verify ELF integrity
readelf -h extracted_lib.so

# Check for expected symbols
# (' T ' selects exported text symbols rather than any line containing a T)
nm -D --defined-only extracted_lib.so | grep ' T '

# Analyze with your reverse engineering toolchain
# (Ghidra, IDA Pro, Binary Ninja, radare2)
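
The same validation can be scripted for a batch of dumps, and it doubles as the false-positive filter a \x7fELF memory sweep needs. The following is an added example, not part of soSaver: the function names and the constructed arm64 sample are assumptions, and it assumes the extracted file keeps file-layout offsets. It reports truncation against the PT_LOAD segments and whether the section header table survived, since that table is usually not mapped into memory and dumps often lack it.

```python
import struct

MACHINES = {3: "x86", 40: "arm", 62: "x86_64", 183: "arm64"}  # e_machine
ET_DYN, PT_LOAD = 3, 1


def inspect_elf(data: bytes) -> dict:
    """Validate a shared-object ELF header; raise ValueError if implausible."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("missing ELF magic or header too short")
    if data[4] not in (1, 2) or data[5] != 1:
        raise ValueError("not a little-endian ELF32/ELF64 image")
    is64 = data[4] == 2
    ehdr = "<HHIQQQIHHHHHH" if is64 else "<HHIIIIIHHHHHH"
    phdr = "<IIQQQQQQ" if is64 else "<IIIIIIII"
    (e_type, e_machine, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(ehdr, data, 16)
    if e_type != ET_DYN or e_machine not in MACHINES:
        raise ValueError("not a shared object for a known Android ABI")
    if e_phentsize != struct.calcsize(phdr) or e_phnum == 0:
        raise ValueError("implausible program header table")
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program headers lie outside the data")
    load_end = 0
    for i in range(e_phnum):
        f = struct.unpack_from(phdr, data, e_phoff + i * e_phentsize)
        # p_offset/p_filesz sit at different indexes in ELF64 and ELF32.
        p_offset, p_filesz = (f[2], f[5]) if is64 else (f[1], f[4])
        if f[0] == PT_LOAD:
            load_end = max(load_end, p_offset + p_filesz)
    sh_end = e_shoff + e_shnum * e_shentsize
    return {"abi": MACHINES[e_machine], "bits": 64 if is64 else 32,
            "load_end": load_end, "truncated": len(data) < load_end,
            "sections_present": 0 < e_shoff and sh_end <= len(data)}


def find_elf_images(buf: bytes) -> list:
    """Return (offset, info) for every magic hit that passes validation."""
    hits, pos = [], buf.find(b"\x7fELF")
    while pos != -1:
        try:
            hits.append((pos, inspect_elf(buf[pos:])))
        except ValueError:
            pass  # magic bytes inside ordinary data: a false positive
        pos = buf.find(b"\x7fELF", pos + 1)
    return hits


def sample_image() -> bytes:
    """Constructed arm64 header with one PT_LOAD segment of 0x200 bytes."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN, 183, 1, 0, 64, 0x1000, 0, 64, 56, 1, 64, 4, 3)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x200, 0x200, 0x1000)
    return (ehdr + phdr).ljust(0x200, b"\x00")
```

When `sections_present` is false, tools that rely on section headers may report errors even though the program headers, and therefore the loadable code, are intact.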

Comparison with Alternatives: Why soSaver Wins

Tool/Method | Approach | Encrypted .so | Dynamic Loading | Ease of Use | Real-time
--- | --- | --- | --- | --- | ---
soSaver | Frida memory extraction | ✅ Captures decrypted | ✅ Intercepts + scans | ✅ Simple CLI | ✅ Yes
Static APK extraction | Filesystem analysis | ❌ Fails | ❌ Misses entirely | ✅ Trivial | N/A
Manual Frida scripting | Custom JS injection | ✅ Possible | ⚠️ Requires expertise | ❌ Complex | ✅ Yes
dd from /proc/[pid]/maps | Direct memory read | ✅ Possible | ⚠️ Race conditions | ❌ Error-prone | ⚠️ Partial
ltrace/strace on Android | Syscall tracing | ❌ Post-decryption only | ⚠️ Path reconstruction | ❌ Setup heavy | ❌ No
Commercial mobile forensics | Proprietary tools | Varies | Varies | ✅ GUI-based | ❌ Typically no

soSaver's decisive advantages:

  • Zero custom Frida knowledge required versus manual scripting
  • Multi-method reliability versus single-technique tools
  • Active maintenance and PyPI distribution versus abandoned alternatives
  • Open-source extensibility versus black-box commercial solutions

FAQ: Your soSaver Questions Answered

Does soSaver require root access?

Yes. Frida server requires root privileges for process injection on standard Android. Alternative: use Frida gadget mode (requires repackaging the target APK) for non-root scenarios.

Can soSaver extract libraries from obfuscated or packed apps?

Absolutely—this is its primary purpose. Since extraction occurs from memory after the packer has done its work, the recovered libraries are in their executable, unpacked form. The packer's obfuscation is irrelevant post-decryption.

What Android versions are supported?

soSaver works where Frida works—generally Android 5.0+ (API 21+). Specific compatibility depends on your Frida server version matching the target device's architecture and Android version.

How do I handle applications that detect Frida?

Apply anti-detection measures before soSaver: use frida-server with Magisk hiding, inject via gadget mode, or employ Frida configuration to mask presence. Some protections require case-specific bypass research.

Are extracted libraries immediately analyzable?

Usually yes—they're valid ELF files. However, some protections employ code virtualization or additional runtime decryption of functions. The .so is correct, but further unpacking may be needed for complete analysis.

Can I use soSaver for iOS applications?

No. soSaver targets Android's ELF-based .so libraries and Android-specific linker functions. iOS uses Mach-O format and different loading mechanisms. Frida supports iOS, but soSaver's agent is Android-specific.

Is commercial use permitted under the MIT license?

Yes. The MIT license allows commercial use, modification, and distribution with minimal requirements. Include the original copyright notice in derivative works.


Conclusion: Make soSaver Your Android Reverse Engineering Secret Weapon

The arms race between Android application protection and security research isn't slowing down—it's accelerating. Every month brings new packers, novel encryption schemes, and increasingly aggressive anti-analysis techniques. Static tools alone are no longer sufficient for comprehensive native layer examination.

soSaver represents the evolution of extraction methodology: dynamic, resilient, and operationally practical. By meeting protected applications on their own battlefield—live memory—it renders encryption and packing irrelevant, delivering the actual executable code researchers need to analyze.

Whether you're dissecting banking malware, investigating data-harvesting SDKs, or simply trying to understand how a game implements its physics engine, soSaver transforms an hours-long frustration into a minutes-long extraction. Its thoughtful architecture, clean interface, and open-source extensibility make it suitable for both rapid incident response and deep research projects.

Ready to stop fighting packers and start winning?

👉 Get soSaver on GitHub — star the repository, report your findings, and contribute to the most capable native library extraction tool in the Android security ecosystem.

👉 Install now: pip install sosaver

The libraries you couldn't extract yesterday are waiting in memory right now. Go get them.


Have you used soSaver in an interesting research scenario? Share your extraction stories—tag the community and help fellow researchers overcome their toughest native code challenges.
