Android Modify Kernel

Source: Internet
Author: User

Reversing the phone's kernel to bypass TracerPid anti-debugging

Reference articles:

1. http://bbs.pediy.com/thread-207538.htm
2. http://www.wjdiankong.cn/android

Background: there are not many common Android anti-debugging techniques, just a handful. One of them works by polling TracerPid; the implementation looks like this:

Against this kind of anti-debugging, our usual practice is to find the polling thread and patch the code so that it never runs, or do something similar. All of these approaches require us to analyse and modify the target's code. Time is precious; if we could save that time, we could put more effort into analysing the program's logic. Imagine the phone itself carried the antidote to this anti-debugging check: then all of that time would be saved.
Anti-debugging principle and implementation

How do we give the phone such an antidote? Picture a process being debugged while its TracerPid still reads 0; that would do the job. It requires changing the logic inside the phone's kernel. If you have the kernel source, you can build a zImage and replace the kernel, and everything works normally. Unfortunately most phone kernels are not open source (only Google's phones are), so the only option is to reverse engineer and patch the binary kernel. Difficulties:

1. Extracting the kernel from the phone
2. Finding the TracerPid logic
3. Flashing the modified kernel back to the phone

Extracting kernel code

1. First you need a rooted Android phone; the author uses a company test device, a Lenvorn KT-30. Then find the boot partition on the device. Its path depends on the specific device: /dev/block/platform/[a device-specific directory]/by-name
2. Change into by-name and run ls -l to see the details. Find the boot entry and note the path it links to, here /dev/block/mmcblk0p22. Some people will see several boot entries, such as boot1 and boot2; pick boot. Others will find no boot entry at all, in which case the only option is to flash a different system and work with that.
3. Then use a command to dump that partition to a file named boot.img.
Modifying the TracerPid setup logic
1. Having extracted the kernel from the rooted phone, we still cannot reverse boot.img directly, because it is an image file with a structure of its own:
2. We use the bootimg tool to unpack boot.img. These tools are simple in principle: they parse the boot.img format. The boot and recovery images are not a complete file system but an Android-specific format: a 2K header, followed by the gzip-compressed kernel, followed by the ramdisk, followed by the second-stage loader (this loader is optional and absent in some images). Unpacking gives the following: after unpacking there is a file named kernel, which is the kernel itself, and ramdisk.gz is extracted into the device directory, i.e. the initrd directory. Looking inside it:
This is the final device directory layout; you can see the init.rc boot scripts, the default.prop configuration file, and so on.
3. Next comes the special handling of the kernel file. Copy kernel to a file named zImage.gz, open it in 010 Editor, press Ctrl+F and search for the hex bytes 1F 8B 08 00, then delete all data before that match. This turns zImage.gz into a standard gzip file that gunzip can decompress. Command: gunzip zimage.gz. The decompressed zImage is the file we will actually work on.


4. Open the zImage kernel file in IDA for modification. The zImage from the previous step can be opened directly in IDA, but pay attention to the load options when opening it:

then set the start address to 0xc0008000. Why this start address? Because 0xc0008000 is the Linux kernel's boot load address.

5. Once it is open, press Shift+F12 to view the strings. Since we want to change the TracerPid value, search directly for the string "TracerPid". Double-click to jump to it, note down its address, then subtract our base offset 0xc0008000:

Look at the code that references the string and find the instruction that loads this parameter: mov R7, R0. After analysis, the patch is to replace mov R7, R0 with mov R7, #0, machine code A0 A0 E3, at file offset (0xc022ebe8 - 0xc0008000). At this point the kernel file modification is complete.



Flashing back to the phone

boot.img has to be repackaged before it is flashed back.

1. Compress zImage into z.gz with the command: gzip -n -f -9 zimage
2. Use 010 Editor to overwrite the original zImage file's data, starting at its 1F 8B 08 00 location, with the binary contents of z.gz. The new z.gz must be smaller than the original gzip stream, and writing it back must not change the size of the original zImage file or alter any of its other contents, otherwise things get very troublesome. This gives us the new zImage file.
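The unpacking described in the extraction steps (header, gzip-compressed kernel, ramdisk, second stage; locating 1F 8B 08 inside the kernel blob) and the in-place write-back with its size constraint described in step 2 above, as one added Python example that is not code from the original post or from the bootimg tool. It assumes the version-0 boot image header layout and works on a constructed sample image; the addresses and the sample kernel bytes are made up.

```python
import gzip
import struct
import zlib

# Android boot image header v0: one header page, then page-aligned kernel, ramdisk, second stage.
HDR = "<8s10I16s512s8I1024s"
GZIP_MAGIC = b"\x1f\x8b\x08"
page_align = lambda n, page: (n + page - 1) // page * page

def build_boot_image(kernel, ramdisk, page_size=2048):
    """Constructed sample boot.img (not a real device image; addresses are made up)."""
    hdr = struct.pack(HDR, b"ANDROID!", len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10f00000, 0x10000100, page_size, 0, 0,
                      b"sample".ljust(16, b"\0"), b"\0" * 512, *([0] * 8), b"\0" * 1024)
    img = hdr.ljust(page_size, b"\0") + kernel.ljust(page_align(len(kernel), page_size), b"\0")
    return img + ramdisk.ljust(page_align(len(ramdisk), page_size), b"\0")

def parse_boot_image(img):
    """Split boot.img into kernel / ramdisk / second using the sizes in the header."""
    f = struct.unpack_from(HDR, img, 0)
    if f[0] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    ksize, _, rsize, _, ssize, _, _, page = f[1:9]
    koff, roff = page, page + page_align(ksize, page)
    soff = roff + page_align(rsize, page)
    return {"kernel": img[koff:koff + ksize], "ramdisk": img[roff:roff + rsize],
            "second": img[soff:soff + ssize]}

def extract_zimage(kernel):
    """Find the 1F 8B 08 gzip member in the kernel blob; returns (zImage, offset, length)."""
    start = kernel.find(GZIP_MAGIC)
    if start < 0:
        raise ValueError("no gzip stream in kernel")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # streaming: stops where the member ends
    data = d.decompress(kernel[start:])          # (decompressor code follows it)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return data, start, len(kernel) - start - len(d.unused_data)

def replace_zimage(kernel, new_zimage):
    """Write a re-compressed member back in place, zero-padded, so nothing else moves."""
    _, start, length = extract_zimage(kernel)
    comp = gzip.compress(new_zimage, 9, mtime=0)  # equivalent of gzip -n -9
    if len(comp) > length:
        raise ValueError("new stream is larger than the original member")
    return kernel[:start] + comp.ljust(length, b"\0") + kernel[start + length:]

STUB = b"\x00\x00\xa0\xe1"  # ARM "mov r0, r0" nop, stands in for the decompressor code
SAMPLE_ZIMAGE = b"sample kernel text, TracerPid:\t0\n" * 64  # constructed, not a real kernel
SAMPLE_KERNEL = STUB * 16 + gzip.compress(SAMPLE_ZIMAGE, 9, mtime=0) + STUB * 8
```

A kernel whose re-compressed stream no longer fits the original member is rejected rather than written, which is the failure the "must be smaller" rule above guards against.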

3. Flash boot.img to the device. There is a pitfall here: flashing uses the fastboot command, and the most common problem is this error:

It means the device has not entered fastboot mode. How to enter fastboot differs per device: on Xiaomi it is Power + Volume Down, on Samsung it is Volume Down + Home + Power; search online for your specific device. Once in the fastboot screen, run fastboot again: fastboot flash boot boot-new.img

Then restart the device with fastboot reboot. Some students never manage to enter fastboot mode, so the fastboot command keeps failing; if that really cannot be solved, try a different phone. Now boot the device and debug an app: its TracerPid value is always 0. I had earlier changed TracerPid to the string ' 00 ', which also works:

Because that felt abnormal, I changed it again to the value ' 0\t '. Either works.

Note: be sure to keep the originally extracted kernel file boot.img. If you turn the device into a brick that fails to boot, you can flash the original boot.img back!










