Android .so File Debugging Analysis
0x00: Preface
Before doing this challenge I found that others had already written it up, so I decided to document my own process as well. I am a novice, so this is very wordy; many small details held me up for a long time, and I hope writing them down saves friends getting into Android a few of the same pits. Corrections are welcome.
This challenge is taken from the Ali (Alibaba) security challenge. The debugging process hit a lot of pits (after all, it was my first time debugging the native layer =_=). I originally intended to debug on a real device, but one of the steps below would have required flashing the phone's ROM, so I used the emulator instead.
0x01
This crackme (cm) is mainly practice for debugging the native layer and patching a .so.
Install the APK as follows:
The goal is to crack the password.
The usual approach is to look at the Java layer first, but decompiling it shows:
There is nothing to crack there, so I had to move to the native layer and debug the .so file.
Throwing libcrackme.so into IDA, you can see the validation function:
Then I tried to attach IDA to the process, but the program exits as soon as the debugger attaches, so the following analyzes JNI_OnLoad(), the function that runs when the library is loaded.
0x02
First open DDMS; if it is not open, the debug port is closed and jdb cannot be used later.
Note a pit here: it is best to run netstat -ano | find "8700" in cmd first to confirm the port is not in use, otherwise the subsequent debugging steps cannot be performed.
The situation is normal when the only program occupying port 8700 is javaw.
tips: IDA ships two android_server binaries, one that supports Android 5.0 and above (the shorter file name) and one for below Android 5.0 (the slightly longer file name).
I renamed the android_server I use for convenience.
Then push IDA's android_server to the emulator and run it as root.
Next is port forwarding: adb forward tcp:23946 tcp:23946
Then start the program in debug mode. Another pit here: open a new cmd window for the port forwarding and the debug launch, otherwise it errors out.
The program on the emulator then shows the "Waiting For Debugger" screen.
Then attach with IDA.
Note: the following must be set before attaching.
Attach.
Then the debugger options (note: be sure to tick this box).
Next, make sure to click Run in IDA (I did not know this and redid the whole thing many times --!).
Resume the program with jdb:
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
Then set a breakpoint at JNI_OnLoad.
0x03
Press P in IDA on the code block to define it as a function, then F5 to decompile.
It turns out to be an infinite-loop anti-debugging trick. Referring to the second reference below ("so debugging experience") for ways to handle an infinite loop, I compared the methods and chose patching the .so as the more convenient one.
tips: The reason for choosing to patch the .so is that earlier in IDA there is a call to __android_log_print()
whose output is the same on every run: I/yaotong (XXX): SecurityCheck Started ... So by patching the .so to change the printed content,
you can use this __android_log_print call directly to output the correct value for comparison.
Of course, you can also keep debugging: the sub_130C() function mentioned above performs the anti-debugging check (it is what makes the program quit when IDA attaches), and NOPing out this function allows normal debugging.
0x04
Because the ARM architecture does not have a separate NOP instruction, the method described by "steamed rice" is to use MOVS R0, R0,
whose corresponding machine code is xx A0 E1.
Go to the call to sub_130C() and change the FF FF EB (the BL instruction) to the instruction above to NOP out the function call.
F5 again, and you can see the call has been successfully NOPed out.
Then save the .so file, overwrite the original .so in the APK with it, and re-sign the APK.
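The byte patch above is done by hand in IDA's hex view. The following is an added example, not part of the original write-up, that shows the same edit done programmatically and safely: it decodes the ARM-mode BL encoding (cond 1110, opcode 1011, 24-bit signed word offset relative to PC+8), checks that the word at the patch address really is a BL to the expected target, and only then overwrites it with MOV R0, R0 (0xE1A00000, stored as 00 00 A0 E1). The code image, base address, call-site address and the offset 0x130C as the branch target are constructed sample values.

```python
import struct

# MOV R0, R0 (written MOVS R0, R0 in the write-up) is the traditional ARM-mode NOP:
# encoding 0xE1A00000, stored little-endian as 00 00 A0 E1.
ARM_NOP = 0xE1A00000


def is_bl(word: int) -> bool:
    """True if the 32-bit ARM word is an unconditional BL (cond=1110, bits 27..24 = 1011)."""
    return (word & 0xFF000000) == 0xEB000000


def bl_target(pc: int, word: int) -> int:
    """Decode the target of a BL located at address pc.
    imm24 is a signed word offset relative to pc + 8 (ARM pipeline offset)."""
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:          # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF


def encode_bl(pc: int, target: int) -> int:
    """Inverse of bl_target; used here only to build the constructed sample image."""
    return 0xEB000000 | (((target - pc - 8) >> 2) & 0x00FFFFFF)


def nop_call(image: bytes, base: int, call_addr: int, expected_target: int) -> bytes:
    """Replace the BL at call_addr with MOV R0, R0, after verifying it is a BL to expected_target.
    image holds the raw bytes of a code segment loaded at `base`; for a real .so, map the virtual
    address to a file offset via the ELF program headers (or IDA's segment view) first."""
    off = call_addr - base
    if off < 0 or off + 4 > len(image) or off % 4:
        raise ValueError("call address outside the image or not word-aligned")
    (word,) = struct.unpack_from("<I", image, off)
    if not is_bl(word):
        raise ValueError(f"no BL at {call_addr:#x}, found {word:#010x}")
    target = bl_target(call_addr, word)
    if target != expected_target:
        raise ValueError(f"BL at {call_addr:#x} goes to {target:#x}, not {expected_target:#x}")
    patched = bytearray(image)
    struct.pack_into("<I", patched, off, ARM_NOP)
    return bytes(patched)


# Constructed sample: a 0x500-byte code segment based at 0x1000, filled with NOPs, with a
# hypothetical call site at 0x1400 that branches back to the anti-debug routine at 0x130C.
BASE, CALL_SITE, ANTI_DEBUG = 0x1000, 0x1400, 0x130C
SAMPLE = bytearray(struct.pack("<I", ARM_NOP) * (0x500 // 4))
struct.pack_into("<I", SAMPLE, CALL_SITE - BASE, encode_bl(CALL_SITE, ANTI_DEBUG))
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    off = CALL_SITE - BASE
    print(SAMPLE[off:off + 4].hex(" "), "->",
          nop_call(SAMPLE, BASE, CALL_SITE, ANTI_DEBUG)[off:off + 4].hex(" "))  # c1 ff ff eb -> 00 00 a0 e1
```

The backward branch in the sample encodes as C1 FF FF EB, which is why the write-up sees FF FF EB as the trailing bytes of the call; the first byte is the low part of the offset and differs per call site.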
This time the program did not exit on attach, which shows the patch worked. Then set a breakpoint on the validation function
Java_com_yaotong_crackme_MainActivity_securityCheck.
Then enter a password in the app and execution stops at this point.
F5 there, and you can see the address where the encrypted string is located.
Press D to switch to data (pointer) view and look at this address.
"aiyou,bucuoo" should be the flag.
0x05
Test it.
Cracked successfully!
0x06
What I had dealt with before was the Java layer, where it is generally enough to find the core verification function and write a keygen. This first debugging session in the native layer taught me a lot and showed me the power of IDA. Although there were many pits along the way, and sometimes I did not know where to look, I stuck with it to the end, which lays a foundation for debugging .so files in the future.
0x07
References
Android Dynamic Debugging with IDA Pro
Android native layer .so file debugging