I. Dynamically debugging the Android app under analysis

1. Attaching with IDA
Push the android_server from the IDA directory to the Android phone:
adb push android_server /data/local/tmp
1) Run android_server:
adb shell /data/local/tmp/android_server
2) Forward the port:
adb forward tcp:23946 tcp:23946
3) Start the program in debug mode; the phone then shows the "Waiting for debugger" screen:
ddms
adb shell am start -D -n <package name>/<activity class name>
4) Open the 32-bit IDA, attach to the process, and set the debugger options:
Debugger > Remote ARMLinux/Android debugger
Debugger > Debugger options
5) On the command line run:
ddms (so that the jdb command can be used)
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
The port (8700 here) is the one shown in DDMS.
6) Set the breakpoint
After the attach completes, execution is stopped inside the so module. Press Ctrl+S to open the module list and search for the so file name.
Record its base address. Add the function's offset from IDA's static analysis to that base address to get the function's address in memory, press G to jump to it, and press F2 to set the breakpoint.
7) Press F9 to run. 8) Once the breakpoint is hit,
single-step with F8 and step into calls with F7.
2. Dumping the in-memory so directly with dd
1) Run the app.
2) Copy the data out of memory:
adb shell
su
ps | grep com.tyomcat.crackme (get the process ID of the process that loaded the so)
cat /proc/<pid>/maps | grep libcrackme.so (get the in-memory base address of the so)
dd if=/proc/<pid>/mem of=/sdcard/1.mem bs=1 skip=<so base address> count=<so file size>
adb pull /sdcard/1.mem
3. Pausing the process with the kill command
1) Run android_server: adb shell /data/local/tmp/android_server
2) Forward the port: adb forward tcp:23946 tcp:23946
3) Run the program.
4) Get the PID with ps.
5) Run kill -19 <pid> (SIGSTOP), which pauses the process.
6) Attach with IDA and debug dynamically.
II. Anti-debugging techniques

1. Checking the TracerPid value in a loop: if it is non-zero, the app process is being traced, so the program stops and exits immediately.
IDA uses android_server, running in a root environment, to inject itself into the process being debugged; the underlying mechanism is Linux ptrace. On Android, when a process is ptrace-attached by another process, the TracerPid field in its status file identifies which process is tracing it, so the debugged process can be inspected with:
cat /proc/<pid>/status
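As an added illustration (not code from the original article), the native check the text describes, in C: parse TracerPid out of the text of /proc/self/status, where 0 means no tracer is attached and any other value is the PID of the process that ptrace-attached (for example IDA's android_server). The PIDs in the embedded sample status text are constructed values; a protected app would call self_is_traced() periodically, which is the "loop" the text refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid line out of the text of a /proc/<pid>/status file.
 * Returns the tracer's PID, 0 if the process is not traced (the kernel
 * writes "TracerPid:\t0"), or -1 if no TracerPid line is present. */
long tracer_pid_from_status(const char *status_text) {
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            return strtol(line + 10, NULL, 10); /* strtol skips the tab */
        }
        line = strchr(line, '\n');
        if (line) line++;                       /* move past the newline */
    }
    return -1;
}

/* Read this process's own status file and report whether a tracer is attached.
 * Returns 1 if traced, 0 if not, -1 on error (e.g. no /proc on this system). */
int self_is_traced(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tracer = tracer_pid_from_status(buf);
    if (tracer < 0) return -1;
    return tracer != 0;
}

/* Constructed sample: the relevant lines of a status file while a debugger
 * with the invented PID 2345 has ptrace-attached to the app (PID 1234). */
static const char SAMPLE_TRACED[] =
    "Name:\tcrackme\nState:\tt (tracing stop)\nTgid:\t1234\nPid:\t1234\n"
    "PPid:\t1\nTracerPid:\t2345\nUid:\t10056\t10056\t10056\t10056\n";

/* Constructed sample: the same process with no tracer attached. */
static const char SAMPLE_FREE[] =
    "Name:\tcrackme\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t1\nTracerPid:\t0\n";

int main(void) {
    printf("traced sample: tracer pid %ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    printf("free sample: tracer pid %ld\n", tracer_pid_from_status(SAMPLE_FREE));
    printf("this process traced: %d\n", self_is_traced());
    return 0;
}
```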
2. Error when running the jdb command
"Unable to connect to the target VM" mostly occurs when the app is not debuggable; add the android:debuggable attribute to AndroidManifest.xml.
Rebuild: java -jar apktool.jar b -d out -o debug.apk
Sign the APK: java -jar .\sign\signapk.jar .\sign\testkey.x509.pem .\sign\testkey.pk8 debug.apk debug.sig.apk
Android Reverse Engineering Approach (II)