Ali 2014 Mobile Security Challenge second question debug note

Source: Internet
Author: User

0x00 Preface

I have recently been studying Android security and came across an analysis on 52pojie of the second crackme from the 2014 Alibaba Mobile Security Challenge. It brought back memories: that was the first security competition I took part in, and I had not studied Android security in any depth. The first question was fairly simple; the output could be read directly in logcat, and it was enough to work out the mapping between the numbers and the text. The second question is where I got stuck. I had just learned how to debug with IDA, but as soon as IDA attached to the process the program exited, no matter how many times I tried. I suspected anti-debugging, but did not have the skill to defeat it, and that is where I stopped. Now that I have found an article on the debugging techniques for this very problem, I am taking it up again as practice in dynamic debugging.

0x01 Static Analysis

The main screen of the application looks like this:

Open the program in JEB. The main program code is fairly simple: it reads the input, calls the native securityCheck method to do the comparison, and shows different content depending on the result. It gives away nothing useful.

Unzip the APK, drag libcrackme.so into IDA, locate the Java_com_yaotong_crackme_MainActivity_securityCheck function and press F5. The code is not obfuscated and its structure is clear: it compares the values of v6 and v5.

Here v5 is the user's input. The decompiled code looks rather awkward; quoting 蒸米's article "Android dynamic debugging, seven kinds of weapons: peacock feather - IDA Pro": a pointer plus a number, such as v3+676, is used as a method pointer and invoked with the pointer itself as the first parameter, for example (v3+676)(v3, ...). These are in fact the JNIEnv methods we use all the time in JNI. Because IDA does not recognize these methods automatically, when debugging a .so file it is often unclear what such a call does, since it looks so abstract. The fix is simple: only the type of the JNIEnv pointer needs to be changed. For the v3 pointer mentioned above, select it, press the Y key, and declare its type as "JNIEnv*".

The contents of off_628c are:

The string is wojiushidaan, but entering it does not pass the check, so the program evidently modifies the comparison string at runtime. That means we have to debug the program dynamically.

0x02 Dynamic Debugging

From the IDA installation directory .\ida 6.8\dbgsrv\ copy android_server to the Android device:

adb push android_server /data/local/tmp/

Set the file permissions:

adb shell chmod 755 /data/local/tmp/android_server

Start it with 9000 as the debug port. The default port is changed because some anti-debugging code reads the information under /proc/net/tcp, and the default port is an easy giveaway.

adb shell /data/local/tmp/android_server -p9000

Open another window and set up port forwarding there:

adb forward tcp:900 tcp:9000

In Debugger - Run - Remote ARMLinux/Android debugger, fill in the connection settings and click OK.

All running processes are listed. The application we want to debug was usually started last, so its PID is relatively large; sorting by PID makes it easy to find.

Loading takes a while, and every library load pops up a confirmation dialog; just skip them. Then find the function in the Modules window and set a breakpoint at its first instruction.

Press F9 to run. The program exits immediately, and IDA's output is as follows:

Several attempts give the same result, so there must be anti-debugging.

0x03 Anti-Debug

Start the app in debug mode with the following command:

adb shell am start -D -n com.yaotong.crackme/.MainActivity

The main activity name can be seen in logcat, or by decompiling the manifest.

The program starts and stops in the "waiting for debugger" state.

In Debugger - Debugger options, enable breaking when a library is loaded, so that we can debug the JNI_OnLoad function. Some programs put their anti-debugging in .init_array, which runs even earlier than JNI_OnLoad.

Then attach to the process and press F9; the program is still in the "waiting for debugger" state.

jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700

Let the program resume. It then stops in the linker. Set a breakpoint on JNI_OnLoad, press F9 to run to it, then step with F8. Stepping over this function makes the program exit, so step into it with F7.

This is the thread-creation library function: in the disassembly the call is BLX R7, and R7 holds the address of pthread_create. In the competition you could simply NOP the BLX R7 and test whether the anti-debugging is gone.

Clicking on DWORD_9BC882B4 also shows that it has been resolved to pthread_create,

while statically there is only the symbol, without the corresponding mapping.

So UNK_9BC836A4 is the function executed after the thread is created. Set a breakpoint there, press F9, and execution breaks inside the function.

The F5 output here is even harder to read than the raw assembly.

There is an obvious loop body whose main call is BL unk_9bc8330c. This call could simply be NOPed and the debugger tried again, but this is no longer a competition, and I want to keep looking at how it was done.

The code is genuinely hard to read, but since we are debugging anyway, just step through it: it reads the TracerPid field of /proc/pid/status, does a string comparison, and finally reaches

R2 points to the kill function in libc.so. This is the final step of the anti-debugging: when it finds it is being debugged it kills the process, destroying itself. In the flowchart this is a separate branch with no code after it.
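As an added example (my own code, not the crackme's or the write-up's), this is the TracerPid check the child thread performs, written out in plain C so the logic is readable and testable; the function names and the sample status text are mine, and the sample is constructed to look like what the thread reads while IDA is attached.

```c
/* Added example: the /proc/<pid>/status TracerPid check, as an app-side
 * debugger-detection routine. Function names are my own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the "TracerPid:" line in a status buffer. Returns the tracer's pid,
 * 0 when nothing is attached, or -1 when the field is missing. */
int parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return (int)strtol(line + 10, NULL, 10); /* skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read the calling process's own status file: 1 if a ptrace-based debugger
 * (such as IDA's android_server) is attached, 0 if not, -1 if unreadable. */
int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

/* Constructed sample: status text of a traced process (pids are made up). */
static const char SAMPLE_TRACED[] =
    "Name:\tcom.yaotong.crackme\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4321\n"
    "TracerPid:\t4567\n"
    "Uid:\t10066\t10066\t10066\t10066\n";

int main(void)
{
    printf("sample TracerPid = %d\n", parse_tracer_pid(SAMPLE_TRACED));
    printf("this process traced: %d\n", debugger_attached());
    return 0;
}
```

In the crackme the result of this comparison feeds the branch that calls kill; the same check is also what the patch in the next step neutralises.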

So we patch the bge loc_9bc59600 instruction so that this branch is not executed. libcrackme.so is loaded at base address 0x9bc58000, so the offset to modify in the original file is 0x9bc595d8 - 0x9bc58000 = 0x15d8.

Repack and run. IDA now attaches without the program exiting, which shows the anti-debugging has been defeated. Set a breakpoint on securityCheck and single-step with F8.

At this point R2 points to the stored password.

Enter aiyou,bucuoo and the answer is correct.

0x04 Other Ideas

Idea one:

Logcat prints a message when we enter a password for comparison,

so we can use this print call to print out the password.

This is the original code layout:

The patch approach is to move the log call down, because at address 0x12a4 the data address we want to print is loaded into R2. So the code from 0x1284 to 0x129c is rewritten with NOPs and the log function is called at 0x12ac; to avoid disturbing R1, the R1 at 0x12a0 is changed to R3 (9bc7f1a8). The earlier dynamic debugging also confirmed that R2 points to the password. The concrete patch is:

① 0x1284-0x129c: nop (0000A0E1)

② 0x12a8: mov R0, #4 (0400A0E3)

③ 0x12ac: BL __android_log_print (88FFFFEB). The 88 here is derived from the 92FFFFEB originally at 0x1284: the two addresses are 40 bytes apart, and ARM instructions are 4-byte aligned (the lowest two bits are always 00), so the branch offset is stored shifted right by two bits, i.e. divided by 4, giving 0x92 - 10 = 0x88.

④ 0x12a40-0x12a84: nop (0000A0E1)
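An added example, not from the write-up, that checks the 0x92 to 0x88 arithmetic of step ③ by encoding and decoding the ARM BL instruction in general form; the function names are mine, and the addresses and instruction words are the ones from the patch above.

```c
/* Added example: ARM (A32) BL encoder/decoder to verify the relocated
 * BL __android_log_print in step ③. Function names are my own. */
#include <stdint.h>
#include <stdio.h>

/* BL with condition AL: top byte 0xEB, then a signed 24-bit word offset
 * relative to PC+8. The instruction word 0xEBFFFF88 is stored little-endian
 * in the file, which is the byte sequence 88 FF FF EB seen in the patch. */
uint32_t encode_bl(uint32_t insn_addr, uint32_t target)
{
    int32_t byte_off = (int32_t)(target - (insn_addr + 8));
    int32_t word_off = byte_off / 4;            /* both addresses are 4-aligned */
    return 0xEB000000u | ((uint32_t)word_off & 0x00FFFFFFu);
}

/* Inverse: recover the call target of a BL instruction word at insn_addr. */
uint32_t decode_bl_target(uint32_t insn_addr, uint32_t insn)
{
    int32_t word_off = (int32_t)(insn & 0x00FFFFFFu);
    if (word_off & 0x00800000)                  /* sign-extend the 24-bit field */
        word_off -= 0x01000000;
    return insn_addr + 8 + (uint32_t)(word_off * 4);
}

int main(void)
{
    /* The original BL at 0x1284 is stored as 92 FF FF EB, i.e. 0xEBFFFF92. */
    uint32_t target = decode_bl_target(0x1284, 0xEBFFFF92);
    uint32_t moved = encode_bl(0x12AC, target);
    printf("__android_log_print at 0x%X, BL at 0x12AC encodes as 0x%08X\n",
           target, moved);
    return 0;
}
```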

Code layout after the patch:

Repack and run, enter the password, and the following log is printed:

Idea two:

The static password is at offset 0x4450,

so we attach to the process without running it and add 0x4450 to the libcrackme.so base address:

0x9bc30000 + 0x4450 = 0x9bc34450

Press G to jump directly to that address and read the answer. Allow me a sad face: why did I not think of that.

0x05 Summary

Besides reading TracerPid from /proc/pid/status, current anti-debugging also reads the TCP information under /proc/net/tcp to detect the debug ports of common debuggers. Another method measures a function's running time: read the system time on entering and on leaving the function, then compare the difference with a predetermined value to decide whether the program is being debugged.

Today's anti-debugging still works at a coarse granularity: NOPing the thread creation, or NOPing the entire function call, gets past all of it. It does not make use of dependencies between threads, where the main thread depends on the child thread running, so that if the child thread does not run the main thread also exits. A refinement would be to mix the anti-debugging code with normal functionality, for example using a producer-consumer model to establish the relationship between the main and child threads, which makes the anti-debugging function much harder to remove.

References:

http://www.cnblogs.com/Reyzal/p/4857948.html

http://www.52pojie.cn/thread-559205-1-1.html

http://www.wjdiankong.cn/android%E9%80%86%E5%90%91%E4%B9%8B%E6%97%85-%E5%8A%A8%E6%80%81%E6%96%B9%E5%BC%8F%E7%a0%b4%e8%a7%a3apk%e8%bf%9b%e9%98%b6%e7%af%87ida%e8%b0%83%e8%af%95so%e6%ba%90%e7%a0%81/

http://wooyun.jozxing.cc/static/drops/mobile-5942.html

http://drops.wooyun.org/tips/6840
