Android Reverse Dynamic Debugging Summary


I. Setting a breakpoint on a key function in the SO

When I first started with reverse debugging, I was content with setting a breakpoint on a key function in the SO, then triggering it by operating the application and stepping through from there.

For detailed steps, see the book [Android Software Security and Reverse Analysis].

Put simply: the file libsyclover.so contains a function jnicall1 that is called every time the button is clicked.

1. Load the so file statically in IDA and find the function's offset address: 0x132C

2. Run android_server on the device

3. Port forwarding

adb forward tcp:23946 tcp:23946

4. Run the program

5. Attach with IDA

IDA then pops up a dialog; click OK and select the process to attach to in the list box.

6. Set the breakpoint

After attaching completes, execution is paused in the libc.so module. Press Ctrl+S to display the module list and search for the so file name.

Record the base address: 0x76072000 (the RX segment).
Add the offset address 0x132C from static analysis to get 0x7607332C.
Press G to jump to this location.

Press F2 to set the breakpoint!

7. Trigger the breakpoint

With the breakpoint set, press F9 to continue; the status shows running.
Now click the button in the application, and the program breaks at the breakpoint just set ~

OK ~ This debugging method has many limitations and is only suitable for the basics; it no longer meets today's requirements.

II. Setting a breakpoint in the JNI_OnLoad function

The general role of JNI_OnLoad is to run when the program loads the so and perform a series of preparations.
In many cases, programmers put important logic in this function rather than in code triggered repeatedly by an event; this includes placing anti-debugging code there. The debugging method therefore has to change, and the method above is basically obsolete.

1. Statically find the offset of the JNI_OnLoad function: 0x1504

2. Run android_server on the device

3. Port forwarding

adb forward tcp:23946 tcp:23946

4. Start the program in debug mode

adb shell am start -D -n com.example.mytestcm/.MainActivity

The "Waiting For Debugger" dialog appears on the phone.

5. Open DDMS or Eclipse (this is needed in order to use the jdb command)

6. Attach with IDA

7. Set debugging options

Debugger > Debugger Options

8. Run the program (F9)

In IDA press F9; the program is now in the running state.
On the command line, run jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700, where port 8700 is the port shown in DDMS.

At this point the program breaks.

9. Set the breakpoint

Press Ctrl+S and search for the so file name.

The recorded base address is 0x76118000.
Adding the JNI_OnLoad offset 0x1504 gives 0x76119504.
Press G to jump to 0x76119504 and set the breakpoint there.

10. Trigger the breakpoint

With the breakpoint set, press F9 and execution breaks at JNI_OnLoad ~

Once this debugging method appeared, putting special or anti-debugging code in JNI_OnLoad was no longer safe. Programmers then found, by analysing how the system loads an SO file, that JNI_OnLoad is not the first code to run: before it, a series of functions in the .init section and .init_array are executed.
So the current approach is to put the breakpoint in .init_array ~
As for how to set it, one way is analogous to the JNI_OnLoad method: set the breakpoint on the function in .init_array. Another is to set a breakpoint on a function in the linker module and then step into .init_array. The next section describes in detail how to set a breakpoint on any system function.

III. Setting a breakpoint on any system function

1. What you need:
System source code matching your debugging environment; it can also be browsed online at http://androidxref.com/.
On a rooted phone it is easy to pull some of the system's so files to the local machine and find the offset of the system function statically.

2. Process

Run android_server
Port forwarding: adb forward tcp:23946 tcp:23946
adb shell am start -D -n <package name>/<class name>
Attach with IDA
Statically locate the offset of the target function within its module
Ctrl+S to find the base address of that module, then add the two to get the final address
G to jump to the address, then set the breakpoint
Press F9
Run jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
Execution breaks; debug from there
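The base-plus-offset calculation used in sections I to III is something a practitioner usually scripts rather than copies out of the Ctrl+S dialog. The Python below is an added example, not code from the original post: it parses /proc/<pid>/maps-style lines (the sample here is constructed, with bases and module names mirroring the figures quoted in the article) and takes the executable mapping of the named module as its base, which is what IDA's module list reports. The assumption that the executable segment is the one mapped at file offset 0 holds for the libraries in this article and is labelled as an assumption in the code.

```python
import re

# Constructed sample of /proc/<pid>/maps output (not captured from a device);
# the bases and module names mirror the figures quoted in the article.
SAMPLE_MAPS = """\
40000000-40001000 r--p 00000000 b3:19 1234    /system/bin/app_process
41492000-41530000 r-xp 00000000 b3:19 9012    /system/lib/libdvm.so
41530000-41540000 rw-p 0009e000 b3:19 9012    /system/lib/libdvm.so
76072000-76074000 r-xp 00000000 b3:19 5678    /data/data/com.example.mytestcm/lib/libsyclover.so
76074000-76075000 r--p 00001000 b3:19 5678    /data/data/com.example.mytestcm/lib/libsyclover.so
76075000-76076000 rw-p 00002000 b3:19 5678    /data/data/com.example.mytestcm/lib/libsyclover.so
7f000000-7f021000 rw-p 00000000 00:00 0       [stack]
"""

# Fields: start-end perms file_offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(\S*)$"
)


def parse_maps(text):
    """Parse maps-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, offset, path = m.groups()
        entries.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms,
            "offset": int(offset, 16),
            "path": path,
        })
    return entries


def module_base(entries, soname):
    """Return the load base of `soname`: its executable mapping at file offset 0.

    Assumption (true for the libraries in the article): the r-x segment is the
    first PT_LOAD of the file, so its start is the base IDA shows in the module list.
    """
    for e in entries:
        if e["path"].endswith("/" + soname) and "x" in e["perms"] and e["offset"] == 0:
            return e["start"]
    raise LookupError(f"{soname} has no executable mapping at file offset 0")


def runtime_address(entries, soname, static_offset):
    """Runtime address of a static IDA offset: module base + offset."""
    return module_base(entries, soname) + static_offset


def module_of(entries, address):
    """Reverse lookup: which mapping contains a runtime address, and at what
    offset. Useful when the debugger stops somewhere unexpected (for example
    inside libc.so right after attaching)."""
    for e in entries:
        if e["start"] <= address < e["end"]:
            return e["path"], e["perms"], address - e["start"]
    return None


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for so, off in (("libsyclover.so", 0x132C), ("libdvm.so", 0x5AE8A)):
        print(f"{so} + {off:#x} -> {runtime_address(maps, so, off):#x}")
```

On a real device the maps text comes from `adb shell cat /proc/<pid>/maps` for the process you attached to; the module list IDA shows after Ctrl+S is the same information, so the two should agree.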

IV. Setting a breakpoint on dvmDexFileOpenPartial and dumping the plaintext dex

Since last year, apk encryption and decryption has developed very rapidly, and many apk shell-protection solutions have appeared in China. This shows up in both dex protection and so protection!
For dex protection, for a long time you could dump the plaintext dex file by setting a breakpoint on the dvmDexFileOpenPartial function.
The third alictf challenge shows how to set a breakpoint on dvmDexFileOpenPartial!
The other steps are the same; here we mainly cover how to locate the dvmDexFileOpenPartial function.

1. View the source code

The dvmDexFileOpenPartial function is called from the rewriteDex function.

The key string is "Unable to create DexFile".
So pull libdvm.so from the phone's /system/lib directory.

2. Load it in IDA and search for the string: Unable to create DexFile

The offset obtained is 0x0005AE8A.

3. Set the breakpoint

Search for the module libdvm.so.

The base address is 0x41492000.
Adding the offset gives 0x414ECE8A.
Press G to jump there and set the breakpoint.

4. Dump the plaintext dex file

With the breakpoint set, press F9, then run jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700.
The program breaks.

The register window shows:

R0 holds the start address of the dex, R1 its length.

Dump it directly!
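R0 and R1 are just a pointer and a length, so before working with a dump it is worth confirming that what came out is a complete dex image of the length R1 reported. The Python below is an added example, not code from the original post: it checks the header fields (magic, header_size, endian_tag, file_size) against the reported length and recomputes the Adler-32 checksum that the dex format stores at offset 8. The sample image is constructed inline; the header layout follows the public dex format, and the offsets used are noted in the code.

```python
import struct
import zlib

DEX_HEADER_SIZE = 0x70          # size of the dex header_item
DEX_ENDIAN_CONSTANT = 0x12345678
# Header layout (dex format): magic[8] @0, checksum @8, signature[20] @12,
# file_size @32, header_size @36, endian_tag @40.
CHECKSUM_START = 12             # adler32 covers everything after the checksum field


def build_sample_dex(total_len):
    """Constructed stand-in for a decrypted dex image: a valid header, zero
    padding and a correct checksum. Not a dex from the article."""
    img = bytearray(total_len)
    img[0:8] = b"dex\n035\0"
    struct.pack_into("<I", img, 32, total_len)            # file_size
    struct.pack_into("<I", img, 36, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<I", img, 40, DEX_ENDIAN_CONSTANT)  # endian_tag
    struct.pack_into("<I", img, 8,
                     zlib.adler32(bytes(img[CHECKSUM_START:])) & 0xFFFFFFFF)
    return bytes(img)


def check_dex_image(buf, reported_len):
    """Return a list of problems with a dumped buffer; an empty list means it
    looks like a complete dex of the length the debugger reported (R1)."""
    problems = []
    if len(buf) < DEX_HEADER_SIZE:
        return ["buffer shorter than a dex header"]
    magic = buf[0:8]
    if not (magic[:4] == b"dex\n" and magic[4:7].isdigit() and magic[7] == 0):
        problems.append(f"bad magic {bytes(magic)!r}")
    (checksum,) = struct.unpack_from("<I", buf, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", buf, 32)
    if header_size != DEX_HEADER_SIZE:
        problems.append(f"header_size {header_size:#x} != {DEX_HEADER_SIZE:#x}")
    if endian_tag != DEX_ENDIAN_CONSTANT:
        problems.append(f"endian_tag {endian_tag:#x} is not the little-endian constant")
    if file_size != reported_len:
        problems.append(f"header file_size {file_size:#x} != reported length {reported_len:#x}")
    if len(buf) < file_size:
        problems.append(f"truncated: have {len(buf):#x} bytes, header says {file_size:#x}")
    else:
        actual = zlib.adler32(bytes(buf[CHECKSUM_START:file_size])) & 0xFFFFFFFF
        if actual != checksum:
            problems.append(f"adler32 mismatch: header {checksum:#x}, computed {actual:#x}")
    return problems


if __name__ == "__main__":
    image = build_sample_dex(0x200)
    print("complete image:", check_dex_image(image, 0x200) or "ok")
    print("short dump:    ", check_dex_image(image[:0x100], 0x200))
```

A checksum mismatch on a real dump is not always corruption: some protectors rewrite header fields without updating the checksum, so treat it as a flag to look closer, while a file_size or truncation error means the dump itself is incomplete.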

5. Follow-up

Decompile the dumped dex.
The result looks like this:

V. Closing remarks

As the technology develops, apk protection keeps getting better! This greatly increases the difficulty of reverse analysis. At the same time, the whole back-and-forth between attack and defense has been a great learning experience for people on both sides, and both have made great strides!
It has also driven the overall improvement of hardening!
Throughout, dynamic debugging is essential.

All rights reserved. For more information, see the source.
Reprinted from http://www.sanwho.com/671.html ([Reprint] Android Reverse Dynamic Debugging Summary | God Hu)
