We know that when an so file is loaded, the functions in its .init_array section are executed first, and only then is JNI_OnLoad() called. JNI_OnLoad() is easy to find because it has a symbol table entry, but the functions in .init_array have to be located by hand: open View->Open subviews->Segments, then click .init_array to see the functions it contains.
But usually, by the time we attach with IDA, .init_array and JNI_OnLoad() have already executed, so there is nothing left there to debug. In that case we can use jdb, a tool that ships with the JDK and can be found in the JDK's bin directory. Here we use the second problem of the 2014 Alibaba Mobile Security Challenge as an example of how to debug JNI_OnLoad().
After opening the program, the interface looks like this:
Our goal is to get the password. Decompiling the so file with IDA shows that the password we enter is compared with the string that the pointer off_628C points to.
So we look at the address off_628C points to and find that the corresponding string is "wojiushidaan".
But when we enter that password, it is rejected. It seems the so file modifies the password string dynamically when it is loaded. Since the modification happens at load time, we try debugging it with IDA: we open the program, attach IDA to it, and find that the program has already exited and IDA shows nothing useful. This is what is meant by a self-destructing program: it quits as soon as a debugger attaches. So we dynamically debug JNI_OnLoad() to see what the program does there. The steps are as follows:
1 DDMS
Be sure to open DDMS, otherwise the debug port is not open and you cannot pause at the start of the program. I didn't know that DDMS had to be open to use jdb; I thought it was a problem with the Android system or the SDK and reinstalled them several times. Sweat.
2 adb push androidserver /data/local/tmp/
adb shell
su
chmod 777 /data/local/tmp/androidserver
/data/local/tmp/androidserver
Here we push IDA's androidserver to the phone and run it as root.
3 adb forward tcp:23946 tcp:23946
Forward IDA's debug port so that IDA on the PC can connect to the phone.
4 adb shell am start -D -n com.yaotong.crackme/.MainActivity
Here we start the program in debug mode. The program shows a "Waiting for debugger" screen.
5 IDA attach target app
Now we start IDA and attach to the app's process.
6 Suspend on library load
In IDA's debugger setup we check "Suspend on library load", then click Continue.
7 jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
Use jdb to let the app resume execution.
8 Add a breakpoint at JNI_OnLoad
The program then stops when it loads libcrackme.so. At this point IDA complains that it cannot find the file; ignore that and click Cancel. Now libcrackme.so appears in the Modules window; open it, set a breakpoint at JNI_OnLoad, and click Continue. The program then stops inside JNI_OnLoad().
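The adb and jdb side of steps 2, 3, 4 and 7 above, written up as an added example (not code from the original post), with a pid check so IDA is only attached once the app process actually exists. Assumptions: the phone is rooted, IDA's server binary is named android_server (the post writes androidserver) and sits in the current directory, and steps 5 and 6 are still done by hand in IDA when the script prompts.

```shell
#!/bin/sh
# Added example: automates the adb/jdb side of the JNI_OnLoad debugging procedure.
# Assumed: rooted phone, IDA's server named android_server in the current directory;
# ADB and SERVER can be overridden from the environment (a stub is used in tests).
ADB="${ADB:-adb}"
SERVER="${SERVER:-android_server}"
PKG="com.yaotong.crackme"
ACTIVITY=".MainActivity"
IDA_PORT=23946   # port android_server listens on
JDWP_PORT=8700   # port DDMS forwards to the selected process's JDWP

# Step 2: push the IDA server, make it executable, run it as root in the background.
push_and_start_server() {
    "$ADB" push "$SERVER" /data/local/tmp/ &&
    "$ADB" shell "chmod 777 /data/local/tmp/$SERVER" || return 1
    "$ADB" shell "su -c /data/local/tmp/$SERVER" &
}
# Step 3: forward IDA's port. Step 4: start the activity so it waits for a debugger.
forward_ida_port() { "$ADB" forward "tcp:$IDA_PORT" "tcp:$IDA_PORT"; }
start_waiting()    { "$ADB" shell am start -D -n "$PKG/$ACTIVITY"; }

# Extract a package's pid from `ps` output on stdin. In both the old Android ps
# layout and the toybox one, PID is column 2 and the process name is the last
# column; tr strips the CR that older adb versions append to every line.
pid_from_ps() { tr -d '\r' | awk -v pkg="$1" '$NF == pkg { print $2; exit }'; }

# Poll ps until the app process exists (it sits in "Waiting for debugger").
wait_for_pid() {
    i=0
    while [ "$i" -lt 30 ]; do
        pid=$("$ADB" shell ps | pid_from_ps "$PKG")
        [ -n "$pid" ] && { echo "$pid"; return 0; }
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Step 7: once IDA is attached with "Suspend on library load" set, jdb resumes the app.
resume_with_jdb() { jdb -connect "com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=$JDWP_PORT"; }

# Full sequence; steps 5 and 6 are done by hand in IDA when prompted.
run() {
    push_and_start_server && forward_ida_port && start_waiting || return 1
    pid=$(wait_for_pid) || { echo "$PKG did not appear in ps" >&2; return 1; }
    echo "$PKG is pid $pid and waiting; attach IDA, set suspend on library load, press Enter"
    read dummy
    resume_with_jdb
}
if [ "${1:-}" = run ]; then run; fi
```

Invoke as `sh debug_jni_onload.sh run` (constructed filename); the script exits early if any adb step fails or the process never appears.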
PS: Sometimes F5 does not work inside a function. In that case press "P" so that IDA analyses the code as a function, then press "F5" to see the decompiled function.
Because the process is somewhat cumbersome, I recorded a video of debugging JNI_OnLoad() and put it on my GitHub; interested readers can download it and watch. Because other techniques are involved, how to debug the functions in .init_array is explained in the following section, "IDA double-open location".
IDA debugging .init_array and JNI_OnLoad