Lobotomy: Android Reverse Engineering Framework (Part 2)
0x01 Overview
In Part 1, we explained how to load an application into Lobotomy and how the Lobotomy global loader works. In this second part, we will show how to use Lobotomy to decompile an APK, and how to convert a non-debuggable Android app into a debuggable one.
0x02 APK Decompilation
Lobotomy ships with its own Apktool build, which provides APK decompilation. The module's built-in help shows the conditions required to run the decompilation module:
Now that we know the required conditions, we pass the path of the target APK to this module and leave the rest to it:
The result is saved in the Lobotomy output directory:
[~/Tools/android/lobotomy/output]> ls
d2j thunder
┌[rotlogix@carcass] [/dev/ttys005] [1.2 ?]
└[~/Tools/android/lobotomy/output]> cd thunder
┌[rotlogix@carcass] [/dev/ttys005] [1.2 ?]
└[~/Tools/android/lobotomy/output/thunder]> ls -la
total 32
drwxr-xr-x  8 rotlogix staff  272 Jan  9 10:33 .
drwxr-xr-x  5 rotlogix staff  170 Jan  9 10:33 ..
-rw-r--r--  1 rotlogix staff 9902 Jan  9 10:33 AndroidManifest.xml
-rw-r--r--  1 rotlogix staff  309 Jan  9 10:33 apktool.yml
drwxr-xr-x  5 rotlogix staff  170 Jan  9 10:33 assets
drwxr-xr-x  4 rotlogix staff  136 Jan  9 10:33 original
drwxr-xr-x 73 rotlogix staff 2482 Jan  9 10:33 res
drwxr-xr-x  6 rotlogix staff  204 Jan  9 10:33 smali
0x03 Converting to a Debuggable APK
Normally, the android:debuggable attribute is removed from AndroidManifest.xml before an Android application is built, signed, and submitted to the app store. When the attribute is present and set to "true", however, the application will accept a debugger connection, for example from a Java debugger over the Java Debug Wire Protocol (JDWP). As you can imagine, this means you can download an APK from the app store, convert it into a debuggable APK, and debug it, which is very helpful for dynamic analysis.
I personally find that, without an automated way to do it, manually converting a target APK to a debuggable state is very painful. Fortunately, we have Lobotomy in our hands:
The debuggable module requires the same conditions as the decompilation module. Next, specify the path of the target APK that cannot be debugged and start the conversion process:
(lobotomy) debuggable thunder /Users/rotlogix/android-browser-research/thunder-web-browser/apk/thunder-browser.apk
[2016-01-09 10:57:35.463305] Decompiling : /Users/rotlogix/android-browser-research/thunder-web-browser/apk/thunder-browser.apk
I: Using Apktool 2.0.2-027e13-SNAPSHOT on thunder-browser.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/rotlogix/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
[2016-01-09 10:57:38.290216] Adding android:debuggable="true"
[2016-01-09 10:57:38.298917] Building APK : thunder
I: Using Apktool 2.0.2-027e13-SNAPSHOT
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
[2016-01-09 10:57:44.165020] Building completed
First, Lobotomy decompiles the target APK, adds the attribute android:debuggable="true" to the AndroidManifest.xml file, and then rebuilds the application.
[2016-01-09 10:57:44.165116] APK signing process initiated
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Benjamin Watson
What is the name of your organizational unit?
  [Unknown]:  LifeFormLabs
What is the name of your organization?
  [Unknown]:  LifeFormLabs
What is the name of your City or Locality?
  [Unknown]:  ATL
What is the name of your State or Province?
  [Unknown]:  GA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Benjamin Watson, OU=LifeFormLabs, O=LifeFormLabs, L=ATL, ST=GA, C=US correct?
  [no]:  yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
	for: CN=Benjamin Watson, OU=LifeFormLabs, O=LifeFormLabs, L=ATL, ST=GA, C=US
Enter key password for
	(RETURN if same as keystore password):
Re-enter new password:
[Storing lobotomy-key.keystore]
Enter Passphrase for keystore:
  adding: META-INF/MANIFEST.MF
  adding: META-INF/LOBOTOMY.SF
  adding: META-INF/LOBOTOMY.RSA
  signing: AndroidManifest.xml
  signing: assets/cachejson.txt
  signing: assets/f.html
  signing: assets/hosts.txt
  ...
After rebuilding the target application, Lobotomy signs the APK, prompting for the keystore details shown above, so that the APK file can be reinstalled on our target device or emulator. If we now check the Lobotomy output directory, we should see the generated debuggable APK file:
[~/Tools/android/lobotomy/output/thunder]> ls -la
total 4904
drwxr-xr-x 10 rotlogix staff     340 Jan  9 10:58 .
drwxr-xr-x  5 rotlogix staff     170 Jan  9 10:57 ..
-rw-r--r--  1 rotlogix staff    9894 Jan  9 10:57 AndroidManifest.xml
-rw-r--r--  1 rotlogix staff     309 Jan  9 10:57 apktool.yml
drwxr-xr-x  5 rotlogix staff     170 Jan  9 10:57 assets
drwxr-xr-x  3 rotlogix staff     102 Jan  9 10:57 build
drwxr-xr-x  4 rotlogix staff     136 Jan  9 10:57 original
drwxr-xr-x 73 rotlogix staff    2482 Jan  9 10:57 res
drwxr-xr-x  6 rotlogix staff     204 Jan  9 10:57 smali
-rw-r--r--  1 rotlogix staff 2494443 Jan  9 10:58 thunder.apk
To verify this, we use Apktool to decompile the generated APK and look at the changes in AndroidManifest.xml:
└[~/Tools/android/lobotomy/output/thunder]> apktool d thunder.apk
I: Using Apktool 2.0.3-0649d5-SNAPSHOT on thunder.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/rotlogix/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
┌[rotlogix@carcass] [/dev/ttys005] [1.2 ?]
└[~/Tools/android/lobotomy/output/thunder]> ls
thunder thunder.apk
┌[rotlogix@carcass] [/dev/ttys005] [1.2 ?]
└[~/Tools/android/lobotomy/output/thunder]> cd thunder
┌[rotlogix@carcass] [/dev/ttys005] [1.2 ?]
└[~/Tools/android/lobotomy/output/thunder/thunder]> ls
AndroidManifest.xml apktool.yml assets original res smali
┌[rotlogix@carcass] [/dev/ttys005] [1.2 ?]
└[~/Tools/android/lobotomy/output/thunder/thunder]> open AndroidManifest.xml
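The two manifest-level steps in this section, adding android:debuggable="true" during the conversion and then checking the decoded manifest to verify it, can be shown in a few lines of Python. The script below is an added example and is not Lobotomy's own code (Lobotomy drives Apktool for the decompile and rebuild steps, which this script does not do). It parses a decoded AndroidManifest.xml, sets or clears android:debuggable on the <application> element while keeping the android: namespace prefix that Apktool expects, and reports whether a given manifest is already debuggable. The same is_debuggable check is what a release engineer would run against their own build before shipping, since a debuggable production app is a known weakness. The sample manifest, the file name and the --check flag are constructed for this example.

```python
"""Add or check android:debuggable on a decoded AndroidManifest.xml.

Added example, not Lobotomy's code. Only the manifest edit and the
verification check are shown; apktool d / apktool b are run separately.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Register the conventional prefix so the rewritten file still reads
# android:debuggable rather than an auto-generated ns0: prefix, which
# apktool would not recognise when rebuilding the APK.
ET.register_namespace("android", ANDROID_NS)

# Constructed sample of a decoded manifest (what apktool d writes to
# output/<name>/AndroidManifest.xml) with no debuggable flag at all.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser" platformBuildVersionCode="23">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="@string/app_name" android:icon="@drawable/icon">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _application(root):
    """Return the single <application> element or fail loudly."""
    app = root.find("application")
    if app is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    return app


def is_debuggable(manifest_xml: str) -> bool:
    """True only if <application> carries android:debuggable="true".

    A release build normally omits the attribute entirely, which Android
    treats as false, so a missing attribute is reported as not debuggable.
    """
    app = _application(ET.fromstring(manifest_xml))
    return app.get(DEBUGGABLE_ATTR, "false").strip().lower() == "true"


def set_debuggable(manifest_xml: str, enabled: bool = True) -> str:
    """Return the manifest text with android:debuggable set on <application>."""
    root = ET.fromstring(manifest_xml)
    _application(root).set(DEBUGGABLE_ATTR, "true" if enabled else "false")
    # ElementTree drops the XML declaration on serialisation; put it back so
    # the file looks like what apktool produced.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(
        root, encoding="unicode"
    )


def patch_manifest_file(path: str, enabled: bool = True) -> bool:
    """Rewrite a decoded manifest in place; return whether it was debuggable before."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    before = is_debuggable(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_debuggable(original, enabled))
    return before


if __name__ == "__main__":
    # Usage (constructed): python debuggable.py [--check] output/<name>/AndroidManifest.xml
    paths = [a for a in sys.argv[1:] if a != "--check"]
    if len(paths) != 1:
        sys.exit("usage: debuggable.py [--check] AndroidManifest.xml")
    if "--check" in sys.argv:
        with open(paths[0], encoding="utf-8") as f:
            print("debuggable" if is_debuggable(f.read()) else "not debuggable")
    else:
        print("was debuggable before patch:", patch_manifest_file(paths[0]))
```

Run it with --check against output/thunder/thunder/AndroidManifest.xml after the apktool d above to confirm the rebuilt APK carries the flag, or against an unpacked release build of your own application to confirm it does not. Without --check it patches the decoded manifest in place, which is the edit Lobotomy performs between its decompile and build steps.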
0x04 Conclusion
In this part, we explained how to decompile Android applications and convert them to a debuggable state. In the third part, we will look at the Lobotomy modules for analyzing and enumerating applications.