Android reverse dynamic debugging of a .so library's JNI_OnLoad function (based on IDA)

Source: Internet
Author: User

I saw a summary of Android reverse dynamic debugging experience on the 52pojie ("I Love Cracking") forum. The post is well written and very helpful for Android unpacking and cracking. Our teacher also covered the method of centralized debugging in class, but it is not very practical now. I have read that 52pojie post many times and looked up a lot of information, but I always felt it was rather cumbersome, and I had not noticed many of the details; following the post I tried several times but ran into an error (mentioned later). This weekend I picked it up again and finally solved the problems I encountered, so I am making a record here to avoid forgetting. Some of the details are still not clear to me; anyone who knows is welcome to point them out.

Step 1: add the make.exe tool to the system PATH environment variable

For Android dynamic debugging, typing the commands by hand in the CMD console is cumbersome, so I use a lazy shortcut. To do that, the make.exe tool provided by the Android NDK, located in the installation directory C:\AndroidDevlopment\android-ndk-r9d-windows-x86_64\android-ndk-r9d\prebuilt\windows-x86_64\bin (the exact path depends on your own installation directory), needs to be on the PATH. Before Android dynamic debugging, add that path to the system PATH or to a temporary PATH environment variable as follows:


Add the path to the PATH variable in the system environment:


Step 2: prepare the android_server file and write the .mk files needed for Android dynamic debugging

The android_server file is provided by IDA 6.6; it is located under the IDA 6.6\dbgsrv directory of the IDA installation path, so copy it directly from there (only IDA 6.1 and newer support Android dynamic debugging). I have written the specific .mk files below; you can copy the code directly into a file with the .mk suffix and use it. As for how to write makefiles properly, I don't know.

CMD console 1 uses the listen.mk file, written as follows:

# Notes (console 1)
# Uses the make.exe program provided by the Android NDK; the program's path
# xx\android-ndk-r9d-windows-x86_64\android-ndk-r9d\prebuilt\windows-x86_64\bin
# must be added to the environment variables
# Remember to start the Android emulator or connect the development phone to the computer
# android_server here is the one from IDA 6.6
# Command used (console 1): make -f listen.mk

# File name
modale_name=crackme.apk

# Install the program to the phone
listen:
	adb push $(modale_name) /data/local/tmp
	adb shell chmod 755 /data/local/tmp/$(modale_name)
	adb push android_server /data/local/tmp
	adb shell chmod 755 /data/local/tmp/android_server
# Start the program in debug mode; at this point the phone shows the "Waiting for debugger" screen
# Format: adb shell am start -D -n <package name>/.<class name>
	adb shell am start -D -n com.yaotong.crackme/.MainActivity
# Port forwarding
	adb forward tcp:23946 tcp:23946
# Start android_server
#	adb shell su
	adb shell /data/local/tmp/android_server

CMD console 2 uses the conn.mk file, written as follows:

# Next, attach IDA and set the debugger options (console 2)
# Statically find the offset of the target function within its module, use Ctrl+S to find
# the base address of that module, and add the two addresses to get the final address
# Press G to jump to the address, set a breakpoint, then F9 to run
# port=8700 here is the port seen in DDMS
# After IDA attaches, press F9 to run the program; it is then in the running state
conn:
	jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700

A brief explanation of the role of each command in the .mk files:

# Command used (console 1): make -f listen.mk
Note: make -f listen.mk is the command format used to run the listen.mk file in the console.
# File name
modale_name=crackme.apk
crackme.apk is the target APK app that we want to debug dynamically.
adb push $(modale_name) /data/local/tmp
Uses the adb program to copy the target APK app to the /data/local/tmp directory of the Android system.
adb shell chmod 755 /data/local/tmp/$(modale_name)
The adb shell command means entering the Android system's shell.
The command above sets the file permission of the target APK under /data/local/tmp to 755.
adb push android_server /data/local/tmp
Uses the adb program to copy the android_server program file to the /data/local/tmp directory of the Android system.
adb shell chmod 755 /data/local/tmp/android_server
Sets the permission of the android_server program file under the Android system directory /data/local/tmp to 755.
# Format: adb shell am start -D -n <package name>/.<class name>, or adb shell am start -D -n <package name>/<package name>.<class name>
adb shell am start -D -n com.yaotong.crackme/.MainActivity
Uses the adb shell am start -D -n <package name>/.<class name> command to start the APK application in debug mode (-D); once started in debug mode, the APK application stops at the "Waiting for debugger" screen. For the specific usage of the am start command see: Http://developer.android.com/tools/help/adb.html#IntentSpec
adb forward tcp:23946 tcp:23946
adb port forwarding, so that IDA's connection to local port 23946 reaches android_server on the device.
adb shell /data/local/tmp/android_server
Starts the android_server program that was copied to the Android system and waits for the IDA 6.6 program to connect.
# Command used (console 2): make -f conn.mk
Note: make -f conn.mk is the command format used to run the conn.mk file in the console.
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
Uses the jdb debugger; I don't know the exact meaning of the command line, and it seems the command is different under Linux.
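The same listen/conn sequence as POSIX shell functions, added here as an example (this is not the post's own code; the post drives these commands through make on Windows). It keeps the post's package name, activity, APK name and ports, defaults to a dry run that only prints the adb/jdb commands so the sequence can be checked without a device, and also includes the so.start + jni_onload_offset address computation used later in the post. The DRY_RUN switch and the run/listen/conn/jni_onload_addr function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: the listen.mk / conn.mk steps as
# shell functions, with a dry-run mode (DRY_RUN=1, the default) that prints each
# command instead of executing it. Set DRY_RUN=0 with a device attached to run.
PKG="${PKG:-com.yaotong.crackme}"          # values from the post
ACTIVITY="${ACTIVITY:-.MainActivity}"
APK="${APK:-crackme.apk}"
IDA_PORT="${IDA_PORT:-23946}"              # android_server's default port
JDWP_PORT="${JDWP_PORT:-8700}"             # port shown by DDMS for the process
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it on a dry run.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (listen.mk): push the APK and android_server, make them executable,
# start the activity in debug mode (-D) so it stops at "Waiting for debugger",
# forward IDA's port, then start android_server on the device.
listen() {
    run adb push "$APK" /data/local/tmp
    run adb shell chmod 755 "/data/local/tmp/$APK"
    run adb push android_server /data/local/tmp
    run adb shell chmod 755 /data/local/tmp/android_server
    run adb shell am start -D -n "$PKG/$ACTIVITY"
    run adb forward "tcp:$IDA_PORT" "tcp:$IDA_PORT"
    # The post keeps "adb shell su" commented out; root is only needed on
    # devices where /data/local/tmp binaries cannot otherwise ptrace the app.
    run adb shell /data/local/tmp/android_server
}

# Step 2 (conn.mk): attach jdb to the JDWP port forwarded by DDMS, which
# releases the "Waiting for debugger" screen once IDA is already attached.
conn() {
    run jdb -connect "com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=$JDWP_PORT"
}

# Runtime address of JNI_OnLoad = module base (so.start, read from Ctrl+S in the
# attached IDA) + static offset of JNI_OnLoad in the .so (jni_onload_offset).
# Both arguments are hex without a 0x prefix, as IDA displays them; the result
# is printed the same way, ready for IDA's "G" (jump to address) dialog.
jni_onload_addr() {
    base=$1
    offset=$2
    printf '%x\n' $(( 0x$base + 0x$offset ))
}

# Only drive a device when explicitly asked; sourcing or dry-running is inert.
if [ "${1:-}" = listen ]; then listen; fi
if [ "${1:-}" = conn ]; then conn; fi
```

Run `sh debug.sh listen` in one console and `sh debug.sh conn` in another after IDA has attached; with `DRY_RUN=1` each call only prints the commands it would run. `jni_onload_addr aa238000 00001b9c` reproduces the post's own result, aa239b9c.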


OK, the required files are ready, and Android reverse dynamic debugging is one step closer.

Step 3: open Eclipse, add the android:exported="true" option to the target APK application to be debugged, and build an APK suitable for debugging

During Android reverse dynamic debugging, Eclipse must be open, and the Android emulator and DDMS must also be running, to make it convenient to use the adb and jdb programs; those who can afford it can debug on a real device.


Before we do the Android dynamic debugging, we need to do one more thing: add android:exported="true" to the target APK program to be debugged and modify the listen.mk file accordingly. Looking at posts and blogs written by others, the problem may also be a character problem! During Android dynamic debugging, the am start -D command could not start the target APK application in debug mode; this may also have been a character issue. A Baidu search today found the solution: add the android:exported="true" option to the launch activity. After adding this option and executing the am start -D command, the target APK program being debugged shows the "Waiting for debugger" screen and stops there. So the question now is how to add the android:exported="true" option, which is simple. We use the Android reverse engineering tool Android Killer, which I have used for a long time and which is simple. Here the target program to debug dynamically is the crackme.apk application. Open the Android Killer program and drag and drop crackme.apk into its interface to disassemble the application; then, in the extracted project, locate the crackme.apk configuration file AndroidManifest.xml and open it, find the package name of the crackme.apk file and its main launch activity, and add the android:exported="true" option to that activity:


After unpacking and modifying the target APK crackme.apk to add the android:exported="true" option, you must not forget to re-package the modified project and sign it, generating a new crackme.apk to use when debugging later. The newly generated crackme.apk is placed in the Android Killer directory C:\AndroidDevlopment\androidkiller\projects\crackme\bin (the exact path depends on the Android Killer installation directory). Now it is much easier to debug the target application crackme.apk dynamically.

Also, modify the variable modale_name=crackme.apk and the command adb shell am start -D -n com.yaotong.crackme/.MainActivity in the listen.mk file according to the name of the target APK application and its main launch activity.

Step 4: open a CMD console and start the target APK program in debug mode

Copy the crackme.apk file repackaged in step 3 from C:\AndroidDevlopment\androidkiller\projects\crackme\bin together with the android_server, listen.mk and conn.mk files into the same directory, then open a CMD console, cd into that directory and execute the command make -f listen.mk, as shown:



Note here that if you did not add the android:exported="true" option to the target APK application in step 3, the following error occurs when executing the command adb shell am start -D -n com.yaotong.crackme/.MainActivity, but if you did add android:exported="true" to the target APK application, the error does not appear after executing the command. I don't know the specific reason; when I tried Android dynamic debugging before I was also stuck here. It may be an Android app permissions problem: you also need to export an Android content provider when registering it, which may be the same thing; or refer to this article http://chenxuebinbj.blog.163.com/blog/static/42869151201302235215832/. I also encountered this kind of error in the Kanxue (Pediy) forum.

Note: I really have no words. When I finished writing this note and tried to reproduce the error, the unspeakable happened: I executed the adb shell am start -D -n com.yaotong.crackme/.MainActivity command again without the android:exported="true" option, and unexpectedly it did not report the error about not finding the com.yaotong.crackme/.MainActivity class. I tried several more times and the am start -D command error prompt I had encountered did not appear; really, no words. To correct this: it appears that adding the android:exported="true" option is not required.

At this time the target crackme.apk program being dynamically debugged in the Android emulator is in the following running state, stopped at the "Waiting for debugger" screen:


Launch an IDA main program, click the menu Debugger -> Attach -> Remote ARMLinux/Android debugger to open the debugger dialog, enter localhost in the Hostname field and click OK, then in the IDA pop-up window select the process to attach, com.yaotong.crackme, and click OK, as shown:




At this point the process of the target APK application to be debugged dynamically has been attached to the IDA 6.6 program; after success the state is as follows:


Here are some IDA 6.6 debugger settings for dynamic debugging of the target APK application: click the IDA menu item Debugger -> Debugger options, and in the Debugger setup window that pops up select Suspend on thread start/exit and Suspend on library load/unload under Events, then click OK to exit. This makes the program break automatically when a new thread is created or a .so is loaded. For the specific operation see:



OK, the IDA 6.6 setup is complete. Do not close the CMD console, the IDA 6.6 program, the Eclipse program or the Android emulator; keep them all in their current state, as they will be used in the later dynamic debugging.

Step 5: open another CMD console and set a breakpoint on the JNI_OnLoad function in the target APK application's .so library.

Modify the jdb command in the conn.mk file according to the debug port 8612/8700 of the com.yaotong.crackme process from step 4, to jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700, as shown:


Open a CMD console, cd into the directory containing conn.mk and execute the make -f conn.mk command, as shown:


After the connection succeeds and F9 is pressed in the IDA 6.6 program, the "Waiting for debugger" prompt in the Android emulator from the third step disappears automatically; at this time it should have broken on a new thread or on a .so load, the specific state being as shown. But one thing is not quite clear: during my debugging run, IDA 6.6 showed the following prompt; I don't know whether it is an error, and ask the experts to help point it out.


In IDA 6.6, for example, I did not pay attention to this dialog and just clicked OK all the way through, ignoring this confusing Add Map dialog.


Now you can press the shortcut Ctrl+S in IDA 6.6 to see whether the .so you want to debug has been loaded; if not, press F9 until it is loaded. If it has, write down the starting memory base address of the .so. Then extract the crackme.apk file directly with compression software to get the .so library that crackme.apk loads, open a second IDA 6.6 to statically analyze the .so library, and locate the memory relative virtual address (RVA) of the JNI_OnLoad function, jni_onload_offset. The real address of the JNI_OnLoad function in memory is then so.start + jni_onload_offset (the memory base address at which the .so library is loaded plus the RVA of the JNI_OnLoad function).



Note: several .so libraries with the same name appear in the Ctrl+S pop-up window, and we should choose as the load base the one whose class type is CODE, i.e., the memory segment holding code. Its .start has RX permission: RX is usually the code segment, RW is generally a data segment. Here so.start = aa238000.

Opening the target APK application's .so library file libcrackme.so in IDA 6.6 for static analysis gives the memory relative virtual address of the JNI_OnLoad function as 00001b9c, i.e., jni_onload_offset = 00001b9c, so the real address of the JNI_OnLoad function in memory is so.start + jni_onload_offset = aa238000 + 00001b9c = aa239b9c. After getting the real address, press the shortcut G in the IDA 6.6 instance attached to the target process to go to address aa239b9c, then press F2 to set the breakpoint at the entry of the JNI_OnLoad function.

OK, with the breakpoint successfully set on the JNI_OnLoad function, the .so file can now be debugged dynamically from that breakpoint: F7/F8 to single-step, or F9 to run directly.

Setting a breakpoint on the APK application's JNI_OnLoad function is very effective for analyzing the APK program's native methods from the ARM assembly point of view, but this method is not always valid: JNI programming on Android can also be done without using the JNI_OnLoad function.

This debugging note also took a few hours, but unfortunately the result was that running with F9 made the program run away; I estimate the error was caused by my handling of the Add Map dialog in IDA 6.6. I hope an expert can tell me the reason, and also tell me a good method of Android dynamic debugging and why the adb shell am start -D -n com.yaotong.crackme/.MainActivity command errors when started without adding the export option.

Reference URLs:

Http://www.cnblogs.com/wanyuanchun/p/3760825.html?utm_source=tuicool

http://www.52pojie.cn/forum.php?mod=viewthread&tid=293648


2015/4/12 2:08
