Android Reverse Engineering, Step by Step: Unpacking under ART (dumping dex in ART mode)

This article is by Hai_zhu, a writer for the i春秋 (ichunqiu) community.

0x00 Preface

Most of the write-ups available cover dumping under Dalvik, so this one covers dumping under ART.

Dalvik is the runtime on Android 4.4 and earlier; from Android 5.0 onward the runtime is ART. For the details of the two runtimes, search Baidu. If anything in this article is unclear, you can message me privately.

Without further ado, straight to the procedure.

Content: dynamically dump the dex file out of a demo app.

Environment

1. System: Xiaomi 9.0
2. IDA 7.0

0x01 Dynamically dumping the dex file from the demo app

1. Start IDA listening on a port

1.1 Start the android_server service

1.2 Port forwarding

1.3 Start the app in debug mode

2. Break in IDA

2.1 Attach to the process

2.2 Tick the three break options

2.3 Select the process

2.4 Open the Modules window

Search for libart

PS: a small note

Up to Android 4.4, the runtime functions are in libdvm.so.

From Android 5.0 on, the runtime functions are in libart.so.

2.5 Open the OpenMemory() function

Search for the OpenMemory function in libart.so and follow it into the disassembly.

PS: a small note

The system usually loads the dex inside this function, but there is a catch, discussed later.

2.6 Set a breakpoint

3. Run the program until it breaks

3.1 Resume the program with jdb

3.2 Check IDA

The breakpoint hit: execution stopped at the point where we set it.

3.3 Locate the dex

Open the Registers window: R1 points to our dex.

Then follow R1 in the Hex view.

The binary structure of a dex file is clearly visible. If you don't recognize it, see the earlier dex file analysis article.

3.4 Extract the key values

First key value: the dex start address, 0xf35ca328.

Second key value: the file size field of the dex header, 70 35 01 00, which read as little-endian is 0x00013570.

Adding the two in hex gives the end address, 0xf35dd898.

4. Dump

4.1 Dump with an IDC script

    #include <idc.idc>

    static main(void)
    {
        auto fp, begin, end, dexbyte;
        // open or create the output file
        fp = fopen("D:\\dump.dex", "wb");
        // dex base address: use the start address found in step 3.4 (it changes between runs)
        begin = 0xf34c6320;
        // dex base + dex file size (the file_size field of the header)
        end = begin + 0x00013570;
        for (dexbyte = begin; dexbyte < end; dexbyte++) {
            // dump it byte by byte into the local file
            fputc(Byte(dexbyte), fp);
        }
        fclose(fp);
    }

4.2 Run the dump script

Once the script is written, click Run.

4.3 Dump successful

0x02 Follow-up

The dumped dex still differs slightly from the original dex and needs some repair before use. What exactly the repair involves is still being worked out; if an expert passing by can offer a pointer or two, I would be grateful.
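The two header fields used in step 3.4 (magic and file_size) and the header fields a memory dump usually leaves inconsistent (checksum and signature) can be handled with a short script. The following Python is an added example and is not part of the original article; it relies only on the documented dex header layout (magic at 0x00, adler32 checksum at 0x08 covering everything from 0x0C, SHA-1 signature at 0x0C covering everything from 0x20, file_size at 0x20) and uses a constructed header-only dex skeleton as sample input. The names dump_range, verify_dex and fix_header are chosen here. It reproduces the article's arithmetic (0xf35ca328 + 0x13570 = 0xf35dd898) and shows which checks a dump fails before and after its header is recomputed.

```python
import hashlib
import struct
import zlib

# Dex header layout from the dex format (header_item is 0x70 bytes).
DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
CHECKSUM_OFF = 0x08      # adler32 over bytes [0x0C, end)
SIGNATURE_OFF = 0x0C     # SHA-1 over bytes [0x20, end)
FILE_SIZE_OFF = 0x20     # total size of the dex file
HEADER_SIZE_OFF = 0x24
ENDIAN_TAG_OFF = 0x28

# Values from step 3.4 of the article, used for the range demo below.
ARTICLE_BASE = 0xF35CA328
ARTICLE_SIZE_BYTES = bytes([0x70, 0x35, 0x01, 0x00])


def dump_range(base_addr, header):
    """Step 3.4 as code: given the dex base address and the header bytes
    read from it, return (begin, end) for the memory dump."""
    if len(header) < HEADER_SIZE or header[:8] != DEX_MAGIC:
        raise ValueError("no dex header at the given base address")
    file_size = struct.unpack_from("<I", header, FILE_SIZE_OFF)[0]
    return base_addr, base_addr + file_size


def expected_checksum(data):
    return zlib.adler32(data[SIGNATURE_OFF:]) & 0xFFFFFFFF


def expected_signature(data):
    return hashlib.sha1(data[FILE_SIZE_OFF:]).digest()


def verify_dex(data):
    """Check the header fields a memory dump commonly leaves inconsistent."""
    result = {"magic": False, "file_size": False, "checksum": False, "signature": False}
    if len(data) < HEADER_SIZE:
        return result
    result["magic"] = data[:8] == DEX_MAGIC
    result["file_size"] = struct.unpack_from("<I", data, FILE_SIZE_OFF)[0] == len(data)
    stored_checksum = struct.unpack_from("<I", data, CHECKSUM_OFF)[0]
    result["checksum"] = stored_checksum == expected_checksum(data)
    stored_signature = bytes(data[SIGNATURE_OFF:SIGNATURE_OFF + 20])
    result["signature"] = stored_signature == expected_signature(data)
    return result


def fix_header(data):
    """Recompute file_size, then signature, then checksum (each field is
    covered by the ones computed after it). Only header bytes change."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, FILE_SIZE_OFF, len(buf))
    buf[SIGNATURE_OFF:SIGNATURE_OFF + 20] = expected_signature(buf)
    struct.pack_into("<I", buf, CHECKSUM_OFF, expected_checksum(buf))
    return bytes(buf)


def make_sample_dex(body):
    """Constructed sample input: a header plus an opaque body, with the
    header fields filled in consistently. Not a loadable app."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, HEADER_SIZE_OFF, HEADER_SIZE)
    struct.pack_into("<I", hdr, ENDIAN_TAG_OFF, 0x12345678)
    return fix_header(bytes(hdr) + body)


def article_range():
    """The article's numbers: a header whose file_size bytes are 70 35 01 00,
    found at base address 0xF35CA328 (constructed header, article values)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    hdr[FILE_SIZE_OFF:FILE_SIZE_OFF + 4] = ARTICLE_SIZE_BYTES
    return dump_range(ARTICLE_BASE, bytes(hdr))


def simulate_dump_check():
    """A dump whose body changed in memory after loading: the size still
    matches, but checksum and signature no longer do; fix_header makes
    the header consistent with the dumped bytes again."""
    original = make_sample_dex(b"\x00" * 0x40)
    dumped = bytearray(original)
    dumped[0x80] ^= 0xFF          # one body byte differs from the original
    before = verify_dex(bytes(dumped))
    after = verify_dex(fix_header(bytes(dumped)))
    return before, after


if __name__ == "__main__":
    print("range:", [hex(x) for x in article_range()])
    print("before/after:", simulate_dump_check())
```

verify_dex is the check to run before trusting a dump: a wrong file_size means the range computed in step 3.4 was off, while a wrong checksum or signature with a correct size means bytes changed in memory after loading or during the dump. fix_header only recomputes header fields so that tools accept the file; it cannot recover data that was never in the dump, which is the part of the repair the article leaves open.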
