Decrypt internal logic in all apps ' running process

Source: Internet
Author: User

Add: http://www.freebuf.com/tools/54562.html

0x01 Preface

These days, APK is all encrypted ah, Shell Ah, anti-debugging Ah, the small partners said that they have been unable to play happily. Static analysis is more and more unreliable, Apktool, Apkide, JD GUI, Dex2jar, etc. have been unable to meet the needs of everyone. So the question is, what do the little friends really need? All right, let's shout out your inner desires, our goal is "debug apk step by step".

0x02 Those dodgy tools.

First of all, those unreliable tools, that is, today I have a little half a day of all kinds of tools, crossing sit, and I carefully said.

2.1 IDA Pro

IDA pro6.6 After adding the Dex dynamic debugging function, a time to celebrate, Xi Dapu ben. When you're excited, you'll find Ida is really a setback for dynamic debugging, and even if he is the static anti-compilation king, I have to say that his dynamic debugging features are also very much needed to strengthen. Let's start by talking about debugging Dex with Ida.

IDA Pro Debug Dex Process:

1. Use Apktool to decompile apk, add android:debuggable= "true", RePack apk and sign 2. class.dex files are deducted from the apk file, no matter what method you use, 7zip, unzip ... Whatever3. Open the Dex file with Ida until the Output window displays "xxxx finished" 4. Set debugger options, Debugger->debugger options->set Specific options, set as 1, and then all the way back to 5. Locate the location where you want to place the breakpoint, move the cursor to the line where you want to place the breakpoint, and press F2 under Breakpoint 6. Turn on the debug option on your phone, link USB to PC 7. Select the IDA Pro window, press F9 No unexpected words should appear 2 of the picture, success ~

Figure 1 Ida Debug configuration

Figure 2 ida dynamic Debug apk

trigger Breakpoint, in the Watch view and Locals window can see the value of memory variables, is simply painting the United States do not look at Ah, is not a little excited?! I can only say happy too early, small partners are too naïve, careful observation, even if you check the "hex display", you still can not display the value of the variable in hex format, that is, the non-display character you can not see what the value is, and I looked for a long time did not find similar WinDbg, OD, VC6 , GDB, lldb the ability to view a memory address value in a variety of poses or commands, and then there is a 3 screen ... wtf! I have been busy for a long while actually not as direct logcat come happy!

Figure 3 Locals window

2.2 Apktool+eclipse

In fact, the niche has always been very supportive of Eclipse, after all, I spent countless sleepless nights and ignorant of the years (of course, Cang teachers and WinDbg may account for more), but this time I really a little disappointed ha. Since the debug method using Apktool+eclipse and Apktool+android Studio is the same as Apktool+idea, the debugging method is followed by the following: I'll just spit out the groove here first.

When the small partners successfully set debugging options, with Hi-turn mood into the debugging interface, we saw 4 of the screen, carefully observed and various attempts, I guarantee that your heart must have 10,000 grass mud horse Pentium and over!!!

Figure 4 Eclipse Single-step debugging apk

What we've all seen:

The 1.debug window represents the breakpoint that hit the first line

The 2.variables window does not have any value for the local variable, nor is the value of the Register

3. Step into, step by step, and other debugging buttons are gray, shortcut keys F5678 no response

I just want to know how you made me Debug , do I have to set an infinite breakpoint, desperately F9 to debug? Even so, where do I go to see the value of a variable?

2.3 Apktool+android Studio

Android Studio this thing is quite good, is a little bit card, accustomed to also OK. In fact , Android Studio itself was changed with idea , but it seems to have been changed. Debugging method or later, directly on the successful mount to the Debug interface diagram,5.

Figure 5 Android Studio single-Step debugging apk

This is the case:

1. You can see which line the program is currently parked in, although not obvious

2. Local variables can be seen, but the registers are still wood.

3. Single-step buttons and one-step shortcuts can be used, it looks much better.

I still want to say, the problem is the value of the register is still not intuitive to see AH, for obsessive-compulsive disorder I still can't accept this setting ah, think that year VC6 , od , WinDbg , gdb , Lldb is how to force, how to use!

0x03 Apktool +idea

come on,Apktool. The 2.0bete9 version launches the - d option, designed to repackage the apk for single-step debugging, Awesome! apktool+ idea no source debug Apkstep by step simply don't use it too much, This is also the wavelet I consulted after the fix, this option is also a wavelet and other people suggestApktoolthe author does so, cannot help but sigh, the wave god you why so dick!

3.1 Debugging Basics

The content of this section is quoted from the Watch Snow forum @ Fire Wing [CCG] the article, the original link: http://www.kanxue.com/bbs/showthread.php?p=1291716

according to Android The official documentation, if you want to debug a apk inside the Dex code, you must meet any one of the following two conditions:

The application tag in the Androidmanifest.xml file in 1.apk contains the property android:debuggable= "true" in 2./default.prop ro.debuggable value is 1

due to the normal release of the software will not beandroid:debuggableset tofalse(and of course not to rule out some very2the application istrue), so to achieve the conditions1need toappto repackage, which not only analyzes aapkare repeated, and many software checks themselves, and the re-package execution is detected, so a way to meet the2a condition is a one-way solution.

because default.prop boot.img ramdisk This part of each reboot will be re-started from rom load, so to the destination must be modified boot.img ramdisk

1. Download from Google's official website to BOOT.IMG2. Using Tools (Abootimg,gunzip, Cpio) boot.img completely untied, get to DEFAULT.PROP3. Modify the DEFAULT.PROP4. Repackage the modified file into BOOT_NEW.IMG5. Use the FastBoot tool to turn the Boot_ NEW.IMG Brush-in device (FastBoot Flash boot boot_new.img)

3.2 Debugging methods

Here we still use the first method of testing:

1. Download apktool2.0b9 version,:http://connortumbleson.com/2014/02/06/apktool-2-0-0-beta-9-released/

2. use apktool to decompile the apk:

Java-jar Apktool_2.0.0b9.jar d-d Xxx.apk-o out

With the-D option, the decompile file suffix is. java instead of. Smali, each. java file is immediately forged into a class, and the statements are all "a=0;" This sentence, Smali statements become comments, the small partners themselves to see open to know, to do this is to deceive idea, Eclipse, androidstudio these Ides;

3. Add android:debuggable= "true" option;

4. re-pack apk, remember to also use the -d option:

Java-jar Apktool_2.0.0b9.jar b-d Out-o debug.apk

5. Sign the APK and install the APK to the debug device (this does not need me to say how to operate it);

6. download and install and open the Span style= "text-indent:28px" >idea java project, in this case the project is named " debugonly apk post-compilation smali All files in directory are copied to the newly created java project src/ directory, refresh, 6

Figure 6 copying a file

7. Open androiddevice monitor(terminal down command monitor or DDMS ), run the command under Terminal: adb shell am start-d-N {package name}/. {Activity}, run effect 7;

Figure 7 command Run effect

Waiting for debugger access appears on the debug device:

Figure 8 debugging Device status

8. from the androiddevice monitor found the need to debug the program has been shown in the list, note the port number, in this case, 8700;

Figure 9 Android device Monitor

9. New remote debugging: Click run->edit configuration->"+" number ->remote, Select the new project in step 6, fill in the port number obtained in step 8,ten;

Figure Ten debug settings

Find the appropriate location to set the breakpoint (set a few more breakpoints before and after the location where you want to set the breakpoint), and click run->debug->unnamed, where unnamed is the name of the newly created remote debugging in step 9 ;

Figure One remote debugging name

No accident, the small partners should be able to see The picture shown, congratulations, you have succeeded! At this moment, the excitement can be said to be a statement ha ~good luck! have fun! enjoy~

Figure Idea Single-step debugging apk

0x04 after language

In addition, AH-hang once mentioned an article with the jdb remote debugging android Program article, Link: /http resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/< Span style= "TEXT-INDENT:28PX; Font-family: Microsoft Black "> I have not tried, mainly I am lazy, with apktool+idea already enough, did not go to Daoteng, interested in the small partner please self-daoteng, do not forget to share!

Finally, I'm not really sure. ida is not really hex format displays variable values, Maybe I'm not using ida eclipse In the end can see the value of the register, the single-step button and shortcut keys can be used, perhaps I eclipse version of the problem; I'm not sure. android Studio can you see the value of the register, perhaps I android studio version of the problem, or I use the debug device has a problem, or my face is a problem ... the above question, if which small partner knows how to solve, kneeling asks to inform!

[Author/Ali Poly Security-Xuan Xia jason_hz, reprint must be indicated from freebuf.com]

Decrypt internal logic in all apps running (GO)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.