With the spread of smartphones, mobile apps have reached every corner of daily life, and more and more people depend on them: Mobile QQ, games, navigation maps, Weibo, mobile payment and so on. During the 2015 Spring Festival the major vendors all launched red-envelope campaigns, which for a while made mobile payment apps unusually hot.
Mobile security problems follow close behind. They fall into two broad areas, mobile network security and client application security. Protection of mobile app software is still in its infancy: many vendors have little security awareness and ship products without packing or encryption, so the app can be cracked with reverse analysis, dynamic debugging and similar techniques. Functions that should require an account password are then bypassed outright, and the vendor's interests are seriously harmed.
Dynamic debugging of an unpacked app is often a very smooth and fast way to bypass login restrictions or feature limits. This article takes an Android app as its example and walks through dynamic debugging of a mobile app in detail.
0x01 Debug Environment Setup
1.1 Installing the JDK
Setting up a Java environment is well documented elsewhere and is not covered here.
1.2 Installing the Android SDK
Download: http://developer.android.com/sdk/index.html
After downloading the package, unzip it to any directory, run SDK Manager.exe and select the SDK version you want to install.
1.3 Installing the Eclipse integrated development environment
Download: http://www.eclipse.org/downloads. Choose Eclipse for Mobile Developers and extract it to any directory.
1.4 Creating Android Virtual Device
Dynamic debugging can be done on a real phone or in an emulator; this article uses the emulator. The steps to create one are:
1. Open Eclipse -> Window -> Android Virtual Device Manager
2. Click Create and fill in the parameters
The Target is the SDK platform installed in the previous step; pick whichever version you like. Click OK to finish creating the device.
1.5 Installing the APK change manager
This is a very handy auxiliary tool for debugging (it decompiles, edits and recompiles APKs); search for and download it yourself.
1.6 Installing IDA 6.6
IDA 6.6 is the first version that supports debugging Android Dalvik instructions; obtain and install it.
0x02 Dalvik Instruction Dynamic Debugging
2.1 Preparatory work
An Android app has the suffix .apk but is really a zip archive; rename it to .rar (or .zip) and open it.
Inside, classes.dex is the application's main executable and contains all of the Dalvik bytecode. Opening the APK with the APK change manager decompiles it automatically, producing many .smali files that hold the app's Dalvik instructions in readable form.
In the APK change manager double-click AndroidManifest.xml to open it. To make the app debuggable, add android:debuggable="true" to the <application> tag.
Click Save and compile to generate a new APK. Then open Eclipse -> Window -> Android Virtual Device Manager, select the emulator created above and click Start; the emulator boots. If Eclipse occasionally fails to start with an error, edit the launcher configuration file in the same directory as Eclipse (eclipse.ini, where the JVM heap sizes are set):
change the parameter that was 512 to 256 and the one that was 1024 to 512, then try starting again.
The SDK ships a command-line tool, adb, under platform-tools (on this machine E:\adt-bundle-windows-x86-20140702\sdk\platform-tools). Either add that directory to the system PATH and run adb shell from any command prompt, or change into the directory first; adb shell drops you into a command line on the device.
Without entering the shell, run adb install d:\1.apk from the command prompt to install the APK recompiled above. A success message is printed when the installation completes.
2.2 Using IDA Dynamic debugging
Extract classes.dex from the APK to any directory and drag it into IDA. When IDA's analysis finishes, open Debugger -> Debugger options.
Tick Suspend on process entry point as shown, then click Set specific options and fill in the app's package name and entry activity.
The package name and entry activity come from AndroidManifest.xml, opened in the APK change manager:
    <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.simpleencryption">
        <application android:allowBackup="true" android:debuggable="true" android:icon="@drawable/creakme_bg2" android:label="@string/app_name" android:theme="@style/AppTheme">
            <activity android:label="@string/app_name" android:name=".MainActivity">
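As an added example (not code from the original post or from the crackme), the following Python script performs the two manifest steps above without hand-editing: it sets android:debuggable="true" on <application>, and it reads the package name and the MAIN/LAUNCHER activity that IDA's Set specific options dialog needs. It assumes the manifest has already been decoded to plain XML (as the APK change manager does); the sample manifest is constructed from the excerpt above, and its launcher intent-filter is assumed because the excerpt stops before it.

```python
"""Patch a decoded AndroidManifest.xml for debugging and read off the values
IDA's Dalvik debugger asks for (package name, entry activity).

Added example, not code from the original post or the crackme. Assumes the
manifest is already plain XML (the APK change manager / apktool decode it);
the binary AXML straight out of an APK must be decoded first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS                        # Clark notation for android:* attrs
ET.register_namespace("android", ANDROID_NS)   # keep the android: prefix on output

# Constructed sample, modelled on the crackme manifest excerpt above;
# the MAIN/LAUNCHER intent-filter is assumed (the excerpt is cut off before it).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simpleencryption">
    <application android:allowBackup="true"
        android:icon="@drawable/creakme_bg2"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">
        <activity android:label="@string/app_name"
            android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def is_debuggable(manifest_xml):
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(A + "debuggable") == "true"


def set_debuggable(manifest_xml):
    """Return the manifest with android:debuggable="true" on <application>.

    Covers both cases: attribute absent (added) or present as "false"
    (overwritten); a release build usually has neither or the latter."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    app.set(A + "debuggable", "true")
    return ET.tostring(root, encoding="unicode")


def qualify(package, name):
    """Expand the short forms android:name allows (".Main", "Main") to a full class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def launcher_activity(manifest_xml):
    """Return (package, fully qualified entry activity).

    The entry activity is the one whose <intent-filter> has both the MAIN action
    and the LAUNCHER category; that is what the launcher and `am start` resolve,
    so it is the value to give IDA."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    if not package:
        raise ValueError("manifest has no package attribute")
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            categories = {c.get(A + "name") for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                return package, qualify(package, activity.get(A + "name"))
    raise ValueError("no MAIN/LAUNCHER activity in manifest")


def am_start_debug_command(manifest_xml):
    """The `am start -D` line used in the native-debugging section, from the manifest."""
    package, activity = launcher_activity(manifest_xml)
    return "adb shell am start -D -n %s/%s" % (package, activity)


if __name__ == "__main__":
    patched = set_debuggable(SAMPLE_MANIFEST)
    print(patched)
    print("package, activity:", launcher_activity(patched))
    print(am_start_debug_command(patched))
```

After set_debuggable() the manifest still has to be recompiled and signed (the APK change manager does both when you click compile); the script only produces the edited XML and the two strings for IDA.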
Then click Debugger -> Process options in IDA.
Leave the other defaults unchanged and change the port to 8700. The default is 23946, and that cost me a long time: debugging kept failing simply because the port had not been changed to 8700. Where does 8700 come from? The Android SDK includes DDMS, a tool for monitoring a running app's state and output. It is started by running ddms.bat in the SDK's tools directory. Because the ADT plugin is installed on this machine, DDMS is integrated into Eclipse and can be started with Eclipse -> Open Perspective -> DDMS.
Once a process is selected in DDMS, its debug port is shown next to it; on this machine it is 8700.
With all of this done, the app can be debugged with breakpoints. Looking through the smali files under the com directory in the APK change manager, MainActivity.smali contains an interesting function, getpwdfrompic(); we will break there to trace the app's execution.
Searching IDA for the string getpwdfrompic shows that onClick calls it.
Press F2 at the start of the onClick function to set a breakpoint.
Then click the green triangle button to start debugging.
Debugging has failed on me many times and wasted a lot of time; it happened again while writing this article. After clicking Start, IDA reports "can't bind socket". After a lot of head-scratching the cause turned out to be that once DDMS has been opened, every start of Eclipse also starts DDMS, and DDMS occupies port 8700, so every debug start fails. The fix: once the emulator is running, close Eclipse, and everything works.
In this example the app is a crackme that asks for a password and shows the success screen when the correct one is entered. Enter 123 and click Login; IDA stops at our breakpoint. Select Debugger -> Use source-level debugger, then Debugger -> Debugger windows -> Locals to open the local variables window.
Press F7 (step into) or F8 (step over) to follow the program flow and watch the variables change, or right-click and choose Graph view to see the control-flow graph of the code being executed.
The variables window shows the 123 we entered after the app has transformed it, and the pw variable already holds the correct password; at this point the correct password is easily determined.
0x03 Dynamic Debugging of Android Native Shared Libraries
To resist reverse engineering, apps sometimes move the sensitive logic out of the dex into a native dynamic library, a .so file shipped inside the APK (under lib/) and called from the Dalvik code.
Here we debug the native library by attaching to the running process.
3.1 Preparatory work
1. Copy android_server from the IDA dbgsrv directory to the emulator and make it executable. The commands are:
adb push d:\android_server /data/data/sv
adb shell chmod 755 /data/data/sv
2. Start the debug server android_server. Command:
adb shell /data/data/sv
The server listens on port 23946 by default, and this window stays occupied while it runs.
3. Open another command window and forward the port to the emulator:
adb forward tcp:23946 tcp:23946
3.2 Using Ida for dynamic debugging
1. Launch the app to be debugged in the emulator.
2. Start IDA and open Debugger -> Attach -> Remote ARMLinux/Android debugger.
Change the port to 23946, leave the rest unchanged and click OK.
In the process list select the package name of the app to debug and click OK.
Normally IDA now attaches and suspends the app's process.
3. Because execution is currently not inside the library's address space, open a second IDA instance with the .so to be debugged, find the file offset of the location where the breakpoint should go, note it down, and close that instance.
4. In the original IDA instance press Ctrl+S, find the .so in the segment list and note its load base. Click OK or Cancel to close the dialog.
5. Press G, enter load base + file offset as the address and click OK to jump to that location in the .so; press F2 to set a breakpoint. The breakpoint is hit when the app executes that code.
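Steps 3 to 5 compute the breakpoint address as load base + file offset. As an added example (not part of the original post), the Python below does the same calculation from the process's /proc/<pid>/maps (obtainable with adb shell cat /proc/<pid>/maps, and the same information IDA shows in the Ctrl+S segment list) and also handles the case the simple sum gets wrong: an offset that lies in a later mapping of the library, such as its writable data segment, where the translation must use that mapping's own start and file offset. The maps lines and the library name libcrackme.so are constructed sample data.

```python
"""Translate a static file offset inside a .so to its address in the
attached process, from /proc/<pid>/maps.

Added example, not code from the original post. The post's recipe is
load base (IDA, Ctrl+S) + file offset (from the static IDA session);
runtime_address() does the same thing per mapping, which also covers
offsets in the library's later (data) mappings where that sum is wrong.
"""
import re
from typing import List, NamedTuple

# start-end perms offset dev inode [path]   (path may be empty or contain spaces)
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample: a 32-bit ARM process with the (assumed) library
# libcrackme.so loaded; its data segment is mapped separately, as usual.
SAMPLE_MAPS = """\
12c00000-12e00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
a0d3c000-a0d4e000 r-xp 00000000 b3:1b 5678       /data/app-lib/com.yaotong.crackme-1/libcrackme.so
a0d4e000-a0d4f000 r--p 00011000 b3:1b 5678       /data/app-lib/com.yaotong.crackme-1/libcrackme.so
a0d4f000-a0d50000 rw-p 00012000 b3:1b 5678       /data/app-lib/com.yaotong.crackme-1/libcrackme.so
a0d50000-a0d53000 rw-p 00000000 00:00 0
b6f00000-b6f80000 r-xp 00000000 b3:05 9012       /system/lib/libc.so
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    file_offset: int
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_RE.match(line)
        if m is None:
            raise ValueError("unparsable maps line: %r" % line)
        mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), int(m.group(4), 16), m.group(5)))
    return mappings


def library_mappings(mappings, soname):
    return [m for m in mappings if m.path.endswith("/" + soname)]


def load_base(mappings, soname):
    """The load base IDA lists in Ctrl+S: lowest start of the library's mappings."""
    libs = library_mappings(mappings, soname)
    if not libs:
        raise LookupError("%s is not mapped; the app has not loaded it yet" % soname)
    return min(m.start for m in libs)


def naive_address(mappings, soname, file_offset):
    """The post's formula: load base + file offset (right for .text, not for .data)."""
    return load_base(mappings, soname) + file_offset


def runtime_address(mappings, soname, file_offset):
    """Address of `file_offset` of `soname` in this process.

    Uses the first mapping of the library whose file range contains the offset,
    so an offset in the relocated data segment is translated from that
    mapping's own start, not from the text segment's base."""
    for m in library_mappings(mappings, soname):
        if m.file_offset <= file_offset < m.file_offset + (m.end - m.start):
            return m.start + (file_offset - m.file_offset)
    raise LookupError("offset 0x%x of %s is not file-backed in this process"
                      % (file_offset, soname))


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for off in (0x1234, 0x12010):   # a .text offset, then a .data offset
        print("0x%05x: naive 0x%08x, actual 0x%08x" % (
            off, naive_address(maps, "libcrackme.so", off),
            runtime_address(maps, "libcrackme.so", off)))
```

For a code breakpoint (the JNI_OnLoad case later in the post) the two results agree, because the text segment is the first mapping and has file offset 0; the per-mapping translation matters when you want to watch a global in .data or .bss, or when the library is not loaded yet and load_base() tells you so instead of returning a wrong number.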
3.3 Debugging before the anti-debugging routine runs
When the program loads the .so it executes JNI_OnLoad, which performs a series of preparations; anti-debugging checks are usually placed in JNI_OnLoad as well. In that case step 2 of 3.2 runs into the following:
the app detects the debugger and exits by itself, so the debugging strategy has to change.
After step 3 of 3.1, run at the command prompt:
adb shell am start -D -n com.yaotong.crackme/com.yaotong.crackme.MainActivity
This starts the app in debug mode: it waits for a Java debugger to attach before executing any of its code.
com.yaotong.crackme is the app's package name and com.yaotong.crackme.MainActivity is its entry activity; both can be read from the manifest with the APK change manager.
Because the app has not run yet, the anti-debugging routine has not run either. Attach IDA as in step 2 of 3.2; IDA stops at some point inside the waiting process.
Then open Debugger -> Debugger options and set it so that IDA suspends the process when a library is loaded (Suspend on library load/unload):
Click OK and press F9 to let the app run, then at the command prompt execute:
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
The app now starts running and IDA breaks when the library is loaded. Follow steps 3, 4 and 5 of 3.2 to locate JNI_OnLoad and set a breakpoint on it; press F9 and execution stops there, before the anti-debugging check has run. From there you can continue dynamic tracing and analysis.