Lobotomy: Android Reverse Engineering Framework (Part1)

Source: Internet
Author: User


If you have followed the previous articles on Android security, you should already be familiar with rotlogix. He works in mobile security and focuses on binary analysis. This series of articles is his own guide to the Lobotomy framework, which can fairly be described as the accumulated tooling of his research.

Many articles on his personal blog are suitable for newcomers. I have translated several articles before:

What are the consequences of misuse of Android ClipData?

UC Browser: Thoughts on ZipInputStream

Overview

In this series of articles, we will cover many of Lobotomy's features and how to use the tool when assessing and reverse engineering Android applications.

Loader

Lobotomy is designed so that a user can seamlessly load an Android application into its console environment and perform different operations on it without leaving Lobotomy. This is achieved with a single global instance that holds the loaded application for the whole framework. When a new application is loaded, the previous one is replaced. I use this loader constantly in my daily work.

The loader supports three cases:

Loading an APK file that contains classes.dex.
Loading an APK file that does not contain classes.dex.
Loading only a classes.dex file.

Lobotomy tries to be explicit about which features are available for the file type you have loaded. For example, if you load only a classes.dex file, you cannot enumerate components, because component information comes from the AndroidManifest.xml inside the APK, not from the DEX.

In the common case, an APK downloaded from the Google Play store already contains classes.dex, so you load it with the plain loader command:

(lobotomy) loader /Users/rotlogix/Android-Browser-Research/thunder-web-browser/apk/thunder-browser.apk
[2015-12-26 10:36:30.149971] Loading : /Users/rotlogix/Android-Browser-Research/thunder-web-browser/apk/thunder-browser.apk

However, if you only want to work on classes.dex, unzip the APK first and then issue the loader dex command:

...
  extracting: res/drawable-xxhdpi/menu_quit_pressed.png
  extracting: res/drawable-xxhdpi/menu_screenshot_normal.png
  extracting: res/drawable-xxhdpi/menu_screenshot_pressed.png
  extracting: res/drawable-xxhdpi/menu_setting_normal.png
  extracting: res/drawable-xxhdpi/menu_setting_pressed.png
  extracting: res/drawable-xxhdpi/navigator_bg_rectangle_with_corner.9.png
  extracting: res/drawable-xxhdpi/notify_search.png
  extracting: res/drawable-xxhdpi/notify_search_icon.png
  extracting: res/drawable-xxhdpi/powered_by_google_dark.png
  extracting: res/drawable-xxhdpi/powered_by_google_light.png
  extracting: res/drawable-xxhdpi/setting_back.png
  extracting: res/drawable-xxhdpi/setting_icon_right.png
  extracting: res/drawable-xxhdpi/website_delete.png
   inflating: classes.dex

(lobotomy) loader dex /Users/rotlogix/Android-Browser-Research/thunder-web-browser/apk/classes.dex
[2015-12-26 10:40:15.757531] Loading : /Users/rotlogix/Android-Browser-Research/thunder-web-browser/apk/classes.dex

Now, with only classes.dex loaded, let's try a module that needs the whole APK rather than just the DEX:

(lobotomy) loader dex /Users/rotlogix/Android-Browser-Research/thunder-web-browser/apk/classes.dex
[2015-12-26 10:40:15.757531] Loading : /Users/rotlogix/Android-Browser-Research/thunder-web-browser/apk/classes.dex
(lobotomy) profiler
[2015-12-26 10:41:28.451238] Module not available!
[2015-12-26 10:41:28.451280] You cannot run the profiler module without a loaded APK

Lobotomy tells you immediately that the currently loaded file type cannot be used with this module. If instead you run a module that only needs classes.dex, such as surgical, Lobotomy proceeds as expected:

(lobotomy) surgical
[2015-12-26 10:48:44.717386] Available functions:
[2015-12-26 10:48:44.717422] storage
[2015-12-26 10:48:44.717432] crypto
[2015-12-26 10:48:44.717438] logging
[2015-12-26 10:48:44.717444] ipc
[2015-12-26 10:48:44.717449] zip
[2015-12-26 10:48:44.717454] native
[2015-12-26 10:48:44.717459] socket
[2015-12-26 10:48:44.717464] ssl
[2015-12-26 10:48:44.717470] certkey
[2015-12-26 10:48:44.717475] Enter 'quit' to exit
[2015-12-26 10:48:44.717481] Enter 'list' to show available functions
[2015-12-26 10:48:44.717487] Enter function:
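To make the loader behaviour of this section concrete, here is an added example in Python. It is my own illustration, not Lobotomy's code: a single global loader that records whether an APK (with or without classes.dex) or a bare classes.dex is loaded, refuses the profiler when no manifest is present, and runs a surgical-style scan over the DEX string table for API class descriptors. The DEX string-table layout (file_size at 0x20, string_ids_size/off at 0x38, ULEB128 sizes, MUTF-8 data) follows the published dex format; the category prefixes, the placeholder manifest bytes and the sample DEX and APK are constructed for this example and are not Lobotomy's real heuristics or the thunder-browser sample.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\x00"  # assumption: format 035; 037/038/039 share the "dex\n" prefix
DEX_HEADER_SIZE = 0x70

def uleb128(n):  # unsigned LEB128, the encoding of string_data_item's size field
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def read_uleb128(buf, off):
    result = shift = 0
    while True:
        b, off = buf[off], off + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def build_dex(strings):  # constructed test input: a DEX holding only a header and a string table
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = DEX_MAGIC
    ids, data = bytearray(), bytearray()
    data_off = DEX_HEADER_SIZE + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += uleb128(len(s)) + s.encode("ascii") + b"\x00"  # ASCII is valid MUTF-8
    struct.pack_into("<I", header, 0x20, DEX_HEADER_SIZE + len(ids) + len(data))  # file_size
    struct.pack_into("<II", header, 0x38, len(strings), DEX_HEADER_SIZE)  # string_ids_size/off
    return bytes(header + ids + data)

def dex_strings(dex):  # walk string_ids -> string_data_item and decode each string
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        out.append(dex[start:dex.index(b"\x00", start)].decode("utf-8", "replace"))
    return out

# Hypothetical descriptor prefixes standing in for two of surgical's functions.
SURGICAL = {
    "crypto": ("Ljavax/crypto/", "Ljava/security/MessageDigest;"),
    "logging": ("Landroid/util/Log;",),
}

class ModuleNotAvailable(Exception): pass

class Loader:  # one global instance; loading a new artifact replaces the previous one
    def __init__(self):
        self.kind = self.dex = self.manifest = None
    def load_apk(self, apk_bytes):
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
            names = set(z.namelist())
            self.manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else None
            self.dex = z.read("classes.dex") if "classes.dex" in names else None
        self.kind = "apk" if self.dex else "apk-without-dex"
    def load_dex(self, dex_bytes):
        dex_strings(dex_bytes)  # validate before replacing the current artifact
        self.kind, self.dex, self.manifest = "dex", dex_bytes, None
    def profiler(self):  # component enumeration needs the manifest, i.e. a loaded APK
        if self.manifest is None:
            raise ModuleNotAvailable("You cannot run the profiler module without a loaded APK")
        return {"manifest_bytes": len(self.manifest)}
    def surgical(self, function):  # API hunting only needs the DEX
        if self.dex is None:
            raise ModuleNotAvailable("surgical needs classes.dex")
        return sorted(s for s in dex_strings(self.dex) if s.startswith(SURGICAL[function]))

def build_apk(dex):  # constructed test input: an APK is a zip, so pack a placeholder manifest plus the DEX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML header bytes only
        z.writestr("classes.dex", dex)
    return buf.getvalue()

SAMPLE_DEX = build_dex(["Ljavax/crypto/Cipher;", "Ljava/lang/Object;", "Landroid/util/Log;", "Ljavax/net/ssl/TrustManager;"])

def demo():  # load classes.dex alone: profiler refuses, surgical runs; then load the APK instead
    lobotomy = Loader()
    lobotomy.load_dex(SAMPLE_DEX)
    refusal = None
    try:
        lobotomy.profiler()
    except ModuleNotAvailable as e:
        refusal = str(e)
    crypto = lobotomy.surgical("crypto")
    lobotomy.load_apk(build_apk(SAMPLE_DEX))  # replaces the bare DEX
    return refusal, crypto, lobotomy.kind, lobotomy.profiler()

if __name__ == "__main__":
    print(demo())
```

The point to take from it is the gating: every module asks the loader what is present (manifest, DEX, or both) before doing any work, so a bare classes.dex can still be mined for crypto, logging or IPC API references, while anything that depends on the manifest fails fast with a clear message instead of silently returning nothing. The string-table scan is a cheap first pass; the real surgical module resolves actual method references, which a descriptor prefix match only approximates.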


Summary

In Part 1, we explained how to load the different file types into Lobotomy before starting an assessment or reverse analysis. In Part 2, we will introduce how Lobotomy works with a loaded application and go through the modules it provides.
