"Turn" Android Reverse dynamic debugging summary

First, the key function up and down breakpoints in so

just learned the reverse debugging. are mostly full of breakpoints on a key function in so. Then through the operation should use the program, to trigger this breakpoint, and then to debug
detailed steps can be found in the non-worm large "Android software security and reverse analysis"
Simply put: There is a function jnicall1 in the libsyclover.so file. This function is called every time the button is clicked.

1. Load this so file statically, and locate the offset address for the function: 0x132c

<ignore_js_op>
2. Execution Android_server3. Port forwarding

adb forward tcp:23946 tcp:23946

4. Running the program

5.IDA Additional

<ignore_js_op>
then it pops up .
<ignore_js_op>
After clicking OK, select the process you want to attach in the list box that pops up .

6. Next Breakpoint


after the attach is completed, it will be stopped in the Libc.so module. At this point, press CTRL + S, pop up the module list box, and search for the so file name.
<ignore_js_op>
record the base address: 0x76072000 (Rx access)
and static analysis of the resulting offset address 0x132c added to get 0x7607332c
G Jump to this location
<ignore_js_op>
F2 the Good breakpoint!

7. Triggering breakpoints


a good breakpoint, then F9 execution, at this time the state is runing
At this point, go to the app and click the button, the program will be broken at just the next good breakpoint ~
<ignore_js_op>
ok~ This kind of debugging method is very limited, it is suitable for the more elementary debugging. This kind of debugging method has not satisfied the demand now.


second, in the Jni_onload function up and down breakpoints

The approximate function of the jni_onload function is that when the program loads so, it executes the jni_onload function and does a series of preparations.
Most of the time, the program apes put some important information in this function, rather than repeating the trigger with some sort of event. This includes putting the anti-debug function in this function. Therefore, the debugging means has changed, the above debugging method is basically eliminated.
1. Static analysis, find the offset of the Jni_onload function: 0x1504

<ignore_js_op>

2. Execution Android_server3. Port forwarding

adb forward tcp:23946 tcp:23946

4. Start the program in debug mode

ADB shell am start-d-n com.example.mytestcm/. Mainactivity
At this point, the phone interface will appear waiting for debugger page

5. Open Ddms or eclipse (necessary, in order to use the JDB command)

6.IDA Additional

7. Set Debug Options

Debugger-debugger Options
<ignore_js_op>

8.F9 Running the program

in Ida, F9 runs the program, and this is the runing state.
Executed at the command line:jdb-connect com.sun.jdi.socketattach:hostname=127.0.0.1,port=8700 where port=8700 is seen from DDMS.
<ignore_js_op>
now the program will break down
<ignore_js_op>

9. Next Breakpoint

Ctrl + S then search for so file name
<ignore_js_op>
the base address is recorded as: 0x76118000
Add the Jni_onload function to the offset address 0x1504 to 0x76119504
G Jump to 0x76119504, next breakpoint
<ignore_js_op>

A. Triggering A Breakpoint

after the good breakpoint, directly F9 run it, you can break in the Jni_onload function ~
<ignore_js_op>
When this debugging technique occurs, it is not safe to put special functions, or counter-debug functions, in Jni_onload. At this time, the program apes through the analysis system to the so file loading link process found that the Jni_onload function is not the first to execute. A series of functions in the Init and Init_array are also executed before the Jni_onload function executes.
Therefore, the current debugging method is to put the breakpoint under the Init_array ~
As for the method of the next breakpoint, it can be analogous to the method of the breakpoint in Jni_onload, the breakpoint in the Init_array function. Another way to do this is by using a breakpoint in the linker module through the function, and then stepping into the Init_arrayBelow is a detailed description of how to give a breakpoint under any system function

third, to the arbitrary system function under the breakpoint

1. To be prepared are:
with your debugging environment consistent system source code, this can also be viewed online on the http://androidxref.com/website.
After the root of the phone, it is convenient to dump some of the system's so file to local, static get to the system function offset address

2. Process
Executive Android_server
Port forwarding adb forward tcp:23946 tcp:23946
Debug mode startup program adb shell am start-d-N Package Name/class name
Ida Attach
Static find the offset address of the module corresponding to the target function
Ctrl+s find the base address of the corresponding module, add two addresses to get the final address
G Jump to address, then down
F9 Run
Execute Jdb-connect com.sun.jdi.socketattach:hostname=127.0.0.1,port=8700
Disconnect, Debug

four, in the Dvmdexfileopenpartial function breakpoint, dump out plaintext Dex


development so far, from last year to the present, APK encryption and decryption development is very rapid. There are a lot of shell protection programs for APK in China. It is also mainly embodied in the protection of Dex and the protection of so!
For Dex protection, for a long time, it is possible to dump a plaintext Dex file by a breakpoint on the Dvmdexfileopenpartial function.
with this ALICTF third titled example, show how to dvmdexfileopenpartial the breakpoint under the function!
the other steps are the same, here's how to find the Dvmdexfileopenpartial function location
1. View the source code


The dvmdexfileopenpartial function is called in the Rewritedex function.
<ignore_js_op>
you can see that the key string information is: unable to create dexfile
At this point, get libdvm.so from the/system/lib directory of your phone

2. Load Ida, search string: Unable to create dexfile


<ignore_js_op>
Get offset address is: 0x0005ae8a

3. Next Breakpoint


Search Module libdvm.so
<ignore_js_op>
Base Address is 0x41492000
Plus the offset address is 0x414ece8a
G Jump to this position, a good breakpoint, you can

4.dump plaintext Dex File


after a good breakpoint, F9 runs, executes Jdb-connect com.sun.jdi.socketattach:hostname=127.0.0.1,port=8700
Program breaks down
<ignore_js_op>
at this point, you see that the value in the Register window is:
<ignore_js_op>
R0 Save Dex's start address, R1 is the length of Dex
<ignore_js_op>
Direct Dump can!

5. Follow-up


the dump-out Dex can be used to reverse-edit.
The effect is as follows:
<ignore_js_op>


Five, written in the last


with the development of technology now, the protection of APK is getting better! Greatly increases the analysis difficulty of the reverse analyst. At the same time, throughout the offensive and defensive process, both sides of the attack and defense brought a very good experience. Both sides have made great strides!
It also promotes the improvement of the whole reinforcement direction level!
Among them, the dynamic debugging technique is essential in the whole process.

"Turn" Android Reverse dynamic debugging summary