Reversing the phone kernel: adding debug support and bypassing anti-debugging

Source: Internet
Author: User
Tags: unpack

0x00 Preface
An Android app can be debugged only if android:debuggable="true" is set explicitly in its AndroidManifest.xml; when the android:debuggable value is not set it defaults to "false", so most published apps cannot be debugged. To debug one you have to unpack the APK, change the attribute and repack it, which is cumbersome and inefficient. The second condition is the ro.debuggable property in the kernel ramdisk's default.prop: with ro.debuggable=1 the apps on the device can be debugged regardless of their manifest setting, which seems the better solution, since we only need to modify the kernel once and for all.
A common anti-debugging technique in Android apps is to read /proc/[pid]/status: when the process is being debugged, the TracerPid field holds the PID of the debugger process, and the program then takes its counter-measures against the debugger.
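As an added example (not part of the original post), this is the TracerPid check just described, written as a parser over a /proc/[pid]/status text; the two status samples are constructed, not captured from a device.

```python
# Added example: parse the TracerPid field from /proc/[pid]/status text.
# The sample texts below are constructed, not real device output.


def tracer_pid(status_text: str) -> int:
    """Return the TracerPid value: 0 when nothing is tracing the process,
    -1 when the field is missing, so a missing field is never mistaken
    for "not debugged"."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "TracerPid":
            return int(value.strip())
    return -1


def is_being_traced(status_text: str) -> bool:
    """True only when a tracer PID is actually reported."""
    return tracer_pid(status_text) > 0


# Constructed sample: a process attached by a debugger with PID 4567.
SAMPLE_TRACED = (
    "Name:\tcom.example.app\n"
    "State:\tt (tracing stop)\n"
    "Tgid:\t1234\n"
    "Pid:\t1234\n"
    "PPid:\t300\n"
    "TracerPid:\t4567\n"
    "Uid:\t10050\t10050\t10050\t10050\n"
)

# Constructed sample: the same process with no tracer. After the kernel patch
# the post describes later, a debugged process reports exactly this, so the
# check cannot be relied on by itself.
SAMPLE_FREE = SAMPLE_TRACED.replace("TracerPid:\t4567", "TracerPid:\t0")


def self_is_traced() -> bool:
    """Live check for the calling process (Linux/Android only)."""
    with open("/proc/self/status") as f:
        return is_being_traced(f.read())
```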

0x01 Extract Kernel

Find the partition that holds boot:

ls -l /dev/block/platform/msm_sdcc.1/by-name

Extract the kernel (boot image) and pull it to the PC:

dd if=/dev/block/mmcblk0p17 of=/data/local/boot.img
adb pull /data/local/boot.img boot.img

Unpack the boot image:

bootimg.exe --unpack-bootimg

The file structure after unpacking

0x02 modifying ro.debuggable

Set ro.debuggable=1 in the initrd/default.prop file.

0x03 Modifying the kernel file

Make a copy of the kernel as zImage.gz for the subsequent modifications.

Open zImage.gz in 010 Editor, search for the hex bytes 1F 8B 08 00 and delete all data before them, so that the file becomes a standard gzip compressed file that gunzip can unpack:

gunzip zImage.gz

The zImage produced by the unpacking is the kernel binary.

Open the file in IDA and set the processor type to ARM little-endian.

Set the ROM start address and the loading address to 0xC0008000.

Disable kernel symbol address masking in a root shell on the Android device:

echo 0 > /proc/sys/kernel/kptr_restrict

Look up the addresses of the proc_pid_status and __task_pid_nr_ns functions:

cat /proc/kallsyms | grep proc_pid_status

cat /proc/kallsyms | grep __task_pid_nr_ns

Why these two functions? According to the source in kernel/msm/fs/proc/array.c:

proc_pid_status inlines the task_state function, and inside that inlined task_state the TracerPid is obtained through __task_pid_nr_ns and printed.

In IDA, press G and jump to the function at c0187f88 (__task_pid_nr_ns), then press X to open the cross-reference list, where the caller c02764b8 (proc_pid_status) is found.

The call site looks like this:

The result of the call is stored in R11, so change mov R11, R0 to mov R11, #0, machine code B0 A0 E3, at file offset 0xC02765F8 - 0xC0008000 = 0x26E5F8.

Recompress the zImage:

gzip -n -f -9 zImage

Use 010 Editor to add the original kernel's header and trailer binary data to the new zImage.gz. The new zImage.gz must be smaller than the original zImage.gz, and writing it back must neither change the size of the original kernel file nor modify the contents that follow the original kernel in the image, otherwise things get very troublesome. The result is the new kernel file.

Add the header: 0x3DEB bytes of data

First reserve the space, then copy the header data to the front

Add the trailer data

Replace the original kernel file and regenerate a new boot.img:

bootimg.exe --repack-bootimg
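As an added example (not part of the original post), here is the byte-level side of the steps above on a constructed image: locating the gzip stream, decompressing it, turning a kernel virtual address into a file offset with the 0xC0008000 load address, and checking whether the word at that offset is the original mov R11, R0 or the patched mov R11, #0. The instruction encodings are the standard ARM32 ones; the sample image, its call site at 0xC0008010 and the header/trailer sizes are constructed.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08\x00"
LOAD_ADDR = 0xC0008000          # ROM start / load address set in IDA
MOV_R11_R0 = 0xE1A0B000         # original: keeps the TracerPid returned in R0
MOV_R11_IMM0 = 0xE3A0B000       # patched (bytes 00 B0 A0 E3): TracerPid always 0


def strip_header(zimage_gz: bytes) -> bytes:
    """Drop everything before the gzip magic, as done by hand in 010 Editor."""
    idx = zimage_gz.find(GZIP_MAGIC)
    if idx < 0:
        raise ValueError("no gzip stream found in zImage.gz")
    return zimage_gz[idx:]


def extract_kernel(zimage_gz: bytes) -> bytes:
    """gunzip the stream; the trailer after the gzip member is ignored."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return d.decompress(strip_header(zimage_gz))


def va_to_file_offset(va: int, load_addr: int = LOAD_ADDR) -> int:
    """Kernel virtual address -> offset in the decompressed zImage."""
    if va < load_addr:
        raise ValueError("address below the kernel load address")
    return va - load_addr


def classify_patch_site(kernel: bytes, va: int) -> str:
    """Say whether the word at va is the original mov, the patched mov or neither."""
    word = struct.unpack_from("<I", kernel, va_to_file_offset(va))[0]
    return {MOV_R11_R0: "original", MOV_R11_IMM0: "patched"}.get(word, "unknown")


def build_sample(patched: bool) -> bytes:
    """Constructed zImage.gz: fake 32-byte header, gzip kernel, 16-byte trailer."""
    kernel = bytearray(64)
    word = MOV_R11_IMM0 if patched else MOV_R11_R0
    struct.pack_into("<I", kernel, 0x10, word)  # constructed call site at 0xC0008010
    return b"ZIMGHDR" + bytes(25) + gzip.compress(bytes(kernel)) + b"\xff" * 16


if __name__ == "__main__":
    kernel = extract_kernel(build_sample(patched=False))
    print(classify_patch_site(kernel, 0xC0008010), hex(va_to_file_offset(0xC02765F8)))
```

Running classify_patch_site on a real decompressed zImage at 0xC02765F8 tells you whether that kernel image still carries the original TracerPid path or has been patched.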

0x04 Flashing the new kernel

Reboot the phone into bootloader mode:

adb reboot bootloader

Flash the new boot image:

fastboot flash boot boot-new.img

Reboot:

fastboot reboot

If the phone fails to boot, flash the old kernel back:

fastboot flash boot boot-old.img

0x05 SELinux prevents IDA from debugging

After starting android_server as root on the phone and setting up port forwarding on the PC, IDA lists the debuggable processes normally, but selecting one gives the following error:

The debugger could not attach to the selected process.

This can perhaps indicate the process was just terminated, or that you don't have the necessary privileges.

After turning SELinux off it works normally; I don't know whether this is a MIUI-specific problem.

Check whether SELinux is enabled:

getenforce

Return values: Enforcing (enforcing mode), Permissive (permissive mode), Disabled (off)

Temporarily turn SELinux off:

setenforce 0

0 is off, 1 is on; it takes effect immediately after execution, no reboot required.

0x06 Summary

A workman who wants to do his job well must first sharpen his tools: having a basic debugging environment is very helpful for learning reverse engineering. Because many phone manufacturers do not release their system source code, the only way is to modify the kernel by reverse engineering; if the manufacturer has released the system source, compiling from source allows more modifications and lets you customize more kernel features. If the phone is supported by open-source Android projects such as LineageOS or CyanogenMod, you can also choose that excellent open source code to compile from.
