0x00 Preface
An Android app can be debugged only when its AndroidManifest.xml sets android:debuggable="true"; when android:debuggable is not set, the default is android:debuggable="false", so most published applications cannot be debugged. To debug one you have to unpack the APK, change the attribute and repack it, which is cumbersome and inefficient. The second condition is the ro.debuggable property in the kernel ramdisk's configuration file default.prop: with ro.debuggable=1, every application on the system is treated as debuggable, which looks like the better solution, since the kernel only has to be modified once and for all.
A common anti-debugging technique in Android applications is to read /proc/[pid]/status: if the process is being debugged, the TracerPid field holds the PID of the debugger process, and the program then takes its anti-debugging action.
0x01 Extract Kernel
Find the partition that holds boot:
ls -l /dev/block/platform/msm_sdcc.1/by-name
Extract the kernel:
dd if=/dev/block/mmcblk0p17 of=/data/local/boot.img
adb pull /data/local/boot.img boot.img
Unpack the boot image:
bootimg.exe --unpack-bootimg
The file structure after unpacking
0x02 modifying ro.debuggable
Set ro.debuggable=1 in the initrd/default.prop file.
0x03 Modifying the kernel file
Make a copy of the kernel as zimage.gz so the subsequent modifications are convenient.
Open zimage.gz in 010 Editor, search for the hex bytes 1F 8B 08 00 (the gzip magic) and delete all data before them, so the file becomes a standard gzip file that gunzip can unpack:
gunzip zimage.gz
The zimage produced by unpacking is the kernel binary.
Open the file in IDA and set the processor type to ARM little-endian.
Set both the ROM start address and the loading address to 0xc0008000.
In a root shell on the Android device, turn off kernel symbol address hiding:
echo 0 > /proc/sys/kernel/kptr_restrict
Look up the addresses of the proc_pid_status and __task_pid_nr_ns functions:
cat /proc/kallsyms | grep proc_pid_status
cat /proc/kallsyms | grep __task_pid_nr_ns
Why these two functions? According to the source in kernel/msm/fs/proc/array.c, proc_pid_status inlines the task_state function, and inside task_state the TracerPid value is obtained through __task_pid_nr_ns and then printed.
In IDA, press G to jump to the function at 0xc0187f88 (__task_pid_nr_ns), then press X to open the cross-reference list, where the caller 0xc02764b8 (proc_pid_status) is found.
Look at the call site:
The result of the call is stored in R11, so change the instruction mov R11, R0 to mov R11, #0; the machine code is B0 A0 E3, and the file offset is 0xc02765f8 - 0xc0008000 = 0x26e5f8.
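The address arithmetic and the one-word patch above, as an added example that is not from the original post: the kernel virtual address is converted to a file offset with the loading address from this section, and the word is only overwritten after confirming that the bytes at that offset really encode the original mov R11, R0 (the check a careless patch skips, and the usual reason a modified kernel fails to boot). The instruction encodings are standard ARM A32; the 16-byte image in demo_patch is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define KERNEL_LOAD_BASE 0xc0008000u   /* IDA loading address from section 0x03 */

/* ARM (A32) encodings, condition AL; stored little-endian in the file. */
#define MOV_R11_R0   0xE1A0B000u  /* original instruction at the call site      */
#define MOV_R11_IMM0 0xE3A0B000u  /* replacement: bytes 00 B0 A0 E3 on disk     */

/* Translate a kernel virtual address to an offset into the gunzipped zimage. */
uint32_t kva_to_file_offset(uint32_t kva)
{
    return kva - KERNEL_LOAD_BASE;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Patch one 32-bit word of an in-memory image, but only when the word at that
 * offset is exactly the expected original instruction. Returns false and
 * leaves the image untouched on an out-of-range offset or a mismatch. */
bool patch_word_checked(uint8_t *img, size_t img_len, uint32_t off,
                        uint32_t expect, uint32_t replace)
{
    if (img_len < 4 || off > img_len - 4)
        return false;
    if (read_le32(img + off) != expect)
        return false;
    write_le32(img + off, replace);
    return true;
}

/* Constructed sample: a 16-byte image with the original instruction at offset 8.
 * Returns 1 if the checked patch behaves as expected, 0 otherwise. */
int demo_patch(void)
{
    uint8_t img[16] = {0};
    write_le32(img + 8, MOV_R11_R0);
    if (!patch_word_checked(img, sizeof img, 8, MOV_R11_R0, MOV_R11_IMM0)) return 0;
    if (img[8] != 0x00 || img[9] != 0xB0 || img[10] != 0xA0 || img[11] != 0xE3) return 0;
    /* a second attempt must fail: the original instruction is no longer there */
    if (patch_word_checked(img, sizeof img, 8, MOV_R11_R0, MOV_R11_IMM0)) return 0;
    return 1;
}
```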
Re-compress the zimage:
gzip -n -f -9 zimage
Use 010 Editor to add the original kernel's header and trailer binary data back onto the new zimage.gz (the new zimage.gz must be smaller than the original zimage.gz; when writing it back, neither the size of the original kernel file nor the contents after the original kernel may change, otherwise things get very troublesome). This gives the new kernel file.
Add the header: data of length 3DEB (hex).
First insert placeholder bytes, then copy the header data to the front.
Add the trailer data.
Replace the original kernel file and regenerate boot.img:
bootimg.exe --repack-bootimg
0x04 Flashing the new kernel
Reboot the phone into bootloader mode:
adb reboot bootloader
Flash the new boot image:
fastboot flash boot boot-new.img
Reboot:
fastboot reboot
If the phone fails to boot, flash the old kernel back:
fastboot flash boot boot-old.img
0x05 SELinux causes IDA to fail to debug
After Android has started, run android_server as root and set up port forwarding on the PC; IDA can list the debuggable applications normally, but selecting a process produces the following error:
The debugger could not attach to the selected process.
This can perhaps indicate the process was just terminated, or that you don't have the necessary privileges.
After turning off SELinux it works normally; I do not know whether this is a MIUI-specific problem.
Check whether SELinux is enabled:
getenforce
Return values: Enforcing (enforcing mode), Permissive (permissive mode), Disabled (off).
Temporarily turn off SELinux:
setenforce 0
0 is off, 1 is on; it takes effect immediately after execution, no reboot required.
0x06 Summary
As the saying goes, a craftsman who wants to do good work must first sharpen his tools: having a basic debugging environment is very helpful for learning reverse engineering. Because many phone manufacturers do not release their system source code, the only option is to modify the kernel by reverse engineering; if the manufacturer has published the system source, building from source makes modifications easier and lets you customize more kernel features. If the phone has open-source Android support, such as LineageOS or CyanogenMod, you can also build from those excellent open-source code bases.