The seven weapons of dynamic debugging for Android are the secrets of Android

The seven weapons of dynamic debugging for Android are the secrets of Android

Seven Weapons for dynamic debugging in Android-Smali Instrumentation

Author: steamed rice @ aliyunju Security

 

0x00

As mobile security becomes increasingly popular, various debugging tools are emerging one after another. However, no tool is omnipotent due to different environments and requirements. In addition, the tool is dead, and people are active. If you can understand the principle of the tool and combine your own experience, you can also create your own debugging weapon. Therefore, I will share some debugging tools and methods that I often use or original in this series of articles (7 in total, it is hoped that the research on mobile security in China will play a catalyst role.

 

0x01 swordsmanship

Changsheng sword is a magic sword, which is used by baibaijing. The name of the sword is derived from Li Bai's poem: "The Fairy caws me to the top, and sends and receives a long life ." Changshengjian is the first weapon of the Seven Weapons series, and the debugging method I will introduce next is also the earliest debugging method I learned, and this method is like changshengjian, simple and always have good results. This method is Smali Instrumentation, also known as Smali plug-in. The biggest advantage of using this method is that you do not need to perform the root operation on the phone, and you do not need to specify the android version. If you use tricks in combination, it will have unexpected results.

 

0x02 Sm Ali/baksmali

The first thing that comes into contact with Android in reverse engineering is the smali language. smali was first proposed by Jasmin, and then the most famous smali and baksmali tools developed by jesusfreke will be carried forward, almost all static analysis tools on dex are built on this project. What? Have you heard of smali and baksmali? Have you used Apktool only? If you carefully read the instructions on the official Apktool website, you will find that Apktool is actually a tool that combines various tools. I suggest that you abandon Apktool from now on. The reasons are as follows: First, Apktool updates are not frequently performed by smali/baksmali. After smali/baksmali is updated, it will take a short time to merge it into Apktool, before that, you may have to endure many strange bugs. Second, when Apktool decompiling or repackaging dex, if an error occurs, only the error exception information is provided. However, if you use smali/baksmali, the tool will tell you the specific cause of the error, which will be of great help for debugging after repackaging. Finally, many apks add a lot of junk code to the resource file to deal with anti-debugging, which causes the parsing of Apktool to crash, resulting in decompilation failure or re-packaging failure. However, if you only operate on classes. dex, these problems will not occur.

The best way to learn about smali is to write a program in java first, convert it into a smali statement in baksmali, and then compare and learn. For example, the following is a comparative analysis of the java code and the smali file decompiled with baksmali.

The MZLog class uses Log. d () to output debugging information. The Java code is as follows:

 

The corresponding smali code is as follows:

 

Finally, we will briefly introduce common data types of smali:

 

0x03 Smali plug-in

If you only use Smali to analyze the code, the result is actually less intuitive than using dex2jar and jd-gui. After all, it is easier to look at the decompiled java code. But the power of Smali is that you can insert a pile as you like. What is plug-in? reference wiki: program plug-in was first written by J.C. professor Huang proposed that it inserts some probes (also called "Detectors") into the program to ensure the original logic integrity of the program to be tested "), by executing the probe and throwing out feature data of the program running, you can analyze the data to obtain the control flow and data flow information of the program, and then obtain dynamic information such as logical coverage, to achieve the purpose of testing. Next I will use an example to explain how to implement the smali plug-in.

 

The test program is a simple crackme (figure 1 ). Enter the password and click check. If the password is correct, yes is output; otherwise, no is output.

Figure 1 interface of Crackme1

 

First, decompress the crackme apk and decompile it. We will see a getkey (String, int) function in MainActivity. This function seems very complicated, so we don't care about it for the time being. First, let's analyze the logic behind the button. We found that the program will calculate the real password through getkey ("mrkxqcroxqtskx", 42), and then compare it with the password we lost. The java code is as follows:

 

 

This is the time for smali plug-ins to show their skills. We can use the plug-in to directly obtain the return value of the getkey ("mrkxqcroxqtskx", 42) function, and then Log it out. In this way, we do not need to study the implementation of the getkey function. The specific process is as follows:

1. decompress the apk and decompile it with baksmali.

 

2. copy the smali file to the com/mzheng directory. This file has three LOG functions that can output the values of String, Object, and Object arrays respectively. Note: If the original program does not contain the com/mzheng directory, you need to create it using mkdir. After the copy, the directory structure is as follows:

 

3. Open the MainActivity $1. smali file in a text editor. Why is it MainActivity $1. smali instead of MainActivity. smali? The main judgment logic is in the OnClickListener class, which is an internal class of MainActivity. At the same time, we didn't declare a specific name for this class during implementation, therefore, this class is represented by $1. Add MZLog. after the smali file, we only need. add a line of code after the second line of smali, invoke-static {v1}, Lcom/mzheng/MZLog;-> Log (Ljava/lang/Object;) V, you can output the value of getkey. Invoke is a method call command. Because the class we want to call is a static method, invoke-static is used. If it is a non-static method, the first parameter should be the instance of the method, followed by each parameter. The specific insert conditions are as follows:

 

4. Use smali. jar to re-compile the modified smali file, overwrite the newly compiled classes. dex with the old classes. dex, and then use signapk. jar to sign the apk. Several key commands are as follows:

 

5. Install the program on android. Enter anything and click the check button. Then, you can see getkey ("mrkxqcroxqtskx", 42) in logcat) the return value of this function (figure 2 ).

Figure 2 get the getkey return value through logcat

 

0x03 modify Smali

Through the Smali/baksmali tool, we can not only plug-ins, but also modify the apk logic. Note the following:

 

1. if condition judgment and jump statement

The most common condition in smali is the if condition to determine the jump statement. This judgment has 12 commands:

 

 

For example, the smali code segment in crackme1 to determine whether the password is correct:

 

If we don't care about the password content, we just want the program to output "yes. We can change if-eqz v1,: cond_25 to if-nez v1,: cond_25. The logic becomes: when the wrong password is entered, the program will output "yes ".

 

2. Register Problems

Note the register when modifying Smali. Otherwise, the program may crash. The number of registers is declared at the beginning of each method, which is the sum of parameters and local variables. All parameters are represented by P. If the non-static method p0 represents this, the p1-pN represents each parameter. For a static method, the p0-pN represents each parameter. The local variables are all expressed in v. If you want to add a new local variable, you need to increase the number of registers at the beginning of the method.

For example, the following method:

 

Because this is not a static method, p0 represents this. If you want to add a new local variable, such as v0. Change. registers 1 to. registers 2.

 

3. Add a lot of logic to the original program

I do not recommend that you add a lot of logic to the original method of the program. This may cause many register errors and cause compilation failure. The better way is to write the logic to be added into an apk in java and decompile the apk into a smali file, then, insert the decompiled smali file of this logic into the smali folder of the Target Program, and then call the newly added logic using the invoke method in the original method. In this way, no matter how much logic is added, it only modifies several lines of code of the original program. This idea is also a common method for repackaging viruses, which is very convenient and easy to use.

 

0x04 APK signature Tricks

In practice, we sometimes encounter some apks that implement their own signature checks internally. The Smali Instrumentation method we introduced this time will change the original signature because it needs to be repackaged. Of course, you can delete the signature check logic by modifying the apk, which is time-consuming and laborious. Here I will briefly introduce two very convenient methods to solve the signature check problem.

 

1. Masterkey

There are three Masterkey vulnerabilities, which can affect versions earlier than android 4.4. With this vulnerability, We can insert a new classes. dex to replace the original classes. dex without re-signing the apk itself. If the apk has the signature verification logic, it would be better to use this vulnerability for Smali Instrumentation. First, you need a virtual machine or a real machine of android 4.4 or earlier, and then use a masterkey to use the tool to exploit the apk. The command used at the end of the document is as follows:

 

Orig.apkis the original apk file. moddedclassesdex.zipis the modified classes.dexand compressed into a zip file. out.apk is a new apk file generated using the Masterkey vulnerability. If the file is successfully opened with rar, two classes. dex are displayed.

Figure 3 the apk file generated by Masterkey has two classes. dex files.

The signature of the apk file after the masterkey is packaged does not change, so you do not have to worry about signature verification.

 

2. Custom ROM

Signature judgment actually calls the password library function of the android system. If we can customize the ROM, you only need to modify libcore \ luni \ src \ main \ java \ security \ MessageDigest in the aosp source code path. java file. Comment out the judgment statement in the isEqual function:

 

In this case, if you run the apk on your custom ROM, no matter how you modify the classes. dex file, you do not need to worry about the signature. The system will always return the correct signature.

 

0x05 Summary

Although more and more apks are now using so files for logical processing and reinforcement, android 4.4 is also added to the art runtime environment, but dalvik is always the most classic of android. If you want to learn android reversely, you must learn this knowledge well. After thoroughly studying smali, it will be of great help to customize the dalvik virtual machine. In addition, all the code and tools mentioned in the article can be downloaded from my github at: https://github.com/zhengmin1989/TheSevenWeapons

 

0x06 references

Way of the AndroidCracker http://androidcracking.blogspot.hk/p/way-of-android-cracker-lessons.html

Android Master Key Exploit-Uncovering Android Master Key

Https://bluebox.com/technical/uncovering-android-master-key-that-makes-99-of-devices-vulnerable/

Https://github.com/Fuzion24/AndroidZipArbitrage

Min Zheng, Patrick P. C. Lee, John C. S. Lui. "ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-Virus Systems", DIMVA 2012

 

Author: steamed rice @ Ali poly security. For more security technical articles, please visit the Ali poly security blog