Shulou(Shulou.com)06/02 Report--

This article is about what Android App common reverse tools and skills are, the editor feels very practical, so share with you to learn, I hope you can get something after reading this article, say no more, follow the editor to have a look.

Preface

This paper mainly introduces some tools and tips that individuals often use in Android App reverse analysis. When it comes to Android inversion, we have to mention the commonly used reverse analysis artifact, IDA,jadx,Android Killer,JEB.

Introduction to common tools

Jadx is a very good apk decompilation tool, which can directly convert apk to java source code, high code reduction, cross-indexing and so on. Take an open source tool as an example, decompiled structure diagram

Code display effect:

Excluding the impact of confusion, on the whole, the display effect of the code is basically the same as the original project, very logical, right-click can also view the reference of methods and variables, but jadx has many shortcomings, slow speed, and does not support variables, method renaming, etc., in view of confusion code analysis is somewhat inadequate, here recommend another tool JEB.

JEB is a very good Android reverse analysis tool, the new version of JEB has also supported app dynamic debugging, but due to instability, it is not recommended for the time being, this article uses version 1.5, because most people have come into contact with JEB, but also know the common features of JEB, this article mainly explains another function of JEB, scripting function, example app for RE manager. After decompilation, you can see:

In order to solve this problem, we can try to write a script to restore these strings, open idea, create a new java project, import jeb.jar (the file can be found in the JEB directory), * step, we need to know what method JEB needs to traverse. Here we call the new String method to convert the byte array to string. Then you need to match the new String method here, as follows

Next you need to have JEB enumerate all the methods

The main purpose here is to enumerate all the methods referenced to the signature by using the plug-in function of JEB. The advantage is that it saves the time of matching and replacing later. After finding the key points, the replacement and decryption operations will begin naturally.

Here, we mainly traverse and iterate the elements in all methods. After getting the elements, we first need to filter them. Because it is new String, we need to judge whether the current type is New, and if so, we need to match whether the signature value is consistent with the value set above. When the match is successful, we can take the value in the element. After getting the value, we also need to carry out corresponding processing to convert the type into the byte array we need. If we decrypt and replace it in the future, the overall logic and implementation are not complicated, and the above screenshots are all made detailed notes, and the screenshots after the missing screenshot are also made:

This makes it much easier to analyze, of course, here is just a simple example of new String, the same script can be slightly modified to decrypt encryption operations such as des,aes,base64.

Of course, when it comes to reverse engineering, the tool we have to mention is IDA. As a reverse analysis tool adapted to multiple platforms, it is also highly used on Android. The powerful disassembly feature and F5's ability to convert pseudo C code provide convenience for analysts. The following CrackeMe is demonstrated:

Common native methods include static registration and dynamic registration. Static registration starts with java and is named after the path of the class, so it can be easily found. Double-click the method to go to the assembly code. After F5, it is found that a lot of code has been lost, as shown below:

Press the spacebar in the assembly code state to switch to the flowchart, as follows:

It is found that two entry points are identified in this method, resulting in a lot of code not being recognized and finding the end of * branches.

Select Edit- > function- > removefunction tail in the menu bar, then click the menu bar Edit- > other- > forceBL call in the modified place, and then this F5 will display all the codes normally.

The dynamic registration method is a little more troublesome than static registration in finding key points, and dynamic registration is bound to deal with these functions in jni_Onload. Take a so as an example, the code after F5 is as follows

You can see a lot of offset addresses here, which are actually the relative positions of the pointer in the jniEnv. You can automatically identify them by importing the jni header file, which can be easily downloaded on the Internet. After import, right-click Convert to Struct and the code is as follows:

You can see clearly here that you call the RegisterNatives method to register two methods, while off_8004 records the offset address of the method, and double-click to enter:

You have seen the corresponding contents of the two methods, _ Z10verifySignP7_JNIENVP8_jobect and _ Z13getentyStringv. Double-click to jump to this method. Of course, these are all basic features for ida, and the new version of IDA supports direct patch of bytecode without recording the modified address as before. Use a hexadecimal editor to modify the bytecode. Examples are as follows:

At 000025C6, I called a method to detect whether the program is currently in a debug state. If the program is connected by the debugger, it will crash automatically. ReadStatus is a void method with no parameters and return values. The idea is very simple. Nop this method and then repackage it to debug normally. Select Options- > General on the menu bar.

Just change 0 to 4 here.

At this point, the machine code corresponding to each instruction has been displayed. You can see that readStatus is an arm instruction. The modification method is very simple. The common nop method can replace the machine code with all zeros.

Click to modify the instruction and select Edit- > patch program- > changebyte in the menu bar. Change the first 4 bytes to 00 00 00. The effect is as follows:

You can see that the anti-debugging method has been cleared, so how to save the modified file is also very simple. Click Edit- > patchprogram- > Apply patches to Input file in the menu bar, and click ok directly. Of course, there are many tips for ida. For example, if you change the default port of android_server during dynamic debugging, you can filter out the detection of port 23946 by anti-debugging. The command is-p123,123 as the port number. Remember that there is no space between-p and the port number.

* what I want to introduce is Android Killer. Ak is a good apk decompilation and integration tool with good smali display and editing functions.

Of course, as a decompiler, these are the most basic functions. Ak has a powerful function of code insertion, which can be encapsulated slightly to quickly insert code. For example, the log plug-in implemented by individuals is converted into a smali plug-in on the basis of the open source project LogUtils. It supports one-click output of any basic type of data and data types such as json,Intent, and the way to use it is also very simple. Right-click to insert the code

The code is just one sentence, in which p0 is the register that needs to be printed, and in the static method, p0 represents the first input parameter. In reverse engineering, code stuffing can help us to analyze the data. I have released all these plug-ins to the network and can be downloaded.

These are the common reverse tools and skills of Android App. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.