A brief introduction to Android reverse engineering tools

1. Android reverse engineering overview

[Figure: Android APK generation process]

1. What is Android reverse engineering

  • In Android development, packaging code and resource files into an APK mainly involves compiling, encrypting and packaging. Android reverse engineering runs in the opposite direction: decompressing, decrypting and decompiling.
  • Put bluntly, Android reverse engineering means recovering the source code of an APK; some gray-market operators go further, modify part of the application and then repackage it.
  • Used properly, it is a security discipline: many large companies employ Android reverse engineers who are responsible for the security of the company's own applications, "using one's own spear against one's own shield" to test and harden them.
  • We Android developers also use reverse engineering tricks from time to time to see how a particular feature of a competing app is implemented.

2. Reverse engineering process

  • The APK file installed on an Android device can be regarded as an encrypted compressed package; reverse engineering tries to restore, as far as possible, the source code of the APK as it was before packaging.
  • Reverse engineering relies on decryption, decompilation, decompression and related techniques. Restoring 100% of an APK's source code is almost impossible, so in practice the APK is analyzed with a specific goal in mind: recover the part of the source code and implementation logic relevant to that goal, modify it, and package the result together with the original APK to obtain an app that serves that purpose.

3. Uses of reverse engineering

1) Scripts that automate an app

Consider this scenario: on a certain day at a certain time, an app promotes a coupon-collection campaign. Simply logging in to an account and opening the collection page yields a 100 yuan voucher with no spending threshold. Obviously this is a campaign that can be farmed ("wool-pulling"). If I collect 100 accounts and use some means to make sure each account grabs a voucher that day, I get 100*100 = 10,000 yuan in vouchers; selling those coupons online at a 30% discount earns 7,000 yuan. Isn't that cool?! Through Android reverse analysis, I can turn the login and coupon-collection actions into a plug-in that runs automatically. I first store all the account names and passwords for later use; when the coupon window opens, the plug-in logs in and claims the coupon immediately, and once one account has collected its coupon it automatically switches to the next account, so the coupons from all accounts are collected in one go. This is one use of Android reverse engineering: executing a series of app actions automatically and in bulk. Bulk logins, likes and comments can be achieved the same way.

2) Modifying app functionality

You may have run into this: some apps keep prompting you to update, and some refuse to work until you do, but you simply don't want to update. Reverse engineering can be used here too, to modify some of the app's behavior: through reverse analysis, locate the code that triggers the update check and block it, so the update prompt no longer appears when the app is opened.

3) App security
  • This mainly means decompiling and debugging Android mobile apps to analyze their security, including app vulnerabilities, anti-decompilation measures, anti-cracking and code injection; completing specific tasks based on the vulnerabilities and data found; and analyzing how the cheat plug-ins on the market work and are produced.
  • Some gray industries look for weaknesses in an application to attack, or implant viruses and insert advertisements into an application and then repackage and distribute it. Because of this, security staff need reverse engineering to obtain the source code of Android malware for analysis.

2. Commonly used reverse engineering tools

1. App packet-capture tools

1) Fiddler
  • Fiddler is a powerful packet-capture tool. It works as a web proxy server: the proxy address is 127.0.0.1 and the default port is 8888, which can be changed in the settings.
  • Fiddler is an HTTP debugging proxy. It can record and inspect all HTTP communication between your computer and the Internet, set breakpoints, and show all data passing "in and out" of Fiddler (cookies, HTML, JS, CSS and other files).
  • Proxy (intermediary): a proxy sets up a checkpoint between the client and the server. When the client sends request data, the proxy intercepts the packet and, posing as the client, forwards the data to the server; likewise, when the server returns response data, the proxy intercepts it and returns it to the client.
  • Fiddler can capture the packets of any program that supports an HTTP proxy. To capture HTTPS sessions, you must first install Fiddler's certificate. (Note: on iOS the certificate also has to be trusted in Settings, otherwise some HTTPS traffic will not be captured.)
  • Key point: the computer running Fiddler and the mobile phone must be on the same Wi-Fi network.
2) Wireshark
  • Wireshark is a very popular and very powerful network packet analyzer that can capture all kinds of network packets and display their details.
  • Using Wireshark requires familiarity with the relevant network protocols.
  • For security reasons, Wireshark can only view packets; it cannot modify their contents or send packets.
  • Wireshark can capture HTTP and HTTPS, but it cannot decrypt HTTPS, so it cannot read HTTPS content. For HTTP and HTTPS, use Fiddler; for other protocols such as TCP and UDP, use Wireshark.
  • Wireshark's strength is that it not only captures packets but also analyzes the captured data further. Analysis of a pcap capture can be divided into:
    • Filter function: enter filter rules and display the packets that match them
    • Statistics function: an overview of all or some of the packets
    • Analysis functions: apply certain fields as filters, and enable or disable certain protocols
    • Find function: find a specific value in all or some packets
    • View function: view the byte stream of a field, packet or session

2. jadx decompilation tool

  • jadx is a powerful decompiler that is simple and convenient to use (drag-and-drop). It provides both a command-line program and a GUI program; in general, the GUI program can be used directly.
  • jadx supports Windows, Linux and macOS and can open files in .apk, .dex, .jar, .class, .zip and other formats.
  • To decompile a jar package and view its source code, drag the jar directly into jadx; to see the source code of an APK, drag the APK into jadx once you have it.
  • jadx: command-line version; jadx-gui: GUI version.
  • Common functions:
    • Search: jadx has a powerful search function supporting several matching modes. It is opened through the Navigation menu, and you can search for specified classes, methods, fields, code, files and even comments.
    • Viewing usages of a class, variable or method: for any class, variable or method you can see where it is used. Select it, right-click and choose Find Usage; jadx will quickly list every place it is used throughout the project.
    • Adding comments: you can also write custom comments into the source code. Select the position, right-click and choose Comment.
    • Deobfuscation: in general, to protect a project, the code is obfuscated and encrypted before an APK is packaged and released, for example by renaming classes, variables and methods to meaningless short names so that the code is not easily cracked and leaked. Obfuscated code is functionally unchanged, but the semantic information in some names is removed. To improve readability, the code can be deobfuscated; in jadx this is enabled through Tools -> Deobfuscation.

3. APKDB

APKDB is an APK decompilation and modification program for Android that integrates the most powerful APK and Dex file compilation tools available today. After installation it adds a shortcut to the [right mouse button] context menu, which is very convenient for localization workers who need to perform simple decompilation and recompilation of APK or Dex files.

Main usage scenarios:

  • Viewing XML resource files, mainly AndroidManifest.xml
  • Signing APK and ZIP files: just click the [right mouse button] and select [Sign XX file]. There is no need to delete the original [META-INF] signature data before signing; the tool distinguishes APK from ZIP and removes the old signature data automatically.
  • Under Windows, the APK's own icon is displayed, which makes it easy to tell which app is about to be decompiled.

4. Frida hook tool

Frida is a hook framework based on Python + Java. It is an open-source, free, cross-platform hook tool that runs on Windows, iOS, Linux, Android and other platforms, and it is mainly based on dynamic binary instrumentation.

Hook tools on the Android platform include Xposed, which usually only hooks the Java layer, and every time the hook logic is changed the APK on the target device must be updated, which is inconvenient. Frida is different: it supports hooking not only the Java layer but also the native-layer .so libraries, and when the logic changes there is no need to install a new APK on the target device, because the hook logic is not packaged into an APK; you can run the script directly after writing it and see the effect. This is very convenient, saves a lot of time and effort, and improves efficiency. In addition, Xposed can only hook Android, while Frida works on all systems, which makes it arguably the best choice for hooking.

  • Main features:

    • Platforms: Android, iOS, Windows, Linux, macOS, etc.
    • On Android, hooking is supported not only at the Java layer but also at the native layer (.so library files).
    • Hook scripts can be written in Python or JS syntax.
    • A VSCode extension provides Frida syntax IntelliSense, so you don't have to worry about typing the API by hand.
  • Instrumentation
    Instrumentation means injecting extra code into a program to collect runtime information. It can be divided into two types:

    • Source code instrumentation (SCI): extra code is injected into the program's source code.
    • Binary instrumentation: extra code is injected into the binary executable.
      • Static binary instrumentation (SBI): extra code and data are inserted before the program runs, producing a permanently changed executable file.
      • Dynamic binary instrumentation (DBI): extra code and data are inserted in real time while the program runs, without any permanent change to the executable file.
  • DBI can be used to:
    (1) access the memory of the process
    (2) override functions while the application is running
    (3) call functions from imported classes
    (4) find object instances on the heap and use them
    (5) hook, trace and intercept functions, etc.
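The Java-layer and native-layer hooking described above, as an added example written against Frida's JavaScript API (not code from the original post or from the Frida project). It assumes the target process uses android.util.Log and libc's open(); those are real symbols, but the choice of what to trace is illustrative.

```javascript
// Added example, not from the original post: a Frida script (Frida's JS API)
// that installs a Java-layer hook and a Native-layer hook at the same time.
// Assumed targets: android.util.Log (Java) and libc's open() (native); both are
// real symbols, but what to trace is an illustrative choice for this example.
// Java-layer hook table: class -> methods to trace (constructed for this example).
const JAVA_HOOKS = [{ cls: 'android.util.Log', methods: ['d', 'i', 'w', 'e'] }];
// Native-layer hook table: an exported symbol in a loaded .so (constructed).
const NATIVE_HOOKS = [{ lib: 'libc.so', symbol: 'open' }];

// Renders one intercepted call as a single log line (pure JS, no Frida API).
function formatCall(layer, name, args) {
  const shown = args.map(a => (a === null || a === undefined) ? 'null' : String(a));
  return `[${layer}] ${name}(${shown.join(', ')})`;
}

// Hooks every overload of each listed Java method; the original still runs.
function installJavaHooks() {
  Java.perform(function () {
    JAVA_HOOKS.forEach(({ cls, methods }) => {
      const klass = Java.use(cls);
      methods.forEach(m => {
        klass[m].overloads.forEach(ov => {
          ov.implementation = function () {
            const args = Array.prototype.slice.call(arguments);
            console.log(formatCall('java', `${cls}.${m}`, args));
            return ov.apply(this, arguments);   // call the original method
          };
        });
      });
    });
  });
}

// Attaches to the native export and logs its first argument (the path for open()).
function installNativeHooks() {
  NATIVE_HOOKS.forEach(({ lib, symbol }) => {
    const addr = Module.findExportByName(lib, symbol);
    if (addr === null) return;                  // library not loaded (yet)
    Interceptor.attach(addr, {
      onEnter(args) {
        console.log(formatCall('native', symbol, [args[0].readUtf8String()]));
      }
    });
  });
}

// Java and Interceptor exist only inside Frida's runtime; skip when run elsewhere.
if (typeof Java !== 'undefined' && typeof Interceptor !== 'undefined') {
  installJavaHooks();
  installNativeHooks();
}
```

Load it into a running process with the frida CLI (for example `frida -U -l hook.js <process>`); editing the script and reloading it needs no repackaging of the APK, which is the advantage over Xposed described above.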

5. IDA disassembly tool

IDA Pro is an interactive disassembler and debugger for static and dynamic analysis of executable binaries. It can analyze binaries in many formats from many platforms, such as ELF, Windows PE, Android dex, Java .class, Python .pyc, etc. IDA's core processor modules can even be extended through the SDK to support analysis of custom binary formats.

1) Why disassemble
  • Analyze malware.
  • Analyze closed source software for vulnerabilities.
  • Analyze the implementation and interoperability of closed-source software.
  • Analyze the code generated by the compiler to verify the compiler's optimization options and correctness.
  • Work together with the debugger to display program instructions.
2) How to disassemble

Rough process:

  • Identify the areas of code that need to be disassembled (not as simple as it seems, since instructions and data are often mixed together).
  • Read the instructions one by one, look each up in a table, and output its assembly-language representation (this must handle variable instruction lengths, prefixes that change instruction behavior, determining instruction operands, etc.).
  • Determine where each function starts and ends.

There are two commonly used methods of disassembly:

  • Linear scan method.
  • Recursive descent method.

Relatively speaking, the linear scan method is easier to implement, and objdump uses it. Its main disadvantage is that it cannot reliably separate instructions from data, so sometimes data is mistakenly disassembled as instructions. The recursive descent method is built on the concept of control flow: whether a byte sequence is disassembled as an instruction depends on whether it is referenced by another instruction, which largely overcomes the shortcoming of the linear scan method. IDA Pro uses the recursive descent method for disassembly.
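To make the difference between the two methods concrete, here is an added example (not from the original post) with a toy disassembler for a constructed 8-bit instruction set: the linear scan decodes a data table that follows an unconditional jump as if it were code, while recursive descent only decodes what control flow can reach. The instruction set, opcode values and sample bytes are all assumptions made for this example.

```javascript
// Added example, not from the original post: a toy disassembler contrasting
// linear scan (as in objdump) with recursive descent (as in IDA Pro). The 8-bit
// instruction set is an assumption for this example: NOP=00, MOV imm8=01 xx,
// JMP rel8=02 xx, JZ rel8=03 xx, RET=04; rel8 is signed, relative to the jump's end.
const OPS = { 0x00: ['NOP', 1], 0x01: ['MOV', 2], 0x02: ['JMP', 2], 0x03: ['JZ', 2], 0x04: ['RET', 1] };

// Decodes one instruction at pc; unknown bytes become 1-byte DB (raw data).
function decode(code, pc) {
  const op = OPS[code[pc]];
  if (!op || pc + op[1] > code.length) {
    return { pc, mnem: 'DB', len: 1, text: `DB 0x${code[pc].toString(16)}`, target: null };
  }
  const [mnem, len] = op;
  let text = mnem, target = null;
  if (mnem === 'MOV') text = `MOV ${code[pc + 1]}`;
  else if (len === 2) {                                 // JMP / JZ: sign-extend rel8
    target = pc + len + ((code[pc + 1] << 24) >> 24);
    text = `${mnem} ${target}`;
  }
  return { pc, mnem, len, text, target };
}

// Linear scan: decode byte after byte, ignoring control flow entirely.
function linearScan(code) {
  const out = [];
  for (let pc = 0; pc < code.length; ) {
    const insn = decode(code, pc);
    out.push(insn);
    pc += insn.len;
  }
  return out;
}

// Recursive descent: decode only addresses reachable from the entry point.
function recursiveDescent(code, entry = 0) {
  const seen = new Map(), work = [entry];
  while (work.length > 0) {
    const pc = work.pop();
    if (pc < 0 || pc >= code.length || seen.has(pc)) continue;
    const insn = decode(code, pc);
    seen.set(pc, insn);
    if (insn.mnem === 'RET') continue;                  // no successor
    if (insn.target !== null) work.push(insn.target);   // branch target
    if (insn.mnem !== 'JMP') work.push(pc + insn.len);  // fall-through (none after JMP)
  }
  return [...seen.values()].sort((a, b) => a.pc - b.pc);
}

// Constructed sample: MOV 42; JMP over a two-byte data table (02 04); RET at 6.
const SAMPLE = Uint8Array.from([0x01, 0x2a, 0x02, 0x02, 0x02, 0x04, 0x04]);
```

On SAMPLE, linearScan emits a bogus "JMP 10" for the data bytes at offset 4, whereas recursiveDescent never decodes offset 4 because nothing references it.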

3) Basic functions of IDA Pro:
  • Perform static analysis on executables.
  • Modify the executable file and generate a patch.
  • Debug executables. (Dynamic Analysis)
4) IDA directory structure

There are many folders under the IDA installation root directory, each storing different content:

  • cfg: various configuration files, including the basic IDA configuration file ida.cfg, the GUI configuration file idagui.cfg and the text-mode user interface configuration file idatui.cfg
  • idc: the core files required by IDA's built-in scripting language, IDC
  • ids: symbol files
  • loaders: loader modules for identifying and parsing file formats such as PE and ELF
  • plugins: additional plugin modules
  • procs: processor modules
5) Commonly used shortcut keys

The shortcut keys in IDA correspond one to one with the options in the menu bar; as long as you can find a function in the menu bar, you can also see its shortcut key next to it. A few commonly used ones:

  • A: convert the data at the cursor to a string
  • F5: one-click disassembly
  • Space: switch between the graph (flowchart) view and the linear text view
  • Tab: switch between C pseudocode and assembly
  • Esc: back key, returns to the view before the previous operation (only in the disassembly window; pressing Esc in other windows closes them)
  • Shift+F12: open the Strings window, which lists all strings at once; right-click Setup to set the window's properties
  • Ctrl+W: save the IDA database
  • Ctrl+S: select a data segment and jump directly to it
  • Ctrl+mouse wheel: adjust the size of the graph view
  • X: press over a function or variable to view its cross-references
  • G: jump directly to an address
  • N: rename a variable
  • Y: change the type of a variable
  • /: write a comment in the decompiled pseudocode view
  • \: hide/show the type declarations of variables and functions in the decompiled pseudocode view; hiding them makes reading much easier when there are many variables
  • ;: write a comment in the disassembly view
  • Ctrl+Shift+W: take an IDA snapshot
  • U: undefine a function, code or data definition
6) Common settings
  • Take a snapshot

    Since IDA does not provide an undo function, an accidental keypress that changes the IDA database means starting over, so remember to take a snapshot during frequent operations: File -> Take database snapshot

    After the snapshot is taken, a new IDA database file is generated; it is essentially a save operation.

    Shortcut key: Ctrl+Shift+W

  • View -> Open subviews: restore a data window you accidentally closed

  • Windows -> Reset desktop: restore the initial IDA layout

  • Options -> Font: change the font attributes

Source: blog.csdn.net/johnWcheung/article/details/127507686