Preface

This article introduces the tools and tricks I use most often when reverse engineering Android apps. Any discussion of Android reverse engineering has to start with the commonly used analysis tools: IDA, jadx, Android Killer, and JEB.

Introduction to common tools

jadx is an excellent apk decompiler that converts an apk directly into Java source code. Its code recovery is good and it supports cross-references. Taking an open-source tool as the example, the decompiled project keeps its package structure, and apart from the effects of obfuscation the decompiled code reads much like the original project, with the logic intact. Right-clicking a method or variable lists its references.

jadx also has clear shortcomings, though: it is slow, it does not support renaming variables and methods, and it is of little help on obfuscated code. For that, another tool is recommended: JEB.

JEB is a very good Android reverse-analysis tool. Newer versions also support dynamic debugging of apps, but this is unstable and not yet recommended; this article uses version 1.5. Since most people have used JEB and know its everyday features, this article mainly covers a less-used one: scripting.

The sample app is RE Manager. After decompilation, most strings inside the methods have been turned into byte arrays, which makes reverse analysis difficult. To deal with this, we can write a script that restores the strings. Open IDEA, create a new Java project, and import jeb.jar (found in the JEB directory).

The first step is to determine which method the script needs to look for.
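For reference, here is the same byte-array-to-string restoration written as a standalone Python script that rewrites decompiled Java text (for example jadx output) rather than JEB's AST. This is an added example, not the JEB plugin the article walks through; the `new String(new byte[]{...})` and `new String(Base64.decode(...))` forms it handles are assumptions about what the decompiler emits, and the sample source is constructed here.

```python
"""Restore strings that an obfuscator turned into `new String(new byte[]{...})`
calls, by rewriting decompiled Java source text (e.g. jadx output).
Added example: a standalone text rewriter, not the JEB AST script the article
describes. The handled forms are assumptions about the decompiler's output."""
import base64
import re

# new String(new byte[]{104, 101, ...})  with an optional trailing charset
BYTE_ARRAY_RE = re.compile(
    r'new\s+String\s*\(\s*new\s+byte\s*\[\s*\]\s*\{([^}]*)\}'
    r'(?:\s*,\s*"([^"]+)")?\s*\)')
# new String(Base64.decode("...", flags))  (android.util.Base64 style)
BASE64_RE = re.compile(
    r'new\s+String\s*\(\s*Base64\.decode\s*\(\s*"([^"]*)"\s*,\s*\d+\s*\)\s*\)')


def parse_byte_list(body: str) -> bytes:
    """Turn a Java array body such as "104, (byte) -61, 0x7f" into bytes.
    Java byte literals are signed, so negative values are wrapped to 0..255."""
    out = bytearray()
    for tok in body.split(','):
        tok = re.sub(r'\(\s*byte\s*\)', '', tok).strip()  # drop (byte) casts
        if not tok:
            continue
        val = int(tok, 16) if tok.lower().lstrip('-').startswith('0x') else int(tok)
        out.append(val & 0xFF)
    return bytes(out)


def java_escape(text: str) -> str:
    """Escape text so it can be emitted as the body of a Java string literal."""
    simple = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r', '\t': '\\t'}
    out = []
    for ch in text:
        if ch in simple:
            out.append(simple[ch])
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            # non-ASCII: emit Java \u escapes per UTF-16 code unit
            u16 = ch.encode('utf-16-be')
            for i in range(0, len(u16), 2):
                out.append('\\u%02x%02x' % (u16[i], u16[i + 1]))
    return ''.join(out)


def restore_strings(java_src: str) -> str:
    """Replace every decodable byte-array / Base64 construction with a literal.
    Arrays that are not valid text in the given charset are left untouched."""
    def from_bytes(m):
        try:
            text = parse_byte_list(m.group(1)).decode(m.group(2) or 'utf-8')
        except (UnicodeDecodeError, LookupError, ValueError):
            return m.group(0)
        return '"%s"' % java_escape(text)

    def from_base64(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return '"%s"' % java_escape(text)

    return BASE64_RE.sub(from_base64, BYTE_ARRAY_RE.sub(from_bytes, java_src))


# Constructed sample of decompiled code (not from the article's app).
SAMPLE = '''
String url = new String(new byte[]{104, 116, 116, 112, 115, 58, 47, 47});
String key = new String(new byte[]{0x41, 0x42, (byte) -61, (byte) -87}, "UTF-8");
String b = new String(Base64.decode("c2VjcmV0", 0));
byte[] blob = new byte[]{1, 2, 3};
'''

if __name__ == '__main__':
    print(restore_strings(SAMPLE))
```

Arrays that do not decode as text in the stated charset are left as they were, so binary blobs such as keys or IVs survive the pass; the same structure (match a constructor, decode the argument, emit a literal) is what a DES or AES variant would extend with the cipher call.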
Here the `new String(byte[])` constructor is what converts the byte array into a string, so the script needs to match the `new String` call by its signature. Next, JEB has to enumerate all methods. Here we use JEB's plugin API to enumerate only the methods that reference that signature, which saves time in the matching and replacement that follow. Having found the key point, the replacement and decryption can start. The main work is to iterate over the elements of every matched method. Each element is filtered first: since the target is `new String`, check whether the element's type is New, and if so compare its signature with the one set above. On a match, read the value from the element, convert it into the byte array we need, decrypt it, and replace the element with the resulting string. The overall logic is not complicated, and the script's screenshots are annotated in detail. After the script has run, the strings are restored and analysis is much easier. This is only a simple example for `new String`; the same script can be modified to decrypt DES, AES, Base64 and similar encodings.

When it comes to reverse engineering, IDA also has to be mentioned. As a multi-platform analysis tool it is widely used on Android as well; its disassembler and the F5 (decompile to pseudo-C) function make an analyst's life much easier. The following demonstrates on a CrackMe.

Native methods are registered either statically or dynamically. Statically registered methods are all exported with the `Java_` prefix followed by the class path, so they are easy to find. Double-click the method to reach its assembly.
After pressing F5, you find that a lot of code is missing. In the assembly view, press the space bar to switch to the graph view. The graph shows that IDA identified two entry points in the method, so much of the code was split off and not recognized as part of the function. Locate the end of the first chunk, select Edit->Functions->Remove function tail in the menu bar, then at that location select Edit->Other->Force BL call, and press F5 again: all the code is now displayed normally.

Dynamically registered methods are a little more troublesome to locate than static ones, because the binding happens in JNI_OnLoad. Taking a certain .so as an example, the F5 output shows many offset expressions; these are offsets of function pointers in the JNIEnv function table. Import the jni.h header (easy to find online), right-click the variable and choose Convert to struct, and IDA resolves them. The result is clear: RegisterNatives is called to register two methods, and off_8004 points to the JNINativeMethod table holding each method's name, signature and function pointer. Double-click to enter it and you can see the two functions, _Z10verifySignP7_JNIENVP8_jobect and _Z13getentyStringv; double-click either to jump to its code. These are all basic IDA operations.

In addition, newer IDA versions can patch bytes directly, so there is no need to note down the address and edit the bytes in a hex editor as before. Example: at 000025C6 a method is called that checks whether the program is being debugged; if a debugger is attached it crashes the process. readStatus is a void method with no parameters and no return value, so the idea is simple: nop out the call and repackage, after which the app can be debugged normally. First select Options->General in the menu bar.
Change the number of opcode bytes there from 0 to 4. The machine code of each instruction is now displayed alongside it, and you can see that the call to readStatus is a 4-byte instruction. The modification is simple: the usual way to nop an instruction is to replace its machine code with all zeros. Click the instruction, select Edit->Patch program->Change byte in the menu bar, and change the first 4 bytes to 00 00 00 00. The anti-debugging call is gone. (Note that 0x25C6 is not 4-byte aligned, so this call is a Thumb-2 BL rather than an ARM-mode instruction; four zero bytes decode as two `movs r0, r0` halfwords, which only disturb the flags, but the canonical nops, 00 BF for Thumb and 00 F0 20 E3 for ARM, are the cleaner choice.)

How do you save the modified file? Also simple: select Edit->Patch program->Apply patches to input file in the menu bar and click OK.

IDA has many other tricks. For example, changing android_server's default port during dynamic debugging sidesteps anti-debugging checks that look for port 23946: start it with -p123, where 123 is the port number, and note that there is no space between -p and the number.

The last tool I want to introduce is Android Killer. AK is a good integrated apk decompilation tool with a clear smali view and editing support. Those are the basics for any decompiler; what makes AK powerful is its code insertion feature, which lets you wrap snippets so they can be inserted quickly. For example, the log plugin I wrote is a smali plugin converted from the open-source project LogUtils. It supports one-click output of any basic type as well as types such as JSON and Intent. Using it is simple: right-click and choose Insert code. The inserted code is a single line, where p0 is the register to be printed; in a static method, p0 is the first parameter. When reverse engineering, such logging stubs help a lot in analyzing data. I have published these plugins online and they can be downloaded.
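Going back to the dynamic-registration discussion in the IDA section: the two things IDA resolves for you there, JNIEnv offsets and the JNINativeMethod table behind off_8004, can be reproduced by hand. The script below is an added example, not code from the article. It names a JNIEnv slot from its byte offset (the index map is a partial excerpt of jni.h) and parses a JNINativeMethod array out of a raw image; the image, its 32-bit little-endian layout, the base address 0x8000 and the Java names in it are all constructed assumptions.

```python
"""Recover dynamically registered natives and name JNIEnv slots.
Added example, not code from the article: it reproduces by hand what IDA
shows after importing jni.h and converting the env pointer to a struct, and
what the off_8004 table contains. The image below is constructed here; its
layout (32-bit little-endian, loaded at BASE) is an assumption."""
import struct

BASE = 0x8000      # load address of the constructed image (assumption)

# Partial JNIEnv function-table index map from jni.h (byte offset = index * pointer size).
JNIENV_INDEX = {
    4: 'GetVersion', 6: 'FindClass', 31: 'GetObjectClass', 33: 'GetMethodID',
    34: 'CallObjectMethod', 167: 'NewStringUTF', 169: 'GetStringUTFChars',
    170: 'ReleaseStringUTFChars', 215: 'RegisterNatives',
    216: 'UnregisterNatives', 219: 'GetJavaVM',
}


def jnienv_name(offset, ptr_size=4):
    """Name the JNIEnv slot at a byte offset, e.g. 0x35C -> RegisterNatives
    on 32-bit ARM and 0x6B8 on arm64. Unlisted indices come back as JNIEnv[n]."""
    if offset % ptr_size:
        return 'misaligned(0x%x)' % offset
    idx = offset // ptr_size
    return JNIENV_INDEX.get(idx, 'JNIEnv[%d]' % idx)


def read_cstr(image, va):
    """Read a NUL-terminated string at virtual address va."""
    off = va - BASE
    return image[off:image.index(b'\0', off)].decode('utf-8')


def parse_native_methods(image, table_va, count, ptr_size=4):
    """Parse `count` JNINativeMethod {name, signature, fnPtr} entries.
    Returns (java_name, signature, fn_ptr, thumb) per entry; an odd fn_ptr
    means the target runs in Thumb mode (the low bit is the mode switch)."""
    fmt = '<' + ('I' if ptr_size == 4 else 'Q') * 3
    methods = []
    for i in range(count):
        off = table_va - BASE + i * 3 * ptr_size
        name_p, sig_p, fn_p = struct.unpack_from(fmt, image, off)
        methods.append((read_cstr(image, name_p), read_cstr(image, sig_p),
                        fn_p & ~1, bool(fn_p & 1)))
    return methods


def build_sample_image():
    """Constructed image: 4 bytes of padding, a 2-entry table at 0x8004
    (mirroring the article's off_8004), then the strings it points to."""
    strings = [b'verifySign\0', b'()Z\0', b'getEntryString\0', b'()Ljava/lang/String;\0']
    table_va = BASE + 4
    str_va = table_va + 2 * 3 * 4
    addrs, cur = [], str_va
    for s in strings:
        addrs.append(cur)
        cur += len(s)
    table = struct.pack('<IIIIII', addrs[0], addrs[1], 0x8A01,   # Thumb target
                        addrs[2], addrs[3], 0x8B20)              # ARM target
    return b'\0' * 4 + table + b''.join(strings)


if __name__ == '__main__':
    img = build_sample_image()
    for name, sig, fn, thumb in parse_native_methods(img, 0x8004, 2):
        print('%s %s -> 0x%x %s' % (name, sig, fn, 'thumb' if thumb else 'arm'))
    for off in (0x35C, 0x29C, 0x6B8):
        print('0x%x: %s' % (off, jnienv_name(off, 8 if off == 0x6B8 else 4)))
```

The low bit of each function pointer is worth checking before jumping to the code: an odd address means the handler is Thumb, which is also why IDA sometimes shows the table entry one byte past the function start.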
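The nop patch from the IDA section can also be applied outside IDA, which is useful when the same fix has to be replayed on a fresh copy of the library. The script below is an added example, not the article's own steps: it refuses to write unless the bytes at the offset are exactly the ones the disassembly showed, and it picks the nop encoding that matches the call's instruction set. The sample image is constructed here, and treating 0x25C6 as a file offset is an assumption (in a real .so the virtual address must first be mapped to its file offset).

```python
"""Apply the anti-debug nop patch from the IDA section outside IDA, with a
safety check IDA's Change byte dialog does not give you: the bytes at the
offset must match what the disassembly showed before anything is written.
Added example, not the article's own steps. The sample binary is constructed
here, and treating 0x25C6 as a file offset is an assumption (in a real .so you
must map the virtual address to its file offset first)."""
import struct

ARM_NOP = bytes.fromhex('00F020E3')    # nop in ARM mode (E320F000)
THUMB_NOP = bytes.fromhex('00BF00BF')  # two 16-bit Thumb nops fill a 4-byte BL slot


def is_thumb_bl(insn):
    """Thumb-2 BL: halfword1 = 11110 S imm10, halfword2 = 11 J1 1 J2 imm11."""
    hw1, hw2 = struct.unpack('<HH', insn)
    return (hw1 & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0xD000


def is_arm_bl(insn):
    """ARM-mode BL: cond 1011 imm24."""
    (word,) = struct.unpack('<I', insn)
    return (word & 0x0F000000) == 0x0B000000


def patch_bytes(data, offset, expected, replacement):
    """Return a patched copy of data, refusing to write unless the bytes at
    offset equal `expected` (guards against a wrong build or a bad offset)."""
    if len(expected) != len(replacement):
        raise ValueError('replacement must keep the instruction length')
    actual = data[offset:offset + len(expected)]
    if actual != expected:
        raise ValueError('bytes at 0x%x are %s, expected %s'
                         % (offset, actual.hex(), expected.hex()))
    return data[:offset] + replacement + data[offset + len(replacement):]


def nop_call(data, offset, expected):
    """Replace the 4-byte BL at offset with the nop matching its instruction set.
    The article writes 00 00 00 00 instead; that works in practice (Thumb:
    movs r0,r0, which clobbers the flags; ARM: andeq r0,r0,r0), but the
    canonical nops are the cleaner choice."""
    if len(expected) != 4:
        raise ValueError('expected a 4-byte call instruction')
    if is_thumb_bl(expected):
        return patch_bytes(data, offset, expected, THUMB_NOP)
    if is_arm_bl(expected):
        return patch_bytes(data, offset, expected, ARM_NOP)
    raise ValueError('not a BL instruction: ' + expected.hex())


def patch_rejected(data, offset, expected):
    """True if nop_call refuses the patch (byte mismatch or not a call)."""
    try:
        nop_call(data, offset, expected)
        return False
    except ValueError:
        return True


def build_sample():
    """Constructed code image with a Thumb `bl readStatus` at 0x25C6 and an
    ARM-mode bl at 0x2000 for contrast; the rest is Thumb nops."""
    buf = bytearray(b'\x00\xbf' * 0x1400)
    buf[0x25C6:0x25CA] = bytes.fromhex('FFF7A3FE')   # Thumb-2 bl <rel> (constructed)
    buf[0x2000:0x2004] = bytes.fromhex('A3FEFFEB')   # ARM bl <rel> (constructed)
    return bytes(buf)


if __name__ == '__main__':
    patched = nop_call(build_sample(), 0x25C6, bytes.fromhex('FFF7A3FE'))
    # with open('libtarget.patched.so', 'wb') as f: f.write(patched)
    print(patched[0x25C6:0x25CA].hex())
```

Keeping the expected bytes next to the offset in your notes (or in a script like this) is what makes the patch reproducible after the target is updated: a mismatch tells you immediately that the address has moved instead of silently corrupting an unrelated instruction.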
Summary

This article introduced the commonly used tools for Android app reverse engineering and some tips for using them. Reverse engineering is rarely finished with just one tool and the common techniques, though; it also takes experimentation, patience, and your own spirit of research.