We can still crack you!
General unpacking method for Android Packer (NO ROOT)
What is android packer?
• Android packer is similar to UPX
• There are several commercial android packers (Ijiami, BangCle, DexGuard, LIAPP, etc)
• They are distinguished into two types by their main packing mechanism
  — Dynamic code (*.dex/jar/apk) loading based
  — Memory patch based
• There are various papers on the features of android packers
Packing mechanism
• Dynamic code loading based packing mechanism
  — It can load code from a file or from memory dynamically
  — The Android platform provides the following interfaces, only for the Java layer, to load a .dex file dynamically
    • Documented interfaces: DexClassLoader, PathClassLoader, DexFile
    • Undocumented interfaces:
      — DexFile.java:
        » openDexFile(byte[] fileContents)
        » openDexFile(String sourceName, String outputName, int flags)
      — dalvik_system_DexFile.cpp:
        » Dalvik_dalvik_system_DexFile_openDexFile(const u4* args, JValue* pResult)
        » Dalvik_dalvik_system_DexFile_openDexFile_bytearray
Packing mechanism
<Documented interfaces>
  DexClassLoader
  PathClassLoader
  DexFile
    public DexFile(File file)
    public DexFile(String fileName)
    public static DexFile loadDex(String sourcePathName, String outputPathName, int flags)
<Undocumented interfaces>
    native private static openDexFile(String sourceName, String outputName, int flags)
    native private static openDexFile(byte[] fileContents)
DexFile.cpp (Native Layer)
    dalvik_system_DexFile__openDexFile(const u4* args, JValue* pResult)
    dalvik_system_DexFile__openDexFile_bytearray(const u4* args, JValue* pResult)
Packing mechanism
• Dynamic code loading (in file)
  — Many android packers are using this method
(Diagram: Protected APK file = Unpacker & Loader (classes.dex) + Unpack.so + Encrypted file. 1) Read a protected DEX  2) Loading native code for unpacking  3) Decryption  4) Drop protected DEX as file (<Dropped file>: Protected DEX, decrypted code)  5) Dynamic loading and delete the file → <Process memory>: Protected DEX, decrypted code → Execution)
Packing mechanism
• Dynamic code loading (in file)
  — Protected DEX is inside the unpacking dex file as an array
(Diagram: Protected APK file = Unpacker & Loader (classes.dex, containing Encrypted data). 1) Decryption  2) Drop protected DEX as file (<Dropped file>: Protected DEX, decrypted code)  3) Dynamic loading and delete the file → <Process memory>: Original DEX, decrypted code → Execution)
Packing mechanism
• Dynamic code loading (on memory)
(Diagram: Protected APK file = Unpacker & Loader (classes.dex) + Encrypted file. 1) Read a protected DEX  2) Decryption  3) Loading DEX on memory → <Process memory>: Protected DEX, decrypted code → Execution)
Packing mechanism
• Loading a separated DEX file dynamically causes a ClassLoader problem
  — When the decrypted dex is loaded by a class loader different from the one in the Application context, and that context's class loader tries to load and call some method, a ClassNotFoundException will occur
(Diagram: Registered in Application context: System Classloader → User-defined Classloader <Unpacker>. Separate: User-defined Classloader <Unpacked>. system_server: the platform service provider can't find the class in the Classloader for the Unpacker)
Packing mechanism
• Context is a key for the execution of the main components in an Android application (Activity, Service, Receiver, etc)
• The unpacker needs to change the ClassLoader object in the Application context to execute the unpacked code correctly
(Diagram: Application context → LoadedApk → ClassLoader reference; system_server (Activity Manager, Service Manager, …) → System Classloader → User-defined Classloader <Unpacker>; "Change!" the reference to User-defined Classloader <Unpacked>)
Packing mechanism
• Memory patch based packing mechanism
  — It modifies the <application> tag in AndroidManifest.xml so that the unpacker is executed first
(Diagram: AndroidManifest.xml <application className:Unpacker>. 1) Execution first  2) Loading unpacker.so  3) Decryption  4) Call original code. Protected DEX in <Process memory>: Unpacker class + Encrypted areas; unpacking.so decrypts an Encrypted area into a Decrypted class)
How to unpack logically
• Dynamic code loading (in file)
  — <How to unpack: Just pick up the dropped file>
(Diagram: Protected APK file = Unpacker & Loader (classes.dex) + Unpack.so + Encrypted file → <Dropped file>: Protected DEX, decrypted code → <Process memory>: Protected DEX, decrypted code → Execution)
How to unpack logically
• Dynamic code loading (in file)
  — <How to unpack: Just pick up the dropped file>
(Diagram: Protected APK file = Unpacker & Loader (classes.dex, containing Encrypted data). 1) Decryption  2) Drop protected DEX as file (<Dropped file>: Protected DEX, decrypted code)  3) Dynamic loading and delete the file → <Process memory>: Original DEX, decrypted code → Execution)
How to unpack logically
• Dynamic code loading (on memory)
  — <How to solve: Dump>
(Diagram: Protected APK file = Unpacker & Loader (classes.dex) + Encrypted file. 1) Read a protected DEX  2) Decryption  3) Loading DEX on memory → <Process memory>: Protected DEX, decrypted code → Execution)
How to unpack logically
• Memory patch based packing mechanism
  — <How to solve: Dump>
(Diagram: AndroidManifest.xml <application className:Unpacker>. 1) Execution first  2) Loading unpacker.so  3) Decryption  4) Call original code. Protected DEX in <Process memory>: Unpacker class + Encrypted areas; unpacking.so decrypts an Encrypted area into a Decrypted class)
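For both "Dump" cases above (on-memory dynamic loading and memory-patch packers), the analyst ends up with a raw blob of process memory and has to find the decrypted DEX inside it. The following is an added example, not the speaker's tool: it scans a dump for DEX headers and validates each candidate against the header's own file_size, Adler-32 checksum and SHA-1 signature (the layout of the documented dex header: magic, checksum, signature, file_size, header_size, endian_tag, 0x70 bytes in total). The build_sample_dex helper and the sample dump are constructed for offline use so the block runs without a device.

```python
"""Carve and validate DEX images inside a raw process-memory dump (added example)."""
import hashlib
import struct
import zlib
from typing import List, Optional

# Magic strings of the dex versions commonly seen; header fields used below
DEX_MAGICS = (b"dex\n035\0", b"dex\n036\0", b"dex\n037\0", b"dex\n038\0")
HEADER_SIZE = 0x70           # header_size field of a standard dex header
ENDIAN_CONSTANT = 0x12345678  # endian_tag of a little-endian dex


def validate_dex(blob: bytes, offset: int) -> Optional[dict]:
    """Return a description of the DEX starting at blob[offset], or None if the
    header there is inconsistent (wrong magic, size, header_size or endian_tag)."""
    hdr = blob[offset:offset + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE or hdr[:8] not in DEX_MAGICS:
        return None
    (checksum,) = struct.unpack_from("<I", hdr, 8)      # Adler-32 over bytes 12..end
    signature = hdr[12:32]                               # SHA-1 over bytes 32..end
    file_size, header_size, endian_tag = struct.unpack_from("<III", hdr, 32)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    if file_size < HEADER_SIZE or offset + file_size > len(blob):
        return None  # truncated dump or nonsense size: not a usable image
    image = blob[offset:offset + file_size]
    return {
        "offset": offset,
        "size": file_size,
        "version": hdr[4:7].decode("ascii"),
        # Flags rather than rejections: some unpackers leave these fields stale
        "checksum_ok": (zlib.adler32(image[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(image[32:]).digest() == signature,
        "data": image,
    }


def carve_dex(blob: bytes) -> List[dict]:
    """Find every header-consistent DEX image in the dump. The scan advances one
    byte at a time after each hit so a DEX embedded inside another is also found."""
    found = []
    pos = 0
    while pos < len(blob):
        hits = [h for h in (blob.find(m, pos) for m in DEX_MAGICS) if h != -1]
        if not hits:
            break
        pos = min(hits)
        info = validate_dex(blob, pos)
        if info is not None:
            found.append(info)
        pos += 1
    return found


def build_sample_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Construct a minimal header-consistent DEX image for offline testing (constructed
    sample: only the header fields the carver checks are meaningful, the body is
    arbitrary payload where a real DEX would carry its tables)."""
    file_size = HEADER_SIZE + len(payload)
    rest = struct.pack("<III", file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    rest += b"\0" * (HEADER_SIZE - 44)  # remaining header fields zeroed
    rest += payload
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + rest


if __name__ == "__main__":
    # Constructed dump: padding, one intact image, padding
    sample_dump = b"\x90" * 33 + build_sample_dex(b"payload-one") + b"\x00" * 7
    for hit in carve_dex(sample_dump):
        print(f"dex v{hit['version']} at 0x{hit['offset']:x}, {hit['size']} bytes, "
              f"checksum_ok={hit['checksum_ok']} signature_ok={hit['signature_ok']}")
```

Images whose checksum or signature fail are reported rather than dropped, because a dumped image can be fully usable while those fields are stale; the flags tell you whether the recovered file can be trusted as-is or needs its header fixed before a disassembler will accept it.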
Challenges to unpack
• Anti-debugging (for gdb, ptrace)
• Anti-debugging (for JDWP)
• Emulator/Device detection
• Rooting detection
• Obfuscation
• Native-level behavior
• Self integrity check
Now Let's unpack
How to unpack practically
• Each challenge can be overcome
• A real-world packed android application has many challenges applied together
• We can utilize multiple solutions for multiple challenges
How to unpack: Condition
• We have to satisfy the following conditions to unpack easily
  — Use a real device (Don't use an android emulator)
  — Don't require root privilege (without root, your device..)
  — Don't use a debugger (Yeah.. just don't use)
  — Don't use JDWP
  — Don't analyze the obfuscated unpacking stub (Pick up coin and dump: Hooking!)
  — Make your own process environment
How to unpack: wait-for-debug
• The Android platform provides a wait-for-debug feature to debug android applications
• ActivityManager provides a function that makes an android application wait for a JDWP connection at its starting point, using the command "wait-for-debug"
• We need to repackage the protected application to use the wait-for-debug feature
How to unpack: Process environment to unpack and trace
• When the debuggee is waiting for the debugger at the starting point of an Android application, the DEX file is not loaded on memory yet
• There is a MethodEntryEvent in JDWP
• We can control the threads suspended by a JDWP event
• We can control the execution of the debuggee using the wait-for-debug feature and MethodEntryEvent before the DEX file is loaded on memory
Unpacking: DexGuard
• DexGuard is employing the dynamic code loading technique for execution of the unpacked code
• It can be identified using logcat easily
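The "identified using logcat" point rests on Dalvik's optimizer logging a DexOpt block whenever an app hands a .dex/.jar/.apk to the dynamic loading interfaces at runtime. The block below is an added example (not the speaker's tooling) that scans logcat text for those lines and flags loads whose file lives outside the install locations; the sample log lines are constructed to match the classic Dalvik "D/tag( pid): message" format, and TRUSTED_PREFIXES is an assumption about which directories hold installed code on the device under analysis.

```python
"""Flag runtime DEX loading from writable paths in Dalvik logcat output (added example)."""
import re
from typing import Dict, List, Optional

# Classic logcat line: level/tag( pid): message
LINE_RE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")
# Dalvik optimizer start marker for a dex being prepared for loading
BEGIN_RE = re.compile(
    r"DexOpt: --- BEGIN '(?P<path>[^']+)' \(bootstrap=(?P<bootstrap>[01])\)")
# Assumption: code under these prefixes was installed normally; anything else
# (app-private dirs, /data/local/tmp, sdcard) was written at runtime.
TRUSTED_PREFIXES = ("/system/", "/data/app/")

# Constructed sample lines: an app (pid 2301) optimizing a dropped jar and a dex,
# plus an unrelated process (pid 2377) loading its installed apk.
SAMPLE_LOGCAT = """\
D/dalvikvm( 2301): DexOpt: --- BEGIN '/data/data/com.example.packed/files/tmp.jar' (bootstrap=0) ---
D/dalvikvm( 2301): DexOpt: load 56ms, verify+opt 210ms, 1826304 bytes
D/dalvikvm( 2301): DexOpt: --- END '/data/data/com.example.packed/files/tmp.jar' (success) ---
I/ActivityManager(  512): Start proc com.example.other for activity com.example.other/.Main: pid=2377
D/dalvikvm( 2377): DexOpt: --- BEGIN '/data/app/com.example.other-1.apk' (bootstrap=0) ---
D/dalvikvm( 2301): DexOpt: --- BEGIN '/data/local/tmp/tmp/classes.dex' (bootstrap=0) ---
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one logcat line into level, tag, pid and message; None if not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"level": m["level"], "tag": m["tag"], "pid": int(m["pid"]), "msg": m["msg"]}


def find_dex_loads(logcat_text: str) -> List[dict]:
    """Return one event per DexOpt BEGIN line, marking loads from untrusted paths."""
    events = []
    for raw in logcat_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["tag"] != "dalvikvm":
            continue
        m = BEGIN_RE.search(rec["msg"])
        if not m:
            continue
        path = m["path"]
        events.append({
            "pid": rec["pid"],
            "path": path,
            "bootstrap": m["bootstrap"] == "1",
            "suspicious": not path.startswith(TRUSTED_PREFIXES),
        })
    return events


def suspicious_paths_by_pid(logcat_text: str) -> Dict[int, List[str]]:
    """Group the flagged drop paths by process, in the order they were logged."""
    out: Dict[int, List[str]] = {}
    for ev in find_dex_loads(logcat_text):
        if ev["suspicious"]:
            out.setdefault(ev["pid"], []).append(ev["path"])
    return out


if __name__ == "__main__":
    for pid, paths in suspicious_paths_by_pid(SAMPLE_LOGCAT).items():
        print(f"pid {pid} loaded code from writable locations:")
        for p in paths:
            print(f"  {p}")
```

The drop path reported here is the same information the deck later obtains by hooking open(); reading it from the log needs nothing injected into the process, which makes this the first check to run before deciding whether hooking or a memory dump is necessary.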
Unpacking: DexGuard
• We can hook various functions to pick up the coin..
• I use hooking of open() in libc.so
(Diagram: <Process memory>: classes.dex (Protected DEX, Encrypted data) → Decrypted dex(1) → <Dropped file> /data/local/tmp/tmp/Extracted_dex1; Decrypted DEX(1) (Encrypted data) → Decrypted dex(2) → <Dropped file> Extracted_dex2. Unpacked dex is obfuscated..)
Unpacking: Ijiami
• Ijiami checks the integrity of the apk file
• I couldn't see the dex optimization log with logcat
• Then, we can dump memory
  — When do we need to dump?
  — We can know it by hooking dlopen, dlsym
  — When Ijiami calls a specific function, we can dump the decrypted code!
(Diagram: /data/app/Repackaged.apk → Redirection (Hooking!) → My unpacker; /data/local/tmp/tmp/OriginalPacked.apk; Protected DEX: Encrypted code → Decryption → Hooked function → Dump! → Decrypted code → /data/local/tmp/tmp/Unpacked DEX)
Unpacking: LIAPP
• LIAPP checks the integrity of its .apk file too
• LIAPP uses dynamic code loading
• We can extract the unpacked dex
(Diagram: /data/app/Repackaged.apk → Redirection (Hooking!) → My unpacker; /data/local/tmp/tmp/OriginalPacked.apk; <Process memory>: Protected DEX, Encrypted file → Decryption → Dropped file (Unpacked DEX) → Hooked function: Read! → Extraction! → /data/local/tmp/tmp/Unpacked DEX)
Unpacking: PangXie
• PangXie, just unpack manually..
(Diagram: XOR Encrypted DEX)
DEMO: BangCle, DexProtector, APKProtect
Unpacking: BangCle
• BangCle unpacks the encrypted dex file and loads it
• BangCle performs unpacking, anti-analysis and integrity checking simultaneously with multiple threads
Unpacking: DexProtector
• DexProtector is using dynamic code loading
• DexProtector employs multiple unpacking steps
• It performs integrity checking using the Signature class in PackageInfo
Unpacking: APKProtect
• APKProtect performs a memory patch to unpack
• It checks the integrity of the odex file mapped on memory
Conclusion
• You don't need to reverse the unpacker's code
  — Prediction, tracing based on hooking..
  — Use my powerful tool for analysis of android apps
• We can unpack most android packers using the wait-for-debug feature and injection
• Companies developing android packers need to respond to the wait-for-debug feature