Getting started with Android reverse engineering


This article introduces the environment, the tools, and the dynamic and static analysis approaches commonly used for Android reverse engineering.

1. Environment preparation
The first step in Android mobile security work is setting up an environment. The hardware used here is as follows:

Kali-linux-2019-4-vmware-amd64

A Nexus 6P phone

A Pixel XL phone

1.1. VMware virtual machine
1. Download and install the virtual machine, then search Google for a registration code to register it.

VMware workstation download (Windows)

VMware Fusion download (Mac)

2. Download and run the Kali virtual machine

kali-linux-2019-4-vmware-amd64-zip.torrent

3. Kali: change the time zone:

dpkg-reconfigure tzdata

Then select Asia → Shanghai and restart.

4. Update the package sources:

apt update

5. Install fonts (optional)

apt install xfonts-intl-English

apt install ttf-wqy-microhei

1.2. Android Studio
1. Visit the official website and download the latest version of Android Studio

wget https://redirector.gvt1.com/edgedl/android/studio/ide-zips/4.0.1.0/android-studio-ide-193.6626763-linux.tar.gz

2. Create the first Android project

3. Wait patiently for Android Studio to finish loading

If the download is too slow, configure a proxy and reload.

1.3. Genymotion emulator
1. Download Genymotion

2. Select the Android 8.0 version and set the main network card to bridged mode

3. Run the emulator and fix the Wi-Fi exclamation mark and time synchronization

Execute as root user in the emulator’s shell:

settings put global captive_portal_http_url https://www.google.cn/generate_204
settings put global captive_portal_https_url https://www.google.cn/generate_204
settings put global ntp_server 1.hk.pool.ntp.org
reboot

1.4. Genymotion ARM translation
1. Genymotion is x86-based and does not support the ARM architecture, so applications compiled only for ARM cannot be installed and the following prompt appears:

2. Solution: install the ARM translation tool

Download the Genymotion-ARM-Translation.zip matching the Android version of the Genymotion emulator

Then drag the file directly into Genymotion and click OK to start the installation

Click OK after the installation finishes and restart Genymotion

 

1.5. Common tools
1. Command-line tools

tmux: lets you close the window and keep the program running in the background

jnettop: monitors network traffic and shows the communicating IPs, ports, URLs and transfer rates

netstat -tunlp: maps listening ports to process IDs and shows the ports that are sending and receiving packets

htop: an enhanced top showing the current system load, active processes, threads and resource usage

apt install tmux jnettop htop

2. QtScrcpy

Android real-time screen mirroring software

https://gitee.com/Barryda/QtScrcpy/releases

3. wifi adb

Automatically starts network (TCP) debugging when the phone connects to Wi-Fi

https://www.apkmirror.com/apk/metactrl/wifi-adb-debug-over-air/

Connecting adb from the Kali virtual machine to the emulator:

If adb devices reports no device, run adb connect 192.168.3.18:5555 first

4. Termux

An Android terminal emulator app that runs directly. A minimal base system is installed automatically; other packages can be installed with the APT package manager.

https://termux.com/

5. Neofetch

Displays Linux system information in the terminal; connect to a phone to view the phone's system information

 

2. The four major components and the system architecture
2.1. The four major components of Android
1. Activity

1. An Activity is usually a separate window
2. Activities communicate with each other through Intents.
3. Every Activity in the application must be declared in the AndroidManifest.xml configuration file, otherwise the system will not recognize or launch it.

2. Service

1. Started: when an application component (such as an Activity) calls startService() to start the service, the service is in the Started state.
2. Bound: when an application component calls bindService() to bind to the service, the service is in the Bound state.
3. A Service usually runs in the background and generally does not interact with the user, so it has no graphical user interface. A Service component must extend the Service base class. It is usually used to provide background services to other components or to monitor their running status.

3. Content provider

1. The Android platform provides the Content Provider to expose a specified data set of one application to other applications. Other applications obtain or save data through the ContentResolver class.
2. Content providers are only needed to share data among multiple applications. For example, contact data is used by several applications and must be stored in one content provider; the benefit is a unified way of accessing the data.
3. A ContentProvider implements data sharing: it stores and retrieves data and makes it visible to all applications. This is the only way to share data between different applications, because Android provides no common storage area that all applications can access.
4. Developers rarely use ContentProvider objects directly; most operations on a ContentProvider go through a ContentResolver object.
5. A ContentProvider uses a URI to uniquely identify its data set. The URI is prefixed with content://, which means the data is managed by a ContentProvider.

4. Broadcast Receiver

1. Your application can use it to filter external events and respond only to the events it is interested in (such as an incoming call or a data network becoming available). A broadcast receiver has no user interface, but it can start an Activity or Service in response to the information it receives, or use NotificationManager to notify the user. Notifications can attract the user's attention in many ways, such as flashing the backlight, vibrating or playing sounds; usually a persistent icon is placed in the status bar, which the user can open to read the message.
2. There are two ways to register a broadcast receiver: dynamic registration in code and static registration in the AndroidManifest file.
3. A dynamically registered broadcast receiver stops receiving broadcasts when the Activity that registered it is closed. A statically registered receiver does not depend on any component being open: as long as the device is on, the receiver is active. That is, even if the app itself has not been started, a broadcast the app subscribed to will still reach it when triggered.

 

2.2. Android system architecture
Android uses a layered architecture with four layers. From top to bottom: the application layer (System apps + apps), the application framework layer (Java API Framework), the native libraries and Android Runtime layer (Libraries + Android Runtime), and the Linux kernel layer (HAL + Linux Kernel).

 

2.3. Summary of common Android development and reverse-engineering commands
1. file: view file attributes

2. Use the echo command to write content to the file, and then use cat to read the file content.

3. Use the dumpsys command to get information about the current top-level activity, grep to filter, and the -i parameter ignores case.

4. ls -alit displays all information of the current directory in chronological order.

5. dumpsys package com.termux: view the package information the system holds for the app

6. ps -e: displays all processes

ps -e |grep -i termux

7. dumpsys dbinfo com.termux: view database information

8. adb pull /sdcard/app: copy files from the phone to the current directory on the computer

adb push D:\tmp.txt /sdcard: copy a local file to the phone

Note: if you run into permission problems, use chmod to change the permissions

9. adb forward: port forwarding

10. adb logcat: view current log information

adb logcat |grep -i com.termux

11. Specify which device adb shell connects to

adb -s 192.168.3.18:5555 shell

12. View the process name corresponding to a port

netstat -tunlp | grep 7001          # by port
netstat -tunlp | grep "com.termux"  # by process name
netstat -aple | grep -i https       # active connections, e.g. those using https

13. htop: view phone processes in real time

Installation in Termux for ordinary (non-root) phone users

pkg install htop

Root users can run htop to see all processes

$ su
# /data/data/com.termux/files/usr/bin/htop

 

3. Root
3.1. Recommended environments
Frida: two environments:
1. Pixel (sailfish) + official 8.1.0_r1 + TWRP 3.3.0 + Magisk + Frida

2. Pixel (sailfish) + TWRP 3.3.0 + LineageOS 16.0 + addonsu 16.0

Xposed: one environment:
1. Pixel (sailfish) + official 7.1.2_r8 + TWRP 3.2.1-0 + SuperSU + XposedInstaller

FART and AOSP: two environments:
1. Pixel (sailfish) + latest fastboot + FART 8.1.0

2. N6P (angler) + old fastboot + FART 8.1.0

Kali NetHunter: one environment:
1. N6P (angler) + stock 8.1.0_r1 + TWRP 3.3.1 + SuperSU

 

3.2. N6P (angler) + official 8.1.0_r1 + TWRP 3.3.1 + Magisk + Frida
Let's walk through rooting two commonly used phone environments.

Find the image and download 8.1.0 (OPM1.171019.011, Dec 2017)

https://developers.google.com/android/images

Then download the factory image matching the phone model

root@tale:~/Desktop# wget https://dl.google.com/dl/android/aosp/angler-opm1.171019.011-factory-39448337.zip
root@tale:~/Desktop# 7z x angler-opm1.171019.011-factory-39448337.zip

1. Add fastboot to the PATH

# nano ~/.bashrc
add the line export PATH=/root/Android/Sdk/platform-tools:$PATH
# source ~/.bashrc

2. Power the phone off completely, then hold Volume Down + Power to enter bootloader mode

root@tale:~/Desktop/angler-opm1.171019.011# ./flash-all.sh

When some older models (such as bullhead) are flashed with the 8.1.0_r1 FART image using fastboot, all kinds of strange errors appear. The reason is that newer versions of fastboot report an error:

Copy a fastboot you compiled yourself over the original file.

# which fastboot
# mv /root/Desktop/fastboot Android/Sdk/platform-tools/fastboot
# chmod 777 fastboot

After it prints finished, the phone reboots.

After selecting the language, keep tapping Next until the home screen appears. Then set a longer sleep time, tap the version number 10 times to open Developer options, and:

- Turn on "Do not lock screen"
- Turn off "Automatic system update"
- Turn on "USB debugging"

3.2.1. Use Magisk to get root
https://twrp.me/

Select TWRP 3.3.1-0 Released, then go to the devices page

 

Choose Primary (Europe)

Download it and copy it to the Kali virtual machine

Put the phone into bootloader mode, then flash it with fastboot flash recovery:

# adb reboot bootloader
# fastboot flash recovery twrp-3.3.1-0-angler.img
Note: used when installing on the Pixel XL
# fastboot boot twrp-3.3.1-0-marlin.img

Then press Volume Down twice and the power button to enter recovery mode

Swipe to allow modifications, open Settings and untick "Enable screen timeout"

Download Magisk, frida-server

# wget https://github.com/topjohnwu/Magisk/releases/download/v20.4/Magisk-v20.4.zip
# adb push Magisk-v20.4.zip /sdcard/
# wget https://github.com/frida/frida/releases/download/12.11.10/frida-server-12.11.10-android-arm64.xz
# 7z x frida-server-12.11.10-android-arm64.xz 
Put it in the directory recommended by the Frida website:
# adb push frida-server-12.11.10-android-arm64 /data/local/tmp/

Then tap Install, select Magisk-v20.4.zip, swipe right to install, tap Reboot System when it completes, and choose Do Not Install

 

After the phone boots, a root request dialog pops up when wifi adb runs, as shown below

3.2.2. Start frida-server
Then start frida-server on the phone

➜  ~ adb shell
angler:/ $ whoami
shell
angler:/ $ su
angler:/ # whoami
root
angler:/ # cd /data/local/tmp/
angler:/data/local/tmp # ls
frida-server-12.11.10-android-arm64 oat
angler:/data/local/tmp # chmod 777 frida-server-12.11.10-android-arm64
angler:/data/local/tmp # ./frida-server-12.11.10-android-arm64 &
[1] 8096

At this point the N6P (angler) + official 8.1.0_r1 + TWRP 3.3.1 + Magisk + Frida environment has been installed successfully.

3.3. N6P (angler) + official 8.1.0_r1 + TWRP 3.3.1 + SuperSU + NetHunter
At the beginning of April 2020, Kali announced Kali NetHunter 2020.1 on its official blog, bringing the new Kali NetHunter Rootless and Kali NetHunter Lite. The full version of Kali NetHunter was further optimized at the same time: with the new kernel build tool it supports USB keyboard, CD-ROM and network card emulation from the kernel, with more features and a more stable system. Connect a monitor, keyboard and mouse and the phone becomes a computer with a portable desktop environment.

The full Kali NetHunter image is not available for every phone; only the devices listed on the official website are supported. Here we use the Nexus 6P (angler) as an example. The main process has four steps:

1. Flash the official factory image;
2. Recovery: TWRP;
3. Root: the classic SuperSU;
4. Flash Kali NetHunter.
3.3.1. Flash the official factory image
First power off completely and hold Volume Down + Power, or use the following command directly, to enter bootloader mode

# adb reboot bootloader
# cd angler-opm1.171019.011/
# ./flash-all.sh

3.3.2. Recovery: TWRP

 

# adb reboot bootloader
# fastboot flash recovery twrp-3.3.1-0-angler.img

3.3.3. Use SuperSU to get root

Press Volume Down twice and the power button to enter recovery mode
# adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard
Then install SuperSU from the recovery

3.3.4. Flash Kali NetHunter

Download the Nexus 6P Oreo image

https://www.offensive-security.com/kali-linux-nethunter-download/
root@tale:~# proxychains wget https://images.kali.org/nethunter/nethunter-2020.3-angler-oreo-kalifs-full.zip
# adb push /Users/tale/Downloads/nethunter-2020.3-angler-oreo-kalifs-full.zip /sdcard/
# adb reboot bootloader
Press Volume Down twice and the power button to enter recovery mode, then choose to install NetHunter

After rooting, you must first open the NetHunter app to initialize the system and grant all the permissions it requests. Open the left navigation, enter Kali Chroot Manager and tap START KALI CHROOT. Once this initialization is done, every subsequent boot shows the screen in the figure: the chroot has been started.

This concludes the detailed rooting process.

3.3.5. Use Kali NetHunter
1. Open the NetHunter app, grant it all permissions, select the Kali Chroot Manager page in the upper left and confirm that the chroot system is initialized.

2. Open the NetHunter terminal app, select KALI and enter the Kali system.

3. apt update refreshes the package information in the system.

4. You can install command-line programs that only run in a Linux environment, for example apt install neofetch htop jnettop.

5. Open the NetHunter app, switch to KeX Manager in the upper left, tap "SETUP LOCAL SERVER", enter a connection password and a display password, confirm, then tap "START SERVER". Open the "KeX Client" app, enter the password and tap "Connect" to get straight to the Kali NetHunter desktop.

6. With QtScrcpy and wifi adb it is more convenient to control the phone from the computer without a USB cable.

7. You can run Burp and Wireshark on this phone system to capture packets, including the traffic of the phone's SIM card.

8. Kali NetHunter ships driver patches for many USB devices and wireless network cards, so the phone can act as a router and packets can be captured on that network card. (Details will follow in a later article.)

Turning the phone into a router to capture packets completely solves the problem of apps whose traffic otherwise cannot be captured: to an app in daily use, capturing on the router is indistinguishable from normal operation, so the app is entirely unaware and can be monitored comprehensively from a god's-eye view.

4. Dynamic and static analysis
Let's take a specific malicious APP as an example and analyze it with dynamic and static analysis methods and the corresponding tools.

Installing the APP on the emulator, the scene is "high-energy": the background image and background music are very unhealthy (it nearly scared me out of my wits), the volume is set to maximum, the looping playback cannot be turned off, and the screen is locked and cannot be dismissed.

4.1. Static analysis
Static analysis is essentially a disassembly and decompilation process. The commonly used static analysis tools are jadx, JEB and GDA. When we get an APP to analyze, we usually first decompile and unzip it to view the contents of the APK. The picture below shows jadx-gui after decompilation.

# proxychains wget https://github.com/skylot/jadx/releases/download/v1.1.0/jadx-1.1.0.zip

It can be seen that the APP is not packed. After decompressing the APK, the resource files (including pictures and sounds) are stored in the res folder, the dex file is the executable of the Dalvik virtual machine, resources stores strings, META-INF contains the APP's signature information, and the AndroidManifest file contains the APP's configuration.
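The "is it packed?" first look described above can be scripted. The following is an added example (not code from the article, nor from jadx or JEB): it inventories an APK's entries with the standard zipfile module, checks that each root-level dex begins with the dex magic, and flags assets whose byte entropy is close to 8 bits/byte, which is what encrypted or compressed payloads hidden by packers look like. The APK it analyzes is constructed in memory, so the script runs without a real sample; the 7.5 bits/byte threshold is an assumed heuristic, not a standard.

```python
"""Inventory an APK and look for signs of packing.

Added example; the APK analyzed here is constructed in memory and the entropy
threshold is a heuristic assumption for illustration.
"""
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC_PREFIX = b"dex\n"  # every dex starts with "dex\n" + 3-digit version + NUL
HIGH_ENTROPY = 7.5           # bits/byte; encrypted or compressed data sits near 8.0
SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Summarize the APK the way a first look in jadx/JEB does.

    Records the manifest, each root-level dex and whether its magic is valid,
    the signature files under META-INF, the number of resource entries, and any
    high-entropy asset. packed_hint is raised when the main code is not a plain,
    well-formed classes.dex or when an asset looks encrypted.
    """
    report = {"has_manifest": False, "dex": {}, "signature_files": [],
              "resources": 0, "high_entropy_assets": [], "packed_hint": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name.endswith(".dex") and "/" not in name:
                head = zf.read(name)[:8]
                report["dex"][name] = head.startswith(DEX_MAGIC_PREFIX) and head.endswith(b"\0")
            elif name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES):
                report["signature_files"].append(name)
            elif name.startswith("res/") or name == "resources.arsc":
                report["resources"] += 1
            elif name.startswith("assets/"):
                if shannon_entropy(zf.read(name)) >= HIGH_ENTROPY:
                    report["high_entropy_assets"].append(name)
    # Packers usually keep a stub classes.dex and hide the real code, often
    # encrypted, under assets/ or lib/; a legitimate compressed image in
    # assets/ will also trip this, so treat it as a hint, not a verdict.
    report["packed_hint"] = ("classes.dex" not in report["dex"]
                             or not all(report["dex"].values())
                             or bool(report["high_entropy_assets"]))
    return report


def build_sample_apk(packed: bool = False) -> bytes:
    """Construct a toy APK in memory (a constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\0" * 28)  # binary-XML stub
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)              # header-sized stub
        zf.writestr("res/drawable/bg.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
        zf.writestr("assets/config.json", b'{"server": "https://example.invalid"}')
        if packed:
            # Uniformly distributed bytes: entropy of exactly 8 bits/byte,
            # the profile of an encrypted payload carried by a packer.
            zf.writestr("assets/payload.bin", bytes(range(256)) * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("packed", build_sample_apk(packed=True))):
        print(label, triage_apk(apk))
```

On a real sample, replace build_sample_apk() with the bytes of the APK file; a packed_hint of True is the cue to move on to the unpacking approach in section 5 rather than to trust what jadx shows for classes.dex.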

After dragging the APK into JEB, open MainActivity and select Decompile. Code analysis shows that the APP first registers a Broadcast receiver, then looks up the class with Class.forName("com.shimeng.qq2693533893.MyServiceOne"), and finally starts it with startService. The main logic is in the MyServiceOne class.

Open MyServiceOne and find the "blessings" inside

Running the APP on the emulator, the ADB connection to the emulator is dropped; after restarting the emulator the APP's page pops up automatically and plays a sound that cannot be turned off, and the sound plays again automatically after every reboot.

setprop persist.sys.usb.config none is what disconnects the phone's own USB connection.

4.2. Dynamic analysis
Dynamic analysis: with the code running, track and analyze the related memory (register contents, function results, memory usage, etc.) to work out what each function does and clarify the code logic.

objection is a runtime mobile exploration toolkit powered by Frida, designed to help you assess the security posture of mobile applications

# wget https://bootstrap.pypa.io/get-pip.py
# python3 get-pip.py
# pip install objection
# objection version
# adb push frida-server-12.11.10-android-arm64  /data/local/tmp
# adb shell
# su
# cd /data/local/tmp
# chmod 777 *
# ./frida-server-12.11.10-android-arm64
# objection -g com.android.settings explore

The APP is analyzed dynamically with objection. Because the malicious APP automatically disconnects USB, we run the Frida server from Termux on the emulator, listening on port 8888, and connect to that port from the computer.

vbox: # ./frida-server-12.11.10-android-x86 -l 0.0.0.0:8888

Find the APP package name com.shimeng.qq2693533893 with frida-ps

# frida-ps -H 192.168.56.101:8888

Loading the Wallbreaker plugin makes it easier to search and view class structures, instances, internal data, etc. in Android memory.

# git clone https://github.com/hluwa/Wallbreaker ~/.objection/plugins/Wallbreaker
# objection -N -h 192.168.56.101 -p 8888 -g com.android.settings explore -P ~/.objection/plugins

Dynamic and static analysis together give the general logic. The unlock operation lives in the com.shimeng.qq2693533893.MyServiceOne class, so hook that class:

com.shimeng.qq2693533893 on (Android: 8.0.0) [net] # android hooking watch class com.shimeng.qq2693533893.MyServiceOne

First, watching the objection output shows that the function access$L1000018 is called constantly

Then hook this method

com.shimeng.qq2693533893 on (Android: 8.0.0) [net] # android hooking watch class_method com.shimeng.qq2693533893.MyServiceOne.access$L1000018 --dump-backtrace

MyServiceOne$100000007 is found to be called all the time. Static analysis of 100000007 shows that it calls getStreamMaxVolume, the API for the maximum system volume, which is why the volume cannot be turned down once the APP is running.

Now enter an unlock code and print what happens, which is equivalent to passing an unlock-code parameter. The calling chain in the figure below is the APP's execution flow.

com.shimeng.qq2693533893 on (Android: 8.0.0) [net] # android hooking watch class com.shimeng.qq2693533893.MyServiceOne

Then hook the Yan Ruyu method

com.shimeng.qq2693533893 on (Android: 8.0.0) [net] # android hooking watch class_method com.shimeng.qq2693533893.MyServiceOne.Yan Ruyu --dump-args --dump-backtrace --dump-return

Tap unlock and the parameters, return value and call stack are printed.

Following the printed output, continue tracing the class com.shimeng.qq2693533893.MyServiceOne$100000002

The main judgment logic is as follows: if the value equals 9DDEB743E935CE399F1DFAF080775366, MyServiceOne.this.util.removeView() is called and execution enters sm2

if (Yan RuyuQQ2693533893.getSaltMD5(MyServiceOne.Yan Ruyu(v2.substring(0, 3))) + v2.substring(3, v2.length()).equals("9DDEB743E935CE399F1DFAF080775366" + v3_1)) {
    MyServiceOne.this.util.removeView();
    MyServiceOne.this.sm2();
}

With dynamic analysis we locate the key logic more precisely, which is faster and more reliable than searching for strings.

5. Unpacking
Importing the dumped dex file into 010 Editor shows that the file header is dex\n035. The commonly used unpacker FRIDA-DEXDump works by brute-force searching memory for the dex\n035 signature.

# proxychains wget https://www.sweetscape.com/download/010EditorLinux64Installer.tar.gz
# tar zxvf 010EditorLinux64Installer.tar.gz 
# ./010EditorLinux64Installer

FRIDA-DEXDump is said to unpack an APP in three seconds.

https://github.com/hluwa/FRIDA-DEXDump
Start the APP.
Start frida-server.
Run python main.py.
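To make the "search memory for dex\n035" principle concrete, here is an added example (not FRIDA-DEXDump's code, nor code from the article) that carves dex files out of a byte blob standing in for a memory dump. It finds every occurrence of the 8-byte magic, reads the file_size field at header offset 32, and then validates the candidate with the header's own Adler-32 checksum (offset 8, computed over everything after the checksum field). That last check is what separates a real dex from a stray copy of the magic string, which is a common false positive in memory scans. The "dump" is constructed in-process: filler, a decoy magic with a garbage header, and a minimal but internally consistent dex image, so the script runs offline.

```python
"""Carve DEX files out of a memory dump by scanning for the dex\\n035 magic
and validating each hit with the header checksum.

Added example for illustration; it is not FRIDA-DEXDump's code. The sample
dump below is constructed in-process so the script runs offline.
"""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"  # 8-byte magic of a version-035 dex file
HEADER_SIZE = 0x70          # fixed dex header size
ENDIAN_CONSTANT = 0x12345678


def build_sample_dex(payload: bytes = b"") -> bytes:
    """Construct a minimal dex image (header + payload) whose checksum and
    signature fields are consistent. Constructed sample, not a real app's dex.

    Header fields used: magic (0), checksum (8, Adler-32 over bytes 12..end),
    signature (12, SHA-1 over bytes 32..end), file_size (32), header_size (36),
    endian_tag (40). Everything else is left zero.
    """
    body = bytearray(HEADER_SIZE) + payload
    body[0:8] = DEX_MAGIC
    struct.pack_into("<I", body, 32, len(body))        # file_size
    struct.pack_into("<I", body, 36, HEADER_SIZE)      # header_size
    struct.pack_into("<I", body, 40, ENDIAN_CONSTANT)  # endian_tag
    body[12:32] = hashlib.sha1(body[32:]).digest()     # signature
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


def carve_dex(blob: bytes) -> list:
    """Report every dex magic found in blob.

    Each result carries the offset, the declared file_size, whether the whole
    file fits inside the blob, and whether the Adler-32 checksum matches.
    """
    results = []
    pos = blob.find(DEX_MAGIC)
    while pos != -1:
        candidate = {"offset": pos, "file_size": None,
                     "complete": False, "checksum_ok": False}
        if pos + HEADER_SIZE <= len(blob):
            file_size, = struct.unpack_from("<I", blob, pos + 32)
            candidate["file_size"] = file_size
            end = pos + file_size
            if file_size >= HEADER_SIZE and end <= len(blob):
                candidate["complete"] = True
                declared, = struct.unpack_from("<I", blob, pos + 8)
                actual = zlib.adler32(blob[pos + 12:end]) & 0xFFFFFFFF
                candidate["checksum_ok"] = declared == actual
        results.append(candidate)
        pos = blob.find(DEX_MAGIC, pos + 1)
    return results


def extract_valid(blob: bytes) -> list:
    """Return the raw bytes of every checksum-valid dex in blob."""
    return [blob[c["offset"]:c["offset"] + c["file_size"]]
            for c in carve_dex(blob) if c["checksum_ok"]]


def sample_dump() -> bytes:
    """Constructed 'memory dump': filler, a decoy magic, filler, a real dex."""
    filler = b"\x00" * 64
    decoy = DEX_MAGIC + b"\xff" * 120  # magic string followed by a garbage header
    real = build_sample_dex(b"payload-bytes")
    return filler + decoy + filler + real + filler


if __name__ == "__main__":
    dump = sample_dump()
    for c in carve_dex(dump):
        print(c)
    print("valid dex files carved:", len(extract_valid(dump)))
```

On a real dump taken from a process (for example the memory regions a Frida script reads out), feed the bytes to carve_dex and write out only the candidates with checksum_ok set; candidates with complete set but a checksum mismatch are usually dex files the app has already patched in place, which is worth a closer look rather than an automatic discard.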

 
