Preface

I do my development on a Mac, and recently I had to do some reverse engineering. Since most online tutorials are written for Windows, I had no choice but to gather information from everywhere and work through the pitfalls on my own. Here is how to do it on a Mac. Goal: dump the dex of a packed (shelled) app using IDA dynamic debugging. There are two ways to unpack: dynamic debugging and Xposed; this post covers dynamic debugging, which is what I am currently learning.

Environment:

  - macOS 10.14.1
  - rooted HTC phone running Android 4.4.2
  - IDA 7.0 (with the fix for IDA for Mac crashing on newer macOS versions)
  - mprop, used to make every app on the phone debuggable

Unpacking steps

1. Start android_server

  1. The IDA debug server is shipped with IDA at IDAPro70\dbgsrv\android_server
  2. In a terminal, cd to the directory IDAPro70\dbgsrv
  3. adb push android_server /data/local/tmp
  4. adb shell, then su (the phone must be rooted)
  5. cd /data/local/tmp; chmod 777 android_server
  6. ./android_server (restart the phone if it fails to start)

2. Set ro.debuggable to 1 on the rooted phone using mprop

adb push xxx/mprop /data/local/tmp/mprop
adb shell
su
chmod 755 /data/local/tmp/mprop
/data/local/tmp/mprop
setprop ro.debuggable 1
/data/local/tmp/mprop -r

3. Forward the IDA port and start the app in debug mode

adb forward tcp:23946 tcp:23946
adb shell am start -D -n <package>/<activity>

4. Attach IDA to the application process and set the breakpoint

Open IDA, set Process Options to host 127.0.0.1 and port 23946, then Debugger -> Attach to process and select the target app's process. Find libdvm.so in the module list, locate dvmDexFileOpenPartial by adding its static offset to the library's load address, and set a breakpoint at the result.

5. Connect JDB to the application

Connect JDB (two ways):

  1. Through DDMS (if port 8700 is already occupied, find the process with ps/lsof, kill it, and try again).
  2. By command: adb shell ps | grep <package> to find the app's pid; adb forward tcp:8700 jdwp:<pid>; then jdb -connect com.sun.jdi.SocketAttach:port=8700,hostname=localhost

6. Start debugging in IDA

Press F9 in IDA to start debugging.

General principle

dvmDexFileOpenPartial is the function that receives the dex in memory, so breaking on it gives us the address and length of the dex segment, which we then dump to a file. (The Java virtual machine differs before and after Android 4.4. This phone runs 4.4.2, so the system library is libdvm.so; on later versions with ART (libart.so) the function to break on is OpenMemory instead.)

Detailed process

The principle seems simple, but in practice there are many problems and pitfalls, and each one can cost you half a day, so I am sharing the details here in the hope that you do not repeat my mistakes.

1. Start android_server

  1. The IDA debug server is shipped with IDA at IDAPro70\dbgsrv\android_server
  2. In a terminal, cd to the directory IDAPro70\dbgsrv
  3. adb push android_server /data/local/tmp
  4. adb shell, then su (the phone must be rooted)
  5. cd /data/local/tmp; chmod 777 android_server
  6. ./android_server (restart the phone if it fails to start)

When it starts it prints:

IDA Android 32-bit Remote Debug Server (ST) v1.22. Hex-Rays (C) 2004-2017

So the server is 32-bit, which means you must open the 32-bit IDA (not the 64-bit one) to connect to it.

2. Set ro.debuggable to 1 on the rooted phone using mprop

adb push xxx/mprop /data/local/tmp/mprop
adb shell
su
chmod 755 /data/local/tmp/mprop
/data/local/tmp/mprop
setprop ro.debuggable 1
/data/local/tmp/mprop -r

Use getprop ro.debuggable to check whether the change took effect.

Sometimes you will see:

android_server Address already in use

In that case kill the old process and start over: in the adb shell, run ps | grep android_server, then kill -s 9 <pid>, and restart android_server.

Note: this has to be repeated every time the phone restarts; ro.debuggable must be set back to 1 each time.

3. Forward the IDA port and start the app in debug mode

adb forward tcp:23946 tcp:23946
adb shell am start -D -n <package>/<activity>

Run lsof -i:23946; if LISTEN is displayed, the forwarding succeeded. Then run the am start command above with the target package name and its launcher activity to start the app waiting for a debugger.

To find the launcher activity, run adb shell dumpsys package <package> and look for the Activity with action MAIN; it is typically something like SplashActivity.

Once the app has been started in debug mode, the phone shows a "Waiting for debugger" dialog.

4. Attach IDA to the application process and set the breakpoint

Open IDA, set Process Options to host 127.0.0.1 and port 23946, then Debugger -> Attach to process and select the target app's process. Find libdvm.so in the module list, locate dvmDexFileOpenPartial by adding its static offset to the library's load address, and set a breakpoint at the result.

Here we use the 32-bit IDA, and usually two instances of it: one for static analysis of the .so (to find the offset of dvmDexFileOpenPartial inside libdvm.so), the other for debugging.

First you need libdvm.so itself, which lives under /system/lib/ on the phone:

adb pull /system/lib/libdvm.so /users/jafir/desktop/

Open it in IDA and find dvmDexFileOpenPartial in the function list. The address 0004BB10 is its offset inside libdvm.so. Later, when we are at the breakpoint, we need the real address of dvmDexFileOpenPartial in process memory: find the base address at which libdvm.so is loaded and add the offset to it. That is all static analysis has to give us.

Then open another instance (File -> New Instance), select Go, and choose Debugger -> Attach -> Remote ARM Linux/Android debugger.

Next, press Ctrl+S to open the segment list, find libdvm.so, note its start address in memory, and do the addition:

0x4152D000 + 0x0004BB10 = 0x41578B10

Press G to jump to that address and set the breakpoint there.
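The base-plus-offset calculation above done from /proc/<pid>/maps output, which shows the same load addresses as IDA's segment list. This is an added example, not code from the original post; the maps lines are constructed, with libdvm.so placed at 0x4152d000 to match the numbers in the post, and the function works for any library name and offset.

```python
import re

# Constructed sample of /proc/<pid>/maps output for a Dalvik process.
# Addresses are chosen to match the post: libdvm.so loaded at 0x4152d000.
SAMPLE_MAPS = """\
40000000-40001000 r--p 00000000 00:00 0          /system/bin/app_process
4152d000-41580000 r-xp 00000000 b3:19 1234       /system/lib/libdvm.so
41580000-41584000 r--p 00052000 b3:19 1234       /system/lib/libdvm.so
41584000-41586000 rw-p 00056000 b3:19 1234       /system/lib/libdvm.so
b6f00000-b6f80000 r-xp 00000000 b3:19 5678       /system/lib/libc.so
"""

# start-end perms file_offset dev inode path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s+(\S+)$"
)


def library_base(maps_text, lib_name):
    """Return the load base of lib_name: the start address of its mapping
    with file offset 0. Raises LookupError if the library is not mapped."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mappings and other lines are skipped
        start, _end, _perms, file_off, path = m.groups()
        if path.endswith("/" + lib_name) and int(file_off, 16) == 0:
            return int(start, 16)
    raise LookupError(f"{lib_name} not found in maps")


def breakpoint_address(maps_text, lib_name, static_offset):
    """Runtime address = load base + offset found by static analysis."""
    return library_base(maps_text, lib_name) + static_offset


if __name__ == "__main__":
    # 0x0004BB10 is the dvmDexFileOpenPartial offset from the post.
    print(hex(breakpoint_address(SAMPLE_MAPS, "libdvm.so", 0x0004BB10)))
```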

5. Connect JDB to the application

Connect JDB (two ways):

  1. Through DDMS (if port 8700 is already occupied, find the process with ps/lsof, kill it, and try again).
  2. By command: adb shell ps | grep <package> to find the app's pid; adb forward tcp:8700 jdwp:<pid>; then jdb -connect com.sun.jdi.SocketAttach:port=8700,hostname=localhost

The simplest way is to open DDMS (the monitor tool under Android SDK/tools), then run:

jdb -connect com.sun.jdi.SocketAttach:port=8700,hostname=localhost

(base) Jafir:~ jafir$ jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
>

If DDMS is open but port 8700 is occupied, run lsof -i:8700 to find the process holding the port, then kill -s 9 <pid> to kill it:

(base) Jafir:~ jafir$ lsof -i:8700
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
monitor 31587 jafir  121u  IPv6 0x8c41b253ec7cd357      0t0  TCP localhost:8700 (LISTEN)
(base) Jafir:~ jafir$ kill -s 9 31587

If you do not want to use DDMS, you can connect JDB with commands alone:

adb shell ps | grep <package>          # find the app's pid
adb forward tcp:8700 jdwp:<pid>
jdb -connect com.sun.jdi.SocketAttach:port=8700,hostname=localhost

6. Start debugging in IDA

Press F9 in IDA to start debugging.

Click the green start button (F9). If everything is right, the "Waiting for debugger" dialog on the phone disappears and the app enters the debugging state.

The DDMS indicator turns green, and the first break happens inside libc. From there press F9 repeatedly (press Enter to dismiss any dialog) until execution reaches our breakpoint. At the breakpoint, step down a few instructions but do not step past the BL; stop right after the PUSH.

If the breakpoint hits successfully, the values can be read from the General registers window.

static main(void) {
    auto fp, dex_addr, end_addr;
    // Open or create the output file
    fp = fopen("/users/jafir/desktop/dump.dex", "wb");
    // r0 = start address of the dex in memory, r1 = its length
    end_addr = r0 + r1;
    for (dex_addr = r0; dex_addr < end_addr; dex_addr++) {
        // Dump the region byte by byte to the local file
        fputc(Byte(dex_addr), fp);
    }
    fclose(fp);
}

File -> Script command opens the window in which this IDC script is entered and run.

You should see the dump.dex file on your desktop after a while.
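A check worth running on dump.dex before opening it in a decompiler: the dex header stores the file size and two integrity values (an Adler-32 checksum over everything after the checksum field and a SHA-1 signature over everything after the signature field), so a dump that stopped short, started at the wrong address, or caught the dex while it was still being modified will fail one of them. This is an added example, not code from the original post; the dex image it checks is constructed (a valid 0x70-byte header with nothing after it).

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70


def check_dump(data):
    """Check a dumped dex image. Returns a list of problems; an empty list
    means magic, file_size, header_size, SHA-1 signature and Adler-32
    checksum are all consistent with the bytes actually dumped."""
    problems = []
    if len(data) < HEADER_SIZE:
        return ["shorter than a dex header (%d bytes)" % len(data)]
    if data[:8] != DEX_MAGIC:
        problems.append("bad magic %r" % data[:8])
    (checksum,) = struct.unpack_from("<I", data, 8)      # offset 8
    signature = data[12:32]                              # offset 12, 20 bytes
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != 0x12345678:
        problems.append("unexpected endian_tag 0x%08x" % endian_tag)
    if header_size != HEADER_SIZE:
        problems.append("header_size 0x%x != 0x70" % header_size)
    if file_size != len(data):
        problems.append("header file_size %d != dumped %d" % (file_size, len(data)))
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("SHA-1 signature mismatch")
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        problems.append("Adler-32 checksum mismatch")
    return problems


def make_sample_dex():
    """Constructed minimal dex: a valid 0x70-byte header and nothing else."""
    body = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, 0x12345678)
    body += b"\0" * (HEADER_SIZE - 44)  # remaining header fields zeroed
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    print(check_dump(make_sample_dex()))  # []
```

To check a real dump, pass open("/users/jafir/desktop/dump.dex", "rb").read() to check_dump().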

There are many more pitfalls beyond these.

Useful commands

Process related:

  - ps -A: view all processes
  - lsof -i:XXX: view the process using port XXX
  - kill -9 XXXX: kill a process

Reverse-engineering related:

  - cat /proc/<pid>/maps: view the libraries loaded by the process
  - echo content >> path: write content to a file (appends if the file exists, creates it if not); echo content > path overwrites it
  - adb shell dumpsys activity top
  - adb shell dumpsys package [packagename]
  - adb shell dumpsys meminfo <package> (e.g. com.cctv4g.cctvMobiletv)
  - adb shell dumpsys dbinfo <package>
  - adb shell screencap -p <path>
  - adb install -t xxx.apk: install as a test package

View the current activity:

  1. adb shell dumpsys activity activities | sed -En -e '/Running activities/,/Run #0/p'
  2. adb shell dumpsys activity | grep -i run

Files and permissions:

  - ls -alF: view files and their permissions
  - ls -a: view hidden files
  - ls

View keystore summary information (SHA1): keytool -list -keystore <keystore>

jadx-gui: jadx-gui xxx.jar / xxxx.dex / xxx.apk (configure the environment variable first)

dx:

  1. dx --dex --output=HelloWorld.dex HelloWorld.jar (a dex can also be generated from a jar with dx)
  2. adb push xxx.dex <path on phone>
  3. adb shell
  4. dalvikvm -cp xxx.dex com.jafir.signprotect.Main (the main class)

Afterword

I have only just started and am a complete beginner, feeling my way across the river. I consulted many experts, but in the end there is no substitute for doing it yourself: falling into the pits, trying, and trying again countless times. This post only covers dumping the dex; there are many more operations, such as restoring extracted instructions and dealing with anti-debugging.

I only practised on my own apk, which had no anti-debugging, and ran into more problems when I tried to unpack real apps. In short, as a newcomer I still need to keep learning and exploring. I hope like-minded people will get in touch to share what they know.