Android Deobfuscation Tools and Techniques
Uploaded by caleb-fenton
ANDROID DEOBFUSCATION
Tools and Techniques
TetCon 2016
01.04.2016
About Me
• Reverse engineering Android since 2010
• Made some reversing tools
• Former malware researcher at Lookout
• Security researcher at SourceClear
• github.com/CalebFenton
• @caleb_fenton
Contents
• Obfuscation Overview
• Deobfuscation Strategies
• Pattern Matching - dex-oracle
• Virtual Execution - smalivm + simplify
OBFUSCATION OVERVIEW
Part 1 / 2
Obfuscation Types
• Identifier remapping
• Literal encryption
• White noise
• Packers
• Other
Identifier Remapping
• Class names
• Method names
• Variable names
• ProGuard remaps and strips debugging info
• ProGuard most common and weak
Identifier Remapping
Classes renamed in alphabetical order
Identifier Remapping
Member names not changed
Didn’t use aggressive ProGuard settings
Methods renamed
Parameters / local variable names removed
Literal Encryption
• Strings, numbers, array payloads
• Original replaced with encrypted version and call to decryption method
• Or replaced with lookup method
White Noise
• Many useless operations or method calls
• No direct or indirect side effects outside of method
• Does not modify class state
• No I/O (file, network)
• Does not affect return value
• For example,
• x = 5; 1 + 2 + 3 * 4 / 5 % 8; return x;
White Noise
Values never used
Packers
• Original DEX replaced with unpacker DEX
• Original is usually encrypted and hidden in APK
• Unpacker decrypts and loads DEX at runtime
• E.g. Bangcle (SecNeo), APKProtect, Qihoo
Others
• Anti-disassembly - break decompilers
• Virtual machine - uncommon on Android (for now)
• Reflection - adds layer of redirection
• Native code - harder to understand disassembly
• Control flow - confuses decompilers and analysis
DEOBFUSCATION STRATEGIES
Part 2 / 2
Pattern Matching
1. Identify patterns and transformations
2. Describe with regular expressions
3. Search for pattern and apply transformations
Pattern Matching
Good
• Simple
• Less code, less to go wrong
• Easy to extend
• Works well for some obfuscation types
Bad
• /Regular expressions/
• Analysis is surface level
• Brittle - one change in obfuscation breaks pattern
dex-oracle
• Originally targeted Android.Obad with DexGuard
• Searches for regex patterns in Smali
• Improves analysis by executing some methods
• Replaces obfuscated code with return value
• github.com/CalebFenton/dex-oracle
Pattern Example
(?m-ix:^[ \t]*(
  const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
  const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
  const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
  invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(III\))Ljava\/lang\/String;\s+
  move-result-object ([vp]\d+)
))
Pattern Example
Execute CC0Ioll.oCIlCll(0x6e, 0x7, -0x10) on device / emulator and replace with result…
dex-oracle Components
• Plugins
  • each plugin gets all Smali files
  • search for patterns and make changes
  • executed repeatedly until no more changes
• Driver
  • merged with input Smali / DEX / APK
  • moved to device / emulator
  • invoked by plugins with method + arguments
  • uses reflection to call method and return result
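The pattern-matching workflow of the last few slides (identify the pattern, describe it with a regex, execute the decryption method, replace the call with its result, repeat until nothing changes) as an added Python example. This is not dex-oracle's own code: the Smali input is constructed, and the on-device driver is replaced by a hypothetical `execute_on_device` lookup table, because running the real method needs a device or emulator. The regex keeps the shape of the slide's pattern; the class and method names in the sample are the ones the slide shows.

```python
import re

# Constructed sample input (not from the talk): a Smali method in the shape the
# pattern on the previous slides targets. The second call names a class the
# stand-in oracle does not know, so it must be left exactly as it is.
SAMPLE_SMALI = """\
.method public static a()V
    .locals 4

    const/16 v0, 0x6e
    const/4 v1, 0x7
    const/16 v2, -0x10
    invoke-static {v0, v1, v2}, LCC0Ioll;->oCIlCll(III)Ljava/lang/String;
    move-result-object v3

    const/4 v0, 0x1
    const/4 v1, 0x2
    const/4 v2, 0x3
    invoke-static {v0, v1, v2}, LUnknownClass;->decode(III)Ljava/lang/String;
    move-result-object v3

    return-void
.end method
"""

# Same shape as the slide's pattern, in Python's verbose syntax so each Smali
# instruction sits on its own line. Group 1 is the span to replace, 2-4 the
# three int arguments, 5 the class, 6 the method, 7 the destination register.
DECRYPT_CALL = re.compile(r"""
    ^[ \t]*(
        const(?:/\w+)?[ \t]+[vp]\d+,[ \t]+(-?0x[a-f\d]+)\s+
        const(?:/\w+)?[ \t]+[vp]\d+,[ \t]+(-?0x[a-f\d]+)\s+
        const(?:/\w+)?[ \t]+[vp]\d+,[ \t]+(-?0x[a-f\d]+)\s+
        invoke-static[ \t]+\{[vp]\d+,[ \t]*[vp]\d+,[ \t]*[vp]\d+\},[ \t]+
            L([^;]+);->([^(]+\(III\))Ljava/lang/String;\s+
        move-result-object[ \t]+([vp]\d+)
    )""", re.MULTILINE | re.VERBOSE)

# Hypothetical stand-in for dex-oracle's driver, which calls the real method on
# a device over reflection. A constructed table plays that role here.
FAKE_RESULTS = {
    ("CC0Ioll", "oCIlCll(III)", (0x6e, 0x7, -0x10)): "decrypted string",
}

def execute_on_device(class_name, method, args):
    """Return the decrypted string, or None when the oracle cannot run the method."""
    return FAKE_RESULTS.get((class_name, method, args))

def smali_string_literal(s):
    """Quote s as a Smali string literal, escaping backslash and double quote."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def apply_once(smali, oracle):
    """One plugin pass: replace every resolvable call. Returns (new_smali, replaced)."""
    replaced = 0

    def repl(m):
        nonlocal replaced
        args = tuple(int(m.group(i), 16) for i in (2, 3, 4))   # "-0x10" -> -16
        value = oracle(m.group(5), m.group(6), args)
        if value is None:
            return m.group(0)          # unknown result: never guess, keep the code
        replaced += 1
        indent = m.group(0)[: m.start(1) - m.start(0)]
        return f"{indent}const-string {m.group(7)}, {smali_string_literal(value)}"

    return DECRYPT_CALL.sub(repl, smali), replaced

def deobfuscate(smali, oracle=execute_on_device, max_rounds=10):
    """Run the plugin until a pass changes nothing, as dex-oracle's plugins do."""
    total = 0
    for _ in range(max_rounds):
        smali, n = apply_once(smali, oracle)
        if n == 0:
            break
        total += n
    return smali, total

if __name__ == "__main__":
    out, n = deobfuscate(SAMPLE_SMALI)
    print(f"{n} call(s) replaced\n{out}")
```

The brittleness the Good/Bad slide warns about is visible in the pattern itself: a fourth argument, a `const-string` argument, or a decryptor that returns `Object` instead of `String` and the regex simply never fires. The conservative branch in `repl` matters for the same reason: when the oracle cannot produce a value, the safe transformation is none at all.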
dex-oracle Workflow
Virtual Execution
• Execute entire method to determine behavior
• Similar to inter-procedural data flow analysis
• Smali is much less ambiguous than Java
• Should have identical behavior to actual execution
• Deobfuscate by replacing complex, obfuscated instructions with simpler instructions
Virtual Execution
Good
• Much more flexible
• No regular expressions
• Deeper analysis
• Less brittle, generalized
• Can be used for more than deobfuscation
Bad
• Harder to implement
• Correctness is constant struggle
• Need to study program analysis and lots of jargon
smalivm
• Acts like sandboxed Dalvik virtual machine
• Takes Smali / DEX / APK as input
• Handles unknown values + method arguments
• Executes all possible paths
• API methods are whitelisted for security
• Returns context sensitive graph of each method
• Graph has VM state for each execution of every op
smalivm Example (Java source beside its Smali)
smalivm Example
Multiple possible return values
Unknown argument value
Execution graph
smalivm Other Uses
• Data and type flow analysis
• Taint analysis
• Reversible debugger
• Works with Java if converted with dx
simplify
• Uses smalivm to analyze and create graph
• Applies optimizations to graph
• Constant propagation
• Dead / useless code removal
• Reflection removal
• Various peephole optimizations
• github.com/CalebFenton/simplify
simplify Example
Always returns 8!
simplify Example
After constant propagation and dead code removal
simplify Example
Before / After
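The virtual-execution idea of the smalivm and simplify slides above, as an added Python example that is neither smalivm nor simplify source: a toy interpreter for a handful of Smali ops that treats method arguments as unknown, forks at every branch whose condition it cannot decide, and collects the set of possible return values. When every path returns the same constant, the body folds to a const plus return, which is the "always returns 8" case; when the paths disagree, nothing is folded. The Smali methods are constructed, and `parse`, `execute` and `simplify` are this example's own names.

```python
UNKNOWN = None   # smalivm's "unknown value": a method argument, or anything computed from one

BINOPS = {"add-int": lambda a, b: a + b, "mul-int": lambda a, b: a * b}

def to_int32(x):
    """Wrap to Java int semantics (32-bit two's complement)."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x

def parse(method_text):
    """Toy parser (not smalivm's): [(op, operands)] plus a label -> instruction index map."""
    insns, labels = [], {}
    for raw in method_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("."):        # .method / .locals / .end method
            continue
        if line.startswith(":"):
            labels[line] = len(insns)
            continue
        op, _, rest = line.partition(" ")
        insns.append((op, [t.strip() for t in rest.split(",")] if rest else []))
    return insns, labels

def read(regs, tok):
    """Register name -> current value; hex or decimal literal -> int."""
    if tok[0] in "vp":
        return regs.get(tok, UNKNOWN)
    return int(tok, 16) if "x" in tok else int(tok)

def execute(insns, labels, params):
    """Run every path from the entry. Arguments start UNKNOWN; a branch on an UNKNOWN
    value is followed both ways. Returns the set of possible return values."""
    worklist = [(0, {p: UNKNOWN for p in params})]
    seen, results = set(), set()
    while worklist:
        pc, regs = worklist.pop()
        key = (pc, tuple(sorted(regs.items())))
        if key in seen:                 # same pc with the same register state: already done
            continue
        seen.add(key)
        op, ops = insns[pc]
        base = op.split("/")[0]         # const/4, add-int/lit8, ... share their base op
        if base == "const":
            worklist.append((pc + 1, {**regs, ops[0]: to_int32(read(regs, ops[1]))}))
        elif base in BINOPS:
            srcs = ops[1:] if len(ops) == 3 else ops      # the /2addr form reuses the dest
            a, b = read(regs, srcs[0]), read(regs, srcs[1])
            val = UNKNOWN if a is UNKNOWN or b is UNKNOWN else to_int32(BINOPS[base](a, b))
            worklist.append((pc + 1, {**regs, ops[0]: val}))
        elif base == "goto":
            worklist.append((labels[ops[0]], regs))
        elif base in ("if-eqz", "if-nez"):
            v, target = read(regs, ops[0]), labels[ops[1]]
            if v is UNKNOWN:            # cannot decide: fork and execute both successors
                worklist += [(target, regs), (pc + 1, regs)]
            elif (v == 0) == (base == "if-eqz"):
                worklist.append((target, regs))
            else:
                worklist.append((pc + 1, regs))
        elif base == "return":
            results.add(read(regs, ops[0]))
        else:
            raise NotImplementedError(op)
    return results

def simplify(method_text, params):
    """simplify in miniature: if every path returns one constant, fold the body to const + return."""
    insns, labels = parse(method_text)
    results = execute(insns, labels, params)
    if len(results) == 1 and UNKNOWN not in results:
        return f"const v0, {hex(next(iter(results)))}\nreturn v0", results
    return method_text.strip(), results

# Constructed samples. ALWAYS_EIGHT branches on an unknown p0, yet both paths yield 8;
# TWO_RESULTS really does depend on p0, so nothing may be folded.
ALWAYS_EIGHT = """
.method public static f(I)I
    if-eqz p0, :zero
    const/4 v0, 0x3
    add-int/lit8 v0, v0, 0x5
    goto :done
    :zero
    const/4 v0, 0x4
    mul-int/lit8 v0, v0, 0x2
    :done
    return v0
.end method
"""

TWO_RESULTS = """
.method public static g(I)I
    if-nez p0, :other
    const/4 v0, 0x1
    return v0
    :other
    const/4 v0, 0x2
    return v0
.end method
"""
```

`simplify(ALWAYS_EIGHT, ["p0"])` returns the folded body together with the result set `{8}`, while `simplify(TWO_RESULTS, ["p0"])` hands the method back untouched with `{1, 2}`. The `seen` set is what the "executes all possible paths" bullet costs in practice: without a bound on repeated (pc, state) pairs a loop with an unknown counter never terminates, and a real engine also has to treat the unknown argument flowing into every dependent register, which here is the `UNKNOWN` propagation in the arithmetic branch.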
Which is best?
EXTENDED READING
• https://github.com/rednaga/training
• http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
• https://github.com/strazzere/anti-emulator/tree/master/slides
• https://github.com/strazzere/android-unpacker/blob/master/AHPL0.pdf
• http://www.droidsec.org/wiki/#whitepapers
• http://androidcracking.blogspot.com/
• http://www.unicorn-engine.org/
REDNAGA
01.04.2016
THANKS!
TetCon 2016
Good people to follow on Twitter for Android / Reversing / Malware / Hacking:
@_jsoo_ @brucedang @capstone_engine @droidsec @Fuzion24 @jcase @jduck @marcwrogers @pof @quine @saurik @snare @tamakikusu @timstrazz @uberlaggydarwin @unicorn_engine
#MalwareMustDie