0x00 Preface
The previous article covered debugging APK files dynamically with Android Studio and JEB directly; this article covers using IDA Pro to debug the native .so library.
The APK being debugged is still the one from CTF case 4, which has been uploaded to the Knowledge Planet; you can download it yourself.

Technologies involved in this article:
IDA pro tool usage
Debug android applications
Dynamic debugging technology
Note: The apk file required for this case has been uploaded to the Knowledge Planet. Those who need it can download it by following the link at the end of the article
0x01 Preparation
1. Download the case Apk file
Use the Android Killer tool to modify the application's configuration file (AndroidManifest.xml) and add android:debuggable="true", so that the APK can be debugged.
2. Find the IDA_Pro_v7.5_Portable\dbgsrv directory; the files in it are the debug server binaries for the different platforms.
3. Check the CPU architecture of the phone.
4. The phone used for debugging is arm64-v8a, so choose android_server64; push this file to the phone's /data/local/tmp directory, grant it execute permission, and run it.
The default port is 23946; here it is deliberately changed to 22222.
5. Port forwarding
adb forward tcp:11111 tcp:22222
This forwards local port 11111 (on my Windows machine) to port 22222 on the phone.
After the preparation is done, two debugging methods will be explained: debugging an APK started in normal mode, and debugging an APK started in Debug mode. If the code you want to debug runs after startup, normal-mode startup is enough; if it runs while the application is starting, you need to start the APK in Debug mode.
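The preparation steps above, together with the normal-mode and Debug-mode launch commands used in the two sections that follow, collected into one POSIX shell script. This is an added example, not part of the original post and not IDA's own tooling. It assumes a rooted phone, a local copy of IDA's dbgsrv folder, and that android_server64 accepts a -p<port> switch (check its -h output); the ABI-to-binary mapping, the port check, and the adb forward tcp:PORT jdwp:PID alternative to Android Device Monitor are additions here, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): automate the preparation steps
# for debugging a native library with IDA's Android debug server.
# Assumptions: rooted phone; DBGSRV_DIR holds a copy of IDA's dbgsrv folder;
# android_server64 accepts "-p<port>" (verify with "-h" on the device).

DBGSRV_DIR="${DBGSRV_DIR:-./dbgsrv}"   # local copy of IDA_Pro_v7.5_Portable\dbgsrv
REMOTE_DIR=/data/local/tmp
LOCAL_PORT=11111     # port IDA connects to on the PC
REMOTE_PORT=22222    # port the server listens on on the phone (IDA default: 23946)
PKG=com.example.hellojni
ACTIVITY=com.example.application.IsThisTheRealOne
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# Map the ABI reported by the phone to the dbgsrv binary built for it.
pick_server() {
    case "$1" in
        arm64-v8a)            echo android_server64 ;;
        armeabi-v7a|armeabi)  echo android_server ;;
        x86)                  echo android_x86_server ;;
        x86_64)               echo android_x64_server ;;
        *)                    return 1 ;;
    esac
}

# Accept only numeric, unprivileged ports so a typo cannot bind below 1024.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Build the "am start" command; -D makes the app wait for a debugger (0x03).
start_cmd() {   # $1 = normal|debug
    if [ "$1" = debug ]; then
        echo "am start -D -n $PKG/$ACTIVITY"
    else
        echo "am start -n $PKG/$ACTIVITY"
    fi
}

# Steps 3-5 of the preparation: detect ABI, push server, run it, forward port.
deploy_server() {
    abi="${ABI:-$(adb shell getprop ro.product.cpu.abi | tr -d '\r')}"
    server=$(pick_server "$abi") || { echo "unsupported ABI: $abi" >&2; return 1; }
    valid_port "$REMOTE_PORT" || { echo "bad port: $REMOTE_PORT" >&2; return 1; }
    run adb push "$DBGSRV_DIR/$server" "$REMOTE_DIR/$server"
    run adb shell chmod 755 "$REMOTE_DIR/$server"
    # ptrace on other processes needs root; background it so adb shell returns.
    run adb shell "su -c 'nohup $REMOTE_DIR/$server -p$REMOTE_PORT >/dev/null 2>&1 &'"
    run adb forward tcp:"$LOCAL_PORT" tcp:"$REMOTE_PORT"
}

launch_app() {   # $1 = normal|debug
    run adb shell "$(start_cmd "$1")"
}

# Attach jdb so an app started with -D resumes. The port is the one Android
# Device Monitor shows for the process (8608 in the post). Without Monitor,
# "adb jdwp" lists debuggable pids and "adb forward tcp:8608 jdwp:<pid>"
# creates the same forward by hand.
jdb_attach() {   # $1 = jdwp port
    valid_port "$1" || return 1
    run jdb -connect "com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=$1"
}

# Usage: sh ida_dbgsrv.sh deploy [normal|debug]   (DRY_RUN=1 to preview)
if [ "${1:-}" = deploy ]; then
    deploy_server && launch_app "${2:-normal}"
fi
```

Run it with DRY_RUN=1 first to see exactly which adb commands it would issue; once the forward is in place, IDA's Remote ARM Linux/Android debugger is pointed at 127.0.0.1 and the local port (11111 here), as in the steps that follow.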
0x02 Normal mode debugging
1. Start the target Activity with adb; here the APK is started in normal mode:
adb shell am start -n com.example.hellojni/com.example.application.IsThisTheRealOne
2. Open the 64-bit version of IDA pro and load the libhello-jni.so file from arm64-v8a
3. IDA debugging configuration
Select Remote ARM Linux/Android debugger for debugging
Select Debugger options and check the following three options
Select Process options for configuration:
Select the process to attach to
4. A Debugger warning appears
This means the .so found on the phone matches the one loaded locally; select Same.
5. Search the module list for the module to be debugged
Then locate the function to set a breakpoint in.
6. Set breakpoints
You can press F5 and set breakpoints directly in the C/C++ pseudocode.
7. Start debugging
Switch to the Quick debug view, open the Locals window, press F9 to run and F8 to step over, and debug.
8. The flag value is obtained successfully.
0x03 Debug mode debugging
1. Open the Android Device Monitor tool
This tool is located in the Android\Sdk\tools directory.
2. Start the APK's Activity in Debug mode
adb shell am start -D -n com.example.hellojni/com.example.application.IsThisTheRealOne
In Android Device Monitor, a red bug icon appears in front of the process to be debugged.
3. Open IDA and load the .so (as above)
4. Configure the IDA debugger, check the three options, and find the process to attach to (as above)
5. Execute the jdb command
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8608
This port can be seen in Android Device Monitor.
Once the command completes, the red bug icon turns green and you can start debugging.
6. Start debugging and press F9 until the .so to be debugged is loaded.
7. Find the module to be debugged and the target functions in it (as above)
8. Continue debugging
Open Locals to view the variables.
The flag value is obtained successfully.
0x04 Conclusion
In Android reverse engineering, dynamic debugging is an important technique, and IDA Pro is a powerful tool for debugging .so code. Those who are interested can download the case's APK file for hands-on practice.