Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
How to De-Obfuscate
De-obfuscation strategies depend on the obfuscation method. This section introduces static de-obfuscation techniques, suitable for static analysis or reversing:
- For DEX bytecode (Java), a common approach is to identify the application's own de-obfuscation methods, replicate them in a Java file, and run that file against the obfuscated elements.
- For both Java and native code, another technique is to translate the de-obfuscation algorithm into a familiar scripting language such as Python; understanding why the algorithm works matters less than being able to execute it.
Indicators of Obfuscation
Recognizing obfuscation involves identifying certain indicators, for example:
- Absence of strings, or presence of scrambled strings, in the Java/Android code, hinting at string obfuscation.
- Binary files in the assets directory or calls to DexClassLoader, indicating possible code unpacking and loading.
- Use of native libraries without identifiable JNI functions, suggesting native method obfuscation.
String Deobfuscation Exercise
An exercise is provided to practice string de-obfuscation in a static-analysis setting. The task involves a sample file identified by a specific SHA256 digest, and requires the analyst to recover an obfuscated JavaScript string without running the application dynamically.
The solution is a Python script that deciphers the encoded string, revealing an embedded script that loads from coinhive.com and starts a miner.
Additional Resources
Further insights into de-obfuscating Android apps, especially focusing on advanced obfuscation techniques, can be explored in the talks at BlackHat USA 2018 and REcon 2019, each covering unique aspects of obfuscation in Android applications.
Exercise from https://maddiestone.github.io/AndroidAppRE/obfuscation.html:
enc_str = "773032205849207A3831326F1351202E3B306B7D1E5A3B33252B382454173735266C3D3B53163735222D393B475C7A37222D7F38421B6A66643032205849206477303220584920643D2223725C503A3F39636C725F5C237A082C383C7950223F65023F3D5F4039353E3079755F5F666E1134141F5C4C64377A1B671F565A1B2C7F7B101F42700D1F39331717161574213F2B2337505D27606B712C7B0A543D342E317F214558262E636A6A6E1E4A37282233256C"
# Stage 1: hex-decode the string; every two hex digits become one byte value.
length = len(enc_str)
count = 0
dec_str = [0] * (length // 2)  # integer division (the original Python 2 script used "/")
while count < length:
    dec_str[count // 2] = ((int(enc_str[count], 16) << 4) + int(enc_str[count + 1], 16)) & 0xFF
    count += 2
print(dec_str)
# Stage 2: XOR each byte with the repeating 8-byte key (the bytes of "KCQR19TZ").
key = [75, 67, 81, 82, 49, 57, 84, 90]
enc_str = dec_str  # alias: each element is read, then overwritten with its decoded character
count = 0
length = len(enc_str)
while count < length:
    dec_str[count] = chr(enc_str[count] ^ key[count % len(key)])
    count += 1
print(''.join(dec_str))
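The script above hard-codes the XOR key. The following Python 3 script is an added example (not from the page or the exercise author) showing how an analyst recovers that key from the ciphertext alone: it uses a known-plaintext crib, the "<script " prefix an injected JavaScript string is expected to start with, and accepts the first key length whose output is almost entirely printable. The helper names and the 0.95 printable threshold are my own choices; the hex sample is the one from the exercise.

```python
from itertools import cycle

# Hex-encoded sample taken from the exercise above (same bytes, split for width).
ENC_HEX = (
    "773032205849207A3831326F1351202E3B306B7D1E5A3B33252B382454173735266C3D3B"
    "53163735222D393B475C7A37222D7F38421B6A6664303220584920647730322058492064"
    "3D2223725C503A3F39636C725F5C237A082C383C7950223F65023F3D5F4039353E307975"
    "5F5F666E1134141F5C4C64377A1B671F565A1B2C7F7B101F42700D1F3933171716157421"
    "3F2B2337505D27606B712C7B0A543D342E317F214558262E636A6A6E1E4A37282233256C"
)

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ct: bytes, crib: bytes, key_len: int) -> bytes:
    """Derive key_len key bytes from a crib known to sit at offset 0.
    Each key byte is observed once, so the crib must cover the whole key."""
    if key_len > len(crib) or key_len > len(ct):
        raise ValueError("crib too short for this key length")
    return bytes(c ^ p for c, p in zip(ct[:key_len], crib[:key_len]))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in b"\t\r\n" for b in data) / len(data)

def crack_with_crib(ct: bytes, crib: bytes, max_len: int = 16, threshold: float = 0.95):
    """Try key lengths 1..max_len and return (key, plaintext) for the first whose
    decryption is almost entirely printable. A wrong length leaves most positions
    XORed with the wrong byte, so its output stays well below the threshold."""
    for n in range(1, min(max_len, len(crib)) + 1):
        key = recover_key(ct, crib, n)
        pt = xor_repeating(ct, key)
        if printable_ratio(pt) >= threshold:
            return key, pt
    return None

def solve_exercise():
    """Run the crib attack on the page's sample with the expected '<script ' prefix."""
    return crack_with_crib(bytes.fromhex(ENC_HEX), b"<script ")

if __name__ == "__main__":
    found = solve_exercise()
    if found:
        print("key:", found[0].decode(), "\nplaintext:", found[1].decode())
```

The recovered key is the same eight bytes the hard-coded script uses, so the crib approach removes the need to first locate the key constant in the decompiled code.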
References and Further Reading
- https://maddiestone.github.io/AndroidAppRE/obfuscation.html
- BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” [video]
- This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code.
- REcon 2019: “The Path to the Payload: Android Edition” [video]
- This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior.