hacktricks/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
Carlos Polop 968100037a a
2024-02-03 15:45:32 +01:00

88 lines
5.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## How to De-Obfuscate
De-obfuscation strategies depend on the obfuscation method. This section introduces static de-obfuscation techniques, suitable for static analysis or reversing:
* For DEX bytecode (Java), a common approach is to identify and replicate the application's de-obfuscation methods into a Java file, which is then executed against the obfuscated elements.
* Both for Java and Native Code, another technique involves translating the de-obfuscation algorithm into a familiar scripting language like Python, emphasizing that understanding the algorithm is not as crucial as being able to execute it.
## Indicators of Obfuscation
Recognizing obfuscation involves identifying certain indicators, with the following examples provided:
* Absence of strings or presence of scrambled strings in Java and Android, hinting at string obfuscation.
* Existence of binary files in the assets directory or DexClassLoader calls, indicating possible code unpacking and loading.
* Use of Native libraries without identifiable JNI functions, suggesting native method obfuscation.
### String Deobfuscation Exercise
An exercise is provided to practice string de-obfuscation within a static analysis context. The task involves a sample file with a specific SHA256 digest, requiring the analyst to uncover an obfuscated Javascript string without running the application dynamically.
The solution involves a Python script that deciphers the encoded string, revealing an embedded script sourcing from coinhive.com and initiating a miner.
### Additional Resources
Further insights into de-obfuscating Android apps, especially focusing on advanced obfuscation techniques, can be explored in the talks at BlackHat USA 2018 and REcon 2019, each covering unique aspects of obfuscation in Android applications.
Exercise from https://maddiestone.github.io/AndroidAppRE/obfuscation.html:
```python
enc_str = "773032205849207A3831326F1351202E3B306B7D1E5A3B33252B382454173735266C3D3B53163735222D393B475C7A37222D7F38421B6A66643032205849206477303220584920643D2223725C503A3F39636C725F5C237A082C383C7950223F65023F3D5F4039353E3079755F5F666E1134141F5C4C64377A1B671F565A1B2C7F7B101F42700D1F39331717161574213F2B2337505D27606B712C7B0A543D342E317F214558262E636A6A6E1E4A37282233256C"
length = len(enc_str)
count = 0
dec_str = [0] * (length/2)
while (count < length):
dec_str[count/2] = (int(enc_str[count], 16) << 4) + int(enc_str[count + 1], 16) & 0xFF
count += 2
print dec_str
key = [75, 67, 81, 82, 49, 57, 84, 90]
enc_str = dec_str
count = 0
length = len(enc_str)
while (count < length):
dec_str[count] = chr(enc_str[count] ^ key[count % len(key)])
count += 1
print ''.join(dec_str)
```
# References and Further Reading
* [https://maddiestone.github.io/AndroidAppRE/obfuscation.html](https://maddiestone.github.io/AndroidAppRE/obfuscation.html)
* BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)]
* This talk goes over reverse engineering one of the most complex anti-analysis native libraries Ive seen used by an Android application. It covers mostly obfuscation techniques in native code.
* REcon 2019: “The Path to the Payload: Android Edition” \[[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)]
* This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior.
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>