Android Deobfuscation Tools and Techniques

This talk describes several general Android obfuscation techniques as well as deobfuscation strategies and tools including dex-oracle and Simplify.

dex-oracle - https://github.com/CalebFenton/dex-oracle
Simplify - https://github.com/CalebFenton/simplify

Presented @ TetCon 2016 - https://tetcon.org/



  1. ANDROID DEOBFUSCATION - Tools and Techniques (01.04.2016, TetCon 2016)
  2. About Me
     • Reverse engineering Android since 2010
     • Made some reversing tools
     • Former malware researcher at Lookout
     • Security researcher at SourceClear
     • github.com/CalebFenton
     • @caleb_fenton
  3. Contents
     • Obfuscation Overview
     • Deobfuscation Strategies
     • Pattern Matching - dex-oracle
     • Virtual Execution - smalivm + simplify
  4. OBFUSCATION OVERVIEW (Part 1 / 2)
  5. Obfuscation Types
     • Identifier remapping
     • Literal encryption
     • White noise
     • Packers
     • Other
  6. Identifier Remapping
     • Class names
     • Method names
     • Variable names
     • ProGuard remaps and strips debugging info
     • ProGuard most common and weak
  7. Identifier Remapping (screenshot): classes renamed in alphabetical order
  8. Identifier Remapping (screenshot): member names not changed; didn't use aggressive ProGuard settings; methods renamed; parameters / local variable names removed
  9. Literal Encryption
     • Strings, numbers, array payloads
     • Original replaced with encrypted version and call to decryption method
     • Or replaced with lookup method
  10. White Noise
     • Many useless operations or method calls
     • No direct or indirect side effects outside of method
     • Does not modify class state
     • No I/O (file, network)
     • Does not affect return value
     • For example: x = 5; 1 + 2 + 3 * 4 / 5 % 8; return x;
  11. White Noise (screenshot): values never used
  12. Packers
     • Original DEX replaced with unpacker DEX
     • Original is usually encrypted and hidden in APK
     • Unpacker decrypts and loads DEX at runtime
     • E.g. Bangcle (SecNeo), APKProtect, Qihoo
  13. Others
     • Anti-disassembly - break decompilers
     • Virtual machine - uncommon on Android (for now)
     • Reflection - adds layer of redirection
     • Native code - harder to understand disassembly
     • Control flow - confuses decompilers and analysis
  14. DEOBFUSCATION STRATEGIES (Part 2 / 2)
  15. Pattern Matching
     1. Identify patterns and transformations
     2. Describe with regular expressions
     3. Search for pattern and apply transformations
  16. Pattern Matching
     Good:
     • Simple
     • Less code, less to go wrong
     • Easy to extend
     • Works well for some obfuscation types
     Bad:
     • /Regular expressions/
     • Analysis is surface level
     • Brittle - one change in obfuscation breaks pattern
  17. dex-oracle
     • Originally targeted Android.Obad with DexGuard
     • Searches for regex patterns in Smali
     • Improves analysis by executing some methods
     • Replaces obfuscated code with return value
     • github.com/CalebFenton/dex-oracle
  18. Pattern Example
     (?m-ix:^[ \t]*(
     const(?:/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
     const(?:/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
     const(?:/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
     invoke-static {[vp]\d+, [vp]\d+, [vp]\d+}, L([^;]+);->([^(]+\(III\))Ljava/lang/String;\s+
     move-result-object ([vp]\d+)
     ))
  19. Pattern Example: execute CC0Ioll.oCIlCll(0x6e, 0x7, -0x10) on device / emulator and replace with result…
  20. dex-oracle Components
     • Plugins
       • each plugin gets all Smali files
       • search for patterns and make changes
       • executed repeatedly until no more changes
     • Driver
       • merged with input Smali / DEX / APK
       • moved to device / emulator
       • invoked by plugins with method + arguments
       • uses reflection to call method and return result
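The pattern-matching loop of slides 15 to 20 as an added example written in the style of a dex-oracle plugin; it is not dex-oracle's own code. The Smali method, the class and method names (taken from the slide's example call) and the driver table, a lookup standing in for the on-device reflection driver with a made-up decrypted string, are all constructed for this example:

```ruby
# Added example in the style of a dex-oracle plugin (not dex-oracle's own code).
# It matches the slide's "three consts + invoke-static + move-result-object"
# sequence and replaces it with a const-string holding the decrypted value.
DECRYPT_CALL = Regexp.new(
  '^[ \t]*(' \
  'const(?:/\d+)? [vp]\d+, (-?0x[a-f\d]+)\s+' \
  'const(?:/\d+)? [vp]\d+, (-?0x[a-f\d]+)\s+' \
  'const(?:/\d+)? [vp]\d+, (-?0x[a-f\d]+)\s+' \
  'invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, L([^;]+);->([^(]+\(III\))Ljava/lang/String;\s+' \
  'move-result-object ([vp]\d+)' \
  ')'
)

# Stand-in for dex-oracle's on-device driver: the real one loads the target
# DEX on an emulator and calls the method by reflection. Here a constructed
# table maps [class, method, args] to the string the decryptor "returned".
FAKE_DRIVER_TABLE = {
  ['CC0Ioll', 'oCIlCll(III)', [0x6e, 0x7, -0x10]] => 'getDeviceId' # made-up result
}.freeze
FAKE_DRIVER = ->(klass, method, args) { FAKE_DRIVER_TABLE[[klass, method, args]] }

# Rewrite every matching sequence whose result the driver can supply; sequences
# the driver cannot resolve are left untouched so the Smali stays valid.
def deobfuscate(smali, driver)
  smali.gsub(DECRYPT_CALL) do
    m = Regexp.last_match
    args = m.values_at(2, 3, 4).map { |hex| Integer(hex) } # "-0x10" => -16
    result = driver.call(m[5], m[6], args)
    next m[0] if result.nil?
    indent = m[0][/\A[ \t]*/]
    "#{indent}const-string #{m[7]}, #{result.inspect}" # inspect adds the quotes
  end
end

# Constructed Smali method modelled on the slide's example call.
SAMPLE = <<~SMALI
  .method private getId()Ljava/lang/String;
      .registers 4
      const/16 v0, 0x6e
      const/4 v1, 0x7
      const/16 v2, -0x10
      invoke-static {v0, v1, v2}, LCC0Ioll;->oCIlCll(III)Ljava/lang/String;
      move-result-object v3
      return-object v3
  .end method
SMALI

puts deobfuscate(SAMPLE, FAKE_DRIVER) if $PROGRAM_NAME == __FILE__
```

Running a real plugin this way needs the driver's answer for every distinct argument tuple; dex-oracle gets it by calling the method on the device, which is why the plugin loop repeats until no pattern matches any more.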
  21. dex-oracle Workflow (diagram)
  22. Virtual Execution
     • Execute entire method to determine behavior
     • Similar to inter-procedural data flow analysis
     • Smali is much less ambiguous than Java
     • Should have identical behavior to actual execution
     • Deobfuscate by replacing complex, obfuscated instructions with simpler instructions
  23. Virtual Execution
     Good:
     • Much more flexible
     • No regular expressions
     • Deeper analysis
     • Less brittle, generalized
     • Can be used for more than deobfuscation
     Bad:
     • Harder to implement
     • Correctness is constant struggle
     • Need to study program analysis and lots of jargon
  24. smalivm
     • Acts like sandboxed Dalvik virtual machine
     • Takes Smali / DEX / APK as input
     • Handles unknown values + method arguments
     • Executes all possible paths
     • API methods are whitelisted for security
     • Returns context sensitive graph of each method
     • Graph has VM state for each execution of every op
  25. smalivm Example (screenshot): Java vs. Smali
  26. smalivm Example (screenshot): multiple possible return values; unknown argument value; execution graph
  27. smalivm Other Uses
     • Data and type flow analysis
     • Taint analysis
     • Reversible debugger
     • Works with Java if converted with dx
  28. simplify
     • Uses smalivm to analyze and create graph
     • Applies optimizations to graph
       • Constant propagation
       • Dead / useless code removal
       • Reflection removal
       • Various peephole optimizations
     • github.com/CalebFenton/simplify
  29. simplify Example (screenshot)
  30. simplify Example (screenshot): always returns 8!
  31. simplify Example (screenshot): after constant propagation and dead code removal
  32. simplify Example (screenshot): before / after
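The constant propagation and dead code removal of slides 22 to 32 as an added example, not code from simplify or smalivm: a toy abstract interpreter over straight-line Smali that folds arithmetic on known values, keeps anything derived from an unknown argument unfolded, and removes results that are never read, leaving a method that visibly always returns 8. The instruction list is constructed for the example:

```ruby
# Added example, not code from simplify or smalivm: a toy "execute, fold constants,
# drop dead code" loop over straight-line Smali (const/4, const/16, add-int, sub-int,
# mul-int, move, return). Arguments (pN) are never assigned, so they stay :unknown
# as in smalivm, and nothing derived from them is folded.
ARITH = { 'add-int' => :+, 'sub-int' => :-, 'mul-int' => :* }.freeze

def parse(line) # "add-int v2, v0, v1" => ["add-int", ["v2", "v0", "v1"]]
  op, rest = line.strip.split(' ', 2)
  [op, rest.to_s.split(/,\s*/)]
end

def hex(v); v < 0 ? format('-0x%x', -v) : format('0x%x', v); end # Smali literal form

# Pass 1: abstract execution; an arithmetic op with two known inputs becomes a const/16.
def propagate_constants(lines)
  regs = Hash.new(:unknown)
  lines.map do |line|
    op, args = parse(line)
    if op.start_with?('const') then regs[args[0]] = Integer(args[1])
    elsif op == 'move'          then regs[args[0]] = regs[args[1]]
    elsif ARITH.key?(op)
      a, b = regs[args[1]], regs[args[2]]
      regs[args[0]] = [a, b].include?(:unknown) ? :unknown : a.send(ARITH[op], b)
      next "const/16 #{args[0]}, #{hex(regs[args[0]])}" if regs[args[0]] != :unknown
    end
    line
  end
end

# Pass 2: backward liveness; a pure op whose result is never read is white noise.
def remove_dead_code(lines)
  live = []
  lines.reverse_each.select do |line|
    op, args = parse(line)
    dest, *srcs = args
    srcs = [] if op.start_with?('const') # literal operand, not a register
    if op.start_with?('return') then live |= args
    elsif live.include?(dest)    then live = (live - [dest]) | srcs
    else next false # result never read: drop the instruction
    end
    true
  end.reverse
end

def simplify(lines) # iterate to a fixed point, as simplify's optimizer passes do
  out = remove_dead_code(propagate_constants(lines))
  out == lines ? out : simplify(out)
end

# Constructed method: however it looks, it always returns 8.
OBFUSCATED = ['const/4 v0, 0x5', 'const/4 v1, 0x3', 'add-int v2, v0, v1', # 5 + 3
              'mul-int v3, p0, v2', 'sub-int v3, v3, v0', # unknown p0, never returned
              'const/4 v4, 0x1', 'add-int v4, v4, v2',    # foldable but never used
              'return v2'].freeze
```

`simplify(OBFUSCATED)` reduces the eight instructions to `const/16 v2, 0x8` and `return v2`; the real tool does the same over a full control-flow graph with every reachable path, which is where the correctness struggle named on slide 23 comes from.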
  33. Which is best?
  34. EXTENDED READING
     • https://github.com/rednaga/training
     • http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
     • https://github.com/strazzere/anti-emulator/tree/master/slides
     • https://github.com/strazzere/android-unpacker/blob/master/AHPL0.pdf
     • http://www.droidsec.org/wiki/#whitepapers
     • http://androidcracking.blogspot.com/
     • http://www.unicorn-engine.org/
  35. REDNAGA - THANKS! (01.04.2016, TetCon 2016)
     Good people to follow on Twitter for Android / Reversing / Malware / Hacking: @_jsoo_ @brucedang @capstone_engine @droidsec @Fuzion24 @jcase @jduck @marcwrogers @pof @quine @saurik @snare @tamakikusu @timstrazz @uberlaggydarwin @unicorn_engine #MalwareMustDie