Android Deobfuscation Tools and Techniques

This talk describes several general Android obfuscation techniques as well as deobfuscation strategies and tools including dex-oracle and Simplify.

dex-oracle - https://github.com/CalebFenton/dex-oracle
Simplify - https://github.com/CalebFenton/simplify

Presented @ TetCon 2016 - https://tetcon.org/

1. ANDROID DEOBFUSCATION - Tools and Techniques. 01.04.2016, TetCon 2016
2. About Me
   • Reverse engineering Android since 2010
   • Made some reversing tools
   • Former malware researcher at Lookout
   • Security researcher at SourceClear
   • github.com/CalebFenton
   • @caleb_fenton
3. Contents
   • Obfuscation Overview
   • Deobfuscation Strategies
   • Pattern Matching - dex-oracle
   • Virtual Execution - smalivm + simplify
4. OBFUSCATION OVERVIEW - Part 1 / 2
5. Obfuscation Types
   • Identifier remapping
   • Literal encryption
   • White noise
   • Packers
   • Other
6. Identifier Remapping
   • Class names
   • Method names
   • Variable names
   • ProGuard remaps and strips debugging info
   • ProGuard most common and weak
7. Identifier Remapping - Classes renamed in alphabetical order
8. Identifier Remapping
   Member names not changed
   Didn’t use aggressive ProGuard settings
   Methods renamed
   Parameters / local variable names removed
9. Literal Encryption
   • Strings, numbers, array payloads
   • Original replaced with encrypted version and call to decryption method
   • Or replaced with lookup method
10. White Noise
    • Many useless operations or method calls
    • No direct or indirect side effects outside of method
    • Does not modify class state
    • No I/O (file, network)
    • Does not affect return value
    • For example: x = 5; 1 + 2 + 3 * 4 / 5 % 8; return x;
11. White Noise - Values never used
12. Packers
    • Original DEX replaced with unpacker DEX
    • Original is usually encrypted and hidden in APK
    • Unpacker decrypts and loads DEX at runtime
    • E.g. Bangcle (SecNeo), APKProtect, Qihoo
13. Others
    • Anti-disassembly - break decompilers
    • Virtual machine - uncommon on Android (for now)
    • Reflection - adds layer of redirection
    • Native code - harder to understand disassembly
    • Control flow - confuses decompilers and analysis
14. DEOBFUSCATION STRATEGIES - Part 2 / 2
15. Pattern Matching
    1. Identify patterns and transformations
    2. Describe with regular expressions
    3. Search for pattern and apply transformations
16. Pattern Matching
    Good:
    • Simple
    • Less code, less to go wrong
    • Easy to extend
    • Works well for some obfuscation types
    Bad:
    • /Regular expressions/
    • Analysis is surface level
    • Brittle - one change in obfuscation breaks pattern
17. dex-oracle
    • Originally targeted Android.Obad with DexGuard
    • Searches for regex patterns in Smali
    • Improves analysis by executing some methods
    • Replaces obfuscated code with return value
    • github.com/CalebFenton/dex-oracle
18. Pattern Example (regex with the backslash escapes restored that the slide export dropped)
    (?m-ix:^[ \t]*(
    const(?:/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
    const(?:/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
    const(?:/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+
    invoke-static {[vp]\d+, [vp]\d+, [vp]\d+}, L([^;]+);->([^(]+\(III\))Ljava/lang/String;\s+
    move-result-object ([vp]\d+)
    ))
19. Pattern Example - Execute CC0Ioll.oCIlCll(0x6e, 0x7, -0x10) on device / emulator and replace with result…
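An added example, not the slides' or dex-oracle's own code: the slide-18 pattern with its escapes restored, driven in Python the way a dex-oracle plugin works (match the three constants and the decryptor call, hand them to a driver, splice the returned string back as a const-string, repeat until nothing changes). The Smali method body and the stand-in driver are constructed; the real Driver invokes the method by reflection on a device or emulator.

```python
import re
# The slide-18 pattern with the backslashes the slide export dropped restored:
# three int constants, a static call to a decryptor taking (III) and returning
# a String, then the move-result-object that receives the decrypted string.
DECRYPT_CALL = re.compile(
    r"^[ \t]*("
    r"const(?:/\d+)? [vp]\d+, (-?0x[a-f\d]+)\s+"
    r"const(?:/\d+)? [vp]\d+, (-?0x[a-f\d]+)\s+"
    r"const(?:/\d+)? [vp]\d+, (-?0x[a-f\d]+)\s+"
    r"invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, "
    r"L([^;]+);->([^(]+)\(III\)Ljava/lang/String;\s+"
    r"move-result-object ([vp]\d+))",
    re.MULTILINE)

def fake_driver(class_name, method_name, args):
    # Constructed stand-in for dex-oracle's Driver, which runs the real method
    # by reflection on a device/emulator; here a placeholder string is returned.
    return "decrypted(%s.%s%s)" % (class_name, method_name, tuple(args))

def smali_string(s):  # quote a Java string as a const-string literal
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def rewrite(match, driver):
    # Replace the matched sequence with one const-string into the result register.
    args = [int(v, 16) for v in match.group(2, 3, 4)]
    result = driver(match.group(5), match.group(6), args)
    indent = match.group(0)[: len(match.group(0)) - len(match.group(1))]
    return indent + "const-string %s, %s" % (match.group(7), smali_string(result))

def deobfuscate(smali, driver=fake_driver):
    # Plugin loop from slide 20: apply the pattern until a pass changes nothing.
    total = 0
    while True:
        smali, n = DECRYPT_CALL.subn(lambda m: rewrite(m, driver), smali)
        total += n
        if n == 0:
            return smali, total

# Constructed Smali around the slide-19 call CC0Ioll.oCIlCll(0x6e, 0x7, -0x10);
# the class and method names are the slide's, the surrounding method is made up.
SAMPLE = """\
.method private static a()Ljava/lang/String;
    const/16 v0, 0x6e
    const/4 v1, 0x7
    const/16 v2, -0x10
    invoke-static {v0, v1, v2}, LCC0Ioll;->oCIlCll(III)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
"""
```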
20. dex-oracle Components
    • Plugins
      • each plugin gets all Smali files
      • search for patterns and make changes
      • executed repeatedly until no more changes
    • Driver
      • merged with input Smali / DEX / APK
      • moved to device / emulator
      • invoked by plugins with method + arguments
      • uses reflection to call method and return result
21. dex-oracle Workflow
22. Virtual Execution
    • Execute entire method to determine behavior
    • Similar to inter-procedural data flow analysis
    • Smali is much less ambiguous than Java
    • Should have identical behavior to actual execution
    • Deobfuscate by replacing complex, obfuscated instructions with simpler instructions
23. Virtual Execution
    Good:
    • Much more flexible
    • No regular expressions
    • Deeper analysis
    • Less brittle, generalized
    • Can be used for more than deobfuscation
    Bad:
    • Harder to implement
    • Correctness is constant struggle
    • Need to study program analysis and lots of jargon
24. smalivm
    • Acts like sandboxed Dalvik virtual machine
    • Takes Smali / DEX / APK as input
    • Handles unknown values + method arguments
    • Executes all possible paths
    • API methods are whitelisted for security
    • Returns context sensitive graph of each method
    • Graph has VM state for each execution of every op
25. smalivm Example - Java / Smali
26. smalivm Example
    Multiple possible return values
    Unknown argument value
    Execution Graph
27. smalivm Other Uses
    • Data and type flow analysis
    • Taint analysis
    • Reversible debugger
    • Works with Java if converted with dx
28. simplify
    • Uses smalivm to analyze and create graph
    • Applies optimizations to graph
      • Constant propagation
      • Dead / useless code removal
      • Reflection removal
      • Various peephole optimizations
    • github.com/CalebFenton/simplify
29. simplify Example
30. Always returns 8!
31. simplify Example - After constant propagation and dead code removal
32. simplify Example - Before / After
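An added example, not simplify's own code: minimal versions of the two passes slide 28 names, constant propagation and dead code removal, run over a constructed Smali encoding of the slide-10 white noise. It covers const, int arithmetic and return only; p-registers are treated as unknown, so instructions that depend on a method argument (or a division by zero, which would throw at runtime) are left in place rather than folded.

```python
UNKNOWN = object()  # value of a method argument: never known statically

BINOPS = {  # Java int semantics: div/rem truncate toward zero (32-bit wrap omitted)
    "add-int": lambda a, b: a + b, "sub-int": lambda a, b: a - b,
    "mul-int": lambda a, b: a * b, "div-int": lambda a, b: int(a / b),
    "rem-int": lambda a, b: a - b * int(a / b)}

def parse(lines):  # "add-int v1, v1, v2" -> ("add-int", ["v1", "v1", "v2"])
    return [(op, [a.strip() for a in rest.split(",")] if rest else [])
            for op, _, rest in (l.strip().partition(" ") for l in lines)]

def fold_constants(ops, params=()):
    # Forward pass: emulate each op; arithmetic with fully known operands becomes a const.
    regs, out = {p: UNKNOWN for p in params}, []
    for op, args in ops:
        if op.split("/")[0] == "const":
            regs[args[0]] = int(args[1], 16)
        elif op in BINOPS:
            a, b = regs.get(args[1], UNKNOWN), regs.get(args[2], UNKNOWN)
            if UNKNOWN in (a, b) or (op in ("div-int", "rem-int") and b == 0):
                regs[args[0]] = UNKNOWN  # unknown input, or would throw at runtime
            else:
                regs[args[0]] = BINOPS[op](a, b)
                op, args = "const", [args[0], hex(regs[args[0]])]
        out.append((op, args))
    return out

def remove_dead(ops):
    # Backward liveness: drop a const/arithmetic result never read before being overwritten.
    live, kept = set(), []
    for op, args in reversed(ops):
        pure = op.split("/")[0] == "const" or op in BINOPS
        if pure and args[0] not in live:
            continue  # white noise: the value is never used
        if pure:
            live.discard(args[0])
        live.update(a for a in (args[1:] if pure else args) if a[:1] in ("v", "p"))
        kept.append((op, args))
    return kept[::-1]

def simplify(lines, params=()):
    ops = remove_dead(fold_constants(parse(lines), params))
    return [(op + " " + ", ".join(args)).strip() for op, args in ops]

# Constructed Smali for the slide-10 white noise: x = 5; 1 + 2 + 3 * 4 / 5 % 8; return x;
WHITE_NOISE = ["const/4 v0, 0x5", "const/4 v1, 0x1", "const/4 v2, 0x2",
               "add-int v1, v1, v2", "const/4 v2, 0x3", "const/4 v3, 0x4",
               "mul-int v2, v2, v3", "const/4 v3, 0x5", "div-int v2, v2, v3",
               "const/16 v3, 0x8", "rem-int v2, v2, v3", "add-int v1, v1, v2",
               "return v0"]
```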
33. Which is best?
34. EXTENDED READING
    • https://github.com/rednaga/training
    • http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
    • https://github.com/strazzere/anti-emulator/tree/master/slides
    • https://github.com/strazzere/android-unpacker/blob/master/AHPL0.pdf
    • http://www.droidsec.org/wiki/#whitepapers
    • http://androidcracking.blogspot.com/
    • http://www.unicorn-engine.org/
35. REDNAGA - THANKS! 01.04.2016, TetCon 2016
    Good people to follow on Twitter for Android / Reversing / Malware / Hacking:
    @_jsoo_ @brucedang @capstone_engine @droidsec @Fuzion24 @jcase @jduck @marcwrogers @pof @quine @saurik @snare @tamakikusu @timstrazz @uberlaggydarwin @unicorn_engine #MalwareMustDie