Android Deobfuscation Tools and Techniques

Page 1: Android Deobfuscation Tools and Techniques

ANDROID DEOBFUSCATION

01.04.2016

TetCon 2016

Tools and Techniques

Page 2

About Me

• Reverse engineering Android since 2010

• Made some reversing tools

• Former malware researcher at Lookout

• Security researcher at SourceClear

• github.com/CalebFenton

• @caleb_fenton

Page 3

Contents

• Obfuscation Overview

• Deobfuscation Strategies

• Pattern Matching - dex-oracle

• Virtual Execution - smalivm + simplify

Page 4

OBFUSCATION OVERVIEW

Part 1 / 2

Page 5

Obfuscation Types

• Identifier remapping

• Literal encryption

• White noise

• Packers

• Other

Page 6

Identifier Remapping

• Class names

• Method names

• Variable names

• ProGuard remaps and strips debugging info

• ProGuard is the most common, and the weakest

Page 7

Identifier Remapping

Classes renamed in alphabetical order

Page 8

Identifier Remapping

Member names not changed

Didn’t use aggressive ProGuard settings

Methods renamed

Parameters / local variable names removed

Page 9

Literal Encryption

• Strings, numbers, array payloads

• Original replaced with encrypted version and a call to the decryption method

• Or replaced with lookup method

Page 10

White Noise

• Many useless operations or method calls

• No direct or indirect side effects outside of method

• Does not modify class state

• No I/O (file, network)

• Does not affect return value

• For example, x = 5; 1 + 2 + 3 * 4 / 5 % 8; return x;

Page 11

White Noise

Values never used

Page 12

Packers

• Original DEX replaced with unpacker DEX

• Original is usually encrypted and hidden in APK

• Unpacker decrypts and loads DEX at runtime

• E.g. Bangcle (SecNeo), APKProtect, Qihoo

Page 13

Others

• Anti-disassembly - breaks disassemblers and decompilers

• Virtual machine - uncommon on Android (for now)

• Reflection - adds layer of redirection

• Native code - harder to understand disassembly

• Control flow - confuses decompilers and analysis

Page 14

DEOBFUSCATION STRATEGIES

Part 2 / 2

Page 15

Pattern Matching

1. Identify patterns and transformations

2. Describe with regular expressions

3. Search for pattern and apply transformations

Page 16

Pattern Matching

Good:

• Simple

• Less code, less to go wrong

• Easy to extend

• Works well for some obfuscation types

Bad:

• /Regular expressions/

• Analysis is surface level

• Brittle - one change in the obfuscation breaks the pattern

Page 17

dex-oracle

• Originally targeted Android.Obad, which was obfuscated with DexGuard

• Searches for regex patterns in Smali

• Improves analysis by executing some methods

• Replaces obfuscated code with return value

• github.com/CalebFenton/dex-oracle

Page 18

Pattern Example

(?m-ix:^[ \t]*( const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+ const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+ const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+ invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(III\))Ljava\/lang\/String;\s+ move-result-object ([vp]\d+)))

Page 19

Pattern Example

Execute CC0Ioll.oCIlCll(0x6e, 0x7, -0x10) on device / emulator and replace with result…

Page 20

dex-oracle Components

• Plugins

  • each plugin gets all Smali files

  • search for patterns and make changes

  • executed repeatedly until no more changes

• Driver

  • merged with input Smali / DEX / APK

  • moved to device / emulator

  • invoked by plugins with method + arguments

  • uses reflection to call method and return result
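The plugin loop described on these slides (match the decrypt idiom, hand the constants to an oracle that executes the method, paste the result back as a const-string), as an added Python example that is not part of the slides or of dex-oracle itself: dex-oracle is written in Ruby and its oracle is the driver running the app's own method on a device or emulator via reflection, whereas here the oracle is an injected callable. The Smali fragment, the method Lcom/example/Obf;->dec(III)Ljava/lang/String; and the offline demo_oracle stand-in are all constructed for this illustration. The example also adds one check the slide's positional regex does not make: it binds the three loaded registers to their values and looks up the invoke's actual argument registers, so a reordered or unknown register never reaches the oracle.

```python
"""Pattern-matching deobfuscation of a Smali string-decryption idiom.

Added example, not dex-oracle code. The Smali input, the decryptor class and
the offline oracle stand-in are constructed for the illustration.
"""
import re
from typing import Callable, Tuple

# The slide's pattern with named groups: three const loads, one invoke-static
# of a (III)Ljava/lang/String; method, then move-result-object. re.VERBOSE
# ignores layout whitespace; literal spaces are written as "\ ".
DECRYPT_CALL = re.compile(r"""
    ^(?P<indent>[ \t]*)
    const(?:/\d+)?\ (?P<r0>[vp]\d+),\ (?P<a>-?0x[0-9a-fA-F]+)\s+
    const(?:/\d+)?\ (?P<r1>[vp]\d+),\ (?P<b>-?0x[0-9a-fA-F]+)\s+
    const(?:/\d+)?\ (?P<r2>[vp]\d+),\ (?P<c>-?0x[0-9a-fA-F]+)\s+
    invoke-static\ \{(?P<args>[vp]\d+,\ [vp]\d+,\ [vp]\d+)\},\ L(?P<cls>[^;]+);
    ->(?P<meth>[^(]+)\(III\)Ljava/lang/String;\s+
    move-result-object\ (?P<dst>[vp]\d+)
    """, re.MULTILINE | re.VERBOSE)

# (class, method, a, b, c) -> decrypted string; dex-oracle's driver plays this role.
Oracle = Callable[[str, str, int, int, int], str]


def smali_escape(s: str) -> str:
    """Escape a Python string as a Smali const-string literal (UTF-16 units)."""
    out = []
    for ch in s:
        if ch in "\\\"":
            out.append("\\" + ch)
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04x}")
    return "".join(out)


def deobfuscate(smali: str, oracle: Oracle) -> Tuple[str, int]:
    """Replace each matched idiom whose value the oracle supplies with a
    const-string. Returns (rewritten smali, number of replacements)."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        # Bind registers to the values just loaded, then resolve the invoke's
        # real argument registers; a register we did not load (e.g. a method
        # parameter) means the value is unknown and the code must stay as is.
        loaded = {m["r0"]: m["a"], m["r1"]: m["b"], m["r2"]: m["c"]}
        regs = [r.strip() for r in m["args"].split(",")]
        if any(r not in loaded for r in regs):
            return m.group(0)
        a, b, c = (int(loaded[r], 16) for r in regs)   # int() accepts "-0x10"
        try:
            plain = oracle(m["cls"], m["meth"], a, b, c)
        except Exception:                               # the real method threw
            return m.group(0)
        count += 1
        return f'{m["indent"]}const-string {m["dst"]}, "{smali_escape(plain)}"'

    return DECRYPT_CALL.sub(repl, smali), count


# Constructed stand-in for the on-device driver (hypothetical scheme so the
# demo runs offline): a = offset into a byte table, b = length, c = XOR key.
_ENC = bytes.fromhex("1337dead8091899c9f9194cafe")


def demo_oracle(cls: str, meth: str, a: int, b: int, c: int) -> str:
    if (cls, meth) != ("com/example/Obf", "dec"):
        raise ValueError("unknown decryptor")          # mimics a failing call
    if b < 0 or not 0 <= a <= len(_ENC) - b:
        raise IndexError("bad slice")
    return bytes(x ^ (c & 0xFF) for x in _ENC[a:a + b]).decode("latin-1")


# Constructed input: the first call matches the idiom; the second passes the
# unknown parameter p0 instead of a loaded register and must be left alone.
SAMPLE = """\
.method private static names(I)V
    .locals 4

    const/4 v0, 0x4
    const/4 v1, 0x7
    const/16 v2, -0x10
    invoke-static {v0, v1, v2}, Lcom/example/Obf;->dec(III)Ljava/lang/String;
    move-result-object v3

    const/4 v0, 0x4
    const/4 v1, 0x7
    const/16 v2, -0x10
    invoke-static {v0, p0, v2}, Lcom/example/Obf;->dec(III)Ljava/lang/String;
    move-result-object v3

    return-void
.end method
"""

if __name__ == "__main__":
    rewritten, n = deobfuscate(SAMPLE, demo_oracle)
    print(f"{n} replacement(s)\n{rewritten}")
```

As on the slides, a real run would loop this over every Smali file until a pass makes no changes, since one decrypted string can expose the next pattern.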

Page 21

dex-oracle Workflow

Page 22

Virtual Execution

• Execute entire method to determine behavior

• Similar to inter-procedural data flow analysis

• Smali is much less ambiguous than Java

• Should have identical behavior to actual execution

• Deobfuscate by replacing complex, obfuscated instructions with simpler instructions

Page 23

Virtual Execution

Good:

• Much more flexible

• No regular expressions

• Deeper analysis

• Less brittle, generalized

• Can be used for more than deobfuscation

Bad:

• Harder to implement

• Correctness is a constant struggle

• Need to study program analysis and lots of jargon

Page 24

smalivm

• Acts like a sandboxed Dalvik virtual machine

• Takes Smali / DEX / APK as input

• Handles unknown values + method arguments

• Executes all possible paths

• API methods are whitelisted for security: only known-safe ones are actually executed

• Returns a context-sensitive graph of each method

• Graph has VM state for each execution of every op

Page 25

smalivm Example (Java and Smali side by side)

Page 26

smalivm Example

Execution graph callouts: unknown argument value; multiple possible return values

Page 27

smalivm Other Uses

• Data and type flow analysis

• Taint analysis

• Reversible debugger

• Works with Java if converted with dx

Page 28

simplify

• Uses smalivm to analyze and create graph

• Applies optimizations to graph

• Constant propagation

• Dead / useless code removal

• Reflection removal

• Various peephole optimizations

• github.com/CalebFenton/simplify

Page 29

simplify Example

Page 30

Always returns 8!

Page 31

simplify Example

After constant propagation and dead code removal

Page 32

simplify Example (before / after)
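The idea behind the last few slides (execute every path with the arguments unknown, and when every path returns the same constant, drop the noise and return that constant), as an added Python example that is not smalivm or simplify code: those are Java and model the full Dalvik instruction set, while this toy VM handles only const, add/sub/mul-int, if-eqz/if-nez, goto and return. The instruction subset, the step budget and the two sample methods (including one that always returns 8 despite a branch on an unknown argument) are assumptions made for this illustration.

```python
"""Virtual execution in miniature: explore every path of a tiny Smali subset
with method arguments unknown, collect the possible return values, and apply
the constant-propagation rewrite that collapses a method whose every path
returns the same constant. Added example, not smalivm/simplify code; the
instruction subset, step budget and sample methods are assumptions.
"""
from typing import Dict, List, Optional, Set, Tuple

UNKNOWN = None                      # value depends on an unknown input
State = Dict[str, Optional[int]]
ARITH = {"add-int": lambda x, y: x + y, "sub-int": lambda x, y: x - y,
         "mul-int": lambda x, y: x * y}


def wrap32(x: int) -> int:
    """Dalvik int arithmetic is 32-bit two's complement."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def parse(body: str) -> Tuple[List[List[str]], Dict[str, int]]:
    """Split a method body into [op, operand...] lists and a label -> index map."""
    insns, labels = [], {}
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("."):       # .method/.locals/.end method
            continue
        if line.startswith(":"):
            labels[line] = len(insns)
            continue
        op, _, rest = line.partition(" ")
        insns.append([op] + [t.strip() for t in rest.split(",") if t.strip()])
    return insns, labels


def run(insns, labels, nparams: int, max_steps: int = 10_000) -> Set[Optional[int]]:
    """Execute every path. Returns the set of possible return values; None
    means some path returns a value derived from unknown input."""
    work = [(0, {f"p{i}": UNKNOWN for i in range(nparams)})]   # args unknown
    seen: Set[Tuple[int, tuple]] = set()
    results: Set[Optional[int]] = set()
    steps = 0
    while work:
        pc, st = work.pop()
        key = (pc, tuple(sorted(st.items())))
        if key in seen:                 # same pc, same state: loop converged
            continue
        seen.add(key)
        steps += 1
        if steps > max_steps:           # loop on unknown data never converges;
            raise RuntimeError("path explosion")  # a real VM needs a budget too
        op, *args = insns[pc]
        if op.startswith("const"):
            st = {**st, args[0]: int(args[1], 16)}
        elif op in ARITH:
            x, y = st.get(args[1]), st.get(args[2])
            st = {**st, args[0]: UNKNOWN if x is None or y is None
                  else wrap32(ARITH[op](x, y))}
        elif op in ("if-eqz", "if-nez"):
            v = st.get(args[0])         # unknown condition: take both edges
            if v is None or (v == 0) == (op == "if-eqz"):
                work.append((labels[args[1]], st))
            if v is None or (v == 0) != (op == "if-eqz"):
                work.append((pc + 1, st))
            continue
        elif op == "goto":
            work.append((labels[args[0]], st))
            continue
        elif op == "return":
            results.add(st.get(args[0]))
            continue
        else:
            raise NotImplementedError(op)
        work.append((pc + 1, st))
    return results


def simplify_return(body: str, nparams: int) -> str:
    """Constant propagation plus dead code removal in one stroke: if every
    path returns the same constant, the whole body collapses to loading it."""
    rets = run(*parse(body), nparams)
    if len(rets) != 1 or UNKNOWN in rets:
        return body                     # several or unknown results: untouched
    (val,) = rets
    op = "const/16" if -0x8000 <= val < 0x8000 else "const"
    return f"    {op} v0, {val:#x}\n    return v0\n"


# Constructed: white noise and a branch on an unknown argument, always returns 8.
ALWAYS_EIGHT = """\
.method public static f(I)I
    .locals 3
    const/4 v0, 0x3
    const/4 v1, 0x5
    add-int v2, v0, v1      # v2 = 8
    mul-int v0, p0, v1      # noise: depends on p0, never used
    if-eqz p0, :skip
    sub-int v0, v2, v1      # more noise, on one path only
    :skip
    return v2
.end method
"""
# Constructed: the result really depends on p0, so nothing can be folded.
DEPENDS = """\
    const/4 v0, 0x1
    if-eqz p0, :zero
    add-int v0, v0, p0
    :zero
    return v0
"""
```

simplify does considerably more (peephole passes, reflection removal, removal of individual dead ops rather than whole bodies), but the shape is the same: a graph of states per op, built by executing with unknowns, then rewrites justified by that graph.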

Page 33

Which is best?

Page 34

EXTENDED READING

• https://github.com/rednaga/training

• http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf

• https://github.com/strazzere/anti-emulator/tree/master/slides

• https://github.com/strazzere/android-unpacker/blob/master/AHPL0.pdf

• http://www.droidsec.org/wiki/#whitepapers

• http://androidcracking.blogspot.com/

• http://www.unicorn-engine.org/

Page 35

REDNAGA

01.04.2016

THANKS!

TetCon 2016

Good people to follow on Twitter for Android / Reversing / Malware / Hacking:

@_jsoo_ @brucedang @capstone_engine @droidsec @Fuzion24 @jcase @jduck @marcwrogers @pof @quine @saurik @snare @tamakikusu @timstrazz @uberlaggydarwin @unicorn_engine

#MalwareMustDie