Android Deobfuscation Tools and Techniques
ANDROID DEOBFUSCATION
Tools and Techniques
TetCon 2016
01.04.2016
About Me
• Reverse engineering Android since 2010
• Made some reversing tools
• Former malware researcher at Lookout
• Security researcher at SourceClear
• github.com/CalebFenton
• @caleb_fenton
Contents
• Obfuscation Overview
• Deobfuscation Strategies
• Pattern Matching - dex-oracle
• Virtual Execution - smalivm + simplify
OBFUSCATION OVERVIEW
Part 1 / 2
Obfuscation Types
• Identifier remapping
• Literal encryption
• White noise
• Packers
• Other
Identifier Remapping
• Class names
• Method names
• Variable names
• ProGuard remaps identifiers and strips debugging info
• ProGuard is the most common, and the weakest
Identifier Remapping
Classes renamed in alphabetical order
Identifier Remapping
Member names not changed
Didn’t use aggressive ProGuard settings
Methods renamed
Parameters / local variable names removed
Literal Encryption
• Strings, numbers, array payloads
• Original replaced with encrypted version and a call to a decryption method
• Or replaced with a lookup method
White Noise
• Many useless operations or method calls
• No direct or indirect side effects outside of method
• Does not modify class state
• No I/O (file, network)
• Does not affect return value
• For example: x = 5; 1 + 2 + 3 * 4 / 5 % 8; return x;
White Noise
Values never used
Packers
• Original DEX replaced with unpacker DEX
• Original is usually encrypted and hidden in APK
• Unpacker decrypts and loads DEX at runtime
• E.g. Bangcle (SecNeo), APKProtect, Qihoo
Others
• Anti-disassembly - breaks disassemblers and decompilers
• Virtual machine - uncommon on Android (for now)
• Reflection - adds a layer of indirection
• Native code - native disassembly is harder to understand
• Control flow - confuses decompilers and analysis
DEOBFUSCATION STRATEGIES
Part 2 / 2
Pattern Matching
1. Identify patterns and transformations
2. Describe with regular expressions
3. Search for pattern and apply transformations
Pattern Matching
Good:
• Simple
• Less code, less to go wrong
• Easy to extend
• Works well for some obfuscation types
Bad:
• /Regular expressions/
• Analysis is surface level
• Brittle - one change in obfuscation breaks pattern
dex-oracle
• Originally targeted Android.Obad, which was obfuscated with DexGuard
• Searches for regex patterns in Smali
• Improves analysis by executing some methods
• Replaces obfuscated code with return value
• github.com/CalebFenton/dex-oracle
Pattern Example
(?m-ix:^[ \t]*( const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+ const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+ const(?:\/\d+) [vp]\d+, (-?0x[a-f\d]+)\s+ invoke-static \{[vp]\d+, [vp]\d+, [vp]\d+\}, L([^;]+);->([^\(]+\(III\))Ljava\/lang\/String;\s+ move-result-object ([vp]\d+)))
Pattern Example
Execute CC0Ioll.oCIlCll(0x6e, 0x7, -0x10) on device / emulator and replace with result…
dex-oracle Components
• Plugins
  • each plugin gets all Smali files
  • search for patterns and make changes
  • executed repeatedly until no more changes
• Driver
  • merged with input Smali / DEX / APK
  • moved to device / emulator
  • invoked by plugins with method + arguments
  • uses reflection to call method and return result
dex-oracle Workflow
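As an added, runnable illustration of the Literal Encryption pattern and of the dex-oracle plugin/driver loop (example code written for this page, not dex-oracle's own Ruby implementation): the Smali fragment, the class CC0Ioll, the method oCIlCll and its XOR "decryption" are all constructed stand-ins, and the on-device driver is replaced by a local Python callable so that everything runs offline.

```python
import re

# Constructed sample (not the Android.Obad code): a method whose string
# literal was replaced by three int constants plus a call to a static
# decryption routine, the Literal Encryption pattern from the slides.
SAMPLE_SMALI = """\
.method public static getUrl()Ljava/lang/String;
    .registers 3

    const/16 v0, 0x6e
    const/4 v1, 0x7
    const/16 v2, -0x10
    invoke-static {v0, v1, v2}, LCC0Ioll;->oCIlCll(III)Ljava/lang/String;
    move-result-object v0

    return-object v0
.end method
"""

# Toy stand-in for CC0Ioll.oCIlCll(III): XOR a slice of a hidden byte table.
# The real routine is unknown; this exists only so the example runs offline.
# dex-oracle instead pushes a driver to a device/emulator and calls the real
# method by reflection, which is why it never has to understand it.
HIDDEN = bytes(0x6e) + bytes(ch ^ 0xF0 for ch in b"example")

def toy_decrypt(offset, length, key):
    k = key & 0xFF
    return bytes(b ^ k for b in HIDDEN[offset:offset + length]).decode()

# (class, method) -> callable the "driver" would run for that decryptor.
ORACLE = {("CC0Ioll", "oCIlCll"): toy_decrypt}

# Same shape as the slide's pattern: three consts, an invoke-static of a
# (III)String method, then move-result-object. Named groups keep the
# replacement readable; capturing the registers lets us check that the
# consts actually feed the call.
PATTERN = re.compile(r"""
    ^(?P<indent>[ \t]*)
    const(?:/\d+)?[ \t]+(?P<r1>[vp]\d+),[ \t]+(?P<a>-?0x[0-9a-f]+)\s+
    const(?:/\d+)?[ \t]+(?P<r2>[vp]\d+),[ \t]+(?P<b>-?0x[0-9a-f]+)\s+
    const(?:/\d+)?[ \t]+(?P<r3>[vp]\d+),[ \t]+(?P<c>-?0x[0-9a-f]+)\s+
    invoke-static[ \t]+\{(?P<args>[vp]\d+,[ \t]*[vp]\d+,[ \t]*[vp]\d+)\},[ \t]+
    L(?P<cls>[^;]+);->(?P<meth>[^(]+)\(III\)Ljava/lang/String;\s+
    move-result-object[ \t]+(?P<dst>[vp]\d+)
""", re.MULTILINE | re.VERBOSE)

def smali_quote(s):
    """Escape a Python string as a Smali string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def decrypt_strings(smali):
    """One plugin pass: run each matched decryption call through the oracle
    and replace the whole span with a const-string. Returns (smali, count)."""
    made = 0

    def repl(m):
        nonlocal made
        regs = [m.group("r1"), m.group("r2"), m.group("r3")]
        if regs != m.group("args").replace(" ", "").split(","):
            return m.group(0)           # consts don't feed the call: skip
        fn = ORACLE.get((m.group("cls"), m.group("meth")))
        if fn is None:
            return m.group(0)           # not a known decryptor: leave it
        args = [int(m.group(g), 16) for g in ("a", "b", "c")]
        made += 1
        return f"{m.group('indent')}const-string {m.group('dst')}, {smali_quote(fn(*args))}"

    return PATTERN.sub(repl, smali), made

def run_plugins(smali, plugins, max_rounds=10):
    """dex-oracle driver loop: run every plugin over the Smali until a full
    round makes no change (or the round limit is hit)."""
    for _ in range(max_rounds):
        total = 0
        for plugin in plugins:
            smali, n = plugin(smali)
            total += n
        if total == 0:
            break
    return smali

if __name__ == "__main__":
    print(run_plugins(SAMPLE_SMALI, [decrypt_strings]))
```

The register comparison is the check a practitioner adds: the slide's pattern matches three consts followed by any (III)String invoke, so an obfuscator that reorders the registers would still trigger a blind replacement; here the span is skipped instead. The brittleness from the Good/Bad slide is also visible: one extra instruction between the consts and the call, or a changed method signature, and the pattern no longer matches.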
Virtual Execution
• Execute entire method to determine behavior
• Similar to inter-procedural data flow analysis
• Smali is much less ambiguous than Java
• Should have identical behavior to actual execution
• Deobfuscate by replacing complex, obfuscated instructions with simpler instructions
Virtual Execution
Good:
• Much more flexible
• No regular expressions
• Deeper analysis
• Less brittle, generalized
• Can be used for more than deobfuscation
Bad:
• Harder to implement
• Correctness is a constant struggle
• Need to study program analysis and lots of jargon
smalivm
• Acts like a sandboxed Dalvik virtual machine
• Takes Smali / DEX / APK as input
• Handles unknown values + method arguments
• Executes all possible paths
• API methods are whitelisted for security
• Returns context sensitive graph of each method
• Graph has VM state for each execution of every op
smalivm Example
Java / Smali
smalivm Example
Multiple possible return values
Unknown argument value
Execution graph
smalivm Other Uses
• Data and type flow analysis
• Taint analysis
• Reversible debugger
• Works with Java if converted with dx
simplify
• Uses smalivm to analyze and create graph
• Applies optimizations to graph
• Constant propagation
• Dead / useless code removal
• Reflection removal
• Various peephole optimizations
• github.com/CalebFenton/simplify
simplify Example
Always returns 8!
simplify Example
After constant propagation and dead code removal
simplify Example
Before / After
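The smalivm and simplify idea in miniature, as an added example written for this page (not the projects' own Java code): a toy virtual executor over five Smali ops that treats the method parameter p0 as unknown, forks at every branch it cannot decide, records each op's possible results in a small per-op "graph", and then applies the three simplify passes named above (whole-method constant folding, constant propagation, dead code removal). The two input methods, including the white-noise ops, are constructed for the example.

```python
# Added example, not smalivm or simplify code: a toy virtual executor for
# five Smali ops (const, add-int, mul-int, if-eqz, return). Parameters start
# out unknown, every path is explored, then the text is simplified.

UNKNOWN = "?"                                  # a value we cannot determine
BINOPS = {"add-int": lambda a, b: a + b, "mul-int": lambda a, b: a * b}

def parse(text):
    """Return (code, labels); labels maps ':name' to the next op's index."""
    code, labels = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blanks
        if line.startswith(":"):
            labels[line] = len(code)
        elif line:
            op, _, rest = line.partition(" ")
            code.append((op, [a.strip() for a in rest.split(",")]))
    return code, labels

def execute(code, labels, params=("p0",)):
    """Explore every path; values[i] = results op i produced, returns = possible return values."""
    values, returns = [set() for _ in code], set()
    work, seen = [(0, {p: UNKNOWN for p in params})], set()
    while work:
        pc, regs = work.pop()
        state = (pc, tuple(sorted(regs.items())))
        if state in seen or pc >= len(code):   # explored already / fell off
            continue
        seen.add(state)
        op, args = code[pc]
        if op == "return":
            returns.add(regs.get(args[0], UNKNOWN))
            continue
        if op == "if-eqz":                      # unknown test: fork both ways
            v = regs.get(args[0], UNKNOWN)
            if v == UNKNOWN or v == 0:
                work.append((labels[args[1]], regs))
            if v == UNKNOWN or v != 0:
                work.append((pc + 1, regs))
            continue
        if op == "const":
            result = int(args[1], 16)
        else:                                   # add-int / mul-int
            a, b = (regs.get(r, UNKNOWN) for r in args[1:])
            result = UNKNOWN if UNKNOWN in (a, b) else BINOPS[op](a, b)
        values[pc].add(result)
        work.append((pc + 1, {**regs, args[0]: result}))
    return values, returns

def simplify(text, params=("p0",)):
    """Fold the whole method when every path returns one known value; else propagate constants and delete unread writes."""
    code, labels = parse(text)
    values, returns = execute(code, labels, params)
    if len(returns) == 1 and UNKNOWN not in returns:
        return ["const v0, 0x%x" % returns.pop(), "return v0"]
    out = [("const", [args[0], "0x%x" % vals.pop()])
           if op in BINOPS and len(vals) == 1 and UNKNOWN not in vals
           else (op, args) for (op, args), vals in zip(code, values)]
    keep = [True] * len(out)
    while True:                                 # repeat: dead code chains
        read = set()
        for (op, args), k in zip(out, keep):
            if k and op != "const":
                read.update(args[1:] if op in BINOPS else args[:1])
        new = [k and (not (op in BINOPS or op == "const") or args[0] in read)
               for (op, args), k in zip(out, keep)]
        if new == keep:
            break
        keep = new
    return render(out, labels, keep)

def render(code, labels, keep):
    at = {i: [l for l, j in labels.items() if j == i] for i in range(len(code) + 1)}
    lines = []
    for i, (op, args) in enumerate(code):
        lines += at[i] + ([op + " " + ", ".join(args)] if keep[i] else [])
    return lines + at[len(code)]

# Constructed inputs (not from the slides); p0 is a parameter, so unknown.
ALWAYS_EIGHT = """
    const v0, 0x5
    const v1, 0x3
    if-eqz p0, :other
    add-int v2, v0, v1       # 8 on this path
    return v2
:other
    mul-int v3, v0, v1       # white noise: v3 is never read
    const v2, 0x8
    return v2
"""
DEPENDS_ON_ARG = """
    const v0, 0x4
    mul-int v3, v0, v0       # white noise: folds to a const, then dies
    if-eqz p0, :other
    return v0
:other
    add-int v1, v0, p0       # 4 + unknown = unknown
    return v1
"""
```

ALWAYS_EIGHT returns 8 on both paths, so, like the slide's "always returns 8" method, the whole body collapses to a const and a return even though p0 is unknown. DEPENDS_ON_ARG really depends on p0: execute() reports the return set {4, UNKNOWN}, so only the white-noise multiply is folded and then removed. The correctness struggle from the Good/Bad slide shows up as soon as more ops are added, since each needs exact Dalvik semantics (32-bit wraparound on add-int, for instance, which this toy ignores).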
Which is best?
EXTENDED READING
• https://github.com/rednaga/training
• http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
• https://github.com/strazzere/anti-emulator/tree/master/slides
• https://github.com/strazzere/android-unpacker/blob/master/AHPL0.pdf
• http://www.droidsec.org/wiki/#whitepapers
• http://androidcracking.blogspot.com/
• http://www.unicorn-engine.org/
REDNAGA
THANKS!
Good people to follow on Twitter for Android / Reversing / Malware / Hacking:
@_jsoo_ @brucedang @capstone_engine @droidsec @Fuzion24 @jcase @jduck @marcwrogers @pof @quine @saurik @snare @tamakikusu @timstrazz @uberlaggydarwin @unicorn_engine
#MalwareMustDie