Automated Deobfuscation of Android Applications
During AthCon 2013 last week I talked about Automated Deobfuscation
of Android Applications and Malware. In particular, this presentation
focussed on using automated deobfuscation tools in order to speed up the
analysis of 3rd party applications which have been obfuscated.
Click here for the slides.
The cyanide and obad.a samples discussed in the presentation can be found
here (password infected.)
The Dexguard Scripts
At the moment the dexguard scripts are focussed at deobfuscating all
obfuscated strings and reconstructing a new dex file. As you will quickly see
when analyzing the _undexguard.dex files (explained further in the samples
section), this is far from complete deobfuscation. However, it gives a good
start at analyzing the sample more quickly. (And it’s work in progress.)
As for now I have decided to, unfortunately, keep the code private. I’m
considering setting up a deobfuscation website later, where one can upload
a sample and download the deobfuscated sample a few seconds later.
Please do let me know if you (or your company) is interested in such
service! You know where to contact me.
A little explanation on the given samples.
Cyanide.dex is a root exploit by Justin Case.
- cyanide_original.dex is the original Cyanide binary
- cyanide_dexguard.dex is a Dexguarded version of cyanide_original.dex
- Running unchina.py on cyanide_dexguard.dex gives us cyanide_unchina.dex
- Running our dexguard scripts on cyanide_unchina.dex gives us cyanide_undexguard.dex
Note: the dexguard version used for this sample is the one-to-last, however,
our framework has support for the latest version as well.
Obad.a is a Most Sophisticated Android Trojan.
- obad_original.dex is the original obad.a binary
- We get obad_undexguard.dex after running our dexguard scripts on obad_original.dex
Note: obad_undexguard.dex will not run on an emulator or a real device due
to the way it’s built. (The cyanide_undexguard.dex, however, should work.)
Even though it doesn’t run, JEB loads the undexguarded file just fine,
so it’s mostly useful for analysis.
Pingback: Android OBad decompiled sources | Android App Reviews
How do you handle the lack of bytecode verification in Android? From what I’ve read, it’s possible for Android binaries to use whatever malformed classfiles they want, and it will probably still run. This includes stuff like jumping into the middle of an instruction (which on it’s own isn’t hard to handle but it does make disassembly complicated).
Yes, it is. In my engine I recursively disassemble all branches. As there are no instructions which take a register or field as offset, all instructions have a predefined destination address, and the engine follows these recursively.
Of course, the lack of bytecode might make some interesting edge cases, but I’m guessing that some of the simpler obfuscated variants are handled correctly.