Automated Deobfuscation of Android Applications
During AthCon 2013 last week I talked about Automated Deobfuscation
of Android Applications and Malware. In particular, this presentation
focussed on using automated deobfuscation tools in order to speed up the
analysis of third-party applications that have been obfuscated.
Click here for the slides.
The cyanide and obad.a samples discussed in the presentation can be found
here (password: infected).
The Dexguard Scripts
At the moment the dexguard scripts are focussed on deobfuscating all
obfuscated strings and reconstructing a new dex file. As you will quickly see
when analyzing the _undexguard.dex files (explained further in the samples
section), this is far from complete deobfuscation. However, it gives a good
start for analyzing the sample more quickly. (And it's a work in progress.)
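As an added illustration (not the author's private dexguard scripts), the Python below walks the string table of a dex file, which is the structure a string-deobfuscation pass has to read and then rewrite when it reconstructs a new dex. The minimal dex image it builds as input is constructed for the example only: it carries a header and a string table and is not loadable by Dalvik.

```python
import struct

DEX_MAGIC = b"dex\n035\0"   # header magic for dex format version 035
STRING_IDS_FIELD = 0x38     # header offset of string_ids_size / string_ids_off

def uleb128_decode(buf, off):
    """Decode the ULEB128 value at buf[off]; return (value, offset after it)."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(buf):
    """Follow string_ids -> string_data_item and return every string in the dex."""
    if buf[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 image")
    count, ids_off = struct.unpack_from("<II", buf, STRING_IDS_FIELD)
    result = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", buf, ids_off + 4 * i)
        utf16_len, p = uleb128_decode(buf, data_off)   # utf16_size, then MUTF-8 data
        raw = buf[p:buf.index(b"\0", p)]               # data is NUL-terminated
        # MUTF-8 stores U+0000 as C0 80 and astral chars as two 3-byte surrogates
        s = raw.replace(b"\xc0\x80", b"\0").decode("utf-8", "surrogatepass")
        s = s.encode("utf-16-le", "surrogatepass").decode("utf-16-le")
        if len(s.encode("utf-16-le")) // 2 != utf16_len:
            raise ValueError(f"string #{i}: utf16_size does not match its data")
        result.append(s)
    return result

def build_min_dex(strings):
    """Constructed test input: a 0x70-byte header plus a string table, nothing else."""
    # Assumes BMP-only strings shorter than 128 UTF-16 units, so the ULEB128 length is one byte.
    items = [bytes([len(s)]) + s.encode("utf-8").replace(b"\0", b"\xc0\x80") + b"\0"
             for s in strings]
    ids_off = 0x70
    pos = ids_off + 4 * len(items)
    ids = bytearray()
    for it in items:
        ids += struct.pack("<I", pos)   # string_id_item.string_data_off
        pos += len(it)
    header = bytearray(0x70)
    header[:8] = DEX_MAGIC
    struct.pack_into("<III", header, 0x20, pos, 0x70, 0x12345678)   # file_size, header_size, endian_tag
    struct.pack_into("<II", header, STRING_IDS_FIELD, len(items), ids_off)
    return bytes(header) + bytes(ids) + b"".join(items)
```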
For now I have, unfortunately, decided to keep the code private. I'm
considering setting up a deobfuscation website later, where one can upload
a sample and download the deobfuscated sample a few seconds later.
Please do let me know if you (or your company) are interested in such a
service! You know where to contact me.
A short explanation of the provided samples.
Cyanide.dex is a root exploit by Justin Case.
- cyanide_original.dex is the original Cyanide binary
- cyanide_dexguard.dex is a Dexguarded version of cyanide_original.dex
- Running unchina.py on cyanide_dexguard.dex gives us cyanide_unchina.dex
- Running our dexguard scripts on cyanide_unchina.dex gives us cyanide_undexguard.dex
Note: the dexguard version used for this sample is the second-to-last release;
our framework supports the latest version as well.
Obad.a is the trojan described as the "Most Sophisticated Android Trojan".
- obad_original.dex is the original obad.a binary
- We get obad_undexguard.dex after running our dexguard scripts on obad_original.dex
Note: obad_undexguard.dex will not run on an emulator or a real device because
of the way it's built. (cyanide_undexguard.dex, however, should work.)
Even though it doesn't run, JEB loads the undexguarded file just fine,
so it's mostly useful for analysis.