IDA Pro Android
12/27/2022

In order to avoid dynamic analysis of our .so files, we usually add some anti debugging code to the .so. The common Android native anti debugging methods are the following:

1. Directly call ptrace(PTRACE_TRACEME, 0, 0); refer to "Android native anti debugging".
2. Based on the principle that the TracerPid line in /proc/$PID/status shows the PID of the debugger, write a method that checks this value.
3. Refer to "Android native anti debugging" and use JNI to implement the anti debugging of the APK.
4. Check the interval between code executions; refer to "Analysis of Android application method hiding and anti debugging technology", 0x03 "Preliminary discussion on anti debugging".

Check some hardware information on the mobile phone to determine whether it is running under a debugger; this is also covered in 0x03 "Preliminary discussion on anti debugging" of "Analysis of Android application method hiding and anti debugging technology".

So how do we get through these anti debugging checks?

2、 IDA dynamically modifies memory data and register values

Let's take the second question of the Ali competition as an example; for reference see "Android dynamic debugging: peacock feather of the seven weapons - IDA Pro".

Let's first explain IDA patch so, which can be patched in several places. We set a breakpoint under JNI_OnLoad, as shown below:

We found that after executing this step our IDA exits, indicating that the anti debugging code enters and executes from this entry. Then we can bypass anti debugging as long as we NOP this entry.

Patch so means modifying the binary code in the .so and then re-signing to generate a new APK. The code to be modified is in the local .so file, not in memory, so we need to subtract the base address of the .so in memory from the instruction address in the above figure to obtain the offset of this instruction in the local .so file. So how do we get the base address of the .so in memory? Press Ctrl+S. We can see that the base address of libme.so is ab732000, and the address of BLX R7, ab733c58, minus ab732000 equals 1c58. Then we open a second IDA, load libme.so in it, press G and enter 1c58; sure enough, we land at the position of BLX R7, as shown in the following figure:

Next, NOP this line of code: it can be modified to 00 00 or 00 A0 E1.

After modification, right-click and apply the change. Then re-sign, generate the APK and run the APK again. There will be no anti debugging interference during IDA debugging.

Press F7 to enter the internal execution of BLX R7, as shown in the following figure: A thread is created to perform anti debugging. What if we want to go back to the BLX R7 instruction? Select register LR, then right-click and select Jump. Similarly, selecting PC jumps to the current position. The body of the function executed by this thread is sub_AB7336A4, as shown below:

The sub_AB7336A4 function body is as follows:

This method calls sub_AB73330C in a loop. We enter sub_AB73330C; it is suspected that this is the place that really checks whether we are in the debugging state, but the code has been heavily obfuscated, so the anti debugging code cannot be found.

Then what shall I do? In 0x00 we talked about the common anti debugging code. fopen will be called during the check of the second method. Therefore, we can basically determine which function is the anti debugging code by setting a breakpoint on the fopen method of libc and seeing which function calls it.

First, we need to find the location of fopen: press Alt+T and enter the fopen keyword, as shown in the following figure:

After finding fopen, the code is as follows:

At this time, press P to change it to code form. As shown in the figure below, set the breakpoint at fopen.

Click F9 to continue running. At this time, LR is the sub_AB73330C we just talked about, as shown below: So we can be sure sub_AB73330C is the anti debugging code.

Click the code XRef on the right, sub_AB7336A4, to enter the call to sub_AB73330C. We can see that this function is called by sub_AB7336A4. Press F5 on the sub_AB7336A4 function to see the corresponding C language code. In sub_