TransWikia.com

How do I reverse engineer .so files found in android APKs?

Reverse Engineering Asked by Pervy Sage on January 20, 2021

I know how to reverse engineer normal android APKs using tools like APK-tool anddex2jar but i don’t know how to work with obfuscation. Can anyone help or atleast provide some pointers? I know this largely constitues learning by myself but I really don’t know what to look or where to look. Some examples would be really helpful. Thanks!

Edit:

When I extract everything from APK, I get some SMALI files (I tried JD-GUI but the strings contained random names. Probably obfuscated using Proguard.), some resource files and a “.so” files in the lib directory. How do I analyze the “.so” file. I know that SO files are, kind of DLLs of the Linux world but what are the tools that can be used to analyze SO files. Any links to videos would be very helpful. 🙂

Also, how would I get around if there were a JAR file instead of SO file in the APK?

8 Answers

The .so file is a compiled library, in most cases from C or C++ source code. .so stands for Shared Object, it doesn't have anything to do with obfusation, it just means someone wrote parts of the app in C.

In some cases, there is existing C code and it's just easier for the programmer to build a JNI interface to call the library from java; in other cases, the programmer wants the speed advantage that compiled C has over java. And of course, if i want to hide how some part of my application works, writing that in C and compiling it to a .so makes it much harder to reverse.

If you want to reverse an android .so, these are the options you have:

  • Buy the commercial version of IDA pro. The demo versions will not do, as they can't disassemble ARM code. This is expensive, but by far the best tool to work with unknown object code.
  • If the app includes versions of the .so for different hardware, and if it has a library for android on x86, you can use the free IDA 5.1 version to disassemble it.
  • If you have access to a linux system, get a gcc toolchain for ARM that includes objdump, and use objdump --disassemble to get a huge text file containing disassembled code. Then, have fun with that text file. There might be gcc toolchains for ARM targets that run on windows as well, but i never tried.
  • You could also upload the .so file to http://onlinedisassembler.com/ to get a disassembled file, if you don't want to install a gcc toolchain.

Beware, though, in all of these cases, you need a thorough understanding of the ARM processor architecture, assembler language, JNI conventions, and compiler ABI to make any sense of the disassembly. Prepare for many long nights if you're unexperienced.

Correct answer by Guntram Blohm on January 20, 2021

You can also try a dynamic approach by hooking APIs and observing arguments and return values. This will allow you to look at data going into crypto APIs, which may help a lot when dealing with network protocols. Check out the Frida instrumentation toolkit for an open source cross-platform solution (Android, iOS, Windows, Mac and Linux). There's a tutorial showing how to build an interactive instrumentation tool in a few minutes, which injects code into the “Yo” app on iOS and plots network connections using Google Maps.

Answered by Ole André Vadla Ravnås on January 20, 2021

Besides Guntram's suggestions, check out the retargetable decompiler aka retdec. It can decompile the binary to Python or C code. At least for me, it reads easier than pure assembly (and it works for ARM binaries).

It works very well for sketching you the rough workings of the shared object.

A plugin for select IDA versions exists, but the main limitation is that it doesn't support 64-bit code.

Answered by Cedric VB on January 20, 2021

Use android-ndk, https://developer.android.com/ndk/downloads/index.html.

You can use the toolchains inside the ndk to perform the type of disassembling you want to. For e.g. if I decompile an apk and get a .so library out of it, I will do :

./android-ndk-r15b/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-objdump -T "SAMPLE.so | less

To get an objdump.

Answered by Shailesh Mota on January 20, 2021

You can also try the Snowman tool: https://derevenets.com/.

Snowman is a native code to C/C++ decompiler

It supports ARM, x86, and x86-64 architectures as specified on their website.

Answered by Adrian Paul on January 20, 2021

You can also reverse-engineer APK files directly on an android device.

  1. Java part: Show Java
  2. .so files: Android disassembler.

(Disclaimer: I 'm the developer)

Version 1.4.2 release.

Android-Disassembler

Disassemble ANY files including android shared libraries (aka .so files) (NDK, JNI), windows PE files(EXE, DLLs, SYSs, etc..), linux executables, object files, ANY files you want like pictures, audios, etc(for fun) entirely on Android. Capstone-based disassembler application on android.

Features

  • Shows details of elf files.
  • Shows symbol table(functions or objects' ,... names) of elf files.
  • Disassembles the code sections.
  • Has various export options of the disassembly. (Reloadable raw file, compilable txt file, analytic text files, json, and reloadable database)
  • Supports projects.
  • Supports directly launching from file browsers.
  • Supports many ABIs(arm,x86,x64,MIPS,PowerPC,...)
  • Jump to address by symbols' names, or a hex address.
  • Syntax colorizing.
  • Support PE and other bin formats.
  • Sort symbols if needed.
  • No need to press Disassemble button!
  • Colorize PUSH/POP instructions.
  • Colorize ARM arch instructions better.
  • Added Follow Jump menu for jump instructions.(With BackStack)
  • Can override auto parse setup

What's new

  • You can copy an instruction to the clipboard.
  • It now parses IAT, EAT of PE headers.
  • Fixed bugs.

Materials about assemblies

Open Source

This app used - Capstone - Storage-Chooser - Colorpickerview - Java-binutils - PECOFF4J.

Thanks

https://reverseengineering.stackexchange.com/a/20124/23870

XRefs

https://reverseengineering.stackexchange.com/a/18203/23870

Related link(RE thread)

Answered by KYHSGeekCode on January 20, 2021

According to this blog post, GikDbg seems like an Ollydbg mod to debug native Android libraries.

Unfortunatly, the website of GikDbg doesn't exist anymore.

Answered by Sam on January 20, 2021

you can try the ghidra ,Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python. link:https://github.com/NationalSecurityAgency/ghidra

Answered by 梁赛飞 on January 20, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP