Trace system calls, including stack (and java stack if possible), on android?

Reverse Engineering Asked by Guntram Blohm on December 3, 2020

I have an android app that reads/writes a data file which seems to be encrypted, and i want to make a tool to read/write that file, so i need to reverse the encryption.

The app in question consists of a few hundred classes and several .so libraries, and grepping through the classes and the output of strings on the .so files doesn’t find the name of the game file (i tried case-sensitive, omitting the extension, and all that stuff), so the “easy” way to find the function doesn’t work. So, what i want to do is intercept calls to the open system call, and check the stacks (dalvik and C) for the callers.

On Windows, this is quite easy using procmon which saves the stack of each system call; on Linux, there is strace -i which doesn’t give me a stack backtrace, but at least an IP value; also, i could make a named pipe having the filename in question to make the app block on opening it and attach gdb to get the backtrace.

The problem with using strace and or a debugger on android is that i a) it seems to be non-trivial to get a version of strace that works with a particular OS level of android, b) when i try the named pipe approach, the app just exits, c) unless the whole encryption stuff is done in one of the .so libraries, i need the Java stack as well.

I found jtrace which seems to be a replacement for strace, but doesnt show the stack, and this question has some links, but they seem to be targetted at instrumentation/profiling, not what i need.

So the question really is in the title: Is there a tool that traces system calls on android, and shows the stack trace, like procmon does on windows, including the java stack if possible? Or another idea to quickly find the code that opens and decrypts the file?

If all else fails, i’ll probably attach IDA to the process, put a breakpoint on open, and write a breakpoint condition that checks the file name. But that still won’t give me the java stack, and i’d like to avoid the effort if there’s a “nicer” tool.

2 Answers

you can get system call stack with strace too. you just need to compile strace with libunwind. After that you just need to use -k to get system call stack for each system call.

Answered by Rasoul on December 3, 2020

JavaJournal, which was built on top of the pyspresso framework, was designed specifically for tracing method calls in Java.

Answered by Jason Geffner on December 3, 2020

Add your own answers!

Related Questions

Disassembling ARM based Camera Firmware

1  Asked on August 14, 2021 by arkod


How to know when a subroutine starts when reversing an ARM64 file?

1  Asked on August 12, 2021 by user11144725


Show full name in symbols panel of Ghidra

0  Asked on August 12, 2021 by sieutruc


Wrap-around MCU memory map definition with negative addresses

1  Asked on August 11, 2021 by brainstorm


Confused about the use of the shl instruction in this disassembly

1  Asked on August 8, 2021 by constructive


IDA python : reading n bytes from an offset

1  Asked on August 8, 2021 by user3714670


LOG Urls that APK requests using smali

1  Asked on August 4, 2021 by sitedude


Reverse engineering android native packer

1  Asked on August 3, 2021


Delphi mt38 CRC (Tricore 1766 Arch)

0  Asked on August 2, 2021 by bahar


How to dump firmware from ATWINC1510

1  Asked on July 31, 2021 by cobz


Ask a Question

Get help from others!

© 2022 All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir