I have an Android app that reads/writes a data file which seems to be encrypted, and I want to make a tool to read/write that file, so I need to reverse the encryption.
The app in question consists of a few hundred classes and several .so libraries, and grepping through the classes and the output of strings on the .so files doesn't find the name of the game file (I tried case-sensitive, omitting the extension, and all that stuff), so the "easy" way to find the function doesn't work. So, what I want to do is intercept calls to the open system call, and check the stacks (Dalvik and C) for the callers.
On Windows, this is quite easy using procmon, which saves the stack of each system call; on Linux, there is strace -i, which doesn't give me a stack backtrace, but at least an IP value; also, I could make a named pipe having the filename in question to make the app block on opening it and attach gdb to get the backtrace.
The problem with using strace and/or a debugger on Android is that a) it seems to be non-trivial to get a version of strace that works with a particular OS level of Android, b) when I try the named pipe approach, the app just exits, c) unless the whole encryption stuff is done in one of the .so libraries, I need the Java stack as well.
So the question really is in the title: Is there a tool that traces system calls on Android and shows the stack trace, like procmon does on Windows, including the Java stack if possible? Or another idea to quickly find the code that opens and decrypts the file?
If all else fails, I'll probably attach IDA to the process, put a breakpoint on open, and write a breakpoint condition that checks the file name. But that still won't give me the Java stack, and I'd like to avoid the effort if there's a "nicer" tool.
You can get the system call stack with strace too. You just need to compile strace with libunwind. After that you just need to use -k to get the system call stack for each system call.
Answered by Rasoul on December 3, 2020
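As an added example (not part of the question or the answer), the snippet below pulls out of an strace -f -k log the native stack frames recorded for each open/openat call that touched a given file, which is the correlation the question is after. The log content, process id, library and symbol names are constructed sample data; -k unwinds native frames only, so a JNI trampoline frame is where the Java side would begin.

```shell
#!/bin/sh
# Added example: extract, from an `strace -f -k` log, the stack frames
# recorded for every open/openat syscall whose path contains a needle.
# All sample paths, pids, libraries and symbols below are constructed.

# Usage: callers_of <strace-log> <file-name-fragment>
# Prints each matching syscall line followed by its " > " stack frames.
callers_of() {
    awk -v needle="$2" '
        # -k prints stack frames indented and prefixed with " > ";
        # keep them only while the preceding syscall line matched.
        /^ > / { if (keep) print; next }
        {
            keep = index($0, needle) > 0 && $0 ~ /open(at)?\(/
            if (keep) print
        }
    ' "$1"
}

# Constructed sample log in the shape `strace -f -k -o log -p <pid>` writes.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[pid  4242] openat(AT_FDCWD, "/system/lib64/libc.so", O_RDONLY|O_CLOEXEC) = 3
 > /system/lib64/libc.so(__openat+0x8) [0x8f0a8]
 > /system/bin/linker64(__dl__Z5loadxx+0x1c) [0x2f61c]
[pid  4242] openat(AT_FDCWD, "/data/data/com.example.game/files/save.dat", O_RDONLY) = 4
 > /system/lib64/libc.so(__openat+0x8) [0x8f0a8]
 > /data/app/com.example.game/lib/arm64/libgame.so(load_save+0x4c) [0x1a04c]
 > /system/lib64/libart.so(art_quick_generic_jni_trampoline+0x90) [0x1c8e90]
[pid  4242] read(4, "\x7f\x01...", 4096) = 4096
EOF

# Show who opened the save file: the libgame.so frame names the native
# function, and the libart.so trampoline marks the Java/JNI boundary.
callers_of "$SAMPLE_LOG" save.dat
```

On a device you would run strace built with libunwind, as the answer describes, with -f -k -o to capture the log and then feed that file to the function.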