Shell
mobisec@Mobisec-VM:~$ adb forward tcp:31415 tcp:31415
mobisec@Mobisec-VM:~$ sudo drozer console connect
dz> cd app.package
dz#app.package> run info -a com.android.system.admin
dz#app.package> run attacksurface com.android.system.admin
dz#app.package> run manifest com.android.system.admin
# More interestingly:
dz#app.package> run launchintent com.android.system.admin
# tells us that the launcher activity for this package is com.android.system.admin.CCOIoll
# Now if we wanted to manually launch this activity we can do so via:
dz#app.activity> run start --component com.android.system.admin com.android.system.admin.CCOIoll
# if we want to use the sdk tools only we can start this activity as:
mobisec@Mobisec:~$ adb shell am start -a android.intent.category.LAUNCHER -n com.android.system.admin/.CCOIoll
Shell
# start the monitor tool
/opt/mobisec/devtools/android-sdk/tools/monitor & # this has DDMS that can port forward any VM's specific debugging port to the standard port used by jdb which is 8700
In the emulator, go to the application view, open devtools and select "Development Settings". Under "Debug app" tap the application name (none is set by default), then scroll down the application list and select com.android.system.admin. You can also tick "Wait for debugger".
Now launch the app with either drozer or the SDK tools:
Shell
dz#app.activity> run start --component com.android.system.admin com.android.system.admin.CCOIoll
OR
mobisec@Mobisec:~$ adb shell am start -a android.intent.category.LAUNCHER -n com.android.system.admin/.CCOIoll
Shell
# put this breakpoint in ~/.jdbrc:
stop in com.android.system.admin.COcCccl.onCreate
# and attach jdb to the app:
mobisec@Mobisec-VM:~$ jdb -attach localhost:8700
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
*** Reading commands from /home/mobisec/.jdbrc
Deferring breakpoint com.android.system.admin.COcCccl.onCreate.
It will be set after the class is loaded.
> > Set deferred breakpoint com.android.system.admin.COcCccl.onCreate
Breakpoint hit: "thread=<1> main", com.android.system.admin.COcCccl.onCreate(), line=4,327 bci=0
<1> main[1]
Once this breakpoint is hit, you can run:
<1> main[1] trace go methods
<1> main[1] cont
[One can also run trace go methods for just the main thread]
Shell
The "exclude" feature in jdb: running help in jdb, we see
exclude [<class pattern>, ... | "none"] -- do not report step or method events for specified classes
Issuing the exclude command at the jdb prompt, we see
> > exclude
java.*,javax.*,sun.*,com.sun.*,
When we ran trace go methods we did not see any method of the package being entered or exited.
So let's try setting a breakpoint on java.lang.System.exit. We already have a VM snapshot to restore to; edit the .jdbrc file (put "stop in java.lang.System.exit(int)" in it), run the app again, attach jdb, and we see:
Shell
mobisec@Mobisec-VM:~$ vi ~/.jdbrc;jdb -attach localhost:8700
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
*** Reading commands from /home/mobisec/.jdbrc
Set breakpoint java.lang.System.exit(int)
> > cont
Nothing suspended.
>
Breakpoint hit: "thread=<1> main", java.lang.System.exit(), line=181 bci=0
<1> main[1] wherei
[1] java.lang.System.exit (System.java:181), pc = 0
[2] com.android.system.admin.COcCccl.onCreate (null), pc = 1,041
[3] android.app.Instrumentation.callApplicationOnCreate (Instrumentation.java:969), pc = 0
[4] android.app.ActivityThread.handleBindApplication (ActivityThread.java:3,954), pc = 729
[5] android.app.ActivityThread.access$1300 (ActivityThread.java:123), pc = 0
[6] android.app.ActivityThread$H.handleMessage (ActivityThread.java:1,185), pc = 177
[7] android.os.Handler.dispatchMessage (Handler.java:99), pc = 20
[8] android.os.Looper.loop (Looper.java:137), pc = 122
[9] android.app.ActivityThread.main (ActivityThread.java:4,424), pc = 34
[10] java.lang.reflect.Method.invokeNative (native method)
[11] java.lang.reflect.Method.invoke (Method.java:511), pc = 17
[12] com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run (ZygoteInit.java:784), pc = 11
[13] com.android.internal.os.ZygoteInit.main (ZygoteInit.java:551), pc = 66
[14] dalvik.system.NativeStart.main (native method)
<1> main[1]
Shell
#decompile the apk with -d (debugging)
c:\downloads\apktool_2\Apktool\brut.apktool\apktool-cli\build\libs>java -jar apktool-cli-2.0.0-Beta5.jar d -d -o decompiled_with_apktool_2_with_debug d:\OBad\E1064BFD836E4C895B569B2DE4700284.apk
This will give you (among other things) .java source files containing the smali code, e.g.
you will find COcCccl.java in decompiled_with_apktool_2_with_debug\smali\com\android\system\admin,
and if you look at the code for onCreate you will see:
a=0;// # virtual methods
a=0;// .method public onCreate()V
a=0;// .locals 10
a=0;//
a=0;// invoke-super {p0}, Landroid/app/Application;->onCreate()V
a=0;//
a=0;// invoke-direct {p0}, Lcom/android/system/admin/COcCccl;->oIOccOcl()Z
a=0;//
a=0;// move-result v0
a=0;//
a=0;// #v0=(Boolean);
a=0;// if-eqz v0, :cond_0
a=0;//
a=0;// const/4 v0, 0x1
a=0;//
a=0;// #v0=(One);
a=0;// invoke-static {v0}, Ljava/lang/System;->exit(I)V
# package the manifest with aapt in debug mode to check it for errors:
aapt p --debug-mode -M d:\OBad\E1064BFD836E4C895B569B2DE4700284.apk\decompiled_with_apktool_2_with_debug\AndroidManifest.xml
To resolve the errors you can refer here; once you have edited the XML file and no more errors are reported, continue by repackaging with:
Shell
D:\apktool_2\Apktool\brut.apktool\apktool-cli\build\libs>java -jar apktool-cli-2.0.0-Beta5.jar b -d -o E1064BFD836E4C895B569B2DE4700284_rebuilt_with_apktool_2_with_debug.apk d:\OBad\decompiled_with_apktool_2_with_debug
# signing your apk - you can read the details here (below is what I did)
# creating keystore
D:\>"c:\Program Files\Java\jdk1.7.0_07\bin\keytool.exe" -genkeypair -validity 10000 -dname "CN=IBM-XF,C=CA" -keystore d:\downloads\MYKEYSTORE.keystore -storepass <keyPass> -keypass <Pass> -alias myXFKey -sigalg MD5withRSA -keyalg RSA -keysize 1024 -v
# signing apk
D:\>"c:\Program Files\Java\jdk1.7.0_07\bin\jarsigner.exe" -keystore d:\downloads\MYKEYSTORE.keystore -storepass <keyPass> -keypass <Pass> -digestalg SHA1 -sigalg MD5withRSA -verbose -certs E1064BFD836E4C895B569B2DE4700284_rebuilt_apktool_2_dbg.apk myXFKey
#zipalign - for optimization
D:\>zipalign -v 4 "d:\E1064BFD836E4C895B569B2DE4700284_rebuilt_with_apktool_2_with_debug.apk" "d:\E1064BFD836E4C895B569B2DE4700284_rebuilt_with_apktool_2_with_debug_aligned.apk"
==> verifying jar signature -
D:\>"c:\Program Files\Java\jdk1.7.0_07\bin\jarsigner.exe" -verify -verbose -certs E1064BFD836E4C895B569B2DE4700284_rebuilt_apktool_2_dbg_aligned.apk
Now that we have recompiled/repackaged the apk, install it and attach jdb. It is well worth taking another VM snapshot before attaching jdb. Add the "stop in java.lang.System.exit(int)" statement to the .jdbrc file, and so that jdb can show the smali code, also add:
use /home/mobisec/Malware/OBAD/decompiled_with_apktool_2_with_debug/smali/
<use the appropriate path for your setup; recall that we mentioned earlier where the .java files containing smali code are>
.jdbrc:
use /home/mobisec/decompiled_with_apktool_2_with_debug/smali/
monitor print this
monitor locals
monitor where
monitor suspend
monitor cont
monitor resume
stop in java.lang.Class.getDeclaredField(java.lang.String)
stop in java.lang.Class.getDeclaredMethod(java.lang.String,java.lang.Class[])
stop in java.lang.Class.getField(java.lang.String)
stop in java.lang.reflect.AccessibleObject.setAccessible(boolean)
stop in java.lang.Runtime.exec(java.lang.String)
stop in java.lang.Runtime.exec(java.lang.String[])
stop in java.lang.Runtime.exec(java.lang.String[],java.lang.String[])
stop in java.lang.Runtime.exec(java.lang.String[],java.lang.String[],java.io.File)
stop in java.lang.Runtime.exec(java.lang.String,java.lang.String[],java.io.File)
stop in java.lang.Runtime.exec(java.lang.String,java.lang.String[])
stop in java.lang.System.exit(int)
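As an added example (not code from the original post), a POSIX shell script that serves two steps above: it parses the .java output of apktool -d shown for onCreate (the "a=0;// " smali lines) to find calls to the APIs the .jdbrc breaks on, reporting the enclosing method, and converts each callee's Dalvik descriptor into the jdb "stop in" syntax used in that .jdbrc. The sample file is constructed from the onCreate listing above and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: scan an "apktool d -d" .java file
# (smali lines prefixed "a=0;// ") for calls to the APIs the .jdbrc above breaks on,
# report the enclosing method, and turn each callee into a jdb "stop in" line.
SAMPLE=$(mktemp)   # constructed sample, modelled on the onCreate listing above
cat > "$SAMPLE" <<'EOF'
a=0;// .method public onCreate()V
a=0;// invoke-direct {p0}, Lcom/android/system/admin/COcCccl;->oIOccOcl()Z
a=0;// move-result v0
a=0;// if-eqz v0, :cond_0
a=0;// invoke-static {v0}, Ljava/lang/System;->exit(I)V
a=0;// .end method
a=0;// .method private oIOccOcl()Z
a=0;// invoke-static {v1, v2}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
a=0;// .end method
EOF

# scan_debug_java FILE: print "method -> callee" for each sensitive invoke.
scan_debug_java() {
    sed -n 's/^a=0;\/\/ *//p' "$1" | awk '
        /^\.method /    { m = $NF }
        /^\.end method/ { m = "" }
        /^invoke-/ && $NF ~ /Ljava\/lang\/(System;->exit|Runtime;->exec|Class;->(getDeclaredField|getDeclaredMethod|getField)|reflect\/AccessibleObject;->setAccessible)[(]/ { print m " -> " $NF }'
}

# to_jdb_stop DESC: "Lpkg/Cls;->name(argdescs)ret" -> "stop in pkg.Cls.name(javatypes)".
to_jdb_stop() {
    printf '%s\n' "$1" | awk '
        BEGIN { p["I"]="int"; p["Z"]="boolean"; p["J"]="long"; p["B"]="byte"
                p["S"]="short"; p["C"]="char"; p["F"]="float"; p["D"]="double" }
        { split($0, d, "->"); cls = substr(d[1], 2, length(d[1]) - 2); gsub("/", ".", cls)
          name = d[2]; sub(/[(].*/, "", name)
          args = d[2]; sub(/^[^(]*[(]/, "", args); sub(/[)].*/, "", args)
          out = ""; dims = ""
          while (args != "") {                       # walk the Dalvik parameter descriptors
              c = substr(args, 1, 1)
              if (c == "[") { dims = dims "[]"; args = substr(args, 2); continue }
              if (c == "L") { e = index(args, ";"); t = substr(args, 2, e - 2)
                              gsub("/", ".", t); args = substr(args, e + 1) }
              else { t = p[c]; args = substr(args, 2) }
              out = out (out == "" ? "" : ",") t dims; dims = ""
          }
          print "stop in " cls "." name "(" out ")" }'
}

# jdbrc_lines FILE: deduplicated "stop in" lines for every sensitive call found.
jdbrc_lines() {
    scan_debug_java "$1" | sed 's/^.* -> //' | sort -u | while read -r d; do to_jdb_stop "$d"; done
}
jdbrc_lines "$SAMPLE"
```

Running it on the real decompiled_with_apktool_2_with_debug\smali tree (one file at a time) gives a .jdbrc tailored to the APIs the sample actually calls, rather than the fixed list above.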