codeScriber

Reputation: 4612

Debugging reversed Android application

Let's assume I have a malware application I got from a device, and reversing it using smali or dedexter or dex2jar is OK, but I want to actually debug it and not just perform static analysis.

Is it even possible? I'm not sure how the Dalvik VM debugging capabilities work, since they should know when single stepping which line of code belongs to which Dalvik opcode line. I'm not sure where that metadata resides; does anyone have experience with it? Of course I can try dex2jar and create an Eclipse project, but I'm looking for a way to do it from Dalvik as well, meaning being able to step through Dalvik bytecode lines.

Couldn't find any open source project that does that; I'm not sure even IDA Pro allows it.

Anyone got a clue?

Upvotes: 4

Views: 1469

Answers (2)

David A

Reputation: 821

You can certainly do that, and debug the malware app without problem. IDA allows you to do it in a very smooth and gentle way; you only need to open the classes.dex inside the APK in IDA Pro and configure the Dalvik debugger. But you could also do this in the same way that you would if you were writing the application using Eclipse, for example.

The only restriction: since the application manifest doesn't allow you to debug it (let's suppose the worst scenario and a smart malware), you need to have an engineering device so that you can attach your IDA Pro or debugger, I mean a device where:

$ getprop ro.debuggable
1
$ getprop ro.secure
0

It is also extremely easy to meet those conditions if you can unlock the bootloader of your device and edit your ramdisk, setting ro.debuggable=1 and ro.secure=0 inside the init files. Alternatively, if your device were rooted, you would be able to use setpropex to easily change read-only properties in this way:

# ./setpropex ro.debuggable 1
# ./setpropex ro.secure 0

GitHub link to setpropex: https://github.com/poliva/rootadb/blob/master/jni/setpropex.c

Upvotes: 2
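The device-side condition from the answer above, as an added example that is not part of the original post: a pre-flight check that reads a `getprop` dump and reports whether a debugger can attach to an app whose manifest does not allow debugging. The function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): pre-flight check before attaching a
# debugger to an app pulled from a device.
# Live use (assumes adb is on PATH):  adb shell getprop | debug_readiness false

# Constructed sample of `getprop` output from a stock retail device.
SAMPLE_RETAIL='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]'

# Constructed sample from a device with the edited ramdisk described above.
SAMPLE_ENG='[ro.build.type]: [eng]
[ro.debuggable]: [1]
[ro.secure]: [0]'

# prop_value NAME: read a getprop dump on stdin, print the value of NAME.
# Older adb versions end each line with CR, so strip it before matching.
prop_value() {
    name=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    tr -d '\r' | sed -n "s/^\[$name\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# debug_readiness APP_DEBUGGABLE: getprop dump on stdin; APP_DEBUGGABLE is
# "true" if the APK's manifest sets android:debuggable, otherwise "false".
# Prints a verdict and returns 0 when a debugger can attach, 1 otherwise.
debug_readiness() {
    dump=$(cat)
    dbg=$(printf '%s\n' "$dump" | prop_value ro.debuggable)
    sec=$(printf '%s\n' "$dump" | prop_value ro.secure)
    if [ "$1" = "true" ]; then
        echo "ok: manifest allows debugging"
        return 0
    fi
    # The answer's condition for a non-debuggable app: both properties set.
    if [ "$dbg" = "1" ] && [ "$sec" = "0" ]; then
        echo "ok: device properties allow debugging"
        return 0
    fi
    echo "blocked: ro.debuggable=${dbg:-unset} ro.secure=${sec:-unset}"
    return 1
}
```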

Yury

Reputation: 20936

I did not try the approach, but it's possible. To do that you need to download old versions of apktool 1.4.1 and NetBeans 6.8. It's claimed that on newer versions the approach does not work.

You can watch the video here on how to do this and also read this article, which describes how to perform debugging using smali code.

I read about the approaches on a popular Russian IT webpage. Here are the links to these articles: first and its extension. If you know Russian, there are step-by-step instructions on what to do to perform debugging. If you don't, Google Translate can help you catch the idea.

If there are some points unclear, I'll try to help you with them.

Upvotes: 0
