How do I reverse engineer .so files found in android APKs?
I know how to reverse engineer normal Android APKs using tools like APK-tool and dex2jar, but I don't know how to work with obfuscation. Can anyone help or at least provide some pointers? I know this largely constitutes learning by myself, but I really don't know what to look for or where to look. Some examples would be really helpful. Thanks!
When I extract everything from the APK, I get some SMALI files (I tried JD-GUI, but the strings contained random names; probably obfuscated using ProGuard), some resource files, and a ".so" file in the lib directory. How do I analyze the ".so" file? I know that SO files are, kind of, the DLLs of the Linux world, but what are the tools that can be used to analyze SO files? Any links to videos would be very helpful. :)
Also, how would I get around if there were a JAR file instead of SO file in the APK?
This is a bad question as the topic of obfuscation is huge. Try to narrow it down.
Try to make it a 'googleable' question. For example: "When I open my PE I am missing an import table. How can this be?" or "I noticed my APK is packed with dexprotector; what would be the best way to approach this?"
Perfect! I've nominated it for reopening. When it is reopened I'll answer the question for you.
The .so file is a compiled library, in most cases from C or C++ source code. .so stands for Shared Object; it doesn't have anything to do with obfuscation, it just means someone wrote parts of the app in C.
In some cases, there is existing C code and it's just easier for the programmer to build a JNI interface to call the library from Java; in other cases, the programmer wants the speed advantage that compiled C has over Java. And of course, if I want to hide how some part of my application works, writing that in C and compiling it to a .so makes it much harder to reverse.
If you want to reverse an android .so, these are the options you have:
- Buy the commercial version of IDA pro. The demo versions will not do, as they can't disassemble ARM code. This is expensive, but by far the best tool to work with unknown object code.
- If the app includes versions of the .so for different hardware, and if it has a library for android on x86, you can use the free IDA 5.1 version to disassemble it.
- If you have access to a Linux system, get a gcc toolchain for ARM that includes objdump, and use objdump --disassemble to get a huge text file containing disassembled code. Then, have fun with that text file. There might be gcc toolchains for ARM targets that run on Windows as well, but I never tried.
- You could also upload the .so file to http://onlinedisassembler.com/ to get a disassembled file, if you don't want to install a gcc toolchain.
Beware, though, in all of these cases, you need a thorough understanding of the ARM processor architecture, assembler language, JNI conventions, and compiler ABI to make any sense of the disassembly. Prepare for many long nights if you're inexperienced.
Android has an x86 version, so I think the OP can grab the same .so file from the x86 image and decompile it.
Unfortunately onlinedisassembler.com has a limitation. The maximum upload size is 256KB.
"Then, have fun with that text file." What do you mean? What is the best way to inspect this text file sensibly?
Besides Guntram's suggestions, check out the retargetable decompiler aka retdec. It can decompile the binary to Python or C code. At least for me, it reads easier than pure assembly (and it works for ARM binaries).
It works very well for sketching out the rough workings of the shared object.
A plugin for select IDA versions exists, but the main limitation is that it doesn't support 64-bit code.
You can also try a dynamic approach by hooking APIs and observing arguments and return values. This will allow you to look at data going into crypto APIs, which may help a lot when dealing with network protocols. Check out the Frida instrumentation toolkit for an open source cross-platform solution (Android, iOS, Windows, Mac and Linux). There's a tutorial showing how to build an interactive instrumentation tool in a few minutes, which injects code into the “Yo” app on iOS and plots network connections using Google Maps.
Use android-ndk, https://developer.android.com/ndk/downloads/index.html.
You can use the toolchains inside the NDK to perform the type of disassembling you want to. For example, if I decompile an apk and get a .so library out of it, I will do:
./android-ndk-r15b/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-objdump -T SAMPLE.so | less
To get an
You can also try the Snowman tool: https://derevenets.com/.
Snowman is a native code to C/C++ decompiler.
It supports ARM, x86, and x86-64 architectures as specified on their website.
Snowman possibly has memory leaks. It took 6+ GB of RAM while decompiling a small .so file.
You can also reverse-engineer APK files directly on an android device.
(Disclaimer: I'm the developer)
Version 1.4.2 release.
Disassemble ANY files, including Android shared libraries (aka .so files) (NDK, JNI), Windows PE files (EXE, DLLs, SYSs, etc.), Linux executables, object files, and ANY files you want, like pictures, audio, etc. (for fun), entirely on Android. Capstone-based disassembler application on Android.
- Shows details of ELF files.
- Shows the symbol table (names of functions, objects, ...) of ELF files.
- Disassembles the code sections.
- Has various export options for the disassembly (reloadable raw file, compilable txt file, analytic text files, JSON, and reloadable database).
- Supports projects.
- Supports directly launching from file browsers.
- Supports many ABIs (ARM, x86, x64, MIPS, PowerPC, ...).
- Jump to address by symbol name or by hex address.
- Syntax colorizing.
- Supports PE and other bin formats.
- Sort symbols if needed.
- No need to press
- Colorize PUSH/POP instructions.
- Colorize ARM arch instructions better.
- Added Follow Jump menu for jump instructions (with BackStack).
- Can override auto parse setup.
- You can copy an instruction to the clipboard.
- It now parses the IAT and EAT of PE headers.
- Fixed bugs.
Materials about assemblies
You can try Ghidra. Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python. Link: https://github.com/NationalSecurityAgency/ghidra