Forum Original Author Account:Flying Ugly Duck
Course Navigation:
“Teach My Brother Android Reversing 01: Write Your First Android Program”
“Teach My Brother Android Reversing 02: Crack Your First Android Program”
“Teach My Brother Android Reversing 03: Crack Your First Android Game”
“Teach My Brother Android Reversing 04: Dynamic Debugging of Smali Code”
“Teach My Brother Android Reversing 05: Insert Log into Smali Code”
“Teach My Brother Android Reversing 06: Write Your First So with Android Studio”
“Teach My Brother Android Reversing 07: IDA Cracking Your First So”
“Teach My Brother Android Reversing 08: IDA Breaking Signature Verification”
“Teach My Brother Android Reversing 09: IDA Dynamic Cracking of Login Verification”
“Teach My Brother Android Reversing 10: Static Analysis of Anti-Debugging APK”
“Teach My Brother Android Reversing 11: Dynamic Debugging of Init_array”
Extra Navigation:
“Teach My Brother Android Reversing Extra 01: Using Apktool”
“Teach My Brother Android Reversing Extra 02: Using JEB Tool”
“Teach My Brother Android Reversing Extra 03: Must-Know Commands for Android Reversing”
1. Introduction LLVM: a compiler used for compiling So and executable files. OLLVM: obfuscation on top of LLVM.
2. Setting Up OLLVM Obfuscation Environment
1. Environment Configuration Virtual Machine: VMware System: Ubuntu-12.04.5-64-bit (Another Linux system, Ubuntu-17.10.1-64-bit was also tested but could not compile due to missing Clang) OLLVM Version: obfuscator-llvm-3.4 NDK Version: android-ndk32-r10b-linux-x86_64.tar
3. Compiling OLLVM
1. Install Compilation Tools Execute the following two Linux commands: apt-get install cmake
apt-get install g++
2. Copy the OLLVM compressed package to the Linux system. Copy obfuscator-llvm-3.4 from the attachment to the virtual machine’s Linux system under Home/Pictures/android/llvm
(For Ubuntu 12.04, it is recommended to compile in the Picture directory. If placed elsewhere, even with SU permissions, it may still prompt insufficient permissions, which is unresolved. Other Linux systems should be tested independently.)
3. Create a build directory under the obfuscator-llvm-3.4 directory and execute cmake -DCMAKE_BUILD_TYPE:String=Release ../
in the build directory.
4. After completion, execute make -j7
. This compilation will take a long time. Once completed, it will generate bin
and lib
directories in the build directory.
5. If the build directory has lib
and bin
directories and the bin
directory contains the Clang file, it indicates successful compilation; otherwise, it failed. If it fails, check the reasons. If unresolved, consider changing the OLLVM version for testing or changing the Linux system to redo the steps above.
4. NDK Configuration of Environment Variables
1. Copy android-ndk-r10b from the attachment to the virtual machine’s NDK directory and unpack it.
2. Execute the command sudo gedit /etc/profile
and add the following commands at the end of the profile file. Note that NDK_HOME
should be your NDK directory. Save and exit: export NDK_HOME=/home/heyiran/Pictures/android/ndk/
export PATH=$NDK_HOME:$PATH
3. Execute source /etc/profile
to make the above changes effective.
4. Execute ndk-build
. If the following prompt appears, it indicates that the NDK environment variable configuration is successful.
5. If the environment variable does not take effect, you can try adding the content to the ~/.bashrc
file: sudo gedit ~/.bashrc
5. Integrating OLLVM into NDK
1. Go to the toolchains directory under the NDK directory and copy the llvm-3.3
folder to the current directory, renaming it to obfuscator-llvm-3.4
.
2. Replace the bin
and lib
directories in obfuscator-llvm-3.4/prebuilt/linux-x86_64
with those from obfuscator-llvm-3.4/build
.
3. Copy arm-linux-androideabi-clang3.4
, mipsel-linux-android-clang3.4
, and x86-clang3.4
from the NDK/toolchains directory to the current directory, renaming them to arm-linux-androideabi-obfuscator3.4
, mipsel-linux-android-obfuscator3.4
, x86-obfuscator3.4
. Change the value of LLVM_NAME
in the setup.mk
file in the copied folders to LLVM_NAME := obfuscator-llvm-$(LLVM_VERSION)
. Note: All three copied folders must be changed.
6. Compiling Obfuscated So via NDK
1. Create Android.mk
, Application.mk
, and hello.c
in the Pictures/android/test/hello/jni
directory.
Android.mk:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := hello
LOCAL_SRC_FILES := hello.c
LOCAL_CFLAGS += -mllvm -sub -mllvm -bcf -mllvm -fla
LOCAL_ARM_MODE := arm
LOCAL_PROGUARD_ENABLED:= disabled
include $(BUILD_SHARED_LIBRARY)
Application.mk:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
APP_ABI := armeabi
NDK_TOOLCHAIN_VERSION := obfuscator3.4
include $(BUILD_SHARED_LIBRARY)
hello.c:
#include <stdio.h>
#include <fcntl.h>
#include <elf.h>
#include <stdlib.h>
#include <string.h>
#include <jni.h>
char * a(char* Text);
static jstring JNICALL serial(JNIEnv *env, jobject class,jstring user)
{
char *c_user = (*env)->GetStringUTFChars(env,user,0);
char * pass = a(“Tm|hjllv|o”);
if(strcmp(c_user,pass)==0)
{
return (*env)->NewStringUTF(env,”successful!”);
}
else
{
return (*env)->NewStringUTF(env,”wrong password!”);
}
}
char * a(char* Text)
{
char secretText[128]={‘\0’};
int count=0;
int i;
count = strlen(Text);
for(i=0;i<count;i++){
secretText[i]=Text[i]-i-1;
}
secretText[i] = ‘\0’;
return secretText;
}
static const JNINativeMethod gMethods[] = {
// {“check”, “(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;”, (jstring*)check},
{“check”, “(Ljava/lang/String;)Ljava/lang/String;”, (jstring*)serial}
// {“checkport”, “()V”, (jstring*)checkport}
};
static jclass myClass;
static const char* const kClassName=”demo2/jni/com/myapplication/myJNI”;
JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved){
JNIEnv* env = NULL;
jint result = -1;
if((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_4) != JNI_OK)
return -1;
myClass = (*env)->FindClass(env, kClassName);
if(myClass == NULL)
{
printf(“cannot get class:%s\n”, kClassName);
return -1;
}
if((*env)->RegisterNatives(env,myClass,gMethods,sizeof(gMethods)/sizeof(gMethods[0]))<0)
{
printf(“register native method failed!\n”);
return -1;
}
printf(“——–JNI_OnLoad—–“);
return JNI_VERSION_1_4;
}
ndk-build
and find that the hello directory has generated libs and obj directories. Copy libhello.so
from the libs directory to Windows and open it with IDA to find that the code has been obfuscated.
–Official Forum
www.52pojie.cn
–Recommended to Friends
Public WeChat Account: Wu Ai Crack Forum
Or search WeChat ID: pojie_52