Setting Up OLLVM Obfuscation Environment for Android Reversing

Forum Original Author Account:Flying Ugly Duck

Course Navigation:

“Teach My Brother Android Reversing 01: Write Your First Android Program”

“Teach My Brother Android Reversing 02: Crack Your First Android Program”

“Teach My Brother Android Reversing 03: Crack Your First Android Game”

“Teach My Brother Android Reversing 04: Dynamic Debugging of Smali Code”

“Teach My Brother Android Reversing 05: Insert Log into Smali Code”

“Teach My Brother Android Reversing 06: Write Your First So with Android Studio”

“Teach My Brother Android Reversing 07: IDA Cracking Your First So”

“Teach My Brother Android Reversing 08: IDA Breaking Signature Verification”

“Teach My Brother Android Reversing 09: IDA Dynamic Cracking of Login Verification”

“Teach My Brother Android Reversing 10: Static Analysis of Anti-Debugging APK”

“Teach My Brother Android Reversing 11: Dynamic Debugging of Init_array”

Extra Navigation:

“Teach My Brother Android Reversing Extra 01: Using Apktool”

“Teach My Brother Android Reversing Extra 02: Using JEB Tool”

“Teach My Brother Android Reversing Extra 03: Must-Know Commands for Android Reversing”

1. Introduction LLVM: a compiler used for compiling So and executable files. OLLVM: obfuscation on top of LLVM.

2. Setting Up OLLVM Obfuscation Environment

1. Environment Configuration Virtual Machine: VMware System: Ubuntu-12.04.5-64-bit (Another Linux system, Ubuntu-17.10.1-64-bit was also tested but could not compile due to missing Clang) OLLVM Version: obfuscator-llvm-3.4 NDK Version: android-ndk32-r10b-linux-x86_64.tar

3. Compiling OLLVM

1. Install Compilation Tools Execute the following two Linux commands: apt-get install cmake apt-get install g++

2. Copy the OLLVM compressed package to the Linux system. Copy obfuscator-llvm-3.4 from the attachment to the virtual machine’s Linux system under Home/Pictures/android/llvm (For Ubuntu 12.04, it is recommended to compile in the Picture directory. If placed elsewhere, even with SU permissions, it may still prompt insufficient permissions, which is unresolved. Other Linux systems should be tested independently.)

3. Create a build directory under the obfuscator-llvm-3.4 directory and execute cmake -DCMAKE_BUILD_TYPE:String=Release ../ in the build directory.

4. After completion, execute make -j7. This compilation will take a long time. Once completed, it will generate bin and lib directories in the build directory.

5. If the build directory has lib and bin directories and the bin directory contains the Clang file, it indicates successful compilation; otherwise, it failed. If it fails, check the reasons. If unresolved, consider changing the OLLVM version for testing or changing the Linux system to redo the steps above.

4. NDK Configuration of Environment Variables

1. Copy android-ndk-r10b from the attachment to the virtual machine’s NDK directory and unpack it.

2. Execute the command sudo gedit /etc/profile and add the following commands at the end of the profile file. Note that NDK_HOME should be your NDK directory. Save and exit: export NDK_HOME=/home/heyiran/Pictures/android/ndk/ export PATH=$NDK_HOME:$PATH

3. Execute source /etc/profile to make the above changes effective.

4. Execute ndk-build. If the following prompt appears, it indicates that the NDK environment variable configuration is successful.

5. If the environment variable does not take effect, you can try adding the content to the ~/.bashrc file: sudo gedit ~/.bashrc

5. Integrating OLLVM into NDK

1. Go to the toolchains directory under the NDK directory and copy the llvm-3.3 folder to the current directory, renaming it to obfuscator-llvm-3.4.

2. Replace the bin and lib directories in obfuscator-llvm-3.4/prebuilt/linux-x86_64 with those from obfuscator-llvm-3.4/build.

3. Copy arm-linux-androideabi-clang3.4, mipsel-linux-android-clang3.4, and x86-clang3.4 from the NDK/toolchains directory to the current directory, renaming them to arm-linux-androideabi-obfuscator3.4, mipsel-linux-android-obfuscator3.4, x86-obfuscator3.4. Change the value of LLVM_NAME in the setup.mk file in the copied folders to LLVM_NAME := obfuscator-llvm-$(LLVM_VERSION). Note: All three copied folders must be changed.

6. Compiling Obfuscated So via NDK

1. Create Android.mk, Application.mk, and hello.c in the Pictures/android/test/hello/jni directory.

Android.mk:

LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

LOCAL_MODULE := hello

LOCAL_SRC_FILES := hello.c

LOCAL_CFLAGS += -mllvm -sub -mllvm -bcf -mllvm -fla

LOCAL_ARM_MODE := arm

LOCAL_PROGUARD_ENABLED:= disabled

include $(BUILD_SHARED_LIBRARY)

Application.mk:

LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

APP_ABI := armeabi

NDK_TOOLCHAIN_VERSION := obfuscator3.4

include $(BUILD_SHARED_LIBRARY)

hello.c:

#include <stdio.h>

#include <fcntl.h>

#include <elf.h>

#include <stdlib.h>

#include <string.h>

#include <jni.h>

char * a(char* Text);

static jstring JNICALL serial(JNIEnv *env, jobject class,jstring user)

{

char *c_user = (*env)->GetStringUTFChars(env,user,0);

char * pass = a(“Tm|hjllv|o”);

if(strcmp(c_user,pass)==0)

{

return (*env)->NewStringUTF(env,”successful!”);

}

else

{

return (*env)->NewStringUTF(env,”wrong password!”);

}

}

char * a(char* Text)

{

char secretText[128]={‘\0’};

int count=0;

int i;

count = strlen(Text);

for(i=0;i<count;i++){

secretText[i]=Text[i]-i-1;

}

secretText[i] = ‘\0’;

return secretText;

}

static const JNINativeMethod gMethods[] = {

// {“check”, “(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;”, (jstring*)check},

{“check”, “(Ljava/lang/String;)Ljava/lang/String;”, (jstring*)serial}

// {“checkport”, “()V”, (jstring*)checkport}

};

static jclass myClass;

static const char* const kClassName=”demo2/jni/com/myapplication/myJNI”;

JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved){

JNIEnv* env = NULL;

jint result = -1;

if((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_4) != JNI_OK)

return -1;

myClass = (*env)->FindClass(env, kClassName);

if(myClass == NULL)

{

printf(“cannot get class:%s\n”, kClassName);

return -1;

}

if((*env)->RegisterNatives(env,myClass,gMethods,sizeof(gMethods)/sizeof(gMethods[0]))<0)

{

printf(“register native method failed!\n”);

return -1;

}

printf(“——–JNI_OnLoad—–“);

return JNI_VERSION_1_4;

}

2. In the jni directory, execute the command ndk-build and find that the hello directory has generated libs and obj directories. Copy libhello.so from the libs directory to Windows and open it with IDA to find that the code has been obfuscated.

Setting Up OLLVM Obfuscation Environment for Android Reversing

Setting Up OLLVM Obfuscation Environment for Android Reversing

Setting Up OLLVM Obfuscation Environment for Android Reversing

Setting Up OLLVM Obfuscation Environment for Android Reversing

Setting Up OLLVM Obfuscation Environment for Android Reversing

Attachment Link:https://pan.baidu.com/s/1zO4hks94b-HJZVNCyTxYSg

Password:aio6

7. References

“OLLVM4.0+NDK Compilation Environment Setup”: https://blog.csdn.net/SilenceCoder/article/details/79401147

“OLLVM Obfuscation, Deobfuscation, and Custom Modifications”:

https://www.52pojie.cn/thread-609511-1-1.html

–Official Forum

www.52pojie.cn

–Recommended to Friends

Public WeChat Account: Wu Ai Crack Forum

Or search WeChat ID: pojie_52

Leave a Comment

×