DexHunter

Aici puteti posta software nou dezvoltat de dumneavoastra.
Software news and new software launch.

DexHunter

Post Number:#1  Postby rukov » 08 Sep 2015 10:57

DexHunter aims at unpacking hardened dex file automatically.
DexHunter is based on the source code of Android runtime. It is composed of modified ART and DVM runtime. You can use the modified runtime to replace the original content in Android source codes (Android 4.4.3). The modification is mainly in "art/runtime/class_linker.cc" (ART) and "dalvik/vm/native/dalvik_system_DexFile.cpp" (DVM).
Usgae:

If you want to unpack an app, you need to push the "dexname" file to "/data/" in the mobile before starting the app. The first line in "dexname" is the feature string (referring to "slide.pptx"). The second line is the data path of the target app (e.g. "/data/data/com.test.test/"). Its line ending should be in the style of Unix/Linux. You can observe the log using "logcat" to determine whether the unpacking procedure is finished. Once done, the generated "whole.dex" file is the wanted result which is located in the app's data directory.
Tips:

1) DexHunter simply reuses the content before "class_def" section instead of parsing them for the efficiency. If there are some problems, you can parse and reassemble them again or amend them statically.
2) It is worth noting that some "annotation_off" or "debug_info_off" fields may be invalid in the result. These fileds have nothing to do with execution just to hinder decompiling. We do not deal with this situation specifically for the moment. You can just program some scripts to set the invalid fileds with 0x00000000.
3) As is known, some hardening services can protect several methods in the dex file by restoring the instructions just before being executed and wiping them just after finished. So you also need to modify the "DoInvoke" (ART) or "dvmMterp_invokeMethod" (DVM) function to extract the protected instruction while being executed.
4) The feature string may be changed along with the evolution of hardening services.
5) If the "fwrite" and other libc functions fail, maybe these functions are hooked by hardening sevices. As a result, you cannot dump the memory via them. You can bypass this limitation by calling relevant system calls directly.
DexHunter has its own limitation. As the hardening services develop, DexHunter may be not effective in the future. If you are interested, you can amend DexHunter to keep pace with hardening services continuously.

Download
Hidden Content
This board requires you to be registered and logged-in before you can view hidden content.
User avatar
rukov
Mediu
Mediu
Progress to next rank:
48%
 
Status: Offline
Posts: 74
Joined: 23 Jan 2014 12:43

Invitations sent: 0
Referrals: 1
Local time: 23 Sep 2017 12:11
Has thanked: 25 times
Been thanked: 71 times

Return to Lansari de software

Who is online

Users browsing this forum: No registered users and 3 guests

cron