{"id":657,"date":"2017-08-06T13:47:54","date_gmt":"2017-08-06T21:47:54","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=657"},"modified":"2017-08-07T11:58:08","modified_gmt":"2017-08-07T19:58:08","slug":"debugging-dynamically-loaded-dex-files-with-jeb","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/debugging-dynamically-loaded-dex-files-with-jeb\/","title":{"rendered":"Debugging Dynamically Loaded DEX Bytecode Files"},"content":{"rendered":"

The JEB 2.3.2<\/a> release contains several enhancements of our JDWP and GDB\/LLDB1<\/a><\/sup> debugger clients used to debug both the Dalvik bytecode and native code of Android applications.<\/p>\n

Dynamically loaded DEX files<\/h2>\n

In this post, we wanted to highlight a neat addition to our Dalvik debugger. Up until now, we did not support debugging several DEX files within a single debugging session. 2<\/a><\/sup><\/p>\n

So, we decided to add\u00a0support for debugging DEX files loaded in a dynamic fashion<\/strong>. Below is a use-case, step-by-step study of a simple app whose workflow goes along these lines:<\/p>\n

    \n
  1. A routine in the principal classes.dex file looks for an encrypted asset<\/li>\n
  2. That asset is extracted and decrypted; it is a Jar file containing additional DEX bytecode<\/li>\n
  3. The Jar file is dynamically loaded using DexClassLoader, and its code is executed<\/li>\n<\/ol>\n

    Now, we want to debug that additional bytecode. How do we proceed?<\/p>\n

    An example of debugging dynamically loaded bytecode<\/h2>\n

    The app is called EnDyna<\/strong> (a benign crackme-like app, download it here<\/a>). It offers a simple text box, and waits for the user to input a passcode. When entering the proper passcode, a success message is displayed.<\/p>\n

    \"\"<\/a>
    The app requires the right password<\/figcaption><\/figure>\n

    Open the app in JEB. It contains a seemingly-encrypted asset file called edd.bin<\/strong>.<\/p>\n

    \"\"<\/a>
    Encrypted asset file<\/figcaption><\/figure>\n

    A closer look at the MainActivity class shows that the edd.bin file is extracted, decrypted (using a simple XOR cipher) and loaded using DexClassLoader<\/a> in order to validate the user input.<\/p>\n

    \"\"<\/a>
    Passcode verification routine<\/figcaption><\/figure>\n

    Let’s attach the debugger to the app, and set a breakpoint where the call to the\u00a0DexClassLoader constuctor<\/a>\u00a0is made.<\/p>\n

    \"\"<\/a>
    A breakpoint was set on the DexClassLoader constructor invocation<\/figcaption><\/figure>\n

    We then trigger the verify() routine by inputting a passcode and hitting the Verify<\/em> button. Our breakpoint is immediately hit. By examining the stackframe of the paused thread, we can retrieve the class loader variables and see where the decrypted DEX file was written to – and is about to get loaded from.<\/p>\n

    \"\"<\/a>
    The decrypted Jar file about to be loaded from the path referenced by the stack variable v8<\/figcaption><\/figure>\n

    We use the Dalvik debugger interpreter<\/a> to retrieve the file (command “pull”).<\/p>\n

    \"\"<\/a><\/p>\n

    We now have the Jar file containing our dynamically-loaded DEX file in hand! We load it in JEB by adding an additional artifact to the project<\/strong> (command File, Add an Artifact…<\/em>).<\/p>\n

    \"\"<\/a><\/p>\n

    After processing is complete, the Android debugger notices that the added artifact contains a DEX file, and integrates it in its list of managed units.<\/p>\n

    We can set a breakpoint on the method of the second DEX file that’s about to be called.3<\/a><\/sup><\/p>\n

    \"\"<\/a>
    The second DEX file; notice the decompiled chk() method on the right-side. Here, we set a breakpoint on the method’s first instruction. It’s about to be called from MainActivity.verify(), in the primary classes.dex file.<\/figcaption><\/figure>\n

    We resume execution, our breakpoint is hit: we can start debugging the dynamically dropped DEX file!<\/strong><\/p>\n

    \"\"<\/a><\/p>\n

    Of course, all of the above actions can be automated by a Python script or a Java plugin. (We will upload a sample script that hooks DexClassLoader on our public GitHub repository shortly.)<\/p>\n

    We published a short video that demos the above steps, have a look at it if you want to know precisely the steps that we took to get to debug the additional DEX file.<\/p>\n