Manual De-obfuscation Techniques

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

In application security, the process of making obfuscated (packed) code understandable, known as de-obfuscation, is essential. This guide covers several de-obfuscation strategies, with a focus on static analysis techniques and on recognising obfuscation patterns. It also introduces a practical exercise and points to further resources for readers who want to go deeper.

Strategies for Static De-obfuscation

When faced with obfuscated code, several approaches can be used depending on the type of obfuscation:

  • DEX bytecode (Java): One effective approach is to identify the application's own de-obfuscation methods and replicate them in a Java file. That file is then run to reverse the obfuscation on the targeted elements.
  • Java and Native Code: Another approach is to translate the de-obfuscation algorithm into a scripting language such as Python. The point is not to fully understand the algorithm but to re-execute it: in practice you port only the reversible core (key derivation, decode loop) and feed it the encoded literals and arguments lifted from the decompiled call sites.
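
As an added illustration of the Python route (example code written for this page, not from the original), the block below ports a hypothetical decompiled decryptor, b.a(String, int), assumed to Base64-decode the literal and XOR each byte with the int key, and then rewrites jadx output so that every call becomes its plaintext literal. The class and method names, the cipher and the sample Java are all assumptions; swap decrypt() for a port of the target's real routine.

```python
"""Python port of a decompiled string decryptor, applied back to the jadx output.

Added example, not code from the original page. The decompiled class/method
(com.example.app, b.a(String, int)) and its cipher (Base64, then XOR of each
byte with the int key) are assumptions chosen to look like the routines jadx
usually shows; replace decrypt() with a port of the target's real method.
"""
import base64
import binascii
import re


def decrypt(enc: str, key: int) -> str:
    """Port of the hypothetical Java decryptor b.a(String enc, int key)."""
    raw = base64.b64decode(enc, validate=True)
    return bytes(b ^ (key & 0xFF) for b in raw).decode("utf-8")


def _obfuscate(plain: str, key: int) -> str:
    """Inverse of decrypt(); used only to build the constructed sample below."""
    data = bytes(b ^ (key & 0xFF) for b in plain.encode("utf-8"))
    return base64.b64encode(data).decode("ascii")


def java_literal(s: str) -> str:
    """Render s as a Java string literal that can be pasted back into source."""
    out = s.replace("\\", "\\\\").replace('"', '\\"')
    out = out.replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t")
    return f'"{out}"'


# Decompiled call-site shape: b.a("<base64>", <int key>)
CALL_RE = re.compile(r'\bb\.a\(\s*"([A-Za-z0-9+/=]*)"\s*,\s*(-?\d+)\s*\)')


def rewrite_source(java_src: str):
    """Inline every decodable b.a(...) call as a plain string literal.

    Returns (new_source, recovered) where recovered lists the plaintexts in
    source order. A call that does not decode cleanly (wrong key, not valid
    Base64, result is not UTF-8) is left untouched rather than guessed at.
    """
    recovered = []

    def repl(m):
        enc, key = m.group(1), int(m.group(2))
        try:
            plain = decrypt(enc, key)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return m.group(0)
        recovered.append(plain)
        return java_literal(plain)

    return CALL_RE.sub(repl, java_src), recovered


# Constructed sample resembling jadx output; not taken from any real APK.
_PLAIN = ["api.example.test", "net", 'say "hi"']
SAMPLE_JAVA = f"""package com.example.app;

public class MainActivity {{
    static final String HOST = b.a("{_obfuscate(_PLAIN[0], 42)}", 42);

    void run() {{
        Log.d(b.a("{_obfuscate(_PLAIN[1], 7)}", 7), b.a("{_obfuscate(_PLAIN[2], 42)}", 42));
        Object keep = b.a("QUJD", 200);  // wrong key: XOR result is not UTF-8, so left as-is
    }}
}}
"""

if __name__ == "__main__":
    src, found = rewrite_source(SAMPLE_JAVA)
    print(src)
    print("recovered:", found)
```

Run it over a real tree with `for p in pathlib.Path("input_dir").rglob("*.java")`, writing `rewrite_source(p.read_text())[0]` back; the regex only needs the call shape jadx produced, so adjust CALL_RE if the decryptor takes its key from a static field or a class name instead of a literal. Leaving undecodable calls untouched matters: a silently wrong literal is worse than an obfuscated one.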

Identifying Obfuscation

Recognising obfuscated code is the first step of the de-obfuscation process. Key indicators include:

  • The absence or scrambling of strings in Java and Android code, which may indicate string obfuscation.
  • The presence of binary files in the assets directory or calls to DexClassLoader, which point to code unpacking and dynamic loading.
  • The use of native libraries together with JNI functions that cannot be identified, suggesting possible obfuscation of native methods.
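
The three indicators above can be checked mechanically before any manual work starts. The following added example (written for this page, not part of the original) scans a decompiled tree for scrambled literals, runtime code loading and binary assets, and native method declarations; the readability heuristic, the ratio thresholds and the sample tree are assumptions, so calibrate them on a few known-clean apps first.

```python
"""Obfuscation-indicator triage over a decompiled (jadx/apktool) tree.

Added example, not from the original page. Scores the three indicators
listed above: scrambled string literals, runtime code loading plus binary
assets, and native methods. Thresholds are assumptions; tune on clean apps.
"""
import os
import re

STRING_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"')            # Java string literal
LOADER_RE = re.compile(r"\b(DexClassLoader|PathClassLoader|InMemoryDexClassLoader"
                       r"|BaseDexClassLoader|System\.loadLibrary|System\.load)\b")
NATIVE_RE = re.compile(r"\bnative\b[^;(]*?\b(\w+)\s*\(")   # native <type> name(
READABLE_RE = re.compile(r"^[\w .,:/?&=\-@%+']*$")           # chars a human string uses
MAGIC = {b"dex\n": "dex", b"\x7fELF": "elf", b"PK\x03\x04": "zip"}


def looks_scrambled(s: str) -> bool:
    """True when a literal looks like ciphertext or encoded bytes, not text."""
    if len(s) < 6:
        return False                    # too short to judge either way
    if not READABLE_RE.match(s):
        return True                     # escapes, control chars or odd symbols
    letters = sum(c.isalpha() for c in s)
    vowels = sum(c.lower() in "aeiou" for c in s)
    # words, paths and URLs carry vowels; XOR/Base64 blobs mostly do not
    return letters >= 6 and vowels / letters < 0.2


def scan_java(path, src, report):
    lits = STRING_RE.findall(src)
    bad = [s for s in lits if looks_scrambled(s)]
    if lits and len(bad) / len(lits) >= 0.5:
        report["string_obfuscation"].append((path, len(bad), len(lits)))
    for api in LOADER_RE.findall(src):
        report["dynamic_loading"].append((path, api))
    for name in NATIVE_RE.findall(src):
        report["native_methods"].append((path, name))


def scan_asset(path, data, report):
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind is None and data and data.count(b"\x00") / len(data) > 0.05:
        kind = "binary"                 # no known magic, but clearly not text
    if kind:
        report["binary_assets"].append((path, kind))


def scan_tree(files):
    """files maps relative path -> str for .java sources, bytes for assets."""
    report = {"string_obfuscation": [], "dynamic_loading": [],
              "native_methods": [], "binary_assets": []}
    for path, content in sorted(files.items()):
        if path.endswith(".java") and isinstance(content, str):
            scan_java(path, content, report)
        elif "/assets/" in path and isinstance(content, bytes):
            scan_asset(path, content, report)
    return report


def scan_dir(root):
    """Load a real decompiler output directory into the mapping scan_tree() wants."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = data.decode("utf-8", "replace") if name.endswith(".java") else data
    return scan_tree(files)


# Constructed sample tree standing in for jadx output; not from any real app.
SAMPLE_TREE = {
    "sources/com/example/app/MainActivity.java":
        'public class MainActivity {\n'
        '    static final String BASE = "https://api.example.test/v1";\n'
        '    void show() { toast("Loading profile"); }\n}\n',
    "sources/com/example/a/c.java":
        'public class c {\n'
        '    static String k = b.a("\\u001f\\u0008Zx~;kQ", 3);\n'
        '    static String u = b.a("zxKqWvJpLtRmNb", 9);\n'
        '    static String v = b.a("pRtWxZvKsQ", 2);\n'
        '    void l(Context ctx) {\n'
        '        new DexClassLoader(ctx.getDir("p", 0) + "/x.jar", null, null,\n'
        '                           getClass().getClassLoader());\n    }\n}\n',
    "sources/com/example/n/Core.java":
        'public class Core {\n'
        '    static { System.loadLibrary("core"); }\n'
        '    static native String a(int i);\n'
        '    public static native byte[] b(byte[] in, int k);\n}\n',
    "resources/assets/data.bin": b"dex\n035\x00" + bytes(range(256)),
    "resources/assets/strings.json": b'{"greeting": "hello"}',
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_tree(SAMPLE_TREE), indent=2))
```

On a real target call `scan_dir("input_dir")` on the jadx output (it expects the `sources/` and `resources/` layout jadx writes). Each flagged class is a candidate for the decryptor-porting step, each loader hit tells you which path or asset to dump at runtime, and each native method name tells you which JNI export to look for in the bundled .so.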

Dynamic Analysis in De-obfuscation

By running the code in a controlled environment, dynamic analysis makes it possible to observe how obfuscated code unpacks itself in real time. This technique is particularly effective at exposing the inner workings of complex obfuscation patterns designed to hide the code's true intent.

Applications of Dynamic Analysis

  • Runtime Decryption: Many obfuscation techniques encrypt strings or code segments that are only decrypted at runtime. Through dynamic analysis these hidden components can be captured at the moment of decryption, revealing their true form.
  • Identifying Obfuscation Techniques: By monitoring the application's behaviour, dynamic analysis can help identify the specific obfuscation techniques in use, such as code virtualization, packers, or dynamic code generation.
  • Uncovering Hidden Functionality: Obfuscated code may contain functionality that static analysis alone does not reveal. Dynamic analysis lets you observe the code paths actually taken at runtime, including conditionally executed ones, although coverage is limited to the conditions you manage to trigger.

Automated De-obfuscation with LLMs (Androidmeda)

While the previous sections focused on fully manual strategies, in 2025 a new class of Large-Language-Model (LLM) powered tooling appeared that can automate much of the tedious renaming and control-flow recovery work. One representative project is Androidmeda, a Python utility that takes decompiled Java sources (e.g. produced by jadx) and returns a largely cleaned-up, commented and security-annotated version of the code.

Key capabilities

  • Renames the meaningless identifiers generated by ProGuard / DexGuard / DashO / Allatori / … to semantic names.
  • Detects and repairs control-flow flattening, turning opaque switch-case state machines back into ordinary loops / if-else constructs.
  • Decrypts common string-encryption patterns where possible.
  • Emits inline comments explaining the purpose of complex blocks.
  • Performs a lightweight static security scan and writes the findings to vuln_report.json with severity levels (informational → critical).

Installation

git clone https://github.com/In3tinct/Androidmeda
cd Androidmeda
pip3 install -r requirements.txt

Preparing the input

  1. Decompile the target APK with jadx (or any other decompiler) and keep only the source directory that contains the .java files:
jadx -d input_dir/ target.apk
  2. (Optional) Prune input_dir/ down to the application packages you want to analyse; this greatly speeds up processing and cuts LLM cost.

Mifano ya matumizi

Remote provider (Gemini-1.5-flash):

export OPENAI_API_KEY=<your_key>
python3 androidmeda.py \
--llm_provider google \
--llm_model gemini-1.5-flash \
--source_dir input_dir/ \
--output_dir out/ \
--save_code true

Offline (local ollama backend with llama3.2):

python3 androidmeda.py \
--llm_provider ollama \
--llm_model llama3.2 \
--source_dir input_dir/ \
--output_dir out/ \
--save_code true

Output

  • out/vuln_report.json – JSON array with file, line, issue, severity.
  • A mirrored package tree with de-obfuscated .java files (only if --save_code true).

Tips & troubleshooting

  • Skipped class ⇒ usually caused by a method the parser cannot handle (unparsable); split the package or update the parser regex.
  • Slow run-time / high token usage ⇒ point --source_dir at the app's own packages instead of the whole decompiled tree.
  • Authentication errors with a remote provider ⇒ check that the API-key environment variable you export is the one the selected --llm_provider actually reads.
  • Always review the vulnerability report by hand – LLM hallucinations can produce false positives / negatives.

Practical value – Crocodilus malware case study

Feeding a heavily obfuscated sample of the 2025 Crocodilus banking trojan through Androidmeda cut analysis time from hours to minutes: the tool recovered call-graph semantics, exposed calls to accessibility APIs and hard-coded C2 URLs, and produced a concise report that could be fed into analyst dashboards.


Targeted Dalvik string decryption with DaliVM

DaliVM is a Python Dalvik bytecode emulator focused on statically recovering values that otherwise exist only at runtime (chiefly decrypted strings), without booting Android. It executes a specific method inside the APK by emulating Dalvik opcodes and mocking Android/Java APIs.

Workflow

  1. Select target method by Dalvik signature (Lpkg/Class;->method(Args)Ret). Examples: Lutil/Crypto;->decrypt(Ljava/lang/String;)Ljava/lang/String;, LMyClass;->compute(II)I.
  2. Enumerate call sites across multi-DEX (classes*.dex) and reconstruct arguments via backward data-flow tracing, forward lookup, and partial execution when needed.
  3. Emulate the method inside the Dalvik VM (covers 120+ opcodes across const/array/control/field/invoke, handles class init via <clinit>) and collect return values (e.g., decrypted strings).
  4. Bypass runtime dependencies using built-in mocks for common Android APIs (Context, PackageManager, Signature, reflection, system services) and hooks for Java stdlib (String/StringBuilder/Integer/Math/Arrays/List/Iterator).
  5. If execution stalls, enable opcode-level tracing to see PC/register changes and extend opcode handlers.

CLI usage

# Emulate a decryptor and dump all returns
python emulate.py app.apk "Lcom/example/Decryptor;->decrypt"

# Verbose, debug trace, and limit outputs
python emulate.py app.apk "Lcom/example/Decryptor;->decrypt" -v --debug --limit 10

The output is the set of return values collected for each invocation; it is useful for bulk string/config extraction during malware triage or on heavily obfuscated apps.
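
Steps 1 and 2 of the workflow (select a target signature, enumerate call sites, reconstruct arguments by backward data-flow) are the part worth understanding in detail, because that is where most failures surface. The added example below (written for this page, not DaliVM's code) implements a minimal version over smali text: it follows move/move-object copies back to const-string / const instructions, and reports a call whose argument comes from a control-flow merge as unresolved, which is exactly the case the emulation and partial-execution steps exist for. The Lcom/example/Decryptor class, its cipher (each char shifted by the int key) and the smali sample are assumptions.

```python
"""Smali call-site enumeration and argument recovery (DaliVM workflow steps 1-2).

Added example, not DaliVM's own code. From baksmali/apktool output it finds every
invoke of a target method, walks each argument register backwards to the constant
that fed it (following move/move-object), and runs a Python port of the decryptor
on fully resolved calls. Lcom/example/Decryptor and its cipher (each char shifted
by the int key) are assumptions chosen for the sample, not any real app's.
"""
import re

INVOKE_RE = re.compile(r"^invoke-\S+ \{([^}]*)\}, (L\S+)")
CONST_STR_RE = re.compile(r'^const-string(?:/jumbo)? ([vp]\d+), "((?:[^"\\]|\\.)*)"')
CONST_INT_RE = re.compile(r"^const(?:/4|/16|/high16)? ([vp]\d+), (-?(?:0x[0-9a-fA-F]+|\d+))")
MOVE_RE = re.compile(r"^move(?:-object)?(?:/from16|/16)? ([vp]\d+), ([vp]\d+)")
# opcodes whose first register operand is read, not written
READS_FIRST = ("invoke", "if-", "sput", "iput", "aput", "return", "throw", "monitor",
               "check-cast", "fill-array", "packed-switch", "sparse-switch", "goto")

def unescape(s):                          # smali string escapes: \uXXXX, \n, \t, \", \\
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", lambda m: chr(int(m.group(1)[1:], 16))
                  if m.group(1)[0] == "u" else {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def decrypt(s, k):                        # port of the hypothetical Decryptor;->decrypt(String, int)
    return "".join(chr((ord(c) - k) % 0x10000) for c in s)

def parse_methods(smali):
    """Yield (method signature, [instruction and label lines]) per .method block."""
    name, body = None, []
    for line in (raw.strip() for raw in smali.splitlines()):
        if line.startswith(".method"):
            name, body = line.split()[-1], []
        elif line == ".end method":
            yield name, body
            name = None
        elif name is not None and line and not line.startswith((".", "#")):
            body.append(line)

def resolve(body, idx, reg):
    """Backward data-flow: the constant last stored in reg before body[idx], else None."""
    for j in range(idx - 1, -1, -1):
        line = body[j]
        if line.startswith(":"):
            return None                   # control-flow merge: value depends on the path taken
        for rx, conv in ((CONST_STR_RE, unescape), (CONST_INT_RE, lambda v: int(v, 0))):
            m = rx.match(line)
            if m and m.group(1) == reg:
                return conv(m.group(2))
        m = MOVE_RE.match(line)
        if m and m.group(1) == reg:
            reg = m.group(2)              # follow the copy back to its source register
            continue
        parts = line.replace(",", " ").split()
        if len(parts) > 1 and parts[1] == reg and not parts[0].startswith(READS_FIRST):
            return None                   # overwritten by an op we do not model (e.g. move-result)
    return None

def find_calls(smali, target):
    """[(method, index, [argument value or None, ...])] for every invoke of target."""
    hits = []
    for mname, body in parse_methods(smali):
        for i, line in enumerate(body):
            m = INVOKE_RE.match(line)
            if m and m.group(2).startswith(target):
                regs = [r.strip() for r in m.group(1).split(",")]
                hits.append((mname, i, [resolve(body, i, r) for r in regs]))
    return hits

def recover_strings(smali, target, decryptor):
    """Decrypt fully resolved calls; list the rest as candidates for emulation."""
    out = {"strings": [], "unresolved": []}
    for mname, idx, args in find_calls(smali, target):
        if None in args:
            out["unresolved"].append((mname, idx))
        else:
            out["strings"].append((mname, decryptor(*args)))
    return out

# Constructed smali standing in for baksmali output; not from any real APK.
DEC = "Lcom/example/Decryptor;->decrypt(Ljava/lang/String;I)Ljava/lang/String;"
SAMPLE_SMALI = """.method static constructor <clinit>()V
    .registers 2
    const-string v0, "kwwsv=22f51h{dpsoh1whvw"
    const/4 v1, 0x3
    invoke-static {v0, v1}, %s
    move-result-object v0
    sput-object v0, Lcom/example/Config;->HOST:Ljava/lang/String;
    return-void
.end method
.method public static gate(Z)Ljava/lang/String;
    .registers 4
    const-string v0, "6nh{l"
    move-object v2, v0
    const/4 v1, 0x7
    invoke-static {v2, v1}, %s
    move-result-object v0
    if-eqz p0, :cond_0
    const-string v2, "H"
    goto :goto_0
    :cond_0
    const-string v2, "I"
    :goto_0
    invoke-static {v2, v1}, %s
    move-result-object v0
    return-object v0
.end method"""

SAMPLE_SMALI = SAMPLE_SMALI % (DEC, DEC, DEC)
```

`recover_strings(SAMPLE_SMALI, "Lcom/example/Decryptor;->decrypt", decrypt)` yields the two straight-line calls decrypted and flags the third, whose string register is assigned in both arms of an if/else, as unresolved. Feed the unresolved call sites to an emulator such as DaliVM (or extend resolve() with the `/range` invoke form, `sget` of static fields and <clinit> evaluation) rather than guessing; on a real target, run it over every `*.smali` file that baksmali or apktool wrote for classes*.dex.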

References and Further Reading
