"Two scripts for Android app reverse engineering"

- code

For the last two weeks, I've been working on an audit project for an Android app. I worked on Microsoft's WinCE about 14 years ago, and I am quietly impressed by how developer-friendly the Android platform is. Here are a couple of shell scripts I have written to make the reverse engineering process easier.

During our work, it is quite common to make some modification to the smali files generated by apktool, turn them back into a proper apk and install it on the device to see whether our guesses were correct. This is a repetitive process that involves signing the apk, aligning the zip file, uninstalling the original app and installing the new one from the local computer onto the device.

pack.sh is a shell script that automates this process for you. It takes two parameters: the first is the folder where the smali files are; the second is the package name of the application, which is needed so that the script can automatically uninstall the app from the device.

{% gist 6073781 %}

strace is a brilliant tool that allows you to attach to a running process and see all the Unix system calls it is making. Once you get it up and running, it is almost trivial to get a comprehensive view of the app's interaction with the Android system, for example which files it touches and which URLs it requests.

In our case, the app would launch and crash immediately, leaving us no time to manually attach strace to the process to see what had gone wrong. ambush.sh is a shell script that waits for a process to show up and automatically attaches strace to it. This makes it possible for us to see what the app has been doing before it crashes. It takes two parameters too: the first is the pattern that ps | grep can use to find the process id; the second is where the strace binary is located.

{% gist 6034934 %}

Benno has compiled a version of strace for Android. If you have busybox installed, you can run the following commands on the device to install it from the net.

{% codeblock lang:bash %}
$ cd /data/local
$ wget http://benno.id.au/android/strace
$ chmod 555 ./strace
{% endcodeblock %}

Please note that you'll have to put strace in /data/local in order to be able to chmod it into an executable.