2016-01-22

Debugging an Android app with IDA Pro

I decided to write about this as I had to piece this together from countless online sources, help from IDA support and a few friends.

So here it goes.


Steps (I may have forgotten something here, so please use the comments if something is missing)

* A rooted Android phone (check for example http://www.androidcentral.com/root -- use a slightly older model to be certain).
* Once rooted, install an SSH server on it (I used https://play.google.com/store/apps/details?id=com.icecoldapps.sshserver&hl=en). Inside this app, create an SSH server with as long a timeout value as possible.
* Log into your SSH server (normal login information is root/admin), go to /data/app, and copy your apk file to /mnt/sdcard. [ you probably need to do "su -" to fully gain root ]
* Download it on your Windows PC. (I use WinSCP)
* Next thing you need is apktool (https://ibotpeaches.github.io/Apktool/). Decode the apk:
     apktool d <your.apk>
* re-package with debugging enabled:
     apktool b -d <decoded-directory>
* sign the apk (I don't know if this step is necessary, but I did it, and the final result worked, so :)). [https://github.com/appium/sign - I found a download at: http://www.learn2crack.com/2014/02/sign-android-apk-zip.html]
     java -jar signapk.jar testkey.x509.pem testkey.pk8 <rebuilt.apk> <signed.apk>
* install the Android SDK (you will only need the SDK tools: http://developer.android.com/sdk/index.html#Other)
* Make sure that adb.exe can be found through your PATH environment variable!
* adb devices -l
* adb install <signed.apk> [ I made sure that the official app was first uninstalled ]
* enable USB debugging (https://www.kingoapp.com/root-tutorials/how-to-enable-usb-debugging-mode-on-android.htm)
 --> I also set the device to stay awake while charging
 --> + set the debug application to the one you just installed (your own debuggable version)
* Copy the android_server binary to the Android device and start it (for me it was in C:\Program Files (x86)\IDA 6.9\dbgsrv\android_server).
  [ from: https://www.trustwave.com/Resources/SpiderLabs-Blog/Debugging-Android-Libraries-using-IDA/ ]
     adb remount
     adb push android_server /system/
     adb shell
     su          (probably not needed for the emulator, but necessary if doing this on a rooted device)
     cd /system
     chmod 755 android_server
     ./android_server
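
An added example (not part of the original post, and not apktool's own code): a Python check to run on the plain-text AndroidManifest.xml in the directory apktool decodes, before rebuilding, to confirm or set the android:debuggable flag that lets a debugger attach to the app's Dalvik code. The sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"
# Keep the "android:" prefix when the manifest is written back out.
ET.register_namespace("android", ANDROID_NS)


def _application(root):
    """Return the <application> element or fail loudly if it is absent."""
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app


def is_debuggable(manifest_xml: str) -> bool:
    """True only if <application> carries android:debuggable="true".

    A missing attribute counts as False, which is Android's default.
    """
    app = _application(ET.fromstring(manifest_xml))
    return app.get(DEBUGGABLE, "false").lower() == "true"


def enable_debuggable(manifest_xml: str) -> str:
    """Return the manifest text with android:debuggable="true" set.

    Note: ElementTree drops XML comments, so the output is not
    byte-identical to the input apart from the flag.
    """
    root = ET.fromstring(manifest_xml)
    _application(root).set(DEBUGGABLE, "true")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body


# Constructed sample manifest (package and activity names are made up).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
    <application android:label="Target" android:debuggable="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    print("before:", is_debuggable(SAMPLE))
    print("after: ", is_debuggable(enable_debuggable(SAMPLE)))
```

The same `is_debuggable` check works the other way round as a release gate: a production build whose manifest returns True here can be attached to with the procedure in this post.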



Now fire up two instances of IDA.

IDA 1: load the signed APK file & point to the classes.dex
- Debugger > Debugger Options > Set Specific Options:
  * emulator (got that from adb devices)
  * click "fill" button
  * adb.exe should be auto-found.
- set your breakpoints
- change the default port in “Debugger/Process options” to any other value.
- start the Dalvik debugger and wait until breakpoint is hit.

IDA 2: load the signed APK file & point to the JNI file (generally under /lib/armeabi*/*.so)
- set your breakpoints
- select "remote arm linux/android debugger"
  * Debugger > Process Options: set everything OK here (no need to worry about the paths, just IP & port). I left the local file in there, and it asked me if this was the same (it was). So all OK there.
- debugger > attach to process (select the process)
- it will break on entry. So just say "run (F9)".

IDA 1: F8 to call the native function

IDA 2: here your breakpoint should have triggered.



That's all :-).


Other sources:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Debugging-Android-Libraries-using-IDA/
http://www.hexblog.com/?p=809
http://bbs.pediy.com/showthread.php?t=138472
http://www.asciitable.com/
