Android Tutorial Dump decrypted DLL file with IDA Pro

ThePianoGuy · August 15, 2016

Note: This tutorial was created by xiaobaiyey and written in chinese. This tutorial is poorly translated from Google Translation but i have fixed some grammar to make it easier to understand.

reviously I read an article by hook decrypting the encrypted dll Unity3D, recently new to dynamic, so they can try the next through IDA, the same as the shelling, dump the decrypted dll file, try the next, it really can, in here to share under

Requirements:
Tools: ida6.6 millet 2s
Game: Monthly Dragon knife (just find a game)
Enable USB-debugging in Developer Options

Open lib in IDA:
Unzip lib folder from the APK, drag the file libmono.so to IDA
Several functions mainly in the upper and lower breakpoint (refer mono source )

mono_image_open_from_data_full
mono_image_open_from_data
mono_image_open_from_data_with_name

In a decryption process can about these function

View the final in front of a function call or mono_image_open_from_data_with_name,

Enable Developer Options:
If Developer Option does not show in settings, follow the steps below.
1. Open Settings > About
2. Then tap “Build number” seven times to enable Developer options....
3. Go back to Settings menu and now you'll be able to see “Developer options” there.
4. Tap it and turn on USB Debugging

Dynamic debugging:
If the app has anti-debugging, you need to skip meals to debug, the following brief dynamic debugging Preparations (there are many online tutorials dynamic debugging)

Get android_server file from IDA PRO 6.6\ida66\dbgsrv or download the file HERE!

Push android_server file to the phone

1:

adb push android_server /data/local/tmp/

2:

adb shell

3:

cd /data/data/tmp/

4:

chmod 777 android_server

5:

./android_server

Port Forwarding:

adb forward tcp:23946 tcp:23946

Debug startup app:

adb shell am start -D -n com.huiguan.qinglong.taiqi.dl/com.huiguan.qlyyd.UnityPlayerNativeActivity

Check the app's PID:

1.

adb shell

2.

ps | grep dl

Record the PID and Forwarding (pid can be seen in the ida)

adb forward tcp:8700 jdwp:PID

Setting ida (the main settings hostname: 127.0.0.1) and open the attach process (wait for the program to automatically break live, live off later)

Run app (in the f9 at ifa)
This time in the cmd window run jdb debugger:

jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700

This time can be debugged
Run app will break on the linker

Then if the app is no anti-molestation: running directly f9
This window appears: same point

Wait a moment, will end on Linker , directly connected to f9 op row
If this window appears, select "yes (pass to app)" without waiting

Many may appear behind all this window select yes and then run f9
Finally broken in the mono_image_open_from_data_with_name, method
Loading is not the first time we want to skip dll

If you can not read f5 look at the source code, source code demonstrate this direct f5, where he rewrote momo source

int __fastcall mono_image_open_from_data_with_name (int a1, char * haystack, int a3, int a4, char a5, char * haystacka)

Several key parameters

// NT A1 read dll file offset address
// Char * haystack, DLL file size
// Char * haystacka , file name

This time following the R1 register to see the encrypted DLL file address, indicating the DLL has not yet begun to decrypt, decryption may later. And laid down the road to change a single note of each register after a simple loop

The dll decrypted
This time it decrypted DLL in memory,

This time it can have a dump,

Check Register Window: Find R6 and R11
The entire file offset start R6 = 7B95304C
End offset address R6 = R11 + 7B95304C + 3AF200 = 7BD0224C

Use; dump dex scripts

auto fp, dexAddress;
fp = fopen ( "D:\\Test.dll", "wb");
for (dexAddress = 0x7B95304C; dexAddress < 0x7BD0224C; dexAddress ++)
fputc (Byte(dexAddress), FP);

Under run on ok
Decryption out the effect,

Attach the original dll and decrypted dll

Credit:
xiaobaiyey

Updated August 15, 2016 by evildog1