Giter VIP home page Giter VIP logo

dehoser's Introduction

dehoser

Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header

What is HoseDex2Jar?

HoseDex2Jar is an attempt to create a service to obfuscate/mangle/mung APK files to prevent decompilation (maybe analysis?) of those files. The service is currently located at [http://www.decompilingandroid.com/hosedex2jar/]

The current method deployed by HoseDex2Jar is actually very similar (the same?) method described in my BlackHat 2012 presentation. The original dex file is repackage into a zip/jar/apk (it's just a compressed archive containing the dex file). Then this file is encrypted and packed into the Dalvik header. This process is outlined in "DexEducation: Practicing Safe Dex" found here; [http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf]

How does this work?

This is just a quick PoC unpacker - since the encryption methods are static. The interesting part for me was just figuring out how the packing/unpacking was being done - so I didn't bother reversing the actual crypto used. Since it was static across all binaries I used, I decided to take a "interesting" way to do the crypto in a lazy way. Since the hoser is meant to break dex2jar, I thought it would be funny to use dex2jar against itself! After running the crypto code through dex2jar, I simply imported it into a java project and access the function directly. The rest of the code simply wraps this function and properly reads the bytes needed for unpacked and decrypting.

Since I ended up being somewhat interesting in what was actualling going on in the (de)obfuscation layer, I tore it apart and recoded it into the unpacker. This removes the external jar (created via dex2jar) as a dependancy, though I left the function and the jar included into the project. I attempted to leave the code as close to what it was compiled down to, including the silly function names. This might prove useful for anyone who wants to reverse a newer version, or just follow along. I've also included the "dead" code, which might be used to mangle some tools, or it could just be left of, or maybe it's just an attempt to confused reversers. Either way, all the code is in there and commmented.

Anything else?

A commented IDA Pro IDB file is in the examples directory. Dumped into this directory upon request :)

Tim Strazzere - [email protected] - @timstrazz

dehoser's People

Contributors

strazzere avatar

Stargazers

avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.