r2frida or die

Hassles

  • Fully stripped
  • String encryption
  • Assembly syscalls
  • Code encryption
  • Dynamic code loading

Strategy

  • Do manual RE and find out how this packer works
  • Hook the unpacking code (init_array) (STAGE0)
  • Figure out libc functions by hand (Sigyl?)
  • Hook assembly syscalls with Frida
  • After mmap use the return ptr as STAGE1 baseaddr
  • Wait until mapped memory is mprotected
  • Dump STAGE1 code from mmap ptr
  • Hijack the fptr ("entrypoint") that jumps to STAGE1
  • Hook any function within STAGE1 w/ baddr+offset
  • Bindiff STAGE0 w/ STAGE1 & recover symbols
  • Repeat steps with STAGE1... more syscalls... more RE...
  • Hook code at STAGE2 ...
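
Added example (not from the talk, r2frida or the packer's code): a Frida script that follows the strategy above on arm64. It assumes the packer issues raw "svc #0" instructions with the syscall number in x8, arguments in x0..x5 and the result in x0; the library name and dump path are placeholders. The bookkeeping that decides what to dump is kept separate from the Frida glue so it runs (and can be checked) without a device.

```javascript
'use strict';
// Added example, not the talk's own script. Assumes arm64 Linux syscall
// conventions; "libpacked.so" and the dump path are placeholders.

const SYS_MMAP = 222;       // Linux arm64 generic syscall table
const SYS_MPROTECT = 226;
const PROT_EXEC = 4;
const SVC0 = '01 00 00 d4'; // little-endian bytes of arm64 "svc #0" (0xd4000001)

// Pure bookkeeping, independent of Frida: remembers successful mmap results
// and reports when one of those regions is about to be made executable.
class StageTracker {
  constructor() {
    this.regions = [];   // { base, size } of successful mmaps
    this.pending = null; // syscall currently executing
  }
  // Called before the SVC executes. Returns { base, size } of the mmap
  // region to dump when this is an mprotect(..., PROT_EXEC) inside it.
  onSyscall(nr, args) {
    this.pending = { nr, args };
    if (nr === SYS_MPROTECT && (args[2] & PROT_EXEC) !== 0) {
      const hit = this.regions.find(r => args[0] >= r.base && args[0] < r.base + r.size);
      if (hit) return { base: hit.base, size: hit.size };
    }
    return null;
  }
  // Called with x0 after the SVC executed; ret < 0 means the kernel returned -errno.
  onReturn(ret) {
    const p = this.pending;
    this.pending = null;
    if (p !== null && p.nr === SYS_MMAP && ret >= 0) {
      this.regions.push({ base: ret, size: p.args[1] });
    }
  }
}

// Frida glue: only runs inside a frida session (these globals are absent under node).
function installSvcHooks(libName, dumpPath) {
  const tracker = new StageTracker();
  const mod = Process.getModuleByName(libName);
  const toNum = p => parseInt(p.toString(), 16);
  // a 64-bit -errno comes back as 0xffffffffffffffxx; map it to a negative number
  const retToNum = p => (p.shr(32).toUInt32() === 0xffffffff ? p.toInt32() : toNum(p));

  // scan only the executable ranges of STAGE0 for "svc #0"
  for (const range of mod.enumerateRanges('--x')) {
    for (const m of Memory.scanSync(range.base, range.size, SVC0)) {
      // function-shorthand callbacks are onEnter-only, so hooking a mid-function
      // instruction does not touch the enclosing function's return address
      Interceptor.attach(m.address, function () {
        const c = this.context;
        const nr = c.x8.toInt32();
        const args = [c.x0, c.x1, c.x2, c.x3, c.x4, c.x5].map(toNum);
        const req = tracker.onSyscall(nr, args);
        if (req !== null) {
          // STAGE1 is fully written before it is made executable: dump it now
          const f = new File(dumpPath, 'wb');
          f.write(Memory.readByteArray(ptr(req.base), req.size));
          f.close();
          console.log('[*] STAGE1 dumped from ' + ptr(req.base) + ' size ' + req.size);
        }
      });
      // the instruction right after the SVC sees the kernel's return value in x0
      Interceptor.attach(m.address.add(4), function () {
        tracker.onReturn(retToNum(this.context.x0));
      });
    }
  }
  return tracker;
}

// Once STAGE1's base is known, any function inside it can be hooked by
// base + offset (offsets recovered from the dump, e.g. after bindiffing).
function hookStage1(base, offset, name) {
  Interceptor.attach(ptr(base).add(offset), {
    onEnter(args) { console.log('[*] ' + name + '(' + args[0] + ', ' + args[1] + ')'); },
  });
}

if (typeof Interceptor !== 'undefined') {
  installSvcHooks('libpacked.so', '/data/local/tmp/stage1.bin'); // placeholder names
}
```

Load it with frida before .init_array runs (spawn rather than attach) so the hooks are in place for STAGE0. Hooking the instruction right after the SVC assumes Frida can patch the SVC site with a 4-byte branch; if it needs a longer patch, the adjacent hook will not work and the return value has to be read another way (for example with Stalker).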

RE .init_array

Frida hooking SVC

ARM code dumped

"STAGE1"

Bindiffing stages

Diaphora

STAGE1 Crypto

APKiD rule

Takeaways

  • Obfuscation wasn't so hard
  • Assembly syscall numbers weren't concealed
  • No anti-disassembly tricks and easy logic
  • Asm syscall hooking with Frida was doable
  • Kernel module might be the way to go
  • Packed as a "Matroska" Russian doll
  • Stage bindiffing was very convenient

NoName packer RE w/ r2frida

By Eduardo Novella
