strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
Apache License 2.0
1.12k stars 331 forks

An issue occurred trying to dump the memory to a file #32

Closed TheRealJunior closed 7 years ago

TheRealJunior commented 7 years ago

Steps to reproduce:

  1. trying to unpack this: https://play.google.com/store/apps/details?id=com.zhiliaoapp.musicallylite
  2. ./data/local/tmp/kisskiss com.zhiliaoapp.musicallylite

Screenshot

Using: Nox Player (x86) API Version 19 (4.4.2)

SHA1: 0c4d6be2dc5de92bcb0a87b2bcd4108a7634d0a6

TheRealJunior commented 7 years ago

Adding this line of code before return -1:

printf(" [!] error: %s\n", strerror(errno));

prints:

error: Invalid Argument

ppereviazko commented 7 years ago

I have the same problem. "pread" returns -1 everywhere and errno == 22 (Invalid Argument). This is the same for any running process in the system. API Version 22 (5.1.1) x86 Android Emulator

Screen with some log info: image

strazzere commented 7 years ago

Are you using the same application? Judging by the man page for Invalid argument;

EINVAL
The STREAM or multiplexer referenced by fildes is linked (directly or indirectly) downstream from a multiplexer.

The application is potentially already reading the address or has it locked some way.

Based on your screenshot, it looks like the unpacker is attempting to read protected or non-readable areas. Try unprotecting/enabling reading first.

ppereviazko commented 7 years ago

I use your native-unpacker (kisskiss), the latest version (current master branch); by the way, it's a very good solution. I see that pread does not work properly for me. How can I try unprotecting/enabling reading? I run the app as root, of course.

strazzere commented 7 years ago

Currently the code doesn't do anything to the memory regions - so it needs to be changed within the code.

Do you have the application hash you're attempting to unpack? Or potentially an uploaded file?

ppereviazko commented 7 years ago

SHA1: 5EA79666EF98D70B2673FE8885181CEBB30AA8EC

But I don't think this problem is connected with the app. I think the cause of the problem is in the emulator or OS. I'm going to try to unpack it on another version of Android.

strazzere commented 7 years ago

Cool, let me know if that helps. Since you're running on 5 or higher, selinux might be nerfing ptrace/pread/etc.

ppereviazko commented 7 years ago

Android 7: all the same... Maybe the cause of the problem is the emulator. I use the original Google AVD. image

strazzere commented 7 years ago

What makes you believe this application is packed? It does not appear to be, though it does include some obfuscation and protectors.

ppereviazko commented 7 years ago

Two parts of the signing and encrypt/decrypt mechanism are packed. But very simply, without encryption. Getting a model of classes from memory would be nice. But I found it now, without unpacking. Thank you. I think I have solved my task.

strazzere commented 7 years ago

I've only skimmed the binary; it appears two dex files are dynamically loaded (they're listed as shared libraries via extensions, but are just jars).

Other than that didn't see anything "packed". Going to close this for now.