Manual DeObfuscation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Manual De-obfuscation Techniques

In the realm of software security, the process of making obscured code understandable, known as de-obfuscation, is crucial. This guide delves into various strategies for de-obfuscation, focusing on static analysis techniques and recognizing obfuscation patterns. Additionally, it introduces an exercise for practical application and suggests further resources for those interested in exploring more advanced topics.

Strategies for Static De-obfuscation

When dealing with obfuscated code, several strategies can be employed depending on the nature of the obfuscation:
  • DEX bytecode (Java): One effective approach involves identifying the application's de-obfuscation methods, then replicating these methods in a Java file. This file is executed to reverse the obfuscation on the targeted elements.
  • Java and Native Code: Another method is to translate the de-obfuscation algorithm into a scripting language like Python. This strategy highlights that the primary goal is not to fully understand the algorithm but to execute it effectively.

Identifying Obfuscation

Recognizing obfuscated code is the first step in the de-obfuscation process. Key indicators include:
  • The absence or scrambling of strings in Java and Android, which may suggest string obfuscation.
  • The presence of binary files in the assets directory or calls to DexClassLoader, hinting at code unpacking and dynamic loading.
  • The use of native libraries alongside unidentifiable JNI functions, indicating potential obfuscation of native methods.

Dynamic Analysis in De-obfuscation

By executing the code in a controlled environment, dynamic analysis allows for the observation of how the obfuscated code behaves in real time. This method is particularly effective in uncovering the inner workings of complex obfuscation patterns that are designed to hide the true intent of the code.

Applications of Dynamic Analysis

  • Runtime Decryption: Many obfuscation techniques involve encrypting strings or code segments that only get decrypted at runtime. Through dynamic analysis, these encrypted elements can be captured at the moment of decryption, revealing their true form.
  • Identifying Obfuscation Techniques: By monitoring the application's behavior, dynamic analysis can help identify specific obfuscation techniques being used, such as code virtualization, packers, or dynamic code generation.
  • Uncovering Hidden Functionality: Obfuscated code may contain hidden functionalities that are not apparent through static analysis alone. Dynamic analysis allows for the observation of all code paths, including those conditionally executed, to uncover such hidden functionalities.

References and Further Reading

  • BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” [video]
    • This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code.
  • REcon 2019: “The Path to the Payload: Android Edition” [video]
    • This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: