Deobfuscator for Android Application

Overview

This tool was selected for Black Hat Arsenal USA 2020.

What is Deoptfuscator

  • Deoptfuscator is a tool for deobfuscating Android applications that have been transformed using control-flow obfuscation mechanisms.
  • Deoptfuscator can reverse the control-flow obfuscation performed by DexGuard on open-source Android applications.

Publication

@article{you2022deoptfuscator,
    title = "Deoptfuscator: Defeating Advanced Control-flow Obfuscation Using Android Runtime (ART)",
    journal = "IEEE Access",
    volume = "10",
    pages = "61426-61440",
    year = "2022",
    issn = "2169-3536",
    doi = "10.1109/ACCESS.2022.3181373",
    url = "https://ieeexplore.ieee.org/document/9791370",
    author = "You, Geunha and Kim, Gyoosik and Han, Sangchul and Park, Minkyu and Cho, Seong-je",
    keywords = "Android app, malicious app, obfuscation, deobfuscation, control-flow obfuscation"
 }

Prerequisites

In order to build and run deoptfuscator, the following are required:

  • Deoptfuscator is based on an Ubuntu 18.04 LTS 64-bit PC
    • libboost, libjson (C++ library)
      $ sudo apt-get install libboost-all-dev  
      $ sudo apt-get install libjsoncpp-dev
      
    • openjdk
      $ sudo apt-get install openjdk-11-jdk
      
    • i386 libc
      $ sudo dpkg --add-architecture i386  
      $ sudo apt-get update  
      $ sudo apt-get install libc6:i386 libstdc++6:i386
      
    • zipalign
      $ sudo apt-get install zipalign
      
    • apksigner
      $ sudo apt-get install apksigner
      

How to Install

  • The deoptfuscator repository requires Git LFS (git-lfs).
  • Git LFS
    $ curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | sudo bash
    $ sudo apt install git-lfs
    $ git clone https://github.com/Gyoonus/deoptfuscator.git

Our repository already contains the tools needed to run Deoptfuscator.

How to Use

  • Set Local Environment

    $ . ./launch.sh  
    

    OR

     $ source ./launch.sh
    
  • Deobfuscate an Android application that has been transformed using control-flow obfuscation techniques.

    $ python3 deoptfuscator.py <obfuscated_apk>  
    
  • Test our tools!

    $ python3 deoptfuscator.py test/AndroZoo_DexGuard_apk/com.alienguns.scifirifles_4F326C99558145BB636D31C96488823A.apk
    
    • If the input file (an obfuscated app) was com.alienguns.scifirifles_4F326C99558145BB636D31C96488823A.apk, the file name of the deobfuscated apk is com.alienguns.scifirifles_4F326C99558145BB636D31C96488823A_deobfuscated_align.apk
  • Our tool can effectively deobfuscate Android applications transformed with the control-flow obfuscation option of DexGuard:

    • Our tool can currently handle the control-flow obfuscation techniques of DexGuard.
    • It cannot handle other obfuscation techniques such as layout obfuscation, identifier renaming, and string encryption.
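
A preflight check for the steps above, as an added example that is not part of the deoptfuscator repository: it confirms that the variables the tool reads are set in the current shell and that the helper binaries and prerequisite commands are present before deoptfuscator.py is run. The names ANDROID_HOST_OUT, bin/OTest, TOOLS and redex-all are taken from the error output quoted in the comments on this page; that launch.sh sets both variables, and the function names deopt_check_env and deopt_check_cmds, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the deoptfuscator repository.
# ANDROID_HOST_OUT, bin/OTest, TOOLS and redex-all are the names that appear
# in the error output on this page; that launch.sh exports both variables is
# an assumption.

# Check the environment deoptfuscator.py reads. Prints one line per problem
# and returns the number of problems found (0 = ready).
deopt_check_env() {
    problems=0
    if [ -z "${ANDROID_HOST_OUT:-}" ]; then
        echo "ANDROID_HOST_OUT is unset; run '. ./launch.sh' in this shell"
        problems=$((problems + 1))
    elif [ ! -x "$ANDROID_HOST_OUT/bin/OTest" ]; then
        echo "not found or not executable: $ANDROID_HOST_OUT/bin/OTest"
        problems=$((problems + 1))
    fi
    if [ -z "${TOOLS:-}" ]; then
        echo "TOOLS is unset; run '. ./launch.sh' in this shell"
        problems=$((problems + 1))
    elif [ ! -x "$TOOLS/redex-all" ]; then
        echo "not found or not executable: $TOOLS/redex-all"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Check that the given commands are on PATH (default: the prerequisites
# installed with apt-get above). Returns the number of missing commands.
deopt_check_cmds() {
    [ "$#" -gt 0 ] || set -- java zipalign apksigner python3
    problems=0
    for cmd in "$@"; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "not on PATH: $cmd"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage, in the repository root after '. ./launch.sh':
#   deopt_check_env && deopt_check_cmds && python3 deoptfuscator.py <obfuscated_apk>
```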

Contact

  • E-mail : gyoonus at gmail dot com [Gyoosik Kim(김규식)]
  • Mobile : 082)10-9888-2792

Acknowledgement

  • This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT (no. 2018R1A2B2004830).
Comments
  • KeyError: 1765

    location : True .apk/classes.dex
    Traceback (most recent call last):
      File "deoptfuscator.py", line 23, in <module>
        deobfuscator.main(".apk/"+dex)
      File "deobfuscator/deobfuscator.py", line 20, in main
        dexfile(dex)
      File "deobfuscator/classes.py", line 27, in dexfile
        dexf_a[dex_location+2] = class_dic[f_idx+add]
    KeyError: 1765

    bug 
    opened by rahul-sani 5
  • NOT WORKING

    Hi, could you please tell me what's wrong? I got that message:

    Traceback (most recent call last):
      File "deoptfuscator.py", line 18, in <module>
        deobfuscator.main(".apk/"+dex)
      File "deobfuscator\deobfuscator.py", line 9, in main
        ret = opaque_id.opaque_id(dex)
      File "deobfuscator\opaque_id.py", line 6, in opaque_id
        child = subprocess.Popen([os.getenv('ANDROID_HOST_OUT')+'/bin/OTest'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

    What's wrong? I tried with both python2 and python3 but got the same error.

    opened by AKBIROCK3 5
  • ValueError

    location : True .apk/classes.dex
    Traceback (most recent call last):
      File "deoptfuscator.py", line 24, in <module>
        deobfuscator.main(".apk/"+dex)
      File "deobfuscator/deobfuscator.py", line 20, in main
        dexfile(dex)
      File "deobfuscator/classes.py", line 20, in dexfile
        class_dic[int(num[0])] = int(num[1])
    ValueError: invalid literal for int() with base 10: '45b8'

    bug 
    opened by HaCkErNiCe 3
  • OTest File not found

    So... It says that it couldn't find OTest

    I: Using Apktool 2.4.1 on XXXXXX
    I: Copying raw resources...
    I: Copying raw classes.dex file...
    I: Copying raw classes2.dex file...
    I: Copying raw classes3.dex file...
    I: Copying assets and libs...
    I: Copying unknown files...
    I: Copying original files...
    I: Copying META-INF/services directory
    .apk/classes.dex
    Traceback (most recent call last):
      File "deoptfuscator.py", line 18, in <module>
        deobfuscator.main(".apk/"+dex)
      File "deobfuscator/deobfuscator.py", line 9, in main
        ret = opaque_id.opaque_id(dex)
      File "deobfuscator/opaque_id.py", line 6, in opaque_id
        child = subprocess.Popen([os.getenv('ANDROID_HOST_OUT')+'/bin/OTest'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
      File "/usr/lib/python3.8/subprocess.py", line 854, in __init__
        self._execute_child(args, executable, preexec_fn, close_fds,
      File "/usr/lib/python3.8/subprocess.py", line 1702, in _execute_child
        raise child_exception_type(errno_num, err_msg, err_filename)
    FileNotFoundError: [Errno 2] No such file or directory: '/home/schni/temp/deoptfuscator/android/bin/OTest'
    

    But I can verify that it is there. But if I want to run it manually it also says it couldn't be found. But cat works...

    opened by h4ckd0tm3 2
  • Error - File "deoptfuscator.py", line 18, in ...

    Machine built precisely to version and following steps.

    Environmental variables set with launch.sh and then running against APK file in same directory.

    Attempted to run against a directory with the APK unzipped as well and did not work.

    Install steps were as follows:

    sudo apt-get install -y libboost-all-dev  
    sudo apt-get install -y libjsoncpp-dev
    sudo apt-get install -y openjdk-11-jdk
    sudo dpkg --add-architecture i386  
    sudo apt-get update  
    sudo apt-get install -y libc6:i386 libstdc++6:i386
    sudo apt-get install -y zipalign
    sudo apt-get install -y apksigner
    
    sudo apt install -y curl
    curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | sudo bash
    sudo apt install -y git-lfs
    git clone https://github.com/Gyoonus/deoptfuscator.git
    

    All installed without error message. Have tried running with sudo and get same error. Have tried running with working directory in command, receive same error.

    Please advise. Thanks!

    opened by min3rv4 1
  • Error: Unable to access jarfile /apktool.jar

    Error: Unable to access jarfile /apktool.jar
    Traceback (most recent call last):
      File "deoptfuscator.py", line 18, in <module>
        dex_li = [a for a in os.listdir(".apk") if a.endswith(".dex") and a.startswith("classes")]
    FileNotFoundError: [Errno 2] No such file or directory: '.apk'

    command used: python3 deoptfuscator.py apkname.apk

    opened by rahul-sani 1
  • Something called "ANDROID_HOST_OUT" is not working

    I think there are still some modules required to run this tool

    Traceback (most recent call last):
      File "deoptfuscator.py", line 19, in <module>
        deobfuscator.main(".apk/"+dex)
      File "deobfuscator/deobfuscator.py", line 9, in main
        ret = opaque_id.opaque_id(dex)
      File "deobfuscator/opaque_id.py", line 6, in opaque_id
        child = subprocess.Popen([os.getenv('ANDROID_HOST_OUT')+'/bin/OTest'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
    
    opened by sting8k 1
  • error while loading shared libraries: libboost_iostreams.so.1.71.0

    Hello. This is part of the answer when using deoptfuscator:

    Error : .apk/classes4.dex
    /root/deoptfuscator/tools/redex-all: error while loading shared libraries: libboost_iostreams.so.1.71.0:cannot open shared object file: No such file or directory
    $TOOLS/redex-all .apk/const/const.dex -o .apk/const
    mv: cannot stat '.apk/const/classes.dex': No such file or directory
    .apk/classes7.dex
    Error : .apk/classes7.dex
    /root/deoptfuscator/tools/redex-all: error while loading shared libraries: libboost_iostreams.so.1.71.0: cannot open shared object file: No such file or directory
    $TOOLS/redex-all .apk/const/const.dex -o .apk/const
    mv: cannot stat '.apk/const/classes.dex': No such file or directory

    Please can you tell me how to fix it

    opened by nsysp4 2