GDB Native Debugging And Patching With AppUse

TOOLS:

1. gdbserver for the ARM platform (included in the AppUse toolchains).

2. gdb for the ARM platform (included in AppUse ReFrameworker).

Debug (with the Android emulator started):

Step 1: Run gdbserver on the target device.

root@ubuntu:~# cd /root/Desktop/AppUse/.android/android-sdk-linux 
root@ubuntu:~/Desktop/AppUse/.android/android-sdk-linux# find . -name gdbserver 
./ndk-bundle/prebuilt/android-arm/gdbserver 
./ndk-bundle/prebuilt/android-arm/gdbserver/gdbserver 
./ndk-bundle/prebuilt/android-mips64/gdbserver 
./ndk-bundle/prebuilt/android-mips64/gdbserver/gdbserver 
./ndk-bundle/prebuilt/android-x86_64/gdbserver 
./ndk-bundle/prebuilt/android-x86_64/gdbserver/gdbserver 
./ndk-bundle/prebuilt/android-arm64/gdbserver 
./ndk-bundle/prebuilt/android-arm64/gdbserver/gdbserver 
./ndk-bundle/prebuilt/android-x86/gdbserver 
./ndk-bundle/prebuilt/android-x86/gdbserver/gdbserver 
./ndk-bundle/prebuilt/android-mips/gdbserver 
./ndk-bundle/prebuilt/android-mips/gdbserver/gdbserver 

root@ubuntu:~/Desktop/AppUse/.android/android-sdk-linux# adb push ./ndk-bundle/prebuilt/android-arm/gdbserver /sdcard

root@ubuntu:~/Desktop/AppUse/.android/android-sdk-linux# adb shell ps | grep com.AppSecLabs.HackMeNative | awk '{print $2}'
900

Open another terminal and run the command below to start the debug server (the backtick expression looks up the app's PID, 900 above, and gdbserver attaches to it):
root@ubuntu:~# adb shell /sdcard/gdbserver :5050 --attach `adb shell ps | grep com.AppSecLabs.HackMeNative | awk '{print $2}'`
Attached; pid = 900
Listening on port 5050

Step 2: Pull the target APK from the device and disassemble it.

(Load APK -> Device -> com.AppSecLabs.HackMeNative-1.apk -> Pull APK)

Reversing -> Decode APK (apktool + baksmali)

The disassembled output is written to: /root/Desktop/AppUse/targets/com.AppSecLabs.HackMeNative-1./disassembled/

Step 3: Run the GDB client on Ubuntu (ReFrameworker -> Launch GDB Client).

Return to the first terminal and set up the adb port forward so the client can reach gdbserver's port on the emulator:
root@ubuntu:~/Desktop/AppUse/.android/android-sdk-linux# adb forward tcp:5050 tcp:5050

GNU gdb (GDB) 7.11
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".

(gdb) target remote :5050        // connect to the remote gdb server through the forwarded port
Remote debugging using :5050
warning: No executable has been specified and target does not support
determining executable automatically. Try using the "file" command.
0xb6f2a5cc in ?? ()
(gdb) set solib-search-path /root/Desktop/AppUse/targets/com.AppSecLabs.HackMeNative-1./disassembled/lib/armeabi     // search path for the app's .so libraries (the copies pulled in step 2)
Reading /system/bin/linker from remote target…
Reading symbols from /appuse/targets/com.AppSecLabs.HackMeNative-1./disassembled/lib/armeabi/libnative.so…(no debugging symbols found)…done.
Reading /system/bin/linker from remote target…
(gdb) info sharedlibrary    // list the loaded shared libraries and their load addresses
From To Syms Read Shared Object Library
0xb6f77a40 0xb6f82674 Yes (*) target:/system/bin/linker
…………………………..
0xa8c60c3c 0xa8c621bc Yes (*) /appuse/targets/com.AppSecLabs.HackMeNative-1./disassembled/lib/armeabi/libnative.so
No lib_renderControl_enc.so
No libGLESv2_enc.so
No libGLESv1_enc.so
No libOpenglSystemCommon.so
No gralloc.goldfish.so
No gralloc.default.so
(*): Shared library is missing debugging information.

(gdb) x/100i 0xa8c60c3c
0xa8c60c3c: ldr r2, [pc, #8] ; 0xa8c60c4c
0xa8c60c40: mov r1, #0
0xa8c60c44: add r2, pc, r2
………………..
0xa8c60d5c <checkSecret>: push {r11, lr}
0xa8c60d60 <checkSecret+4>: add r11, sp, #4
0xa8c60d64 <checkSecret+8>: sub sp, sp, #8
0xa8c60d68 <checkSecret+12>: str r0, [r11, #-8]
0xa8c60d6c <checkSecret+16>: str r1, [r11, #-12]
0xa8c60d70 <checkSecret+20>: ldr r0, [r11, #-8]
0xa8c60d74 <checkSecret+24>: ldr r1, [r11, #-12]
0xa8c60d78 <checkSecret+28>: bl 0xa8c60bf4 <strcmp@plt>
0xa8c60d7c <checkSecret+32>: mov r3, r0
0xa8c60d80 <checkSecret+36>: cmp r3, #0

(gdb) x/100i checkSecret                 // disassemble checkSecret by symbol (exported from libnative.so)
0xa8c60d5c <checkSecret>: push {r11, lr}
0xa8c60d60 <checkSecret+4>: add r11, sp, #4
0xa8c60d64 <checkSecret+8>: sub sp, sp, #8
0xa8c60d68 <checkSecret+12>: str r0, [r11, #-8]
0xa8c60d6c <checkSecret+16>: str r1, [r11, #-12]
0xa8c60d70 <checkSecret+20>: ldr r0, [r11, #-8]
0xa8c60d74 <checkSecret+24>: ldr r1, [r11, #-12]
0xa8c60d78 <checkSecret+28>: bl 0xa8c60bf4 <strcmp@plt>
0xa8c60d7c <checkSecret+32>: mov r3, r0
0xa8c60d80 <checkSecret+36>: cmp r3, #0
0xa8c60d84 <checkSecret+40>: movne r3, #0
0xa8c60d88 <checkSecret+44>: moveq r3, #1
0xa8c60d8c <checkSecret+48>: mov r0, r3
0xa8c60d90 <checkSecret+52>: sub sp, r11, #4
0xa8c60d94 <checkSecret+56>: pop {r11, pc}
……………………..
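To make the disassembly above easier to read, here is an added C reconstruction of checkSecret() as the instructions at 0xa8c60d5c..0xa8c60d94 show it. This is example code written for this write-up, not code from the original post or from the HackMeNative app; the parameter names input/secret are assumptions, since the library ships without symbols for them.

```c
#include <string.h>

/* Models r3 after `cmp r3, #0 / movne r3, #0 / moveq r3, #1`
 * (checkSecret+36..+44): the raw strcmp() result is collapsed to
 * 1 when the strings are equal and 0 otherwise. */
int check_secret_flag(int strcmp_result) {
    return strcmp_result == 0 ? 1 : 0;
}

/* Reconstruction of checkSecret(); parameter names are assumed. */
int checkSecret(const char *input, const char *secret) {
    /* +12/+16: the two arguments (r0, r1) are spilled to the stack frame,
     * +20/+24: reloaded into r0/r1 for the call,
     * +28: bl strcmp@plt, +32: mov r3, r0 keeps the result in r3. */
    int r3 = strcmp(input, secret);

    /* +36..+44: turn the result into a 0/1 flag (see check_secret_flag),
     * +48: mov r0, r3 makes the flag the return value,
     * +52/+56: restore sp and return to the caller. */
    return check_secret_flag(r3);
}
```

The breakpoint the post sets at checkSecret+48 (`mov r0, r3`) is the last instruction at which r3 still holds the 0/1 flag before it becomes the return value, which is why the post inspects and changes r3 there rather than r0.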

(gdb) b *0xa8c60d8c              // set a breakpoint at checkSecret+48 (mov r0, r3)
Note: breakpoint 1 also set at pc 0xa8c60d8c.
Breakpoint 2 at 0xa8c60d8c

(gdb) i b        // info breakpoints: list the breakpoints and their hit counts
Num Type Disp Enb Address What
1 breakpoint keep y 0xa8c60d8c <checkSecret+48>
breakpoint already hit 1 time
(gdb) c                         //Continue to run the application on the android emulator
Continuing.

Thread 1 "bs.HackMeNative" hit Breakpoint 1, 0xa8c60d8c in checkSecret ()
from /appuse/targets/com.AppSecLabs.HackMeNative-1./disassembled/lib/armeabi/libnative.so            // stopped at 0xa8c60d8c
(gdb) info registers                    // check r3: it holds the comparison flag that is about to be returned; r3=0 means strcmp did not match, r3=1 means the check passes
r0 0x1 1
r1 0xb916691c 3105253660
r2 0x33323130 858927408
r3 0x0 0
r4 0xaf5d9788 2942146440
r5 0xb8f78380 3103228800
r6 0x4 4
r7 0xb0293dc4 2955492804
r8 0xbeb6d538 3199653176
r9 0xb0293dbc 2955492796
r10 0xb8f78390 3103228816
r11 0xbeb6d50c 3199653132
r12 0x343332 3420978
sp 0xbeb6d500 0xbeb6d500
lr 0xa8c60d7c -1463415428
pc 0xa8c60d8c 0xa8c60d8c <checkSecret+48>
cpsr 0x28000010 671088656
(gdb) set $r3=1               // overwrite r3 with 1 before it is copied to r0
(gdb) c                              // continue running
Continuing.

The app on the emulator now shows "access granted!": the check passed.

posted @ 2019-05-08 05:43  heycomputer