We Can Still Crack You! General Unpacking Method for Android Packer (no root)

Presented at Black Hat Asia 2015

Recently, Android applications have employed tools such as APKProtect, DexGuard, BangCle, Ijiami, and LIAPP to protect their code. These tools modify the original DEX (Dalvik Executable) or replace the original DEX with a second DEX (for unpacking and loading) generated by the packing tool. The tools employ many anti-analysis techniques to prevent being analyzed, such as anti-debugging (for gdb), anti-JDWP (for the Java debugger), anti-tamper, and obfuscation of Dalvik and native code. They even use self-debugging (self-ptrace) techniques. These techniques leave a reverse engineer annoyed and devastated. Also, tools and systems that automatically analyze Android applications cannot analyze them correctly because of these anti-analysis techniques. However, we propose a novel general unpacking method that does not require root privilege. In this presentation, we are going to show you how it works.

Presenters:

  • Yeongung Park - ETRI
    Santa Park works as a Security Researcher at ETRI, Korea.
