Try this crackme.so



#1

ginmay

Hi there.

A .so is a binary used in Android applications, compiled from C or C++.

I launched this in IDA and discovered it's using ollvm. There are deobfuscators available, but I don't have IDA 7.1 or IDA 7.2 (this .so is from armeabi-v7a).

Also, another script using Binary Ninja requires the full version, otherwise we can't access the API.


Anyway here's a function call from

 

base64 decrypt this, don't post the function name:

Please Login or Register to see this Hidden Content

 

 

As you can see, the function is hidden in the .so and you need to find the decryptor.

If you are able to deobfuscate it, please show me how you do it.

Is there any way to dump the memory instead of reading the .so binary?


Please Login or Register to see this Hidden Content

or

Please Login or Register to see this Hidden Content


Edited by ginmay, 10 October 2019 - 04:39 AM.


#2

FaithHF

A .so isn't necessarily compiled from C/C++, nor is it only used in Android.

It's basically just the Unix equivalent of the Windows DLL file (or in other words a compiled library to save time at compile time for applications that use it, only needing to link the file rather than recompile the entire thing together).

If it's encrypted with ollvm, then I wouldn't try to just pop it into IDA since you're going to get all kinds of BS, as

Please Login or Register to see this Hidden Content

.

Instead, maybe try using LLDB. It's packaged in most Debian/Ubuntu distros afaik, or it should be an easy install. And it seems to follow a command mapping pretty similar to GDB, so the learning curve shouldn't be too steep.

At least with debugging you don't need to blankly stare at obfuscated code and try to make sense of it; instead just step through with LLDB and find the important stuff.

Oh, but don't forget that you can't really debug a .so file since it, well, doesn't really run on its own. You'll need to create a quick program that calls the function on its own (LD_PRELOAD will be useful here). Make sure it's linked properly and you should be good to go.



#3

ginmay

He is using the Microcode API; only IDA 7.1 and above have it, and 7.1 can only debug 64-bit apps.
This Android .so is 32-bit. I unpacked it today, but the function I mentioned above is still hidden, and I have no idea how to map it back to its original address.
TRhHw2Qfk9DlqAmbOY0GHpnzKYwulSORoxhX7Hgn

If anyone would like to give it a shot, here is the file

Please Login or Register to see this Hidden Content


Edited by ginmay, 13 October 2019 - 12:19 AM.
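
On the two questions raised in this thread (dumping the loaded library from memory, and mapping an address seen at run time back to the library), here is an added example that is not part of any post above. It reads the text of `/proc/<pid>/maps` and translates a runtime address into a library-relative address and a file offset. The library name, package path and addresses are constructed, and it assumes the library's first loadable segment is mapped from file offset 0 at virtual address 0.

```python
import re
from typing import NamedTuple

class Region(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int   # file offset this mapping was created from
    path: str

_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text, lib_name):
    """Return the file-backed mappings of lib_name found in /proc/<pid>/maps text."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m and m.group(5).endswith("/" + lib_name):
            s, e, perms, off, path = m.groups()
            regions.append(Region(int(s, 16), int(e, 16), perms, int(off, 16), path))
    return sorted(regions)

def load_base(regions):
    # Assumption: the first PT_LOAD segment has p_vaddr 0 and file offset 0.
    for r in regions:
        if r.offset == 0:
            return r.start
    raise ValueError("no mapping created from file offset 0")

def locate(regions, addr):
    """Map a runtime address to (library-relative address, file offset), or None."""
    base = load_base(regions)
    for r in regions:
        if r.start <= addr < r.end:
            return addr - base, addr - r.start + r.offset
    return None

# Constructed sample for a 32-bit process; not taken from the thread's file.
SAMPLE_MAPS = """\
b3a1c000-b3a5e000 r-xp 00000000 fd:00 1234  /data/app/com.example.crackme-1/lib/arm/libcrackme.so
b3a5e000-b3a60000 r--p 00041000 fd:00 1234  /data/app/com.example.crackme-1/lib/arm/libcrackme.so
b3a60000-b3a61000 rw-p 00043000 fd:00 1234  /data/app/com.example.crackme-1/lib/arm/libcrackme.so
b3a61000-b3a70000 rw-p 00000000 00:00 0     [anon:.bss]
b6e00000-b6e80000 r-xp 00000000 fd:00 99    /system/lib/libc.so
"""

if __name__ == "__main__":
    rva, off = locate(parse_maps(SAMPLE_MAPS, "libcrackme.so"), 0xb3a5e123)
    print(hex(rva), hex(off))
```

The library-relative address is the one a disassembler shows when the image is loaded at base 0. It differs from the file offset in the later segments, so the two values must not be mixed when comparing a memory dump against the file on disk.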
