When I reverse engineer applications on x86, I can get the x86 assembly code while debugging, e.g. disassemble the opcode pointed by EIP/RIP to x86 assembly. But for android application, I always need some kind of source in advance to make the debugging useful. My question is, instead of doing a disassembly of the apk, can I get the java/smali code of the program that I'll debug in real time? In other words, can the debugger "disassemble" the code on the fly like what it can do on x86?
The reason I want that is because when I use the disassembled code of the APK, I only get the static disassembly code of the program, but what if the method is hooked?
I've been reversing for a little while and I never came across a live debugging tool for Smali bytecodes. However, it is really useful to have both static and dynamic analysis in our toolset when you have some complex targets. This is how I do it, it might help you out.
String encrypt(String key, String data);
Using Xposed we can do the following to dump the key:public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
if (!lpparam.packageName.equals("com.target.app")) {
return;
}
findAndHookMethod("com.target.app.CryptoClass", lpparam.classLoader, "encrypt", String.class, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
Log.i("TargetApp_Hook", "Secret Key: " + param.args[0].toString());
}
});
You can use Xposed to hook before and after methods, replace methods, avoid a method call, call a method directly using your code and much more ! There is also a tool named Frida that let you hook Java code but also native code at the same time, it is simple to use and everything is wrapped through their custom Javascript API. However, I found Xposed to be more stable.