How do I reverse engineer .so files found in android APKs?

Question

I know how to reverse engineer normal android APKs using tools like APK-tool anddex2jar but i don't know how to work with obfuscation. Can anyone help or atleast provide some pointers? I know this largely constitues learning by myself but I really don't know what to look or where to look. Some examples would be really helpful. Thanks!

Edit:

When I extract everything from APK, I get some SMALI files (I tried JD-GUI but the strings contained random names. Probably obfuscated using Proguard.), some resource files and a ".so" files in the lib directory. How do I analyze the ".so" file. I know that SO files are, kind of DLLs of the Linux world but what are the tools that can be used to analyze SO files. Any links to videos would be very helpful. :)

Also, how would I get around if there were a JAR file instead of SO file in the APK?

Guntram Blohm · Accepted Answer

The .so file is a compiled library, in most cases from C or C++ source code. .so stands for Shared Object, it doesn't have anything to do with obfusation, it just means someone wrote parts of the app in C.

In some cases, there is existing C code and it's just easier for the programmer to build a JNI interface to call the library from java; in other cases, the programmer wants the speed advantage that compiled C has over java. And of course, if i want to hide how some part of my application works, writing that in C and compiling it to a .so makes it much harder to reverse.

If you want to reverse an android .so, these are the options you have:

Buy the commercial version of IDA pro. The demo versions will not do, as they can't disassemble ARM code. This is expensive, but by far the best tool to work with unknown object code.
If the app includes versions of the .so for different hardware, and if it has a library for android on x86, you can use the free IDA 5.1 version to disassemble it.
If you have access to a linux system, get a gcc toolchain for ARM that includes objdump, and use objdump --disassemble to get a huge text file containing disassembled code. Then, have fun with that text file. There might be gcc toolchains for ARM targets that run on windows as well, but i never tried.
You could also upload the .so file to http://onlinedisassembler.com/ to get a disassembled file, if you don't want to install a gcc toolchain.

Beware, though, in all of these cases, you need a thorough understanding of the ARM processor architecture, assembler language, JNI conventions, and compiler ABI to make any sense of the disassembly. Prepare for many long nights if you're unexperienced.

Ole André Vadla Ravnås · Answer

You can also try a dynamic approach by hooking APIs and observing arguments and return values. This will allow you to look at data going into crypto APIs, which may help a lot when dealing with network protocols. Check out the Frida instrumentation toolkit for an open source cross-platform solution (Android, iOS, Windows, Mac and Linux). There's a tutorial showing how to build an interactive instrumentation tool in a few minutes, which injects code into the “Yo” app on iOS and plots network connections using Google Maps.

Answered by Ole André Vadla Ravnås on January 20, 2021

Cedric VB · Answer

Besides Guntram's suggestions, check out the retargetable decompiler aka retdec. It can decompile the binary to Python or C code. At least for me, it reads easier than pure assembly (and it works for ARM binaries).

It works very well for sketching you the rough workings of the shared object.

A plugin for select IDA versions exists, but the main limitation is that it doesn't support 64-bit code.

Shailesh Mota · Answer

Use android-ndk, https://developer.android.com/ndk/downloads/index.html.

You can use the toolchains inside the ndk to perform the type of disassembling you want to. For e.g. if I decompile an apk and get a .so library out of it, I will do :

./android-ndk-r15b/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-objdump -T "SAMPLE.so | less

To get an objdump.

Adrian Paul · Answer

You can also try the Snowman tool: https://derevenets.com/.

Snowman is a native code to C/C++ decompiler

It supports ARM, x86, and x86-64 architectures as specified on their website.

KYHSGeekCode · Answer

You can also reverse-engineer APK files directly on an android device.

Java part: Show Java
.so files: Android disassembler.

(Disclaimer: I 'm the developer)

Version 1.4.2 release.

Android-Disassembler

Disassemble ANY files including android shared libraries (aka .so files) (NDK, JNI), windows PE files(EXE, DLLs, SYSs, etc..), linux executables, object files, ANY files you want like pictures, audios, etc(for fun) entirely on Android. Capstone-based disassembler application on android.

Features

Shows details of elf files.
Shows symbol table(functions or objects' ,... names) of elf files.
Disassembles the code sections.
Has various export options of the disassembly. (Reloadable raw file, compilable txt file, analytic text files, json, and  reloadable database)
Supports projects.
Supports directly launching from file browsers.
Supports many ABIs(arm,x86,x64,MIPS,PowerPC,...)
Jump to address by symbols' names, or a hex address.
Syntax colorizing.
Support PE and other bin formats.
Sort symbols if needed.
No need to press Disassemble button!
Colorize PUSH/POP instructions.
Colorize ARM arch instructions better.
Added Follow Jump menu for jump instructions.(With BackStack)
Can override auto parse setup

What's new

You can copy an instruction to the clipboard.
It now parses IAT, EAT of PE headers.
Fixed bugs.

Materials about assemblies

ARM
ARM BlackHat
Intel
Wiki

Open Source

This app used
 - Capstone 
 - Storage-Chooser
 - Colorpickerview
 - Java-binutils
 - PECOFF4J.

Thanks

https://reverseengineering.stackexchange.com/a/20124/23870

XRefs

https://reverseengineering.stackexchange.com/a/18203/23870