Trace system calls, including stack (and java stack if possible), on android?

Reverse Engineering Asked by Guntram Blohm on December 3, 2020

I have an android app that reads/writes a data file which seems to be encrypted, and i want to make a tool to read/write that file, so i need to reverse the encryption.

The app in question consists of a few hundred classes and several .so libraries, and grepping through the classes and the output of strings on the .so files doesn’t find the name of the game file (i tried case-sensitive, omitting the extension, and all that stuff), so the “easy” way to find the function doesn’t work. So, what i want to do is intercept calls to the open system call, and check the stacks (dalvik and C) for the callers.

On Windows, this is quite easy using procmon which saves the stack of each system call; on Linux, there is strace -i which doesn’t give me a stack backtrace, but at least an IP value; also, i could make a named pipe having the filename in question to make the app block on opening it and attach gdb to get the backtrace.

The problem with using strace and or a debugger on android is that i a) it seems to be non-trivial to get a version of strace that works with a particular OS level of android, b) when i try the named pipe approach, the app just exits, c) unless the whole encryption stuff is done in one of the .so libraries, i need the Java stack as well.

I found jtrace which seems to be a replacement for strace, but doesnt show the stack, and this question has some links, but they seem to be targetted at instrumentation/profiling, not what i need.

So the question really is in the title: Is there a tool that traces system calls on android, and shows the stack trace, like procmon does on windows, including the java stack if possible? Or another idea to quickly find the code that opens and decrypts the file?

If all else fails, i’ll probably attach IDA to the process, put a breakpoint on open, and write a breakpoint condition that checks the file name. But that still won’t give me the java stack, and i’d like to avoid the effort if there’s a “nicer” tool.

2 Answers

you can get system call stack with strace too. you just need to compile strace with libunwind. After that you just need to use -k to get system call stack for each system call.

Answered by Rasoul on December 3, 2020

JavaJournal, which was built on top of the pyspresso framework, was designed specifically for tracing method calls in Java.

Answered by Jason Geffner on December 3, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP