[Soot-list] Partial Evaluator based on Soot

Bodden, Eric eric.bodden at sit.fraunhofer.de
Fri Jun 28 12:35:41 EDT 2013


Hi Saswat.

There is some de-obfuscation support in dava (which is part of Soot) but it's not meant to be for Android. I am sure it does nothing for reflection. Would be great to have such a tool! Please keep me posted …

Cheers,
Eric


On 14.06.2013, at 01:51, Saswat Anand <saswat78 at gmail.com> wrote:

> Hi,
> 
> I wish to analyze obfuscated (Android) programs using Soot. So I am
> wondering if anybody tried to de-obfuscate programs statically.
> Specifically, what I have in mind is to partially evaluate parts of
> the code and replace those parts with simpler code. The idea is
> similar to what TamiFlex could do using dynamic analysis.
> 
> For example, to prevent analysis, the following code not only uses
> reflection to call a method, but the strings representing the method
> and class names are obfuscated. In this example, it is possible to
> replace the entire code with one invocation stmt.
> 
> Does anybody have any code that can either already do this or serve as a
> starting point?
> 
> Thanks,
> Saswat
> 
> 
>        $b142 = 0;
>        $b143 = -3;
>        $s144 = 285;
>        $r238 = staticinvoke <com.android.system.admin.ICICcOCo: java.lang.String oCIlCll(int,int,int)>($b142, $b143, $s144);
>        $r239 = $r238;
>        $r240 = staticinvoke <java.lang.Class: java.lang.Class forName(java.lang.String)>($r239);
>        $r241 = $r240;
>        $b145 = -34;
>        $b146 = -1;
>        $s147 = 188;
>        $r242 = staticinvoke <com.android.system.admin.ICICcOCo: java.lang.String oCIlCll(int,int,int)>($b145, $b146, $s147);
>        $r243 = $r242;
>        $n10 = null;
>        $r244 = virtualinvoke $r241.<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>($r243, $n10);
>        $r245 = $r244;
>        $n11 = null;
>        virtualinvoke $r245.<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>($r2, $n11);
> _______________________________________________
> Soot-list mailing list
> Soot-list at sable.mcgill.ca
> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list

--
Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering Group at EC SPRIDE
Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
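
The partial evaluation asked about in the quoted message, sketched as an added example (not code from this thread or from Soot, and written in Python over Jimple text rather than against Soot's Java API). It assumes straight-line code with each local assigned once, treats `Class.forName` and `getMethod` as removable once folded, and uses a constructed lookup table in place of the decoder `oCIlCll`, whose body is not in the post; the decoded names `com.example.Target` and `run` are hypothetical.

```python
import re
# Constructed stand-in for decoder oCIlCll (body not on the page); outputs are hypothetical.
DECODED = {(0, -3, 285): "com.example.Target", (-34, -1, 188): "run"}
DECODER = "com.android.system.admin.ICICcOCo.oCIlCll"
STMT = re.compile(r"(?:(\$\w+) = )?(.+);")
CALL = re.compile(r"\w+invoke (?:(\$\w+)\.)?<([\w.$]+): [\w.\[\]]+ (\w+)\(.*\)>\((.*)\)")

def value(tok, env):
    """Abstract value: int, None for null, a tagged tuple, or the local's own name."""
    if re.fullmatch(r"-?\d+", tok):
        return int(tok)
    return None if tok == "null" else env.get(tok, tok)

def tag(v):
    return v[0] if isinstance(v, tuple) else None

def simplify(stmts):
    """Fold the reflection chain in straight-line Jimple; return the residual code."""
    env, out = {}, []                       # out: (lhs, rhs, removable_if_unused)
    for stmt in stmts:
        lhs, rhs = STMT.fullmatch(stmt.strip()).groups()
        call = CALL.fullmatch(rhs)
        if not call:                        # constant or copy: propagate the value
            env[lhs] = value(rhs, env)
            out.append((lhs, rhs, lhs is not None))
            continue
        base, cls, name, argtext = call.groups()
        args = [value(a.strip(), env) for a in argtext.split(",") if a.strip()]
        recv, target, pure = env.get(base) if base else None, f"{cls}.{name}", True
        if target == DECODER and (s := DECODED.get(tuple(args))) is not None:
            env[lhs], rhs = ("str", s), f'"{s}"'
        elif target == "java.lang.Class.forName" and tag(args[0]) == "str":
            env[lhs] = ("class", args[0][1])
        elif (target == "java.lang.Class.getMethod" and tag(recv) == "class"
              and tag(args[0]) == "str" and args[1] is None):
            env[lhs] = ("method", recv[1], args[0][1])
        elif (target == "java.lang.reflect.Method.invoke" and tag(recv) == "method"
              and isinstance(args[0], str) and args[1] is None):
            # null type and argument arrays: zero-argument call; "?" = unresolved return type
            rhs, pure = f"virtualinvoke {args[0]}.<{recv[1]}: ? {recv[2]}()>()", False
        else:
            pure = False                    # unfoldable call: keep, may have side effects
        out.append((lhs, rhs, pure))
    live, kept = set(), []
    for lhs, rhs, pure in reversed(out):    # backward pass drops folded, unread statements
        if not pure or lhs in live:
            kept.append((f"{lhs} = " if lhs else "") + rhs + ";")
            live.update(re.findall(r"\$\w+", rhs))
    return kept[::-1]
```

Pass `simplify` the statements from the quoted message as a list, one statement per element with the mail-wrapped lines rejoined and the `>` prefix removed. A decoder call whose arguments are not in the table is left in place together with the constants it reads.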
