
An APK I'm working on uses some sort of algorithm to generate a hash which is sent along with an HTTP request. I want to figure out how the algorithm works.

Decompiling the APK to Java is of no help at all because it is much too obfuscated and there is clearly a ton of jumping around to separate files; it's impossible to follow.

Analysing the SMALI is much more helpful, but still very difficult to follow due to the use of many different files, and also the generic/meaningless function names.

I have IDA Pro but I don't have the Hex-Rays decompiler. There is also an extremely small number of tutorials on using IDA Pro with Android. Is IDA Pro useless here? Smali is definitely easier to understand than the raw machine code instructions.

What are my options for analysing and figuring out this algorithm?

Thank you for your suggestions

43.52.4D.
  • What is the apk name and sha256? If it really has strong bytecode obfuscation, I'd be curious to take a look. You don't see that on Android often. Most apps either have weak obfuscation (Proguard) or just use a packer. – Antimony Jan 13 '16 at 14:54
  • com.instagram.android? – Antimony Jan 13 '16 at 18:48
  • @Antimony yes that's correct. I pulled the APK from my phone with adb. Then I used Apktool to convert to SMALI. I can tell you more about the app in a chatroom if you need. – 43.52.4D. Jan 13 '16 at 18:55
  • I took a look, but I didn't see any unusual obfuscation. Just a bit of identifier renaming. Any recent decompiler should work here. – Antimony Jan 13 '16 at 19:41
  • @Antimony what approach would you take personally to learning how an algorithm generates a value? Do you mean decompiler like Apktool or disassembler like IDA Pro? – 43.52.4D. Jan 13 '16 at 20:43
  • I wouldn't use IDA Pro for Java. It's designed for native code. There's lots of free Java tools to choose from. Personally I'd go with Apktool + Enjarify + Krakatau. – Antimony Jan 13 '16 at 22:07
  • @Antimony I just tried out Enjarify with Krakatau (nice code btw) but I don't think it's useful in this situation. Krakatau had many errors and couldn't decompile all the code correctly (the error logs were written in the Java files). Although Krakatau had nicer output than others, it's still difficult to understand. Also: it's obvious Proguard has been used on this app. The algorithm is spread out between an infuriating number of files. There are so many calls to so many different useless functions jumping around everywhere. How do I find out meaningful information in a situation like this? – 43.52.4D. Jan 14 '16 at 05:06
  • @Antimony any tips? – 43.52.4D. Jan 14 '16 at 23:02
  • Sorry it took so long to get back to you. I looked into it, and there actually was a bug in Krakatau, which I fixed. It decompiles without errors with the latest version of Krakatau. – Antimony Feb 07 '16 at 21:59
  • Apart from that, you probably forgot to specify a path to all the dependencies. Here's the command line I used. You'll need to replace stuff/android with the path to your Android SDK. python Krakatau/decompile.py -out temp apk_apps/Instagram_v7.15.0_apkpure.com-enjarify.jar -path stuff/android/android-23/android.jar -path stuff/android/android-23/optional/org.apache.http.legacy.jar -path stuff/android/android-23/data/layoutlib.jar – Antimony Feb 07 '16 at 22:00
  • Did you end up finding the algorithm? If so how? – Arya Dec 28 '17 at 06:15
  • @Antimony would using dynamic instrumentation such as Frida be of any use here? – Arya Jan 02 '18 at 19:10

1 Answer

IDA Pro is useful for analyzing native code. The Hex-Rays decompiler decompiles ARM and x86/x64, not Java. In your specific case IDA Pro would be useful if this hashing algorithm were compiled to native code and called through a JNI-like interface.

For your specific case IDA is almost useless because almost all of its advantages are related to native code analysis.

w s
  • What could I utilize to analyse how this algorithm works then? – 43.52.4D. Jan 13 '16 at 17:15
  • There is no other choice; you have to deobfuscate the APK code. In addition I'd suggest you read the answers to this question: http://reverseengineering.stackexchange.com/questions/1370/what-is-a-good-java-decompiler-and-deobfuscator – w s Jan 13 '16 at 18:14
  • Well a strange dilemma is that using Apktool to convert to SMALI makes the code more understandable/less obfuscated than attempting to convert to Java source code. If there was a way to convert SMALI to java source code, that would be helpful. – 43.52.4D. Jan 13 '16 at 19:02