
Strategies for Analyzing Native Code in Android Applications...#1409

Merged: carlospolop merged 3 commits into master from update_Strategies_for_Analyzing_Native_Code_in_Android_Ap_20250916_124743 on Sep 30, 2025

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post presents a practical reverse‑engineering workflow to statically decrypt/deobfuscate strings embedded in an Android native library by combining Ghidra (for static triage) with angr (for symbolic execution). The scenario is a RASP‑protected app that crashed on Frida attach with an “invalid JNI version” exception and stack trace, even when using Frida’s JavaScript API, Interceptor, and Stalker (Frida). T...

🔧 Technical Details

Execute in‑binary decode routines statically with angr: Treat the decoder as a callable inside the binary. Create a blank state, allocate a heap buffer, call the decode function with (encoded_ptr, out_buf, len), then concretize the output using result_state.memory.load + result_state.solver.eval and parse C‑strings up to \x00. This recovers plaintext (e.g., JNI names/signatures) without live instrumentation.


Keep tool address spaces synchronized: Load the binary in angr with the same image base as Ghidra (e.g., 0x00100000) so function/data addresses line up, avoiding mismatches when referencing FUN_00100e10 or data like DAT_00100bf4.


Automate at scale with Ghidra’s API: Build a call‑site → (encoded_addr, size) map; enumerate callers of the decode routine via ReferenceManager; for each call site, run the angr decoder and insert a PRE...

🤖 Agent Actions

I analyzed the blog and HackTricks repository, and determined the most appropriate place to add the new content is in Basic Forensic Methodology -> Malware Analysis. The technique is a practical malware triage/reversing workflow that combines Ghidra with angr to statically execute in-binary decode routines (e.g., JNI name/signature decoders) and annotate results back into Ghidra. This content fits well as an Android-focused malware analysis trick alongside the existing “Android in-app native telemetry (no root)” subsection.

Actions performed:

  • Reviewed relevant HackTricks sections (5+ files), focusing on:
    • src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
    • src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
    • src/reversing/reversing-tools-basic-methods/angr/README.md
    • src/reversing/reversing-tools-basic-methods/angr/angr-examples.md
  • Added a new subsection to Malware Analysis:
    • Title: “Android/JNI native string deobfuscation with angr + Ghidra”
    • Content includes:
      • Ghidra triage of JNI_OnLoad and RegisterNatives with JNINativeMethod structure and decoder identification
      • angr setup with base_addr alignment to Ghidra and disabling auto-load of libs
      • A reusable decode_string helper function using project.factory.callable and result_state.solver.eval to concretize strings up to first NUL
      • A call-site-to-argument mapping approach with example addresses/sizes
      • Two annotation workflows:
        • Option A: CPython3 angr -> JSON dump of decoded strings -> Ghidra Jython script to write PRE_COMMENTs
        • Option B: Use pyhidra/ghidra_bridge to run angr and Ghidra API in one CPython process
      • Practical tips/pitfalls (calling conventions, zero-initialized buffers, PIC base alignment)
      • Internal link to angr basics: ../../reversing/reversing-tools-basic-methods/angr/README.md
  • Updated the “References” section at the end of Malware Analysis to include:
    • The blog post
    • Ghidra, angr links
    • JNI_OnLoad and RegisterNatives docs
    • Related JNI reversing articles

Files modified:

  • src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
    • Inserted the new subsection right after the existing “Android in-app native telemetry (no root)” section
    • Appended new references

No new files were created, and the existing structure/style was preserved with proper Markdown and code blocks. The content is technical, includes commands/code, and follows HackTricks’ guidelines.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
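The angr decode routine and call-site map described under Technical Details above, as an added example (not code from the PR, the HackTricks page or the blog post). It assumes the decoder's C prototype is `void decode(const uint8_t *enc, char *out, size_t len)` as the summary states, that angr is installed for the symbolic part, and reuses the page's FUN_00100e10 / DAT_00100bf4 addresses under the 0x00100000 image base; the call-site table and library path are constructed placeholders.

```python
"""Run an in-binary string decoder statically with angr, then emit JSON for Ghidra."""
import json

BASE_ADDR = 0x00100000   # image base Ghidra used, so FUN_/DAT_ addresses line up
DECODE_FN = 0x00100e10   # Ghidra's FUN_00100e10 from the PR summary (assumed to be the decoder)
MAX_OUT = 0x100          # size of the output buffer allocated on angr's heap


def cstring(raw: bytes) -> str:
    """Cut at the first NUL, exactly as the C caller of the decoder would."""
    end = raw.find(b"\x00")
    return (raw if end < 0 else raw[:end]).decode("latin-1")

def load_project(path: str):
    """Load the .so at Ghidra's image base without auto-loading libc and friends."""
    import angr  # lazy import: the pure helpers stay usable without angr installed
    return angr.Project(path, auto_load_libs=False, main_opts={"base_addr": BASE_ADDR})

def decode_string(proj, enc_addr: int, size: int, decode_fn: int = DECODE_FN) -> str:
    """Call decode_fn(enc_addr, out_buf, size) inside the binary and read out_buf back."""
    import angr
    # Zero-fill: bytes the decoder never writes must read as NUL, not as free symbols.
    state = proj.factory.blank_state(add_options={angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY})
    out_buf = state.heap.allocate(MAX_OUT)
    state.memory.store(out_buf, b"\x00" * MAX_OUT)
    decoder = proj.factory.callable(decode_fn, base_state=state)
    decoder(enc_addr, out_buf, size)  # symbolically executes the real routine
    rs = decoder.result_state
    raw = rs.solver.eval(rs.memory.load(out_buf, MAX_OUT), cast_to=bytes)
    return cstring(raw)

def decode_call_sites(sites: dict, decode) -> dict:
    """sites: {call_site: (enc_addr, size)} as collected from Ghidra's ReferenceManager.
    decode: callable(enc_addr, size) -> str, e.g. decode_string bound to a project.
    Returns {"0xcallsite": plaintext}; one failing site does not abort the batch."""
    out = {}
    for call_site, (enc_addr, size) in sorted(sites.items()):
        try:
            out[f"0x{call_site:08x}"] = decode(enc_addr, size)
        except Exception as exc:
            out[f"0x{call_site:08x}"] = f"<decode failed: {type(exc).__name__}>"
    return out

if __name__ == "__main__":
    proj = load_project("libnative.so")               # placeholder path
    sites = {0x00100a20: (0x00100bf4, 0x20)}          # constructed; DAT_00100bf4 from the PR
    decoded = decode_call_sites(sites, lambda e, n: decode_string(proj, e, n))
    with open("decoded_strings.json", "w") as fh:     # consumed by a Ghidra Jython script
        json.dump(decoded, fh, indent=2)
```

The JSON keys are the call-site addresses in Ghidra's address space, so the Jython side only needs `toAddr(key)` and `setPreComment` on the listing to annotate each caller.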

…lications...

- Remove searchindex.js (auto-generated file)
@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://revflash.medium.com/strategies-for-analyzing-native-code-in-android-applications-combining-ghidra-and-symbolic-aaef4c9555df

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology -> Malware Analysis (add a subsection: Android/JNI native string deobfuscation with angr + Ghidra)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop (Collaborator, Author)

merge

@carlospolop carlospolop merged commit 395ecdf into master Sep 30, 2025
@carlospolop carlospolop deleted the update_Strategies_for_Analyzing_Native_Code_in_Android_Ap_20250916_124743 branch September 30, 2025 18:02

1 participant