Friday, 4 March 2016

Fiddling with Nexus 4 boot image

TLDR; How to modify any system to set ro.debuggable=1 without rebuilding it from source. This setting will make any apk debuggable on the device.

Get the existing boot image off the phone

dd if=/dev/block/mmcblk0p6 of=/mnt/sdcard/boot.img # on the phone
adb pull /mnt/sdcard/boot.img # on your computer

/dev/block/mmcblk0p6 is Nexus 4's boot partition.

Install abootimg from The rest of the process below is stolen from this page.

Extract and unpack initrd

mkdir boot 
cd boot
abootimg -x /tmp/boot.img

mkdir initrd
cd initrd
cat ../initrd.img | gunzip | cpio -vid

Edit default.prop, setting anything you want, including ro.debuggable=1.

Repack initrd and boot image

cd initrd
find . | cpio --create --format='newc' | gzip > ../myinitrd.img
cd ..
abootimg --create myboot.img -f bootimg.cfg -k zImage -r myinitrd.img

Flash to phone

adb reboot-bootloader
fastboot flash boot myboot.img

Android Studio for refactoring obscure decompiled code

"It's in Foreign" @thegrugq

A while ago, I've been experimenting with using Android Studio for refactoring decompiled code.

  1. Export Java sources, from whatever decompiler works 
  2. "Import project" from sources in Android Studio 
  3. Use Shift-Fn-F6 to rename classes, methods etc 
What's best is that Studio (hurray for IntelliJ IDEA) is sometimes intelligently estimates types of variables and offers reasonably meaningful names:

Thursday, 3 March 2016

Using Proguard to deobfuscate code

TLDR; Optimisation features of Proguard can be useful for removing some "obfuscations" that add dead code and screw up control flow.

Proguard comes with Android Studio or can be installed from homebrew on Mac, that one version is newer:

$brew install proguard

Then use a generic script similar to this one:

-injars      <obfuscated jar>
-outjars     <result>
-libraryjars $HOME/Library/Android/sdk/platforms/android-19/android.jar ; or similar
-optimizationpasses 10 


-keepattributes *Annotation*

-keep public class * extends
-keep public class * extends
-keep public class * extends
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends
-keep public class * extends android.view.View {
 public <init>(android.content.Context);
        public <init>(android.content.Context, android.util.AttributeSet);
 public <init>(android.content.Context, android.util.AttributeSet, int);
 public void set*(...);
-keepclasseswithmembers class * {
 public <init>(android.content.Context, android.util.AttributeSet);
-keepclasseswithmembers class * {
 public <init>(android.content.Context, android.util.AttributeSet, int);
-keepclassmembers class * extends android.content.Context {
 public void *(android.view.View);
 public void *(android.view.MenuItem);
-keepclassmembers class * implements android.os.Parcelable {
 static ** CREATOR;
-keepclassmembers class **.R$* {
 public static <fields>;
-keepclassmembers class * {
 @android.webkit.JavascriptInterface <methods>;
-keepclasseswithmembernames class * {
    native <methods>;
-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);

Run as proguard @deob.conf and you'll end up with a more readable version of your obfuscated code.