[HELP] How to decompile protected classes.dex file
#10
Yes, your friend could be right. I didn't look any further on the target, but I've seen libpp.so has some AES decryption routines which get called in almost every JNI method. So I guess the original classes.dex is AES encrypted.

libpp.so does export a lot of symbols without hiding the original C/C++ function names. One can easily follow the calls to the encryption and decoding. If I have some time at the weekend I'm going to take a deeper look.

To dump a process' memory you need root in your test environment. Then you can read all memory regions for processes in /proc/<pid>/maps. With the valid memory addresses from the maps file you can read the memory from /proc/<pid>/mem. All dex files should (some packers try to hide it in memory) start with a magic value. You can search the memory for that value and then dump the regions. This could give you the original classes.dex. The following links should get you into this topic:

http://www.tldp.org/LDP/Linux-Filesystem.../proc.html
https://www.youtube.com/watch?v=RNqzF6X9lms
https://github.com/504ensicsLabs/LiME
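A worked version of the maps/mem walk mik01 describes above, added here as an example (it is not mik01's code and not from the forum). It parses the /proc/<pid>/maps format, reads each readable region through /proc/<pid>/mem with pread, looks for the DEX header magic ("dex\n" plus a three-digit version and NUL) and carves each image using the file_size field at header offset 0x20. The maps listing and the DEX-like buffer used for checking are constructed inline; the output file naming is my own choice. Running it against a live process needs root, as the post says.

```python
import os
import re
import struct

# DEX header layout (from the dex format): 8-byte magic "dex\n" + version + NUL at
# offset 0, checksum at 0x08, SHA-1 signature at 0x0c, file_size (u32 LE) at 0x20,
# and a 0x70-byte header in total.
DEX_MAGIC_RE = re.compile(rb"dex\n0[0-9]{2}\x00")
DEX_FILE_SIZE_OFFSET = 0x20
DEX_HEADER_SIZE = 0x70

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(maps_text):
    """Return (start, end, perms, path) for every readable region in a maps listing."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms, path = m.group(3), m.group(4)
        if perms[0] != "r":  # guard pages etc.; pread would only fault on them
            continue
        regions.append((start, end, perms, path))
    return regions


def find_dex_headers(data, base):
    """Return (absolute address, file_size) for each DEX magic in a region's bytes."""
    hits = []
    for m in DEX_MAGIC_RE.finditer(data):
        off = m.start()
        file_size = None
        if off + DEX_FILE_SIZE_OFFSET + 4 <= len(data):
            file_size = struct.unpack_from("<I", data, off + DEX_FILE_SIZE_OFFSET)[0]
        hits.append((base + off, file_size))
    return hits


def read_region(mem_fd, start, end):
    """Read [start, end) from an open /proc/<pid>/mem fd; unreadable pages give b''."""
    try:
        return os.pread(mem_fd, end - start, start)
    except OSError:
        return b""


def scan_process(pid, out_dir="."):
    """Walk every readable region of <pid> and carve each DEX image to a file (root needed)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    mem_fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    carved = []
    try:
        for start, end, perms, path in regions:
            data = read_region(mem_fd, start, end)
            for addr, file_size in find_dex_headers(data, start):
                # Trust the header's file_size only if it is plausible; otherwise take
                # the rest of the mapping so we never read past it (a packer may lie).
                length = end - addr
                if file_size and DEX_HEADER_SIZE <= file_size <= length:
                    length = file_size
                image = read_region(mem_fd, addr, addr + length)
                name = os.path.join(out_dir, f"dex_{pid}_{addr:x}.dex")
                with open(name, "wb") as out:
                    out.write(image)
                carved.append((name, addr, len(image), path))
    finally:
        os.close(mem_fd)
    return carved


if __name__ == "__main__":
    import sys
    for name, addr, size, path in scan_process(int(sys.argv[1])):
        print(f"{name}: {size} bytes at {addr:#x} ({path or 'anonymous'})")
```

Usage: `python dexscan.py <pid>` as root on the test device (or on a rooted emulator). Anonymous mappings named like `[anon:dalvik-...]` are where the runtime usually keeps loaded dex data, so those are the first hits to look at; a carved image whose file_size did not pass the plausibility check was clamped to the mapping and may need trimming by hand.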
 


Messages In This Thread
RE: [HELP] How to decompile protected classes.dex file - by mik01 - 04-27-2016, 06:48 PM


About The Bytecode Club

We're a community forum focused on Reverse Engineering; we try to target Java/Android but we also include other languages/platforms. We pride ourselves on supporting free and open-sourced applications.
