Unable to deobfuscate reflection in obfuscated-app.apk
wzj1695224 opened this issue · comments
According to simplify/ObfuscatedApp/README.md
, it may easily to deobfuscate reflection in obfuscated-app.apk
.
But when I tried with
java -jar simplify/build/libs/simplify.jar -it 'org/cf/obfuscated' -et 'MainActivity' simplify/obfuscated-app.apk
...
(8 / 8) Executing top level method: Lorg/cf/obfuscated/Reflection;->reflectSecretMethod()V
14:07:35.555 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.611 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.662 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.717 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.767 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.821 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.873 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:35.961 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:07:36.017 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
Simplifying: Lorg/cf/obfuscated/Reflection;->reflectSecretMethod()V
Optimizations:
constantized ifs = 0
constantized ops = 0
dead assignments removed = 0
dead ops removed = 0
dead results removed = 0
nops removed = 0
peephole optmizations = 0
unreflected fields = 0
unreflected methods = 0
useless gotos removed = 0
...
[8 / 20] Processing top level class Lorg/cf/obfuscated/StringHolder;
(1 / 5) Executing top level method: Lorg/cf/obfuscated/StringHolder;->get(I)Ljava/lang/String;
14:07:36.125 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
I found nothing did in the Reflection.reflectSecretMethod(...)
Then I tried
java -jar simplify/build/libs/simplify.jar -it 'org/cf/obfuscated/Reflection;->reflectSecretMethod\(' -et 'MainActivity' simplify/obfuscated-app.apk
[1 / 1] Processing top level class Lorg/cf/obfuscated/Reflection;
(1 / 1) Executing top level method: Lorg/cf/obfuscated/Reflection;->reflectSecretMethod()V
14:10:48.420 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:48.502 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:48.586 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:48.671 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:48.750 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:48.828 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:48.906 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:49.023 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
14:10:49.090 WARN InvokeOp - org.cf.smalivm.exception.MaxAddressVisitsExceededException: Exceeded max address visits @0 ExecutionNode{signature=Landroid/util/Base64$Decoder;->process([BIIZ)Z, op=iget r9, r11, Landroid/util/Base64$Decoder;->state:I, @=0} in Landroid/util/Base64$Decoder;->process([BIIZ)Z
Simplifying: Lorg/cf/obfuscated/Reflection;->reflectSecretMethod()V
Optimizations:
constantized ifs = 0
constantized ops = 0
dead assignments removed = 0
dead ops removed = 0
dead results removed = 0
nops removed = 0
peephole optmizations = 0
unreflected fields = 0
unreflected methods = 0
useless gotos removed = 0
Simplification complete:
total classes = 1
total methods = 1
optimized methods = 1
failed methods = 0
run time = 4902 ms
Total optimizations:
constantized ifs = 0
constantized ops = 0
dead assignments removed = 0
dead ops removed = 0
dead results removed = 0
nops removed = 0
peephole optmizations = 0
unreflected fields = 0
unreflected methods = 0
useless gotos removed = 0
Writing output to obfuscated-app_simple.apk
still nothing change in Reflection.reflectSecretMethod(...)
next I did the following
java -jar simplify/build/libs/simplify.jar -it 'org/cf/obfuscated/Reflection;->reflectSecretMethod\(' -et 'MainActivity' simplify/obfuscated-app.apk --max-execution-time 600 --max-address-visits 1000000 --max-method-visits 1000000
and finally
java -Xmx24G -jar simplify/build/libs/simplify.jar -it 'org/cf/obfuscated/Reflection;->reflectSecretMethod\(' -et 'MainActivity' simplify/obfuscated-app.apk --max-execution-time 600 --max-address-visits 100000000 --max-method-visits 100000000
Exception in thread "main" java.lang.OutOfMemoryError: GC overhead limit exceeded
What''s wrong?😭
After some investigation, it appears the problem is that recent framework changes moved some of the Base64 decoding to object state. I.e. instead of having some static methods, they instantiate a Decoder and that has some instance state which simplify doesn't trust and assumes it's unknown. It's related to this: #22
Two possible solutions come to mind. First, convert Base64 code to Java, include in Simplify, and emulate instead of virtually execute. This was done in the past and one of the benefits is that the code is hella fast and won't break between frameworks. The second solution is to allow users to trust object instance state, which is almost always going to be a bad idea in general. Could be reasonable by whitelisting certain fields. Explaining wtf is happening in the docs will be harder than writing the code.
edc784d should fix your issue. Want to try and let me know?
It's working now. Thank you very much.