From caa1e005e47cc08216e3df4a81b94d991a6d8584 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Fri, 4 Jul 2025 17:58:57 +0200 Subject: [PATCH] add collision resolution --- 1_introduction/main.typ | 13 +++++++++++++ 2_background/main.typ | 15 +++++++++++++++ 5_theseus/1_static_transformation.typ | 26 ++++++++++++++++++++++++-- 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/1_introduction/main.typ b/1_introduction/main.typ index bbb0783..0b45ff9 100644 --- a/1_introduction/main.typ +++ b/1_introduction/main.typ @@ -4,3 +4,16 @@ #todo[Write an introduction] +/* +* +* De tout temps les hommes on fait des apps android ... +* +* Introduire la notion de reverseur qui veux analyser une app +* +* Les outils d'analyses android sont problématique: +* - résulats trop bons sur des datasets faciles +* - facile a pieger: shadow attacks +* - savent pas gerer le chargement dyn et reflection +* +* Problématique: todo +*/ diff --git a/2_background/main.typ b/2_background/main.typ index 671224c..1442111 100644 --- a/2_background/main.typ +++ b/2_background/main.typ @@ -5,3 +5,18 @@ #todo[Present field background and related work] #text(fill: luma(75%), lorem(200)) + +/* +* Cours generique sur android +* présenter apk tool, jadx, androguard et flowdroid +* analyse statique +* outils avec des datasets un peu trop gentils +* +* analyse dynamique +* +* process du reverseur +* +* Garder les détails du class loading et de la reflection pour les chapitres associés? +* +* Analyse dynamique +*/ diff --git a/5_theseus/1_static_transformation.typ b/5_theseus/1_static_transformation.typ index 911fffe..1e3e001 100644 --- a/5_theseus/1_static_transformation.typ +++ b/5_theseus/1_static_transformation.typ @@ -1,5 +1,11 @@ #import "../lib.typ": todo, APK, DEX, JAR, OAT, eg +/* +* Parler de dex lego et du papier qui encode les resultats d'anger en jimple +* +* +*/ + == Code Transformation #todo[Define code loading and reflection somewhere] 
@@ -129,8 +135,6 @@ In those cases, the parameters could be used directly whithout the detour inside === Code loading -#todo[custom class loaders] - An application can dynamically import code from several format like #DEX, #APK, #JAR or #OAT, either stored in memory or in a file. Because it is an internal, platform dependant format, we elected to ignore the #OAT format. Practically, #JAR and #APK files are zip files containing #DEX files. 
@@ -148,6 +152,24 @@ Specifically, to call dynamically loaded code, an application needs to use refle === Class Collisions +We saw in @sec:cl-obfuscation that having several classes with the same name in the same application can be problematic. +In @sec:th-trans-cl, we are adding code from another source. +By doing so, we augment the probability of having class collisions. +When loaded dynamically, the classes are in a different classloader, and the class resolution is resolved at runtime like we saw in @sec:cl-loading. +We decided to restrain our scope to the use of class loader from the Android SDK. +In the abscence of class collision, those class loader behave seamlessly and adding the classes to application maintains the behavior. + +When we detect a collision, we rename one of the classes colliding before injecting it to the application. +To avoid breaking the application, we then need to rename all references to this specific class, an be carefull not to modify references to the other class. +To do so, we regroup each classes by the classloaders defining them, then, for each colliding class name and each classloader, we check the actual class used by the classloader. +If the class has been renamed, we rename all reference to this class in the classes defined by this classloader. +To find the class used by a classloader, we reproduce the behavior of the different classloaders of the Android SDK. +This is an important step: remember that the delegation process can lead to situation where the class defined by a classloader is not the class that will be loaded when querying the classloader. + +#todo[renamin algo] + === Pitfalls #todo[interupting try blocks: catch block might expect temporary registers to still stored the saved value] +#todo[diferenciating the classloaders] +#todo[changing classloader with class collision]
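Review bot: in the `1_introduction/main.typ` hunk, the new outline is a free-form French block comment while the file already tracks open work with the English `#todo[...]` helper (`#todo[Write an introduction]` two lines above); consider moving the items that are actual tasks (e.g. "Problématique: todo") into `#todo[...]` so they are rendered and tracked like the rest, and keep the comment in the document's language so reviewers can follow it. The three bullet points (results too good on easy datasets, easy to fool with shadow attacks, no handling of dynamic loading and reflection) are the thesis' motivating claims and should each get a citation key when they are written up.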
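Review bot: in the `2_background/main.typ` hunk, "analyse dynamique" appears twice in the outline (once lower-case after the static-analysis items, once capitalised as the last item); drop one or make clear they are different sections. The open question "Garder les détails du class loading et de la reflection pour les chapitres associés?" decides how much of the background the Theseus chapter can rely on (the `5_theseus` hunk already carries `#todo[Define code loading and reflection somewhere]`), so it is worth settling before either chapter is written.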
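Review bot: in the first `5_theseus/1_static_transformation.typ` hunk, the note "le papier qui encode les resultats d'anger en jimple" names a paper without its bibliography key; add the `@key` now so the reference is not lost, and drop the two empty `*` lines at the end of the block comment.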
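Review bot: in the `@@ -129,8 +135,6 @@` hunk, `#todo[custom class loaders]` is removed from the Code loading section without replacing it with text, while the scope decision that makes it moot ("We decided to restrain our scope to the use of class loader from the Android SDK") only appears later in the new Class Collisions section. State that restriction, and what happens to applications that subclass `ClassLoader`, in the Code loading section itself so a reader of that section knows custom loaders are out of scope. While touching the surrounding context, "whithout", "several format like" and "platform dependant" should read "without", "several formats like" and "platform-dependent".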
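Review bot: in the `@@ -148,6 +152,24 @@` hunk, the renaming step says "we rename all reference to this class in the classes defined by this classloader", but the hunk's own context line states that dynamically loaded code is called through reflection, so a reference to the colliding class may be a string constant passed to `Class.forName`/`loadClass` rather than a type reference in the bytecode; say whether string-based references are rewritten too, and if not, list it as a pitfall next to the two new `#todo` items. The text also never says which of the two colliding classes gets renamed (presumably the injected one, since the other is already referenced by the base application), and the sentence "the class resolution is resolved at runtime" should become "the class is resolved at runtime". Spelling: "abscence" -> "absence", "an be carefull" -> "and be careful", "regroup each classes" -> "group the classes", "augment the probability" -> "increase the probability", "#todo[renamin algo]" -> "renaming algo", "#todo[diferenciating the classloaders]" -> "differentiating the classloaders".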