How to link a dynamic .so library to create a static executable?

[CZC]

Quote:

Originally Posted by CZC

This means getting rid of the .dynsym section and replacing all stubs in the .plt section - not an easy task.

This turned out to be way more complicated that I've anticipated so I've dropped it.

In the end I've found an easier alternative:

I've installed the Android NDK (not SDK) on my linux computer and configured it for arm64.
That enabled me to compile my own ELF executable linked to the above library and the Android libs.
Since I had root access on the scope I've used the scope as my testing platform: I've transferred to the scope a statically linked gdb (arm64) and
then I've traced my testing programs until I found all the info I needed to create the scope options.
So now the scope is enhanced with all the options.

[dion]

no intention to hijack the thread, but i am on the same goal as CZC, to understand codes in android .so native library (arm64).

i have tried to debug using jeb (the apk itself) on rooted phone, turned out one has to set debuggable flag. I did (after repack and resign the apk), but then the app crashed. so i try another way.

the native has somekind of java wrapper, it load them using system.loadlibrary. so, i look into android studio sample, which incorporate external native library and calls them. then i add the target native library and modify gradle, cmakelists.txt, the source code, and i don't remember whatelse, to accomodate the new native library.

so, i press debug in android studio, and the app crashed, i know by looking at the logcat window. the cause was something like this :

Code:

JNI NewGlobalRef called with pending exception java.lang.ClassNotFoundException: Didn't find class "com.example.hello" on path: DexPathList [[zip file "/data/app/com.example.hello-JXyLr8y_WKw9Tt8GbtoaIw==/base.apk"],nativeLibraryDirectories=[/data/app/com.example.hello-JXyLr8y_WKw9Tt8GbtoaIw==/lib/arm64, /data/app/com.example.hello-JXyLr8y_WKw9Tt8GbtoaIw==/base.apk!/lib/arm64-v8a, /system/lib64]]'

i looked, it turned out it is on JNI_OnLoad() function inside one of the native library. ida 'interpret' the function like this :

Code:

jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  jint result; // w0
  __int64 v3; // x19
  __int64 v4; // x8
  __int64 v5[2]; // [xsp+0h] [xbp-30h] BYREF

  v5[1] = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v5[0] = 0LL;
  if ( (*vm)->GetEnv(vm, (void **)v5, 65540LL)
    || (v3 = v5[0],
        (v4 = (*(__int64 (__fastcall **)(__int64, const char *))(*(_QWORD *)v5[0] + 48LL))(
                v5[0],
                "com/original/class/name")) == 0) )
  {
    result = -1;
  }
  else
  {
    result = ((*(int (__fastcall **)(__int64, __int64, char **, __int64))(*(_QWORD *)v3 + 1720LL))(
                v3,
                v4,
                off_70010,
                53LL) >> 31) | 0x10004;
  }
  return result;
}

since the expected class name was different (i masked the original class name here), i hex edited the class name inside the so file, and got the logcat like above when debug.

later, i know the function that return the error was findclass(). i was thinking to patch the function, but i am not sure about the function after else syntax, that looks like do something with the results.

have search google couple days, and applied what suggested, like using -keepclass at proguard.pro rule. but nothing works so far.

does anyone can help with the problem?
thanks in advance.

[Moe]

Quote:

Originally Posted by dion

later, i know the function that return the error was findclass(). i was thinking to patch the function, but i am not sure about the function after else syntax, that looks like do something with the results.

have search google couple days, and applied what suggested, like using -keepclass at proguard.pro rule. but nothing works so far.

does anyone can help with the problem?
thanks in advance.

Is it possible to share the apk? Difficult to comment without seeing it, except wild speculations. I assume you did the proper zip align after editing...

[chants]

Quote:

Originally Posted by Abdul Moeed

Is it possible to share the apk? Difficult to comment without seeing it, except wild speculations. I assume you did the proper zip align after editing...

TechLord, I don't think anyone wants to share private files with you. You are the least trustworthy person to ever use this forum. Not to mention, many problems are resolved by describing them without rushing to send a package file. A but fishy to so quickly request it, but we know your cheesy tactics.

[Moe]

Quote:

Originally Posted by chants

TechLord, I don't think anyone wants to share private files with you. A but fishy to so quickly request it, but we know your cheesy tactics.

This chants guy seems to have gone mad. Or maybe obsessed.
Seems to be always dreaming about Techlord and addressing everyone as Techlord, lol. Seems that he does not have anything better to do.

Techlord is banned here? But in every other post I see his name invoked.
And @chants keeps chanting his name in every post. Almost as if Techlord is immortal.