How to Unpack Baidu Protect through Memory Dumping

Trustlook Mobile Security has researched an app (MD5: 67257EA2E9EC6B35C9E5245927980EEA) that is packed/encrypted by Baidu Protect, the service provided by Baidu. Users can upload their APKs to the developer portal in Baidu to get their apps hardened.

The app terminates itself when running on several versions of Android emulators.

It runs on a Moto G phone with Android version 4.4.3. The app has the following structure:

image02

The file “libbaiduprotect.so” under the lib/armeabi folder shows that the app is packed by Baidu Protect.

Some popular unpacking tools don’t seem to work on this app. ZjDroid, for example, which is installed as a module for the Xposed, causes the app to crash. DexExtractor also doesn’t generate any DEX files.

The app has implemented anti-debugging techniques. For example, the following code snippets prevent the debugger from attaching to the process:

image01

Most app packers use JNI native code to modify the Dalvik bytecode in the memory. The packers sometime unpack/decrypt the real DEX file in the memory, which is what gave us a chance to dump the memory.

Using the ADB connect to the phone, we ran the “ps” command, which gave the following result:

image04

The app has the process ID “28953”. We examined the region of the virtual memory in the process.

The first address field shows the starting and ending address of the region in the process’s memory space. The last field shows the name of the file mapped. We fired up “dd” command to dump the memory associated with the last file.

image06

The “dd” command accepts decimal values in the parameters. Here the value for the “skip” parameter is the beginning address of the memory and the “count” parameter takes the range of the beginning and ending value.

After the file is dumped, we pull the file and examine it:

image05

The file is an ODEX file which has the header stripped. After retrieving the magic code, we have the following file:

image08

Unpack the file:

image07
image11
image09

Observe the JAR file:

image10

Note the above method does not work for apps using multiple processes. The memory dumping tool searching for the DEX magic code won’t work on this type of app.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s