A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #28837  by DMEW
 Thu Jul 07, 2016 7:48 pm
I am reversing Android malware that appears to dynamically load packed dex using the dalvik.system.dexclassloader. Im using IDA as my remote debugger and when this dynamic DEX is loaded, I cant step into it to debug the new dex (Since my IDA doesnt have that dex file loaded). Anyone know if you can add a new dex file and associate it with a segment of memory so I can actually debug this dynamic dex code? or any other way around this?
 #28963  by TSION
 Sun Jul 31, 2016 9:11 pm
DMEW I haven't reversed anything in a while (Windows/Android/Linux) but there is a technique used in this tool called DexHunter which basically unpacks the packed Dex file via exploiting the implementation of the android run-time features.The general way you want to attack this is to unpack the packed Dex file and then debug the unpacked file. I give you some links on some insightful reading material in dealing with this .

https://github.com/zyq8709/DexHunter/bl ... Hunter.pdf
https://hitcon.org/2015/ENT/PDF/The%20T ... %20Yin.pdf