A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #28837  by DMEW
 Thu Jul 07, 2016 7:48 pm
I am reversing Android malware that appears to dynamically load a packed dex using dalvik.system.dexclassloader. I'm using IDA as my remote debugger, and when this dynamic DEX is loaded, I can't step into it to debug the new dex (since my IDA doesn't have that dex file loaded). Anyone know if you can add a new dex file and associate it with a segment of memory so I can actually debug this dynamic dex code? Or is there any other way around this?
 #28963  by TSION
 Sun Jul 31, 2016 9:11 pm
DMEW, I haven't reversed anything in a while (Windows/Android/Linux), but there is a technique used in this tool called DexHunter which basically unpacks the packed Dex file by exploiting the implementation of the Android run-time features. The general way you want to attack this is to unpack the packed Dex file and then debug the unpacked file. I'll give you some links to some insightful reading material on dealing with this.

https://github.com/zyq8709/DexHunter/bl ... Hunter.pdf
https://github.com/zyq8709/DexHunter
https://hitcon.org/2015/ENT/PDF/The%20T ... %20Yin.pdf
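The "unpack first, then debug" approach above still needs a way to pull the dynamically loaded DEX out of memory once the packer has decrypted it. The following is an added example (not code from the thread or from DexHunter) that carves DEX files out of a raw process memory dump using only the DEX header: it locates the `dex\n03x\0` magic, sanity-checks `header_size` and `endian_tag`, and accepts a hit only if the Adler-32 checksum and SHA-1 signature stored in the header match the carved bytes, so string matches inside unrelated data are rejected. The `build_sample_dex` helper constructs a header-only blob for a self-contained run; a real dump would come from the analyst's debugger.

```python
"""Carve DEX files out of a raw memory dump by validating the DEX header (added example)."""
import hashlib
import struct
import zlib

# Supported DEX versions: 035, 037, 038, 039 (036 was never shipped).
DEX_MAGICS = [b"dex\n03" + v + b"\0" for v in (b"5", b"7", b"8", b"9")]
HEADER_SIZE = 0x70  # every DEX version uses a 0x70-byte header
ENDIAN_CONSTANT = 0x12345678

def carve_dex(dump: bytes):
    """Return (offset, dex_bytes) for every DEX whose header, Adler-32 and SHA-1 check out."""
    found = []
    pos = 0
    while True:
        hits = [h for h in (dump.find(m, pos) for m in DEX_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        pos = off + 1  # default: keep scanning just past this magic if it is rejected
        if off + HEADER_SIZE > len(dump):
            return found
        checksum, = struct.unpack_from("<I", dump, off + 0x08)
        signature = dump[off + 0x0C:off + 0x20]
        file_size, header_size, endian_tag = struct.unpack_from("<III", dump, off + 0x20)
        # Reject hits that are not a plausible header (e.g. the magic string inside some other data).
        if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
            continue
        if file_size < HEADER_SIZE or off + file_size > len(dump):
            continue
        body = dump[off:off + file_size]
        # Adler-32 covers everything after the checksum field; SHA-1 covers everything after the signature.
        if zlib.adler32(body[0x0C:]) & 0xFFFFFFFF != checksum:
            continue
        if hashlib.sha1(body[0x20:]).digest() != signature:
            continue
        found.append((off, body))
        pos = off + file_size  # skip over the carved file

def build_sample_dex(payload: bytes) -> bytes:
    """Construct a header-only DEX blob with a valid checksum and signature (sample data, not a real app)."""
    file_size = HEADER_SIZE + len(payload)
    rest = struct.pack("<III", file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    rest += b"\0" * (HEADER_SIZE - 0x2C) + payload  # remaining header fields zeroed
    sig = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(sig + rest) & 0xFFFFFFFF
    return DEX_MAGICS[0] + struct.pack("<I", checksum) + sig + rest

if __name__ == "__main__":
    sample = build_sample_dex(b"CONSTRUCTED-PAYLOAD")
    fake_dump = b"\x90" * 100 + sample + b"dex\n035\0" + b"junk" * 40 + sample  # constructed dump
    for off, dex in carve_dex(fake_dump):
        print(f"DEX at 0x{off:x}, {len(dex)} bytes")  # constructed dump: two valid hits, one decoy rejected
```

Each carved blob can then be written to disk and loaded into IDA (or any dex tool) as the unpacked file to debug against.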