DJI – The ART of obfuscation

I don’t understand any of this, but some of you will (ed)

Study of an Android runtime (ART) hijacking mechanism for bytecode injection through a step-by-step analysis of the packer used to protect the DJI Pilot Android application.

Introduction

In the world of Android applications, it’s not uncommon to come across applications protected by a packer. The role of a packer is to protect all or part of the application code from static analysis. There are many reasons why a developer might want to protect an application:

  • Protect valuable business logic;
  • Protect application monetization logic (e.g. a license management mechanism);
  • Evading conventional analysis tools to hide malicious logic;

Here, we take a look at the DJI Pilot application, not to understand why developers want to protect their code – this has already been the subject of previous work (see in particular this DJI Pilot analysis) – but to highlight a runtime mechanism implemented by DJI to protect its application code. This protection is based on the use of a modified version of the SecNeo packer.

The article details the various stages in the analysis to understand how the application code is obfuscated. A Python proof-of-concept named DxFx for statically unpacking the DJI Pilot application is provided as practical support for this article. DxFx does not claim to be a SecNeo unpacker. Its sole aim is to improve the reader’s understanding of the various mechanisms implemented by the packer through Python code. It will not be maintained in the future.

Read the full article here

Similar Posts