This Tool is selected as BlackHat Arsenal USA 2020

• Deoptfuscator is a tool for deobfuscating Android applications that have been transformed using control-flow obfuscation mechanisms.
• Deoptfuscator can reverse the control-flow obfuscation performed by DexGuard on open-source Android applications.

In order to build and run deoptfuscator, the followings are required:

• Deoptfuscator based on Ubuntu 18.04 LTS 64bit PC
  • libboost, libjson (C++ library)

    $ sudo apt-get install libboost-all-dev  
    $ sudo apt-get install libjsoncpp-dev
    

  • openjdk

    $ sudo apt-get install openjdk-11-jdk
    

  • i386 libc

    $ sudo dpkg --add-architecture i386  
    $ sudo apt-get update  
    $ sudo apt-get install libc6:i386 libstdc++6:i386
    

  • zipalign

    $ sudo apt-get install zipalign
    

  • apksigner

    $ sudo apt-get install apksigner
    

• deoptfuscator's repositary need git-lfs
• Git LFS

$ curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | sudo bash
$ sudo apt install git-lfs
$ git clone https://github.com/Gyoonus/deoptfuscator.git

Our repository Already Contains Tools needed to run our Tool

• Apktools : https://ibotpeaches.github.io/Apktool/
• fbredex : https://fbredex.com/

• Set Local Environment

  $. ./launch.sh
  

• Deobfuscate an Android application that has been transformed using control-flow obfuscated techniques.

  $ python3 deoptfuscator.py <obfuscated_apk>  
  

• Test our tools!

  $ python3 deoptfuscator.py test/AndroZoo_DexGuard_apk/com.alienguns.scifirifles_4F326C99558145BB636D31C96488823A.apk
  

  • If the input file (an obfuscated app) was com.alienguns.scifirifles_4F326C99558145BB636D31C96488823A.apk, the file name of the deobfuscated apk is com.alienguns.scifirifles_4F326C99558145BB636D31C96488823A_deobfuscated_align.apk
  • There is a problem with the license, so we stop sharing the test app for a while.

• Our tool can effectively deobfuscate Android applications transformed with the control flow obfuscation option of DexGuard :

  • Our tool can currently handle the control-flow obfuscation techniques of DexGuard.
  • It cannot handle other obfuscation techniques such as layout obfuscation, identifier renaming, and string encryption.

• This research was supported by Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science and ICT (no. 2018R1A2B2004830)