
Debugging Dalvik programs with IDA

Copyright (c) 2014 Hex-Rays


Preface
Starting with v6.6, IDA Pro can debug Android applications written for the Dalvik Virtual Machine,
including source-level debugging. This tutorial explains how to set up and run a Dalvik debugging
session.
Install Android SDK
First of all we have to install the Android SDK from the official site http://developer.android.com/sdk.
We do not need the ADT Bundle, so selecting the "SDK Tools Only" download is enough.
Environment variables
IDA needs to know where the adb utility resides and tries various methods to locate it automatically.
Usually IDA finds the path to adb, but if it fails we can define the ANDROID_SDK_HOME or the
ANDROID_HOME environment variable to point to the directory where the Android SDK is installed.
Android device
Start the Android Emulator or connect the Android device to a USB port.
The information about creating AVDs (Android Virtual Devices) and starting the emulator can be found at
the official site: Using the Emulator.
The information about preparing a physical device for development can be found at Using Hardware
Devices.
Check that the device can be correctly detected by adb:
$ adb devices
List of devices attached
emulator-5554 device
Install application
IDA presumes that the debugged application is already installed on the Android emulator/device.
Please download MyFirstApp.apk and MyFirstApp.src.zip from our site. We will use this application in the
tutorial.
We will use adb to install the application:
adb -s emulator-5554 install MyFirstApp.apk
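The adb lookup, device check and install above (and the "If something goes wrong" checklist at the end) can be scripted as a pre-flight check. This is an added example, not Hex-Rays code; it assumes adb lives under platform-tools of the SDK directory named by ANDROID_SDK_HOME or ANDROID_HOME, and the `adb devices` output is a constructed sample.

```python
"""Pre-flight checks before an IDA Dalvik session (added example)."""
import os
import shutil
import subprocess

# Constructed sample of `adb devices` output. The second serial is made up and
# is in a state ("unauthorized") in which IDA's backend cannot use the target.
DEVICES_SAMPLE = (
    "List of devices attached\n"
    "emulator-5554\tdevice\n"
    "0123456789ABCDEF\tunauthorized\n"
)

def find_adb(env=None):
    """Look for adb the way the tutorial says IDA does: ANDROID_SDK_HOME, then
    ANDROID_HOME (assumed layout: <sdk>/platform-tools/adb), then PATH."""
    env = os.environ if env is None else env
    for var in ("ANDROID_SDK_HOME", "ANDROID_HOME"):
        root = env.get(var)
        if not root:
            continue
        for name in ("adb", "adb.exe"):
            candidate = os.path.join(root, "platform-tools", name)
            if os.path.isfile(candidate):
                return candidate
    return shutil.which("adb", path=env.get("PATH", ""))

def parse_devices(output):
    """Map serial -> state from `adb devices` output (header line skipped)."""
    states = {}
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            states[fields[0]] = fields[1]
    return states

def device_ready(output, serial="emulator-5554"):
    """True only when the serial is listed in the 'device' state; an 'offline'
    or 'unauthorized' entry means the debugger session will not start."""
    return parse_devices(output).get(serial) == "device"

def install_command(adb, serial, apk="MyFirstApp.apk"):
    """The tutorial's install command, targeted at one serial with -s."""
    return [adb, "-s", serial, "install", apk]

if __name__ == "__main__":
    adb = find_adb() or "adb"
    out = subprocess.run([adb, "devices"], capture_output=True, text=True).stdout
    if device_ready(out):
        subprocess.run(install_command(adb, "emulator-5554"), check=True)
    else:
        print("emulator-5554 not ready; try: adb kill-server && adb start-server")
```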
Loading application into IDA
We can load either the apk or the dex file into IDA. If we specify the apk file, IDA will display its contents
and ask us to select the desired file from the package. We select the classes.dex file:
Dalvik debugger options
Before launching the debugger let us check out the debugger configuration. Go to "Debugger, Debugger
Options, Set specific options":
ADB executable
As mentioned above, IDA tries to locate the adb utility. If IDA failed to find it then we can set the path to
adb here.
Package name
The package name for the application is specified in AndroidManifest.xml.
We enter "com.example.myfirstapp" into this field; this is our package name. Currently we have to copy
this information manually.
Activity
Here we set the application activity name to start with. In our case it is ".MainActivity".
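Since the package name and the start activity have to be copied into the options by hand, the following added example (not part of the tutorial) reads both from the plain-text AndroidManifest.xml shipped in MyFirstApp.src.zip and returns them in the form the option fields expect. The manifest below is a constructed sample; the binary manifest inside the apk itself would need a decoder first.

```python
"""Extract the IDA Dalvik debugger options from AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Constructed sample manifest modelled on the tutorial's MyFirstApp.
MANIFEST_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myfirstapp">
  <application android:label="MyFirstApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DisplayMessageActivity"
        android:parentActivityName=".MainActivity" />
  </application>
</manifest>
"""

def debugger_options(manifest_xml):
    """Return (package, activity): the package attribute of <manifest> and the
    launcher activity (MAIN action + LAUNCHER category) in the relative
    '.Name' form used in the Activity field. Activity is None if no launcher."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    for activity in root.iter("activity"):
        actions = {a.get(NAME) for a in activity.iter("action")}
        categories = {c.get(NAME) for c in activity.iter("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            name = activity.get(NAME)
            # A fully qualified name inside the package is shortened to '.Name'.
            if name.startswith(package + "."):
                name = name[len(package):]
            return package, name
    return package, None

if __name__ == "__main__":
    print(debugger_options(MANIFEST_SAMPLE))
```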
Path to sources
To use source-level debugging we have to set paths to the application source files. We can do it using the
"Options, Sources path..." menu item.
Our Dalvik debugger presumes that the application sources reside in the current (".") directory. If this is
not the case, we can map the current directory (".") to the directory where the source files are located.
Let us place the source files DisplayMessageActivity.java and MainActivity.java in the same directory as
the MyFirstApp.apk package. This way we do not need any mapping.
Set breakpoints
Before launching the application it is reasonable to set a few breakpoints. A good candidate is the
"onCreate" method of the application's main activity.
We can use the activity name and the method name "onCreate" to set a breakpoint:
Naturally, we can set any other breakpoints at any time. For example, we can do it later, when we suspend
the application.
Starting the debugger
At last we can start the debugger. Check that the Dalvik debugger backend is selected. Usually it should
be done automatically by IDA:
If the debugger backend is correct, we are ready to start a debugger session. There are two ways to do it:
1. Launch a new copy of the application (Start process)
2. Attach to a running process (Attach to process)
1. Start process
To start a new copy of the application just press <F9> or use the "Debugger, Start process" menu item.
The Dalvik debugger will launch the application, wait until the application is ready and open a debugger
session to it.
We may wait for the execution to reach a breakpoint or press the "Cancel" button to suspend the
application.
In our case let us wait until the execution reaches the breakpoint on the onCreate() method.
2. Attach to process
Instead of launching a new process we could attach to a running process and debug it. For that we could
have selected the "Debugger, Attach to process..." menu item. IDA will display a list of active processes.
We just select the process we want to attach to.
Particularities of dalvik debugger
All traditional debug actions like Step into, Step over, Run until return and others can be used. If the
application sources are accessible then IDA will automatically switch to source-level debugging.
Below is the list of special things about our Dalvik debugger:
- In Dalvik there is no stack and there is no SP register. The only available register is PC.
- The method frame registers and slots (v0, v1, ...) are represented as local variables in
  IDA. We can see them in the "Debugger, Debugger windows, Locals" window (see below).
- The stack trace is available from "Debugger, Windows, Stack trace" (the hotkey is <Ctrl-
  Alt-S>).
- When the application is running, it may execute some system code. If we break the
  execution by clicking on the "Cancel" button, quite often we may find ourselves outside
  of the application, in the system code. The value of the PC register is 0xFFFFFFFF in this
  case, and the stack trace shows only system calls and a lot of 0xFFFFFFFFs. It means that IDA
  could not locate the current execution position inside the application. We recommend
  setting more breakpoints inside the application, resuming the execution and interacting with
  the application by clicking on its windows, selecting menu items, etc. The same thing can
  occur when we step out of the application.
Locals window
IDA considers the method frame registers, slots, and variables (v0, v1, ...) as local variables. To see their
values we have to open the "Locals" window from the "Debugger, Debugger windows, Locals" menu
item.
At the moment the debugger has stopped the execution at the breakpoint which we set on the onCreate()
method. Let us open the "Locals" window and we will see something like the following:
If the information about the frame is available (the symbol table is intact) then IDA shows the method
arguments, the method local variables with names and other non-named variables. Otherwise some
variable values will not be displayed because IDA does not know their types.
Variables without type information are marked with "Bad type" in the "Locals" window. To see the
variable value in this case please use the "Watches" window (see below).
Watches window
To open the "Watches" window please select the "Debugger, Windows, Watches" menu item. In this
window we can add any variable to watch its value.
Please note that we have to specify the type of a variable if it is not known. Use C-style casts:
Object* v0
String v1
char* v23
int v3
We do not need to specify the real type of an object variable; the "(Object*)" cast is enough. IDA can
derive the real object type itself.
Attention! An incorrect type may cause the Dalvik VM to crash. There is not much we can do about it.
Our recommendation is to never cast an integer variable to an object type; the Dalvik VM usually crashes
if we do that. But the integer cast "(int)" is safe in practice.
Keeping the above in mind, do not leave the cast entries in the "Watches" window for a long time.
Delete them before executing any instruction that may change the type of the watched variable.
If something goes wrong
- Check the path to adb in the "Debugger specific options"
- Check the package and activity names
- Check that the emulator is working and was registered as an adb device. Try to restart
  the adb daemon.
- Check that the application was successfully installed on the emulator/device
- Check the output window of IDA for any errors or warnings
- Turn on more debug print in IDA with the -z10000 command line switch.
