Sunday, 22 June 2014

An introduction to gikdbg.art (aka Android Ollydbg) attaching Towelroot



gikdbg.art (Android Ollydbg)




This post will provide the following:
  • Introduction to gikdbg.art
  • Setup of the environment
  • Quick introduction to attaching to the TowelRoot exploit process (libexploit.so)


The debugger can be downloaded from the official site: gikir.com
Gikdbg uses the following software to perform assembly-level debugging on Android:
  • OllyDbg (32-bit assembler-level analysing debugger for Microsoft® Windows)
  • GDB (the GNU Project debugger)
  • LLVM (collection of modular and reusable compiler and tool-chain technologies)

Gikdbg includes features such as (translated from the author's site):
  • ELF executable static analysis
  • Android app dynamic debugging
  • Android remote console
  • ARM assembler and disassembler
  • Device file uploading and downloading
  • Built-in GDB and LLDB
  • Support for memory breakpoints, software breakpoints and conditional breakpoints
  • Support for multi-threaded debugging
  • Support for assembly-level file patching

In order to begin working with gikdbg, we need an Android 4.4.2 KitKat AVD. Through the AVD Manager we create a virtual device with the characteristics shown below.



The ART runtime must be enabled. It can be enabled in the Settings of the AVD; see the picture below for the exact steps.



When gikdbg starts, the following screen is shown. From this main screen you can connect to your AVD (Android Virtual Device), attach to a process with a specific PID (Process IDentifier), etc.


The next step is to connect the tool to the 4.4.2 AVD we have created. This is done from the menu "ART Debug > Device". There, as we can see in the picture below, we find our AVD. Double click on it so the tool performs the connection. A dialog will appear asking whether to install the appropriate libs on your AVD; click yes.


If everything went fine (i.e. no error message), we are ready to attach a process to the debugger. I chose to install/push to the AVD the latest exploit by Geohot, TowelRoot. After running TowelRoot in the AVD we can attach to the process from the menu (picture below).


The following window will appear, where we attach com.geohot.towelroot to gikdbg. Select the process and click attach.


Now we need to view the memory of the bundled ELF file (libexploit.so) of TowelRoot, where the actual exploit lives. From the menu we click on Module (see picture below).


From the Module window we double click on the libexploit.so module.


Finally we can set a breakpoint with F2 wherever we want, and then press F9 to run the app. Now, if we go back to the AVD and click the button that runs the exploit, the breakpoint will "fire" back in gikdbg (memories from the past, now on Android).
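As an added example (not part of the original post or of gikdbg itself), the same pre-flight checks done over adb from a shell: confirm the AVD is running ART, find the PID of com.geohot.towelroot to attach to, and locate where libexploit.so is mapped so the breakpoint lands in the right module. It assumes adb is on PATH and the 4.4.2 AVD is the only connected device; the sample ps and maps output embedded below is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks before attaching gikdbg to TowelRoot.
# Assumes adb on PATH and a single connected device (the 4.4.2 AVD).

# On KitKat the runtime is selected by persist.sys.dalvik.vm.lib:
# libart.so means ART, libdvm.so means Dalvik. Argument: the property value.
runtime_is_art() {
    case "$1" in
        libart.so) return 0 ;;
        *)         return 1 ;;
    esac
}

# Read `adb shell ps` output on stdin and print the PID of the given package
# (the last column is the process name, the second the PID).
pid_of_package() {
    awk -v pkg="$1" '$NF == pkg { print $2; exit }'
}

# Read /proc/<pid>/maps text on stdin and print the start address of the
# first mapping whose path ends with the given module name (its load base).
module_base() {
    awk -v name="$1" '
        substr($NF, length($NF) - length(name) + 1) == name {
            split($1, range, "-"); print range[1]; exit
        }'
}

# Constructed sample output (not captured from a real device) so the helpers
# can be exercised offline.
SAMPLE_PS='USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     640    496   c00bd520 0805a1a0 S /init
u0_a52    1337  52    538940 45120 ffffffff b6e9f5b0 S com.geohot.towelroot'
SAMPLE_MAPS='b6d1a000-b6d2e000 r-xp 00000000 1f:03 1234 /data/app-lib/com.geohot.towelroot-1/libexploit.so
b6d2e000-b6d2f000 r--p 00013000 1f:03 1234 /data/app-lib/com.geohot.towelroot-1/libexploit.so'

# Run the checks against the connected AVD. tr strips the CRLF that older
# adb versions add to shell output.
preflight() {
    prop=$(adb shell getprop persist.sys.dalvik.vm.lib | tr -d '\r')
    runtime_is_art "$prop" || { echo "ART not enabled (runtime: $prop)"; return 1; }
    pid=$(adb shell ps | tr -d '\r' | pid_of_package com.geohot.towelroot)
    [ -n "$pid" ] || { echo "com.geohot.towelroot is not running"; return 1; }
    base=$(adb shell cat "/proc/$pid/maps" | tr -d '\r' | module_base libexploit.so)
    [ -n "$base" ] || { echo "libexploit.so not loaded yet in pid $pid"; return 1; }
    echo "pid=$pid libexploit.so base=0x$base"
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Invoke the script with `run` once TowelRoot is on screen; libexploit.so only appears in the maps after the app has loaded it.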


This was a preliminary post on how to set up and run gikdbg. More detailed analyses will be posted in future articles. Gikdbg is a great tool for application security assessment, discovery of security vulnerabilities, etc.

I tried to run Gikdbg with Genymotion but had no luck enabling the ART runtime there. If I find a way to connect it, I will update this post with how-to instructions.

Let's start the experiments!

Have fun!

p.s. to be updated.

2 comments:

  1. GikDbg.ART doesn't only support the ART runtime but also the DVM runtime (it can only debug lib*.so there). You can have a try.
  2. Useful information Neo. Thanks.