Remotely Debugging Android Binaries in IDA Pro
Today I came across a peculiarity with regards to how Android kernels can be configured to restrict permissions of execvp( ) arguments or forked processes - limiting the ability for a reverse engineer to remotely debug an Android binary from within IDA Pro.
If you arrived at this post by searching Google for answers to: “The file can’t be loaded by the debugger plugin. Please verify that the parameters are valid.” then please continue to my post on fixing this: Error: The file can’t be loaded by the debugger plugin
Otherwise, follow along as we learn how to debug Android binaries in IDA Pro.
step 0: find android_server binary on your host machine #
IDA Pro packages pre-compiled binaries in your installation for remote debugging of different hosts as seen here:
We are currently interested in the android_server file which we will push to our Android device and execute. On my Mac OS X installation of IDA Pro 6.6 the file was located at: /Applications/IDA Pro 6.6/idaq.app/Contents/MacOS/dbgsrv/android_server - if this results in failure then use the Unix command locate android_server to discover the correct path. If you are on a Windows machine, I have no clue how to help you.
step 1: move android_server to your target and execute! #
You will now want to push the android_server onto your Android device, set the proper permissions of the file and execute the file to begin the IDA Pro listener.
Note: I am assuming you have an Android device connected, or at least an Android Virtual Device created and are comfortable with ADB
Push the android_server #
adb push ./android_server /data/local/tmp
Connect to your device and navigate to /data/local/tmp #
adb shell su cd /data/local/tmp ll
Set permissions #
chmod 755 /data/local/tmp/android_server
Execute android_server #
step 2: port forwarding #
Ok, take a deep breath!
We now have a debugging server running on your Android target. This opens a listener (default is port 23946) so that IDA Pro can connect to it to perform all of its awesome magic!
In order to be able to accept connections from the debug server (android_server) we need to setup a port forwarding rule in ADB (Android Debug Bridge) - but don’t worry, it’s easy!
adb forward tcp:23946 tcp:23946
We can confirm this has worked by running:
netstat -a -n | grep 23946
step 3: IDA Pro Configuration #
Now let’s configure IDA Pro to connect to your debug server running on your Android target. Start IDA Pro and load the file you want to debug, after it loads find the drop-down menu at the top of the Window and change it to: “Remote ARM Linux/Android debugger” as seen here:
Then in the menu choose Debugger > Process Options.
At this point things could either work out perfectly or go very, very wrong. I have managed to trigger almost every error I think is possible so let’s try and get you through this.
In the Debug application setup window, which should have popped up after clicking on Debugger > Process Options …
You will see “Application”, “input file”, “Directory”, “Parameters” and “Hostname”, “Port” and “Password”
What you must remember is that these paths should all match the remote Android target and not your host machine.
So let’s assume you want to debug sample located in /data/local/tmp you would enter:
And now you might see the following prompt, to which you can say Yes and IDA Pro will copy the file to your remote-path:
and if all is well, IDA Pro will change its GUI to reflect the “"Debug View”“ and you can continue being a happy little Reverse Engineer however if you trigger the fatal "The file can’t be loaded by the debugger plugin. Please verify that the parameters are valid.” error, then you need to continue on and read my journey into solving this problem located here.
-Finn el Humano