JNI Static Linking

Linking is done "manually" by the native code itself, before any native method is called: the JVM does not look up mangled Java_pkg_Class_method symbols; the library tells the JVM which function implements which Java method. (The JNI specification calls this dynamic registration, as opposed to the name-based static binding.)

  • Native functions can have any symbol name, or none at all if the library is stripped (read: obfuscation!); only the Java-side name stored in the table has to match.

  • A fixed, exported entry point, JNI_OnLoad, is called by the JVM right after System.loadLibrary loads the library.

  • Inside JNI_OnLoad the library registers the mapping between Java methods and native functions with RegisterNatives. RegisterNatives is not a symbol of the library: it is reached through the JNIEnv function table, usually right after a FindClass call that yields the class to register against.

    • Every native method needs an entry. One RegisterNatives call can register a whole array of methods for a class, and a library may call it several times (one per class, or lazily at first use).

/* called as (*env)->RegisterNatives(env, clazz, methods, nMethods) */
jint RegisterNatives(JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods);
typedef struct {
    char *name;       /* Java method name */
    char *signature;  /* JVM type descriptor, e.g. "(I[B)Z" */
    void *fnPtr;      /* address of the native implementation */
} JNINativeMethod;

Since symbol names no longer identify anything, reverse engineering the library blob is the most viable way to recover the mapping.

  • One symbol must always be exported: JNI_OnLoad, because the JVM looks it up by name when the library is loaded.

  • The remaining functions usually exist as symbols too, although their names may be obfuscated or stripped entirely.

Process

  • Load the library in a tool: Ghidra, IDA, Binary Ninja, radare2, etc.

  • Find JNI_OnLoad in the export table.

  • Determine where RegisterNatives is called. It is an indirect call through the JNIEnv function table, slot 215 (offset 0x6B8 on 64-bit, 0x35C on 32-bit), typically preceded by a FindClass call (slot 6) whose result becomes the clazz argument. If the decompiler knows the JNIEnv type, it shows the call by name.

  • Determine the arguments passed to the call: clazz, the pointer to the JNINativeMethod array, and nMethods. Follow the array pointer into .data/.rodata.

    • Each entry gives the Java method name, its descriptor and the native function address, so the method mapping and the real argument types of each function (after the implicit JNIEnv * and jobject/jclass parameters) follow directly.

    • The descriptor alone often hints at what a function does (a function taking a String and a byte[] and returning a boolean is probably some kind of check), even when the Java-side name is obfuscated as well.
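The table layout and the function-table offsets used in the process above, as an added C example that is not from the original page or from any real library. It redeclares JNINativeMethod with the same three-pointer layout as jni.h so it builds without the JNI headers, uses a constructed two-entry table whose native names a1 and a2 are made-up stand-ins for what a stripped library contains, computes the byte offset you match to spot the RegisterNatives call (slot 215 of struct JNINativeInterface_ in jni.h), and decodes JVM descriptors into Java-style argument lists, which is the last step of the process done by hand.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* JNINativeMethod as laid out in jni.h (redeclared so this builds without it):
 * three pointers, so each table entry is 24 bytes on 64-bit, 12 on 32-bit.
 * In a stripped library the table is an array of these in .data/.rodata. */
typedef struct {
    const char *name;       /* Java method name, as seen from the Java side */
    const char *signature;  /* JVM type descriptor, e.g. "(Ljava/lang/String;[B)Z" */
    void *fnPtr;            /* native implementation; its symbol name is irrelevant */
} JNINativeMethod;

/* Slot of RegisterNatives in the JNIEnv function table (struct JNINativeInterface_).
 * It is not an exported symbol; the library reaches it through this table, so in a
 * disassembler you match the load at env + slot * sizeof(void *). FindClass is slot 6. */
#define JNI_REGISTER_NATIVES_INDEX 215
long jni_table_offset(int index, int ptr_size) { return (long)index * ptr_size; }

/* Constructed stand-ins for obfuscated native functions (think sub_1A2F0). Note the
 * two implicit leading parameters: JNIEnv * and the jobject/jclass receiver. */
static int32_t a1(void *env, void *thiz, int32_t x, int32_t y) { (void)env; (void)thiz; return x + y; }
static uint8_t a2(void *env, void *thiz, void *key, void *data) { (void)env; (void)thiz; (void)data; return key != NULL; }

/* Constructed table, as passed to RegisterNatives and as you would reconstruct it
 * from the bytes its third argument points to. */
static const JNINativeMethod g_methods[] = {
    { "add",      "(II)I",                   (void *)a1 },
    { "checkKey", "(Ljava/lang/String;[B)Z", (void *)a2 },
};
#define G_NMETHODS (sizeof g_methods / sizeof g_methods[0])

static int append(char *out, size_t outlen, const char *s) {
    size_t used = strlen(out), n = strlen(s);
    if (used + n + 1 > outlen) return 0;   /* refuse to truncate */
    memcpy(out + used, s, n + 1);
    return 1;
}

static const char PRIM_CODES[] = "BCDFIJSZV";
static const char *const PRIM_NAMES[] =
    { "byte", "char", "double", "float", "int", "long", "short", "boolean", "void" };

/* Decode one type descriptor at *pp into Java syntax, appending to out and advancing *pp. */
static int decode_type(const char **pp, char *out, size_t outlen) {
    const char *p = *pp, *base, *hit;
    char cls[128];
    int dims = 0;
    while (*p == '[') { dims++; p++; }
    if (*p == 'L') {                              /* Lpkg/Name; -> keep the simple class name */
        const char *end = strchr(p, ';'), *slash = p;
        if (!end) return 0;
        for (const char *q = p + 1; q < end; q++) if (*q == '/') slash = q;
        size_t n = (size_t)(end - slash - 1);
        if (n == 0 || n >= sizeof cls) return 0;
        memcpy(cls, slash + 1, n);
        cls[n] = '\0';
        base = cls;
        p = end;
    } else if (*p != '\0' && (hit = strchr(PRIM_CODES, *p)) != NULL) {
        base = PRIM_NAMES[hit - PRIM_CODES];
    } else {
        return 0;
    }
    p++;
    if (!append(out, outlen, base)) return 0;
    while (dims-- > 0) if (!append(out, outlen, "[]")) return 0;
    *pp = p;
    return 1;
}

/* Decode a method descriptor such as "(I[B)Z" into "(int, byte[]) -> boolean".
 * Returns the number of Java-side arguments, or -1 if the descriptor is malformed. */
int decode_descriptor(const char *sig, char *out, size_t outlen) {
    if (!sig || *sig != '(' || outlen == 0) return -1;
    const char *p = sig + 1;
    int argc = 0;
    out[0] = '\0';
    if (!append(out, outlen, "(")) return -1;
    while (*p != '\0' && *p != ')') {
        if (*p == 'V') return -1;                 /* void is not a parameter type */
        if (argc > 0 && !append(out, outlen, ", ")) return -1;
        if (!decode_type(&p, out, outlen)) return -1;
        argc++;
    }
    if (*p != ')') return -1;
    p++;
    if (!append(out, outlen, ") -> ")) return -1;
    if (!decode_type(&p, out, outlen) || *p != '\0') return -1;
    return argc;
}

int main(void) {
    char desc[160];
    printf("RegisterNatives = env slot %d: +0x%lx on 64-bit, +0x%lx on 32-bit\n",
           JNI_REGISTER_NATIVES_INDEX, jni_table_offset(JNI_REGISTER_NATIVES_INDEX, 8),
           jni_table_offset(JNI_REGISTER_NATIVES_INDEX, 4));
    for (size_t i = 0; i < G_NMETHODS; i++) {   /* the recovered mapping, one line per entry */
        int argc = decode_descriptor(g_methods[i].signature, desc, sizeof desc);
        printf("%-9s %-26s -> %p  %s [%d Java args]\n", g_methods[i].name, g_methods[i].signature,
               g_methods[i].fnPtr, argc < 0 ? "<malformed descriptor>" : desc, argc);
    }
    return 0;
}
```

Build with cc -o jni_table jni_table.c and run it. In practice you rarely match the 0x6B8/0x35C constants by hand: importing jni.h into the decompiler and retyping the first parameter of JNI_OnLoad as JNIEnv * makes the table loads show up as named calls, and the decoded descriptor is what you then apply as the prototype of each fnPtr target.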
