ReDex: Unpacking Android Packed Apps by Executing Every Method

2020 
In recent years, Android commercial packers have been widely used to encrypt the dex files of apps, making it hard for analysts and malware detection solutions to obtain the actual dex files for further analysis. We therefore propose a novel unpacking system named ReDex. ReDex uses Java reflection to execute all methods with forged arguments and collects the original instructions while each method executes. Although a method may crash because of the forged arguments, ReDex can still collect the original instructions released by the commercial packer before the crash. We also design an exception/crash handling module, which avoids most crashes and restarts the unpacking process at the next method after a crash. A comparison with 2 state-of-the-art unpackers on 100 packed apps with source code and 140 packed apps from the wild shows that ReDex can unpack more apps. In addition, we conduct an experiment with 1,801 real-world apps packed by 7 representative packers. Of 21 million methods, ReDex extracts 19,239,743 (90.30%). The exception/crash handling module reduces the crash rate to 2.31%. In these packed apps, we find 4 interesting packing techniques; ReDex handles all of them, while the 2 state-of-the-art unpackers cannot.
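The abstract describes the core loop of the approach: enumerate every method, invoke it through reflection with forged arguments, and keep going when the method throws. The following is an added example, written here to illustrate that loop; it is not ReDex's own code and the paper does not give its implementation. It assumes a forging strategy of zero for primitives and null for references (the paper does not say how ReDex forges arguments), uses a constructed `Target` class in place of a decrypted app class, and stands in for the instruction-collection step with a log entry, since dumping instructions as they are released by the packer requires hooking the runtime rather than plain Java.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative "execute every method" driver (not ReDex's code).
 * For each declared method of a class: forge arguments from the parameter
 * types, invoke via reflection, record that the body ran, and continue with
 * the next method if it throws. In a real unpacker the recording step would
 * be a runtime hook that dumps the method's instructions while it executes.
 */
public class ForcedExecutor {

    /** Constructed stand-in for a class whose code a packer has just decrypted. */
    static class Target {
        static String banner() { return "hello"; }
        int add(int a, int b) { return a + b; }
        String greet(String name) { return "hi " + name.length(); } // NPE on forged null
        void boom() { throw new IllegalStateException("packer integrity check"); }
        private long secret(long x) { return x ^ 0xCAFEL; }           // private: needs setAccessible
    }

    /** Methods whose body was entered (instructions would have been collectable). */
    static final List<String> executed = new ArrayList<>();
    /** Methods that threw; recorded so the run can be audited, then skipped. */
    static final List<String> crashed = new ArrayList<>();

    /** Forge a placeholder value: zero for primitives, null for any reference type (assumption). */
    static Object forge(Class<?> t) {
        if (!t.isPrimitive()) return null;
        if (t == boolean.class) return false;
        if (t == char.class) return '\0';
        if (t == byte.class) return (byte) 0;
        if (t == short.class) return (short) 0;
        if (t == int.class) return 0;
        if (t == long.class) return 0L;
        if (t == float.class) return 0f;
        return 0d; // double
    }

    static void runAll(Class<?> cls) {
        Object instance = null;
        try {
            Constructor<?> ctor = cls.getDeclaredConstructor();
            ctor.setAccessible(true);
            instance = ctor.newInstance();
        } catch (ReflectiveOperationException e) {
            // No usable no-arg constructor: static methods can still be driven.
        }
        for (Method m : cls.getDeclaredMethods()) {
            boolean isStatic = Modifier.isStatic(m.getModifiers());
            if (!isStatic && instance == null) continue; // nothing to call it on
            Class<?>[] types = m.getParameterTypes();
            Object[] args = new Object[types.length];
            for (int i = 0; i < types.length; i++) args[i] = forge(types[i]);
            try {
                m.setAccessible(true);                 // reach private methods too
                m.invoke(isStatic ? null : instance, args);
                executed.add(m.getName());
            } catch (InvocationTargetException e) {
                // The method body itself threw. By the time the exception propagates the
                // body has already started executing, so a runtime hook would already have
                // seen its instructions. Record the failure and move to the next method.
                executed.add(m.getName());
                crashed.add(m.getName() + ": " + e.getCause());
            } catch (Throwable t) {
                // Reflection-level failure (access, argument mismatch, VM error): skip and continue.
                crashed.add(m.getName() + ": " + t);
            }
        }
    }

    public static void main(String[] args) {
        runAll(Target.class);
        System.out.println("executed: " + executed); // all five methods, in JVM order
        System.out.println("crashed:  " + crashed);  // greet (NullPointerException), boom (IllegalStateException)
    }
}
```

The point of catching `InvocationTargetException` separately is the one the abstract makes: a crash caused by forged arguments happens inside the method body, after the packer has already had to release the real instructions, so the failure costs nothing as long as the driver survives it and resumes at the next method. On Android the same idea has to cope with native crashes (signals) rather than only Java exceptions, which is what the paper's exception/crash handling module is for.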