HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)

DAVID TEITELBAUM

DECEMBER 2012

@davtbaum

2 2012 Apkudo Inc. Confidential www.apkudo.com

OBJECTIVES

Android app disassembly Fundamentals of code injection How to use tools like Smali/Baksmali Best practices in Android forensics.

Expect to learn:

3 2012 Apkudo Inc. Confidential www.apkudo.com

ROADMAP PART I - CLASS PART II - DEMO

Approach to hacking Tools apktool, baksmali, smali The APK Dalvik Virtual Machine Reading Dalvik byte code

Scramble With Friends deep dive App disassembly and analysis Code injection with ViewServer Resource serialization and transmission to host machine

4 2012 Apkudo Inc. Confidential www.apkudo.com

PART I - CLASS

5 2012 Apkudo Inc. Confidential www.apkudo.com

1. Extract APK and disassemble classes.dex (baksmali) 2. Apply static analysis what is the application doing? 3. Inject byte code into the application to modify execution 4. Reassemble classes.dex (smali) and rezip APK

APK HACKING Approach

Disassemble (baksmali)

.smali

Sta0c analysis/ Code Injec0on

Reassemble (smali)

6 2012 Apkudo Inc. Confidential www.apkudo.com

CODE INJECTION You dont need to be a Dalvik byte code pro!

Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code

Stick to public static methods in Dalvik byte code which have no register dependencies.

Let the compiler do the work!

Best Practices:

7 2012 Apkudo Inc. Confidential www.apkudo.com

TOOLS Access to a terminal environment (preferably Linux or mac

osx)

Android SDK and a working emulator

Smali/Baksmali - http://code.google.com/p/smali/

Apktool - http://code.google.com/p/android-apktool/

Editor of choice (emacs!)

Youll need

8 2012 Apkudo Inc. Confidential www.apkudo.com

SMALI/BAKSMALI?

Baksmali disassembles Dalvik executable (.dex) into readable Dalvik byte code (.smali)

Smali re-assembles .smali files back into .dex Dalvik executable

Gives developers the ability to modify execution without having access to source code

Documentation on Smali/Baksmali and Dalvik in Smali wiki http://code.google.com/p/smali/w/list

Dalvik Assembler/ Disassembler

9 2012 Apkudo Inc. Confidential www.apkudo.com

APKTOOL Wraps smali/baksmali and Android asset packaging tool

(aapt) Decodes resources and deserializes xml

Great for manifest introspection

Buggy :/

All in one reverser

10 2012 Apkudo Inc. Confidential www.apkudo.com

THE APK A container for your app Zipped file formatted based on JAR

META-INF/

AndroidManifest.xml

classes.dex

lib/ res/

resources.arsc

11 2012 Apkudo Inc. Confidential www.apkudo.com

EXAMPLES $ unzip foobar.apk d foobar!!$ cd ./foobar!!$ ls!AndroidManifest.xml META-INF classes.dex res resources.arsc lib!!$ baksmali a 10 d ~/boot_class_path classes.dex!!

baksmali

API level boot class path dex file

12 2012 Apkudo Inc. Confidential www.apkudo.com

EXAMPLES $ ls!AndroidManifest.xml META-INF classes.dex res resources.arsc lib!out!!$ smali a 10 ./out o classes.dex!!!!$ zip r ~/hacked.apk ./*!

smali

API level output dex file

recursive

13 2012 Apkudo Inc. Confidential www.apkudo.com

EXAMPLES $ apktool d foobar.apk foobar !!!$ cd ./foobar!!$ ls!AndroidManifest.xml apktool.yml assets res smali!!$ cd ../!!$ apktool b ./foobar !

apktool

decode out directory

build

14 2012 Apkudo Inc. Confidential www.apkudo.com

SMALI FILES class representation in byte code

.class public Lcom/apkudo/util/Serializer;!

.super Ljava/lang/Object;!

.source "Serializer.java!!# static fields!.field public static final TAG:Ljava/lang/String; = "ApkudoUtils!!# direct methods!.method public constructor ()V! .registers 1!! .prologue! .line 5! invoke-direct {p0}, Ljava/lang/Object;->()V!! return-void!.end method!

Class information

Static fields

Methods

15 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX

Class names prefixed with L full name space slash separated

!

Lcom/apkudo/util/Serializer; !classes

16 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX

Method definitions .method ()

Method invocations invoke-static any method that is static invoke-virtual any method that isnt private, static, or

final invoke-direct any non-static direct method invoke-super any superclasses virtual method Invoke-interface invoke an interface method!

.method private doSomething()V!methods

17 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX

All registers are 32 bits Declaration

.registers total number of registers .locals total minus method parameter registers

Naming scheme P registers parameter registers

implicit p0 = this instance V registers local registers

P registers are always at the end of the register list

.locals 16!

.registers 18!Registers

18 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX

.method public onCreate()V! .registers 7!!! ...!

!!

Register Example

v0 First local register v1 Second local register v2 v3 v4 v5 v6 p0 First param this

19 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX

.method public doIt(Ljava/lang/String;II)V! .registers 7!!!

Register Example 2

v0 First local register v1 Second local register v2 v3 p0 this v4 p1 String v5 p2 int v6 p3 int

20 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX

.method public doIt(JI)V! .registers 7!!

!# hint, j == long!!!

Register Example 3

v0 First local register v1 Second local register v2 v3 v4 v5 v6

Third local register p0 this instance

p1 long rst register p2 long second register p3 int

21 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX jumps

goto

jumping .method public doIt(JI)V!

.registers 7!!

!...!!

!goto :goto_31!!!!...!

!!:goto_31!!return-void!

!

22 2012 Apkudo Inc. Confidential www.apkudo.com

SYNTAX Conditionals

If-eq If-ne If-le If-lt If-ge If-gt

Add z for zero

conditionals method public foobar()V!

.registers 2!! const/4 v0, 0x0!! if-eqz v0, :cond_6!! return-void!! :cond_6!!

!# Do something!!!

.end method!

23 2012 Apkudo Inc. Confidential www.apkudo.com

PUTTING IT ALL TOGETHER Example .method public getCurrentAccountName()Ljava/lang/String;! .registers 2!

! .prologue! .line 617! iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;!! if-nez v0, :cond_6!! const/4 v0, 0x0!! :goto_5! return-object v0!! :cond_6! iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;!! goto :goto_5!.end method!

v0 First local register v1 p0 this instance

Getting this field! of type into this reg

24 2012 Apkudo Inc. Confidential www.apkudo.com

PART II - DEMO

25 2012 Apkudo Inc. Confidential www.apkudo.com

26 2012 Apkudo Inc. Confidential www.apkudo.com

RESOURCE SERIALIZATION AND TRANSMISSION

onCreate() addWindow()

ViewServer

Android OS

ROMAIN GUYS VIEWSERVER

ADB forwarded localhost:4939

27 2012 Apkudo Inc. Confidential www.apkudo.com

STEP 1

Extract classes.dex and remove keys unzip scramble.apk! rm r ./META-INF!!

Disassemble: baksmali -a 10 d ./classes.dex! -a = api-level! -d = bootclasspath dir!

out/target/product/generic/system/framework!

DECOMPRESS AND DISASSEMBLE

28 2012 Apkudo Inc. Confidential www.apkudo.com

STEP 2 Find the words listhow?

Beat obfuscation! Search for class types and log messages Find the intersection of the two!

Insert your own log statements

ANDROID FORENSICS

invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;!move-result-object v2!invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I!

29 2012 Apkudo Inc. Confidential www.apkudo.com

STEP 3 Resource located! Now we need to send it

Apply patch to ViewServer that stores list public static void setScrambleWordList(List list);!

Build patched ViewServer, extract .smali files

Copy smali files into our application Easy enough, right?

INJECT VIEWSERVER INTO APP

30 2012 Apkudo Inc. Confidential www.apkudo.com

STEP 4 PATCH APP TO USE VIEWSERVER API

Start the ViewServer in the onCreate() method of MainActivity.smali ViewServer.get()

Pass the list to ViewServer in fu.smali ViewServer.setScrambleWordList(list)

invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;!

invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V!

31 2012 Apkudo Inc. Confidential www.apkudo.com

STEP 5 Re-assemble

smali a 10 ./out o classes.dex! Re-compress

zip z0 r ../scramble.apk ./* Sign APK

jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name!

REBUILD APK

32 2012 Apkudo Inc. Confidential www.apkudo.com

STEP 6

Install adb install r ../scramble.apk!

Forward port adb forward tcp:4939 tcp:4939

Communicate nc l 127.0.0.1 (listen)

INSTALL AND COMMUNICATE WITH APP

33 2012 Apkudo Inc. Confidential www.apkudo.com

APE

Fully aware of applications content Invokes actions and makes decisions based off

of what it sees Optimized and extended Romains ViewServer

Transmit view data after each invoked action Introspect on OpenGL

Uses word list to obtain matrix positions and OpenGL introspection to find buttons on screen

INTELLIGENT ANDROID INSTRUMENTATION

Thank you. DAVID@ .COM @davtbaum