HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
DAVID TEITELBAUM
DECEMBER 2012
@davtbaum
© 2012 Apkudo Inc. Confidential www.apkudo.com
OBJECTIVES
Expect to learn:
- Android app disassembly
- Fundamentals of code injection
- How to use tools like Smali/Baksmali
- Best practices in Android forensics
ROADMAP
PART I - CLASS
- Approach to hacking
- Tools: apktool, baksmali, smali
- The APK
- Dalvik Virtual Machine
- Reading Dalvik byte code
PART II - DEMO
- Scramble With Friends deep dive
- App disassembly and analysis
- Code injection with ViewServer
- Resource serialization and transmission to host machine
PART I - CLASS
APK HACKING: Approach
1. Extract APK and disassemble classes.dex (baksmali)
2. Apply static analysis: what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK
Flow: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)
CODE INJECTION
You don't need to be a Dalvik byte code pro!
Best practices:
- Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
- Stick to public static methods in Dalvik byte code, which have no register dependencies
- Let the compiler do the work!
TOOLS
You'll need:
- Access to a terminal environment (preferably Linux or Mac OS X)
- Android SDK and a working emulator
- Smali/Baksmali - http://code.google.com/p/smali/
- Apktool - http://code.google.com/p/android-apktool/
- Editor of choice (emacs!)
SMALI/BAKSMALI?
Dalvik Assembler / Disassembler
- Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
- Smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify execution without having access to source code
- Documentation on Smali/Baksmali and Dalvik in the Smali wiki: http://code.google.com/p/smali/w/list
APKTOOL
All-in-one reverser
- Wraps smali/baksmali and the Android asset packaging tool (aapt)
- Decodes resources and deserializes XML
- Great for manifest introspection
- Buggy :/
THE APK
A container for your app: a zipped file formatted based on JAR
  META-INF/
  AndroidManifest.xml
  classes.dex
  lib/
  res/
  resources.arsc
EXAMPLES: baksmali
$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib
$ baksmali -a 10 -d ~/boot_class_path classes.dex
(-a = API level, -d = boot class path directory, classes.dex = dex file)
EXAMPLES: smali
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib out
$ smali -a 10 ./out -o classes.dex
$ zip -r ~/hacked.apk ./*
(-a = API level, -o = output dex file, -r = recursive)
EXAMPLES: apktool
$ apktool d foobar.apk foobar
$ cd ./foobar
$ ls
AndroidManifest.xml apktool.yml assets res smali
$ cd ../
$ apktool b ./foobar
(d = decode, foobar = output directory, b = build)
SMALI FILES
Class representation in byte code
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# direct methods
.method public constructor <init>()V
    .registers 1

    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method
Sections, top to bottom: class information, static fields, methods
SYNTAX: classes
Class names are prefixed with L, use the full namespace, and are slash separated, e.g. Lcom/apkudo/util/Serializer;
SYNTAX: methods
Method definitions: .method <modifiers> <name>(<parameter descriptors>)<return descriptor>, e.g.
.method private doSomething()V
Method invocations:
- invoke-static: any method that is static
- invoke-virtual: any method that isn't private, static, or final
- invoke-direct: any non-static direct method
- invoke-super: any superclass's virtual method
- invoke-interface: invoke an interface method
SYNTAX: registers
All registers are 32 bits.
Declaration:
- .registers: total number of registers
- .locals: total minus method parameter registers
Naming scheme:
- P registers: parameter registers (implicit p0 = this instance)
- V registers: local registers
- P registers are always at the end of the register list
Example:
.locals 16
.registers 18
SYNTAX: Register Example
.method public onCreate()V
    .registers 7
    ...
v0  First local register
v1  Second local register
v2
v3
v4
v5
v6  p0  First param: this
SYNTAX: Register Example 2
.method public doIt(Ljava/lang/String;II)V
    .registers 7
v0  First local register
v1  Second local register
v2
v3  p0  this
v4  p1  String
v5  p2  int
v6  p3  int
SYNTAX: Register Example 3
.method public doIt(JI)V
    .registers 7
    # hint: J == long
v0  First local register
v1  Second local register
v2  Third local register
v3  p0  this instance
v4  p1  long, first register
v5  p2  long, second register
v6  p3  int
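The three register examples above all follow one rule: parameters sit in the highest-numbered registers, p0 is the implicit this for instance methods, and a 64-bit J or D takes two adjacent registers. The script below is an added example (not part of the deck or of Apkudo's tooling) that computes that layout from a .method line and a .registers count, and goes slightly beyond the slides by also handling static methods (no p0 this) and array descriptors. The regular expression for the .method header, and the function names, are my own assumptions.

```python
import re

# Dalvik descriptors for 64-bit primitives; each occupies two adjacent registers.
WIDE_TYPES = {"J", "D"}

# Matches a smali method header such as ".method public doIt(JI)V" (assumed format:
# zero or more lowercase modifiers, a name, parameter descriptors, return descriptor).
METHOD_RE = re.compile(
    r"\.method\s+(?P<mods>(?:[a-z-]+\s+)*)(?P<name>[^\s(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)"
)


def parse_params(descriptors):
    """Split a parameter descriptor string into individual type descriptors.
    'Ljava/lang/String;II' -> ['Ljava/lang/String;', 'I', 'I']"""
    params = []
    i = 0
    while i < len(descriptors):
        start = i
        while descriptors[i] == "[":   # array dimensions prefix the element type
            i += 1
        if descriptors[i] == "L":      # object type runs up to and including ';'
            i = descriptors.index(";", i) + 1
        else:                          # primitive: a single character
            i += 1
        params.append(descriptors[start:i])
    return params


def parameter_slots(method_line):
    """Return the p-register slots, in order, for a .method line:
    p0 is the implicit 'this' unless the method is static; wide types take two slots."""
    m = METHOD_RE.match(method_line.strip())
    if not m:
        raise ValueError(f"not a .method line: {method_line!r}")
    slots = []
    if "static" not in m.group("mods").split():
        slots.append("p0 this")
    for t in parse_params(m.group("params")):
        slots.append(f"p{len(slots)} {t}")
        if t in WIDE_TYPES:
            slots.append(f"p{len(slots)} {t} (second half)")
    return slots


def locals_count(method_line, registers):
    """The value a '.locals' directive carries for this method and '.registers' total."""
    n_params = len(parameter_slots(method_line))
    if n_params > registers:
        raise ValueError("too few registers for the method's parameters")
    return registers - n_params


def register_layout(method_line, registers):
    """Map every vN in the frame to 'local' or to the p-register that aliases it.
    Parameters always occupy the highest-numbered registers."""
    slots = parameter_slots(method_line)
    n_locals = locals_count(method_line, registers)
    layout = {f"v{i}": "local" for i in range(n_locals)}
    for offset, slot in enumerate(slots):
        layout[f"v{n_locals + offset}"] = slot
    return layout


if __name__ == "__main__":
    # The deck's three register examples, all declared with .registers 7.
    for line, regs in [(".method public onCreate()V", 7),
                       (".method public doIt(Ljava/lang/String;II)V", 7),
                       (".method public doIt(JI)V", 7)]:
        print(line, f".registers {regs}", f".locals {locals_count(line, regs)}")
        for reg, role in register_layout(line, regs).items():
            print(f"  {reg:<3} {role}")
```

Reading a patched method's register map this way is also how to check an injected call for the "no register dependencies" rule from the code injection slide: an invoke-static with an empty register list cannot clobber or depend on any of the frame's v or p registers.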
SYNTAX: jumps
goto
.method public doIt(JI)V
    .registers 7
    ...
    goto :goto_31
    ...
    :goto_31
    return-void
SYNTAX: conditionals
if-eq, if-ne, if-le, if-lt, if-ge, if-gt
Add z for a comparison with zero (e.g. if-eqz)
.method public foobar()V
    .registers 2
    const/4 v0, 0x0
    if-eqz v0, :cond_6
    return-void
    :cond_6
    # Do something
.end method
PUTTING IT ALL TOGETHER: Example
.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2

    .prologue
    .line 617
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;

    if-nez v0, :cond_6

    const/4 v0, 0x0

    :goto_5
    return-object v0

    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;

    goto :goto_5
.end method
Registers: v0 = first local register, v1 = p0 = this instance
Reading the first iget-object: get this field (mCurrentAccount) of this type (Landroid/accounts/Account;) from this object (p0) into this register (v0)
PART II - DEMO
ROMAIN GUY'S VIEWSERVER
RESOURCE SERIALIZATION AND TRANSMISSION
Diagram: the app's onCreate() calls addWindow() on ViewServer, which runs inside the Android OS; the host reaches it through an ADB-forwarded localhost:4939.
STEP 1: DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove keys:
$ unzip scramble.apk
$ rm -r ./META-INF
Disassemble:
$ baksmali -a 10 -d out/target/product/generic/system/framework ./classes.dex
(-a = api-level, -d = bootclasspath dir)
STEP 2: ANDROID FORENSICS
Find the words list. How?
- Beat obfuscation! Search for class types and log messages, then find the intersection of the two
- Insert your own log statements:
invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
STEP 3: INJECT VIEWSERVER INTO APP
Resource located! Now we need to send it.
- Apply a patch to ViewServer that stores the list: public static void setScrambleWordList(List list);
- Build the patched ViewServer, extract the .smali files
- Copy the smali files into our application. Easy enough, right?
STEP 4: PATCH APP TO USE VIEWSERVER API
- Start the ViewServer in the onCreate() method of MainActivity.smali: ViewServer.get()
invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
- Pass the list to ViewServer in fu.smali: ViewServer.setScrambleWordList(list)
invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
STEP 5: REBUILD APK
Re-assemble:
$ smali -a 10 ./out -o classes.dex
Re-compress:
$ zip -0 -r ../scramble.apk ./*
Sign APK:
$ jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
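Step 1 strips META-INF (the JAR-style signature set described on the APK container slide) and Step 5 re-signs the rebuilt archive with jarsigner. The script below is an added example, not part of the deck or of Apkudo's tooling, showing what that signature set lets a reviewer verify from the defending side: it builds a constructed APK-shaped zip with a v1 MANIFEST.MF, then reports a stripped signature set, an entry modified after signing, and an entry added after signing. Assumptions: the entry contents are constructed placeholders (not real dex or arsc data), CERT.SF and CERT.RSA are placeholders, and only the MANIFEST.MF digests are checked (a full check also validates CERT.SF against the manifest and the signing certificate; newer Android versions also carry v2+ signature blocks outside META-INF). All function names are mine.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample entries standing in for a real APK's contents.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.constructed'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "resources.arsc": b"\x02\x00\x0c\x00constructed-resources",
}


def sha1_b64(data):
    """SHA1-Digest value as it appears in a v1 (JAR-style) MANIFEST.MF: base64 of raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries):
    """Build a MANIFEST.MF with one 'Name:/SHA1-Digest:' section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def make_apk(entries, signed=True):
    """Zip the entries as an APK-shaped archive, with or without a META-INF signature set.
    CERT.SF and CERT.RSA are placeholders; only the manifest digests are verified below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
            zf.writestr("META-INF/CERT.SF", b"placeholder signature file")
            zf.writestr("META-INF/CERT.RSA", b"placeholder signature block")
    return buf.getvalue()


def replace_entry(apk_bytes, name, data):
    """Rewrite the archive with one entry swapped or added and META-INF left untouched,
    which is what a repack without re-signing looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        seen = False
        for info in src.infolist():
            if info.filename == name:
                seen = True
                dst.writestr(name, data)
            else:
                dst.writestr(info.filename, src.read(info.filename))
        if not seen:
            dst.writestr(name, data)
    return buf.getvalue()


def parse_manifest(raw):
    """Return {entry name: SHA1-Digest} from MANIFEST.MF text."""
    digests, name = {}, None
    for line in raw.decode("utf-8").splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None            # a blank line ends a manifest section
    return digests


def check_apk(apk_bytes):
    """Integrity findings for an APK: is a v1 signature set present, and does every
    digest in MANIFEST.MF still match the entry it covers?"""
    findings = {"signed": False, "missing": [], "mismatched": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        meta = {n for n in names if n.startswith("META-INF/")}
        has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
        if "META-INF/MANIFEST.MF" not in names or not has_block:
            return findings        # keys stripped (rm -r META-INF) or never signed
        findings["signed"] = True
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        for name, expected in digests.items():
            if name not in names:
                findings["missing"].append(name)
            elif sha1_b64(zf.read(name)) != expected:
                findings["mismatched"].append(name)   # entry changed after signing
        for name in sorted(names - meta):
            if not name.endswith("/") and name not in digests:
                findings["unlisted"].append(name)     # entry added after signing
    return findings


if __name__ == "__main__":
    original = make_apk(SAMPLE_ENTRIES)
    print("original:", check_apk(original))
    print("stripped META-INF:", check_apk(make_apk(SAMPLE_ENTRIES, signed=False)))
    print("patched dex, old manifest:", check_apk(replace_entry(original, "classes.dex", b"patched")))
    print("extra lib, old manifest:", check_apk(replace_entry(original, "lib/armeabi/libx.so", b"x")))
```

Because the Step 5 jarsigner run produces a fresh manifest, a repackaged APK that was properly re-signed will pass this digest check; what it cannot do is reproduce the original developer's certificate, which is why a signer comparison against a known-good build, not just a digest check, is the control a defender should rely on.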
STEP 6: INSTALL AND COMMUNICATE WITH APP
Install:
$ adb install -r ../scramble.apk
Forward port:
$ adb forward tcp:4939 tcp:4939
Communicate:
$ nc -l 127.0.0.1 (listen)
APE: INTELLIGENT ANDROID INSTRUMENTATION
- Fully aware of the application's content
- Invokes actions and makes decisions based off of what it sees
- Optimized and extended Romain's ViewServer
- Transmits view data after each invoked action
- Introspects on OpenGL
- Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
Thank you. DAVID@ .COM @davtbaum