Who Needs Thumbs? Reverse Engineering Scramble With Friends

Apkudo's AnDevCon III class, "Who Needs Thumbs? Reverse Engineering Scramble With Friends: Part 1" This class was presented on May 15, 2012 by Apkudo's App Analytics Engineer, David Teitelbaum, and CEO, Josh Matthews.

Page 1: Who Needs Thumbs? Reverse Engineering Scramble With Friends

WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS

JOSH MATTHEWS DAVID TEITELBAUM

MAY 2012

Page 2

© 2012 Apkudo Inc. Confidential www.apkudo.com

OBJECTIVES
• APK Code Injection
• Smali/Baksmali
• Android Instrumentation
• Android Forensics
• Hands On!

Page 3

VIEW SCRAMBLE WITH FRIENDS DEMO HERE:
http://tiny.cc/r79rew

Page 4

APK HACKING: Approach
1. Extract the APK and disassemble classes.dex
2. Isolate the target resources (e.g., the Scramble With Friends word list)
3. Create a server to receive the resource, serialize it, and transmit it to the host
4. Patch the APK with the server.

Page 5

BUT I DON'T KNOW DALVIK!? DON'T WORRY!
• You do know Java, and you can use the Smali/Baksmali tools to disassemble compiled Java code (classes.dex) into readable Dalvik byte code
• By sticking to public static methods within the server, each static method call in Dalvik is only two lines long:

    invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
    move-result-object v0

Page 6

SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
• Baksmali disassembles the APK's classes.dex executable into readable Dalvik byte code (.smali)
• Smali re-assembles .smali files back into a .dex Dalvik executable
• Gives developers the ability to modify Android APKs without having access to the source code
• Documentation on Smali/Baksmali and Dalvik is in the Smali wiki: http://code.google.com/p/smali/w/list

Page 7

ROMAIN'S VIEWSERVER: LOCAL SERVER FOR ANDROID'S HIERARCHY VIEWER
• Serves the app's view data to the host (hierarchyviewer) over a port forwarded through ADB
• Runs entirely in the APK's address space
• Developed to emulate the Android ViewServer implemented on development Android devices
• Perfect for transmitting the serialized word list back to a host machine
• Must add a ViewServer window in the onCreate() method of each activity in the app.
• https://github.com/romainguy/ViewServer

Page 8

STEP 1: DECOMPRESS AND DISASSEMBLE
• Extract classes.dex and remove the existing signature files (META-INF):

    unzip scramble.apk
    rm -r ./META-INF

• Disassemble:

    baksmali -a 10 -c <framework_path> ./classes.dex

  -a = api-level
  -c = bootclasspath, e.g. out/target/product/generic/system/framework

Page 9

STEP 2: ANDROID FORENSICS
• Investigate the .smali source code for where resources are aggregated
• Trace the onCreate() method in the calling activity (ScrambleGameActivity.java)
• Insert log statements to print the active resources:

    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

Page 10

WHAT WE FOUND: A LIST OF WORDS AND MATRIX POSITIONS

Page 11

STEP 3: COMPILE VIEWSERVER INTO DONOR APP
• The donor can be any Android app you can build from source
• Just include the server's .java files as part of the package
  - The server does not need to be instantiated or implemented in the app itself
  - It is there for compilation purposes only!

Page 12

STEP 4: EXTRACT SERVER FROM DONOR AND INJECT INTO SWF
• Disassemble ViewServer.apk
• Use sed to replace all references to com.android.debug.hv.ViewServer with com.zynga.scramble.ViewServer
• Run (the `g` flag catches lines that mention the class twice, such as `get()` returning its own type; `-i ''` is the BSD/macOS sed form, GNU sed takes a bare `-i`):

    find . -type f -exec sed -i '' 's#Lcom/android/debug/hv/ViewServer#Lcom/zynga/scramble/ViewServer#g' {} +

• Copy the ViewServer .smali files into the SWF out directory

Page 13

STEP 5: PATCH SWF TO SERVE VIEW DATA ON ACTIVITY LAUNCH
• Preliminary investigation shows that SWF uses a base class that extends Activity:

    grep -sir '.super Landroid/app/Activity;' ./

• In the onCreate() and onResume() methods, invoke ViewServer.addWindow() and ViewServer.setFocusedWindow() respectively

Page 14

STEP 6: IMPLEMENT RESOURCE SERIALIZATION ON VIEWSERVER
• Create a public static method that takes in the resource, serializes it, and transmits it to the host.
• Patch the APK to invoke this method once the resources have been collected:

    invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
    invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
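As an added example (this is not code from the deck or from Apkudo), a small Python scanner that runs over baksmali output and flags the two splice points the Step 5 and Step 6 slides describe: a ViewServer window call inside a lifecycle method of an Activity subclass, and a static call into the app's own package to a serialization sink. It is the check a reviewer would run over a disassembled APK to tell whether such hooks have been injected. The smali fragment is constructed, the storeList name is assumed from the Step 6 slide, and the package prefix is a parameter.

```python
import re

# Constructed smali fragment (not from the deck) shaped like the patches on the
# Step 5 and Step 6 slides: a ViewServer hook in onCreate(), then storeList().
SAMPLE_SMALI = """\
.class public Lcom/zynga/scramble/BaseActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
    move-result-object v0
    invoke-virtual {v0, p0}, Lcom/zynga/scramble/ViewServer;->addWindow(Landroid/app/Activity;)V
.end method
.method private collectWords(Ljava/util/List;)V
    invoke-interface {p1, p0}, Ljava/util/List;->add(Ljava/lang/Object;)Z
    invoke-static {p1}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
.end method
"""

CLASS = re.compile(r"^\.class\s+(?:\w+\s+)*(L\S+;)")
SUPER = re.compile(r"^\.super\s+(L\S+;)")
METHOD = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([\w<>$]+)\(")
INVOKE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s+(L[^;]+;)->([\w<>$]+)\(")
LIFECYCLE = {"onCreate", "onResume", "onPause", "onDestroy"}
WINDOW_HOOKS = {"addWindow", "setFocusedWindow", "removeWindow"}  # ViewServer window API
RESOURCE_SINKS = {"storeList"}  # assumed name, taken from the Step 6 slide

def scan_smali(text, app_prefix="Lcom/zynga/scramble/"):
    """Return (line, class, method, rule, target) for each suspicious invoke:
    'lifecycle-hook' = ViewServer window call in a lifecycle method of an Activity
    subclass; 'resource-sink' = static call to a known sink inside the app's package."""
    findings, cls, sup, meth = [], None, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := CLASS.match(line):
            cls, sup = m.group(1), None      # new class: forget the previous .super
        elif m := SUPER.match(line):
            sup = m.group(1)
        elif m := METHOD.match(line):
            meth = m.group(1)
        elif line == ".end method":
            meth = None
        elif m := INVOKE.match(line):
            tgt_cls, tgt_meth = m.groups()
            in_activity = bool(sup) and sup.endswith("Activity;")
            if tgt_meth in WINDOW_HOOKS and in_activity and meth in LIFECYCLE:
                findings.append((n, cls, meth, "lifecycle-hook", f"{tgt_cls}->{tgt_meth}"))
            elif tgt_meth in RESOURCE_SINKS and tgt_cls.startswith(app_prefix):
                findings.append((n, cls, meth, "resource-sink", f"{tgt_cls}->{tgt_meth}"))
    return findings
```

Point it at the concatenated contents of a baksmali out directory and every hit names the class, method and line to inspect.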

Page 15

STEP 7: REBUILD APK
• Re-assemble:

    smali -a 10 ./out -o classes.dex

• Re-compress:

    zip -z0 -r ../scramble.apk ./*

• Sign the APK:

    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name

Page 16

APE: INTELLIGENT ANDROID INSTRUMENTATION
• Fully aware of the application's content
• Invokes actions and makes decisions based on what it sees
• Optimized and extended Romain's ViewServer
  - Transmits view data after each invoked action
  - Introspects on OpenGL
• Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen

Page 17

Thank you.
JOSH@ .COM @jshmthws
DAVID@ .COM @davtbaum