Embed Size (px)
DESCRIPTION
Fact: It is generally assumed that reverse engineering of Android applications is much easier than on other architectures. Static program analysis is the way to go.You can go back and forth between application and bytecode assembly without much hassle. Reality: Few techniques are willing to make their comeback on this platform, namely dynamically code loading and self modifying code : bringing the fun back ! Source code examples will be shown, with step by step explanation. https://www.hackitoergosum.org
Citation preview
![Page 1: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/1.jpg)
1
Nifty stuff that you can still do with Android
Xavier 'xEU' Martin
HES 2013
May 2th 2013
![Page 2: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/2.jpg)
2
Thank You!
This presentation is a compilation of original research done by the following people: Tim Strazzere (Black Hat USA 2012)
Patrick Schulz
![Page 3: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/3.jpg)
3
Speaker's bio
Bootstrapping Immunapp
Immunapp is a developer library and a SaaS dashboard that helps Android app developers fight against rampant malware which are repackaged versions of legitimate apps.
Past work
RE'ed Video game console : Dreamcast, PlayStation2.
Code & tools were used in Code Breaker (cheat device)
![Page 4: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/4.jpg)
4
Outline
Android architecture
Dynamic DEX file loading
Self modifying Dalvik bytecode
![Page 5: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/5.jpg)
5
Android
Applications are (mostly) written in Java
Classes are merged onto a single file, suitable for Dalvik virtual machine
Deployed in APK file
– AndroidManifest.xml : describe application (package name, components, required permissions, compatibility level)
– Certificate, digests of files– Assets : image, video, audio– Native code : .so libraries– Classes.dex : Dalvik virtual machine
![Page 6: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/6.jpg)
6
classes.dex – Dalvik EXecutable
Application sourcecode : java
Compiled onto regular .class files
Android specific steps
Merge multiple classes onto a single file
Convert bytecode, from stack machines (JVM) to register-based architecture (Dalvik)
![Page 7: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/7.jpg)
7
DexClassLoader
Application wants to load another dex file
– Legitimate usage : in-app purchase– Abuse : from Command&Control server
API
– DexClassLoader(String dexPath, String optimizedDirectory, String libraryPath, ClassLoader parent)
– Needs dex file on disk
![Page 8: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/8.jpg)
8
Under the hood
Dalvik internals: dvm_dalvik_system_DexFile
const DalvikNativeMethod dvm_dalvik_system_DexFile[] = {
{ "openDexFile", "(Ljava/lang/String;Ljava/lang/String;I)I",
Dalvik_dalvik_system_DexFile_openDexFile },
{ "openDexFile", "([B)I",
Dalvik_dalvik_system_DexFile_openDexFile_bytearray },
{ "closeDexFile", "(I)V",
Dalvik_dalvik_system_DexFile_closeDexFile },
{ "defineClass", "(Ljava/lang/String;Ljava/lang/ClassLoader;I)Ljava/lang/Class;",
Dalvik_dalvik_system_DexFile_defineClass },
{ "getClassNameList", "(I)[Ljava/lang/String;",
Dalvik_dalvik_system_DexFile_getClassNameList },
{ "isDexOptNeeded", "(Ljava/lang/String;)Z",
Dalvik_dalvik_system_DexFile_isDexOptNeeded },
{ NULL, NULL, NULL },
};
![Page 9: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/9.jpg)
9
dvm_dalvik_system_DexFile
Application must use native code (JNI, .so library)
OnLoad method + dlsymJNINativeMethod *dvm_dalvik_system_DexFile;
JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
void *ldvm = (void*)dlopen("libdvm.so", RTLD_LAZY);
dvm_dalvik_system_DexFile = (JNINativeMethod*)dlsym(ldvm, "dvm_dalvik_system_DexFile");
![Page 10: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/10.jpg)
10
OpenDexFile
From dvm_dalvik_system_DexFile
Find matching name
Check for correct signature ([B)I
Get pointer
![Page 11: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/11.jpg)
11
OpenDexFile
void (*openDexFile)(const u4* args, JValue* pResult);
lookup(openDexFile, "dvm_dalvik_system_DexFile", "([B)I", &openDexFile)
int lookup (JNINativeMethod *table, const char *name, const char *sig, void (**fnPtrout)(u4 const *, union JValue *)) {
int i = 0;
while (table[i].name != NULL) {
if ( (strcmp(name, table[i].name) == 0) && (strcmp(sig, table[i].signature) == 0) ) {
*fnPtrout = table[i].fnPtr;
return 1;
}
i++;
}
return 0;
}
![Page 12: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/12.jpg)
12
OpenDexFile
Invoke
ArrayObject *ao; // header+dex content
u4 args[] = { (u4)ao };
JValue pResult ;
jint result ;
openDexFile(args, &pResult);
result = (jint)pResult.l;
return result;
![Page 13: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/13.jpg)
13
Under the hood
Dalvik internals: dvm_dalvik_system_DexFile
const DalvikNativeMethod dvm_dalvik_system_DexFile[] = {
{ "openDexFile", "(Ljava/lang/String;Ljava/lang/String;I)I",
Dalvik_dalvik_system_DexFile_openDexFile },
{ "openDexFile", "([B)I",
Dalvik_dalvik_system_DexFile_openDexFile_bytearray },
{ "closeDexFile", "(I)V",
Dalvik_dalvik_system_DexFile_closeDexFile },
{ "defineClass", "(Ljava/lang/String;Ljava/lang/ClassLoader;I)Ljava/lang/Class;",
Dalvik_dalvik_system_DexFile_defineClass },
{ "getClassNameList", "(I)[Ljava/lang/String;",
Dalvik_dalvik_system_DexFile_getClassNameList },
{ "isDexOptNeeded", "(Ljava/lang/String;)Z",
Dalvik_dalvik_system_DexFile_isDexOptNeeded },
{ NULL, NULL, NULL },
};
![Page 14: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/14.jpg)
14
Dex Loading
getClassNameList (I)[Ljava/lang/String;
– List of classes available from loaded dex
defineClass (Ljava/lang/String;Ljava/lang/ClassLoader;I)Ljava/lang/Class;
– Oddity : expect / as separator (com.a.b.c.d => com/a/b/c/d)
![Page 15: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/15.jpg)
15
Dex Loading
int cookie = openDexFile(...);
Class<?> cls = null;
String as[] = getClassNameList(cookie);
for(int z=0; z<as.length; z++) {
if(as[z].equals("com.immunapp.hes2013.MainActivity")) {cls=defineClass(as[z].replace('.', '/'), context.getClassLoader(), cookie );
} else {defineClass(as[z].replace('.', '/'), context.getClassLoader(), cookie );
}}
if(cls!=null) {
Intent intent = new Intent(this, newcls);
startActivity(intent);
}
![Page 16: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/16.jpg)
16
Self modifying Dalvik Bytecode
JNI again
/proc/self/maps4914300049145000 rs 00003000 1f:01 1013 /data/app/com.immunapp.hes2013.bc1.apk
4914500049146000 rs 0003f000 1f:01 1013 /data/app/com.immunapp.hes2013.bc1.apk
49146000491b5000 rp 00000000 1f:01 857 /data/dalvikcache/data@[email protected][email protected]
491b5000491be000 rwp 00000000 00:07 14251 /dev/ashmem/dalvikauxstructure (deleted)
491bf000491c6000 rxp 00000000 1f:01 837 /data/applib/com.immunapp.hes2013.bc1/libdextest.so
![Page 17: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/17.jpg)
17
Self modifying Dalvik Bytecode
Search in memory : look for DEX signature
dex\n035
It'll be aligned on _SC_PAGESIZE, at offset 0x28
![Page 18: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/18.jpg)
18
Self modifying Dalvik Bytecode
DEX is found : easy part
Parse it
https://source.android.com/tech/dalvik/dex-format.html
![Page 19: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/19.jpg)
19
Self modifying Dalvik Bytecode
DEX header
– String table– Method table– Class Def table
![Page 20: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/20.jpg)
20
Self modifying Dalvik Bytecode
DEX format
Variable-length quantity, ULEB128
127 0x7F
128 0x80 0x01
Strings : MUTF-8 (Modified UTF-8) Encoding
![Page 21: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/21.jpg)
21
Self modifying Dalvik Bytecode
Finding the right place
– 1st pass : search class– 2nd pass : look for your method
encoded_method
– code_off uleb128– offset from the start of the file to the code structure
for this method, or 0 if this method is either abstract or native.
– The offset should be to a location in the data section.
![Page 22: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/22.jpg)
22
Self modifying Dalvik Bytecode
bytecode
– insns ushort[insns_size] (offset 0x10)
– actual array of bytecode, described in a document "Bytecode for the Dalvik VM".
![Page 23: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/23.jpg)
23
Self modifying Dalvik Bytecode
Unlock memory
Align address to closest _SC_PAGESIZE
mprotect((unsigned char*)aligned, PROT_WRITE | PROT_READ, len);
Insert your payload
memcpy((unsigned char*)code_off, opcodes, len);
![Page 24: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/24.jpg)
24
Self modifying Dalvik Bytecode
Unlock memory
Align address to closest _SC_PAGESIZE
mprotect((unsigned char*)aligned, PROT_WRITE | PROT_READ, len);
Insert your payload
memcpy((unsigned char*)code_off, opcodes, len);
![Page 25: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/25.jpg)
25
Self modifying Dalvik Bytecode
Sample
public static int dummyMethod() {
return 42;// bytecode:/*13 00 2A 00 const/16 v0, 0x2A0F 00 return v0
*/
}
![Page 26: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/26.jpg)
26
Self modifying Dalvik Bytecode
sample
native static int searchDex();
native static int patchDex(int addr, String methodName, byte[] opcode);
![Page 27: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/27.jpg)
27
Self modifying Dalvik Bytecode
sample
int dexInMemory = searchDex();
patchDex(dexInMemory, "dummyMethod", new byte[] { 0x13, 0x00, 0x55, 0x00, 0x0F, 0x00 });
int r = dummyMethod();
Log.d("dummy()", ""+r);
![Page 28: [HES2013] Nifty stuff that you can still do with android by Xavier Martin](https://reader034.dokumen.tips/reader034/viewer/2022052522/54bd1fa74a795943458b45c2/html5/thumbnails/28.jpg)
28
Self modifying Dalvik Bytecode I/bytecode( 9205): 4914500049146000 rs 00034000 1f:01 1759 /data/app/com.example.sample41.apk
I/bytecode( 9205): 49146000491b5000 rp 00000000 1f:01 1456 /data/dalvikcache/data@[email protected][email protected]
I/bytecode( 9205): 491b5000491be000 rwp 00000000 00:07 123159 /dev/ashmem/dalvikauxstructure (deleted)
I/bytecode( 9205): 491bf000491c2000 rxp 00000000 1f:01 1409 /data/applib/com.immunapp.hes2013.bc1/libdextest.so
I/bytecode( 9205): 491c2000491c3000 rp 00002000 1f:01 1409 /data/applib/com.immunapp.hes2013.bc1/libdextest.so
I/bytecode( 9205): 491c3000491c4000 rwp 00003000 1f:01 1409 /data/applib/com.immunapp.hes2013.bc1/libdextest.so
I/bytecode( 9205): be95d000be972000 rwp befeb000 00:00 0 [stack]
I/bytecode( 9205): found at 49146000, dex at 49146028
I/bytecode( 9205): methodName=dummyMethod (11)
I/bytecode( 9205): opcodes length=6
I/bytecode( 9205): string_ids_size=00000fac
I/bytecode( 9205): string_ids_off=00000070
I/bytecode( 9205): method_ids_size=00000d81
I/bytecode( 9205): method_ids_off=000085d4
I/bytecode( 9205): method[3280] 000007fe
I/bytecode( 9205): class_defs_size=0000013f
I/bytecode( 9205): class_defs_off=0000f1dc
I/bytecode( 9205): found method[3280] at 0002b470 : 491714a8
I/bytecode( 9205): aligned page 49171000
I/bytecode( 9205): unlocked
I/bytecode( 9205): bytecode patched
D/dummy() ( 9205): 85
![[HES2013] Virtually secure, analysis to remote root 0day on an industry leading ssl-vpn appliance by Tal Zeltzer](https://img.dokumen.tips/doc/110x75/54844eabb4af9fa00d8b4b90/hes2013-virtually-secure-analysis-to-remote-root-0day-on-an-industry-leading-ssl-vpn-appliance-by-tal-zeltzer.jpg)
![[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phone got pwnd ! by Mathieu ‘GoToHack’ RENARD](https://img.dokumen.tips/doc/110x75/54b6e6574a7959aa3d8b46db/hes2013-hacking-apple-accessories-to-pown-idevices-wake-up-neo-your-phone-got-pwnd-by-mathieu-gotohack-renard.jpg)
![[HES2013] The reality about red october by paul root bsd by Paul “RootBSD” Rascagneres](https://img.dokumen.tips/doc/110x75/54844e0f5906b5cd158b4709/hes2013-the-reality-about-red-october-by-paul-root-bsd-by-paul-rootbsd-rascagneres.jpg)
![[HES2013] Information Warfare: mistakes from the MoDs by Raoul “Nobody” Chiesa](https://img.dokumen.tips/doc/110x75/5455ae5faf7959795d8b48f4/hes2013-information-warfare-mistakes-from-the-mods-by-raoul-nobody-chiesa.jpg)
![[Transformers Setting] Looking for Ideas, Thoughts, And Nifty Stuff](https://img.dokumen.tips/doc/110x75/577cd26e1a28ab9e78956d57/transformers-setting-looking-for-ideas-thoughts-and-nifty-stuff.jpg)
