HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
DAVID TEITELBAUM
MAY 2013
@davtbaum
2 © 2013 Apkudo LLC. www.apkudo.com
OBJECTIVES
Expect to learn:
• Android app disassembly
• Fundamentals of code injection
• Smali/Baksmali and reading Dalvik byte code
• Best practices in hardening your app

ROADMAP
PART I - CLASS
• Approach to hacking
• Tools – apktool, baksmali, smali
• The APK
• All things byte code
PART II – DEMO/HACK
• Snapchat deep dive
• App disassembly and analysis
• Code injection
• Recap
PART I - CLASS

APK HACKING
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Analyze – what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip/sign APK
[Diagram labels: Disassemble (baksmali), .smali, Static analysis, Code injection, Reassemble (smali)]

CODE INJECTION
Best Practices:
• Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
• Stick to public static methods in Dalvik byte code which have no register dependencies.
• Let the compiler do the work - this hack was achieved with only one line of code injection!

TOOLS
You’ll need…
• Access to a terminal environment (preferably Linux or Mac OS X)
• Android SDK
• keytool and jarsigner
• Smali/Baksmali - http://code.google.com/p/smali/
• Apktool - http://code.google.com/p/android-apktool/
• Editor of choice (emacs!)

SMALI/BAKSMALI
Dalvik Assembler/Disassembler
• Baksmali disassembles Dalvik executable (.dex) into readable Dalvik byte code (.smali)
• Smali re-assembles .smali files back into .dex Dalvik executable
• Gives developers the ability to modify execution of an APK without having access to source code

APKTOOL
All in one reverser
• Wraps smali/baksmali and Android asset packaging tool (aapt)
• Decodes resources and decompresses xml
• Great for manifest introspection
• Buggy :/

THE APK
A container for your app
• Zipped file formatted based on JAR
META-INF/
AndroidManifest.xml
classes.dex
lib/
res/
resources.arsc

EXAMPLES
baksmali
$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib
$ baksmali -a 10 -d ~/boot_class_path classes.dex
  -a 10                 API level
  -d ~/boot_class_path  boot class path
  classes.dex           dex file

EXAMPLES
smali
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib out
$ smali -a 10 ./out -o classes.dex
$ zip -r ~/hacked.apk ./*
  -a 10           API level
  -o classes.dex  output dex file
  -r              recursive

EXAMPLES
apktool
$ apktool d foobar.apk foobar
$ cd ./foobar
$ ls
AndroidManifest.xml apktool.yml assets res smali
$ cd ../
$ apktool b ./foobar
  d       decode
  foobar  out directory
  b       build

EXAMPLES
keytool and jarsigner
$ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
$ jarsigner -keystore ~/.keystore ./foobar.apk default
  default  alias

SMALI FILES
class representation in byte code
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# direct methods
.method public constructor <init>()V
    .registers 1
    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
Sections: class information, static fields, methods (direct, virtual)

SYNTAX
types
.method private doSomething()V
V  void
Z  boolean
B  byte
S  short
C  char
F  float
I  int
J  long
D  double
[  array
64 bit (J, D) – special instructions

SYNTAX
classes
Lcom/apkudo/util/Serializer;
• full name space slash separated
• prefixed with L
• suffixed with ;
const-string v0, "ApkudoUtils"
new-instance v1, Ljava/lang/StringBuilder;
invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
const-string v2, "docId: ["
invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v1

SYNTAX
methods
.method private doSomething()V
• Method definitions
  • .method <[keyword]> <name>(<[param]>)<return type>
• Method invocations
  • invoke-static – any method that is static
  • invoke-virtual – any method that isn't private, static, or final
  • invoke-direct – any non-static direct method
  • invoke-super – any superclass's virtual method
  • invoke-interface – any interface method
• Virtual methods require their class instance as a parameter!

SYNTAX
methods
.method private doSomething()V
.method private delayedAnimationFrame(J)Z
    .registers 8
    .parameter "currentTime"
  private                keyword
  delayedAnimationFrame  method name
  (J)Z                   parameters/return
# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V

SYNTAX
Registers
• All registers are 32 bits
• Declaration
  • .registers – total number of registers
  • .locals – total minus method parameter registers
• Naming scheme
  • P registers – parameter registers
    • implicit p0 = 'this' instance (non-static)
  • V registers – local registers
• P registers are always at the end of the register list
.locals 16
.registers 18

SYNTAX
Register Example
.method public onCreate()V
    .registers 7
    ...
v0 First local register
v1 Second local register
v2 …
v3 …
v4 …
v5 …
v6 p0 First param – ‘this’
p0 == v6

SYNTAX
Register Example 2
.method public doIt(Ljava/lang/String;II)V
    .registers 7
v0 First local register
v1 Second local register
v2 …
v3 p0 ‘this’
v4 p1 String
v5 p2 int
v6 p3 int
p3 == v6
p2 == v5
p1 == v4
p0 == v3

SYNTAX
Register Example 3
.method public doIt(JI)V
    .registers 7
# hint, j == long
v0 First local register
v1 Second local register
v2 Third local register
v3 p0 ‘this’ instance
v4 p1 long
v5 p2 long
v6 p3 int
v3 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v4 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v5 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v6 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?

SYNTAX
Register Example 4
.method public static doIt(IJ)V
    .registers 7
v0 First local register
v1 Second local register
v2 Third local register
v3 Fourth local register
v4 p0 Int
v5 p1 Long
v6 p2 Long
v3 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v4 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v5 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v6 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
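
The register layout worked through in the four register examples can be computed from a method descriptor and its .registers count. The following is an added example, not part of the original slides; register_map and its helpers are hypothetical names, and it goes slightly beyond the slides by also handling double and array parameters.

```python
import re

# One parameter in a Dalvik method descriptor: optional array prefix, then a
# primitive type letter or an L...; class reference.
_PARAM = re.compile(r"\[*(?:[ZBSCFIJD]|L[^;]+;)")

_NAMES = {"Z": "boolean", "B": "byte", "S": "short", "C": "char",
          "F": "float", "I": "int", "J": "long", "D": "double"}


def parse_params(descriptor):
    """Split '(Ljava/lang/String;II)V' into ['Ljava/lang/String;', 'I', 'I']."""
    m = re.fullmatch(r"\((.*)\)(.+)", descriptor)
    if not m:
        raise ValueError("not a method descriptor: %r" % descriptor)
    body = m.group(1)
    params, pos = [], 0
    while pos < len(body):
        p = _PARAM.match(body, pos)
        if not p:
            raise ValueError("bad parameter at offset %d in %r" % (pos, descriptor))
        params.append(p.group(0))
        pos = p.end()
    return params


def describe(param):
    """Human-readable label for one parameter type."""
    if param.startswith("["):
        return "array"
    if param.startswith("L"):
        return param[1:-1].rsplit("/", 1)[-1]   # Ljava/lang/String; -> String
    return _NAMES[param]


def register_map(descriptor, registers, static=False):
    """Return [(vN, pN or None, label)] for a method with `.registers N`.

    Parameter registers sit at the end of the register list. A non-static
    method gets an implicit p0 holding 'this'.
    """
    slots = [] if static else ["'this'"]
    for param in parse_params(descriptor):
        # long (J) and double (D) are 64 bit and occupy two registers;
        # an array of them is a reference and occupies one.
        width = 2 if param in ("J", "D") else 1
        slots.extend([describe(param)] * width)
    locals_count = registers - len(slots)
    if locals_count < 0:
        raise ValueError(".registers %d cannot hold %d parameter registers"
                         % (registers, len(slots)))
    table = [("v%d" % i, None, "local") for i in range(locals_count)]
    for p_index, label in enumerate(slots):
        table.append(("v%d" % (locals_count + p_index), "p%d" % p_index, label))
    return table


if __name__ == "__main__":
    # The four methods from the register example slides.
    for desc, static in (("()V", False), ("(Ljava/lang/String;II)V", False),
                         ("(JI)V", False), ("(IJ)V", True)):
        print(desc, "static" if static else "instance")
        for v, p, label in register_map(desc, 7, static):
            print("  %-3s %-3s %s" % (v, p or "", label))
```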

SYNTAX
jumping
• jumps
  • goto <offset>
.method public doIt(JI)V
    .registers 7
    ...
    goto :goto_31
    ...
    :goto_31
    return-void

SYNTAX
conditionals
• Conditionals
  • if-eq
  • if-ne
  • if-le
  • if-lt
  • if-ge
  • if-gt
• Add z for zero
  • if-eqz
  • if-nez
.method public foobar()V
    .registers 2
    const/4 v0, 0x0
    if-eqz v0, :cond_6
    return-void
    :cond_6
    # Do something
.end method

PUTTING IT ALL TOGETHER
Example - Java
package com.google.android.finsky;

import android.app.Application;
import android.accounts.Account;

public class FinskyApp extends Application {
    Account mCurrentAccount;

    public String getCurrentAccountName() {
        if (mCurrentAccount != null) {
            return mCurrentAccount.name;
        } else {
            return null;
        }
    }
}

PUTTING IT ALL TOGETHER
Same example - smali
.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2
    .prologue
    .line 617
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
    if-nez v0, :cond_6
    const/4 v0, 0x0
    :goto_5
    return-object v0
    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
    goto :goto_5
.end method
v0 First local register
v1 p0 ‘this’ instance
Callouts on iget-object: "Getting this field!", "of type …", "into this reg"

ONE FINAL STEP
Obfuscation!
• Renames classes, class members and methods
• Preserves OS entry points and java namespace classes
• Slows down the static analysis process
• Not a silver bullet, but an easy first line of defense
iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
PART II - DEMO
https://github.com/davtbaum/adc-demo
HACKING
SNAPCHAT

WHAT IS SNAPCHAT?
Real-time picture messenger
1. Picture messenger with a catch…
2. Self-destructive pictures!
3. Pictures only last up to 10 seconds, ensures the receiver cannot save them
4. Alerts the sender if the receiver tries to take a screenshot
5. Net-worth $70M – over 20M snaps sent a day! [1]
[1] http://techcrunch.com/2012/12/12/sources-snapchat-raising-north-of-10m-at-around-70m-valuation-led-by-benchmarks-mitch-lasky/
SNAPCHAT
IN ACTION

HACKING SNAPCHAT
Approach
1. Unzip APK and disassemble classes.dex
2. Analyze for target resource (snapchat picture AKA 'snap')
3. Inject code to store or transmit resource
4. Reassemble classes.dex and rezip/resign APK
[Diagram labels: Disassemble (baksmali), .smali, Static analysis / Code Injection, Reassemble (smali)]

TOOLS
You’ll need…
• Access to a terminal environment (preferably Linux or Mac OS X)
• Android SDK
• keytool and jarsigner
• Smali/Baksmali - http://code.google.com/p/smali/
• Apktool - http://code.google.com/p/android-apktool/
• Editor of choice (emacs!)

STEP 1
GET THE APP
• Query device for list of applications and associated file paths
  • adb shell pm list packages -f
  • (optional) | grep -si "snapchat"
• Pull the files
  • adb pull <file> ~/snapchat/snapchat.apk

STEP 2
DECOMPRESS AND DISASSEMBLE
• Extract classes.dex and remove keys
  • unzip snapchat.apk
  • rm -r ./META-INF
• Disassemble:
  • baksmali -a 10 -d <framework_path> ./classes.dex
    • -a = api-level
    • -d = bootclasspath dir
      • 'adb pull /system/framework/ ./framework'

STEP 3
ANDROID FORENSICS
• apktool dump and inspect AndroidManifest.xml for activities
  • apktool d snapchat.apk
  • emacs AndroidManifest.xml
• Find the resource
  • Use tools
    • uiautomator to retrieve view hierarchy (buggy)
    • adb shell dumpsys window | grep -si "mCurrentFocus"
  • Resolve resource in code

STEP 3
RESOURCE RETRIEVAL
• Resource located! Now we need to retrieve it…
• Don't write everything in byte code - build an application that contains the resource retrieval code.
• Disassemble donor application and copy appropriate methods into target app
• Easy enough, right?
[Diagram labels: Java resource retrieval code, Build, Bytecode]

DONOR APP
RESOURCE RETRIEVAL
package com.apkudo.util;

import android.app.Activity;
import android.graphics.Bitmap;
import java.io.FileOutputStream;
import android.os.Bundle;

public class HackUtils extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
    }

    public void saveSnap(Bitmap bmp) {
        try {
            FileOutputStream out = new FileOutputStream("/sdcard/test.png");
            bmp.compress(Bitmap.CompressFormat.PNG, 90, out);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

STEP 4
CODE INJECTION
• .method private showImage()V
• Isolate Bitmap
• Pass into resource retrieval method
invoke-virtual {v1, v2}, Lcom/snapchat/android/model/ReceivedSnap;->getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap;
move-result-object v0
# Patches
invoke-static {v0}, Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V
# End of Patches
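
From the defender's side, a one-line patch like this shows up as a new call target inside an existing method. The following added example (not from the original slides) compares the disassembled smali of a release build with that of a repackaged build and reports call targets found only in the latter; the method bodies are constructed samples built from the lines on this slide, and the function names and the namespace allowlist are assumptions.

```python
import re

# ".method <keywords> name(params)ret" -> capture "name(params)ret"
METHOD = re.compile(r"^\s*\.method\s+(?:[\w-]+\s+)*(\S+\(\S*)")
# "invoke-xxx[/range] {regs}, Lpkg/Class;->name(params)ret"
INVOKE = re.compile(
    r"^\s*invoke-[\w/]+\s*\{[^}]*\},\s*(\[*L[^;]+;)->([^\s(]+)(\(\S*)")

# Constructed sample: the method as shipped.
RELEASE_SMALI = """
.method private showImage()V
    .registers 4
    invoke-virtual {v1, v2}, Lcom/snapchat/android/model/ReceivedSnap;->getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap;
    move-result-object v0
    return-void
.end method
"""

# Constructed sample: the same method with the patch line from the slide.
SUSPECT_SMALI = """
.method private showImage()V
    .registers 4
    invoke-virtual {v1, v2}, Lcom/snapchat/android/model/ReceivedSnap;->getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap;
    move-result-object v0
    invoke-static {v0}, Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V
    return-void
.end method
"""


def calls_by_method(smali_text):
    """Map each method header to the set of call targets inside its body."""
    calls, current = {}, None
    for line in smali_text.splitlines():
        header = METHOD.match(line)
        if header:
            current = header.group(1)
            calls[current] = set()
        elif line.strip() == ".end method":
            current = None
        elif current is not None:
            inv = INVOKE.match(line)
            if inv:
                calls[current].add(inv.group(1) + "->" + inv.group(2) + inv.group(3))
    return calls


def added_calls(release_smali, suspect_smali):
    """Call targets present in the suspect build's methods but absent from
    the same methods in the release build. Register numbers and .line
    directives are ignored, so renumbering does not hide a new call."""
    release = calls_by_method(release_smali)
    suspect = calls_by_method(suspect_smali)
    findings = []
    for method, targets in sorted(suspect.items()):
        for target in sorted(targets - release.get(method, set())):
            findings.append((method, target))
    return findings


def outside_namespaces(smali_text, allowed_prefixes):
    """Without a reference build: flag calls into classes that are neither
    the app's own package nor the platform (allowlist is an assumption)."""
    findings = []
    for method, targets in sorted(calls_by_method(smali_text).items()):
        for target in sorted(targets):
            if not target.lstrip("[").startswith(tuple(allowed_prefixes)):
                findings.append((method, target))
    return findings


if __name__ == "__main__":
    for method, target in added_calls(RELEASE_SMALI, SUSPECT_SMALI):
        print("new call in %s: %s" % (method, target))
```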

STEP 5
REBUILD APK
• Re-assemble
  • smali -a 10 ./out -o classes.dex
• Compress
  • zip -z0 -r ../snapchat.apk ./*
• Sign APK
  • jarsigner -verbose -keystore my-release-key.keystore ./snapchat.apk alias_name

STEP 6
INSTALL AND EXECUTE
• Install
  • adb install -r ../snapchat.apk
• Run the app!

RECAP
ROOM FOR IMPROVEMENTS
• Obfuscate?
  • Very simple to navigate using method name
  • E.g. "showSnap()".
• Push images to native layer
  • OpenGL?
  • Native code is much harder to reverse.
• Dynamic signature verification?
• There is no silver bullet!
Thank you.
DAVID@ .COM @davtbaum

Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

  • 1. HACKINGAPKS FOR FUN AND FOR PROFIT (MOSTLYFOR FUN) DAVIDTEITELBAUM MAY2013 @davtbaum
  • 2. 2 © 2013 Apkudo LLC. www.apkudo.com OBJECTIVES Androidappdisassembly Fundamentalsofcodeinjection Smali/BaksmaliandreadingDalvikbytecode Bestpracticesinhardeningyourapp Expect to learn:
  • 3. 3 © 2013 Apkudo LLC. www.apkudo.com ROADMAP PART I - CLASS PART II – DEMO/HACK Approachtohacking Tools–apktool,baksmali,smali TheAPK Allthingsbytecode Snapchatdeepdive Appdisassemblyandanalysis Codeinjection Recap
  • 4. 4 © 2013 Apkudo LLC. www.apkudo.com PART I - CLASS
  • 5. 5 © 2013 Apkudo LLC. www.apkudo.com 1. UnzipAPK and disassemble classes.dex (baksmali) 2. Analyze – what is the application doing? 3. Inject byte code into the application to modify execution 4. Reassemble classes.dex (smali) and rezip/signAPK APK HACKING Approach Disassemble (baksmali) .smali Static analysis Reassemble (smali) Code injection
  • 6. 6 © 2013 Apkudo LLC. www.apkudo.com CODE INJECTION  Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code  Stick to public static methods in Dalvik byte code which have no register dependencies.  Let the compiler do the work - this hack was achieved with only one line of code injection! Best Practices:
  • 7. 7 © 2013 Apkudo LLC. www.apkudo.com TOOLS  Access to a terminal environment (preferably Linux or Mac osx)  Android SDK  keytool and jarsigner  Smali/Baksmali - http://code.google.com/p/smali/  Apktool - http://code.google.com/p/android-apktool/  Editor of choice (emacs!) You’ll need…
  • 8. 8 © 2013 Apkudo LLC. www.apkudo.com SMALI/BAKSMALI  Baksmali disassembles Dalvik executable (.dex) into readable Dalvik byte code (.smali)  Smali re-assembles .smali files back into .dex Dalvik executable  Gives developers the ability to modify execution of anAPK without having access to source code Dalvik Assembler/ Disassembler
  • 9. 9 © 2013 Apkudo LLC. www.apkudo.com APKTOOL  Wraps smali/baksmali andAndroid asset packaging tool (aapt)  Decodes resources and decompresses xml  Great for manifest introspection  Buggy :/ All in one reverser
  • 10. 10 © 2013 Apkudo LLC. www.apkudo.com THE APK A container for your app  Zipped file formatted based on JAR META-INF/ AndroidManifest.xml classes.dex lib/ res/ resources.arsc
  • 11. 11 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $unzipfoobar.apk–dfoobar $cd./foobar $ls AndroidManifest.xml META-INF classes.dex res resources.arsc lib $baksmali–a10–d~/boot_class_pathclasses.dex baksmali API level boot class path dex file
  • 12. 12 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $ls AndroidManifest.xml META-INF classes.dex res resources.arsc lib out $smali –a10./out–oclasses.dex $zip–r~/hacked.apk./* smali API level output dex file recursive
  • 13. EXAMPLES: apktool
       $ apktool d foobar.apk foobar
       $ cd ./foobar
       $ ls
       AndroidManifest.xml apktool.yml assets res smali
       $ cd ../
       $ apktool b ./foobar
       Callouts: d = decode; foobar = out directory; b = build
  • 14. EXAMPLES: keytool and jarsigner
       $ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
       $ jarsigner -keystore ~/.keystore ./foobar.apk default
       Callout: default = alias
  • 15. SMALI FILES: class representation in byte code
       .class public Lcom/apkudo/util/Serializer;
       .super Ljava/lang/Object;
       .source "Serializer.java"
       # static fields
       .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"
       # direct methods
       .method public constructor <init>()V
           .registers 1
           .prologue
           .line 5
           invoke-direct {p0}, Ljava/lang/Object;-><init>()V
           return-void
       .end method
       Callouts: Class information; Static fields; Methods (Direct, Virtual)
  • 16. SYNTAX
       V void, Z boolean, B byte, S short, C char, F float, I int, J long, D double, [ array types
       J long and D double: 64 bit – special instructions
       .method private doSomething()V
  • 17. SYNTAX: classes
       - full name space slash separated
       - prefixed with L
       - suffixed with ;
       Lcom/apkudo/util/Serializer;
       const-string v0, "ApkudoUtils"
       new-instance v1, Ljava/lang/StringBuilder;
       invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
       const-string v2, "docId: ["
       invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
       move-result-object v1
  • 18. SYNTAX: methods
       .method private doSomething()V
       - Method definitions
           - .method <[keyword]> <name>(<[param]>)<return type>
       - Method invocations
           - invoke-static – any method that is static
           - invoke-virtual – any method that isn't private, static, or final
           - invoke-direct – any non-static direct method
           - invoke-super – any superclass's virtual method
           - invoke-interface – any interface method
       - Virtual methods require their class instance as a parameter!
  • 19. SYNTAX: methods
       .method private doSomething()V
       .method private delayedAnimationFrame(J)Z
           .registers 8
           .parameter "currentTime"
       Callouts: private = keyword; delayedAnimationFrame = method name; (J)Z = parameters/return
       # Static invocation
       invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
       # Virtual invocation
       invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
  • 20. SYNTAX: Registers
       - All registers are 32 bits
       - Declaration
           - .registers – total number of registers
           - .locals – total minus method parameter registers
       - Naming scheme
           - P registers – parameter registers
               - implicit p0 = 'this' instance (non-static)
           - V registers – local registers
       - P registers are always at the end of the register list
       .locals 16
       .registers 18
  • 21. SYNTAX: Register Example
       .method public onCreate()V
           .registers 7
           ...
       v0        First local register
       v1        Second local register
       v2        …
       v3        …
       v4        …
       v5        …
       v6   p0   First param – 'this'
       p0 == v6
  • 22. SYNTAX: Register Example 2
       .method public doIt(Ljava/lang/String;II)V
           .registers 7
       v0        First local register
       v1        Second local register
       v2        …
       v3   p0   'this'
       v4   p1   String
       v5   p2   int
       v6   p3   int
       p3 == v6, p2 == v5, p1 == v4, p0 == v3
  • 23. SYNTAX: Register Example 3
       .method public doIt(JI)V
           .registers 7
       # hint, j == long
       For each of v3, v4, v5 and v6 - is it… A) Fourth local register? B) This instance? C) Long? D) Int?
       v0        First local register
       v1        Second local register
       v2        Third local register
       v3   p0   'this' instance
       v4   p1   long
       v5   p2   long
       v6   p3   int
  • 24. SYNTAX: Register Example 4
       .method public static doIt(IJ)V
           .registers 7
       For each of v3, v4, v5 and v6 - is it… A) Fourth local register? B) This instance? C) Long? D) Int?
       v0        First local register
       v1        Second local register
       v2        Third local register
       v3        Fourth local register
       v4   p0   Int
       v5   p1   Long
       v6   p2   Long
  • 25. SYNTAX: jumping
       - jumps
           - goto <offset>
       .method public doIt(JI)V
           .registers 7
           ...
           goto :goto_31
           ...
           :goto_31
           return-void
  • 26. SYNTAX: conditionals
       - Conditionals
           - if-eq
           - if-ne
           - if-le
           - if-lt
           - if-ge
           - if-gt
       - Add z for zero
           - if-eqz
           - if-nez
       .method public foobar()V
           .registers 2
           const/4 v0, 0x0
           if-eqz v0, :cond_6
           return-void
           :cond_6
           # Do something
       .end method
  • 27. PUTTING IT ALL TOGETHER: Example - Java
       package com.google.android.finsky;
       import android.app.Application;
       import android.accounts.Account;
       public class FinskyApp extends Application {
           Account mCurrentAccount;
           public String getCurrentAccountName() {
               if (mCurrentAccount != null) {
                   return mCurrentAccount.name;
               } else {
                   return null;
               }
           }
       }
  • 28. PUTTING IT ALL TOGETHER: Same example - smali
       .method public getCurrentAccountName()Ljava/lang/String;
           .registers 2
           .prologue
           .line 617
           iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
           if-nez v0, :cond_6
           const/4 v0, 0x0
           :goto_5
           return-object v0
           :cond_6
           iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
           goto :goto_5
       .end method
       v0        First local register
       v1   p0   'this' instance
       Callouts on iget-object: Getting this field! / of type … / into this reg
  • 29. ONE FINAL STEP: Obfuscation!
       - Renames classes, class members and methods
       - Preserves OS entry points and java namespace classes
       - Slows down the static analysis process
       - Not a silver bullet, but an easy first line of defense
       iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
       invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
  • 30. PART II - DEMO https://github.com/davtbaum/adc-demo
  • 31. HACKING SNAPCHAT
  • 32. WHAT IS SNAPCHAT? Real-time picture messenger
       1. Picture messenger with a catch…
       2. Self-destructive pictures!
       3. Pictures only last up to 10 seconds, ensures the receiver cannot save them
       4. Alerts the sender if the receiver tries to take a screenshot
       5. Net-worth $70M – over 20M snaps sent a day! [1]
       [1] http://techcrunch.com/2012/12/12/sources-snapchat-raising-north-of-10m-at-around-70m-valuation-led-by-benchmarks-mitch-lasky/
  • 33. SNAPCHAT IN ACTION
  • 34. HACKING SNAPCHAT: Approach
       1. Unzip APK and disassemble classes.dex
       2. Analyze for target resource (snapchat picture AKA 'snap')
       3. Inject code to store or transmit resource
       4. Reassemble classes.dex and rezip/resign APK
       Diagram: Disassemble (baksmali), .smali, Static analysis/Code Injection, Reassemble (smali)
  • 35. TOOLS: You'll need…
       - Access to a terminal environment (preferably Linux or Mac OS X)
       - Android SDK
       - keytool and jarsigner
       - Smali/Baksmali - http://code.google.com/p/smali/
       - Apktool - http://code.google.com/p/android-apktool/
       - Editor of choice (emacs!)
  • 36. STEP 1: GET THE APP
       - Query device for list of applications and associated file paths
           - adb shell pm list packages -f
           - (optional) | grep -si "snapchat"
       - Pull the files
           - adb pull <file> ~/snapchat/snapchat.apk
  • 37. STEP 2: DECOMPRESS AND DISASSEMBLE
       - Extract classes.dex and remove keys
           - unzip snapchat.apk
           - rm -r ./META-INF
       - Disassemble:
           - baksmali -a 10 -d <framework_path> ./classes.dex
           - -a = api-level
           - -d = bootclasspath dir
               - 'adb pull /system/framework/ ./framework'
  • 38. STEP 3: ANDROID FORENSICS
       - apktool dump and inspect AndroidManifest.xml for activities
           - apktool d snapchat.apk
           - emacs AndroidManifest.xml
       - Find the resource
           - Use tools
               - uiautomator to retrieve view hierarchy (buggy)
               - adb shell dumpsys window | grep -si "mCurrentFocus"
       - Resolve resource in code
  • 39. STEP 3: RESOURCE RETRIEVAL
       - Resource located! Now we need to retrieve it…
       - Don't write everything in byte code - build an application that contains the resource retrieval code.
       - Disassemble donor application and copy appropriate methods into target app
       - Easy enough, right?
       Diagram: Java resource retrieval code, Build, Bytecode
  • 40. DONOR APP: RESOURCE RETRIEVAL
       package com.apkudo.util;
       import android.app.Activity;
       import android.graphics.Bitmap;
       import java.io.FileOutputStream;
       import android.os.Bundle;
       public class HackUtils extends Activity {
           @Override
           public void onCreate(Bundle savedInstanceState) {
               super.onCreate(savedInstanceState);
               setContentView(R.layout.main);
           }
           public void saveSnap(Bitmap bmp) {
               try {
                   FileOutputStream out = new FileOutputStream("/sdcard/test.png");
                   bmp.compress(Bitmap.CompressFormat.PNG, 90, out);
               } catch (Exception e) {
                   e.printStackTrace();
               }
           }
       }
  • 41. STEP 4: CODE INJECTION
       - .method private showImage()V
       - Isolate Bitmap
       - Pass into resource retrieval method
       invoke-virtual {v1, v2}, Lcom/snapchat/android/model/ReceivedSnap;->getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap;
       move-result-object v0
       # Patches
       invoke-static {v0}, Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V
       # End of Patches
  • 42. STEP 5: REBUILD APK
       - Re-assemble
           - smali -a 10 ./out -o classes.dex
       - Compress
           - zip -z0 -r ../snapchat.apk ./*
       - Sign APK
           - jarsigner -verbose -keystore my-release-key.keystore ./snapchat.apk alias_name
  • 43. STEP 6: INSTALL AND EXECUTE
       - Install
           - adb install -r ../snapchat.apk
       - Run the app!
  • 44. RECAP: ROOM FOR IMPROVEMENTS
       - Obfuscate?
           - Very simple to navigate using method name
           - E.g. "showSnap()".
       - Push images to native layer
           - OpenGL?
           - Native code is much harder to reverse.
       - Dynamic signature verification?
       - There is no silver bullet!
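
The register layout from the SYNTAX register slides (20 to 24), as an added example that is not part of the deck: it derives the p-to-v mapping from a `.method` line and its `.registers` count, generalized to any descriptor. The function names `param_types` and `register_map` and the role labels are assumptions made for this illustration.

```python
import re

# One Dalvik type: optional '[' array prefixes, then a primitive or L<class>;
_TYPE = re.compile(r"\[*(?:[ZBSCFIJD]|L[^;]+;)")
_METHOD = re.compile(
    r"\.method\s+(?P<flags>(?:\S+\s+)*?)(?P<name>[^\s(]+)"
    r"\((?P<params>[^)]*)\)(?P<ret>\S+)")


def param_types(params):
    """Split a parameter descriptor such as 'Ljava/lang/String;II' into types."""
    types, pos = [], 0
    while pos < len(params):
        m = _TYPE.match(params, pos)
        if m is None:
            raise ValueError(f"bad type descriptor at offset {pos}: {params!r}")
        types.append(m.group())
        pos = m.end()
    return types


def register_map(method_line, registers):
    """Map each vN register to its role, given the `.registers` count."""
    m = _METHOD.match(method_line.strip())
    if m is None:
        raise ValueError(f"not a .method line: {method_line!r}")
    # Non-static methods receive the implicit 'this' in p0.
    slots = [] if "static" in m.group("flags").split() else ["this"]
    for t in param_types(m.group("params")):
        # long (J) and double (D) are 64 bit and take two registers;
        # an array such as '[J' is a reference and takes one.
        slots += [t, t] if t in ("J", "D") else [t]
    first_p = registers - len(slots)  # p registers sit at the end of the list
    if first_p < 0:
        raise ValueError(".registers is smaller than the parameter registers")
    roles = {f"v{i}": f"local {i}" for i in range(first_p)}
    for i, what in enumerate(slots):
        roles[f"v{first_p + i}"] = f"p{i} ({what})"
    return roles


if __name__ == "__main__":
    # The four register examples from the slides, all with `.registers 7`.
    for line in (".method public onCreate()V",
                 ".method public doIt(Ljava/lang/String;II)V",
                 ".method public doIt(JI)V",
                 ".method public static doIt(IJ)V"):
        print(line, register_map(line, 7))
```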
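
A defender-side counterpart to the STEP 4 injection and the RECAP hardening questions, as an added example that is not from the deck or from Apkudo: it scans baksmali output for invoke-* targets outside the app's own packages and diffs call targets against a reference build. The function names, the `own_prefixes` allowlist and the `PLATFORM` list are assumptions; the sample input is constructed from the smali lines on the STEP 4 slide.

```python
import re

# invoke-<kind>[/range] {registers}, L<class>;-><method>(<params>)<return>
_INVOKE = re.compile(
    r"\s*invoke-(?P<kind>[a-z-]+)(?:/range)?\s*\{[^}]*\}\s*,\s*"
    r"(?P<cls>L[^;]+;)->(?P<method>[^(\s]+)\(")

# Framework namespaces that every app calls into (assumed allowlist).
PLATFORM = ("Ljava/", "Ljavax/", "Landroid/", "Ldalvik/")


def call_targets(smali_text):
    """Yield (line number, invoke kind, class, method) for each invoke-*."""
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        m = _INVOKE.match(line)
        if m:
            yield lineno, m.group("kind"), m.group("cls"), m.group("method")


def foreign_calls(smali_text, own_prefixes):
    """Calls whose target class is neither platform code nor the app's own."""
    allowed = PLATFORM + tuple(own_prefixes)
    return [c for c in call_targets(smali_text) if not c[2].startswith(allowed)]


def added_calls(reference_smali, suspect_smali):
    """Targets invoked in the suspect build but never in the reference build."""
    known = {(cls, meth) for _, _, cls, meth in call_targets(reference_smali)}
    seen = {(cls, meth) for _, _, cls, meth in call_targets(suspect_smali)}
    return sorted(seen - known)


# Constructed sample: the STEP 4 call site before and after patching.
REFERENCE = """\
invoke-virtual {v1, v2}, Lcom/snapchat/android/model/ReceivedSnap;->getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap;
move-result-object v0
"""
SUSPECT = REFERENCE + """\
# Patches
invoke-static {v0}, Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V
# End of Patches
"""

if __name__ == "__main__":
    print(foreign_calls(SUSPECT, ["Lcom/snapchat/"]))
    print(added_calls(REFERENCE, SUSPECT))
```

Bundled third-party libraries also fall outside the app's own prefixes, so their packages need to be added to `own_prefixes` before the output is useful for triage.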

Editor's notes

  1. META-INF contains keys