Hacking for fun and for profit
- 1. HACKING APKS FOR FUN
AND FOR PROFIT
(MOSTLY FOR FUN)
DAVID TEITELBAUM
@davtbaum
DECEMBER 2012
- 2. OBJECTIVES
Expect to learn:
Android app disassembly
Fundamentals of code injection
Smali/Baksmali and reading Dalvik byte code
Best practices in hardening your apps
2 © 2012 Apkudo Inc. Confidential www.apkudo.com
- 3. ROADMAP
PART I - CLASS
Approach to hacking
Tools – apktool, baksmali, smali
The APK
All things byte code
PART II – DEMO/HACK
Scramble With Friends deep dive
App disassembly and analysis
Code injection with ViewServer
Resource transmission
Recap
- 4. PART I - CLASS
- 5. APK HACKING
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Static analysis – what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK
[Diagram: APK -> disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali) -> APK]
- 6. CODE INJECTION
Best Practices:
You don’t need to be a Dalvik byte code pro!
Write patches in Java, compile, then use the
Smali/Baksmali tools to disassemble into Dalvik byte code
Stick to public static methods in Dalvik byte code which
have no register dependencies.
Let the compiler do the work – the demo hack is achieved
by inserting only two lines of manual Dalvik byte code!
- 7. TOOLS
You’ll need…
Access to a terminal environment (preferably Linux or Mac OS X)
Android SDK
keytool and jarsigner
Smali/Baksmali - http://code.google.com/p/smali/
Apktool - http://code.google.com/p/android-apktool/
Editor of choice (emacs!)
- 8. THE APK
A container for your app
A zip file laid out like a JAR (and signed the same way, through META-INF/)
META-INF/
AndroidManifest.xml
classes.dex
lib/
res/
resources.arsc
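An added example (not from the deck, nor from the smali or apktool projects): a Python script that builds a constructed APK in memory with the layout listed above, lists its entries, checks whether META-INF carries a signature block, and parses the classes.dex header. The dex header holds an Adler-32 checksum and a SHA-1 signature over the rest of the file, so a hand-patched classes.dex is rejected until both are recomputed; smali does that when it writes the dex, and fix_dex_header shows the same calculation. The sample dex is header-only (no classes), the manifest and signature entries are placeholders, and every function name here is this example's own.

```python
"""Inspect an APK's classes.dex: parse the dex header, verify its checksum and
SHA-1 signature, and recompute them after a hand patch."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def dex_checksum(data: bytes) -> int:
    # adler32 over everything after the checksum field (offset 12 to end)
    return zlib.adler32(data[12:]) & 0xFFFFFFFF


def dex_signature(data: bytes) -> bytes:
    # SHA-1 over everything after the signature field (offset 32 to end)
    return hashlib.sha1(data[32:]).digest()


def fix_dex_header(data: bytes) -> bytes:
    """Recompute the signature first, then the checksum (which covers the signature)."""
    buf = bytearray(data)
    buf[12:32] = dex_signature(bytes(buf))
    buf[8:12] = struct.pack("<I", dex_checksum(bytes(buf)))
    return bytes(buf)


def verify_dex(data: bytes) -> dict:
    """Return header facts plus a list of problems (empty when the dex is consistent)."""
    problems = []
    if len(data) < DEX_HEADER_SIZE:
        return {"problems": ["file shorter than a dex header"]}
    magic = data[:8]
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        problems.append("bad magic")
    version = magic[4:7].decode("ascii", "replace")
    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    checksum_ok = stored_checksum == dex_checksum(data)
    signature_ok = data[12:32] == dex_signature(data)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if not checksum_ok:
        problems.append("checksum mismatch")
    if not signature_ok:
        problems.append("signature mismatch")
    if file_size != len(data):
        problems.append("file_size %d != actual %d" % (file_size, len(data)))
    if header_size != DEX_HEADER_SIZE:
        problems.append("unexpected header_size")
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag")
    return {"version": version, "checksum_ok": checksum_ok, "signature_ok": signature_ok,
            "file_size": file_size, "problems": problems}


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only dex (no classes) with a valid checksum and signature."""
    magic = b"dex\n035\0"
    # file_size, header_size, endian_tag, then 17 zeroed size/offset fields
    tail = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    return fix_dex_header(magic + b"\0" * 24 + tail)


def build_sample_apk(dex: bytes) -> bytes:
    """Constructed sample APK: real entry names, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", dex)
        z.writestr("resources.arsc", b"", compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"<PKCS#7 signature block placeholder>")
    return buf.getvalue()


def inspect_apk(apk: bytes) -> dict:
    """List entries, flag whether META-INF carries a signature block, and verify classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        sig_blocks = [n for n in names
                      if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        dex_report = verify_dex(z.read("classes.dex")) if "classes.dex" in names else None
    return {"entries": sorted(names), "signed": bool(sig_blocks), "dex": dex_report}


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk(build_minimal_dex())))
```

Running inspect_apk on a real APK is the same call with the file's bytes; a "signature mismatch" on classes.dex after editing means the header was not regenerated, and a missing .RSA/.DSA/.EC entry means the APK is unsigned and will not install.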
- 9. SMALI/BAKSMALI
Dalvik Assembler/
Disassembler
Baksmali disassembles Dalvik executable (.dex) into
readable Dalvik byte code (.smali)
Smali re-assembles .smali files back into .dex Dalvik
executable
Gives developers the ability to modify execution of an APK
without having access to source code
- 10. EXAMPLES
baksmali
$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib
$ baksmali -a 10 -d ~/boot_class_path classes.dex
  -a = API level, -d = boot class path directory, classes.dex = dex file to disassemble
- 12. AAPT
Android Asset Packaging Tool
Builds/dumps package information
Same tool that packages APKS
Decompresses xml resources
Dumps permissions, application info.
- 13. EXAMPLES
aapt
$ aapt dump badging ~/foobar.apk
$ aapt dump xmltree ~/foobar.apk AndroidManifest.xml
$ aapt dump xmlstrings ~/foobar.apk AndroidManifest.xml
  (last argument = the xml resource inside the APK to dump)
- 14. APKTOOL
All in one reverser
Wraps smali/baksmali and Android asset packaging tool
(aapt)
Decodes resources and decompresses xml
Great for manifest introspection
Buggy :/
- 15. EXAMPLES
apktool
$ apktool d foobar.apk foobar
  d = decode, foobar = output directory
$ cd ./foobar
$ ls
AndroidManifest.xml apktool.yml assets res smali
$ cd ../
$ apktool b ./foobar
  b = build
- 16. EXAMPLES
keytool and jarsigner
$ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
$ jarsigner -keystore ~/.keystore ./foobar.apk default
  (last argument = key alias)
- 18. SMALI FILES
class representation in byte code
# class information
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# direct methods (constructors, private and static methods; virtual methods follow under "# virtual methods")
.method public constructor <init>()V
    .registers 1
    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
- 19. SYNTAX
types (the V in .method private doSomething()V is the return type)
V void
Z boolean
B byte
S short
C char
F float
I int
J long (64 bit – occupies a pair of adjacent registers and uses the -wide instruction variants)
D double (64 bit, same rules as J)
[ array (prefix, one [ per dimension, e.g. [I is int[])
- 20. SYNTAX
classes Lcom/apkudo/util/Serializer;
• full name space slash separated
• prefixed with L
• suffixed with ;
const-string v0, "ApkudoUtils"
new-instance v1, Ljava/lang/StringBuilder;
invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
const-string v2, "docId: ["
invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v1
- 21. SYNTAX
methods .method private doSomething()V
Method definitions
.method <keyword> <name>(<param>)<return type>
Method invocations
invoke-static – any static method
invoke-virtual – any method that isn't private, static, or final
invoke-direct – any non-static direct method (a private instance method or a constructor)
invoke-super – the superclass's virtual method
invoke-interface – an interface method
- 22. SYNTAX
methods .method private doSomething()V
        keyword  method name  parameters / return type
.method private delayedAnimationFrame(J)Z
    .registers 8
    .parameter "currentTime"
# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
- 23. SYNTAX
Registers
.locals 16
.registers 18
All registers are 32 bits (a long or double takes two adjacent registers)
Declaration
.registers – total number of registers
.locals – total minus method parameter registers
Naming scheme
P registers – parameter registers
implicit p0 = 'this' instance (instance methods only; in a static method p0 is the first declared parameter)
V registers – local registers
P registers are always at the end of the register list
- 24. SYNTAX
Register Example
.method public onCreate()V
.registers 7
v0  First local register
v1  Second local register
v2  ...
v3  ...
v4  ...
v5  ...
v6  p0  First param – 'this'
p0 == v6
- 25. SYNTAX
Register Example 2
.method public doIt(Ljava/lang/String;II)V
.registers 7
v0  First local register
v1  Second local register
v2  ...
v3  p0  'this'
v4  p1  String
v5  p2  int
v6  p3  int
p0 == v3, p1 == v4, p2 == v5, p3 == v6
- 26. SYNTAX
Register Example 3
.method public doIt(JI)V
.registers 7
# hint, J == long (wide: it takes two adjacent registers)
Quiz: for each of v3, v4, v5 and v6, is it A) a fourth local register, B) the 'this' instance, C) part of the long, or D) the int?
Answer:
v0  First local register
v1  Second local register
v2  Third local register
v3  p0  'this' instance (B)
v4  p1  long, first register of the pair (C)
v5  p2  long, second register of the pair (C)
v6  p3  int (D)
Only three of the seven registers are locals; the long costs two parameter registers, so the int is p3, not p2.
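An added example, not part of the original deck: the mapping rule behind Register Examples 1 to 3 written out in Python. It parses a method descriptor, counts one register slot per parameter (two for J and D), adds the implicit p0 = this for instance methods, and assigns the parameter slots to the highest v registers. The function and field names are this example's own assumptions.

```python
"""Map smali p-registers to v-registers for a method, including wide (J/D)
parameters that occupy a register pair."""
import re

WIDE_TYPES = {"J", "D"}
PRIMITIVES = "ZBSCFIJD"


def parse_params(descriptor: str) -> list:
    """Split '(Ljava/lang/String;II)V' into ['Ljava/lang/String;', 'I', 'I']."""
    m = re.fullmatch(r"\((.*)\)(\[*(?:[V%s]|L[^;]+;))" % PRIMITIVES, descriptor)
    if m is None:
        raise ValueError("not a method descriptor: %r" % descriptor)
    params, out, i = m.group(1), [], 0
    while i < len(params):
        start = i
        while params[i] == "[":          # array dimensions
            i += 1
        if params[i] == "L":             # class type runs to the ';'
            i = params.index(";", i) + 1
        elif params[i] in PRIMITIVES:    # single-letter primitive
            i += 1
        else:
            raise ValueError("bad type at %d in %r" % (i, params))
        out.append(params[start:i])
    return out


def register_map(descriptor: str, registers: int, static: bool = False) -> dict:
    """Return {'locals': n, 'map': {'vN': (pname or 'local', type or None)}}.

    Dalvik places parameter registers at the end of the frame in declaration
    order, with an implicit p0 = this for instance methods. J and D take two
    consecutive registers, and smali numbers p-registers per register slot, so
    a long in p1 also owns p2 and the next parameter is p3.
    """
    slots = [] if static else ["this"]
    for t in parse_params(descriptor):
        slots.append(t)
        if t in WIDE_TYPES:
            slots.append(t + " (second register of the pair)")
    n_locals = registers - len(slots)
    if n_locals < 0:
        raise ValueError(".registers %d is too small for %d parameter registers"
                         % (registers, len(slots)))
    mapping = {}
    for v in range(n_locals):
        mapping["v%d" % v] = ("local", None)
    for k, t in enumerate(slots):
        mapping["v%d" % (n_locals + k)] = ("p%d" % k, t)
    return {"locals": n_locals, "map": mapping}


def format_map(descriptor: str, registers: int, static: bool = False) -> str:
    """Render the mapping as the two-column table used on the slides."""
    info = register_map(descriptor, registers, static)
    header = "%s%s  .registers %d  (%d locals)" % (
        "static " if static else "", descriptor, registers, info["locals"])
    rows = ["%-3s %-3s %s" % (v, "" if p == "local" else p, t or "local register")
            for v, (p, t) in info["map"].items()]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    for sig in ("()V", "(Ljava/lang/String;II)V", "(JI)V"):
        print(format_map(sig, 7))
        print()
```

When injecting code that needs a scratch register, this tells you which v registers are locals you may clobber at the method entry and which ones alias parameters; raising .registers by one adds a new local at the bottom and shifts every p alias up by one.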
- 27. SYNTAX
jumping
jumps: goto <label> (encoded as a branch offset in the dex)
.method public doIt(JI)V
    .registers 7
    ...
    goto :goto_31
    ...
    :goto_31
    return-void
- 28. SYNTAX
conditionals
Conditionals: if-eq, if-ne, if-le, if-lt, if-ge, if-gt (compare two registers); add z to compare one register against zero (if-eqz, if-nez, ...)
.method public foobar()V
    .registers 2
    const/4 v0, 0x0
    if-eqz v0, :cond_6
    return-void
    :cond_6
    # Do something
.end method
- 29. PUTTING IT ALL
TOGETHER
Example - Java
package com.google.android.finsky;
import android.app.Application;
import android.accounts.Account;
public class FinskyApp extends Application {
    Account mCurrentAccount;
    ...
    public String getCurrentAccountName() {
        if (mCurrentAccount != null) {
            return mCurrentAccount.name;
        } else {
            return null;
        }
    }
}
- 30. PUTTING IT ALL
TOGETHER
Same example - smali
.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2    # v0 = first local register, v1 = p0 = 'this' instance
    .prologue
    .line 617
    # get the field mCurrentAccount (of type Landroid/accounts/Account;) from this (p0) into register v0
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
    if-nez v0, :cond_6
    const/4 v0, 0x0
    :goto_5
    return-object v0
    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
    goto :goto_5
.end method
- 31. ONE FINAL
STEP
Obfuscation!
• Renames classes, class members and methods
• Preserves OS entry points and java namespace classes
• Slows down the static analysis process
• Not a silver bullet, but an easy first line of defense
iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
- 33. PART II - DEMO
- 35. HACKING
SCRAMBLE
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Patch APK to receive resource, serialize, and transmit to host
4. Reassemble classes.dex (smali) and rezip APK
[Diagram: APK -> disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali) -> APK]
- 37. STEP 1
DECOMPRESS AND
DISASSEMBLE
Extract classes.dex and remove the old signature (META-INF/ holds the manifest, signature file and signature block; it would no longer match the patched dex anyway):
unzip scramble.apk
rm -r ./META-INF
Disassemble:
baksmali -a 10 -d <framework_path> ./classes.dex
-a = api-level
-d = bootclasspath dir, e.g. out/target/product/generic/system/framework from an AOSP build (or adb pull /system/framework from the device)
- 38. STEP 2
ANDROID FORENSICS
Decode with apktool (or aapt dump xmltree) and inspect AndroidManifest.xml for activities
Find the words list...how?
Beat obfuscation!
Search for class types and log messages
Find the intersection of the two!
Insert your own log statements (here v1 holds the tag string and v2 the list):
invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
- 39. STEP 3
INJECT VIEWSERVER INTO APP
Resource located! Now we need to send it…
Apply patch to ViewServer that stores list
public static void setScrambleWordList(List list);
Build patched ViewServer, extract .smali files
Copy smali files into our application
Easy enough, right?
- 40. STEP 4
PATCH APP TO USE VIEWSERVER
API
Start the ViewServer in the onCreate() method of MainActivity.smali
ViewServer.get()
invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
Pass the list to ViewServer in fu.smali
ViewServer.setScrambleWordList(list)
invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
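An added example covering Step 2 (find the method where a type of interest and a log call intersect) and Step 4 (inject the ViewServer calls), working purely on .smali text. It is not code from the deck or from the ViewServer project; the two sample files are constructed here with hypothetical class names, not taken from any real app, and the function names are this example's own. inject_call refuses an unanchored instruction that names registers, following the register-free invoke-static advice from the CODE INJECTION slide.

```python
"""Locate candidate methods in disassembled smali (step 2) and inject an
instruction into a chosen method (step 4)."""
import re

METHOD_RE = re.compile(r"^\.method\b(?P<sig>[^\n]*)\n(?P<body>.*?)^\.end method", re.S | re.M)
CLASS_RE = re.compile(r"^\.class\b.*?(L[^\s;]+;)", re.M)

# Constructed sample files standing in for a disassembled app (hypothetical names).
SAMPLE_FILES = {
    "MainActivity.smali": """\
.class public Lcom/example/scramble/MainActivity;
.super Landroid/app/Activity;
.source "MainActivity.java"


# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .registers 2
    .parameter "savedInstanceState"

    .prologue
    .line 12
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    .line 13
    return-void
.end method
""",
    "fu.smali": """\
.class Lcom/example/scramble/fu;
.super Ljava/lang/Object;


# direct methods
.method private a()V
    .registers 3

    .prologue
    const-string v1, "fu"

    iget-object v2, p0, Lcom/example/scramble/fu;->c:Ljava/util/List;

    invoke-interface {v2}, Ljava/util/List;->toString()Ljava/lang/String;

    move-result-object v2

    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    return-void
.end method

.method private b()V
    .registers 1

    .prologue
    return-void
.end method
""",
}


def methods(smali_text):
    """Yield (class, signature, body_start, body_end, body) for every method in a file."""
    cls = CLASS_RE.search(smali_text)
    cls_name = cls.group(1) if cls else "?"
    for m in METHOD_RE.finditer(smali_text):
        yield cls_name, m.group("sig").strip(), m.start("body"), m.end("body"), m.group("body")


def find_candidates(files, type_desc, log_marker):
    """Step 2: methods whose body mentions both the type of interest and a log call."""
    hits = []
    for fname, text in files.items():
        for cls_name, sig, _, _, body in methods(text):
            if type_desc in body and log_marker in body:
                hits.append((fname, cls_name, sig))
    return hits


def inject_call(smali_text, method_name, new_line, after_pattern=None):
    """Step 4: insert one instruction into the named method.

    Without after_pattern the line goes right after .prologue (or after
    .registers/.locals when there is no .prologue) and must be a register-free
    invoke-static, which is safe anywhere. With after_pattern it goes after the
    first body line matching that regex; the caller is then responsible for the
    registers it names being live at that point (v2 holds the list below).
    """
    if after_pattern is None and not re.match(r"invoke-static\s*\{\s*\},", new_line):
        raise ValueError("only a register-free invoke-static {} is safe without an anchor")
    for _, sig, start, end, body in methods(smali_text):
        if (" " + method_name) not in (" " + sig):
            continue
        lines = body.split("\n")
        patterns = [after_pattern] if after_pattern else [
            r"^\s*\.prologue\b", r"^\s*\.(registers|locals)\s+\d+"]
        for pat in patterns:
            idx = next((i + 1 for i, line in enumerate(lines) if re.search(pat, line)), None)
            if idx is not None:
                break
        else:
            raise ValueError("no insertion point found in %s" % sig)
        lines.insert(idx, "    " + new_line)
        return smali_text[:start] + "\n".join(lines) + smali_text[end:]
    raise ValueError("method %s not found" % method_name)
```

Running find_candidates over a whole apktool output directory is a matter of reading every .smali file into the dict; the two inject_call calls in the test below reproduce the two lines of manual byte code the demo adds.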
- 41. STEP 5
REBUILD APK
Re-assemble
smali -a 10 ./out -o classes.dex
Re-compress (-0 stores entries uncompressed, as aapt does for resources.arsc; -r recurses)
zip -0 -r ../scramble.apk ./*
Sign APK (older Android releases only verify SHA1 digests, so with a JDK 7 or newer jarsigner add -sigalg SHA1withRSA -digestalg SHA1)
jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
- 42. STEP 6
INSTALL AND COMMUNICATE
WITH APP
Install
adb install -r ../scramble.apk
Forward port (ViewServer listens on tcp/4939 inside the app; forward a host port to it)
adb forward tcp:4939 tcp:4939
Communicate (connect through the forwarded port)
nc 127.0.0.1 4939
- 43. RECAP
WHAT ZYNGA TEACHES
US
Low hanging fruit:
Obfuscate, it's easy and makes things much harder
Use proguard, it optimizes too!
Remove logs
Use reflection
Design your application with cheaters in mind!
Move logic to cloud
Google Play licensing
Editor's notes
- META-INF contains keys (the signature files; it must be removed before repacking and the APK re-signed)