athcon

8/11/2019 athcon

1/84

8/11/2019 athcon

2/84

Introduction

Who am I?

June 10, 2013 Jurriaan Bremer @skier t Analysis and Deobfuscation of Android Apps 2 / 44

8/11/2019 athcon

3/84

Introduction

Who am I? Student (University of Amsterdam) Freelance Security Researcher Cuckoo Sandbox Developer (Malware Analysis System)


8/11/2019 athcon

4/84

Introduction

Android?


8/11/2019 athcon

5/84

Introduction

Android?

Smartphones

Runs custom Linux Millions of Devices

Hundreds of thousands of applications

etc..


8/11/2019 athcon

6/84

Android Applications

Android Applications?


8/11/2019 athcon

7/84



Application Package File (APK) Download from Google Play Zip file Some Metadata (Manifest, Images, ..) classes.dex


8/11/2019 athcon

8/84




All your code are belong to classes.dex More on this later.


8/11/2019 athcon

9/84




All your code are belong to classes.dex More on this later.

Resources

Images Data files Native libraries


8/11/2019 athcon

10/84

Running Code on Android

There are two ways.

Running native libraries Extremely awesome

This talk does not focus on native


8/11/2019 athcon

11/84


There are two ways.


This talk does not focus on native


8/11/2019 athcon

12/84


There are two ways.


This talk does not focus on native Running Dalvik Bytecode

Dalvik is Compiled Java Dalvik != Java classes.dex

(More on this later)


8/11/2019 athcon

13/84

Dex File Format (I)

Dalvik Executable Format classes.dex

Container format to store Dalvik Bytecode with Metadata


8/11/2019 athcon

14/84

Dex File Format (I)


Container format to store Dalvik Bytecode with Metadata Various Data Pools

Strings Hello World

Classes Ljava/lang/String; Fields Ljava/lang/String;->value Prototypes (I)Ljava/lang/String;


8/11/2019 athcon

15/84

Dex File Format (I)


Container format to store Dalvik Bytecode with Metadata Various Data Pools

Strings Hello World

Classes Ljava/lang/String; Fields Ljava/lang/String;->value Prototypes (I)Ljava/lang/String;

Lots of headers Complex Cross-references between fields and headers The Classname is a String A Prototype has a String as return value A method links to a Prototype, etc..


8/11/2019 athcon

16/84

Dex File Format (II)


8/11/2019 athcon

17/84

Dalvik Bytecode Example

public static void hello() {

System.out.println(Hello AthCon);}

->


8/11/2019 athcon

18/84




->

sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;


D l ik B d E l

8/11/2019 athcon

19/84




->

sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;const-string v1, Hello AthCon


D l ik B d E l

8/11/2019 athcon

20/84




->

sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;const-string v1, Hello AthConinvoke-virtual v0, v1,

Ljava/io/PrintStream;->println(Ljava/lang/String;)V


D l ik B t d E l

8/11/2019 athcon

21/84




->

sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;const-string v1, Hello AthConinvoke-virtual v0, v1,

Ljava/io/PrintStream;->println(Ljava/lang/String;)Vreturn-void


Wh t i t?

8/11/2019 athcon

22/84

Whats your point?

Decompiling is mostly trivial JEB - http://android-decompiler.com/


Whats o oi t?
http://android-decompiler.com/https://code.google.com/p/smali/http://android-decompiler.com/

8/11/2019 athcon

23/84

What s your point?

Decompiling is mostly trivial JEB - http://android-decompiler.com/

Smali/Baksmali allows you to quickly modify code

Based on .smali files, a wrapper around Dalvik bytecode

Free and Open Sourcehttps://code.google.com/p/smali/


Lets welcome Obfuscators
http://android-decompiler.com/https://code.google.com/p/smali/https://code.google.com/p/smali/http://android-decompiler.com/

8/11/2019 athcon

24/84

Let s welcome Obfuscators

Commercial solutions

Make Reverse Engineering harder

Make automated analysis harder (what to look at?)



8/11/2019 athcon

25/84





What can we do..?



8/11/2019 athcon

26/84





What can we do..?

Deobfuscate the obfuscated code!



8/11/2019 athcon

27/84





What can we do..?

Deobfuscate the obfuscated code!

But first..


Introduction to Our Tools

8/11/2019 athcon

28/84


readdex(1)

Custom utility to read .dex files

Not very strict

Works in cases where traditional tools fail

E.g., dexdump, dex2jar, sometimes even JEB (Will report JEB bugs later)



8/11/2019 athcon

29/84


readdex(1)

Custom utility to read .dex files

Not very strict

Works in cases where traditional tools fail

E.g., dexdump, dex2jar, sometimes even JEB (Will report JEB bugs later) Handles the following cases correctly

Invalid checksum hashes (fails dexdump) Unused opcodes (fails dex2jar/dexdump) Invalid Data Pool Indices (dexdump/dex2jar) Unicode function names (IDA Pro?!) Etc..


Introduction to Our Libraries

8/11/2019 athcon

30/84


Dalvik Disassembler



8/11/2019 athcon

31/84


Dalvik Disassembler Basic Dalvik Emulator

Supports most Dalvik Instructions Supports simple Java Classes (Strings, etc.)


8/11/2019 athcon

32/84


8/11/2019 athcon

33/84



Dex File Parser Dex File Creator is Work in Progress

Totalling more than 5kloc C (including readdex)



8/11/2019 athcon

34/84





Not to mention basic Python wrappers



8/11/2019 athcon

35/84





Not to mention basic Python wrappers

All of it will be Open Source soon (TM)


Whats next? This stuff is actually useful?

8/11/2019 athcon

36/84

y


Whats next? This stuff is actually useful?

8/11/2019 athcon

37/84


Class & Function Name Obfuscation

8/11/2019 athcon

38/84

Used by for example Dexguard & Freedom.apk..



8/11/2019 athcon

39/84


Welcome to China..



8/11/2019 athcon

40/84


Welcome to China..



8/11/2019 athcon

41/84


China?

8/11/2019 athcon

42/84

Unreadable identifiers

Problematic when Modifying Dalvik Code (.smali)


China?

8/11/2019 athcon

43/84

Unreadable identifiers

Problematic when Modifying Dalvik Code (.smali)

unchina.py to the rescue!


unchina.py

8/11/2019 athcon

44/84

Walks the Dex file Enumerates all classes and methods

Renames Chinese names with something readable

zmagic + number

(For now, can be changed of course..)


8/11/2019 athcon

45/84

unchina.py Demo

8/11/2019 athcon

46/84

Demo of Unchina.py..


Obfuscated Strings (I)

8/11/2019 athcon

47/84

Used by for example Dexguard, Whatsapp.apk, Freedom.apk



8/11/2019 athcon

48/84


Instead of using Hardcoded Strings

Build strings up at runtime



8/11/2019 athcon

49/84




Makes it harder to analyze Strings usually have meaningful information (Function names, Debug information, URLs, etc.)



8/11/2019 athcon

50/84




Makes it harder to analyze Strings usually have meaningful information (Function names, Debug information, URLs, etc.)

More code in the binary Normally one string Now entire functions for decoding, function calls, etc..


Obfuscated Strings (II)

8/11/2019 athcon

51/84

We want to reconstruct the obfuscated strings


8/11/2019 athcon

52/84

8/11/2019 athcon

53/84

Whatsapp (I)

8/11/2019 athcon

54/84

#1 - Whatsapp.apk

Defines for lots of classes Class Initialization function Called when the class is being loaded


Whatsapp (II)

8/11/2019 athcon

55/84


Whatsapp (III)

8/11/2019 athcon

56/84

We emulate the method Intercept the sput-object instruction

sput-object v0, mb->z:Ljava/lang/String;

Assign Static Class Variable


Whatsapp (III)

8/11/2019 athcon

57/84




We now have the deobfuscated string

(or multiple strings, in some cases)


Whatsapp (III)

8/11/2019 athcon

58/84




We now have the deobfuscated string

(or multiple strings, in some cases)

Roughly 5000 strings deobfuscated!


Freedom (I)

8/11/2019 athcon

59/84

#2 - Freedom.apk

Has xor decryption methods

Calls functions with magic decoding value


8/11/2019 athcon

60/84

Freedom (III)

8/11/2019 athcon

61/84

The xor decryption methods have a specific signature

Their prototype is always(B)Ljava/lang/String;

(Accepts an 8bit integer, returns a String.)


8/11/2019 athcon

62/84

Freedom (III)

8/11/2019 athcon

63/84

The xor decryption methods have a specific signature

Their prototype is always(B)Ljava/lang/String;

(Accepts an 8bit integer, returns a String.)

We scan every method in the Dex file Function Call to Decryption Method ->Decrypt the String

Roughly 600 strings deobfuscated!


Dexguard (I)

8/11/2019 athcon

64/84

#3 - Dexguard is a Commercial ObfuscatorAs example we use an obfuscated Cyanide.apk

Root exploit for some Motorala device

(Thanks to Justin Case for the sample)


Dexguard (II)

8/11/2019 athcon

65/84


Dexguard (III)

8/11/2019 athcon

66/84

Dexguard initializes a lookup table on

Decrypts strings using this lookup table

One dedicated decryption method Signature (III)Ljava/lang/String;


Dexguard (IV)

8/11/2019 athcon

67/84

Dexguard is a combination of Whatsapp and Freedom

(With regards to techniques)

First emulate

To obtain the lookup table


Dexguard (IV)

8/11/2019 athcon

68/84

Dexguard is a combination of Whatsapp and Freedom

(With regards to techniques)

First emulate

To obtain the lookup table Then scan every method in the Dex file

Find function calls to the decryption method

Decrypt strings!


Dexguard (IV)

8/11/2019 athcon

69/84

Original Dexguarded Cyanide.apk


Rewriting the Dex file (I)

8/11/2019 athcon

70/84

Rewriting Whatsapp, Freedom and Dexguarded Cyanide.apk

We have the decrypted strings

Obfuscated code always takes more instructions thandeobfuscated code

Patching time..!


8/11/2019 athcon

71/84

Rewriting the Dex file (II)

8/11/2019 athcon

72/84


Rewriting the Dex file (III)

8/11/2019 athcon

73/84

Some problems..

We have to introduce new strings Extend the String Data Pool Shuffle around half the Dex..


Rewriting the Dex file (III)

8/11/2019 athcon

74/84

Some problems..

We have to introduce new strings Extend the String Data Pool Shuffle around half the Dex..

Patch Dalvik instructions (straightforward) Remove obsolete functions

String Decryption Methods are now unused Quite painful.. Dex file-wise *Work in Progress*


Rewriting the Dex file (IV)

8/11/2019 athcon

75/84

We move all strings to EOF

We fixup other data structures

Demo time


Rewriting the Dex file (V)

8/11/2019 athcon

76/84

Demo of reconstructing Dexguarded Cyanide.apk


How do we go from here?

8/11/2019 athcon

77/84

Generic Deobfuscation Based on Heuristics with Prototypes etc



8/11/2019 athcon

78/84


Classification based on stripped down binaries One binary can have many obfuscated representations

Deobfuscate to something like the original binary Allows more accurate classification



8/11/2019 athcon

79/84




Did I mention plaintext strings?



8/11/2019 athcon

80/84




Did I mention plaintext strings?

Plaintext Strings!


Automated Malware Analysis!

8/11/2019 athcon

81/84

Yesterday a new malware was found in the wild..

http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan


High Expectations Asian Dad strikes again!
http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojanhttp://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojanhttp://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojanhttp://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan

8/11/2019 athcon

82/84


Backdoor.AndroidOS.Obad.a

8/11/2019 athcon

83/84

Seems like a pretty advanced android malware Multiple obfuscation layers (for strings)

Got a start, but far from complete.. *Quick Demo*

Some Plaintext Strings.. Tries to enable Bluetooth getSimSerialNumber .. (I need some more time)


Questions?

8/11/2019 athcon

84/84

Any questions?

Cheers to..p1ra, nex, rep, blasty, thuxnder, diff-, jcase, George, jduck, ..

Interested in Android Security?Join #droidsec on irc.freenode.org (thanks jduck!)

June 10 2013 Jurriaan Bremer @skier t Analysis and Deobfuscation of Android Apps 44 / 44

athcon

Documents