who needs thumbs? reverse engineering scramble with friends v1.1

WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS v1.1 DAVID TEITELBAUM OCTOBER 2012 @davtbaum
Posted 12-Sep-2014

TRANSCRIPT

Page 1: Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1

WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS v1.1

DAVID TEITELBAUM

OCTOBER 2012

@davtbaum

Page 2:

2 © 2012 Apkudo Inc. Confidential www.apkudo.com

OBJECTIVES

Expect to learn:

- Fundamentals of APK code injection
- How to use tools like smali/baksmali
- Better practices in Android forensics
Page 3:

Page 4:

APK HACKING: APPROACH

1. Extract the APK and disassemble classes.dex using baksmali
2. Isolate the target resources (e.g., the Scramble With Friends word list)
3. Patch the APK to receive the resource, serialize it, and transmit it to the host
4. Reassemble

Workflow diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)

Page 5:

CODE INJECTION: BEST PRACTICES

- You don't need to be a Dalvik bytecode pro.
- Write patches in Java, compile them, then use the smali/baksmali tools to disassemble the result into Dalvik bytecode.
- Stick to public static methods in Dalvik bytecode which have no register dependencies: an invoke-static takes only the argument registers you list, so nothing in the host method has to be reserved or saved, and a void return needs no move-result either.
- Note: this hack is achieved by inserting only two lines of manual Dalvik bytecode.

Page 6:

SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER

- baksmali disassembles a Dalvik executable (.dex) into readable Dalvik bytecode (.smali)
- smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify execution without having access to source code
- Documentation on smali/baksmali and Dalvik is in the smali wiki: http://code.google.com/p/smali/w/list (the project has since moved to https://github.com/JesusFreke/smali, where the wiki now lives)

Page 7:

RESOURCE SERIALIZATION AND TRANSMISSION: ROMAIN GUY'S VIEWSERVER

Diagram: the app's onCreate() calls into ViewServer (addWindow()); ViewServer runs inside the app process on the Android OS and listens on a socket that is ADB-forwarded to localhost:4939 on the host.

Page 8:

STEP 1: DECOMPRESS AND DISASSEMBLE

- Extract classes.dex and remove the signing keys (this strips the original signature, so the rebuilt APK will have to be re-signed with your own key):
      unzip scramble.apk
      rm -r ./META-INF
- Disassemble:
      baksmali -a 10 -d <framework_path> ./classes.dex
  -a = API level
  -d = bootclasspath directory, e.g. out/target/product/generic/system/framework from an AOSP build tree

Page 9:

STEP 2: ANDROID FORENSICS

- Find the word list... how?
- Beat obfuscation: search for class types (e.g. Ljava/util/List;) and for log messages, then find the intersection of the two.
- Insert your own log statements, e.g. to dump a List held in v2 (v1 must already hold the tag string):

      invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
      move-result-object v2
      invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

  Note that move-result-object v2 overwrites the List reference in v2 with the String, so only place this where the original code no longer needs v2, or move the result into a spare register instead.

Page 10:

STEP 3: INJECT VIEWSERVER INTO APP

- Resource located! Now we need to send it...
- Apply a patch to ViewServer that stores the list:
      public static void setScrambleWordList(List list);
- Build the patched ViewServer and extract its .smali files
- Copy the smali files into our application. Easy enough, right?

Page 11:

STEP 4: PATCH APP TO USE VIEWSERVER API

- Start the ViewServer in the onCreate() method of MainActivity.smali (ViewServer.get()):
      invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
- Pass the list to ViewServer in fu.smali (ViewServer.setScrambleWordList(list)), with the List reference already in v2:
      invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V

Both calls are invoke-static and neither consumes a return value, so no move-result and no register beyond the one already holding the list are needed: these are the two lines of manual Dalvik bytecode the talk refers to.

Page 12:

STEP 5: REBUILD APK

- Re-assemble:
      smali -a 10 ./out -o classes.dex
- Re-compress (run from inside the extracted APK directory; pick a different output name if the original APK still sits in the parent directory, or it gets overwritten):
      zip -z0 -r ../scramble.apk ./*
- Sign the APK:
      jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
  The new signature comes from your own key, not the publisher's, so the patched build cannot be installed as an update over a store-installed copy; uninstall that first.

Page 13:

STEP 6: INSTALL AND COMMUNICATE WITH APP

- Install:
      adb install -r ../scramble.apk
- Forward the port (host 4939 -> device 4939, where the injected ViewServer listens):
      adb forward tcp:4939 tcp:4939
- Communicate: the device side is the listener, so connect to the forwarded port from the host rather than listening there:
      nc 127.0.0.1 4939
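The six steps above as one shell harness. This is an added example, not code from the talk or from Apkudo: the tool invocations (unzip, baksmali, smali, zip, jarsigner, adb, nc) follow the slides, while the smali-level work (the Step 2 List/Log intersection and the two Step 4 injections) is done with find/grep/awk so it runs on any unpacked APK. Assumptions that are mine rather than the deck's: API level 10 and the Lcom/android/debug/hv/ViewServer; descriptor are taken from the slides as given, the anchor descriptor and target .smali name are passed in by the caller, the patched ViewServer .smali tree is supplied as a directory, and the LIST command comes from Romain Guy's ViewServer source, not from the slides.

```shell
#!/bin/sh
# Added example (not from the talk or Apkudo): harness around slides 8-13.
# Assumed, not from the deck: API level 10 and the hv.ViewServer descriptor are
# copied from the slides; anchor descriptor, target file and the patched
# ViewServer smali directory are caller-supplied.

# Slide 9 heuristic: classes that both handle a java.util.List and call
# android.util.Log are the first place to look for an obfuscated word list.
candidate_classes() {
    find "$1" -name '*.smali' -exec grep -l 'Ljava/util/List;' {} + 2>/dev/null |
    while IFS= read -r f; do
        grep -q 'Landroid/util/Log;' "$f" && printf '%s\n' "$f"
    done
}

# Slide 11, second line: after the first line containing ANCHOR (a literal
# substring, e.g. the descriptor of the invoke that returns the list), wait for
# the next move-result-object vN and emit `invoke-static {vN}, CALLEE` right
# after it. Reusing vN for a void static call keeps the patch register-free.
# Idempotent: a file that already contains CALLEE is left untouched.
inject_after_result() {
    anchor=$1; callee=$2; smali=$3
    grep -qF -- "$callee" "$smali" && return 0
    awk -v anchor="$anchor" -v callee="$callee" '
        { print }
        !done && !armed && index($0, anchor) > 0 { armed = 1; next }
        armed && $1 == "move-result-object" {
            printf "    invoke-static {%s}, %s\n", $2, callee
            armed = 0; done = 1
        }
    ' "$smali" > "$smali.tmp" && mv "$smali.tmp" "$smali"
}

# Slide 11, first line: insert `invoke-static {}, CALLEE` as the first real
# instruction of the method whose header contains METHOD, i.e. after the
# .locals/.param/.prologue directives. Used to start ViewServer in onCreate().
inject_at_method_start() {
    method=$1; callee=$2; smali=$3
    grep -qF -- "$callee" "$smali" && return 0
    awk -v method="$method" -v callee="$callee" '
        !done && index($0, ".method") == 1 && index($0, method) > 0 { inm = 1 }
        inm && $1 != "" && substr($1, 1, 1) != "." && substr($1, 1, 1) != "#" {
            printf "    invoke-static {}, %s\n", callee
            inm = 0; done = 1
        }
        { print }
    ' "$smali" > "$smali.tmp" && mv "$smali.tmp" "$smali"
}

# Lines in FILE mentioning CALLEE; 1 means the patch landed exactly once.
injection_count() {
    grep -cF -- "$2" "$1" || true
}

# Slides 8, 10, 12 and 13 end to end. Only runs when every tool is on PATH.
# Usage: rebuild_and_install game.apk /path/to/framework my.keystore alias \
#            'fu;->b()Ljava/util/List;' fu.smali /path/to/viewserver-smali
rebuild_and_install() {
    apk=$1; framework=$2; keystore=$3; alias=$4; anchor=$5; target=$6; vs=$7
    for t in unzip baksmali smali zip jarsigner adb; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
    work=$(mktemp -d) || return 1
    out=$(pwd)/patched.apk; rm -f "$out"          # never overwrite the input APK
    unzip -q "$apk" -d "$work"
    rm -rf "$work/META-INF"                       # original signature goes away
    baksmali -a 10 -d "$framework" -o "$work/out" "$work/classes.dex"
    cp -R "$vs"/. "$work/out/"                    # patched ViewServer classes (slide 10)
    act=$(find "$work/out" -name MainActivity.smali | head -n 1)
    tgt=$(find "$work/out" -name "$target" | head -n 1)
    inject_at_method_start 'onCreate(' \
        'Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;' "$act"
    inject_after_result "$anchor" \
        'Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V' "$tgt"
    [ "$(injection_count "$tgt" setScrambleWordList)" = 1 ] || return 1
    smali -a 10 "$work/out" -o "$work/classes.dex"
    rm -rf "$work/out"
    (cd "$work" && zip -q -r "$out" .)
    jarsigner -verbose -keystore "$keystore" "$out" "$alias"
    # Our key is not the publisher's, so -r cannot update a store-installed
    # build; run `adb uninstall <package>` first if the install is refused.
    adb install -r "$out" && adb forward tcp:4939 tcp:4939
}

# Slide 13: one command over the forwarded socket. Romain Guy's ViewServer takes
# a single newline-terminated command per connection; LIST enumerates windows.
viewserver_cmd() {
    printf '%s\n' "${1:-LIST}" | nc 127.0.0.1 4939
}

if [ "$#" -gt 0 ]; then rebuild_and_install "$@"; fi
```

The awk injection relies on baksmali's one-instruction-per-line layout and inserts nothing unless it finds both the anchor and a following move-result-object, so a wrong anchor fails loudly at the injection_count check rather than producing a silently unpatched APK. If your netcat exits on stdin EOF before the reply arrives, use its wait option (-q or -N depending on the variant) in viewserver_cmd.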

Page 14:

APE: INTELLIGENT ANDROID INSTRUMENTATION

- Fully aware of the application's content
- Invokes actions and makes decisions based off of what it sees
- Optimized and extended Romain's ViewServer:
  - transmits view data after each invoked action
  - introspects on OpenGL
- Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen

Page 15:

Thank you. DAVID@ .COM @davtbaum