Posted on 12-Sep-2014
WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS v1.1
DAVID TEITELBAUM
OCTOBER 2012
@davtbaum
2 © 2012 Apkudo Inc. Confidential www.apkudo.com
OBJECTIVES
Expect to learn:
- Fundamentals of APK code injection
- How to use tools like Smali/Baksmali
- Better practices in Android forensics
APK HACKING: APPROACH
1. Extract APK and disassemble classes.dex using baksmali
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Patch APK to receive resource, serialize, and transmit to host
4. Reassemble
[Flow diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)]
CODE INJECTION: BEST PRACTICES
- You don't need to be a Dalvik byte code pro!
- Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
- Stick to public static methods in Dalvik byte code, which have no register dependencies.
- Note: this hack is achieved by inserting only two lines of manual Dalvik byte code
SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
- Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
- Smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify execution without having access to source code
- Documentation on Smali/Baksmali and Dalvik is in the Smali wiki: http://code.google.com/p/smali/w/list
RESOURCE SERIALIZATION AND TRANSMISSION: ROMAIN GUY'S VIEWSERVER
[Diagram: the app's onCreate() ... addWindow() -> ViewServer -> Android OS -> ADB-forwarded localhost:4939 -> host]
STEP 1: DECOMPRESS AND DISASSEMBLE
- Extract classes.dex and remove the existing signing keys (META-INF):
    unzip scramble.apk
    rm -r ./META-INF
- Disassemble:
    baksmali -a 10 -d <framework_path> ./classes.dex
  -a = api-level
  -d = bootclasspath dir, e.g. out/target/product/generic/system/framework
STEP 2: ANDROID FORENSICS
- Find the words list... how?
- Beat obfuscation!
  - Search for class types and log messages
  - Find the intersection of the two!
- Insert your own log statements, e.g.:
    # v1 holds a log tag string, v2 the List; the toString() result overwrites v2
    # (move the result into a spare register instead if the List is still needed afterwards)
    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
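The "intersection" triage from Step 2, as an added Python example that is not from the slides or from Apkudo: the two .smali snippets and the Lapp/ class names are constructed stand-ins for baksmali output.

```python
import re

# Constructed stand-ins for baksmali output (not from the real APK): obfuscated
# class names like fu.smali give nothing away, so we index type references and
# log strings per class and intersect the two, as the slide suggests.
SAMPLE_SMALI = {
    "fu.smali": """.class public final Lapp/fu;
.field private a:Ljava/util/List;
.method public a(Ljava/util/List;)V
    .locals 2
    const-string v0, "Scramble"
    const-string v1, "word list loaded"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
    "b.smali": """.class public final Lapp/b;
.method public d()V
    .locals 2
    const-string v0, "Net"
    const-string v1, "fetching word list"
    invoke-static {v0, v1}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}

TYPE_RE = re.compile(r"L[\w/$]+;")  # any class/type descriptor
METHOD_RE = re.compile(r"\.method\b.*?\n(.*?)^\.end method", re.S | re.M)
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)? v\d+, "((?:[^"\\]|\\.)*)"')
LOG_CALL_RE = re.compile(r"Landroid/util/Log;->[a-z]+\(")

def index_class(smali):
    """Return (type descriptors referenced, strings built in methods that call Log)."""
    types = set(TYPE_RE.findall(smali))
    log_strings = set()
    for body in METHOD_RE.findall(smali):
        # Approximation: every const-string in a logging method counts as a log message
        if LOG_CALL_RE.search(body):
            log_strings.update(CONST_STR_RE.findall(body))
    return types, log_strings

def find_candidates(files, wanted_type, keyword):
    """Classes that both reference wanted_type and log a message matching keyword."""
    hits = []
    for name, src in files.items():
        types, log_strings = index_class(src)
        if wanted_type in types and any(re.search(keyword, s, re.I) for s in log_strings):
            hits.append(name)
    return sorted(hits)
```

On real baksmali output, load every .smali file under the out/ directory into the dict keyed by path and search for Ljava/util/List; with a keyword such as "word".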
STEP 3: INJECT VIEWSERVER INTO APP
- Resource located! Now we need to send it...
- Apply a patch to ViewServer that stores the list:
    public static void setScrambleWordList(List list);
- Build the patched ViewServer, extract its .smali files
- Copy the smali files into our application. Easy enough, right?
STEP 4: PATCH APP TO USE VIEWSERVER API
- Start the ViewServer in the onCreate() method of MainActivity.smali (ViewServer.get()):
    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
- Pass the list to ViewServer in fu.smali (ViewServer.setScrambleWordList(list)):
    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
STEP 5: REBUILD APK
- Re-assemble:
    smali -a 10 ./out -o classes.dex
- Re-compress:
    zip -z0 -r ../scramble.apk ./*
- Sign APK:
    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
STEP 6: INSTALL AND COMMUNICATE WITH APP
- Install:
    adb install -r ../scramble.apk
- Forward port:
    adb forward tcp:4939 tcp:4939
- Communicate:
    nc -l 127.0.0.1 (listen)
APE: INTELLIGENT ANDROID INSTRUMENTATION
- Fully aware of the application's content
- Invokes actions and makes decisions based off of what it sees
- Optimized and extended Romain's ViewServer
- Transmits view data after each invoked action
- Introspects on OpenGL
- Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
Thank you. DAVID@ .COM @davtbaum