�ݺ�ߣ

HACKING APKS FOR FUN
AND FOR PROFIT
(MOSTLY FOR FUN)

DAVID TEITELBAUM

@davtbaum
DECEMBER 2012

OBJECTIVES
Expect to learn:
Android app disassembly
Fundamentals of code injection
Smali/Baksmali and reading Dalvik byte code
Best practices in hardening your apps
2 ? 2012 Apkudo Inc. Confidential www.apkudo.com

ROADMAP
PART I - CLASS PART II �C DEMO/HACK
Approach to hacking Scramble With Friends deep dive
Tools �C apktool, baksmali, smali App disassembly and analysis
The APK Code injection with ViewServer
All things byte code Resource transmission
Recap

PART I - CLASS


APK HACKING
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Static analysis �C what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK

Static analysis

Disassemble Reassemble
(baksmali) (smali)
.smali
Code injection

CODE INJECTION
Best Practices:
? You don��t need to be a Dalvik byte code pro!

? Write patches in Java, compile, then use the
Smali/Baksmali tools to disassemble into Dalvik byte code

? Stick to public static methods in Dalvik byte code which
have no register dependencies.

? Let the compiler do the work �C the demo hack is achieved
by inserting only two lines of manual Dalvik byte code!


TOOLS
You��ll need��
? Access to a terminal environment (preferably Linux or Mac
osx)

? Android SDK

? keytool and jarsigner

? Smali/Baksmali - http://code.google.com/p/smali/

? Apktool - http://code.google.com/p/android-apktool/

? Editor of choice (emacs!)


SMALI/BAKSMALI
Dalvik Assembler/
Disassembler
? Baksmali disassembles Dalvik executable (.dex) into
readable Dalvik byte code (.smali)

? Smali re-assembles .smali files back into .dex Dalvik
executable

? Gives developers the ability to modify execution of an APK
without having access to source code


APKTOOL
All in one reverser
? Wraps smali/baksmali and Android asset packaging tool
(aapt)

? Decodes resources and decompresses xml

? Great for manifest introspection

? Buggy :/


THE APK
A container for your app
? Zipped file formatted based on JAR
META-INF/
AndroidManifest.xml
classes.dex
lib/
res/
resources.arsc


EXAMPLES
baksmali
$ unzip foobar.apk �Cd foobar

$ cd ./foobar

$ ls
AndroidManifest.xml META-INF classes.dex res
resources.arsc lib

$ baksmali �Ca 10 �Cd ~/boot_class_path classes.dex

API level boot class path dex file


EXAMPLES
smali
$ ls
AndroidManifest.xml META-INF classes.dex res
resources.arsc lib
out

$ smali �Ca 10 ./out �Co classes.dex

API level output dex file

$ zip �Cr ~/hacked.apk ./*
recursive


EXAMPLES
apktool
$ apktool d foobar.apk foobar
decode out directory
$ cd ./foobar

$ ls
AndroidManifest.xml apktool.yml assets res smali

$ cd ../

$ apktool b ./foobar

build


EXAMPLES
keytool and jarsigner
$ keytool -genkeypair -v -alias default �Ckeystore
~/.keystore �Cstorepass password

$ jarsigner �Ckeystore ~/.keystore ./foobar.apk
default
alias


SMALI FILES
class representation in byte code
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object; Class information
.source "Serializer.java��

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils�� Static fields
# direct methods
.method public constructor <init>()V
.registers 1

.prologue
.line 5 Methods
invoke-direct {p0}, Ljava/lang/Object;-><init>()V Direct
Virtual
return-void
.end method


SYNTAX
types .method private doSomething()V

V void
Z boolean
B byte
S short
C char
F float
I int
J long
64 bit �C special instructions
D double
[ array


SYNTAX
classes Lcom/apkudo/util/Serializer;
? full name space slash separated
? prefixed with L
? suffixed with ;
const-string v0, "ApkudoUtils"

new-instance v1, Ljava/lang/StringBuilder;

invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V

const-string v2, "docId: ["

invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;-
>append(Ljava/lang/String;)Ljava/lang/StringBuilder;

move-result-object v1


SYNTAX
methods .method private doSomething()V

? Method definitions
? .method <keyword> <name>(<param>)<return type>

? Method invocations
? invoke-static �C any method that is static
? invoke-virtual �C any method that isn��t private, static, or
final
? invoke-direct �C any non-static direct method
? invoke-super �C any superclass's virtual method
? Invoke-interface �C invoke an interface method


SYNTAX
methods .method private doSomething()V

keyword method name parameters/return

.method private delayedAnimationFrame(J)Z
.registers 8
.parameter "currentTime��

# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z

# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;-
>drainAllRequests(I)V


SYNTAX
Registers .locals 16
.registers 18
? All registers are 32 bits
? Declaration
? .registers �C total number of registers
? .locals �C total minus method parameter registers
? Naming scheme
? P registers �C parameter registers
? implicit p0 = ��this�� instance
? V registers �C local registers
? P registers are always at the end of the register list


SYNTAX
Register Example
.method public onCreate()V
.registers 7 v0 First local register
v1 Second local register
...
v2 ��
v3 ��
v4 ��
v5 ��
v6 p0 First param �C ��this��

p0 == v6


SYNTAX
Register Example 2
.method public doIt(Ljava/lang/String;II)V
.registers 7
v0 First local register
v2 ��
v3 p0 ��this��
v4 p1 String
v5 p2 int
v6 p3 int

p3 == v6
p2 == v5
p1 == v4
p0 == v3


SYNTAX
Register Example 3
.method public doIt(JI)V
.registers 7

# hint, j == long
v2 Third local register
v3 - is it�� v4 - is it��
A) Fourth local register? A) Fourth local register? v3 p0 ��this�� instance
B) This instance? B) This instance? v4 p1 long
C) Long? C) Long?
v5 p2 long
D) Int? D) Int?
v6 p3 int
v5 - is it�� v6 - is it��
A) Fourth local register? A) Fourth local register?
B) This instance? B) This instance?
C) Long? C) Long?
D) Int? D) Int?


SYNTAX
jumping
.method public doIt(JI)V
? jumps .registers 7

? goto <offset> ...

goto :goto_31

...

:goto_31
return-void


SYNTAX
conditionals
method public foobar()V
? Conditionals .registers 2

? If-eq const/4 v0, 0x0
? If-ne
if-eqz v0, :cond_6
? If-le
? If-lt return-void
? If-ge
:cond_6
? If-gt
? Add z for zero # Do something

.end method


PUTTING IT ALL
TOGETHER
Example - Java
package com.google.android.finsky;

import android.app.Application;
import android.accounts.Account;

public class FinskyApp() extends Application {

Account mCurrentAccount;

...

public String getCurrentAccountName() {
if (mCurrentAccount != null) {
return mCurrentAccount.name;
} else {
return null;
}
}
}


PUTTING IT ALL
TOGETHER
Same example - smali
.method public getCurrentAccountName()Ljava/lang/String;
.registers 2
.prologue
v1 p0 ��this�� instance
.line 617
iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;

if-nez v0, :cond_6
Getting this field! of type ��
const/4 v0, 0x0
into this reg
:goto_5
return-object v0

:cond_6
iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;

goto :goto_5
.end method


ONE FINAL
STEP
Obfuscation!
? Renames classes, class members and and method

? Preserves OS entry points and java namespace classes

? Slows down the static analysis process

? Not a silver bullet, but an easy first line of defense

iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;

invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;


PART II - DEMO


HACKING
SCRAMBLE
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Patch APK to receive resource, serialize, and transmit to host
4. Reassemble classes.dex (smali) and rezip APK
Static analysis/
Code Injection

Disassemble Reassemble
(baksmali) (smali)
.smali


RESOURCE SERIALIZATION
AND TRANSMISSION
ROMAIN GUY��S VIEWSERVER
onCreate()��
addWindow() localhost:4939
ViewServer

Android
OS


STEP 1
DECOMPRESS AND
DISASSEMBLE
? Extract classes.dex and remove keys
? unzip scramble.apk
? rm �Cr ./META-INF

? Disassemble:
? baksmali -a 10 �Cd <framework_path> ./classes.dex
? -a = api-level
? -d = bootclasspath dir
? out/target/product/generic/system/framework


STEP 2
ANDROID FORENSICS
? apktool dump and inspect AndroidManifest.xml
for activities

? Find the words list��how?
? Beat obfuscation!
? Search for class types and log messages
? Find the intersection of the two!
? Insert your own log statements

invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I


STEP 3
INJECT VIEWSERVER INTO APP
? Resource located! Now we need to send it��

? Apply patch to ViewServer that stores list
? public static void setScrambleWordList(List list);

? Build patched ViewServer, extract .smali files

? Copy smali files into our application
? Easy enough, right?


STEP 4
PATCH APP TO USE VIEWSERVER
API
? Start the ViewServer in the onCreate() method of
MainActivity.smali
? ViewServer.get()
? invoke-static {}, Lcom/android/debug/hv/ViewServer;-
>get()Lcom/android/debug/hv/ViewServer;

? Pass the list to ViewServer in fu.smali
? ViewServer.setScrambleWordList(list)
invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
?


STEP 5
REBUILD APK
? Re-assemble
? smali �Ca 10 ./out �Co classes.dex
? Re-compress
? zip �Cz0 �Cr ../scramble.apk ./*
? Sign APK
? jarsigner -verbose -keystore my-release-
key.keystore ./scramble.apk alias_name


STEP 6
INSTALL AND COMMUNICATE
WITH APP
? Install
? adb install �Cr ../scramble.apk
? Forward port
? adb forward tcp:4939 tcp:4939
? Communicate
? nc �Cl 127.0.0.1 (listen)


APE
INTELLIGENT ANDROID
INSTRUMENTATION
? Fully aware of applications content
? Invokes actions and makes decisions based off
of what it sees
? Optimized and extended Romain��s ViewServer
? Transmit view data after each invoked action
? Introspect on OpenGL
? Uses word list to obtain matrix positions and
OpenGL introspection to find buttons on screen


Thank you.
@davtbaum DAVID@ .COM

�ݺ�ߣ

Hacking for Fun and Profit

More Related Content

Hacking for Fun and Profit

Editor's Notes