WHO NEEDS THUMBS?!
REVERSE ENGINEERING
SCRAMBLE WITH
FRIENDS v1.1

    DAVID TEITELBAUM

    @davtbaum
    OCTOBER 2012
OBJECTIVES
Expect to learn:
- Fundamentals of APK code injection
- How to use tools like Smali/Baksmali
- Better practices in Android forensics

© 2012 Apkudo Inc. Confidential www.apkudo.com
APK HACKING
     Approach
1. Extract the APK and disassemble classes.dex using baksmali
2. Isolate the target resources (e.g., the Scramble With Friends word list)
3. Patch the APK to receive the resource, serialize it, and transmit it to the host
4. Reassemble

[Diagram: static analysis / code injection loop: disassemble with baksmali -> edit .smali -> reassemble with smali]

CODE INJECTION
     BEST PRACTICES:
- You don't need to be a Dalvik byte code pro!

- Write patches in Java, compile, then use the Smali/Baksmali tools to
  disassemble into Dalvik byte code

- Stick to public static methods in Dalvik byte code which have no
  register dependencies.

- Note: this hack is achieved by inserting only two lines of manual
  Dalvik byte code



SMALI/BAKSMALI?
DALVIK ASSEMBLER/DISASSEMBLER
- Baksmali disassembles a Dalvik executable (.dex) into readable
  Dalvik byte code (.smali)

- Smali re-assembles .smali files back into a .dex Dalvik executable

- Gives developers the ability to modify execution without having
  access to source code

- Documentation on Smali/Baksmali and Dalvik is in the Smali wiki:
    - http://code.google.com/p/smali/w/list


RESOURCE SERIALIZATION AND TRANSMISSION
    ROMAIN GUY'S VIEWSERVER

[Diagram: the app's onCreate() calls addWindow() on the ViewServer, which listens inside the Android OS on localhost:4939; the host reaches it through an ADB-forwarded port]


STEP 1
     DECOMPRESS AND DISASSEMBLE
- Extract classes.dex and remove the existing signature files (META-INF):
      unzip scramble.apk
      rm -r ./META-INF

- Disassemble:
      baksmali -a 10 -d <framework_path> ./classes.dex
      -a = api-level
      -d = bootclasspath dir (e.g. out/target/product/generic/system/framework)




STEP 2
     ANDROID FORENSICS
- Find the word list... how?
    - Beat obfuscation:
        - Search for class types and log messages
        - Find the intersection of the two
    - Insert your own log statements:

      # Log the contents of the List held in v2 (v1 must already hold the tag String).
      # move-result-object overwrites v2 with the String, so pick a free register
      # instead if the List is still needed later in the method.
      invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
      move-result-object v2
      invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
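The "intersection" search from this step, as an added example that is not from the deck: the script (Python, assumes a baksmali output directory such as ./out for `load_smali_dir`) flags classes that reference a List type, call android.util.Log, and hold a string constant containing a keyword; `SAMPLE` is a constructed stand-in for three obfuscated classes.

```python
import os
import re

# Signals in baksmali output: collection types the target resource is likely held in,
# and Log calls whose tag/message string constants survive class-name obfuscation.
LIST_TYPE_RE = re.compile(r"Ljava/util/(?:List|ArrayList);")
LOG_CALL_RE = re.compile(r"Landroid/util/Log;->[a-z]+\(Ljava/lang/String;")
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')

def load_smali_dir(root):
    """Map path -> text for every .smali file under a baksmali output directory."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".smali")):
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                files[os.path.join(dirpath, name)] = fh.read()
    return files

def triage(smali_files, keywords):
    """Return [(name, [matching string constants])] for classes that use a List type, call
    Log, and hold a string containing one of the (case-insensitive) keywords; most hits first."""
    keywords = [k.lower() for k in keywords]
    hits = []
    for name, text in smali_files.items():
        if LIST_TYPE_RE.search(text) and LOG_CALL_RE.search(text):
            matched = sorted({s for s in CONST_STR_RE.findall(text)
                              if any(k in s.lower() for k in keywords)})
            if matched:
                hits.append((name, matched))
    return sorted(hits, key=lambda h: -len(h[1]))

# Constructed sample: only "fu" has a List field, a Log call and a telling message.
SAMPLE = {
    "fu": '.class public Lfu;\n.field private a:Ljava/util/List;\n.method private b()V\n'
          '    const-string v1, "fu"\n    const-string v2, "loaded word list"\n'
          '    invoke-static {v1, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I\n'
          '.end method\n',
    "ga": '.class public Lga;\n.field private a:Ljava/util/List;\n.method private b()V\n'
          '    const-string v0, "score"\n.end method\n',
    "hb": '.class public Lhb;\n.method private b()V\n    const-string v1, "hb"\n'
          '    const-string v2, "word timer fired"\n'
          '    invoke-static {v1, v2}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I\n'
          '.end method\n',
}

if __name__ == "__main__":
    for name, strings in triage(SAMPLE, ["word", "dictionary"]):
        print(name, strings)
```

Against a real tree, `triage(load_smali_dir("./out"), ["word"])` ranks candidates; "ga" and "hb" above show why either signal alone produces noise.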




STEP 3
     INJECT VIEWSERVER INTO APP
- Resource located! Now we need to send it...

- Apply a patch to ViewServer that stores the list:
      public static void setScrambleWordList(List list);

- Build the patched ViewServer, extract its .smali files

- Copy the smali files into our application
    - Easy enough, right?




STEP 4
     PATCH APP TO USE VIEWSERVER API
- Start the ViewServer in the onCreate() method of MainActivity.smali
    - ViewServer.get()
      invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;

- Pass the list to ViewServer in fu.smali
    - ViewServer.setScrambleWordList(list)
      invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V




STEP 5
     REBUILD APK
- Re-assemble
      smali -a 10 ./out -o classes.dex
- Re-compress (-0 stores entries uncompressed)
      zip -0 -r ../scramble.apk ./*
- Sign APK
      jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name




STEP 6
     INSTALL AND COMMUNICATE WITH APP
- Install
      adb install -r ../scramble.apk
- Forward port
      adb forward tcp:4939 tcp:4939
- Communicate
      nc -l 127.0.0.1 (listen)
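A defender-side check on the result of Steps 1 to 6, added here and not part of the deck: an APK rebuilt this way carries the injected ViewServer descriptors in its classes.dex string table. The script (pure Python, no dependencies) parses the dex string table, verifies the header's adler32 checksum and SHA-1 signature, and flags descriptors that do not belong in a release build; `build_dex` constructs the minimal sample inputs and `INJECTED_MARKERS` is a constructed list.

```python
import hashlib, struct, zlib
# Descriptors that should never be in a release build's string table; seeing one is a
# strong sign of injected instrumentation such as the ViewServer above (constructed list).
INJECTED_MARKERS = {b"Lcom/android/debug/hv/ViewServer;"}

def read_uleb128(buf, off):
    """Decode one ULEB128 value at buf[off]; return (value, offset after it)."""
    value = shift = 0
    while True:
        b, off = buf[off], off + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(dex):
    """Yield every entry of the dex string table as raw MUTF-8 bytes."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)  # string_data_item: uleb128 len, data, NUL
        yield dex[start:dex.index(b"\x00", start)]

def check_dex(dex):
    """Verify header checksum and signature, and list injected descriptors found."""
    (adler,) = struct.unpack_from("<I", dex, 8)
    return {
        "checksum_ok": adler == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),  # adler32 of all bytes after it
        "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),   # sha1 of all bytes after it
        "injected": sorted(s.decode() for s in dex_strings(dex) if s in INJECTED_MARKERS),
    }

def build_dex(strings):
    """Constructed minimal dex (header + string table only), enough for the checks above."""
    data, ids = bytearray(), []
    for s in strings:
        ids.append(0x70 + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s + b"\x00"  # ASCII only, so the uleb128 length is one byte
    dex = bytearray(0x70) + b"".join(struct.pack("<I", o) for o in ids) + data
    dex[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", dex, 0x20, len(dex), 0x70, 0x12345678)  # file_size, header_size, endian_tag
    struct.pack_into("<II", dex, 0x38, len(strings), 0x70)
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    return bytes(dex)

CLEAN = build_dex([b"Lfu;", b"Ljava/util/List;", b"LMainActivity;"])
PATCHED = build_dex([b"Lfu;", b"Ljava/util/List;", b"Lcom/android/debug/hv/ViewServer;"])
```

A passing checksum only shows the file is self-consistent: smali rewrites both header fields, so on a repackaged APK the descriptor scan and a comparison of the signer certificate against the publisher's are the tells.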




APE
     INTELLIGENT ANDROID INSTRUMENTATION
- Fully aware of the application's content
- Invokes actions and makes decisions based on what it sees
- Optimized and extended Romain's ViewServer
    - Transmits view data after each invoked action
    - Introspects on OpenGL
- Uses the word list to obtain matrix positions and OpenGL
  introspection to find buttons on screen




Thank you.
@davtbaum DAVID@   .COM
