Who Needs Thumbs? Reverse Engineering Scramble With Friends

Apkudo's AnDevCon III class, "Who Needs Thumbs? Reverse Engineering Scramble With Friends: Part 1" This class was presented on May 15, 2012 by Apkudo's App Analytics Engineer, David Teitelbaum, and CEO, Josh Matthews.

  • Speaker note: Once you have your app disassembled, apply forensics! We knew SWF was storing word lists; when was this list being populated, and how? Trace!
  • Transcript

    • 1. WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS (Josh Matthews, David Teitelbaum, May 2012)
    • 2. OBJECTIVES
      • APK code injection
      • Smali/Baksmali
      • Android instrumentation
      • Android forensics
      • Hands on!
      © 2012 Apkudo Inc. Confidential www.apkudo.com
    • 3. VIEW SCRAMBLE WITH FRIENDS DEMO HERE: http://tiny.cc/r79rew
    • 4. APK HACKING: APPROACH
      1. Extract the APK and disassemble classes.dex
      2. Isolate the target resources (e.g., the Scramble With Friends word list)
      3. Create a server to receive the resource, serialize it, and transmit it to the host
      4. Patch the APK with the server
    • 5. BUT I DON'T KNOW DALVIK!? DON'T WORRY!
      • You do know Java, and the Smali/Baksmali tools turn the app's Dalvik byte code into readable assembly
      • By sticking to public static methods within the server, each static method call in Dalvik is only two lines long:
        invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
        move-result-object v0
    • 6. SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
      • Baksmali disassembles the APK's classes.dex executable into readable Dalvik byte code (.smali)
      • Smali re-assembles .smali files back into a .dex Dalvik executable
      • Gives developers the ability to modify Android APKs without having access to source code
      • Documentation on Smali/Baksmali and Dalvik in the Smali wiki: http://code.google.com/p/smali/w/list
    • 7. ROMAIN'S VIEWSERVER: LOCAL SERVER FOR ANDROID'S HIERARCHY VIEWER
      • Serves the app's view data to the host (hierarchyviewer) via a port forwarded through ADB
      • Runs entirely in the APK's address space
      • Developed to emulate the Android ViewServer implemented on development Android devices
      • Perfect for transmitting the serialized word list back to a host machine
      • Must add a ViewServer window in the onCreate() method of each activity in the app
      • https://github.com/romainguy/ViewServer
    • 8. STEP 1: DECOMPRESS AND DISASSEMBLE
      • Extract classes.dex and remove the signing keys:
        unzip scramble.apk
        rm -r ./META-INF
      • Disassemble:
        baksmali -a 10 -c <framework_path> ./classes.dex
        -a = api-level
        -c = bootclasspath (e.g., out/target/product/generic/system/framework)
    • 9. STEP 2: ANDROID FORENSICS
      • Investigate the .smali source code for aggregation of resources
      • Trace! The onCreate() method in the calling activity, ScrambleGameActivity.java
      • Insert log statements to print the active resources:
        invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
        move-result-object v2
        invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    • 10. WHAT WE FOUND: A LIST OF WORDS AND MATRIX POSITIONS
    • 11. STEP 3: COMPILE VIEWSERVER INTO A DONOR APP
      • The donor can be any Android app you can build from source
      • Just include the server's .java files as part of the package
      • The server does not need to be instantiated or implemented in the app itself; it is there for compilation purposes only
    • 12. STEP 4: EXTRACT THE SERVER FROM THE DONOR AND INJECT IT INTO SWF
      • Disassemble ViewServer.apk
      • Use sed to replace all method calls from com.android.debug.hv.ViewServer with com.zynga.scramble.ViewServer (a `#` delimiter keeps the slashes in the class paths from terminating the expression):
        find . -type f -exec sed -i 's#Lcom/android/debug/hv/ViewServer#Lcom/zynga/scramble/ViewServer#g' {} +
      • Copy the ViewServer.smali files into the SWF out directory
    • 13. STEP 5: PATCH SWF TO SERVE VIEW DATA ON ACTIVITY LAUNCH
      • Preliminary investigation shows that SWF uses a base class that extends Activity:
        grep -sir '.super Landroid/app/Activity;' ./
      • In the onCreate() and onResume() methods, invoke ViewServer.addWindow() and ViewServer.setFocusedWindow() respectively
    • 14. STEP 6: IMPLEMENT RESOURCE SERIALIZATION ON VIEWSERVER
      • Create a public static method that takes in the resource, serializes it, and transmits it to the host
      • Patch the APK to invoke this method once the resources have been collected:
        invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
        invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
    • 15. STEP 7: REBUILD THE APK
      • Re-assemble:
        smali -a 10 ./out -o classes.dex
      • Re-compress:
        zip -z0 -r ../scramble.apk ./*
      • Sign the APK:
        jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
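Steps 1 and 7 together describe exactly what a defender can look for in a repackaged build: step 1 deletes META-INF, so the rebuilt classes.dex is no longer covered by the digests in MANIFEST.MF, and step 7 re-signs with a fresh keystore, so the signer certificate no longer matches the publisher's. The script below is an added example (not part of the Apkudo deck or their tooling) that audits both properties with the Python standard library: it verifies each entry's SHA-256 against the v1 (JAR-style) manifest and compares the SHA-256 fingerprint of the certificate inside CERT.RSA against a pinned value. The APKs, the certificates and the PKCS#7 signing block are all constructed in memory as placeholders so it runs offline; the PKCS#7 walker assumes definite-length DER and reads only the first certificate.

```python
# Added example, not from the Apkudo deck: a defender-side audit for what the deck's
# workflow leaves behind. Step 1 deletes META-INF, so the rebuilt classes.dex is no
# longer covered by MANIFEST.MF; step 7 re-signs with a new keystore, so the signer
# certificate no longer matches the publisher's. Stdlib only; all inputs constructed.
import base64, hashlib, io, zipfile

def der(tag, content):
    """Minimal DER TLV encoder (used only to build the constructed signing block)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos, want):
    """Read the definite-length TLV at pos; return (value_start, value_end, next_tlv)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"unexpected DER tag 0x{tag:02x}, wanted 0x{want:02x}")
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length, pos + length

def signer_cert_der(pkcs7):
    """Return the first certificate (raw DER) from a PKCS#7 SignedData blob such as CERT.RSA."""
    s, _, _ = der_read(pkcs7, 0, 0x30)      # ContentInfo
    _, _, p = der_read(pkcs7, s, 0x06)      # contentType OID (id-signedData)
    s, _, _ = der_read(pkcs7, p, 0xA0)      # [0] EXPLICIT content
    p, _, _ = der_read(pkcs7, s, 0x30)      # SignedData
    for tag in (0x02, 0x31, 0x30):          # skip version, digestAlgorithms, encapContentInfo
        _, _, p = der_read(pkcs7, p, tag)
    s, _, _ = der_read(pkcs7, p, 0xA0)      # [0] IMPLICIT certificates
    _, end, _ = der_read(pkcs7, s, 0x30)    # first Certificate SEQUENCE
    return pkcs7[s:end]                     # whole TLV: this is what cert fingerprints hash

def parse_manifest(text):
    """Map each 'Name:' section of MANIFEST.MF to its attributes (72-column wraps unfolded first)."""
    sections, current = {}, None
    for line in text.replace("\r\n ", "").replace("\n ", "").splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            sections[value] = current = {}
        elif not line:
            current = None
        elif current is not None:
            current[key] = value
    return sections

def verify_manifest_digests(z):
    """Check every non-META-INF entry against the SHA-256 digest MANIFEST.MF records for it."""
    if "META-INF/MANIFEST.MF" not in z.namelist():
        return ["META-INF/MANIFEST.MF missing (signature stripped?)"]
    entries, problems = parse_manifest(z.read("META-INF/MANIFEST.MF").decode()), []
    for name in z.namelist():
        if name.startswith("META-INF/") or name.endswith("/"):
            continue
        want = entries.get(name, {}).get("SHA-256-Digest")
        got = base64.b64encode(hashlib.sha256(z.read(name)).digest()).decode()
        if want != got:
            problems.append(f"{name}: {'not covered by manifest' if want is None else 'digest mismatch'}")
    return problems

def audit_apk(apk_bytes, pinned_cert_sha256):
    """Return a list of findings; an empty list means both checks passed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        problems = verify_manifest_digests(z)
        blocks = [n for n in z.namelist() if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            problems.append("no signature block in META-INF")
        elif hashlib.sha256(signer_cert_der(z.read(blocks[0]))).hexdigest() != pinned_cert_sha256:
            problems.append("signer certificate does not match the pinned publisher certificate")
    return problems

# Constructed inputs: the publisher's build, plus the states the deck's steps produce.
def build_apk(files, cert=None, manifest_files=None):
    """Zip the files; with a cert, add a v1 (JAR-style) MANIFEST.MF and a PKCS#7 CERT.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        if cert is not None:
            mf = ["Manifest-Version: 1.0", ""]
            for name, data in (manifest_files or files).items():
                mf += [f"Name: {name}", "SHA-256-Digest: " + base64.b64encode(hashlib.sha256(data).digest()).decode(), ""]
            z.writestr("META-INF/MANIFEST.MF", "\r\n".join(mf))
            signed = der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")) + der(0xA0, cert)
            z.writestr("META-INF/CERT.RSA", der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, der(0x30, signed))))
    return buf.getvalue()

PUBLISHER_CERT = der(0x30, b"placeholder: publisher certificate")     # stand-in, not a real X.509 cert
REBUILD_CERT = der(0x30, b"placeholder: my-release-key.keystore")     # stand-in for the key used in step 7
PINNED = hashlib.sha256(PUBLISHER_CERT).hexdigest()                   # what a defender would pin
FILES = {"classes.dex": b"dex\n035\x00original", "res/layout/game.xml": b"<game/>"}

def demo():
    patched = dict(FILES, **{"classes.dex": b"dex\n035\x00patched"})    # classes.dex rebuilt by smali
    return {"genuine": audit_apk(build_apk(FILES, PUBLISHER_CERT), PINNED),
            "stale": audit_apk(build_apk(patched, PUBLISHER_CERT, manifest_files=FILES), PINNED),  # patched, manifest not regenerated
            "stripped": audit_apk(build_apk(patched), PINNED),            # after step 1 (rm -r META-INF)
            "resigned": audit_apk(build_apk(patched, REBUILD_CERT), PINNED)}   # after step 7 (jarsigner)
```

The "stale" case is why step 1 removes META-INF wholesale rather than editing it: a modified entry under the original manifest fails the digest check, which Android also enforces at install time. The "resigned" case is the one only a pinned fingerprint catches, since the rebuilt APK is internally consistent and installs fine; the same comparison can be done on the device by checking the app's own signing certificate from the package manager against a value compiled into the app. Modern APKs also carry v2/v3 signatures in a block outside the zip entries, which this v1-only script does not read.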
    • 16. APE: INTELLIGENT ANDROID INSTRUMENTATION
      • Fully aware of the application's content
      • Invokes actions and makes decisions based on what it sees
      • Optimized and extended Romain's ViewServer: transmits view data after each invoked action, and introspects on OpenGL
      • Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
    • 17. Thank you. @jshmthws JOSH@ .COM, @davtbaum DAVID@ .COM
