Who Needs Thumbs? Reverse Engineering Scramble With Friends

Apkudo's AnDevCon III class, "Who Needs Thumbs? Reverse Engineering Scramble With Friends: Part 1". This class was presented on May 15, 2012 by Apkudo's App Analytics Engineer, David Teitelbaum, and CEO, Josh Matthews.

  • Speaker note: Once you have your app disassembled, apply forensics! We knew SWF was storing word lists; when was this list being populated, and how? Trace!

    1. WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS
       Josh Matthews, David Teitelbaum, May 2012
    2. OBJECTIVES
       • APK code injection
       • Smali/Baksmali
       • Android instrumentation
       • Android forensics
       • Hands on!
       © 2012 Apkudo Inc. Confidential www.apkudo.com
    3. VIEW SCRAMBLE WITH FRIENDS DEMO HERE: http://tiny.cc/r79rew
    4. APK HACKING: APPROACH
       1. Extract the APK and disassemble classes.dex
       2. Isolate the target resources (e.g., the Scramble With Friends word list)
       3. Create a server to receive the resource, serialize it, and transmit it to the host
       4. Patch the APK with the server
    5. BUT I DON'T KNOW DALVIK!? DON'T WORRY!
       • You do know Java, and you can use the Smali/Baksmali tools to disassemble compiled Java code into readable Dalvik bytecode
       • By sticking to public static methods within the server, a static method call in Dalvik is only two lines long:
           invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
           move-result-object v0
    6. SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
       • Baksmali disassembles the APK's classes.dex executable into readable Dalvik bytecode (.smali)
       • Smali re-assembles .smali files back into a .dex Dalvik executable
       • Gives developers the ability to modify Android APKs without having access to source code
       • Documentation on Smali/Baksmali and Dalvik is in the Smali wiki: http://code.google.com/p/smali/w/list
    7. ROMAIN'S VIEWSERVER: LOCAL SERVER FOR ANDROID'S HIERARCHY VIEWER
       • Serves the app's view data to the host (hierarchyviewer) via a port forwarded through ADB
       • Runs entirely in the APK's address space
       • Developed to emulate the Android ViewServer implemented on development Android devices
       • Perfect for transmitting the serialized word list back to a host machine
       • Must add a ViewServer window in the onCreate() method of each activity in the app
       • https://github.com/romainguy/ViewServer
    8. STEP 1: DECOMPRESS AND DISASSEMBLE
       • Extract classes.dex and remove the existing signature files (META-INF):
           unzip scramble.apk
           rm -r ./META-INF
       • Disassemble:
           baksmali -a 10 -c <framework_path> ./classes.dex
         -a = API level; -c = bootclasspath, e.g. out/target/product/generic/system/framework
    9. STEP 2: ANDROID FORENSICS
       • Investigate the .smali source code for aggregation of resources
       • Trace! Start from the onCreate() method in the calling activity (ScrambleGameActivity.java)
       • Insert log statements to print the active resources:
           invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
           move-result-object v2
           invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    10. WHAT WE FOUND: A LIST OF WORDS AND MATRIX POSITIONS
    11. STEP 3: COMPILE VIEWSERVER INTO A DONOR APP
       • The donor can be any Android app you can build from source
       • Just include the server's .java files as part of the package
       • The server does not need to be instantiated or implemented in the app itself; it is there for compilation purposes only!
    12. STEP 4: EXTRACT SERVER FROM DONOR AND INJECT INTO SWF
       • Disassemble ViewServer.apk
       • Use sed to rewrite all references from com.android.debug.hv.ViewServer to com.zynga.scramble.ViewServer:
           find . -type f -exec sed -i 's|Lcom/android/debug/hv/ViewServer|Lcom/zynga/scramble/ViewServer|g' {} +
       • Copy the ViewServer .smali files into the SWF out directory
    13. STEP 5: PATCH SWF TO SERVE VIEW DATA ON ACTIVITY LAUNCH
       • Preliminary investigation shows that SWF uses a base class that extends Activity:
           grep -sir '.super Landroid/app/Activity;' ./
       • In the onCreate() and onResume() methods, invoke ViewServer.addWindow() and ViewServer.setFocusedWindow() respectively
    14. STEP 6: IMPLEMENT RESOURCE SERIALIZATION ON VIEWSERVER
       • Create a public static method that takes in the resource, serializes it, and transmits it to the host
       • Patch the APK to invoke this method once the resources have been collected:
           invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
           invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
    15. STEP 7: REBUILD APK
       • Re-assemble:
           smali -a 10 ./out -o classes.dex
       • Re-compress:
           zip -0 -r ../scramble.apk ./*
       • Sign the APK:
           jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
    16. APE: INTELLIGENT ANDROID INSTRUMENTATION
       • Fully aware of the application's content
       • Invokes actions and makes decisions based on what it sees
       • Optimized and extended Romain's ViewServer: transmits view data after each invoked action and introspects on OpenGL
       • Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
    17. Thank you. @jshmthws JOSH@ .COM; @davtbaum DAVID@ .COM
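A defender-side counterpart to steps 4 to 6, added here as an example and not part of the Apkudo deck: diffing a disassembled build against the class list recorded from the app's own source flags an injected class such as the renamed ViewServer, and every patched invoke that targets it. The smali sample, the baseline set and the BaseActivity name are constructed for the example; the .class and invoke-* line formats are those baksmali emits.

```python
import re
from typing import Dict, List, Set, Tuple

# baksmali emits ".class <modifiers> Lpkg/Name;" and "invoke-<kind> {regs}, Lpkg/Name;->m(...)".
CLASS_RE = re.compile(r"^\s*\.class\b.*?(L[\w/$]+;)\s*$")
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[\w/$]+;)->")
# Framework namespaces that a baseline built from the app's own classes will not list.
TRUSTED_PREFIXES = ("Landroid/", "Ljava/", "Ljavax/", "Ldalvik/")

def index_smali(files: Dict[str, str]) -> Tuple[Set[str], List[Tuple[str, int, str]]]:
    """Return the classes defined and every (file, line, target class) invoke."""
    defined: Set[str] = set()
    invokes: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            m = CLASS_RE.match(line)
            if m:
                defined.add(m.group(1))
                continue
            m = INVOKE_RE.match(line)
            if m:
                invokes.append((path, no, m.group(1)))
    return defined, invokes

def find_foreign(files: Dict[str, str], baseline: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag classes that are defined or invoked but are neither in the baseline
    (class descriptors recorded from the app's own build) nor framework classes."""
    defined, invokes = index_smali(files)
    findings = [("unexpected-class", c, "") for c in sorted(defined - baseline)]
    for path, no, target in invokes:
        if target not in baseline and not target.startswith(TRUSTED_PREFIXES):
            findings.append(("unexpected-invoke", target, f"{path}:{no}"))
    return findings

# Constructed sample: the patched activity from slide 14 plus the injected class.
# BaseActivity is a hypothetical name for the base class the deck grep'd for.
SAMPLE = {
    "com/zynga/scramble/ScrambleGameActivity.smali": "\n".join([
        ".class public Lcom/zynga/scramble/ScrambleGameActivity;",
        ".super Lcom/zynga/scramble/BaseActivity;",
        "    invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z",
        "    invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V",
    ]),
    "com/zynga/scramble/ViewServer.smali": ".class public Lcom/zynga/scramble/ViewServer;",
}
BASELINE = {"Lcom/zynga/scramble/ScrambleGameActivity;", "Lcom/zynga/scramble/BaseActivity;"}
if __name__ == "__main__":
    for kind, cls, where in find_foreign(SAMPLE, BASELINE):
        print(kind, cls, where)
```

In practice the baseline is the set of `.class` descriptors from a baksmali run over the build you shipped, so a re-signed APK that passed through step 7 shows up as both a new class and new call sites.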
