Dancing with dalvik

5,061 views
4,842 views

Published on

So you've reversed you're first Android APK; now what? Java pseduocode is nice, but how do we modify the app? This is a crash course in reading and understanding Davlik opcodes. It will go through some basics then we will jump into a couple case studies to demonstrate some of the concepts. This talk should help testers who are interested in or do Android application assessments to better understand how to mess with the underlying code.

Published in: Technology, Education
0 Comments
9 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,061
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
172
Comments
0
Likes
9
Embeds 0
No embeds

No notes for slide

Dancing with dalvik

  1. 1. 1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. THOMAS RICHARDS Dancing with Dalvik
  2. 2. 2 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. About me • Thomas Richards • Security Consultant @ Cigital, Inc • @g13net - Twitter • OSCP, GPEN, OSWP • Developer o Goofile and Pwnberry Pi • Organizer for BsidesROC • Presented before at GrrCON and DerbyCON • Really enjoy tearing apart Android
  3. 3. 3 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Toc • 0x1 – Intro to Dalvik • 0x2 – Dalvik Opcode Primer • 0x3 – Case Studies
  4. 4. 4 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. 0x01 Intro to Dalvik
  5. 5. 5 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. What is Dalvik? • A town in Iceland • A lightweight register-based VM • Optimized for embedded/mobile platforms o Low RAM/CPU
  6. 6. 6 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Dalvik optimizations • Duplicate code is reused within DEX • 16-bit instruction set that works directly on local variables o Lowers instruction count and increased interpreter speed • Slimmed down VM to run in less space
  7. 7. 7 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Stack vs register based • Java JVM is Stack Based o real or emulated computer that uses a pushdown stack rather than individual machine registers to evaluate each sub- expression in the program • Register Based o Dalvik uses registers as primarily units of data storage instead of the stack. Google is hoping to accomplish 30 percent fewer instructions as a result. • http://stackoverflow.com/questions/2719469/why-is-the- jvm-stack-based-and-the-dalvik-vm-register-based • http://en.wikipedia.org/wiki/Stack_machine
  8. 8. 8 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Register Vs. Stack Cont.
  9. 9. 9 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Getting to dalvik • Android apps are traditionally written in Java • Compiled into Java bytecode then converted to Dalvik bytecode • Java class files converted into .dex
  10. 10. 10 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Java vs Dalvik
  11. 11. 11 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Inside the APK • AndroidManifest.xml • Classes.dex • Res/ • Lib/ • META-INF/
  12. 12. 12 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Disassembling classes.dex • Typical tools o Apktool o Baksmali • The result is several .smali files
  13. 13. 13 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Apktool decoding me@Mentos ~/android/ghost $ apktool d ghost-meter.apk I: Baksmaling... I: Loading resource table... I: Loaded. I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /home/me/apktool/framework/1.apk I: Loaded. I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Done. I: Copying assets and libs...
  14. 14. 14 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Directories Created
  15. 15. 15 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Files created me@Mentos ~/android/ghost $ ls ghost- meter/smali/ a.smali c$a.smali c$c.smali c$e.smali c.smali e.smali g.smali i.smali k.smali m.smali o.smali q.smali s.smali u.smali w.smali b.smali c$b.smali c$d.smali com d.smali f.smali h.smali j.smali l.smali n.smali p.smali r.smali t.smali v.smali x.smali me@Mentos ~/android/ghost $
  16. 16. 16 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Apktool building me@Mentos ~/android/ghost $ apktool b ghost- meter/ ghost.apk I: Checking whether sources has changed... I: Smaling... I: Checking whether resources has changed... I: Building resources... I: Building apk file... me@Mentos ~/android/ghost $ • After building you must use jarsigner to sign the APK before it can be installed!
  17. 17. 17 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Signing the APK • Creating the cert o keytool -genkey -v -keystore my-release- key.keystore -alias alias_name -keyalg RSA -validity 10000 • Signing the APK o jarsigner -verbose -keystore my-release- key.keystore GhostMeter.apk alias_name
  18. 18. 18 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Cydia Substrate • Originally on iOS, recently released on Android. • Tool for hooking methods within an application or the system. • Modify runtime behavior of Android Application without recompiling code
  19. 19. 19 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. 0x2 Dalvik Opcode Primer
  20. 20. 20 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Smali files • Disassembled DEX files • Not as scary as x86 ASM • ASCII representation of Dalvik Opcodes • Mostly correspond to the original .java files
  21. 21. 21 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Types V void - can only be used for return types Z boolean B byte S short C char I int J long (64 bits) F float D double (64 bits)
  22. 22. 22 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Helloworld example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V return-void .end method http://code.google.com/p/smali/source/browse/examples/HelloWorld/HelloWorld.sm ali
  23. 23. 23 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Variables • Registers o v0, v1, etc. o Variables defined in the original java code • Parameters o p0, p1, etc o Must be the same as defined by the method • Both are defined at the beginning of the method
  24. 24. 24 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;- >println(Ljava/lang/String;)V return-void .end method
  25. 25. 25 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Assigning variables • const • const-string • Etc, • Examples o const v0, 0x1 o const-string v1, “This is a test”
  26. 26. 26 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;- >println(Ljava/lang/String;)V return-void .end method
  27. 27. 27 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Calling methods • invoke-* { parameters }, method-to-call o Static – static method o Virtual – virtual method
  28. 28. 28 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;- >println(Ljava/lang/String;)V return-void .end method
  29. 29. 29 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Conditional statements • If-* - If statements o If-eq vx, vy, target – If equal o If-nez vx, target – If vx is a nonzero o If-eqz vx, target – If vx is zero o If-ge vx, vy, target – if vx>=vy o Etc • Targets o Shown as cond_0, cond_1
  30. 30. 30 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. example invoke-virtual {v0}, Ljava/lang/Class;- >desiredAssertionStatus()Z move-result v0 if-nez v0, :cond_0 .line 100 :cond_0 const/4 v0, 0x0 goto/16 :goto_0
  31. 31. 31 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Get/put • Apps could declare constants. • Get/Put will retrieve or store values into those constants • Examples: o iput v0, v1, Lcom/greencod/pinball/gameengine/zones/Table0Zone;- >ZORDER_TABLE:I o iget v0, v0, Lcom/greencod/pinball/gameengine/xinterface/persistenc e/Settings;->friction:F
  32. 32. 32 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Return • Unless the method is declared as a void, it will return a value. • Return types: o Return-void o Return-object o Return v0
  33. 33. 33 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. 0x3 case studies
  34. 34. 34 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Removing ads • Ads are annoying • Take up screen realestate • My 4 yr old mistakenly clicks them o “Look daddy!”
  35. 35. 35 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. solitare • Ad function is called inbetween deals • Ads are annoying o Music o Video • Disable calling the ads?
  36. 36. 36 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Short video showing ad calling
  37. 37. 37 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The code • After an exhaustive search in com/mobilityware/solitare/solitare.smali: .method public displayAd()V .locals 1 .prologue .line 572 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; if-eqz v0, :cond_0 .line 573 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z .line 574 :cond_0 return-void .end method
  38. 38. 38 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The code • After an exhaustive search in com/mobilityware/solitare/solitare.smali: .method public displayAd()V .locals 1 .prologue .line 572 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; if-eqz v0, :cond_0 .line 573 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; #invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z .line 574 :cond_0 return-void .end method
  39. 39. 39 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. After the change is made • Recompile the code and use apktool to create a new APK o You will have to sign this with your own cert • After the APK is created: o Remove old Solitare APK o Install new hax0rd one
  40. 40. 40 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Short video showing no more ad
  41. 41. 41 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. chess • Most apps display the ads at all times • When the network is disabled, the ads don’t show • Can we force this behavior?
  42. 42. 42 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot of chess with ads
  43. 43. 43 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Google ads • Most apps rely on Google’s ad provider network • Good for us! o Code to break this should be the same for many apps • How to make it look like there is no network connectivity? • Log Entry when Network is disabled o adRequestWebView was null while trying to load an ad
  44. 44. 44 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The original code • From com/google/ads/c.smali: :try_start_0 iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView; if-eqz v0, :cond_0 iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b; if-nez v0, :cond_1 :cond_0 const-string v0, "adRequestWebView was null while trying to load an ad." invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;- >INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode
  45. 45. 45 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The modified code • From com/google/ads/c.smali: :try_start_0 iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView; const v0, 0x0 if-eqz v0, :cond_0 iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b; if-nez v0, :cond_1 :cond_0 const-string v0, "adRequestWebView was null while trying to load an ad." invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V
  46. 46. 46 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot showing no ads
  47. 47. 47 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Removing Ads with Cydia • Write once, use everywhere • Using reflection, hook a method • Stop ads from loading
  48. 48. 48 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Google Mobile Ads • Again, very common to see used. • Plan: o Hook loadDataWithBaseUrl method o Render it useless
  49. 49. 49 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Cydia Code MS.hookClassLoad("com.google.ads.internal.AdWebView", new MS.ClassLoadHook() { public void classLoaded(Class<?> resources) { Method loadAd; try { loadAd = resources.getMethod("loadDataWithBaseURL", String.class, String.class, String.class, String.class, String.class); } catch (NoSuchMethodException d) { loadAd = null; } if (loadAd != null) { final MS.MethodPointer old = new MS.MethodPointer(); MS.hookMethod(resources, loadAd, new MS.MethodHook() { public Object invoked(Object _this, Object... args) throws Throwable { return null; } }, old);
  50. 50. 50 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot of App with Ads
  51. 51. 51 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot after Cydia App Installed
  52. 52. 52 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Pinball wizard • How about getting a high score? • Values are most likely in the source • Totally impress your friends with l33t pinball skillz
  53. 53. 53 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Picture of game after normal score
  54. 54. 54 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The code .local v12, scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour; const/16 v1, 0x2c7 const/16 v3, 0x5aa invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe haviour;->addScoreMessage(II)V .line 508 const/16 v1, 0x204 const/16 v3, 0x10fe invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe haviour;->addScoreMessage(II)V
  55. 55. 55 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Altered code .local v12, scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour; const/16 v1, 0x2c7 const/16 v3, 0xfff invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer Behaviour;->addScoreMessage(II)V .line 508 const/16 v1, 0x204 const/16 v3, 0xffff invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer Behaviour;->addScoreMessage(II)V
  56. 56. 56 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Picture of new high score
  57. 57. 57 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Leaderboard
  58. 58. 58 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. What now? • Explore! • Bypass restrictions? o Very useful in mobile app assessment
  59. 59. 59 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. References • http://pallergabor.uw.hu/androidblog/dalvik_ opcodes.html • http://code.google.com/p/android-apktool/ • http://code.google.com/p/smali/source/brow se/examples/HelloWorld/HelloWorld.smali • http://www.cydiasubstrate.com/inject/dalvik/
  60. 60. 60 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. QUESTIONS?

×