The Xposed Framework can be used to hook and replace Java methods in Android applications. This talk explores ways to take advantage of the framework for reverse engineering, fun, and (perhaps) even profit. Prior knowledge of Java and Android application programming recommended but not required!

1. Function Hooking with Xposed
Jaime Geiger
1
http://tiny.cc/bsidesroc-xposed

2. Agenda
● Intro - whoami, whoareyou, what is xposed?
● Tools (brief) - JD-gui, jad, apktool, aapt, dex2jar
● What to hook - making sense of obfuscation, finding the right function to
hook
● Basic hooks - hooking code, changing return values/parameters
● Reversing - making the app do the work, dumping API keys
● Disabling Security Checks - certificate pinning
2

3. Intro: Formalities and Background
3

4. # whoami
● @jgeigerm / wumb0 - wumb0.in
● InfoSec @ RIT (or CSEC, whatever)
● Working for Grimm after graduation in VA (grimm-co.com)
● Hobbies/Interests:
○ CTFs, Reversing, Exploitation
○ Collecting acronyms: RC3, KDR, CCDC, SI, R2D2, ACDC, etc. etc.
○ Poking android (in all the right places )
○ Red team & malware development
4

5. # who -u
● RIT Students?
● Java programmers?
● Android users?
● Android application programmers?
● Used xposed before?
● Written xposed modules before?
● None of the above?
5

6. What’s an Xposed? Sounds hot.
● Function and resource hooking framework
○ Modify functions (returns, parameters, exceptions) & UI elements
● Written and maintained by rovo89 (GitHub)
● Replaces app_process to allow access to ART/Dalvik
● It is hot!
6

7. How does xposed work?
● Does not change an app’s signature
● Replacement app_process that adds a jar to the java classpath
○ service zygote /system/bin/app_process -Xzygote /system/bin
--zygote --start-system-server
○ All processes are forked from zygote - hook zygote, hook all
apps!
○ Jar added is the xposedbridge!
● (Yes you need root to do this!)
7

8. Tools: they live among us
8

9. JD-GUI/jad
9
● Java decompilers
● JD-GUI takes jar/class files and has a browser
● Jad takes class files only
○ but better decompilation, IMO

10. dex2jar/apktool
● dex2jar converts dex (classes in an APK) into JAR
● apktool extracts smali (Java bytecode) and resources from an
APK
10

11. aapt
● Part of build-tools in the Android SDK
● Lets you see resources inside an APK without unpacking it
● Decompiled code has references to string values by number
○ Jad has them in hex
○ JD-GUI has them in decimal
● Need this to search strings completely
aapt d strings the.apk | grep “looking for this string”
11

12. Custom Tools to help!
● apkdecompile.sh - unpacks and decompiles all classes in APK
○ Requires dex2jar and jad
○ Has a --shitty option (see unzipshittyobfuscatedjar.sh...)
● searchstring.sh - search a string value in an APK by hex or
decimal number
○ Requires aapt
● unzipshittyobfuscatedjar.sh - sometimes obfuscated class names
are Aa.class AND AA.class AND aa.class
● Find them here
12

13. What to hook: digging through source!
13

14. Process
14
1. Get the apk
○ @ www.apk4fun.com (pls no piracy) or /data/app on device
2. Convert to JAR (d2j-dex2jar the.apk) and extract (apktool d
the.apk)
3. Decompile with jad or jd-gui
4. (maybe) smash head against obfuscation
○ Look at strings, related functions, etc.
5. Identify relevant classes and functions

15. Basic Hooks: Getting up in there
15

16. Important imports!
● XposedBridge.jar - contains all necessary classes for module dev
● XposedHelpers.findAndHookMethod
● XposedHelpers.callMethod
● IXposedHookLoadPackage - base class loaded on app init
● XC_MethodReplacement/XC_MethodHook
● Callbacks.XC_LoadPackage.LoadPackageParam - package
information
● XposedBridge - helpers (logging)
16

17. Xposed Project Module Structure
libs/XposedBridge.jar -> ../XposedBridge/app/build/intermediates/packaged/release/classes.jar
build.gradle - root project build file
Local.properties - specifies Android SDK directory
app/
build.gradle - details module, includes XposedBridge from libs
src/main
AndroidManifest.xml - defines the app permissions and such
assets/xposed_init - tells xposed what class to run on start
res/ - any resources you need (strings, layouts, etc.)
java/your/company/appname/Hooks.java - hooks to install
See xposed skeleton creator in the GitHub repo for this talk! 17

18. Side Note: Building and Installing Modules
● Build with gradle (gradle build)
● Output APK is at app/build/outputs/apk/app-debug.apk
○ Feel free to sign it
● adb install -r app/build/outputs/apk/app-debug.apk
18

19. Package hooking skeleton
public class Hooks implements IXposedHookLoadPackage {
public void handleLoadPackage(final LoadPackageParam lpparam)
throws Throwable {
if (!lpparam.packageName.equals("the.package.name"))
return;
//find and hook methods here
}
}
19

20. findAndHookMethod
● Finds a class method by name and hooks it with whatever you
want
1. Return a constant
2. Ignore it completely
3. Do something before the function is called
4. Do something else instead
5. Do something after the function is called successfully
findAndHookMethod(“com.app.classname”, lpparam.classLoader,
“functionName”, [func arg1 class], [func arg2 class], hook);
20

21. Scenario 1: Make a function return a constant value
● We want verifyPasscode(String passcode) in class com.bank.
app.Main to always return true
○ Assume it returns a boolean
findAndHookMethod(“com.bank.app.Main”, lpparam.classLoader,
“verifyPasscode”, String.class, XC_MethodReplacement.returnConstant
(true));
21

22. Scenario 2: Ignore the function completely
● We want checkSecurity() in class com.bank.app.Main to be
ignored
○ Mostly used with void functions!
findAndHookMethod(“com.bank.app.Main”, lpparam.classLoader,
“checkSecurity”, XC_MethodReplacement.DO_NOTHING);
22

23. Scenario 3: Do something before the function is called
● We want to check the parameter for function transferFunds
(String toAccount) in class com.bank.app.Main and change it
23

24. Scenario 3: Do something before the function is called
findAndHookMethod(“com.bank.app.Main”, lpparam.classLoader,
“transferFunds”, String.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod (MethodHookParam param) throws
Throwable {
param.args[0] = “12345678”;
XposedBridge.log(“changed account number!!”);
}
});
24

25. Scenario 4: Do something else instead
● We want checkPasswordOK(String password) in class com.
bank.app.Main to always return true, but also dump to the logs.
○ Assuming the function returns a boolean
25

26. Scenario 4: Do something else instead
findAndHookMethod(“com.bank.app.Main”, lpparam.classLoader,
“checkPasswordOK”, String.class, new XC_MethodReplacement() {
@Override
protected Object replaceHookedMethod(MethodHookParam param)
throws Throwable {
XposedBridge.log((String)param.args[0]);
return true;
}
});
26

27. Scenario 5: Do something after the function is called
● We want to get the return value of generateToken() in class
com.bank.app.Main and dump it to the logs
○ Assuming it returns a string with the token
27

28. Scenario 5: Do something after the function is called
findAndHookMethod(“com.bank.app.Main”, lpparam.classLoader,
“generateToken”, new XC_MethodHook() {
@Override
protected void afterHookedMethod (MethodHookParam param) throws
Throwable {
XposedBridge.log((String)param.getResult());
}
});
28

29. Practical Example & Demo: Words With Friends
Word checking is done client side, so we’ll disable the check
1. Decompile/unpack
2. Find where word validation is done
3. Hook function to always return true (XC_MethodReplacement)
4. Cheat!
29

30. gnireenignE: Extracting information, understanding code
30

31. Getting to the Goods
● Obfuscated code/variables/keys can be annoying to find in an
app
● If the app checks it’s own signature decompiling, editing, and
recompiling is ruled out
● Dump variables to the logs after they have been
deobfuscated/calculated
31

32. Practical Example & Demo: Yik Yak
32
● API key is calculated based on the app’s signature (YikYak.a)
● getBytes method is used on the variable when requests are
being signed (post calculation)
○ Part of java.lang.String
● Dump key out to the logs, acquire API key, make requests with
python!
● And yes, every time they update the app, the obfuscation
changes...

33. Disabling Security Checks: we don’t need them
33

34. Android Application Auditing
34
● Man-in-the-middle-ing is useful
○ If the app employs certificate pinning you are out of luck
○ Alternative method is static code analysis
● You can disable certificate pinning with xposed!

35. Practical Example & Demo: Yik Yak (pt. 2)
35
● SSLPeerUnverifiedException is thrown if the certificate is
invalid
○ A few hours of reversing told me this. I’ll spare you that demo :)
● Find the SSLPeerUnverifiedException, hook the function it’s
thrown in, and cert pinning goes away
● Let’s MITM

36. Other Resources and Code
36
● Code from this presentation: rev_tools, xposed_mods
● rovo89’s module development tutorial
● XDA forum for xposed modules and development
● Xposed source code
● Snapprefs source code

37. Questions?
37