Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1


  1. WHO NEEDS THUMBS?! REVERSE ENGINEERING SCRAMBLE WITH FRIENDS v1.1
     David Teitelbaum, @davtbaum, October 2012
  2. OBJECTIVES
     Expect to learn:
       • Fundamentals of APK code injection
       • How to use tools like Smali/Baksmali
       • Better practices in Android forensics
     © 2012 Apkudo Inc. Confidential www.apkudo.com
  4. APK HACKING: APPROACH
       1. Extract the APK and disassemble classes.dex using baksmali
       2. Isolate the target resources (e.g., the Scramble With Friends word list)
       3. Patch the APK to receive the resource, serialize it, and transmit it to the host
       4. Reassemble
     [Diagram: static analysis / code injection cycle: disassemble (baksmali) -> .smali -> reassemble (smali)]
  5. CODE INJECTION BEST PRACTICES
       • You don't need to be a Dalvik byte code pro!
       • Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
       • Stick to public static methods in Dalvik byte code, which have no register dependencies
       • Note: this hack is achieved by inserting only two lines of manual Dalvik byte code
  6. SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
       • Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
       • Smali re-assembles .smali files back into a .dex Dalvik executable
       • Gives developers the ability to modify execution without having access to source code
       • Documentation on Smali/Baksmali and Dalvik is in the Smali wiki: http://code.google.com/p/smali/w/list
  7. RESOURCE SERIALIZATION AND TRANSMISSION: ROMAIN GUY'S VIEWSERVER
     [Diagram: ViewServer started from onCreate(), windows registered via addWindow(), running inside the Android OS and reached over an ADB-forwarded port at localhost:4939]
  8. STEP 1: DECOMPRESS AND DISASSEMBLE
       • Extract classes.dex and remove the signing keys:
           unzip scramble.apk
           rm -r ./META-INF
       • Disassemble:
           baksmali -a 10 -d <framework_path> ./classes.dex
           -a = api-level
           -d = bootclasspath dir (out/target/product/generic/system/framework)
  9. STEP 2: ANDROID FORENSICS
       • Find the word list... how?
       • Beat obfuscation!
       • Search for class types and log messages; find the intersection of the two
       • Insert your own log statements:
           invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
           move-result-object v2
           invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
  10. STEP 3: INJECT VIEWSERVER INTO APP
       • Resource located! Now we need to send it...
       • Apply a patch to ViewServer that stores the list:
           public static void setScrambleWordList(List list);
       • Build the patched ViewServer, extract the .smali files
       • Copy the smali files into our application
       • Easy enough, right?
  11. STEP 4: PATCH APP TO USE THE VIEWSERVER API
       • Start the ViewServer in the onCreate() method of MainActivity.smali:
           ViewServer.get()
           invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
       • Pass the list to ViewServer in fu.smali:
           ViewServer.setScrambleWordList(list)
           invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
  12. STEP 5: REBUILD APK
       • Re-assemble:
           smali -a 10 ./out -o classes.dex
       • Re-compress:
           zip -z0 -r ../scramble.apk ./*
       • Sign APK:
           jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
  13. STEP 6: INSTALL AND COMMUNICATE WITH APP
       • Install:
           adb install -r ../scramble.apk
       • Forward port:
           adb forward tcp:4939 tcp:4939
       • Communicate:
           nc -l 127.0.0.1 (listen)
  14. APE: INTELLIGENT ANDROID INSTRUMENTATION
       • Fully aware of the application's content
       • Invokes actions and makes decisions based on what it sees
       • Optimized and extended Romain's ViewServer: transmits view data after each invoked action; introspects on OpenGL
       • Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
  15. Thank you. @davtbaum DAVID@ .COM
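Steps 1 and 5 above remove META-INF, modify classes.dex and re-sign the APK under a different key. As an added example that is not from the slides or from Apkudo, this Python check does the defender's offline counterpart: read the APK as a zip, re-hash every entry and compare it with the SHA1-Digest recorded in META-INF/MANIFEST.MF, reporting modified entries, entries the manifest never covered, and a missing signature block (the sample APK it builds is constructed in memory, not a real one).

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Map each 'Name:' entry in a JAR MANIFEST.MF to its base64 SHA1-Digest.
    A line starting with one space continues the previous (wrapped) line."""
    lines, digests, name = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def check_apk(apk_bytes):
    """Offline v1-signature sanity check: is a signature block present, and does every
    entry outside META-INF still hash to the digest recorded in MANIFEST.MF?"""
    z = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = [n for n in z.namelist() if not n.endswith("/")]
    digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode()) if "META-INF/MANIFEST.MF" in names else {}
    result = {"signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                            for n in names), "mismatched": [], "unlisted": []}
    for n in names:
        if n.startswith("META-INF/"):
            continue  # the signing files are not themselves listed in the manifest
        actual = base64.b64encode(hashlib.sha1(z.read(n)).digest()).decode()
        if n not in digests:
            result["unlisted"].append(n)
        elif digests[n] != actual:
            result["mismatched"].append(n)
    return result

def build_sample_apk(patch_dex=False, strip_meta_inf=False):
    """Constructed sample, not a real APK: one classes.dex plus v1 signing files computed over
    the ORIGINAL dex. patch_dex swaps the dex afterwards; strip_meta_inf mimics 'rm -r META-INF'."""
    original = b"dex\n035\x00constructed original classes.dex"
    digest = base64.b64encode(hashlib.sha1(original).digest()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if not strip_meta_inf:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: %s\r\n\r\n" % digest)
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/CERT.RSA", b"constructed placeholder signature block")
        z.writestr("classes.dex", b"dex\n035\x00patched classes.dex" if patch_dex else original)
    return buf.getvalue()
```

A repackage that has been fully re-signed passes the digest check by construction, so this has to be paired with comparing the signing certificate against the developer's known one.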
