
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1



2. OBJECTIVES
  Expect to learn:
  - Fundamentals of APK code injection
  - How to use tools like Smali/Baksmali
  - Better practices in Android forensics
  © 2012 Apkudo Inc. Confidential
4. APK HACKING
  Approach:
  1. Extract the APK and disassemble classes.dex using baksmali
  2. Isolate the target resources (e.g., the Scramble With Friends words list)
  3. Patch the APK to receive the resource, serialize it, and transmit it to the host
  4. Reassemble
  [Diagram: static analysis / code injection loop: disassemble (baksmali) -> .smali -> reassemble (smali)]
5. CODE INJECTION BEST PRACTICES
  - You don't need to be a Dalvik byte code pro!
  - Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
  - Stick to public static methods in Dalvik byte code, which have no register dependencies
  - Note: this hack is achieved by inserting only two lines of manual Dalvik byte code
6. SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
  - Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
  - Smali re-assembles .smali files back into a .dex Dalvik executable
  - Gives developers the ability to modify execution without having access to source code
  - Documentation on Smali/Baksmali and Dalvik is in the Smali wiki
7. RESOURCE SERIALIZATION AND TRANSMISSION: ROMAIN GUY'S VIEWSERVER
  [Diagram: the app's onCreate() ... addWindow() registers with the ViewServer running inside the Android OS; the host reaches it through an ADB-forwarded port on localhost:4939]
8. STEP 1: DECOMPRESS AND DISASSEMBLE
  - Extract classes.dex and remove keys:
      unzip scramble.apk
      rm -r ./META-INF
  - Disassemble:
      baksmali -a 10 -d <framework_path> ./classes.dex
    -a = api-level
    -d = bootclasspath dir (out/target/product/generic/system/framework)
9. STEP 2: ANDROID FORENSICS
  - Find the words list... how?
  - Beat obfuscation!
  - Search for class types and log messages; find the intersection of the two
  - Insert your own log statements:
      invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
      move-result-object v2
      invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
10. STEP 3: INJECT VIEWSERVER INTO APP
  - Resource located! Now we need to send it...
  - Apply a patch to ViewServer that stores the list:
      public static void setScrambleWordList(List list);
  - Build the patched ViewServer, extract the .smali files
  - Copy the smali files into our application
  - Easy enough, right?
11. STEP 4: PATCH APP TO USE VIEWSERVER API
  - Start the ViewServer in the onCreate() method of MainActivity.smali (ViewServer.get()):
      invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
  - Pass the list to ViewServer in fu.smali (ViewServer.setScrambleWordList(list)):
      invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
12. STEP 5: REBUILD APK
  - Re-assemble:
      smali -a 10 ./out -o classes.dex
  - Re-compress:
      zip -z0 -r ../scramble.apk ./*
  - Sign APK:
      jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
13. STEP 6: INSTALL AND COMMUNICATE WITH APP
  - Install:
      adb install -r ../scramble.apk
  - Forward port:
      adb forward tcp:4939 tcp:4939
  - Communicate:
      nc -l (listen)
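The flip side of Steps 1 and 5 (META-INF stripped, classes.dex patched, archive re-signed with a new key) is an integrity check on the installed APK. The following is an added example, not part of the deck or Apkudo's tooling: it uses the JDK's JarFile verifier on the JAR (v1) signature that jarsigner writes, and compares the signer certificate against an expected fingerprint the caller supplies (a placeholder taken from a known-good build).

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the deck): verifies the JAR (v1) signature inside an APK
// and reports which certificate signed each entry.
public class ApkSignerCheck {

    // SHA-256 over the certificate's DER encoding: the value to pin against the
    // publisher's known-good signing certificate.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // args[0] = APK path; args[1] (optional) = expected signer fingerprint, a placeholder
    // the caller fills in from a known-good build of the app.
    public static void main(String[] args) throws Exception {
        String expected = args.length > 1 ? args[1] : null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) {          // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Certificates are attached only after the entry has been read to the end;
                // a digest mismatch (a patched classes.dex under the original manifest)
                // surfaces as a SecurityException during that read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                } catch (SecurityException ex) {
                    System.out.println("TAMPERED " + e.getName() + ": " + ex.getMessage());
                    continue;
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) {
                    // No signature covers this entry: META-INF stripped, or file added after signing.
                    System.out.println("UNSIGNED " + e.getName());
                    continue;
                }
                String fp = fingerprint(certs[0]);
                String verdict = expected == null ? "SIGNED  "
                        : expected.equalsIgnoreCase(fp) ? "OK      " : "RESIGNED";
                System.out.println(verdict + " " + e.getName() + " signer sha256=" + fp);
            }
        }
    }
}
```

Run as `java ApkSignerCheck scramble.apk <expected-sha256>`: an archive rebuilt as in Step 5 verifies cleanly but is reported RESIGNED, because the signer is no longer the publisher's key, which is why the fingerprint comparison rather than the digest check is the useful signal. Modern APKs also carry v2/v3 signing blocks that this JAR-level check does not read.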
14. APE: INTELLIGENT ANDROID INSTRUMENTATION
  - Fully aware of the application's content
  - Invokes actions and makes decisions based on what it sees
  - Optimized and extended Romain's ViewServer:
    - Transmits view data after each invoked action
    - Introspects on OpenGL
  - Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
15. Thank you.
  @davtbaum
  DAVID@ .COM