Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1

  1. WHO NEEDS THUMBS? Reverse Engineering Scramble With Friends v1.1. David Teitelbaum, @davtbaum, October 2012
  2. OBJECTIVES. Expect to learn:
     - Fundamentals of APK code injection
     - How to use tools like Smali/Baksmali
     - Better practices in Android forensics
     © 2012 Apkudo Inc. Confidential www.apkudo.com
  4. APK HACKING: Approach
     1. Extract the APK and disassemble classes.dex using baksmali
     2. Isolate the target resources (e.g., the Scramble With Friends words list)
     3. Patch the APK to receive the resource, serialize it, and transmit it to the host
     4. Reassemble
     [Diagram: disassemble (baksmali) to .smali, static analysis and code injection on the .smali, reassemble (smali)]
  5. CODE INJECTION BEST PRACTICES
     - You don't need to be a Dalvik byte code pro
     - Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
     - Stick to public static methods in Dalvik byte code which have no register dependencies
     - Note: this hack is achieved by inserting only two lines of manual Dalvik byte code
  6. SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
     - Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
     - Smali re-assembles .smali files back into a .dex Dalvik executable
     - Gives developers the ability to modify execution without having access to source code
     - Documentation on Smali/Baksmali and Dalvik in the Smali wiki: http://code.google.com/p/smali/w/list
  7. RESOURCE SERIALIZATION AND TRANSMISSION: ROMAIN GUY'S VIEWSERVER
     [Diagram: the app's onCreate() and addWindow() calls feed ViewServer, which runs on the Android OS; the host reaches it at localhost:4939 over an ADB-forwarded port]
  8. STEP 1: DECOMPRESS AND DISASSEMBLE
     - Extract classes.dex and remove the old signature (keys in META-INF):
         unzip scramble.apk
         rm -r ./META-INF
     - Disassemble:
         baksmali -a 10 -d <framework_path> ./classes.dex
       -a = api-level
       -d = bootclasspath dir (e.g., out/target/product/generic/system/framework)
  9. STEP 2: ANDROID FORENSICS
     - Find the words list... how?
     - Beat obfuscation!
       - Search for class types and log messages
       - Find the intersection of the two
     - Insert your own log statements:
         invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
         move-result-object v2
         invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
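The "intersection of class types and log messages" search from this slide, as an added example that is not from the talk: a small Python scan over baksmali output (a constructed two-class sample is embedded inline) that lists the classes which both reference a given type descriptor and log a string containing a keyword. Obfuscation renames classes and fields, but it cannot rename framework type descriptors or string literals, which is why the intersection survives it.

```python
import re
from typing import Dict, List, Set

# Constructed sample of two disassembled classes standing in for an obfuscated
# app's baksmali output (not from the talk). Only "fu" both holds a
# java.util.List field and logs a message mentioning words.
SAMPLE_SMALI: Dict[str, str] = {
    "a.smali": """.class public La;
.super Ljava/lang/Object;
.field private b:Ljava/util/List;
.method public c()V
    .locals 2
    const-string v0, "net"
    const-string v1, "fetching leaderboard"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
    "fu.smali": """.class public Lfu;
.super Ljava/lang/Object;
.field private a:Ljava/util/List;
.method public b()V
    .locals 2
    const-string v0, "scramble"
    const-string v1, "loaded words list"
    invoke-static {v0, v1}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}

TYPE_RE = re.compile(r"L[\w/$]+;")  # Dalvik class descriptors, e.g. Ljava/util/List;
STRING_RE = re.compile(r'const-string(?:/jumbo)? v\d+, "((?:[^"\\]|\\.)*)"')

def classes_using_type(smali: Dict[str, str], type_desc: str) -> Set[str]:
    """Files whose field, method or instruction descriptors mention type_desc."""
    return {name for name, body in smali.items() if type_desc in TYPE_RE.findall(body)}

def classes_logging(smali: Dict[str, str], keyword: str) -> Set[str]:
    """Files with a string literal containing keyword (case-insensitive)."""
    key = keyword.lower()
    return {name for name, body in smali.items()
            if any(key in s.lower() for s in STRING_RE.findall(body))}

def candidate_classes(smali: Dict[str, str], type_desc: str, keyword: str) -> List[str]:
    """The slide's intersection: classes that use the type AND log about it."""
    return sorted(classes_using_type(smali, type_desc) & classes_logging(smali, keyword))
```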
  10. STEP 3: INJECT VIEWSERVER INTO APP
     - Resource located! Now we need to send it...
     - Apply a patch to ViewServer that stores the list:
         public static void setScrambleWordList(List list);
     - Build the patched ViewServer, extract its .smali files
     - Copy the smali files into our application
     - Easy enough, right?
  11. STEP 4: PATCH APP TO USE VIEWSERVER API
     - Start the ViewServer in the onCreate() method of MainActivity.smali
       Java: ViewServer.get()
       Smali:
         invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
     - Pass the list to ViewServer in fu.smali
       Java: ViewServer.setScrambleWordList(list)
       Smali:
         invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
  12. STEP 5: REBUILD APK
     - Re-assemble:
         smali -a 10 ./out -o classes.dex
     - Re-compress:
         zip -z0 -r ../scramble.apk ./*
     - Sign APK:
         jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
  13. STEP 6: INSTALL AND COMMUNICATE WITH APP
     - Install:
         adb install -r ../scramble.apk
     - Forward port:
         adb forward tcp:4939 tcp:4939
     - Communicate:
         nc -l 127.0.0.1 (listen)
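Steps 3 and 4 as a scripted smali patch, an added example that is not the talk's code: it places the register-free ViewServer.get() call directly after the super onCreate() call in a constructed MainActivity.smali (hypothetical class name Lcom/example/game/MainActivity;), refuses to auto-place calls that depend on host registers (such as the setScrambleWordList call that needs v2), and counts calls into the foreign ViewServer class, which is the check a reviewer runs to spot a repackaged APK.

```python
import re

# Constructed MainActivity.smali fragment (hypothetical class name, not from the game).
MAIN_ACTIVITY_SMALI = """.class public Lcom/example/game/MainActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/game/MainActivity;->setContentView(I)V
    return-void
.end method
"""
VIEWSERVER_GET = ("invoke-static {}, Lcom/android/debug/hv/ViewServer;"
                  "->get()Lcom/android/debug/hv/ViewServer;")
REGS_RE = re.compile(r"^\s*invoke-static\s*\{([^}]*)\}")

def register_free(instr: str) -> bool:
    """Slide 5 rule: an injected static call should need no registers of the host method."""
    m = REGS_RE.match(instr)
    return bool(m) and m.group(1).strip() == ""

def inject_after_super_oncreate(smali: str, instr: str) -> str:
    """Insert instr right after invoke-super ...->onCreate() inside the onCreate method."""
    if not register_free(instr):
        raise ValueError("only register-free calls are placed automatically")
    out, in_oncreate, done = [], False, False
    for line in smali.splitlines():
        out.append(line)
        if line.startswith(".method") and "onCreate(" in line:
            in_oncreate = True
        elif line.startswith(".end method"):
            in_oncreate = False
        elif (in_oncreate and not done and line.lstrip().startswith("invoke-super")
              and "->onCreate(" in line):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(indent + instr)  # same indentation as the surrounding code
            done = True
    if not done:
        raise ValueError("no invoke-super onCreate() found to anchor the patch")
    return "\n".join(out) + "\n"

def count_viewserver_calls(smali: str) -> int:
    """Reviewer's check on a repackaged APK: calls into a class the original never shipped."""
    return smali.count("Lcom/android/debug/hv/ViewServer;->")
```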
  14. APE: INTELLIGENT ANDROID INSTRUMENTATION
     - Fully aware of the application's content
     - Invokes actions and makes decisions based on what it sees
     - Optimized and extended Romain's ViewServer:
       - Transmits view data after each invoked action
       - Introspects on OpenGL
     - Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
  15. Thank you. @davtbaum DAVID@ .COM
