SlideShare a Scribd company logo
Introduction to
mobile reversing
         tora@pandas.es
   jose.duart@zynamics.com
Who are you?

• Reverse engineer since late 90s
 •   Malware analysis, binary auditing and behaviour
     analysis

• Mobile and embedded systems
  reversing as a hobby
• Working at Zynamics GmbH
Summary
• Windows Mobile
• Android
 •   Dalvik VM

 •   Decompilation

• iPhone
 •   AppStore DRM

 •   Reversing Objective-C code
Why mobile reversing?
• Few years ago:
 •   Lots of java-based mobileOS

 •   Only Symbian and PalmOS were “interesting”

     •   But not much development community

     •   First? mobile malware developed for Symbian,
         codename Caribe/Cabir, author Vallez/29A

• Now:
 •   Android, iPhoneOS, Windows Mobile, Bada...
Why mobile reversing?
• More SDK’s, more developers... more
  interesting stuff
Why mobile reversing?
• ... and evil stuff
Windows Mobile
  Reversing a banking app: BBVA
WM: First Steps

• Executable file format: PE
• Architecture: ARM
• Language: C++
• API: Windows-like
WM: Target

• Spanish “banking app”: BBVA
• https://www.bbva.es/TLBS/
  BBVA_MobiDesc.htm
• Versions for Java, RIM, Windows
  Mobile, iPhone and Android
WM: Analysis
WM: Thoughts
• ARM can look a bit hard at first, but is
  much easier than x86!!
• The API is a piece of cake for people
  with experience in Windows XP/Vista
  development/reversing.
• Easy to debug the targets, emulate the
  OS and patch apps.
Google Android
 Reversing a banking app: Wells Fargo
Android: First Steps

• Architecture: ARM
• API: Dalvik VM based
• Two ways of delevolment (SDK/NDK)
 •   Executable file format: Dex/ELF

 •   Language: Java/C++
Android: First Steps
Android: First Steps
Android: First Steps
              Android                   Java
 Source          .java                  .java

 Binary          .dex                  .class
 Binary
                .odex                   N/A
Optimized
Packages          .apk                   .jar
Reversing   DeDexer, Baksmali,       JAD, DJ Java
  Tools       DeoDexerant        Decompiler, JD-GUI...
Android: Analysis
• Sample code
Android: Analysis
    • DeDexer way
.method public onCreate(Landroid/os/Bundle;)V
.limit registers 4
; this: v2 (Lcom/example/android/helloactivity/HelloActivity;)
; parameter[0] : v3 (Landroid/os/Bundle;)
.line 36
         invoke-super    {v2,v3},android/app/Activity/
onCreate    ; onCreate(Landroid/os/Bundle;)V
.line 40
         const/high16    v1,32514
         invoke-virtual {v2,v1},com/example/android/
helloactivity/HelloActivity/setContentView ; setContentView
(I)V
Android: Analysis
     • Baksmali way
.method public onCreate(Landroid/os/Bundle;)V
    .registers 4
    .parameter "savedInstanceState"

    .prologue
    .line 36
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate
(Landroid/os/Bundle;)V

    .line 40
    const/high16 v1, 0x7f02

    invoke-virtual {p0, v1}, Lcom/example/android/
helloactivity/HelloActivity;->setContentView(I)V
Android: Target


• US banking app: Wells Fargo
• Downloaded from androlib.com
• Also available for iPhone
Android: Analysis II
.class public Ldroidheaven/app/wellsfargo/Main;
.super Landroid/app/Activity;
.source "Main.java"



# annotations
.annotation system Ldalvik/annotation/MemberClasses;
    value = {
        Ldroidheaven/app/wellsfargo/Main$HelloWebViewClient;
    }
.end annotation


# instance fields
.field webview:Landroid/webkit/WebView;
Android: Thoughts

• Decompilers are not ready yet
 •   In the future, it will be similar to Java-reversing

• Free emulator:
 •   It’s possible to install apk’s

 •   No access to Android Market :(
Apple iPhone
Reversing a banking app: HanaBank
iPhone: First Steps

• Executable file format: Mach-O
• Architecture: ARM
• Language: Objective-C
• API: iPhone SDK Framework and libc
iPhone: First Steps
• Apps come in IPA packages
 •   ZIP files with executables and resources
     (images, package info, config files...)

• iPhone Simulator works with i386
• Tricky to setup a debug environment
 •   enable ssh access

 •   iphonedbg/gdb
iPhone: First Steps
• AppStore
 •   Apps are encrypted, iPhone Mach-O loader is in
     charge of decryption

 •   GDB and a little understanding of Mach-O
     headers (otool) can help

• Objective-C
 •   80% calls to msgSend() == lots of fun :)
iPhone: First Steps




                        Typical
                      objective-C
                       callgraph
iPhone: First Steps




                Callgraph after script
              (in blue new “msg” subs)
iPhone: Target


• Korean banking app: HanaBank
• Downloaded from AppStore
iPhone: Analysis


• Removing AppStore encryption
• Playing with FLIRT signatures
• Reversing Objective-C code
iPhone: Thoughts
• AppStore DRM is not a big problem
• Objective-C can be quite painful
• Debug using GDB:
 •   Well known tool, but you need delevoper
     account or a jailbroken device.

• Simulator is not useful for reversing
Questions?

             !!!

More Related Content

What's hot

A Taste of Pharo 7.0
A Taste of Pharo 7.0A Taste of Pharo 7.0
A Taste of Pharo 7.0
ESUG
 

What's hot (20)

The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
TypeScript - Silver Bullet for the Full-stack Developers
TypeScript - Silver Bullet for the Full-stack DevelopersTypeScript - Silver Bullet for the Full-stack Developers
TypeScript - Silver Bullet for the Full-stack Developers
 
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
 
Core Java Tutorial
Core Java TutorialCore Java Tutorial
Core Java Tutorial
 
TypeScript Best Practices
TypeScript Best PracticesTypeScript Best Practices
TypeScript Best Practices
 
TypeScript Modules
TypeScript ModulesTypeScript Modules
TypeScript Modules
 
Old code doesn't stink
Old code doesn't stinkOld code doesn't stink
Old code doesn't stink
 
"Architecting and testing large iOS apps: lessons from Facebook". Adam Ernst,...
"Architecting and testing large iOS apps: lessons from Facebook". Adam Ernst,..."Architecting and testing large iOS apps: lessons from Facebook". Adam Ernst,...
"Architecting and testing large iOS apps: lessons from Facebook". Adam Ernst,...
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
 
AngularConf2015
AngularConf2015AngularConf2015
AngularConf2015
 
Effective Java, Third Edition - Keepin' it Effective
Effective Java, Third Edition - Keepin' it EffectiveEffective Java, Third Edition - Keepin' it Effective
Effective Java, Third Edition - Keepin' it Effective
 
Introduction to TypeScript by Winston Levi
Introduction to TypeScript by Winston LeviIntroduction to TypeScript by Winston Levi
Introduction to TypeScript by Winston Levi
 
C# Security Testing and Debugging
C# Security Testing and DebuggingC# Security Testing and Debugging
C# Security Testing and Debugging
 
TypeScript 101
TypeScript 101TypeScript 101
TypeScript 101
 
TypeScript: coding JavaScript without the pain
TypeScript: coding JavaScript without the painTypeScript: coding JavaScript without the pain
TypeScript: coding JavaScript without the pain
 
ITT 2014 - Niklas Therning - Truly Native Java Apps on iOS with RoboVM
ITT 2014 - Niklas Therning - Truly Native Java Apps on iOS with RoboVMITT 2014 - Niklas Therning - Truly Native Java Apps on iOS with RoboVM
ITT 2014 - Niklas Therning - Truly Native Java Apps on iOS with RoboVM
 
Francesco Strazzullo - Frameworkless Frontend Development - Codemotion Milan ...
Francesco Strazzullo - Frameworkless Frontend Development - Codemotion Milan ...Francesco Strazzullo - Frameworkless Frontend Development - Codemotion Milan ...
Francesco Strazzullo - Frameworkless Frontend Development - Codemotion Milan ...
 
CC-Castle; The best Real-Time/Embedded/HighTech language EVER?
CC-Castle; The best Real-Time/Embedded/HighTech language EVER?CC-Castle; The best Real-Time/Embedded/HighTech language EVER?
CC-Castle; The best Real-Time/Embedded/HighTech language EVER?
 
A Taste of Pharo 7.0
A Taste of Pharo 7.0A Taste of Pharo 7.0
A Taste of Pharo 7.0
 

Similar to Introduction to mobile reversing

Building Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGap
Building Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGapBuilding Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGap
Building Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGap
Nick Landry
 

Similar to Introduction to mobile reversing (20)

Android - Anroid Pproject
Android - Anroid PprojectAndroid - Anroid Pproject
Android - Anroid Pproject
 
Ember Conf 2016: Building Mobile Apps with Ember
Ember Conf 2016: Building Mobile Apps with EmberEmber Conf 2016: Building Mobile Apps with Ember
Ember Conf 2016: Building Mobile Apps with Ember
 
Mono for Android... for Google Devs
Mono for Android... for Google DevsMono for Android... for Google Devs
Mono for Android... for Google Devs
 
The Great Mobile Debate: Native vs. Hybrid App Development
The Great Mobile Debate: Native vs. Hybrid App DevelopmentThe Great Mobile Debate: Native vs. Hybrid App Development
The Great Mobile Debate: Native vs. Hybrid App Development
 
Building Effective and Rapid Applications with IBM MobileFirst Platform
Building Effective and Rapid Applications with IBM MobileFirst PlatformBuilding Effective and Rapid Applications with IBM MobileFirst Platform
Building Effective and Rapid Applications with IBM MobileFirst Platform
 
Xamarin v.Now
Xamarin v.NowXamarin v.Now
Xamarin v.Now
 
Introduction to android
Introduction to androidIntroduction to android
Introduction to android
 
Talk (2)
Talk (2)Talk (2)
Talk (2)
 
Building Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGap
Building Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGapBuilding Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGap
Building Mobile Cross-Platform Apps with HTML5, jQuery Mobile & PhoneGap
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
Rapid Prototyping with Cordova aka Phonegap
Rapid Prototyping with Cordova aka PhonegapRapid Prototyping with Cordova aka Phonegap
Rapid Prototyping with Cordova aka Phonegap
 
[2015/2016] Apache Cordova
[2015/2016] Apache Cordova[2015/2016] Apache Cordova
[2015/2016] Apache Cordova
 
NCDevCon 2017 - Cross Platform Mobile Apps
NCDevCon 2017 - Cross Platform Mobile AppsNCDevCon 2017 - Cross Platform Mobile Apps
NCDevCon 2017 - Cross Platform Mobile Apps
 
Android Development: The Basics
Android Development: The BasicsAndroid Development: The Basics
Android Development: The Basics
 
Future of Mobile
Future of MobileFuture of Mobile
Future of Mobile
 
Developing a native mobile apps using Ionic&Cordova
Developing a native mobile apps using Ionic&CordovaDeveloping a native mobile apps using Ionic&Cordova
Developing a native mobile apps using Ionic&Cordova
 
Mobile Vue.js – From PWA to Native
Mobile Vue.js – From PWA to NativeMobile Vue.js – From PWA to Native
Mobile Vue.js – From PWA to Native
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
Android complete basic Guide
Android complete basic GuideAndroid complete basic Guide
Android complete basic Guide
 
Domo Arigato Mr. Roboto - Open Source Bridge 2009
Domo Arigato Mr. Roboto - Open Source Bridge 2009Domo Arigato Mr. Roboto - Open Source Bridge 2009
Domo Arigato Mr. Roboto - Open Source Bridge 2009
 

More from zynamics GmbH (9)

How to really obfuscate your pdf malware
How to really obfuscate   your pdf malwareHow to really obfuscate   your pdf malware
How to really obfuscate your pdf malware
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)
 
Uni mannheim debuggers
Uni mannheim debuggersUni mannheim debuggers
Uni mannheim debuggers
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
Inbot10 vxclass
Inbot10 vxclassInbot10 vxclass
Inbot10 vxclass
 
ShaREing is Caring
ShaREing is CaringShaREing is Caring
ShaREing is Caring
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Formale Methoden im Reverse Engineering
Formale Methoden im Reverse EngineeringFormale Methoden im Reverse Engineering
Formale Methoden im Reverse Engineering
 

Introduction to mobile reversing

  • 1. Introduction to mobile reversing tora@pandas.es jose.duart@zynamics.com
  • 2. Who are you? • Reverse engineer since late 90s • Malware analysis, binary auditing and behaviour analysis • Mobile and embedded systems reversing as a hobby • Working at Zynamics GmbH
  • 3. Summary • Windows Mobile • Android • Dalvik VM • Decompilation • iPhone • AppStore DRM • Reversing Objective-C code
  • 4. Why mobile reversing? • Few years ago: • Lots of java-based mobileOS • Only Symbian and PalmOS were “interesting” • But not much development community • First? mobile malware developed for Symbian, codename Caribe/Cabir, author Vallez/29A • Now: • Android, iPhoneOS, Windows Mobile, Bada...
  • 5. Why mobile reversing? • More SDK’s, more developers... more interesting stuff
  • 6. Why mobile reversing? • ... and evil stuff
  • 7. Windows Mobile Reversing a banking app: BBVA
  • 8. WM: First Steps • Executable file format: PE • Architecture: ARM • Language: C++ • API: Windows-like
  • 9. WM: Target • Spanish “banking app”: BBVA • https://www.bbva.es/TLBS/ BBVA_MobiDesc.htm • Versions for Java, RIM, Windows Mobile, iPhone and Android
  • 11. WM: Thoughts • ARM can look a bit hard at first, but is much easier than x86!! • The API is a piece of cake for people with experience in Windows XP/Vista development/reversing. • Easy to debug the targets, emulate the OS and patch apps.
  • 12. Google Android Reversing a banking app: Wells Fargo
  • 13. Android: First Steps • Architecture: ARM • API: Dalvik VM based • Two ways of delevolment (SDK/NDK) • Executable file format: Dex/ELF • Language: Java/C++
  • 16. Android: First Steps Android Java Source .java .java Binary .dex .class Binary .odex N/A Optimized Packages .apk .jar Reversing DeDexer, Baksmali, JAD, DJ Java Tools DeoDexerant Decompiler, JD-GUI...
  • 18. Android: Analysis • DeDexer way .method public onCreate(Landroid/os/Bundle;)V .limit registers 4 ; this: v2 (Lcom/example/android/helloactivity/HelloActivity;) ; parameter[0] : v3 (Landroid/os/Bundle;) .line 36 invoke-super {v2,v3},android/app/Activity/ onCreate ; onCreate(Landroid/os/Bundle;)V .line 40 const/high16 v1,32514 invoke-virtual {v2,v1},com/example/android/ helloactivity/HelloActivity/setContentView ; setContentView (I)V
  • 19. Android: Analysis • Baksmali way .method public onCreate(Landroid/os/Bundle;)V .registers 4 .parameter "savedInstanceState" .prologue .line 36 invoke-super {p0, p1}, Landroid/app/Activity;->onCreate (Landroid/os/Bundle;)V .line 40 const/high16 v1, 0x7f02 invoke-virtual {p0, v1}, Lcom/example/android/ helloactivity/HelloActivity;->setContentView(I)V
  • 20. Android: Target • US banking app: Wells Fargo • Downloaded from androlib.com • Also available for iPhone
  • 21. Android: Analysis II .class public Ldroidheaven/app/wellsfargo/Main; .super Landroid/app/Activity; .source "Main.java" # annotations .annotation system Ldalvik/annotation/MemberClasses; value = { Ldroidheaven/app/wellsfargo/Main$HelloWebViewClient; } .end annotation # instance fields .field webview:Landroid/webkit/WebView;
  • 22. Android: Thoughts • Decompilers are not ready yet • In the future, it will be similar to Java-reversing • Free emulator: • It’s possible to install apk’s • No access to Android Market :(
  • 23. Apple iPhone Reversing a banking app: HanaBank
  • 24. iPhone: First Steps • Executable file format: Mach-O • Architecture: ARM • Language: Objective-C • API: iPhone SDK Framework and libc
  • 25. iPhone: First Steps • Apps come in IPA packages • ZIP files with executables and resources (images, package info, config files...) • iPhone Simulator works with i386 • Tricky to setup a debug environment • enable ssh access • iphonedbg/gdb
  • 26. iPhone: First Steps • AppStore • Apps are encrypted, iPhone Mach-O loader is in charge of decryption • GDB and a little understanding of Mach-O headers (otool) can help • Objective-C • 80% calls to msgSend() == lots of fun :)
  • 27. iPhone: First Steps Typical objective-C callgraph
  • 28. iPhone: First Steps Callgraph after script (in blue new “msg” subs)
  • 29. iPhone: Target • Korean banking app: HanaBank • Downloaded from AppStore
  • 30. iPhone: Analysis • Removing AppStore encryption • Playing with FLIRT signatures • Reversing Objective-C code
  • 31. iPhone: Thoughts • AppStore DRM is not a big problem • Objective-C can be quite painful • Debug using GDB: • Well known tool, but you need delevoper account or a jailbroken device. • Simulator is not useful for reversing
  • 32. Questions? !!!