Speaker note (slide 8, THE APK): META-INF contains keys.
Slide 1: HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
David Teitelbaum, @davtbaum, December 2012

Slide 2: OBJECTIVES
Expect to learn:
- Android app disassembly
- Fundamentals of code injection
- Smali/Baksmali and reading Dalvik byte code
- Best practices in hardening your apps
© 2012 Apkudo Inc. Confidential www.apkudo.com

Slide 3: ROADMAP
Part I - Class:
- Approach to hacking
- Tools: apktool, baksmali, smali
- The APK
- All things byte code
Part II - Demo/Hack:
- Scramble With Friends deep dive
- App disassembly and analysis
- Code injection with ViewServer
- Resource transmission
- Recap

Slide 4: PART I - CLASS

Slide 5: APK HACKING - Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Static analysis: what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK
[Diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)]

Slide 6: CODE INJECTION - Best Practices
- You don't need to be a Dalvik byte code pro!
- Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
- Stick to public static methods in Dalvik byte code, which have no register dependencies.
- Let the compiler do the work: the demo hack is achieved by inserting only two lines of manual Dalvik byte code!

Slide 7: TOOLS - You'll need...
- Access to a terminal environment (preferably Linux or Mac OS X)
- Android SDK
- keytool and jarsigner
- Smali/Baksmali - http://code.google.com/p/smali/
- Apktool - http://code.google.com/p/android-apktool/
- Editor of choice (emacs!)

Slide 8: THE APK - A container for your app
Zipped file formatted based on JAR:
    META-INF/
    AndroidManifest.xml
    classes.dex
    lib/
    res/
    resources.arsc

Slide 9: SMALI/BAKSMALI - Dalvik Assembler/Disassembler
- Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
- Smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify execution of an APK without having access to source code

Slide 10: EXAMPLES - baksmali
    $ unzip foobar.apk -d foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  res  resources.arsc  lib
    $ baksmali -a 10 -d ~/boot_class_path classes.dex
(-a: API level; -d: boot class path; last argument: the dex file)

Slide 11: EXAMPLES - smali
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  res  resources.arsc  lib  out
    $ smali -a 10 ./out -o classes.dex
    $ zip -r ~/hacked.apk ./*
(-a: API level; -o: output dex file; -r: recursive)

Slide 12: AAPT - Android Asset Packaging Tool
- Builds/dumps package information
- Same tool that packages APKs
- Decompresses xml resources
- Dumps permissions, application info.

Slide 13: EXAMPLES - aapt
    $ aapt dump badging ~/foobar.apk
    $ aapt dump xmltree ~/foobar.apk AndroidManifest.xml
    $ aapt dump xmlstrings ~/foobar.apk AndroidManifest.xml
(the last argument to xmltree/xmlstrings names the resource inside the APK)

Slide 14: APKTOOL - All in one reverser
- Wraps smali/baksmali and the Android asset packaging tool (aapt)
- Decodes resources and decompresses xml
- Great for manifest introspection
- Buggy :/

Slide 15: EXAMPLES - apktool
    $ apktool d foobar.apk foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  apktool.yml  assets  res  smali
    $ cd ../
    $ apktool b ./foobar
(d = decode, with the out directory as second argument; b = build)

Slide 16: EXAMPLES - keytool and jarsigner
    $ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
    $ jarsigner -keystore ~/.keystore ./foobar.apk default
(the last jarsigner argument is the key alias)

Slide 17: TOOLS - Questions?

Slide 18: SMALI FILES - class representation in byte code
    .class public Lcom/apkudo/util/Serializer;
    .super Ljava/lang/Object;
    .source "Serializer.java"

    # static fields
    .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

    # direct methods
    .method public constructor <init>()V
        .registers 1
        .prologue
        .line 5
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V
        return-void
    .end method
(annotations: class information; static fields; methods, which are either direct or virtual)

Slide 19: SYNTAX - types
    .method private doSomething()V
    V  void
    Z  boolean
    B  byte
    S  short
    C  char
    F  float
    I  int
    J  long (64 bit - special instructions)
    D  double
    [  array

Slide 20: SYNTAX - classes
    Lcom/apkudo/util/Serializer;
• full name space, slash separated
• prefixed with L
• suffixed with ;
    const-string v0, "ApkudoUtils"
    new-instance v1, Ljava/lang/StringBuilder;
    invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
    const-string v2, "docId: ["
    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v1

Slide 21: SYNTAX - methods
Method definitions: .method <keyword> <name>(<param>)<return type>
    .method private doSomething()V
Method invocations:
- invoke-static: any method that is static
- invoke-virtual: any method that isn't private, static, or final
- invoke-direct: any non-static direct method
- invoke-super: any superclass's virtual method
- invoke-interface: invoke an interface method

Slide 22: SYNTAX - methods
    .method private doSomething()V
    (keyword, method name, parameters/return type)
    .method private delayedAnimationFrame(J)Z
        .registers 8
        .parameter "currentTime"

    # Static invocation
    invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
    # Virtual invocation
    invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V

Slide 23: SYNTAX - Registers
    .locals 16
    .registers 18
All registers are 32 bits.
Declaration:
- .registers: total number of registers
- .locals: total minus method parameter registers
Naming scheme:
- P registers: parameter registers; implicit p0 = 'this' instance
- V registers: local registers
P registers are always at the end of the register list.

Slide 24: SYNTAX - Register Example
    .method public onCreate()V
        .registers 7
    v0  first local register
    v1  second local register
    v2 ... v5  further local registers
    v6  p0  first param: 'this'   (p0 == v6)

Slide 25: SYNTAX - Register Example 2
    .method public doIt(Ljava/lang/String;II)V
        .registers 7
    v0  first local register
    v1  second local register
    v2  third local register
    v3  p0  'this'      (p0 == v3)
    v4  p1  String      (p1 == v4)
    v5  p2  int         (p2 == v5)
    v6  p3  int         (p3 == v6)

Slide 26: SYNTAX - Register Example 3
    .method public doIt(JI)V
        .registers 7     # hint, J == long
    v0  first local register
    v1  second local register
    v2  third local register
Quiz: for each of v3, v4, v5 and v6, is it A) a fourth local register? B) the this instance? C) the long? D) the int?
Answer:
    v3  p0  'this' instance
    v4  p1  long
    v5  p2  long
    v6  p3  int
(the 64-bit long spans two 32-bit registers, p1 and p2, so the int lands in p3)
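Register Examples 1 to 3 all follow the same rule: parameters sit at the end of the register file, so the first p register is .registers minus the number of parameter registers, and a long or double takes two adjacent registers. The Python below, added here as a worked example (it is not code from the deck), parses a smali method descriptor and prints the p-to-v mapping; it generalizes the three slides to array and class parameters and to static methods, which have no implicit this. The function names (`parse_params`, `register_layout`, `describe`) are mine.

```python
"""Map Dalvik parameter registers (pN) to the local registers (vN) they alias.

Added worked example for the register slides; not part of the original deck.
Rule shown on the slides: .registers is the total; parameters sit at the END of
the register file, so the first p register is .registers minus the number of
parameter registers; a long (J) or double (D) is 64 bits and takes two registers.
"""
import re

WIDE_TYPES = {"J", "D"}  # 64-bit primitives occupy a register pair


def parse_params(descriptor):
    """Split the parameter list of a method descriptor into type descriptors.

    '(Ljava/lang/String;II)V' -> ['Ljava/lang/String;', 'I', 'I']
    Handles primitives, class types (L...;) and arrays ([ prefixes).
    """
    m = re.fullmatch(r"\((.*)\)(\[*(?:L[^;]+;|[VZBSCFIJD]))", descriptor)
    if not m:
        raise ValueError("bad method descriptor: %r" % descriptor)
    params_str = m.group(1)
    params, i = [], 0
    while i < len(params_str):
        start = i
        while params_str[i] == "[":          # array dimensions
            i += 1
        if params_str[i] == "L":             # class type runs to the ';'
            i = params_str.index(";", i) + 1
        elif params_str[i] in "ZBSCFIJD":    # single-letter primitive
            i += 1
        else:
            raise ValueError("bad type at %d in %r" % (start, params_str))
        params.append(params_str[start:i])
    return params


def register_layout(descriptor, registers, is_static=False):
    """Return (locals_count, mapping); mapping is a list of (pN, vN, meaning)."""
    slots = [] if is_static else [("this", 1)]     # implicit p0 for instance methods
    for p in parse_params(descriptor):
        slots.append((p, 2 if p in WIDE_TYPES else 1))
    param_regs = sum(width for _, width in slots)
    if param_regs > registers:
        raise ValueError(".registers %d cannot hold %d parameter registers"
                         % (registers, param_regs))
    locals_count = registers - param_regs        # what .locals would declare
    mapping, v, p = [], locals_count, 0
    for meaning, width in slots:
        for half in range(width):
            label = meaning if width == 1 else "%s (%s half)" % (
                meaning, "low" if half == 0 else "high")
            mapping.append(("p%d" % p, "v%d" % v, label))
            p += 1
            v += 1
    return locals_count, mapping


def describe(descriptor, registers, is_static=False):
    """Human-readable table in the style of the slides' register examples."""
    locals_count, mapping = register_layout(descriptor, registers, is_static)
    lines = ["v%d  local register" % i for i in range(locals_count)]
    lines += ["%s  %s  %s" % (v, p, meaning) for p, v, meaning in mapping]
    return "\n".join(lines)


if __name__ == "__main__":
    for sig in ("()V", "(Ljava/lang/String;II)V", "(JI)V"):
        print(".method public doIt%s  .registers 7" % sig)
        print(describe(sig, 7))
        print()
```

Run stand-alone it prints the three tables from slides 24 to 26; for `(JI)V` with `.registers 7` the long shows up as p1/p2 in v4/v5 and the int as p3 in v6, which is the quiz answer.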
Slide 27: SYNTAX - jumping
    .method public doIt(JI)V
        .registers 7
        ...
        goto :goto_31
        ...
        :goto_31
        return-void
Jumps: goto <offset>

Slide 28: SYNTAX - conditionals
    .method public foobar()V
        .registers 2
        const/4 v0, 0x0
        if-eqz v0, :cond_6
        return-void
        :cond_6
        # Do something
        return-void
    .end method
Conditionals: if-eq, if-ne, if-le, if-lt, if-ge, if-gt; add z for a comparison against zero (if-eqz, if-nez, ...).

Slide 29: PUTTING IT ALL TOGETHER - Example: Java
    package com.google.android.finsky;

    import android.app.Application;
    import android.accounts.Account;

    public class FinskyApp extends Application {
        Account mCurrentAccount;
        ...
        public String getCurrentAccountName() {
            if (mCurrentAccount != null) {
                return mCurrentAccount.name;
            } else {
                return null;
            }
        }
    }

Slide 30: PUTTING IT ALL TOGETHER - Same example: smali
    .method public getCurrentAccountName()Ljava/lang/String;
        .registers 2
        .prologue
        .line 617
        iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
        if-nez v0, :cond_6
        const/4 v0, 0x0
        :goto_5
        return-object v0
        :cond_6
        iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
        goto :goto_5
    .end method
Registers: v0 is the first local register; v1 is p0, the 'this' instance.
The first iget-object reads this field (mCurrentAccount), of this type (Landroid/accounts/Account;), into this register (v0).

Slide 31: ONE FINAL STEP - Obfuscation!
• Renames classes, class members and methods
• Preserves OS entry points and java namespace classes
• Slows down the static analysis process
• Not a silver bullet, but an easy first line of defense
    iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
    invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;

Slide 32: BYTECODE - Questions?

Slide 33: PART II - DEMO

Slide 34: (image only)

Slide 35: HACKING SCRAMBLE - Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Patch APK to receive resource, serialize, and transmit to host
4. Reassemble classes.dex (smali) and rezip APK
[Diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)]

Slide 36: RESOURCE SERIALIZATION AND TRANSMISSION - Romain Guy's ViewServer
[Diagram: app onCreate() ... addWindow() -> ViewServer -> localhost:4939, on the Android OS]

Slide 37: STEP 1 - DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove keys:
    unzip scramble.apk
    rm -r ./META-INF
Disassemble:
    baksmali -a 10 -d <framework_path> ./classes.dex
    -a = api-level
    -d = bootclasspath dir, e.g. out/target/product/generic/system/framework
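Slide 8 describes the APK as a JAR-style zip, and Step 1 removes META-INF (the signature files) before rebuilding. The Python below, added as an example and not code from the deck, does the same inspection on a constructed APK-shaped archive: it lists the members, reports whether signature files are present, parses the classes.dex header (magic and version, plus the Adler-32 checksum and SHA-1 that the dex format stores in its first 32 bytes and that any reassembled dex must carry correctly), and performs the META-INF strip at zip level. The archive, the dex image and all function names are constructed for the example.

```python
"""Inspect an APK container and the classes.dex header it carries.

Added example for the THE APK slide and Step 1 (unzip, rm -r META-INF); not part
of the deck.  The APK and dex bytes are constructed below so the script runs offline.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")   # JAR signature block / signature files


def dex_header_info(dex):
    """Parse the fixed dex header and verify the two integrity fields it stores.

    Layout: magic 'dex\\n035\\0' (8), adler32 checksum (4), SHA-1 (20),
    file_size (4), header_size (4), endian_tag (4), ...  The checksum covers
    everything after itself (offset 12 onward); the SHA-1 covers offset 32 onward.
    """
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a dex file")
    version = dex[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "version": version,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "sha1_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "file_size_ok": file_size == len(dex),
        "header_size": header_size,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
    }


def inspect_apk(apk_bytes):
    """List members, say whether signature files are present, and check classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        info = {
            "entries": sorted(names),
            "signed": any(n.upper().endswith(SIGNATURE_SUFFIXES) for n in meta),
            "dex": dex_header_info(z.read("classes.dex")) if "classes.dex" in names else None,
        }
    return info


def strip_signature(apk_bytes):
    """Zip-level equivalent of Step 1's `rm -r ./META-INF`: drop the old
    signature so the rebuilt archive can be re-signed with jarsigner."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if not item.filename.startswith("META-INF/"):
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def make_dex(payload):
    """Constructed dex image: header with valid checksum/SHA-1 over an arbitrary body."""
    total = DEX_HEADER_SIZE + len(payload)
    after_hash = struct.pack("<III", total, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    after_hash += b"\x00" * (DEX_HEADER_SIZE - 44) + payload   # remaining header fields zeroed
    sha1 = hashlib.sha1(after_hash).digest()
    checksum = zlib.adler32(sha1 + after_hash) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + sha1 + after_hash


def make_apk(signed=True):
    """Constructed APK-shaped zip with the members the slide lists (contents are dummies)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")   # a real one is binary XML
        z.writestr("classes.dex", make_dex(b"constructed body"))
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"")
        z.writestr("lib/armeabi/libfoo.so", b"\x7fELF")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")  # not a real PKCS#7 blob
    return out.getvalue()


if __name__ == "__main__":
    apk = make_apk()
    print(inspect_apk(apk))
    print(inspect_apk(strip_signature(apk))["entries"])
```

The two header checks are the first thing to run on a dex pulled from a rebuilt or third-party APK: a checksum or SHA-1 mismatch means the file was edited after assembly without rewriting the header, which the Dalvik VM rejects at install time.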
Slide 38: STEP 2 - ANDROID FORENSICS
- apktool dump and inspect AndroidManifest.xml for activities
- Find the words list... how?
  - Beat obfuscation!
  - Search for class types and log messages
  - Find the intersection of the two!
  - Insert your own log statements:
        invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
        move-result-object v2
        invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
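Step 2's "search for class types and log messages, then take the intersection" is a text scan over the disassembled .smali tree, and the same scan is how a release review confirms the recap slide's "remove logs" item was actually done. The Python below, added as an example and not code from the deck, parses a constructed set of obfuscated smali files, records every android.util.Log call per method with its line number, and returns the classes that both reference a target type (here Ljava/util/List;) and log. The sample smali, the class names in it and the function names are all constructed.

```python
"""Scan .smali files for android.util.Log calls and type references.

Added example for Step 2 ('search for class types and log messages, find the
intersection') and the recap's 'remove logs' item; not part of the deck.
The smali below is constructed to look like obfuscated baksmali output.
"""
import re

LOG_CALL = re.compile(r"invoke-static \{[^}]*\}, Landroid/util/Log;->([a-z]+)\(")
TYPE_REF = re.compile(r"L[\w/$]+;")

# Constructed sample: three obfuscated classes, only one touches a List AND logs.
SAMPLE_SMALI = {
    "fu.smali": """\
.class public Lcom/a/b/fu;
.super Ljava/lang/Object;

# instance fields
.field private a:Ljava/util/List;

.method private b()V
    .registers 3
    const-string v1, "WordList"
    iget-object v2, p0, Lcom/a/b/fu;->a:Ljava/util/List;
    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
    "c.smali": """\
.class public Lcom/a/b/c;
.super Ljava/lang/Object;

.field private a:Ljava/util/List;

.method public a()I
    .registers 2
    iget-object v0, p0, Lcom/a/b/c;->a:Ljava/util/List;
    invoke-interface {v0}, Ljava/util/List;->size()I
    move-result v0
    return v0
.end method
""",
    "d.smali": """\
.class public Lcom/a/b/d;
.super Ljava/lang/Object;

.method public c(I)V
    .registers 3
    const-string v0, "Net"
    const-string v1, "request sent"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}


def parse_smali(text):
    """Return the class name, every Log call (method, level, line) and all referenced types."""
    cls, method, log_calls, types = None, None, [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(".class "):
            cls = line.split()[-1]
        elif line.startswith(".method "):
            method = line.split()[-1]          # name(params)return
        elif line == ".end method":
            method = None
        m = LOG_CALL.search(line)
        if m:
            log_calls.append((method, m.group(1), lineno))
        types.update(TYPE_REF.findall(line))
    return {"class": cls, "log_calls": log_calls, "types": types}


def find_intersection(files, target_type):
    """Classes that both reference target_type and call Log: where to read first."""
    hits = []
    for text in files.values():
        info = parse_smali(text)
        if target_type in info["types"] and info["log_calls"]:
            hits.append(info["class"])
    return sorted(hits)


def log_report(files):
    """Every Log call left in the build, as (class, method, level, line)."""
    report = []
    for text in files.values():
        info = parse_smali(text)
        report.extend((info["class"], meth, lvl, ln) for meth, lvl, ln in info["log_calls"])
    return sorted(report)


if __name__ == "__main__":
    print("List + Log:", find_intersection(SAMPLE_SMALI, "Ljava/util/List;"))
    for row in log_report(SAMPLE_SMALI):
        print("%s %s Log.%s line %d" % row)
```

On a real tree, load `files` from the baksmali output directory with a recursive glob for `*.smali`; an empty `log_report` on a release build is the evidence that the "remove logs" step held.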
Slide 39: STEP 3 - INJECT VIEWSERVER INTO APP
Resource located! Now we need to send it...
- Apply a patch to ViewServer that stores the list:
      public static void setScrambleWordList(List list);
- Build the patched ViewServer, extract its .smali files
- Copy the smali files into our application
- Easy enough, right?

Slide 40: STEP 4 - PATCH APP TO USE VIEWSERVER API
Start the ViewServer in the onCreate() method of MainActivity.smali:
    ViewServer.get()
    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
Pass the list to ViewServer in fu.smali:
    ViewServer.setScrambleWordList(list)
    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V

Slide 41: STEP 5 - REBUILD APK
Re-assemble:
    smali -a 10 ./out -o classes.dex
Re-compress:
    zip -z0 -r ../scramble.apk ./*
Sign APK:
    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name

Slide 42: STEP 6 - INSTALL AND COMMUNICATE WITH APP
Install:
    adb install -r ../scramble.apk
Forward port:
    adb forward tcp:4939 tcp:4939
Communicate:
    nc -l 127.0.0.1   (listen)

Slide 43: RECAP - WHAT ZYNGA TEACHES US
- Obfuscate: it's easy and makes things much harder
  - Use ProGuard; it optimizes too!
- Low hanging fruit: remove logs, use reflection
- Design your application with cheaters in mind!
  - Move logic to the cloud
  - Google Play licensing

Slide 44: FINALLY... WHAT ZYNGA TEACHES US

Slide 45: Thank you.
@davtbaum   DAVID@   .COM
