Dancing with dalvik

1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
THOMAS RICHARDS
Dancing with Dalvik

About me
• Thomas Richards
• Security Consultant @ Cigital, Inc
• @g13net - Twitter
• OSCP, GPEN, OSWP
• Developer
o Goofile and Pwnberry Pi
• Organizer for BsidesROC
• Presented before at GrrCON and DerbyCON
• Really enjoy tearing apart Android

Toc
• 0x1 – Intro to Dalvik
• 0x2 – Dalvik Opcode Primer
• 0x3 – Case Studies

0x01 Intro to Dalvik

What is Dalvik?
• A town in Iceland
• A lightweight register-based VM
• Optimized for embedded/mobile
platforms
o Low RAM/CPU

Dalvik optimizations
• Duplicate code is reused within DEX
• 16-bit instruction set that works directly
on local variables
o Lowers instruction count and increased
interpreter speed
• Slimmed down VM to run in less space

Stack vs register based
• Java JVM is Stack Based
o real or emulated computer that uses a pushdown stack rather
than individual machine registers to evaluate each sub-
expression in the program
• Register Based
o Dalvik uses registers as primarily units of data storage instead
of the stack. Google is hoping to accomplish 30 percent fewer
instructions as a result.
• http://stackoverflow.com/questions/2719469/why-is-the-
jvm-stack-based-and-the-dalvik-vm-register-based
• http://en.wikipedia.org/wiki/Stack_machine

Register Vs. Stack Cont.

Getting to dalvik
• Android apps are traditionally written in
Java
• Compiled into Java bytecode then
converted to Dalvik bytecode
• Java class files converted into .dex

Java vs Dalvik

Inside the APK
• AndroidManifest.xml
• Classes.dex
• Res/
• Lib/
• META-INF/

Disassembling classes.dex
• Typical tools
o Apktool
o Baksmali
• The result is several .smali files

Apktool decoding
me@Mentos ~/android/ghost $ apktool d ghost-meter.apk
I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file:
/home/me/apktool/framework/1.apk
I: Loaded.
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Done.
I: Copying assets and libs...

Directories Created

Files created
me@Mentos ~/android/ghost $ ls ghost-
meter/smali/
a.smali c$a.smali c$c.smali
c$e.smali c.smali e.smali g.smali
i.smali k.smali m.smali o.smali
q.smali s.smali u.smali w.smali
b.smali c$b.smali c$d.smali com
d.smali f.smali h.smali j.smali
l.smali n.smali p.smali r.smali
t.smali v.smali x.smali
me@Mentos ~/android/ghost $

Apktool building
me@Mentos ~/android/ghost $ apktool b ghost-
meter/ ghost.apk
I: Checking whether sources has changed...
I: Smaling...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
me@Mentos ~/android/ghost $
• After building you must use jarsigner to sign the APK
before it can be installed!

Signing the APK
• Creating the cert
o keytool -genkey -v -keystore my-release-
key.keystore -alias alias_name -keyalg RSA
-validity 10000
• Signing the APK
o jarsigner -verbose -keystore my-release-
key.keystore GhostMeter.apk alias_name

Cydia Substrate
• Originally on iOS, recently released on
Android.
• Tool for hooking methods within an
application or the system.
• Modify runtime behavior of Android
Application without recompiling code

0x2 Dalvik Opcode Primer

Smali files
• Disassembled DEX files
• Not as scary as x86 ASM
• ASCII representation of Dalvik Opcodes
• Mostly correspond to the original .java
files

Types
V void - can only be used for return types
Z boolean
B byte
S short
C char
I int
J long (64 bits)
F float
D double (64 bits)

Helloworld example
.class public LHelloWorld;
#this is a comment
.super Ljava/lang/Object;
.method public static main([Ljava/lang/String;)V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World!"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
http://code.google.com/p/smali/source/browse/examples/HelloWorld/HelloWorld.sm
ali

Variables
• Registers
o v0, v1, etc.
o Variables defined in the original java code
• Parameters
o p0, p1, etc
o Must be the same as defined by the method
• Both are defined at the beginning of the
method

Example
#this is a comment
.registers 2
invoke-virtual {v0, v1}, Ljava/io/PrintStream;-
>println(Ljava/lang/String;)V
return-void
.end method

Assigning variables
• const
• const-string
• Etc,
• Examples
o const v0, 0x1
o const-string v1, “This is a test”

Example
#this is a comment
.registers 2
return-void
.end method

Calling methods
• invoke-* { parameters }, method-to-call
o Static – static method
o Virtual – virtual method

Example
#this is a comment
.registers 2
return-void
.end method

Conditional statements
• If-* - If statements
o If-eq vx, vy, target – If equal
o If-nez vx, target – If vx is a nonzero
o If-eqz vx, target – If vx is zero
o If-ge vx, vy, target – if vx>=vy
o Etc
• Targets
o Shown as cond_0, cond_1

example
invoke-virtual {v0}, Ljava/lang/Class;-
>desiredAssertionStatus()Z
move-result v0
if-nez v0, :cond_0
.line 100
:cond_0
const/4 v0, 0x0
goto/16 :goto_0

Get/put
• Apps could declare constants.
• Get/Put will retrieve or store values into
those constants
• Examples:
o iput v0, v1, Lcom/greencod/pinball/gameengine/zones/Table0Zone;-
>ZORDER_TABLE:I
o iget v0, v0, Lcom/greencod/pinball/gameengine/xinterface/persistenc
e/Settings;->friction:F

Return
• Unless the method is declared as a void,
it will return a value.
• Return types:
o Return-void
o Return-object
o Return v0

0x3 case studies

Removing ads
• Ads are annoying
• Take up screen realestate
• My 4 yr old mistakenly clicks them
o “Look daddy!”

solitare
• Ad function is called inbetween deals
• Ads are annoying
o Music
o Video
• Disable calling the ads?

Short video showing ad calling

The code
• After an exhaustive search in com/mobilityware/solitare/solitare.smali:
.method public displayAd()V
.locals 1
.prologue
.line 572
iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;-
>adControl:Lcom/mobilityware/solitaire/AdControl;
if-eqz v0, :cond_0
.line 573
invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z
.line 574
:cond_0
return-void
.end method

The code
• After an exhaustive search in com/mobilityware/solitare/solitare.smali:
.method public displayAd()V
.locals 1
.prologue
.line 572
if-eqz v0, :cond_0
.line 573
#invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z
.line 574
:cond_0
return-void
.end method

After the change is made
• Recompile the code and use apktool to
create a new APK
o You will have to sign this with your own cert
• After the APK is created:
o Remove old Solitare APK
o Install new hax0rd one

Short video showing no more ad

chess
• Most apps display the ads at all times
• When the network is disabled, the ads
don’t show
• Can we force this behavior?

Screenshot of chess with ads

Google ads
• Most apps rely on Google’s ad provider
network
• Good for us!
o Code to break this should be the same for
many apps
• How to make it look like there is no network
connectivity?
• Log Entry when Network is disabled
o adRequestWebView was null while
trying to load an ad

The original code
• From com/google/ads/c.smali:
:try_start_0
iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;
if-eqz v0, :cond_0
iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;
if-nez v0, :cond_1
:cond_0
const-string v0, "adRequestWebView was null while trying to load an ad."
invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V
sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;-
>INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode

The modified code
• From com/google/ads/c.smali:
:try_start_0
iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;
const v0, 0x0
if-eqz v0, :cond_0
iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;
if-nez v0, :cond_1
:cond_0
const-string v0, "adRequestWebView was null while trying to load an
ad."
invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V

Screenshot showing no ads

Removing Ads with Cydia
• Write once, use everywhere
• Using reflection, hook a method
• Stop ads from loading

Google Mobile Ads
• Again, very common to see used.
• Plan:
o Hook loadDataWithBaseUrl method
o Render it useless

Cydia Code
MS.hookClassLoad("com.google.ads.internal.AdWebView", new
MS.ClassLoadHook() {
public void classLoaded(Class<?> resources) {
Method loadAd;
try {
loadAd = resources.getMethod("loadDataWithBaseURL", String.class,
String.class, String.class, String.class, String.class);
} catch (NoSuchMethodException d) {
loadAd = null;
}
if (loadAd != null) {
final MS.MethodPointer old = new MS.MethodPointer();
MS.hookMethod(resources, loadAd, new MS.MethodHook() {
public Object invoked(Object _this, Object... args) throws Throwable {
return null;
}
}, old);

Screenshot of App with Ads

Screenshot after Cydia App Installed

Pinball wizard
• How about getting a high score?
• Values are most likely in the source
• Totally impress your friends with l33t
pinball skillz

Picture of game after normal score

The code
.local v12,
scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour;
const/16 v1, 0x2c7
const/16 v3, 0x5aa
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe
haviour;->addScoreMessage(II)V
.line 508
const/16 v1, 0x204
const/16 v3, 0x10fe
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe
haviour;->addScoreMessage(II)V

Altered code
.local v12,
scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour;
const/16 v1, 0x2c7
const/16 v3, 0xfff
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer
Behaviour;->addScoreMessage(II)V
.line 508
const/16 v1, 0x204
const/16 v3, 0xffff
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer
Behaviour;->addScoreMessage(II)V

Picture of new high score

Leaderboard

What now?
• Explore!
• Bypass restrictions?
o Very useful in mobile app assessment

References
• http://pallergabor.uw.hu/androidblog/dalvik_
opcodes.html
• http://code.google.com/p/android-apktool/
• http://code.google.com/p/smali/source/brow
se/examples/HelloWorld/HelloWorld.smali
• http://www.cydiasubstrate.com/inject/dalvik/

QUESTIONS?

Dancing with dalvik

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Dancing with dalvik

Similar to Dancing with dalvik (20)

Recently uploaded

Recently uploaded (20)

Dancing with dalvik