SlideShare a Scribd company logo
1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
THOMAS RICHARDS
Dancing with Dalvik
2 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
About me
• Thomas Richards
• Security Consultant @ Cigital, Inc
• @g13net - Twitter
• OSCP, GPEN, OSWP
• Developer
o Goofile and Pwnberry Pi
• Organizer for BsidesROC
• Presented before at GrrCON and DerbyCON
• Really enjoy tearing apart Android
3 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Toc
• 0x1 – Intro to Dalvik
• 0x2 – Dalvik Opcode Primer
• 0x3 – Case Studies
4 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
0x01 Intro to Dalvik
5 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
What is Dalvik?
• A town in Iceland
• A lightweight register-based VM
• Optimized for embedded/mobile
platforms
o Low RAM/CPU
6 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Dalvik optimizations
• Duplicate code is reused within DEX
• 16-bit instruction set that works directly
on local variables
o Lowers instruction count and increased
interpreter speed
• Slimmed down VM to run in less space
7 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Stack vs register based
• Java JVM is Stack Based
o real or emulated computer that uses a pushdown stack rather
than individual machine registers to evaluate each sub-
expression in the program
• Register Based
o Dalvik uses registers as primarily units of data storage instead
of the stack. Google is hoping to accomplish 30 percent fewer
instructions as a result.
• http://stackoverflow.com/questions/2719469/why-is-the-
jvm-stack-based-and-the-dalvik-vm-register-based
• http://en.wikipedia.org/wiki/Stack_machine
8 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Register Vs. Stack Cont.
9 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Getting to dalvik
• Android apps are traditionally written in
Java
• Compiled into Java bytecode then
converted to Dalvik bytecode
• Java class files converted into .dex
10 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Java vs Dalvik
11 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Inside the APK
• AndroidManifest.xml
• Classes.dex
• Res/
• Lib/
• META-INF/
12 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Disassembling classes.dex
• Typical tools
o Apktool
o Baksmali
• The result is several .smali files
13 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Apktool decoding
me@Mentos ~/android/ghost $ apktool d ghost-meter.apk
I: Baksmaling...
I: Loading resource table...
I: Loaded.
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file:
/home/me/apktool/framework/1.apk
I: Loaded.
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Done.
I: Copying assets and libs...
14 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Directories Created
15 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Files created
me@Mentos ~/android/ghost $ ls ghost-
meter/smali/
a.smali c$a.smali c$c.smali
c$e.smali c.smali e.smali g.smali
i.smali k.smali m.smali o.smali
q.smali s.smali u.smali w.smali
b.smali c$b.smali c$d.smali com
d.smali f.smali h.smali j.smali
l.smali n.smali p.smali r.smali
t.smali v.smali x.smali
me@Mentos ~/android/ghost $
16 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Apktool building
me@Mentos ~/android/ghost $ apktool b ghost-
meter/ ghost.apk
I: Checking whether sources has changed...
I: Smaling...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
me@Mentos ~/android/ghost $
• After building you must use jarsigner to sign the APK
before it can be installed!
17 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Signing the APK
• Creating the cert
o keytool -genkey -v -keystore my-release-
key.keystore -alias alias_name -keyalg RSA
-validity 10000
• Signing the APK
o jarsigner -verbose -keystore my-release-
key.keystore GhostMeter.apk alias_name
18 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Cydia Substrate
• Originally on iOS, recently released on
Android.
• Tool for hooking methods within an
application or the system.
• Modify runtime behavior of Android
Application without recompiling code
19 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
0x2 Dalvik Opcode Primer
20 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Smali files
• Disassembled DEX files
• Not as scary as x86 ASM
• ASCII representation of Dalvik Opcodes
• Mostly correspond to the original .java
files
21 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Types
V void - can only be used for return types
Z boolean
B byte
S short
C char
I int
J long (64 bits)
F float
D double (64 bits)
22 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Helloworld example
.class public LHelloWorld;
#this is a comment
.super Ljava/lang/Object;
.method public static main([Ljava/lang/String;)V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World!"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
return-void
.end method
http://code.google.com/p/smali/source/browse/examples/HelloWorld/HelloWorld.sm
ali
23 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Variables
• Registers
o v0, v1, etc.
o Variables defined in the original java code
• Parameters
o p0, p1, etc
o Must be the same as defined by the method
• Both are defined at the beginning of the
method
24 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Example
.class public LHelloWorld;
#this is a comment
.super Ljava/lang/Object;
.method public static main([Ljava/lang/String;)V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World!"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;-
>println(Ljava/lang/String;)V
return-void
.end method
25 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Assigning variables
• const
• const-string
• Etc,
• Examples
o const v0, 0x1
o const-string v1, “This is a test”
26 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Example
.class public LHelloWorld;
#this is a comment
.super Ljava/lang/Object;
.method public static main([Ljava/lang/String;)V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World!"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;-
>println(Ljava/lang/String;)V
return-void
.end method
27 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Calling methods
• invoke-* { parameters }, method-to-call
o Static – static method
o Virtual – virtual method
28 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Example
.class public LHelloWorld;
#this is a comment
.super Ljava/lang/Object;
.method public static main([Ljava/lang/String;)V
.registers 2
sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string v1, "Hello World!"
invoke-virtual {v0, v1}, Ljava/io/PrintStream;-
>println(Ljava/lang/String;)V
return-void
.end method
29 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Conditional statements
• If-* - If statements
o If-eq vx, vy, target – If equal
o If-nez vx, target – If vx is a nonzero
o If-eqz vx, target – If vx is zero
o If-ge vx, vy, target – if vx>=vy
o Etc
• Targets
o Shown as cond_0, cond_1
30 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
example
invoke-virtual {v0}, Ljava/lang/Class;-
>desiredAssertionStatus()Z
move-result v0
if-nez v0, :cond_0
.line 100
:cond_0
const/4 v0, 0x0
goto/16 :goto_0
31 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Get/put
• Apps could declare constants.
• Get/Put will retrieve or store values into
those constants
• Examples:
o iput v0, v1, Lcom/greencod/pinball/gameengine/zones/Table0Zone;-
>ZORDER_TABLE:I
o iget v0, v0, Lcom/greencod/pinball/gameengine/xinterface/persistenc
e/Settings;->friction:F
32 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Return
• Unless the method is declared as a void,
it will return a value.
• Return types:
o Return-void
o Return-object
o Return v0
33 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
0x3 case studies
34 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Removing ads
• Ads are annoying
• Take up screen realestate
• My 4 yr old mistakenly clicks them
o “Look daddy!”
35 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
solitare
• Ad function is called inbetween deals
• Ads are annoying
o Music
o Video
• Disable calling the ads?
36 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Short video showing ad calling
37 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
The code
• After an exhaustive search in com/mobilityware/solitare/solitare.smali:
.method public displayAd()V
.locals 1
.prologue
.line 572
iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;-
>adControl:Lcom/mobilityware/solitaire/AdControl;
if-eqz v0, :cond_0
.line 573
iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;-
>adControl:Lcom/mobilityware/solitaire/AdControl;
invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z
.line 574
:cond_0
return-void
.end method
38 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
The code
• After an exhaustive search in com/mobilityware/solitare/solitare.smali:
.method public displayAd()V
.locals 1
.prologue
.line 572
iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;-
>adControl:Lcom/mobilityware/solitaire/AdControl;
if-eqz v0, :cond_0
.line 573
iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;-
>adControl:Lcom/mobilityware/solitaire/AdControl;
#invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z
.line 574
:cond_0
return-void
.end method
39 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
After the change is made
• Recompile the code and use apktool to
create a new APK
o You will have to sign this with your own cert
• After the APK is created:
o Remove old Solitare APK
o Install new hax0rd one
40 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Short video showing no more ad
41 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
chess
• Most apps display the ads at all times
• When the network is disabled, the ads
don’t show
• Can we force this behavior?
42 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Screenshot of chess with ads
43 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Google ads
• Most apps rely on Google’s ad provider
network
• Good for us!
o Code to break this should be the same for
many apps
• How to make it look like there is no network
connectivity?
• Log Entry when Network is disabled
o adRequestWebView was null while
trying to load an ad
44 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
The original code
• From com/google/ads/c.smali:
:try_start_0
iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;
if-eqz v0, :cond_0
iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;
if-nez v0, :cond_1
:cond_0
const-string v0, "adRequestWebView was null while trying to load an ad."
invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V
sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;-
>INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode
45 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
The modified code
• From com/google/ads/c.smali:
:try_start_0
iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;
const v0, 0x0
if-eqz v0, :cond_0
iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;
if-nez v0, :cond_1
:cond_0
const-string v0, "adRequestWebView was null while trying to load an
ad."
invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V
46 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Screenshot showing no ads
47 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Removing Ads with Cydia
• Write once, use everywhere
• Using reflection, hook a method
• Stop ads from loading
48 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Google Mobile Ads
• Again, very common to see used.
• Plan:
o Hook loadDataWithBaseUrl method
o Render it useless
49 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Cydia Code
MS.hookClassLoad("com.google.ads.internal.AdWebView", new
MS.ClassLoadHook() {
public void classLoaded(Class<?> resources) {
Method loadAd;
try {
loadAd = resources.getMethod("loadDataWithBaseURL", String.class,
String.class, String.class, String.class, String.class);
} catch (NoSuchMethodException d) {
loadAd = null;
}
if (loadAd != null) {
final MS.MethodPointer old = new MS.MethodPointer();
MS.hookMethod(resources, loadAd, new MS.MethodHook() {
public Object invoked(Object _this, Object... args) throws Throwable {
return null;
}
}, old);
50 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Screenshot of App with Ads
51 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Screenshot after Cydia App Installed
52 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Pinball wizard
• How about getting a high score?
• Values are most likely in the source
• Totally impress your friends with l33t
pinball skillz
53 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Picture of game after normal score
54 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
The code
.local v12,
scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour;
const/16 v1, 0x2c7
const/16 v3, 0x5aa
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe
haviour;->addScoreMessage(II)V
.line 508
const/16 v1, 0x204
const/16 v3, 0x10fe
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe
haviour;->addScoreMessage(II)V
55 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Altered code
.local v12,
scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour;
const/16 v1, 0x2c7
const/16 v3, 0xfff
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer
Behaviour;->addScoreMessage(II)V
.line 508
const/16 v1, 0x204
const/16 v3, 0xffff
invoke-
virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer
Behaviour;->addScoreMessage(II)V
56 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Picture of new high score
57 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Leaderboard
58 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
What now?
• Explore!
• Bypass restrictions?
o Very useful in mobile app assessment
59 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
References
• http://pallergabor.uw.hu/androidblog/dalvik_
opcodes.html
• http://code.google.com/p/android-apktool/
• http://code.google.com/p/smali/source/brow
se/examples/HelloWorld/HelloWorld.smali
• http://www.cydiasubstrate.com/inject/dalvik/
60 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
QUESTIONS?

More Related Content

What's hot

JAVA OOP
JAVA OOPJAVA OOP
JAVA OOP
Sunil OS
 
스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략
if kakao
 
REST-API overview / concepts
REST-API overview / conceptsREST-API overview / concepts
REST-API overview / concepts
Patrick Savalle
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
Sam Thomas
 
Introduction to Spring's Dependency Injection
Introduction to Spring's Dependency InjectionIntroduction to Spring's Dependency Injection
Introduction to Spring's Dependency Injection
Richard Paul
 
Java
JavaJava
Spring Cloud Config
Spring Cloud ConfigSpring Cloud Config
Spring Cloud Config
Theerut Bunkhanphol
 
Advanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST APIAdvanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST API
Rasan Samarasinghe
 
Java web application development
Java web application developmentJava web application development
Java web application development
RitikRathaur
 
La magia de Flutter
La magia de FlutterLa magia de Flutter
La magia de Flutter
Mauricio Angulo Sillas
 
A guide to getting started with WebdriverIO
A guide to getting started with WebdriverIOA guide to getting started with WebdriverIO
A guide to getting started with WebdriverIO
Nilenth Selvaraja
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeup
Yu Iwama
 
Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction
Kanika Gera
 
7가지 동시성 모델 - 3장. 함수형 프로그래밍
7가지 동시성 모델 - 3장. 함수형 프로그래밍7가지 동시성 모델 - 3장. 함수형 프로그래밍
7가지 동시성 모델 - 3장. 함수형 프로그래밍
Hyunsoo Jung
 
Powershell Training
Powershell TrainingPowershell Training
Powershell Training
Fahad Noaman
 
JBoss Web Server ( JBoss 웹서버 ) 설치 가이드
JBoss Web Server ( JBoss 웹서버 ) 설치 가이드JBoss Web Server ( JBoss 웹서버 ) 설치 가이드
JBoss Web Server ( JBoss 웹서버 ) 설치 가이드
Opennaru, inc.
 
Solr と自然言語処理によるSalesforce のディープサーチ
Solr と自然言語処理によるSalesforce のディープサーチSolr と自然言語処理によるSalesforce のディープサーチ
Solr と自然言語処理によるSalesforce のディープサーチ
Junichi Hasegawa
 
Spring cheat sheet
Spring cheat sheetSpring cheat sheet
Spring cheat sheet
Mark Papis
 
Designing with malli
Designing with malliDesigning with malli
Designing with malli
Metosin Oy
 
JPA and Hibernate
JPA and HibernateJPA and Hibernate
JPA and Hibernate
elliando dias
 

What's hot (20)

JAVA OOP
JAVA OOPJAVA OOP
JAVA OOP
 
스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략스프링5 웹플럭스와 테스트 전략
스프링5 웹플럭스와 테스트 전략
 
REST-API overview / concepts
REST-API overview / conceptsREST-API overview / concepts
REST-API overview / concepts
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Introduction to Spring's Dependency Injection
Introduction to Spring's Dependency InjectionIntroduction to Spring's Dependency Injection
Introduction to Spring's Dependency Injection
 
Java
JavaJava
Java
 
Spring Cloud Config
Spring Cloud ConfigSpring Cloud Config
Spring Cloud Config
 
Advanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST APIAdvanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST API
 
Java web application development
Java web application developmentJava web application development
Java web application development
 
La magia de Flutter
La magia de FlutterLa magia de Flutter
La magia de Flutter
 
A guide to getting started with WebdriverIO
A guide to getting started with WebdriverIOA guide to getting started with WebdriverIO
A guide to getting started with WebdriverIO
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeup
 
Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction Node.Js: Basics Concepts and Introduction
Node.Js: Basics Concepts and Introduction
 
7가지 동시성 모델 - 3장. 함수형 프로그래밍
7가지 동시성 모델 - 3장. 함수형 프로그래밍7가지 동시성 모델 - 3장. 함수형 프로그래밍
7가지 동시성 모델 - 3장. 함수형 프로그래밍
 
Powershell Training
Powershell TrainingPowershell Training
Powershell Training
 
JBoss Web Server ( JBoss 웹서버 ) 설치 가이드
JBoss Web Server ( JBoss 웹서버 ) 설치 가이드JBoss Web Server ( JBoss 웹서버 ) 설치 가이드
JBoss Web Server ( JBoss 웹서버 ) 설치 가이드
 
Solr と自然言語処理によるSalesforce のディープサーチ
Solr と自然言語処理によるSalesforce のディープサーチSolr と自然言語処理によるSalesforce のディープサーチ
Solr と自然言語処理によるSalesforce のディープサーチ
 
Spring cheat sheet
Spring cheat sheetSpring cheat sheet
Spring cheat sheet
 
Designing with malli
Designing with malliDesigning with malli
Designing with malli
 
JPA and Hibernate
JPA and HibernateJPA and Hibernate
JPA and Hibernate
 

Viewers also liked

Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer tool
Gabor Paller
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik Bytecode
Alain Leon
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android apps
Pranay Airan
 
Android JNI
Android JNIAndroid JNI
Android JNI
Siva Ramakrishna kv
 
Let's talk about jni
Let's talk about jniLet's talk about jni
Let's talk about jni
Yongqiang Li
 
Practice of Android Reverse Engineering
Practice of Android Reverse EngineeringPractice of Android Reverse Engineering
Practice of Android Reverse Engineering
National Cheng Kung University
 
Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLearning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorial
Landice Fu
 
Android internals 05 - Dalvik VM (rev_1.1)
Android internals 05 - Dalvik VM (rev_1.1)Android internals 05 - Dalvik VM (rev_1.1)
Android internals 05 - Dalvik VM (rev_1.1)
Egor Elizarov
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
Sam Bowne
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
ClubHack
 
Smali语法
Smali语法Smali语法
Smali语法
xiaoshan8743
 
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
Toward Reverse Engineering of VBA Based Excel Spreadsheets ApplicationsToward Reverse Engineering of VBA Based Excel Spreadsheets Applications
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
REvERSE University of Naples Federico II
 
Reverse Engineering Android Application
Reverse Engineering Android ApplicationReverse Engineering Android Application
Reverse Engineering Android Application
n|u - The Open Security Community
 
Reverse Engineering .NET and Java
Reverse Engineering .NET and JavaReverse Engineering .NET and Java
Reverse Engineering .NET and Java
Joe Kuemerle
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skype
Mário Almeida
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsSteelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Tom Keetch
 
How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...
Christoph Matthies
 
Garbage Collection of Java VM
Garbage Collection of Java VMGarbage Collection of Java VM
Garbage Collection of Java VM
Yongqiang Li
 
Inside Android's Dalvik VM - NEJUG Nov 2011
Inside Android's Dalvik VM - NEJUG Nov 2011Inside Android's Dalvik VM - NEJUG Nov 2011
Inside Android's Dalvik VM - NEJUG Nov 2011
Doug Hawkins
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
Sam Bowne
 

Viewers also liked (20)

Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer tool
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik Bytecode
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android apps
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Let's talk about jni
Let's talk about jniLet's talk about jni
Let's talk about jni
 
Practice of Android Reverse Engineering
Practice of Android Reverse EngineeringPractice of Android Reverse Engineering
Practice of Android Reverse Engineering
 
Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLearning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorial
 
Android internals 05 - Dalvik VM (rev_1.1)
Android internals 05 - Dalvik VM (rev_1.1)Android internals 05 - Dalvik VM (rev_1.1)
Android internals 05 - Dalvik VM (rev_1.1)
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Smali语法
Smali语法Smali语法
Smali语法
 
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
Toward Reverse Engineering of VBA Based Excel Spreadsheets ApplicationsToward Reverse Engineering of VBA Based Excel Spreadsheets Applications
Toward Reverse Engineering of VBA Based Excel Spreadsheets Applications
 
Reverse Engineering Android Application
Reverse Engineering Android ApplicationReverse Engineering Android Application
Reverse Engineering Android Application
 
Reverse Engineering .NET and Java
Reverse Engineering .NET and JavaReverse Engineering .NET and Java
Reverse Engineering .NET and Java
 
Android reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skypeAndroid reverse engineering - Analyzing skype
Android reverse engineering - Analyzing skype
 
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android ApplicationsSteelcon 2015 Reverse-Engineering Obfuscated Android Applications
Steelcon 2015 Reverse-Engineering Obfuscated Android Applications
 
How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...How to reverse engineer Android applications—using a popular word game as an ...
How to reverse engineer Android applications—using a popular word game as an ...
 
Garbage Collection of Java VM
Garbage Collection of Java VMGarbage Collection of Java VM
Garbage Collection of Java VM
 
Inside Android's Dalvik VM - NEJUG Nov 2011
Inside Android's Dalvik VM - NEJUG Nov 2011Inside Android's Dalvik VM - NEJUG Nov 2011
Inside Android's Dalvik VM - NEJUG Nov 2011
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
 

Similar to Dancing with dalvik

MOSSCon 2013, Cisco Open Source talk
MOSSCon 2013, Cisco Open Source talkMOSSCon 2013, Cisco Open Source talk
MOSSCon 2013, Cisco Open Source talk
Jeff Squyres
 
Jailbreak Detector Detector
Jailbreak Detector DetectorJailbreak Detector Detector
Jailbreak Detector Detector
Nick Mooney
 
Keep it out - How to keep Drupal Secure
Keep it out - How to keep Drupal SecureKeep it out - How to keep Drupal Secure
Keep it out - How to keep Drupal Secure
Alex Burrows
 
JAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -Essentials
JAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -EssentialsJAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -Essentials
JAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -Essentials
jazoon13
 
20190315 Oracle Cloud Friends #2 Blockchain GIG ご紹介
20190315 Oracle Cloud Friends #2  Blockchain GIG ご紹介20190315 Oracle Cloud Friends #2  Blockchain GIG ご紹介
20190315 Oracle Cloud Friends #2 Blockchain GIG ご紹介
オラクルエンジニア通信
 
Social Content Management with MongoDB
Social Content Management with MongoDBSocial Content Management with MongoDB
Social Content Management with MongoDB
MongoDB
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
Rogue Wave Software
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Anne Nicolas
 
Spring & messaging
Spring & messagingSpring & messaging
Spring & messaging
Artem Bilan
 
The genesis of clusterlib - An open source library to tame your favourite sup...
The genesis of clusterlib - An open source library to tame your favourite sup...The genesis of clusterlib - An open source library to tame your favourite sup...
The genesis of clusterlib - An open source library to tame your favourite sup...
Arnaud Joly
 
Mobile app class Chicago
Mobile app class ChicagoMobile app class Chicago
Mobile app class Chicago
Matthew Dobson
 
Feelin' Groovy: A Groovy Developer in the Java World
Feelin' Groovy: A Groovy Developer in the Java WorldFeelin' Groovy: A Groovy Developer in the Java World
Feelin' Groovy: A Groovy Developer in the Java World
Ken Kousen
 
Testing RESTful Web Services
Testing RESTful Web ServicesTesting RESTful Web Services
Testing RESTful Web Services
TechWell
 
Implementing a highly scalable stock prediction system with R, Geode, SpringX...
Implementing a highly scalable stock prediction system with R, Geode, SpringX...Implementing a highly scalable stock prediction system with R, Geode, SpringX...
Implementing a highly scalable stock prediction system with R, Geode, SpringX...
William Markito Oliveira
 
IPTC Rights Working Party Summer 2015
IPTC Rights Working Party Summer 2015IPTC Rights Working Party Summer 2015
IPTC Rights Working Party Summer 2015
Stuart Myles
 
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Keisuke Takahashi
 
Develop Android/iOS app using golang
Develop Android/iOS app using golangDevelop Android/iOS app using golang
Develop Android/iOS app using golang
SeongJae Park
 
HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]
HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]
HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]
David Buck
 
Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston
Hacking for Fun and Profit (Mostly for Fun). AnDevCon BostonHacking for Fun and Profit (Mostly for Fun). AnDevCon Boston
Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston
Apkudo
 
Stripe Capture the Flag Meetup
Stripe Capture the Flag MeetupStripe Capture the Flag Meetup
Stripe Capture the Flag Meetup
abrody
 

Similar to Dancing with dalvik (20)

MOSSCon 2013, Cisco Open Source talk
MOSSCon 2013, Cisco Open Source talkMOSSCon 2013, Cisco Open Source talk
MOSSCon 2013, Cisco Open Source talk
 
Jailbreak Detector Detector
Jailbreak Detector DetectorJailbreak Detector Detector
Jailbreak Detector Detector
 
Keep it out - How to keep Drupal Secure
Keep it out - How to keep Drupal SecureKeep it out - How to keep Drupal Secure
Keep it out - How to keep Drupal Secure
 
JAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -Essentials
JAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -EssentialsJAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -Essentials
JAZOON'13 - Thomas Hug & Bartosz Majsak - Git Workshop -Essentials
 
20190315 Oracle Cloud Friends #2 Blockchain GIG ご紹介
20190315 Oracle Cloud Friends #2  Blockchain GIG ご紹介20190315 Oracle Cloud Friends #2  Blockchain GIG ご紹介
20190315 Oracle Cloud Friends #2 Blockchain GIG ご紹介
 
Social Content Management with MongoDB
Social Content Management with MongoDBSocial Content Management with MongoDB
Social Content Management with MongoDB
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
 
Spring & messaging
Spring & messagingSpring & messaging
Spring & messaging
 
The genesis of clusterlib - An open source library to tame your favourite sup...
The genesis of clusterlib - An open source library to tame your favourite sup...The genesis of clusterlib - An open source library to tame your favourite sup...
The genesis of clusterlib - An open source library to tame your favourite sup...
 
Mobile app class Chicago
Mobile app class ChicagoMobile app class Chicago
Mobile app class Chicago
 
Feelin' Groovy: A Groovy Developer in the Java World
Feelin' Groovy: A Groovy Developer in the Java WorldFeelin' Groovy: A Groovy Developer in the Java World
Feelin' Groovy: A Groovy Developer in the Java World
 
Testing RESTful Web Services
Testing RESTful Web ServicesTesting RESTful Web Services
Testing RESTful Web Services
 
Implementing a highly scalable stock prediction system with R, Geode, SpringX...
Implementing a highly scalable stock prediction system with R, Geode, SpringX...Implementing a highly scalable stock prediction system with R, Geode, SpringX...
Implementing a highly scalable stock prediction system with R, Geode, SpringX...
 
IPTC Rights Working Party Summer 2015
IPTC Rights Working Party Summer 2015IPTC Rights Working Party Summer 2015
IPTC Rights Working Party Summer 2015
 
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
 
Develop Android/iOS app using golang
Develop Android/iOS app using golangDevelop Android/iOS app using golang
Develop Android/iOS app using golang
 
HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]
HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]
HotSpot Synchronization, A Peek Under the Hood [JavaOne 2015 CON7570]
 
Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston
Hacking for Fun and Profit (Mostly for Fun). AnDevCon BostonHacking for Fun and Profit (Mostly for Fun). AnDevCon Boston
Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston
 
Stripe Capture the Flag Meetup
Stripe Capture the Flag MeetupStripe Capture the Flag Meetup
Stripe Capture the Flag Meetup
 

Recently uploaded

“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 

Recently uploaded (20)

“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 

Dancing with dalvik

  • 1. 1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. THOMAS RICHARDS Dancing with Dalvik
  • 2. 2 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. About me • Thomas Richards • Security Consultant @ Cigital, Inc • @g13net - Twitter • OSCP, GPEN, OSWP • Developer o Goofile and Pwnberry Pi • Organizer for BsidesROC • Presented before at GrrCON and DerbyCON • Really enjoy tearing apart Android
  • 3. 3 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Toc • 0x1 – Intro to Dalvik • 0x2 – Dalvik Opcode Primer • 0x3 – Case Studies
  • 4. 4 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. 0x01 Intro to Dalvik
  • 5. 5 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. What is Dalvik? • A town in Iceland • A lightweight register-based VM • Optimized for embedded/mobile platforms o Low RAM/CPU
  • 6. 6 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Dalvik optimizations • Duplicate code is reused within DEX • 16-bit instruction set that works directly on local variables o Lowers instruction count and increased interpreter speed • Slimmed down VM to run in less space
  • 7. 7 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Stack vs register based • Java JVM is Stack Based o real or emulated computer that uses a pushdown stack rather than individual machine registers to evaluate each sub- expression in the program • Register Based o Dalvik uses registers as primarily units of data storage instead of the stack. Google is hoping to accomplish 30 percent fewer instructions as a result. • http://stackoverflow.com/questions/2719469/why-is-the- jvm-stack-based-and-the-dalvik-vm-register-based • http://en.wikipedia.org/wiki/Stack_machine
  • 8. 8 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Register Vs. Stack Cont.
  • 9. 9 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Getting to dalvik • Android apps are traditionally written in Java • Compiled into Java bytecode then converted to Dalvik bytecode • Java class files converted into .dex
  • 10. 10 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Java vs Dalvik
  • 11. 11 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Inside the APK • AndroidManifest.xml • Classes.dex • Res/ • Lib/ • META-INF/
  • 12. 12 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Disassembling classes.dex • Typical tools o Apktool o Baksmali • The result is several .smali files
  • 13. 13 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Apktool decoding me@Mentos ~/android/ghost $ apktool d ghost-meter.apk I: Baksmaling... I: Loading resource table... I: Loaded. I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /home/me/apktool/framework/1.apk I: Loaded. I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Done. I: Copying assets and libs...
  • 14. 14 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Directories Created
  • 15. 15 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Files created me@Mentos ~/android/ghost $ ls ghost- meter/smali/ a.smali c$a.smali c$c.smali c$e.smali c.smali e.smali g.smali i.smali k.smali m.smali o.smali q.smali s.smali u.smali w.smali b.smali c$b.smali c$d.smali com d.smali f.smali h.smali j.smali l.smali n.smali p.smali r.smali t.smali v.smali x.smali me@Mentos ~/android/ghost $
  • 16. 16 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Apktool building me@Mentos ~/android/ghost $ apktool b ghost- meter/ ghost.apk I: Checking whether sources has changed... I: Smaling... I: Checking whether resources has changed... I: Building resources... I: Building apk file... me@Mentos ~/android/ghost $ • After building you must use jarsigner to sign the APK before it can be installed!
  • 17. 17 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Signing the APK • Creating the cert o keytool -genkey -v -keystore my-release- key.keystore -alias alias_name -keyalg RSA -validity 10000 • Signing the APK o jarsigner -verbose -keystore my-release- key.keystore GhostMeter.apk alias_name
  • 18. 18 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Cydia Substrate • Originally on iOS, recently released on Android. • Tool for hooking methods within an application or the system. • Modify runtime behavior of Android Application without recompiling code
  • 19. 19 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. 0x2 Dalvik Opcode Primer
  • 20. 20 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Smali files • Disassembled DEX files • Not as scary as x86 ASM • ASCII representation of Dalvik Opcodes • Mostly correspond to the original .java files
  • 21. 21 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Types V void - can only be used for return types Z boolean B byte S short C char I int J long (64 bits) F float D double (64 bits)
  • 22. 22 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Helloworld example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V return-void .end method http://code.google.com/p/smali/source/browse/examples/HelloWorld/HelloWorld.sm ali
  • 23. 23 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Variables • Registers o v0, v1, etc. o Variables defined in the original java code • Parameters o p0, p1, etc o Must be the same as defined by the method • Both are defined at the beginning of the method
  • 24. 24 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;- >println(Ljava/lang/String;)V return-void .end method
  • 25. 25 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Assigning variables • const • const-string • Etc, • Examples o const v0, 0x1 o const-string v1, “This is a test”
  • 26. 26 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;- >println(Ljava/lang/String;)V return-void .end method
  • 27. 27 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Calling methods • invoke-* { parameters }, method-to-call o Static – static method o Virtual – virtual method
  • 28. 28 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Example .class public LHelloWorld; #this is a comment .super Ljava/lang/Object; .method public static main([Ljava/lang/String;)V .registers 2 sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; const-string v1, "Hello World!" invoke-virtual {v0, v1}, Ljava/io/PrintStream;- >println(Ljava/lang/String;)V return-void .end method
  • 29. 29 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Conditional statements • If-* - If statements o If-eq vx, vy, target – If equal o If-nez vx, target – If vx is a nonzero o If-eqz vx, target – If vx is zero o If-ge vx, vy, target – if vx>=vy o Etc • Targets o Shown as cond_0, cond_1
  • 30. 30 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. example invoke-virtual {v0}, Ljava/lang/Class;- >desiredAssertionStatus()Z move-result v0 if-nez v0, :cond_0 .line 100 :cond_0 const/4 v0, 0x0 goto/16 :goto_0
  • 31. 31 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Get/put • Apps could declare constants. • Get/Put will retrieve or store values into those constants • Examples: o iput v0, v1, Lcom/greencod/pinball/gameengine/zones/Table0Zone;- >ZORDER_TABLE:I o iget v0, v0, Lcom/greencod/pinball/gameengine/xinterface/persistenc e/Settings;->friction:F
  • 32. 32 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Return • Unless the method is declared as a void, it will return a value. • Return types: o Return-void o Return-object o Return v0
  • 33. 33 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. 0x3 case studies
  • 34. 34 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Removing ads • Ads are annoying • Take up screen realestate • My 4 yr old mistakenly clicks them o “Look daddy!”
  • 35. 35 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. solitare • Ad function is called inbetween deals • Ads are annoying o Music o Video • Disable calling the ads?
  • 36. 36 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Short video showing ad calling
  • 37. 37 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The code • After an exhaustive search in com/mobilityware/solitare/solitare.smali: .method public displayAd()V .locals 1 .prologue .line 572 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; if-eqz v0, :cond_0 .line 573 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z .line 574 :cond_0 return-void .end method
  • 38. 38 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The code • After an exhaustive search in com/mobilityware/solitare/solitare.smali: .method public displayAd()V .locals 1 .prologue .line 572 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; if-eqz v0, :cond_0 .line 573 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;- >adControl:Lcom/mobilityware/solitaire/AdControl; #invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z .line 574 :cond_0 return-void .end method
  • 39. 39 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. After the change is made • Recompile the code and use apktool to create a new APK o You will have to sign this with your own cert • After the APK is created: o Remove old Solitare APK o Install new hax0rd one
  • 40. 40 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Short video showing no more ad
  • 41. 41 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. chess • Most apps display the ads at all times • When the network is disabled, the ads don’t show • Can we force this behavior?
  • 42. 42 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot of chess with ads
  • 43. 43 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Google ads • Most apps rely on Google’s ad provider network • Good for us! o Code to break this should be the same for many apps • How to make it look like there is no network connectivity? • Log Entry when Network is disabled o adRequestWebView was null while trying to load an ad
  • 44. 44 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The original code • From com/google/ads/c.smali: :try_start_0 iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView; if-eqz v0, :cond_0 iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b; if-nez v0, :cond_1 :cond_0 const-string v0, "adRequestWebView was null while trying to load an ad." invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;- >INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode
  • 45. 45 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The modified code • From com/google/ads/c.smali: :try_start_0 iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView; const v0, 0x0 if-eqz v0, :cond_0 iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b; if-nez v0, :cond_1 :cond_0 const-string v0, "adRequestWebView was null while trying to load an ad." invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V
  • 46. 46 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot showing no ads
  • 47. 47 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Removing Ads with Cydia • Write once, use everywhere • Using reflection, hook a method • Stop ads from loading
  • 48. 48 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Google Mobile Ads • Again, very common to see used. • Plan: o Hook loadDataWithBaseUrl method o Render it useless
  • 49. 49 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Cydia Code MS.hookClassLoad("com.google.ads.internal.AdWebView", new MS.ClassLoadHook() { public void classLoaded(Class<?> resources) { Method loadAd; try { loadAd = resources.getMethod("loadDataWithBaseURL", String.class, String.class, String.class, String.class, String.class); } catch (NoSuchMethodException d) { loadAd = null; } if (loadAd != null) { final MS.MethodPointer old = new MS.MethodPointer(); MS.hookMethod(resources, loadAd, new MS.MethodHook() { public Object invoked(Object _this, Object... args) throws Throwable { return null; } }, old);
  • 50. 50 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot of App with Ads
  • 51. 51 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Screenshot after Cydia App Installed
  • 52. 52 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Pinball wizard • How about getting a high score? • Values are most likely in the source • Totally impress your friends with l33t pinball skillz
  • 53. 53 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Picture of game after normal score
  • 54. 54 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. The code .local v12, scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour; const/16 v1, 0x2c7 const/16 v3, 0x5aa invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe haviour;->addScoreMessage(II)V .line 508 const/16 v1, 0x204 const/16 v3, 0x10fe invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBe haviour;->addScoreMessage(II)V
  • 55. 55 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Altered code .local v12, scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour; const/16 v1, 0x2c7 const/16 v3, 0xfff invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer Behaviour;->addScoreMessage(II)V .line 508 const/16 v1, 0x204 const/16 v3, 0xffff invoke- virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/Scorer Behaviour;->addScoreMessage(II)V
  • 56. 56 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Picture of new high score
  • 57. 57 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. Leaderboard
  • 58. 58 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. What now? • Explore! • Bypass restrictions? o Very useful in mobile app assessment
  • 59. 59 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. References • http://pallergabor.uw.hu/androidblog/dalvik_ opcodes.html • http://code.google.com/p/android-apktool/ • http://code.google.com/p/smali/source/brow se/examples/HelloWorld/HelloWorld.smali • http://www.cydiasubstrate.com/inject/dalvik/
  • 60. 60 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted. QUESTIONS?