Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

HACKINGAPKS FOR FUN
AND FOR PROFIT
(MOSTLYFOR FUN)
DAVIDTEITELBAUM
MAY2013
@davtbaum

2 © 2013 Apkudo LLC. www.apkudo.com
OBJECTIVES
Androidappdisassembly
Fundamentalsofcodeinjection
Smali/BaksmaliandreadingDalvikbytecode
Bestpracticesinhardeningyourapp
Expect to learn:

ROADMAP
PART I - CLASS PART II – DEMO/HACK
Approachtohacking
Tools–apktool,baksmali,smali
TheAPK
Allthingsbytecode
Snapchatdeepdive
Appdisassemblyandanalysis
Codeinjection
Recap

PART I - CLASS

1. UnzipAPK and disassemble classes.dex (baksmali)
2. Analyze – what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip/signAPK
APK HACKING
Approach
Disassemble
(baksmali)
.smali
Static analysis
Reassemble
(smali)
Code injection

CODE INJECTION
 Write patches in Java, compile, then use the
Smali/Baksmali tools to disassemble into Dalvik byte code
 Stick to public static methods in Dalvik byte code which
have no register dependencies.
 Let the compiler do the work - this hack was achieved
with only one line of code injection!
Best Practices:

TOOLS
 Access to a terminal environment (preferably Linux or Mac
osx)
 Android SDK
 keytool and jarsigner
 Smali/Baksmali - http://code.google.com/p/smali/
 Apktool - http://code.google.com/p/android-apktool/
 Editor of choice (emacs!)
You’ll need…

SMALI/BAKSMALI
 Baksmali disassembles Dalvik executable (.dex) into
readable Dalvik byte code (.smali)
 Smali re-assembles .smali files back into .dex Dalvik
executable
 Gives developers the ability to modify execution of anAPK
without having access to source code
Dalvik Assembler/
Disassembler

APKTOOL
 Wraps smali/baksmali andAndroid asset packaging tool
(aapt)
 Decodes resources and decompresses xml
 Great for manifest introspection
 Buggy :/
All in one reverser

THE APK
A container for your app
 Zipped file formatted based on JAR
META-INF/
AndroidManifest.xml
classes.dex
lib/
res/
resources.arsc

EXAMPLES
$unzipfoobar.apk–dfoobar
$cd./foobar
$ls
AndroidManifest.xml META-INF classes.dex res
resources.arsc lib
$baksmali–a10–d~/boot_class_pathclasses.dex
baksmali
API level boot class path dex file

EXAMPLES
$ls
AndroidManifest.xml META-INF classes.dex res
resources.arsc lib
out
$smali –a10./out–oclasses.dex
$zip–r~/hacked.apk./*
smali
API level output dex file
recursive

EXAMPLES
$apktooldfoobar.apk foobar
$cd./foobar
$ls
AndroidManifest.xml apktool.yml assets res smali
$cd../
$apktoolb./foobar
apktool
decode out directory
build

EXAMPLES
$keytool-genkeypair-v -aliasdefault–keystore
~/.keystore–storepasspassword
$jarsigner–keystore~/.keystore ./foobar.apk
default
keytool and jarsigner
alias

SMALI FILES
class representation in byte code
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java”
# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils”
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 5
invoke-direct {p0}, Ljava/lang/Object;-><init>()V
return-void
.end method
Class information
Static fields
Methods
Direct
Virtual

SYNTAX
V void
Z boolean
B byte
S short
C char
F float
I int
J long
D double
[ array
types .method private doSomething()V
64 bit – special instructions

SYNTAX
• full name space slash separated
• prefixed with L
• suffixed with ;
Lcom/apkudo/util/Serializer;classes
const-string v0, "ApkudoUtils"
new-instance v1, Ljava/lang/StringBuilder;
invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
const-string v2, "docId: ["
invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;-
>append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v1

SYNTAX
 Method definitions
 .method <[keyword]> <name>(<[param]>)<return type>
 Method invocations
 invoke-static – any method that is static
 invoke-virtual– any method that isn‟t private, static, or
final
 invoke-direct – any non-static direct method
 invoke-super – any superclass's virtual method
 Invoke-interface– any interface method
 Virtual methods require their class instance as a parameter!
.method private doSomething()Vmethods

SYNTAX
.method private doSomething()Vmethods
.method private delayedAnimationFrame(J)Z
.registers 8
.parameter "currentTime”
keyword method name parameters/return
# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;-
>drainAllRequests(I)V

SYNTAX
 All registers are 32 bits
 Declaration
 .registers – total number of registers
 .locals – total minus method parameter registers
 Naming scheme
 Pregisters – parameter registers
 implicit p0 = „this‟instance (non-static)
 V registers – local registers
 Pregisters are always at the end of the register list
.locals 16
.registers 18
Registers

SYNTAX
.method public onCreate()V
.registers 7
...
Register Example
v0 First local register
v1 Second local register
v2 …
v3 …
v4 …
v5 …
v6 p0 First param – ‘this’
p0 == v6

SYNTAX
.method public doIt(Ljava/lang/String;II)V
.registers 7
Register Example 2
v2 …
v3 p0 ‘this’
v4 p1 String
v5 p2 int
v6 p3 int
p3 == v6
p2 == v5
p1 == v4
p0 == v3

SYNTAX
.method public doIt(JI)V
.registers 7
# hint, j == long
Register Example 3
v2
v3
v4
v5
v6
Third local register
p0 ‘this’ instance
p1 long
p2 long
p3 int
v3 - is it…
A) Fourth local register?
B) This instance?
C) Long?
D) Int?
v4 - is it…
B) This instance?
C) Long?
D) Int?
v5 - is it…
B) This instance?
C) Long?
D) Int?
v6 - is it…
B) This instance?
C) Long?
D) Int?

SYNTAX
.method public static doIt(IJ)V
.registers 7
Register Example 4
v2
v3
v4
v5
v6
Third local register
Fourth local register
p0 Int
p1 Long
p2 Long
v3 - is it…
B) This instance?
C) Long?
D) Int?
v4 - is it…
B) This instance?
C) Long?
D) Int?
v5 - is it…
B) This instance?
C) Long?
D) Int?
v6 - is it…
B) This instance?
C) Long?
D) Int?

SYNTAX
 jumps
 goto <offset>
jumping
.method public doIt(JI)V
.registers 7
...
goto :goto_31
...
:goto_31
return-void

SYNTAX
 Conditionals
 If-eq
 If-ne
 If-le
 If-lt
 If-ge
 If-gt
 Add z for zero
 If-eqz
 If-nez
conditionals
method public foobar()V
.registers 2
const/4 v0, 0x0
if-eqz v0, :cond_6
return-void
:cond_6
# Do something
.end method

PUTTING IT ALL
TOGETHER
Example - Java
package com.google.android.finsky;
import android.app.Application;
import android.accounts.Account;
public class FinskyApp() extends Application {
Account mCurrentAccount;
public String getCurrentAccountName() {
if (mCurrentAccount != null) {
return mCurrentAccount.name;
} else {
return null;
}
}
}

PUTTING IT ALL
TOGETHER
Same example - smali
.method public getCurrentAccountName()Ljava/lang/String;
.registers 2
.prologue
.line 617
iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
if-nez v0, :cond_6
const/4 v0, 0x0
:goto_5
return-object v0
:cond_6
iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
goto :goto_5
.end method
v1 p0 ‘this’ instance
Getting this field! of type …
into this reg

ONE FINAL
STEP
Obfuscation!
• Renames classes, class members and and method
• Preserves OS entry points and java namespace classes
• Slows down the static analysis process
• Not a silver bullet, but an easy first line of defense
iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;

PART II - DEMO
https://github.com/davtbaum/adc-demo

HACKING
SNAPCHAT

1. Picture messenger with a catch…
2. Self-destructive pictures!
3. Pictures only last up to 10 seconds, ensures the receiver cannot
save them
4. Alerts the sender if the receiver tries to take a screenshot
5. Net-worth $70M – over 20M snaps sent a day!1
WHAT IS
SNAPCHAT?
Real-time picture messenger
1. http://techcrunch.com/2012/12/12/sources-snapchat-raising-north-of-10m-at-around-70m-valuation-led-by-benchmarks-mitch-lasky/

SNAPCHAT
IN ACTION

1. UnzipAPK and disassemble classes.dex
2. Analyze for target resource (snapchat pictureAKA„snap‟)
3. Inject code to store or transmit resource
4. Reassemble classes.dex and rezip/resignAPK
HACKING
SNAPCHAT
Approach
Disassemble
(baksmali)
.smali
Static analysis/
Code Injection
Reassemble
(smali)

TOOLS
 Access to a terminal environment (preferably Linux or Mac
osx)
 Android SDK
 keytool and jarsigner
 Smali/Baksmali - http://code.google.com/p/smali/
 Apktool - http://code.google.com/p/android-apktool/
 Editor of choice (emacs!)
You’ll need…

STEP 1
 Query device for list of applications and associated file paths
 adbshellpm listpackages–f
 (optional)|grep–si“snapchat”
 Pull the files
 adbpull<file>~/snapchat/snapchat.apk
GET THE APP

STEP 2
 Extract classes.dexand remove keys
 unzipsnapchat.apk
 rm–r ./META-INF
 Disassemble:
 baksmali-a 10–d<framework_path> ./classes.dex
 -a=api-level
 -d=bootclasspathdir
 „adbpull/system/framework/ ./framework‟
DECOMPRESS AND
DISASSEMBLE

STEP 3
 apktool dump and inspectAndroidManifest.xml
for activities
 apktooldsnapchat.apk
 emacsAndroidManifest.xml
 Find the resource
 Use tools
 uiautomator to retrieve view hierarchy
(buggy)
 adbshelldumpsyswindow|grep–si
“mCurrentFocus”
 Resolve resource in code
ANDROID FORENSICS

STEP 3
 Resource located! Now we need to retrieve it…
 Don‟t write everything in byte code- build an application
that contains the resource retrieval code.
 Disassemble donor application and copy appropriate
methods into target app
 Easy enough, right?
RESOURCE RETRIEVAL
Java
resource
retrieval
code
Build Bytecode

DONOR APP
RESOURCE RETRIEVAL
package com.apkudo.util;
import android.app.Activity;
import android.graphics.Bitmap;
import java.io.FileOutputStream;
Import android.os.Bundle;
public class HackUtils extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
}
public void saveSnap(Bitmap bmp) {
try {
FileOutputStream out = new FileOutputStream(“/sdcard/test.png”);
bmp.compress(Bitmap.CompressFormat.PNG, 90, out);
} catch (Exception e) {
e.printStackTrace();
}
}
}

STEP 4
CODE INJECTION
 .method private showImage()V
 Isolate Bitmap
 Pass into resource retrieval method
invoke-virtual{v1,v2},Lcom/snapchat/android/model/ReceivedSnap;-
>getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap;
move-result-objectv0
#Patches
invoke-static{v0},Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V
#EndofPatches

STEP 5
 Re-assemble
 smali–a10./out–oclasses.dex
 Compress
 zip–z0–r../snapchat.apk./*
 SignAPK
 jarsigner-verbose -keystore my-release-key.keystore
./snapchat.apkalias_name
REBUILD APK

STEP 6
 Install
 adb install –r ../snapchat.apk
 Run the app!
INSTALLAND EXECUTE

RECAP
 Obfuscate?
 Very simple to navigate using method name
 E.g. “showSnap()”.
 Push images to native layer
 OpenGL?
 Native code is much harder to reverse.
 Dynamic signature verification?
 There is no silver bullet!
ROOM FOR IMPROVEMENTS

Thankyou.
DAVID@ .COM@davtbaum

Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

More Related Content

Similar to Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

Recently uploaded

Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

Editor's Notes