SlideShare ist ein Scribd-Unternehmen logo

Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

Als PPTX, PDF herunterladen
A
Apkudo

Dive deep into the internals of Android in this two-part, 150-minute class. You will explore the wonders of Dalvik bytecode, smali syntax, decompilation tools, patching techniques, and common methods you can use to (try to) protect your apps. Extremely hands-on, you'll be downloading a very popular app, modifying it, and messing around with its behavior. Even if you're not that interested in APK hacking, you'll leave this class with the sort of deep appreciation for Dalvik that makes good Android developers great.

Technologie
1 von 45
HACKINGAPKS FOR FUN AND FOR PROFIT (MOSTLYFOR FUN) DAVIDTEITELBAUM MAY2013 @davtbaum
2 © 2013 Apkudo LLC. www.apkudo.com OBJECTIVES Androidappdisassembly Fundamentalsofcodeinjection Smali/BaksmaliandreadingDalvikbytecode Bestpracticesinhardeningyourapp Expect to learn:
3 © 2013 Apkudo LLC. www.apkudo.com ROADMAP PART I - CLASS PART II – DEMO/HACK Approachtohacking Tools–apktool,baksmali,smali TheAPK Allthingsbytecode Snapchatdeepdive Appdisassemblyandanalysis Codeinjection Recap
4 © 2013 Apkudo LLC. www.apkudo.com PART I - CLASS
5 © 2013 Apkudo LLC. www.apkudo.com 1. UnzipAPK and disassemble classes.dex (baksmali) 2. Analyze – what is the application doing? 3. Inject byte code into the application to modify execution 4. Reassemble classes.dex (smali) and rezip/signAPK APK HACKING Approach Disassemble (baksmali) .smali Static analysis Reassemble (smali) Code injection
6 © 2013 Apkudo LLC. www.apkudo.com CODE INJECTION  Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code  Stick to public static methods in Dalvik byte code which have no register dependencies.  Let the compiler do the work - this hack was achieved with only one line of code injection! Best Practices:
7 © 2013 Apkudo LLC. www.apkudo.com TOOLS  Access to a terminal environment (preferably Linux or Mac osx)  Android SDK  keytool and jarsigner  Smali/Baksmali - http://code.google.com/p/smali/  Apktool - http://code.google.com/p/android-apktool/  Editor of choice (emacs!) You’ll need…
8 © 2013 Apkudo LLC. www.apkudo.com SMALI/BAKSMALI  Baksmali disassembles Dalvik executable (.dex) into readable Dalvik byte code (.smali)  Smali re-assembles .smali files back into .dex Dalvik executable  Gives developers the ability to modify execution of anAPK without having access to source code Dalvik Assembler/ Disassembler
9 © 2013 Apkudo LLC. www.apkudo.com APKTOOL  Wraps smali/baksmali andAndroid asset packaging tool (aapt)  Decodes resources and decompresses xml  Great for manifest introspection  Buggy :/ All in one reverser
10 © 2013 Apkudo LLC. www.apkudo.com THE APK A container for your app  Zipped file formatted based on JAR META-INF/ AndroidManifest.xml classes.dex lib/ res/ resources.arsc
11 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $unzipfoobar.apk–dfoobar $cd./foobar $ls AndroidManifest.xml META-INF classes.dex res resources.arsc lib $baksmali–a10–d~/boot_class_pathclasses.dex baksmali API level boot class path dex file
12 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $ls AndroidManifest.xml META-INF classes.dex res resources.arsc lib out $smali –a10./out–oclasses.dex $zip–r~/hacked.apk./* smali API level output dex file recursive
13 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $apktooldfoobar.apk foobar $cd./foobar $ls AndroidManifest.xml apktool.yml assets res smali $cd../ $apktoolb./foobar apktool decode out directory build
14 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $keytool-genkeypair-v -aliasdefault–keystore ~/.keystore–storepasspassword $jarsigner–keystore~/.keystore ./foobar.apk default keytool and jarsigner alias
15 © 2013 Apkudo LLC. www.apkudo.com SMALI FILES class representation in byte code .class public Lcom/apkudo/util/Serializer; .super Ljava/lang/Object; .source "Serializer.java” # static fields .field public static final TAG:Ljava/lang/String; = "ApkudoUtils” # direct methods .method public constructor <init>()V .registers 1 .prologue .line 5 invoke-direct {p0}, Ljava/lang/Object;-><init>()V return-void .end method Class information Static fields Methods Direct Virtual
16 © 2013 Apkudo LLC. www.apkudo.com SYNTAX V void Z boolean B byte S short C char F float I int J long D double [ array types .method private doSomething()V 64 bit – special instructions
17 © 2013 Apkudo LLC. www.apkudo.com SYNTAX • full name space slash separated • prefixed with L • suffixed with ; Lcom/apkudo/util/Serializer;classes const-string v0, "ApkudoUtils" new-instance v1, Ljava/lang/StringBuilder; invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V const-string v2, "docId: [" invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;- >append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v1
18 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  Method definitions  .method <[keyword]> <name>(<[param]>)<return type>  Method invocations  invoke-static – any method that is static  invoke-virtual– any method that isn‟t private, static, or final  invoke-direct – any non-static direct method  invoke-super – any superclass's virtual method  Invoke-interface– any interface method  Virtual methods require their class instance as a parameter! .method private doSomething()Vmethods
19 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method private doSomething()Vmethods .method private delayedAnimationFrame(J)Z .registers 8 .parameter "currentTime” keyword method name parameters/return # Static invocation invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z # Virtual invocation invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;- >drainAllRequests(I)V
20 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  All registers are 32 bits  Declaration  .registers – total number of registers  .locals – total minus method parameter registers  Naming scheme  Pregisters – parameter registers  implicit p0 = „this‟instance (non-static)  V registers – local registers  Pregisters are always at the end of the register list .locals 16 .registers 18 Registers
21 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public onCreate()V .registers 7 ... Register Example v0 First local register v1 Second local register v2 … v3 … v4 … v5 … v6 p0 First param – ‘this’ p0 == v6
22 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public doIt(Ljava/lang/String;II)V .registers 7 Register Example 2 v0 First local register v1 Second local register v2 … v3 p0 ‘this’ v4 p1 String v5 p2 int v6 p3 int p3 == v6 p2 == v5 p1 == v4 p0 == v3
23 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public doIt(JI)V .registers 7 # hint, j == long Register Example 3 v0 First local register v1 Second local register v2 v3 v4 v5 v6 Third local register p0 ‘this’ instance p1 long p2 long p3 int v3 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v4 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v5 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v6 - is it… A) Fourth local register? B) This instance? C) Long? D) Int?
24 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public static doIt(IJ)V .registers 7 Register Example 4 v0 First local register v1 Second local register v2 v3 v4 v5 v6 Third local register Fourth local register p0 Int p1 Long p2 Long v3 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v4 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v5 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v6 - is it… A) Fourth local register? B) This instance? C) Long? D) Int?
25 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  jumps  goto <offset> jumping .method public doIt(JI)V .registers 7 ... goto :goto_31 ... :goto_31 return-void
26 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  Conditionals  If-eq  If-ne  If-le  If-lt  If-ge  If-gt  Add z for zero  If-eqz  If-nez conditionals method public foobar()V .registers 2 const/4 v0, 0x0 if-eqz v0, :cond_6 return-void :cond_6 # Do something .end method
27 © 2013 Apkudo LLC. www.apkudo.com PUTTING IT ALL TOGETHER Example - Java package com.google.android.finsky; import android.app.Application; import android.accounts.Account; public class FinskyApp() extends Application { Account mCurrentAccount; public String getCurrentAccountName() { if (mCurrentAccount != null) { return mCurrentAccount.name; } else { return null; } } }
28 © 2013 Apkudo LLC. www.apkudo.com PUTTING IT ALL TOGETHER Same example - smali .method public getCurrentAccountName()Ljava/lang/String; .registers 2 .prologue .line 617 iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account; if-nez v0, :cond_6 const/4 v0, 0x0 :goto_5 return-object v0 :cond_6 iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String; goto :goto_5 .end method v0 First local register v1 p0 ‘this’ instance Getting this field! of type … into this reg
29 © 2013 Apkudo LLC. www.apkudo.com ONE FINAL STEP Obfuscation! • Renames classes, class members and and method • Preserves OS entry points and java namespace classes • Slows down the static analysis process • Not a silver bullet, but an easy first line of defense iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f; invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
30 © 2013 Apkudo LLC. www.apkudo.com PART II - DEMO https://github.com/davtbaum/adc-demo
31 © 2013 Apkudo LLC. www.apkudo.com HACKING SNAPCHAT
32 © 2013 Apkudo LLC. www.apkudo.com 1. Picture messenger with a catch… 2. Self-destructive pictures! 3. Pictures only last up to 10 seconds, ensures the receiver cannot save them 4. Alerts the sender if the receiver tries to take a screenshot 5. Net-worth $70M – over 20M snaps sent a day!1 WHAT IS SNAPCHAT? Real-time picture messenger 1. http://techcrunch.com/2012/12/12/sources-snapchat-raising-north-of-10m-at-around-70m-valuation-led-by-benchmarks-mitch-lasky/
33 © 2013 Apkudo LLC. www.apkudo.com SNAPCHAT IN ACTION
34 © 2013 Apkudo LLC. www.apkudo.com 1. UnzipAPK and disassemble classes.dex 2. Analyze for target resource (snapchat pictureAKA„snap‟) 3. Inject code to store or transmit resource 4. Reassemble classes.dex and rezip/resignAPK HACKING SNAPCHAT Approach Disassemble (baksmali) .smali Static analysis/ Code Injection Reassemble (smali)
35 © 2013 Apkudo LLC. www.apkudo.com TOOLS  Access to a terminal environment (preferably Linux or Mac osx)  Android SDK  keytool and jarsigner  Smali/Baksmali - http://code.google.com/p/smali/  Apktool - http://code.google.com/p/android-apktool/  Editor of choice (emacs!) You’ll need…
36 © 2013 Apkudo LLC. www.apkudo.com STEP 1  Query device for list of applications and associated file paths  adbshellpm listpackages–f  (optional)|grep–si“snapchat”  Pull the files  adbpull<file>~/snapchat/snapchat.apk GET THE APP
37 © 2013 Apkudo LLC. www.apkudo.com STEP 2  Extract classes.dexand remove keys  unzipsnapchat.apk  rm–r ./META-INF  Disassemble:  baksmali-a 10–d<framework_path> ./classes.dex  -a=api-level  -d=bootclasspathdir  „adbpull/system/framework/ ./framework‟ DECOMPRESS AND DISASSEMBLE
38 © 2013 Apkudo LLC. www.apkudo.com STEP 3  apktool dump and inspectAndroidManifest.xml for activities  apktooldsnapchat.apk  emacsAndroidManifest.xml  Find the resource  Use tools  uiautomator to retrieve view hierarchy (buggy)  adbshelldumpsyswindow|grep–si “mCurrentFocus”  Resolve resource in code ANDROID FORENSICS
39 © 2013 Apkudo LLC. www.apkudo.com STEP 3  Resource located! Now we need to retrieve it…  Don‟t write everything in byte code- build an application that contains the resource retrieval code.  Disassemble donor application and copy appropriate methods into target app  Easy enough, right? RESOURCE RETRIEVAL Java resource retrieval code Build Bytecode
40 © 2013 Apkudo LLC. www.apkudo.com DONOR APP RESOURCE RETRIEVAL package com.apkudo.util; import android.app.Activity; import android.graphics.Bitmap; import java.io.FileOutputStream; Import android.os.Bundle; public class HackUtils extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); } public void saveSnap(Bitmap bmp) { try { FileOutputStream out = new FileOutputStream(“/sdcard/test.png”); bmp.compress(Bitmap.CompressFormat.PNG, 90, out); } catch (Exception e) { e.printStackTrace(); } } }
41 © 2013 Apkudo LLC. www.apkudo.com STEP 4 CODE INJECTION  .method private showImage()V  Isolate Bitmap  Pass into resource retrieval method invoke-virtual{v1,v2},Lcom/snapchat/android/model/ReceivedSnap;- >getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap; move-result-objectv0 #Patches invoke-static{v0},Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V #EndofPatches
42 © 2013 Apkudo LLC. www.apkudo.com STEP 5  Re-assemble  smali–a10./out–oclasses.dex  Compress  zip–z0–r../snapchat.apk./*  SignAPK  jarsigner-verbose -keystore my-release-key.keystore ./snapchat.apkalias_name REBUILD APK
43 © 2013 Apkudo LLC. www.apkudo.com STEP 6  Install  adb install –r ../snapchat.apk  Run the app! INSTALLAND EXECUTE
44 © 2013 Apkudo LLC. www.apkudo.com RECAP  Obfuscate?  Very simple to navigate using method name  E.g. “showSnap()”.  Push images to native layer  OpenGL?  Native code is much harder to reverse.  Dynamic signature verification?  There is no silver bullet! ROOM FOR IMPROVEMENTS
Thankyou. DAVID@ .COM@davtbaum

Empfohlen

Hacking for Fun and Profit
Hacking for Fun and ProfitHacking for Fun and Profit
Hacking for Fun and ProfitApkudo
 
Who Needs Thumbs? Reverse Engineering Scramble With Friends
Who Needs Thumbs? Reverse Engineering Scramble With FriendsWho Needs Thumbs? Reverse Engineering Scramble With Friends
Who Needs Thumbs? Reverse Engineering Scramble With FriendsApkudo
 
Hacking for fun and for profit
Hacking for fun and for profitHacking for fun and for profit
Hacking for fun and for profitdavtbaum
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationWei-Ren Chen
 
Mobile development in 2020
Mobile development in 2020 Mobile development in 2020
Mobile development in 2020 Bogusz Jelinski
 
How to Customize Android Framework&System
How to Customize Android Framework&SystemHow to Customize Android Framework&System
How to Customize Android Framework&SystemIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
CORBA Programming with TAOX11/C++11 tutorial
CORBA Programming with TAOX11/C++11 tutorialCORBA Programming with TAOX11/C++11 tutorial
CORBA Programming with TAOX11/C++11 tutorialRemedy IT
 
Comparing IDL to C++ with IDL to C++11
Comparing IDL to C++ with IDL to C++11Comparing IDL to C++ with IDL to C++11
Comparing IDL to C++ with IDL to C++11Remedy IT
 

Empfohlen

Hacking for Fun and Profit
Hacking for Fun and ProfitHacking for Fun and Profit
Hacking for Fun and ProfitApkudo
 
Who Needs Thumbs? Reverse Engineering Scramble With Friends
Who Needs Thumbs? Reverse Engineering Scramble With FriendsWho Needs Thumbs? Reverse Engineering Scramble With Friends
Who Needs Thumbs? Reverse Engineering Scramble With FriendsApkudo
 
Hacking for fun and for profit
Hacking for fun and for profitHacking for fun and for profit
Hacking for fun and for profitdavtbaum
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationWei-Ren Chen
 
Mobile development in 2020
Mobile development in 2020 Mobile development in 2020
Mobile development in 2020 Bogusz Jelinski
 
How to Customize Android Framework&System
How to Customize Android Framework&SystemHow to Customize Android Framework&System
How to Customize Android Framework&SystemIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
CORBA Programming with TAOX11/C++11 tutorial
CORBA Programming with TAOX11/C++11 tutorialCORBA Programming with TAOX11/C++11 tutorial
CORBA Programming with TAOX11/C++11 tutorialRemedy IT
 
Comparing IDL to C++ with IDL to C++11
Comparing IDL to C++ with IDL to C++11Comparing IDL to C++ with IDL to C++11
Comparing IDL to C++ with IDL to C++11Remedy IT
 
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1Apkudo
 
Ruby conf2012
Ruby conf2012Ruby conf2012
Ruby conf2012Chandan Jog
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon expressAeshan Wijetunge
 
Optimizing Spring Boot apps for Docker
Optimizing Spring Boot apps for DockerOptimizing Spring Boot apps for Docker
Optimizing Spring Boot apps for DockerGraham Charters
 
rssfeeds.classpathrssfeeds.project rssfeed .docx
rssfeeds.classpathrssfeeds.project rssfeed .docxrssfeeds.classpathrssfeeds.project rssfeed .docx
rssfeeds.classpathrssfeeds.project rssfeed .docxjoellemurphey
 
Keeping Up with Java: Look at All These New Features!
Keeping Up with Java: Look at All These New Features!Keeping Up with Java: Look at All These New Features!
Keeping Up with Java: Look at All These New Features!VMware Tanzu
 
Develop Android app using Golang
Develop Android app using GolangDevelop Android app using Golang
Develop Android app using GolangSeongJae Park
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with PythonAndrii Soldatenko
 
JDK 9: Big Changes To Make Java Smaller
JDK 9: Big Changes To Make Java SmallerJDK 9: Big Changes To Make Java Smaller
JDK 9: Big Changes To Make Java SmallerSimon Ritter
 
How to Make Android Native Application
How to Make Android Native ApplicationHow to Make Android Native Application
How to Make Android Native ApplicationIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVMJavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVMDanHeidinga
 
Drone sdk showdown
Drone sdk showdownDrone sdk showdown
Drone sdk showdownGodfrey Nolan
 
Dropwizard and Friends
Dropwizard and FriendsDropwizard and Friends
Dropwizard and FriendsYun Zhi Lin
 
Hacking the Codename One Source Code - Part IV - Transcript.pdf
Hacking the Codename One Source Code - Part IV - Transcript.pdfHacking the Codename One Source Code - Part IV - Transcript.pdf
Hacking the Codename One Source Code - Part IV - Transcript.pdfShaiAlmog1
 
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...Olivier Destrebecq
 
7 Ways to improve your gradle build
7 Ways to improve your gradle build7 Ways to improve your gradle build
7 Ways to improve your gradle buildTania Pinheiro
 
Demystifying Maven
Demystifying MavenDemystifying Maven
Demystifying MavenMike Desjardins
 
Compose Camp: Introduction to Kotlin.pptx
Compose Camp: Introduction to Kotlin.pptxCompose Camp: Introduction to Kotlin.pptx
Compose Camp: Introduction to Kotlin.pptxAmruthasriAmaravati
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 

Weitere ähnliche Inhalte

Ähnlich wie Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1Apkudo
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Optimizing Spring Boot apps for Docker
Optimizing Spring Boot apps for DockerOptimizing Spring Boot apps for Docker
Optimizing Spring Boot apps for DockerGraham Charters
 
rssfeeds.classpathrssfeeds.project rssfeed .docx
rssfeeds.classpathrssfeeds.project rssfeed .docxrssfeeds.classpathrssfeeds.project rssfeed .docx
rssfeeds.classpathrssfeeds.project rssfeed .docxjoellemurphey
 
Keeping Up with Java: Look at All These New Features!
Keeping Up with Java: Look at All These New Features!Keeping Up with Java: Look at All These New Features!
Keeping Up with Java: Look at All These New Features!VMware Tanzu
 
Develop Android app using Golang
Develop Android app using GolangDevelop Android app using Golang
Develop Android app using GolangSeongJae Park
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with PythonAndrii Soldatenko
 
JDK 9: Big Changes To Make Java Smaller
JDK 9: Big Changes To Make Java SmallerJDK 9: Big Changes To Make Java Smaller
JDK 9: Big Changes To Make Java SmallerSimon Ritter
 
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVMJavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVMDanHeidinga
 
Dropwizard and Friends
Dropwizard and FriendsDropwizard and Friends
Dropwizard and FriendsYun Zhi Lin
 
Hacking the Codename One Source Code - Part IV - Transcript.pdf
Hacking the Codename One Source Code - Part IV - Transcript.pdfHacking the Codename One Source Code - Part IV - Transcript.pdf
Hacking the Codename One Source Code - Part IV - Transcript.pdfShaiAlmog1
 
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...Olivier Destrebecq
 
7 Ways to improve your gradle build
7 Ways to improve your gradle build7 Ways to improve your gradle build
7 Ways to improve your gradle buildTania Pinheiro
 
Compose Camp: Introduction to Kotlin.pptx
Compose Camp: Introduction to Kotlin.pptxCompose Camp: Introduction to Kotlin.pptx
Compose Camp: Introduction to Kotlin.pptxAmruthasriAmaravati
 

Ähnlich wie Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston (20)

Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
Who Needs Thumbs? Reverse Engineering Scramble with Friends v1.1
 
Ruby conf2012
Ruby conf2012Ruby conf2012
Ruby conf2012
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDK
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon express
 
Optimizing Spring Boot apps for Docker
Optimizing Spring Boot apps for DockerOptimizing Spring Boot apps for Docker
Optimizing Spring Boot apps for Docker
 
rssfeeds.classpathrssfeeds.project rssfeed .docx
rssfeeds.classpathrssfeeds.project rssfeed .docxrssfeeds.classpathrssfeeds.project rssfeed .docx
rssfeeds.classpathrssfeeds.project rssfeed .docx
 
Keeping Up with Java: Look at All These New Features!
Keeping Up with Java: Look at All These New Features!Keeping Up with Java: Look at All These New Features!
Keeping Up with Java: Look at All These New Features!
 
Develop Android app using Golang
Develop Android app using GolangDevelop Android app using Golang
Develop Android app using Golang
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with Python
 
JDK 9: Big Changes To Make Java Smaller
JDK 9: Big Changes To Make Java SmallerJDK 9: Big Changes To Make Java Smaller
JDK 9: Big Changes To Make Java Smaller
 
How to Make Android Native Application
How to Make Android Native ApplicationHow to Make Android Native Application
How to Make Android Native Application
 
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVMJavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
JavaOne 2017: Eclipse OpenJ9: Under the hood of the JVM
 
Drone sdk showdown
Drone sdk showdownDrone sdk showdown
Drone sdk showdown
 
Dropwizard and Friends
Dropwizard and FriendsDropwizard and Friends
Dropwizard and Friends
 
Hacking the Codename One Source Code - Part IV - Transcript.pdf
Hacking the Codename One Source Code - Part IV - Transcript.pdfHacking the Codename One Source Code - Part IV - Transcript.pdf
Hacking the Codename One Source Code - Part IV - Transcript.pdf
 
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
DMCA #25: Jenkins - Docker & Android: Comment Docker peu faciliter la créatio...
 
7 Ways to improve your gradle build
7 Ways to improve your gradle build7 Ways to improve your gradle build
7 Ways to improve your gradle build
 
Demystifying Maven
Demystifying MavenDemystifying Maven
Demystifying Maven
 
Compose Camp: Introduction to Kotlin.pptx
Compose Camp: Introduction to Kotlin.pptxCompose Camp: Introduction to Kotlin.pptx
Compose Camp: Introduction to Kotlin.pptx
 

Kürzlich hochgeladen

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Kürzlich hochgeladen (20)

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Hacking for Fun and Profit (Mostly for Fun). AnDevCon Boston

  • 1. HACKINGAPKS FOR FUN AND FOR PROFIT (MOSTLYFOR FUN) DAVIDTEITELBAUM MAY2013 @davtbaum
  • 2. 2 © 2013 Apkudo LLC. www.apkudo.com OBJECTIVES Androidappdisassembly Fundamentalsofcodeinjection Smali/BaksmaliandreadingDalvikbytecode Bestpracticesinhardeningyourapp Expect to learn:
  • 3. 3 © 2013 Apkudo LLC. www.apkudo.com ROADMAP PART I - CLASS PART II – DEMO/HACK Approachtohacking Tools–apktool,baksmali,smali TheAPK Allthingsbytecode Snapchatdeepdive Appdisassemblyandanalysis Codeinjection Recap
  • 4. 4 © 2013 Apkudo LLC. www.apkudo.com PART I - CLASS
  • 5. 5 © 2013 Apkudo LLC. www.apkudo.com 1. UnzipAPK and disassemble classes.dex (baksmali) 2. Analyze – what is the application doing? 3. Inject byte code into the application to modify execution 4. Reassemble classes.dex (smali) and rezip/signAPK APK HACKING Approach Disassemble (baksmali) .smali Static analysis Reassemble (smali) Code injection
  • 6. 6 © 2013 Apkudo LLC. www.apkudo.com CODE INJECTION  Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code  Stick to public static methods in Dalvik byte code which have no register dependencies.  Let the compiler do the work - this hack was achieved with only one line of code injection! Best Practices:
  • 7. 7 © 2013 Apkudo LLC. www.apkudo.com TOOLS  Access to a terminal environment (preferably Linux or Mac osx)  Android SDK  keytool and jarsigner  Smali/Baksmali - http://code.google.com/p/smali/  Apktool - http://code.google.com/p/android-apktool/  Editor of choice (emacs!) You’ll need…
  • 8. 8 © 2013 Apkudo LLC. www.apkudo.com SMALI/BAKSMALI  Baksmali disassembles Dalvik executable (.dex) into readable Dalvik byte code (.smali)  Smali re-assembles .smali files back into .dex Dalvik executable  Gives developers the ability to modify execution of anAPK without having access to source code Dalvik Assembler/ Disassembler
  • 9. 9 © 2013 Apkudo LLC. www.apkudo.com APKTOOL  Wraps smali/baksmali andAndroid asset packaging tool (aapt)  Decodes resources and decompresses xml  Great for manifest introspection  Buggy :/ All in one reverser
  • 10. 10 © 2013 Apkudo LLC. www.apkudo.com THE APK A container for your app  Zipped file formatted based on JAR META-INF/ AndroidManifest.xml classes.dex lib/ res/ resources.arsc
  • 11. 11 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $unzipfoobar.apk–dfoobar $cd./foobar $ls AndroidManifest.xml META-INF classes.dex res resources.arsc lib $baksmali–a10–d~/boot_class_pathclasses.dex baksmali API level boot class path dex file
  • 12. 12 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $ls AndroidManifest.xml META-INF classes.dex res resources.arsc lib out $smali –a10./out–oclasses.dex $zip–r~/hacked.apk./* smali API level output dex file recursive
  • 13. 13 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $apktooldfoobar.apk foobar $cd./foobar $ls AndroidManifest.xml apktool.yml assets res smali $cd../ $apktoolb./foobar apktool decode out directory build
  • 14. 14 © 2013 Apkudo LLC. www.apkudo.com EXAMPLES $keytool-genkeypair-v -aliasdefault–keystore ~/.keystore–storepasspassword $jarsigner–keystore~/.keystore ./foobar.apk default keytool and jarsigner alias
  • 15. 15 © 2013 Apkudo LLC. www.apkudo.com SMALI FILES class representation in byte code .class public Lcom/apkudo/util/Serializer; .super Ljava/lang/Object; .source "Serializer.java” # static fields .field public static final TAG:Ljava/lang/String; = "ApkudoUtils” # direct methods .method public constructor <init>()V .registers 1 .prologue .line 5 invoke-direct {p0}, Ljava/lang/Object;-><init>()V return-void .end method Class information Static fields Methods Direct Virtual
  • 16. 16 © 2013 Apkudo LLC. www.apkudo.com SYNTAX V void Z boolean B byte S short C char F float I int J long D double [ array types .method private doSomething()V 64 bit – special instructions
  • 17. 17 © 2013 Apkudo LLC. www.apkudo.com SYNTAX • full name space slash separated • prefixed with L • suffixed with ; Lcom/apkudo/util/Serializer;classes const-string v0, "ApkudoUtils" new-instance v1, Ljava/lang/StringBuilder; invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V const-string v2, "docId: [" invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;- >append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v1
  • 18. 18 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  Method definitions  .method <[keyword]> <name>(<[param]>)<return type>  Method invocations  invoke-static – any method that is static  invoke-virtual– any method that isn‟t private, static, or final  invoke-direct – any non-static direct method  invoke-super – any superclass's virtual method  Invoke-interface– any interface method  Virtual methods require their class instance as a parameter! .method private doSomething()Vmethods
  • 19. 19 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method private doSomething()Vmethods .method private delayedAnimationFrame(J)Z .registers 8 .parameter "currentTime” keyword method name parameters/return # Static invocation invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z # Virtual invocation invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;- >drainAllRequests(I)V
  • 20. 20 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  All registers are 32 bits  Declaration  .registers – total number of registers  .locals – total minus method parameter registers  Naming scheme  Pregisters – parameter registers  implicit p0 = „this‟instance (non-static)  V registers – local registers  Pregisters are always at the end of the register list .locals 16 .registers 18 Registers
  • 21. 21 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public onCreate()V .registers 7 ... Register Example v0 First local register v1 Second local register v2 … v3 … v4 … v5 … v6 p0 First param – ‘this’ p0 == v6
  • 22. 22 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public doIt(Ljava/lang/String;II)V .registers 7 Register Example 2 v0 First local register v1 Second local register v2 … v3 p0 ‘this’ v4 p1 String v5 p2 int v6 p3 int p3 == v6 p2 == v5 p1 == v4 p0 == v3
  • 23. 23 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public doIt(JI)V .registers 7 # hint, j == long Register Example 3 v0 First local register v1 Second local register v2 v3 v4 v5 v6 Third local register p0 ‘this’ instance p1 long p2 long p3 int v3 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v4 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v5 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v6 - is it… A) Fourth local register? B) This instance? C) Long? D) Int?
  • 24. 24 © 2013 Apkudo LLC. www.apkudo.com SYNTAX .method public static doIt(IJ)V .registers 7 Register Example 4 v0 First local register v1 Second local register v2 v3 v4 v5 v6 Third local register Fourth local register p0 Int p1 Long p2 Long v3 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v4 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v5 - is it… A) Fourth local register? B) This instance? C) Long? D) Int? v6 - is it… A) Fourth local register? B) This instance? C) Long? D) Int?
  • 25. 25 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  jumps  goto <offset> jumping .method public doIt(JI)V .registers 7 ... goto :goto_31 ... :goto_31 return-void
  • 26. 26 © 2013 Apkudo LLC. www.apkudo.com SYNTAX  Conditionals  If-eq  If-ne  If-le  If-lt  If-ge  If-gt  Add z for zero  If-eqz  If-nez conditionals method public foobar()V .registers 2 const/4 v0, 0x0 if-eqz v0, :cond_6 return-void :cond_6 # Do something .end method
  • 27. 27 © 2013 Apkudo LLC. www.apkudo.com PUTTING IT ALL TOGETHER Example - Java package com.google.android.finsky; import android.app.Application; import android.accounts.Account; public class FinskyApp() extends Application { Account mCurrentAccount; public String getCurrentAccountName() { if (mCurrentAccount != null) { return mCurrentAccount.name; } else { return null; } } }
  • 28. 28 © 2013 Apkudo LLC. www.apkudo.com PUTTING IT ALL TOGETHER Same example - smali .method public getCurrentAccountName()Ljava/lang/String; .registers 2 .prologue .line 617 iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account; if-nez v0, :cond_6 const/4 v0, 0x0 :goto_5 return-object v0 :cond_6 iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String; goto :goto_5 .end method v0 First local register v1 p0 ‘this’ instance Getting this field! of type … into this reg
  • 29. 29 © 2013 Apkudo LLC. www.apkudo.com ONE FINAL STEP Obfuscation! • Renames classes, class members and and method • Preserves OS entry points and java namespace classes • Slows down the static analysis process • Not a silver bullet, but an easy first line of defense iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f; invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
  • 30. 30 © 2013 Apkudo LLC. www.apkudo.com PART II - DEMO https://github.com/davtbaum/adc-demo
  • 31. 31 © 2013 Apkudo LLC. www.apkudo.com HACKING SNAPCHAT
  • 32. 32 © 2013 Apkudo LLC. www.apkudo.com 1. Picture messenger with a catch… 2. Self-destructive pictures! 3. Pictures only last up to 10 seconds, ensures the receiver cannot save them 4. Alerts the sender if the receiver tries to take a screenshot 5. Net-worth $70M – over 20M snaps sent a day!1 WHAT IS SNAPCHAT? Real-time picture messenger 1. http://techcrunch.com/2012/12/12/sources-snapchat-raising-north-of-10m-at-around-70m-valuation-led-by-benchmarks-mitch-lasky/
  • 33. 33 © 2013 Apkudo LLC. www.apkudo.com SNAPCHAT IN ACTION
  • 34. 34 © 2013 Apkudo LLC. www.apkudo.com 1. UnzipAPK and disassemble classes.dex 2. Analyze for target resource (snapchat pictureAKA„snap‟) 3. Inject code to store or transmit resource 4. Reassemble classes.dex and rezip/resignAPK HACKING SNAPCHAT Approach Disassemble (baksmali) .smali Static analysis/ Code Injection Reassemble (smali)
  • 35. 35 © 2013 Apkudo LLC. www.apkudo.com TOOLS  Access to a terminal environment (preferably Linux or Mac osx)  Android SDK  keytool and jarsigner  Smali/Baksmali - http://code.google.com/p/smali/  Apktool - http://code.google.com/p/android-apktool/  Editor of choice (emacs!) You’ll need…
  • 36. 36 © 2013 Apkudo LLC. www.apkudo.com STEP 1  Query device for list of applications and associated file paths  adbshellpm listpackages–f  (optional)|grep–si“snapchat”  Pull the files  adbpull<file>~/snapchat/snapchat.apk GET THE APP
  • 37. 37 © 2013 Apkudo LLC. www.apkudo.com STEP 2  Extract classes.dexand remove keys  unzipsnapchat.apk  rm–r ./META-INF  Disassemble:  baksmali-a 10–d<framework_path> ./classes.dex  -a=api-level  -d=bootclasspathdir  „adbpull/system/framework/ ./framework‟ DECOMPRESS AND DISASSEMBLE
  • 38. 38 © 2013 Apkudo LLC. www.apkudo.com STEP 3  apktool dump and inspectAndroidManifest.xml for activities  apktooldsnapchat.apk  emacsAndroidManifest.xml  Find the resource  Use tools  uiautomator to retrieve view hierarchy (buggy)  adbshelldumpsyswindow|grep–si “mCurrentFocus”  Resolve resource in code ANDROID FORENSICS
  • 39. 39 © 2013 Apkudo LLC. www.apkudo.com STEP 3  Resource located! Now we need to retrieve it…  Don‟t write everything in byte code- build an application that contains the resource retrieval code.  Disassemble donor application and copy appropriate methods into target app  Easy enough, right? RESOURCE RETRIEVAL Java resource retrieval code Build Bytecode
  • 40. 40 © 2013 Apkudo LLC. www.apkudo.com DONOR APP RESOURCE RETRIEVAL package com.apkudo.util; import android.app.Activity; import android.graphics.Bitmap; import java.io.FileOutputStream; Import android.os.Bundle; public class HackUtils extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); } public void saveSnap(Bitmap bmp) { try { FileOutputStream out = new FileOutputStream(“/sdcard/test.png”); bmp.compress(Bitmap.CompressFormat.PNG, 90, out); } catch (Exception e) { e.printStackTrace(); } } }
  • 41. 41 © 2013 Apkudo LLC. www.apkudo.com STEP 4 CODE INJECTION  .method private showImage()V  Isolate Bitmap  Pass into resource retrieval method invoke-virtual{v1,v2},Lcom/snapchat/android/model/ReceivedSnap;- >getImageBitmap(Landroid/content/Context;)Landroid/graphics/Bitmap; move-result-objectv0 #Patches invoke-static{v0},Lcom/apkudo/util/HackUtils;->saveSnap(Landroid/graphics/Bitmap;)V #EndofPatches
  • 42. 42 © 2013 Apkudo LLC. www.apkudo.com STEP 5  Re-assemble  smali–a10./out–oclasses.dex  Compress  zip–z0–r../snapchat.apk./*  SignAPK  jarsigner-verbose -keystore my-release-key.keystore ./snapchat.apkalias_name REBUILD APK
  • 43. 43 © 2013 Apkudo LLC. www.apkudo.com STEP 6  Install  adb install –r ../snapchat.apk  Run the app! INSTALLAND EXECUTE
  • 44. 44 © 2013 Apkudo LLC. www.apkudo.com RECAP  Obfuscate?  Very simple to navigate using method name  E.g. “showSnap()”.  Push images to native layer  OpenGL?  Native code is much harder to reverse.  Dynamic signature verification?  There is no silver bullet! ROOM FOR IMPROVEMENTS

Hinweis der Redaktion

  1. META-INF contains keys
  2. META-INF contains keys
  3. META-INF contains keys
  4. META-INF contains keys
  5. META-INF contains keys
  6. META-INF contains keys
  7. META-INF contains keys