Who Needs Thumbs? Reverse Engineering Scramble With Friends
2. OBJECTIVES
APK Code Injection
Smali/Baksmali
Android Instrumentation
Android Forensics
Hands On!
2 © 2012 Apkudo Inc. Confidential www.apkudo.com
4. APK HACKING
Approach
1. Extract APK and disassemble classes.dex
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Create a server to receive the resource, serialize it, and transmit it to the host
4. Patch APK with server.
5. BUT I DON'T KNOW DALVIK!?
DON'T WORRY!
You do know Java, and you can use the Smali/Baksmali tools to disassemble the compiled Java (Dalvik) code into readable Dalvik bytecode.
By sticking to public static methods within the server, static method calls in Dalvik are only two lines long:
invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
move-result-object v0
6. SMALI/BAKSMALI? DALVIK ASSEMBLER/DISASSEMBLER
Baksmali disassembles an APK's classes.dex executable into readable Dalvik bytecode (.smali)
Smali re-assembles .smali files back into a .dex Dalvik executable
Gives developers the ability to modify Android APKs without having access to the source code
Documentation on Smali/Baksmali and Dalvik is in the Smali wiki: http://code.google.com/p/smali/w/list
7. ROMAIN'S VIEWSERVER: LOCAL SERVER FOR ANDROID'S HIERARCHY VIEWER
Serves the app's view data to a host (hierarchyviewer) via a port forwarded through ADB
Runs entirely in the APK's address space
Developed to emulate the Android ViewServer implemented on development Android devices
Perfect for transmitting a serialized word list back to a host machine
Must add a ViewServer window in the onCreate() method of each activity in the app.
https://github.com/romainguy/ViewServer
8. STEP 1: DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove the old signature files (META-INF):
unzip scramble.apk
rm -r ./META-INF
Disassemble:
baksmali -a 10 -c <framework_path> ./classes.dex
-a = api-level
-c = bootclasspath, e.g. out/target/product/generic/system/framework
9. STEP 2: ANDROID FORENSICS
Investigate the .smali source code for where the resources are aggregated
Trace!
onCreate() method in the calling activity, ScrambleGameActivity.java
Insert log statements to print the active resources:
invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
10. WHAT WE FOUND: A LIST OF WORDS AND MATRIX POSITIONS
11. STEP 3: COMPILE VIEWSERVER INTO A DONOR APP
The donor can be any Android app you can build from source
Just include the server's .java files as part of the package; the server does not need to be instantiated or used by the app itself, it is there for compilation purposes only!
12. STEP 4: EXTRACT SERVER FROM DONOR AND INJECT INTO SWF
Disassemble ViewServer.apk
Use sed to rewrite every reference to com.android.debug.hv.ViewServer as com.zynga.scramble.ViewServer
Run (BSD/macOS sed syntax; GNU sed takes -i without the empty argument; '#' is used as the delimiter because the class descriptors contain '/', and 'g' rewrites every occurrence on a line, since an invoke line can name the class twice):
find . -type f -exec sed -i '' 's#Lcom/android/debug/hv/ViewServer#Lcom/zynga/scramble/ViewServer#g' {} +
Copy the ViewServer .smali files into the SWF out directory
13. STEP 5: PATCH SWF TO SERVE VIEW DATA ON ACTIVITY LAUNCH
Preliminary investigation shows that SWF uses a base class that extends Activity:
grep -sir '.super Landroid/app/Activity;' ./
In the onCreate() and onResume() methods, invoke ViewServer.addWindow() and ViewServer.setFocusedWindow() respectively!
14. STEP 6: IMPLEMENT RESOURCE SERIALIZATION ON VIEWSERVER
Create a public static method that takes in the resource, serializes it, and transmits it to the host.
Patch the APK to invoke this method once the resources have been collected:
invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
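From the app developer's side, the injection described in Steps 4 to 6 leaves a clear trace: the disassembled APK defines a class the original build never had, and the patched activities call into it. The script below is an added example (not from the deck or from Apkudo) that parses the .class and invoke-* lines of smali files and diffs them against a baseline class set; the smali fragments and the baseline are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed smali fragments (illustrative, not the real SWF code): a base
# activity carrying the deck's two-line static call, plus the injected class.
BASE_ACTIVITY_SMALI = """\
.class public Lcom/zynga/scramble/BaseActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
    move-result-object v0
    invoke-virtual {v0, p0}, Lcom/zynga/scramble/ViewServer;->addWindow(Landroid/app/Activity;)V
    return-void
.end method
"""
INJECTED_SERVER_SMALI = ".class public Lcom/zynga/scramble/ViewServer;\n.super Ljava/lang/Object;\n"
SAMPLE_FILES = {"BaseActivity.smali": BASE_ACTIVITY_SMALI, "ViewServer.smali": INJECTED_SERVER_SMALI}
# Classes known to be in the shipped build (hypothetical baseline, normally taken from your own dex).
BASELINE: Set[str] = {"Lcom/zynga/scramble/BaseActivity;"}

CLASS_RE = re.compile(r"^\.class\b.*?(L[\w/$]+;)\s*$", re.M)
INVOKE_RE = re.compile(
    r"^\s*invoke-(\w+)(?:/range)?\s+\{[^}]*\},\s*(L[\w/$]+;)->([\w<>$]+)\(([^)]*)\)(\S+)", re.M)

def parse_smali(text: str) -> Tuple[str, List[Tuple[str, str, str, str, str]]]:
    """Return the class a .smali file defines and every invoke-* it contains as
    (kind, target class, method, parameter descriptors, return descriptor)."""
    m = CLASS_RE.search(text)
    return (m.group(1) if m else ""), INVOKE_RE.findall(text)

def find_injected(files: Dict[str, str], baseline: Set[str]):
    """Diff the disassembled class set against the baseline: classes absent from
    the original build are reported together with every call into them."""
    defined, calls = {}, []
    for name, text in files.items():
        cls, invokes = parse_smali(text)
        if cls:
            defined[cls] = name
        calls.extend((name, inv) for inv in invokes)
    extra = {c for c in defined if c not in baseline}
    suspicious = [(src, kind, f"{cls}->{meth}({params}){ret}")
                  for src, (kind, cls, meth, params, ret) in calls if cls in extra]
    return extra, suspicious

if __name__ == "__main__":
    extra, suspicious = find_injected(SAMPLE_FILES, BASELINE)
    print("classes not in the original build:", sorted(extra))
    for src, kind, target in suspicious:
        print(f"{src}: invoke-{kind} {target}")
```

On a real build, populate the baseline from the class list of the APK you signed and point the file dict at a baksmali output tree; a non-empty result means the package was repackaged, which the signature check in Step 7 alone does not tell you if the attacker re-signed with their own key.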
15. STEP 7: REBUILD APK
Re-assemble:
smali -a 10 ./out -o classes.dex
Re-compress (-0 stores the entries uncompressed):
zip -0 -r ../scramble.apk ./*
Sign the APK:
jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
16. APE: INTELLIGENT ANDROID INSTRUMENTATION
Fully aware of the application's content
Invokes actions and makes decisions based on what it sees
Optimized and extended Romain's ViewServer
Transmits view data after each invoked action
Introspects on OpenGL
Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
Editor's Notes: Once you have your app disassembled, apply forensics! Knew SWF was storing word lists; when was this list being populated? How? Trace!