1. HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
DAVID TEITELBAUM
@davtbaum
DECEMBER 2012
2. OBJECTIVES
Expect to learn:
Android app disassembly
Fundamentals of code injection
Smali/Baksmali and reading Dalvik byte code
Best practices in hardening your apps
2 © 2012 Apkudo Inc. Confidential www.apkudo.com
3. ROADMAP
PART I - CLASS
Approach to hacking
Tools – apktool, baksmali, smali
The APK
All things byte code
PART II – DEMO/HACK
Scramble With Friends deep dive
App disassembly and analysis
Code injection with ViewServer
Resource transmission
Recap
4. PART I - CLASS
5. APK HACKING
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Static analysis – what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK
[Diagram: APK → disassemble (baksmali) → .smali → static analysis / code injection → reassemble (smali) → APK]
6. CODE INJECTION
Best Practices:
You don't need to be a Dalvik byte code pro!
Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
Stick to public static methods in Dalvik byte code which have no register dependencies.
Let the compiler do the work – the demo hack is achieved by inserting only two lines of manual Dalvik byte code!
7. TOOLS
You’ll need…
Access to a terminal environment (preferably Linux or Mac OS X)
Android SDK
keytool and jarsigner
Smali/Baksmali - http://code.google.com/p/smali/
Apktool - http://code.google.com/p/android-apktool/
Editor of choice (emacs!)
8. SMALI/BAKSMALI
Dalvik Assembler/Disassembler
Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
Smali re-assembles .smali files back into a .dex Dalvik executable
Gives developers the ability to modify execution of an APK without having access to source code
9. APKTOOL
All in one reverser
Wraps smali/baksmali and the Android asset packaging tool (aapt)
Decodes resources and decompresses xml
Great for manifest introspection
Buggy :/
10. THE APK
A container for your app
Zipped file formatted based on JAR
META-INF/
AndroidManifest.xml
classes.dex
lib/
res/
resources.arsc
11. EXAMPLES
baksmali
$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib
$ baksmali -a 10 -d ~/boot_class_path classes.dex
(-a = API level, -d = boot class path directory, last argument = dex file)
13. EXAMPLES
apktool
$ apktool d foobar.apk foobar      (d = decode, foobar = out directory)
$ cd ./foobar
$ ls
AndroidManifest.xml apktool.yml assets res smali
$ cd ../
$ apktool b ./foobar               (b = build)
14. EXAMPLES
keytool and jarsigner
$ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
$ jarsigner -keystore ~/.keystore ./foobar.apk default      (default = key alias)
15. SMALI FILES
class representation in byte code
# class information
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# methods (direct methods here; virtual methods follow the same layout)
.method public constructor <init>()V
    .registers 1
    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
16. SYNTAX
types (e.g. .method private doSomething()V)
V  void
Z  boolean
B  byte
S  short
C  char
F  float
I  int
J  long    (64 bit – special instructions)
D  double  (64 bit – special instructions)
[  array
17. SYNTAX
classes (e.g. Lcom/apkudo/util/Serializer;)
• full name space, slash separated
• prefixed with L
• suffixed with ;
const-string v0, "ApkudoUtils"
new-instance v1, Ljava/lang/StringBuilder;
invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
const-string v2, "docId: ["
invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v1
18. SYNTAX
methods (e.g. .method private doSomething()V)
Method definitions
.method <keyword> <name>(<param>)<return type>
Method invocations
invoke-static – any method that is static
invoke-virtual – any method that isn't private, static, or final
invoke-direct – any non-static direct method
invoke-super – any superclass's virtual method
invoke-interface – invoke an interface method
19. SYNTAX
methods (e.g. .method private doSomething()V)
(keyword) (method name) (parameters / return type)
.method private delayedAnimationFrame(J)Z
    .registers 8
    .parameter "currentTime"
# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
20. SYNTAX
Registers (e.g. .locals 16 / .registers 18)
All registers are 32 bits
Declaration
.registers – total number of registers
.locals – total minus method parameter registers
Naming scheme
P registers – parameter registers; implicit p0 = 'this' instance
V registers – local registers
P registers are always at the end of the register list
21. SYNTAX
Register Example
.method public onCreate()V
    .registers 7
v0  First local register
v1  Second local register
v2 … v5  further local registers
v6  p0  First param – 'this'
p0 == v6
22. SYNTAX
Register Example 2
.method public doIt(Ljava/lang/String;II)V
    .registers 7
v0  First local register
v1  Second local register
v2  …
v3  p0  'this'
v4  p1  String
v5  p2  int
v6  p3  int
p3 == v6, p2 == v5, p1 == v4, p0 == v3
23. SYNTAX
Register Example 3
.method public doIt(JI)V
    .registers 7
# hint: J == long
v0  First local register
v1  Second local register
v2  Third local register
v3 – is it… A) Fourth local register? B) This instance? C) Long? D) Int?
v4 – is it… A) Fourth local register? B) This instance? C) Long? D) Int?
v5 – is it… A) Fourth local register? B) This instance? C) Long? D) Int?
v6 – is it… A) Fourth local register? B) This instance? C) Long? D) Int?
Answer:
v3  p0  'this' instance
v4  p1  long
v5  p2  long
v6  p3  int
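An added Python helper, not from the deck or Apkudo, that applies the register rules of the last four slides to any method descriptor: it walks the parameter types (object and array types included, and the two-register long/double case) and reports which vN register each pN parameter register aliases. Function names are my own.

```python
import re

# Wide primitives (long, double) occupy a pair of 32-bit registers.
WIDE_TYPES = {"J", "D"}

def parse_descriptor(descriptor):
    """Split a smali method descriptor such as '(Ljava/lang/String;II)V'
    into its parameter type descriptors and its return type."""
    m = re.fullmatch(r"\((.*)\)(.+)", descriptor)
    if not m:
        raise ValueError("malformed descriptor: %r" % descriptor)
    params, ret = m.group(1), m.group(2)
    types, i = [], 0
    while i < len(params):
        start = i
        while params[i] == "[":            # array dimensions prefix the element type
            i += 1
        if params[i] == "L":               # object types run up to the ';'
            i = params.index(";", i) + 1
        else:                              # primitives are a single letter
            i += 1
        types.append(params[start:i])
    return types, ret

def register_layout(descriptor, total_registers, is_static=False):
    """Map every vN register of a method to 'local' or to the pN parameter
    register it aliases, given the '.registers' count. Parameter registers
    always occupy the tail of the register list, p0 is 'this' for instance
    methods, and a long or double parameter takes two consecutive registers."""
    types, _ = parse_descriptor(descriptor)
    params = [] if is_static else [("this", 1)]
    params += [(t, 2 if t in WIDE_TYPES else 1) for t in types]
    param_regs = sum(width for _, width in params)
    if param_regs > total_registers:
        raise ValueError("%d registers cannot hold %d parameter registers"
                         % (total_registers, param_regs))
    layout = {}
    v = total_registers - param_regs       # this is also the '.locals' value
    layout.update(("v%d" % n, "local") for n in range(v))
    p = 0
    for t, width in params:
        for _ in range(width):             # a wide value spans two p registers
            layout["v%d" % v] = "p%d %s" % (p, "'this'" if t == "this" else t)
            v += 1
            p += 1
    return layout
```

Running it on the quiz above, `register_layout("(JI)V", 7)`, gives v3 = p0 'this', v4 = p1 J, v5 = p2 J and v6 = p3 I; the static `TextUtils.isEmpty` call from the syntax slide is `register_layout("(Ljava/lang/CharSequence;)Z", 1, is_static=True)`.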
24. SYNTAX
jumping
jumps: goto <offset>
.method public doIt(JI)V
    .registers 7
    ...
    goto :goto_31
    ...
    :goto_31
    return-void
25. SYNTAX
conditionals
Conditionals: if-eq, if-ne, if-le, if-lt, if-ge, if-gt (add z for the compare-with-zero forms, e.g. if-eqz)
.method public foobar()V
    .registers 2
    const/4 v0, 0x0
    if-eqz v0, :cond_6
    return-void
    :cond_6
    # Do something
.end method
26. PUTTING IT ALL TOGETHER
Example - Java
package com.google.android.finsky;

import android.app.Application;
import android.accounts.Account;

public class FinskyApp extends Application {
    Account mCurrentAccount;
    ...
    public String getCurrentAccountName() {
        if (mCurrentAccount != null) {
            return mCurrentAccount.name;
        } else {
            return null;
        }
    }
}
27. PUTTING IT ALL TOGETHER
Same example - smali
.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2                  # v0 = first local register, v1 = p0 ('this' instance)
    .prologue
    .line 617
    # getting this field, of type Landroid/accounts/Account;, into register v0
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
    if-nez v0, :cond_6
    const/4 v0, 0x0
    :goto_5
    return-object v0
    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
    goto :goto_5
.end method
28. ONE FINAL STEP
Obfuscation!
• Renames classes, class members and methods
• Preserves OS entry points and java namespace classes
• Slows down the static analysis process
• Not a silver bullet, but an easy first line of defense
iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
29. PART II - DEMO
31. HACKING SCRAMBLE
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Patch APK to receive resource, serialize, and transmit to host
4. Reassemble classes.dex (smali) and rezip APK
[Diagram: APK → disassemble (baksmali) → .smali → static analysis / code injection → reassemble (smali) → APK]
33. STEP 1 – DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove keys
unzip scramble.apk
rm -r ./META-INF
Disassemble:
baksmali -a 10 -d <framework_path> ./classes.dex
-a = api-level
-d = bootclasspath dir, e.g. out/target/product/generic/system/framework
34. STEP 2 – ANDROID FORENSICS
apktool dump and inspect AndroidManifest.xml for activities
Find the words list…how?
Beat obfuscation!
Search for class types and log messages
Find the intersection of the two!
Insert your own log statements
invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
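An added Python helper, not from the deck or Apkudo, that applies this slide's heuristic to a smali class file: it reports the methods that both reference a given class type and call android.util.Log, together with the string constants (log tags and messages) found in them. It runs on a constructed sample, and the same check lets a developer confirm that an obfuscated release build no longer pairs a sensitive type with log output.

```python
import re

# Constructed sample (not from any real app): two methods of an obfuscated
# class; only a() touches both a java.util.List and android.util.Log.
SAMPLE_SMALI = """\
.method private a()V
    .registers 4
    iget-object v0, p0, Lcom/a/a/b;->a:Ljava/util/List;
    invoke-virtual {v0}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v1
    const-string v2, "WordList"
    invoke-static {v2, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method

.method private b(I)V
    .registers 3
    const-string v0, "Tile"
    invoke-static {v0, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

METHOD_RE = re.compile(r"^\.method\s+(.+?)\n(.*?)^\.end method", re.S | re.M)
LOG_CALL_RE = re.compile(r"Landroid/util/Log;->([a-z]+)\(")
STRING_RE = re.compile(r'const-string(?:/jumbo)? [vp]\d+, "([^"]*)"')

def methods(smali_text):
    """Yield (header, body) for every .method ... .end method block."""
    for m in METHOD_RE.finditer(smali_text):
        yield m.group(1).strip(), m.group(2)

def find_candidates(smali_text, type_descriptor):
    """Return {method header: (Log levels used, string constants)} for the
    methods that reference type_descriptor AND call android.util.Log, i.e.
    the intersection of the two searches the slide describes."""
    hits = {}
    for header, body in methods(smali_text):
        levels = LOG_CALL_RE.findall(body)
        if levels and type_descriptor in body:
            hits[header] = (sorted(set(levels)), STRING_RE.findall(body))
    return hits
```

To use it on a real disassembly, read each .smali file under the baksmali output directory and call `find_candidates(text, "Ljava/util/List;")`.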
35. STEP 3 – INJECT VIEWSERVER INTO APP
Resource located! Now we need to send it…
Apply patch to ViewServer that stores list
public static void setScrambleWordList(List list);
Build patched ViewServer, extract .smali files
Copy smali files into our application
Easy enough, right?
36. STEP 4 – PATCH APP TO USE VIEWSERVER API
Start the ViewServer in the onCreate() method of MainActivity.smali
ViewServer.get()
invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
Pass the list to ViewServer in fu.smali
ViewServer.setScrambleWordList(list)
invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
37. STEP 5 – REBUILD APK
Re-assemble
smali -a 10 ./out -o classes.dex
Re-compress
zip -z0 -r ../scramble.apk ./*
Sign APK
jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
38. STEP 6 – INSTALL AND COMMUNICATE WITH APP
Install
adb install -r ../scramble.apk
Forward port
adb forward tcp:4939 tcp:4939
Communicate
nc -l 127.0.0.1 (listen)
39. APE
INTELLIGENT ANDROID INSTRUMENTATION
Fully aware of the application's content
Invokes actions and makes decisions based on what it sees
Optimized and extended Romain's ViewServer
Transmits view data after each invoked action
Introspects on OpenGL
Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
Editor's note: META-INF contains keys