Reversing Android Applications For Fun and Profit
•
6 gefällt mir•759 views
In this talk I'm gonna talk about Android applications' internals and how we can break them for fun and (why not?) profit.
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Reversing Android Applications For Fun and Profit
Ähnlich wie Reversing Android Applications For Fun and Profit (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Reversing Android Applications For Fun and Profit
- 1. DC5527 Maycon Maia Vitali maycon@hacknroll.com DC5527.ORG DEF CON GROUP REVERSING ANDROID APPLICATIONS FOR FUN AND PROFIT
- 2. AGENDA ● Who am I? ● Hello Android! ● Reversing Toolset ● Static Analysis – (Short Introduction to) Smali Code ● Dynamic Analysis – Binary Instrumentation ● Let’s Go – Patching WhatsApp Messenger (On-the-fly) – Patching WhatsApp Messenger (Binary APK)
- 3. WHO AM I? ● Maycon Maia Vitali ● Bsc & Msc in Computer Science ● Trustwave – Security Consultant @ SpiderLabs – Member of Mobile Application Security VT ● Hack N’ Roll - Member & Founder ● DC5527 Defcon Group - Member & Founder ● Certifications – Offensive Security Certified Expert (OSCE) – Mobile Application Penetration Test (MAPT)
- 4. HELLO WORLD, ANDROID! ANDROID FUNDAMENTALS
- 5. Application Components ● Activities – Entry point for interacting with the user ● Services – Keep an app running in the background ● Content Providers – App data that you can store in the file system ● Broadcast Receivers – Enables the system to deliver events
- 6. THE MANIFEST FILE AndroidManifest.xml ● Application information – Name, Version, API Level, SDK version etc. ● User permissions – Internet Access, Camera, access external storage etc. ● Components – Activities, Services, Receivers and Providers ● Componentes resources
- 12. THE MANIFEST FILE AndroidManifest.xml Intent Filters
- 14. REVERSING TOOLSET ● adb – Android Debug Bridge ● unzip + dex2jar – Decompres apk file and convert .dex file to .class ● apktool + keytool + jarsigner – Decode/build/sign .apk files ● ByteCode Viewer <3 – Last two toolset ● Frida <3 – Android process instrumentation tool
- 15. ANDROID DEBUG BRIDGE adb ● adb forward <local> <remote> ● adb install <apk> ● adb uninstall <pkg> ● adb sideload <file> ● adb push <local>... <remote> ● adb pull <remote>... <local> ● adb -s <specific device> ... ● adb logcat ● adb kill-server ● adb start-server ● adb devices -l ● adb shell ● adb root ● adb unroot
- 20. DECOMPRESS APK FILE unzip + dex2jar
- 21. DECOMPRESS APK FILE unzip + dex2jar
- 22. DECOMPRESS APK FILE unzip + dex2jar
- 23. DECOMPRESS APK FILE unzip + dex2jar
- 24. DECOMPRESS APK FILE unzip + dex2jar
- 25. DECOMPRESS APK FILE unzip + dex2jar
- 26. apktool + keytool + jarsigner
- 27. apktool + keytool + jarsigner
- 28. apktool + keytool + jarsigner $ vim ./build_sign_install.sh
- 29. BYTECODE VIEWER procyon + CFR + JD-GUI + FernFlower + Krakatau
- 30. STATIC ANALYSIS Introduction to Smali Language
- 31. INTRODUCTION TO SMALI Registers ● Virtual Registers – Up to 64k registes – 128 first are the most common (v0, v1, v2 …) – Can store everything (int, float, Object …) – Two naming schema: ● Local: v0, v1, v2… ● Params: p0, p1, p2… Local Param v0 First local register v1 Second local register v2 p0 First param register v3 p1 Second param registers v4 p2 Third param register
- 32. INTRODUCTION TO SMALI Data Type ● Primitive Data Type – I – int – J – long – Z – boolean – D – double – F – float – S – short – C – char – V – void (when return value) ● Classes: – Ljava/lang/Object; ● Arrays: – [I – [Ljava/lang/Object; – [[I ● List of types: simple concatenation – getAttr(Landroid/util/AttributeSet;[III)
- 33. INTRODUCTION TO SMALI Java Smali→
- 34. INTRODUCTION TO SMALI Java Smali→
- 35. INTRODUCTION TO SMALI Java Smali→
- 36. INTRODUCTION TO SMALI Java Smali→
- 37. INTRODUCTION TO SMALI Java Smali→
- 38. INTRODUCTION TO SMALI Java Smali→
- 39. INTRODUCTION TO SMALI Java Smali→
- 40. INTRODUCTION TO SMALI Java Smali→
- 41. INTRODUCTION TO SMALI Java Smali→
- 42. INTRODUCTION TO SMALI Java Smali→
- 43. INTRODUCTION TO SMALI Java Smali→
- 44. INTRODUCTION TO SMALI Smali Java→
- 45. INTRODUCTION TO SMALI Smali Java→
- 46. INTRODUCTION TO SMALI Smali Java→
- 47. INTRODUCTION TO SMALI Smali Java→
- 48. INTRODUCTION TO SMALI Smali Java→
- 49. INTRODUCTION TO SMALI Smali Java→
- 50. INTRODUCTION TO SMALI Smali Java→
- 51. INTRODUCTION TO SMALI Smali Java→
- 52. INTRODUCTION TO SMALI Smali Java→
- 53. INTRODUCTION TO SMALI Smali Java→
- 54. INTRODUCTION TO SMALI Smali Java→
- 55. INTRODUCTION TO SMALI Smali Java→
- 56. INTRODUCTION TO SMALI Smali Java→
- 57. INTRODUCTION TO SMALI Smali Java→
- 58. INTRODUCTION TO SMALI Smali Java→
- 59. INTRODUCTION TO SMALI Smali Java→
- 60. INTRODUCTION TO SMALI Smali Java→
- 61. INTRODUCTION TO SMALI Smali Java→
- 62. INTRODUCTION TO SMALI Smali Java→
- 64. Frida Introduction ● Inject Javascript to explore native applications ● Compatible with many OS – Windows, MacOS, Linux, iOS, Android and QNX. ● Extremely useful for… – … custom debugger. – … hook any function. – … spy on Crypt API. – … trace application code. ● No source-code needed.
- 69. Frida frida-ps
- 75. Frida Hooking
- 76. Frida Hooking
- 77. Frida Hooking
- 78. Frida Hooking
- 79. Frida Hooking
- 80. Frida Hooking
- 81. Frida Hooking
- 82. DEMO
- 83. DC5527 Maycon Maia Vitali maycon@hacknroll.com DC5527.ORG DEF CON GROUP THANK YOU!