How to reverse engineer Android applications
Finding Vulnerabilities through Reverse Engineering
Hasso Plattner Institute, Potsdam
Hubert Hesse, Lukas Pirl, Christoph Matthies, Conrad Calmez
Using a popular word game as an example
Images: “Freepik” on flaticon.com (CC BY 3.0), Google (CC BY 3.0)
1 Get the .apk
2 Extract the .apk
3 Decompilation to Smali
4 Debugging
5 Decompilation to Java
6 Putting it together
7 Proxy
8 Automation
Our Example—a word game
● Top 10 word game in 145 countries (as of July 2014)
● More than 10.000.000 installs
● Over 50 million players
● Play online (with friends)
● 14 languages
● Free and premium version
Screenshots of the game board (4x4 letter grid, timer at 1:58): 0 points before a swipe, 15 points after swiping the word FLUT (+15).
1 Get the .apk
● APK (application package file): archive file based on the JAR format
● Similar to Deb packages (in Ubuntu) or MSI packages (in Windows)
● Contains program code, resources, assets, certificates, and manifest file
● Can’t be directly downloaded from the App Store
Download using an online “APK Downloader” (http://apps.evozi.com/apk-downloader/)
- or -
Install on device and download using SDK tools:
adb pull <app_path> downloaded.apk
2 Extract the .apk
● Normal decompression using unzip fails
● Special tool: APKTool
○ Standard is APKTool 1.5.2 (not able to recompress correctly) (https://code.google.com/p/android-apktool/downloads/list)
○ APKTool 2.0.0 Beta 9 works (http://connortumbleson.com/2014/02/apktool-2-0-0-beta-9-released/)
Decompressing:
apktool d -d game.apk -o outdir
2 Modifying resources
● Change arbitrary resources
● Repack into .apk file and install
Recompressing:
apktool b -d outdir -o com.company.game.free_patch.apk
● Recompression works, but Android fails with “can’t install”: wrong certificate
○ APKTool tries to reuse as much as possible, doesn’t recompute the signature
Manually sign the repacked apk:
● Create custom CA
● Java JAR Signing and Verification Tool (http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore com.company.game.free_patch.apk alias_name
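Why the repacked archive is refused until it is re-signed, as an added example that is not code from the slides or from the tools they name: an APK is a JAR-style zip whose META-INF/MANIFEST.MF carries a digest of every entry, and the signature files cover that manifest. A repack that copies the old META-INF over changed content leaves stale digests (and the old signer's certificate) behind, which the install-time check rejects. The example models the digest part of that check (v1 JAR signing) on a tiny archive constructed in memory; signature blocks and the later v2/v3 APK signing schemes are out of scope, and all names and file contents are this example's own.

```python
# Added example (not from the slides): v1 JAR-manifest digest check on a constructed
# "APK", showing why a resource patch without re-signing fails verification.

import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

MANIFEST = "META-INF/MANIFEST.MF"


def entry_digest(data: bytes) -> str:
    """SHA1-Digest attribute value as jarsigner writes it: base64 of SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(entries: Dict[str, bytes]) -> bytes:
    """Manifest with one Name/SHA1-Digest section per archive entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {entry_digest(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def parse_manifest(text: bytes) -> Dict[str, str]:
    """Map entry name -> SHA1-Digest. A line starting with a space continues the
    previous one (the manifest format wraps lines longer than 72 bytes)."""
    unfolded: List[str] = []
    for raw in text.decode("utf-8").splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    digests: Dict[str, str] = {}
    name = None
    for line in unfolded:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None
    return digests


def make_apk(entries: Dict[str, bytes], sign: bool = True) -> bytes:
    """Zip the entries; with sign=True add a manifest whose digests match them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        if sign:
            z.writestr(MANIFEST, build_manifest(entries))
    return buf.getvalue()


def repack_with_change(apk: bytes, name: str, new_data: bytes) -> bytes:
    """Model of a repack that copies META-INF unchanged (what the slides report for
    apktool): every entry is carried over, only `name` gets new content."""
    src = zipfile.ZipFile(io.BytesIO(apk))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info)
            dst.writestr(info.filename, data)
    return buf.getvalue()


def check_manifest_digests(apk: bytes) -> Tuple[bool, List[str]]:
    """(ok, problems): entries whose content no longer matches the manifest and
    entries the manifest does not cover. META-INF files are exempt, as in a real JAR."""
    z = zipfile.ZipFile(io.BytesIO(apk))
    names = z.namelist()
    if MANIFEST not in names:
        return False, ["manifest missing (unsigned archive)"]
    expected = parse_manifest(z.read(MANIFEST))
    problems: List[str] = []
    for name in names:
        if name.startswith("META-INF/"):
            continue
        if name not in expected:
            problems.append(f"{name}: not covered by manifest")
        elif entry_digest(z.read(name)) != expected[name]:
            problems.append(f"{name}: digest mismatch")
    return not problems, problems


# Constructed stand-ins for an app's files.
ORIGINAL_ENTRIES = {
    "classes.dex": b"dex\n035\x00constructed dex payload",
    "res/values/strings.xml": b"<resources><string name='app_name'>Game</string></resources>",
}


def demo() -> Tuple[bool, bool]:
    """Digest check before and after patching a resource without re-signing."""
    signed = make_apk(ORIGINAL_ENTRIES)
    ok_before, _ = check_manifest_digests(signed)
    patched = repack_with_change(signed, "res/values/strings.xml",
                                 b"<resources><string name='app_name'>Patched</string></resources>")
    ok_after, _ = check_manifest_digests(patched)
    return ok_before, ok_after
```

Running demo() gives (True, False): the original archive verifies, the repacked one fails on the changed resource. Re-signing with jarsigner, as the slide does, rewrites the manifest and signature files over the new content, which is why that step cannot be skipped.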
3 Decompilation to Smali
.apk contains compiled code
● Dalvik bytecode interpreted by the Dalvik process virtual machine
● Stored in .dex (Dalvik EXecutable) files
APKTool translates this to “smali” (https://code.google.com/p/smali/)
● Abstraction of bytecode, closer to Java
● Dalvik opcodes (http://s.android.com/tech/dalvik/dalvik-bytecode.html)
● Can be edited directly
Smali Hello World:
.class public LHelloWorld;
.super Ljava/lang/Object;
.method public static main([Ljava/lang/String;)V
    .registers 2
    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
    const-string v1, "Hello World!"
    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    return-void
.end method
4 Debugging
Interactive debugging
● Set debuggable="true" in AndroidManifest.xml
○ Repack using APKTool
● Need to connect smali sources to binary
● Workaround: pretend we have valid Java code
<application android:allowBackup="true" android:hardwareAccelerated="true"
    android:icon="@drawable/launcher_icon" android:label="@string/app_name"
    android:name="com.company.game.core.GameApplication"
    android:theme="@style/Theme.GameTheme" android:debuggable="true">
Smali code in comments of placeholder Java:
a=0;// .class public abstract La;
a=0;// .super Ljava/lang/Object;
a=0;//
a=0;//
a=0;// # instance fields
a=0;// .field protected final a:Ljava/lang/Object;
a=0;//
a=0;// .field private final b:Landroid/os/Handler;
a=0;//
5 Decompilation to Java
Two ways to obtain Java code
● Convert .dex files to .jar
○ Use standard Java bytecode decompilers
● Disassemble .dex directly to .java
Using dex files
● Androguard (https://code.google.com/p/androguard/)
○ Maps DEX format into full Python objects
○ Works in memory (my 4GB machine wasn’t enough)
○ Doesn’t immediately dump code into Java files
Using jar files
● dex2jar (https://code.google.com/p/dex2jar/)
○ dex2jar, jar2dex, apk-sign
○ Supports recreating .dex from Java
● JD-GUI (http://jd.benow.ca/)
○ Popular jar decompiler
○ Works 100% with “Hello World” app
6 Putting it together
Combining Java decompilation and Smali
● Java more readable than Smali
● Unfortunately Java decompilation not 100% perfect
○ Invalid Java constructs or only method signatures
○ Cannot recompile from Java sources
When decompilation fails, an example (goto is not supported in Java, and bare JVM instructions appear in the output):
private void fixSpecialChars()
{
    int i;
    char ac[];
    int j;
    int k;
    i = 0;
    ac = tiles;
    j = ac.length;
    k = 0;
_L9:
    if(k >= j)
        break MISSING_BLOCK_LABEL_161;
    ac[k];
    JVM INSTR lookupswitch 6: default 80
//                   40: 125
//                   41: 137
//                   47: 149
//                   91: 89
//                   92: 101
//                   93: 113;
       goto _L1 _L2 _L3 _L4 _L5 _L6 _L7
_L4:
    break MISSING_BLOCK_LABEL_149;
_L1:
    break; /* Loop/switch isn't completed */
_L5:
    break; /* Loop/switch isn't completed */
_L10:
    i++;
    k++;
    if(true) goto _L9; else goto _L8
_L8:
● Approach: Use multiple Java decompilers
○ They tend to fail in different places
1. Find interesting parts in Java source
2. Check corresponding smali sources
3. Edit those
6 Manipulating the score
protected void roundEnd(boolean paramBoolean)
{
    // …
    this.resultData.setTotalScore(this.totalScore);
    // …
    startRoundSummary();
    if (!this.isPractice)
    {
        this.currentRound.setWordsInRound(this.resultData.getMoves().size());
        // …
        this.currentRound.setPlayer1Moves(GameHelper.encodeMoves(this.resultData.getMoves()));
        this.currentRound.setPlayer1Score(this.totalScore);
        // …
Opportunities for manipulation
● Server validation disallows this
a=0;// sget-boolean v0, Lcom/company/game/core/statics/Statics;->DEBUGGING:Z
a=0;//
a=0;// #v0=(Boolean);
-a=0;// if-eqz v0, :cond_0
+a=0;// #if-eqz v0, :cond_0
a=0;//
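Review bot: the branch removed here, `if-eqz v0, :cond_0`, is the only thing standing between a release build and `Log.w`, and it tests a static field (`Statics.DEBUGGING`) that ships inside the binary, so one commented-out line turns every `Logw` call on. If logging is meant to be off in production, strip the calls at build time (for example with ProGuard's `-assumenosideeffects` on the `Log` and `Toolkit.Logw` methods) instead of guarding them with a runtime flag; what the app would log is then not in the shipped code at all.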
6 Enable Logging
public class Toolkit
{
    // …
    public static void Logw(String s, String s1)
    {
        if(Statics.DEBUGGING)
            Log.w(s, s1);
    }
    // …
a=0;// # static fields
a=0;// .field public static ROUND_DURATION_IN_SECONDS_FOR_NORMAL_GAME:I
a=0;// .field public static ROUND_DURATION_IN_SECONDS_FOR_TUTORIAL:I
a=0;//
a=0;// .method static constructor <clinit>()V
a=0;// .locals 1
…
-a=0;// const/16 v0, 0x78
+a=0;// const/16 v0, 0x12c
a=0;//
a=0;// #v0=(PosByte);
a=0;// sput v0, Lcom/company/game/core/statics/GameStatics;->ROUND_DURATION_IN_SECONDS_FOR_NORMAL_GAME:I
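Review bot: `const/16 v0, 0x78` (120) to `const/16 v0, 0x12c` (300) changes `ROUND_DURATION_IN_SECONDS_FOR_NORMAL_GAME`, a constant set in the class initialiser on the client, so the round length is whatever the installed binary says. The server response shown later carries the per-round data (moves, scores, seeds), so the server is in a position to record when a round was handed out and reject moves submitted after the 120 s it expects, rather than trusting the client's timer.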
6 More time per round: the constant 0x78 (120 s) becomes 0x12c (300 s)
6 Getting Premium
public static boolean allowPremiumContent(PremiumType premiumtype, Context context)
{
    if(premiumIsPurchased(context))
        return true;
    synchronized(lock)
    {
        if(!isLicensed(context))
            break MISSING_BLOCK_LABEL_31;
    }
    return true;
a=0;// .line 129
-a=0;// invoke-static {p0}, Lcom/company/game/util/PremiumCampaignHelper;->premiumIsPurchased(…;)Z
+a=0;// # invoke-static {p0}, Lcom/company/game/util/PremiumCampaignHelper;->premiumIsPurchased(…;)Z
a=0;//
-a=0;// move-result v0
+a=0;// # move-result v0
a=0;//
-a=0;// #v0=(Boolean);
-a=0;// if-eqz v0, :cond_0
+a=0;// #v0=(One);
+a=0;// # if-eqz v0, :cond_0
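Review bot: with `invoke-static ... premiumIsPurchased` and its `move-result v0` commented out, `v0` is never assigned before the (also removed) `if-eqz`, so execution simply falls through to `return true`; the `#v0=(One)` line is an apktool annotation, not an instruction, and assigns nothing. The design point is that `allowPremiumContent` decides entitlement from a boolean computed on the device, while the server already tracks `"premium"` per user (visible in the JSON response later on), so premium features and content should be gated on that server-side state and the client-side check treated as a UI hint only.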
Screenshots: free version vs. premium (stats unlocked, no ads)
7 Proxy
Route all app traffic through a custom proxy
● Used mitmproxy (https://github.com/mitmproxy/mitmproxy)
● Retrieve real server URL via Wireshark
● Redirect app traffic via /etc/hosts on device
● Custom SSL certificate
○ Install own CA on device
○ No certificate pinning
● Avoid compressed responses via HTTP header
○ Accept-Encoding: gzip;q=0,deflate,sdch
7 Proxy: AES encryption
● Shared key in decompiled code
● No key derivation function
● AES initialization vector in HTTP header
○ Payload-session: 2e2f6a61642f7372…
○ Unencrypted
// file APIConnector.java
private static byte sharedKey[] = {
    57, -116, 126, 39, 116, -25, -95, -106, -81, 48,
    -33, -19, 120, 118, 35, 40, 66, 126, 31, 30,
    -83, 76, 31, 93, 13, -122, -50, 68, -108, -114, 28, -80
};
Diagram: app ⇄ SSL ⇄ MitM proxy ⇄ SSL ⇄ server. The HTTP request carries the AES IV in a header and the AES-encrypted payload in the body; /etc/hosts on the device redirects the app to the proxy; a Python script decrypts the payload using the IV.
Icons: Server by “aLf”, thenounproject.com (CC BY 3.0 US); Spy by “Hopstarter”, iconarchive.com (CC BY-NC-ND 4.0)
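The key material on this slide, handled in code, as an added example that is not from the slides or the app: the shared key is a Java `byte[]` literal (signed values), the IV arrives as a hex string in the `Payload-session` header, and both have to become byte strings before any decryption routine can use them. Next to that sits the handling a reviewer would ask for instead: a key derived through a KDF and an IV drawn fresh per message. Only the key and IV material is handled; no cipher call is made. The key values are the ones printed on the slide, the header value is the truncated prefix shown there, and all function names are this example's own.

```python
# Added example (not from the slides): key and IV material as found versus as it
# should be handled. Standard library only.

import hashlib
import os
from typing import List

# Java byte[] literal from APIConnector.java on the slide (Java bytes are signed).
SHARED_KEY_JAVA: List[int] = [
    57, -116, 126, 39, 116, -25, -95, -106, -81, 48,
    -33, -19, 120, 118, 35, 40, 66, 126, 31, 30,
    -83, 76, 31, 93, 13, -122, -50, 68, -108, -114, 28, -80,
]

# Truncated "Payload-session" header value as printed on the slide.
PAYLOAD_SESSION_PREFIX = "2e2f6a61642f7372"

AES_BLOCK = 16  # CBC IV length in bytes


def java_bytes_to_key(values: List[int]) -> bytes:
    """Java byte[] -> bytes: mask each signed value with 0xFF (-116 becomes 0x8c)."""
    if any(not -128 <= v <= 127 for v in values):
        raise ValueError("not a Java byte[] literal")
    return bytes(v & 0xFF for v in values)


def aes_variant(key: bytes) -> str:
    """The key length alone says which AES variant the app is using."""
    return {16: "AES-128", 24: "AES-192", 32: "AES-256"}.get(len(key), "not an AES key")


def parse_iv_header(hex_value: str) -> bytes:
    """Header value -> IV bytes. A complete CBC IV is one block; the slide's is cut off."""
    return bytes.fromhex(hex_value)


def iv_is_complete(iv: bytes) -> bool:
    return len(iv) == AES_BLOCK


def looks_like_text(data: bytes) -> bool:
    """All bytes printable ASCII. Random IV bytes almost never pass this; a fixed
    string does, so it is a cheap triage check on captured headers."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


# Hardened counterpart: derive the working key instead of shipping one, and use a
# fresh IV for every message.

def derive_key(secret: bytes, salt: bytes, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 from a per-session secret (e.g. established at login)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000, dklen=length)


def fresh_iv() -> bytes:
    """One random block per message; it may travel in the clear but must not repeat."""
    return os.urandom(AES_BLOCK)


def report() -> dict:
    """What the material on the slide implies, as a dict for reporting."""
    key = java_bytes_to_key(SHARED_KEY_JAVA)
    iv = parse_iv_header(PAYLOAD_SESSION_PREFIX)
    return {
        "key_hex": key.hex(),
        "variant": aes_variant(key),
        "iv_prefix_complete": iv_is_complete(iv),
        "iv_prefix_is_text": looks_like_text(iv),
    }
```

The 32 key bytes mean AES-256, and the header prefix on the slide decodes to printable ASCII. Whether the full IV is a fixed string cannot be told from a truncated value, which is exactly why a check like looks_like_text belongs in the triage of captured headers: an IV that never changes gives CBC none of the per-message variation it depends on.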
7 Proxy: server response (request size up to 100 kB)
{
    "cacheTimestamp": "1405377910521",
    "userId": "0",
    "conversationId": "-1",
    "player1MostWordsInRound": "32",
    "id": "6602198229545556683",
    "player1Score": "214",
    "player1LongestWord": "HEAPS",
    "player1User": {
        "username": "username",
        "ranking": "0",
        "premium": "false",
        "recruits": "0",
        "deleted": "false",
        "newUser": "false",
        "bestScoreInMatch": "0",
        "userId": "3005807464",
        "bestScoreInRound": "0",
        "online": "false",
        "facebookConnected": "false",
        "avatarId": "0",
        "matchesPlayed": "0",
        "useFacebookImage": "false",
        "mostWordsInRound": "0"
    },
    {"rounds": [
        {
            "seed3": "14657688",
            "player2MoveErrors": "0",
            "gameId": "6602198229545556683",
            "player2SwipeDistance": "681",
            "player2Moves": "1AB2BAE2EAB216227612AEF2DA73840127652567354013DAB723673B7654EAB72",
            "player1MoveErrors": "19",
            "player2Done": "true",
            "seed1": "2073207065",
            "seed2": "680974433",
            "player1SwipeDistance": "1608",
            "board": {
                "bonus": [" ", " ", " ", " ",
                          " ", " ", "D", " ",
                          " ", " ", " ", " ",
                          " ", " ", " ", "T"],
                "board": ["A", "T", "E", "H",
                          "E", "P", "O", "T",
                          "H", "S", "A", "S",
                          "T", "F", "T", "E"],
                "words": [
                    "TATE",
                    "SOTS",
                    "HOST",
                    "SAPS",
                    "FATSOS",
                    …
8 Automation
Play the game automatically
● Generic external approach
○ No modification of binary necessary
○ Works for any app
monkeyrunner (http://developer.android.com/tools/help/monkeyrunner_concepts.html)
● Test apps at the functional/framework level
● Able to simulate keystrokes, take screenshots
● Python bindings
8 Automation: obtain all possible words to play correctly
● apk contains a .jet “dictionary” for each language
● Btw, also a wordlist (probably) used to check for cheaters
Ruzzle .jet files
● Binary files
● Trie / radix tree structure
● Optimal for the way the game is played
● No duplicate encoding of characters
● List of all accepted words constructable
Diagram: a trie holding G → GA → GAM → GAME and G → GO → GOD, GOT; the shared prefixes G and GO are stored once.
8 Automation: achieving the high score
● Get all 16 letters
○ Input by hand / screenshot + OCR
● Find all valid words using the extracted dictionary
● Simulate keystrokes for found words
○ Actually not enough time to enter all valid words
DEMO
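The dictionary structure from the .jet slide and the validation it enables, as one added example that is not code from the slides or the game. A trie stores each shared prefix once and answers "does any word start with this?" in one walk, which is the fit with a swipe game the slides point at. The same structure is what the server-side "wordlist used to check for cheaters" needs: for a submitted word, is it in the dictionary, and can it be swiped on the board over adjacent tiles without reusing one? The board and the words are taken from the server response slide; the dictionary is constructed for the example rather than extracted from the app, and all names are this example's own.

```python
# Added example (not from the slides): a trie with prefix queries, plus the board
# and dictionary checks a word-game server applies to a submitted move.

from typing import Dict, Iterator, List, Optional, Set

SIDE = 4

# 4x4 board from the server response on the slides, row-major.
BOARD: List[str] = ["A", "T", "E", "H",
                    "E", "P", "O", "T",
                    "H", "S", "A", "S",
                    "T", "F", "T", "E"]

# Constructed dictionary: the words the response lists for that board, the longest
# word it reports (HEAPS), and the trie-diagram words (no G on this board).
WORDS = ["TATE", "SOTS", "HOST", "SAPS", "FATSOS", "HEAPS", "GAME", "GO", "GOD", "GOT"]


class TrieNode:
    __slots__ = ("children", "terminal")

    def __init__(self) -> None:
        self.children: Dict[str, "TrieNode"] = {}
        self.terminal = False  # a word ends at this node


class Trie:
    def __init__(self, words=()) -> None:
        self.root = TrieNode()
        for w in words:
            self.insert(w)

    def insert(self, word: str) -> None:
        node = self.root
        for ch in word.upper():
            node = node.children.setdefault(ch, TrieNode())
        node.terminal = True

    def _walk(self, prefix: str) -> Optional[TrieNode]:
        node = self.root
        for ch in prefix.upper():
            node = node.children.get(ch)
            if node is None:
                return None
        return node

    def contains(self, word: str) -> bool:
        node = self._walk(word)
        return node is not None and node.terminal

    def has_prefix(self, prefix: str) -> bool:
        return self._walk(prefix) is not None

    def all_words(self) -> List[str]:
        """Rebuild the complete word list by depth-first traversal."""
        out: List[str] = []

        def rec(node: TrieNode, acc: str) -> None:
            if node.terminal:
                out.append(acc)
            for ch in sorted(node.children):
                rec(node.children[ch], acc + ch)

        rec(self.root, "")
        return out


def neighbours(i: int) -> Iterator[int]:
    """Indices of the up to eight tiles touching tile i."""
    r, c = divmod(i, SIDE)
    for dr in (-1, 0, 1):
        for dc in (-1, 0, 1):
            nr, nc = r + dr, c + dc
            if (dr or dc) and 0 <= nr < SIDE and 0 <= nc < SIDE:
                yield nr * SIDE + nc


def traceable(board: List[str], word: str) -> bool:
    """Can `word` be swiped on the board (adjacent tiles, each used at most once)?"""
    word = word.upper()

    def dfs(i: int, k: int, used: Set[int]) -> bool:
        if board[i] != word[k]:
            return False
        if k == len(word) - 1:
            return True
        return any(dfs(j, k + 1, used | {j}) for j in neighbours(i) if j not in used)

    return bool(word) and any(dfs(s, 0, {s}) for s in range(len(board)))


def validate_move(board: List[str], trie: Trie, word: str) -> bool:
    """Server-side acceptance test for one submitted word."""
    return len(word) >= 2 and trie.contains(word) and traceable(board, word)


def words_on_board(board: List[str], trie: Trie) -> Set[str]:
    """Every dictionary word traceable on the board; has_prefix() abandons a swipe
    path as soon as no word starts with it."""
    found: Set[str] = set()

    def dfs(i: int, acc: str, used: Set[int]) -> None:
        acc += board[i]
        if not trie.has_prefix(acc):
            return
        if len(acc) >= 2 and trie.contains(acc):
            found.add(acc)
        for j in neighbours(i):
            if j not in used:
                dfs(j, acc, used | {j})

    for start in range(len(board)):
        dfs(start, "", {start})
    return found
```

With this dictionary, validate_move accepts HOST and HEAPS on the slide's board, rejects GAME (in the dictionary, not on the board) and rejects HOTS (traceable, not in the dictionary); the two checks are independent, and a server wants both.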
Achievements
Found possibilities to:
✓ Enable logging
✓ Unlock premium features
✓ Achieve insanely high score through automation
✓ Extract protocol via man-in-the-middle attack
Backup slides
Certificate Pinning
Diagram: the pinned certificate is installed in the app at development time.
1 App gets the current server certificate.
2 App compares the current and the pinned certificates.
3 If identical: establish the connection; else: reject.
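The three-step pinning flow on the backup slide, written out as an added example that is not code from the slides or the app, in Python's standard library (on Android the same comparison sits in a TrustManager or the network security configuration's pin set). The pin is the SHA-256 of the server certificate's DER encoding recorded at development time; at connect time the presented certificate is hashed and compared, and the connection is torn down on mismatch. pin_matches is pure and is what the test exercises; connect_pinned performs a real TLS handshake and is there to show where the check sits. The pinned hash is a placeholder, and all names are this example's own.

```python
# Added example (not from the slides): certificate pinning check, standard library only.

import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Placeholder, not a real pin: in an app this is the hash of the server's certificate
# (or of its public key) baked in at build time.
PINNED_SHA256_HEX = "00" * 32


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as a lowercase hex string."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(presented_der: bytes, pinned_hex: str) -> bool:
    """Step 2 on the slide: compare the current and the pinned certificate.
    compare_digest avoids leaking, through timing, where the two hashes differ."""
    return hmac.compare_digest(cert_fingerprint(presented_der), pinned_hex.lower())


def connect_pinned(host: str, port: int, pinned_hex: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Steps 1 to 3: obtain the server certificate during the handshake, compare it
    with the pin, keep the connection only on a match. Normal chain validation
    against the system CA store still happens (create_default_context sets
    CERT_REQUIRED and hostname checking); the pin is an additional condition, so an
    extra CA installed on the device is not on its own enough to pass."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der: Optional[bytes] = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls
```

Pinning the leaf certificate means the pin must be rotated whenever the certificate is renewed; pinning the public key, or shipping a backup pin, is the usual way to keep renewals from locking users out.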
