HACKING APKS FOR FUN
AND FOR PROFIT
(MOSTLY FOR FUN)


    DAVID TEITELBAUM

    @davtbaum
    DECEMBER 2012
OBJECTIVES
Expect to learn:
 Android app disassembly
 Fundamentals of code injection
 Smali/Baksmali and reading Dalvik byte code
 Best practices in hardening your apps
2   © 2012 Apkudo Inc. Confidential www.apkudo.com
ROADMAP
PART I - CLASS
  Approach to hacking
  Tools – apktool, baksmali, smali
  The APK
  All things byte code
PART II – DEMO/HACK
  Scramble With Friends deep dive
  App disassembly and analysis
  Code injection with ViewServer
  Resource transmission
  Recap
PART I - CLASS




APK HACKING
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Static analysis – what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK

[Diagram: APK --disassemble (baksmali)--> .smali --static analysis / code injection--> .smali --reassemble (smali)--> APK]
CODE INJECTION
    Best Practices:
   You don’t need to be a Dalvik byte code pro!

   Write patches in Java, compile, then use the
    Smali/Baksmali tools to disassemble into Dalvik byte code

   When injecting calls, stick to public static methods: they need no
    'this' register and do not depend on the caller's register layout.

   Let the compiler do the work – the demo hack is achieved
    by inserting only two lines of manual Dalvik byte code!



TOOLS
You’ll need…
   Access to a terminal environment (preferably Linux or Mac OS X)

   Android SDK

   keytool and jarsigner

   Smali/Baksmali - http://code.google.com/p/smali/

   Apktool - http://code.google.com/p/android-apktool/

   Editor of choice (emacs!)

THE APK
A container for your app
Zip file based on the JAR format; typical contents:
  META-INF/            signature files (MANIFEST.MF, *.SF, *.RSA)
  AndroidManifest.xml  the manifest, stored as binary XML
  classes.dex          Dalvik executable holding all of the app's byte code
  lib/                 native libraries, one directory per ABI
  res/                 resources (layouts, drawables, ...)
  resources.arsc       compiled resource table
SMALI/BAKSMALI
Dalvik Assembler/
Disassembler
   Baksmali disassembles Dalvik executable (.dex) into
    readable Dalvik byte code (.smali)

   Smali re-assembles .smali files back into .dex Dalvik
    executable

   Gives developers the ability to modify execution of an APK
    without having access to source code




EXAMPLES
baksmali
$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml  META-INF  classes.dex  lib  res  resources.arsc
$ baksmali -a 10 -d ~/boot_class_path classes.dex
  -a 10                 API level
  -d ~/boot_class_path  boot class path (directory holding the framework dex/odex files)
  classes.dex           dex file; the disassembly is written to ./out by default
EXAMPLES
smali
$ ls
AndroidManifest.xml  META-INF  classes.dex  lib  out  res  resources.arsc
$ smali -a 10 ./out -o classes.dex
  -a 10           API level
  -o classes.dex  output dex file (overwrites the original)
$ zip -r ~/hacked.apk ./*
  -r              recursive
AAPT
Android Asset Packaging Tool
    Builds/dumps package information

    Same tool that packages APKS

    Decodes compiled (binary) XML resources

    Dumps permissions, application info.




EXAMPLES
aapt
$ aapt dump badging ~/foobar.apk
$ aapt dump xmltree ~/foobar.apk AndroidManifest.xml
$ aapt dump xmlstrings ~/foobar.apk AndroidManifest.xml
  (second argument: the compiled XML resource inside the APK to dump)
APKTOOL
All in one reverser
    Wraps smali/baksmali and Android asset packaging tool
     (aapt)

    Decodes resources and decompresses xml

    Great for manifest introspection

    Buggy :/




EXAMPLES
apktool
$ apktool d foobar.apk foobar      # d = decode; second argument = output directory
$ cd ./foobar
$ ls
AndroidManifest.xml  apktool.yml  assets  res  smali
$ cd ../
$ apktool b ./foobar               # b = build; the rebuilt, unsigned APK lands in foobar/dist/
EXAMPLES
keytool and jarsigner
$ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
$ jarsigner -keystore ~/.keystore ./foobar.apk default
  (last argument: the alias of the signing key in the keystore)
TOOLS
 Questions?




SMALI FILES
class representation in byte code
# class information
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# direct methods (constructors, private and static methods); virtual methods follow in their own section
.method public constructor <init>()V
    .registers 1
    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
SYNTAX
types
  V  void
  Z  boolean
  B  byte
  S  short
  C  char
  F  float
  I  int
  J  long    (64 bit: occupies a register pair, uses the -wide instructions)
  D  double  (64 bit: occupies a register pair, uses the -wide instructions)
  [  array prefix (e.g. [I is int[])
  L<class>;  object type (next slide)
SYNTAX
classes                                    Lcom/apkudo/util/Serializer;
 •  full namespace, slash separated
 •  prefixed with L
 •  suffixed with ;

const-string v0, "ApkudoUtils"
new-instance v1, Ljava/lang/StringBuilder;
invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
const-string v2, "docId: ["
invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v1
SYNTAX
methods                                .method private doSomething()V

 Method definitions
   .method <modifiers> <name>(<parameter types>)<return type>

 Method invocations
   invoke-static    – static methods (no 'this' register)
   invoke-virtual   – ordinary instance methods: not private, not static, not a constructor
                      (the Dalvik docs also exclude final, but calls to final methods are emitted as invoke-virtual too)
   invoke-direct    – private instance methods and constructors (<init>)
   invoke-super     – the superclass's implementation of a virtual method
   invoke-interface – a method called through an interface type (e.g. Ljava/util/List;->add)
SYNTAX
methods

# .method <modifiers> <method name>(<parameter types>)<return type>
.method private delayedAnimationFrame(J)Z
  .registers 8
  .parameter "currentTime"

# Static invocation
invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z

# Virtual invocation
invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
SYNTAX
Registers                                             .locals 16
                                                      .registers 18
 All registers are 32 bits (a long or double uses an adjacent pair)
 Declaration
     .registers – total number of registers in the frame
     .locals – total minus the parameter registers (the two directives above describe
               the same frame: 18 registers, two of them parameters)
 Naming scheme
     p registers – parameter registers
          implicit p0 = 'this' instance (instance methods only)
     v registers – local registers; every pN is also addressable as the vN at its position
 p registers are always at the end of the register list
SYNTAX
Register Example
.method public onCreate()V
  .registers 7
  ...

  v0        first local register
  v1        second local register
  v2 .. v5  ...
  v6  p0    first parameter: 'this'

  p0 == v6
SYNTAX
Register Example 2
.method public doIt(Ljava/lang/String;II)V
  .registers 7

  v0        first local register
  v1        second local register
  v2        ...
  v3  p0    'this'
  v4  p1    String
  v5  p2    int
  v6  p3    int

  p3 == v6
  p2 == v5
  p1 == v4
  p0 == v3
SYNTAX
Register Example 3
.method public doIt(JI)V
  .registers 7

  # hint: J == long, which takes two registers

Quiz - for each of v3, v4, v5 and v6: is it (A) a fourth local register, (B) the 'this' instance, (C) the long, or (D) the int?

  v0        first local register
  v1        second local register
  v2        third local register
  v3  p0    'this' instance
  v4  p1    long (low half)
  v5  p2    long (high half)
  v6  p3    int
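The register rules above are mechanical enough to automate, and getting them wrong is the usual way an injected call breaks a method. The script below is an added example, not code from the slides: it parses a method descriptor into parameter slots, reproduces the p-to-v mapping of the three register examples (a long or double occupies a pair, p0 is 'this' only for instance methods, parameters sit at the end of the frame), and uses that map to grow `.registers` before inserting a `Log.e` tracing call that needs two scratch registers. It refuses to patch a method that addresses a parameter by its vN alias, because that alias shifts when the frame grows, and it rejects scratch registers above v15, which the non-range `invoke-*` forms cannot address. The `loadWords` method, the `Lcom/example/Game;` class and the `HACK` tag are constructed for the demo; `List` is an interface, so the injected call uses `invoke-interface`.

```python
"""Dalvik register layout, and a .registers-aware smali injection.

Added example, not code from the slides.  Parses a method descriptor such
as (JI)V into parameter slots, maps p-registers to v-registers as in the
register examples (J/D take a register pair, p0 is 'this' only for
instance methods, parameters sit at the END of the frame), and uses that
map to grow .registers safely before inserting code that needs scratch
registers.  The smali method and the Log tag are constructed for the demo.
"""
import re

WIDE = {"J", "D"}    # 64-bit types occupy two adjacent registers

METHOD_RE = re.compile(r"^\s*\.method\s+((?:[\w-]+\s+)*)(\S+?)(\([^)]*\)\S+)\s*$")


def parse_params(descriptor: str) -> list:
    """Split the parameter list of e.g. (Ljava/lang/String;[BI)V into types."""
    params = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    types, i = [], 0
    while i < len(params):
        start = i
        while params[i] == "[":              # array prefixes belong to the element type
            i += 1
        i = params.index(";", i) + 1 if params[i] == "L" else i + 1
        types.append(params[start:i])
    return types


def register_map(descriptor: str, registers: int, is_static: bool) -> dict:
    """Map pN -> (vN alias, meaning) for a method declaring `.registers N`."""
    slots = [] if is_static else [("this", 1)]
    slots += [(t, 2 if t in WIDE else 1) for t in parse_params(descriptor)]
    v = registers - sum(width for _, width in slots)   # first parameter register
    mapping, p = {}, 0
    for t, width in slots:
        if width == 1:
            mapping[f"p{p}"] = (f"v{v}", t)
        else:                                           # wide: low half, then high half
            mapping[f"p{p}"] = (f"v{v}", f"{t} (low)")
            mapping[f"p{p + 1}"] = (f"v{v + 1}", f"{t} (high)")
        v, p = v + width, p + width
    return mapping


def inject_after(method: str, anchor: str, snippet: list, extra: int) -> str:
    """Grow .registers by `extra` and insert `snippet` after the first line
    containing `anchor`.  The freed registers (the old parameter positions)
    become scratch registers and replace %r0, %r1, ... in the snippet."""
    lines = method.splitlines()
    hdr = METHOD_RE.match(next(l for l in lines if l.strip().startswith(".method")))
    if not hdr:
        raise ValueError("unparsable .method line")
    reg_idx = next(i for i, l in enumerate(lines) if l.strip().startswith(".registers"))
    old_total = int(lines[reg_idx].split()[1])
    old_map = register_map(hdr.group(3), old_total, "static" in hdr.group(1).split())
    aliases = {alias for alias, _ in old_map.values()}
    for l in lines[reg_idx + 1:]:            # a vN that aliases a parameter would move
        for tok in re.findall(r"\bv\d+\b", l):
            if tok in aliases:
                raise ValueError(f"{tok} aliases a parameter; rewrite it as pN first")
    scratch = [f"v{old_total - len(old_map) + k}" for k in range(extra)]
    if int(scratch[-1][1:]) > 15:            # non-range invoke-* forms only address v0-v15
        raise ValueError("scratch registers above v15; use invoke-*/range instead")
    lines[reg_idx] = re.sub(r"\d+", str(old_total + extra), lines[reg_idx], count=1)
    patch = [re.sub(r"%r(\d+)", lambda m: scratch[int(m.group(1))], s) for s in snippet]
    at = next(i for i, l in enumerate(lines) if anchor in l)
    lines[at + 1:at + 1] = patch
    return "\n".join(lines) + "\n"


LOAD_WORDS = """\
.method private loadWords(Ljava/lang/String;)V
    .registers 4
    iget-object v0, p0, Lcom/example/Game;->mWords:Ljava/util/List;
    invoke-interface {v0, p1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
    return-void
.end method
"""

# Dump the list right after it is fetched into v0 (List is an interface: invoke-interface).
LOG_LIST = [
    '    const-string %r0, "HACK"',
    "    invoke-interface {v0}, Ljava/util/List;->toString()Ljava/lang/String;",
    "    move-result-object %r1",
    "    invoke-static {%r0, %r1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
]

if __name__ == "__main__":
    for p, (v, what) in register_map("(JI)V", 7, False).items():
        print(f"{p} == {v}  {what}")
    print(inject_after(LOAD_WORDS, "iget-object", LOG_LIST, extra=2))
```

For `loadWords` the frame grows from 4 to 6 registers: p0 and p1 move from v2/v3 to v4/v5, the original locals v0 and v1 are untouched, and v2/v3 become the scratch registers the snippet uses. Code that used `pN` names keeps working; code that hard-coded `v3` for the String would silently read a different register, which is why the patcher refuses it.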
SYNTAX
jumping
 jumps
   goto <label>     (unconditional; the label names a code offset, e.g. :goto_31)

.method public doIt(JI)V
  .registers 7
  ...
  goto :goto_31
  ...
  :goto_31
  return-void
SYNTAX
conditionals
 Conditionals (compare two registers): if-eq, if-ne, if-lt, if-le, if-gt, if-ge
 Add z for a compare against zero (one register): if-eqz, if-nez, if-ltz, if-lez, if-gtz, if-gez

.method public foobar()V
  .registers 2
  const/4 v0, 0x0
  if-eqz v0, :cond_6        # v0 == 0 here, so the branch is always taken
  return-void
  :cond_6
  # Do something
.end method
PUTTING IT ALL TOGETHER
Example - Java
package com.google.android.finsky;

import android.app.Application;
import android.accounts.Account;

public class FinskyApp extends Application {

     Account mCurrentAccount;

     ...

     public String getCurrentAccountName() {
       if (mCurrentAccount != null) {
             return mCurrentAccount.name;
       } else {
             return null;
       }
     }
}
PUTTING IT ALL TOGETHER
Same example - smali
.method public getCurrentAccountName()Ljava/lang/String;
  .registers 2                      # v0 = first local register; v1 == p0 = 'this' instance
  .prologue
  .line 617
  # iget-object <into this reg>, <from this object>, <this class>-><this field>:<of this type>
  iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
  if-nez v0, :cond_6
  const/4 v0, 0x0                   # null
  :goto_5
  return-object v0
  :cond_6
  iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
  goto :goto_5
.end method
ONE FINAL STEP
Obfuscation!
•    Renames classes, fields and methods
•    Preserves OS entry points (components declared in the manifest) and classes in the java/android namespaces
•    Slows down the static analysis process
•    Not a silver bullet, but an easy first line of defense

iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
BYTECODE
 Questions?




PART II - DEMO




HACKING SCRAMBLE
Approach
1. Unzip APK and disassemble classes.dex (baksmali)
2. Isolate target resources (e.g., Scramble With Friends words list)
3. Patch APK to receive resource, serialize, and transmit to host
4. Reassemble classes.dex (smali) and rezip APK

[Diagram: APK --disassemble (baksmali)--> .smali --static analysis / code injection--> .smali --reassemble (smali)--> APK]
RESOURCE SERIALIZATION AND TRANSMISSION
ROMAIN GUY'S VIEWSERVER

[Diagram: the app's onCreate() starts ViewServer and calls addWindow(); ViewServer listens inside the app process on localhost:4939 on the Android OS side, where the host reaches it through adb port forwarding (Step 6)]
STEP 1
DECOMPRESS AND DISASSEMBLE
 Extract classes.dex and remove the old signature
     unzip scramble.apk
     rm -r ./META-INF          (its digests will not match the patched dex anyway)

 Disassemble:
     baksmali -a 10 -d <framework_path> ./classes.dex
     -a = api-level
     -d = bootclasspath dir, e.g. an AOSP build's
          out/target/product/generic/system/framework
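The APK slide in Part I describes the container as a zip in JAR format, and Step 1 above deletes META-INF before the APK is re-signed. The script below is an added example, not code from the slides, and shows why both matter: it builds a small constructed APK in memory with a JAR-style MANIFEST.MF, verifies the per-entry SHA1-Digest values, patches classes.dex so its digest no longer matches, and strips META-INF so a fresh jarsigner signature can be applied. Every entry is a placeholder, CERT.SF and CERT.RSA are empty stand-ins rather than a real signature block, and only the manifest digest layer is modelled (not the v2+ APK Signature Scheme that current Android expects alongside the JAR signature, which jarsigner alone does not produce).

```python
"""JAR-style (v1) APK signature: check digests, patch, strip META-INF.

Added example, not code from the slides.  An APK is a zip in JAR format,
so META-INF/MANIFEST.MF records a SHA1-Digest for every entry.  Patch
classes.dex and that digest is stale, which is why Step 1 removes
META-INF before the APK is re-signed.  Everything here is constructed
in memory; the entry contents are placeholders, and CERT.SF/CERT.RSA are
empty stand-ins rather than a real signature block.
"""
import base64
import hashlib
import io
import zipfile


def sha1_b64(data: bytes) -> str:
    """Digest in the form MANIFEST.MF uses: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_constructed_apk(dex: bytes) -> bytes:
    """A minimal APK whose manifest digests are real; everything else is dummy."""
    entries = {
        "AndroidManifest.xml": b"<manifest/>",        # binary XML in a real APK
        "classes.dex": dex,
        "resources.arsc": b"\x02\x00\x0c\x00",
    }
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in entries.items():   # real manifests wrap lines over 72 bytes; these are short
        manifest += f"Name: {name}\r\nSHA1-Digest: {sha1_b64(data)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")  # placeholder
        zf.writestr("META-INF/CERT.RSA", b"")                         # placeholder
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest_digests(apk: bytes) -> dict:
    """{entry name: SHA1-Digest} parsed from META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode()
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def verify_entries(apk: bytes) -> dict:
    """Recompute each listed entry's digest: {name: matches the manifest?}."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: sha1_b64(zf.read(name)) == want
                for name, want in manifest_digests(apk).items()}


def rewrite(apk: bytes, replace: dict = None, drop_prefix: str = None) -> bytes:
    """Copy the zip, swapping in `replace` entries and dropping those under `drop_prefix`."""
    replace = replace or {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if drop_prefix and info.filename.startswith(drop_prefix):
                continue
            dst.writestr(info.filename, replace.get(info.filename, src.read(info.filename)))
    return out.getvalue()


def entry_names(apk: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    original = build_constructed_apk(b"dex\n035\x00 original code")
    print("pristine:", verify_entries(original))
    patched = rewrite(original, replace={"classes.dex": b"dex\n035\x00 patched code"})
    print("patched :", verify_entries(patched))            # classes.dex is now False
    unsigned = rewrite(patched, drop_prefix="META-INF/")   # what `rm -r META-INF` does
    print("ready to sign:", entry_names(unsigned))
```

The same `verify_entries` check is a quick way to confirm, before re-signing, that a rebuilt APK really contains the patched classes.dex and not a stale copy left over from the original zip.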
STEP 2
ANDROID FORENSICS
 apktool d the APK and inspect AndroidManifest.xml for activities

 Find the words list...how?
     Beat obfuscation!
         Search for class types and log messages
         Find the intersection of the two!
     Insert your own log statements

# assumes v1 and v2 are free at this point (otherwise raise .registers); note that v2,
# the list, is overwritten by its string form, so use another register if the list is needed afterwards.
# List is an interface, so the call must be invoke-interface, not invoke-virtual (the verifier rejects that).
const-string v1, "HACK"
invoke-interface {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
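The type-and-string intersection above is a grep problem, and it survives obfuscation because ProGuard renames identifiers but keeps type descriptors and string literals. The script below is an added example, not code from the slides: it runs that search over a constructed tree of three .smali files standing in for an obfuscated app (the class names `Lcom/a/a/f;` and friends, their strings and their methods are invented), finds the classes that reference `Ljava/util/List;` and the classes whose const-strings mention "word", intersects the two, and then lists the methods in the surviving class that touch the List, which is where a log statement like the one above would be inserted.

```python
"""Find an obfuscated class by intersecting two cheap static signals.

Added example, not code from the slides.  Step 2 says: search the
disassembled tree for classes that touch the type you expect (here
Ljava/util/List;), search again for classes carrying a telling log
string, and take the intersection.  The .smali "files" below are a
constructed stand-in for an obfuscated app: the class names, strings
and methods are invented for the demo.
"""
import re

SMALI_TREE = {   # path -> file contents, as baksmali would write them (constructed)
    "com/a/a/f.smali": """\
.class public Lcom/a/a/f;
.super Ljava/lang/Object;
.field private b:Ljava/util/List;
.method public a()Ljava/util/List;
    .registers 2
    const-string v0, "loaded word list from assets"
    iget-object v0, p0, Lcom/a/a/f;->b:Ljava/util/List;
    return-object v0
.end method
""",
    "com/a/a/g.smali": """\
.class public Lcom/a/a/g;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    .registers 4
    const-string v0, "Scramble"
    const-string v1, "onCreate: words ready"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
    "com/a/a/h.smali": """\
.class public Lcom/a/a/h;
.super Ljava/lang/Object;
.field private c:Ljava/util/List;
.method public b()V
    .registers 1
    return-void
.end method
""",
}

CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;\s]+;)", re.M)
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
METHOD_RE = re.compile(r"^\s*\.method\s+(?:[\w-]+\s+)*(\S+?\([^)]*\)\S+)")


def class_name(src: str) -> str:
    """The class descriptor declared by a .smali file."""
    return CLASS_RE.search(src).group(1)


def classes_referencing(tree: dict, type_desc: str) -> set:
    """Classes whose smali mentions a type (field, parameter, return or call)."""
    return {class_name(src) for src in tree.values() if type_desc in src}


def classes_with_string(tree: dict, pattern: str) -> set:
    """Classes with a const-string matching `pattern` (case-insensitive regex)."""
    rx = re.compile(pattern, re.I)
    return {class_name(src) for src in tree.values()
            if any(rx.search(s) for s in CONST_STRING.findall(src))}


def candidates(tree: dict, type_desc: str, pattern: str) -> set:
    """The intersection: renaming hides the class from either signal alone, not both."""
    return classes_referencing(tree, type_desc) & classes_with_string(tree, pattern)


def methods_mentioning(src: str, type_desc: str) -> list:
    """Method signatures in one class whose header or body mentions the type,
    i.e. the places where an injected log statement would expose the object."""
    hits, current = [], None
    for line in src.splitlines():
        m = METHOD_RE.match(line)
        if m:
            current = m.group(1)
        if current and type_desc in line and current not in hits:
            hits.append(current)
        if line.strip() == ".end method":
            current = None
    return hits


if __name__ == "__main__":
    for cls in sorted(candidates(SMALI_TREE, "Ljava/util/List;", r"word")):
        path = cls[1:-1] + ".smali"          # Lcom/a/a/f; -> com/a/a/f.smali
        print(cls, methods_mentioning(SMALI_TREE[path], "Ljava/util/List;"))
```

On a real tree, replace `SMALI_TREE` with a walk over the baksmali output directory; the same two signals (a type descriptor and a string regex) are usually enough to shrink hundreds of single-letter classes to a handful worth reading.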
STEP 3
    INJECT VIEWSERVER INTO APP
    Resource located! Now we need to send it…

    Apply patch to ViewServer that stores list
           public static void setScrambleWordList(List list);

    Build patched ViewServer, extract .smali files

    Copy smali files into our application
      Easy enough, right?




STEP 4
PATCH APP TO USE VIEWSERVER API
 Start the ViewServer in the onCreate() method of MainActivity.smali
     ViewServer.get()
         invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
     (the descriptor must match the ViewServer you actually compiled: upstream ViewServer.get takes a
      Context, i.e. get(Landroid/content/Context;)..., and a mismatched descriptor will not resolve at run time)

 Pass the list to ViewServer in fu.smali
     ViewServer.setScrambleWordList(list)
         invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
STEP 5
REBUILD APK
 Re-assemble
     smali -a 10 ./out -o classes.dex
 Re-compress (run from inside the extracted directory)
     zip -0 -r ../scramble.apk ./*        (-0: store entries uncompressed)
 Sign APK
     jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
STEP 6
INSTALL AND COMMUNICATE WITH APP
 Install
     adb install -r ../scramble.apk
 Forward port
     adb forward tcp:4939 tcp:4939
 Communicate
     nc 127.0.0.1 4939        (ViewServer is the listener inside the app; the host connects through the forwarded port)
RECAP
WHAT ZYNGA TEACHES US
 Low hanging fruit:
   Obfuscate, it's easy and makes things much harder
     Use ProGuard, it optimizes too!
   Remove logs
   Use reflection

 Design your application with cheaters in mind!
   Move logic to the cloud
   Google Play Licensing
FINALLY...
WHAT ZYNGA TEACHES US
Thank you.
@davtbaum DAVID@   .COM

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Dernier (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Hacking for fun and for profit

  • 1. HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN) DAVID TEITELBAUM @davtbaum DECEMBER 2012
  • 2. OBJECTIVES
    Expect to learn:
    - Android app disassembly
    - Fundamentals of code injection
    - Smali/Baksmali and reading Dalvik byte code
    - Best practices in hardening your apps
    2 © 2012 Apkudo Inc. Confidential www.apkudo.com
  • 3. ROADMAP
    PART I - CLASS:
    - Approach to hacking
    - Tools – apktool, baksmali, smali
    - The APK
    - All things byte code
    PART II – DEMO/HACK:
    - Scramble With Friends deep dive
    - App disassembly and analysis
    - Code injection with ViewServer
    - Resource transmission
    - Recap
  • 4. PART I - CLASS
  • 5. APK HACKING
    Approach
    1. Unzip APK and disassemble classes.dex (baksmali)
    2. Static analysis – what is the application doing?
    3. Inject byte code into the application to modify execution
    4. Reassemble classes.dex (smali) and rezip APK
    (diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali))
  • 6. CODE INJECTION
    Best Practices:
    - You don’t need to be a Dalvik byte code pro!
    - Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
    - Stick to public static methods in Dalvik byte code which have no register dependencies.
    - Let the compiler do the work – the demo hack is achieved by inserting only two lines of manual Dalvik byte code!
  • 7. TOOLS
    You’ll need…
    - Access to a terminal environment (preferably Linux or Mac OS X)
    - Android SDK
    - keytool and jarsigner
    - Smali/Baksmali - http://code.google.com/p/smali/
    - Apktool - http://code.google.com/p/android-apktool/
    - Editor of choice (emacs!)
  • 8. THE APK
    A container for your app
    - Zipped file formatted based on JAR
    Contents: META-INF/, AndroidManifest.xml, classes.dex, lib/, res/, resources.arsc
  • 9. SMALI/BAKSMALI
    Dalvik Assembler/Disassembler
    - Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
    - Smali re-assembles .smali files back into a .dex Dalvik executable
    - Gives developers the ability to modify execution of an APK without having access to source code
  • 10. EXAMPLES baksmali
      $ unzip foobar.apk -d foobar
      $ cd ./foobar
      $ ls
      AndroidManifest.xml META-INF classes.dex res resources.arsc lib
      $ baksmali -a 10 -d ~/boot_class_path classes.dex
    (-a = API level, -d = boot class path, last argument = dex file)
  • 11. EXAMPLES smali
      $ ls
      AndroidManifest.xml META-INF classes.dex res resources.arsc lib out
      $ smali -a 10 ./out -o classes.dex
      $ zip -r ~/hacked.apk ./*
    (-a = API level, -o = output dex file, -r = recursive)
  • 12. AAPT
    Android Asset Packaging Tool
    - Builds/dumps package information
    - Same tool that packages APKs
    - Decompresses xml resources
    - Dumps permissions, application info.
  • 13. EXAMPLES aapt
      $ aapt dump badging ~/foobar.apk
      $ aapt dump xmltree ~/foobar.apk AndroidManifest.xml
      $ aapt dump xmlstrings ~/foobar.apk AndroidManifest.xml
    (the last argument is the resource inside the APK to dump)
  • 14. APKTOOL
    All in one reverser
    - Wraps smali/baksmali and the Android asset packaging tool (aapt)
    - Decodes resources and decompresses xml
    - Great for manifest introspection
    - Buggy :/
  • 15. EXAMPLES apktool
      $ apktool d foobar.apk foobar
      $ cd ./foobar
      $ ls
      AndroidManifest.xml apktool.yml assets res smali
      $ cd ../
      $ apktool b ./foobar
    (d = decode, with the out directory as the last argument; b = build)
  • 16. EXAMPLES keytool and jarsigner
      $ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
      $ jarsigner -keystore ~/.keystore ./foobar.apk default
    (the last argument to jarsigner is the key alias)
  • 17. TOOLS Questions?
  • 18. SMALI FILES
    class representation in byte code
      .class public Lcom/apkudo/util/Serializer;
      .super Ljava/lang/Object;
      .source "Serializer.java"
      # static fields
      .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"
      # direct methods
      .method public constructor <init>()V
          .registers 1
          .prologue
          .line 5
          invoke-direct {p0}, Ljava/lang/Object;-><init>()V
          return-void
      .end method
    (slide annotations: class information; static fields; methods – direct and virtual)
  • 19. SYNTAX types
      .method private doSomething()V
    Type descriptors: V void, Z boolean, B byte, S short, C char, F float, I int, J long, D double, [ array
    J (long) and D (double) are 64 bit – special instructions
  • 20. SYNTAX classes
      Lcom/apkudo/util/Serializer;
    - full name space slash separated
    - prefixed with L
    - suffixed with ;
      const-string v0, "ApkudoUtils"
      new-instance v1, Ljava/lang/StringBuilder;
      invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
      const-string v2, "docId: ["
      invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
      move-result-object v1
  • 21. SYNTAX methods
      .method private doSomething()V
    - Method definitions
      .method <keyword> <name>(<param>)<return type>
    - Method invocations
      invoke-static – any method that is static
      invoke-virtual – any method that isn’t private, static, or final
      invoke-direct – any non-static direct method
      invoke-super – any superclass's virtual method
      invoke-interface – invoke an interface method
  • 22. SYNTAX methods
      .method private doSomething()V
    (keyword, method name, parameters/return)
      .method private delayedAnimationFrame(J)Z
      .registers 8
      .parameter "currentTime"
      # Static invocation
      invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z
      # Virtual invocation
      invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
  • 23. SYNTAX Registers
      .locals 16
      .registers 18
    - All registers are 32 bits
    - Declaration
      .registers – total number of registers
      .locals – total minus method parameter registers
    - Naming scheme
      P registers – parameter registers; implicit p0 = ‘this’ instance
      V registers – local registers
    - P registers are always at the end of the register list
  • 24. SYNTAX Register Example
      .method public onCreate()V
      .registers 7
    v0 First local register
    v1 Second local register
    v2 …
    v3 …
    v4 …
    v5 …
    v6 p0 First param – ‘this’ (p0 == v6)
  • 25. SYNTAX Register Example 2
      .method public doIt(Ljava/lang/String;II)V
      .registers 7
    v0 First local register
    v1 Second local register
    v2 …
    v3 p0 ‘this’
    v4 p1 String
    v5 p2 int
    v6 p3 int
    (p0 == v3, p1 == v4, p2 == v5, p3 == v6)
  • 26. SYNTAX Register Example 3
      .method public doIt(JI)V
      .registers 7   # hint, J == long
    v0 First local register
    v1 Second local register
    v2 Third local register
    v3 – is it… A) Fourth local register? B) This instance? C) Long? D) Int?
    v4 – is it… (same choices)
    v5 – is it… (same choices)
    v6 – is it… (same choices)
    Answer: v3 p0 ‘this’ instance; v4 p1 long; v5 p2 long; v6 p3 int
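The register arithmetic that slides 24 to 26 do by hand, as an added Python example that is not part of the Apkudo slides: it derives the p-to-v mapping for any smali method signature, and goes beyond the slides by handling 64-bit (J/D) parameters that take two registers, array descriptors, and static methods with no implicit ‘this’. The function and helper names are my own.

```python
import re
from typing import List, Tuple

# One smali type descriptor: optional array prefixes, then a primitive or a class.
_TYPE_RE = re.compile(r"\[*(?:[ZBSCFIJD]|L[^;]+;)")


def param_types(descriptor: str) -> List[str]:
    """Split '(Ljava/lang/String;II)V' into ['Ljava/lang/String;', 'I', 'I']."""
    start, end = descriptor.index("("), descriptor.index(")")
    inside = descriptor[start + 1:end]
    types = _TYPE_RE.findall(inside)
    if "".join(types) != inside:            # leftovers mean a malformed list
        raise ValueError("malformed parameter list: %r" % inside)
    return types


def register_width(type_desc: str) -> int:
    """64-bit values (J long, D double) occupy two 32-bit registers.
    Arrays such as [J are references and take one register."""
    return 2 if type_desc in ("J", "D") else 1


def register_layout(descriptor: str, registers: int,
                    is_static: bool = False) -> List[Tuple[str, str, str]]:
    """Map every p register to its v alias and what it holds.

    Parameter registers always sit at the end of the register list, and for
    instance methods p0 is the implicit 'this'.
    """
    slots = [] if is_static else [("this", 1)]
    slots += [(t, register_width(t)) for t in param_types(descriptor)]
    param_regs = sum(width for _, width in slots)
    if param_regs > registers:
        raise ValueError("signature needs %d parameter registers but "
                         ".registers is %d" % (param_regs, registers))
    first = registers - param_regs              # v index of p0
    layout, p = [], 0
    for label, width in slots:
        for half in range(width):
            what = label if half == 0 else label + " (upper half)"
            layout.append(("p%d" % p, "v%d" % (first + p), what))
            p += 1
    return layout


def locals_count(descriptor: str, registers: int, is_static: bool = False) -> int:
    """'.locals' is '.registers' minus the parameter registers (slide 23)."""
    return registers - len(register_layout(descriptor, registers, is_static))


if __name__ == "__main__":
    # Constructed inputs mirroring the slides' three register examples.
    for sig, regs in [("onCreate()V", 7), ("doIt(Ljava/lang/String;II)V", 7),
                      ("doIt(JI)V", 7)]:
        print(".method public %s  .registers %d" % (sig, regs))
        for p, v, what in register_layout(sig, regs):
            print("  %s == %s  %s" % (p, v, what))
```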
  • 27. SYNTAX jumping
    - jumps: goto <offset>
      .method public doIt(JI)V
      .registers 7
      ...
      goto :goto_31
      ...
      :goto_31
      return-void
  • 28. SYNTAX conditionals
    - Conditionals: if-eq, if-ne, if-le, if-lt, if-ge, if-gt
    - Add z for zero
      .method public foobar()V
      .registers 2
      const/4 v0, 0x0
      if-eqz v0, :cond_6
      return-void
      :cond_6
      # Do something
      .end method
  • 29. PUTTING IT ALL TOGETHER
    Example - Java
      package com.google.android.finsky;
      import android.app.Application;
      import android.accounts.Account;
      public class FinskyApp extends Application {
          Account mCurrentAccount;
          ...
          public String getCurrentAccountName() {
              if (mCurrentAccount != null) {
                  return mCurrentAccount.name;
              } else {
                  return null;
              }
          }
      }
  • 30. PUTTING IT ALL TOGETHER
    Same example - smali (v0 is the first local register; v1 is p0, the ‘this’ instance)
      .method public getCurrentAccountName()Ljava/lang/String;
      .registers 2
      .prologue
      .line 617
      iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
      if-nez v0, :cond_6
      const/4 v0, 0x0
      :goto_5
      return-object v0
      :cond_6
      iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
      goto :goto_5
      .end method
    (iget-object reads this field, of this type, into this register)
  • 31. ONE FINAL STEP
    Obfuscation!
    - Renames classes, class members and methods
    - Preserves OS entry points and java namespace classes
    - Slows down the static analysis process
    - Not a silver bullet, but an easy first line of defense
      iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
      invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
  • 32. BYTECODE Questions?
  • 33. PART II - DEMO
  • 34.
  • 35. HACKING SCRAMBLE
    Approach
    1. Unzip APK and disassemble classes.dex (baksmali)
    2. Isolate target resources (e.g., Scramble With Friends words list)
    3. Patch APK to receive resource, serialize, and transmit to host
    4. Reassemble classes.dex (smali) and rezip APK
    (diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali))
  • 36. RESOURCE SERIALIZATION AND TRANSMISSION
    ROMAIN GUY’S VIEWSERVER
    (diagram: onCreate()… addWindow(), ViewServer, localhost:4939, Android OS)
  • 37. STEP 1 DECOMPRESS AND DISASSEMBLE
    - Extract classes.dex and remove keys
      unzip scramble.apk
      rm -r ./META-INF
    - Disassemble:
      baksmali -a 10 -d <framework_path> ./classes.dex
      -a = api-level
      -d = bootclasspath dir, e.g. out/target/product/generic/system/framework
  • 38. STEP 2 ANDROID FORENSICS
    - apktool dump and inspect AndroidManifest.xml for activities
    - Find the words list…how?
    - Beat obfuscation!
      Search for class types and log messages
      Find the intersection of the two!
    - Insert your own log statements
      invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
      move-result-object v2
      invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
  • 39. STEP 3 INJECT VIEWSERVER INTO APP
    - Resource located! Now we need to send it…
    - Apply patch to ViewServer that stores list
      public static void setScrambleWordList(List list);
    - Build patched ViewServer, extract .smali files
    - Copy smali files into our application
    - Easy enough, right?
  • 40. STEP 4 PATCH APP TO USE VIEWSERVER API
    - Start the ViewServer in the onCreate() method of MainActivity.smali
      ViewServer.get()
      invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
    - Pass the list to ViewServer in fu.smali
      ViewServer.setScrambleWordList(list)
      invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
  • 41. STEP 5 REBUILD APK
    - Re-assemble
      smali -a 10 ./out -o classes.dex
    - Re-compress
      zip -z0 -r ../scramble.apk ./*
    - Sign APK
      jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
  • 42. STEP 6 INSTALL AND COMMUNICATE WITH APP
    - Install
      adb install -r ../scramble.apk
    - Forward port
      adb forward tcp:4939 tcp:4939
    - Communicate
      nc -l 127.0.0.1 (listen)
  • 43. RECAP WHAT ZYNGA TEACHES US
    Low hanging fruit:
    - Obfuscate, it’s easy and makes things much harder
    - Use proguard, it optimizes too!
    - Remove logs
    - Use reflection
    Design your application with cheaters in mind!
    - Move logic to cloud
    - Google play licensing
  • 44. FINALLY… WHAT ZYNGA TEACHES US

Editor's notes

  1. META-INF contains keys