Hacking for fun and for profit
1. HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
David Teitelbaum (@davtbaum), December 2012
2. OBJECTIVES
Expect to learn:
- Android app disassembly
- Fundamentals of code injection
- Smali/Baksmali and reading Dalvik byte code
- Best practices in hardening your apps
© 2012 Apkudo Inc. Confidential www.apkudo.com
3. ROADMAP
Part I, class:
- Approach to hacking
- Tools: apktool, baksmali, smali
- The APK
- All things byte code
Part II, demo/hack:
- Scramble With Friends deep dive
- App disassembly and analysis
- Code injection with ViewServer
- Resource transmission
- Recap
4. PART I: CLASS
5. APK HACKING
Approach:
1. Unzip the APK and disassemble classes.dex (baksmali)
2. Static analysis: what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip the APK
Diagram: APK -> disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali) -> APK
6. CODE INJECTION
Best practices:
- You don't need to be a Dalvik byte code pro.
- Write patches in Java, compile them, then use smali/baksmali to disassemble the result into Dalvik byte code.
- Stick to public static methods: a call to a static method depends only on the registers holding its arguments (no `this` to preserve), so it can be dropped into an existing method with minimal changes.
- Let the compiler do the work: the demo hack is achieved by inserting only two lines of hand-written Dalvik byte code.
7. TOOLS
You'll need:
- Access to a terminal environment (preferably Linux or Mac OS X)
- Android SDK
- keytool and jarsigner (they ship with the JDK)
- Smali/Baksmali: http://code.google.com/p/smali/
- Apktool: http://code.google.com/p/android-apktool/
- Editor of choice (emacs!)
8. THE APK
A container for your app: a zip file whose layout is based on the JAR format.
- META-INF/ (the JAR signature: MANIFEST.MF, CERT.SF and the signer's certificate in CERT.RSA)
- AndroidManifest.xml (compiled, binary XML)
- classes.dex
- lib/
- res/
- resources.arsc
9. SMALI/BAKSMALI: Dalvik assembler/disassembler
- Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
- Smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify the execution of an APK without having access to its source code
10. EXAMPLES: baksmali

    $ unzip foobar.apk -d foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  lib  res  resources.arsc
    $ baksmali -a 10 -d ~/boot_class_path classes.dex

-a: API level; -d: boot class path directory (the framework jars the dex references); the last argument is the dex file. The .smali output goes to ./out by default.
11. EXAMPLES: smali

    $ ls
    AndroidManifest.xml  META-INF  classes.dex  lib  out  res  resources.arsc
    $ smali -a 10 ./out -o classes.dex
    $ zip -r ~/hacked.apk ./*

-a: API level; -o: output dex file; -r: recursive. Note that hacked.apk still carries the old META-INF/ signature, which no longer matches the new classes.dex; delete META-INF/ before zipping and re-sign the APK (slide 16).
12. AAPT: Android Asset Packaging Tool
- Builds and dumps package information
- The same tool that packages APKs
- Decodes the compiled (binary) XML resources
- Dumps permissions and application info
13. EXAMPLES: aapt

    $ aapt dump badging ~/foobar.apk
    $ aapt dump xmltree ~/foobar.apk AndroidManifest.xml
    $ aapt dump xmlstrings ~/foobar.apk AndroidManifest.xml

The last argument names the resource inside the APK to dump.
14. APKTOOL: all-in-one reverser
- Wraps smali/baksmali and the Android asset packaging tool (aapt)
- Decodes resources and binary XML
- Great for manifest introspection
- Buggy :/
15. EXAMPLES: apktool

    $ apktool d foobar.apk foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  apktool.yml  assets  res  smali
    $ cd ../
    $ apktool b ./foobar

d = decode (the second argument is the output directory); b = build.
16. EXAMPLES: keytool and jarsigner

    $ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
    $ jarsigner -keystore ~/.keystore ./foobar.apk default

"default" is the key alias. The store password here is a throwaway for the demo; a real release key should not sit in ~/.keystore with its password on the command line.
17. TOOLS: Questions?
18. SMALI FILES
A class's representation in byte code:

    # class information
    .class public Lcom/apkudo/util/Serializer;
    .super Ljava/lang/Object;
    .source "Serializer.java"

    # static fields
    .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

    # direct methods
    .method public constructor <init>()V
        .registers 1
        .prologue
        .line 5
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V
        return-void
    .end method

Methods are listed in two groups: direct methods (constructors, private and static methods) and virtual methods.
19. SYNTAX: types

    .method private doSomething()V

Type descriptors:
    V  void
    Z  boolean
    B  byte
    S  short
    C  char
    F  float
    I  int
    J  long (64-bit: occupies a register pair and uses the -wide instruction variants)
    D  double (64-bit, same treatment as J)
    [  array (prefix, one per dimension, in front of the element type)
20. SYNTAX: classes

    Lcom/apkudo/util/Serializer;

- full package name, slash separated
- prefixed with L
- suffixed with ;

    const-string v0, "ApkudoUtils"
    new-instance v1, Ljava/lang/StringBuilder;
    invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
    const-string v2, "docId: ["
    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v1
21. SYNTAX: methods

    .method private doSomething()V

Method definitions:

    .method <keyword> <name>(<param>)<return type>

Method invocations:
- invoke-static: any static method
- invoke-virtual: any method that isn't private, static or final (and isn't a constructor)
- invoke-direct: any non-static direct method, i.e. a private instance method or a constructor
- invoke-super: the superclass's virtual method
- invoke-interface: an interface method
22. SYNTAX: methods

    .method private doSomething()V

keyword: private; method name: doSomething; parameters/return: ()V

    .method private delayedAnimationFrame(J)Z
        .registers 8
        .parameter "currentTime"

    # Static invocation
    invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z

    # Virtual invocation
    invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
23. SYNTAX: registers

    .locals 16
    .registers 18

- All registers are 32 bits (a 64-bit long or double takes a pair)
Declaration:
- .registers: total number of registers
- .locals: total minus the method's parameter registers (16 locals + 2 parameter registers in the example above)
Naming scheme:
- p registers: parameter registers; for an instance method p0 is the implicit 'this'
- v registers: local registers
- p registers are always at the end of the register list, so every pN is also reachable under some vM name
24. SYNTAX: register example 1

    .method public onCreate()V
        .registers 7

    v0  first local register
    v1  second local register
    v2  ...
    v3  ...
    v4  ...
    v5  ...
    v6  p0, first parameter: 'this'

So p0 == v6.
25. SYNTAX: register example 2

    .method public doIt(Ljava/lang/String;II)V
        .registers 7

    v0  first local register
    v1  second local register
    v2  third local register
    v3  p0  'this'
    v4  p1  String
    v5  p2  int
    v6  p3  int

So p0 == v3, p1 == v4, p2 == v5, p3 == v6.
26. SYNTAX: register example 3

    .method public doIt(JI)V
        .registers 7

(hint: J == long)

    v0  first local register
    v1  second local register
    v2  third local register
    v3  is it... A) fourth local register? B) the 'this' instance? C) the long? D) the int?
    v4  is it... (same choices)
    v5  is it... (same choices)
    v6  is it... (same choices)

Answers: v3 = p0, the 'this' instance; v4 = p1 and v5 = p2, the two halves of the long (a 64-bit parameter takes a register pair and is named by its first register, p1); v6 = p3, the int.
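The register arithmetic of examples 1 to 3 and the type descriptors of slides 19 to 22 can be mechanised. The following Python is an added example, not code from the deck: it parses a smali method descriptor and computes which v-register each p-register aliases, counting J and D as register pairs and adding the implicit `this` for instance methods. The descriptors it is exercised with are the ones on the slides.

```python
import re
from typing import Dict, List, Tuple

# Single-character primitive descriptors from slide 19. Objects are L<name>;
# and arrays carry one '[' per dimension in front of the element type.
PRIMITIVES = set("VZBSCFIJD")
WIDE = {"J", "D"}  # 64-bit values occupy two adjacent registers


def parse_descriptor(desc: str) -> Tuple[List[str], str]:
    """Split '(Ljava/lang/String;II)V' into (['Ljava/lang/String;', 'I', 'I'], 'V')."""
    m = re.fullmatch(r"\((.*)\)(\S+)", desc)
    if not m:
        raise ValueError(f"not a method descriptor: {desc!r}")
    params_str, ret = m.groups()
    params, i = [], 0
    while i < len(params_str):
        start = i
        while i < len(params_str) and params_str[i] == "[":
            i += 1                                   # array dimensions
        if i >= len(params_str):
            raise ValueError(f"dangling '[' in {params_str!r}")
        if params_str[i] == "L":                     # object type runs up to ';'
            i = params_str.index(";", i) + 1
        elif params_str[i] in PRIMITIVES and params_str[i] != "V":
            i += 1
        else:
            raise ValueError(f"bad type at offset {i} in {params_str!r}")
        params.append(params_str[start:i])
    return params, ret


def register_layout(desc: str, registers: int,
                    is_static: bool = False) -> Tuple[int, Dict[str, Tuple[str, str]]]:
    """Given a method descriptor and its `.registers` count, return
    (number of locals, {pN: (vN alias, what it holds)}).

    Parameters sit at the END of the frame in declaration order; a non-static
    method has an implicit `this` as p0; a J or D parameter takes two
    consecutive registers and is named by the first of them."""
    params, _ = parse_descriptor(desc)
    slots: List[str] = [] if is_static else ["this"]
    for t in params:
        slots.append(t)
        if t in WIDE:
            slots.append(f"{t} (high half)")
    n_locals = registers - len(slots)
    if n_locals < 0:
        raise ValueError(f".registers {registers} cannot hold {len(slots)} parameter registers")
    mapping = {f"p{k}": (f"v{n_locals + k}", what) for k, what in enumerate(slots)}
    return n_locals, mapping


def render(desc: str, registers: int, is_static: bool = False) -> List[str]:
    """Lines in the style of the slide tables, e.g. 'v3  p0  this'."""
    n_locals, mapping = register_layout(desc, registers, is_static)
    lines = [f"v{i}  local register {i}" for i in range(n_locals)]
    lines += [f"{v}  {p}  {what}" for p, (v, what) in mapping.items()]
    return lines


if __name__ == "__main__":
    # Slide 26's quiz: doIt(JI)V with .registers 7
    for line in render("(JI)V", 7):
        print(line)
```

The `.locals` count on slide 23 is what `register_layout` returns first: `.registers 18` for a method with two parameter registers gives 16 locals.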
27. SYNTAX: jumping

    .method public doIt(JI)V
        .registers 7
        ...
        goto :goto_31
        ...
        :goto_31
        return-void

goto takes a branch offset; in smali it is written as a label in the same method.
28. SYNTAX: conditionals

    .method public foobar()V
        .registers 2
        const/4 v0, 0x0
        if-eqz v0, :cond_6
        return-void
        :cond_6
        # Do something
    .end method

Conditionals: if-eq, if-ne, if-lt, if-le, if-gt, if-ge compare two registers; add z (if-eqz, if-nez, ...) for the one-register form that compares against zero.
29. PUTTING IT ALL TOGETHER
Example, Java:

    package com.google.android.finsky;

    import android.app.Application;
    import android.accounts.Account;

    public class FinskyApp extends Application {
        Account mCurrentAccount;
        ...
        public String getCurrentAccountName() {
            if (mCurrentAccount != null) {
                return mCurrentAccount.name;
            } else {
                return null;
            }
        }
    }
30. PUTTING IT ALL TOGETHER
Same example, smali (.registers 2: v0 is the first local register, v1 == p0 is the 'this' instance):

    .method public getCurrentAccountName()Ljava/lang/String;
        .registers 2
        .prologue
        .line 617
        # iget-object <into this reg>, <from this object>, <this field>:<of type ...>
        iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
        if-nez v0, :cond_6
        const/4 v0, 0x0
        :goto_5
        return-object v0
        :cond_6
        iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
        goto :goto_5
    .end method
31. ONE FINAL STEP
Obfuscation!
- Renames classes, fields and methods
- Preserves the OS entry points (activities, services and the other classes the manifest names) and the references to framework classes (java.*, android.*), which are not part of the APK and so cannot be renamed
- Slows down the static analysis process
- Not a silver bullet, but an easy first line of defense

    iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
    invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;
32. BYTECODE: Questions?
33. PART II: DEMO
35. HACKING SCRAMBLE
Approach:
1. Unzip the APK and disassemble classes.dex (baksmali)
2. Isolate the target resources (e.g. the Scramble With Friends word list)
3. Patch the APK to receive the resource, serialize it and transmit it to the host
4. Reassemble classes.dex (smali) and rezip the APK
Diagram: APK -> disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali) -> APK
36. RESOURCE SERIALIZATION AND TRANSMISSION
Romain Guy's ViewServer
Diagram: the app's onCreate() -> addWindow() -> ViewServer, listening on localhost:4939 inside the app -> Android OS
37. STEP 1: DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove the old signature (META-INF/ holds the signature files, which will no longer match the patched dex):

    unzip scramble.apk
    rm -r ./META-INF

Disassemble:

    baksmali -a 10 -d <framework_path> ./classes.dex

-a: API level; -d: boot class path directory, e.g. out/target/product/generic/system/framework from an AOSP build (the framework jars the dex references).
38. STEP 2: ANDROID FORENSICS
- Decode with apktool and inspect AndroidManifest.xml for activities
- Find the word list... how? Beat obfuscation:
  - Search for class types (the list is a java.util.List) and for log message strings
  - Find the intersection of the two
- Insert your own log statements:

    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

As written this snippet overwrites v2 (the list) with its toString() result and expects v1 to already hold a tag string. If the method uses the list again afterwards, put the string and the tag in registers the method does not use (grow .registers), or the patched app will crash or misbehave.
39. STEP 3: INJECT VIEWSERVER INTO THE APP
Resource located! Now we need to send it...
- Apply a patch to ViewServer that stores the list:

    public static void setScrambleWordList(List list);

- Build the patched ViewServer and extract its .smali files
- Copy the smali files into our application
Easy enough, right?
40. STEP 4: PATCH THE APP TO USE THE VIEWSERVER API
Start the ViewServer in the onCreate() method of MainActivity.smali (Java: ViewServer.get()):

    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;

Pass the list to ViewServer in fu.smali (Java: ViewServer.setScrambleWordList(list)):

    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V

Both are calls to public static methods, so each patch is a single instruction whose only register dependency is the argument it passes (slide 6).
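Slide 6 (inject static calls with no register dependencies), step 2 (the log injection that clobbers the list register) and step 4 (the one-line ViewServer call) come down to editing smali text without disturbing live registers. The following Python is an added example, not code from the deck or from the ViewServer project: it grows a method's frame to obtain fresh registers, inserts instructions after an anchor line, and switches to the `/range` invoke form when the new registers cannot be encoded in the short form. The sample method and its class and field names are constructed stand-ins for the obfuscated fu.smali; the ViewServer and Log descriptors are the ones on the slides.

```python
import re

# Constructed sample method (names made up), modelled on the demo's fu.smali:
# after the move-result-object, v2 holds the word list and is still live,
# because the size() call that follows reads it.
SAMPLE_METHOD = """\
.method public a(I)V
    .locals 3

    .prologue
    iget-object v0, p0, Lcom/example/fu;->b:Ljava/util/List;
    invoke-static {v0, p1}, Lcom/example/fu;->c(Ljava/util/List;I)Ljava/util/List;
    move-result-object v2
    invoke-virtual {v2}, Ljava/util/List;->size()I
    move-result v1
    return-void
.end method
"""

FRAME_RE = re.compile(r"^([ \t]*)\.(locals|registers)[ \t]+(\d+)[ \t]*$", re.M)


def first_free_register(method_text, param_registers=None):
    """Index of a register no existing instruction can be using: the one just
    past the locals. With `.locals M` (baksmali -l output) that is simply vM.
    With `.registers N` the caller must supply how many registers the
    parameters occupy (this + params, J/D counting twice; see slides 24-26)."""
    m = FRAME_RE.search(method_text)
    if not m:
        raise ValueError("no .locals/.registers directive in method")
    directive, n = m.group(2), int(m.group(3))
    if directive == "locals":
        return n
    if param_registers is None:
        raise ValueError(".registers form: pass param_registers")
    return n - param_registers


def grow_frame(method_text, extra):
    """Enlarge the frame by `extra` registers. Parameters keep their pN names
    and smali re-resolves them to the new slots, so existing code is
    unaffected as long as it never names a parameter by its vN alias."""
    new_text, count = FRAME_RE.subn(
        lambda m: f"{m.group(1)}.{m.group(2)} {int(m.group(3)) + extra}",
        method_text, count=1)
    if count != 1:
        raise ValueError("no .locals/.registers directive in method")
    return new_text


def inject_after(method_text, anchor_regex, new_lines):
    """Insert smali lines right after the first line matching anchor_regex,
    copying that line's indentation."""
    lines = method_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if re.search(anchor_regex, line):
            indent = re.match(r"[ \t]*", line).group(0)
            block = "".join(f"{indent}{l}\n" for l in new_lines)
            return "".join(lines[: i + 1]) + block + "".join(lines[i + 1:])
    raise ValueError(f"anchor {anchor_regex!r} not found")


def inject_static_call(method_text, anchor_regex, call_line):
    """Step 4 style: a static method whose only register dependency is its
    argument needs no new registers at all, so the frame is left alone."""
    return inject_after(method_text, anchor_regex, [call_line])


def inject_log(method_text, list_register, tag="HACK", param_registers=None):
    """Step 2 style logging of a List, but with two fresh registers for the
    tag and the string so that the list register survives the patch."""
    t = first_free_register(method_text, param_registers)
    s = t + 1
    patched = grow_frame(method_text, 2)
    if s < 16:
        # The short invoke form encodes 4-bit register numbers only (v0-v15).
        invoke = f"invoke-static {{v{t}, v{s}}}, "
    else:
        # v16 and up need the /range form, which takes a contiguous run.
        invoke = f"invoke-static/range {{v{t} .. v{s}}}, "
    new = [
        f'const-string v{t}, "{tag}"',
        f"invoke-virtual {{{list_register}}}, Ljava/util/List;->toString()Ljava/lang/String;",
        f"move-result-object v{s}",
        invoke + "Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    ]
    anchor = rf"^\s*move-result-object\s+{re.escape(list_register)}\s*$"
    return inject_after(patched, anchor, new)


if __name__ == "__main__":
    print(inject_log(SAMPLE_METHOD, "v2"))
```

The frame-growth trick relies on baksmali's default of naming parameters pN; if a disassembly refers to parameters as vN (baksmali's `-p` option), growing the frame silently shifts them and the patch must rewrite those references too.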
41. STEP 5: REBUILD THE APK
Re-assemble:

    smali -a 10 ./out -o classes.dex

Re-compress (-0 stores the entries uncompressed):

    zip -0 -r ../scramble.apk ./*

Sign:

    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name

Present-day note: jarsigner produces only the JAR (v1) signature. Current toolchains zipalign the APK and sign it with apksigner (signature scheme v2/v3), and an APK targeting API 30 or later is not installable with a v1-only signature.
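Steps 1 and 5 (and slides 10, 11 and 16) unzip the APK, strip META-INF/, swap in the reassembled classes.dex and rezip. The following Python is an added example, not from the deck: it performs that repack with the standard zipfile module on a constructed toy APK (all entry contents and the "signature" files are made up and not a real signature), shows which entries the signature consists of, and stores resources.arsc uncompressed, which Android requires of apps targeting API 30 and later. The result is unsigned and still has to go through the signing step.

```python
import io
import zipfile

SIGNATURE_PREFIX = "META-INF/"          # MANIFEST.MF, CERT.SF, CERT.RSA live here
STORED_ENTRIES = {"resources.arsc"}     # must not be deflated (API 30+ rule)
ZIP_STORED, ZIP_DEFLATED = zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED  # 0 and 8


def build_toy_apk() -> bytes:
    """Constructed stand-in for scramble.apk with the layout of slide 8.
    Every payload is fake, including the signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary xml>")
        z.writestr("classes.dex", b"dex\n035\x00original")
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 64)
        z.writestr("res/layout/main.xml", b"<binary xml>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82fake-pkcs7")
    return buf.getvalue()


def signature_entries(apk: bytes) -> list:
    """Names of the JAR-signature entries, i.e. what `rm -r META-INF` removes."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return sorted(n for n in z.namelist() if n.startswith(SIGNATURE_PREFIX))


def repack(apk: bytes, replacements: dict) -> bytes:
    """Equivalent of `rm -r META-INF`, dropping in the new classes.dex, and
    `zip -r`: copy every non-signature entry, substituting the ones given in
    `replacements` (name -> bytes), with resources.arsc stored uncompressed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.startswith(SIGNATURE_PREFIX):
                continue                            # old signature no longer matches
            data = replacements.get(info.filename, src.read(info.filename))
            method = ZIP_STORED if info.filename in STORED_ENTRIES else ZIP_DEFLATED
            dst.writestr(info.filename, data, compress_type=method)
        for name, data in replacements.items():     # entries that did not exist before
            if name not in src.namelist():
                dst.writestr(name, data, compress_type=ZIP_DEFLATED)
    return out.getvalue()


def entry(apk: bytes, name: str):
    """(contents, compression method) of one entry, for checking the result."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read(name), z.getinfo(name).compress_type


def is_valid_zip(apk: bytes) -> bool:
    """True when every entry's CRC checks out."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.testzip() is None


if __name__ == "__main__":
    original = build_toy_apk()
    print("signature entries:", signature_entries(original))
    patched = repack(original, {"classes.dex": b"dex\n035\x00patched"})
    print("after repack:", signature_entries(patched), is_valid_zip(patched))
```

Because the signature covers the digests of every entry, any change to classes.dex invalidates it; that is why the old META-INF/ is discarded rather than kept, and why the installer will refuse the repacked file until it is signed again.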
42. STEP 6: INSTALL AND COMMUNICATE WITH THE APP
Install:

    adb install -r ../scramble.apk

Forward the port (host 4939 -> device 4939, where the injected ViewServer listens):

    adb forward tcp:4939 tcp:4939

Communicate: the ViewServer inside the app is the listening side, so the host connects to the forwarded port:

    nc 127.0.0.1 4939
43. RECAP: WHAT ZYNGA TEACHES US
Low-hanging fruit:
- Obfuscate: it's easy and makes things much harder
- Use ProGuard: it optimizes too
- Remove logs
- Use reflection
Design your application with cheaters in mind:
- Move logic to the cloud
- Google Play licensing
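The "use ProGuard" and "remove logs" items of the recap, as a configuration fragment. This is an added example, not from the deck: the keep rules mirror the entry-point rules shipped in the Android SDK's default proguard-android.txt, and the Log rule only takes effect when optimization is enabled (the SDK's proguard-android.txt sets -dontoptimize; proguard-android-optimize.txt does not).

```text
# Obfuscation is on by default. Keep the entry points the OS instantiates by
# name (the manifest references them), as slide 31 describes.
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider

# "Remove logs": declare that these calls have no side effects, so the
# optimizer deletes every call whose return value is unused. Requires
# optimization to be enabled; -dontoptimize cancels this rule.
-assumenosideeffects class android.util.Log {
    public static *** v(...);
    public static *** d(...);
    public static *** i(...);
    public static *** w(...);
    public static *** e(...);
}
```

Check the result in the disassembly rather than trusting the config: the Log call disappears, but the StringBuilder chain that built its message may survive unless the optimizer also finds it dead, and the message strings then remain available to the grep-for-log-strings search of step 2.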
44. FINALLY... WHAT ZYNGA TEACHES US
45. Thank you. @davtbaum DAVID@ .COM
Editor's notes
META-INF/ contains the signature files (MANIFEST.MF, CERT.SF and the signer's certificate in CERT.RSA), not keys; deleting it removes the old signature so the patched APK can be re-signed.