WHO NEEDS THUMBS?!
REVERSE ENGINEERING
SCRAMBLE WITH
FRIENDS

    JOSH MATTHEWS
    DAVID TEITELBAUM


      MAY 2012
OBJECTIVES
• APK Code Injection
• Smali/Baksmali
• Android Instrumentation
• Android Forensics
• Hands On!
© 2012 Apkudo Inc. Confidential www.apkudo.com
VIEW SCRAMBLE
WITH FRIENDS
DEMO HERE:
     http://tiny.cc/r79rew
APK HACKING
Approach
1. Extract the APK and disassemble classes.dex
2. Isolate the target resources (e.g., the Scramble With Friends word list)
3. Create a server to receive the resource, serialize it, and transmit it to the host
4. Patch the APK with the server.
BUT I DON’T KNOW
DALVIK!?
DON’T WORRY!
• You do know Java, and the Smali/Baksmali tools let you see compiled Java code as Dalvik byte code
• By sticking to public static methods within the server, each static method call in Dalvik is only two lines long:
    invoke-static {}, Lcom/zynga/scramble/ViewServer;->get()Lcom/zynga/scramble/ViewServer;
    move-result-object v0
SMALI/BAKSMALI?
DALVIK ASSEMBLER/
DISASSEMBLER
• Baksmali disassembles an APK's classes.dex executable into readable Dalvik byte code (.smali)
• Smali re-assembles .smali files back into a .dex Dalvik executable
• Gives developers the ability to modify Android APKs without having access to the source code
• Documentation on Smali/Baksmali and Dalvik is in the Smali wiki:
    http://code.google.com/p/smali/w/list
ROMAIN’S VIEWSERVER
 LOCAL SERVER FOR ANDROID’S
 HIERARCHY VIEWER
• Serves the app's view data to the host (hierarchyviewer) over a port forwarded through ADB
• Runs entirely in the APK's address space
• Developed to emulate the Android ViewServer implemented on development Android devices
• Perfect for transmitting the serialized word list back to a host machine
• A ViewServer window must be added in the onCreate() method of each activity in the app.
• https://github.com/romainguy/ViewServer
STEP 1
     DECOMPRESS AND
     DISASSEMBLE
• Extract classes.dex and remove the signature files (META-INF):
    unzip scramble.apk
    rm -r ./META-INF
• Disassemble:
    baksmali -a 10 -c <framework_path> ./classes.dex
    -a = API level
    -c = bootclasspath, e.g. out/target/product/generic/system/framework
STEP 2
     ANDROID FORENSICS
• Investigate the .smali source code for where resources are aggregated
• Trace!
    the onCreate() method in the calling activity
    ScrambleGameActivity.java
    Insert log statements to print the active resources:
    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
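The trace above, and the two-line static call form on the "But I don't know Dalvik" slide, are exactly what a developer auditing a suspect build of their own app looks for in a baksmali output tree: a class in the app's own package that the release build never contained, and the invoke-static instructions that call into it. The following script is an added example, not code from the slides or from Apkudo; it assumes only the smali syntax the slides show (a `.class` directive names the type a file defines, an `invoke-*` instruction names the class, method and signature it calls). The two sample files, the baseline class set and the package prefix are constructed here.

```python
"""Audit a baksmali output tree against a known-good class list (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample tree: two files as they might appear under ./out, cut down
# to the lines that matter for the audit.
SAMPLE_TREE: Dict[str, str] = {
    "com/zynga/scramble/ScrambleGameActivity.smali": """\
.class public Lcom/zynga/scramble/ScrambleGameActivity;
.super Lcom/zynga/scramble/BaseActivity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 3
    invoke-super {p0, p1}, Lcom/zynga/scramble/BaseActivity;->onCreate(Landroid/os/Bundle;)V
    invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
    invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
    return-void
.end method
""",
    "com/zynga/scramble/ViewServer.smali": """\
.class public Lcom/zynga/scramble/ViewServer;
.super Ljava/lang/Object;

.method public static get()Lcom/zynga/scramble/ViewServer;
    .locals 1
    sget-object v0, Lcom/zynga/scramble/ViewServer;->sServer:Lcom/zynga/scramble/ViewServer;
    return-object v0
.end method
""",
}

# Constructed baseline: the class descriptors the developer's own release build contains.
BASELINE: Set[str] = {
    "Lcom/zynga/scramble/ScrambleGameActivity;",
    "Lcom/zynga/scramble/BaseActivity;",
}
APP_PREFIX = "Lcom/zynga/scramble/"  # the app's own package as a Dalvik descriptor prefix

# '.class <modifiers> Lpkg/Name;'
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[\w/$]+;)\s*$", re.M)
# 'invoke-kind {regs}, Lpkg/Name;->method(args)ret'
INVOKE_RE = re.compile(
    r"^\s*(invoke-[a-z/]+)\s+\{[^}]*\},\s*(L[\w/$]+;)->([\w<>$]+)\(([^)]*)\)(\S+)", re.M
)


def defined_classes(tree: Dict[str, str]) -> Set[str]:
    """Every type descriptor defined by a '.class' directive in the tree."""
    found: Set[str] = set()
    for text in tree.values():
        found.update(CLASS_RE.findall(text))
    return found


def invocations(tree: Dict[str, str]) -> List[dict]:
    """All invoke-* instructions with caller file, kind, target class and method."""
    calls: List[dict] = []
    for path, text in tree.items():
        for kind, cls, method, args, ret in INVOKE_RE.findall(text):
            calls.append({"file": path, "kind": kind, "class": cls,
                          "method": method, "args": args, "ret": ret})
    return calls


def audit(tree: Dict[str, str], baseline: Set[str], prefix: str) -> dict:
    """Flag classes in the app's own package that the known-good build never had,
    plus every call whose target is such a class."""
    unknown = {c for c in defined_classes(tree) if c.startswith(prefix) and c not in baseline}
    # A call into the app's namespace whose target is not in the baseline is
    # suspicious even if the defining file is missing from the tree.
    unknown |= {c["class"] for c in invocations(tree)
                if c["class"].startswith(prefix) and c["class"] not in baseline}
    suspicious_calls = [c for c in invocations(tree) if c["class"] in unknown]
    return {"unknown_classes": sorted(unknown), "calls_into_unknown": suspicious_calls}


if __name__ == "__main__":
    report = audit(SAMPLE_TREE, BASELINE, APP_PREFIX)
    for cls in report["unknown_classes"]:
        print("class not in baseline:", cls)
    for call in report["calls_into_unknown"]:
        print(f"{call['file']}: {call['kind']} {call['class']}->{call['method']}"
              f"({call['args']}){call['ret']}")
```

On the sample tree the audit reports `Lcom/zynga/scramble/ViewServer;` as a class the baseline never had, and the one `invoke-static` into `storeList` as the call that feeds it. The baseline is the important input: generate it from your own build's classes.dex (the `.class` lines of a baksmali run over the release artifact), and keep it next to the release so a repackaged build can be diffed against it.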
WHAT WE FOUND
 A LIST OF WORDS AND MATRIX
 POSITIONS
STEP 3
     COMPILE VIEWSERVER INTO
     DONOR APP
• The donor can be any Android app you can build from source
• Just include the server's .java files as part of the package
    the server does not need to be instantiated or used by the app itself
    it is there for compilation purposes only!
STEP 4
     EXTRACT SERVER FROM DONOR
     AND INJECT INTO SWF
• Disassemble ViewServer.apk
• Use sed to rename every reference from com.android.debug.hv.ViewServer to com.zynga.scramble.ViewServer
• Run (BSD/macOS sed; GNU sed takes -i without the empty argument):
    find . -type f -exec sed -i '' 's|Lcom/android/debug/hv/ViewServer|Lcom/zynga/scramble/ViewServer|g' {} +
• Copy the ViewServer .smali files into the SWF out directory
STEP 5
     PATCH SWF TO SERVE VIEW
     DATA ON ACTIVITY LAUNCH
• Preliminary investigation shows that SWF uses a base class that extends Activity
    • grep -sir '.super Landroid/app/Activity;' ./
• In the onCreate() and onResume() methods, invoke ViewServer.addWindow() and ViewServer.setFocusedWindow() respectively!
STEP 6
     IMPLEMENT RESOURCE
     SERIALIZATION ON VIEWSERVER
• Create a public static method that takes in the resource, serializes it, and transmits it to the host.
• Patch the APK to invoke this method once the resources have been collected:
    invoke-interface {v2, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
    invoke-static {v2}, Lcom/zynga/scramble/ViewServer;->storeList(Ljava/util/List;)V
STEP 7
     REBUILD APK
• Re-assemble:
    smali -a 10 ./out -o classes.dex
• Re-compress (-0 stores entries without compression):
    zip -0 -r ../scramble.apk ./*
• Sign the APK:
    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name
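Step 1 strips META-INF and Step 7 re-signs the rebuilt archive with whatever keystore the patcher has, so from the developer's side the two artefacts of a repackaged build are a missing or inconsistent signature block and a signer that is not the release key. The script below is an added example, not code from the slides or from Apkudo: it verifies the JAR-style META-INF/MANIFEST.MF that jarsigner writes (one SHA1-Digest or SHA-256-Digest per entry) against the actual entry contents, and reports archives with no manifest at all. The APKs it checks are built in memory, so every entry, digest and "classes.dex" payload is constructed rather than taken from a real app.

```python
"""Check an APK's META-INF manifest digests before trusting it (added example)."""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

DIGESTS = {"SHA1": ("SHA1-Digest", hashlib.sha1), "SHA-256": ("SHA-256-Digest", hashlib.sha256)}


def build_manifest(entries: Dict[str, bytes], algo: str = "SHA1") -> str:
    """Produce a MANIFEST.MF with one digest section per entry, as jarsigner does."""
    attr, fn = DIGESTS[algo]
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(fn(data).digest()).decode("ascii")
        lines += [f"Name: {name}", f"{attr}: {digest}", ""]
    return "\r\n".join(lines) + "\r\n"


def make_apk(entries: Dict[str, bytes], signed: bool = True,
             manifest_for: Optional[Dict[str, bytes]] = None, algo: str = "SHA1") -> bytes:
    """Zip the entries into an APK-shaped archive; the manifest may be computed over
    a different entry set (manifest_for) to simulate a patched dex under an old manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", build_manifest(manifest_for or entries, algo))
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Split MANIFEST.MF into per-Name sections, honouring JAR line continuation."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous attribute
        else:
            unfolded.append(line)
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in unfolded + [""]:
        if not line:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def check_apk(apk: bytes) -> dict:
    """Report a missing manifest, entries without a digest, and digests that do not match."""
    report: dict = {"has_meta_inf": False, "undigested": [], "mismatched": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return report  # the 'rm -r ./META-INF' of Step 1 leaves exactly this state
        report["has_meta_inf"] = True
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            attrs = sections.get(name)
            if not attrs:
                report["undigested"].append(name)
                continue
            data = zf.read(name)
            if "SHA-256-Digest" in attrs:
                expected, actual = attrs["SHA-256-Digest"], hashlib.sha256(data).digest()
            else:
                expected, actual = attrs.get("SHA1-Digest", ""), hashlib.sha1(data).digest()
            if base64.b64encode(actual).decode("ascii") != expected:
                report["mismatched"].append(name)
    return report


# Constructed payloads standing in for a real classes.dex and AndroidManifest.xml.
ORIGINAL = {"classes.dex": b"dex\n035\0" + b"\x00" * 100, "AndroidManifest.xml": b"<manifest/>"}
PATCHED = dict(ORIGINAL, **{"classes.dex": b"dex\n035\0" + b"\x41" * 100})


def demo() -> dict:
    """Run the check against an intact, a stripped and a tampered archive."""
    return {
        "intact": check_apk(make_apk(ORIGINAL)),
        "intact_sha256": check_apk(make_apk(ORIGINAL, algo="SHA-256")),
        "stripped": check_apk(make_apk(ORIGINAL, signed=False)),
        "tampered_dex": check_apk(make_apk(PATCHED, manifest_for=ORIGINAL)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The digest check catches a dex edited under an untouched manifest and an archive whose META-INF was simply removed; it does not catch a complete re-sign, because jarsigner regenerates consistent digests. For that case compare the signer against the release key, for example with `apksigner verify --print-certs` (outside this script), and remember that the platform itself refuses to install a differently signed package over an existing one, which is the control that keeps a repackaged build from replacing the store version on a user's device.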
APE
     INTELLIGENT ANDROID
     INSTRUMENTATION
• Fully aware of the application's content
• Invokes actions and makes decisions based on what it sees
• Optimized and extended Romain's ViewServer:
    transmits view data after each invoked action
    introspects on OpenGL
• Uses the word list to obtain matrix positions and OpenGL introspection to find the buttons on screen
Thank you.
@jshmthws   JOSH@   .COM
@davtbaum DAVID@    .COM

Editor's Notes

1. Once you have your app disassembled, apply forensics! We knew SWF was storing word lists: when was this list being populated, and how? Trace!