Click here to load reader

Club Hack Mag - Dec 2010

  • View

  • Download

Embed Size (px)


1st Indian "Hacking" Magazine

Text of Club Hack Mag - Dec 2010

Issue 2 Mar 2010 | Page - 1

Issue 11 Dec2010 | Page - 2

Issue 11 Dec2010 | Page - 3

Android Reverse Engineering - A Kick StartIntroductionRecently, the open source mobile operating system Android has a large community of developers writing application programs that extend the functionality of supporting devices. It seems a lot of people are getting crazy about the Android platform these days (everyone is trying to buy an Android phone!). I dont have an Android cell phone but still, I did manage to learn a few tricks on this Linux + java clean room engineered platform. In this article I shall explain you with an example, the simple technique of reverse engineering a normal android application.

published by Deurus and explained the steps involved to legally reverse engineer this application. And our objective (Dont get the wrong idea friends!) is to break the licensing scheme of this application. So to begin our journey we first need to get geared up. First we need the Android SDK and then the necessary tools. You can download the necessary files from these locations: Android SDK: ml Smali and baksmali: Dex2jar: Java decompiler: Deurus Android crackme 03: crackme03/

Setting up the GroundFor the purpose of a demonstration, I have chosen an Android crackme application

Issue 11 Dec2010 | Page - 4

Getting Started with the GameDownload all these files to your hard disk. Unzip Android SDK to C:\. Unzip rest of the tools to C:\ android-sdk-windows\RE. If everything is in order you can start Android SDK manager from C:\android-sdkwindows\. Now it will give you a list of packages to download and install. We need to select at least one SDK platform to continue our quest. After downloading and installing, we can move on to creating a new Android Virtual Device.

Issue 11 Dec2010 | Page - 5

After creating AVD, we can start emulation by selecting AVD and clicking the start button. Within a few minutes we can see the emulator booting up and showing the phone screen. Thats it! We have our emulator up and running. Now we need to install the software (crackme, its legal!) to the emulator. For that you may have to get acquainted with Android debug bridge (adb). Installing an apk file is pretty simple; all you have to do is to run two commands from the Android SDK directory/tools.

After the installation you can see the crackme icon from application menu.

Issue 11 Dec2010 | Page - 6

Now run the crackme by clicking on it. If everything went as expected you will see the crackme application on the screen. Now lets try to play with it a bit, pressing the check button with no inputs pops a message 'Min 4 chars', and if the check button is pressed with a proper name it pops up a message 'Bad boy'. Do remember these strings because we will be using them as our search keys when we deassemble the apk (actually the dex) files. Also note that we have two hardware ids and we need to find out what those exactly mean.

Now for real Reverse EngineeringAs our crackme is up and running in the emulator, we can now move on to the reversing part. If you have read the apk file format, you can somewhat visualize it as an extended JAR file which essentially is a zip file. Now you can change the crackme file name from Crackme03.apk to and decompress it to any folder.

Issue 11 Dec2010 | Page - 7

Now the interesting file for us is the classes.dex, which contains the compiled virtual machine (vm) codes. We are now going to deassemble the dex file with baksmali. The commands are pretty simple as mentioned in the screen shots below.

Our aim is now to understand the serial checking function and write a keygen for it. For which we have to know all the dalvik opcodes that are used here. You can visit this page ( vik_opcodes.html) to understand the opcodes and after that you can convert the disassembled code to much higher language constructs. Here, I will provide a brief code snippet which actually implements the algorithm. The two hardware ids used are the IMEI and the sim serial number. 01 //Read name from text box 02 const v23, 0x7f050004 03 invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid; ->findViewById(I)Landroid/view/View; 04 move-result-object v9 05 06 //Read serial from text box 07 const v23, 0x7f050006 08 invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid; ->findViewById(I)Landroid/view/View; 09 move-result-object v21 10 11 //Checking whether the name is of length greater than 4 12 const/16 v22, 0x4 13 move v0, v11 14 move/from16 v1, v22 15 if-ge v0, v1, :cond_51 16 17 //Popup showing Min 4 chars 18 const-string v23, "Min 4 chars" 19 const/16 v24, 0x1 20 .line 86

If everything worked fine, we will have a folder structure similar to Java packages. Interesting .smali files are located at '\com\example\helloandroid'. Open all the .smali files into your favorite text editor(I use Notepad++). If you have never done anything related to reverse engineering/esoteric programming/assembly(IL) programming, dont start sweating. We have just opened a disassembled dex file. Next, if you are thinking that how on earth can someone find the correct location of a checking function, Well I hope you remember those pop up strings I told earlier. Yeah, 'Min 4 chars' and 'Bad boy'. It is time to use those strings as our search keys. After searching the Min 4 chars in all the opened .smali files, we will find a hit in the file HelloAndroid$2.smali, quite specifically line 130.

Issue 11 Dec2010 | Page - 8

21 invoke-static/range {v22 .. v24}, Landroid/widget/Toast;>makeText(Landroid/content/Context;Ljav a/lang/CharSequence;I)Landroid/widget/T oast; 22 move-result-object v13 23 .line 88 24 .local v13, notificacionToast:Landroid/widget/Toast; 25 invoke-virtual {v13}, Landroid/widget/Toast;->show()V 26 27 //There is a little exception trick to make integer string from username 28 //It converts aaaa to 97979797 which is ascii equivalent 29 invoke-virtual {v10, v5}, Ljava/lang/String;->charAt(I)C 30 move-result v3 31 32 //Getting first 5 chars from ascii converted name 33 const/16 v22, 0x0 34 const/16 v23, 0x5 35 move-object v0, v12 36 move/from16 v1, v22 37 move/from16 v2, v23 38 invoke-virtual {v0, v1, v2}, Ljava/lang/String;>substring(II)Ljava/lang/String; 39 40 //Converting it into integer and xoring with 0x6B016 - Serial part 1 41 invoke-static {v12}, Ljava/lang/Integer;>parseInt(Ljava/lang/String;)I 42 move-result v22 43 const v23, 0x6b016 44 xor-int v22, v22, v23 45 46 //Getting IMEI from TelephonyManager 47 // Android/telephony/TelephonyManager.htm l 48 invoke-virtual {v8}, Landroid/telephony/TelephonyManager;>getDeviceId()Ljava/lang/String; 49 move-result-object v6 50 .line 102 51 .local v6, imei2:Ljava/lang/String; 52

53 //Getting sim serial 54 invoke-virtual {v8}, Landroid/telephony/TelephonyManager;>getSimSerialNumber()Ljava/lang/String; 55 move-result-object v16 56 .line 103 57 .local v16, simsn:Ljava/lang/String; 58 59 //Getting first 6 chars from IMEI, and similarly from sim serial (IMEI.Substring(0,6) will be used as Serial part 3) 60 const/16 v22, 0x0 61 const/16 v23, 0x6 62 move-object v0, v6 63 move/from16 v1, v22 64 move/from16 v2, v23 65 invoke-virtual {v0, v1, v2}, Ljava/lang/String;>substring(II)Ljava/lang/String; 66 67 //Converting them to integer and xoring - Serial part2 68 invoke-static/range {v19 .. v19}, Ljava/lang/Integer;>parseInt(Ljava/lang/String;)I 69 move-result v22 70 invoke-static/range {v20 .. v20}, Ljava/lang/Integer;>parseInt(Ljava/lang/String;)I 71 move-result v23 72 xor-int v22, v22, v23 73 74 //Making a new StringBuilder object and formatting the string to part1-part2-part3 75 new-instance v22, Ljava/lang/StringBuilder; 76 invoke-static {v12}, Ljava/lang/String;>valueOf(Ljava/lang/Object;)Ljava/lang/St ring; 77 move-result-object v23 78 invoke-direct/range {v22 .. v23}, Ljava/lang/StringBuilder;>(Ljava/lang/String;)V 79 const-string v23, "-" 80 invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;>append(Ljava/lang/String;)Ljava/lang/Str ingBuilder; 81 move-result-object v22 82 invoke-static/range {v17 .. v18},

Issue 11 Dec2010 | Page - 9

Ljava/lang/String;>valueOf(J)Ljava/lang/String; 83 move-result-object v23 84 invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;>append(Ljava/lang/String;)Ljava/lang/Str ingBuilder; 85 move-result-object v22 86 const-string v23, "-" 87 invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;>append(Ljava/lang/String;)Ljava/lang/Str ingBuilder; 88 move-result-object v22 89 move-object/from16 v0, v22 90 move-object/from16 v1, v19 91 invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;>append(Ljava/lang/String;)Ljava/lang/Str ingBuilder; 92 move-result-object v22 93 94 //Checking whether user entered serial and program made serials are equal. 95 invoke-virtual {v14, v15}, Ljava/lang/String;>equals(Ljava/lang/Object;) As you can see, the algorithm is pretty straight forward. It is using name and two hardware ids as input and doing some operations on them to make a serial. We can quite easily recode it in any programming language that we prefer to make it as a keygen. Anyways, I am not posting any keygen sources as it will spoil the whole phun!

At first 'aaaaa' will be converted to '9797979797', from which we will take first 5 letters and convert it into integer 97979 This will be xored with 0x6B016 resulting 511661 and this will be the first part of serial. For the second part, we will take the first 6 letters from HW ID1 and HW ID2, convert them to integer and xor, resulting 000000^890141 = 890141. For the third part we will use the first 6 characters from HW ID1. Formatting with the specified delimiter the serial will become '511661-890141-000000'.

Decoding the AlgorithmA demonstrative serial calculation routine is given below: Name: aaaaa HW ID1: 0000000000000000 HW ID2: 89014103211118510720 Here are stepwise instructions generating final serial number on

Issue 11 Dec2010 | Page - 10

Final Verification of ReversingNow let us put the same magic number into our Crackme application. Bingo! Everything worked as expected. Now, for all those who think it is pretty hard to read all those deassembled instructions and manually converting them to higher language constructs, there are other options. As dalvik is based on the design of Java, it is also susceptible to decompilation. There is no decompiler available at this moment, but there is a hope. For now we can use another utility which converts dex files to jar files so that we can use Java decompilers to see much more abstracted code. From the starting of this article you may have noticed a tool dex2jar. You can use the dex2jar to convert classes.dex to classes.dex.dex2jar.jar. Open it in a Java decompiler and you can see much better output than dalvik disassembly. Please note that dex2jar is still in a development phase and the output you get could be meaningless in many

places. This should be used only to get a quick understanding of all the functions.

ConclusionIn this introductory article, I explained reversing of an Android application using the emulator and all available tools in sequence with pictorial elaborative steps. It is mainly based to set up your ground for further reversing work on Android Platform. Well, thats it! We have analyzed an Android program and defeated its protection. Cheerio!

Dhanesh kDhanesh is a software engineer specialized in .NET programming. In his spare time he works on Win32 reversing and malware analysis.

Issue 11 Dec2010 | Page - 11

Android Security AppsAndroid is creating some (a lot actually!) buzz all over with all its awesome user friendly features and apps. Millions of applications and games are available to choose from. Our phones have all sorts of personal data messages, photos, etc. At some point these apps access your data. And as we all know data=money, so lets have a look at some apps that will help you protect your data and privacy.

provides anti-virus protection, malware and spyware blocking functions. It also scans every app installed on your phone thus preventing you from using those apps in future.

If you loose your phone, you can track your phones location via locate phone on map feature. It basically sounds an alarm from the device itself when asked to track it. Another good feature of this app is that it allows you to backup and restore your data, like contact, photos, text messages and emails etc. All in one package huh! And guess what? It is a freeware! You can get it here

Malware and Theft Protection AppsHere are few apps that will help you protect your data, privacy.

1. Lookout Mobile SecurityThis is one of the good apps protecting your phone from viruses, data loss, etc. This app

Issue 11 Dec2010 | Page - 12

2. WaveSecureAnother good all-in-one app that protects your data and privacy. It can track the location of your phone incase its stolen or misplaced by you. It basically sends a sms alert to a pre-defined contact. It has this

amazing ability to locate, lock and wipe a device remotely. Yes! you can WIPE your data remotely if your phone is not found. Though it does not provide anti-virus protection, it does provide backup and restore facility. Recently, WaveSecure was McAfee. acquired by

The Protector allows users to password protect various Android apps including Chat, Notepad, Calendar, Photos, Setting, Email, Gmail and even their SMS inbox. One negative aspect of this app is that it does not provide a pin recovery service. So it can create a lot of problems if you forget or lose your pin code. And one more good thing its FREE!! URL: -

URL: android.aspx

4. Norton Mobile SecurityThis app has got almost same features as that of apps mentioned above. Like tracking, remote lock-and-wipe ability, anti-virus etc.

3. ProtectorIt enables users to password protect any application stored on their phone. This security app takes it one step further by enabling users to even password protect any feature of an existing app on your phone. Many users will experience the benefits of this security app.

Issue 11 Dec2010 | Page - 13

In addition to this, you can block or control incoming calls and sms of some person from your call log. Again, its free! URL: -

URL: - Few more app you can use Smobile AntiTheft, aFirewall. I hope this will help you decide which app to use and protect your data. Be Safe

5. SMobile Security ShieldThis app comes in two flavors one with Anti-Virus and other with Parental Control. This is a power packed app with some great features. Features like Anti-Virus Anti-spam. This blocks calls and messages from annoying person(s). Firewall. Helps in keeping malicious programs at bay.

Saurabh Shah Shah has done Masters in Computer Science from Pune university. He says that he would love to try to do experiments on Android phone and trying to learn some apps, security is very important for Android these days before someone steals or breaks you stuff on android. Working as a FrontEnd Web Developer (@, majorly in Joomla.

Backup and restore ability. Lock-and-wipe ability. GPS to locate phone when stolen. And also parental controls like text messages and email monitoring, child locator, etc.

Though this is a not a free app but its worth it.

Issue 11 Dec2010 | Page - 14

Android Application SafetyAndroid is a Linux based mobile "smartphone" operating system. Android(tm) was designed with security in mind, and almost all of the important functions of the system are protected by layers of defense. Applications installed on the system declare what features and functions it needs or wish to access via a Manifest - a declaration written by the developer of the app, that cannot be changed during the lifetime of the application package installed on the Android(tm) device. Newer versions of the app can modify the Manifest, but when updating the app, the system requests the user to allow the change. The Manifest contains important information about the app - but Permissions are the most important part by far. Permissions are a declaration about what sensitive data and parts of the system are going to be accessed by the app being

installed. Some examples of android permissions : ACCESS_FINE_LOCATION - access Gps location. CALL_PHONE - place calls. CAMERA - access the camera. SEND_SMS - send sms messages. INTERNET - access the web. the full list is avialable at : droid/Manifest.permission.html

Issue 11 Dec2010 | Page - 15

"angry birds bonus level" proof of concept used by the malware to install more apps silently in the background. Google has already fixed the problem, but the issue can still affect older phones - Never install an apps that requests this permission. A notable exception to this rule is the Appbrain app. However - apps that needs the permissions for their work by reputable developers can be installed with no problem : Chompsms need access to SEND_SMS to work, Facebook apps needs access to the internet, an alternative dialer program can be allowed to dial the phone. When an app that looks like a game, or a video player asks for SEND_SMS then you should not install it and notify someone about it - Us at or google, or the market comments. Remember that the moblie phone is the closest thing to you after your family, it goes with you everywhere and it contains most of your personal, private and revealing information! always check the permissions before installing a new app or a game. Have fun with your Android phones!

When installing an app the market or other installer asks the user to confirm the permissions the app requests. Reading these carefully and understaing the implications of the permissions can help the user avoid many of the dangers of using a smartphone. for instance: SEND_SMS permission can allow the app to send SMS from the phone to premium numbers, thus deducting money from the user. MAKE_CALLS can allow the app to make phone calls and deducts money in the same way. ACCESS_FINE_LOCATION + INTERNET can allow the app to track the user location, and sell the info to advertizing companies for targeted ads in the best case scenario and in the worst actively snoop on the user. READ_SMS, READ_CALL_LOG, READ_LOGS - these permissions can be used to access the user calls, sms and more. Combined with INTERNET they can be used to snoop on the user, or steal his data. the gsf.READ_GSERVICES is especially dangerous - as it is the basic permission the

Oren barAdOren barAd, working at Droidsecurity for 1 year as a Developer and Researcher focusing on mobile security. part time hacker, and hardware/gadget enthusiast.

Issue 11 Dec2010 | Page - 16

Electronic contracts & the Indian lawChapter IV of the Information Technology Act, 2000 (amendment of 2008) contains Sections 10, 11, 12 and 13 which talks about Legal Recognition to Electronic Contracts, Attribution, Acknowledgment and Dispatch of Electronic Records.

This Section is based on the United Nations Convention on the use of Electronic Communications in International Contracts. Section 11:Attribution of electronic records, An electronic record shall be attributed to the originator a) if it was sent by the originator

Section 10A of the IT Act, 2000 provides that, a communication or contract shouldnt be denied or declared void merely because its in electronic form. i.e. Every electronic contract has legal recognition same as traditional paper based contract.

himself; b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or c) by an information system programmed by or on behalf of the originator to operate automatically.

Issue 11 Dec2010 | Page - 17

(1) Where the originator has not agreed Here, Originator means (Sec. 2(1) (za)):A person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person Originator Intermediary. Example:Vivek uses his yahoo account to send an email to Rohit. Here, Vivek is the originator & Yahoo is the intermediary. Example:Vivek is on vacation. During vacation he has turned his vacation responder on with the following message:Thank you for your email. I am on vacation, will reply your mail as soon I get back. Here, though Vivek has programmed an information system to operate automatically on his behalf. Still Vivek is the originator in this case. Section 12:Acknowledgement of receipt Example:Rohit sends an email to Pooja asking her that he would like to purchase a car and would like to know the prices of the cars available for sale. Pooja in return sends Rohit Here, Addressee means (Sec. 2 (1) (b)):A person who is intended by the originator to receive the electronic record but does not include any intermediary. Example:Vivek uses his yahoo account to send an email to Rohit. Here, Vivek is originator, Yahoo is intermediary & Rohit is addressee. doesnt include a) any communication by the or addressee, otherwise; or b) any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received. automated with the addressee of that receipt the of acknowledgment

electronic record be given in a particular form or by a particular method, an acknowledgment may be given by

Issue 11 Dec2010 | Page - 18

a catalogue of prices of the cars available for sale. Now this action of Pooja is sufficient to indicate to Rohit (the originator) that his email (i.e. the electronic record) has been received by the addressee (i.e. Pooja). (2) Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then has unless so acknowledgment been Example:Pooja composes a message for Rohit. At exactly 12.00 noon she presses the Send button. When she does that the message leaves her computer and begins its journey across the Internet. It is now no longer in Poojas control. The time of (3) Where the originator has not dispatch of this message will be 12.00 noon. (2) Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely: (a) if the addressee has designated a computer resource for the purpose of receiving electronic records, (i) receipt occurs at the time when the electronic record enters the designated computer resource; or (ii) if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at stipulated that the electronic record shall be binding only on receipt of such acknowledgment, has and not the been acknowledgment (1) Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator. Sec. 13:Time and place of dispatch and receipt of electronic record

received, the electronic record shall be deemed to have been never sent by the originator.

received by the originator within the specified time or reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him. Now if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent.

Issue 11 Dec2010 | Page - 19

the time when the electronic record is retrieved by the addressee; (b) if the addressee has not designated a computer resource along with the specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee. (3) Save as otherwise agreed to between the originator and the addressee, an electronic record is deemed to be dispatched at the place where the originator has his place of business, and is deemed to be received at the place where the addressee has his place of business. (4) The provisions of sub-section (2) shall apply notwithstanding that the place where the computer resource is located may be different from the place where the electronic record is deemed to have been received under sub-section (3). Example:Rohit has entered into contract with a US based company. Company has its server in Brazil. Even if the company has its mail server located physically in Brazil, the place of receipt of the order would be the companys office in USA. (5) For the purposes of this section, (a) if the originator or the addressee has more than one place of business, the principal place of business, shall be the place of business;

(b) if the originator or the addressee does not have a place of business, his usual place of residence shall be deemed to be the place of business; (c) "usual place of residence", in relation to a body corporate, means the place where it is registered.

Sagar Rahukar [email protected] Rahukar, a Law graduate, is Head(Maharashtra) at Asian School of Cyber Laws. Sagar specializes in Cyber Law, Intellectual Property Law and Corporate Law. Sagar also teaches law at numerous educational institutes and has also trained officials from various law enforcement agencies.

Issue 11 Dec2010 | Page - 20

Tethering your androidIntroductionFrankly this issue of Command Line Gyan does not have as much flesh as previous issues. But we thought of dedicating this issue to Android so here we are with a small article on how to tether your android. As per wikipedia Tethering is the use of a mobile device with Internet access such as 3G cellular service to serve as an Internet gateway or access point for other devices. Other devices may connect to the gateway via Bluetooth, Wi-Fi or by Universal Serial Bus (USB) cabling. The connectivity can be normal GPRS/EDGE or most awaited 3G. At the same time other device can be other wi-fi enabled phone/pda, laptop or even desktop. For the sake of this article Im taking example of my Samsung android device but be assured it will be same in all phones

LinuxI have personally tried this trick in BackTrack4 and Debian5 (lenny) but Im sure it will run similarly on other Linux distros. The moment you connect your android over USB youll be prompted with different connectivity options on the phone as shown below.

Issue 11 Dec2010 | Page - 21

Select PC Internet in this (obviously). Remember exact screen might not appear as per different models & android version. Once you select PC Internet there will be a device created in your system. In all my attempts the device created was USB0. Make sure you check the exact device created from dmesg. Once you get this device/interface created, all you need to do is seek IP over DHCP for this interface. dhclient usb0 Or dhcpcd usb0 Done sir, your tethered internet is working on your Linux machine now. Interestingly android works as a DHCP server and a NAT device. Thats really smart.

Rohit Srivastwa [email protected]

WindowsSorry OK, as far as I have tried & seen, I havent found a way out in windows to do it via command line. Yes there are a few apps to tether the phone, but nothing on command line. Although its against the spirit of this section of the magazine but Ills til point out a few apps to do tethering on Windows Some of such apps are 1) PDAnet 2) EasyTether 3) Proxoid Best of luck with GUI in windows

Issue 2 Mar 2010 | Page - 1