Club Hack Mag - Dec 2010



1st Indian "Hacking" Magazine



Issue 11 Dec2010 | Page - 2


Android Reverse Engineering - A Kick Start

Introduction

Recently, the open source mobile operating system Android has gained a large community of developers writing application programs that extend the functionality of the supporting devices. It seems a lot of people are getting crazy about the Android platform these days (everyone is trying to buy an Android phone!). I don't have an Android cell phone, but I still managed to learn a few tricks on this Linux + Java, clean-room engineered platform. In this article I shall explain, with an example, the simple technique of reverse engineering a normal Android application.

Setting up the Ground

For the purpose of a demonstration, I have chosen an Android crackme application published by Deurus, and I will explain the steps involved in legally reverse engineering it. Our objective (don't get the wrong idea, friends!) is to break the licensing scheme of this application. So, to begin our journey, we first need to get geared up: we need the Android SDK and then the necessary tools. You can download the necessary files from these locations:

Android SDK: ml
Smali and baksmali:
Dex2jar:
Java decompiler:
Deurus Android crackme 03: crackme03/


Getting Started with the Game

Download all these files to your hard disk. Unzip the Android SDK to C:\. Unzip the rest of the tools to C:\android-sdk-windows\RE. If everything is in order you can start the Android SDK manager from C:\android-sdk-windows\. It will give you a list of packages to download and install; we need to select at least one SDK platform to continue our quest. After downloading and installing, we can move on to creating a new Android Virtual Device (AVD).


After creating the AVD, we can start emulation by selecting it and clicking the Start button. Within a few minutes we can see the emulator booting up and showing the phone screen. That's it! We have our emulator up and running. Now we need to install the software (the crackme, which is legal!) onto the emulator. For that you may have to get acquainted with the Android Debug Bridge (adb). Installing an apk file is pretty simple; all you have to do is run two commands from the tools folder of the Android SDK directory.

After the installation you can see the crackme icon in the application menu.


Now run the crackme by clicking on it. If everything went as expected you will see the crackme application on the screen. Let's play with it a bit: pressing the Check button with no input pops up the message 'Min 4 chars', and pressing it with a proper name pops up the message 'Bad boy'. Remember these strings, because we will be using them as our search keys when we disassemble the apk (actually the dex) files. Also note that the crackme displays two hardware ids, and we need to find out what exactly those are.

Now for real Reverse Engineering

As our crackme is up and running in the emulator, we can move on to the reversing part. If you have read about the apk file format, you can think of it as an extended JAR file, which is essentially a zip file. So you can rename Crackme03.apk with a .zip extension and decompress it to any folder.


The interesting file for us is classes.dex, which contains the compiled Dalvik virtual machine (VM) bytecode. We are now going to disassemble the dex file with baksmali. The commands are pretty simple, as shown in the screenshots below.
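The apk-as-zip point above, as an added example that is not part of the original article: a short Python script that builds a constructed APK in memory (a zip holding a header-only classes.dex stub, not a real application), then pulls classes.dex back out and parses the dex header. The header layout (8-byte magic, Adler-32 checksum over everything after it, SHA-1 signature over everything after it, then twenty uint32 counts and offsets) is the standard one; verifying checksum and signature is a useful sanity check, because a mismatch is the classic sign of a dex that was patched without its header being regenerated, and the stock smali assembler takes care of that when you rebuild.

```python
# Added example: treat an APK as the zip it is, pull classes.dex out and
# parse its header. The APK and dex below are constructed in memory
# (a header-only dex stub, not a real application) so this runs offline.

import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"      # magic of the dex version used by 2010-era Android
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The twenty uint32 fields that follow magic, checksum and signature.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def build_stub_dex(**counts):
    """Constructed header-only classes.dex with a valid checksum and signature.
    Keyword arguments override individual header fields (e.g. method_ids_size)."""
    unknown = set(counts) - set(HEADER_FIELDS)
    if unknown:
        raise ValueError("unknown header field(s): %s" % ", ".join(sorted(unknown)))
    fields = dict.fromkeys(HEADER_FIELDS, 0)
    fields.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT)
    fields.update(counts)
    body = struct.pack("<20I", *(fields[n] for n in HEADER_FIELDS))
    signature = hashlib.sha1(body).digest()                 # SHA-1 of everything after the signature
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # Adler-32 of everything after the checksum
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def build_stub_apk(dex_bytes):
    """Constructed APK: a plain zip holding a manifest placeholder and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


def parse_dex_header(dex):
    """Decode the dex header and report whether checksum, signature, file_size
    and endian tag agree with the bytes actually present."""
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a dex file (bad magic or truncated header)")
    checksum, = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    hdr["version"] = dex[4:7].decode("ascii")
    hdr["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    hdr["layout_ok"] = (hdr["file_size"] == len(dex)
                        and hdr["endian_tag"] == ENDIAN_CONSTANT)
    return hdr


def inspect_apk(apk_bytes):
    """List the zip entries and parse the header of classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex = zf.read("classes.dex")
    return names, parse_dex_header(dex)


if __name__ == "__main__":
    names, hdr = inspect_apk(build_stub_apk(build_stub_dex(method_ids_size=7)))
    print(names)
    print({k: hdr[k] for k in ("version", "method_ids_size",
                               "checksum_ok", "signature_ok", "layout_ok")})
```

Run it against a real apk by replacing the constructed bytes with the file contents; the method_ids_size and class_defs_size counts give a quick feel for how much code baksmali is about to produce, and a failing checksum on a freshly repacked apk means the dex was edited by hand rather than reassembled.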

If everything worked fine, we will have a folder structure similar to Java packages. The interesting .smali files are located at \com\example\helloandroid. Open all the .smali files in your favourite text editor (I use Notepad++). If you have never done anything related to reverse engineering, esoteric programming or assembly (IL) programming, don't start sweating: we have just opened a disassembled dex file. Next, if you are wondering how on earth someone finds the correct location of a checking function, I hope you remember those pop-up strings I mentioned earlier, 'Min 4 chars' and 'Bad boy'. It is time to use those strings as our search keys. Searching for 'Min 4 chars' in all the opened .smali files gives a hit in the file HelloAndroid$2.smali, specifically at line 130.

Our aim now is to understand the serial-checking function and write a keygen for it, for which we have to know the Dalvik opcodes used here. You can visit the Dalvik opcode reference page ( vik_opcodes.html) to understand the opcodes, and after that you can convert the disassembled code into higher-level language constructs. Here I provide a brief, commented code snippet which implements the algorithm. The two hardware ids used are the IMEI and the SIM serial number.

//Read name from text box
const v23, 0x7f050004
invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
move-result-object v9

//Read serial from text box
const v23, 0x7f050006
invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
move-result-object v21

//Checking whether the name is at least 4 characters long (the branch is taken when length >= 4)
const/16 v22, 0x4
move v0, v11
move/from16 v1, v22
if-ge v0, v1, :cond_51

//Popup showing Min 4 chars
const-string v23, "Min 4 chars"
const/16 v24, 0x1
.line 86
invoke-static/range {v22 .. v24}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v13
.line 88
.local v13, notificacionToast:Landroid/widget/Toast;
invoke-virtual {v13}, Landroid/widget/Toast;->show()V

//There is a little exception trick to make an integer string from the username
//It converts aaaa to 97979797, which is the ASCII equivalent
invoke-virtual {v10, v5}, Ljava/lang/String;->charAt(I)C
move-result v3

//Getting the first 5 chars from the ASCII-converted name
const/16 v22, 0x0
const/16 v23, 0x5
move-object v0, v12
move/from16 v1, v22
move/from16 v2, v23
invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

//Converting it into an integer and xoring with 0x6B016 - Serial part 1
invoke-static {v12}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v22
const v23, 0x6b016
xor-int v22, v22, v23

//Getting the IMEI from TelephonyManager
// Android/telephony/TelephonyManager.html
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
move-result-object v6
.line 102
.local v6, imei2:Ljava/lang/String;

//Getting the SIM serial
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
move-result-object v16
.line 103
.local v16, simsn:Ljava/lang/String;

//Getting the first 6 chars from the IMEI, and similarly from the SIM serial (IMEI.substring(0,6) will be used as Serial part 3)
const/16 v22, 0x0
const/16 v23, 0x6
move-object v0, v6
move/from16 v1, v22
move/from16 v2, v23
invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

//Converting them to integers and xoring - Serial part 2
invoke-static/range {v19 .. v19}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v22
invoke-static/range {v20 .. v20}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v23
xor-int v22, v22, v23

//Making a new StringBuilder object and formatting the string as part1-part2-part3
new-instance v22, Ljava/lang/StringBuilder;
invoke-static {v12}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v23
invoke-direct/range {v22 .. v23}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
const-string v23, "-"
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
invoke-static/range {v17 .. v18}, Ljava/lang/String;->valueOf(J)Ljava/lang/String;
move-result-object v23
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
const-string v23, "-"
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
move-object/from16 v0, v22
move-object/from16 v1, v19
invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22

//Checking whether the user-entered serial and the program-made serial are equal
invoke-virtual {v14, v15}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

As you can see, the algorithm is pretty straightforward. It uses the name and the two hardware ids as input and does some operations on them to make a serial. We can quite easily recode it in any programming language we prefer to make a keygen. Anyway, I am not posting any keygen sources, as it would spoil the whole phun!
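The serial algorithm recovered from the listing above, recoded in Python as an added example so the reader can verify the walk-through against it. This is my reconstruction of the listing, not the author's withheld keygen: the name-to-digits step follows the comment in the listing (each character replaced by its decimal ASCII code, run together), while the constant 0x6B016, the 5- and 6-character substrings, the XORs and the part1-part2-part3 layout are read straight from the smali. The IMEI and SIM serial values in the usage are constructed, not taken from any device or from the emulator.

```python
# Added example: the crackme's serial algorithm as recovered from the smali
# listing above, recoded in Python. This is a reconstruction, not the
# author's keygen; the sample hardware ids below are constructed.

MAGIC = 0x6B016          # constant xored into part 1 (const v23, 0x6b016 in the listing)
MIN_NAME_LEN = 4         # the if-ge check that otherwise pops "Min 4 chars"


def name_to_digits(name):
    """Replace each character by its decimal ASCII code, run together.
    This reproduces the listing's comment: "aaaa" -> "97979797"."""
    return "".join(str(ord(c)) for c in name)


def serial_part1(name):
    """int(first 5 digits of the ASCII-coded name) ^ 0x6B016."""
    digits = name_to_digits(name)
    if len(digits) < 5:
        # substring(0, 5) would throw StringIndexOutOfBoundsException in Java
        raise ValueError("name too short after ASCII expansion")
    return int(digits[:5]) ^ MAGIC


def serial_part2(imei, sim_serial):
    """int(IMEI[0:6]) ^ int(SIM serial[0:6])."""
    return int(imei[:6]) ^ int(sim_serial[:6])


def serial_part3(imei):
    """IMEI[0:6], appended verbatim as the last part."""
    return imei[:6]


def keygen(name, imei, sim_serial):
    """Build the serial the crackme expects for this name on this device.
    Raises ValueError where the original would refuse input or throw:
    a short name hits the "Min 4 chars" branch, and a hardware id without
    six leading digits would make substring()/parseInt() throw in Java."""
    if len(name) < MIN_NAME_LEN:
        raise ValueError("Min 4 chars")
    for label, hwid in (("IMEI", imei), ("SIM serial", sim_serial)):
        if len(hwid) < 6 or not hwid[:6].isdigit():
            raise ValueError("%s must start with six digits" % label)
    return "%d-%d-%s" % (serial_part1(name),
                         serial_part2(imei, sim_serial),
                         serial_part3(imei))


def check(name, serial, imei, sim_serial):
    """Mirror of the String.equals() at the end of the listing: True only
    when the entered serial matches the one the program computes."""
    try:
        return keygen(name, imei, sim_serial) == serial
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample hardware ids (not from any real device or emulator).
    imei, sim = "351234567890123", "894412345678901234"
    print(keygen("aaaaa", imei, sim))
```

On a device the two hardware ids come from TelephonyManager.getDeviceId() and getSimSerialNumber(), exactly as in the listing; the crackme shows them on screen, so they can be copied into the script without any further reversing.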

At first 'aaaaa' will be converted to '9797979797', from which we take the first 5 characters and convert them into the integer 97979. This is xored with 0x6B016, giving 511661, and this is the first part of the serial. For the second part, we will take the first 6 letters from HW ID1 and H