1. HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
David Teitelbaum, @davtbaum
December 2012

2. OBJECTIVES
Expect to learn:
- Android app disassembly
- Fundamentals of code injection
- Smali/Baksmali and reading Dalvik byte code
- Best practices in hardening your apps
© 2012 Apkudo Inc. Confidential www.apkudo.com

3. ROADMAP
PART I - CLASS
- Approach to hacking
- Tools: apktool, baksmali, smali
- The APK
- All things byte code
- Recap
PART II - DEMO/HACK
- Scramble With Friends deep dive
- App disassembly and analysis
- Code injection with ViewServer
- Resource transmission

4. PART I - CLASS

5. APK HACKING
Approach
1. Unzip the APK and disassemble classes.dex (baksmali)
2. Static analysis: what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip the APK

Disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali)

6. CODE INJECTION
Best practices:
- You don't need to be a Dalvik byte code pro! Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code.
- Stick to public static methods in Dalvik byte code, which have no register dependencies (no `this`, and the only registers you touch are the ones you pass in).
- Let the compiler do the work: the demo hack is achieved by inserting only two lines of manual Dalvik byte code!

7. TOOLS
You'll need:
- Access to a terminal environment (preferably Linux or Mac OS X)
- Android SDK
- keytool and jarsigner
- Smali/Baksmali - http://code.google.com/p/smali/
- Apktool - http://code.google.com/p/android-apktool/
- Editor of choice (emacs!)

8. THE APK
A container for your app: a zipped file formatted based on JAR
    META-INF/
    AndroidManifest.xml
    classes.dex
    lib/
    res/
    resources.arsc
9. SMALI/BAKSMALI
Dalvik assembler/disassembler
- Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
- Smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify execution of an APK without having access to source code

10. EXAMPLES: baksmali
    $ unzip foobar.apk -d foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  res  resources.arsc  lib
    $ baksmali -a 10 -d ~/boot_class_path classes.dex
-a = API level, -d = boot class path directory, classes.dex = the dex file to disassemble

11. EXAMPLES: smali
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  res  resources.arsc  lib  out
    $ smali -a 10 ./out -o classes.dex
    $ zip -r ~/hacked.apk ./*
-a = API level, -o = output dex file, -r = recursive

12. AAPT
Android Asset Packaging Tool
- Builds/dumps package information
- Same tool that packages APKs
- Decompresses XML resources
- Dumps permissions, application info

13. EXAMPLES: aapt
    $ aapt dump badging ~/foobar.apk
    $ aapt dump xmltree ~/foobar.apk AndroidManifest.xml
    $ aapt dump xmlstrings ~/foobar.apk AndroidManifest.xml
The last argument names the compiled XML resource inside the APK to dump (here the manifest).

14. APKTOOL
All-in-one reverser
- Wraps smali/baksmali and the Android Asset Packaging Tool (aapt)
- Decodes resources and decompresses XML
- Great for manifest introspection
- Buggy :/

15. EXAMPLES: apktool
    $ apktool d foobar.apk foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  apktool.yml  assets  res  smali
    $ cd ../
    $ apktool b ./foobar
d = decode (foobar = output directory), b = build

16. EXAMPLES: keytool and jarsigner
    $ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
    $ jarsigner -keystore ~/.keystore ./foobar.apk default
default = the key alias. Android will not install an unsigned APK, and the patched one no longer matches the developer's signature, so it has to be re-signed with your own key; a build signed with a different key cannot be installed over the original app, so uninstall that first.

17. TOOLS - Questions?
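Slides 8 and 16 together explain why every repackaging ends with `rm -r META-INF` and `jarsigner`: the APK is a JAR-style zip whose META-INF/MANIFEST.MF records a SHA-1 digest of each entry, so a classes.dex rebuilt by smali no longer matches. The following Python is an added example, not from the slides or from Apkudo; it builds a toy APK in memory from constructed placeholder payloads, models only the MANIFEST.MF digests (CERT.SF and CERT.RSA are stand-ins, and the PKCS#7 signature itself is not verified), then shows the digest mismatch after a patch and the effect of stripping META-INF/.

```python
"""Model the JAR-style signature that sits in an APK's META-INF/.

Added example, not from the slides: the APK here is built in memory with
placeholder payloads, only MANIFEST.MF digests are modelled, and CERT.SF /
CERT.RSA are stand-ins (the PKCS#7 signature itself is not verified).
"""
import base64
import hashlib
import io
import zipfile

SIG_DIR = "META-INF/"


def sha1_b64(data):
    """jarsigner stores entry digests as base64(SHA-1) in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries):
    """One 'Name:' / 'SHA1-Digest:' section per file, as jarsigner writes it."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in sorted(entries.items()):
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def make_signed_apk(entries):
    """Zip the payload (slide 8 layout) plus a META-INF/ signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(SIG_DIR + "MANIFEST.MF", build_manifest(entries))
        zf.writestr(SIG_DIR + "CERT.SF", b"Signature-Version: 1.0\r\n")  # stand-in
        zf.writestr(SIG_DIR + "CERT.RSA", b"<PKCS#7 blob stand-in>")   # stand-in
    return buf.getvalue()


def parse_manifest(text):
    """{entry name: SHA1-Digest} from MANIFEST.MF text."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
            name = None
    return digests


def check_digests(apk):
    """Recompute every manifest digest; any False is what makes
    'jarsigner -verify' reject an APK whose classes.dex was swapped."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        manifest = parse_manifest(zf.read(SIG_DIR + "MANIFEST.MF").decode())
        return {name: sha1_b64(zf.read(name)) == want for name, want in manifest.items()}


def rewrite_apk(apk, replace=None, drop_prefix=None):
    """Copy the zip, swapping entries in `replace` (the smali-rebuilt
    classes.dex) and dropping names under `drop_prefix` (rm -r META-INF)."""
    replace = replace or {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if drop_prefix and info.filename.startswith(drop_prefix):
                continue
            dst.writestr(info.filename, replace.get(info.filename, src.read(info)))
    return out.getvalue()


def is_signed(apk):
    """True if the APK still carries a META-INF/ signature block."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return any(n.startswith(SIG_DIR) for n in zf.namelist())


# Constructed payloads standing in for a real app's files.
ORIGINAL = {
    "AndroidManifest.xml": b"<manifest package='com.example.foobar'/>",
    "classes.dex": b"dex\n035\x00original bytecode",
    "resources.arsc": b"\x02\x00\x0c\x00resources",
}

if __name__ == "__main__":
    apk = make_signed_apk(ORIGINAL)
    print("original :", check_digests(apk))
    patched = rewrite_apk(apk, replace={"classes.dex": b"dex\n035\x00patched bytecode"})
    print("patched  :", check_digests(patched))          # classes.dex -> False
    stripped = rewrite_apk(patched, drop_prefix=SIG_DIR)  # now re-sign with jarsigner
    print("signed?  :", is_signed(stripped))
```

The untouched entries still verify after the patch; only classes.dex fails, which is exactly what `jarsigner -verify` would report on a repackaged APK. Stripping META-INF/ leaves an unsigned zip that the device refuses until jarsigner (slide 16) adds a fresh signature block over the new digests.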
18. SMALI FILES
Class representation in byte code
    .class public Lcom/apkudo/util/Serializer;
    .super Ljava/lang/Object;
    .source "Serializer.java"

    # static fields
    .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

    # direct methods
    .method public constructor <init>()V
        .registers 1
        .prologue
        .line 5
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V
        return-void
    .end method
Class information (.class, .super, .source) comes first, then static fields, then methods (direct methods, then virtual methods).

19. SYNTAX: types
    .method private doSomething()V
    V  void
    Z  boolean
    B  byte
    S  short
    C  char
    F  float
    I  int
    J  long    (64 bit: special "wide" instructions, two registers)
    D  double  (64 bit: special "wide" instructions, two registers)
    [  array

20. SYNTAX: classes
    Lcom/apkudo/util/Serializer;
Full namespace, slash separated, prefixed with L, suffixed with ;
    const-string v0, "ApkudoUtils"
    new-instance v1, Ljava/lang/StringBuilder;
    invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
    const-string v2, "docId: ["
    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v1

21. SYNTAX: methods
Method definitions: .method ... .end method
    .method private doSomething()V
Method invocations:
- invoke-static: any method that is static
- invoke-virtual: any instance method that isn't private or a constructor (in practice final methods are called this way too)
- invoke-direct: any non-static direct method, i.e. private methods and constructors
- invoke-super: any superclass's virtual method
- invoke-interface: invoke an interface method

22. SYNTAX: methods
    .method private doSomething()V
keyword, method name, parameters/return type
    .method private delayedAnimationFrame(J)Z
        .registers 8
        .parameter "currentTime"

    # Static invocation
    invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z

    # Virtual invocation
    invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V
23. SYNTAX: registers
    .locals 16
    .registers 18
- All registers are 32 bits (a long or double occupies a pair of adjacent registers)
Declaration:
- .registers: total number of registers
- .locals: total minus the method parameter registers
Naming scheme:
- P registers: parameter registers; the implicit p0 is the this instance (non-static methods only)
- V registers: local registers
- P registers are always at the end of the register list

24. SYNTAX: register example
    .method public onCreate()V
        .registers 7
    v0  first local register
    v1  second local register
    v2
    v3
    v4
    v5
    v6  p0  first param: this          p0 == v6

25. SYNTAX: register example 2
    .method public doIt(Ljava/lang/String;II)V
        .registers 7
    v0  first local register
    v1  second local register
    v2
    v3  p0  this
    v4  p1  String
    v5  p2  int
    v6  p3  int
p0 == v3, p1 == v4, p2 == v5, p3 == v6

26. SYNTAX: register example 3
    .method public doIt(JI)V
        .registers 7
# hint: J == long
    v0  first local register
    v1  second local register
    v2  third local register
v3 - is it A) fourth local register? B) this instance? C) long? D) int?
v4 - is it A) fourth local register? B) this instance? C) long? D) int?
v5 - is it A) fourth local register? B) this instance? C) long? D) int?
v6 - is it A) fourth local register? B) this instance? C) long? D) int?
Answer:
    v3  p0  this instance
    v4  p1  long (first register of the pair)
    v5  p2  long (second register of the pair)
    v6  p3  int
The 64-bit long takes two parameter registers, so p1 and p2 together hold one parameter and the int lands in p3.

27. SYNTAX: jumping
    .method public doIt(JI)V
        .registers 7
        goto :goto_31
        ...
        :goto_31
        return-void
    .end method
goto jumps unconditionally to a label

28. SYNTAX: conditionals
    .method public foobar()V
        .registers 2
        const/4 v0, 0x0
        if-eqz v0, :cond_6
        return-void
        :cond_6
        # Do something
    .end method
Conditionals: if-eq, if-ne, if-le, if-lt, if-ge, if-gt compare two registers. Add z for a comparison against zero (if-eqz, if-nez, ...), which takes a single register.

29. PUTTING IT ALL TOGETHER: example (Java)
    package com.google.android.finsky;

    import android.app.Application;
    import android.accounts.Account;

    public class FinskyApp extends Application {
        Account mCurrentAccount;
        ...
        public String getCurrentAccountName() {
            if (mCurrentAccount != null) {
                return mCurrentAccount.name;
            } else {
                return null;
            }
        }
    }

30. PUTTING IT ALL TOGETHER: same example (smali)
    .method public getCurrentAccountName()Ljava/lang/String;
        .registers 2
        .prologue
        .line 617
        iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
        if-nez v0, :cond_6
        const/4 v0, 0x0
        :goto_5
        return-object v0
        :cond_6
        iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
        goto :goto_5
    .end method
v0 is the first local register; v1 == p0, the this instance. iget-object reads the field mCurrentAccount (of type Landroid/accounts/Account;) of this into v0. If it is non-null, execution jumps to :cond_6, which reads the Account's name field into v0 and jumps back to return it; otherwise v0 is set to 0 (null) and returned.

31. ONE FINAL STEP: obfuscation!
- Renames classes, class members and methods
- Preserves OS entry points and Java namespace classes
- Slows down the static analysis process
- Not a silver bullet, but an easy first line of defense
    iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
    invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;

32. BYTE CODE - Questions?

33. PART II - DEMO

35. HACKING SCRAMBLE
Approach
1. Unzip the APK and disassemble classes.dex (baksmali)
2. Isolate target resources (e.g., the Scramble With Friends word list)
3. Patch the APK to receive the resource, serialize it, and transmit it to the host
4. Reassemble classes.dex (smali) and rezip the APK

Disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali)

36. RESOURCE SERIALIZATION AND TRANSMISSION
Romain Guy's ViewServer: the app registers with it from onCreate() via addWindow(); the ViewServer thread runs inside the app's process on the Android OS and listens on localhost:4939, which is the channel we will reuse to ship the word list to the host.
37. STEP 1: DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove the keys (META-INF holds the original signature, which will no longer match the patched classes.dex; the APK is re-signed in step 5):
    unzip scramble.apk
    rm -r ./META-INF
Disassemble:
    baksmali -a 10 -d out/target/product/generic/system/framework ./classes.dex
-a = api-level, -d = bootclasspath dir (here the framework output of an AOSP build)

38. STEP 2: ANDROID FORENSICS
- apktool: dump and inspect AndroidManifest.xml for activities
- Find the word list. How? Beat obfuscation!
  - Search for class types and log messages
  - Find the intersection of the two!
- Insert your own log statements:
    invoke-interface {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
(v2 holds the list and v1 a tag string; List is an interface, so the toString() call is invoke-interface, per slide 21)

39. STEP 3: INJECT VIEWSERVER INTO APP
Resource located! Now we need to send it.
- Apply a patch to ViewServer that stores the list:
    public static void setScrambleWordList(List list);
- Build the patched ViewServer, extract the .smali files
- Copy the smali files into our application
Easy enough, right?

40. STEP 4: PATCH APP TO USE VIEWSERVER API
Start the ViewServer in the onCreate() method of MainActivity.smali: ViewServer.get()
    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
Pass the list to ViewServer in fu.smali: ViewServer.setScrambleWordList(list)
    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
These are the two hand-written lines of Dalvik byte code promised on slide 6. Both are static calls, so the only register work is knowing which register holds the list at the injection point.

41. STEP 5: REBUILD APK
Re-assemble:
    smali -a 10 ./out -o classes.dex
Re-compress:
    zip -r ../scramble.apk ./*
Sign APK:
    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name

42. STEP 6: INSTALL AND COMMUNICATE WITH APP
Install (-r reinstalls; if the original, differently signed app is still present, uninstall it first):
    adb install -r ../scramble.apk
Forward port:
    adb forward tcp:4939 tcp:4939
Communicate (the ViewServer inside the app is the listener, so connect to the forwarded port):
    nc 127.0.0.1 4939
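Two things on the preceding slides lend themselves to a small tool: the register rules of slides 23 to 26 (parameters sit in the last registers, p0 is `this` unless the method is static, a long or double takes two) and slide 38's trick of intersecting type references with telling strings to find a target in obfuscated code. The Python below is an added example, my own rather than Apkudo's tooling. It scans constructed smali (SAMPLE_SMALI is made up to look like ProGuard output; Lcom/a/a/g; and its method a are not real app code), finds methods that mention both a type and a keyword, and reports each one's p-register to v-register mapping from its `.method` header and `.registers` or `.locals` line, which is what you need to know before injecting an `invoke-static {vN}` as in step 4.

```python
"""Find a target method in obfuscated smali and compute its register layout.

Added example, not part of the slides. SAMPLE_SMALI is constructed to look
like ProGuard output (Lcom/a/a/g; with a method named a); it is not real
app code.
"""
import re

SAMPLE_SMALI = {
    "com/a/a/g.smali": """\
.class public Lcom/a/a/g;
.super Ljava/lang/Object;

.method public a(Ljava/lang/String;JI)Ljava/util/List;
    .registers 9
    new-instance v0, Ljava/util/ArrayList;
    invoke-direct {v0}, Ljava/util/ArrayList;-><init>()V
    const-string v1, "loaded words"
    invoke-static {v1, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-object v0
.end method
""",
    "com/a/a/f.smali": """\
.class public Lcom/a/a/f;
.super Ljava/lang/Object;

.method public static b(I)V
    .locals 1
    const-string v0, "score"
    return-void
.end method
""",
}

# .method <modifiers> name(params)return     e.g. ".method public static b(I)V"
METHOD_RE = re.compile(r"^\.method\s+((?:[a-z-]+\s+)*)(\S+?)\(([^)]*)\)(\S+)$")
# one type descriptor: a primitive, an L...; class, or an array of either
TYPE_RE = re.compile(r"\[*(?:[VZBSCFIJD]|L[^;]+;)")


def method_widths(header):
    """Register width of each parameter slot: this (if not static) and every
    parameter take one register, except J and D, which take two (slide 23)."""
    m = METHOD_RE.match(header)
    if not m:
        raise ValueError(f"not a .method header: {header!r}")
    widths = [2 if t in ("J", "D") else 1 for t in TYPE_RE.findall(m.group(3))]
    if "static" not in m.group(1).split():
        widths.insert(0, 1)  # implicit p0 = this
    return widths


def register_layout(header, registers):
    """Map pN -> vM. Parameters occupy the last registers (slides 24-26); a
    wide parameter spans two consecutive p numbers and two v numbers."""
    widths = method_widths(header)
    v = registers - sum(widths)
    if v < 0:
        raise ValueError(".registers is smaller than the parameter registers")
    layout, p = {}, 0
    for w in widths:
        for k in range(w):
            layout[f"p{p + k}"] = f"v{v + k}"
        p += w
        v += w
    return layout


def iter_methods(text):
    """Yield (header, registers, body_lines) for each method in a file.
    A .locals count becomes .registers by adding the parameter width."""
    header = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(".method "):
            header, regs, body = s, None, []
        elif header is None:
            continue
        elif s.startswith(".registers "):
            regs = int(s.split()[1])
        elif s.startswith(".locals "):
            regs = int(s.split()[1]) + sum(method_widths(header))
        elif s == ".end method":
            if regs is None:  # no declaration at all: parameters only
                regs = sum(method_widths(header))
            yield header, regs, body
            header = None
        else:
            body.append(s)


def find_candidates(files, type_ref, keyword):
    """Slide 38's intersection: methods that mention a type of interest AND
    a telling string. Returns [(file, header, {pN: vM})]."""
    hits = []
    for fname, text in files.items():
        for header, regs, body in iter_methods(text):
            blob = "\n".join([header] + body)
            if type_ref in blob and keyword in blob:
                hits.append((fname, header, register_layout(header, regs)))
    return hits


if __name__ == "__main__":
    for fname, header, layout in find_candidates(SAMPLE_SMALI, "Ljava/util/List;", "words"):
        print(fname, header)
        for p, v in layout.items():
            print(f"  {p} == {v}")
```

On the sample, only com/a/a/g.smali's method a is a hit, and its layout shows the long parameter spanning p2/p3 (v6/v7) with the int in p4 (v8), the same rule slide 26 quizzes you on. Run the same search over a real apktool or baksmali output tree by reading each .smali file into the dictionary; `register_layout` also reproduces the three slide examples (onCreate()V with 7 registers gives p0 == v6).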
43. RECAP: WHAT ZYNGA TEACHES US
- Obfuscate: it's easy and makes things much harder. Use ProGuard, it optimizes too!
- Low hanging fruit: remove logs, use reflection
- Design your application with cheaters in mind! Move logic to the cloud, use Google Play licensing

44. FINALLY: WHAT ZYNGA TEACHES US

45. Thank you.
@davtbaum
DAVID@ .COM