
HACKING APKS FOR FUN AND FOR PROFIT
(MOSTLY FOR FUN)

DAVID TEITELBAUM
@davtbaum

DECEMBER 2012

OBJECTIVES
Expect to learn:
Android app disassembly
Fundamentals of code injection
How to use tools like smali/baksmali
Best practices in Android forensics

2012 Apkudo Inc. Confidential www.apkudo.com

ROADMAP
PART I - CLASS
Approach to hacking
Tools: apktool, baksmali, smali
The APK
Dalvik Virtual Machine
Reading Dalvik byte code

PART II - DEMO
Scramble With Friends deep dive
App disassembly and analysis
Code injection with ViewServer
Resource serialization and transmission to host machine

PART I - CLASS


APK HACKING
Approach
1. Extract the APK and disassemble classes.dex (baksmali)
2. Apply static analysis: what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip the APK

Flow: APK -> disassemble (baksmali) -> .smali -> static analysis / code injection -> reassemble (smali) -> patched APK

CODE INJECTION
Best Practices:
You don't need to be a Dalvik byte code pro!
Write patches in Java, compile them, then use the smali/baksmali tools to disassemble the result into Dalvik byte code
Stick to public static methods: a static call carries everything it needs in the registers you list in {...}, so the injected invoke-static has no dependency on the surrounding method's register layout and no `this` to supply
Let the compiler do the work!

TOOLS
You'll need
Access to a terminal environment (preferably Linux or Mac OS X)
Android SDK and a working emulator
Smali/Baksmali - http://code.google.com/p/smali/
Apktool - http://code.google.com/p/android-apktool/
Editor of choice (emacs!)

SMALI/BAKSMALI?
Dalvik assembler/disassembler
Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
Smali re-assembles .smali files back into a .dex Dalvik executable
Gives developers the ability to modify execution without having access to source code
Documentation on smali/baksmali and Dalvik in the smali wiki: http://code.google.com/p/smali/w/list

APKTOOL
All-in-one reverser
Wraps smali/baksmali and the Android asset packaging tool (aapt)
Decodes resources and deserializes the binary XML back into text
Great for manifest introspection
Buggy :/

THE APK
A container for your app
A zip file laid out like a JAR

META-INF/            signature files (MANIFEST.MF, *.SF, *.RSA)
AndroidManifest.xml  binary XML, readable only after decoding (apktool)
classes.dex          the Dalvik executable: all of the app's byte code
lib/                 native libraries, one directory per ABI
res/                 resources
resources.arsc       compiled resource table
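The classes.dex named in this layout starts with a fixed header that carries an Adler-32 checksum and a SHA-1 signature over the rest of the file; smali rewrites both when it reassembles, and anyone rebuilding an APK by hand wants to be able to check them. The following is an added example in Python, not code from the slides or from Apkudo: a parser for that header that can pull the dex straight out of an APK with zipfile, decodes the section table and verifies both integrity fields. The sample dex it builds is constructed (a bare header and an empty map list, no code) so the block runs offline; the field offsets are those of dex format 035.

```python
import hashlib
import struct
import zipfile
import zlib

# Added example, not from the slides: read and verify the header of the
# classes.dex that an APK carries. baksmali, smali and the installer all trust
# this header, and smali rewrites its two integrity fields on every reassembly;
# this shows what those fields are and how to check them yourself.
# build_sample_dex() returns a constructed dex (header plus an empty map list)
# so that everything here runs offline.

DEX_HEADER_SIZE = 0x70
DEX_VERSION = b"035"                       # the dex format version current in 2012
SECTIONS = ["string_ids", "type_ids", "proto_ids", "field_ids", "method_ids", "class_defs"]


def dex_from_apk(apk_path, name="classes.dex"):
    """Pull a dex file straight out of the APK (a zip), no unzip step needed."""
    with zipfile.ZipFile(apk_path) as z:
        return z.read(name)


def parse_dex_header(data):
    """Decode the fixed 0x70-byte header and verify checksum and signature."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    link_size, link_off, map_off = struct.unpack_from("<III", data, 44)
    counts = struct.unpack_from("<" + "II" * len(SECTIONS), data, 56)
    data_size, data_off = struct.unpack_from("<II", data, 104)
    return {
        "version": magic[4:7].decode(),
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        "map_off": map_off,
        "data": (data_off, data_size),
        # each section is a (count, offset) pair
        "sections": {n: (counts[2 * i], counts[2 * i + 1]) for i, n in enumerate(SECTIONS)},
        # adler32 over everything after the checksum field itself
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        # SHA-1 over everything after the signature field
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
    }


def seal_dex(data):
    """Recompute the signature, then the checksum (the checksum covers the signature)."""
    buf = bytearray(data)
    buf[12:32] = hashlib.sha1(buf[32:]).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def build_sample_dex():
    """Constructed minimal dex: a valid header, an empty map list, nothing else."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n" + DEX_VERSION + b"\0"
    map_off = len(buf)
    buf += struct.pack("<I", 0)                      # map_list with zero items
    struct.pack_into("<III", buf, 32, len(buf), DEX_HEADER_SIZE, 0x12345678)
    struct.pack_into("<I", buf, 52, map_off)
    struct.pack_into("<II", buf, 104, len(buf) - DEX_HEADER_SIZE, DEX_HEADER_SIZE)
    return seal_dex(bytes(buf))


if __name__ == "__main__":
    import sys
    dex = dex_from_apk(sys.argv[1]) if len(sys.argv) > 1 else build_sample_dex()
    for key, value in parse_dex_header(dex).items():
        print("%-13s %r" % (key, value))
```

Run it with an APK path to inspect a real classes.dex, or with no argument to see the constructed sample. Apps of the era ship exactly one classes.dex as on the slide; newer builds may add classes2.dex and so on, each with its own header of this shape.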

EXAMPLES
baksmali

$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml  META-INF  classes.dex  lib  res  resources.arsc
$ baksmali -a 10 -d ~/boot_class_path classes.dex
    -a 10                 API level of the target
    -d ~/boot_class_path  boot class path: the directory holding the framework jars the app links against
    classes.dex           dex file to disassemble (the .smali output lands in ./out by default)

These are the smali/baksmali 1.x flags in use in 2012; later releases (2.2 and up) moved them behind subcommands (baksmali d ..., smali a ...).

EXAMPLES
smali

$ ls
AndroidManifest.xml  META-INF  classes.dex  lib  out  res  resources.arsc
$ smali -a 10 ./out -o classes.dex
    -a 10           API level
    ./out           directory of .smali files to assemble
    -o classes.dex  output dex file
$ zip -r ~/hacked.apk ./*
    -r  recursive

EXAMPLES
apktool

$ apktool d foobar.apk foobar
    d       decode
    foobar  output directory
$ cd ./foobar
$ ls
AndroidManifest.xml  apktool.yml  assets  res  smali
$ cd ../
$ apktool b ./foobar
    b  build

SMALI FILES
Class representation in byte code

# class information
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# direct methods
.method public constructor <init>()V
    .registers 1

    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method

SYNTAX
classes

Lcom/apkudo/util/Serializer;

Class names
prefixed with L
full namespace, slash separated
terminated with a semicolon

SYNTAX
methods

.method private doSomething()V

Method definitions
.method <modifiers> <name>(<param types>)<return type>

Method invocations
invoke-static     any method that is static
invoke-virtual    any instance method that isn't private, static, or final
invoke-direct     any non-static direct method, i.e. private instance methods and constructors (<init>)
invoke-super      a superclass's virtual method
invoke-interface  an interface method

SYNTAX
Registers

.locals 16
.registers 18

All registers are 32 bits; a long or double occupies a pair of adjacent registers
Declaration
.registers  total number of registers in the frame
.locals     total minus the method parameter registers (so the two lines above describe the same frame for a method whose parameters take two registers)
Naming scheme
P registers  parameter registers
             implicit p0 = this instance (non-static methods only)
V registers  local registers
P registers are always at the end of the register list

SYNTAX
Register Example

.method public onCreate()V
    .registers 7
    ...

v0  first local register
v1  second local register
v2
v3
v4
v5
v6  p0  first param: this

SYNTAX
Register Example 2

.method public doIt(Ljava/lang/String;II)V
    .registers 7

v0  first local register
v1  second local register
v2  third local register
v3  p0  this
v4  p1  String
v5  p2  int
v6  p3  int

SYNTAX
Register Example 3

.method public doIt(JI)V
    .registers 7
    # hint: J == long

v0  first local register
v1  second local register
v2  third local register
v3  p0  this instance
v4  p1  long, first register
v5  p2  long, second register
v6  p3  int

SYNTAX
jumping

Jumps
goto :label   (smali resolves the label to the branch offset encoded in the instruction)

.method public doIt(JI)V
    .registers 7
    ...
    goto :goto_31
    ...
    :goto_31
    return-void

SYNTAX
conditionals

Conditionals
if-eq
if-ne
if-le
if-lt
if-ge
if-gt
Add z for a compare against zero: if-eqz vA, :label tests one register, if-eq vA, vB, :label compares two

.method public foobar()V
    .registers 2

    const/4 v0, 0x0

    if-eqz v0, :cond_6

    return-void

    :cond_6
    # Do something, then return
    return-void
.end method

PUTTING IT ALL TOGETHER
Example

.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2           # v0 = first local register, v1 = p0 = this instance

    .prologue
    .line 617
    # iget-object: get this field (mCurrentAccount) of this type (Landroid/accounts/Account;)
    # from the object in p0 into this register (v0)
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;

    if-nez v0, :cond_6

    const/4 v0, 0x0

    :goto_5
    return-object v0

    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;

    goto :goto_5
.end method

In Java this is simply: return mCurrentAccount == null ? null : mCurrentAccount.name;

PART II - DEMO

RESOURCE SERIALIZATION AND TRANSMISSION
Romain Guy's ViewServer

Diagram: the app's onCreate() starts the ViewServer and addWindow() registers the activity's window with it; the ViewServer listens inside the Android OS, and ADB forwards that port to localhost:4939 on the host.

STEP 1
DECOMPRESS AND DISASSEMBLE

Extract classes.dex and remove the signature files (the old signature no longer matches once classes.dex changes; the APK is re-signed in step 5):
unzip scramble.apk
rm -r ./META-INF

Disassemble:
baksmali -a 10 -d <framework_path> ./classes.dex
    -a = api-level
    -d = bootclasspath dir, e.g. out/target/product/generic/system/framework from an AOSP build tree

STEP 2
ANDROID FORENSICS
Find the word list. How?
Beat obfuscation!
Search for class types and log messages
Find the intersection of the two!
Insert your own log statements

invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

This assumes v1 already holds a String to use as the tag, and it deliberately overwrites v2 (the list) with its string form; if the method still needs the list afterwards, or has no spare register, widen the frame and log from fresh registers instead.
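The register example slides in Part I and the "insert your own log statements" step above rest on the same rule: parameters live at the end of the frame, pN names resolve to vN by that rule, and a long or double takes two registers. The following is an added example in Python, not code from the slides: map_registers reproduces the three register example slides from a method descriptor, and inject_log applies the rule to add a Log.e call after a chosen instruction by widening the frame with two fresh locals, so the logged register is never overwritten; it refuses methods whose bodies address parameters as vN (widening would shift them) and switches to invoke-static/range above v15. SAMPLE is the getCurrentAccountName() method from the "Putting it all together" slide; LOG_TAG is a placeholder of my choosing.

```python
import re

# Added example, not code from the slides: the register-layout rule from the
# Registers slides as a function, and a log-statement injector that follows the
# "insert your own log statements" advice without clobbering a live register.
# SAMPLE and LOG_TAG are constructed for the demonstration.

WIDE = {"J", "D"}                  # long and double occupy a register pair
LOG_TAG = "APKUDO_PATCH"           # hypothetical tag, choose your own
METHOD_RE = re.compile(r"^\.method\s+(?P<mods>(?:\w+\s+)*)(?P<name>[^\s(]+)(?P<desc>\(.*\).+)$")
DECL_RE = re.compile(r"^(\s*)\.(registers|locals)\s+(\d+)\s*$")


def parse_params(descriptor):
    """Split the (...) part of a Dalvik method descriptor into type descriptors."""
    inner = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    params, i = [], 0
    while i < len(inner):
        start = i
        while inner[i] == "[":                       # array dimensions
            i += 1
        i = inner.index(";", i) + 1 if inner[i] == "L" else i + 1
        params.append(inner[start:i])
    return params


def param_register_count(descriptor, is_static):
    """Registers the parameters occupy: this (if any) + 2 per J/D + 1 per anything else."""
    return (0 if is_static else 1) + sum(2 if p in WIDE else 1 for p in parse_params(descriptor))


def map_registers(descriptor, total, is_static=False):
    """[(vN, pN or None, meaning)] for a frame of `total` registers; parameters sit at the end."""
    nlocals = total - param_register_count(descriptor, is_static)
    if nlocals < 0:
        raise ValueError("frame too small for the parameters")
    slots = [] if is_static else ["this"]
    for t in parse_params(descriptor):
        slots += [t + " (first register)", t + " (second register)"] if t in WIDE else [t]
    layout = [("v%d" % i, None, "local") for i in range(nlocals)]
    layout += [("v%d" % (nlocals + p), "p%d" % p, what) for p, what in enumerate(slots)]
    return layout


def _invoke_static(regs, target):
    """invoke-static takes 4-bit register numbers; above v15 use the /range form
    (legal here because the registers passed are always consecutive)."""
    if all(r <= 15 for r in regs):
        return "invoke-static {%s}, %s" % (", ".join("v%d" % r for r in regs), target)
    return "invoke-static/range {v%d .. v%d}, %s" % (regs[0], regs[-1], target)


def inject_log(method_smali, after_instruction, value_register):
    """Insert Log.e(LOG_TAG, String.valueOf(<object in value_register>)) after the first
    line equal to `after_instruction`. The frame is widened by 2: the two old parameter
    slots become locals and smali re-resolves every pN name, so nothing else changes."""
    lines = method_smali.splitlines()
    head = METHOD_RE.match(lines[0].strip())
    if not head:
        raise ValueError("first line must be the .method directive")
    nparams = param_register_count(head.group("desc"), "static" in head.group("mods").split())
    decl = next((i for i, l in enumerate(lines) if DECL_RE.match(l)), None)
    if decl is None:
        raise ValueError("no .registers/.locals directive")
    indent, kind, count = DECL_RE.match(lines[decl]).groups()
    count = int(count)
    nlocals = count if kind == "locals" else count - nparams
    # Widening is only safe if the body never addresses a parameter as vN.
    body = "\n".join(lines[decl + 1:])
    if any(int(n) >= nlocals for n in re.findall(r"\bv(\d+)\b", body)):
        raise ValueError("body addresses parameters as vN; use pN names first")
    tag, msg = nlocals, nlocals + 1                  # the two fresh locals
    n = int(value_register[1:])
    val = n if value_register.startswith("v") else nlocals + 2 + n    # pN after widening
    lines[decl] = "%s.%s %d" % (indent, kind, count + 2)
    patch = [
        'const-string v%d, "%s"' % (tag, LOG_TAG),
        _invoke_static([val], "Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;"),
        "move-result-object v%d" % msg,
        _invoke_static([tag, msg], "Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I"),
    ]
    for i in range(decl + 1, len(lines)):
        if lines[i].strip() != after_instruction.strip():
            continue
        if i + 1 < len(lines) and lines[i + 1].strip().startswith("move-result"):
            raise ValueError("anchor on the move-result line, not on its invoke")
        ind = lines[i][:len(lines[i]) - len(lines[i].lstrip())]
        lines[i + 1:i + 1] = [ind + p for p in patch]
        return "\n".join(lines)
    raise ValueError("anchor instruction not found")


# Constructed sample: the getCurrentAccountName() method from the slides.
SAMPLE = """\
.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
    if-nez v0, :cond_6
    const/4 v0, 0x0
    :goto_5
    return-object v0
    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
    goto :goto_5
.end method"""
ANCHOR = "iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;"
```

Calling inject_log(SAMPLE, ANCHOR, "v0") turns .registers 2 into .registers 4 and logs the Account object from v1/v2 while v0 and p0 keep their meaning; String.valueOf is used instead of the slide's List.toString so a null in the logged register does not crash the app.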

STEP 3
INJECT VIEWSERVER INTO APP

Resource located! Now we need to send it
Apply a patch to ViewServer that stores the list:
public static void setScrambleWordList(List list);
Build the patched ViewServer, extract the .smali files
Copy the smali files into our application
Easy enough, right?

STEP 4
PATCH APP TO USE VIEWSERVER API

Start the ViewServer in the onCreate() method of MainActivity.smali
ViewServer.get()
invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;

Pass the list to ViewServer in fu.smali
ViewServer.setScrambleWordList(list)
invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V

v2 must hold the List at the point of injection; a static call needs nothing else from the surrounding method, which is why the best-practice slide says to inject static methods.

STEP 5
REBUILD APK

Re-assemble
smali -a 10 ./out -o classes.dex
Re-compress
zip -0 -r ../scramble.apk ./*
    -0  store entries without compression, -r recursive
Sign APK
jarsigner -verbose -keystore myrelease-key.keystore ./scramble.apk alias_name

Sign before installing: the re-zipped APK carries no META-INF at this point and the package manager refuses unsigned packages. With JDK 7's jarsigner add -sigalg SHA1withRSA -digestalg SHA1, since the Android releases of the time only verify SHA-1 manifest digests.

STEP 6
INSTALL AND COMMUNICATE WITH APP

Install
adb install -r ../scramble.apk
(the patched APK is signed with your key, not the vendor's, so an existing install of the original has to be removed first: adb uninstall <package>)
Forward port
adb forward tcp:4939 tcp:4939
Communicate
nc 127.0.0.1 4939
(nc connects as the client: ViewServer is the listener on the device, and adb forward hands host port 4939 to it)
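The four-step approach from Part I and steps 1, 5 and 6 above, as one pipeline. This is an added example in Python, not the slides' own script: the zip handling (unpack, strip META-INF, repack) runs offline against a constructed stand-in for scramble.apk, while disassemble, reassemble and sign_and_install wrap baksmali, smali, jarsigner and adb with the 1.x flags and the placeholder keystore name and alias from the slides, and only run where those tools are installed. What happens between disassemble() and reassemble() is whatever you do to the .smali files.

```python
import os
import shutil
import subprocess
import tempfile
import zipfile

# Added example, not the slides' own script: the four-step approach from Part I
# (extract, disassemble, patch, reassemble and rezip) and steps 1, 5 and 6 of the
# demo as one pipeline. The zip handling runs offline on a constructed sample APK;
# the tool wrappers use the smali/baksmali 1.x flags shown on the slides and the
# slides' placeholder keystore name and alias.

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def signature_entries(apk_path):
    """JAR-signature entries (META-INF/MANIFEST.MF, *.SF, *.RSA ...) present in an APK."""
    with zipfile.ZipFile(apk_path) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES))


def unpack(apk_path, work_dir):
    """Step 1: unzip scramble.apk; rm -r ./META-INF (a patched dex invalidates the old signature)."""
    with zipfile.ZipFile(apk_path) as z:
        z.extractall(work_dir)
    shutil.rmtree(os.path.join(work_dir, "META-INF"), ignore_errors=True)
    return work_dir


def disassemble(work_dir, api=10, bootclasspath="~/boot_class_path"):
    """baksmali -a 10 -d <framework_path> classes.dex  -> work_dir/out/**/*.smali"""
    subprocess.check_call(["baksmali", "-a", str(api), "-d", os.path.expanduser(bootclasspath),
                           "classes.dex"], cwd=work_dir)


def reassemble(work_dir, api=10):
    """smali -a 10 ./out -o classes.dex, then drop the .smali sources so they don't ship."""
    subprocess.check_call(["smali", "-a", str(api), "out", "-o", "classes.dex"], cwd=work_dir)
    shutil.rmtree(os.path.join(work_dir, "out"))


def repack(work_dir, apk_path):
    """Step 5: zip -r of the working directory, guaranteed free of stale META-INF entries."""
    with zipfile.ZipFile(apk_path, "w", zipfile.ZIP_DEFLATED) as z:
        for root, _dirs, files in os.walk(work_dir):
            for f in sorted(files):
                full = os.path.join(root, f)
                arc = os.path.relpath(full, work_dir).replace(os.sep, "/")
                if not arc.startswith("META-INF/"):
                    z.write(full, arc)
    return apk_path


def sign_and_install(apk_path, keystore="myrelease-key.keystore", alias="alias_name"):
    """Steps 5-6: jarsigner, adb install -r, adb forward. The new certificate is not the
    vendor's, so an original install has to be removed first (adb uninstall <package>)."""
    subprocess.check_call(["jarsigner", "-verbose", "-keystore", keystore, apk_path, alias])
    subprocess.check_call(["adb", "install", "-r", apk_path])
    subprocess.check_call(["adb", "forward", "tcp:4939", "tcp:4939"])


def make_sample_apk(path):
    """Constructed stand-in for scramble.apk: a signed-looking zip around a fake dex."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")     # placeholder, not a real PKCS#7 blob
    return path


def demo_roundtrip():
    """Offline round trip on the sample: (signature entries before, after, dex unchanged, final entries)."""
    base = tempfile.mkdtemp()
    try:
        src = make_sample_apk(os.path.join(base, "scramble.apk"))
        before = signature_entries(src)
        work = unpack(src, os.path.join(base, "scramble"))
        # with the tools installed: disassemble(work); edit work/out/**/*.smali; reassemble(work)
        rebuilt = repack(work, os.path.join(base, "scramble-patched.apk"))
        after = signature_entries(rebuilt)
        with zipfile.ZipFile(src) as a, zipfile.ZipFile(rebuilt) as b:
            same_dex = a.read("classes.dex") == b.read("classes.dex")
            names = sorted(b.namelist())
        return before, after, same_dex, names
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo_roundtrip())
```

After jarsigner, run zipalign -v 4 unaligned.apk aligned.apk from the SDK tools; with jarsigner the alignment step has to come after signing, since it rewrites the zip. The rebuilt APK carries your certificate, so anything the original tied to the vendor's signing key (in-app billing, API keys bound to the cert) will stop working in the patched copy.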

APE
INTELLIGENT ANDROID INSTRUMENTATION

Fully aware of the application's content
Invokes actions and makes decisions based on what it sees
Optimized and extended Romain's ViewServer
Transmits view data after each invoked action
Introspects on OpenGL
Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen

Thank you.
@davtbaum DAVID@ .COM