DAVID TEITELBAUM
@davtbaum
DECEMBER 2012
OBJECTIVES
Expect to learn:
Android app disassembly
Fundamentals of code injection
How to use tools like Smali/Baksmali
Best practices in Android forensics.
ROADMAP
PART I - CLASS
Approach to hacking
Tools apktool, baksmali, smali
The APK
Dalvik Virtual Machine
Reading Dalvik byte code
PART II - DEMO
Scramble With Friends deep dive
App disassembly and analysis
Code injection with ViewServer
Resource serialization and transmission to host machine
PART I - CLASS
APK HACKING
Approach (a loop the rest of the class walks through):
1. Disassemble classes.dex (baksmali)
2. Work on the resulting .smali files
3. Static analysis / Code injection
4. Reassemble (smali)
CODE INJECTION
Best Practices:
TOOLS
You'll need:
Smali/Baksmali - http://code.google.com/p/smali/
Apktool - http://code.google.com/p/android-apktool/
SMALI/BAKSMALI?
Dalvik assembler/disassembler
APKTOOL
Buggy :/
THE APK
META-INF/
AndroidManifest.xml
classes.dex
lib/
res/
resources.arsc
EXAMPLES
baksmali (input: a dex file)
EXAMPLES
smali

$ ls
AndroidManifest.xml  META-INF  assets  classes.dex  lib  out  res  resources.arsc

$ smali -a 10 ./out -o classes.dex
  -a 10: target API level
  ./out: directory of .smali files to assemble
  -o classes.dex: output dex file

$ zip -r ~/hacked.apk ./*
  -r: recursive

EXAMPLES
apktool
SMALI FILES
Each .smali file holds:
Class information
Static fields
Methods
SYNTAX
classes
Lcom/apkudo/util/Serializer;
Class names:
prefixed with L
full namespace, slash separated
terminated with ;
SYNTAX
methods
Method definitions
.method <access flags> <name>(<param types>)<return type>
Method invocations
invoke-static: any static method
invoke-virtual: a normal virtual method, i.e. one that isn't private, static, or final and is not a constructor
invoke-direct: any non-static direct method, i.e. a private instance method or a constructor (<init>)
invoke-super: the closest superclass's implementation of a virtual method
invoke-interface: an interface method, when the concrete class of the receiver isn't known
SYNTAX
Registers
.locals 16
.registers 18
.locals gives the number of non-parameter registers; .registers gives the total frame size, parameters included. A method declares one or the other, and parameters always sit in the last registers of the frame.
SYNTAX
Register Example
v0 v1 v2 v3 v4 v5
SYNTAX
Register Example 2
Three locals followed by four parameters (.locals 3, equivalently .registers 7):
register  parameter  holds
v0                   local
v1                   local
v2                   local
v3        p0         this
v4        p1         String
v5        p2         int
v6        p3         int
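The class and method syntax above, and the register layout in the example, can be checked mechanically. The following is an added example (not code from the slides) that parses Dalvik class and method descriptors and computes which v-register each pN parameter occupies for a given .registers count. It also handles static methods (no implicit this) and the wide types J and D, which take two registers; the slides do not cover those, but Dalvik requires it. The method lines and register counts used below are constructed inputs.

```python
"""Dalvik descriptor parsing and parameter-register layout.

Added example, not code from the slides. Implements the rules the syntax
slides describe: class descriptors look like Lcom/apkudo/util/Serializer;
and a method's parameters live in the *last* registers of its frame
(p0 = this for instance methods), so the same p-register maps to a
different v-register depending on how many locals the method declares.
Wide types (J, D) occupy two registers.
"""
import re

PRIMITIVES = set("VZBSCIJFD")   # void, boolean, byte, short, char, int, long, float, double
WIDE = {"J", "D"}               # long and double take a register pair


def class_name(descriptor):
    """'Lcom/apkudo/util/Serializer;' -> 'com.apkudo.util.Serializer'."""
    if not (descriptor.startswith("L") and descriptor.endswith(";")):
        raise ValueError("not a class descriptor: %r" % descriptor)
    return descriptor[1:-1].replace("/", ".")


def parse_type_list(s):
    """Split a descriptor list such as 'Ljava/lang/String;I[J' into its types."""
    types, i = [], 0
    while i < len(s):
        start = i
        while s[i] == "[":                 # array dimensions prefix the element type
            i += 1
        if s[i] == "L":                    # object type runs to the next ';'
            i = s.index(";", i) + 1
        elif s[i] in PRIMITIVES:
            i += 1
        else:
            raise ValueError("bad descriptor at offset %d in %r" % (i, s))
        types.append(s[start:i])
    return types


METHOD_RE = re.compile(
    r"\.method\s+(?P<flags>(?:[a-z\-]+\s+)*)(?P<name>[^\s(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)"
)


def parse_method(line):
    """Parse a '.method <flags> <name>(<params>)<ret>' line into its parts."""
    m = METHOD_RE.match(line.strip())
    if not m:
        raise ValueError("not a .method line: %r" % line)
    return (m.group("flags").split(), m.group("name"),
            parse_type_list(m.group("params")), m.group("ret"))


def param_registers(method_line, registers):
    """Map each pN to its absolute vM for a method declaring '.registers <registers>'.

    Parameters occupy the last registers of the frame; the registers before
    them are the locals (the number a '.locals' directive would state).
    """
    flags, _, params, _ = parse_method(method_line)
    widths = [] if "static" in flags else [1]        # implicit this is p0
    widths += [2 if t in WIDE else 1 for t in params]
    needed = sum(widths)
    if needed > registers:
        raise ValueError(".registers %d is too small for %d parameter registers"
                         % (registers, needed))
    mapping, v, p = {}, registers - needed, 0
    for w in widths:
        mapping["p%d" % p] = "v%d" % v
        v += w
        p += w                                       # a wide parameter uses pN and pN+1
    return mapping


if __name__ == "__main__":
    # Reproduces Register Example 2: three locals, then this, String, int, int.
    print(param_registers(".method public foo(Ljava/lang/String;II)V", 7))
```

The mapping matters when you inject code: a register you think is a free local may actually be a parameter if you count from the total rather than from .locals, and in baksmali output the parameters are usually written with their pN aliases, so bumping .locals shifts their v-numbers without breaking the method.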
SYNTAX
Register Example 3
v0 v1
SYNTAX
jumping
jumps
goto <target>
In the dex file the target is a signed offset from the instruction; baksmali renders it as a label such as :goto_0.
SYNTAX
conditionals
Conditionals (compare two registers and branch to a label)
if-eq
if-ne
if-le
if-lt
if-ge
if-gt
Add z for a compare against zero with a single register: if-eqz, if-nez, if-lez, if-ltz, if-gez, if-gtz
PUTTING IT ALL TOGETHER
Example (annotated smali; the callouts label v0, v1 and p0, the this instance)
PART II - DEMO
RESOURCE SERIALIZATION AND TRANSMISSION
ROMAIN GUY'S VIEWSERVER
Flow: the injected call in the Activity's onCreate() invokes ViewServer.addWindow(); the ViewServer runs inside the app on the Android OS side and listens on port 4939, which adb forward maps to localhost:4939 on the host machine.
STEP 1
DECOMPRESS AND DISASSEMBLE
unzip scramble.apk
rm -r ./META-INF
(this discards the original signature; the APK is re-signed in step 5)
Disassemble (baksmali):
STEP 2
ANDROID FORENSICS
Find the word list. How?
Beat obfuscation: class and method names are meaningless, but field/parameter types and string literals survive
Search for class types and log messages
Find the intersection of the two
Insert your own log statements
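The Step 2 recipe can be scripted over the baksmali output directory. The following is an added example, not code from the slides or from the Scramble With Friends demo: it lists every class that both references a type of interest and calls android.util.Log, and it injects a Log.d() call at the top of a chosen method. The sample class is constructed to look like baksmali output for an obfuscated class. inject_log() assumes the method carries a .locals directive (baksmali's -l / --use-locals output) so the two new registers can be appended after the existing locals without disturbing the pN parameter aliases.

```python
"""Smali forensics and log injection over disassembled classes.

Added example, not code from the slides. It automates the Step 2 recipe:
find the classes that reference a type AND call android.util.Log, then
inject a Log.d() call so the rebuilt app reports when that code runs.
SAMPLE_SMALI is a constructed stand-in for an obfuscated class.
"""
import os
import re

# Constructed sample: an obfuscated class that fills an ArrayList and logs.
SAMPLE_SMALI = """\
.class public final La/b/c;
.super Ljava/lang/Object;

.field private a:Ljava/util/ArrayList;

.method public a(Ljava/lang/String;I)V
    .locals 2

    .prologue
    const-string v0, "tag"
    const-string v1, "loading dictionary"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    iget-object v0, p0, La/b/c;->a:Ljava/util/ArrayList;
    invoke-virtual {v0, p1}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z
    return-void
.end method
"""

LOG_CALL = re.compile(r"invoke-static\s+\{[^}]*\},\s+Landroid/util/Log;->[a-z]+\(")
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')
LOCALS = re.compile(r"^(\s*)\.locals\s+(\d+)\s*$")


def load_tree(root):
    """Read every .smali file under `root` (the baksmali output dir) into {path: text}."""
    classes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    classes[path] = fh.read()
    return classes


def find_strings(smali_text):
    """All const-string literals in a class; obfuscators rarely touch these."""
    return CONST_STRING.findall(smali_text)


def calls_log(smali_text):
    return LOG_CALL.search(smali_text) is not None


def triage(classes, type_descriptor):
    """Classes that both reference `type_descriptor` and call android.util.Log:
    the intersection the slides say to look for."""
    return sorted(path for path, text in classes.items()
                  if type_descriptor in text and calls_log(text))


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _is_prologue_line(line):
    s = line.strip()
    return s == "" or s == ".prologue" or s.startswith(".param ")


def inject_log(smali_text, method_name, tag, message):
    """Insert Log.d(tag, message) at the start of `method_name`'s body.

    Bumps '.locals N' to N+2 and uses vN / vN+1 for the two strings. A
    non-range invoke-static can only name v0..v15, so a method that would
    need v16 is rejected instead of producing smali that will not assemble.
    """
    lines = smali_text.splitlines()
    method_re = re.compile(r"^\.method\s.*\s%s\(" % re.escape(method_name))
    out, i, in_target, injected = [], 0, False, False
    while i < len(lines):
        line = lines[i]
        if method_re.match(line):
            in_target = True
        m = LOCALS.match(line) if in_target and not injected else None
        if m:
            indent, n = m.group(1), int(m.group(2))
            if n + 1 > 15:
                raise ValueError("method already uses v0..v%d; no room below v16" % (n - 1))
            out.append("%s.locals %d" % (indent, n + 2))
            i += 1
            while i < len(lines) and _is_prologue_line(lines[i]):   # keep debug directives first
                out.append(lines[i])
                i += 1
            out += [
                '%sconst-string v%d, "%s"' % (indent, n, _escape(tag)),
                '%sconst-string v%d, "%s"' % (indent, n + 1, _escape(message)),
                "%sinvoke-static {v%d, v%d}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"
                % (indent, n, n + 1),
                "",
            ]
            injected = True
            continue
        if line.startswith(".end method"):
            in_target = False
        out.append(line)
        i += 1
    if not injected:
        raise ValueError("no .locals directive found in method %r" % method_name)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(triage({"a/b/c.smali": SAMPLE_SMALI}, "Ljava/util/ArrayList;"))
    print(inject_log(SAMPLE_SMALI, "a", "HACK", "entered a()"))
```

Write the patched text back over the .smali file, then continue with the reassemble and re-sign steps. If baksmali was run without -l the method carries .registers instead, and the free registers then have to be computed from the parameter count rather than read off the directive.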
STEP 3
STEP 4
STEP 5
REBUILD APK
Re-assemble
smali -a 10 ./out -o classes.dex
Re-compress (run from inside the unpacked directory)
zip -0 -r ../scramble.apk ./*
  -0: store entries without compression
  -r: recursive
Sign APK (META-INF/ was removed in step 1, so the package must be re-signed with your own key or it will not install)
jarsigner -verbose -keystore myrelease-key.keystore ./scramble.apk alias_name
STEP 6
Install
adb install -r ../scramble.apk
Forward port
adb forward tcp:4939 tcp:4939
(host port 4939 now maps to the ViewServer's port 4939 on the device)
Communicate
nc -l 127.0.0.1 (listen)
APE
INTELLIGENT ANDROID
INSTRUMENTATION
Thank you.
@davtbaum DAVID@
.COM