Hacking APKs for Fun and for Profit

December 3, 2016 | Author: Joan | Category: N/A

HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)

DAVID TEITELBAUM @davtbaum

DECEMBER 2012

OBJECTIVES

Expect to learn:
- Android app disassembly
- Fundamentals of code injection
- How to use tools like Smali/Baksmali
- Best practices in Android forensics

© 2012 Apkudo Inc. Confidential www.apkudo.com

ROADMAP

PART I - CLASS
- Approach to hacking
- Tools: apktool, baksmali, smali
- The APK
- Dalvik Virtual Machine
- Reading Dalvik byte code

PART II - DEMO
- Scramble With Friends deep dive
- App disassembly and analysis
- Code injection with ViewServer
- Resource serialization and transmission to host machine

PART I - CLASS


APK HACKING

Approach
1. Extract the APK and disassemble classes.dex (baksmali)
2. Apply static analysis: what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip the APK

[Diagram: classes.dex -> Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)]

CODE INJECTION

Best practices:
- You don't need to be a Dalvik byte code pro!
- Write patches in Java, compile them to a .dex (javac, then the SDK's dx tool), then use baksmali to disassemble that .dex into Dalvik byte code (.smali) you can drop into the target.
- Stick to public static methods: an invoke-static call depends only on the registers you explicitly pass to it, so the patch has no dependencies on the caller's register allocation.
- Let the compiler do the work!

TOOLS

You'll need...
- Access to a terminal environment (preferably Linux or Mac OS X)
- Android SDK and a working emulator
- Smali/Baksmali: http://code.google.com/p/smali/
- Apktool: http://code.google.com/p/android-apktool/
- Editor of choice (emacs!)

SMALI/BAKSMALI?

Dalvik assembler/disassembler
- Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
- Smali re-assembles .smali files back into a .dex Dalvik executable
- Gives developers the ability to modify execution without having access to source code
- Documentation on Smali/Baksmali and Dalvik is in the Smali wiki: http://code.google.com/p/smali/w/list

APKTOOL

All-in-one reverser
- Wraps smali/baksmali and the Android Asset Packaging Tool (aapt)
- Decodes resources and deserializes the binary XML
- Great for manifest introspection
- Buggy :/

THE APK

A container for your app
- A zip file, formatted based on the JAR format
- Contents:

    META-INF/             signature files (MANIFEST.MF, CERT.SF, CERT.RSA or similar)
    AndroidManifest.xml   the manifest, stored as binary XML
    classes.dex           Dalvik byte code
    lib/                  native libraries
    res/                  resources
    resources.arsc        compiled resource table

EXAMPLES: baksmali

    $ unzip foobar.apk -d foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  lib  res  resources.arsc
    $ baksmali -a 10 -d ~/boot_class_path classes.dex

    -a           API level of the target
    -d           boot class path directory (the framework jars the app links against)
    classes.dex  the dex file to disassemble; the .smali output goes to ./out by default

EXAMPLES: smali

    $ ls
    AndroidManifest.xml  META-INF  classes.dex  lib  out  res  resources.arsc
    $ smali -a 10 ./out -o classes.dex
    $ zip -r ~/hacked.apk ./*

    -a     API level
    ./out  directory of .smali files to assemble
    -o     output dex file
    -r     recursive

Caveats: remove ./out before rezipping (or zip only the APK's own entries), and delete META-INF/ and re-sign the APK, because the original signature no longer matches the modified classes.dex and Android refuses to install an APK whose signature does not verify.

EXAMPLES: apktool

    $ apktool d foobar.apk foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  apktool.yml  assets  res  smali
    $ cd ../
    $ apktool b ./foobar

    d  decode (the second argument is the output directory)
    b  build (the rebuilt APK is written under foobar/dist/)

SMALI FILES

Class representation in byte code

    # class information
    .class public Lcom/apkudo/util/Serializer;
    .super Ljava/lang/Object;
    .source "Serializer.java"

    # static fields
    .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

    # direct methods
    .method public constructor <init>()V
        .registers 1

        .prologue
        .line 5
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V

        return-void
    .end method

SYNTAX: classes

    Lcom/apkudo/util/Serializer;

Class names:
- prefixed with L and terminated with ;
- full namespace, slash separated

SYNTAX: methods

    .method private doSomething()V

Method definitions:
- .method <access flags> <name>(<parameter descriptors>)<return descriptor>

Method invocations:
- invoke-static: any static method
- invoke-virtual: any normal virtual method (one that isn't private, static, or final, and isn't a constructor)
- invoke-direct: any non-static direct method, i.e. a private instance method or a constructor (<init>)
- invoke-super: the superclass's implementation of a virtual method (super.foo())
- invoke-interface: invoke an interface method on an object whose concrete class is not known statically

SYNTAX: registers

    .locals 16
    .registers 18

- All registers are 32 bits; a long or double occupies a pair of adjacent registers
- Declaration (a method uses one directive or the other):
  - .registers: total number of registers
  - .locals: total minus the method's parameter registers
- Naming scheme:
  - p registers: parameter registers
    - implicit p0 = 'this' instance (non-static methods only)
  - v registers: local registers
  - p registers are always at the end of the register list, so pN is an alias for v(number of locals + N)

SYNTAX: register example

    .method public onCreate()V
        .registers 7
        ...

    v0        first local register
    v1        second local register
    v2        ...
    v3        ...
    v4        ...
    v5        ...
    v6   p0   first param: 'this'

SYNTAX: register example 2

    .method public doIt(Ljava/lang/String;II)V
        .registers 7

    v0        first local register
    v1        second local register
    v2        ...
    v3   p0   'this'
    v4   p1   String
    v5   p2   int
    v6   p3   int

SYNTAX: register example 3

    .method public doIt(JI)V
        .registers 7          # hint: J == long

    v0        first local register
    v1        second local register
    v2        third local register
    v3   p0   'this' instance
    v4   p1   long, first register
    v5   p2   long, second register
    v6   p3   int
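The three tables above are instances of one rule, and it is worth having it as code when you patch a method and need to know which vN a given pN really is. The following Python is an added example, not code from the deck or from Apkudo: it computes the register table for any `.method` line from its descriptor, including array and wide (long/double) parameters and static methods. The method names onCreate/doIt are the slides' own; everything else is mine.

```python
"""Dalvik register layout of a smali method, computed from its signature.

Added example; not from the Apkudo deck. It generalises the three register
tables above: locals come first, parameter registers last, p0 is 'this' for
instance methods, and a long (J) or double (D) takes two consecutive registers.
"""

PRIMITIVES = {"Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}
WIDE = {"J", "D"}   # 64-bit values occupy a register pair


def parse_param_types(signature):
    """Split the parameter list of a signature such as
    'doIt(JLjava/lang/String;[II)V' into its type descriptors."""
    params = signature[signature.index("(") + 1:signature.index(")")]
    types, i = [], 0
    while i < len(params):
        start = i
        while params[i] == "[":          # array: one '[' per dimension
            i += 1
        if params[i] == "L":             # object type runs up to the ';'
            i = params.index(";", i) + 1
        else:                            # primitive: a single letter
            i += 1
        types.append(params[start:i])
    return types


def describe(t):
    """Readable name for a type descriptor ('I' -> 'int'; objects unchanged)."""
    return PRIMITIVES.get(t, t)


def register_layout(signature, registers, static=False):
    """Map every register of a method declared with `.registers <registers>`.

    Returns a list of (v-register, p-alias or None, description) in register
    order, the same shape as the tables above.
    """
    params = []   # (p-name, description), in declaration order
    if not static:
        params.append(("p0", "'this' instance"))
    for t in parse_param_types(signature):
        if t in WIDE:
            params.append((f"p{len(params)}", f"{describe(t)}, first register"))
            params.append((f"p{len(params)}", f"{describe(t)}, second register"))
        else:
            params.append((f"p{len(params)}", describe(t)))
    n_locals = registers - len(params)
    if n_locals < 0:
        raise ValueError(f".registers {registers} is too small for "
                         f"{len(params)} parameter registers")
    rows = [(f"v{i}", None, "local register") for i in range(n_locals)]
    rows += [(f"v{n_locals + k}", p, desc) for k, (p, desc) in enumerate(params)]
    return rows


def locals_directive(signature, registers, static=False):
    """The `.locals` count equivalent to a given `.registers` count."""
    return sum(1 for _, alias, _ in register_layout(signature, registers, static)
               if alias is None)


if __name__ == "__main__":
    for sig in ("onCreate()V", "doIt(Ljava/lang/String;II)V", "doIt(JI)V"):
        print(f".method public {sig}  .registers 7")
        for v, p, desc in register_layout(sig, 7):
            print(f"    {v:<4}{p or '':<4}{desc}")
```

Running it reproduces the three tables. The check that matters in practice is the wide case: a long parameter consumes two p-names, so the int after it is p3, not p2, and a patch that passes p2 to a method expecting an int hands it the upper half of the long.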

SYNTAX: jumping

Jumps:
- goto

    .method public doIt(JI)V
        .registers 7
        ...
        goto :goto_31
        ...
        :goto_31
        return-void
    .end method

SYNTAX: conditionals

Conditionals (compare two registers):
- if-eq
- if-ne
- if-lt
- if-ge
- if-gt
- if-le
- Add z for a compare against zero (one register): if-eqz, if-nez, if-ltz, if-gez, if-gtz, if-lez

    .method public foobar()V
        .registers 2

        const/4 v0, 0x0

        if-eqz v0, :cond_6

        return-void

        :cond_6
        # Do something
        return-void
    .end method

PUTTING IT ALL TOGETHER

Example

    .method public getCurrentAccountName()Ljava/lang/String;
        .registers 2

        .prologue
        .line 617
        # iget-object: get this field (mCurrentAccount, of type Account) out of p0 into this register (v0)
        iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;

        if-nez v0, :cond_6

        const/4 v0, 0x0

        :goto_5
        return-object v0

        :cond_6
        iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;

        goto :goto_5
    .end method

    v0        first local register
    v1   p0   'this' instance

In Java terms: return mCurrentAccount == null ? null : mCurrentAccount.name;

PART II - DEMO

RESOURCE SERIALIZATION AND TRANSMISSION

Romain Guy's ViewServer

[Diagram: the app's onCreate() calls addWindow() on the ViewServer running inside the app on the Android OS; the host reaches the ViewServer socket via an ADB-forwarded localhost:4939]

STEP 1: DECOMPRESS AND DISASSEMBLE

- Extract classes.dex and remove the signature files:

    unzip scramble.apk
    rm -r ./META-INF

- Disassemble:

    baksmali -a 10 -d out/target/product/generic/system/framework ./classes.dex

    -a  API level
    -d  boot class path directory (here the framework directory of an AOSP build)

STEP 2: ANDROID FORENSICS

Find the word list... how?
- Beat obfuscation!
- Search for class types and log messages
- Find the intersection of the two
- Insert your own log statements:

    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

Here v1 holds the tag string and v2 the list. Note that move-result-object v2 overwrites the list reference with the string; if the original code uses v2 afterwards, receive the result in a free register instead.
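The forensics step above (intersect type references with log calls, then inject a log statement) can be scripted against a directory of .smali files. What follows is an added example, not the deck's or Apkudo's code. The two .smali inputs, the class names com/example/fu and com/example/b, and the HACK tag are constructed; the script assumes methods carry a .locals directive (apktool's smali output does), and it grows .locals to obtain fresh registers instead of reusing v2 as the slide does, so the injected stanza clobbers nothing the method still needs.

```python
"""Find the word-list code in obfuscated smali and plan a log-injection patch.
Added example, not from the Apkudo deck: the two .smali inputs are constructed
stand-ins for apktool/baksmali output (names made up) and carry .locals."""
import re

LOG_CALL_RE = re.compile(r"Landroid/util/Log;->[a-z]+\(")
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]*)"')
LOCALS_RE = re.compile(r"^(\s*)\.locals\s+(\d+)\s*$")
V_REG_RE = re.compile(r"\bv(\d+)\b")

# Constructed input: an obfuscated class building the word list, and a decoy
# that logs but never touches a List (so it must not be reported).
SMALI_FILES = {
    "com/example/fu.smali": """\
.class public Lcom/example/fu;
.super Ljava/lang/Object;
.method public a(Ljava/io/InputStream;)Ljava/util/List;
    .locals 3
    const-string v1, "Words"
    new-instance v2, Ljava/util/ArrayList;
    invoke-direct {v2}, Ljava/util/ArrayList;-><init>()V
    const-string v0, "loaded word list"
    invoke-static {v1, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-object v2
.end method
""",
    "com/example/b.smali": """\
.class public Lcom/example/b;
.super Ljava/lang/Object;
.method public c()V
    .locals 2
    const-string v0, "Net"
    const-string v1, "connected"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}


def split_methods(smali_text):
    """Yield (signature, body_lines) for every .method block in a class."""
    sig, body = None, []
    for line in smali_text.splitlines():
        s = line.strip()
        if s.startswith(".method "):
            sig, body = s[len(".method "):], []
        elif s == ".end method" and sig is not None:
            yield sig, body
            sig = None
        elif sig is not None:
            body.append(line)


def find_candidates(files, target_type):
    """Methods that mention target_type (signature or body) AND call
    android.util.Log; the string literals tie a logcat line back to the code."""
    hits = []
    for path, text in files.items():
        for sig, body in split_methods(text):
            joined = "\n".join(body)
            if target_type in sig + joined and LOG_CALL_RE.search(joined):
                hits.append((path, sig, CONST_STRING_RE.findall(joined)))
    return hits


def inject_log(body, list_reg, tag="HACK"):
    """Put the deck's log stanza before the first return, in two fresh locals
    obtained by growing .locals, so the List register is not clobbered."""
    idx = next(i for i, l in enumerate(body) if LOCALS_RE.match(l))
    indent, n = LOCALS_RE.match(body[idx]).groups()
    n = int(n)
    used = [int(m) for l in body for m in V_REG_RE.findall(l)]
    if used and max(used) >= n:   # params written as vN would shift when .locals grows
        raise ValueError("re-disassemble with p-register names before growing .locals")
    tag_reg, str_reg = n, n + 1
    if str_reg > 15:               # non-range invoke-* can only address v0..v15
        raise ValueError("use invoke-static/range or a static helper method")
    stanza = [
        f'{indent}const-string v{tag_reg}, "{tag}"',
        f"{indent}invoke-virtual {{{list_reg}}}, Ljava/util/List;->toString()Ljava/lang/String;",
        f"{indent}move-result-object v{str_reg}",
        f"{indent}invoke-static {{v{tag_reg}, v{str_reg}}}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I",
    ]
    ret = next(i for i, l in enumerate(body) if l.strip().startswith("return"))
    patched = list(body)
    patched[idx] = f"{indent}.locals {n + 2}"
    return patched[:ret] + stanza + patched[ret:]


def patch_class(smali_text, signature, list_reg, tag="HACK"):
    """Return the class text with inject_log applied to one method."""
    out, body, inside = [], [], False
    for line in smali_text.splitlines():
        s = line.strip()
        if s == ".method " + signature:
            inside, body = True, []
            out.append(line)
        elif inside and s == ".end method":
            out.extend(inject_log(body, list_reg, tag))
            out.append(line)
            inside = False
        elif inside:
            body.append(line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

find_candidates(SMALI_FILES, "Ljava/util/List;") reports only fu.a, together with the literals "Words" and "loaded word list" that you can grep for in logcat; b.c logs too but never touches a List. patch_class(..., "public a(Ljava/io/InputStream;)Ljava/util/List;", "v2") bumps the method to .locals 5 and emits the stanza in v3/v4 just before return-object v2. The two ValueError checks are the ones that bite in practice: growing .locals silently shifts parameters that were disassembled as literal vN, and the non-range invoke forms cannot address registers above v15, which is exactly why the deck recommends a public static helper.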

STEP 3: INJECT VIEWSERVER INTO APP

- Resource located! Now we need to send it...
- Apply a patch to ViewServer that stores the list:

    public static void setScrambleWordList(List list);

- Build the patched ViewServer, extract the .smali files
- Copy the smali files into our application. Easy enough, right?

STEP 4: PATCH APP TO USE VIEWSERVER API

- Start the ViewServer in the onCreate() method of MainActivity.smali: ViewServer.get()

    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;

- Pass the list to ViewServer in fu.smali: ViewServer.setScrambleWordList(list)

    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V

STEP 5: REBUILD APK

- Re-assemble:

    smali -a 10 ./out -o classes.dex

- Re-compress (after removing ./out, which must not ship in the APK; -0 stores entries uncompressed):

    zip -0 -r ../scramble.apk ./*

- Sign the APK (META-INF was removed in step 1, so a fresh signature is required):

    jarsigner -verbose -keystore myrelease-key.keystore ./scramble.apk alias_name

STEP 6: INSTALL AND COMMUNICATE WITH APP

- Install:

    adb install -r ../scramble.apk

- Forward the port:

    adb forward tcp:4939 tcp:4939

- Communicate (ViewServer is the listening side, inside the app on the device, so the host connects to the forwarded port):

    nc 127.0.0.1 4939

APE: INTELLIGENT ANDROID INSTRUMENTATION

- Fully aware of application content
- Invokes actions and makes decisions based on what it sees
- Optimized and extended Romain's ViewServer
- Transmits view data after each invoked action
- Introspects on OpenGL
- Uses the word list to obtain matrix positions, and OpenGL introspection to find buttons on screen

Thank you. @davtbaum DAVID@ .COM
