Hacking APKs for Fun and for Profit
December 3, 2016 | Author: Joan | Category: N/A
HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
DAVID TEITELBAUM @davtbaum
DECEMBER 2012
OBJECTIVES
Expect to learn:
§ Android app disassembly
§ Fundamentals of code injection
§ How to use tools like Smali/Baksmali
§ Best practices in Android forensics
© 2012 Apkudo Inc. Confidential www.apkudo.com
ROADMAP
PART I - CLASS
§ Approach to hacking
§ Tools – apktool, baksmali, smali
§ The APK
§ Dalvik Virtual Machine
§ Reading Dalvik byte code
PART II - DEMO
§ Scramble With Friends deep dive
§ App disassembly and analysis
§ Code injection with ViewServer
§ Resource serialization and transmission to host machine
PART I - CLASS
APK HACKING
Approach
1. Extract APK and disassemble classes.dex (baksmali)
2. Apply static analysis – what is the application doing?
3. Inject byte code into the application to modify execution
4. Reassemble classes.dex (smali) and rezip APK
Diagram: APK → Disassemble (baksmali) → .smali → Static analysis / Code injection → Reassemble (smali) → APK
CODE INJECTION
Best Practices:
§ You don’t need to be a Dalvik byte code pro!
§ Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
§ Stick to public static methods in Dalvik byte code which have no register dependencies.
§ Let the compiler do the work!
TOOLS
You’ll need…
§ Access to a terminal environment (preferably Linux or Mac OS X)
§ Android SDK and a working emulator
§ Smali/Baksmali - http://code.google.com/p/smali/
§ Apktool - http://code.google.com/p/android-apktool/
§ Editor of choice (emacs!)
SMALI/BAKSMALI?
Dalvik Assembler/Disassembler
§ Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
§ Smali re-assembles .smali files back into a .dex Dalvik executable
§ Gives developers the ability to modify execution without having access to source code
§ Documentation on Smali/Baksmali and Dalvik in the Smali wiki: http://code.google.com/p/smali/w/list
APKTOOL
All-in-one reverser
§ Wraps smali/baksmali and the Android asset packaging tool (aapt)
§ Decodes resources and deserializes XML
§ Great for manifest introspection
§ Buggy :/
THE APK
A container for your app
§ Zipped file formatted based on JAR
Typical contents:
  META-INF/
  AndroidManifest.xml
  classes.dex
  lib/
  res/
  resources.arsc
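The layout above can be checked programmatically. The following Python script is an added example for this page, not code from the talk or from Apkudo: it builds a constructed, in-memory APK whose entry names follow the slide's layout (the bytes are placeholders, not a real application, dex file or signature), groups the entries the way the slide lists them, checks the dex magic, and shows what the later "remove keys" step (rm -r ./META-INF) does to the JAR signature files, which is why the demo has to re-sign with jarsigner before adb install will accept the rebuilt APK.

```python
import io
import zipfile

# Constructed sample APK contents. Entry names follow the layout on the slide;
# the bytes are placeholders, not a real application, signature or dex file.
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",   # placeholder signature file
    "META-INF/CERT.RSA": b"\x30\x82placeholder",       # placeholder signature block
    "AndroidManifest.xml": b"<binary xml placeholder>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 8,       # starts with the dex magic
    "classes2.dex": b"dex\n035\x00" + b"\x00" * 8,
    "lib/armeabi-v7a/libfoo.so": b"\x7fELF placeholder",
    "res/layout/main.xml": b"<layout placeholder>",
    "resources.arsc": b"\x02\x00\x0c\x00placeholder",
}

SIGNATURE_EXTS = ("SF", "RSA", "DSA", "EC")


def build_sample_apk(entries=SAMPLE_ENTRIES):
    """Zip the constructed entries into an in-memory APK and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """Group the APK's entries the way the slide lists them and return a summary dict."""
    summary = {"manifest": False, "dex": [], "native_libs": [], "resources": [],
               "signature_files": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name.rsplit(".", 1)[-1]
            if name == "AndroidManifest.xml":
                summary["manifest"] = True
            elif ext == "dex" and "/" not in name:
                # Every dex file begins with the magic 'dex\n' followed by a 3-digit version
                summary["dex"].append((name, zf.read(name).startswith(b"dex\n")))
            elif name.startswith("lib/") and ext == "so":
                summary["native_libs"].append(name)
            elif name.startswith("res/") or name == "resources.arsc":
                summary["resources"].append(name)
            elif name.startswith("META-INF/") and ext in SIGNATURE_EXTS:
                summary["signature_files"].append(name)
            else:
                summary["other"].append(name)
    # A JAR (v1) signature needs a .SF file plus a matching .RSA/.DSA/.EC block.
    exts = {n.rsplit(".", 1)[-1] for n in summary["signature_files"]}
    summary["v1_signed"] = "SF" in exts and bool(exts & {"RSA", "DSA", "EC"})
    return summary


def strip_meta_inf(apk_bytes):
    """Return a copy of the APK without META-INF/, which is what 'rm -r ./META-INF'
    in the demo does; the result stays unsigned until it is signed again."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not info.filename.startswith("META-INF/"):
                dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for key, value in inspect_apk(apk).items():
        print(f"{key:16} {value}")
    print("v1_signed after stripping META-INF:", inspect_apk(strip_meta_inf(apk))["v1_signed"])
```

Run it against a real APK by replacing build_sample_apk() with the file's bytes; the dex check only looks at the magic, so a file that passes it can still be truncated or invalid.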
EXAMPLES
baksmali
$ unzip foobar.apk -d foobar
$ cd ./foobar
$ ls
AndroidManifest.xml META-INF classes.dex res resources.arsc lib
$ baksmali -a 10 -d ~/boot_class_path classes.dex
(-a = API level, -d = boot class path directory, classes.dex = the dex file to disassemble)
EXAMPLES
smali
$ ls
AndroidManifest.xml META-INF classes.dex lib res resources.arsc out
$ smali -a 10 ./out -o classes.dex
(-a = API level, -o = output dex file; ./out holds the disassembled .smali files)
$ zip -r ~/hacked.apk ./*
(-r = recursive)
EXAMPLES
apktool
$ apktool d foobar.apk foobar
(d = decode, foobar = out directory)
$ cd ./foobar
$ ls
AndroidManifest.xml apktool.yml assets res smali
$ cd ../
$ apktool b ./foobar
(b = build)
SMALI FILES
Class representation in byte code

# Class information
.class public Lcom/apkudo/util/Serializer;
.super Ljava/lang/Object;
.source "Serializer.java"

# Static fields
.field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

# Methods (direct methods)
.method public constructor <init>()V
    .registers 1

    .prologue
    .line 5
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method
SYNTAX
Classes
Lcom/apkudo/util/Serializer;
§ Class names are prefixed with L
§ Full namespace, slash separated
SYNTAX
Methods
.method private doSomething()V
§ Method definitions: .method <modifiers> <name>(<parameter types>)<return type>
§ Method invocations:
  § invoke-static – any method that is static
  § invoke-virtual – any method that isn’t private, static, or final
  § invoke-direct – any non-static direct method (private methods and constructors)
  § invoke-super – a superclass’s virtual method
  § invoke-interface – invoke an interface method
SYNTAX
Registers
.locals 16
.registers 18
§ All registers are 32 bits
§ Declaration
  § .registers – total number of registers
  § .locals – total minus method parameter registers
§ Naming scheme
  § p registers – parameter registers
    § implicit p0 = ‘this’ instance (for non-static methods)
  § v registers – local registers
  § p registers are always at the end of the register list
SYNTAX
Register Example
.method public onCreate()V
    .registers 7
    ...

  v0        First local register
  v1        Second local register
  v2        …
  v3        …
  v4        …
  v5        …
  v6 = p0   First param – ‘this’
SYNTAX
Register Example 2
.method public doIt(Ljava/lang/String;II)V
    .registers 7

  v0        First local register
  v1        Second local register
  v2        …
  v3 = p0   ‘this’
  v4 = p1   String
  v5 = p2   int
  v6 = p3   int
SYNTAX
Register Example 3
.method public doIt(JI)V
    .registers 7
    # hint: J == long

  v0        First local register
  v1        Second local register
  v2        Third local register
  v3 = p0   ‘this’ instance
  v4 = p1   long – first register
  v5 = p2   long – second register
  v6 = p3   int
SYNTAX
Jumping
§ jumps
  § goto
.method public doIt(JI)V
    .registers 7
    ...
    goto :goto_31
    ...
    :goto_31
    return-void
SYNTAX
Conditionals
§ Conditionals
  § if-eq
  § if-ne
  § if-le
  § if-lt
  § if-ge
  § if-gt
  § Add z to compare against zero (if-eqz, if-nez, …)
.method public foobar()V
    .registers 2

    const/4 v0, 0x0

    if-eqz v0, :cond_6

    return-void

    :cond_6
    # Do something
.end method
PUTTING IT ALL TOGETHER
Example
.method public getCurrentAccountName()Ljava/lang/String;
    .registers 2

    .prologue
    .line 617
    # Getting this field (mCurrentAccount), of type Landroid/accounts/Account;, from p0 into this register (v0)
    iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;

    if-nez v0, :cond_6

    const/4 v0, 0x0

    :goto_5
    return-object v0

    :cond_6
    iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;

    goto :goto_5
.end method

  v0        First local register
  v1 = p0   ‘this’ instance
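The three register examples and the getCurrentAccountName() method above all follow one rule: locals come first, parameter registers sit at the end, a non-static method's implicit 'this' is p0, and a long or double takes two adjacent registers. The Python below is an added example for this page (not code from the talk) that applies that rule to any smali method descriptor and reproduces the v/p tables from the slides; it also computes the .locals value that goes with a given .registers count. The method names and register counts it is run on are the slides' own; anything else is constructed.

```python
# Dalvik register layout for a smali method: locals first, then parameters
# (implicit 'this' for non-static methods), with long/double taking two slots.

WIDE_TYPES = {"J", "D"}  # long and double occupy two adjacent 32-bit registers


def parse_params(descriptor):
    """Return the parameter type descriptors of a method descriptor, e.g.
    'doIt(Ljava/lang/String;II)V' -> ['Ljava/lang/String;', 'I', 'I']."""
    inner = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
    params, i = [], 0
    while i < len(inner):
        start = i
        while inner[i] == "[":          # array dimensions prefix the element type
            i += 1
        if inner[i] == "L":             # object types run up to the next ';'
            i = inner.index(";", i) + 1
        else:                           # single-letter primitive type
            i += 1
        params.append(inner[start:i])
    return params


def width(type_desc):
    """Number of registers a value of this type occupies."""
    return 2 if type_desc in WIDE_TYPES else 1


def register_map(descriptor, registers, is_static=False):
    """Map every slot v0..v(registers-1) to (v name, p alias or None, description)."""
    params = parse_params(descriptor)
    param_slots = (0 if is_static else 1) + sum(width(t) for t in params)
    if param_slots > registers:
        raise ValueError(f".registers {registers} is too small for {param_slots} parameter registers")
    n_locals = registers - param_slots
    rows = [(f"v{i}", None, "local register") for i in range(n_locals)]
    slot, p = n_locals, 0
    if not is_static:
        rows.append((f"v{slot}", f"p{p}", "'this' instance"))
        slot, p = slot + 1, p + 1
    for t in params:
        if width(t) == 2:
            rows.append((f"v{slot}", f"p{p}", f"{t} - first register"))
            rows.append((f"v{slot + 1}", f"p{p + 1}", f"{t} - second register"))
        else:
            rows.append((f"v{slot}", f"p{p}", t))
        slot, p = slot + width(t), p + width(t)
    return rows


def locals_for(descriptor, registers, is_static=False):
    """The .locals value that corresponds to the given .registers count."""
    return sum(1 for _, alias, _ in register_map(descriptor, registers, is_static) if alias is None)


if __name__ == "__main__":
    for desc, regs in [("onCreate()V", 7), ("doIt(Ljava/lang/String;II)V", 7), ("doIt(JI)V", 7),
                       ("getCurrentAccountName()Ljava/lang/String;", 2)]:
        print(f".method public {desc}  .registers {regs}  (.locals {locals_for(desc, regs)})")
        for v, alias, what in register_map(desc, regs):
            print(f"  {v:3} {alias or '':3} {what}")
```

The ValueError branch is the check worth keeping when you edit smali by hand: a patch that adds a parameter or a wide local without raising .registers is rejected by the assembler or the verifier, which is the "register dependencies" pitfall the best-practices slide warns about.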
PART II - DEMO

RESOURCE SERIALIZATION AND TRANSMISSION
ROMAIN GUY’S VIEWSERVER
Diagram: app onCreate()… → addWindow() → ViewServer (inside the app, on the Android OS) → ADB-forwarded localhost:4939 → host machine
STEP 1
DECOMPRESS AND DISASSEMBLE
§ Extract classes.dex and remove keys:
    unzip scramble.apk
    rm -r ./META-INF
§ Disassemble:
    baksmali -a 10 -d out/target/product/generic/system/framework ./classes.dex
    (-a = api-level, -d = bootclasspath dir)
STEP 2
ANDROID FORENSICS
Find the words list… how?
§ Beat obfuscation!
§ Search for class types and log messages
§ Find the intersection of the two!
§ Insert your own log statements:
    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
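The "intersection" search on this slide (class types referenced by a method, crossed with the strings that method hands to android.util.Log) is something a few lines of Python can do over a directory of baksmali output. The script below is an added example for this page, not tooling from the talk: it splits smali text into methods, records every type descriptor each method touches and every string constant it passes to a Log call (resolved through the preceding const-string), and returns the methods where the type of interest and a log string co-occur. The smali it runs on is constructed for the example, with obfuscated-style placeholder names (La/b/c;, a, b, c), not code from Scramble With Friends.

```python
import re

# Constructed smali sample: placeholder class and method names, not from any real app.
SAMPLE_SMALI = """\
.class public La/b/c;
.super Ljava/lang/Object;

.method private a(Ljava/util/List;)V
    .registers 4
    const-string v0, "dict"
    const-string v1, "loaded word list"
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    iput-object p1, p0, La/b/c;->d:Ljava/util/List;
    return-void
.end method

.method private b()V
    .registers 2
    const-string v0, "x"
    const-string v1, "network error"
    invoke-static {v0, v1}, Landroid/util/Log;->w(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method

.method public c()Ljava/util/List;
    .registers 2
    iget-object v0, p0, La/b/c;->d:Ljava/util/List;
    return-object v0
.end method
"""

TYPE_RE = re.compile(r"L[\w/$]+;")
CONST_STRING_RE = re.compile(r'^const-string(?:/jumbo)? (v\d+|p\d+), "((?:[^"\\]|\\.)*)"')
LOG_CALL_RE = re.compile(r"^invoke-static \{([^}]*)\}, Landroid/util/Log;->(\w+)\(")


def split_methods(smali_text):
    """Return [(method header, [stripped body lines])] for each .method block."""
    methods, header, body = [], None, []
    for line in smali_text.splitlines():
        s = line.strip()
        if s.startswith(".method "):
            header, body = s[len(".method "):], []
        elif s == ".end method" and header is not None:
            methods.append((header, body))
            header = None
        elif header is not None:
            body.append(s)
    return methods


def index_method(header, body):
    """Types referenced by the method, and string literals it passes to Log calls."""
    types = set(TYPE_RE.findall(header))      # parameter and return types count too
    loaded = {}                                # register -> last const-string loaded into it
    log_strings = []
    for line in body:
        types.update(TYPE_RE.findall(line))
        m = CONST_STRING_RE.match(line)
        if m:
            loaded[m.group(1)] = m.group(2)
            continue
        m = LOG_CALL_RE.match(line)
        if m:
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            log_strings.extend(loaded[r] for r in regs if r in loaded)
    return types, log_strings


def find_intersection(smali_text, wanted_type, keyword=None):
    """Methods that reference wanted_type AND log a string (optionally containing keyword)."""
    hits = []
    for header, body in split_methods(smali_text):
        types, log_strings = index_method(header, body)
        if wanted_type not in types:
            continue
        matching = [s for s in log_strings if keyword is None or keyword.lower() in s.lower()]
        if matching:
            hits.append((header, matching))
    return hits


if __name__ == "__main__":
    for header, strings in find_intersection(SAMPLE_SMALI, "Ljava/util/List;", "word"):
        print(f".method {header}  logs: {strings}")
```

Against a real baksmali output tree, feed each .smali file's text through find_intersection and keep the file name alongside the header; the register tracking is deliberately simple (it only follows const-string into the same register), so strings that reach Log through a move or a StringBuilder are missed and show up only if you extend index_method.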
STEP 3
INJECT VIEWSERVER INTO APP
§ Resource located! Now we need to send it…
§ Apply a patch to ViewServer that stores the list:
    public static void setScrambleWordList(List list);
§ Build the patched ViewServer, extract its .smali files
§ Copy the smali files into our application
  § Easy enough, right?
STEP 4
PATCH APP TO USE VIEWSERVER API
§ Start the ViewServer in the onCreate() method of MainActivity.smali
  § ViewServer.get()
    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
§ Pass the list to ViewServer in fu.smali
  § ViewServer.setScrambleWordList(list)
    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V
STEP 5
REBUILD APK
§ Re-assemble
    smali -a 10 ./out -o classes.dex
§ Re-compress
    zip -z0 -r ../scramble.apk ./*
§ Sign APK
    jarsigner -verbose -keystore myrelease-key.keystore ./scramble.apk alias_name
STEP 6
INSTALL AND COMMUNICATE WITH APP
§ Install
    adb install -r ../scramble.apk
§ Forward port
    adb forward tcp:4939 tcp:4939
§ Communicate
    nc -l 127.0.0.1 (listen)
APE
INTELLIGENT ANDROID INSTRUMENTATION
§ Fully aware of application content
§ Invokes actions and makes decisions based on what it sees
  § Optimized and extended Romain’s ViewServer
  § Transmits view data after each invoked action
  § Introspects on OpenGL
§ Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen
Thank you. @davtbaum DAVID@ .COM