HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN) DAVID TEITELBAUM DECEMBER 2012 @davtbaum

Hacking for Fun and Profit


DESCRIPTION

Dive deep into the internals of Android in this two-part, 150-minute class. You will explore the wonders of Dalvik bytecode, smali syntax, decompilation tools, patching techniques, and common methods you can use to (try to) protect your apps. Extremely hands-on, you'll be downloading a very popular app, modifying it, and messing around with its behavior. Even if you're not that interested in APK hacking, you'll leave this class with the sort of deep appreciation for Dalvik that makes good Android developers great.


1. HACKING APKS FOR FUN AND FOR PROFIT (MOSTLY FOR FUN)
   David Teitelbaum, @davtbaum, December 2012

2. OBJECTIVES
Expect to learn:
  • Android app disassembly
  • Fundamentals of code injection
  • Smali/Baksmali and reading Dalvik byte code
  • Best practices in hardening your apps
2012 Apkudo Inc. Confidential www.apkudo.com

3. ROADMAP
PART I - CLASS
  • Approach to hacking
  • Tools: apktool, baksmali, smali
  • App disassembly and analysis
  • The APK
  • All things byte code
  • Recap
PART II - DEMO/HACK
  • Scramble With Friends deep dive
  • Code injection with ViewServer
  • Resource transmission

4. PART I - CLASS

5. APK HACKING
Approach:
  1. Unzip APK and disassemble classes.dex (baksmali)
  2. Static analysis: what is the application doing?
  3. Inject byte code into the application to modify execution
  4. Reassemble classes.dex (smali) and rezip APK
[Diagram: APK -> Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali) -> APK]

6. CODE INJECTION
Best Practices:
  • You don't need to be a Dalvik byte code pro! Write patches in Java, compile, then use the Smali/Baksmali tools to disassemble into Dalvik byte code
  • Stick to public static methods in Dalvik byte code, which have no register dependencies
  • Let the compiler do the work: the demo hack is achieved by inserting only two lines of manual Dalvik byte code!

7. TOOLS
You'll need:
  • Access to a terminal environment (preferably Linux or Mac OS X)
  • Android SDK: keytool and jarsigner
  • Smali/Baksmali - http://code.google.com/p/smali/
  • Apktool - http://code.google.com/p/android-apktool/
  • Editor of choice (emacs!)

8. SMALI/BAKSMALI
Dalvik Assembler/Disassembler
  • Baksmali disassembles a Dalvik executable (.dex) into readable Dalvik byte code (.smali)
  • Smali re-assembles .smali files back into a .dex Dalvik executable
  • Gives developers the ability to modify execution of an APK without having access to source code
9. APKTOOL
All in one reverser
  • Wraps smali/baksmali and the Android asset packaging tool (aapt)
  • Decodes resources and decompresses xml
  • Great for manifest introspection
  • Buggy :/

10. THE APK
A container for your app
  • Zipped file formatted based on JAR:
    META-INF/
    AndroidManifest.xml
    classes.dex
    lib/
    res/
    resources.arsc

11. EXAMPLES: baksmali
    $ unzip foobar.apk -d foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  res  resources.arsc  lib
    $ baksmali -a 10 -d ~/boot_class_path classes.dex
  -a 10 = API level; -d ~/boot_class_path = boot class path; classes.dex = dex file

12. EXAMPLES: smali
    $ ls
    AndroidManifest.xml  META-INF  classes.dex  res  resources.arsc  lib  out
    $ smali -a 10 ./out -o classes.dex
    $ zip -r ~/hacked.apk ./*
  -a 10 = API level; -o classes.dex = output dex file; -r = recursive

13. EXAMPLES: apktool
    $ apktool d foobar.apk foobar
    $ cd ./foobar
    $ ls
    AndroidManifest.xml  apktool.yml  assets  res  smali
    $ cd ../
    $ apktool b ./foobar
  d = decode, foobar = out directory; b = build

14. EXAMPLES: keytool and jarsigner
    $ keytool -genkeypair -v -alias default -keystore ~/.keystore -storepass password
    $ jarsigner -keystore ~/.keystore ./foobar.apk default
  default = alias

15. SMALI FILES
Class representation in byte code:
    .class public Lcom/apkudo/util/Serializer;
    .super Ljava/lang/Object;
    .source "Serializer.java"

    # static fields
    .field public static final TAG:Ljava/lang/String; = "ApkudoUtils"

    # direct methods
    .method public constructor <init>()V
        .registers 1
        .prologue
        .line 5
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V
        return-void
    .end method
  The .class/.super/.source lines are class information; .field lines are static fields; methods are either direct or virtual.

16. SYNTAX: types
    .method private doSomething()V
  V  void
  Z  boolean
  B  byte
  S  short
  C  char
  F  float
  I  int
  J  long    (64 bit: special instructions)
  D  double  (64 bit: special instructions)
  [  array
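The container layout on slide 10 and the rezip step on slide 12 can be checked programmatically. The Python script below is an added example, not code from the deck or from Apkudo: it constructs a minimal APK in memory with a header-only classes.dex (a constructed sample, not a real app), reports the members slide 10 names, and validates the dex header's adler32 checksum and SHA-1 signature, which is what smali recomputes when it reassembles. A classes.dex edited in place without re-assembly fails the check, which is a quick tamper indicator when inspecting a repackaged APK.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header size of dex format 035


def seal_dex(dex: bytes) -> bytes:
    """Recompute signature and checksum the way an assembler does after emitting code.

    signature (offset 12, 20 bytes) = SHA-1 over everything after the first 32 bytes
    checksum  (offset 8, uint32)    = adler32 over everything after the first 12 bytes
    """
    buf = bytearray(dex)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only dex with no classes, enough to exercise the checks."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"                        # magic + version
    struct.pack_into("<I", hdr, 32, DEX_HEADER_SIZE)    # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)    # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)         # endian_tag (little endian)
    return seal_dex(bytes(hdr))


def check_dex(dex: bytes) -> dict:
    """Findings for a dex blob: magic, version, declared size, checksum and signature validity."""
    if len(dex) < DEX_HEADER_SIZE:
        return {"magic_ok": False, "version": None, "size_ok": False,
                "checksum_ok": False, "signature_ok": False}
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, = struct.unpack_from("<I", dex, 32)
    return {
        "magic_ok": dex[0:4] == b"dex\n" and dex[7:8] == b"\x00",
        "version": dex[4:7].decode("ascii", "replace"),
        "size_ok": file_size == len(dex),
        "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
    }


def build_apk(entries: dict) -> bytes:
    """Zip {path: bytes} into an in-memory APK; an APK is a JAR-style zip (slide 10)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return out.getvalue()


def inspect_apk(apk: bytes) -> dict:
    """Report the container members slide 10 names and validate classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        return {
            "has_manifest": "AndroidManifest.xml" in names,
            "has_resources": "resources.arsc" in names,
            # jarsigner leaves META-INF/*.SF plus a *.RSA/*.DSA/*.EC signature block
            "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                          for n in names),
            "native_libs": [n for n in names if n.startswith("lib/")],
            "dex": check_dex(z.read("classes.dex")) if "classes.dex" in names else None,
        }


def sample_apk() -> bytes:
    """Constructed, unsigned sample with the layout of slide 10 (placeholder file contents)."""
    return build_apk({
        "AndroidManifest.xml": b"<placeholder binary xml>",
        "classes.dex": build_minimal_dex(),
        "resources.arsc": b"<placeholder resource table>",
        "lib/armeabi/libfoo.so": b"<placeholder native library>",
    })


def patch_in_place(dex: bytes, offset: int = 100) -> bytes:
    """Flip one byte without resealing, as an in-place edit of classes.dex would leave it."""
    buf = bytearray(dex)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print(inspect_apk(sample_apk()))
    edited = patch_in_place(build_minimal_dex())
    print("edited in place:", check_dex(edited))
    print("after reseal:   ", check_dex(seal_dex(edited)))
```

Running the script shows the constructed APK as unsigned (no META-INF block), with a valid dex; the in-place edit breaks both checksum and signature, and seal_dex restores them, which is exactly why the workflow re-assembles with smali instead of editing the dex bytes directly.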
17. SYNTAX: classes
    Lcom/apkudo/util/Serializer;
  • full name space, slash separated
  • prefixed with L
  • suffixed with ;
    const-string v0, "ApkudoUtils"
    new-instance v1, Ljava/lang/StringBuilder;
    invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V
    const-string v2, "docId: ["
    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v1

18. SYNTAX: methods
Method definitions:
    .method private doSomething()V
Method invocations:
  • invoke-static: any method that is static
  • invoke-virtual: any method that isn't private, static, or final
  • invoke-direct: any non-static direct method
  • invoke-super: any superclass's virtual method
  • invoke-interface: invoke an interface method

19. SYNTAX: methods
    .method private doSomething()V
  .method = keyword; doSomething = method name; ()V = parameters/return
    .method private delayedAnimationFrame(J)Z
        .registers 8
        .parameter "currentTime"

    # Static invocation
    invoke-static {p2}, Landroid/text/TextUtils;->isEmpty(Ljava/lang/CharSequence;)Z

    # Virtual invocation
    invoke-virtual {v0, v1}, Lcom/google/android/finsky/FinskyApp;->drainAllRequests(I)V

20. SYNTAX: registers
    .locals 16
    .registers 18
  • All registers are 32 bits
  • Declaration: .registers = total number of registers; .locals = total minus method parameter registers
  • Naming scheme: P registers = parameter registers (implicit p0 = this instance); V registers = local registers
  • P registers are always at the end of the register list

21. SYNTAX: register example
    .method public onCreate()V
    .registers 7
  v0  First local register
  v1  Second local register
  v2
  v3
  v4
  v5
  v6  p0  First param (this)   -> p0 == v6
22. SYNTAX: register example 2
    .method public doIt(Ljava/lang/String;II)V
    .registers 7
  v0  First local register
  v1  Second local register
  v2
  v3  p0  this
  v4  p1  String
  v5  p2  int
  v6  p3  int
  p0 == v3, p1 == v4, p2 == v5, p3 == v6

23. SYNTAX: register example 3
    .method public doIt(JI)V
    .registers 7   # hint: J == long
  v0  First local register
  v1  Second local register
  v2  Third local register
  v3, v4, v5, v6 - is each one A) a fourth local register? B) the this instance? C) the long? D) the int?
Answer:
  v3  p0  this instance
  v4  p1  long
  v5  p2  long
  v6  p3  int

24. SYNTAX: jumping
    .method public doIt(JI)V
        .registers 7
        ...
        goto :goto_31
        ...
        :goto_31
        return-void
Jumps: goto

25. SYNTAX: conditionals
    .method public foobar()V
        .registers 2
        const/4 v0, 0x0
        if-eqz v0, :cond_6
        return-void
        :cond_6
        # Do something
    .end method
Conditionals: if-eq, if-ne, if-le, if-lt, if-ge, if-gt; add z for zero (compare a single register against zero)

26. PUTTING IT ALL TOGETHER: example - Java
    package com.google.android.finsky;

    import android.app.Application;
    import android.accounts.Account;

    public class FinskyApp extends Application {
        Account mCurrentAccount;
        ...
        public String getCurrentAccountName() {
            if (mCurrentAccount != null) {
                return mCurrentAccount.name;
            } else {
                return null;
            }
        }
    }
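The register rules on slides 20 to 23 (parameter registers last, p0 == this for instance methods, a long or double taking a register pair) and the .registers 2 layout of slide 27's getCurrentAccountName can be computed rather than counted by hand. The Python below is an added example, not code from the deck or from Apkudo: it parses a Dalvik method descriptor and returns the p-to-v mapping, raising an error when .registers is too small for the parameters. It generalizes the slides' cases to static methods and array types; the names parse_descriptor, register_layout and format_layout are this example's own.

```python
# Compute the v/p register layout of a Dalvik method as slides 20-23 describe it:
# .registers is the total, parameter registers sit at the end, p0 is "this" for
# instance methods, and 64-bit types (J, D) occupy two consecutive registers.

WIDE_TYPES = {"J", "D"}
PRIMITIVE_NAMES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
                   "F": "float", "I": "int", "J": "long", "D": "double"}


def parse_descriptor(descriptor):
    """Split "(Ljava/lang/String;II)V" into (["Ljava/lang/String;", "I", "I"], "V")."""
    if not descriptor.startswith("(") or ")" not in descriptor:
        raise ValueError(f"not a method descriptor: {descriptor!r}")
    close = descriptor.index(")")
    params, i = [], 1
    while i < close:
        start = i
        while descriptor[i] == "[":          # array dimensions prefix the element type
            i += 1
        if descriptor[i] == "L":             # object types run up to the ';'
            i = descriptor.index(";", i) + 1
        else:                                # single-letter primitive
            i += 1
        params.append(descriptor[start:i])
    return params, descriptor[close + 1:]


def type_name(t):
    """Human-readable name for a type descriptor, following the slide 16 table."""
    dims = len(t) - len(t.lstrip("["))
    base = t[dims:]
    name = base[1:-1].replace("/", ".") if base.startswith("L") else PRIMITIVE_NAMES[base]
    return name + "[]" * dims


def register_layout(descriptor, registers, is_static=False):
    """Return (locals_count, [(p_name, v_name, meaning), ...]) for one method.

    Raises ValueError if the parameters need more registers than .registers declares.
    """
    params, _ = parse_descriptor(descriptor)
    slots = [] if is_static else [("this", 1)]
    slots += [(type_name(t), 2 if t in WIDE_TYPES else 1) for t in params]
    param_regs = sum(width for _, width in slots)
    if param_regs > registers:
        raise ValueError(f"{descriptor} needs {param_regs} parameter registers, "
                         f".registers is {registers}")
    locals_count = registers - param_regs   # what a .locals directive would declare
    layout, p, v = [], 0, locals_count
    for meaning, width in slots:
        for half in range(width):
            label = meaning if width == 1 else \
                f"{meaning} (pair, {'first' if half == 0 else 'second'})"
            layout.append((f"p{p}", f"v{v}", label))
            p += 1
            v += 1
    return locals_count, layout


def format_layout(descriptor, registers, is_static=False):
    """Render the slide-style table, one line per register."""
    locals_count, layout = register_layout(descriptor, registers, is_static)
    lines = [f"v{i}  local register" for i in range(locals_count)]
    lines += [f"{v}  {p}  {meaning}" for p, v, meaning in layout]
    return "\n".join(lines)


if __name__ == "__main__":
    # The four cases from slides 21, 22, 23 and 27
    for sig, regs in [("()V", 7), ("(Ljava/lang/String;II)V", 7),
                      ("(JI)V", 7), ("()Ljava/lang/String;", 2)]:
        print(f".method public doIt{sig}\n.registers {regs}\n{format_layout(sig, regs)}\n")
```

For slide 23 the function answers the quiz directly: v3 is p0 (this), v4 and v5 are p1 and p2 (the long's register pair), v6 is p3 (the int). When patching a method, run the target signature through it before choosing registers for injected code so that a hand-written instruction never clobbers a parameter.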
27. PUTTING IT ALL TOGETHER: same example - smali
    .method public getCurrentAccountName()Ljava/lang/String;
        .registers 2
        .prologue
        .line 617
        iget-object v0, p0, Lcom/google/android/finsky/FinskyApp;->mCurrentAccount:Landroid/accounts/Account;
        if-nez v0, :cond_6
        const/4 v0, 0x0
        :goto_5
        return-object v0
        :cond_6
        iget-object v0, v0, Landroid/accounts/Account;->name:Ljava/lang/String;
        goto :goto_5
    .end method
  .registers 2: v0 = first local register, v1 = p0 = this instance
  iget-object v0, p0, <class>-><field>:<type>: getting this field, of this type, into this register

28. ONE FINAL STEP: obfuscation!
  • Renames classes, class members and methods
  • Preserves OS entry points and java namespace classes
  • Slows down the static analysis process
  • Not a silver bullet, but an easy first line of defense
    iget-object v0, p0, Lcom/a/a/g;->a:Lcom/a/a/f;
    invoke-static {v0}, Lcom/a/a/f;->a(Lcom/a/a/f;)Landroid/webkit/WebView;

29. PART II - DEMO

31. HACKING SCRAMBLE
Approach:
  1. Unzip APK and disassemble classes.dex (baksmali)
  2. Isolate target resources (e.g., Scramble With Friends words list)
  3. Patch APK to receive resource, serialize, and transmit to host
  4. Reassemble classes.dex (smali) and rezip APK
[Diagram: Disassemble (baksmali) -> .smali -> Static analysis / Code injection -> Reassemble (smali)]

32. RESOURCE SERIALIZATION AND TRANSMISSION: Romain Guy's ViewServer
[Diagram: onCreate() -> addWindow() -> ViewServer -> localhost:4939, inside the Android OS]

33. STEP 1: DECOMPRESS AND DISASSEMBLE
Extract classes.dex and remove keys:
    unzip scramble.apk
    rm -r ./META-INF
Disassemble:
    baksmali -a 10 -d <bootclasspath dir> ./classes.dex
  -a = api-level; -d = bootclasspath dir (out/target/product/generic/system/framework)

34. STEP 2: ANDROID FORENSICS
  • apktool: dump and inspect AndroidManifest.xml for activities
  • Find the words list: how? Beat obfuscation!
  • Search for class types and log messages; find the intersection of the two!
  • Insert your own log statements:
    invoke-virtual {v2}, Ljava/util/List;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

35. STEP 3: INJECT VIEWSERVER INTO APP
  • Resource located! Now we need to send it
  • Apply patch to ViewServer that stores list:
    public static void setScrambleWordList(List list);
  • Build patched ViewServer, extract .smali files
  • Copy smali files into our application
  • Easy enough, right?

36. STEP 4: PATCH APP TO USE VIEWSERVER API
Start the ViewServer in the onCreate() method of MainActivity.smali (ViewServer.get()):
    invoke-static {}, Lcom/android/debug/hv/ViewServer;->get()Lcom/android/debug/hv/ViewServer;
Pass the list to ViewServer in fu.smali (ViewServer.setScrambleWordList(list)):
    invoke-static {v2}, Lcom/android/debug/hv/ViewServer;->setScrambleWordList(Ljava/util/List;)V

37. STEP 5: REBUILD APK
Re-assemble:
    smali -a 10 ./out -o classes.dex
Re-compress:
    zip -z0 -r ../scramble.apk ./*
Sign APK:
    jarsigner -verbose -keystore my-release-key.keystore ./scramble.apk alias_name

38. STEP 6: INSTALL AND COMMUNICATE WITH APP
Install:
    adb install -r ../scramble.apk
Forward port:
    adb forward tcp:4939 tcp:4939
Communicate:
    nc -l 127.0.0.1   (listen)

39. APE: INTELLIGENT ANDROID INSTRUMENTATION
  • Fully aware of the application's content
  • Invokes actions and makes decisions based off of what it sees
  • Optimized and extended Romain's ViewServer
  • Transmits view data after each invoked action
  • Introspects on OpenGL
  • Uses the word list to obtain matrix positions and OpenGL introspection to find buttons on screen

40. Thank you.
@davtbaum  DAVID@ .COM
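Step 1 deletes META-INF and step 5 re-signs with a new key because the original signature no longer covers the patched classes.dex. The Python below is an added example, not code from the deck or from Apkudo; it shows the check that breaks: a constructed APK carries a JAR-style MANIFEST.MF, and each entry's digest is recomputed and compared, which is the first stage a verifier runs before checking the .SF and .RSA chain. It handles the SHA1-Digest attribute jarsigner used at the time and the later SHA-256-Digest, unfolds 72-byte manifest lines, and reports entries the manifest does not cover at all. It does not validate the signer certificate, so it detects a modified or added entry but not a wholesale re-sign with another key; comparing the signing certificate against the one expected is the complement to this check.

```python
import base64
import hashlib
import io
import zipfile

# Digest attributes jarsigner writes: older builds used SHA-1, newer ones SHA-256.
DIGEST_ATTRS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}

# Constructed long entry name so that manifest line folding is exercised.
LONG_NAME = "res/drawable-xxhdpi/a_very_long_resource_name_made_up_to_exceed_the_fold_limit.png"


def _b64digest(hashfn, data):
    return base64.b64encode(hashfn(data).digest()).decode("ascii")


def make_manifest(entries, attr="SHA1-Digest"):
    """Constructed MANIFEST.MF: one Name/Digest section per entry, lines folded at 72 bytes."""
    hashfn = DIGEST_ATTRS[attr]
    out = ["Manifest-Version: 1.0", "Created-By: example-signer (constructed)", ""]
    for name, data in entries.items():
        for line in (f"Name: {name}", f"{attr}: {_b64digest(hashfn, data)}"):
            # JAR manifests fold long lines; a continuation line starts with one space
            while len(line) > 72:
                out.append(line[:72])
                line = " " + line[72:]
            out.append(line)
        out.append("")
    return ("\r\n".join(out) + "\r\n").encode("utf-8")


def parse_manifest(raw):
    """Return {entry_name: (attr, base64_digest)} from MANIFEST.MF bytes, unfolding continuations."""
    unfolded = []
    for line in raw.decode("utf-8").splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    sections, current = [], {}
    for line in unfolded:
        if line == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    digests = {}
    for sec in sections:
        if "Name" in sec:
            for attr in DIGEST_ATTRS:
                if attr in sec:
                    digests[sec["Name"]] = (attr, sec[attr])
    return digests


def verify_manifest_digests(apk):
    """Compare every manifest digest with the entry's actual content.

    Returns (results, unlisted): results maps entry -> True/False (False also when the
    entry is missing); unlisted holds non-META-INF entries the manifest does not cover,
    which a repackaging step may have added.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for name, (attr, expected) in digests.items():
            if name not in names:
                results[name] = False
                continue
            results[name] = _b64digest(DIGEST_ATTRS[attr], z.read(name)) == expected
        unlisted = [n for n in names if not n.startswith("META-INF/") and n not in digests]
    return results, unlisted


def build_sample_apk(tamper=False, extra=None, attr="SHA1-Digest"):
    """Constructed sample: manifest computed over the original entries, then optionally modified."""
    entries = {
        "AndroidManifest.xml": b"<placeholder binary xml>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 104,
        "resources.arsc": b"<placeholder resource table>",
        LONG_NAME: b"\x89PNG placeholder",
    }
    manifest = make_manifest(entries, attr)
    if tamper:  # code changed after signing, as after a smali patch with no re-sign
        entries["classes.dex"] = entries["classes.dex"] + b"\x00"
    if extra:
        entries.update(extra)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            z.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    print("original:", verify_manifest_digests(build_sample_apk()))
    print("modified:", verify_manifest_digests(
        build_sample_apk(tamper=True, extra={"lib/x86/libextra.so": b"<placeholder>"})))
```

On the modified sample the report flags classes.dex as mismatching and lists lib/x86/libextra.so as uncovered by the manifest; the untouched entries still verify. That is the state of the APK between step 1 and step 5 of the demo, and the reason the package must be re-signed before adb will install it.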