
[Michael Pustovit] Android hacking for dummies: ‘if’ operator demolition

Presentation from GDG DevFest Ukraine 2016.
Learn more at: https://devfest.gdg.org.ua

Google Developers Group Lviv

September 09, 2016

Transcript

  1. #dfua WARNING #1: This presentation is for newbies in Android application hacking. *If you are a pro or just know enough, pretend that you are interested in the topic. Please.
  2. WARNING #2: Stay on the light side of the force! *Reverse engineering can be illegal.
  3. Reverse engineering
      - extracting knowledge or design information from anything man-made
      - re-producing it based on the extracted information
  4. Reverse engineering aims
      - Steal resources: assets, DB
      - Analyze algorithms: algorithms, API details
      - Repack: remove ads, piracy, add malware
  5. Types of reverse engineering analysis
      - Observation of information exchange: logs, memory, storage, network
      - Disassembly: get/view a program in raw machine language
      - Decompilation: get/view a program in a high-level language
  6. Overview of the build process
      .java files --javac--> .class files --dx--> .dex file
      resources --aapt--> binary resources
      .dex file + resources + .so (native libs) --apkbuilder--> APK --jarsigner--> signed APK --zipalign--> aligned APK
  7. APK structure
      - Manifest in binary form
      - Resources in binary form
      - String resources in binary form
      - Executables in DEX form
  8. .class vs .dex: stack VM vs register VM
      .class (JVM) - stack VM: operands are pushed on a stack and the operation pops them
          push 20
          push 7
          add           ; pops 20 and 7, pushes 27
          ; result is on the stack top
      .dex (Dalvik) - register VM: operands and results live in numbered registers
          mov r1, 20
          mov r2, 7
          add r1, r2, r3
          ; result is in register r3
  9. .class vs .dex: stack VM vs register VM
      - .class: a single file per Java class
      - .dex: all Java classes in a single file, hence better compression (shared string/type tables in one file)
  10. Analysis tools
      - apktool: smali/baksmali, resources unpacker, manifest unpacker; the “Unpack” - “Modify” - “Pack” scenario
      - dex2jar: transforms .dex back to a set of .class files
      - Decompilers: transform .class files back to Java code
  11. smali/baksmali
      - smali/baksmali = assembler/disassembler (in Icelandic)
      - syntax is loosely based on Jasmin's/dedexer's syntax
      - supports the full functionality of the dex format
  12-13. Smali format overview
      java:
          public static int sum(final int a, final int b) {
              return a + b;
          }
      smali (the same method as baksmali prints it, annotated):
          .method public static sum(II)I
              .locals 1                 # local registers count (v0)
              .param p0, "a"    # I     # method params: p0 and p1 are the two ints
              .param p1, "b"    # I
              .prologue
              .line 8                   # source line number, for the debugger
              add-int v0, p0, p1        # main operation: v0 = p0 + p1
              return v0
          .end method
  14. Basic modification process
      Get the APK, then unpack it:
          > apktool d app.apk -o app
      Make modifications (edit the smali / resources under app/), then repack:
          > apktool b app -o reapp.apk
      Sign & install: the rebuilt APK is unsigned, so sign it with your own key (jarsigner), zipalign it and install. Because your key differs from the original developer's, Android will not install the repacked APK over the original app; uninstall the original first.
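The whole loop from slide 14 as a script, with the ‘if’ demolition of the talk's title done by inverting conditional branches in a smali file. This is an added example, not the deck's own code. It assumes (the deck does not say) that apktool, keytool, jarsigner, zipalign and adb are on PATH, that the licence check sits in the class org/lampapos/crackmeapp/MainActivity.smali with package name org.lampapos.crackmeapp (both taken from the deck's listings, the package name is an assumption), and that the method hasValidKey()Z and the sample smali below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the deck's own code: the slide-14 loop as a script, with
# the "'if' operator demolition" done by inverting conditional branches in
# smali. Assumes (not stated in the deck) that apktool, keytool, jarsigner,
# zipalign and adb are on PATH, and that the licence check lives in the
# hypothetical class org/lampapos/crackmeapp/MainActivity.smali.
set -eu

# Constructed sample input (not from the deck): a hypothetical licence check
# as baksmali would print it.  Java equivalent:
#     if (!hasValidKey()) return false; return true;
# Writes it to the file named in $1.
write_sample_smali() {
    cat > "$1" <<'EOF'
.method private isLicensed()Z
    .locals 1
    .prologue
    invoke-direct {p0}, Lorg/lampapos/crackmeapp/MainActivity;->hasValidKey()Z
    move-result v0
    if-eqz v0, :cond_0
    const/4 v0, 0x1
    return v0
    :cond_0
    const/4 v0, 0x0
    return v0
.end method
EOF
}

# The demolition: swap if-eqz <-> if-nez on every conditional branch in $1, so
# "jump to the failure path when the flag is 0" becomes "jump when it is 1".
# Both branch targets stay valid, which is why inverting is the safest first
# patch to try in a .smali file.  Prints how many branches were changed.
invert_if_branches() {
    smali="$1"
    n=$(grep -c -E '^[[:space:]]*if-(eqz|nez) ' "$smali" || true)
    # Go through a placeholder so the second substitution does not undo the first.
    sed -i.bak -E \
        -e 's/^([[:space:]]*)if-eqz /\1if-SWAP /' \
        -e 's/^([[:space:]]*)if-nez /\1if-eqz /' \
        -e 's/^([[:space:]]*)if-SWAP /\1if-nez /' "$smali"
    rm -f "$smali.bak"
    echo "$n"
}

# Unpack -> patch -> repack -> sign -> align -> install, the slide-14 order.
# $1 = input APK, $2 = work dir (default app), $3 = rebuilt APK (default reapp.apk).
modify_apk() {
    apk="$1"; work="${2:-app}"; out="${3:-reapp.apk}"
    apktool d -f "$apk" -o "$work"                       # smali/ + decoded resources
    target="$work/smali/org/lampapos/crackmeapp/MainActivity.smali"   # hypothetical location
    echo "inverted $(invert_if_branches "$target") branch(es) in $target"
    apktool b "$work" -o "$out"                          # rebuilt, but unsigned
    # Any key works: the platform checks that the APK is signed, not by whom.
    [ -f hack.keystore ] || keytool -genkeypair -keystore hack.keystore -alias hack \
        -storepass hackpass -keypass hackpass -keyalg RSA -keysize 2048 \
        -validity 10000 -dname "CN=hack"
    jarsigner -keystore hack.keystore -storepass hackpass "$out" hack
    zipalign -f 4 "$out" "${out%.apk}-aligned.apk"       # align after the jarsigner (v1) signature
    # The signer no longer matches the original app, so it must be removed first.
    adb uninstall org.lampapos.crackmeapp >/dev/null 2>&1 || true
    adb install "${out%.apk}-aligned.apk"
}

# usage: sh demolish_if.sh app.apk   (no arguments: only define the functions)
[ "$#" -eq 0 ] || modify_apk "$@"
```

Inverting a branch flips both outcomes, so in the sample a genuinely valid key now fails the check; for a clean bypass you would instead patch the constant the failure path returns (`const/4 v0, 0x0` to `0x1`) or remove the check, but the unpack/patch/repack/sign loop is identical. In an obfuscated build (slide 15) the class will not be called MainActivity, so you locate the check by the strings or API calls next to it rather than by name.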
  15. Obfuscation
      *The Java compiler leaves names (classes, methods, fields) in the bytecode.
      An obfuscator:
          ◦ renames them
          ◦ shrinks unused code/resources
          ◦ encodes names
          ◦ adds junk code
          ◦ etc.
  16. Code shrinking and name encoding
      before:
          +org
          |-+lampapos
            |-+crackmeapp
              |-BuildConfig.smali
              |-MainActivity$1.smali
              |-MainActivity.smali
              |-MainActivity_ViewBinder.smali
              |-MainActivity_ViewBinding.smali
              |-R$anim.smali
              |-R$attr.smali
              |-R$bool.smali
              |-R$color.smali
              |-R$dimen.smali
              |-R$drawable.smali
              |-R$id.smali
              |-R$integer.smali
              |-R$layout.smali
              |-R$mipmap.smali
              |-R$string.smali
              |-R$style.smali
              |-R$styleable.smali
              |-R.smali
      after:
          +a
          |-+a
            |-+a
              |-a.smali
              |-b$1.smali
              |-b.smali
              |-b_a.smali
  17. String encryption - Java representation
      unencrypted:
          public static final String P = "123";
      encrypted (the constant is stored as bytes and decoded at run time):
          static final byte[] P = new byte[] {5, 6, 7};
          static final byte KEY = 52;

          static String realPass() {
              byte[] realPassBytes = new byte[P.length];
              for (int i = 0; i < P.length; i++) {
                  realPassBytes[i] = (byte) (P[i] ^ KEY);   // 5^52='1', 6^52='2', 7^52='3'
              }
              return new String(realPassBytes);             // "123"
          }
  18. String encryption - smali representation
      unencrypted (the literal is visible right in the field definition):
          .field public static final P:Ljava/lang/String; = "123"
      encrypted (the byte array is filled in the static initializer):
          const/4 v0, 0x3
          new-array v0, v0, [B
          fill-array-data v0, :array_0
          sput-object v0, Lorg/lampapos/crackmeapp/MainActivity;->P:[B
          return-void

          nop
          :array_0
          .array-data 1
              0x5t
              0x6t
              0x7t
          .end array-data
  19. Native code
      Want to hide an algorithm? Move it to a native (C/C++) part.
      *But remember that there are disassemblers for native code binaries.
      **A native library can be reused (loaded and called) even without decompilation.
  20. Packers
      Original APK: DEX file + resources
          --Packer-->
      Wrapper APK: wrapper's DEX file + native lib (which restores the real code at run time) + mangled/encoded original DEX + resources
  21. Tools
      Obfuscators:
          • ProGuard
          • DexGuard
          • Allatori
      Packers:
          • SecNeo (Bangcle)
          • Ijiami
          • ApkProtect
  22. Summary
      • A smartphone is not a “trusted environment”.
      • “Security through obscurity” doesn’t stop a hacker, it only slows them down.
      • Everything can be hacked; it’s a question of cost and time.
  23. Sources
      • Android hacker protection level 0 (video)
      • Understanding the Dalvik bytecode with the Dedexer tool
      • Code protection in Android
      • Hacking APK for fun and for profit
      • Reverse engineering android apps
      • Android reverse engineering 101
      • Understanding the Android build process
      • Stack based vs Register based VM Architecture, and the Dalvik VM