[Michael Pustovit] Android hacking for dummies: ‘if’ operator demolytion

Transcript

1. Android hacking for dummies ‘if’ operator demolition Michael Pustovit Software

   Engineer @ Stanfy

2. #dfua WARNING #1 This presentation is for newbies in Android

   applications hacking. *If you are a pro or just know enough - pretend that you are interested in the topic. Please.

3. #dfua WARNING #2 Stay on the light side of the

   force! *Reverse engineering can be illegal.

4. #dfua Objectives Reverse Engineering methods APK build process Analysis tools

   Small demo Defence approaches

5. Reverse engineering What is this?

6. #dfua - extracting knowledge or design information from anything man-made

   - re-producing it based on the extracted information Reverse engineering

7. #dfua Reverse engineering aims Steal resources Analyze algorithms Repack •

   Remove ads • Piracy • Add malware • Algorithms • API details • Assets • DB

8. #dfua Types of reverse engineering analysis Observation of information exchange

   Disassembly • Logs • Memory • Storage • Network • get/view a program in raw machine language Decompilation • get/view a program in high-level language

9. APK build process Only basic steps

10. #dfua Overview .java Files javac .class Files dx .dex file

    apkbuilder Resources .so APK jarsigner source aapt zipalign

11. #dfua APK structure Resources in binary form Executables in DEX

    form Manifest in binary form Str resources in bin form

12. #dfua Digital signature Certificate Jar manifest Signed hash list

13. #dfua .class - stack VM - registers VM VS .dex

    pop 20 pop 7 add 20, 7, result push result * result on a stack top mov r1, 20 mov r2, 7 add r1, r2, r3 * result in a register r3

14. #dfua .class - stack VM - registers VM VS .dex

    - a single file per java class - all java classes in a single file - better compression (because of single file)

15. Analysis tools Hacker toys!

16. #dfua Analysis tools Decompilers dex2jar apktools • Smali/backsmali • Resources

    unpacker • Manifest unpacker • “Unpack” - “Modify” - “Pack” scenario • Transforms .dex back to set of .class files • Transforms .class files back to java code

17. #dfua Smali/backsmali - smali/baksmali = assembler/disassembler (in Icelandic) - syntax

    is loosely based on Jasmin's/dedexer's syntax - supports the full functionality of the dex format

18. #dfua Smali format overview public static int sum( final int

    a, final int b) { return a + b; } java smali .method public static sum(II)I .locals 1 .param p0, "a" # I .param p1, "b" # I .prologue .line 8 add-int v0, p0, p1 return v0 .end method

19. #dfua public static int sum( final int a, final int

    b) { return a + b; } .method public static sum(II)I .locals 1 .param p0, "a" # I .param p1, "b" # I .prologue .line 8 add-int v0, p0, p1 return v0 .end method Local registers count Line num for debugger Main operation Method params java smali Smali format overview

20. #dfua Basic modification process Get APK > apktool d app.apk

    -o app Make modifications > apktool b app -o reapp.apk Sign & Install

21. Demo time!

22. Defense Armors?

23. #dfua Tool types Packers Obfuscators • transform sources • encode

    binaries

24. #dfua Obfuscation * Java compiler leaves names in bytecode Obfuscator

    ◦ renames ◦ shrink unused code/res ◦ encodes names ◦ adds junk-code ◦ etc

25. #dfua Obfuscation position .java Files javac .class Files dx .dex

    file apkbuilder APK source Obfuscation

26. #dfua Code shrinking and name encoding +org |-+lampapos |-+crackmeapp |-BuildConfig.smali

    |-MainActivity$1.smali |-MainActivity.smali |-MainActivity_ViewBinder.smali |-MainActivity_ViewBinding.smali |-R$anim.smali |-R$attr.smali |-R$bool.smali |-R$color.smali |-R$dimen.smali |-R$drawable.smali |-R$id.smali |-R$integer.smali |-R$layout.smali |-R$mipmap.smali |-R$string.smali |-R$style.smali |-R$styleable.smali |-R.smali +a |-+a |-+a |-a.smali |-b$1.smali |-b.smali |-b_a.smali before after

27. #dfua String encryption - java representation public static final String

    P = "123"; byte[] P = new byte[] {5, 6, 7}; byte KEY = 52; unencrypted encrypted byte[] P = new byte[] {5, 6, 7}; byte KEY = 52; byte[] realPassBytes = new byte[P.length]; for (int i = 0; i < P.length; i++) { realPassBytes[i] = (byte)(P[i] ^ KEY); } String pass = new String(realPassBytes);

28. #dfua String encryption - smali representation .field public static final

    P:Ljava/lang/String; = "123" const/4 v0, 0x3 new-array v0, v0, [B fill-array-data v0, :array_0 sput-object v0, Lorg/lampapos/crackmeapp/MainActivi ty;->P:[B return-void nop .array-data 1 0x5t 0x6t 0x7t .end array-data unencrypted encrypted

29. #dfua Reflection System.exit(0); Class.forName("java.lang.System") .getMethod("exit", Integer.TYPE).invoke(null, Integer.valueOf("0")); Class.forName(e.d("amF2YS5sYW5nLlN5c3RlbQ==")) .getMethod(e.d("ZXhpdA=="), Integer.TYPE)

    .invoke(null, Integer.valueOf(e.d("MCA=")));

30. #dfua Native code * but remember that there are disassemblers

    for a native code binaries Want to hide an algorithm? Move it to a native (C/C++) part ** can be reused even without decompilation

31. #dfua Packers Wrapper APK Wrappers DEX file Native lib Mangled/encoded

    DEX Original APK DEX file Resources Resources Packer

32. #dfua Packers APK Original DEX file Native lib 1. anti-emulator

    2. anti-debugging Decode/fix DEX

33. #dfua Tools Packers Obfuscators • Proguard • DexGuard • Allatori

    • SecNeo (Bangcle) • Ijiami • ApkProtect

34. Summary 4 more slides and coffee break, snacks, freedom... ;)

35. #dfua Summary Don’t store secrets in your code!

36. #dfua Summary • Smartphone is not a “trusted environment” •

    “Security through obscurity ” doesn’t stop but slows down a hacker • Everything can be hacked, it’s question of cost and time

37. #dfua Sources • Android hacker protection level 0 (video) •

    Understanding the Dalvik bytecode with the Dedexer tool • Code protection in Android • Hacking APK for fun and for profit • Reverse engineering android apps • Android reverse engineering 101 • Understanding the Android build process • Stack based vs Register based VM Architecture, and the Dalvik VM

38. Michael Pustovit @pustovit https://github.com/lampapos Questions? Thank you!