
Reverse engineering is not just for hackers

Jon Reeve
October 29, 2015

Presented at Droidcon UK on 29th October 2015, Droidcon Bucharest on 12th March 2016, Droidcon Torino on 7th April 2016, DroidKaigi on 9th March 2017.


Transcript

  1. Reverse engineering is
    not just for hackers
    +JonReeve
    @themightyjon

  4. Why that permission?
    • “This notes app wants access to my contacts…”
    • “This photo-taking app wants to send SMS…”

  5. Why is this crashing?
    • “It’s my app, but that’s not my code!” (closed-source library, e.g. ads + analytics)
    • “It’s not my app, but crashes on my device!” (device-specific variations, particularly custom ROMs)

  6. How did they do that?
    • Some technical feat you thought “impossible”? e.g. good results from Camera API on Samsung
    • Too many libraries to choose from? See what everyone else went with!
    • Sure, write your own… But that doesn’t mean you can’t look at theirs first!
    • Nifty-schwifty visual effect?

  7. Get the APK
    • From device, e.g.:
    $ adb shell pm list packages -f -3                                       # … to list installed packages
    $ adb pull "$(adb shell pm path $1 | cut -d : -f 2 | tr -d '\015')"      # … to pull package $1 in one line (with root)
    • Or from other sources, but be aware of TOS and malware…

  8. aapt

  9. $ aapt
    Android Asset Packaging Tool

    Usage:
     aapt l[ist] [-v] [-a] file.{zip,jar,apk}
       List contents of Zip-compatible archive.

     aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]
       strings          Print the contents of the resource table string pool in the APK.
       badging          Print the label and icon for the app declared in APK.
       permissions      Print the permissions from the APK.
       resources        Print the resource table from the APK.
       configurations   Print the configurations in the APK.
       xmltree          Print the compiled xmls in the given assets.
       xmlstrings       Print the strings of the given compiled xml assets.

     aapt p[ackage] [-d][-f][-m][-u][-v][-x][-z][-M AndroidManifest.xml] \
       ...
       Package the android resources. It will read assets and resources that are
       supplied with the -M -A -S or raw-files-dir arguments. The -J -P -F and -R
       options control which files are output.

     aapt r[emove] [-v] file.{zip,jar,apk} file1 [file2 ...]
       Delete specified files from Zip-compatible archive.

     aapt a[dd] [-v] file.{zip,jar,apk} file1 [file2 ...]
       Add specified files to Zip-compatible archive.


  10. aapt
    General APK info:
    $ aapt dump badging Mysterious.apk
    Any interesting strings?
    $ aapt dump strings Mysterious.apk
    View a binary XML file:
    $ aapt dump xmltree Mysterious.apk AndroidManifest.xml

  11. The APK
    assets/              raw files, anything, even dynamically loaded code
    lib/                 native code libraries
    META-INF/            Certificate, signature and file hashes, to verify origin and integrity.
    res/                 Non-compiled resources
    AndroidManifest.xml  Binary XML version of manifest
    classes.dex          Dalvik Executable - All the classes for the Dalvik VM
    resources.arsc       Compiled resources
    *                    (other)

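Added example, not from the talk: a Python script that walks the entries of an APK using the layout above, classifying each path, checking the DEX magic, confirming the v1 signing files in META-INF/ are present, and flagging loadable code inside assets/. The sample APK it builds is a constructed zip, and the category labels and function names are my own.

```python
import io
import re
import zipfile

# Layout from the slide: top-level APK entries and what each holds.
CATEGORIES = [
    ("assets/", "raw files, even dynamically loaded code"),
    ("lib/", "native code libraries"),
    ("META-INF/", "certificate, signature and file hashes"),
    ("res/", "non-compiled resources"),
    ("AndroidManifest.xml", "binary XML manifest"),
    ("classes", "Dalvik Executable"),
    ("resources.arsc", "compiled resources"),
]
DEX_NAME = re.compile(r"^classes\d*\.dex$")
DEX_MAGIC = b"dex\n"  # a DEX file starts with "dex\n", then a 3-digit version and NUL

def triage_apk(data: bytes) -> dict:
    """Classify every zip entry, check DEX magic, v1 signing files and code hidden in assets/."""
    report = {"by_category": {}, "dex": [], "signed": False, "code_in_assets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            label = next((lbl for prefix, lbl in CATEGORIES if name.startswith(prefix)), "(other)")
            report["by_category"].setdefault(label, []).append(name)
            if DEX_NAME.match(name):
                # A wrong magic means the entry is not the Dalvik bytecode its name claims.
                report["dex"].append((name, zf.read(name)[:4] == DEX_MAGIC))
            if name.startswith("assets/") and name.lower().endswith((".dex", ".jar", ".apk", ".so")):
                report["code_in_assets"].append(name)
        # v1 (JAR) signing: MANIFEST.MF plus a .SF file and a .RSA/.DSA/.EC signature block.
        meta = [n for n in names if n.startswith("META-INF/")]
        report["signed"] = ("META-INF/MANIFEST.MF" in meta and any(n.endswith(".SF") for n in meta)
                            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))
    return report

def build_sample_apk() -> bytes:
    """Constructed sample, not a real app: a tiny zip laid out like the slide's APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header (constructed)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
        zf.writestr("classes2.dex", b"PK\x03\x04junk")  # deliberately wrong magic
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        zf.writestr("assets/plugin.jar", b"PK\x03\x04")  # loadable code hiding in assets/
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()
```

Run `triage_apk(open("target.apk", "rb").read())` on a real APK; a `False` next to a DEX entry or anything under `code_in_assets` is worth a closer look with the tools on the following slides.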

  12. basic tools


  13. basic + old tools
    #!/bin/bash
    # $1 is the APK to take apart; each tool writes to its own output directory
    unzip -d zip-out "$1"
    # decode the binary manifest into readable XML
    java -jar AXMLPrinter2.jar zip-out/AndroidManifest.xml > AndroidManifest.xml
    # convert Dalvik bytecode to a Java jar; creates "${1%.apk}-dex2jar.jar"
    /opt/dex2jar-0.0.9.15/d2j-dex2jar.sh "$1"
    # decompile the jar to Java source
    mkdir cfr-extracted && /opt/cfr/cfr.sh "${1%.apk}-dex2jar.jar" --outputdir java-out
    # disassemble the dex to smali
    java -jar /opt/smali/baksmali-2.0.6.jar -o smali-out zip-out/classes.dex

  14. apktool

  16. apktool
    $ apktool d target.apk
    I: Using Apktool 2.0.0-RC4 on target.apk
    I: Loading resource table...
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: /[…]/apktool/framework/1.apk
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Baksmaling classes.dex...
    I: Copying assets and libs...
    I: Copying unknown files...
    I: Copying original files...
    https://ibotpeaches.github.io/Apktool/


  17. apktool
    “How was that done?”


  19. apktool
    “Why is this crashing?” / “I wish I could debug this!”
    Rebuild for debug:
    $ apktool d -d -o SomeApp SomeApp.apk
    ...
    $ apktool b -d SomeApp
    ...
    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore release-key.keystore SomeApp.apk release_key_alias_name
    … install, run, and a debugger can be attached.
    (use smali dir as source dir on a new project)

  20. androguard


  22. androguard
    • Python-based, collection of useful tools
    • Modular, pluggable and embeddable
    • Interactive, ipython shell (androlyze.py)
    • Includes DAD Dalvik decompiler
    • Site != active, but project is!
    https://github.com/androguard/androguard


  23. androguard
    $ python androlyze.py -s
    Androlyze version 3.0

    In [1]: a, d, dx = AnalyzeAPK("/Users/jon/Desktop/target.apk")
    In [2]: a, d, dx
    Out [2]: (, , )

    In [3]: a.get_main_activity()
    Out [3]: u'com.example.app.ui.MainHomeActivity'

    In [4]: d.CLASS_Lcom_example_app_ui_MainHomeActivity.source()
    more at https://code.google.com/p/androguard/wiki/RE
    https://github.com/androguard/androguard

  24. androguard
    “Why does it need that permission?”
    In [5]: show_Permissions?
    Signature: show_Permissions(dx)
    Docstring:
    Show where permissions are used in a specific application
    :param dx : the analysis virtual machine
    :type dx: a :class:`VMAnalysis` object
    File: /opt/androguard-2.0/androguard/core/analysis/analysis.py
    Type: function

    In [6]: show_Permissions(dx)
    android.permission.READ_CONTACTS :
    R ['Landroid/provider/ContactsContract;', 'AUTHORITY_URI', 'Landroid/net/Uri;'] (0x0) ---> Lcom/android/ex/chips/BaseRecipientAdapter$DirectoryListQuery;->()V
    R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x118) ---> Lcom/android/ex/chips/Queries;->()V
    R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x88) ---> Lcom/android/ex/chips/Queries;->()V
    R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_URI', 'Landroid/net/Uri;'] (0x11c) ---> Lcom/android/ex/chips/Queries;->()V
    R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_URI', 'Landroid/net/Uri;'] (0x8c) ---> Lcom/android/ex/chips/Queries;->()V

  25. other tools


  26. ClassyShark
    https://github.com/google/android-classyshark
    • GUI and CLI
    • Easy to browse, check basics
    • Dex method counts, package structure, size
    • Opens .dex, .aar, .so, .apk, .jar, .class, etc…


  27. radare2
    • Scriptable hex editor evolved into reverse engineering framework
    • Supports multiple architectures
    • Open source
    • Portable - on device as well as PC (on Play Store)
    http://www.radare.org/r/

  28. Other Play Store Apps
    • JaDX - old, super ugly, but still…
    • “Show Java” - can use above, or CFR
    • Dexplorer - simple asset browsing, class structure


  29. Santoku
    • Bootable Lubuntu-based Linux environment
    • Tools pre-installed and set up
    • Tool list a good starting point
    https://santoku-linux.com/features/


  30. also…


  31. IDA Pro
    • “The Interactive Disassembler”
    • Incredibly full-featured disassembler + debugger with long history for other architectures.
    • Supports Dalvik since 6.1
    • Commercial, not cheap!
    https://www.hex-rays.com/products/ida/

  32. CodeInspect
    • “Jimple”, not “Jasmin”
    • “Soot” static analysis framework
    • Debug app, run-time analysis
    • Navigate + rename fields, methods
    • Based on Eclipse RCP :/
    http://sseblog.ec-spride.de/2014/12/codeinspect/


  33. JEB / JEB2
    • Dalvik -> Java source decompiler
    • Interactive decompilation - navigate, rename, etc.
    • Debuggers for Dalvik & native
    • Commercial, subscription
    https://www.pnfsoftware.com/


  34. Security
    “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.”
    - Eugene H. Spafford

  35. Security
    • What should be secret, and how important is it?
    • Important? Keep it out of the app!
    • Protection effort vs reversing ease
    • Obfuscation + minification at least?
    • dexguard ($), SQLCipher (free), more if needed
    • Reverse your own apps!
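
Added example, not from the talk: a Python script that acts on the last bullet, reversing your own build by scanning the readable entries of the APK (assets/ and res/raw/) for credential-looking name/value pairs and scoring each value's entropy so that placeholders are skipped. The sample APK is a constructed zip; the pattern list, thresholds and function names are my own, and strings compiled into resources.arsc are out of scope here (that is what aapt dump strings on slide 10 is for).

```python
import io
import math
import re
import zipfile

# name=value or "name": "value" pairs whose names suggest a credential (constructed list; extend it).
SECRET_KV = re.compile(r"(api[_-]?key|secret|password|token)[\"']?\s*[=:]\s*[\"']?([^\s\"'<,}]+)", re.I)
TEXT_EXT = (".xml", ".json", ".properties", ".txt", ".js")

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, words and placeholders low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def audit_strings(data: bytes, min_len: int = 12, min_entropy: float = 3.5) -> list:
    """Scan the readable entries of an APK zip for embedded secrets; returns one dict per finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") or not name.lower().endswith(TEXT_EXT):
                continue  # compiled resources live in resources.arsc, not in readable files
            text = zf.read(name).decode("utf-8", errors="ignore")
            for m in SECRET_KV.finditer(text):
                value = m.group(2)
                ent = round(shannon_entropy(value), 2)
                # Placeholders such as CHANGEME or aaaa... are short or low-entropy; real keys are neither.
                if len(value) >= min_len and ent >= min_entropy:
                    findings.append({"file": name, "name": m.group(1), "entropy": ent})
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample zip, not a real app: one real-looking key and two placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.properties", "api_key=Q7fK2mXp9LwZ3vR8tY1nB4cH6jD0\nmode=release\n")
        zf.writestr("res/raw/settings.json", '{"password": "CHANGEME", "token": "aaaaaaaaaaaaaaaa"}')
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()
```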


  36. Compromised Obfuscation
    • “keep”-ing things keeps their whole path
    • Group public things in totally different package structure to avoid this
    • LOOK at obfuscation results

  37. Further Info
    • Android Hacker’s Handbook (find it on Amazon)
    • CodeInspect: Dismantling Droids for Breakfast @ Droidcon Berlin 2015
    • O&D Android Reverse Engineering @ DEFCON23
    • Reversing with androguard

  38. Thanks!
    +JonReeve
    @themightyjon
    Slides: https://goo.gl/Cy96UO