
Android hacking for dummies: ‘if’ operator demolytion

Michael
September 09, 2016


Imagine a world where you can take any application, look into its code (even if it is not open source) and modify any conditional operator any way you like. Welcome, you are in the world of Android applications! Let's discover how anyone can decompile your app and, for example, hack your 'if' operators. To begin, we will play the role of a script kiddie and try to hack a simple app. After that, we will pretend to be security-conscious Android developers and think about how we can protect ourselves.


Transcript

  1. WARNING #1

    This presentation is for newbies in Android application hacking.
    *If you are a pro or just know enough, pretend that you are interested in the topic. Please.
  2. WARNING #2

    Stay on the light side of the force!
    *Reverse engineering can be illegal.
  3. Reverse engineering

    - extracting knowledge or design information from anything man-made
    - reproducing it based on the extracted information
  4. Reverse engineering aims

    Steal resources:
      • Assets
      • DB
    Analyze algorithms:
      • Algorithms
      • API details
    Repack:
      • Remove ads
      • Piracy
      • Add malware
  5. Types of reverse engineering analysis

    Observation of information exchange:
      • Logs
      • Memory
      • Storage
      • Network
    Disassembly:
      • get/view a program in raw machine language
    Decompilation:
      • get/view a program in high-level language
  6. Overview (Android build process)

    source .java files --javac--> .class files --dx--> .dex file
    resources --aapt--> compiled resources
    .dex file + resources + .so (native libs) --apkbuilder--> APK --jarsigner--> signed APK --zipalign--> aligned APK
  7. APK structure

    - Resources in binary form
    - Executables in DEX form
    - Manifest in binary form
    - String resources in binary form
  8. .class VS .dex

    .class:
      - stack VM
      - a single file per Java class
    .dex:
      - register VM
      - all Java classes in a single file
      - better compression (because of the single file)
  9. Analysis tools

    apktool:
      • smali/baksmali
      • resources unpacker
      • manifest unpacker
      • "Unpack" - "Modify" - "Pack" scenario
    dex2jar:
      • transforms .dex back to a set of .class files
    Decompilers:
      • transform .class files back to Java code
  10. smali/baksmali

    - smali/baksmali = assembler/disassembler (in Icelandic)
    - syntax is loosely based on Jasmin's/dedexer's syntax
    - supports the full functionality of the dex format
  11-12. Smali format overview

    java:
      public static int sum(final int a, final int b) {
          return a + b;
      }

    smali:
      .method public static sum(II)I
          .locals 1                 # local registers count
          .param p0, "a"    # I     # method params
          .param p1, "b"    # I
          .prologue
          .line 8                   # line num for debugger
          add-int v0, p0, p1        # main operation
          return v0
      .end method
  13. Basic modification process

    Get APK
    > apktool d app.apk -o app
    Make modifications
    > apktool b app -o reapp.apk
    Sign & Install
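The "Make modifications" step is where the 'if' operator gets demolished. The script below is an added example, not code from the deck: it rewrites the conditional branches of one method in a baksmali-produced .smali file, either inverting the opcode (so the wrong password passes and the right one fails) or dropping the branch so execution always falls through into the success path. The checkPassword method and the smali text are constructed for this demo; only the class/field name Lorg/lampapos/crackmeapp/MainActivity;->P comes from the slides.

```python
# Added example (not from the original deck): patch a conditional branch in a
# smali method between `apktool d` and `apktool b`. The checkPassword method and
# the smali text below are constructed for this demo; only the class/field name
# Lorg/lampapos/crackmeapp/MainActivity;->P comes from the slides.
import re

# Dalvik conditional branches paired with their logical opposites.
OPPOSITE = {
    "if-eq": "if-ne", "if-ne": "if-eq",
    "if-lt": "if-ge", "if-ge": "if-lt",
    "if-gt": "if-le", "if-le": "if-gt",
    "if-eqz": "if-nez", "if-nez": "if-eqz",
    "if-ltz": "if-gez", "if-gez": "if-ltz",
    "if-gtz": "if-lez", "if-lez": "if-gtz",
}

# "<indent><opcode> <registers>, :<label>" as baksmali prints it.
BRANCH_RE = re.compile(r"^(\s*)(if-(?:eq|ne|lt|ge|gt|le)z?)(\s+[^:]*:\w+)\s*$")

# Constructed smali: a password check that jumps to :cond_fail when
# String.equals() returned false (v0 == 0).
SAMPLE = """\
.method private checkPassword(Ljava/lang/String;)Z
    .locals 1
    .param p1, "input"    # Ljava/lang/String;

    .prologue
    sget-object v0, Lorg/lampapos/crackmeapp/MainActivity;->P:Ljava/lang/String;
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v0

    if-eqz v0, :cond_fail

    const/4 v0, 0x1

    return v0

    :cond_fail
    const/4 v0, 0x0

    return v0
.end method
"""


def patch_method(smali: str, method: str, mode: str = "invert") -> "tuple[str, int]":
    """Rewrite every conditional branch inside `method`.

    mode="invert": swap the opcode for its opposite (wrong password now passes).
    mode="drop":   delete the branch so execution always falls through into the
                   success path; the label stays, so the file still assembles.
    Returns the patched text and the number of branches touched.
    """
    header = re.compile(r"^\s*\.method\b.*\s" + re.escape(method) + r"\(")
    out, inside, patched = [], False, 0
    for line in smali.splitlines():
        if header.match(line):
            inside = True
        elif inside and line.strip() == ".end method":
            inside = False
        if inside:
            m = BRANCH_RE.match(line)
            if m:
                patched += 1
                indent, opcode, operands = m.groups()
                if mode == "invert":
                    line = f"{indent}{OPPOSITE[opcode]}{operands}"
                elif mode == "drop":
                    continue
                else:
                    raise ValueError(f"unknown mode: {mode}")
        out.append(line)
    # .locals and labels are untouched, so no register or layout fix-up is needed.
    return "\n".join(out) + "\n", patched


if __name__ == "__main__":
    patched, n = patch_method(SAMPLE, "checkPassword", "invert")
    print(f"{n} branch(es) inverted:\n{patched}")
```

Run it over the .smali file under the directory `apktool d` produced, then `apktool b` as on the slide. The "Sign & Install" step is the catch for the attacker: the rebuilt APK has to be signed with the attacker's own key, so its signature no longer matches the original developer's, which is exactly what signature checks in the app, or in a store, can detect.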
  14. Obfuscation

    * Java compiler leaves names in bytecode
    Obfuscator:
      ◦ renames
      ◦ shrinks unused code/res
      ◦ encodes names
      ◦ adds junk-code
      ◦ etc
  15. Code shrinking and name encoding

    before:
      +org
       |-+lampapos
          |-+crackmeapp
             |-BuildConfig.smali
             |-MainActivity$1.smali
             |-MainActivity.smali
             |-MainActivity_ViewBinder.smali
             |-MainActivity_ViewBinding.smali
             |-R$anim.smali
             |-R$attr.smali
             |-R$bool.smali
             |-R$color.smali
             |-R$dimen.smali
             |-R$drawable.smali
             |-R$id.smali
             |-R$integer.smali
             |-R$layout.smali
             |-R$mipmap.smali
             |-R$string.smali
             |-R$style.smali
             |-R$styleable.smali
             |-R.smali

    after:
      +a
       |-+a
          |-+a
             |-a.smali
             |-b$1.smali
             |-b.smali
             |-b_a.smali
  16. String encryption - java representation

    unencrypted:
      public static final String P = "123";

    encrypted:
      byte[] P = new byte[] {5, 6, 7};
      byte KEY = 52;

      // decoded at runtime: XOR each stored byte with the key
      byte[] realPassBytes = new byte[P.length];
      for (int i = 0; i < P.length; i++) {
          realPassBytes[i] = (byte) (P[i] ^ KEY);
      }
      String pass = new String(realPassBytes); // "123"
  17. String encryption - smali representation

    unencrypted:
      .field public static final P:Ljava/lang/String; = "123"

    encrypted (the static initializer fills the byte array):
      const/4 v0, 0x3
      new-array v0, v0, [B
      fill-array-data v0, :array_0
      sput-object v0, Lorg/lampapos/crackmeapp/MainActivity;->P:[B
      return-void
      nop
      :array_0
      .array-data 1
          0x5t
          0x6t
          0x7t
      .end array-data
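The encrypted form hides the literal "123" from a string search, but the bytes and the decode loop are both in the .dex. The script below is an added example, not code from the deck: it pulls the byte array out of the `.array-data` block shown on the slide (reproduced here as constructed input), applies the key from the Java slide, and then shows what an attacker does without the key, trying all 256 single-byte XOR keys and keeping the printable results.

```python
# Added example (not from the original deck): recover an XOR-"encrypted" string
# straight from the smali on the slide. The smali text is the slide's static
# initializer fragment, reproduced here as constructed input; the key (52) comes
# from the Java version on the previous slide.
import re
import string

SMALI = """\
    const/4 v0, 0x3
    new-array v0, v0, [B
    fill-array-data v0, :array_0
    sput-object v0, Lorg/lampapos/crackmeapp/MainActivity;->P:[B
    return-void
    nop
    :array_0
    .array-data 1
        0x5t
        0x6t
        0x7t
    .end array-data
"""

ARRAY_RE = re.compile(r"\.array-data\s+(\d+)\s*\n(.*?)\.end array-data", re.S)


def extract_array_data(smali: str) -> bytes:
    """Return the bytes of the first `.array-data` block (element width 1 only)."""
    m = ARRAY_RE.search(smali)
    if not m:
        raise ValueError("no .array-data block found")
    width, body = int(m.group(1)), m.group(2)
    if width != 1:
        raise ValueError(f"only byte arrays handled, got width {width}")
    # baksmali prints byte literals as 0x5t, -0x1t, ...; mask to one byte.
    return bytes(int(tok.rstrip("tT"), 16) & 0xFF for tok in body.split())


def xor_decode(data: bytes, key: int) -> str:
    """Undo the loop from the Java slide: plaintext[i] = data[i] ^ KEY."""
    return bytes(b ^ key for b in data).decode("latin-1")


def brute_force(data: bytes) -> list:
    """Unknown key? A single-byte XOR has only 256 keys; keep the printable results.

    Longer or structured strings (URLs, JSON) leave far fewer survivors than the
    3-byte slide example, which is why this obfuscation only slows a hacker down.
    """
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    hits = []
    for key in range(256):
        text = xor_decode(data, key)
        if all(ch in printable for ch in text):
            hits.append((key, text))
    return hits


if __name__ == "__main__":
    data = extract_array_data(SMALI)
    print("array-data bytes:", list(data))
    print("with KEY = 52   :", xor_decode(data, 52))
    print("brute-force hits:", len(brute_force(data)))
```

The key itself is just another constant in the decode method, so in practice the attacker reads it from the smali rather than guessing; the brute force is there to show that even hiding the key would not change the outcome.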
  18. Native code

    Want to hide an algorithm? Move it to a native (C/C++) part
    * but remember that there are disassemblers for native code binaries
    ** it can be reused even without decompilation
  19. Packers

    Original APK:
      - DEX file
      - Resources
        |
      Packer
        v
    Wrapper APK:
      - Wrapper DEX file
      - Native lib
      - Mangled/encoded DEX
      - Resources
  20. Summary

    • Smartphone is not a "trusted environment"
    • "Security through obscurity" doesn't stop a hacker, it only slows one down
    • Everything can be hacked, it's a question of cost and time
  21. Sources

    • Android hacker protection level 0 (video)
    • Understanding the Dalvik bytecode with the Dedexer tool
    • Code protection in Android
    • Hacking APK for fun and for profit
    • Reverse engineering android apps
    • Android reverse engineering 101
    • Understanding the Android build process
    • Stack based vs Register based VM Architecture, and the Dalvik VM