dancing with dalvik

1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.

THOMAS RICHARDS

Dancing with Dalvik


About me

• Thomas Richards• Security Consultant @ Cigital, Inc• @g13net - Twitter• OSCP, GPEN, OSWP• Developer

o Goofile and Pwnberry Pi

• Organizer for BsidesROC• Presented before at GrrCON and DerbyCON• Really enjoy tearing apart Android


Toc

• 0x1 – Intro to Dalvik

• 0x2 – Dalvik Opcode Primer

• 0x3 – Case Studies


0x01 Intro to Dalvik


What is Dalvik?

• A town in Iceland• A lightweight register-based VM• Optimized for embedded/mobile

platformso Low RAM/CPU


Dalvik optimizations

• Duplicate code is reused within DEX• 16-bit instruction set that works directly

on local variableso Lowers instruction count and increased

interpreter speed

• Slimmed down VM to run in less space


Stack vs register based

• Java JVM is Stack Basedo real or emulated computer that uses a pushdown stack rather

than individual machine registers to evaluate each sub-expression in the program

• Register Basedo Dalvik uses registers as primarily units of data storage instead

of the stack. Google is hoping to accomplish 30 percent fewer instructions as a result.

• http://stackoverflow.com/questions/2719469/why-is-the-jvm-stack-based-and-the-dalvik-vm-register-based

• http://en.wikipedia.org/wiki/Stack_machine

http://stackoverflow.com/questions/2719469/why-is-the-jvm-stack-based-and-the-dalvik-vm-register-based



http://en.wikipedia.org/wiki/Stack_machine

http://en.wikipedia.org/wiki/Stack_machine


Register Vs. Stack Cont.


Getting to dalvik

• Android apps are traditionally written in Java

• Compiled into Java bytecode then converted to Dalvik bytecode

• Java class files converted into .dex


Java vs Dalvik


Inside the APK

• AndroidManifest.xml• Classes.dex• Res/• Lib/• META-INF/


Disassembling classes.dex

• Typical toolso Apktoolo Baksmali

• The result is several .smali files


Apktool decoding

me@Mentos ~/android/ghost $ apktool d ghost-meter.apk I: Baksmaling...I: Loading resource table...I: Loaded.I: Decoding AndroidManifest.xml with resources...I: Loading resource table from file: /home/me/apktool/framework/1.apkI: Loaded.I: Regular manifest package...I: Decoding file-resources...I: Decoding values */* XMLs...I: Done.I: Copying assets and libs...


Directories Created


Files created

me@Mentos ~/android/ghost $ ls ghost-meter/smali/a.smali c$a.smali c$c.smali c$e.smali c.smali e.smali g.smali i.smali k.smali m.smali o.smali q.smali s.smali u.smali w.smalib.smali c$b.smali c$d.smali com d.smali f.smali h.smali j.smali l.smali n.smali p.smali r.smali t.smali v.smali x.smalime@Mentos ~/android/ghost $


Apktool building

me@Mentos ~/android/ghost $ apktool b ghost-meter/ ghost.apkI: Checking whether sources has changed...I: Smaling...I: Checking whether resources has changed...I: Building resources...I: Building apk file...me@Mentos ~/android/ghost $ • After building you must use jarsigner to sign the APK

before it can be installed!


Signing the APK

• Creating the certo keytool -genkey -v -keystore my-release-

key.keystore -alias alias_name -keyalg RSA -validity 10000

• Signing the APKo jarsigner -verbose -keystore my-release-

key.keystore GhostMeter.apk alias_name


Cydia Substrate

• Originally on iOS, recently released on Android.

• Tool for hooking methods within an application or the system.

• Modify runtime behavior of Android Application without recompiling code


0x2 Dalvik Opcode Primer


Smali files

• Disassembled DEX files• Not as scary as x86 ASM• ASCII representation of Dalvik Opcodes• Mostly correspond to the original .java

files


Types

V void - can only be used for return types Z boolean B byte S short C char I int J long (64 bits) F float D double (64 bits)


Helloworld example

.class public LHelloWorld;#this is a comment.super Ljava/lang/Object;

.method public static main([Ljava/lang/String;)V

.registers 2

sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;

const-string v1, "Hello World!"

invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

return-void.end method

http://code.google.com/p/smali/source/browse/examples/HelloWorld/HelloWorld.smali


Variables

• Registerso v0, v1, etc.o Variables defined in the original java code

• Parameterso p0, p1, etcoMust be the same as defined by the method

• Both are defined at the beginning of the method


Example



.registers 2






Assigning variables

• const• const-string• Etc,

• Exampleso const v0, 0x1o const-string v1, “This is a test”


Example



.registers 2






Calling methods

• invoke-* { parameters }, method-to-callo Static – static methodo Virtual – virtual method


Example



.registers 2






Conditional statements

• If-* - If statementso If-eq vx, vy, target – If equalo If-nez vx, target – If vx is a nonzeroo If-eqz vx, target – If vx is zeroo If-ge vx, vy, target – if vx>=vyo Etc

• Targetso Shown as cond_0, cond_1


example

invoke-virtual {v0}, Ljava/lang/Class;->desiredAssertionStatus()Z

move-result v0

if-nez v0, :cond_0

.line 100 :cond_0 const/4 v0, 0x0

goto/16 :goto_0


Get/put

• Apps could declare constants.• Get/Put will retrieve or store values into

those constants• Examples:

o iput v0, v1, Lcom/greencod/pinball/gameengine/zones/Table0Zone;->ZORDER_TABLE:I

o iget v0, v0, Lcom/greencod/pinball/gameengine/xinterface/persistence/Settings;->friction:F


Return

• Unless the method is declared as a void, it will return a value.

• Return types:oReturn-voidoReturn-objectoReturn v0


0x3 case studies


Removing ads

• Ads are annoying• Take up screen realestate• My 4 yr old mistakenly clicks them

o “Look daddy!”


solitare

• Ad function is called inbetween deals• Ads are annoying

oMusico Video

• Disable calling the ads?


Short video showing ad calling


The code

• After an exhaustive search in com/mobilityware/solitare/solitare.smali:

.method public displayAd()V .locals 1

.prologue .line 572 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;->adControl:Lcom/mobilityware/solitaire/AdControl;

if-eqz v0, :cond_0

.line 573 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;->adControl:Lcom/mobilityware/solitaire/AdControl;

invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

.line 574 :cond_0 return-void.end method


The code

• After an exhaustive search in com/mobilityware/solitare/solitare.smali:

.method public displayAd()V .locals 1

.prologue .line 572 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;->adControl:Lcom/mobilityware/solitaire/AdControl;

if-eqz v0, :cond_0

.line 573 iget-object v0, p0, Lcom/mobilityware/solitaire/Solitaire;->adControl:Lcom/mobilityware/solitaire/AdControl;

#invoke-virtual {v0}, Lcom/mobilityware/solitaire/AdControl;->displayAd()Z

.line 574 :cond_0 return-void.end method


After the change is made

• Recompile the code and use apktool to create a new APKo You will have to sign this with your own cert

• After the APK is created:oRemove old Solitare APKo Install new hax0rd one


Short video showing no more ad


chess

• Most apps display the ads at all times• When the network is disabled, the ads

don’t show• Can we force this behavior?


Screenshot of chess with ads


Google ads

• Most apps rely on Google’s ad provider network• Good for us!

o Code to break this should be the same for many apps

• How to make it look like there is no network connectivity?

• Log Entry when Network is disabledo adRequestWebView was null while trying to load an ad


The original code

• From com/google/ads/c.smali::try_start_0iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView; if-eqz v0, :cond_0

iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;

if-nez v0, :cond_1

:cond_0const-string v0, "adRequestWebView was null while trying to load an ad."

invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V

sget-object v0, Lcom/google/ads/AdRequest$ErrorCode;->INTERNAL_ERROR:Lcom/google/ads/AdRequest$ErrorCode


The modified code

• From com/google/ads/c.smali::try_start_0iget-object v0, p0, Lcom/google/ads/c;->f:Landroid/webkit/WebView;

const v0, 0x0

if-eqz v0, :cond_0

iget-object v0, p0, Lcom/google/ads/c;->c:Lcom/google/ads/b;

if-nez v0, :cond_1

:cond_0const-string v0, "adRequestWebView was null while trying to load an ad."

invoke-static {v0}, Lcom/google/ads/util/a;->e(Ljava/lang/String;)V


Screenshot showing no ads


Removing Ads with Cydia

• Write once, use everywhere• Using reflection, hook a method • Stop ads from loading


Google Mobile Ads

• Again, very common to see used.• Plan:

oHook loadDataWithBaseUrl methodoRender it useless


Cydia Code

MS.hookClassLoad("com.google.ads.internal.AdWebView", new MS.ClassLoadHook() {

public void classLoaded(Class<?> resources) {

Method loadAd;

try {

loadAd = resources.getMethod("loadDataWithBaseURL", String.class, String.class, String.class, String.class, String.class);

} catch (NoSuchMethodException d) {

loadAd = null;

}

if (loadAd != null) {

final MS.MethodPointer old = new MS.MethodPointer();

MS.hookMethod(resources, loadAd, new MS.MethodHook() {

public Object invoked(Object _this, Object... args) throws Throwable {

return null;

}

}, old);


Screenshot of App with Ads


Screenshot after Cydia App Installed


Pinball wizard

• How about getting a high score?• Values are most likely in the source• Totally impress your friends with l33t

pinball skillz


Picture of game after normal score


The code

.local v12, scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour; const/16 v1, 0x2c7

const/16 v3, 0x5aa

invoke-virtual {v12, v1, v3}, Lcom/greencod/gameengine/behaviours/ScorerBehaviour;->addScoreMessage(II)V

.line 508 const/16 v1, 0x204

const/16 v3, 0x10fe



Altered code

.local v12, scorer:Lcom/greencod/gameengine/behaviours/ScorerBehaviour; const/16 v1, 0x2c7

const/16 v3, 0xfff


.line 508 const/16 v1, 0x204

const/16 v3, 0xffff



Picture of new high score


Leaderboard


What now?

• Explore!• Bypass restrictions?

o Very useful in mobile app assessment


References

• http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

• http://code.google.com/p/android-apktool/

• http://code.google.com/p/smali/source/browse/examples/HelloWorld/HelloWorld.smali

• http://www.cydiasubstrate.com/inject/dalvik/

http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html



http://code.google.com/p/android-apktool/

http://code.google.com/p/android-apktool/




http://www.cydiasubstrate.com/inject/dalvik/




QUESTIONS?

dancing with dalvik

Technology

loading resource

cigital confidential

class public

lcomgoogleadsadrequesterrorcode

virtualv12

virtual v0

high score

exhaustive