Embed Size (px)
DESCRIPTION
http://www.dexlabs.org/spring7_14_slides_schulz.pdf
Citation preview
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Android - Bytecode Obfuscationbringing x86 fuckups to dalvik
Patrick Schulz
06.07.2012
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Overview
1 Introduction
2 Reverse Engineering Tools
3 Obfuscation techniques
4 Conclusion
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Introduction
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Android
Operating System for mobile devicesattractive research fieldApplications (dalvik/native/resources)
Reverse engineeringWe want to analyse Android applications.
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Application RuntimeDalvik Virtual Machine
Native Execution
APK file
Dalvik Interpreter
Application Frameworkdex file
- dalvik bytecode- Application Framework calls- native calls
- Package Manager- Notification Manager- Resource Manager…
custom.so custom2.so
native code native code
custom2.socustom2.solibdvm.so
native code
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Dalvik bytecode
instructions of various sizewords-aligned (16-bit code unit)move, return, const, goto, if, invoke, binop, unopnew-instance, fill-array, switch
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Reverse Engineering Tools
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Reverse Engineering Tools
Disassemblerdexdump: c/cpp, Android SDK, meta information, stdoutbaksmali: java, assembler, jasmin syntax, file outputDedexer: java, jasmin syntax, file outputAndroguard: python/cpp, cliIDA Pro: closed source, gui, plugins
Decompilerjad: java decompiler, uses dex2jarjd-gui: java decompiler, uses dex2jarded: dalvik decompiler
easy to confuse and break ;)
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Obfuscation techniques
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Obfuscation techniques
String obfuscationIdentifier manglingDynamic code loadingJunkbyte insertionSelf modifying code
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Build process
.java Files.java Files .class Files.class Files
.dex File.dex File.apk File.apk File
Java CompilerJava Compiler
dxdx
ApkBuilderApkBuilder
jarsignerjarsigner
obfuscator
obfuscator
ResourcesResources .so Files.so Files
1
2
3
4
a
b
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Dalvik Design
Android Applications are... written in Java... highlevel bytecode... clear defined bytecode... strict model assumptions (verifier)
So should be easy to analyze ...
mostly ;)
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Dalvik Design
Android Applications are... written in Java... highlevel bytecode... clear defined bytecode... strict model assumptions (verifier)
So should be easy to analyze ... mostly ;)
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
my fault
adb install test.apk309 KB/s (13010 bytes in 0.041s)pkg: /data/local/tmp/test.apkFailure [INSTALL_FAILED_DEXOPT]
checksum?wrong method size?wrong "goto" destination?unsorted string listunknown opcode?
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Junk Byte
dexdump:0003ac : |[0003ac] com.junkbyte.JunkByteActivity.calc: ( ) I0003bc : 1250 |0000: const /4 v0 , # i n t 5 // #50003be : 3c00 0400 |0001: i f−gtz v0 , 0005 // +00040003c2 : 0001 0000 d800 0001 |0003: packed−switch−data (4 u n i t s )0003ca : 0 f00 |0007: r e t u r n v0
androguard:0 0x0 const /4 v0 , [ #+ 5 ] // {5}1 0x2 i f−gtz v0 , [ + 4 ]2 0x6 nop3 0x8 nop4 0xa add−int / l i t 8 v0 , v0 , [ #+ 1 ]5 0xe r e t u r n v0
dex2jar + jd-gui
if (5 <= 0);return 5;
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Junk Byte
dexdump:0003ac : |[0003ac] com.junkbyte.JunkByteActivity.calc: ( ) I0003bc : 1250 |0000: const /4 v0 , # i n t 5 // #50003be : 3c00 0400 |0001: i f−gtz v0 , 0005 // +00040003c2 : 1800 0000 d800 0001 0f00 |0003: const−wide v0 , #double 0.000000 // #000f010000d80000
androguard:0 0x0 const /4 v0 , [ #+ 5 ] // {5}1 0x2 i f−gtz v0 , [ + 4 ]2 0x6 const−wide v0 , [ #+ 0 ] , [ #+ 216 ] , [ #+ 256 ] , [ #+ 15 ] // {2.08654998027e-308}
dex2jar + jd-gui
if (5 <= 0);
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
new instance
new-instance vAA, type@BBBB
what if class index does not exist?
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
new instance
dexdumpsegmentation fault (core dumped) dexdump -d test.dex
baksmaliUNEXPECTED TOP-LEVEL EXCEPTION:
androguardIndexError: list index out of range
dexdexerjava.lang.ArrayIndexOutOfBoundsException: 16896
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Verifier
It’s not installable on Android Devices due to verifier rejectssuch APKs.
not a security feature, but optimization
so, let’s mark it as optimized ;)
Ups, verifier bug -> device won’t boot
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Verifier
It’s not installable on Android Devices due to verifier rejectssuch APKs.
not a security feature, but optimization
so, let’s mark it as optimized ;)
Ups, verifier bug -> device won’t boot
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Crypto Loader
DexFile Class enables reflectionoperates on filesgenerates and stores optimized dex filescool functions are private :(
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Crypto Loader
Dalvik bytecode Android library
within the DVM
native execution
Shared object libdvm.soprivate static int openDexFile(byte[] fileContents)
private static int openDexFile(String sourceName, String outputName, int flags)
public static int openDexFile(byte[] fileContents)
class DexFile { private static int openDexFile(byte[] fileContents)
public static int openDexFile(String sourceName, String outputName, int flags)}
X
process context
1a
2a1b
2b
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Conclusion
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Conclusion
bytecode constrains are nice, but the verifierimplementation has bugspacker/dropper can be implementeddisassemblers have still bugs
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
Introduction Reverse Engineering Tools Obfuscation techniques Conclusion
Questions?
Thank you for your attention.
email [email protected] @thuxnder
Patrick Schulz [email protected]
Android - Bytecode Obfuscation
