-
Notifications
You must be signed in to change notification settings - Fork 2
/
reverse_engineering.html
executable file
·277 lines (266 loc) · 17.4 KB
/
reverse_engineering.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml"
xmlns:fb="http://ogp.me/ns/fb#">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Reverse Engineering | Watch Dogs | Security Analysis of Android Applications</title>
<meta name="description" content="Team Watch Dogs | Security Analysis of Android Applications">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="Team Watch Dogs | CS416[2020]">
<link rel="image_src" href="https://i.redd.it/p8vw8ggae1751.jpg">
<link rel="shortcut icon" type="image/x-icon" href="assets/img/favicon.png">
<link rel="stylesheet" href="assets/css/bootstrap.min.css">
<link rel="stylesheet" href="assets/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="assets/css/highlight.min.css">
<link rel="stylesheet" href="assets/css/style.css?v5">
</head>
<body class="body-bg" style="position: relative;" data-spy="scroll" data-target="#side_menu" data-offset=92>
<div class="preloader">
<pre class="canvas"></pre>
<div class="loading">
<span>L</span><span>O</span><span>A</span><span>D</span><span>I</span><span>N</span><span>G</span><span> </span>
</div>
</div>
<nav class="navbar navbar-expand-sm bg-dark navbar-dark sticky-top">
<a class="navbar-brand" href="./">Team Watch Dogs</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#collapsibleNavbar">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse justify-content-end" id="collapsibleNavbar">
<ul class="navbar-nav">
<li class="nav-item"><a class="nav-link" href="./index.html">Home</a></li>
<li class="nav-item"><a class="nav-link" href="./android_application_fundamentals.html">Android Fundamentals</a></li>
<li class="nav-item active"><a class="nav-link" href="./reverse_engineering.html">Reverse Engineering</a></li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="./security_analysis.html">
Security Analysis
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="./security_analysis.html#static-analysis">Static Analysis</a>
<a class="dropdown-item" href="./security_analysis.html#dynamic-analysis">Dynamic Analysis</a>
<a class="dropdown-item" href="./security_analysis.html#data-storage-analysis">Data Storage Analysis</a>
<a class="dropdown-item" href="./security_analysis.html#cryptography">Cryptography</a>
</div>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="./other_topics.html">
Other Topics
</a>
<div class="dropdown-menu" aria-labelledby="navbarDropdown">
<a class="dropdown-item" href="./other_topics.html#rooting-android-device">Rooting Android Device</a>
<a class="dropdown-item" href="./other_topics.html#android-malware">Android Malware</a>
<a class="dropdown-item" href="./other_topics.html#useful-tools">Useful Tools</a>
</div>
</li>
</ul>
</div>
</nav>
<main>
<div class="container-fluid pb-3">
<div class="row">
<div class="col-sm-4">
<div class="side-menu sticky_menu">
<div class="page-title">
Reverse Engineering
</div>
<div id="side">
<div id="side_menu">
<!--<div class="side-menu-header">-->
<!-- <h4 class="text-left">Tutorial</h4>-->
<!--</div>-->
<div class="side-menu-content">
<ul class="side_nav">
<li><a class="nav-link active" href="#intro">Introduction</a></li>
<li><a class="nav-link" href="#uses_rev_eng">Uses of Reverse Engineering</a></li>
<li><a class="nav-link" href="#get_apk">Get APK File of an application</a></li>
<li><a class="nav-link" href="#apk_tool">APKTool for Reverse Engineering</a></li>
<li><a class="nav-link" href="#tampering">Tampering Reverse Engineered Code</a></li>
<li><a class="nav-link" href="#recompiling">Recompiling Android APK</a></li>
</ul>
</div>
</div>
</div>
</div>
</div>
<div class="col-sm-8">
<div class="side-content">
<section class="section" id="intro">
<div class="title-img d-flex align-items-center justify-content-center">
<img src="assets/img/reverse_engineering/rev_eng_2.jpg" alt="Reverse Engineering" class="img-fluid">
</div>
<br>
<p>
Reverse engineering a mobile app is the process of analyzing the compiled app to extract information about its source code. The goal of reverse engineering is <i>to comprehend</i> the code.
<br>
Reverse engineering is the process of reconstructing the semantics of a compiled program's source code. In other words, you take the program apart, run it, simulate parts of it, and do other unspeakable things to it to understand what it does and how.
</p>
</section>
<section class="section" id="uses_rev_eng">
<h2 class="content-title">How can an attacker use reverse engineering?</h2>
<ol>
<li>
<b>To enable black-box testing of mobile apps.</b> - Modern apps often include controls that will hinder dynamic analysis. SSL pinning and end-to-end (E2E) encryption sometimes prevent you from intercepting or manipulating traffic with a proxy. Root detection could prevent the app from running on a rooted device, preventing you from using advanced testing tools. You must be able to deactivate these defenses.
</li>
<li>
<b>To enhance static analysis in black-box security testing</b> - In a black-box test, static analysis of the app bytecode or binary code helps you understand the internal logic of the app. It also allows you to identify flaws such as hard-coded credentials.
</li>
</ol>
</section>
<section class="section" id="get_apk">
<h2 class="content-title">How to get an APK File</h2>
<p>
For the analysis of android applications we need the apk file. In Google Play Store, there is no option to download an APK file. So the very obvious question arises, that is from where to get the apk file for android application?
</p>
<p>
If we are lucky, we can get the apk of the required application by simply googling myapp apk file. But we can never be sure that we will get the APK file for all the applications and more than that it is not safe to download and install APK files from untrusted websites.
</p>
<p>
Fortunately, we can use adb tool to extract APK from our android device.
</p>
For extracting APK from android device:
<ul>
<li>
<a href="https://www.xda-developers.com/install-adb-windows-macos-linux/">Download and install</a> ADB tool on your desktop.
</li>
<li>
Connect Android device to a laptop and start ADB CLI.
</li>
<li>
Determine the package name of the application using:
<pre><code class="console text-light bg-dark">adb shell pm list packages</code></pre>
</li>
<li>
Get the full pathname of the APK file for the desired package.
<pre><code class="console text-light bg-dark">adb shell pm path com.example.someapp</code></pre>
</li>
<li>
Using the full pathname from Step 2, pull the APK file from the Android device.
<pre><code class="console text-light bg-dark">adb pull /data/app/com.example.someapp-2.apk path/to/desired/destination</code></pre>
</li>
</ul>
</section>
<section class="section" id="apk_tool">
<h2 class="content-title">Using APKTool for reverse Engineering</h2>
<p>
<i>Apktool</i> is very simple to use, but also very powerful. It has two main functionalities: <b>decode</b> and <b>build</b>.
</p>
<p>
Decoding is for making APK data readable (and modifiable), while building is for transforming the decoded files into an APK file again. For this, <i>Apktool</i> makes use of <i><a href="https://github.com/JesusFreke/smali" target="_blank">smali</a></i>, a disassembler for DEX files. This turns the actual Dalvik bytecode into an intermediate representation (smali code) that can be modified. With <i>baksmali</i> you can reassemble smali code into DEX files, effectively allowing modifications to app code.
</p>
Disassembling an APK is pretty simple:
<pre><code class="console bg-dark text-light">apktool decode -o output_dir application.apk</code></pre>
Here is an example output of smali code of a MainActivity class, as generated by Apktool:
<pre><code class="smali bg-dark text-light">.class public Lcom/example/ui/MainActivity;
.super Lcom/example/ui/BaseActivity;
.source "Application"
# interfaces
.implements Lx/lz;
.implements Lx/ma;
.implements Lx/mo;
.implements Lx/mp;
# instance fields
.field private m:Ljava/util/HashMap;
.annotation system Ldalvik/annotation/Signature;
value = {
"Ljava/util/HashMap<",
"Ljava/lang/Integer;",
"Lorg/apache/cordova/CordovaPlugin;",
">;"
}
.end annotation
.end field</code></pre>
So, once <i>Apktool</i> has done its job, you get a file structure like this:
<pre><code class="console bg-dark text-light">output_dir/
├── AndroidManifest.xml
├── apktool.yml
├── assets
├── lib
├── original
├── res
├── smali
├── smali_classes2
└── unknown</code></pre>
</section>
<section class="section" id="tampering">
<h2 class="content-title">Tampering Reverse Engineered Code</h2>
<p>
<i>Tampering</i> is the process of changing a mobile app (either the compiled app or the running process) or its environment to affect its behavior. For example, an app might refuse to run on your rooted test device, making it impossible to run some of your tests. In such cases, you'll want to alter the app's behavior.
</p>
<h5 class="content-sub-title">Tampering Techniques</h5>
<ul class="spaced-ul">
<li>
<b>Binary Patching</b>
<br>
Patching is the process of changing the compiled app, e.g., changing code in binary executables, modifying Java bytecode, or tampering with resources. This process is known as modding in the mobile game hacking scene. Patches can be applied in many ways, including editing binary files in a hex editor and decompiling, editing, and re-assembling an app.
</li>
<li>
<b>Code Injection</b>
<br>
Code injection is a very powerful technique that allows you to explore and modify processes at runtime. Injection can be implemented in various ways, but you'll get by without knowing all the details thanks to freely available, well-documented tools that automate the process. These tools give you direct access to process memory and important structures such as live objects instantiated by the app. They come with many utility functions that are useful for resolving loaded libraries, hooking methods and native functions, and more. Process memory tampering is more difficult to detect than file patching, so it is the preferred method in most cases. Substrate, <span class="text-orange">Frida</span>, and <span class="text-orange">Xposed</span> are the most widely used hooking and code injection frameworks in the mobile industry.
</li>
</ul>
</section>
<section class="section" id="recompiling">
<h2 class="content-title">Recompiling Android APK</h2>
<p>
Modern mobile operating systems strictly enforce code signing, so running modified apps is not as straightforward as it used to be in desktop environments.
<br>
Fortunately, patching is not very difficult if you work on your own device. You simply have to re-sign the app or disable the default code signature verification facilities to run modified code.
</p>
For resigning the apk we need to use tools like APKTool, keytool and Jarsigner
<ul>
<li>
apktool — tool for reverse engineering Android apk files. In this case we are using to extract files from apk and rebuild.
</li>
<li>
keytool — Java tool for creating keys/certs, that comes with the JDK.
</li>
<li>
jarsigner Java tool for signing JAR/APK files, that comes with the JDK.
</li>
</ul>
Once we decompile the APK and made changes in the source code, to recompile(build) the apk
<br>
We can use,
<pre><code class="console bg-dark text-light">apktool b application</code></pre>
After recompiling (building) the apk the new apk will be generated in the Dist folder.
<pre><code class="console bg-dark text-light">Application -- Dist- application.apk</code></pre>
<p>
The APK must be signed before you run on your device.
</p>
Before signing an apk, create a key if you don’t have an existing one. If prompted for a password, create your own password.
<ul class="hash">
<li>
To generate a key
<pre><code class="console bg-dark text-light">keytool -genkey -v -keystore my-release-key.keystore -alias alias_name \
-keyalg RSA -keysize 2048 -validity 10000</code></pre>
</li>
<li>
Sign the apk
<br>
Now sign the APK with the key:
<pre><code class="console bg-dark text-light">jarsigner -verbose my-release-key.keystore my_application.apk alias_name</code></pre>
</li>
<li>
Verify apk
<pre><code class="console bg-dark text-light">jarsigner -verify -verbose -certs my_application.apk</code></pre>
</li>
</ul>
</section>
</div>
</div>
</div>
</div>
</main>
<footer>
<div class="text-center bg-dark text-light p-3 h6" style="margin-bottom:0; font-family: monospace">
<div>Developed by Team Watch Dogs [CS416 2021 | IIT Bombay]</div>
</div>
</footer>
<script src="./assets/js/vendor/jquery-3.5.1.min.js"></script>
<script src="./assets/js/bootstrap.min.js"></script>
<script src="./assets/js/highlight.min.js"></script>
<script src="./assets/js/main.js?v4"></script>
</body>
</html>