LinkedIn - Disassembling Dalvik Bytecode
- 2. Background
- 3. What is Android? Android is an operating system by Google that uses a Linux kernel and runs its applications on a VM, formerly known as Dalvik The programs that run on Android are packaged and distributed as APK files Inside each APK file, there is an executable DEX file which is what actually gets run when the program starts Android has the largest installed base of all operating systems of any kind
- 4. What is Dalvik? It’s a VM but it’s not the Java VM Register-based VM made more efficient when running on battery-powered, relatively low CPU/RAM smartphones You write Java source that compiles to Java bytecode which then gets translated to Dalvik bytecode Successor is Android Runtime (ART), introduced in KitKat (4.4+), completely replaced Dalvik in Lollipop (5.0+), which compiles-on-install rather than JIT
- 5. What is an APK? Android Package This is what you download and install from the Google Play store It’s really just a zip file containing an app Holds the app’s assets and Dalvik bytecode (in .dex or .odex format)
- 6. What is bytecode? Not machine code DEX = Dalvik Executable Intermediate found in Java .class files and Dalvik .dex files Translated between .dex and .class using the dx tool Machine code is only created at runtime by the Just-In-Time (JIT) compiler
- 7. What is JIT compilation? Mix between traditional ahead-of-time compiling and interpreting Machine code is generated during runtime Combines the speed of compiled code with the flexibility of interpretation At the cost of overhead of an interpreter + the additional overhead of compiling Allows for adaptive optimization such as dynamic recompilation Think re.compile() from Python
- 8. What is the Android NDK? Android Native Development Kit A set of tools that allow you to leverage C and C++ code in your Android apps Uses the Java Native Interface (JNI) to expose Java calls to underlying system Used by Cocos2d-x, game development tools written in C++ Cocos is compiled as a shared library and shipped inside the APK
- 9. Hacking at the Surface Level
- 10. Use a Macro to “Bot” the Game Was the goal of my last talk Use macros or scripts to automate some repeatable circuit to gain in-game currencies all day every day Prone to errors Slow, human level gain Too Bad It’s Not Really That Cool
- 11. Hacking at the REST Level
- 12. Wireshark Sniff the traffic to and from an Android emulator Make a malicious imposter client Replay the get/put/posts using curl or python Fail: Google Play Services uses OAuth 2.0 Sends ephemeral Base64-URL-encoded token
- 14. Hacking at the APK/DEX level
- 15. Get the APK Find on Google Play and use that URL at an APK Downloader website or Enable USB Debugging, install Android SDK, connect your smartphone and: adb shell pm list packages | grep khux adb shell pm path com.square_enix.android_googleplay.khuxww adb pull /data/app/com.square_enix.android_googleplay.khuxww-1/base.apk
- 16. DEX Bytecode Disassembling (Baksmaling) Two ways, recommend doing both: Directly: Convert to bytecode to a readable format (Baksmali, Jasmine, etc.) apktool d -f “khux.apk” -o smali Indirectly: Convert to Java first, then use Java’s decompiling tools dex2jar -> Java Decompiler (JD-Core, JD-GUI, etc.)
- 17. Smali Dalvik Bytecode Representation
- 18. Apply Changes Change variables, convert to hex first! const/16 v0, 9bff Output variables to the Android log const-string v0, "grep_for_this_breh:" invoke-static {v0, p1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
- 19. APK Reassembling apktool b -f smali/ -o khux_rekt.apk jarsigner (Android SDK) - sign the apk with your own keystore or.. https://github.com/appium/sign java -jar sign.jar modded.apk zipalign (Android SDK) - (optional) ensures that all uncompressed data starts with a particular alignment relative to the start of the file, reducing app’s RAM footprint zipalign 4 modded.s.apk aligned.apk
- 20. Reinstall the APK Uninstall the original APK if it’s still on the device Install the modded APK adb install aligned.apk Disable or uninstall Facebook if you’re having problems with Facebook login Watch the logs adb logcat | grep grep_for_this_breh
- 21. Hacking at the Shared Object Level
- 22. Shared Object Analysis libcocos2dcpp.so was the only meaningful difference When diff tells you “Binary files differ”, you can convert to hex and try again. xxd hacked.so > hacked.hex vimdiff hacked.hex unhacked.hex You can also try a byte-for-byte comparison cmp -l file1.so file2.so This prints out the line number of the changes and their differences in octal
- 24. Machine Code Disassembly Get the Android NDK Find the right objdump for your architecture For Android smartphones, it’s usually ARM little endian, arm-linux-androideabi /path/to/arch/objdump -d haxt.so > haxt.asm You can also use Hex-Keys IDA Pro (Interactive Disassembler) for multiarch disassembly
- 26. Machine Code Decompilation Bring the .so all the way back up to the C level (Hex-Rays Decompiler) Vs. disassembling, it’s more readable but it can be inaccurate and it takes much longer.
- 27. The End