Android Reverse Engineering

Reverse Engineering in Android
Huỳnh Quang Thảo
Silicon Straits Saigon
Google Developer Expert on Android

Why we need reverse
engineering
- understand app behaviors.

Why we need reverse
engineering
- get some necessary data.

Why we need reverse
engineering
- understand protocol between client and server.

Why we need reverse
engineering
- understand protocol between client and server.
- modify its behaviors.

Decompile app using Dex2Jar
d2j-dex2jar sample.apk

Reverse engineering
using Android APK Tool

Reverse engineering
- Decompile directly to smali code.

Reverse engineering
- Encode resource Kiles.

Reverse engineering
- Encode resource Kiles.
- Recompile again to normal apk with updated code or resource.

Android bytecode
introduction

Android bytecode datatype
V Void
Z Boolean
B byte
S short
C char
I int
J long (64 bits)
F Kloat
D double (64 bits)

V Void
Z Boolean
B byte
S short
C char
I int
J long (64 bits)
F Kloat
D double (64 bits)
Lpackage1/package2/className;

V Void
Z Boolean
B byte
S short
C char
I int
J long (64 bits)
F Kloat
D double (64 bits)
package com.hqt.model;
class Person {
}

V Void
Z Boolean
B byte
S short
C char
I int
J long (64 bits)
F Kloat
D double (64 bits)
class Person {
}
Lcom/hqt/model/Person;

V Void
Z Boolean
B byte
S short
C char
I int
J long (64 bits)
F Kloat
D double (64 bits)
Lpackage1/package2/ className;
class Person {
}
Lcom/hqt/model/ Person;

Android bytecode method
action {param1, param2}, LpackageName/ClassName->
methodName(paramType1; paramType2)ReturnType

action {param1, param2}, LpackageName/ClassName->
Log.e(“hqthao”, “Hello World”)

action {param1, param2}, LpackageName/ClassName;->
const-string v1, "hqthao"

const-string v1, “hqthao”
const-string v2, “Hello World"

const-string v2, “Hello World”
invoke-static {v1, v2},

invoke-static {v1, v2}, Landroid/util/Log;

action {param1, param2}, LpackageName/ClassName; ->
invoke-static {v1, v2}, Landroid/util/Log; ->

invoke-static {v1, v2}, Landroid/util/Log;->
e(Ljava/lang/String;Ljava/lang/String;)I

methodName(paramType1 ; paramType2)ReturnType
e(Ljava/lang/String; Ljava/lang/String;)I

methodName(paramType1; paramType2 )ReturnType
Log.e(“hqthao”, “Hello World” )
e(Ljava/lang/String; Ljava/lang/String;)I

e(Ljava/lang/String;Ljava/lang/String;)I
public static int e(String tag, String msg) {}

invoke-static {v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

Static Function: com.utils.Utils.sum(long, int): long

const v1, 4 // assign (irst param v1 to 4

const v3, 5 // assign second param v2 to 5

invoke-static {v1, v3}, Lcom/utils/Utils;->sum(JI)I

invoke-static {v1, v3}, Lcom/utils/Utils;->sum(JI)I
invoke-static {v1, v2, v3}, Lcom/utils/Utils;->sum(JI)I

Method signature: methodName(paramType1, paramType2)

Method signature: methodName(paramType1, paramType2): paramType3

Method signature: methodName(paramType1, paramType2): paramType3
Landroid/util/Log;->e(Ljava/lang/String; L.java/lang/String):I
Landroid/util/Log;->e(Ljava/lang/String; L.java/lang/String):V

calcButton.setOnClickListener(new View.OnClickListener() { 
@Override 
public void onClick(View view) { 
int firstNumber = Integer.parseInt(firstNumberText.getText().toString()); 
int secondNumber = Integer.parseInt(secondNumberText.getText().toString()); 
ICalc calc = new CalcImpl(); 
int result = calc.sum(firstNumber, secondNumber); 
resultText.setText(result + ""); 
} 
});

@Override 
} 
});
public interface ICalc { 
int sum(int first, int second); 
}

@Override 
} 
});
}
public class CalcImpl implements ICalc { 
@Override 
public int sum(int first, int second) { 
return first + second; 
} 
}

Step 2: decompile app
apktool d original_app.apk

Step 3: Understand smali code
<activity android:name=".activity.MainActivity"> 
<intent-filter> 
<action android:name="android.intent.action.MAIN" /> 
 
<category android:name="android.intent.category.LAUNCHER" /
> 
</intent-filter> 
</activity>

}
.class public interface abstract Lcom/hqt/reverse/sample/a/b; 
.super Ljava/lang/Object; 
 
 
# virtual methods 
.method public abstract a(II)I 
.end method

}
 
 
.end method
interface ICalc
became interface “b”

}
 
 
.end method
method sum became
method “a”

package com.hqt.reverse.sample.utils;
@Override 
} 
}

@Override 
} 
}
.class public Lcom/hqt/reverse/sample/a/a; 
 
# interfaces 
.implements Lcom/hqt/reverse/sample/a/b; 
 
 
# direct methods 
.method public constructor <init>()V 
.locals 0 
 
invoke-direct {p0}, Ljava/lang/Object;-><init>()V 
 
return-void 
.end method 
 
 
.method public a(II)I 
.locals 1 
 
add-int v0, p1, p2 
 
return v0 
.end method

@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
interface
com.hqt.reverse.sample.utils
became
com.hqt.reverse.a

@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
class CalcImpl
became class a

@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
implements ICalc
became
implements Lcom/hqt/reverse/
sample/a/b

@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
Implicit constructor

@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
using method add-int for sum

Step 4: Modifying smali code
@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
 
.method public mul(II)I 
.locals 1 
mul-int v0, p1, p2 
return v0 
.end method
z
using method mul-int for multiplication

@Override 
} 
}
 
# interfaces 
 
 
# direct methods 
.locals 0 
 
 
return-void 
.end method 
 
 
.locals 1 
 
 
return v0 
.end method 
 
.method public mul(II)I 
.locals 1
 
mul-int v0, p1, p2 
return v0 
.end method
z

@Override 
protected void onCreate(Bundle savedInstanceState) { 
super.onCreate(savedInstanceState); 
setContentView(R.layout.activity_main); 
 
firstNumberText = (EditText) findViewById(R.id.first_number_text); 
secondNumberText = (EditText) findViewById(R.id.second_number_text); 
resultText = (TextView) findViewById(R.id.result_text); 
calcButton = (Button) findViewById(R.id.calc_button); 
 
@Override 
} 
}); 
}

public class MainActivity extends AppCompatActivity { 
 
// variable definition 
 
@Override 
 
// finding view
 
@Override 
} 
}); 
} 
}

public class MainActivity extends AppCompatActivity { 
 
// variable definition 
 
@Override 
 
// finding view
 
@Override 
} 
}); 
} 
}
Anonymous inner class became
MainActivity$1

File $MainActivity$1.smali
.method public onClick(Landroid/view/View;)V 
.locals 3 
 
iget-object v0, p0, Lcom/hqt/reverse/sample/activity/MainActivity$1;->a:Lcom/hqt/reverse/sample/activity/MainActivity; 
 
iget-object v0, v0, Lcom/hqt/reverse/sample/activity/MainActivity;->m:Landroid/widget/EditText; 
 
invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable; 
 
move-result-object v0 
 
invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String; 
 
 
invoke-static {v0}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I 
 
move-result v0 
 
iget-object v1, p0, Lcom/hqt/reverse/sample/activity/MainActivity$1;->a:Lcom/hqt/reverse/sample/activity/MainActivity; 
 
iget-object v1, v1, Lcom/hqt/reverse/sample/activity/MainActivity;->n:Landroid/widget/EditText; 
 
invoke-virtual {v1}, Landroid/widget/EditText;->getText()Landroid/text/Editable; 
 
 
invoke-virtual {v1}, Ljava/lang/Object;->toString()Ljava/lang/String; 
 
 
invoke-static {v1}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I 
 
move-result v1 
 
new-instance v2, Lcom/hqt/reverse/sample/a/a; 
 
invoke-direct {v2}, Lcom/hqt/reverse/sample/a/a;-><init>()V 
 
invoke-interface {v2, v0, v1}, Lcom/hqt/reverse/sample/a/b;->mul(II)I 
 
move-result v0 
 
iget-object v1, p0, Lcom/hqt/reverse/sample/activity/MainActivity$1;->a:Lcom/hqt/reverse/sample/activity/MainActivity;

@Override 
// some line before
 
// some line after 
} 
});

Find <icalc_object>.sum(int, int)
@Override 
// some line before
 
} 
});

@Override 
// some line before
 
} 
});
- icalc_object -> Lcom/hqt/reverse/sample/a/b
- sum -> a
- (int, int) -> (I,I)

Find Lcom/hqt/reverse/sample/a/b;->a(II)I
@Override 
// some line before
 
} 
});
- icalc_object -> Lcom/hqt/reverse/sample/a/b
- sum -> a
- (int, int) -> (I,I)

Step 4 Compile again apk ile
apktool b modiied_apk_folder

Step 5 Sign again apk ile
Step 1: Generate keystore:
keytool -genkey -v -keystore my-release-key.keystore
-alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Step 5 Sign again apk ile
Step 2: Sign apk with generated keystone
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1
-keystore my-release-key.keystore
my_application.apk alias_name

What is hooking
public int calc(int a, int b) {
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
calc(10, 10) = 0
calc(5, 10) = 15

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
Hook before method:

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
Hook before method:
a = a + 1

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
Hook before method:
a = a + 1
calc(10, 10) = calc(11, 10) = 21
calc(5, 10) = calc(6, 10) = 0

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
Hook before method:
a = a + 1
calc(10, 10) = calc(11, 10) = 21
calc(5, 10) = calc(6, 10) = 0
Hook after method:

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
Hook before method:
a = a + 1
calc(10, 10) = calc(11, 10) = 21
calc(5, 10) = calc(6, 10) = 0
Hook after method:
return result + 1

What is hooking
// logic code here
if (a % 2 == 0) return 0;
return a + b;
}
Hook before method:
a = a + 1
calc(10, 10) = calc(11, 10) = 21
calc(5, 10) = calc(6, 10) = 0
Hook after method:
return result + 1
calc(10, 10) = 0 = 0 + 1 = 1
calc(5, 10) = 15 = 15 + 1 = 16

Xposed modules
• https://github.com/wanam/YouTubeAdAway

Xposed modules
• https://github.com/pylerSM/YouTubeBackgroundPlayback

Xposed modules
• https://github.com/devadvance/rootcloak

Xposed modules
• https://github.com/devadvance/rootcloak
• https://github.com/M66B/XPrivacy

Demo
public class XposedHook implements IXposedHookLoadPackage {
 
public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) { 
if (!lpparam.packageName.equals("com.hqt.reverse.sample")) return; 
 
Class<?> clazz = XposedHelpers.findClass("com.hqt.reverse.sample.a.a",
lpparam.classLoader); 
 
XposedHelpers.findAndHookMethod(clazz, "a", 
int.class, int.class, 
new XC_MethodHook() { 
@Override 
protected void afterHookedMethod(MethodHookParam param) { 
Integer first = (Integer) param.args[0]; 
Integer second = (Integer) param.args[1]; 
Integer result = first * second; 
param.setResult(result); 
} 
}); 
} 
}

ReKlection API
- change some internal value.

ReKlection API
- call some private methods.

ReKlection API
- call some private methods.
- Internal Android doesn’t obfuscate its source code.

Not always work …
ProxyDroid

Not always work …
ProxyDroid
JustTrustMe

Not always work …
ProxyDroid
JustTrustMe
using native hooking framework. (later)

Multidex Introduction
Total number of methods that can be referenced within a single
DEX Kile limit to 65,536

Multidex Introduction
Total number of methods that can be referenced within a single
DEX Kile limit to 65,536
public class MyApplication extends Application { 
@Override 
protected void attachBaseContext(Context base) { 
super.attachBaseContext(base); 
MultiDex.install(this); 
} 
}

Merge multi dex Kiles
Baksmali: https://github.com/testwhat/SmaliEx
Command: java -jar baksmali.jar sample.apk

Multidex Hooking
XposedHelpers.findAndHookMethod(“com.org.d.a.b”, 
paramLoadPackageParam.classLoader, "doingSomething", new
XC_MethodHook() { 
protected void afterHookedMethod(MethodHookParam
paramAnonymousMethodHookParam) 
throws Throwable { 
super.afterHookedMethod(paramAnonymousMethodHookParam); 
paramAnonymousMethodHookParam.setResult(""); 
} 
});

Multidex Hooking
} 
});
- This hooking function will fail if this function lies on second dex ile.

Multidex Hooking
} 
});
- This hooking function will fail if this function lies on second dex ile.
- We must hook all functions after Multidex.install(this) line.

Multidex Hooking
final Class<?>[] customClass = new Class<?>[1]; 
customClass[0] = XposedHelpers.findClass(“com.sample.MyApplication”, 
paramLoadPackageParam.classLoader); 
 
XposedHelpers.findAndHookMethod(customClass[0], "onCreate", 
@Override 
XposedBridge.log(“Hooked");
});

Multidex Hooking
final Class<?> customClass = new Class<?>[1]; 
customClass[0] = XposedHelpers.findClass(“com.sample.MyApplication”, 
XposedHelpers.findAndHookMethod(customClass[0], "onCreate", 
@Override 
XposedBridge.log(“Hooked");
 
Class<?> nestedClass = XposedHelpers.findClass(“com.org.d.a.b”,
 
XposedHelpers.findAndHookMethod(nestedClass, "doSomething", 
@Override 
protected void afterHookedMethod(MethodHookParam param){ 
Log.e("hqthao", “hooked to different dex file"); 
} 
});
});

Hooking native layer
XPosed: only hook bridge methods.

Cydia Substrate:
- similar for iOS reverse engineers.
- only for Android 4.3 or before.

Cydia Substrate:
Frida:
- using javascript.
- fast for prototype.

Cydia Substrate:
Frida:
- using javascript.
- fast for prototype.
AndroidEagleEye:
- Good for implementing.
- Not good for testing prototype like Frida.

Others
IDA - Interactive Disassembler
Smalidea

Others
IDA - Interactive Disassembler
Smalidea
https://github.com/hqt/reverse-engineering

Android Reverse Engineering

More Related Content

Similar to Android Reverse Engineering (20)

More from Thao Huynh Quang (15)

Recently uploaded (20)

Android Reverse Engineering