DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies - PowerPoint PPT Presentation

DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies https://github.com/FrenchYeti/dexcalibur.git

WHO AM I ? GEORGES-B. MICHEL ▸ @FrenchYeti ▸ yeti@0xff.ninja Aka @FrenchYeti ▸ Software Security Evaluator at Thales ▸ Day : Reverse engineering (Android + TEE) apps HCE Payment applications, Trusted Applications, ARM binaries ▸ ▸ Night : Develop reverse / pentest / appsec tools Frida addict ▸

EXAMPLE OF AN OBFUSCATED ANDROID APPLICATION

MOTIVATION LET’S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION PACKER   DECIPHER & LOAD CLASS LOADER DEX LOADER APP CLASSES & METHODS Ciphered secondary   NATIVE   .dex file FUNCTIONS Clear .dex file & JNI libs

MOTIVATION LET’S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION PACKER   DECIPHER & LOAD CLASS LOADER DEX LOADER INVOKE BY REFLECTION APP CLASSES & METHODS Ciphered secondary   NATIVE   .dex file FUNCTIONS Clear .dex file & JNI libs

MOTIVATION LET’S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION PACKER   DECIPHER & LOAD DECIPHER & LOAD CLASS LOADER DEX LOADER INVOKE BY REFLECTION APP CLASSES WHITE BOX   & METHODS CRYPTO Ciphered secondary   NATIVE   .dex file FUNCTIONS Ciphered JNI lib Clear .dex file & JNI libs

MOTIVATION LET’S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION PACKER   DECIPHER & LOAD DECIPHER & LOAD CLASS LOADER DEX LOADER INVOKE BY REFLECTION JNI FUNCTIONS APP CLASSES WHITE BOX   & METHODS CRYPTO Ciphered secondary   NATIVE   DOWNLOAD,   .dex file FUNCTIONS DECIPHER & LOAD Ciphered JNI lib Clear .dex file & JNI libs Class loaded from the network   (NetworkClassLoader)

MOTIVATION WHAT CAN I HOOK ? PACKER   DECIPHER DECIPHER & LOAD CLASS LOADER DEX LOADER INVOKE BY REFLECTION JNI FUNCTIONS APP CLASSES & METHODS Ciphered secondary   NATIVE   DOWNLOAD,   .dex file FUNCTIONS DECIPHER & LOAD Ciphered JNI lib Clear .dex file & JNI libs Class loaded from the network   YOU CAN HOOK   (NetworkClassLoader) ONLY WHAT YOU SEE

MOTIVATION WHAT IS INTERESTING TO HOOK ? PACKER   DECIPHER DECIPHER & LOAD CLASS LOADER DEX LOADER INVOKE BY REFLECTION JNI FUNCTIONS APP CLASSES & METHODS Ciphered secondary   NATIVE   DOWNLOAD,   .dex file FUNCTIONS DECIPHER & LOAD Clear .dex file Ciphered JNI lib Clear .dex file & JNI libs Class loaded from the network   (NetworkClassLoader) IT REQUIRES SEVERAL   HOOKING SESSIONS

MOTIVATION

THE IDEA MOTIVATION ▸ Deobfuscate waste of time

THE IDEA MOTIVATION ▸ Deobfuscate waste of time ▸ Manage hooks not so easy

THE IDEA MOTIVATION ▸ Deobfuscate waste of time ▸ Manage hooks not so easy ▸ Manual tasks can be automated (start App, …)

THE IDEA MOTIVATION ▸ Deobfuscate waste of time ▸ Manage hooks not so easy ▸ Manual tasks can be automated (start App, …) ▸ Several devices hooked simultaneously

THE IDEA MOTIVATION ▸ Deobfuscate waste of time ▸ Manage hooks not so easy ▸ Manual tasks can be automated (start App, …) ▸ Several devices hooked simultaneously ▸ Application size explore bytecode/libs is boring

THE IDEA CHRISTMAS WISH LIST 1/2 : ▸ Show functions invoked dynamically as « xrefs » ▸ Discover automatically classes & bytecode loaded dynamically (DexFile ..) ▸ Generate hook with a single click on the function ▸ Debug a single hook while others are active ▸ Enable/disable hook without lose   or pollute the source code

THE IDEA CHRISTMAS WISH LIST 2/2 : ▸ Multi-user : share the same instrumentation with my friends ▸ Instrumente several devices and merge hook logs   (Workflow / IoT) ▸ Be able to run with rooted & non-rooted devices ▸ Offer user-friendly GUI and API, ▸ Free & open-source ! ( license APACHE 2 )

WHAT IS DEXCALIBUR ?

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER INSTRUMENTATION TOOL

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER INSTRUMENTATION TOOL MODULAR HEURISTIC & SEARCH ENGINE

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER INSTRUMENTATION TOOL MODULAR HEURISTIC & SEARCH ENGINE DEVICE MANAGER & FRIDA UTILS

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER INSTRUMENTATION TOOL CONTROLS & CUSTOMIZE MODULAR HEURISTIC & SEARCH ENGINE DEVICE MANAGER & FRIDA UTILS WEB SERVER & UI

WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER IMPROVES AT   INSTRUMENTATION TOOL RUNTIME CONTROLS & CUSTOMIZE MODULAR HEURISTIC & SEARCH ENGINE DEVICE MANAGER & FRIDA UTILS WEB SERVER & UI

WHAT IS DEXCALIBUR ? DEXCALIBUR NOT JUST A TOOLBOX Baksmali DEX DISASSEMBLER FILE IDENTIFIERS & PARSERS STATIC BYTECODE ANALYZER DYNAMIC BYTECODE ANALYZER IMPROVES AT   INSTRUMENTATION TOOL RUNTIME CONTROLS & CUSTOMIZE MODULAR HEURISTIC & SEARCH ENGINE DEVICE MANAGER & FRIDA UTILS WEB SERVER & UI

WHAT IS DEXCALIBUR ? NICE TOOLS :-) POWERED BY … APKTOOL +   BAKSMALI ANDROID SDK Today NATIVE HOOK CANNOT BE GENERATED   NO BYTECODE SYMBOLIC EXEC Functions contained into JNI/native libs   can be hooked, but decompilers/analyzers   dont support it. So, native hook cannot be   generated.

WHAT IS DEXCALIBUR ? NICE TOOLS :-) POWERED BY … AND MORE ! SMALI VM Z3 SOLVER APKTOOL R2 LIEF LIEF +   BAKSMALI RetDec ANDROID SDK Today Tomorrow NATIVE HOOK CANNOT BE GENERATED   ADD NATIVE LIBRARIES SUPPORT NO BYTECODE SYMBOLIC EXEC SMALI SYMBOLIC EXEC Functions contained into JNI/native libs   can be hooked, but decompilers/analyzers   dont support it. So, native hook cannot be   generated.

DEMO #1

HOW IT WORKS ?

HOW IT WORKS ? 1) START PHASE - FILE ANALYSIS 4 Files identified & categorized:   2 Parse APK content key stores, libs, properties, xml,   FILE   ANALYZER shared pref, cache, … Undetected / high entropy files   are tagged UNCOMPRESS APK FILE 1 notify APK Pull Application data   3 /data/data/xxx … DEVICE

HOW IT WORKS ? 1) START PHASE - ANDROID API ANALYSIS FILE   ANALYZER UNCOMPRESS APK FILE APK DEVICE Application   Graph 1 2 Statically built ANDROID DEX SAST Create app   API/STUB DISASSEMBLER 3 graph

HOW IT WORKS ? 1) START PHASE - APPLICATION BYTE CODE ANALYSIS FILE   ANALYZER UNCOMPRESS 1 APK FILE notify APK 3 2 Update app   DEX 4 SAST DISASSEMBLER graph DEVICE Application   Graph Statically built ANDROID DEX SAST API/STUB DISASSEMBLER

HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN Application   +   Android API   Graph Statically built MODULAR HEURISTIC ENGINE notify 1 DYNAMIC BYTE ARRAY FILE ACCESS KEY STORES LOADER CLASSIFIER … Categorized Files

HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN Application   +   Android API   Graph Search pattern &   2 method Statically built MODULAR HEURISTIC ENGINE notify 1 FILE ACCESS DYNAMIC NATIVE DESCRIPTORS KEY STORE LOADER LIB / JNI STREAMS … Correlate static files   2’ Categorized Bind a file to a method Files

HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN Generate   5 Get method   frida code 4 HOOK   signature MANAGER HOOKS Application   +   Android API   Graph 3 ASK FOR INSTRUMENTATION Statically built MODULAR HEURISTIC ENGINE FILE ACCESS DYNAMIC NATIVE DESCRIPTORS KEY STORE LOADER LIB / JNI STREAMS … Categorized Files

HOW IT WORKS ? 2) INSTRUMENTATION PHASE - RUNTIME Starts app &   6 deploys HOOK   DEVICE MANAGER HOOKS Application   +   Android API   Graph Hook data : args,   Correlate graph &   7 8 return, this, … Statically built intercepted data MODULAR HEURISTIC ENGINE FILE ACCESS DYNAMIC NATIVE DESCRIPTORS KEY STORE LOADER LIB / JNI STREAMS …

DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies - PowerPoint PPT Presentation

DEXCALIBUR AUTOMATE YOUR ANDROID APP REVERSE Or hooking for dummies https://github.com/FrenchYeti/dexcalibur.git WHO AM I ? GEORGES-B. MICHEL @FrenchYeti yeti@0xff.ninja Aka @FrenchYeti Software Security Evaluator at Thales Day