DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE
Or hooking for dummies
https://github.com/FrenchYeti/dexcalibur.git
WHO AM I ?
GEORGES-B. MICHEL, aka @FrenchYeti
▸ yeti@0xff.ninja
▸ Software Security Evaluator at Thales
▸ Day: reverse engineering of Android + TEE apps (HCE payment applications, Trusted Applications, ARM binaries)
▸ Night: developing reverse / pentest / appsec tools; Frida addict
EXAMPLE OF AN OBFUSCATED ANDROID APPLICATION
MOTIVATION: LET'S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION
(Diagram of the loading chain, built up over several slides; its components:)
▸ PACKER: deciphers & loads a ciphered secondary .dex file through the CLASS LOADER / DEX LOADER, yielding the clear .dex file & JNI libs
▸ APP CLASSES & METHODS, invoked by reflection
▸ WHITE BOX CRYPTO: deciphers & loads a ciphered JNI lib exposing NATIVE FUNCTIONS / JNI FUNCTIONS
▸ A class downloaded, deciphered & loaded from the network (NetworkClassLoader)

MOTIVATION: WHAT CAN I HOOK ?
(Same diagram.) YOU CAN HOOK ONLY WHAT YOU SEE.

MOTIVATION: WHAT IS INTERESTING TO HOOK ?
(Same diagram.) IT REQUIRES SEVERAL HOOKING SESSIONS.
MOTIVATION
THE IDEA: MOTIVATION
▸ Deobfuscating is a waste of time
▸ Managing hooks is not so easy
▸ Manual tasks can be automated (start the app, …)
▸ Several devices hooked simultaneously
▸ Application size: exploring bytecode/libs by hand is boring
THE IDEA: CHRISTMAS WISH LIST 1/2
▸ Show functions invoked dynamically as « xrefs »
▸ Discover automatically classes & bytecode loaded dynamically (DexFile, …)
▸ Generate a hook with a single click on the function
▸ Debug a single hook while the others stay active
▸ Enable/disable a hook without losing or polluting the source code

THE IDEA: CHRISTMAS WISH LIST 2/2
▸ Multi-user: share the same instrumentation with my friends
▸ Instrument several devices and merge hook logs (workflow / IoT)
▸ Run with rooted & non-rooted devices
▸ Offer a user-friendly GUI and API
▸ Free & open-source! (Apache 2 license)
WHAT IS DEXCALIBUR ?
WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX
(Architecture diagram, built up over several slides; its components:)
▸ Baksmali DEX disassembler
▸ File identifiers & parsers
▸ Static bytecode analyzer
▸ Dynamic bytecode analyzer ("improves at runtime")
▸ Instrumentation tool
▸ Modular heuristic & search engine ("controls & customize")
▸ Device manager & Frida utils
▸ Web server & UI
WHAT IS DEXCALIBUR ? NICE TOOLS :-) POWERED BY …
Today: APKTOOL + BAKSMALI, ANDROID SDK
▸ Native hooks cannot be generated
▸ No bytecode symbolic execution

Tomorrow, and more! SMALI VM, Z3 SOLVER, R2, LIEF, RetDec
▸ Add native libraries support
▸ Smali symbolic execution

Functions contained in JNI/native libs can be hooked, but the decompilers/analyzers don't support them yet, so native hooks cannot be generated.
DEMO #1
HOW IT WORKS ?
HOW IT WORKS ? 1) START PHASE - FILE ANALYSIS
1. Uncompress the APK file
2. Parse the APK content (FILE ANALYZER)
3. Pull application data from the DEVICE (/data/data/xxx …)
4. Files identified & categorized: key stores, libs, properties, xml, shared prefs, cache, …; undetected / high-entropy files are tagged

HOW IT WORKS ? 1) START PHASE - ANDROID API ANALYSIS
1. Android API / stubs
2. DEX DISASSEMBLER + SAST
3. Create the application graph (statically built)

HOW IT WORKS ? 1) START PHASE - APPLICATION BYTE CODE ANALYSIS
1. Uncompress the APK file
2. Notify
3. DEX DISASSEMBLER
4. SAST: update the application graph (statically built, merged with the Android API graph)
HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN
Inputs: Application + Android API graph (statically built), categorized files
MODULAR HEURISTIC ENGINE heuristics: DYNAMIC LOADER, BYTE ARRAY, FILE ACCESS, KEY STORES, CLASSIFIER, NATIVE LIB / JNI, DESCRIPTORS, STREAMS, …
1. Notify the heuristic engine
2. Search pattern & method
2'. Correlate static files: bind a file to a method
3. Ask for instrumentation (HOOK MANAGER)
4. Get the method signature
5. Generate the Frida code (HOOKS)

HOW IT WORKS ? 2) INSTRUMENTATION PHASE - RUNTIME
6. DEVICE MANAGER starts the app & deploys the hooks
7. Hook data: args, return, this, …
8. Correlate the graph & the intercepted data (feeds the heuristic engine)
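Steps 4 and 5 above (get the method signature, generate the Frida code) as an added example; this is not Dexcalibur's own code but a small Node generator that parses a Smali-style method signature and emits a Frida hook reporting this, args and return value, i.e. the hook data of step 7. The sample signature uses the real dalvik.system.DexClassLoader constructor, the kind of dynamic loader the heuristics look for; everything else (function names, the send() payload layout) is an assumption of this example.

```javascript
// Added example (not Dexcalibur's code): turn a Smali-style method signature
// into a Frida hook. Runs offline under Node; the emitted string is what
// would be loaded into Frida on the device.
const PRIMS = { V: 'void', Z: 'boolean', B: 'byte', S: 'short', C: 'char',
                I: 'int', J: 'long', F: 'float', D: 'double' };

// Map one type descriptor to the name Frida's overload() expects:
// "I" -> "int", "Ljava/lang/String;" -> "java.lang.String", "[B" -> "[B",
// "[Ljava/lang/String;" -> "[Ljava.lang.String;".
function descriptorToJava(desc) {
  const dims = desc.match(/^\[*/)[0].length;
  const elem = desc.slice(dims);
  if (dims > 0) return '['.repeat(dims) + (elem[0] === 'L' ? elem.replace(/\//g, '.') : elem);
  if (elem[0] === 'L' && elem.endsWith(';')) return elem.slice(1, -1).replace(/\//g, '.');
  if (PRIMS[elem]) return PRIMS[elem];
  throw new Error('bad type descriptor: ' + desc);
}

// Split a concatenated parameter list such as "Ljava/lang/String;[BI".
function splitArgs(s) {
  const out = [];
  for (let i = 0; i < s.length;) {
    let j = i;
    while (s[j] === '[') j++;                 // array dimensions
    if (s[j] === 'L') j = s.indexOf(';', j);  // class type runs to ';'
    out.push(s.slice(i, j + 1));
    i = j + 1;
  }
  return out;
}

// "Lpkg/Cls;->name(args)ret" -> { cls, name, args[], ret } in Java spelling.
function parseSignature(sig) {
  const m = /^(L[^;]+;)->([^(]+)\((.*)\)(.+)$/.exec(sig);
  if (!m) throw new Error('bad method signature: ' + sig);
  return { cls: descriptorToJava(m[1]), name: m[2],
           args: splitArgs(m[3]).map(descriptorToJava), ret: descriptorToJava(m[4]) };
}

// Emit Frida JavaScript wrapping exactly this overload and reporting this, args and return.
function generateHook(sig) {
  const m = parseSignature(sig);
  const method = m.name === '<init>' ? '$init' : m.name;   // Frida names constructors $init
  const params = m.args.map((_, i) => 'a' + i);
  return [
    'Java.perform(function () {',
    `  var cls = Java.use(${JSON.stringify(m.cls)});`,
    `  cls.${method}.overload(${m.args.map(t => JSON.stringify(t)).join(', ')}).implementation = function (${params.join(', ')}) {`,
    `    var ret = this.${method}(${params.join(', ')});`,
    `    send({ sig: ${JSON.stringify(sig)}, this: String(this), args: [${params.map(p => `String(${p})`).join(', ')}], ret: ${m.ret === 'void' ? 'null' : 'String(ret)'} });`,
    '    return ret;',
    '  };',
    '});'
  ].join('\n');
}

// Sample signature: the real DexClassLoader constructor (dexPath, optimizedDirectory, librarySearchPath, parent).
const DEX_LOADER_INIT = 'Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V';
console.log(generateHook(DEX_LOADER_INIT));
```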