DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE, or hooking for dummies (PowerPoint presentation)



  1. DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE. Or hooking for dummies. https://github.com/FrenchYeti/dexcalibur.git

  2. WHO AM I ? GEORGES-B. MICHEL
 ▸ @FrenchYeti
 ▸ yeti@0xff.ninja, aka @FrenchYeti
 ▸ Software Security Evaluator at Thales
 ▸ Day : reverse engineering of Android + TEE apps (HCE payment applications, Trusted Applications, ARM binaries)
 ▸ Night : developing reverse / pentest / appsec tools
 ▸ Frida addict

  3. EXAMPLE OF AN OBFUSCATED ANDROID APPLICATION

  4-8. MOTIVATION : LET'S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION (diagram, built up over slides 4 to 8)
 ▸ Packer : decipher & load the ciphered secondary .dex file → clear .dex file & JNI libs → class loader / dex loader → app classes & methods
 ▸ App classes & methods → invoke by reflection
 ▸ App classes & methods → JNI functions → native functions
 ▸ White box crypto : ciphered JNI lib, deciphered & loaded at runtime
 ▸ Class loaded from the network (NetworkClassLoader) : download, decipher & load

  9. MOTIVATION : WHAT CAN I HOOK ? (same diagram) YOU CAN HOOK ONLY WHAT YOU SEE

  10. MOTIVATION : WHAT IS INTERESTING TO HOOK ? (same diagram, clear .dex file highlighted) IT REQUIRES SEVERAL HOOKING SESSIONS

  11. MOTIVATION

  12-16. THE IDEA : MOTIVATION (bullets revealed one per slide)
 ▸ Deobfuscating by hand is a waste of time
 ▸ Managing hooks is not so easy
 ▸ Manual tasks can be automated (start the app, …)
 ▸ Several devices hooked simultaneously
 ▸ Application size : exploring bytecode/libs by hand is boring

  17. THE IDEA : CHRISTMAS WISH LIST 1/2
 ▸ Show functions invoked dynamically as « xrefs »
 ▸ Discover automatically classes & bytecode loaded dynamically (DexFile, …)
 ▸ Generate a hook with a single click on the function
 ▸ Debug a single hook while the others stay active
 ▸ Enable/disable a hook without losing or polluting the source code

  18. THE IDEA : CHRISTMAS WISH LIST 2/2
 ▸ Multi-user : share the same instrumentation with my friends
 ▸ Instrument several devices and merge hook logs (workflow / IoT)
 ▸ Be able to run with rooted & non-rooted devices
 ▸ Offer a user-friendly GUI and API
 ▸ Free & open-source ! (Apache 2 license)

  19. WHAT IS DEXCALIBUR ?

  20-28. WHAT IS DEXCALIBUR ? NOT JUST A TOOLBOX (component diagram, one box added per slide)
 ▸ Baksmali DEX disassembler
 ▸ File identifiers & parsers
 ▸ Static bytecode analyzer
 ▸ Dynamic bytecode analyzer
 ▸ Instrumentation tool
 ▸ Modular heuristic & search engine
 ▸ Device manager & Frida utils
 ▸ Web server & UI
 ▸ Diagram annotations : IMPROVES AT RUNTIME, CONTROLS & CUSTOMIZE

  29-30. WHAT IS DEXCALIBUR ? POWERED BY … NICE TOOLS :-)
 ▸ Today : APKTOOL + BAKSMALI, ANDROID SDK
 ▸ Tomorrow, and more ! : SMALI VM, Z3 SOLVER, R2, LIEF, RetDec
 ▸ Today : NATIVE HOOK CANNOT BE GENERATED, NO BYTECODE SYMBOLIC EXEC
 ▸ Tomorrow : ADD NATIVE LIBRARIES SUPPORT, SMALI SYMBOLIC EXEC
 ▸ Functions contained in JNI/native libs can be hooked, but the decompilers/analyzers don't support them, so native hooks cannot be generated.

  31. DEMO #1

  32. HOW IT WORKS ?

  33. HOW IT WORKS ? 1) START PHASE - FILE ANALYSIS (diagram : APK, file analyzer, device)
 ▸ 1. Uncompress the APK file
 ▸ 2. Parse the APK content (file analyzer is notified)
 ▸ 3. Pull application data from the device (/data/data/xxx …)
 ▸ 4. Files identified & categorized : key stores, libs, properties, xml, shared pref, cache, … Undetected / high-entropy files are tagged

  34. HOW IT WORKS ? 1) START PHASE - ANDROID API ANALYSIS
 ▸ 1. Android API / stub
 ▸ 2. DEX disassembler + SAST
 ▸ 3. Create the app graph (Application graph, statically built)

  35. HOW IT WORKS ? 1) START PHASE - APPLICATION BYTE CODE ANALYSIS
 ▸ 1. Uncompress the APK file (DEX disassembler is notified)
 ▸ 2. DEX disassembler
 ▸ 3. SAST
 ▸ 4. Update the app graph (Application + Android API graph, statically built)

  36. HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN
 ▸ 1. The modular heuristic engine is notified with the statically built graph (Application + Android API) and the categorized files
 ▸ Heuristics : dynamic loader, byte array, file access, key stores, classifier, …

  37. HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN
 ▸ 2. Search pattern & method
 ▸ 2'. Correlate static files : bind a file to a method
 ▸ Heuristics : file access, dynamic loader, native lib / JNI, descriptors, key store, streams, …

  38. HOW IT WORKS ? 2) INSTRUMENTATION PHASE - BEFORE RUN
 ▸ 3. Ask for instrumentation
 ▸ 4. Hook manager gets the method signature
 ▸ 5. Generate Frida code → hooks

  39. HOW IT WORKS ? 2) INSTRUMENTATION PHASE - RUNTIME
 ▸ 6. Device manager starts the app & deploys the hooks
 ▸ 7. Hook data : args, return, this, …
 ▸ 8. Correlate the graph & the intercepted data
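Steps 4 and 5 above (get the method signature, generate the Frida code) are the part of the pipeline that turns a static finding into a runtime hook. The following is an added example, not Dexcalibur's own code and not from the author: it parses a smali-style signature such as `Lcom/example/Foo;->bar(Ljava/lang/String;I[B)V` (a constructed placeholder), converts each descriptor to the type name Frida's `overload()` expects, and emits a hook that logs arguments, `this` and the return value before calling through. The helper names are mine; the three Android loader signatures (`DexClassLoader.<init>`, `DexFile.loadDex`, `System.load`) are real framework APIs, chosen because hooking them is how an analyst sees the secondary dex files and native libs the diagram describes.

```javascript
// Added example, not Dexcalibur's code: smali signature -> Frida hook generator.
// Helper names are illustrative; com.example.Foo is a constructed placeholder.

// Smali primitive descriptors and the type names Frida's overload() expects.
const PRIMITIVES = { V: 'void', Z: 'boolean', B: 'byte', S: 'short', C: 'char',
                     I: 'int', J: 'long', F: 'float', D: 'double' };
const isPrimitive = (d) => Object.prototype.hasOwnProperty.call(PRIMITIVES, d);

// One descriptor -> Frida type name. Objects become dotted names; arrays keep
// the JVM spelling ('[B' for byte[], '[Ljava.lang.String;' for String[]).
function smaliTypeToFrida(desc) {
  if (isPrimitive(desc)) return PRIMITIVES[desc];
  if (desc[0] === '[') {
    const inner = desc.slice(1);
    if (inner[0] === 'L') return '[' + inner.replace(/\//g, '.');
    if (inner[0] === '[') return '[' + smaliTypeToFrida(inner);
    if (isPrimitive(inner)) return '[' + inner;
  }
  if (desc[0] === 'L' && desc.endsWith(';')) return desc.slice(1, -1).replace(/\//g, '.');
  throw new Error('unsupported descriptor: ' + desc);
}

// Split a parameter list such as 'Ljava/lang/String;I[B' into descriptors.
function splitDescriptors(list) {
  const out = [];
  let i = 0;
  while (i < list.length) {
    let j = i;
    while (list[j] === '[') j++;            // array dimensions prefix the element type
    if (list[j] === 'L') {                  // object type runs up to the ';'
      const end = list.indexOf(';', j);
      if (end < 0) throw new Error('unterminated class descriptor in ' + list);
      j = end + 1;
    } else {
      j++;                                  // single-letter primitive
    }
    out.push(list.slice(i, j));
    i = j;
  }
  return out;
}

// Parse 'Lpkg/Cls;->name(args)ret' into its parts, already in Frida spelling.
function parseSignature(sig) {
  const m = /^(L[^;]+;)->([^(]+)\((.*)\)(.+)$/.exec(sig);
  if (!m) throw new Error('bad signature: ' + sig);
  return {
    cls: smaliTypeToFrida(m[1]),
    method: m[2],
    args: splitDescriptors(m[3]).map(smaliTypeToFrida),
    ret: smaliTypeToFrida(m[4]),
  };
}

// Emit a Frida snippet that logs arguments, 'this' and the return value of the
// exact overload, then calls the original so the app keeps running.
function generateFridaHook(sig) {
  const s = parseSignature(sig);
  const callee = s.method === '<init>' ? '$init' : s.method;  // Frida names constructors $init
  const params = s.args.map((_, i) => 'a' + i).join(', ');
  const overload = s.args.map((t) => `'${t}'`).join(', ');
  return [
    `Java.perform(function () {`,
    `  var cls = Java.use('${s.cls}');`,
    `  cls.${callee}.overload(${overload}).implementation = function (${params}) {`,
    `    console.log('[hook] ${s.cls}.${s.method}(' + [${params}].join(', ') + ') this=' + this);`,
    `    var ret = this.${callee}(${params});`,
    `    console.log('[hook] ${s.cls}.${s.method} -> ' + ret);`,
    `    return ret;`,
    `  };`,
    `});`,
  ].join('\n');
}

// Android's dynamic loading entry points (real framework signatures). Hooking
// them shows which secondary dex files and native libs a packer loads at runtime.
const DYNAMIC_LOADERS = [
  'Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V',
  'Ldalvik/system/DexFile;->loadDex(Ljava/lang/String;Ljava/lang/String;I)Ldalvik/system/DexFile;',
  'Ljava/lang/System;->load(Ljava/lang/String;)V',
];

function dynamicLoaderScript() {
  return DYNAMIC_LOADERS.map(generateFridaHook).join('\n\n');
}

// Run under node to emit the Frida script:  node gen.js > hooks.js
// then load it on a device:                 frida -U -f <package> -l hooks.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(dynamicLoaderScript());
}
```

The generator targets one overload explicitly rather than hooking every overload of a method, which is the difference between a hook that attaches cleanly and one that Frida rejects with an ambiguity error; the smali-to-Frida type mapping is where that precision comes from, and array types are the usual mistake (`[B`, not `byte[]`).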
