PTS 2019 CANDIDATE PDF (transcript)
DEXCALIBUR: AUTOMATE YOUR ANDROID APP REVERSE
Or hooking for dummies
https://github.com/FrenchYeti/dexcalibur.git
WHO AM I ?
GEORGES-B. MICHEL
▸ @FrenchYeti
▸ Software Security Evaluator at Thales
▸ Day : Reverse engineering (Android + TEE) apps
▸ HCE Payment applications, Trusted Applications, ARM binaries
▸ Night : Develop reverse / pentest / appsec tools
▸ Frida addict
Aka @FrenchYeti
EXAMPLE OF AN OBFUSCATED ANDROID APPLICATION
MOTIVATION
LET’S IMAGINE AN OBFUSCATED MULTI-DEX APPLICATION
PACKER
CLASS LOADER / DEX LOADER
APP CLASSES & METHODS
Clear .dex file & JNI libs
Ciphered secondary .dex file: DECIPHER & LOAD, INVOKE BY REFLECTION
Ciphered JNI lib: DECIPHER & LOAD
Class loaded from the network (NetworkClassLoader): DOWNLOAD, DECIPHER & LOAD
JNI FUNCTIONS
NATIVE FUNCTIONS
WHITE BOX CRYPTO
MOTIVATION
WHAT CAN I HOOK ?
YOU CAN HOOK ONLY WHAT YOU SEE
(Same diagram: PACKER, CLASS LOADER, DEX LOADER, APP CLASSES & METHODS; Clear .dex file & JNI libs; Ciphered secondary .dex file: DECIPHER, INVOKE BY REFLECTION; Ciphered JNI lib: DECIPHER & LOAD; Class loaded from the network (NetworkClassLoader): DOWNLOAD, DECIPHER & LOAD; JNI FUNCTIONS; NATIVE FUNCTIONS)
WHAT IS INTERESTING TO HOOK ?
IT REQUIRES SEVERAL HOOKING SESSIONS
MOTIVATION
THE IDEA
▸ Deobfuscating is a waste of time
▸ Managing hooks is not so easy
▸ Manual tasks can be automated (start App, …)
▸ Several devices hooked simultaneously
▸ Application size: exploring bytecode/libs is boring
THE IDEA
CHRISTMAS WISH LIST 1/2 :
▸ Show functions invoked dynamically as « xrefs »
▸ Discover automatically classes & bytecode loaded dynamically (DexFile …)
▸ Generate a hook with a single click on the function
▸ Debug a single hook while others are active
▸ Enable/disable hooks without losing or polluting the source code
CHRISTMAS WISH LIST 2/2 :
▸ Multi-user : share the same instrumentation with my friends
▸ Instrument several devices and merge hook logs (Workflow / IoT)
▸ Be able to run with rooted & non-rooted devices
▸ Offer a user-friendly GUI and API
▸ Free & open-source ! ( license APACHE 2 )
WHAT IS DEXCALIBUR ?
NOT JUST A TOOLBOX
DEX DISASSEMBLER (Baksmali)
FILE IDENTIFIERS & PARSERS
STATIC BYTECODE ANALYZER
DYNAMIC BYTECODE ANALYZER
INSTRUMENTATION TOOL
MODULAR HEURISTIC & SEARCH ENGINE
DEVICE MANAGER & FRIDA UTILS
WEB SERVER & UI
CONTROLS & CUSTOMIZE
IMPROVES AT RUNTIME
DEXCALIBUR
WHAT IS DEXCALIBUR ?
POWERED BY …
Today: ANDROID SDK, APKTOOL + BAKSMALI, NICE TOOLS :-)
NATIVE HOOK CANNOT BE GENERATED, NO BYTECODE SYMBOLIC EXEC
Functions contained in JNI/native libs can be hooked, but the decompilers/analyzers don't support it. So, native hooks cannot be generated.
Tomorrow: ADD NATIVE LIBRARIES SUPPORT (LIEF, R2, RetDec), SMALI SYMBOLIC EXEC (SMALI VM, Z3 SOLVER) AND MORE !
DEMO #1
HOW IT WORKS ?
1) START PHASE - FILE ANALYSIS
APK FILE, UNCOMPRESS APK, FILE ANALYZER, DEVICE
1. notify
2. Parse APK content
Pull application data (/data/data/xxx …)
Files identified & categorized: key stores, libs, properties, xml, shared pref, cache, …
Undetected / high entropy files are tagged
1) START PHASE - ANDROID API ANALYSIS
ANDROID API/STUB, DEX DISASSEMBLER, SAST, FILE ANALYZER, DEVICE
3. Create appgraph (Application Graph, statically built)
1) START PHASE - APPLICATION BYTE CODE ANALYSIS
DEX DISASSEMBLER, SAST, notify, FILE ANALYZER, DEVICE
3. Update appgraph (Application Graph, statically built)
HOW IT WORKS ?
2) INSTRUMENTATION PHASE - BEFORE RUN
Inputs: notify; Categorized Files; Application + Android API Graph (statically built)
1. MODULAR HEURISTIC ENGINE: DYNAMIC LOADER, BYTE ARRAY CLASSIFIER, NATIVE LIB / JNI, FILE ACCESS, DESCRIPTORS, STREAMS, KEY STORES, …
2. Search pattern & method
2’. Correlate static files: bind a file to a method
3. ASK FOR INSTRUMENTATION
4. HOOK MANAGER: get method signature
5. Generate frida code: HOOKS
HOW IT WORKS ?
2) INSTRUMENTATION PHASE - RUNTIME
6. HOOK MANAGER starts app & deploys HOOKS on the DEVICE
7. Hook data : args, return, this, …
8. Correlate graph & intercepted data (MODULAR HEURISTIC ENGINE)
9. Push discovered elements & tag node (Application + Android API Graph)
« HEY ! GIVE ME THE MOST COMPLETE PICTURE OF THE APPLICATION »
DRAW A COMPLETE PICTURE OF THE APPLICATION
MIX * ANALYSIS WITH INSTRUMENTATION RESULTS
STATIC ANALYSIS: GRAPHS, ANDROID INTERNALS CALLS, STATIC VALUES
DYNAMIC ANALYSIS: SYMBOLIC VALUES, SOLVE CONSTRAINT, …
FILE ANALYSIS: KEYSTORES, PROPERTIES, LIBS & DEX, STRUCTURES, …
DYNAMIC INSTRUMENTATION: PARAMS & RETURNS VALUES, DATA READ/WRITE, SECONDARY DEX & LIBS, STACK TRACE, RUNTIME CONTEXT
CASE #1 DYNAMIC UPDATE OF XREF WITH INVOKED METHODS
DYNAMIC UPDATE OF « XREF FROM » WITH INVOKED METHODS
METHOD INVOKED DYNAMICALLY
From a static point-of-view only two methods are called :
‣ Method.invoke()
‣ Class.getMethod()
(Smali code)
DYNAMIC UPDATE OF « XREF FROM » WITH INVOKED METHODS
STATIC ANALYSIS: GRAPHS, ANDROID INTERNALS CALLS, STATIC VALUES
DYNAMIC INSTRUMENTATION: PARAMS & RETURNS VALUES, DATA READ/WRITE, SECONDARY DEX & LIBS, STACK TRACE, RUNTIME CONTEXT
Sequence:
REFLECTION API INSTRUMENTED
START APP
HOOK TRIGGERED
HOOK GATHERS METHOD INFO
HOOK SHOWS STACK TRACE
HEURISTIC ENGINE UPDATES DB
DYNAMIC UPDATE OF THE CALL GRAPH
METHOD INVOKED DYNAMICALLY: BEFORE RUNTIME / AFTER RUNTIME
UPDATE OF THE CALL GRAPH
Green nodes are internal Android or Java methods
Pink nodes are invoked dynamically and not discovered statically
Gray nodes have been discovered statically
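As an added example (not Dexcalibur's own code), the reflection hook and the "xref from" update this case describes: the Frida agent part intercepts Method.invoke() and Class.getMethod() and ships the target method plus a stack trace, and the plain-JavaScript part turns each message into a call-graph edge with the slide's gray/pink/green colouring. The INTERNAL_PREFIXES list, the message format and the function names are this example's assumptions.

```javascript
// Added example, not Dexcalibur's code. Host-side logic is plain JS (runs under node);
// the agent part only executes inside Frida's Java runtime (guarded at the bottom).

// Assumption: frames from these packages are runtime-internal (green nodes on the slide).
const INTERNAL_PREFIXES = ['java.', 'javax.', 'android.', 'dalvik.', 'com.android.', 'sun.', 'libcore.'];

function isInternal(className) {
  return INTERNAL_PREFIXES.some(p => className.startsWith(p));
}

// Parse one frame of Log.getStackTraceString() output, e.g.
//   "\tat com.example.Packer.run(Packer.java:42)" -> { cls, method, loc }
function parseFrame(line) {
  const m = /^\s*at\s+([\w$.]+)\.([\w$<>]+)\(([^)]*)\)\s*$/.exec(line);
  return m ? { cls: m[1], method: m[2], loc: m[3] } : null;
}

// The real caller of Method.invoke() is the first frame that is not reflection plumbing.
function findCaller(stackTrace) {
  for (const line of stackTrace.split('\n')) {
    const f = parseFrame(line);
    if (f && !isInternal(f.cls)) return f;
  }
  return null;
}

// Call graph with the slide's colouring: gray = found statically,
// pink = only seen at runtime, green = Android/Java internal.
class CallGraph {
  constructor() {
    this.nodes = new Map(); // signature -> { color }
    this.edges = new Set(); // "callerSig -> targetSig"
  }
  addStatic(sig) { this.nodes.set(sig, { color: 'gray' }); }
  addDynamicCall(callerSig, targetSig) {
    for (const sig of [callerSig, targetSig]) {
      if (!this.nodes.has(sig)) this.nodes.set(sig, { color: isInternal(sig) ? 'green' : 'pink' });
    }
    this.edges.add(`${callerSig} -> ${targetSig}`);
  }
  // "xref from": every caller observed for a target method.
  xrefFrom(targetSig) {
    return [...this.edges].filter(e => e.endsWith(` -> ${targetSig}`)).map(e => e.split(' -> ')[0]);
  }
}

// Heuristic-engine step: one intercepted invoke() message updates the graph.
// Returns the caller signature that was linked, or null if no app frame was found.
function onInvoke(graph, msg) {
  const caller = findCaller(msg.stack);
  if (!caller) return null;
  const callerSig = `${caller.cls}.${caller.method}`;
  graph.addDynamicCall(callerSig, msg.target);
  return callerSig;
}

// ---- Frida agent side ----
function installReflectionHooks() {
  Java.perform(function () {
    const Method = Java.use('java.lang.reflect.Method');
    const Clazz = Java.use('java.lang.Class');
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');
    // Method.invoke(Object receiver, Object[] args): gather method info + stack trace.
    Method.invoke.overload('java.lang.Object', '[Ljava.lang.Object;').implementation = function (recv, args) {
      const target = this.getDeclaringClass().getName() + '.' + this.getName();
      const stack = Log.getStackTraceString(Exception.$new());
      send({ type: 'reflect.invoke', target: target, stack: stack });
      return this.invoke(recv, args);
    };
    // Class.getMethod(String name, Class[] types): record which method is being looked up.
    Clazz.getMethod.overload('java.lang.String', '[Ljava.lang.Class;').implementation = function (name, types) {
      send({ type: 'reflect.getMethod', target: this.getName() + '.' + name });
      return this.getMethod(name, types);
    };
  });
}
if (typeof Java !== 'undefined' && Java.available) installReflectionHooks();
```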
DEMO #2
DYNAMIC UPDATE OF XREFS WITH INVOKED METHODS
DYNAMIC UPDATE OF THE CALL GRAPH
![Page 59: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/59.jpg)
CASE #2 ANALYZE DEX FILE LOADED DYNAMICALLY
![Page 60: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/60.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
ANALYZE DEX FILE LOADED DYNAMICALLY
PARAMS & RETURNS
VALUES
DYNAMIC INSTRUMENTATION
DATA READ/WRITE SECONDARY
DEX & LIBS
STACK TRACERUNTIME CONTEXT
FILE ANALYSIS
LIBS & DEX
CLASS GRAPH
STATIC ANALYSIS
ANDROIDINTERNALS
CALLS
![Page 61: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/61.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
ANALYZE DEX FILE LOADED DYNAMICALLY
PARAMS & RETURNS
VALUES
DYNAMIC INSTRUMENTATION
DATA READ/WRITE SECONDARY
DEX & LIBS
STACK TRACERUNTIME CONTEXT
FILE ANALYSIS
LIBS & DEX
CLASS GRAPH
STATIC ANALYSIS
ANDROIDINTERNALS
CALLS
DEX LOADING API INSTRUMENTEDSTART APP
![Page 62: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/62.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
DEXFILE CONSTRUCTORS TRIGGERED
![Page 63: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/63.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
HOOKS ASK IF DEX FILES ARE ALREADY KNOWN
Dex File already analyzed ?
![Page 64: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/64.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
COPY OR GET DEX FILE
![Page 65: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/65.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
DECOMPILE DEX & UPDATE DB
![Page 66: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/66.jpg)
ANALYZE DEX FILE LOADED DYNAMICALLY
![Page 67: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/67.jpg)
CASE #3 BYTECODE CLEANER
![Page 68: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/68.jpg)
BYTECODE CLEANER
BYTE CODE CLEANER : REMOVE NOP
BEFORE
![Page 69: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/69.jpg)
BYTECODE CLEANER
BYTE CODE CLEANER : REMOVE NOP
BEFORE AFTER
![Page 70: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/70.jpg)
REMOVE USELESS GOTO
BEFORE
BYTECODE CLEANER
![Page 71: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/71.jpg)
REMOVE USELESS GOTO
BEFORE AFTER
BYTECODE CLEANER
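The two cleaning passes the slides name (remove nop, remove useless goto) as an added example over smali text; this is not Dexcalibur's own bytecode cleaner. It assumes one instruction or label per line, as baksmali emits, and the sample method body is constructed.

```javascript
// Smali peephole cleaner: drop `nop` instructions and any `goto` whose target label
// is reached without executing another instruction first.
function isLabel(line) { return /^:\S+$/.test(line.trim()); }
function isDirective(line) { return line.trim().startsWith('.'); }

// A goto is useless only when nothing but labels, directives (.line, .local, ...)
// and blank lines sit between it and its target; stop at the end of the method,
// since labels are method-scoped.
function isUselessGoto(lines, i) {
  const m = /^\s*goto(?:\/16|\/32)?\s+(:\S+)\s*$/.exec(lines[i]);
  if (!m) return false;
  for (let j = i + 1; j < lines.length; j++) {
    const t = lines[j].trim();
    if (t === '.end method') return false;
    if (t === '' || isDirective(lines[j])) continue;
    if (isLabel(lines[j])) { if (t === m[1]) return true; continue; }
    return false;  // a real instruction comes before the target label
  }
  return false;
}

// nops go first so a `goto` separated from its label only by nops is also caught.
// Labels live on their own lines, so removing a nop never loses a branch target, and
// smali re-inserts any alignment padding it needs when assembling.
function cleanSmali(source) {
  const noNops = [];
  let removedNop = 0;
  for (const line of source.split('\n')) {
    if (line.trim() === 'nop') removedNop++; else noNops.push(line);
  }
  const out = [];
  let removedGoto = 0;
  for (let i = 0; i < noNops.length; i++) {
    if (isUselessGoto(noNops, i)) { removedGoto++; continue; }
    out.push(noNops[i]);
  }
  return { text: out.join('\n'), removedNop, removedGoto };
}

// Constructed sample: junk nops, one goto that jumps to the very next label, and one
// goto that really skips code and must stay.
const SAMPLE_SMALI = [
  '.method private static check(I)Z',
  '    .registers 2',
  '    nop',
  '    goto :cond_0',
  '    nop',
  '    :cond_0',
  '    if-eqz p0, :cond_1',
  '    goto :cond_2',
  '    nop',
  '    :cond_1',
  '    const/4 v0, 0x0',
  '    return v0',
  '    :cond_2',
  '    const/4 v0, 0x1',
  '    return v0',
  '.end method',
].join('\n');
```

Run `cleanSmali(SAMPLE_SMALI)`: the three nops and `goto :cond_0` disappear, `goto :cond_2` survives because `const/4 v0, 0x0` sits between it and its label, and every label stays in place so other branches keep their targets.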
![Page 72: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/72.jpg)
DEXCALIBUR - NEXT STEPS
IMPROVEMENTS
‣ Use my own customizable Dex Decompiler (or use LIEF)?
‣ Add r2 binding and native hooks
‣ HTTP communications & Intent grabbing
‣ Bytecode & native symbolic exec (Z3) ?
‣ Bytecode emulation (SmaliVM @CalebFenton)?
‣ Offer native instruction hooking (QBDI)?
‣ And fuzz (afl-fuzz params + feedback given by hooking)?
![Page 73: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/73.jpg)
DEXCALIBUR
Thanks
![Page 74: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/74.jpg)
Q&A
![Page 75: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/75.jpg)
ANNEXES
![Page 76: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/76.jpg)
HOW TO INSTALL ?
‣ Ensure you have the requirements (Frida, NodeJS, apktool), then install from source:
git clone https://github.com/FrenchYeti/dexcalibur.git
cd dexcalibur
npm install
‣ Or install from DockerHub:
docker pull frenchyeti/dexcalibur
docker run -it \
-v <workspace>:/home/dexcalibur/workspace \
-p 8080:8000 --dev=<device> \
frenchyeti/dexcalibur
![Page 77: PTS 2019 CANDIDATE PDF · android internals calls static values data read/write secondary dex & libs stack trace runtime context reflection api instrumented start app hook trigged](https://reader035.fdocuments.us/reader035/viewer/2022063002/5f277d2f49f926125831c3b3/html5/thumbnails/77.jpg)
DEXCALIBUR - WHAT IS IT ?
SEARCH BYTE ARRAY