
No, I'm Gerry Geiger and I'm here to give you a talk on function hooking with Xposed. So grab that link right there, tiny.cc ("d signs rock dash exposed", as read out on the slide). That is the whole presentation: all of the links, all the code, all the stuff you guys need from this presentation is going to be at that link. It links directly to this presentation, so you'll be able to look at it, follow along, and grab the links from there. That's the easiest way I thought of to distribute all this stuff, because there's a couple of different GitHub repos and things, so grab that. If you guys have any questions throughout this entire presentation, just please stop me and ask your question. If I'm going too fast, if I'm talking too fast, if I say something that doesn't make any sense, holler; I'm open to that. I want to make this presentation educational for you guys. So, without further ado, we'll move on.

Our agenda for today is a who-am-I, a kind of intro thing, and looking into tools. This presentation kind of turned into an intro to reverse engineering Android as well as Xposed; you can't really use this Xposed framework thing without reverse engineering some of the Android applications, so we're going to look into that. Then what to hook: finding the functions within the applications that you want to hook and take advantage of. Then basic hooks: writing basic hooks to replace methods to do all sorts of different things. We're going to have a couple of practical examples; these last three bullets each have a practical example. So basic hooks, where we're changing return values and things; reverse engineering, where there'll be times when you have an application and you need to figure out what it does, but maybe there's something in the way, or there's some sort of strange algorithm to calculate something, and you can make the app do the work for you in that case; and then disabling security checks, specifically certificate pinning. I'll get in the middle and show man-in-the-
middling some traffic after I've disabled certificate pinning within the app. So I'm gonna go through all this and more, I promise.

So here's the intro. I am Gerry Geiger ("wombo lombo", I like Spongebob). I'm 22, I'm at RIT, it's my last year, I'm graduating, and I'm going to a company called Grimm after graduation (grimm-co.com): very small, 15 people now, really cool place to work. My hobbies and interests: CTFs, reversing, exploitation, all that stuff, poking Android, collecting acronyms (what is it with this field and acronyms? Yeah, crazy). Red team, our development, that's my other work that I do, but I like Android, so I work on that.

So, for you guys, this is a little audience-participation part. Any RIT students, raise your hands? Just to gauge the body and spread. Java programmers? Anyone programmed Java before? A couple of people. All right, good. Android users? I mean, I forgot that one. Yeah, there we go, that's good. Android application programmers? Done any app dev or anything? Okay. Used Xposed before, heard of it? Ah, there we go, this is good. Then, written any Xposed module? We're getting people in here that have done that, excellent. This talk will be perfect then. None of the above? Any of those people? All right, there we go, people at every level. Perfect, so this talk is still for you, don't worry.

So what is Xposed? Sounds hot, yeah, it is, it's really actually awesome. It's a function and resource hooking framework. That means you can basically take a function or resource that an Android application uses and change it to do whatever you want it to do: returns, parameters, exceptions, all of that, and UI elements. The UI elements part is not something I'll be covering in this talk, because this is a huge topic; this framework does a lot of stuff, so we're gonna go entirely for the function part of it. UI elements is something else that I'm looking into, even, and it's
kind of complex, and I'm not really an Android app developer, so this stuff has kind of been interesting for me to look into.

So it's written and maintained by this guy named rovo89. There's his GitHub; he has all this stuff open source: his Xposed framework, which is a modified app_process, he's got that on there; he's got the XposedBridge, which is a Java jar, which we'll be talking about. It's all up on there, so you can go look at it and see how it works. So, like I said, it replaces app_process, which is actually the next slide.

How does it work? It doesn't change an app's signature. This is a question that I got from someone when I showed them this talk before, while I was practicing: does it change the app's signature? And no, it doesn't. It doesn't modify the application that you're hooking in any way. It does in the background, but it does not modify the package or anything. So it's a replacement app_process that basically adds this XposedBridge jar to the classpath. Any Java programmers know what a classpath is; it's basically where it loads all your resources from, like an include for C. So you're including this jar that basically has a bunch of functions that you can call. So when it starts, the first process on Android is called Zygote, and every process forks off of that. So if you can hook into Zygote, which is launched by app_process, you can hook into every single process that launches. Zygote is actually like a Java process launched by app_process, and then every application forks off of it. So if you add a Java class, a jar, to that app_process module, you can actually get that into every single application that loads on the device. So that's how this is all done. So yes, before anyone asks, you need root to do this. This talk is more of a, you know, for your own personal "okay, I want to do this with this application" thing, knowingly; you're not going to put this
on someone's phone and use it as, like, a backdoor or something.

So, tools: they live among us. So I've got to explain some tools before we go any further, so you guys are kind of aware of what's out there for Android reverse engineering. When you get an application, an APK (Android runs these APK files; they contain all the resources, all the Java classes and everything, and they're Java), you need a Java decompiler to really look at it. You can basically look at the source code; sometimes it's obfuscated, sometimes it's not, but these two tools will basically allow you to decompile Android applications. The one that I'm going to be taking advantage of in this demonstration, so what I'll be doing, is JAD, which I found more recently, but the decompilation seems a bit better. It takes the Java classes and it basically takes the bytecode and puts it back into a pseudo-Java for you to look at, so it's a lot easier to look at than Java bytecode, which is really obnoxious.

dex2jar and apktool: the way that you need to do it, you need to convert your APKs to jars. So that's why we have dex2jar, because inside an APK there's this thing called the dex, classes.dex, and that's basically all the code of that application in one file. dex2jar takes that file and converts it to a Java jar, so you can actually decompile it with JAD or JD-GUI. apktool is useful if you're reverse engineering an application as well: it extracts the smali, the Java bytecode, and then the resources from the package, so you can look at those and change them if you want.

So, aapt: I'm going to be using this one actually pretty heavily. This is part of the Android SDK, and it allows you to see the resources inside a package without unpacking it. Your decompiled code doesn't have all the strings that you're going to look for, because if you're reversing something, one of the first things you look at is strings: "okay, I'm going to find the particular string that I think pertains to the part of the program that I'm trying to get to." The strings aren't all in the application like that; they're referenced by number in a resource, so you actually have to use this tool to find out where those resources are. You can use this tool to actually look for all the strings within the application, and you can grep for them. So from there you would basically say, "okay, I'm looking for this string, it has this ID, and I'm going to grep for that in the decompiled code, and now I know what location that string is used at." So that's a kind of unique thing with reversing Android classes that you kind of have to do, so we're gonna be using that.

I wrote some custom tools to help with this, because I was tired of doing these commands over and over and over and over again, and I got really mad, as you can see, at this last one. Because sometimes there's obfuscation within these classes, within these jars, and sometimes the classes will be named like this: a capital A, or a, as well as a capital A, and I don't have a case-sensitive file system, so these overwrite each other as soon as they unzip. So I had to write this big... it's not really a big shell script, but a shell script to take it, check if it's already there, and then unpack it. This also has the options so that you can unpack class jars that have these ridiculous classes. So the first one will take an APK file, it will convert it with dex2jar to a jar, it will unpack it by just unzipping (a jar file is simply a zip file, a signed zip file), and then it will unpack it and JAD everything, so you can start to look at all the code in all the classes. So it does that all in one; JAD actually takes a class file at a time, so it's really tedious to go through and say "okay, I'm going to decompile this one now, and I'll decompile this one now." So this tool basically helps you do everything at once. "search string" allows you to use aapt to search strings: if you're looking in the code somewhere and you find a reference, you can paste it as the first part of the second argument of search string, and basically it will tell you what string that is. So this number, this big long decimal number or hex number or whatever, you paste it and you can use that. I'll show you an example of that later.
So you can find them here; all the links for all the tools for this presentation are in the presentation itself, so make sure to check those out.

So, what to hook: we have to find something to go after. This involves reverse engineering the application, so the process that I usually use is this. You've got to get the APK first; you have to get a hold of this file, the application. You can get it at apk4fun.com, which will give you APKs of things. I sometimes use this just to check out an app, poke at this application and grab it offline; I don't have a USB cable, I'm just trying to... Okay, before that, you can get it in this directory on your phone, if you use an adb shell and you get shell access to your phone; you need root to get into this area. We need to do this for all this Xposed stuff anyway, so you should have that already. Convert it to a jar with our dex2jar program, so that's literally dex2jar and the APK you've extracted. Decompile it with either JAD or JD-GUI, whatever you prefer; JAD is a command-line tool only, and JD-GUI actually has a GUI. Maybe smash your head against the obfuscation, like I said; I'll actually show you guys later that one of the applications that I have is heavily obfuscated like this. That's why I had to write that one tool, and the class names are just horrendous. Identify the relevant classes and functions: you can do that by standard reverse engineering techniques, looking through, seeing how things are connected, reading the code, understanding it, trying to find... I usually start with strings, honestly, like looking at what strings are there. That's one of the demos I'm actually going to do: looking at something and trying to find out how it's doing something via the strings. So I've come up with a couple of different scenarios to kind of give you an idea of what use cases
for this would be. So before we talk about those, these are like... this is the meat of the programming part. You need to understand what all these things do to be able to program a module.

The XposedBridge is that class that we talked about before that gets loaded by the Xposed app_process, or the modified process; it loads the jar. This is the jar that loads, and you need this to be able to build these modules; they're essentially compiled to APKs, and the Xposed framework will apply them to any app. XposedHelpers.findAndHookMethod: we're going to be living on this. This is it. It finds a method by class name and method name and parameters and will allow you to hook it and change it in whatever way you want. callMethod is something that I've used before; you can call methods out of line. I don't have a specific example of that in this talk, but I think it's a really cool thing that you can do: "all right, before this function runs, call this other function and then get the return and do something as a result of that." IXposedHookLoadPackage is a class that you, as a class, are going to implement; so you're implementing this IXposedHookLoadPackage, and every time an app is opened, this will get loaded, and then you'll see it check... you can check for a package name, and if it's the package name you're looking for, the app you're trying to hook, you continue; if not, you just exit. XC_MethodReplacement and XC_MethodHook are really important; those are the two things that actually do the work for you, and they're used with findAndHookMethod. So these two, they do exactly what they sound like: this hooks a method and this replaces a method. LoadPackageParam is essentially package information; we'll be using that to identify if this is the correct app that we're looking for when we're writing a module. And then XposedBridge.log, that's basically the logging helper that I'm going to be using a lot, so I threw that in the bottom; that's like the base XposedBridge as well.

Again, module structure: I'm providing code in this talk for a skeleton. There's a skeleton creator; you run the script with a bunch of arguments (it will tell you what they are), and it will create a new module for you that's ready to build, so you can dive into it directly. It will hook the app that you want, or it'll create a package for you that builds, and you can just modify the code from there, so you don't have to spend time fighting with build stuff. So you need this XposedBridge already built. This is just the whole project structure; I'm not going to go over this too much because there's examples of it. The only important things to know are xposed_init, which is a new thing, which is added as an asset, that basically says "run this class when this module starts": grab this class, which is the one that will be in here, java/your/company/whatever/App.java, so this path minus the .java will be in xposed_init, saying "when you load this module, load up this code," and that'll do that.

So a side note on building and installing: it's built with Gradle, it's a build system; the output is an APK, and it's sent to build/outputs/apk/app-debug.apk. Okay, so that's the file you'll be installing on your device to install the module. Feel free to sign it if you want; this is just a debug app, it will install just fine with this command right here. So I've been using that; I've just been using the debug versions and it works just fine.

So now we're actually going to get to the meat of the code, of package hooking: hooking what package loads. So, like I said, IXposedHookLoadPackage is one of the things we've seen before, and another important part of this is the handleLoadPackage function. So we're using this for implementing this function, handleLoadPackage. So this function will launch every single time a package gets loaded up, so every time you open an app, every time an app opens, this will run. So you have to check: is the package name equal to what I'm trying to find? If it's not, quit, just go off, just leave. If it is, then we want to hook methods. So this is the main skeleton you're going to be using for applications. You can also hook UI elements in a different way by implementing a different class, and also Zygote itself, so the main Android process, which is pretty cool, but this is an application hooking talk, so I'm talking about just loaded packages. So, any questions so far? I tried to speed
through the beginning because it's not really the title of my topic, so this is the more important stuff.

So this is all about findAndHookMethod. Like I said, this is really important; we're going to be living on this, this is going to be our main thing that we're gonna be using. It does exactly what it sounds like: it finds a class and method by name and hooks it to do whatever you want, really. So there's five different scenarios that I've come up with and have small examples for, so you guys get a feel for how this kind of works: you can return a constant, so true, false, 789, Spongebob, whatever; ignore it completely, just make the function do nothing; do something before it's called; do something else entirely; or do something after it's called successfully.

And so this is the main way you call this: you specify the class name that it's within; lpparam.classLoader is always the second argument; the function name in quotes; and then, if there's any arguments, you need to provide them in a certain way, which I'll show in my example; and then the actual hook itself, which is one of the two that I showed before, XC_MethodHook or XC_MethodReplacement. So you'll be placing those in.

So our first scenario is really: we want to make that function just return a constant value. And this is useful for, hey, maybe you're verifying a passcode, and this app will let you in as long as you verify the passcode successfully. All right, so we want that just to return true; we don't care what it does, we just know that it verifies the passcode, and we have the correct passcode, of course. So this is going to be in com.bank.app.Main, and it's always going to return true. So here's actually what I said, findAndHookMethod; this is where you would put this findAndHookMethod. So in class com.bank.app.Main, yeah, it's that same argument all the time; verifyPasscode takes a String as an argument. This is what I was talking about with arguments: so when this findAndHookMethod is finding a method, it's going to look for a method called verifyPasscode in this class with that argument, String.class. If the parameter is a String, it's String.class; I'm not sure why, that's just the syntax. And then you're using XC_MethodReplacement, so we're replacing what this function does entirely with just returning a constant: we're gonna return true. All right, and what that will do is make this function return true every time. So that's really cool.

Scenario two is we just want to make it do nothing. This is more used for void functions, because usually non-void functions will expect some sort of return, and this doesn't return anything, and that could crash your app. But there's void functions for all sorts of things, like if we have a function called checkSecurity and we don't want it to do that: no security here. Very similar, same class, but this time there's no arguments, so there's no argument after the function name itself. We have XC_MethodReplacement.DO_NOTHING, which is fairly straightforward; this will just make this method not do anything at all.

Do something before the function is called: so there's no code under here, because it's on the next slide; it's a little bit more involved, that's why the third, fourth and fifth are more technical, like they require more programming. So say we have a function called transferFunds; it takes a String, an account number or something, in the class com.bank.app, and just before the function runs we want to change that argument to make it say our account number, or a different one, whatever that may be. So instead of just your XC_MethodReplacement, you have to make a new XC_MethodHook, and essentially we have to override the function beforeHookedMethod. So this code will run before the hook, before this method transferFunds runs, and you can access... this is really neat, because you can actually access the arguments of this function right before it's called. You can change them, or you can dump them to the logs, or do whatever you want with them. And so this XposedBridge.log I was talking about, this will dump out to the adb logcat (logcat is essentially Android's logging system); it'll dump with the tag Xposed, so if you grep for Xposed in your adb logcat output, you can actually see this will come up with "changed the account number," and so you know it's working. I use this a lot for debugging. So you have to override the method because you're creating a new XC_MethodHook, and we'll be sticking with XC_MethodHook for a little while, because there's beforeHookedMethod and also an afterHookedMethod, which is the last use case here. Everyone still with me? Thank you for the head nod.

So we can do something else entirely instead; we can, you know, make it crash the app or do something. So same bank example, checkPassword(String password): we're going to do kind of the return-constant thing, but we're also going to dump it to the log. So we're just replacing the method entirely, and we're gonna say, okay, dump the password out, might as well grab that while we're at it, and return true. So this function returns a boolean, so our friend XC_MethodReplacement is back; this time we're actually creating a new one, and we're saying override the replaceHookedMethod function, and we're saying, okay, here's our param (by the way, that's got all the information about the arguments, the object that it's part of, the return, and a few things; sorry, the slide is going to cover that for me). So we're logging it, XposedBridge.log, and we're sending that; we know it's a String argument, so we're just casting it to a String to make sure it's a String and just sending that to the logs, and then return true. So this function will now return true always and also give you the password, which is all right.

Doing something after the function is called: so we have this function called generateToken, and so in this case we want to get a token, a valid token that we can use to request things. Say this is a bank app or something that generates a token on the client side, and it's got a certain algorithm or something, I'm not really sure, but whatever it does, this returns a String that has a token, and we want to get it, because we want to be able to make our own request to their server and we want to generate it. So we'll dump it out to the logs. So we're going to assume that it returns that String. Back to our friend XC_MethodHook, overriding afterHookedMethod instead of beforeHookedMethod, so very straightforward; we're just logging out param.getResult(). So I show this as an example because you can get the result of the function, put it somewhere, do something with it, and if it's a certain value, do something else with it. Like, you can write whatever you can write in Java; you can do it before or after or completely instead of other functions within Android applications, so it's really awesome.

So I'm going to do the classic Words With Friends hack. Words With Friends' word checking is done client side, so we're
going to disable that and play whatever we want. I managed to come up with a game where we both played "shady" off each other, which I think is pretty funny. So we have this game right here, where this is about to be pretty shady; I'm going to get a lot of points in a couple of minutes here. So I'm gonna try to play... I like triple letters, right? Let's play. I got J and Q, it's perfect, right? So I'm gonna try to do this. The module that I wrote is not enabled currently, so it's gonna yell at me, and it's gonna say "no, that is not a real word," which you can check in any dictionary; I don't think that's a real word.

So I'm going to enable this, and I'm going to talk about how you would go about finding this. So if you haven't seen the Xposed interface before, I'm just going to enable this and reboot, and then while I'm rebooting I'm going to talk about how I actually found this, the process that I went through to find this. All right, and I wrote all my commands down so you guys don't have to painfully watch me type a bunch of commands in. So I'm going to spare you the decompilation of this, because it's literally just that one line; here's the command, it will decompile. The decompile will essentially make a directory called out and a jar called out.jar, and inside the out directory is a bunch of... there will be classes, but find them, there we go. So you should have here the decompiled classes; these are the ones with the full bytecode classes, and here are the actual decompiled classes, each one. So those are the ones we're going to be looking at.

So let's use aapt to find a string. So we're going to be looking for the word "valid"; I think that's a good choice, because we're looking for valid or invalid words, and I know that this is also somewhere where I can find the valid word check. So this is what we're looking at right here: "Sorry, whatever it is, that's not a valid word." We saw that pop up on the screen when I tried to play that ridiculous word, and we're going to look for that. So aapt also has another function, and it allows you, like I said, to look at the resources within a package. So we're actually going to try to look for "Sorry, this is not a valid word" within the resources and find the ID. Like I said, a lot of the time your strings will actually not be in the decompiled code itself; they'll be referenced by number, so we have to find that number, and aapt will actually let us do this if we search with grep for that exact string. As you can see, here's this resource and here's the code that we're using. Like I said, JAD has it as hex, so if we grep for that in our code, hopefully we will find where this is being printed out.
And sure enough, we found it in one place, like I planned, where we're getting this resource for saying that's not a valid word. So we're actually going to go to that and check out what is there and why it's saying that. Can everyone see this? I don't want to blow it up any more. Okay, so we wrote down the line numbers, because I always forget: 126. So as you can see, here's our hex value with "Sorry, that's not a valid word," and here's where the word is checked as an invalid word. That's not the place we want to get to; if you look a couple of lines above, we want to get... right, "valid word," yeah, that's good. So if p(), which is a method called p (there's a little bit of obfuscation working for you), if p() is true, the word is valid. So we want to make p() return true, so we're going to go up to p(), which is in this file, and it returns a boolean, great. But we want to kind of go a little bit deeper than that, because if this is doing other stuff relating to the app, we don't know if this is going to trigger something, like this big long line or something else in here is going to trigger something else in the app. So I like to go as deep as possible. So we can see that flag is returned if there's not an exception. So this function, this really strange function that flag is being assigned from, we'll go check that out, because I know for a fact (I tested it) that if you hook p() and make it return true, it doesn't work. So we'll go down a little bit deeper; it's a little bit of trial and error. So we'll go to this class, and here's the function, here's the function that was just being called from p(). So this function also returns a boolean, and as you can see, "word specified is not valid," so basically otherwise return true. So you want to make this function return true always. So this is the function that we're going to hook.
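One module that puts together the five hook styles from the bank examples above (returnConstant, DO_NOTHING, beforeHookedMethod, replaceHookedMethod, afterHookedMethod) and the Words With Friends hook just identified. This is an added example, not the talk's own module from the linked repo: the com.bank.app class and method names are the talk's hypothetical ones, the com.zynga.words class and method names are as read out in the talk (obfuscated, so they change between app versions), and the module package com.example.hookdemo is assumed.

```java
package com.example.hookdemo; // assumed module package; assets/xposed_init must contain "com.example.hookdemo.HookDemo"

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class HookDemo implements IXposedHookLoadPackage {

    // Words With Friends package name (from the talk).
    private static final String WWF_PKG = "com.zynga.words";
    // Hypothetical bank app used for the five scenarios in the talk.
    private static final String BANK_PKG = "com.bank.app";
    private static final String BANK_MAIN = "com.bank.app.Main";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Called once for every package that loads; bail out unless it is one we care about.
        if (WWF_PKG.equals(lpparam.packageName)) {
            hookWordsWithFriends(lpparam);
        } else if (BANK_PKG.equals(lpparam.packageName)) {
            hookBankScenarios(lpparam);
        }
    }

    private void hookWordsWithFriends(LoadPackageParam lpparam) {
        XposedBridge.log("HookDemo: hey, you're cheating");
        try {
            // Class com.zynga.words.d.a.a, method a(String) returning boolean, as transcribed
            // in the talk. Obfuscated names are reassigned whenever the app is rebuilt, so
            // findAndHookMethod throws if they no longer exist; log instead of crashing the app.
            XposedHelpers.findAndHookMethod("com.zynga.words.d.a.a", lpparam.classLoader,
                    "a", String.class, XC_MethodReplacement.returnConstant(true));
        } catch (Throwable t) {
            XposedBridge.log("HookDemo: word-check method not found, app version changed?");
            XposedBridge.log(t);
        }
    }

    private void hookBankScenarios(LoadPackageParam lpparam) {
        ClassLoader cl = lpparam.classLoader;

        // 1. Return a constant: verifyPasscode(String) always succeeds.
        XposedHelpers.findAndHookMethod(BANK_MAIN, cl, "verifyPasscode", String.class,
                XC_MethodReplacement.returnConstant(true));

        // 2. Do nothing: checkSecurity() is void, so its body is simply skipped.
        XposedHelpers.findAndHookMethod(BANK_MAIN, cl, "checkSecurity",
                XC_MethodReplacement.DO_NOTHING);

        // 3. Before: rewrite the account-number argument of transferFunds(String) and log it.
        XposedHelpers.findAndHookMethod(BANK_MAIN, cl, "transferFunds", String.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        String original = (String) param.args[0];
                        param.args[0] = "0000000000"; // placeholder account number
                        XposedBridge.log("HookDemo: changed the account number from " + original);
                    }
                });

        // 4. Replace entirely: checkPassword(String) logs its argument and returns true.
        XposedHelpers.findAndHookMethod(BANK_MAIN, cl, "checkPassword", String.class,
                new XC_MethodReplacement() {
                    @Override
                    protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
                        XposedBridge.log("HookDemo: password = " + (String) param.args[0]);
                        return true; // autoboxed to Boolean for the boolean return type
                    }
                });

        // 5. After: log the String that generateToken() returned to its caller.
        XposedHelpers.findAndHookMethod(BANK_MAIN, cl, "generateToken",
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        XposedBridge.log("HookDemo: token = " + param.getResult());
                    }
                });
    }
}
```

Filter the output with `adb logcat | grep Xposed` to see the log lines each hook writes.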
Okay, this is the function we're going to be looking at and base our module on. So now we've identified the code that we need to hook, and we can go check out our module code. Show module code, step 8. Okay, so this is the code. This should look somewhat familiar; these imports are all the stuff that we talked about on the first, like, import slide. This is the full path for them from the XposedBridge jar, and like I said, this code is online, so you can check that out after. Our IXposedHookLoadPackage: we're implementing it, implementing the handleLoadPackage function, and we're checking if the app name is com.zynga.words, which is Words With Friends; that's their package name. It logs "hey, you're cheating," okay, it logs that just to let you know that it's on, and then it will hook the function that we had in com.zynga.words.d.a.a.a, so in that class, this method, and then it just returns true. So this takes a String, as we saw, and we're going to make it return true. So the reason I'm hooking com.zynga.words.d.a.a.a is because the path is com.zynga.words.d.a.a and the function name was a, with a String argument. Just so we're straight.

So I loaded this up; it rebooted, and, crossing my fingers, we'll go into Words With Friends, and this person's gonna be unhappy, I think. So this is like the classic example; it should still have my word... all right, that was a lot of points. So that's the classic... say I'm going to resign, because I feel bad for this person. So that's like the classic function hooking example right there, where I can play whatever I want just by changing the return value of one function.

We've got a couple more examples that are more relevant to the security-minded. So reverse engineering: I know, extract information, understand code. If you're going to be reverse engineering an Android app, you're going to be looking at a lot
of really unimportant code, only trying to find a certain section or something that is in the code, which is obfuscated; and to reiterate, obfuscated code, obfuscated variables, they can be annoying to find. So if the app checks its own signature, decompiling, editing the smali code and then recompiling is ruled out completely. You can dump with Xposed; you can dump variables to logs, a pattern that's calculated, just make the app do all the work for you. So let me make sure to look... so yeah, okay, so how many people in here have used this app? All right, good, I have a good audience set. So their API key is actually calculated based on the app's signature, so we're looking for that in the app. I mean, it's a couple of different commands. The getBytes method is used on the variable when requests are signed, so if we hook that function, we can dump everything out to the logs, including the API key itself.

So, as a side note, this app is heavily obfuscated, and like I said, that's the reason I wrote that shell script to unpack them. The obfuscation changes every time the app is updated, so while practicing my demo, the app had updated itself; this is a slightly older version. It still works on the new version, I just haven't taken the time to reverse it. My module was just crashing over and over, so I was like, why is this not working? It can't find that class, really, because they get renamed every time the app is recompiled, which sucks. So out of a lot of reversing (I play with this app a lot, and I did a lot of reversing), I found that the API key is actually stored in this right here, and I'll spare you that huge explanation, but we want to find out where this is set and try to hook that function, or try to find out what this is actually doing. I'm not in the right window; that's got to be the right project. So we're looking at where this is set, and luckily it's set in just this area. So we'll go into that file and check out why this is being set; it's this line here. Okay, so as you can see, the way this is all being calculated is this s1 is being fed into this a.d.c function, and s1 is calculated based on the app's signature: the base64-encoded SHA-1 hash of it. So that's passed into this a.d.c function, and then the return of that is put into the API key. So we're assuming that a.d.c generates this key ID that's used to sign requests. This is the prime example of not being able to decompile it and read the code, because if you decompile the application, unpack it and try to repackage it, its signature will change, so the API key will change, so none of the requests would be valid.

[Audience member:] What's up? You actually can do that; you just have to have another application read the signature of the other APK, and then you just hard-code what that signature is right there.

Yeah, that's one way to do it. I had tried to do that, and the actual mechanism for calculating the API keys is the next thing I'm gonna show. I tried to just grab that code, extract the signature myself and do it, but writing an Xposed module turned out to be a lot easier, because it's hooking one function to just dump that out and give it to me instead of having to calculate it. So we can see that a.d.c is what we're looking for, so I will go into that and show kind of where that's created, line 937. So this is our c function within the a.d class. It takes an MD5 hash of the input, that base64-encoded thing, and then runs this function a on the digest, and that function is on line 217, and it essentially just does a bunch of shifting and ridiculous stuff on this array to calculate some sort of key. And the array that it's doing that on is essentially at the bottom here: it's just all the hex characters you can have. So we're looking for some sort of hex thing, and we need to dump that to the logs. So where to dump it? How do I know that the getBytes function is relevant here? I know from previous research that each request has a user_long parameter to it, so they're sending a request to an API via HTTPS, and I know there's a parameter called user_long associated with it, so before every request it's tacked on, and I'm assuming that they're going to sign it right around there. So this took a bit of work to get to that, but it's a good
example of you know kind of associated this file qf Chad and as you can see we're adding salt and hash so whatever is in s4 is the hatch that we're generating so the API key is used to sign every request with a hash if your hash values not correct then it rejects what you're trying to send it so s fork is our hash and s4 is being assigned from this function a which I promise you is a function that just takes a tix you're basically to request URI and then it will take the key which is the API key i was talking though and it will hvac it will do any keen hatch on H max
shot 10 is the API key and the thing to hash is the request-uri those will both get dumped out of logs so we'll see those later so essentially we're using get da get fights so if we go function we can just dump that straight out of logs those have a couple more things but we kind of know what we're looking for ok so our module this is a little bit more if there's two things in here because i use the attack as another example so again I exposed load package implementing that handle load packages are function that we're going to be overriding here are implementing it checking if the application name is yet and then we're loading the module we're
cooking the method get fights here so we're hooking java.lang.string and then they get bites method of that so you can hook java internal classes anything that's accessible the java you count so we're creating a method hook and before it cook set we're just going to say this object this string object specifically just dump it out to the logs prefix by got bites so I can grow up for it fairly easily so this cool you can actually access the object that's inside or the object that this is being called on so whatever string it is I can grab it and dump it off the logs so now with any look I'm going to close this first
because it freaks them with any luck when I open the application I'll be able to see that it's dumps out yes I look tan able Wi-Fi perfect thanks again wpa2 it was connected to the wrong internet that's one okay let me go back to the app though so now our got bites function it's two out of three demos that work of maize okay so our God bikes got bites tags here we can see this is the key that we're looking for and so if you actually have before they implemented more security someone wrote up a big Python module to basically make requests to their end points so you could add you like add users make posts
up oak download things and so they they didn't let security the people were just scripting downloads of this and it got wiped off the planet for a couple days so that's the key to through the side of a request and now if we have that key we can throw that in that application and actually query like the RIT gig act from where we are and now so as a side note i'm going to make sure you refresh the page here as a side note this right here this API get messages accuracy this is the endpoints career this is what it's hashing so it's hashing this H max draw one hatch this with this keep so now
with that API key within that module we can actually see that we can we can get the GAT feed from their API to the Python script so we're using that to sign request to their server yeah they're pretty bad if you haven't heard of you gag before it's essentially like 4chan in like a 10 mile radius it's terrible all right we'll get that off the screen all right I got to disable them ought to show you guys the next part and then so today yes to replace your life that's fine I wanted to do all right so we'll say laughs so the sampling secured chicks so it's reverse if you've ever reverse engineer an application in Android application
and tried to figure out what it's doing reverse engineering application and figuring out how its building its requests this stuff is way harder than actually span in middle lane if you command in the middle you can see what's what's doing when and you can actually just you know grab the requests so we're going to do the same thing with you jack and I'll talk about that on excellent section so if the app employed is doing a thinning you're out of luck pretty much you need to disable that somehow or manually reverse engineer it you can disable spit a good thing with expose so we'll do that so the practice our second practical example is yet again um David
toys 50 penny so essentially what happens when you open the app and I'll show it and you're trying to man middle it will say no I can't even middles and say you have no internet which is obviously false because I have plenty of internet so I've through a bit of reversing and figuring out things i learned that SL is still up here unverified exception is thrown when the certificate is unknown so we're going to basically find that in the code and hook the function that's throwing enough to do nothing so man the middle some stuff how many going on time ten minutes it's very fiction so Rep yeah rip it so we're going to grep in our d compiled code like I said
I saved you daddy compilation step because it takes a little bit to go through everything especially with this because there's so many classes let me actually show you all of the class names there's your ridiculous I added the numbers because they were the same name and like I said on a case-sensitive file system so i'm going to scrap that again so it appears in a couple places i try it out most of them but we'll go with the first one because that's the one actually works and because the first one right all right go back to my glad I decided record these commands so we have this function that throws appear on verified exception at the bottom so
here's that so we don't want it to do that and as you can see as well certificate pinning failure ok so this string builder is the theta it's returning stringbuilder two strings what's returning as the exception message and so as you can see here it says certificate hanging failure we have that CD drive so we don't want this function to happen at all because it's going to start an exception so we kind of make note of that arguments it takes a string and a list and what it's called a so NCAA with the string and a list so now I'll show you guys and if you haven't used beiser by the way this is what I'm using to put this put my phone
up on the screen I was thinking about how to do this talk and I was I was like I can I hold my phone up or lose an emulator or what but this is actually a lot better so I'll show you guys that without this enabled it yells at me and it says internet connection actually appears to be offline which I'm definitely online I know that I've got Wi-Fi that has internet so it's something's going on right now I'm trying to man in middle of traffic so I have it I have a certificate installed from burp I have burp suite running over here and it's grabbing the stuff so if we go back here and we'll show the
module code before I reenable already enabled it now and then well I'm showing the module code it'll reboot and we can show that it's actually I put it here for a reason okay modules yea enable okay so this is the same much we looked at before but I didn't show you I didn't explain this line of code which is disabling certificate pinning i also have an example in here a replacement method that just logs whatever string its past and then returns null finding Huck method and CJ that was our class and then function name first argument is a string second argument is a list and then Ellen that loves attention and then our we're replacing the method we're
just saying hey man just don't just do anything all right so we don't want to throw that exception so if it doesn't run it's not going to throw that exception function you may be saying a well if that function does something else that is where things get complicated you actually have to start like really digging into this and figuring out like what to do but like I said this is a basic intro to explicit rework and how you can help stuff so I figured out that it doesn't do anything else besides just get painting that's all the checks so we just don't do it then I'll be fine all right waiting for my phone to Pluto so first wheats
running you guys have had you guys having how many people you spurt before or sweet yeah Roxy in the middle the issue is here HTS we need to cert you can install the circ within the Android certificate store and that will allow you two met in middle traffic that aren't traffic's that's not certificate and so it verifies a certificate you're outta luck and so basically that's what we're disabled within this application so waiting for my phone it's going to yell me any questions while we're here this is my last part so good did you publish the Python script the wholesale yeah it's somewhere on the internet is I did that I had had that from a while ago it
wasn't mine but I had like made changes to it so that I could I could I updated it so that I could query it again because they've changed their API a little bit since its kind of broken right now there's a lot of features that are out there like message posting uploading and downloading because I think they're rate limiting now you used to be able to just download things like continually and now you can't do that anymore they've actually improved their security to go which is good for them but i think it's the martin and it's called py AK jack and there's some code that I've contributed to that that i'm not sure if it works anymore have to fix
it but if you guys want i can publish just the part that gets the messages and prints them out to the screen sure kind of you demonstrated method hooky with objects that are from the java standard library how is the framework capable of hooking functions that take objects that are defined inside of the definitions by the application yes but you need to basically get the d compiled code and like make it acceptable for reading because it needs to know what the class is to be able to accept it you can recreate it you have all the code so you can recreate it that's a little bit more painful and that's kind of outside the scope of this talk because it takes
forever to do that if you're looking for a cool example of that i thought one of the projects that i fall on it has helped me did all this talk early I really lost as on the last slide talk about it when we get there good oh just a former common with a slight question so you sort of mentioned you really do anything too terribly nefarious with us but one of the issues I've seen with android app sec is that it's pretty bad you're not wrong now so immediately my first thought is let's try and hook something that's doing client-side input validation have you been covered with that um I mean I've seen a couple laps but I mean yeah like
words of friends of that example like that's the appliance I Belgian yeah sure something maybe a little bit more nefarious something where you actually doing like you know parsing for SQL general I haven't looked into that that's definitely something that's like mymy idea with this talk was I have these applications that I know work and our fun examples yeah but this is definitely like I said extendable to whatever else you know you can write a module if you can think about the module like if you can think about a function that you want to hook with inside the application you can change you can change the functionality the reverse engineering is like i said i was about
half this talk and it is a big big topic that people really need to get further into and that put out a hold two three talks devote to it itself so if you can find it you can change it pretty much within ok is your question someone all right so now we'll launch the app and we'll see hopefully cross my fingers on my last demo that it will grab it will grab the yes and at this point we can go over to our burp I'm know this font small I'm sorry and we can see that it squaring the API successfully and I'll actually put this in a vim window and just show it to you here copy
and so we can see that here's the API here's the actual query to the server and we are meddling all the traffic now and it's not yelling at us because oh hey you're not connect to the internet we disabled the certificate pinning check and now we can get all the traffic in the middle and we don't have to spend the time reverse engineering that whole like section of code that compiles this whole request so we can see them as they happen so like getting messages or posting things are uploading downloading whatever all right alright so other resources in the code the coaching this presentation the reversing tools the KPK decompiler script and the string search script on
there as well as the module are the unzip or expose mods has a couple mods there's one extra there's a fun module that will monitor google play music for Taylor Swift songs and skip them so I thought that was fun it was it's an interesting thing that's interesting module to look at as well because it access class attributes it's a kind of a practicing accessing class attributes so song name I to figure out what the hell that was and resolve it dynamically so that's a really cool little thing the there's a development tutorial by a guy that created the xposed framework he actually this small little tutorial has changed the clock read like change the
system clock read so he actually has an example of cooking zygote which is that first process and looking for the actual android UI so you can hook things with an android UI and not just in applications but that was coming outside the scope of this this talk the XDA forum there's a physics a forum for everything into it and there is one for the xposed framework and module development and modules themselves so go ahead and check out out here interested the export source code was something that I looked at a little bit just interested in it because it was just it's a really cool project and the guy that maintains it the guys have maintained it really like just
mind-blowing stuff how they came up with this and I was going to rewrite at process like great snap dress is the app that I was talking about Brad snap perhaps the source code for snap perhaps is great they have stuff on obfuscation like doing the obfuscation for snapchat it's basically a big snapchat library so you can like no screenshot notifications I think we can change the weather you can make it to like going a million miles an hour extra filters or stuff like that it doesn't work currently because update it that much but if you guys want to submit for us I'm sure you do both of them the source code is there and that
has a lot of examples of hooking stuff a lot of creating your own you is if you're looking into cooking UI elements and things like that that's definitely a project to look into and I did well on time Wow how do you put any of the questions from you guys you're more than welcome you approach me afterwards and yeah thank you guys for listening and coming to the soccer
you
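The two hooks described in the talk (dumping every String that goes through java.lang.String.getBytes so the signing key and request URI land in the log, and replacing the obfuscated method that throws the pinning exception with one that does nothing) are shown below as one added example module. This is not the speaker's module and not code from the linked repos; the package name, the class name cj and the method name a are placeholders for the obfuscated names the speaker found, which change with every release of the target app and must be re-derived from a fresh decompile. Everything else is the public Xposed API (IXposedHookLoadPackage, XposedHelpers.findAndHookMethod, XC_MethodHook, XC_MethodReplacement, XposedBridge.log).

```java
package com.example.xposeddemo; // hypothetical package for this added example

import java.util.List;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class DemoModule implements IXposedHookLoadPackage {

    // Assumed values: the talk does not give the real package name, and the
    // obfuscated class/method names are renamed on every app update, so these
    // must be re-derived from a fresh decompile of the exact version installed.
    private static final String TARGET_PACKAGE = "com.example.targetapp";
    private static final String PINNING_CLASS  = "cj";   // obfuscated class name
    private static final String PINNING_METHOD = "a";    // obfuscated method name

    // Re-entrancy guard: if the logging path ever calls String.getBytes itself,
    // the getBytes hook would otherwise recurse into its own log call.
    private static final ThreadLocal<Boolean> IN_HOOK = new ThreadLocal<Boolean>() {
        @Override protected Boolean initialValue() { return Boolean.FALSE; }
    };

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Only touch the process we care about: String.getBytes is called
        // constantly, and hooking it in every app would flood the log.
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }
        XposedBridge.log("DemoModule: loaded into " + lpparam.packageName);

        hookGetBytes();
        disablePinningCheck(lpparam.classLoader);
    }

    /** Log every String the app converts to bytes. The HMAC key (the API key)
     *  and the request URI both pass through here before the hash is computed,
     *  so grepping the Xposed log for "getBytes:" recovers them. */
    private void hookGetBytes() {
        XC_MethodHook dumpThisString = new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) {
                if (IN_HOOK.get()) return;
                IN_HOOK.set(Boolean.TRUE);
                try {
                    // thisObject is the String instance getBytes was invoked on.
                    XposedBridge.log("getBytes: " + param.thisObject);
                } finally {
                    IN_HOOK.set(Boolean.FALSE);
                }
            }
        };
        // Hook both overloads an app is likely to use: getBytes() and getBytes(String charsetName).
        XposedHelpers.findAndHookMethod(String.class, "getBytes", dumpThisString);
        XposedHelpers.findAndHookMethod(String.class, "getBytes", String.class, dumpThisString);
    }

    /** Replace the method that throws SSLPeerUnverifiedException on a pin
     *  mismatch with one that logs its String argument and returns null.
     *  This is only safe because, as in the talk, the decompiled method does
     *  nothing other than the pin check; if it had other side effects, a
     *  replacement would break them too. */
    private void disablePinningCheck(ClassLoader cl) {
        try {
            XposedHelpers.findAndHookMethod(PINNING_CLASS, cl, PINNING_METHOD,
                    String.class, List.class, new XC_MethodReplacement() {
                        @Override
                        protected Object replaceHookedMethod(MethodHookParam param) {
                            XposedBridge.log("pinning check skipped for: " + param.args[0]);
                            return null;
                        }
                    });
        } catch (XposedHelpers.ClassNotFoundError | NoSuchMethodError e) {
            // The obfuscated names changed (new app version): fail loudly rather
            // than silently leaving pinning in place and wondering why MITM fails.
            XposedBridge.log("DemoModule: pinning hook not installed: " + e);
        }
    }
}
```

To ship this as a module the APK also needs the usual Xposed plumbing the talk's repos rely on: the xposedmodule, xposedminversion and xposeddescription meta-data entries in AndroidManifest.xml and an assets/xposed_init file naming the class above; the hooks take effect only after the module is enabled in the Xposed Installer and the phone is rebooted. Output shows up in the Xposed log and in logcat under the Xposed tag, so `adb logcat -s Xposed | grep getBytes:` is the quickest way to pull the key and URI out once the app makes a request.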