SlideShare a Scribd company logo

Inc0gnito 2015 Android DEX Analysis Technique

남준 김
남준 김

KIM NAMJUN (SEJONG SECURITY GROUP)

Engineering
1 of 60
Download to read offline
Android Deep DEX Analysis Technique 세종대학교 SSG 김남준
S.S.G In this session.. • How Android translate DEX file format inside APK file • Deep Analysis of DEX file (class, method recovery) • Translate DEX bytecode • How we extract information from malicious DEX file • Apply to Real World (smishing.kr) 2015. 8. 28. 2
S.S.G About Speaker • 김남준 (20) 세종대학교 정보보호학과 15 (고3 탈출!) + 작년 고등학생 인코 발표자 Newbie of Sejong Security Group UpRoot Researcher KITRI Best of the Best 3기 여친구함
 
 E-mail : admin@smishing.kr 
 Blog : blog.smishing.kr
 Web : smishing.kr
 2015. 8. 28. 3 Special Thanks to @공기반여자반 Pictured by @유정빈
S.S.G What is DEX file • Dalvik Executable File Format • Specially designed for Embedded System • It can run on DVM inside Android • Actually, DVM is different between JVM 2015. 8. 28. 4
S.S.G Standard Android Translation Process 2015. 8. 28. 5 JAVA Code Dalvik bytecode public class MainActivity.. { public static void onCreate(s..) { super.onCreate(savedInsta..) .. public string TAG = “S.S.G”; Log.i(TAG, “sejong S.S.G”); } } .class public Lbunseokbot/MainActivity .source MainActivity.java .method public static onCreate(..)V const-string v0, “S.S.G” const-string v1, “sejong S.S.G” invoke-static {v0, v1}, L/android/util/Log -> i(Ljava/lang/String;Ljava/lang/String;)I return-void
S.S.G Building Android Application 2015. 8. 28. 6 JAVA Code Translator Dalvik Bytecode
S.S.G Translator 2015. 8. 28. 7 Java Translator Dalvik Translator
S.S.G Java Language • Object-Oriented Programming Language • Easy to “DECOMPILE” • Running on Java Virtual Machine as “JAR” File • Actually, JVM is different between DVM • use for “native” (NOT JNI) Android Programming 2015. 8. 28. 8
S.S.G Different between JAR and DEX • Java Archive File -> Package File Format • Java class files + metadata + resources • each class have independent class file • “Class Level File Management” 2015. 8. 28. 9
S.S.G Different between JAR and DEX • Dalvik Execution File • Single DEX file • specified for Embedded..? (Mobile, PDA..?) 2015. 8. 28. 10
S.S.G Different between JVM and DVM 2015. 8. 28. 11 Dalvik Virtual Machine Java Virtual Machine Register Based Stack Based Constant Pool per Application Constant Pool per Class Supply Just-In Time Execution
S.S.G We have to understand and Translate DEX File as different technique 2015. 8. 28. 12
S.S.G Normally.. we use “dex2jar” 2015. 8. 28. 13
S.S.G or.. baksmali! 2015. 8. 28. 14 How baksmali translate it?
S.S.G inside DEX file 2015. 8. 28. 15 Header string_ids type_ids proto_ids Method, Class.. Standalone DEX file Header Info item size item offset Header Structure
S.S.G inside DEX file 2015. 8. 28. 16 Header string_ids type_ids proto_ids Method, Class.. String where code contains (only Address) Class, Method type container (only Address) Class, Method parameter return info (only Address) real Method, Class, Field, Data container
S.S.G inside DEX file 2015. 8. 28. 17 Header Info item size item offset Header Section-name
S.S.G Now, We analyze DEX file 2015. 8. 28. 18 public class MyActivity extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); Log.i(“S.S.G”, “DEX File Analyze Testing”); } } Log/i S.S.G DEX File Analyze Testing
S.S.G How to Analysis DEX file 2015. 8. 28. 19 • DEX Parser for Python v0.0.1 • https://github.com/bunseokbot/dexparser • pip install dexparser
S.S.G 1. DEX Header 2015. 8. 28. 20
S.S.G 1. DEX Header 2015. 8. 28. 21 d.header_info() -> Dictionary Type d.header_info()[‘string_ids_size’] d.header_info()[‘string_ids_off’]
S.S.G 2. Parse string_ids section 2015. 8. 28. 22 • 1. extract string_ids section offset, size • 2. parse string_data offset for access string_data_item • 3. translate to Language from string_data_item
S.S.G 2. Parse string_ids section 2015. 8. 28. 23
S.S.G 2. Parse string_ids section 2015. 8. 28. 24
S.S.G 2. Parse string_ids section 2015. 8. 28. 25 0x40001000 0x40001000 My Test DEX Parser Test String MyActivity LLVM string_ids_item string_data_item
S.S.G 2. Parse string_ids section 2015. 8. 28. 26
S.S.G 3. Parse type_ids section 2015. 8. 28. 27 search from string_ids
S.S.G 3. Parse type_ids section 2015. 8. 28. 28 this is descriptor_idx list
S.S.G 3. Parse type_ids section 2015. 8. 28. 29
S.S.G 3. Parse type_ids section 2015. 8. 28. 30 http://source.android.com/devices/tech/dalvik/dex-format.html#top
S.S.G 4. Parse proto_ids section 2015. 8. 28. 31
S.S.G 4. Parse proto_ids section 2015. 8. 28. 32 parameters_offset Access to “data” section directly and parse offset
S.S.G 4. Parse proto_ids section 2015. 8. 28. 33
S.S.G 4. Parse proto_ids section 2015. 8. 28. 34
S.S.G 5. get Method Information 2015. 8. 28. 35
S.S.G 5. get Method Information 2015. 8. 28. 36 string_ids type_ids proto_ids method_ids
S.S.G 5. get Method Information 2015. 8. 28. 37
S.S.G 5. get Method Information 2015. 8. 28. 38
S.S.G 6. get Class Information 2015. 8. 28. 39 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off each class have it
S.S.G 6. get Class Information 2015. 8. 28. 40 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off ACCESS_FLAG Source File index associated class data offset class level static value offset
S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 41 VARIOUS TYPE OF ACCESS_FLAG!
S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 42 public static void myFunction() {} ACC_PUBLIC = 0x1 ACC_STATIC = 0x8 —————————— ACCESS_FLAG = 0x9
S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 43
S.S.G 6. class_data_item 2015. 8. 28. 44 static_fields_size direct_method_size instance_fields_size direct_methods instances_fields static_fields virtual_method_size virtual_methods each class have it
S.S.G 6. class_data_item 2015. 8. 28. 45
S.S.G 6. leb128? 2015. 8. 28. 46 • Little-Endian Based 128 • Type : Unsigned & Signed • following DWARF Format • for encoding variable-length, arbitrary signed or unsigned int
S.S.G 6. leb128? 2015. 8. 28. 47 return value is (result, size)
S.S.G 6. get Class Information! 2015. 8. 28. 48
S.S.G 6. get Class Information! 2015. 8. 28. 49
S.S.G Apply to Real World 2015. 8. 28. 50 • smishing.kr
S.S.G isolate Real Permission 2015. 8. 28. 51 • Usually, Android Malware Analyzer’s check this thing!
 “Searching Permission info from AndroidManifest.xml” • BUT.. • Recently, Attacker register all uses-permission to AndroidManifest.xml
S.S.G isolate Real Permission 2015. 8. 28. 52 android.permission.* • If application want to use Permission such as INTERNET, ACCESS_COURSE_LOCATION. They must call “Authorized Function”
S.S.G Logical Permission Enforcement 2015. 8. 28. 53 Marakana Inc. Andsec
S.S.G isolate Real Permission 2015. 8. 28. 54 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
S.S.G isolate Real Permission 2015. 8. 28. 55 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
S.S.G For Example.. 2015. 8. 28. 56 android.permission.INTERNET invoke-direct {v0, v1}, Lorg/../HttpGet;-><init>(Ljava/lang/String;)V Lorg/../HttpGet class “Approve” to access Internet Module Network connection success!
S.S.G Where to get Function Mapping.. 2015. 8. 28. 57 • inside Android Source…? • “Androguard” have it • https://github.com/androguard/androguard
S.S.G in Androguard 2015. 8. 28. 58 • in androguard/core/bytecodes/api_permission.py
S.S.G Conclusion 2015. 8. 28. 59 • DEX have “Simple” structure • source.android.com have specific DEX file info • If you use “dexparser” in Python, You’ll be easy to parse DEX and analyze. • DEXCrypt, DEXGuard have same structure! • DEX Research is very fun!
S.S.G2015. 8. 28. 감사합니다

Recommended

Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolGabor Paller
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeAlain Leon
 
Dancing with dalvik
Dancing with dalvikDancing with dalvik
Dancing with dalvikThomas Richards
 
The dedexer disassembler
The dedexer disassemblerThe dedexer disassembler
The dedexer disassemblerGabor Paller
 
How to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineHow to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineChun-Yu Wang
 
NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)Ron Munitz
 
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovJava 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovSvetlin Nakov
 
NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)Ron Munitz
 

Recommended

Understanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolUnderstanding the Dalvik bytecode with the Dedexer tool
Understanding the Dalvik bytecode with the Dedexer toolGabor Paller
 
LinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeLinkedIn - Disassembling Dalvik Bytecode
LinkedIn - Disassembling Dalvik BytecodeAlain Leon
 
Dancing with dalvik
Dancing with dalvikDancing with dalvik
Dancing with dalvikThomas Richards
 
The dedexer disassembler
The dedexer disassemblerThe dedexer disassembler
The dedexer disassemblerGabor Paller
 
How to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineHow to implement a simple dalvik virtual machine
How to implement a simple dalvik virtual machineChun-Yu Wang
 
NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)Ron Munitz
 
Java 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovJava 7 - New Features - by Mihail Stoynov and Svetlin Nakov
Java 7 - New Features - by Mihail Stoynov and Svetlin NakovSvetlin Nakov
 
NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)Ron Munitz
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applicationsDmitry Matyukhin
 
I Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeI Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeAlexander Shopov
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
Android JNI
Android JNIAndroid JNI
Android JNISiva Ramakrishna kv
 
Lifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeLifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeAlexander Shopov
 
Lifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeLifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeAlexander Shopov
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Java Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateJava Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateAnton Keks
 
Java Course 2: Basics
Java Course 2: BasicsJava Course 2: Basics
Java Course 2: BasicsAnton Keks
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionGanesh Samarthyam
 
Java Course 3: OOP
Java Course 3: OOPJava Course 3: OOP
Java Course 3: OOPAnton Keks
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationDavid Jorm
 
Open arkcompiler
Open arkcompilerOpen arkcompiler
Open arkcompileryiwei yang
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to javaAjay Sharma
 
Java se7 features
Java se7 featuresJava se7 features
Java se7 featuresKumaraswamy M
 
Java Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsJava Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsAnton Keks
 
Metamodeling of custom Pharo images
Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo imagesESUG
 
New Features Of JDK 7
New Features Of JDK 7New Features Of JDK 7
New Features Of JDK 7Deniz Oguz
 
Core java
Core javaCore java
Core javakasaragaddaslide
 
Core java complete ppt(note)
Core java complete ppt(note)Core java complete ppt(note)
Core java complete ppt(note)arvind pandey
 
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixOSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixManish Pandit
 
ASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyMałgorzata Borzęcka
 

More Related Content

What's hot

Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applicationsDmitry Matyukhin
 
I Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeI Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeAlexander Shopov
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
Lifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeLifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeAlexander Shopov
 
Lifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeLifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeAlexander Shopov
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Java Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateJava Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateAnton Keks
 
Java Course 2: Basics
Java Course 2: BasicsJava Course 2: Basics
Java Course 2: BasicsAnton Keks
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionGanesh Samarthyam
 
Java Course 3: OOP
Java Course 3: OOPJava Course 3: OOP
Java Course 3: OOPAnton Keks
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationDavid Jorm
 
Open arkcompiler
Open arkcompilerOpen arkcompiler
Open arkcompileryiwei yang
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to javaAjay Sharma
 
Java Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsJava Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsAnton Keks
 
Metamodeling of custom Pharo images
Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo imagesESUG
 
New Features Of JDK 7
New Features Of JDK 7New Features Of JDK 7
New Features Of JDK 7Deniz Oguz
 
Core java complete ppt(note)
Core java complete ppt(note)Core java complete ppt(note)
Core java complete ppt(note)arvind pandey
 

What's hot (20)

Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applications
 
I Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java BytecodeI Know Kung Fu - Juggling Java Bytecode
I Know Kung Fu - Juggling Java Bytecode
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applications
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Lifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java BytecodeLifting The Veil - Reading Java Bytecode
Lifting The Veil - Reading Java Bytecode
 
Lifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During LunchtimeLifting The Veil - Reading Java Bytecode During Lunchtime
Lifting The Veil - Reading Java Bytecode During Lunchtime
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Java Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, HibernateJava Course 15: Ant, Scripting, Spring, Hibernate
Java Course 15: Ant, Scripting, Spring, Hibernate
 
Java Course 2: Basics
Java Course 2: BasicsJava Course 2: Basics
Java Course 2: Basics
 
College Project - Java Disassembler - Description
College Project - Java Disassembler - DescriptionCollege Project - Java Disassembler - Description
College Project - Java Disassembler - Description
 
Java Course 3: OOP
Java Course 3: OOPJava Course 3: OOP
Java Course 3: OOP
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserialization
 
Open arkcompiler
Open arkcompilerOpen arkcompiler
Open arkcompiler
 
Introduction to java
Introduction to javaIntroduction to java
Introduction to java
 
Java se7 features
Java se7 featuresJava se7 features
Java se7 features
 
Java Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & EncodingsJava Course 7: Text processing, Charsets & Encodings
Java Course 7: Text processing, Charsets & Encodings
 
Metamodeling of custom Pharo images
Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo images
 
New Features Of JDK 7
New Features Of JDK 7New Features Of JDK 7
New Features Of JDK 7
 
Core java
Core javaCore java
Core java
 
Core java complete ppt(note)
Core java complete ppt(note)Core java complete ppt(note)
Core java complete ppt(note)
 

Similar to Inc0gnito 2015 Android DEX Analysis Technique

OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixOSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixManish Pandit
 
ASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyMałgorzata Borzęcka
 
7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script Task7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script TaskPramod Singla
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension DevelopmentDrew Skwiers-Koballa
 
Vortex Tutorial -- Part I
Vortex Tutorial -- Part IVortex Tutorial -- Part I
Vortex Tutorial -- Part IAngelo Corsaro
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondGuardSquare
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondGuardSquare
 
Building Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JSBuilding Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JSMats Bryntse
 
Multi-tenancy with Rails
Multi-tenancy with RailsMulti-tenancy with Rails
Multi-tenancy with RailsPaul Gallagher
 
Getting started with titanium
Getting started with titaniumGetting started with titanium
Getting started with titaniumNaga Harish M
 
How to generate customized java 8 code from your database
How to generate customized java 8 code from your databaseHow to generate customized java 8 code from your database
How to generate customized java 8 code from your databaseSpeedment, Inc.
 
Silicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your databaseSilicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your databaseSpeedment, Inc.
 
Machine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta LakeMachine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta LakeDatabricks
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Getting started with Appcelerator Titanium
Getting started with Appcelerator TitaniumGetting started with Appcelerator Titanium
Getting started with Appcelerator TitaniumTechday7
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco IntercloudRick Bilodeau
 
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco IntercloudStreamsets Inc.
 

Similar to Inc0gnito 2015 Android DEX Analysis Technique (20)

OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at NetflixOSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
OSCON 2014 - API Ecosystem with Scala, Scalatra, and Swagger at Netflix
 
ASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in TechnologyASP.NET MVC Workshop for Women in Technology
ASP.NET MVC Workshop for Women in Technology
 
7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script Task7\9 SSIS 2008R2_Training - Script Task
7\9 SSIS 2008R2_Training - Script Task
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
 
Azure Data Studio Extension Development
Azure Data Studio Extension DevelopmentAzure Data Studio Extension Development
Azure Data Studio Extension Development
 
PrismTech Vortex Tutorial Part 1
PrismTech Vortex Tutorial Part 1PrismTech Vortex Tutorial Part 1
PrismTech Vortex Tutorial Part 1
 
Vortex Tutorial -- Part I
Vortex Tutorial -- Part IVortex Tutorial -- Part I
Vortex Tutorial -- Part I
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyond
 
Eric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyondEric Lafortune - Fighting application size with ProGuard and beyond
Eric Lafortune - Fighting application size with ProGuard and beyond
 
Building Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JSBuilding Rich Internet Applications with Ext JS
Building Rich Internet Applications with Ext JS
 
Multi-tenancy with Rails
Multi-tenancy with RailsMulti-tenancy with Rails
Multi-tenancy with Rails
 
Getting started with titanium
Getting started with titaniumGetting started with titanium
Getting started with titanium
 
How to generate customized java 8 code from your database
How to generate customized java 8 code from your databaseHow to generate customized java 8 code from your database
How to generate customized java 8 code from your database
 
Silicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your databaseSilicon Valley JUG - How to generate customized java 8 code from your database
Silicon Valley JUG - How to generate customized java 8 code from your database
 
Machine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta LakeMachine Learning Data Lineage with MLflow and Delta Lake
Machine Learning Data Lineage with MLflow and Delta Lake
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
Getting started with Appcelerator Titanium
Getting started with Appcelerator TitaniumGetting started with Appcelerator Titanium
Getting started with Appcelerator Titanium
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets at Cisco Intercloud
 
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco IntercloudCase Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
Case Study: Elasticsearch Ingest Using StreamSets @ Cisco Intercloud
 

More from 남준 김

보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기남준 김
 
Pokemon Go Android Malware Analysis
Pokemon Go Android Malware AnalysisPokemon Go Android Malware Analysis
Pokemon Go Android Malware Analysis남준 김
 
숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기남준 김
 
BoB Information Security Conference
BoB Information Security Conference BoB Information Security Conference
BoB Information Security Conference 남준 김
 
RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1남준 김
 
나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!남준 김
 

More from 남준 김 (6)

보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기보안 스타트업 분석가가 Django로 웹 서비스 개발하기
보안 스타트업 분석가가 Django로 웹 서비스 개발하기
 
Pokemon Go Android Malware Analysis
Pokemon Go Android Malware AnalysisPokemon Go Android Malware Analysis
Pokemon Go Android Malware Analysis
 
숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기숙명여자대학교 식당검색기 gonggang.party 개발기
숙명여자대학교 식당검색기 gonggang.party 개발기
 
BoB Information Security Conference
BoB Information Security Conference BoB Information Security Conference
BoB Information Security Conference
 
RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1RDP Packet Analysis 삽질기 - Basic Level 1
RDP Packet Analysis 삽질기 - Basic Level 1
 
나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!나는 캡챠 스미싱이 싫어요!
나는 캡챠 스미싱이 싫어요!
 

Recently uploaded

(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 

Recently uploaded (20)

(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 

Inc0gnito 2015 Android DEX Analysis Technique

  • 1. Android Deep DEX Analysis Technique 세종대학교 SSG 김남준
  • 2. S.S.G In this session.. • How Android translate DEX file format inside APK file • Deep Analysis of DEX file (class, method recovery) • Translate DEX bytecode • How we extract information from malicious DEX file • Apply to Real World (smishing.kr) 2015. 8. 28. 2
  • 3. S.S.G About Speaker • 김남준 (20) 세종대학교 정보보호학과 15 (고3 탈출!) + 작년 고등학생 인코 발표자 Newbie of Sejong Security Group UpRoot Researcher KITRI Best of the Best 3기 여친구함
 
 E-mail : admin@smishing.kr 
 Blog : blog.smishing.kr
 Web : smishing.kr
 2015. 8. 28. 3 Special Thanks to @공기반여자반 Pictured by @유정빈
  • 4. S.S.G What is DEX file • Dalvik Executable File Format • Specially designed for Embedded System • It can run on DVM inside Android • Actually, DVM is different between JVM 2015. 8. 28. 4
  • 5. S.S.G Standard Android Translation Process 2015. 8. 28. 5 JAVA Code Dalvik bytecode public class MainActivity.. { public static void onCreate(s..) { super.onCreate(savedInsta..) .. public string TAG = “S.S.G”; Log.i(TAG, “sejong S.S.G”); } } .class public Lbunseokbot/MainActivity .source MainActivity.java .method public static onCreate(..)V const-string v0, “S.S.G” const-string v1, “sejong S.S.G” invoke-static {v0, v1}, L/android/util/Log -> i(Ljava/lang/String;Ljava/lang/String;)I return-void
  • 6. S.S.G Building Android Application 2015. 8. 28. 6 JAVA Code Translator Dalvik Bytecode
  • 7. S.S.G Translator 2015. 8. 28. 7 Java Translator Dalvik Translator
  • 8. S.S.G Java Language • Object-Oriented Programming Language • Easy to “DECOMPILE” • Running on Java Virtual Machine as “JAR” File • Actually, JVM is different between DVM • use for “native” (NOT JNI) Android Programming 2015. 8. 28. 8
  • 9. S.S.G Different between JAR and DEX • Java Archive File -> Package File Format • Java class files + metadata + resources • each class have independent class file • “Class Level File Management” 2015. 8. 28. 9
  • 10. S.S.G Different between JAR and DEX • Dalvik Execution File • Single DEX file • specified for Embedded..? (Mobile, PDA..?) 2015. 8. 28. 10
  • 11. S.S.G Different between JVM and DVM 2015. 8. 28. 11 Dalvik Virtual Machine Java Virtual Machine Register Based Stack Based Constant Pool per Application Constant Pool per Class Supply Just-In Time Execution
  • 12. S.S.G We have to understand and Translate DEX File as different technique 2015. 8. 28. 12
  • 13. S.S.G Normally.. we use “dex2jar” 2015. 8. 28. 13
  • 14. S.S.G or.. baksmali! 2015. 8. 28. 14 How baksmali translate it?
  • 15. S.S.G inside DEX file 2015. 8. 28. 15 Header string_ids type_ids proto_ids Method, Class.. Standalone DEX file Header Info item size item offset Header Structure
  • 16. S.S.G inside DEX file 2015. 8. 28. 16 Header string_ids type_ids proto_ids Method, Class.. String where code contains (only Address) Class, Method type container (only Address) Class, Method parameter return info (only Address) real Method, Class, Field, Data container
  • 17. S.S.G inside DEX file 2015. 8. 28. 17 Header Info item size item offset Header Section-name
  • 18. S.S.G Now, We analyze DEX file 2015. 8. 28. 18 public class MyActivity extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); Log.i(“S.S.G”, “DEX File Analyze Testing”); } } Log/i S.S.G DEX File Analyze Testing
  • 19. S.S.G How to Analysis DEX file 2015. 8. 28. 19 • DEX Parser for Python v0.0.1 • https://github.com/bunseokbot/dexparser • pip install dexparser
  • 21. S.S.G 1. DEX Header 2015. 8. 28. 21 d.header_info() -> Dictionary Type d.header_info()[‘string_ids_size’] d.header_info()[‘string_ids_off’]
  • 22. S.S.G 2. Parse string_ids section 2015. 8. 28. 22 • 1. extract string_ids section offset, size • 2. parse string_data offset for access string_data_item • 3. translate to Language from string_data_item
  • 23. S.S.G 2. Parse string_ids section 2015. 8. 28. 23
  • 24. S.S.G 2. Parse string_ids section 2015. 8. 28. 24
  • 25. S.S.G 2. Parse string_ids section 2015. 8. 28. 25 0x40001000 0x40001000 My Test DEX Parser Test String MyActivity LLVM string_ids_item string_data_item
  • 26. S.S.G 2. Parse string_ids section 2015. 8. 28. 26
  • 27. S.S.G 3. Parse type_ids section 2015. 8. 28. 27 search from string_ids
  • 28. S.S.G 3. Parse type_ids section 2015. 8. 28. 28 this is descriptor_idx list
  • 29. S.S.G 3. Parse type_ids section 2015. 8. 28. 29
  • 30. S.S.G 3. Parse type_ids section 2015. 8. 28. 30 http://source.android.com/devices/tech/dalvik/dex-format.html#top
  • 31. S.S.G 4. Parse proto_ids section 2015. 8. 28. 31
  • 32. S.S.G 4. Parse proto_ids section 2015. 8. 28. 32 parameters_offset Access to “data” section directly and parse offset
  • 33. S.S.G 4. Parse proto_ids section 2015. 8. 28. 33
  • 34. S.S.G 4. Parse proto_ids section 2015. 8. 28. 34
  • 35. S.S.G 5. get Method Information 2015. 8. 28. 35
  • 36. S.S.G 5. get Method Information 2015. 8. 28. 36 string_ids type_ids proto_ids method_ids
  • 37. S.S.G 5. get Method Information 2015. 8. 28. 37
  • 38. S.S.G 5. get Method Information 2015. 8. 28. 38
  • 39. S.S.G 6. get Class Information 2015. 8. 28. 39 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off each class have it
  • 40. S.S.G 6. get Class Information 2015. 8. 28. 40 class_idx superclass_idx access_flags class_data_off annotation_off source_file_idx interfaces_off static_values_off ACCESS_FLAG Source File index associated class data offset class level static value offset
  • 41. S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 41 VARIOUS TYPE OF ACCESS_FLAG!
  • 42. S.S.G 6. calculate ACCESS_FLAG 2015. 8. 28. 42 public static void myFunction() {} ACC_PUBLIC = 0x1 ACC_STATIC = 0x8 —————————— ACCESS_FLAG = 0x9
  • 44. S.S.G 6. class_data_item 2015. 8. 28. 44 static_fields_size direct_method_size instance_fields_size direct_methods instances_fields static_fields virtual_method_size virtual_methods each class have it
  • 46. S.S.G 6. leb128? 2015. 8. 28. 46 • Little-Endian Based 128 • Type : Unsigned & Signed • following DWARF Format • for encoding variable-length, arbitrary signed or unsigned int
  • 47. S.S.G 6. leb128? 2015. 8. 28. 47 return value is (result, size)
  • 48. S.S.G 6. get Class Information! 2015. 8. 28. 48
  • 49. S.S.G 6. get Class Information! 2015. 8. 28. 49
  • 50. S.S.G Apply to Real World 2015. 8. 28. 50 • smishing.kr
  • 51. S.S.G isolate Real Permission 2015. 8. 28. 51 • Usually, Android Malware Analyzer’s check this thing!
 “Searching Permission info from AndroidManifest.xml” • BUT.. • Recently, Attacker register all uses-permission to AndroidManifest.xml
  • 52. S.S.G isolate Real Permission 2015. 8. 28. 52 android.permission.* • If application want to use Permission such as INTERNET, ACCESS_COURSE_LOCATION. They must call “Authorized Function”
  • 53. S.S.G Logical Permission Enforcement 2015. 8. 28. 53 Marakana Inc. Andsec
  • 54. S.S.G isolate Real Permission 2015. 8. 28. 54 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
  • 55. S.S.G isolate Real Permission 2015. 8. 28. 55 android.permission.* • invoke-* [parameter] [call method]
 -> direct
 -> virtual
 -> super
 -> static
 -> interface
  • 56. S.S.G For Example.. 2015. 8. 28. 56 android.permission.INTERNET invoke-direct {v0, v1}, Lorg/../HttpGet;-><init>(Ljava/lang/String;)V Lorg/../HttpGet class “Approve” to access Internet Module Network connection success!
  • 57. S.S.G Where to get Function Mapping.. 2015. 8. 28. 57 • inside Android Source…? • “Androguard” have it • https://github.com/androguard/androguard
  • 58. S.S.G in Androguard 2015. 8. 28. 58 • in androguard/core/bytecodes/api_permission.py
  • 59. S.S.G Conclusion 2015. 8. 28. 59 • DEX have “Simple” structure • source.android.com have specific DEX file info • If you use “dexparser” in Python, You’ll be easy to parse DEX and analyze. • DEXCrypt, DEXGuard have same structure! • DEX Research is very fun!