It's just a tutorial to Android app hacking. Wanna know more? You can contact FB: Landice Fu email: rusty.flower@gmail.com

1. Learning by Hacking
Android application
hacking tutorial Landice Fu!
rusty.flower@gmail.com

2. About me
Landice Fu
Android system developer at ASUS!
!
FOSS user and promoter!
!
Android app hacker!
!
Ruby / JAVA / C / Qt

3. Android application hacking tutorial
Background
Knowledge
❖ Java!
❖ Android Application Design!
❖ Using Android Logcat with
Android Debug Bridge (ADB)!
❖ Assembly syntax

4. My proclamation about this presentation
❖ The application binary and
decompiled code I use in this
presentation are only for
teaching and learning!
!
❖ After the presentation, I would
not provide or use them in
ANY circumstances and I will
immediately delete them

5. You must be really bad!
❖ Pirate!
❖ Stealing accounts and data!
❖ Mess up the device!
❖ BitCoin mining using others’ device

7. What about…
❖ UI Localization!
❖ Ad. removal!
❖ Resource extraction!
❖ Wow, that’s cool!
How did you do that?!
❖ Fix the bug yourself!
❖ Get to know your enemy and
how to better protect your
product!
❖ Add some features to it
Are you kidding?

9. APKTOOL
❖ https://code.google.com/p/android-apktool/!
❖ Command line tool for disassembling/assembling APK!
❖ Decompile APK
apktool d file_name.apk!
❖ Rebuild APK
apktool b folder_name

10. xxxxx!Free
Localization Demo
❖ You don’t even need to know how to
write android app or JAVA!
!
❖ Android multi-language support
mechanism [1][2]!
!
[1] http://developer.android.com/training/basics/supporting-devices/languages.html! !
[2] http://jjnnykimo.pixnet.net/blog/post/37831205-android%E5%A4%9A%E5%9C%8B%E8%AA
%9E%E8%A8%80%E8%B3%87%E6%96%99%E5%A4%BE%E5%91%BD%E5%90%8D
%E6%96%B9%E5%BC%8F

11. Localization Demo
❖ Get the original APK!
❖ AndroidAssistant (backup)!
❖ /data/app/ (root access)!
❖ Copy values folder to
values-zh-rTW!
❖ Localize the content of
values-zh-rTW/strings.xml!
❖ Build and sign the APK

12. Smali/Baksmali
❖ Assembler/disassembler for the dex format used by Dalvik!
❖ The syntax is loosely based on Jasmin’s dedexer's syntax!
❖ Supports the full functionality of the dex format!
❖ Annotations (@Override, @SuppressWarnings …)!
❖ Debug Information!
❖ Line Information!
❖ Etc.!
❖ https://code.google.com/p/smali/

13. Dalvik opcodes
❖ Write a simple application and decompile it and see how it is
turned into Dalvik operations!
❖ http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html!
❖ http://www.netmite.com/android/mydroid/dalvik/docs/
dalvik-bytecode.html

14. Types in smali
Smali JAVA Primitive Type
V void - can only be used for return types
Z boolean
B byte
S short
C char
I int
J long (64 bits)
F float
D double
Class Object Lcom/lansion/myapp/xxxparser;

15. Framework Resource
❖ Some code and resources that are built into the Android
system on your device!
❖ /system/framework/framework-res.apk!
❖ Installing framework resource for apktool
apktool if framework-res.apk

16. Integrated
Development Hacking
Environment

17. Virtuous Ten Studio (VTS)
❖ Integrated Reverse Engineering Environment for APK!
❖ Built-in ApkTool, ADB, Zipalign, Sign, dex2jar…!
❖ Support for APKs and framework JARs!
❖ Text editing of smali, xml files with syntax highlighting, live
checking and code folding!
❖ M10 file editing (HTC Sense)!
❖ Unpack/ repack boot images!
❖ Generate JAVA sources using multiple libraries!
❖ http://virtuous-ten-studio.com/

18. Demo: Remove the ad. from xxxxx!free
❖ What you need!
❖ Know the API of libraries!
❖ Know the API of Android!
❖ Luck!
❖ Patience!
❖ Tip1 : When you don’t know how to do something in
smali, just write it in JAVA and decompile it

19. Source Obfuscation
❖ Make it really difficult for
human to understand and time
consuming to hack!
❖ Make the names of variables,
methods, classes and
packages meaningless!
❖ Remove debug information!
❖ Complicated call flow!
❖ Redundant source code!
❖ …………..!
❖ Penalty of obfuscation
Stop laughing…!
This is you!!

22. Build your own crack tool
❖ Provide static functions!
❖ Add logcat logs with variable states!
❖ Add stack trace dump!
❖ Do the complicated tricks out side of the original
program (much easier in JAVA)

23. A more difficult task - ???????
❖ UI is always the key to find the
starting point!
❖ Resource ID (name) turns into
constant value map!
❖ Insert the snippets decompiled
from your crack tool!
❖ Most of the local license checking
is not too complicated!
❖ Altering one of the boolean-returning
function does the trick
in a majority of cases

25. Still a piece of cake
❖ Knowing the system API is
very helpful!
❖ More complicated check
might involve getting IMEI,
MAC… from your device!
❖ You still can trick the
application by replacing the
system API call to your own
function

26. What I did to Age of Empires on Android
❖ Modify the menu bar to provide control interface!
❖ TCP server to communication with another Android
device with the same hacked APK!
❖ Add a robot state machine to get money, resource…
from the other account without effort.

27. Protect your work
❖ Design with NDK!
❖ Using framework like cocos2d (generates native library)!
❖ Don’t just use one method for checking!
❖ Strong obfuscation!
❖ Provide the content using web!
❖ Find a way to mess up the decompiler

28. What you might be interested in
❖ You can use the decompiled code from other apps in
your application!
❖ Embed a broadcast receiver to interact with external
application

29. Thanks for your attention