BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Apr 12, 2017

Transcript
Page 1: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Function Hooking with Xposed

Jaime Geiger

http://tiny.cc/bsidesroc-xposed

Page 2: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Agenda

● Intro - whoami, whoareyou, what is xposed?

● Tools (brief) - JD-gui, jad, apktool, aapt, dex2jar

● What to hook - making sense of obfuscation, finding the right function to hook

● Basic hooks - hooking code, changing return values/parameters

● Reversing - making the app do the work, dumping API keys

● Disabling Security Checks - certificate pinning

Page 3: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Intro: Formalities and Background


Page 4: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

# whoami

● @jgeigerm / wumb0 - wumb0.in

● InfoSec @ RIT (or CSEC, whatever)

● Working for Grimm after graduation in VA (grimm-co.com)

● Hobbies/Interests:

○ CTFs, Reversing, Exploitation

○ Collecting acronyms: RC3, KDR, CCDC, SI, R2D2, ACDC, etc. etc.

○ Poking android (in all the right places)

○ Red team & malware development

Page 5: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

# who -u

● RIT Students?

● Java programmers?

● Android users?

● Android application programmers?

● Used xposed before?

● Written xposed modules before?

● None of the above?


Page 6: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

What’s an Xposed? Sounds hot.

● Function and resource hooking framework

○ Modify functions (returns, parameters, exceptions) & UI elements

● Written and maintained by rovo89 (GitHub)

● Replaces app_process to allow access to ART/Dalvik

● It is hot!

Page 7: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

How does xposed work?

● Does not change an app’s signature

● Replacement app_process that adds a jar to the java classpath

○ service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server

○ All processes are forked from zygote - hook zygote, hook all apps!

○ Jar added is the xposedbridge!

● (Yes you need root to do this!)

Page 8: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Tools: they live among us


Page 9: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

JD-GUI/jad

● Java decompilers

● JD-GUI takes jar/class files and has a browser

● Jad takes class files only

○ but better decompilation, IMO

Page 10: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

dex2jar/apktool

● dex2jar converts dex (classes in an APK) into JAR

● apktool extracts smali (Java bytecode) and resources from an APK

Page 11: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

aapt

● Part of build-tools in the Android SDK

● Lets you see resources inside an APK without unpacking it

● Decompiled code has references to string values by number

○ Jad has them in hex

○ JD-GUI has them in decimal

● Need this to search strings completely

aapt d strings the.apk | grep "looking for this string"

Page 12: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Custom Tools to help!

● apkdecompile.sh - unpacks and decompiles all classes in APK

○ Requires dex2jar and jad

○ Has a --shitty option (see unzipshittyobfuscatedjar.sh...)

● searchstring.sh - search a string value in an APK by hex or decimal number

○ Requires aapt

● unzipshittyobfuscatedjar.sh - sometimes obfuscated class names are Aa.class AND AA.class AND aa.class

● Find them here

Page 13: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

What to hook: digging through source!


Page 14: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Process

1. Get the apk

○ @ www.apk4fun.com (pls no piracy) or /data/app on device

2. Convert to JAR (d2j-dex2jar the.apk) and extract (apktool d the.apk)

3. Decompile with jad or jd-gui

4. (maybe) smash head against obfuscation

○ Look at strings, related functions, etc.

5. Identify relevant classes and functions

Page 15: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Basic Hooks: Getting up in there


Page 16: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Important imports!

● XposedBridge.jar - contains all necessary classes for module dev

● XposedHelpers.findAndHookMethod

● XposedHelpers.callMethod

● IXposedHookLoadPackage - base class loaded on app init

● XC_MethodReplacement/XC_MethodHook

● Callbacks.XC_LoadPackage.LoadPackageParam - package information

● XposedBridge - helpers (logging)

Page 17: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Xposed Project Module Structure

libs/XposedBridge.jar -> ../XposedBridge/app/build/intermediates/packaged/release/classes.jar
build.gradle - root project build file
local.properties - specifies Android SDK directory
app/
    build.gradle - details module, includes XposedBridge from libs
    src/main/
        AndroidManifest.xml - defines the app permissions and such
        assets/xposed_init - tells xposed what class to run on start
        res/ - any resources you need (strings, layouts, etc.)
        java/your/company/appname/Hooks.java - hooks to install

See xposed skeleton creator in the GitHub repo for this talk!

Page 18: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Side Note: Building and Installing Modules

● Build with gradle (gradle build)

● Output APK is at app/build/outputs/apk/app-debug.apk

○ Feel free to sign it

● adb install -r app/build/outputs/apk/app-debug.apk

Page 19: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Package hooking skeleton

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Hooks implements IXposedHookLoadPackage {
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // handleLoadPackage runs in every app process; only act on the target
        if (!lpparam.packageName.equals("the.package.name"))
            return;
        // find and hook methods here
    }
}

Page 20: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

findAndHookMethod

● Finds a class method by name and hooks it with whatever you want

1. Return a constant

2. Ignore it completely

3. Do something before the function is called

4. Do something else instead

5. Do something after the function is called successfully

findAndHookMethod("com.app.classname", lpparam.classLoader,
        "functionName", [func arg1 class], [func arg2 class], hook);
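The Page 19 skeleton and the findAndHookMethod call above, put together into the complete Hooks.java that assets/xposed_init points at. This is an added example, not code from the talk's repo; it uses the page's placeholder target com.bank.app.Main with its hypothetical transferFunds(String) method, and the module's own package name com.example.xposedmod is an assumption. Beyond the slides it shows how the parameter-type list picks an overload, how the before and after callbacks see the instance, arguments, result and any exception, and what happens when the signature read from decompiled code is wrong.

```java
package com.example.xposedmod;  // the module's own package: an assumption, pick your own

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

import java.util.Arrays;

// Added example (not from the talk's repo): the complete Hooks.java that
// assets/xposed_init names. Target class/method names are the page's
// placeholders (com.bank.app.Main, transferFunds(String)).
public class Hooks implements IXposedHookLoadPackage {

    private static final String TARGET_PKG = "com.bank.app";

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Called once in every app process forked from zygote; return early
        // so the hooks below only land in the process we care about.
        if (!lpparam.packageName.equals(TARGET_PKG)) return;

        try {
            // The parameter types select the overload: String.class picks
            // transferFunds(String); a primitive parameter would be int.class etc.
            XposedHelpers.findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
                    "transferFunds", String.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    // Runs before the original; param.args is readable and writable here.
                    XposedBridge.log("transferFunds" + Arrays.toString(param.args)
                            + " on instance " + param.thisObject);
                }

                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    // Runs after the original, whether it returned or threw.
                    if (param.hasThrowable()) {
                        XposedBridge.log("transferFunds threw " + param.getThrowable());
                    } else {
                        XposedBridge.log("transferFunds returned " + param.getResult());
                    }
                }
            });
        } catch (NoSuchMethodError | XposedHelpers.ClassNotFoundError e) {
            // The usual failure when a name or signature taken from decompiled
            // (obfuscated) code is wrong: log it rather than letting the error
            // abort the rest of handleLoadPackage.
            XposedBridge.log("hook failed: " + e);
        }
    }
}
```

After installing the APK, the module has to be enabled in the Xposed Installer and the device rebooted before handleLoadPackage runs. Calling param.setResult(...) inside afterHookedMethod replaces what the caller receives, which is how the "after" form can also be used to override a return value once the original has run.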

Page 21: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 1: Make a function return a constant value

● We want verifyPasscode(String passcode) in class com.bank.app.Main to always return true

○ Assume it returns a boolean

findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
        "verifyPasscode", String.class, XC_MethodReplacement.returnConstant(true));

Page 22: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 2: Ignore the function completely

● We want checkSecurity() in class com.bank.app.Main to be ignored

○ Mostly used with void functions!

findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
        "checkSecurity", XC_MethodReplacement.DO_NOTHING);

Page 23: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 3: Do something before the function is called

● We want to check the parameter for function transferFunds(String toAccount) in class com.bank.app.Main and change it

Page 24: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 3: Do something before the function is called

findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
        "transferFunds", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        param.args[0] = "12345678";
        XposedBridge.log("changed account number!!");
    }
});

Page 25: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 4: Do something else instead

● We want checkPasswordOK(String password) in class com.bank.app.Main to always return true, but also dump to the logs.

○ Assuming the function returns a boolean

Page 26: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 4: Do something else instead

findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
        "checkPasswordOK", String.class, new XC_MethodReplacement() {
    @Override
    protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
        XposedBridge.log((String) param.args[0]);
        return true;
    }
});

Page 27: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 5: Do something after the function is called

● We want to get the return value of generateToken() in class com.bank.app.Main and dump it to the logs

○ Assuming it returns a string with the token

Page 28: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Scenario 5: Do something after the function is called

findAndHookMethod("com.bank.app.Main", lpparam.classLoader,
        "generateToken", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        XposedBridge.log((String) param.getResult());
    }
});

Page 29: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Practical Example & Demo: Words With Friends

Word checking is done client side, so we’ll disable the check

1. Decompile/unpack

2. Find where word validation is done

3. Hook function to always return true (XC_MethodReplacement)

4. Cheat!


Page 30: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

gnireenignE: Extracting information, understanding code


Page 31: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Getting to the Goods

● Obfuscated code/variables/keys can be annoying to find in an app

● If the app checks its own signature, decompiling, editing, and recompiling is ruled out

● Dump variables to the logs after they have been deobfuscated/calculated

Page 32: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Practical Example & Demo: Yik Yak

● API key is calculated based on the app’s signature (YikYak.a)

● getBytes method is used on the variable when requests are being signed (post calculation)

○ Part of java.lang.String

● Dump key out to the logs, acquire API key, make requests with python!

● And yes, every time they update the app, the obfuscation changes...
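The "dump it after it has been calculated" approach from Page 31, the "identify relevant functions" step from Page 14 and the String.getBytes trick on this slide, as one added example that is not the talk's Yik Yak module. Two techniques the slides only describe are shown in code: hooking every declared method of one obfuscated class by reflection, so its one-letter methods are logged with their arguments and results whatever they are called, and hooking a java.lang.String method while filtering on the caller's stack so the framework's own constant use of getBytes() stays out of the log. The package com.example.target and its class a are placeholders; Yik Yak's real identifiers are not on the page.

```java
package com.example.xposedmod;  // the module's own package: an assumption

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;

// Added example (not the talk's Yik Yak module): log values once the app has
// finished computing them. TARGET_PKG and TRACED_CLASS are placeholders.
public class TraceHooks implements IXposedHookLoadPackage {

    private static final String TARGET_PKG = "com.example.target";      // assumption
    private static final String TRACED_CLASS = "com.example.target.a";  // assumption
    private static final int MAX_LEN = 200;  // keep log lines readable

    // Guard against re-entering the String.getBytes() hook from its own logging.
    private static final ThreadLocal<Boolean> IN_HOOK = new ThreadLocal<Boolean>() {
        @Override protected Boolean initialValue() { return Boolean.FALSE; }
    };

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        if (!lpparam.packageName.equals(TARGET_PKG)) return;

        // 1. Hook every concrete method the obfuscated class declares, whatever
        //    its single-letter name, and log arguments plus outcome afterwards.
        Class<?> traced = XposedHelpers.findClass(TRACED_CLASS, lpparam.classLoader);
        for (Method m : traced.getDeclaredMethods()) {
            if (Modifier.isAbstract(m.getModifiers())) continue;  // Xposed cannot hook these
            XposedBridge.hookMethod(m, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    String outcome = param.hasThrowable()
                            ? "threw " + param.getThrowable()
                            : "returned " + param.getResult();
                    XposedBridge.log(TRACED_CLASS + "." + ((Method) param.method).getName()
                            + " args=" + trunc(Arrays.deepToString(param.args))
                            + " " + trunc(outcome));
                }
            });
        }

        // 2. Hook java.lang.String.getBytes() (the no-argument overload), but only
        //    report calls whose stack passes through the target's own classes.
        XposedHelpers.findAndHookMethod(String.class, "getBytes", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                if (IN_HOOK.get()) return;
                IN_HOOK.set(Boolean.TRUE);
                try {
                    if (calledFrom(TARGET_PKG)) {
                        XposedBridge.log("getBytes() on \"" + trunc((String) param.thisObject) + "\"");
                    }
                } finally {
                    IN_HOOK.set(Boolean.FALSE);
                }
            }
        });
    }

    // True if any frame of the current stack belongs to a class under pkgPrefix.
    private static boolean calledFrom(String pkgPrefix) {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            if (frame.getClassName().startsWith(pkgPrefix)) return true;
        }
        return false;
    }

    private static String trunc(String s) {
        return s.length() <= MAX_LEN ? s : s.substring(0, MAX_LEN) + "...";
    }
}
```

Walking the stack on every getBytes() call is slow, which is acceptable for a one-off analysis run but not something to leave installed; the class-wide hook in step 1 is the cheaper way to narrow down which method produces the value, after which a single findAndHookMethod on that method is all that is needed. XposedBridge.log output shows up in the Xposed Installer's log view and in logcat.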

Page 33: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Disabling Security Checks: we don’t need them


Page 34: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Android Application Auditing

● Man-in-the-middle-ing is useful

○ If the app employs certificate pinning you are out of luck

○ Alternative method is static code analysis

● You can disable certificate pinning with xposed!

Page 35: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Practical Example & Demo: Yik Yak (pt. 2)

● SSLPeerUnverifiedException is thrown if the certificate is invalid

○ A few hours of reversing told me this. I’ll spare you that demo :)

● Find the SSLPeerUnverifiedException, hook the function it’s thrown in, and cert pinning goes away

● Let’s MITM

Page 36: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Other Resources and Code


● Code from this presentation: rev_tools, xposed_mods

● rovo89’s module development tutorial

● XDA forum for xposed modules and development

● Xposed source code

● Snapprefs source code

Page 37: BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed

Questions?
