Learn, hack!

URL

https://media.blackhat.com/bh-ad-11/Desnos/bh-ad-11-DesnosGueguen-Andriod-Reversing_to_Decompilation_Slides.pdf

File name

bh-ad-11-DesnosGueguen-Andriod-Reversing_to_Decompilation_Slides.pdf

File size

4.5 MB

MD5

0cf324e25a5ce231342dfbbb6d21f098

SHA1

2fd21bbce542c060cb892328ed580be39ab6ed07

This talk deals with Android's bytecode analysis. The Android system is now widespread, and lots of applications are developed each days. These applications are mostly written in Java, though it is now possible to do some calls to binaries or shared libraries. To be executed on the DVM (Dalvik Virtual Machine) the Java source code (.java files) is translated into Java bytecode (.class files) and then a tool named `dx' is used to convert them into the DVM (or Dex) format (these are the .dex files). Such a conversion is needed as the DVM is a register-based machine whereas the JVM is a stack-based one, and as such they have different opcodes. Due to the nature of the bytecode, its reversing is somewhat easier than machine code. Indeed, unlike machine code, (Dalvik) bytecode contains semantics information (e.g types of objects) that allows us to do a better analysis. We can get useful details on variables, fields, methods... We can create signatures for a method, or we can use the android permissions to see where a specific one is used in an application. The analysis part allows us to extract the control flow graph (which is composed of basic blocks, and which cannot be modified dynamically due to the virtual machine) which is used to reverse the different possibles executions of an application. Furthermore, we have implemented new algorithms to calculate the similarity distance between two applications, a useful information to know if your application has been stolen from the android market. It's also possible to use similarity to do `diffing' of Android applications is useful to see patches of bugs or insertion of evil code, this is why we have developed a combination of techniques to quickly see the differences between two applications. Moreover it's interesting to have the ability to manipulate in a simple way all these new formats (APK, DEX, Dalvik bytecode, Android's binary xml) to automate testing directly in a program or in a specific interpreter. Though some closed-source decompilers exist for Java as well as for Android applications, their effectiveness is somewhat limited (unreadable, don't compile...). There are other ways to retrieve the Java source code of an application from the bytecode, for instance some people use a software which transform Dex bytecode into Java bytecode and then combined this with a regular Java decompiler. But the resulting code looks more like an obfuscated version which does not compile than real source code. That's why we have developed a new decompiler which uses only Dalvik bytecode to create an original Java source code. We present a new open-source tool (Androguard) written in Python (and some parts of C language) which help the reversing of Android applications, as well as a technique we use to build a decompiler.