Monday, 11 April 2016
Android Application Reversing - Paper#1
I have attached a PDF file here which gives full coverage of the basic method to reverse any Android app, in tutorial and descriptive-paper form.
Hope you guys are going to like it..
Download Link:-
Click
Wednesday, 25 February 2015
Android App Cracking Tutorial #2
Essay Tutorials
What are the types of restriction & protection?
- Advertisement banners (Google or AdMob)
- Nag & message-box pop-ups (in trial or free apps)
- Locked features (in the form of in-app purchases)
- Google or Amazon licensing (in the form of the License Verification Library, LVL)
Before we start with the tutorials, download all target files from here :- Click
Tut -1
Removing of Advertisement Banners from application
TARGET: Dual File Manager
METHOD: Ad removing by editing the layout
DIFFICULTY: (X) Newbies ( ) Intermediate ( ) Advanced ( ) Master
Step-1
Start Apktool & select the “Decompile Resources” option.
Step-2
Once the decompile process finishes, go to the “res” (resources) folder, which you will find inside the app's decompiled folder, e.g. Dual File Manager_src.
Step-3
Now look in the layout folder & open every XML file with the “Axel” app to find a string called “Banner”.
(Hint :- In most cases the banner is called through “main.xml” or “activity_main.xml”.)
Step-4
Finding & editing XML code with the “Axel” app
As I said, in this app too we find the banner-related XML code in “main.xml”.
Original Code:-
<!-- The two attributes to change are android:layout_width and android:layout_height: set both to "0dip" -->
<com.google.android.gms.ads.AdView
    android:id="@id/main_id_ad"
    android:visibility="visible"
    android:layout_width="fill_parent"
    android:layout_height="wrap_content"
    android:layout_alignParentBottom="true"
    admob:adSize="BANNER"
    admob:adUnitId="ca-app-pub-5978068561095965/7471584327"
    />
Modified Code:-
<com.google.android.gms.ads.AdView
    android:id="@id/main_id_ad"
    android:visibility="visible"
    android:layout_width="0dip"
    android:layout_height="0dip"
    android:layout_alignParentBottom="true"
    admob:adSize="BANNER"
    admob:adUnitId="ca-app-pub-5978068561095965/7471584327"
    />
Step-5
Recompile the source folder with Apktool.
Step-6
Now zipalign the apk with Apktool.
Step-7
Sign the apk with Apktool.
(I prefer the “APK Editor” app for zipalign & signing because it is fast. To do this, select the “Optimize & Sign” option after Step-5.)
(Before & after screenshots – see the bottom of the post.)
Important things for reference only
Density-independent pixels (dip/dp) - an abstract unit that is based on the physical density of the screen. The other layout units are:
- px (pixels)
- in (inches)
- mm (millimeters)
- pt (points)
- sp (scale-independent pixels)
What are the methods through which we can remove banner ads?
- By editing the layout
- By editing code in the dex
Here is a list of known ad domains, to identify them easily –
- .gstatic.com
- .admob.com
- .analytics.localytics.com
- .flurry.com
- .greystripe.com
- inmobi.com
- admax.nexage.com
- ads.mdotm.com
- my.mobfox.com
- .plus1.wapstart.ru
- .madnet.ru
- .mp.mydas.mobi
- millennialmedia.com
- .g.doubleclick.net
- .appsdt.com
- ad.leadboltads.net
- run.admost.com
- mobile.admost.com
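The domain list above is most useful when it is applied mechanically: rather than eyeballing every string aGrep returns, a small matcher can take the list and report which hosts referenced by an app belong to a known ad or analytics network, which is also how one inventories the third-party SDKs bundled in an app before deciding whether to trust it. The following is an added example and not code from the original post; the sample "smali" lines are constructed, and the list entries are read (my interpretation, since the post does not say) as "this domain and any of its subdomains", whether or not they start with a dot.

```python
import re

# Known ad/analytics domains copied from the list above. A leading dot is read
# here as "this domain and any of its subdomains"; bare entries are treated the
# same way (my interpretation, since the list does not state the convention).
KNOWN_AD_DOMAINS = [
    ".gstatic.com", ".admob.com", ".analytics.localytics.com", ".flurry.com",
    ".greystripe.com", "inmobi.com", "admax.nexage.com", "ads.mdotm.com",
    "my.mobfox.com", ".plus1.wapstart.ru", ".madnet.ru", ".mp.mydas.mobi",
    "millennialmedia.com", ".g.doubleclick.net", ".appsdt.com",
    "ad.leadboltads.net", "run.admost.com", "mobile.admost.com",
]

# Constructed sample lines in the shape of smali const-string instructions,
# as aGrep would surface them from a decompiled classes.dex (not from any real app).
SAMPLE_SMALI_LINES = [
    'const-string v0, "https://media.admob.com/sdk-core-v40.js"',
    'const-string v1, "https://api.example-app.invalid/v1/sync"',
    'const-string v2, "https://googleads.g.doubleclick.net/mads/gma"',
    'const-string v3, "http://ads.mdotm.com/ads/feed.php"',
    'const-string v4, "https://notads.mdotm.com.invalid/"',
]

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def matches_ad_domain(host, patterns=KNOWN_AD_DOMAINS):
    """Return the list entry that covers `host`, matching on label boundaries only,
    so "notads.mdotm.com" is not mistaken for "ads.mdotm.com". None if no entry matches."""
    host = host.lower().rstrip(".")
    for entry in patterns:
        base = entry.lower().lstrip(".")
        if host == base or host.endswith("." + base):
            return entry
    return None


def scan_strings(lines, patterns=KNOWN_AD_DOMAINS):
    """Map every URL host found in `lines` that belongs to a known ad domain to the
    matching list entry; unknown hosts (the app's own backend) are left out."""
    found = {}
    for line in lines:
        for host in URL_HOST.findall(line):
            entry = matches_ad_domain(host, patterns)
            if entry is not None:
                found[host.lower()] = entry
    return found


if __name__ == "__main__":
    for host, entry in scan_strings(SAMPLE_SMALI_LINES).items():
        print(f"{host:40} <- {entry}")
```

Matching on label boundaries matters: a naive substring test would flag the constructed "notads.mdotm.com.invalid" host as the mdotm ad server, and would also miss nothing that the boundary-aware test catches. The same function can be pointed at DNS or proxy logs from a test device instead of smali strings, since only the hostname extraction differs.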
Android App Cracking Tutorial #1
Introduction
Understanding APK
What is an Apk file?
Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system. APK files are ZIP-formatted packages based on the JAR file format, with the .apk file extension.
What are the contents you find inside an Apk?
An APK file is an archive that usually contains the following directories:
- META-INF directory:
  - MANIFEST.MF: the manifest file
  - CERT.RSA: the certificate of the application
  - CERT.SF: the list of resources and a SHA-1 digest of the corresponding lines in the MANIFEST.MF file; for example:
----------------------------------------------------------------------
Signature-Version: 1.0
Created-By: 1.0 (Android)
SHA1-Digest-Manifest: wxqnEAI0UA5nO5QJ8CGMwjkGGWE=
Name: res/layout/exchange_component_back_bottom.xml
SHA1-Digest: eACjMjESj7Zkf0cBFTZ0nqWrt7w=
Name: res/drawable-hdpi/icon.png
SHA1-Digest: DGEqylP8W0n0iV/ZzBx3MW0WGCA=
-----------------------------------------------------------------------
- lib: the directory containing compiled native code specific to a processor architecture; it is split into subdirectories:
  - armeabi: compiled code for all ARM-based processors only
  - armeabi-v7a: compiled code for all ARMv7 and above based processors only
  - x86: compiled code for x86 processors only
  - mips: compiled code for MIPS processors only
- classes.dex: the classes compiled in the dex file format understood by the Dalvik virtual machine
- res: the directory containing resources not compiled into resources.arsc (see below)
- assets: a directory containing application assets, which can be retrieved by AssetManager
- AndroidManifest.xml: an additional Android manifest file, describing the name, version, access rights, and referenced library files of the application. This file may be in Android binary XML, which can be converted into human-readable plain-text XML with tools such as AXMLPrinter2, android-apktool, or Androguard
- resources.arsc: a file containing precompiled resources, such as binary XML
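The META-INF digests above are what ties the archive's contents to its signature: every non-signature entry has a SHA1-Digest line in MANIFEST.MF, CERT.SF digests those manifest sections, and CERT.RSA signs CERT.SF. Editing any file (for instance a layout under res/) leaves the old digests behind, which is why a modified APK must be re-signed before it installs, and why an APK whose digests no longer match its manifest is the first thing to look for when checking whether a package has been repackaged. The following is an added example, not code from the original post: it builds a tiny constructed "APK" (a zip with a MANIFEST.MF and placeholder entries), then recomputes and compares the digests, once for the untouched archive and once with an edited entry under a stale manifest.

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for real APK entries (placeholder bytes, not from any real app).
SAMPLE_ENTRIES = {
    "res/layout/main.xml": b"<binary AXML placeholder: layout containing an AdView>",
    "classes.dex": b"dex\n035\x00 placeholder bytecode",
}


def sha1_digest_b64(data):
    """SHA1-Digest as written in MANIFEST.MF: base64 of the raw SHA-1 of the entry."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(entries):
    """Render a minimal MANIFEST.MF with one Name/SHA1-Digest pair per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: 1.0 (Android)", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_digest_b64(data)}", ""]
    return "\r\n".join(lines)


def build_sample_apk(entries=SAMPLE_ENTRIES, manifest=None):
    """Pack the entries plus META-INF/MANIFEST.MF into an in-memory zip, i.e. an APK
    minus CERT.SF/CERT.RSA. Passing a stale manifest simulates an edited, unsigned APK."""
    if manifest is None:
        manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Collect Name:/SHA1-Digest: pairs from a MANIFEST.MF (CERT.SF has the same shape)."""
    digests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current is not None:
            digests[current] = line[len("SHA1-Digest: "):]
            current = None
    return digests


def verify_v1_digests(apk_bytes):
    """Return {entry: True/False}: True when the file's SHA-1 matches its manifest line.
    Files missing from the manifest, or listed but absent from the archive, are False."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        declared = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            expected = declared.get(name)
            results[name] = expected is not None and sha1_digest_b64(zf.read(name)) == expected
        for name in declared:
            results.setdefault(name, False)
    return results


if __name__ == "__main__":
    print("untouched APK:", verify_v1_digests(build_sample_apk()))
    edited = dict(SAMPLE_ENTRIES)
    edited["res/layout/main.xml"] = b"<binary AXML placeholder: AdView shrunk to 0dip>"
    stale = build_sample_apk(edited, manifest=build_manifest(SAMPLE_ENTRIES))
    print("edited layout, stale manifest:", verify_v1_digests(stale))
```

This covers only the digest layer of the JAR (v1) scheme. A complete check also verifies CERT.SF against MANIFEST.MF and the CERT.RSA signature over CERT.SF, handles the 72-byte line wrapping real manifests use (continuation lines start with a space, which this parser does not join), and, on current Android, validates the v2/v3 signature stored in the APK Signing Block instead. Note too that re-signing with a different key is itself detectable: Android refuses to install a package as an update when its signing certificate differs from the installed version's.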
Tools & Download
- Apktool Mobile Ver-4.6
- APK Editor Ver.1.90
- Axel Ver.2.4
- 920 Text Editor Ver.13.7.18
- aGrep Ver.2014.03
How to Use the Tools
1. Apktool Mobile
What is Apktool?
This is the tool we basically use to decompile & recompile Apk files.
How to set up this tool?
- Unzip Apktool4.6_armhf.zip to your SD card and install the Apktool.apk inside it
- Once installation is done, start the app, then go to the directory where Apktool4.6_armhf.zip was unzipped & rename the folder to “Apktool”
- Now select the “Set as apktool data folder” option
- There are more options inside the settings; choose the ones most suitable for you
Options which I prefer:-
- Vibration
- Notification
- Wrap output message
- File sort rule
- Aapt - 4.4 (Android Asset Packaging Tool)
- Apktool version – 2.0
How to use this tool?
For this you need to know what functions it offers, like-
Decompile functions
- Decompile all (this will decompile Dex + resources)
- Decompile Dex (this will decompile Dex into Smali code)
- Decompile Resources (this will decompile layouts, i.e. AXML binary format, into XML)
Other functions
- Zipalign (this function aligns all files inside the apk)
- Sign (this will sign the apk after modification)
- Create odex
- Add/Extract/Delete (META-INF)
- Dex2Jar (this will convert Dex into Java class files)
- Jar2Dex (this will recompile a Jar into a Dex file)
- Install (this will help to install the app)
- Cancel
Recompile functions
- Recompile (this will recompile the source folder)
(Note:- The Recompile function pops up only when you click a folder whose name ends with “_src”, e.g. apk_src, i.e. the application's decompiled folder.)
2. APK Editor
This tool has very good features like-
- Editing text inside AXML files & Dex directly
- Replacing a modded file with the original file inside the APK directly
- Cloning an APK so that you can use the same application more than once on a single device
- Optimize & Sign
We are going to use this app as a resource editor for editing text strings.
3. Axel
This is a very good app to open the AXML binary format in human-readable form, or to modify the decompiled XML we come across when editing various application layouts inside the resource folder.
4. 920 Text Editor
We use this application to edit & save our decompiled Smali code.
5. aGrep
We use this application to find strings in the decompiled Smali code folder.
Monday, 18 August 2014
Unpacking PEDiminisher
Packer :- PEDiminisher
Type :- PE packer
Level :- Ba$ic
Start by understanding the code structure:-
This is how the "end routine table" looks for this packer:
POP EBP
POP EDI
POP ESI
POP EDX
POP ECX
POP EBX
JMP EAX
Now follow the steps to unpack:-
- Locate the end-routine instructions in the packed file by searching for the command sequence
- "JMP EAX" is the jump to the OEP, so press F2 and set a breakpoint at the JMP instruction
- Press F9 and you break on the BP
- Press F7 to step once and then dump the process with the "OllyDump" plugin to get the unpacked version of the file
Using & Understanding Olly Script:-
Script-
Find eip,#5D5F5E5A595BFFE0#
Bp $RESULT
Run
Sti
Sti
Sti
Sti
Sti
Sti
Sti
Msg "OEP found PEDiminisher, Dump The Target Now!"
Functions-
- find eip, #5D5F5E5A595BFFE0# - searches from EIP for the byte sequence of the instructions (the end-routine table discussed above) and stores the address in $RESULT
- bp $RESULT + run - sets a breakpoint at the found address and runs the debugger until it breaks there
- sti - we use it 7 times so that it steps through the end-routine table; once it is at JMP EAX, the code steps once more and is at the OEP
- msg - a message box pops up to tell the user that he can now dump the process
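The `find eip, #...#` step is a byte-signature search, and the same search works statically on the file before the debugger is involved: scanning a sample for the end-routine bytes is a quick packer-identification check, and translating the hit's file offset to a virtual address gives the location the breakpoint would be set at. The following is an added example, not code from the original post; it parses the PE section table with the standard library only, and the one-section PE it scans is constructed in the block (the hex pattern is the one from the script above).

```python
import struct

# Byte pattern from the OllyScript above: POP EBP, POP EDI, POP ESI, POP EDX,
# POP ECX, POP EBX, JMP EAX  ->  5D 5F 5E 5A 59 5B FF E0
END_ROUTINE = bytes.fromhex("5D5F5E5A595BFFE0")


def parse_sections(pe):
    """Return (image_base, [(name, virtual_address, raw_offset, raw_size), ...])
    from the DOS, COFF, optional and section headers of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, va, raw_ptr, raw_size))
    return image_base, sections


def offset_to_va(pe, file_offset):
    """Translate a raw file offset to the virtual address it maps to, or None if the
    offset lies outside every section (headers or overlay)."""
    image_base, sections = parse_sections(pe)
    for _name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= file_offset < raw_ptr + raw_size:
            return image_base + va + (file_offset - raw_ptr)
    return None


def find_end_routine(pe, pattern=END_ROUTINE):
    """Static counterpart of `find eip, #...#`: every (file_offset, virtual_address)
    at which the end-routine byte sequence occurs in the image."""
    hits, start = [], 0
    while True:
        idx = pe.find(pattern, start)
        if idx < 0:
            return hits
        hits.append((idx, offset_to_va(pe, idx)))
        start = idx + 1


def build_sample_pe(code, image_base=0x400000, section_va=0x1000, raw_ptr=0x200):
    """Constructed one-section 32-bit PE: just enough headers to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(code), section_va, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\x00") + code


# Constructed stub: 16 NOPs, then the end routine, then padding (not a real packed file).
SAMPLE_CODE = b"\x90" * 16 + END_ROUTINE + b"\xCC" * 8

if __name__ == "__main__":
    for off, va in find_end_routine(build_sample_pe(SAMPLE_CODE)):
        print(f"end routine at file offset 0x{off:X} -> VA 0x{va:X}")
```

Eight bytes is a short signature, so a hit is a lead for triage rather than proof of the packer; a real sample should be confirmed in the debugger as the steps above describe, and several hits (the pattern can occur in ordinary epilogues) mean each candidate address needs checking.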
Some useful commands which help you to make your own script:-
- sti - F7
- estep - F8
- run - F9
- var - declares a variable
- mov - similar to assembly
- findop - searches for an opcode from the specified address & stores the result in the $RESULT variable
- msg - shows a message box (log should be used, but I used msg just for visual pleasure)
That's all for today..
Br
Nieo..