Hi readers! Time for another post 🙂
Last week I had an argument with my friend about where to eat.
We decided to toss a coin.
My friend took the coin out of his wallet and announced quickly “Heads- I win, Tails- you lose”. Guess you already know what the outcome was 😑
Two days after he tried to pull the same trick, but this time I had a good night’s sleep, and I realized what happened last time.
I didn’t expose him, I had a far better idea 😈
Recognize the icon at the top?
Chwazi is an extremely popular app (Over 500k downloads).
The app’s sole purpose is: “A funny and interactive way to randomly select someone from a group of a people”.
The players put their fingers on the screen and the app randomly chooses a finger (or more, depends on your choice).
The app has been laying on my phone for quite some time without any usage.
It’s about to change…
The idea was to take this app and patch its luck 😉
My friend Sahar took the liberty to put it in motion.
The flow goes like this:
1. Locating the function that randomly chooses the winner – Decompiles the APK
2. Patch it in SMALI – Disassemble the APK.
3. Apply the patch – Reassemble the SMALI to APK.
Intro
APK is the commonly used format for android apps.
The APK is an extension of the zip format.
It contains a bytecode for the android VM, resources used by the program and sometimes SO files. An app can run from a number of processes, and it has more than one entry point.
Some basics you need to understand:
– AndroidMainfest.xml – Contains the app metadata (Entry points, permissions, etc…)
– classes.dex – Most if the app’s logic. The app code is typically written in java and compiled
to a special bytecode named Dalvik. Android contains JVM named DVM in order to run it.
– META-INF – contains digital signatures. Android requires every app to be signed.
– lib – the SO (binary) files. Usually used for better performance.
– A user is created for every app. The user is simply a Linux user with low permissions that
gets added to certain groups based on the required permissions in the manifest.
In this research, we chose to use the Debian-based Linux distribution named “Santoku” which contains every tool you need for dealing with APKs.
It goes without saying that you need to get your phone into developer mode.
Pwndom
One of the key techniques of reverse engineering is finding “footholds”.
A foothold can be anything from strings and function names to known binaries and imports.
Without footholds, the work is almost impossible because the entire app needs to be analyzed.
In this case, we know that the app’s logic lay on one basic thing – Randomization.
The function name in Java that responsible for that is pretty straightforward – random.
We decompile the app using dex2jar in order to view the code written in java.
Then we open it with jd-gui and search for out foothold – random.
After a little search, we find the responsible function – doGameLogic in the class ModeFingers.
loop numberOfWinners
{
if numOfFingers != 0
{
rnd = getRandom % NumOfFingers
add numOfFingers[rnd] to WinnerList
remove numOfFingers[rnd] from numOfFingers
{
}
Patched Luck
Java’s “assembly” is called SMALI.
SMALI is a human-readable representation of the DVM bytecode.
In order to get the SMALI for our app, we use apktool – APK disassembler.
Now we look for a class file with the function to patch – ModeFingers.class.
Then we search for the function doGameLogic.
After a few lines, we see the usage of the random function and a var named randomChoosed being assigned to v4 – this is rnd from the pseudo code above.
If we have control over it – we can choose the winner!
The array is sorted according to the order the players’ fingers were put on the screen,
our goal is to make sure that the first finger always wins.
We do it by patching the value of v4 to be 0 instead of randomChoosed.
Can I have your autograph?
Now it’s time to pack things up.
We use apktool to rebuild the patched app.
Those of you who have a good memory remember that they were not done yet.
As mentioned, android requires a signature for every app that resides in META-INF within the APK.
When we patched the APK it’s signature became invalid, so we have to sign it again.
We use keytool and jarsigner in order to do it.
The procedure is as follows:
Final Touch
Today I am a very lucky man.
I can’t remember the last time I was a designated driver, I’m never getting the pizza from downstairs or taking the trash, but most importantly
I always get to decide where we eat 😎
Until next time,
Si Tadmor & Sahar Noyman 😀
https://www.youtube.com/watch?v=7SRfk321I5o
https://www.digitalwhisper.co.il/files/Zines/0x49/DW73-2-AndroidAttSurface.pdf
Comments are closed