You can download the necessary files you will need for this tutorials by clicking below
•Android SDK• Deurus Android Crackme (Search Google for it !)
• Smali and baksmali (Search Google for it !)
• Dex2jar (Search Google for it !)
• Javar decompiler (Search Google for it !)
Now, the gist:
Download and install Android SDK, SDK platform (latest is 2.2 at the time of writing), necessary Java packages and rest of the tools. Create a virtual device from SDK menu and start emulation. Within few minutes you can see the emulator booting up and showing the phone screen. Well, thats it! we have our emulator up and running.Getting Started with the Game :
Now we need to install the software (crackme, its legal!) to the emulator. For that you may have to get acquainted with Android debug bridge(adb). Installing a apk file is pretty simple, all you have todo is to run two commands from Android SDK directory/tools.
After the installation you can see the crackme icon from application menu.
After the installation you can see the crackme icon from application menu.
Now run the crackme by clicking onit. If everything went as expected you will see the crackme application on the screen.
Now we will play with it, pressing check button with no inputs pops a message 'Min 4 chars', and with a proper name it pops up 'Bad boy'. We have to remember these strings because we will be using them as our search keys when we disassemble the apk(actually dex) files. Also note that we have two hardware ids and we need to find out what those exactly means.
Real Android Reversing :
As our crackme is up and running inemulator, we now move onto reversing it. If you have read apk file format, you can visualize it as aextended JAR file which essentially is a zip file. Now you can change the crackme file name from Crackme03.apk to Crackme03.zip and decompress it to any folder.
Now the interesting file for us is classes.dex, which contains the compiled vm codes. We are going to disassemble the dex file with baksmali. Commands are pretty simple as you can see from screen shots.
If everything worked fine, we will have a folder structure similar to Java packages. Interesting .smali files are located at '\com\example\helloandroid'. Open all the .smali files into your favorite text editor(Iuse Notepad++). If you have neverdone anything related to reverse engineering/esoteric programming/assembly(IL) programming, you will probably think: WTF!. Relax. We have just opened a disassembled dex file. Now, if you are thinking how on earth someone can find the correct location of checking function, I hope you remember those pop up strings I told earlier. Yeah, 'Min 4 chars' and 'Bad boy'. Now we will use those strings as our search keys. Searching Min 4 chars in all the opened .smali files, we will find a hit in HelloAndroid$2.smali line 130.
Our aim is to understand the serial checking function and write a keygen for it. For that we have to know all the dalvik opcodes that are used here. You can visit this page to understand the opcodes and after that you can convert disassembled code to much higher language constructs. I will provide a brief code snippet which actually implements the algorithm. Two hardware ids used are IMEI and sim serial number. As you can see, the algorithm is pretty straight forward. It is using name and two hardware ids as input and doing some operations on them to make a serial. We can easily recode it in any programming language we prefer to make it as a keygen. Anyway, I am not posting any keygen sources as it will spoil the whole phun!
Decoding the Algorithm:
A demonstrative serial calculation routine is given below:Code:Name: aaaaaHW ID1: 0000000000000000HW
ID2: 89014103211118510720
Here are stepwise instructions on generating final serial number. At first 'aaaaa' will be converted to '9797979797', from which we will take first 5 letters and convert it into integer 97979.
This will be xored with 0x6B016 resulting 511661 and this will be first part of serial.
For second part, we will take first 6letters from HW ID1 and HW ID2, convert them to integer and xor, resulting 000000^890141 = 890141.
For third part we will use first 6 characters from HW ID1.
Formatting with the specified delimiter the serial will become '511661-890141-000000'.
Final Verification of Reversing:
Now we will put the same magic number into our Crackme application.
Bingo! everything worked as expected. Now, for all those who thinks it is pretty hard to read all those disassembled instructions and manually converting them to higher language constructs, there are other options. As dalvik is based on design of Java, it is also susceptible to decompilation. There is no decompiler available at this moment, but there is hope.For now we can use another utility which converts dex files to jar files so that we can use Java decompilers to see much more abstracted code. From starting of this blog post you may have noticed the tool dex2jar. Use dex2jar to convert classes.dex to classes.dex.dex2jar.jar. Open it in a Java decompiler and you can see much better output than dalvik disassembly. Please note that dex2jar is still in development phase and the output is meaningless at many places. This should be used only to get a quick understanding of all the functions.
Conclusion:
In this introductory article, am trying to explain reversing Andriod using the emulator and all available toolsin sequence with pictorial elaborative steps. It is mainly based to set up your ground for further reversing work on Andriod Platform.Well, thats it! We have analyzed an Android program and defeated its protection.
- The End -