How I defeated an anti-tamper APK with some Python and a homemade Smali emulator (evilsocket.net)
147 points by evilsocket on April 18, 2016 | hide | past | favorite | 75 comments



My highlights after reading this: 0. Really impressive work.

1. Great link with the Dalvik opcodes manual http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

This came up with a google search: https://source.android.com/devices/tech/dalvik/dalvik-byteco...

2. If you run into obfuscated smali filenames in the APK, a simple search and replace will help you rename the files.

3. Instead of trying to understand the proprietary encryption/decryption, just run the decryption code without understanding it.

4. OP created a smali emulator for this task (#3), only supporting a small subset of Dalvik instructions, which means that for now the emulator can be defeated by using as many Dalvik opcodes as possible in your encryption/decryption code. A simple check-cast, for example (throw a ClassCastException if the reference in the given register cannot be cast to the indicated type), can break the emulator.

5. Being written in Python, relying heavily on regular expressions and without many algorithmic improvements (the opcode lookup, for example, is a for loop instead of a lookup table) - there's a lot to improve in the emulator's performance, but this is an incredible first step.
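As an added example, not code from the post or from the emulator it reviews, here is a toy Python dispatch loop illustrating points 4 and 5: a dictionary lookup table instead of a for-loop scan over handlers, and a coverage check that lists the mnemonics the emulator cannot execute (such as check-cast) before anything runs. The smali method bodies and the handled opcode subset are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample smali (not from the article's APK): (3 + 4) * 2 using known opcodes.
SAMPLE_METHOD = """
    const/16 v0, 0x3
    const/16 v1, 0x4
    add-int v2, v0, v1
    const/4 v3, 0x2
    mul-int v2, v2, v3
    return v2
"""
# Constructed sample that uses check-cast, for which no handler exists below.
SAMPLE_WITH_CHECK_CAST = """
    const/16 v0, 0x3
    check-cast v0, Ljava/lang/String;
    return v0
"""

class UnsupportedOpcode(Exception):
    """The method uses an instruction the emulator has no handler for."""

@dataclass
class Vm:
    regs: dict = field(default_factory=dict)   # register name (v0, v1, ...) -> int

def op_const(vm, args):          # const/4, const/16: vX, literal
    vm.regs[args[0]] = int(args[1], 0)        # base 0 accepts 0x.. and decimal literals
def op_add_int(vm, args):        # add-int vDst, vA, vB
    vm.regs[args[0]] = vm.regs[args[1]] + vm.regs[args[2]]
def op_mul_int(vm, args):        # mul-int vDst, vA, vB
    vm.regs[args[0]] = vm.regs[args[1]] * vm.regs[args[2]]
def op_return(vm, args):         # return vX
    return vm.regs[args[0]]

# Dictionary keyed by mnemonic: constant-time dispatch instead of scanning a list of handlers.
OPCODES = {
    "const/4": op_const, "const/16": op_const,
    "add-int": op_add_int, "mul-int": op_mul_int,
    "return": op_return,
}

INSN_RE = re.compile(r"^\s*([a-z][a-z0-9/\-]*)\s+(.*?)\s*$")

def decode(method):
    """Yield (mnemonic, operand list) for each instruction line of a method body."""
    for line in method.strip().splitlines():
        m = INSN_RE.match(line)
        if m:
            yield m.group(1), [t.strip() for t in m.group(2).split(",")]

def unsupported_opcodes(method):
    """Coverage check before running: mnemonics with no handler, in program order."""
    return [mn for mn, _ in decode(method) if mn not in OPCODES]

def run(method):
    """Execute a method body and return the value named by its return instruction."""
    vm = Vm()
    for mnemonic, operands in decode(method):
        handler = OPCODES.get(mnemonic)
        if handler is None:
            raise UnsupportedOpcode(mnemonic)   # the failure mode point 4 describes
        if mnemonic == "return":
            return handler(vm, operands)
        handler(vm, operands)
    return None
```

Running unsupported_opcodes on a target method first tells you which handlers to add, instead of discovering the gap halfway through decryption.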


> Instead of trying to understand the proprietary encryption/decryption, just run the decryption code without understanding it.

When I have encountered this sort of problem in the past, I would drop the encryption module into another Android app and directly call the functions. I would then run the other Android app on a phone or Android emulator. Custom emulation seems unnecessary for most cases.


shameless plug: this is basically what dex-oracle does https://github.com/CalebFenton/dex-oracle

It has modules which look for patterns in code. Then you can tell it to run some method from the original app to understand what the code should be. Then, you can replace the obfuscated code with whatever you computed.


Unnecessary, but fun.


smalivm is another smali emulator and is part of simplify, a generic deobfuscator - https://github.com/CalebFenton/simplify


thanks for the great feedback! I'll treasure your words :)


Seriously, it's 2016, stop it with the memes.


oh come on! it doesn't hurt smiling a little bit from time to time you know? :)


Unfortunately often the only person smiling is the author, while others just cringe.


Some people find them charming, and like a little chuckle with their articles.


maybe you could make a chrome extension which blocks all forms of fun and frivolity. you could just hide images from various meme sites, maybe do some checksum comparisons?


I don't have anything against fun things, but seeing the same memes we have all seen every day for years now is not really funny.


on one hand, I completely agree with you. on the other hand, i've had to make presentations and talks and the stuff just looks so dry and boring and people respond surprisingly well to old jokes. if you don't include any sort of lulz they just sit there thinking they're learning, but if you mix in a few memes, it helps wake them up and they start to pay attention.


I think a p-hash[1] would work better at detecting the same image... but what about a neural net that detects fun? That would probably be pretty enjoyable to write.

1: http://www.phash.org/


Reminds me of the reverse engineering of the dropbox client: https://www.usenix.org/system/files/conference/woot13/woot13...


It’s always funny how large developers – say, Google – still try to obfuscate their code when it’s so easy to reverse.

Even better, as in many legislations a derivative of manually deobfuscated code does not count as a derivative of the original source, they even give up their copyright on their code, practically.

I’m surprised that this still happens. By now anyone should know that if you can run a piece of code, you can decompile, deobfuscate, and understand it. DRM and obfuscation only work to waste a week or two of the time of the person taking it apart.


"DRM and obfuscation only work to waste a week or two of the time of the person taking it apart." Not only that, it also drastically decreases the number of people in the world capable of reverse engineering your code. It also decreases the number of people willing to. In the end, security is a game of effort vs gain. More effort -> might not be worth the gain.

Also - a lot of these techniques are used by malware to evade anti viruses and static code analysis.


> Not only that, it also drastically decreases the number of people in the world capable of reverse engineering your code. It also decreases the number of people willing to.

But with software and electronic media, only one person needs to care/be smart enough for everyone to reap the benefits.


Check out Denuvo. It's DRM/reverse engineering protection, and it has prevented Just Cause 3 from being cracked since last December. Yes, somebody will crack it eventually, but I would count this as a success (the game has already made the majority of its money).


> Even better, as in many legislations a derivative of manually deobfuscated code does not count as a derivative of the original source, they even give up their copyright on their code, practically.

I never heard that, source? It's not really "clean room".


It’s not clean room, but the ECJ has allowed it one time already. Which did set an interesting precedent.


I'm guessing you're talking about this then: https://en.wikipedia.org/wiki/SAS_Institute_Inc_v_World_Prog...

I still don't see how it's a derivative of RE'd code (like https://news.ycombinator.com/item?id=3919250 was). It's just the classic "reverse engineering allowed for compatibility".


In that case they actually wrote their code while having the reversed code open side-by-side. That’s the interesting part of the case.


> DRM and obfuscation only work to waste a week or two of the time of the person taking it apart.

I don't think it's that simple. There's some distribution of time wasted that goes from 0 (already prepared tools for automated deobfuscation) to infinity (it's enough of a roadblock to stop the effort). If you automate the obfuscation and just stick it into the publishing pipeline, you effectively stopped >0 people with ~0 effort. So why not do it?


> If you automate the obfuscation and just stick it into the publishing pipeline, you effectively stopped >0 people with ~0 effort. So why not do it?

Because automated obfuscation can also be solved automatically. Heuristic deobfuscators like JSnice.org are already getting more popular.


> DRM and obfuscation only work to waste a week or two of the time of the person taking it apart.

I remember reading an article featured here that the latest PC video game needed something like 6 months to be cracked and the crackers (Chinese I think) almost abandoned.

Will try to find the link.


Found it for you (or at least I think you meant 3DM (cracking group) and Denuvo (anti-tamper)):

https://torrentfreak.com/no-more-pirate-games-in-two-years-g...

Additionally some fun facts for games released with the latest Denuvo iterations:

Rise of the Tomb Raider released 28th of January this year, not cracked to date.

Just Cause 3 released December 1st 2015, not cracked to date.

That's a lot longer than a week or two :)


This is true, but it's primarily due to the fact that highly skilled reversers aren't really producing cracks anymore.


If the skilled reversers stopped producing cracks, isn't that the same thing? :P


Sure, but it's still noteworthy that this isn't due to DRM suddenly becoming better.


What are they doing instead?


Writing obfuscators.


Easy to reverse, but not trivial.

100% protection does not exist, which doesn't mean you shouldn't try to make it a bit difficult

(keeping honest people honest and all that)


> DRM and obfuscation only work to waste a week or two of the time of the person taking it apart.

For 90 percent of Play Store apps, that would be more effort than the initial development effort for the app (and with 90 percent, I'm being very, very generous).


Well, it’s very useful when you try to understand how a random app did their neat UI, though, and want to get inspiration on how they managed to have a list on top of a toolbar.

Or anything similar to that.

For getting inspiration like that, it’s super awesome.


Guessing this is most likely just some commercial obfuscator - are there not generic deobfuscators in Java or Android land?

I know several for .NET including SimpleAssemblyExplorer and De4Dot (though de4dot also includes several specific deobs).

EDIT: Looking around you might try something like https://github.com/CalebFenton/simplify or https://github.com/contra/JMD after converting with dex2jar or similar.


They should have used JEB and saved some time.

https://www.pnfsoftware.com/

(not my product)


maybe I tried and it didn't work?


Did you? :P


This stomps on motivation to develop any novel code, because for all the years of hard work you put into R&D, there will always be a lot of people who are just waiting for something to slip through your fingers, so they can steal it and call it theirs.


I don't see how publishing research without disclosing specific details about the app itself or any kind of "crack" could stomp on motivation to develop something ... unless you trust in "security through obscurity" of course ... which was proven more than once to be a fail :)


So what should I do? My patents have limited geopolitical enforcement jurisdictions, whereas the Internet is global. Plus, I'm deemed evil, even though it's not easy to create something novel. The MP3 patent https://www.google.com/patents/US5812672 was nice, and enforced from time to time, but for a small startup the barrier between the abyss and land is just a step away.


Just like continuously breaking all the DRMs stopped any new movies from being produced, right?


Not blockbuster movies, no. But all the small indie games (not the indie superhits you hear about!) for iOS, Android and PC typically have 10x, 100x more downloads on torrents than purchases. Same goes for small label releases on Beatport, Bandcamp and Juno: they get hundreds of individual sales on those sites after the tracks are out on trackers. Don't know about movies though; but in the industries I'm familiar with, it's the little guys who get screwed mostly, not the big ones.


You just agreed with the fact that the motivation to produce new code didn't die - indie games have to be written in the first place to end up on torrent sites. Breaking the DRM and torrenting does not stop people from writing new ones.

Regarding the ratio of purchases/downloads, the argument goes back to the usual questions: 1) if the torrents didn't exist, how would the number of purchases change (i.e. are those lost sales, or were they never potential sales to begin with); and 2) what's the promotion channel for indie bands? I purchased a lot of music because I heard about it from someone who had a pirated copy. Now at least we've got Spotify discovery, Google music tailored radios, etc. working for us, but it's still not a lot.


1) Judging by the experience of many friends in the game industry, the moment a non-free game appears on torrents, sales go down.

2) For the mass audience, streaming solutions (99% of that being YouTube) have completely replaced piracy. However, if you noticed, I'm not talking about the mass audience, it stopped buying music anyway. I'm talking about Beatport, Juno — shops especially targeted at DJs, who have very different purchasing patterns, and usually different ways of learning about music as well. A significant part of modern electronic music labels have stopped doing digital releases altogether, going vinyl-only, and piracy is one of the main reasons.


> 1) Judging by the experience of many friends in the game industry, the moment a non-free game appears on torrents, sales go down

In the case of most games, sales are steadily decreasing over time anyway - so it'd need to be a pretty marked step down to remove the possibility that they're simply following trend. It'd be interesting trying to account for that in an analysis.

Anecdotally, I have several friends who torrent games by default - but they legitimately wouldn't buy anyway (to quote "lol at buying videogames in the year of our lord 2016").


You just reminded me of how much of the 09 F9 11 02 9D number I still remember after all this time.


Everyone remembers that number, but you didn't use it for profit. I'm talking about purposefully reverse engineering a piece of software, to build an internal version of the solution, with direct impact to the inventor, not a global corporation. And it's not a web or a games or a movies or a piece of music.


Corporations are made of people, too. (Though in a way that somehow reminds me of Soylent green...)


Multi-billion dollar movie studios are much different than a small company releasing an Android app. They can handle the loss and make it up with licensing deals. The small company will go out of business in an already ridiculously difficult market.

It only pushes out the small companies and makes way for an app store environment where only large companies can survive. The exact same thing happened with the music industry over the past decade (filesharing was supposed to help the indie artist... or so many, like you, claimed).


Just like global warming being solved by you being cold today, right? You know, the world is a bit larger than Games/Movies/Music/Web. Like seriously, try some fluid dynamics, or neutron leakage. Just because it's expressible in software doesn't mean that a script kiddie next door with his fingers still sticky from the unclosed pornhub tab has to have all my life's work.


^ THIS ^


You realise that you never had any copyright to your algorithms, etc anyway?

If you spend years of R&D on algorithms, patent them.

But boilerplate code can neither be patented nor copyrighted (except in its source form, but the binary, for example, can’t), so you never owned anything to begin with.

Disclaimer: This is just general info about EU law, this is not legal advice, I am not a lawyer.


But I do have a patent, in multiple countries, and have legal advice. How is that supposed to stop people like the OP? He clearly didn't bother with any of it, and the EFF is on the side of crooks like him. So I spend all my fortune on R&D, spend another fortune on legal, and the result is that my kids have nothing to eat, because there is always a way when none of it means squat. Whether it's RCA ripping off Farnsworth, who had to fight all his life to protect his invention, or Edison blatantly stealing from Melies by simply changing the titles in his movies and swapping French text for English.


> Whether it's RCA ripping off Farnsworth

You realize Farnsworth ripped off Braun?

Also, if you have a patent, you can always sue. That’s not an issue.


I'm a card carrying EFF member. The EFF supports Internet Freedom and Privacy (those things go hand in hand).

Without even looking, if they're against you the chances are they're in the right. I've yet to see them do anything I disagree with as someone who considers those points very important.


> Without even looking, if they're against you the chances are they're in the right

This is a very dangerous attitude to have regardless of who it concerns.


Why does your novel code need to be proprietary?


Because I've invented something unseen before, spent a fortune developing a method, patented it, also spending a fortune on legal, and don't want script kiddies to mooch off my talent that easily. I have a sense of proprietorship and want to own something. Patents mean jack squat to people like the OP, and I'm stuck between a rock and a hard place. If I invoke my patent, I'm deemed "evil" because I have a patent, and will have to spend a lifetime in courts protecting my invention. If I compile, I'm deemed "evil" because there is no such thing as innovative code.


> and don't want script kiddies to mooch off my talent that easily.

You do realise that's not how research, science and engineering work, right? Just because you think it's morally justifiable to "own an idea" doesn't mean it is morally justifiable to do so.

Besides, do you really think someone is going to supplant you that easily? If you're really worried, use the GPL and then use their improvements to improve your own work.


> and don't want script kiddies to mooch off my talent that easily.

We all "mooch" off of others' talents. That's the beauty of our industry. We get inspired, we share, and we base our works on the works of others.

That's why it's so important to pair huge investments in R&D with awesome business people. Don't obsess about protecting your inventions. Obsess about getting your inventions out there, selling, supporting, and custom tailoring it for what customers really need.


> Obsess about getting your inventions out there

That's what I want to do, but all of the legal advice I got was to do otherwise. At first I thought that losing all that you've built in an instant was a rare event, but the more I talked to business owners and lawyers, I haven't gotten a single piece of advice to release it in any way that would put it outside of my control. And the thing they cited is almost exactly what the OP describes: once someone else has your code, the whole world has it.

And it hurts that I care less about the code - it can be rewritten in a million ways. What I care about is what the code does, and the multitude of GloboCorps working on the same issue in vain, and their ability to reproduce our work in months once they understand the secret sauce.


> their ability to reproduce our work in months once they understand the secret sauce.

if the secret sauce is so simple that they can copy it in months without violating copyright laws, maybe it's not so saucy after all!

Data, whether code, or algorithm, is not physical, and therefore, unless you don't give the code out (e.g., sell via SaaS), it's gone as soon as you release it, obfuscated or not.


If that's the case, you might want to release your code as an online service.

Also - keep in mind that "Legal advice" isn't necessarily "Business advice". Lawyers can't tell you how to make money, or how to build a business that survives even when people compete with you. They'll tell you how to try to prevent competition, or protect IP, but they won't tell you how to be a market leader.

As for BigCorp copying your inventions - that can obviously happen. But it's also very likely that if you can solve a problem that BigCorp is failing at, they'll simply give you an M&A offer.


Imagine where you'd be if mathematicians had a similar thought process as yours. They spend entire lifetimes inventing methods and algorithms to solve complex problems.

I think all these problems arise from the way we pretend that information is property. It is not.


> If I invoke my patent, I'm deemed "evil" because I have a patent

I don't think people have a problem with enforcing patents in general, just patent 'trolling', i.e. buying someone else's patent or patenting broad ideas.

edit: newline detection fail


I upvoted for discussion, but I actually disagree. Consider Web development as a major counterexample.


I believe there's more profit-oriented piracy of SaaS based businesses than traditional software. It's rare that someone will take an app, crack it, and start selling it under their own brand. People clone apps but in general they've remade the code entirely by looking at the software and coding their own version.

Conversely however, I do hear about companies that have taken someone's SaaS app by dumping the front-end code, and building their own backend, and releasing it with absolutely no changes to the elements they've stolen.

This may be due to my filter bubble making it so I hear more about web apps (I write web based apps) but anecdotally it does seem that SaaS is not a protection against piracy.


But I'm not talking about Web, nor music, nor video, nor games. Why are all of the comments coming from such a small world? What if you'd spent half your life developing aircraft communication just for a skript kiddie to steal it via his 1337 python skillz in half an hour? No one would care that you had filed for a patent, i.e. https://www.google.cz/patents/US8909158, because the said kiddie works for GlobaComm, which is going to use it internally to develop a multitude of their own patents and products, and not need you anyway - they have everything they needed.


mmm would you please elaborate?


You pretty much publish everything related to your job if you're a web developer. People are continually creating awesome things as web developers, despite their source code being out there for everyone to see. There isn't a "copyright violation holocaust" happening as implied by the top comment.


Well, obviously, I'm not a web developer. Nor am I a music producer, nor a film maker. As the world becomes increasingly more digital, more technologies can be expressed as code. You all like MPEG-4, but many patents are involved there, such as http://www.google.com/patents/US6092120


Should be interesting to see what webassembly does to this existing ecosystem.


Flamebait



