
How I defeated an anti-tamper APK with some Python and a homemade Smali emulator - evilsocket
http://www.evilsocket.net/2016/04/18/how-i-defeated-an-obfuscated-and-anti-tamper-apk-with-some-python-and-a-home-made-smali-emulator/#.VxRu3snMomQ.hackernews
======
dkopi
My highlights after reading this: 0. Really impressive work.

1. Great link with the Dalvik opcodes manual:
[http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)

This came up with a Google search:
[https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html](https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html)

2. If you run into obfuscated smali filenames in the APK, a simple
search-and-replace will help you rename the files.

3. Instead of trying to understand the proprietary encryption/decryption,
just run the decryption code without understanding it.

4. OP created a smali emulator for this task (#3), supporting only a small
subset of Dalvik instructions, which means that, for now, the emulator can be
defeated by using as many Dalvik opcodes as possible in your
encryption/decryption code. A simple check-cast, for example (throw a
ClassCastException if the reference in the given register cannot be cast to
the indicated type), can break the emulator.

5. Being written in Python, relying heavily on regular expressions and
without many algorithmic improvements (the opcode lookup, for example, is a for
loop instead of a lookup table), there's a lot of room to improve the
emulator's performance, but this is an incredible first step.

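As an added illustration of points 4 and 5 (example code written for this thread, not taken from the post or from evilsocket's emulator): a minimal Smali interpreter that dispatches opcodes through a dict instead of a for loop, runs a constructed XOR string-decryption loop, and raises on any opcode it has no handler for, such as check-cast. The handler names, the register layout and the sample routine are all assumptions made for the example.

```python
class UnsupportedOpcode(Exception): pass  # any opcode with no handler, e.g. check-cast
RETURN = object()                         # sentinel a handler returns to end the method
# Handlers take (regs, operands) and return None, a ":label" to branch to, or RETURN.
def _const(r, o):    r[o[0]] = int(o[1], 0)            # Smali literals: 0x2a, 7, -1
def _arrlen(r, o):   r[o[0]] = len(r[o[1]])
def _aget(r, o):     r[o[0]] = r[o[1]][r[o[2]]]
def _aput(r, o):     r[o[1]][r[o[2]]] = r[o[0]] & 0xFF
def _xor_lit8(r, o): r[o[0]] = r[o[1]] ^ int(o[2], 0)
def _add_lit8(r, o): r[o[0]] = r[o[1]] + int(o[2], 0)
def _if_ge(r, o):    return o[2] if r[o[0]] >= r[o[1]] else None
def _goto(r, o):     return o[0]
def _return(r, o):   r["ret"] = r[o[0]]; return RETURN
# Supporting one more Dalvik opcode means adding one entry here (constructed subset).
HANDLERS = {"const/4": _const, "const/16": _const, "array-length": _arrlen,
            "aget-byte": _aget, "aput-byte": _aput, "xor-int/lit8": _xor_lit8,
            "add-int/lit8": _add_lit8, "if-ge": _if_ge, "goto": _goto,
            "return-object": _return}

def emulate(smali, regs):
    """Run a Smali method body against a register dict; return the method result."""
    pc, code, labels = 0, [], {}          # a label maps to the next instruction index
    for ln in (ln.split("#", 1)[0].strip() for ln in smali.splitlines()):
        if ln.startswith(":"):
            labels[ln] = len(code)
        elif ln:
            code.append(ln)
    while pc < len(code):
        op, _, rest = code[pc].partition(" ")
        handler = HANDLERS.get(op)        # dict lookup rather than a for loop over opcodes
        if handler is None:
            raise UnsupportedOpcode(f"{op} at instruction {pc}")
        target = handler(regs, [t.strip() for t in rest.split(",")])
        if target is RETURN:
            return regs["ret"]
        pc = labels[target] if target else pc + 1

# Constructed decryption loop of the kind an obfuscator emits: XOR each byte in v3 with 0x2a.
DECRYPT = """
    const/4 v0, 0x0
    array-length v1, v3
:loop
    if-ge v0, v1, :done
    aget-byte v2, v3, v0
    xor-int/lit8 v2, v2, 0x2a
    aput-byte v2, v3, v0
    add-int/lit8 v0, v0, 0x1
    goto :loop
:done
    return-object v3
"""
```

Calling `bytes(emulate(DECRYPT, {"v3": bytearray(blob)}))` recovers the plaintext, while feeding in a routine that starts with `check-cast` raises UnsupportedOpcode immediately.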
~~~
kanzure
> Instead of trying to understand the proprietary encryption/decryption, just
> run the decryption code without understanding it.

When I have encountered this sort of problem in the past, I would drop the
encryption module into another Android app and directly call the functions. I
would then run the other Android app on a phone or Android emulator. Custom
emulation seems unnecessary for most cases.

~~~
calebfenton
shameless plug: this is basically what dex-oracle does
[https://github.com/CalebFenton/dex-oracle](https://github.com/CalebFenton/dex-oracle)

It has modules which look for patterns in code. Then you can tell it to run
some method from the original app to understand what the code should be. Then,
you can replace the obfuscated code with whatever you computed.

------
unlinker
Seriously, it's 2016, stop it with the memes.

~~~
calebfenton
maybe you could make a chrome extension which blocks all forms of fun and
frivolity. you could just hide images from various meme sites, maybe do some
checksum comparisons?

~~~
unlinker
I don't have anything against fun things, but seeing the same memes we have
all seen every day for years now is not really funny.

~~~
calebfenton
on one hand, I completely agree with you. on the other hand, i've had to make
presentations and talks and the stuff just looks so dry and boring and people
respond surprisingly well to old jokes. if you don't include any sort of lulz
they just sit there thinking they're learning, but if you mix in a few memes,
it helps wake them up and they start to pay attention.

------
tyingq
Reminds me of the reverse engineering of the Dropbox client:
[https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf](https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf)

------
kuschku
It’s always funny how large developers – say, Google – still try to obfuscate
their code when it’s so easy to reverse.

Even better, as in many legislations a derivative of manually deobfuscated code
does not count as a derivative of the original source, they practically even
give up their copyright on their code.

I’m surprised that this still happens. By now anyone should know that if you
can run a piece of code, you can decompile, deobfuscate, and understand it.
DRM and obfuscation only work to waste a week or two of the time of the person
taking it apart.

~~~
jmnicolas
> DRM and obfuscation only work to waste a week or two of the time of the
> person taking it apart.

I remember reading an article featured here that the latest PC video game
needed something like 6 months to be cracked and the crackers (Chinese, I
think) almost abandoned it.

Will try to find the link.

~~~
ryanlol
This is true, but it's primarily due to the fact that highly skilled reversers
aren't really producing cracks anymore.

~~~
penagwin
If the skilled reversers stopped producing cracks, isn't that the same thing?
:P

~~~
ryanlol
Sure, but it's still noteworthy that this isn't due to DRM suddenly becoming
better.

------
ultramancool
Guessing this is most likely just some commercial obfuscator - are there not
generic deobfuscators in Java or Android land?

I know several for .NET including SimpleAssemblyExplorer and De4Dot (though
de4dot also includes several specific deobs).

EDIT: Looking around you might try something like
[https://github.com/CalebFenton/simplify](https://github.com/CalebFenton/simplify)
or [https://github.com/contra/JMD](https://github.com/contra/JMD) after
converting with dex2jar or similar.

------
marcelftw
They should have used JEB and saved some time.

[https://www.pnfsoftware.com/](https://www.pnfsoftware.com/)

(not my product)

~~~
evilsocket
maybe I tried and it didn't work?

~~~
StavrosK
Did you? :P

------
abpavel
This stomps on motivation to develop any novel code, because for all the
years of hard work you put into R&D, there will always be a lot of people who
are just waiting for something to slip through your fingers, so they can steal
it and call it theirs.

~~~
viraptor
Just like continuously breaking all the DRMs stopped any new movies from being
produced, right?

~~~
golergka
Not blockbuster movies, no. But all the small indie games (not the indie
superhits you hear about!) for iOS, Android and PC typically have 10x, 100x
more downloads on torrents than purchases. Same goes for small label releases
on Beatport, Bandcamp and Juno: they get hundreds of individual sales on those
sites after the tracks are out on trackers. Don't know about movies, though;
but in the industries I'm familiar with, it's the little guys who get screwed
mostly, not the big ones.

~~~
viraptor
You just agreed with the fact that the motivation to produce new code didn't
die - indie games have to be written in the first place to end up on torrent
sites. Breaking the DRM and torrenting does not stop people from writing new
ones.

Regarding the ratio of purchases/downloads, the argument goes back to the
usual questions: 1) if the torrents didn't exist, how would the number of
purchases change (i.e. are those lost sales, or were they never potential
sales to begin with); and 2) what's the promotion channel for indie bands? I
purchased a lot of music because I heard about it from someone who had a
pirated copy. Now at least we've got Spotify discovery, Google music tailored
radios, etc. working for us, but it's still not a lot.

~~~
golergka
1) Judging by the experience of many friends in the game industry, the moment
a non-free game appears on torrents, sales go down.

2) For the mass audience, streaming solutions (99% of that being YouTube)
have completely replaced piracy. However, if you noticed, I'm not talking
about the mass audience; it stopped buying music anyway. I'm talking about
Beatport and Juno, shops especially targeted at DJs, who have very different
purchasing patterns, and usually different ways of learning about music as
well. A significant part of modern electronic music labels have stopped doing
digital releases altogether, going vinyl-only, and piracy is one of the main
reasons.

~~~
Ntrails
> 1) Judging by experience of many friends in game industry, the moment a
> non-free game appears on torrents, sales go down

In the case of most games, sales are steadily decreasing over time anyway - so
it'd need to be a pretty marked step down to remove the possibility that
they're simply following trend. It'd be interesting trying to account for that
in an analysis.

Anecdotally, I have several friends who torrent games by default - but they
legitimately wouldn't buy anyway (to quote "lol at buying videogames in the
year of our lord 2016").

