Todays topic was reverse engineering of android applications and also some network traffic analysis.
Android applications are packaged into bundles, called APK-files. They are standard zip-archives and can easily be unpacked to reveal the contents. The program code however is compiled into dalvik bytecode, and cannot be read directly. But the sound files and images are very easy to get.
The tool JADX can take apart APK-files and decompile the dalvik java code.
We took apart an application and unzipped it. We found some assets, sound, images and embedded LUA code. We found that it was based on the Corona 2D game engine. (A fitting name in these times…)
We also looked at a chess tactics application to see if it contained all problems or if it fetched them from a server. This application was obfuscated, all method and variable names had been changed. But we managed to find that it accessed an URL with a HTTP request to fetch new problems.
Some methods did not decompile. Instead, the disassembled bytecode was included as a comment. Dalvik bytecode is much easier to read than x86 assembler. This might be easier to work with when you start learning reverse engineering.
247CTF, network analysis
We also looked at https://247ctf.com, a webpage with challenges that are up all the time. We looked at the first challenge. It consisted of a package dump, stored in a pcap file. We first used Wireshark to look at the package dump contents.
Wireshark is very good to get a first overview of network traffic and simple data extraction. But it can be hard to use if you need to combine many packets in some way.
We used then the python module
scapy to load the packet dump file and perform more scripted data extraction.
Code example in scapy
from scapy.all import * # PcapReader creates a packet iterator from a file packets = PcapReader('filename.pcap') for p in packets: # Every packet has several layers, with different data src = p.getlayer('IP').src if src == '192.168.0.1': # The lastlayer() method takes out the innermost data, this is usually the payload data = p.lastlayer() print(data)