Android Reverse Engineering and Network analysis

Todays topic was reverse engineering of android applications and also some network traffic analysis.

Android applications

Android applications are packaged into bundles, called APK-files. They are standard zip-archives and can easily be unpacked to reveal the contents. The program code however is compiled into dalvik bytecode, and cannot be read directly. But the sound files and images are very easy to get.

JADX

The tool JADX can take apart APK-files and decompile the dalvik java code.

https://github.com/skylot/jadx/releases/

We took apart an application and unzipped it. We found some assets, sound, images and embedded LUA code. We found that it was based on the Corona 2D game engine. (A fitting name in these times…)

We also looked at a chess tactics application to see if it contained all problems or if it fetched them from a server. This application was obfuscated, all method and variable names had been changed. But we managed to find that it accessed an URL with a HTTP request to fetch new problems.

Some methods did not decompile. Instead, the disassembled bytecode was included as a comment. Dalvik bytecode is much easier to read than x86 assembler. This might be easier to work with when you start learning reverse engineering.

247CTF, network analysis

We also looked at https://247ctf.com, a webpage with challenges that are up all the time. We looked at the first challenge. It consisted of a package dump, stored in a pcap file. We first used Wireshark to look at the package dump contents.

Wireshark is very good to get a first overview of network traffic and simple data extraction. But it can be hard to use if you need to combine many packets in some way.

We used then the python module scapy to load the packet dump file and perform more scripted data extraction.

Code example in scapy

from scapy.all import *

# PcapReader creates a packet iterator from a file
packets = PcapReader('filename.pcap')

for p in packets:

    # Every packet has several layers, with different data
    src = p.getlayer('IP').src

    if src == '192.168.0.1':
        # The lastlayer() method takes out the innermost data, this is usually the payload
        data = p.lastlayer()
        print(data)