Welcome to the new video of Android Security and Exploitation by Pentester Academy. My name is Aditya and I am your course instructor for this entire training series. So, in the last few videos we have gone through how you can debug and hook into the various API methods and calls of your application and basically analyze what the application is doing, what kind of methods it is calling, what the different arguments are, and all these different kinds of things. But one of the problems is, even if you are able to analyze the application and maybe you can modify some of the variables, how do you make these changes permanent? So, in those particular situations, the debugging and hooking which we have done so far will not be that useful. One of the ways in which you can actually do it is by patching the application by reverse engineering and then adding your changes and recompiling them back. But it is often too time consuming and it's really, really complicated in some of the cases. So, one of the really good alternatives which we have over here is that we can use something called Cydia Substrate, as well as another framework called Xposed, in order to make permanent changes to the application. So for this particular video we'll go through how you can make changes for your application, or basically patch your application, without doing any APK modification, using Cydia Substrate.
Now, Cydia is a platform for customizing your applications. So, Cydia is written by the guy Jay Freeman, who is also known as Saurik, and he has written a great bunch of software for iOS jailbreaking and all these kinds of things. So, Cydia and Android, or Cydia Substrate and Android, provides you with an API with which you can hook into an application's methods and API calls, and from there you can simply change the behavior of the application, and it's really simple to do that. So, for this particular situation we'll take the example of an application called Listlock, which was written by the team at GDS Security, and you can basically download the application as well as the bypass at this GitHub URL. So, once you have downloaded the application, you can then go ahead and install it. So, let me just install the application real quick.

So, let me first see if I have the device connected. I'll just connect my Genymotion over here, which is 57.101. Then, I can go ahead and install the Listlock.apk. Let me first locate the Listlock.apk. Or I can simply download it from GitHub, which will be much more convenient. Great. So, now I have the Listlock.apk over here and I can simply go ahead and install it.

So, this is how the application looks, which says that the list is currently locked, and we don't know the password obviously. So, let's try with any random password.
All right, it simply refuses to unlock the application. So, what we can do here is we can try to reverse the application and figure out which method is responsible for authenticating the user. So, we can use dex2jar in order to reverse the application. Once dex2jar has successfully converted it to a jar, you can simply use jd-gui in order to view the jar.

So, if you look over here, the package name is com.historypeats.listlock. If we go inside the classes there is an Authenticate class over here, and inside the Authenticate class you see an interesting method that is called validatePassword, and if you look closely, it's simply taking in two arguments, or one argument in this case, which is the input. Most probably the input which the user has supplied, and validating it against the actual password. So, this is how the application looks and this is how the application is authenticating the user. So now we can go ahead and try to bypass this using Cydia Substrate, but before actually doing it we need to get ourselves familiar with the Cydia Substrate API so that we can write our own module on top of Cydia Substrate. So one of the most important things in Cydia Substrate is MS.hookClassLoad, which basically notifies you whenever a particular class, or particular application class, gets active. So unlike iOS, in Java or in Android the classes are not active all the time.
So once the class gets activated, then you can hook into it and basically change all the input variables, or basically even change the return value. So you can use MS.hookClassLoad to notify you whenever the class gets active, and once you know that the class is active, you can use MS.hookMethod to make all the changes. And you can simply have a look at the Cydia API by going to the Cydia Substrate API webpage, and... So you can check out MS.hookClassLoad, MS.hookMethod, what they actually do. This is kind of broken. Anyways, so coming back. So, Cydia Substrate API: you can use MS.hookClassLoad to basically tell Cydia that this is the method and this is the class that you are looking for, and once that class and method gets activated, it will simply let you know. Here you can make all the changes, whichever you want. So we have reversed the application, we have identified the method responsible for validating the password, but how do we actually make the authentication successful? The answer lies in the application source code itself. So if you look over here, it says public boolean validatePassword. This means that the return type is boolean, which simply means that if the user has successfully entered the correct password, it will simply return true, and if the user hasn't inputted a correct password, it will return false.
So all we need to do is change the return value to be true no matter what the user has entered. Simply start up my Eclipse, which is the IDE for Android application development. I have a ListBypass project already created over here, which, if you get to ListBypass, basically it's the VI SRC, gdsecurity, listbypass.java. Excuse me. So if you look over here, we have mentioned the class name and we are using MS.hookClassLoad to see when the class gets activated, and we've also mentioned the method name, which is validatePassword, and if the class and method match, that it is currently loaded, it further goes ahead and uses MS.hookMethod in order to change some of the components. So what it does is it changes the original return value with a new return value which is true. So, no matter what the original return value is, the new return value will be used in this particular case, and that is returning true all the time. You can simply... run this application.

Let's make sure that we have Genymotion connected, which it is. Install it. So if you notice over here, the Substrate extensions have updated. So, all you need to do is drag down the top navigation bar and click on the Substrate extensions, and then you simply restart system (soft), which will allow Cydia to add all the extensions to the Android system.
And now if you go to ListLock, let's try to enter any password and click unlock, and you have the application unlocked. Also you can check it in the logcat. So if you do adb logcat, you'll see that the class was loaded, the method was hooked, and the original return value was false because we didn't enter the correct password. But Cydia actually went ahead and changed the return value to true, and that is why we were able to authenticate ourselves. So this is how we can basically change or modify the application behavior using Cydia Substrate, and it is really one of the most interesting things which you can do in Android. So that's all for this video. I hope you liked the video, and if you have any feedback and queries, feel free to drop me a mail at adi@attify.com. You can also tweet out to me @adi1391. Thanks for watching the video.
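The Substrate module the video walks through (MS.hookClassLoad on the Authenticate class, then MS.hookMethod replacing the return value of validatePassword), written out as an added example; this is not the ListBypass code from the GDS Security repository. It assumes the method signature is `public boolean validatePassword(String input)` (the video only says "the input"), that the package name `com.example.listbypass` is a placeholder, and that the `Main` class is registered in AndroidManifest.xml as the `com.saurik.substrate.main` meta-data value with the `cydia.permission.SUBSTRATE` permission requested.

```java
// Added example: a Cydia Substrate module that hooks Authenticate.validatePassword()
// in the ListLock training app and forces it to return true, as described in the video.
// Assumed: validatePassword takes a single String argument.
// Assumed: this class is named in AndroidManifest.xml as the com.saurik.substrate.main
// meta-data value, and the manifest requests cydia.permission.SUBSTRATE.
package com.example.listbypass;  // hypothetical package name

import java.lang.reflect.Method;
import android.util.Log;
import com.saurik.substrate.MS;

public class Main {
    private static final String TAG = "ListBypass";

    // Substrate calls initialize() once when the extension is loaded (after the soft restart).
    static void initialize() {
        // Step 1: ask Substrate to notify us when the target class becomes active,
        // because on Android the class is not loaded until the app uses it.
        MS.hookClassLoad("com.historypeats.listlock.Authenticate", new MS.ClassLoadHook() {
            public void classLoaded(Class<?> authenticate) {
                Log.i(TAG, "Authenticate class loaded");
                Method validatePassword;
                try {
                    validatePassword = authenticate.getMethod("validatePassword", String.class);
                } catch (NoSuchMethodException e) {
                    Log.e(TAG, "validatePassword(String) not found; app may have changed", e);
                    return;
                }
                // Step 2: alter the method. invoke() runs the real check so the original
                // result can be logged (this is what shows up in adb logcat), and the
                // alteration then returns true regardless of that result.
                MS.hookMethod(authenticate, validatePassword,
                        new MS.MethodAlteration<Object, Boolean>() {
                    public Boolean invoked(Object self, Object... args) throws Throwable {
                        Boolean original = invoke(self, args);
                        Log.i(TAG, "original return value: " + original + ", returning true");
                        return Boolean.TRUE;
                    }
                });
                Log.i(TAG, "validatePassword hooked");
            }
        });
    }
}
```

For a developer, the takeaway is that a boolean check evaluated on the device, like this one, can be overridden by any hooking framework, so a real access decision should be enforced by a server or depend on a secret the device does not hold.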