Hello all and welcome to the new video of Android Security and Exploitation by Pentester Academy. My name is Aditya and I'm your course instructor for this training series. So, this course is being run on http://PentesterAcademy.com and you can also check out the certifications at http://securitytube-training.com. So, in the previous video we actually had a look at how we can bypass the ListLock application authentication using the Cydia Substrate API, and it was really convenient to use Cydia Substrate and hook into the method which was responsible for authentication and simply return a Boolean true in order to validate ourselves. So in this particular video, we are going to achieve the same goal but with a different framework, in this case one that is called Xposed. So, Xposed is a framework which is used for modifying system and application behavior. It is written by an XDA developer member called rovo89, and there are a lot of similarities between Xposed and Cydia Substrate. There are a couple of differences as well, which you can check out at this particular URL. The way in which Xposed works is, whenever you install Xposed, it copies itself into /system/bin and basically launches itself at the time of system boot. Once it launches, it adds a couple of additional jars at these respective places in order to make all those changes.
So, for this video we will use the same application, ListLock, and we'll proceed in a different way in order to authenticate ourselves. Instead of simply changing the return values, we will change the variables over here. So, if we go to the VM, inside APIHooking/Cydia, we have the ListLock apk. If we look over here, if we look in the dex2jar output, what we are trying to achieve here is we are going to make these two variables, which are the input string and the password of the actual application, the same. So, we are going to make both of them the same, and then the validate password method will get called and we will basically get authenticated. So, the way to write Xposed modules is really straightforward and you can check out the development guide over here. Then check out the XposedBridge Wiki and basically get started by creating a sample application. So in order to use the Xposed framework, you first have to install Xposed. Let's go ahead and install the Xposed application. So adb install... Connect. So this application is already installed on my device, but all you need to do is simply install the apk and you have the installer over here. Once you have installed the application, you just need to go to Framework and click on Install.
So once you have installed Xposed successfully, you can go to Modules and you can notice that there are no Xposed modules currently installed, and this is because we haven't installed any of the modules so far. So we'll write a custom module for Xposed which will help us bypass the ListLock authentication. Let's go to Eclipse and write our own custom module. In order to write the custom module, you need to go through the Wiki guide of Xposed on how to use the API in order to basically hook into a method and modify some of the variables. So one of the things which are important over here in the API is handleLoadPackage, which simply notifies you when a package has been loaded. Now if you notice, this is quite similar to the Cydia Substrate MS.hookClassLoad. So there are a lot of similarities between Xposed and Cydia which you'll figure out as you start using both of them. After handleLoadPackage, once you have been notified that a package has been loaded, you can use findAndHookMethod to simply identify that this is the method you want to hook into and use it to hook into that particular method. Then you can simply use beforeHookedMethod and afterHookedMethod in order to manipulate the parameters and change what the function or the method actually returns. So this is how the overall structure looks.
So first of all beforeHookedMethod will get loaded, then you have the original method get loaded, and then afterHookedMethod. So you can change some of the variables in the beforeHookedMethod which will then be used in the original method. So that's what we'll do now. So we'll identify the package name. We'll figure out what's the method we want to hook into. We will write the beforeHookedMethod and inside that we will change the variables so that both the variables actually match each other. So whenever it tries to validate a password, both the password, or both the user input and the actual password, turn out to be the same value. And once that is done, you will have the authentication granted. So this is how the overall architecture looks. If you go to Eclipse... we have the BypassValidation over here which is using the XposedBridge API. If you look in the source code, you have the package name, which is com.historypeats.listluck, and then you are using findAndHookMethod specifying the class name, authenticate, and the method name, validate password. Then we're using beforeHookedMethod and specifying that param.args[1] = param.args[0], which is basically making both the values the same. Then once that is done, we are simply adding a bunch of logging statements just for our convenience. So let's go ahead and install this application.
And once you do that, you see that you have a module installed over here. Now in order to install this module, you need to restart your device. So I'll simply close this and restart the device. Also at the same time, let's do an adb logcat so that we keep track of whatever is happening. adb logcat, and probably go back to Genymotion, and if we notice in Xposed modules that we have BypassValidation activated, we come back to ListLock and enter test123 and click on Unlock. If you notice, Xposed is showing you the previous argument, which is test123, and the actual password, C@ntSeeMyList, and after hooking it changes both of the arguments to be the same as test123. If you notice, you have the authentication granted over here. So this is how Xposed works and this is one of the other ways in which you can hook into methods and basically change the return values and some of the variables as well. So that's all for this video and if you have any feedback or queries, feel free to write out to me at adi@attify.com or you can tweet to me @adi1391. Thank you.