A little backstory to this is, someone sent me a “hack” for diablo2 and said it wasn’t working for them. Why they sent me this? I have no idea, but I figured I’d just take a look at it and see what was going on. Turns out it was a password stealer for d2 written in .Net - pretty cool looking stuff. The funny part about it all was that since this was “packed” with netz the person who sent me it couldn’t use reflector on it (and succeed) - thus why they sent it to me I guess. Anyway, let’s get down to the actual meat of the post.

Identification of netz is pretty simple - if you open up the application in Reflector, you’ll see the namespace nets. Also it will almost always be accompanied by a zip.dll, which is used for decompressing the resource. Essentially the main function we want to look at is StartApp:

public static int StartApp(string[] args)
{
    byte[] resource = GetResource("213213-2131223-2134234-234");
    if (resource == null)
    {
        throw new Exception("application data cannot be found");
    }
    int num = InvokeApp(GetAssembly(resource), args);
    resource = null;
    return num;
}

From here we can see that a resource of bytes is going to be loaded, and GetAssembly is called with it as an argument. Go dump the resource listed here into some directory, I named mine virgin.dump. GetAssembly is a pretty simple function that I’m not going to dive into, it essentially calls UnZip(byte[] data). This code is a little more interesting and is doing the most work we’re interested in, here is small snippet;

private static MemoryStream UnZip(byte[] data) {
    MemoryStream baseInputStream = null;
    MemoryStream stream2 = null;
    InflaterInputStream stream3 = null;

    baseInputStream = new MemoryStream(data);
    stream2 = new MemoryStream();
    stream3 = new InflaterInputStream(baseInputStream);
    byte[] buffer = new byte[data.Length];
    while (true)
    {
       int count = stream3.Read(buffer, 0, buffer.Length);
        if (count <= 0)
        {
           break;
        }
        stream2.Write(buffer, 0, count);
    }
    stream2.Flush();
    stream2.Seek(0L, SeekOrigin.Begin);
}

Ah, this looks familiar! In fact - thanks to Reflector it’s pretty much almost exactly Java code. All we need to do is inflate the resource and dump it to a file - there isn’t any encryption or anything special about it at all. Basically by looking at the code above, I through together a small little resource inflater:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.zip.InflaterInputStream;

public class inflater {
    public static void main(String[] args) {
        try {
            FileInputStream inStream = new FileInputStream(args[0]);
            InflaterInputStream inflaterStream = new InflaterInputStream(inStream);
            FileOutputStream outStreams = new FileOutputStream(args[0] + "_unpacked");
            for (int c = inflaterStream.read(); c != -1; c = inflaterStream.read()) {
                outStreams.write(c);
            }
            outStreams.close();
        } catch (IOException ex) {
            System.err.println(ex);
        }
    }
}

Is this anything special? No, but it worked for me and my quick little need for it. Could you use a Generic .Net unpacker? Of course, I just did this since I wasn’t running Windows and didn’t want to fire up a VM instance just to debug and dump a little .Net application. :)

Any who, it reminded me of the good old days of using ReadProcessMemory and WriteProcessMemory making quick and dirty memory hacks for Windows games. Making stuff for Diablo 2 consumed a lot of my free periods back in high school - great times! Back on topic though, it got me thinking of just dumping some sc2 memory and doing some quick memory hacks, though I never really did any of this on a mac before.

Turns out it’s also pretty easy to do some memory hacking in Mac OS X - you just need to know where to look. First of, if you found this site by googling “mac starcraft2 hacks”, then stop read — just go download “The Cheat” and use that, since it’d be easier than compiling your own program. Though basically The Cheat uses these same functions I stumbled upon.

Basically we’re going to use vm_write instead of the old WriteProcessMemory and vm_read_overwrite (or vm_read) instead of ReadProcessMemory. There’s some documentation out there but it’s pretty simple stuff to use. Below I’ve pasted an example of how easy a sc2 trainer would actually be to make;

/*
 * [ s2trainer.c ]
 * strazz@gmail.com
 * 2010
 */

#include <mach/mach.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define MINERALS 0x03200D80

int main(int ac, char **av) {
  mach_port_t sc2_task;
  kern_return_t err;
  long value = 0;

  if(ac != 2)
    return 0;

  // Make sure we're root
  if(getuid() && geteuid())
    printf("error: requires root.");

  value = atoi(av[1]);
  err = task_for_pid(mach_task_self(), value, &sc2_task); 

  if ((err != KERN_SUCCESS) || !MACH_PORT_VALID(sc2_task))
    printf("error: getting sc2 task.");

  // Write values to stack.
  if(vm_write(sc2_task, (vm_address_t) MINERALS, (vm_address_t)&value, sizeof(value)))
    printf("error writing new mineral value");

  printf("done!\n");
  return 0;
}

Is this pretty? No - it could be much prettier than this. Is this safe? For the latest patch as of today, yes - it works fine. I wouldn’t recommend running it on any other version since the offset will change and it could lead to bad things. Will it work on a window machine? Heck no - the title says MAC OS X.

Also, yes I could have tossed SC2 into vm fusion, but thats far to much work just to mess around with a game :)

Stompin` out spyware at work...

For the past year I’ve had an awesome job at Amadeus North America, working on an excellent new cutting edge product for the travel industry. It was a great learning experience, getting to delve into the world of rapid agile development and learn new tools such a Google Web Toolkit (GWT). I developed countless strong relationships with many coworkers, picking up plenty of coding ’style’ and quirks. Things that I directly contribute to my coding style today, and definitely something that I’m proud of. Most importantly, I have a real issue making code without writing unit tests (Thanks @RyanNorris!) and feel sick to my stomach if I ever try to check in code without JavaDocs. Looking back, I can honestly say I loved my time at Amadeus. The long days, even the stressful ones, helped me prepare for being a real software engineer - learning more than I ever had in school.

Then I meet the Lookout team…

“Lookout” is right, because these guys were insane. I grabbed some food with them while at a conference in San Francisco. Never in my life had I had such an awesome nerd-fest day. Conventions where always interesting, and you always meet interesting people - but these guys where real. They didn’t just talk the talk - they actually did very impressive things day in and day out. Much to my surprise, I had things to actually add to the many interesting talks the evolved through the night. Even more shocking to me, I was asked if I’d ever considered relocating to the west coast for a job.

I remember thinking, “Yikes, these guys are just being nice, it’d never happen”. I talked it over with my girlfriend the next morning after arriving on the red-eye. Lots of words where thrown back and forth using with “it’s probably never going to happen, but…” We agreed I’d go along with the process, like the many other times I’d been approached by companies. It never worked out before, so I wasn’t going to make a big deal of it, or even think of it as anything but a remote possibility.

Then came the phone interview… I always hated these things, they’re worse than face to face interviews because you can’t see the other person expressions. Are you talking to in-depth? Not in-depth enough? Does this person just not believe you? It’s just hard sometimes to gauge peoples reactions without being in the same room. I remember walking away from the phone interview thinking, “Damn… That either really sucked, or went really well.” Luckily, it went well and I got an email asking if I could come out to San Francisco for an interview. This is when everything really started to him me, could I really be getting the dream job I’ve always wanted?

To shorten this post, since I’ve already babbled along for too long - I came in for the interview and ended up doing well. Some of the most interesting interview questions I’ve ever heard where asked, like “How would you exploit this code?” from Anthony Lineberry. After the interview, I actually ended up getting an offer that blew my mind away. It was settled, there was no question in my mind that I wanted this job. My family kept reminding me, sometimes your favorite hobby isn’t the best job… Thank god that didn’t hold true :)

So I up and moved to San Francisco, got an awesome apartment with some killer roommates. Now i’ve been a part of the Lookout Mobile Security team for almost a month now. Officially I’m a “Security Response Engineer” (I know, that’s bad ass, never thought I’d have that title..) and getting to learn more and do more thing with Android and other mobile systems than I thought I’d get too. I know get to do for work, what I did in my off hours, it’s quiet possibly the greatest adventure I’ve gotten a chance to take on yet. In the short time I’ve been here I got to even goto Defcon for my first hacker convention. I got to take in tons of great talks with many smart people, and even help with some of my coworkers presentations; “App Attack: Surviving the mobile application explosion”, “These aren’t the permissions you’re looking for”.

Anyway, just figured I’d use this as a kick off post as I get back into the gear with blogging again. For now though, I’m going to get back to doing my part with this awesome team in keeping mobile safe and developers smart.

// XXX: PROTECT FROM VIKING KILLER

Below is the full snippet from the file, logwrapper.c.

void child(int argc, char* argv[]) {
    // create null terminated argv_child array
    char* argv_child[argc + 1];
    memcpy(argv_child, argv, argc * sizeof(char *));
    argv_child[argc] = NULL;

    // XXX: PROTECT FROM VIKING KILLER
    if (execvp(argv_child[0], argv_child)) {
        LOG(LOG_ERROR, "logwrapper",
            "executing %s failed: %s", argv_child[0], strerror(errno));
        exit(-1);
    }
}

I’m not sure if “Viking Killer” is an inside joke, an actual good comment or what. Though read allowed - it sounds like a badly named european adult film…

Ops? How'd that happen!?

adb shell pm disable

This will disable the package, as long as adb has root access - otherwise it will attempt to kill the process which should also gain you access. This method should also work for nearly any package you wish to disable.

The second method for getting around this lock is rebooting the phone into Safe Mode - this will prevent any applications that are not system based from starting up. This includes any malware, spyware or locking applications. The good (bad?) thing about this is that you do not need to be rooted or have adb enabled to get into Safe Mode. Safe Mode can be booted into by holding “Menu” during boot up, though googling for specific directions for your phone might yield different results.

Wait - who is john doe?!

I’ve gotten a few emails regarding my previous post, “Full Stealth” just isn’t what it used to be!, asking for a more depth on the subject. I’ve covered just about everything I found in the first posting - but I did go back and re-read the documentation provided on the web site. Looks sort of like a boo-boo on the architecture of the product.

6. After the installation completes, power down the phone. Then, power the phone back up and bring up the Dialer. Enter the digits *12345# and then press the SEND button. The login screen should then appear. Enter your username/password EXACTLY as you did when you created it. Then click LOGIN.

Wait, what?! I guess we’re really going to rely on the fact notion that this application is very secure and stealthy. Sure hope someone whose being spied on doesn’t have root and just snag the username and password. That could be embarrassing, spying on someone only to have them turn the tables on you since they now have your credentials. It honestly can’t be that hard to implement a unique identifier for these phones to send that would link them to this account, could it? Oh well, just another reason to not purchase this product :)

For anyone who is rooted and might be worried about this application, you can go ahead and add the following line to your hosts file to block their server.

http://www.mobilespylogs.com/

On a side note - keep an eye out for spyAware - it should be on the Android Market soon, a nifty little proof of concept tool I’ll be using to show how to detect/prevent abuse of your phone.

The software is loaded onto the Android device via an .apk install and Retina-X assures subscribers that it is a “full stealth install” and that once installed it cannot be detected by the user.

I wonder how this would even be done? After a quick search of their site is doesn’t look like there is a trial version available - though oddly, they do give you links to download the application… If you look close enough. Listed on their user guide they give you a run down on how exactly you install the application. I must say, for an application people must pay $99 a year for, it does not seem exceptionally user-friendly. Essentially they use a combination of Download Crutch Lite and apkInstaller to allow you to “easily” install their apk file. Once you’ve done this, you’ve now erased all tracks of this application, right? Well - not really, you just need to know where to look now.

Ok so we’ve installed the apk now, how is this thing hidden? Open up the app-draw, not there… Ok, well that would have been too easy - so I guess I’m glad it wasn’t there. Now lets goto Settings > Applications > Manage applications. Hmmm, everything looks ok - oh, wait - no it doesn’t. Looks like someone added an application called “SmartPhone”, conveniently with a default icon too. This is pictured below.

Where did this thing come from?

Alright, well - the display name could always be changed here and what if that happens? How could we detect this application? Can we do it programmatically? Of course we could, in fact it’s incredibly easy too. Since we know what that applications must retain the same package name to maintain itself with updates - can just programmatically check for this.

Sadly this image is needed for a wordpress bug...

Ta-da! We’ve successfully disproved another “stealth” application myth. I’ve also included the three lines of code needed to start the intent for uninstalling this stealth little gem of an application…

I didn't install you, but I *will* uninstall you!

Hello there, Mr. hidden skype apk

So I’ve been reading all the hype about the new Skype application released on Verizon. Sadly I neither have a droid or any friends with a rooted droid. As one would assume, the apk is located in /data/app-private so I needed access to a rooted droid to get this app… Or do I?

Silly me, I forgot all the research I had done for Market Enabler! After a friend sent me their getprop I was off spoofing my values, no more than two minutes went by and ta-da! Got myself the new Skype application.

The following setprop commands must be run to gain access to the Verizon only part of the market.

setprop gsm.sim.operator.numeric 310004
setprop gsm.operator.numeric 31000
setprop gsm.operator.alpha “Verizon Wireless”
setprop gsm.sim.operator.alpha Verizon
setprop gsm.sim.operator.iso-country us
setprop gsm.operator.iso-country us

Note that you will need to restart your Vending (Market) application to have these values take affect, you can do that by running the following commands via a terminal:

# ps | grep vending
app_5     2699  75    181176 26384 ffffffff afe0dca4 S com.android.vending
# kill 2699

Pffhh, yea right...

Determine whether it is a good time to kill, crash, or otherwise plunder the current situation for the overall long-term benefit of the world.

Below is the full snippet from the file, Watchdog.java.

    /**
     * Load the current Gservices settings for when
     * {@link #shouldWeBeBrutalLocked} will allow the brutality to happen.
     * Must not be called with the lock held.
     */
    void retrieveBrutalityAmount() {
        mMinScreenOff = (mReqMinScreenOff >= 0 ? mReqMinScreenOff
                : Settings.Gservices.getInt(
                mResolver, Settings.Gservices.MEMCHECK_MIN_SCREEN_OFF,
                MEMCHECK_DEFAULT_MIN_SCREEN_OFF)) * 1000;
        mMinAlarm = (mReqMinNextAlarm >= 0 ? mReqMinNextAlarm
                : Settings.Gservices.getInt(
                mResolver, Settings.Gservices.MEMCHECK_MIN_ALARM,
                MEMCHECK_DEFAULT_MIN_ALARM)) * 1000;
    }

    /**
     * Determine whether it is a good time to kill, crash, or otherwise
     * plunder the current situation for the overall long-term benefit of
     * the world.
     *
     * @param curTime The current system time.
     * @return Returns null if this is a good time, else a String with the
     * text of why it is not a good time.
     */
    String shouldWeBeBrutalLocked(long curTime) {
        if (mBattery == null || !mBattery.isPowered()) {
            return "battery";
        }

        if (mMinScreenOff >= 0 && (mPower == null ||
                mPower.timeSinceScreenOn() < mMinScreenOff)) {
            return "screen";
        }

        if (mMinAlarm >= 0 && (mAlarm == null ||
                mAlarm.timeToNextAlarm() < mMinAlarm)) {
            return "alarm";
        }

        return null;
    }

Just some mild humor to lighten up the day is always nice :)

Make money, money...

It’s been a while since I’ve posted any article, sadly between work, contracts after work, spam, having a life and volleyball I don’t have much time to spend on my blog. Research is still going strong - but very little has trickled out from me over the past few months.

Something I’d like to finally post has come to my attention. Approximately a year ago when I first started looking into the mobile ad networks, I thought of something sinister. While I never intend to do anything evil, since I’m always looking for ways to protect myself, my first thoughts always seem to be, “how do I abuse this?” It all started when people started trying to think of ways to monetize their application. Do we charge up front, or do we try to make a few bucks off a huge user-base using ads?

My first question is, how are the ads secured? Much like other applications that are tracked by application, most use a “application id” or “publisher id”. This is a super-secret code that is used for identifying traffic from you, right? Alright, well unlike a website advertisement, which has a referrer - mobile ads have no actual way to differentiate traffic other than this “unique” id.

So what? Whats the issue with that? Well, there is a big issue with this. There is a coined term, “adjacking”, that essentially means “falsified” clicks. Originally this term meant you hijacked the javascript of google adsense, and made a click anywhere on your website appear to be a click on your adsense ad. Though, I’m “word-jacking” this term, because I feel my definition is a little more appropriate. Essentially, with the ability to easily decompile/modify an apk file - someone can quiet easily steal your ad traffic, this hi-jacking your ads… Adjacking.

Is this something new? No - but beware of it. I’ve had this article lying around for a bit, more uninterested in publishing for the idea that people would actually attempt to do this if I brought it up. Upon first writing this, I quickly made a program that attempted to make a database of signatures of programs. This program downloaded legit (free) applications and grabbed the signature from the META-INF folder of the apk. Then it attempted to find versions available for download on the internet…. For the most part, the version where always the same - with a rare instance of someone resigning it with little modification to the file, often to help localize it. Though now, I’ve seen and heard of an increase of people downloading their application, replacing the ID in the apk, and replacing it with their own.

Protection from adjacking?

What to do about this? Well, hopefully the ad networks figure something out, though I’m not sure they honestly care much. I’ve sent emails to a few of the big providers with no responses and a few “we’ll look into it” replies. I don’t see a big downside for them - maybe if more people complain they’ll get the hint. I’m sure right now they’ll just get the traffic, for traffic’s sake. Most applications that have been modified probably don’t drive in much or take away much from other people. Though if they do, they could “act” upon these and actually shut people down… Will the correct developer ever see this money? Probably not… Though if your try hard enough you might see something.

The sad part is, most of the people modifying the applications are now no better than a scripting kiddie. There are enough tools available now to make this an easy job. Maybe if people start looking into this, these people will be rooted out - since they must fill in “legit” information to open an account.

Anyways, I’ve been looking at some protection schemes for this, hopefully I’ll have time to post some soon. I’ll post a little tutorial on obfuscating (manually) your adsense/admob/blah code to protect yourself :)