Tonight there was a great meet up at the Lookout HQ, Mobile Security and Privacy - got to meet a bunch of really smart mobile developers. The topic at hand was one close to me, reverse engineering Android applications. The concept was to show developers how easy it is to do and to help them understand how an attacker might see their code. Along with showcasing the normal tools people use in their day to day lives one of my coworkers, Emil, gave a great little presentation on the overview of how reversing is done for Android. After the demonstration, Emil had some prepared crackmes for people to try, most of the engineers did surprisingly well for not having reversed anything before!
After talking with a few people who where asking about reversing, I completely forgot that I’ve never really mentioned 010 Editor. This is by far one of the best hex editors I’ve ever used, with an excellent ability to use templates. One of the best parts is, a little over half a year ago, they came out with a fully native OSX client. On top of that Jon Larimer has created a DEX template for it available on his github. This is definitely a great way to visualize a dex file and help look for anomalies in them.
Recently I’ve actually submitted some pull requests which Jon has accepted to better parse the dex files. They should be able to parse the latest dex files generated by the jellybean toolkit and even handle some “oddities” that I’ll be releasing at my BlackHat 2012 talk.
Along my route for completing my BlackHat talk, Dex Education: Practicing Safe Dex, I finally updated the smali mode for emacs. It’s available on my github page. It should have color parsing for just about all the elements available inside a smali file - along with the newer jumbo opcodes.
Around the same time as my presentation at BlackHat, I’ll be posting the slides and proof of concepts to my github. So check back soon for some interesting way to break (and fix) disassembly/decompilation tools for Android.