5) Using the static analysis data and decoding some intercepted network traffic
Here is a practical example of using this data gathered from static analysis. It’s a bit game specific but can be abstracted to other situations you may encounter. I will try to avoid going too deep into a tutorial because again, you can just google the specifics and this post would be even longer if I got into that.
For this section, I am going to use a tool called Burp Suite (installed on my computer) to intercept WiFi traffic from my phone. Note that this method may fail due to various reasons, one of which is if the app does certificate pinning which you will have to bypass by modifying the .apk or by other means – do some google fu if you need to for your use case.
Setup:
I don’t want to get too deep here, but I will briefly explain the general process. Feel free to google Android + Burp Suite and you’ll figure it out. These steps are
documented elsewhere, but I wanted to provide a few steps outlining the process to provide clarity if you get stuck.
Note that you will need to re-download the Burp Suite certificate as you change networks or restart Burp Suite. Just be aware if things aren’t working, you may want to try re-downloading the certificate and install it.
1. First, download Burp Suite (obviously).
2. Second, You’ll want to disable the Interceptor for now so setting up the proxy doesn’t stop traffic. From the (a) proxy tab, (b) disable the ‘Intercept’ button
Create a new proxy listener. This can be done by (a) going to the proxy tab, (b) options, (c) add, (d) bind to an unused port and select ‘All Interfaces’, then click Ok.
3. Third, get the ip address of your computer running Burp Suite (e.g. using ‘ip addr/ifconfig’ on Linux or ‘ipconfig’ on windows terminal looking for inet/IPv4 parameters, respectively).
4. Fourth, you’re gonna want to open that port on your router because it’s probably not going to be open by default. Look up your router information on how to do this from the Admin web interface of your router. I suppose you may need to open ports on your device firewall such as with the command ‘ufw’ on ubuntu or through the windows defender firewall on windows. Make sure your inbound/outbound rules are configured appropriately on each device. (you only need to do this once per router/device)
5. Fifth, configure the target WiFi network settings on the android device to ‘Manual’ proxy mode and set the ip address of your host machine and port you specified using Burp Suite – it’s in the advanced settings of your current network settings (settings for the current target SSID)… I hope that makes sense because there is another network settings page we will use shortly to install a certificate. Google will help you configure a proxy on your android device if needed. I’ve provided a screenshot below of the proper settings button to provide clarity.
6. Sixth, from the android device, go to
http://burp and download the CA Certificate on the top right.
7. Seventh, open an android app such as ‘EX File Manager’ or ‘FX File Manager’ because we are going to have to rename the certificate that was just downloaded. It is downloaded as a .der, but you need to rename it as a .crt or a .cer for Android to recognize it.
8. Eighth, from the Android device, you should now go into the Advanced WiFi settings (not the settings of the current SSID) and ‘Install network certificates’, select the downloaded certificate and name it whatever you want.
Great, you can now test going to a page like test.com on the Android device and check the HTTP History tab in Burp Suite to ensure you are capturing traffic.
Check the Proxy > HTTP History tabs. In this example I went to blah.com on my android device. Note that some sites that require HTTPS may not work because Chrome, Firefox, and potentially other browsers validate certificates with built in good/bad certificate lists due to past exploitation. You’ll get a warning message to proceed and at best it’s just extra clicks. Here, blah.com was a quick way to test.
Now that we have a proxy on our network traffic, you can play the game and notice a few calls being made to different servers. One is much more strongly obfuscated than the other. For this instance, we are going to look at the network traffic with base64 encoded payloads.
Using methods described earlier, I found an interesting file You’ll notice a file called MRGS Define which contains a few keys in the form of byte[] and a function to convert them to a String. Encript is spelt with an ‘i’ here.. tricky tricky.
Using previous techniques, we can now grep through the code base to quickly find interesting files with this function call.
Where we land into another file with a decode function. It gets a bit deeper, only in the sense that there are some decode functions to call other decode functions. I’m not going to post another bunch of screenshots, but I would like to illustrate a few more points.
Mainly that we can take these decode functions and pull them out into our own java project. Creating out own program.java with a typical java structure
Code:
public static void main(String args[]) {
… EXTRACTED DECODE FUNCTIONS AND KEYS …
}
With the Java Runtime Environment installed, you can compile and run this code from the command line:
Code:
## Important note: my file is called program.java
# compile the program
javac program.java
# run the program
java program
We can now run some code locally and try to understand what is going on. Take note that this code comes from not only a decompiled source, but it is also an Android device with access to Android SDKs. One key and common example is the base64 library. Android seems to use android.util.Base64 which has different syntax from the typical java.util.Base64 package.
To get around this, you can either try to convert your code or maybe even download Android Studio, install a virtual android image, create from the template with one button, and hook that button to a function where you run your code and Log.d code to the debug console. I won’t get into that process, but that’s what worked for me for trying to run the Android SDK code when things started getting a bit more complex and I was attempting to understand how it all worked. For instance, there are more encrypted payloads being sent to severs and I spent some time trying to serialize that crazy Unicode into Android Java objects such as Parcelable objects.
The end result of all this is we can intercept traffic from this source and decode the base64 given the proper encryption key.
Base64 from a server response, captured in Burp Suite:
Code:
OOSiN+qRISyRbVuBavlaWIz5R1/NmHVYskxkRgql+D4eMEhpBRmN5bhrACFnUrpuyR/9uXjFv+QvfT5yIUd5uhhwdKP3I8iiQ/4MdpDOoSI=
You’ll notice standard base64 decoding results in gibberish:
But our local java program with the proper keys and decryption algorithm:
Hurray for symmetric keys!!
In this game, this doesn’t do much for us, but perhaps it will be more useful in another game. The rest of the traffic is not decoded with this algorithm, it looks more like this and is encoded somewhere in the game logic, deeper than the .smali code. It looks something like this (screenshot below), and after much effort trying to deserialize or find some other encryption method (even going down to a Huffman encoding schema I found in the okio library because all responses started with a 1 in their binary representation), it is clear this encoding was probably done in the .so binary layer.