Sunday, June 30, 2013

One year after: end of the Magnificent 7 project!


It has been a year already since the start of the Magnificent 7 program!

So what happened during this year?

We added some features to enhance your analyses, such as:
  • ARM support to analyze binaries/shared libraries;
  • the possibility to have a graphical view of the application you are working on;
  • the support of sessions, so that you can save / restore the state of your analysis. Annotations of methods/instructions are supported too! (You can share a commented analysis with your colleagues.)
  • the ability to rename classes, methods and fields of an application. It is useful when you deal with an obfuscated sample and you want to "clean the code" a little;
  • the support of diffing/similarity tools for Android applications.
We also improved the support of the AXML format and added support for the ARSC format.
We built the DAD (DAD is A Decompiler) decompiler, which works directly on the dex bytecode and does not use a third-party tool such as Dex2jar. It can be used with the interactive shell / the Sublime Text GUI or as a stand-alone app.

We have also provided a plugin to have a GUI built on the Sublime Text editor.

Some other changes were made too, such as a new algorithm to parse a dex file and the possibility to start the disassembly at a specified offset in a file.

Interested? You can download the latest version here or clone the repository.

Want to contribute? You can send us bug reports (or fixes! we'll accept them with pleasure :)) here.
You can also submit your scripts to the community!

Thanks to Rapid7 and their Magnificent7 program. We really appreciate seeing a company support open-source security software!


The Androguard team 

Wednesday, December 5, 2012

Androguard 1.9

Hi folks !

After the PacSec conference in Tokyo, we finished a few things for a new version, and it is time to release it!

We fixed a lot of things: bugs in the auto analysis, useless dependencies removed, and new tools from an external contributor (thx Axelle) such as "androdis.py", which can disassemble Dalvik bytecode starting at a specific offset (interesting when an application has hidden bytecode). We improved the decompiler too; please check our PacSec slides.

We improved the AXML format support, and added the ARSC format to analyse resources.arsc files ("androarsc.py" tool).

But one of the best features of this release is the beta plugin for the Sublime Text editor. I know that Sublime Text is not open source, but I'm using it every day, and the plugin support is awesome. You can copy the archive into the Packages directory, and after that you can open APK/DEX/ODEX/AXML/ARSC files. You can click on a specific class/method/field, switch from the bytecode to the source code, view the class hierarchy, get references for methods and fields (callers/callees), navigate in the CFG, view string usages ... You can define your own key bindings, change the syntax files, and it is really simple to add a new feature.

Check the video:



You can download Androguard 1.9 here, and the plugin for Sublime Text here.

We are working on a native emulator for Android, but it is not yet ready for this public release.

If you wish to join the project, please send us a mail at dev@androguard.re.
You can also make a donation to the project! :)

Cya !

Friday, September 14, 2012

Androguard 1.6: community!

Hi !

Since the latest version, we have fixed a lot of bugs, the decompiler has been improved, and we added a new feature.

This feature is the possibility to scan a bunch of Android apps automatically (with multiple threads) and to control exactly what you want to do: where you get the apps from (web, file system, ...), filtering, and the different steps of the analysis (APK, DEX, advanced analysis).

For example, imagine that you would like to scan a list of Android apps, select only the APK files with the SEND_SMS permission, and then display the source code of the method where the sendTextMessage method is called. Easy?


Or a more classical example: display the permissions of APK files:

Or check whether the app can load dynamic dex files:

All details about this feature can be read in the RE tutorial.


But a more important thing is that now you can submit your script to the community repository with a standard "pull request". The idea is to collect all the interesting scripts from the Android RE community that use Androguard. And if your script is really interesting, we can put it directly in the main repository of Androguard.

Get it right now!

Cya !

Sunday, August 5, 2012

Androguard 1.5

We did it.

What? A stable version of Androguard with a lot of new and exciting features. It has been a long road since the beginning of this project, and I think you know it is not easy to run an open source project in your free time.

Disassembler

We rewrote the disassembler from the ground up, so it is now simple and modifiable. Each instruction is represented by a specific class which corresponds to the "format" of that instruction.

For example, when you display a method, you will see each basic block, its successor basic blocks, and at the end the XREFs.


But the interesting thing is that you can get the instructions and access each field of an instruction as described in the DEX format documentation.

For example, the "invoke" instructions are described by the 35c format, which is:

and you will find the same parameters, plus general functions to display the instruction, get the name and the value of the opcode, and specific functions to resolve references automatically (string, type, method ...).



We use a linear sweep algorithm, but I hope that for the 2.0 release we will have a recursive algorithm to deal with such techniques. In the meantime, if you see such techniques in real samples, you can use the set_code_idx method (but be careful, it will not help you in all cases!) to change the offset at which the disassembly of the buffer starts:
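As an added illustration of the 35c format and of the linear sweep / set_code_idx point above (example code written for this page, not Androguard's own), here is a minimal Dalvik decoder in Python. The opcode table covers only a handful of formats and the method body is constructed: a `goto +2` skips over a junk unit, so a sweep from unit 0 misdecodes the real code, and restarting at unit 2 recovers it.

```python
import struct

# Subset of Dalvik opcodes: opcode byte -> (mnemonic, format, size in 16-bit units).
OPCODES = {
    0x00: ("nop", "10x", 1),
    0x0e: ("return-void", "10x", 1),
    0x12: ("const/4", "11n", 1),
    0x28: ("goto", "10t", 1),
    0x6e: ("invoke-virtual", "35c", 3),
    0x70: ("invoke-direct", "35c", 3),
}

def decode(units, i):
    """Decode the instruction at code-unit index i; return (text, size)."""
    u0 = units[i]
    op = u0 & 0xff                       # opcode is the low byte of the first unit
    if op not in OPCODES:
        raise ValueError("unknown opcode 0x%02x at unit %d" % (op, i))
    name, fmt, size = OPCODES[op]
    if fmt == "10x":                     # 00|op
        return name, size
    if fmt == "11n":                     # B|A|op, B is a signed 4-bit literal
        a, b = (u0 >> 8) & 0xf, u0 >> 12
        return "%s v%d, #%d" % (name, a, b - 16 if b & 0x8 else b), size
    if fmt == "10t":                     # AA|op, AA is a signed 8-bit branch offset
        off = u0 >> 8
        return "%s %+d" % (name, off - 256 if off & 0x80 else off), size
    # 35c: A|G|op BBBB F|E|D|C  (A = register count, registers C, D, E, F, G)
    a, g, u2 = u0 >> 12, (u0 >> 8) & 0xf, units[i + 2]
    regs = [(u2 >> (4 * k)) & 0xf for k in range(4)] + [g]
    args = ", ".join("v%d" % r for r in regs[:a])
    return "%s {%s}, meth@%d" % (name, args, units[i + 1]), size

def linear_sweep(code, start_idx=0):
    """Decode straight through the buffer from start_idx, never following branches."""
    units = struct.unpack("<%dH" % (len(code) // 2), code)
    out, i = [], start_idx
    while i < len(units):
        text, size = decode(units, i)
        out.append((i, text))
        i += size
    return out

# Constructed body: "goto +2" skips a junk unit whose low byte is the invoke-virtual
# opcode (0x6e); a sweep from unit 0 swallows the real code, restarting at unit 2 recovers it.
HIDDEN = bytes.fromhex("2802" "6e20" "1210" "0e00")

if __name__ == "__main__":
    for start in (0, 2):
        print(start, linear_sweep(HIDDEN, start))
```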



Session

Now you can save and restore (with cPickle) an analysis session of an Android app, using the save_session and load_session functions in the shell:



But a more interesting feature is that you can annotate a specific method or instruction, and the annotation will be displayed:




It is possible to rename a class, a method or a field by using the set_name method of the corresponding object, which is really useful when a sample has been obfuscated:




More information and examples here.

Dex Format

Of course we support the APK and DEX formats, but now we also support the ODEX format. We added support for the debug information of a method and easy access to all elements through getters.




Moreover, if you read the DEX format specification and our source code, you will find that each part of the specification is a class in our tool.

We also have a BETA version of DEX format modification and saving. So you can modify the instructions or anything else in the format and save it, but be careful: it is not yet finished and we don't support modification of the control flow graph.




To see a more interesting example you should check the patch of the crackme challenge of Dexlabs.

Binaries

Most of the time you can have a shared library (or a binary) embedded in an Android app, and it was not possible to analyse it directly. But Miasm can do that for you :) So we wrote a simple wrapper to load a binary file and analyse it with this awesome framework!


Documentation

OMG! We set up an online website on a new domain name (.re rulz :)) with the documentation of the API and tools. It is a first step in this direction (don't forget to check the wiki too), and we will add more examples. Thx to the Sphinx open source project.

And we have set up a Google group if you would like to talk, but if you have any problem, please open a new issue.

Decompiler

For me, it is really the killer feature. We have a BETA (but working) version of a Python decompiler for Android applications. w00t! And it is open source, baby! It is not yet another "closed source" piece of software like the ones we have seen in the past; no, it is open and you can improve/modify/share it. So we don't waste your CPU time translating the Dalvik bytecode to Java bytecode and then running closed software on it.

The name of the decompiler is DAD: DAD is Another Decompiler.

You can use it in a "stand-alone" way:






Or by setting the appropriate decompiler when you create a DalvikVMFormat object with the AnalyzeAPK/DEX functions:


Before printing the source, the decompiler runs a dead code elimination pass (followed by a register propagation one). So the bytecode of the analyzed application may not be entirely present in the source that is printed. Only the "used" bytecode will be shown; no need to read a lot of lines which are never used by the app!

There are some things which need improvement (that's why it's still a beta):

  • the decompiler supports almost all of the Dalvik bytecodes (not the extended bytecodes): filled-new-array is not correctly pretty printed; for now it shows filled-new-array(type=xx, size=yy, arg=zz..).
  • switches may pose a problem (crash) in the presence of fall-through cases.
  • types are not yet propagated inside a method, so we currently do not declare the variables inside a method, and there may be some weird things displayed like "if (b == 0)" even though b is a boolean, or calls with a float to functions which take an integer as parameter (like foo(3.0) with a prototype of foo(int x)).

Ok, that's all folks! But don't forget that we need people to improve the tool and all these awesome features; send us a mail if you are interested! "dev (at) androguard.re"

Thx to the VirusTotal team and the Magnificent7 program from Rapid7 for helping open source security projects. And also to all contributors (Axelle, Yanick, Tim, Patrick, ...), users and donors!

And fuck to all who tried to stop us ! :)

Androguard Core Team (Pouik + Zost)



Thursday, May 31, 2012

Support of sessions + notes!

Hi,

I changed a lot of things in the output: now you can choose your colors, and the overview of a method is better:


But an interesting feature is saving your analysis with json, which you can do by using the save_session and load_session functions:



Because everything is Python, everything is saved automatically, and you can save what you want :)

One new step is the support of "annotations", which can be added on a method (add_note) and on an instruction (add_inote):



You can add a note on an instruction by using either the position or the offset of this instruction in the method. Moreover, it is only a Python list, so you can do what you want with it:


Enjoy!

Tuesday, May 29, 2012

news ....

Hi !

After feedback from Dexlab about errors in the parsing of Android bytecode, I decided to rewrite the module along the lines of Baksmali. Now each instruction is an object, and in each object (instruction) you can access all the fields:





For a few instructions, I added more information, especially for all numeric values:



Moreover, I added a "tags" feature. The idea is to associate specific information with each method in order to quickly find interesting code; for example, I associated each method with Android classes. You need to run the "create_tags" function of the "VMAnalysis" object:




The code is available in the repository and I will publish release 1.3 as soon as possible!

Cya

Friday, May 25, 2012

not dead

Hi !

Lots of new things during the last months ... Androguard got selected by Rapid7 to be sponsored as part of the Magnificent7 program. It is really good news and the project will be seriously improved (and if you are interested in participating, you're welcome!).

Next, we published a paper in Phrack about software similarity/diffing. We have a different approach compared to classical tools (patchdiff, bindiff(?)), mainly because we don't compare graphs (CFG) to find similarities but use only the information inside each node (and we need to improve the algorithm by adding a context).

By the way, we published a tool for Windows (and of course for Linux/Mac OS X) if you wish to know whether your Android application has been ripped off by someone else:


I saw slides from SIGINT about Android security ("Dynamic Malware Analysis on Android Phones" and "Android Analysis Framework"). Interesting stuff, except that one more time it is not open source software, but they talked about open source software (smali, dexdump ...) :) About Androguard, I can read "watermarking", but it was just an idea at the beginning of the project without source code ... And I can read too: "still many bugs". Great! Please report them, it is open source software, guys! This is one of the major drawbacks in computer security when you are doing open source security software, and a single sentence is appropriate:
"Talk is cheap. Show me the code." Linus Torvalds

Otherwise, next month, I will be at RSSIL, SSTIC and HIP.

Happy Hacking!

Cya !