Android Applications Reversing 101

Every day we see a bunch of new Android applications being published on the Google Play Store, from games, to utilities, to IoT devices clients and so forth, almost every single aspect of our life can be somehow controlled with “an app”. We have smart houses, smart fitness devices and smart coffee machines … but is this stuff just smart or is it secure as well? :)

Reversing an Android application can be a (relatively) easy and fun way to answer this question, that’s why I decided to write this blog post where I’ll try to explain the basics and give you some of my “tricks” to reverse this stuff faster and more effectively.

I’m not going to go very deep into technical details, you can learn yourself how Android works, how the Dalvik VM works and so forth, this is gonna be a very basic practical guide instead of a post full of theoretical stuff but no really useful contents.

Let’s start! :)


Read More

Reversing the Smarter Coffee IoT Machine Protocol to Make Coffee Using the Terminal.

I love coffee, that’s a fact, and I drink liters of it during the week … I also am a nerd and a hacker, so a few days ago I bought a Smarter Coffee machine on Amazon, basically a coffee machine that you can control over your home wifi network using a mobile application ( both for Android and iOS ).
The app is really nice: you can set the amount of cups you want, the strength of the coffee, etc, then you only need to press a button and wait for your delicious coffee to be brewed.

Since I work from home, most of the times I’m using the computer keyboard, not a smartphone, therefore I wanted/needed a console client for it, something that the vendor never released, so I started reversing the Android application in order to understand the communication protocol and write my own client implementation … guess what? :D

Yep, i can make coffee using the terminal now :D


Read More

How I Defeated an Obfuscated and Anti-Tamper APK With Some Python and a Home-Made Smali Emulator.

During this Saturday afternoon I was chatting with a friend of mine ( Matteo ) and he asked for some help to fix a Python script he was working on.

He was trying to deobfuscate an APK in order to understand its obfuscation and anti tampering (more on this later) protections so I started working on it as well.

This was definitely way more challenging ( and fun! ) than my usual APK reversing session ( dex2jar -> jd-gui -> done ), moreover this required me to write a new tool which I find kinda cool and unique ( IMHO of course ), so I’m going to share the story in this post.

I’m going to intentionally skip a few details here and there because I do not want to cause any harm to the people who wrote that application, all the involved protection mechanisms are there to avoid piracy.

Read More

How TELCOs Are Bullying Researchers, an Italian Story.

Those of you following my blog from the beginning, know that I was actively involved in the router hacking scene, mostly during the period in which I wrote the very first implementations of both Telecom Alice ( and this ) and Fastweb routers WPA key calculators and unlockers after the great reversing job performed by another italian group.
Those scripts allowed anyone to unlock hidden services in their routers ( as for the Alice scripts ) and to compute default WPA keys having just basic informations such as mac addresses, etc, demonstrating how broken the end-user security policies were.

Despite the fact I received in the past more than one intimidatory email from representatives of those two companies, I’ve never wrote or talked about that … I was smarter enough to understand that this kind of legal bullshit is better to be ignored, unless you have done something truly illegal.

Read More

Programmatically Identifying and Isolating Functions Inside Executables Like IDA Does.

Even though it’s one of the tools I use on a daily basis, Hex-Rays IDA always fascinates me for its completeness and the huge amount of informations it is able to extract using just a “simple” static analysis approach and being myself a “make yourself the tools you need” guy a couple of weeks ago I’ve started to study it, trying to understand its internal mechanisms, algorithms and tricks.

I’ve focused on the identification and isolation of subroutines inside an executable due to the fact that this seemed to me the simplest thing to start with and because I came accross this blog post that shows how great IDA python libraries are.

Read More

On Windows Syscall Mechanism and Syscall Numbers Extraction Methods

Everyone who’s familiar with operating systems theoretical structure, whether he attented a college course or he has just read a book on this subject, knows the concept of a system call i.e. how a user space application talks with the kernel asking it to perform various jobs such as opening a file, creating a memory mapped region, etc.

Read More