initial commit

.android/README.md

@@ -0,0 +1,8 @@
+This is a keypair that is usually generated by adb (android debug bridge)
+`adb keygen adbkey`
+
+You can hardcode it with the above command and fix it to this fingerprint:
+```
+$ awk '{print $1}' < ~/.android/adbkey.pub|openssl base64 -A -d -a | openssl md5 -c|awk '{print $2}'|tr '[:lower:]' '[:upper:]'
+5D:36:FE:BE:B2:56:F4:18:5C:AB:6D:C8:91:E5:01:80
+```

Dockerfile

@@ -0,0 +1,63 @@
+FROM ubuntu:18.04
+
+# UTF8 needed for mitmproxy
+ENV LANG=en_CA.UTF-8
+
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+    openjdk-11-jdk \
+    libcanberra-gtk-module \
+    libcanberra-gtk3-module \
+    wget \
+    git \
+    vim \
+    sudo \
+    python \
+    python-pip \
+    python3-pip \
+    xdg-utils \
+    unzip \
+    android-sdk
+
+RUN cd `mktemp -d` \
+    && wget -nv https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O apktool \
+    && wget -nv https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar -O apktool.jar \
+    && sudo mv apktool* /usr/local/bin/ \
+    && sudo chmod +x /usr/local/bin/apktool* \
+    && git clone --recursive https://github.com/androguard/androguard.git \
+    && cd androguard \
+    && pip3 install --user .[magic] \
+    && wget -nv https://github.com/java-decompiler/jd-gui/releases/download/v1.4.0/jd-gui_1.4.0-0_all.deb -O jdgui.deb \
+    && sudo mkdir /usr/share/desktop-directories \
+    && dpkg -i jdgui.deb \
+    && echo "java --add-opens java.base/jdk.internal.loader=ALL-UNNAMED \
+        --add-opens jdk.zipfs/jdk.nio.zipfs=ALL-UNNAMED \
+        -jar /opt/jd-gui/jd-gui.jar" > /usr/local/bin/jd-gui \
+    && chmod +x /usr/local/bin/jd-gui \
+    && mkdir /opt/jadx \
+    && cd /opt/jadx \
+    && wget -nv https://github.com/skylot/jadx/releases/download/v0.8.0/jadx-0.8.0.zip \
+    && unzip jadx-0.8.0.zip \
+    && rm jadx-0.8.0.zip \
+    && ln -s /opt/jadx/bin/jadx /usr/local/bin/jadx \
+    && ln -s /opt/scripts/apex.sh /usr/local/bin/apex \
+    && cd /opt \
+    && wget -nv https://github.com/pxb1988/dex2jar/releases/download/2.0/dex-tools-2.0.zip \
+    && unzip dex-tools-2.0.zip \
+    && chmod +x /opt/dex2jar-2.0/* \
+    && chmod 655 /opt/dex2jar-2.0 \
+    && ln -s ${PWD}/dex2jar-2.0/d2j-dex2jar.sh /usr/local/bin/dex2jar \
+	  && python3 -m pip install --upgrade trio \
+    && sudo pip3 install mitmproxy \
+    && mkdir -p /root/.vim/syntax
+
+COPY vendored/smali.vim /root/.vim/syntax/smali.vim
+RUN echo 'autocmd BufRead,BufNewFile *.smali set filetype=smali' >> /root/.vimrc
+
+# Set up a baked-in way to know which commit this image came from:
+ARG SOURCE_URL
+RUN echo $SOURCE_URL > /source_url
+
+WORKDIR /tmp/samples
+CMD ["bash"]

README.md

@@ -0,0 +1,82 @@
+# Android Reversing Workbench
+
+![mascot bootloader recovery](img/mascot-recovery.png)
+
+Some tools for manual Android app analysis
+
+### What's in this docker image?
+
+Current:
+* apktool
+* androguard
+* dex2jar
+* jd-gui
+* jadx
+* android-sdk
+* mitmproxy
+
+TODO:
+* AVD-emulators - SDK is in, just nothing in README yet
+
+### Building
+
+_this will take a long time!_   
+`$ ./scripts/build_docker.sh`
+
+### Basic Usage
+
+`$ ./scripts/vanilla_launch.sh`
+
+_which is essentially:_      
+`$ docker run -v $PWD/samples:/tmp/samples --rm -it --network none android-reversing-workbench:latest`
+
+For the args above that aren't self-explanatory:
+
+ docker-argument | why
+ :--- | :---
+ \--rm | remove after run because these are teardowns |
+ \-it | interactive + tty |
+ \--network none | even though these are arm apps there's an AVD emulator in there, we don't want network requests going unless you say so
+\-v | volume mount the local samples dir for use inside the container
+
+### GUI Decompilation
+
+Useful if you want to use use JD-GUI for example.    
+Note: If you need this to work on MacOS then you'll need to do some extra work with Xquartz see [here](https://sourabhbajaj.com/blog/2017/02/07/gui-applications-docker-mac/) for details.
+
+`$ ./scripts/gui_launch.sh`
+
+Then you could do something like:
+```
+$ dex2jar /tmp/samples/yourfoo.apk
+$ jd-gui
+```
+this will launch the GUI decompiler
+
+### mitmproxy
+```
+$ ./scripts/usb_launch.sh
+
+# adb devices
+List of devices attached
+* daemon not running. starting it now on port 5037 *
+ADB server didn't ACK
+* failed to start daemon *
+error: cannot connect to daemon
+# adb kill-server
+* server not running *
+root@1e58ff8d2e79:/# adb devices
+List of devices attached
+* daemon not running. starting it now on port 5037 *
+* daemon started successfully *
+063fb29ef0eaa207    unauthorized
+
+# adb devices
+List of devices attached
+063fb29ef0eaa207    device
+
+# adb reverse tcp:9850 tcp:8080
+# mitmproxy
+```
+
+Then be sure to connect to wifi with the proxy of localhost:8080 on the device ;)

samples/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

scripts/build_docker.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR=$(cd -P -- $(dirname -- $0) && pwd -P)
+
+IMAGE=android-reversing-workbench
+cd $SCRIPT_DIR/..
+
+COMMIT_SHA=$(git rev-parse HEAD)
+SOURCE_URL="${IMAGE}:${COMMIT_SHA}"
+
+docker build \
+    --build-arg SOURCE_URL=${SOURCE_URL} \
+    --tag ${IMAGE}:${COMMIT_SHA} \
+    --tag ${IMAGE}:latest \
+    .

scripts/gui_launch.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+# Get the dir the script lives in not just the one it's exec'd from 
+SCRIPT_DIR=""
+if [ "$(uname)" == 'Darwin' ]; then
+
+    if [ -z "$(which greadlink)" ]; then
+        echo "Install brew then run \`brew install coreutils\`"
+        exit 1
+    fi
+
+    SCRIPT_DIR=$(dirname $(greadlink -f $0))
+else
+    SCRIPT_DIR=$(dirname $(readlink -f $0))
+fi
+
+# Allow X11
+xhost +local:root
+
+docker run -v $SCRIPT_DIR/../samples:/tmp/samples -v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=unix$DISPLAY --rm -it --network none android-reversing-workbench:latest

scripts/usb_launch.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+
+# Get the dir the script lives in not just the one it's exec'd from 
+SCRIPT_DIR=""
+if [ "$(uname)" == 'Darwin' ]; then 
+    if [ -z "$(which greadlink)" ]; then
+        echo "Install brew then run brew install coreutils"
+        exit 1
+    fi
+    SCRIPT_DIR=$(dirname $(greadlink -f $0))
+else
+    SCRIPT_DIR=$(dirname $(readlink -f $0))
+fi
+
+docker run -v $SCRIPT_DIR/../samples:/tmp/samples --privileged -v $SCRIPT_DIR/../.android:/~/.android:ro -v /dev/bus/usb:/dev/bus/usb -p 8080:8080 --rm -it android-reversing-workbench:latest

scripts/vanilla_launch.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -euo pipefail
+
+# Get the dir the script lives in not just the one it's exec'd from 
+SCRIPT_DIR=""
+if [ "$(uname)" == 'Darwin' ]; then
+
+    if [ -z "$(which greadlink)" ]; then
+        echo "Install brew then run \`brew install coreutils\`"
+        exit 1
+    fi
+
+    SCRIPT_DIR=$(dirname $(greadlink -f $0))
+else
+    SCRIPT_DIR=$(dirname $(readlink -f $0))
+fi
+
+docker run -v $SCRIPT_DIR/../samples:/tmp/samples --rm -it --network none android-reversing-workbench:latest

vendored/smali.vim

@@ -0,0 +1,122 @@
+" Vim syntax file
+" Language: Smali (Dalvik) Assembly
+" Maintainer:   Jon Larimer <[email protected]>
+" Last change:  2010 Jan 8
+"
+" Syntax highlighting for baksmali (Dalvik disassembler) output
+
+" For version 5.x: Clear all syntax items
+" For version 6.x: Quit when a syntax file was already loaded
+if version < 600
+  syntax clear
+elseif exists("b:current_syntax")
+  finish
+endif
+
+setlocal iskeyword=@,48-57,_,128-167,224-235,.,-,/
+
+syn region dalvikComment start="#" keepend end="$"
+
+" directives
+syn keyword dalvikDirective .class .super .implements .field
+syn keyword dalvikDirective .subannotation .annotation 
+syn keyword dalvikDirective .enum .method .registers .locals .array-data
+syn keyword dalvikDirective .packed-switch 
+syn keyword dalvikDirective .sparse-switch .catch .catchall .line
+syn keyword dalvikDirective .parameter .local 
+syn keyword dalvikDirective .prologue .epilogue
+syn keyword dalvikDirective .source
+syn match dalvikDirective /\.end\s\+\(field\|subannotation\|annotation\|method\|array-data\)/
+syn match dalvikDirective /\.end\s\+\(packed-switch\|sparse-switch\|parameter\|local\)/
+syn match dalvikDirective /\.restart\s+local/
+
+" access modifiers
+syn keyword dalvikAccess public private protected static final synchronized bridge varargs
+syn keyword dalvikAccess native abstract strictfp synthetic constructor declared-synchronized
+syn keyword dalvikAccess interface enum annotation volatile transient
+
+" instructions
+syn keyword dalvikInstruction goto return-void nop const/4 move-result move-result-wide 
+syn keyword dalvikInstruction move-result-object move-exception return return-wide 
+syn keyword dalvikInstruction return-object monitor-enter monitor-exit throw move 
+syn keyword dalvikInstruction move-wide move-object array-length neg-int not-int neg-long 
+syn keyword dalvikInstruction not-long neg-float neg-double int-to-long int-to-float 
+syn keyword dalvikInstruction int-to-double long-to-int long-to-float long-to-double 
+syn keyword dalvikInstruction float-to-int float-to-long float-to-double double-to-int 
+syn keyword dalvikInstruction double-to-long double-to-float int-to-byte int-to-char 
+syn keyword dalvikInstruction int-to-short add-int/2addr sub-int/2addr mul-int/2addr 
+syn keyword dalvikInstruction div-int/2addr rem-int/2addr and-int/2addr or-int/2addr 
+syn keyword dalvikInstruction xor-int/2addr shl-int/2addr shr-int/2addr ushr-int/2addr 
+syn keyword dalvikInstruction add-long/2addr sub-long/2addr mul-long/2addr div-long/2addr 
+syn keyword dalvikInstruction rem-long/2addr and-long/2addr or-long/2addr xor-long/2addr 
+syn keyword dalvikInstruction shl-long/2addr shr-long/2addr ushr-long/2addr add-float/2addr 
+syn keyword dalvikInstruction sub-float/2addr mul-float/2addr div-float/2addr rem-float/2addr 
+syn keyword dalvikInstruction add-double/2addr sub-double/2addr mul-double/2addr 
+syn keyword dalvikInstruction div-double/2addr rem-double/2addr goto/16 sget sget-wide 
+syn keyword dalvikInstruction sget-object sget-boolean sget-byte sget-char sget-short sput 
+syn keyword dalvikInstruction sput-wide sput-object sput-boolean sput-byte sput-char sput-short 
+syn keyword dalvikInstruction const-string check-cast new-instance const-class const/high16 
+syn keyword dalvikInstruction const-wide/high16 const/16 const-wide/16 if-eqz if-nez if-ltz 
+syn keyword dalvikInstruction if-gez if-gtz if-lez add-int/lit8 rsub-int/lit8 mul-int/lit8 
+syn keyword dalvikInstruction div-int/lit8 rem-int/lit8 and-int/lit8 or-int/lit8 xor-int/lit8 
+syn keyword dalvikInstruction shl-int/lit8 shr-int/lit8 ushr-int/lit8 iget iget-wide iget-object 
+syn keyword dalvikInstruction iget-boolean iget-byte iget-char iget-short iput iput-wide iput-object 
+syn keyword dalvikInstruction iput-boolean iput-byte iput-char iput-short instance-of new-array 
+syn keyword dalvikInstruction iget-quick iget-wide-quick iget-object-quick iput-quick 
+syn keyword dalvikInstruction iput-wide-quick iput-object-quick rsub-int add-int/lit16 mul-int/lit16 
+syn keyword dalvikInstruction div-int/lit16 rem-int/lit16 and-int/lit16 or-int/lit16 xor-int/lit16 
+syn keyword dalvikInstruction if-eq if-ne if-lt if-ge if-gt if-le move/from16 move-wide/from16 
+syn keyword dalvikInstruction move-object/from16 cmpl-float cmpg-float cmpl-double cmpg-double 
+syn keyword dalvikInstruction cmp-long aget aget-wide aget-object aget-boolean aget-byte aget-char 
+syn keyword dalvikInstruction aget-short aput aput-wide aput-object aput-boolean aput-byte aput-char 
+syn keyword dalvikInstruction aput-short add-int sub-int mul-int div-int rem-int and-int or-int 
+syn keyword dalvikInstruction xor-int shl-int shr-int ushr-int add-long sub-long mul-long div-long 
+syn keyword dalvikInstruction rem-long and-long or-long xor-long shl-long shr-long ushr-long 
+syn keyword dalvikInstruction add-float sub-float mul-float div-float rem-float add-double 
+syn keyword dalvikInstruction sub-double mul-double div-double rem-double goto/32 const-string/jumbo 
+syn keyword dalvikInstruction const const-wide/32 fill-array-data packed-switch sparse-switch move/16 
+syn keyword dalvikInstruction move-wide/16 move-object/16 invoke-virtual invoke-super invoke-direct 
+syn keyword dalvikInstruction invoke-static invoke-interface filled-new-array invoke-direct-empty 
+syn keyword dalvikInstruction execute-inline invoke-virtual-quick invoke-super-quick 
+syn keyword dalvikInstruction invoke-virtual/range invoke-super/range invoke-direct/range 
+syn keyword dalvikInstruction invoke-static/range invoke-interface/range filled-new-array/range 
+syn keyword dalvikInstruction invoke-virtual-quick/range invoke-super-quick/range const-wide 
+
+" class names (between L and ;)
+syn region dalvikName matchgroup=dalvikNameWrapper start="L" end=";" oneline 
+syn region dalvikString start=+"+ end=+"+
+
+" branch labels
+syn match dalvikLabel "\<[A-Za-z0-9_]\+\>:$"
+
+" registers
+syn match dalvikRegister "\<[vp]\d\+\>"
+
+" number literals
+syn match dalvikNumber       "\<\-\?\(0[0-7]*\|0[xX]\x\+\|\d\+\)[lLst]\=\>"
+syn match dalvikNumber       "\(\<\d\+\.\d*\|\.\d\+\)\([eE][-+]\=\d\+\)\=[fFdD]\="
+syn match dalvikNumber       "\<\d\+[eE][-+]\=\d\+[fFdD]\=\>"
+syn match dalvikNumber       "\<\d\+\([eE][-+]\=\d\+\)\=[fFdD]\>"
+
+" default colors (for background=dark):
+" Comment/Identifier = cyan
+" Constant = magenta
+" Special = lightred
+" Identifier = cyan
+" Statement = yellow
+" PreProc = lightblue
+" Type = lightgreen
+
+hi def link dalvikDirective PreProc
+hi def link dalvikAccess Statement
+hi def link dalvikComment Comment
+hi def link dalvikName Constant
+"hi def link dalvikNameWrapper Special
+hi def link dalvikNumber Constant
+hi def link dalvikString Constant
+hi def link dalvikLabel Statement
+hi def link dalvikRegister Special
+hi def link dalvikInstruction Type
+
+let b:current_syntax = "smali"
+