06 July 2011

Kivlad - Initial Thoughts

Recently, the folks over at Matasano Security released a tool to decompile Android Dalvik binaries. The tool is named Kivlad and it can be found on their site.

Having a need to disassemble Android binaries on a fairly frequent basis, I'm always looking for a new tool to help out, so I took this one for a spin.

The first thing to point out is the disclaimer on the Matasano site, which reads:
This is very much an alpha release and while it will be production-quality in the near future, we wanted to give the community a taste of what's to come.

Experimenting with Kivlad shows that disclaimer to be very warranted. Kivlad is a cool concept, and is somewhat unique in the field because the output format is HTML. At the core, Kivlad offers a tree view of the Android elements contained within the Dex. I like this idea, and it will be very cool to see it get developed further.

That said, the tool is pretty near non-functional (for me at least) - I'm unable to get it to parse any APK other than the included HelloWorld.apk that comes with the download.

Further, because the background of the HTML output is an image loaded via CSS, the output is completely unreadable if the file is not in the source code directory: the font color is set to white, and the default browser background is also white. This is easily fixed; either open the file from the source code directory, or change the CSS to whatever color scheme you wish.

I should note that I find both of these shortcomings to be perfectly acceptable (Matasano did say the tool was pre-alpha, after all), and as I said, I like the concept and where this seems headed quite a lot.

The process for getting Kivlad working is pretty straightforward IMO, but I've included my notes here in case someone finds them useful. (These are for the Ubuntu Linux distribution, tested on versions 10.10 and 11.04.)

  1. Install the required software and libraries:
    sudo apt-get install ruby1.9.1 libzip-ruby1.9.1 graphviz
    sudo ln -s /usr/bin/ruby1.9.1 /usr/bin/ruby
    sudo ln -s /usr/bin/gem1.9.1 /usr/bin/gem
    sudo gem install metasm
  2. Download Kivlad and extract it:
    wget http://www.matasano.com/research/kivlad/kivlad-0.1.tar.gz
    tar zxf kivlad-0.1.tar.gz
    cd kivlad-0.1
  3. Run the tool:
    ruby ./reflect.rb HelloWorld.apk HelloWorld.html

This will print a fair amount of output, and you'll end up with a HelloWorld.html file in the directory.
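Putting the three steps together, here is an added wrapper script for the same Ubuntu setup. It is not part of the original post or of Kivlad; it assumes the download URL and commands above, that reflect.rb accepts absolute input and output paths (as a plain File.open would), and that the generated HTML contains a </head> tag. The fix_colors function is there for the white-on-white problem mentioned earlier: it drops a background override into the page so it stays readable when copied out of the kivlad-0.1 directory.

```sh
#!/bin/sh
# Added example, not from the original post or from Kivlad: wraps the
# install / download / run steps for Ubuntu and makes the HTML readable
# anywhere. Usage: sh kivlad_setup.sh setup | run <file.apk> <out.html>
set -eu

KIVLAD_URL="http://www.matasano.com/research/kivlad/kivlad-0.1.tar.gz"
KIVLAD_DIR="kivlad-0.1"

# Kivlad is run under Ruby 1.9 in the post; fail early on anything else
# instead of hitting a confusing stack trace later.
check_ruby() {
  ruby -e 'exit(RUBY_VERSION.start_with?("1.9") ? 0 : 1)'
}

# Steps 1 and 2 from the post, with the symlinks created only when absent
# (ln -s fails if /usr/bin/ruby or /usr/bin/gem already exists).
setup() {
  sudo apt-get install -y ruby1.9.1 libzip-ruby1.9.1 graphviz
  [ -e /usr/bin/ruby ] || sudo ln -s /usr/bin/ruby1.9.1 /usr/bin/ruby
  [ -e /usr/bin/gem ]  || sudo ln -s /usr/bin/gem1.9.1 /usr/bin/gem
  sudo gem install metasm
  wget -q "$KIVLAD_URL"
  tar zxf "$(basename "$KIVLAD_URL")"
}

# Step 3: reflect.rb is run from inside kivlad-0.1, so absolute paths are
# passed (assumption: reflect.rb opens them as given).
run() {
  apk=$(readlink -f "$1"); out=$(readlink -f "$2")
  check_ruby || { echo "need Ruby 1.9, have: $(ruby -v)" >&2; return 1; }
  (cd "$KIVLAD_DIR" && ruby ./reflect.rb "$apk" "$out")
  fix_colors "$out"
}

# The generated page sets white text over a CSS background image, so once
# it leaves kivlad-0.1/ it renders white-on-white. An override inserted
# before </head> (assumption: the output has one) keeps it readable; if no
# </head> is found the override is prepended instead.
fix_colors() {
  html="$1"
  style='<style>body{background:#202020 !important;color:#ffffff}</style>'
  if grep -q '</head>' "$html"; then
    sed "s|</head>|$style</head>|" "$html" > "$html.tmp"
  else
    { printf '%s\n' "$style"; cat "$html"; } > "$html.tmp"
  fi
  mv "$html.tmp" "$html"
}

case "${1:-}" in
  setup) setup ;;
  run)   run "$2" "$3" ;;
  *)     ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run `sh kivlad_setup.sh setup` once, then `sh kivlad_setup.sh run HelloWorld.apk HelloWorld.html`; the resulting HTML can be moved anywhere without losing the text against the background.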





As I mentioned, the only APK I've been able to successfully use Kivlad on is the HelloWorld.apk. Every other APK I've tried has resulted in the following error (example below using OI_Safe_1.2.4 from freewarelovers.com):

ruby ./reflect.rb OI_Safe_1.2.4.apk OI_Safe_1.2.4.html


/home/rossja/Desktop/kivlad-0.1/instruction_form.rb:11:in `inspect': wrong number of arguments(1 for 0) (ArgumentError)
 from /home/rossja/Desktop/kivlad-0.1/instruction_form.rb:11:in `convert_insn'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:61:in `disassemble_all'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:85:in `disassemble_blocks'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:713:in `decompile'
 from /home/rossja/Desktop/kivlad-0.1/decompiler.rb:774:in `decompile'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:70:in `method'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:46:in `block (2 levels) in initialize'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:45:in `map'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:45:in `block in initialize'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:30:in `map'
 from /home/rossja/Desktop/kivlad-0.1/dex.rb:30:in `initialize'
 from ./reflect.rb:9:in `new'
 from ./reflect.rb:9:in `initialize'
 from ./reflect.rb:21:in `new'
 from ./reflect.rb:21:in `

At some point I'll try to chase down where the issue is and see if I can figure out whom to send a patch to =)

02 February 2011

welcome back to the net, Egypt

On January 27, 2011, the country of Egypt disabled the Internet for anyone within its borders. It did this in a couple of ways, both via the network (at the BGP level) and at the name resolution (DNS) level. This means the takedown not only impacted Egyptian nationals, but also citizens of other countries who happened to be in Egypt during this period, as well as anyone using a .eg ccTLD domain.

I don't have a lot of time to form a well crafted post on the topic of Internet blockade at a national level - it suffices to say that I'm opposed.

Here are a couple of very interesting graphs, taken from http://stat.ripe.net/egypt

Start of the BGP withdrawal:

Re-announcement of Egyptian BGP routes:

I'm glad that Egypt has decided to allow all those impacted by this outage access to the Internet once more. Welcome back .eg.