HARDCODING ISSUES 2 - SHARED OBJECT FILES
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN3ysPFDiLz71tKNKtTbQ-gbYIMOvFyzCKI9CWL78TjPKjXRWYpCIlFmXgXhGx2AJ03-cD6Vx-LMBzN8gZzBhlbR1mLbvF3IFft3RoDMDfuNW6_eUA1t68o-9wqG_cxHU7to9FSgnsuPpq/s1600/screenshot.1.jpg)
- Connecting from Santoku to Nexus 5 with ADB:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPhk653C14QA8vth06HWnXBRzLa4itaCupLrevAArhsXls8xlPnBjqnB7G9OexQ9Gw-iTW0IdEsuYLhnHoyJgNyT3ta6dIQkIP20bRiI7-iGSeLanLEgnTEoAxE4-6vAsDxFRU1Bfsk6C/s1600/screenshot.2.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz26LudzftvVhlVECnYZvnq2eZHOOhCD0Ku501fUdU0VM2la60N2SRK0UcblEUUP2u7NKDULpBFOE4H4eZbq09qhg1-k-HFMB1AvTWLoaymRoY21KQJ5kMcplr3hUecqXdIup0YuKXvHjT/s400/screenshot.3.jpg)
- Clicking the tab for challenge 12:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitb9krxqoRACGyta23Z9stuafU31y5EAPJrf2KmwSzKwKj3gE4HB6KNZXIYbCfWnLJgolUJznOrGLSFIUi1488dv4eDGBaeX3Vip6gvqqhxkoM5i039enfFabzxc7hS_pZjXymUHt5u4Aj/s320/screenshot.4.jpg)
- The application prompts the user for a key. Entering an invalid key, access is denied:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1eqbCcNWbWi93-zKSlquGE7ww5OjVrS0vLN_ofNh71oIXTW9uE9_Hj6fSMf2Evz_RI3WOmjVo60YY5LwA1hUykt5Vv-TYaKhmOtD5f7sknjlg8UpUMlEedReeS0Q7NIzHOqZUQMAUms7Q/s640/screenshot.8.jpg)
- Let's have a look at the Java source code of this challenge, Hardcode2Activity.java:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj85vqQLc9Ixajz_sU0HkA8o94wKdLKc6VIp8p-FfAX0m1pqBY0hs9vxdGi4cutEnXCbSBUe5HwWgtX973DyUmPauaj2ZxEmTQsmTdb5YRt4qcthopkHSqNCv3t2yfOH6GGopCHfmqg3EZF/s1600/screenshot.9.jpg)
- First, it is important to notice that in this activity the JNI (Java Native Interface) is used to validate access.
- Java Native Interface is a programming framework that enables Java code running in a Java Virtual Machine (JVM) to call and be called by applications and libraries written in other languages such as C, C++ and Assembly.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF7JK_DbIGghnqULUeeS0gZ91JR7f3Lr-dylxnZG2Jk7apFnxUUcJ3rjuwcK16DBQTBDOl8h_9073e1R7IBB9Ec4SJUmajuV7GFN0q-0ekdwIbSquJWx2FdPYe_0mYwxiw3Gi_OTM_RPj-/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix7OsGMckekPCMEyCcaTuum5hR6sSyFXZ8SP0qXmXVD5tLiz2jKaSezQ8kC-PIWChnYtD5VWG_Z7Tm8lEu691W_wrwn6GWAh12ZgpkLRxIArco-nFnWNXCEyfeaHFLHgtPwTRrmADNAPVK/s1600/screenshot.10.jpg)
- The access method calls into native code through JNI and checks whether the text entered by the user matches the valid key.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeT6RB0Y8dyD9YyyQlsqsmgXY7ewlSESd6waAo3zOQD1nEn_A-gkpcQKEPvgfkP3LYixuh-8z8NOsB2NsXNQHdM75VDbjMwJXdwuitEHTghftQV4fFjhAaJGFaX9Vx-qT01tn5uh_afEYy/s1600/screenshot.11.jpg)
- Also, it is interesting to see the source code for DivaJni.java:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-N9w_Z1uGjAhV-pQOQmsFqjOXghv0C7TVV0CtIPet4vBS5pAUtv0nQtwrHEHNUbOO7a32tJC9G99RI0EHlZxAmmqEVWpX-MNbL0ofm36y_PU_1FjkJn6lcXqUygtdlWKyOBvalw55YvUB/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilk3-4ZVePrYlvy5fkpteK0IqVnsM6vktGtvf53YB7I5Rq6WZzIw6vhmaZ237BOrx-ZnFQL9qE_rady1AuipIEhxtuGqbz1OSUb7ly0XeU44Gi59Bp8NQBnxQw3CHxhPzLOxCGF8yRsnB4/s1600/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq2W21hFIQHi52Ec9QJ2A2sNYSwk9G2i-BPhwpEsRd4giJfIljMeJ1NKkAZGOBiPXKzI_LKPGJDvvv9fK342J6Tm4cgxAq_VEh74ZWBOxwgJpDaKiIuYC-0LerRzquIdwEScdkPuzUqgxQ/s1600/screenshot.5.jpg)
- Going into the application data directory, there is a lib directory:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_EcfBXexn6phcWqdlZ_BGBmrMIEAsjl4X193B_VEZSvwYBTjHB89_bStTV0eIe72SROGonMQVezcIYbQ7W5d9_KIaa1gy7Bgr3AeVJ70RKA-B65dQ0NFZy8DsDzY6Gs2viCQj9RDx28NC/s1600/screenshot.13.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3y86VYZqFpdex1j2Hh1JmIwsyiq4L8y1dDO02zErzZgZ1pBVFMDYD0afcOiwF1alMVjgGip4Ge7hP5wsz4MMrhdOQWMObpekvySc8-jV5rplNKxVLqAEtIVxcTfOTMHQKENPv5vSn8Slt/s1600/screenshot.14.jpg)
- Inside the lib directory there is a libdivajni.so file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggdrVCeh9XutF3NY0MrZD_bJan-2-KzTt5DPOxOxwCuhrkXs97HBgIX7G1p3Wym6CakOFGHM5PnnhyXtNmuccGjFcZIDricQb1E76Ab2wIVzuusf0O_ywvQWTKwul61yVMnFvbIMsKGya5/s1600/screenshot.15.jpg)
- .so (shared object) files are dynamic libraries used on Unix systems (similar to .DLL files on Windows). Code stored inside a .so file is not embedded in the binary that uses it; instead it is only referenced, so the executable depends on it and the code from the .so file is loaded at runtime.
- .so files usually follow the ELF (Executable and Linkable Format) standard.
- In order to analyze the file, we can pull it from the mobile device to Santoku:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTlSlcwgyZ6-m_rXCdTiKG9yYGGmLFpUoCsu6DXbOH8qoxbqcYc9sX3LcuX4vXEQNJ3Wany3CnrfHxJHLR9oFZMqByK5Qekykd97fQTadzbFZmEqAtVH4Z7nz-DNYUB4W8R2Pm_6wQ1oya/s1600/screenshot.16.jpg)
- Now the file is available on Santoku:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiiHt4dfor6FQmeVA9Tyo65KjN2eacbKPioYrEuEtIZQBOlUnw6z0zd_ZjYzCx0LWwD6QolsbfyXf2G_xHpA_6KvPvKq0j-Tz_FeiufdkIiRFtb_9g7AqsaxP_oDk27du6nzf5_7JnIbB5/s1600/screenshot.17.jpg)
- Either objdump or readelf can be used to inspect the file and dump the .rodata section (read-only data, which stores constant data) of the program, with similar results:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiDTxgV-0cK78dVrIFmzGBZt2k41lDemIz7oZXrEhVaD7MQE6mIyLshFu61R5Hs1xr-XLNsNhMnVM9qJI-GMyly7OUZFDWhnnhdUcQW_JjDhoTEVZEml_5X0AG6Uch03qBagfnQhEE2MhQ/s1600/screenshot.18.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7UUJaW11_Eg81GWNbW9FKvAwK4Xu5NgXFbBFZnxsgoSigmdDdpN6Naj91664-ECQgHk0pl99knyqEHzl-5Zr-ZpBqLx2Ukyp5Ca7FEa2vdo05JmSxV0Fr8pXRilxb4BBo5PseJK8SoIvy/s1600/screenshot.19.jpg)
- Both outputs indicate the presence of a "suspicious" string ... maybe the secret key?
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZnWEfuzyoh37Hnb6kTbaM2er42IhKhInRY5YrtG1zUYpfUJqsXLjI7bmEGN9Qq8WFEeY1hNdu2C9mUcXDqQHYWcaj43HzC6q4Msv03fHKHWz_zjo-qY79wG382ulJnLTp_KCAvHmcgMSc/s400/screenshot.20.jpg)
- Running the strings command over the file libdivajni.so, the string olsdfgad;lh appears again:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWxMIIaK4qBnJC-9bRgf9B1jS1PSf5_oHFgaewKfVC3BbGYAUgiBoGFun-k6k0lm7gt1f1WAyY0IOdADc4RUJG7SOzQDPUkP4Vz0oGsNZOpTZCpQHGWX8XspKfx_ECoaLTy4SAsquwn0oA/s1600/screenshot.22.jpg)
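As an added example (not DIVA's code nor the original post's), the following Python script does what the readelf/objdump and strings steps above do by hand: it parses the ELF section headers of a shared object, extracts the .rodata section and lists the printable strings stored there. The same script can be run over a build's own .so files before shipping, as a quick check for secrets that ended up in read-only data. So that it runs offline, it constructs a minimal ELF in memory standing in for the pulled libdivajni.so, with a constructed .rodata holding the vendor key string; the script name rodata_strings.py and the file path used in the usage note are assumptions.

```python
"""List the printable strings in the .rodata section of an ELF shared object,
roughly what `readelf -x .rodata` followed by `strings` shows.
Added example for this write-up, not DIVA's own code."""
import struct
import sys

# Section header field indices (same order for ELF32 and ELF64).
SH_NAME, SH_TYPE, SH_OFFSET, SH_SIZE = 0, 1, 4, 5
SHT_NOBITS = 8  # section occupies no file space (e.g. .bss)


def elf_sections(blob: bytes) -> dict:
    """Map section name -> raw section bytes, for ELF32/ELF64, either endianness."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    end = {1: "<", 2: ">"}[ei_data]
    if ei_class == 1:    # ELFCLASS32
        ehdr_fmt, shdr_fmt = end + "HHIIIIIHHHHHH", end + "IIIIIIIIII"
    elif ei_class == 2:  # ELFCLASS64
        ehdr_fmt, shdr_fmt = end + "HHIQQQIHHHHHH", end + "IIQQQQIIQQ"
    else:
        raise ValueError("unknown ELF class")
    hdr = struct.unpack_from(ehdr_fmt, blob, 16)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[5], hdr[10], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(shdr_fmt, blob, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    st = shdrs[e_shstrndx]  # the section-name string table
    shstrtab = blob[st[SH_OFFSET]:st[SH_OFFSET] + st[SH_SIZE]]
    sections = {}
    for sh in shdrs:
        name = shstrtab[sh[SH_NAME]:shstrtab.index(b"\0", sh[SH_NAME])].decode()
        data = b"" if sh[SH_TYPE] == SHT_NOBITS else blob[sh[SH_OFFSET]:sh[SH_OFFSET] + sh[SH_SIZE]]
        sections[name] = data
    return sections


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of >= min_len printable ASCII bytes, the heuristic `strings` uses."""
    out, run = [], bytearray()
    for b in data + b"\0":  # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def rodata_strings(blob: bytes) -> list:
    """Strings embedded in .rodata, the section where C string constants land."""
    return printable_strings(elf_sections(blob).get(".rodata", b""))


def build_sample_elf(rodata: bytes, ei_class: int = 2) -> bytes:
    """Constructed minimal little-endian ET_DYN ELF with only .rodata and
    .shstrtab, standing in for a pulled libdivajni.so (not the real file)."""
    if ei_class == 2:
        ehdr_fmt, shdr_fmt, ehsize, machine = "<HHIQQQIHHHHHH", "<IIQQQQIIQQ", 64, 0xB7  # AArch64
    else:
        ehdr_fmt, shdr_fmt, ehsize, machine = "<HHIIIIIHHHHHH", "<IIIIIIIIII", 52, 0x28  # ARM
    shstrtab = b"\0.rodata\0.shstrtab\0"  # name offsets: .rodata=1, .shstrtab=9
    rodata_off = ehsize
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    shentsize = struct.calcsize(shdr_fmt)
    e_ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    # e_type=ET_DYN, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack(ehdr_fmt, 3, machine, 1, 0, 0, shoff, 0,
                                 ehsize, 0, 0, shentsize, 3, 2)
    # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize
    shdrs = struct.pack(shdr_fmt, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack(shdr_fmt, 1, 1, 2, 0, rodata_off, len(rodata), 0, 0, 1, 0)   # PROGBITS, SHF_ALLOC
    shdrs += struct.pack(shdr_fmt, 9, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)  # STRTAB
    return ehdr + rodata + shstrtab + shdrs


# Constructed .rodata contents: what `#define VENDORKEY "olsdfgad;lh"` plus a
# message string leave behind, padded with non-printable bytes.
SAMPLE_RODATA = b"\x01\x02\x03" + b"olsdfgad;lh\0" + b"\x00\x00" + b"Access denied\0" + b"\x7f\xff"

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(SAMPLE_RODATA)
    for s in rodata_strings(blob):
        print(s)
```

With no argument the script prints the strings of the constructed sample (the key string and a message); pointed at a real library, as in `python3 rodata_strings.py libdivajni.so`, it prints whatever the compiler placed in that file's .rodata. Compilers put C string literals and `#define`d strings in .rodata, which is why the vendor key shows up there regardless of how the comparison code is written.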
- Finally, checking the source code of the application, the C file divajni.c holds the original C program, where the vendor key was stored as a constant (#define VENDORKEY "olsdfgad;lh") and later compared with the function strncmp:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjstvUGCTnGKEPuQUFHq8ZgoTyMEKr6Y69SUYmXc_ZMV_FrEUukxxRfUwUpwrUkoI9-sOuAeChlAfCzsX47dqU2ny4vAQh2Hm2HRUm4SwmwcM-L2WTIKPGnIMye-UjuJgWT-SHkydih2Mb3/s1600/screenshot.23.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEienDuJ4wgJhy9DwQklnrnJRsPRFloCFyPDhaR2s5oTaul4lbuJ9bJB2ceb7gjzNecOejnC9gtHKtz5egzHW9-dV33OG4zIcuBrmLPa7UwZQKIQWnDoimAqO5GPa2thioG8_HFmEJIxjQ59/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDq7HNkRE8GFUPsA_h_ucxlYq2ZvhtZ6Q1_oRtLTRd67pN8GfVxlqlGOFvEUaMEWYiZ3GIlyZyN-BhZ4YcPFroV1pYv7rkkvFDh09LBaOXYWPQVP_rPWyJjTZFyEZHN28w_muU2TcDNYGF/s1600/screenshot.24.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcoonA2Q-sGiwhVAadf8vpIG_rIIC-6AETYKzxDXWPcVivCF2AJAiJHieli05N6_MezRJrLzKDsc2Y5PvMrkCeb8jbvWie9W1LAVTYDvwoj30ppANsF2CYpbgcOJdOdZ0Jrbu0JgTLxUiG/s1600/screenshot.26.jpg)
- The most important conclusion from this exercise is to remember that developers often hardcode keys into .so files.
- To confirm the finding, entering the recovered string actually grants access:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSU1KWm5vqViowtdwvQtUGcGJNU79sQiMH40Hmr020n1xFdeEID7yQ7eWYJcUHoxz2VXV8RA8vfnkvXHoH7sgXhc3cpoM9rNPHq4vtkVeUNZX0-eiBXHFXiJeBgj3ia5sUaQw7ZsD-a1_P/s1600/screenshot.21.jpg)