
Let's get to the bottom of kingo. (Owned)

krazylary
(Last edited by krazylary; 30th January 2014 at 07:13 AM.) Reason: update
#1  
Junior Member - OP
Let's get to the bottom of kingo. (Owned)

I would like to start a forensics thread.
I am a security auditor (pen tester) and good at reverse engineering.

*****UPDATE******

I have owned the application and decompiled the entire thing. I have all the download scripts, and the actual apk is not mktcamera; it is

com.example.cameraroot-325a203119a823aad9e160e729650fbb.apk

I have given chainfire the apk; it is up to him what he does.
I will send an email to kingo and see if they want to clean up their ****. If they don't, I will release everything.

If you do not believe me, PM chainfire and ask him yourself.

I cannot spend any more time on this.
 
bftb0
(Last edited by bftb0; 26th January 2014 at 10:29 AM.)
#2  
Senior Member
Sounds interesting. Kudos to you for attempting something concrete.

If you want to do static analysis of the initial download ("android_root.exe"), see this post. The initial Kingo download is an Inno Setup self extractor that can be unpacked without running it using the InnoUnp extractor utility.

I'll see what I can do to help.
"I'm gonna start coding placebo apps. That way I will be sure that the complaints are real and the praises hollow."
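As an added example (not code from the thread or from Kingo), here is the static first step bftb0 describes for the downloaded installer: hash the file for lookups against scanning services and check for the Inno Setup markers that tell you InnoUnp can unpack it, all without executing it. The marker strings are the Inno Setup format's own identifiers; the sample byte blobs are constructed for this example.

```python
import hashlib
import re

# Inno Setup identifiers: the "Setup Data" version string and the
# setup-loader offset-table ID ("rDlPtS"). Both come from the Inno Setup
# file format itself; the sample inputs below are constructed.
INNO_SETUP_DATA_RE = re.compile(rb"Inno Setup Setup Data \((\d+\.\d+\.\d+)\)( \(u\))?")
INNO_LOADER_ID = b"rDlPtS"


def triage_installer(data: bytes) -> dict:
    """Static triage of a downloaded Windows installer without running it.

    Returns the SHA-256 (for submitting/looking up on scanning services),
    whether the blob looks like a PE image, and whether it carries Inno Setup
    markers (and which version), which means it can be unpacked offline.
    """
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",
        "inno_setup": False,
        "inno_version": None,
        "unicode_build": False,
    }
    m = INNO_SETUP_DATA_RE.search(data)
    if m:
        result["inno_setup"] = True
        result["inno_version"] = m.group(1).decode()
        result["unicode_build"] = m.group(2) is not None
    elif INNO_LOADER_ID in data:
        # Loader ID present but no version string: still Inno Setup, version
        # unknown (e.g. the data block lives in a separate setup-0.bin).
        result["inno_setup"] = True
    return result


# Constructed sample: a fake PE stub carrying both Inno Setup markers.
SAMPLE_INNO = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16
               + b"rDlPtS\x02\x87\x65\x56\x78" + b"\x00" * 8
               + b"Inno Setup Setup Data (5.5.3) (u)" + b"\x00" * 8)
# Constructed sample: a plain PE stub with no installer markers.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("inno", SAMPLE_INNO), ("plain", SAMPLE_PLAIN)):
        print(name, triage_installer(blob))
```

Run it against the real download by reading the file as bytes; a positive Inno Setup result means `innounp -x` can extract the payload for inspection without executing it.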
 
krazylary
#3  
Junior Member - OP
thanks

I am trying to download the latest kingo. Their site is very, very slow. Looks like it is getting DDoSed. That is really good. It might give me a chance to hit the request with session splitting, so I can get the scripts manually.

I
 
krazylary
#4  
Junior Member - OP
can someone translate this

Getting closer to having this app owned

I need this translated thanks!

 
MBRedline
#5  
Member
Nice work, I am looking forward to seeing where you get with this. I rooted with kingo a little while back.
 
lmike6453
#6  
Senior Member
subbed for results. Thanks for taking the time to look into this and sharing with us, very intriguing
Verizon Galaxy Note 3 - JB 4.3
 
bftb0
#7  
Senior Member
Quote:
Originally Posted by krazylary View Post
I have decided to not release the source code publicly. I will be giving it to the rockstars in the android world so we can have a clean root.
Thank you. It would be much preferable to having a static ARM (not PC-based) binary that needs no network access to get its job done. Open source would be even better; even in the case of a completely static binary with no need for network access, the device owner is still "turning over their device" to that program and trusting that it is not malicious. After all, if it succeeds, it pwns the targeted device.

Although, truth be told, that just makes Sammy's job of closing off the hole that much easier, but that's the nature of the arms race.

Q about your previously posted (and now redacted) summaries: what is typical for false positive detection rates for random executables submitted to those "all in one" virus scanning services? Seems like the candidate malware identified would have shown some evident symptoms (popup ads, site redirection, etc.) on folks' platforms, unless it just lies dormant for a while or has been subverted itself to serve other needs (bot, etc.).

What was the nature of the .xml that was being downloaded? Did you have a look?
"I'm gonna start coding placebo apps. That way I will be sure that the complaints are real and the praises hollow."
 
dead batteries
#8  
Senior Member
I'm confused, what is it particularly you are looking for in kingo? I just ripped with kingo a couple days ago. Should I be worried about anything?

Sent from my SM-N900V using xda app-developers app
 
bftb0
#9  
Senior Member
Quote:
Originally Posted by dead batteries View Post
I'm confused, what is it particularly you are looking for in kingo? I just ripped with kingo a couple days ago. Should I be worried about anything?
I suppose you should always be worried about any advice that begins with

"hey, download this unknown executable from the internet and run it on your Virus Hosting Platform^B^B^B^B^B^B^B^B^B^B^B^B^B^B^BWindows Machine"

But that applies to even things like "Odin v3.09" or "Android phone rooting toolkits". They are also just executables, and certainly just as capable of hosting malware installed (even unknowingly) by persons that re-upload them.

But in particular, the thing that got everybody's hackles up was that it bears all the "hallmarks" of malware:

- published by an author with an inscrutable monetization strategy*
- by its intended purpose, is authored by folks skilled in software exploits (but... blackhat or whitehat)?
- uses an "attack server" architecture. (Downloads payloads off the internet in order to run to completion)
- closed source
- contacts multiple sites on the internet during setup and/or operation
- uploads to the internet information gleaned from host and target systems
- at runtime uses code obfuscation procedures that are typical of malware


What the OP is currently after is a way to replace it with something that will still root the phone, but do so in a way that seems less suspicious: for instance, has no need to ever contact remote machines on the internet, and no need to even use a PC, either. But let's be honest: any time you turn your device over to a piece of software that has the objective of rooting either a remote host or the one it is running on, you are implicitly handing that device over to that software if it succeeds. If it is completely open source, and you compile it, install it, and run it yourself, after having looked through the code to judge its safety... well, you might be able to say with confidence that "this looks pretty safe".

OTOH, doing that (open source) also makes it pretty darn easy for defenders (e.g. Samsung or Google if it is an Android kernel exploit) to patch the hole directly without doing the corresponding exploit discovery themselves.

I'm not saying that Kingo is malicious though; I really don't know. I can think of very compelling reasons why it operates exactly the way it does:

1) Rooting methods vary by device, carrier, and software release version. That means that a "universal" and static Android rooting tool with encyclopedic knowledge of all current rooting methods would have to bundle in a single download package an enormous collection of exploit vectors. Hundreds and hundreds of megabytes of stuff ... per handset. Live device detection eliminates the need for that, and the bill from the server hosting company for excessive bandwidth usage.

2) Rooting methods come and go. A client-server attack method can determine immediately if something it tried succeeded or failed, on every single attempt, and collect reliable information about software release versions, model numbers, carrier in use, etc. Compare that to a piecemeal, scarce, non-uniform and unreliable method of trying to intuit that information by hand out of forum reports written by folks who many times have no computer skills at all. It's light-years better in reliability and breadth.

I was going to also say "Open source of an attack reduces its effectiveness", but that opens a whole can of worms, as the position one takes on that particular statement probably is the bright line dividing the white hat and black hat ethical spheres.

*hey wait a minute - isn't that everybody on XDA?
"I'm gonna start coding placebo apps. That way I will be sure that the complaints are real and the praises hollow."
 
krazylary
#10  
Junior Member - OP
Oops! ;)

