Reversing Dropbox client application for fun

Dropbox is a cloud-based file storage service used by millions of users. The security of Dropbox had not been analyzed properly. Recently, I came across a paper titled Looking inside (Drop)box, which was presented at USENIX. The paper explains how to reverse engineer the Dropbox client application and extract its algorithms. Dropbox clients are mostly written in Python. The author of the paper, Dhiru Kholia, has uploaded the essential scripts required to reverse engineer Dropbox.

Let's start hacking

Unpacking and decrypting encrypted Dropbox bytecode

The first thing to do is to get the Dropbox client:

wget -O - "https://www.dropbox.com/download?plat=lnx.x86" | tar xzf -

Clone Dhiru's dedrop repository:

➜ (Dropbox) git clone https://github.com/kholia/dedrop

The paper says to run Dropbox with a custom LD_PRELOAD library. The shared object it needs can be built with:

➜ cd dedrop/src/dedrop
➜  dedrop (master) ls
all.py  main.c  Makefile  map  _marshal.py  opcode-generator.py  payload.o  payload.py
➜  dedrop (master) make                                                                                                                
objcopy -I binary -O elf32-i386 -B i386 payload.py payload.o
gcc -Wall -ggdb -fPIC -Wno-unused-but-set-variable -m32 -c -I/usr/include/python2.7 -o main.o main.c
gcc -Wall -ggdb -fPIC -Wno-unused-but-set-variable -m32 -shared -Wl,-soname -Wl,libdedrop.so -o libdedrop.so main.o payload.o -lpthread -ldl
➜  dedrop (master)  ls                                                                                                                  
all.py  libdedrop.so  main.c  main.o  Makefile  map  _marshal.py  opcode-generator.py  payload.o  payload.py

Now the shared object is ready for use:

➜ dedrop (master) export BLOB_PATH=$HOME/.dropbox-dist/dropbox
➜ dedrop (master) LD_PRELOAD=$HOME/Dropbox/dedrop/src/dedrop/libdedrop.so ~/.dropbox-dist/dropbox

You may get an output like this:

.
.
[+] writing to /home/seshagiri/Dropbox/dedrop/src/dedrop/pyc_decrypted/xml/sax/xmlreader.pyc
[+] writing to /home/seshagiri/Dropbox/dedrop/src/dedrop/pyc_decrypted/zipfile.pyc

:) :) :) w00t!

All the decrypted bytecode has now been written, in .pyc file format, into the pyc_decrypted directory.
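A sanity check worth running before decompiling, as an added example (not code from the paper or the dedrop repository): it reads the header of each dumped file and flags anything that is not well-formed Python 2.7 bytecode. It assumes the dump uses the standard Python 2.7 .pyc layout; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct
from datetime import datetime, timezone

# Python 2.7 .pyc layout: 4-byte magic, 4-byte little-endian source mtime,
# then a marshalled code object whose first byte is the type code 'c'.
PY27_MAGIC = b"\x03\xf3\r\n"  # magic number 62211 followed by CR LF


def check_pyc(data):
    """Return (ok, detail) for the leading bytes of a candidate 2.7 .pyc."""
    if len(data) < 9:
        return False, "truncated: shorter than header plus one marshal byte"
    magic = data[:4]
    if magic[2:] != b"\r\n":
        return False, "bad magic: no CR LF, not a .pyc header"
    if magic != PY27_MAGIC:
        number = struct.unpack("<H", magic[:2])[0]
        return False, "magic %d is not Python 2.7 (62211)" % number
    if data[8:9] != b"c":
        return False, "body does not start with a marshalled code object"
    mtime = struct.unpack("<I", data[4:8])[0]
    stamp = datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d")
    return True, "Python 2.7 bytecode, source mtime " + stamp


def scan(root):
    """Walk a directory such as pyc_decrypted; return (path, detail) failures."""
    bad = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".pyc"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ok, detail = check_pyc(fh.read(9))
            if not ok:
                bad.append((path, detail))
    return bad


# Constructed samples (not taken from the Dropbox client).
GOOD = PY27_MAGIC + struct.pack("<I", 1377993600) + b"c" + b"\x00" * 16
GARBLED = bytes(range(0x80, 0x98))

if __name__ == "__main__":
    print(check_pyc(GOOD))
    print(check_pyc(GARBLED))
```

Files that `scan` reports are the ones to look at by hand before handing the directory to a decompiler.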

Decompile the decrypted files

I have written a small shell script to decompile all the pyc files in the pyc_decrypted directory using the uncompyle2 tool.

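#!/bin/bash
# Decompile every .pyc below the current directory (run it from pyc_decrypted).
# Root is not needed for this, so uncompyle2 runs as the current user.
find . -name '*.pyc' | while IFS= read -r i
do
        filename=${i%.pyc}
        echo "Uncompiling $i"
        # head -n -3 drops the last three lines of uncompyle2's output
        uncompyle2 "$i" | head -n -3 > "$filename.py"
done

# Remove the .pyc files once they have been decompiled
find . -name "*.pyc" -exec rm {} \;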

We now have all the decompiled programs in the pyc_decrypted directory. Using these files, you can start building your own open source Dropbox client if you want.

The authors also mention breaking the two-factor authentication used in Dropbox and hijacking Dropbox accounts. As I am a beginner in RE, I haven't looked into it further. I will update this article later to include the session hijacking and the breaking of two-factor authentication of Dropbox accounts.
