Semi-automated mapping of iOS binaries

Transcript (automatically generated)

hello and welcome to this class will be this will be pretty much think of it as a classroom exercise so that I can do for you who work with iOS applications mainly databases maybe maybe on holidays is so I hope that I will show you guys some tricks that you can use up his sleeve when it comes to the 2nd and analyzing an iOS binary so the name is can quickly but I hope that it will make sense and it'll be clear by the end of this talk so we should interest food those whom I haven't seen my face yet so that spending and I've been working with the platform since the early was based so been working with iOS since iOS 4.0 which dates back to business as well as 2 thousand native of the man and my field of interest and field research is focused on how to map and analyze Objective-C based applications which actually make up most of the iOS apps so there swift types which they did with the topology was announced that and iOS 8 and as things seem it's not that widespread as Apple's ability to be so most of the time when using Swiftian lies in that moment Objective-C applications that's kind of of easy to understand because most companies have the Objective-C sources ready by this time and this is obviously limited to replace everything they had and which was fine for them so this talk is not essential compared with only and not the frantic of algebraic ink and as far as I'm on the stand I don't have any generates for while and I was mentioned my parents he opened to which is the little is written as of yesterday but instead of thinking this talk uh like an object and I can advanced course on Objective-C screw screw drivers didn't have you guys find ways more easily around iOS applications when comes to much up and the thing so this is like a collection of small ideas and hence I came up with I read somewhere else and that's happening not when it common continue infesting iOS applications and when it comes to the actual penetration testing where
most of the time of the worst enemies time so I hope you guys that you had some experience with professional penetration testing you you were going so that the very good because burden of this job is to finish everything on time but unfortunately that the technology and the applications we test and we work with the data that make it easy for us to finish our job on time and I hope that tricks will save you guys literally hours and hours and hours of misery so I'm just the 1st a little bit of interest that I'm pretty sure everyone is familiar with that process that is used to mean Cisco IOS and those used to mean software running on the routers and switches and that that however that since the drops content those stuff nomenclature iOS means something else the 1st of this religion came around in 2007 we did soap like 5 and 3 and now but as of today it's iOS 9 used in the the 1st is is the main version and at this point he used to be the 1 used to be a tool for hipsters I remember when I had this 1st iOS talk being 2010 2011 and we said that they had these devices are really cool the localized also but then that's really designed and not to be suitable for corporate users now it's significantly changed so this statement is not true in america as on and iOS is a fully blown and fully adaptable corporate device platform and many MDMs came around about device management uh MDM tools and devices came around that this is not true as
corporates and enterprises have means to control or what kind of devices can hold the data and as time progresses we have a whole lot of development banking applications management things uh but not so much more quickly don't get to you iOS devices as and the judge may and this will not to normal on something very bad happens in the world so I movement around there
and iOS application testing in the 1st place it this as in the dependence that is static mapping which I there's a little of letters on the side that wins with everything the model but you guys can get grab around with this with this phase means so this is like having a clockwork and taking magnifying glass and to see what's inside and what kind of components the app produces that kind of stuff and get it gadgets it uses a with kind of APIs what kind of platforms that kind of thing that individuals and so on and so on so these information can be gathered during the 1st phase when we simply take the binary and start to say that this is something it and stop peeking around within the binary so that the purpose of this whole operation is like like anatomy in the medical sciences so anatomy focuses on bodies which are not moving so everything is like static and then describe where well-defined side so this is kind of a similar thing within 1 performed in static mapping whether you are and when we have an iOS binary we can easily extract the class has the structure in case the application was written in Objective-C as the Objective-C runtime framework relies extensively on reflection therefore method names class names and other related info has to be compiled within the binary and it's there and and the extractable as for the dominant assure it's another interesting topic so if if someone with some kind of experience with iOS apps just takes a look around the names of classes names of methods and so on and so on so they will get an understanding about like how developers were highly structure things how the name hardly the use things and so on and so on and so on and the can information can be very useful when it comes to phases of the assignment so this phase is very boring I admit so it's it's like it in the tumor cells also has a standard and Hopper and other disassembler tools book peeking around within the binary the heads of uh looking around the
class dump and so but it's worth it's worth the hassle because the little and when will start picking random then the application is running as in dynamic analysis on try patch jailbreak detection readings or certificate pinning will try to be when crypto happens so in these later phases of the effort you put into studying will return the well and when we come to deal with next bits and the problems with and the picture I could just 10 11 that's that's the name of the game I that that's the incredible machine as it's an amazing game remember was a kid that made me a complete nerd in the 1st place I must admit so that when we do that mapping we try to figure out what's within the boundaries and what happens when the binary is being run and when the application components of emotion so on this phase usually involves a jailbroken device which I luckily have here with all the necessary modifications which is required to region of testing and we usually use uh some kind of debugger which is like being in the middle to stick with and this why the end of the day gives you a much better understanding let's within the binary and this is where the light that begins as obviously application developers and especially security-related applications that propose that Iran's using easily understand how the product operates as as we'll see
later on this brings us to a whole bunch of problems we have to face when doing all that on actual application of doing dynamic analysis the 1st of all of them as a set of need to have a jailbroken device to run on staff and most of the time and we use security related products they just simply say hey this is a jailbroken device please leave me alone I realized that 1 of the plants would press button and something happens like encryption uh hey the connection is married or somethin encryption to express something is written on the keychain and so on and so on until you know that happens under the hood this was a jailbreak detection and I'm pretty sure that anyone who has ever encountered having to patch the binary and jailbreak detection to the best of the binary and this is 1 of the most frustrating things that can happen to you so you spend hours trying to to find the present jailbreak detection takes place you patch that particular section of the binary and you you want to do yet again would like apples over 180 and boom jailbreak detection kicks again about that some other place and then you have to usually have to do this over and over and over and over and over again and that this is as good as it sounds so we want to have some kind of method to find each and every occasion when jailbreak detection is made and last but not least there and we have an interest in looking method within the binary and the let's say hey those I just showed that the class that's I said that this this method that some kind of encryption it takes 2 parameters that there some kind of the rights the push into the file system I want to know where it is relatively that's a pretty usual question when it comes to analysis and these problems also really time-consuming so this is the 1st line of work and which which looks very scary but I had there would be it's not going to be that's clearly so that would consider binary analysis the some applications developers tried to make your work as hard as
it can be so and I'm sure you couple things which uh are tools in the developers or to that's true the pedestal so by the end of the day it's still possible to analyze binaries but it takes much more time and that's it so every every every complication and every and I a dog in the entire and reversing effort you put into a binary just model raises the bar in terms of effort and expertise but again the debate and I would like to so and 1st of all of this on the loop which is involved a very funny very funny federal minus F of rule on the world means a switch with induces inlining and this means that as I indicated in the saddle of that if you have a function of our method instead of having to optimize it to 1 single occasion if you use this uh and switch duties he will copy the same uh um byte sequence to be reloaded places on offer when after another as for use of functions so this those of another obvious choice so that means instead of having a nice and very easily penetrable and very easily methods visible on this this would now exists because of just common so if you have a very nice function like so this produce something thing and in case it's that simple point where the application checks for the device being jailbroken broken and not the and it's returns the boolean value then it's pretty pretty trivial to make it return and that each and every time around and this is pretty well known amongst developers so that only rookies use similar kind of jailbreak detection mechanisms instead they opt for witchcrafts like functions so whenever they uh have to invoke the jailbreak detection method to just copy the corresponding byte sequence to the the to the appropriate places and they're going to have a 200 times 200 instances of jailbreak detection routines and you would have to patch each and every uh occasions when I want and that's over time after time consuming 1 other 3 features the developer usually use object stripping is a standard procedure to secure binaries however on Objective-C applications it's not that's the usable as as I said the runtime itself needs a whole bunch of information about the binary itself therefore method names class and other related info will be always there so the I'm number of atoms so something and if you use Objective-C you have to know the name of the method and your objects and the budget the very most of the time you will be able to as I understood you will be able to uh reconstruct had structure reflection and refraction reflection because it makes static analysis of pain in the butt that means that if you see a very nice function which is invoked somewhere about since its name is assembled at runtime by the program be able to pinpoint that particular location for you and the policy have a fancy trick up your sleeve but which I will show you later on you will be uh stability sweating blood and trying to figure out whether function is invoked and last but not least my favorite font is basically C++ is that instead of Objective-C as Objective-C is a superset of C++ there is for plays usable if you just put some Objective-C stuff within Objective-C can be very easily uh very easily obfuscated and that we say all that many times when it comes to and of systems and other security products they rely heavily on a similar kind of operations and the best thing is that these tools can be combined so I chatted with a developer of a group within the institutions and about how they detect jailbroken devices and when I was still spending days in misery trying to make dumping run on algebra cannot that and I said that we have omitted to engine which states that any um byte sequences which best uh some kind of jailbreak detection and the mutated and equipping to random places within the binary during the compilation process as assembly inlines so that it actually means that you have literally hundreds of places where jailbreak detection routines are implemented and single function is called jailbreak detection which
returns a Boolean yes or no and that's a really hard thing to analyze and to use sell them OK so 1st of all before going to need to make much much more technical stuff let's see kind of problem we have a screen and you want to know what happens when I press a particular button with a switch or whatever on the screen and there and how can we find out which locations which methods in the application binary are responsible for handling user interactions for a particular screen normal to the and the solution but I will show you that I wanted to do this I have
a nice like that here but this the Damn Vulnerable iOS Application in which is of the semester so if you are trying to do iOS hackers you are the people who make other people try to be iOS because so good gravity is free and it's 1 of the best programs are better for learning how to hack iOS so and we have this very nice attack on the jailbreak detection back and it the messenger broken and want to see how the magic happens that happens under the hood so that hitherto achieve this arrival of options for instance and when we come to the class
and as I said this is the antrum make is bigger for you so and this is the kind of uncanny this so this is the kind of structure you can extract from the binary itself so it's it's certainly doable so I have a very very very very very difficult list objects methods and interfaces let's try to find the word jailbreak and boom yeah we have a jailbreak detection VC which happens to be the exact which we're are looking for the moment but well if we can't do this in such as the easy way I mean that happens if it just doesn't work what
can we do so I have here that sound the following you will 1st stage back to my device we you so he In this work we do it OK there we go and 1st of all I use Cycript which is like a manipulation framework and that initially created a bridge between JavaScript and Objective-C which is a very private thing to say about uh surprisingly it was also many comes the and that's so let's try to find the
OK so we original application and I will come here to see so this uh that came in the construct shows you have to use the entire screen see so I constantly manipulations on the screen you can easily access those items on the screen from here and if we say we want to see what's on the screen you no sorry so
I and it's not very easily Sudanese massive titles come on so this shows you like in a tree-like structure about what's on the screen and this can come very handy as uh if you look for the titles here is that C is a jailbreak detection here you have the number right in here so everything you see on the screen will be in this tree like structure if we look for these are like buttons and this UIButtons that can be found within the tree-like structure with this kind of a
encouraged to so with this subviews the construct we can make our way down on the tree and by the end of the day we need to reduce you have gotten here and this UIButton it's obviously has and part which tells us which object it is so this and iOS also another view controller terms but it's in the screen is a um your object but you want to see the contrast object to it and this construct this uh this trick can be used to pinpoint the exact um exact object and the method is responsible for user interaction OK and
making them next question we have a very nice applications and we know that somewhere it uses some kind of a crypto and amount to be important very desert so ideally we need only look for a method which does not make any kind of modification to the binary so that means that if we have a like an MDM products or something that checks its underlying integrity we'll have to patch the integrity checking modules and you don't have to check the merger the check the integrity of the integrity checking modules and so on and so on but instead would love to new to you do this without ever touching the binary so this difficult areas of interest or jailbreak detection teachings were circling crypto and I schmooze show you guys to use separate methods to implement and to get those precious stack traces when it comes to an actual it like but 1st of all I'm going to use GDB which is a very
but useful sometimes even though it's not supported by Atlanta dating selected for having them as being the bible best choice so please go to this jailbreak detection and then we had the application again and we go
for this is what I did was simply former beauty beauty and uh embedded into the process itself so let's
make it run and I'm really interested in there for example for the mistake that the stat function is used so it's stat lstat and is used for the file system interaction it can be used for it's actually a family of the API calls however most of the time they are used for the check all whether not a file exists also some in some correct characteristics of the file of them or not I mean for instance you can check what about file is executable not and these uh 2 was also used these command families are used in many jailbreak detection routines so I would love to see how the application does jailbreak detection in this case so what would doing there's simply put a breakpoint on so that we can easily defined a couple of commands to be around each time that particular breakpoint hits so 1st of all of left to the Twins faults the parameter of the 1st parameter of the stat function I did my homework I checked the API reference page on developer.apple.com website and I was very happy to realize that there's a string as the 1st parameter and that contains the file name itself and that the pointer to that particular string object is uh and handed over to the function in the r0 register which I'm printing out here I want to see where we are in GDB this gives you a nice stack and and that's it let's see so we come to the jailbreak detection exercise and again at the moment I know that this that the jailbreak detection routine does that it this just by the selection and use of this stat function so because development and all this is very interesting this shouldn't happen OK and there's a band and as we see that the actual arm statuses is are here so whenever you have because that these are in general didn't refresh itself so it's so that I can go on and to see a whole the becomes a hit and when these stat functions were enrolled from and this can be very very easily usable and many kinds
applications implies some kind of anti-debugging as fact however that can be many times pretty easily supplemented as I said this is the urgent media for France
sake the inevitable problem of using GDB is that it looks awesome you typing on a black screen and write letters it's so hacker like however and need you to be there are many problems also for instance and many times it's not perfectly feasible either because your device cannot run gdb where there is no hacked version of GDB for your version of iOS or the application itself is actively preventing being traced by GDB and that can be uh again it can be supplemented however most of the time uh and it's doable but the biggest problem with it it's not not persistent so that means each and every time you want to tweak your application you have to do this over and over and over again and then we went to mean something more usable and and it looks to estimate the null when it comes to a client presentations however when it comes to the actual practice work and it's uh it's sometimes uh it's a it's a list of time most of the time so have to use something that can be using more permanent fashion I will show you how and when we are
going to be compiled by integrating Cydia Substrate extensions sitting using the substrate extensions than it used to be called MobileSubstrate and that means that uh under jailbroken devices you can use the Cydia to dynamically load dynamic libraries to application this is pretty much all the same concept as we do this in Windows so that means that on an application does not have to hold each and every feature set in the memory so that it doesn't consume uh that much memory up and this is a special call the comes uh that analyzes this technology is used by a whole bunch of applications like you the CDSS as pure which snooping about assured that these names ring the bell for you because you have some expertise in iOS understand and as a result of Cydia Substrate extensions already the Bantustans choice that means that no menu attention is needed and it will basically uh a simple rm functions only the deleted the file from the file system if you want to disable your uh extension and the creation is uh as we'll see is truly scriptable if we have Theos on which I'm sure um this is the point what we're going to use a lot of choices was 1st is an otherwise iOS to change and even you don't have to have Xcode to call to develop iOS applications we can use this everything runs on the device itself and besides full blown app so you can easily be combined substrate extensions for existing apps and this gives us all a bunch of opportunities so that this means that we can inject whenever we went into an iOS applications this is this going to to bring American conclusions as missing on OK so before moving on and meet my and really nice demo application which is pretty much this 5 right that those 6 lines of code so this means that we check whether or not a particular file within the file system exists or not and in case it exists we will not function and if not we you more and other and that's pretty much it even if you're not fluently Objective-C is pretty
straightforward ordered so that when it comes to there disassembly this is that it's a little over it looks like the Hopper that can be done to ship and I will find multiple
you creation this is this is the 1 so I about a proposal and those my demographic issue a very small app so it takes more time from the proton's loaded so this is the and and try to make it now that's a bit but the closest 1 so as you can see that but we basically implement this kind of functions so even if you not fluent and this is arm assembly it looks horrible however this is uh texts make it quite easily understandable what's going on so we check whether an /Applications/Cydia.app file exists or not in case it exists we want and if not being another so that's trivial kind of very easy to understand so how
can we bypass FIL how
can we see where the actual so all of the the heart of this thing here is this fileExistsAtPath function which is in library of the skull and as it may seem suggests whereabouts is simply returns a boolean yes and no whether or not a particular file exists or not and this is the actual Cydia Substrate extension written in Objective-C relevant utilized to pinpoint where this particular functions in front and just a quick overview so and this %orig construct it instructs the framework to run the original function itself so that with a B and the values we have it fewer we log some things we this stack trace and we return what has been returned so that's proxy thing so that we inject it like something and we'll return what's received and but see how this thing works in
practice encourage we OK this OK and there's my screen
I show you where this application in the 1st place so quickly
find up it means I have to to my session 1st in it we you know
I have not been so that just in agreement with a friend of hers on all these different so the actual have some datasets are found within the /Library/MobileSubstrate/DynamicLibraries directory and this is then and we compile our binary it will end up here so that's a pretty easy to to delete whenever we want to remove or to disable an extension we simply delete because unidentified so how
we're going to so this OK we have 1st just a very nice interface called nic.pl which is the new instance creator it asks us whether or not you want to create a tweak each and application library or anything as well as set out to create a tweak difficult task yup in meeting and what's in
the lecture name of the package here's what we want to inject into so only we go here it amounted to minute and the thing with us and then we have an instance which does not anything that can be compiled so this is a very useful thing to start start from and if we look at here we have this Tweak.xm and which is the actual place what we need to compress this is the following interference with object the current and there's a bunch of instructions how to FIL feeling this from
but I have my substrate extensions ready already
became an simply say it's just we you he the combined its we make and make install OK and then if we continue to do
let's screening of my
prepared and the from this is the most interesting a wanting the OK so next
stuff here is not taken by
1 thing and this should be the
1 when try again it announces it's jailbroken and
which should be just that we have all approaches stack-trace so can see from the from this is that the function was called and the rest with we can easily
evade jailbreak detection also once we have control about but the actual fileExistsAtPath returns then we can use this framework to uh bypass jailbreak detection without ever touching the binary so and basically this is the choice of this is the tool used to bypass this very primitive jailbreak detection method so it's easy to understand of advanced in case it's is the parameter is this /Applications/Cydia.app then we return NO otherwise return whether is returned and we compile this in the same
fashion the use of the
we can copy the same insured you only meanwhile
I delete what I made earlier local nodes
installed on the fly people in this thank you and flowing up again will see that it's it's displays a call
it disclosed a device clean message which means that we essentially bypassed jailbreak detection with we go to
the syslog so we see that all message ended up here so jailbreak detection has been related so on this
list where to say any
questions now the question
think this is a so the question was what to do when it comes to encrypted binaries so the mean that inclusion like the fact that you which is applied in the iTunes binaries yeah so and the thing is that whenever you download an application from the Apple AppStore it's include on not encryption that obfuscated would system called FairPlay and there are tools to decrypt the dialectal skate those fast so Clutch 1 of the projects which can be used for this purpose but and if you google it you will find very nicely written GDB articles how to manually dump certain segments of the memo entitled to the occupy out in a couple of sets to memories from so Clutch is the word you looking for and then you have a decrypted binary and you will be able to play these games with goes was also it In this section yes they have to use Clutch before anything happens because if you try to load and FairPlay the forbid bandlimited belonging to other people than it explode because it will not be able to to figure out what's within the binary and the and have time for when the question now and thank you for your attention
Formal metadata

Title: Semi-automated mapping of iOS binaries
Alternative title: Semi automated mapping of iOS binaries
Series title: Hacktivity 2015
Part: 09
Number of parts: 29
Author: Kovács, Zsombor
License: CC Attribution 3.0 Germany:
You may use, modify and reproduce, distribute and make publicly available the work or its content for any legal purpose, in unmodified or modified form, provided that you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/18856
Publisher: Hacktivity
Publication year: 2015
Language: English

Content metadata

Subject area: Computer science
Abstract: Black-box iOS application pentesting is a growing and hot topic. For most pentests, the most pain and effort are consumed by the initial phases of the work, i.e. basic mapping of the application features and where the individual features are implemented within the binary. We describe a MobileSubstrate based, semi-automatic approach for mapping security related features, such as encryption, jailbreak detection, keychain usage.