Code Execution Analysis In Mobile Apps
Wait. I know GDB. I don't need this...
So, let's try another title...
How not to shoot yourself in the foot while debugging Mobile apps
About Me
Abdullah Joseph / @MalwareCheese
Mobile Security Team Lead @ Adjust
We do mobile attribution, ad fraud analysis and some data stuff (processing 25 petabytes of received data every 10 days)
I like binary stuff
Crypto stuff too. Not so much web and network stuff
Bonus only for Nanosec: I graduated from APU. Bachelor's in Game Design
Let's start with a CTF
Findings
Code block takes input and puts it in [s]
At 0x080486d3, our input and obj.sekrutBuffer get XORed together
The result has to equal obj.greetingMessage; the two are compared at 0x080486e6
obj.sekrutBuffer holds the following byte blob:
)\x06\x16O+50\x1eQ\x1b[\x14Kb]+S\x10TQCMT]
What did we learn?
Debugger == God Mode
Switching to Mobile
Let's go for Android
How do we get the output of getSecretKey() dynamically?
Disassemble the app (with "apktool" or a similar tool)
Set the "android:debuggable" flag in the manifest to true
Rebuild the app
Sign the app (with Appium's Sign.jar or similar)
Decompile the app to get the Java sources (with the CFR decompiler or jadx)
Set up a gradle project inside the decompiled sources
Set up an IDE, like Android Studio, and port the decompiled Java code to it
Set up the testing device to have that app in the "Wait for debugger" list of apps in "Settings" -> "Developer Mode"
Set breakpoints on the "getSecretKey()" function
Run the app. It should say "Wait for Debugger" now
Use JDWP to attach to the app and break at the "getSecretKey()" function
Examine the return value
More info here: https://stackify.com/java-remote-debugging/
Let's talk about binary instrumentation
Also known as "Function Hooking"
"The ability to insert a practically unlimited amount of code at any location in a binary to observe or modify that binary's behavior"
-- Dennis Andriesse, Practical Binary Analysis
https://frida.re
https://www.frida.re/docs/hacking/
So now...
How do we get the output of getSecretKey() dynamically?
// myagent.js
// ===================
Java.perform(() => {
  // Wrap the Java class; the same variable is used when installing the hook below
  const MainActivity = Java.use("com.adjust.myapp.MainActivity");
  // A regular function is required here: inside an arrow function `this` would not
  // be the Java instance the method was called on
  MainActivity.getSecretKey.implementation = function () {
    // Call the original method with whatever arguments it received and log the result
    const retval = this.getSecretKey.apply(this, arguments);
    console.log("getSecretKey() called");
    console.log(`retval = ${retval}`);
    return retval;
  };
});
// ===================
// Run with:
// $ frida -U -f com.adjust.myapp -l myagent.js
Fallbacks
AKA: What Frida cannot do / is not
Not a ptrace-based debugger
LLDB and GDB are debuggers capable of deep analysis of every instruction.
Frida HAS a lot of debugger functionality, but its main purpose is to aid in binary analysis and hook into parts of the binary to execute arbitrary instructions.
What this means is that, if you intend to step into every function and analyze its execution, it might be better to use LLDB/GDB.
Fallbacks
AKA: What Frida cannot do / is not
Not the only instrumentation framework
DynamoRIO (open-source & free)
Intel PIN (free but closed-source)
However, it is the easiest one to use and the only one that
supports multiple architectures and VM environments
(AKA: Android and iOS) by default.
Use Case #1
Analysis: Memory Dumper & Scanner
$ memdumper/memdump.py -U -p com.myapp.adjust -v
INFO:Starting Memory dump...
DEBUG:Too big, splitting the dump into chunks
DEBUG:Number of chunks: 80
DEBUG:Save bytes: 0x12C00000 till 0x13589680
DEBUG:Save bytes: 0x13589680 till 0x13F12D00
DEBUG:Save bytes: 0x13F12D00 till 0x1489C380
DEBUG:Save bytes: 0x1489C380 till 0x15225A00
DEBUG:Save bytes: 0x15225A00 till 0x15BAF080
...
DEBUG:Save bytes: 0x223F4900 till 0x22D7DF80
DEBUG:Save bytes: 0x22D7DF80 till 0x23707600
DEBUG:Save bytes: 0x23707600 till 0x24090C80
DEBUG:Save bytes: 0x24090C80 till 0x24A1A300
DEBUG:Save bytes: 0x24A1A300 till 0x253A3980
DEBUG:Save bytes: 0x253A3980 till 0x25D2D000
DEBUG:Save bytes: 0x25D2D000 till 0x266B6680
DEBUG:Save bytes: 0x266B6680 till 0x2703FD00
DEBUG:Save bytes: 0x2703FD00 till 0x279C9380
DEBUG:Save bytes: 0x279C9380 till 0x28352A00
$ strings -n 5 dump/*.data | uniq | ack -i secret
THIS IS A SECRET STRING!!!
THIS IS A SECRET STRING!!!
THIS IS A SECRET STRING!!!
THIS IS A SECRET STRING!!!
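As an added example (not the memdump.py script from the slide), the chunking visible in the log above and a Python stand-in for the `strings -n 5 | uniq | ack -i secret` pipeline that also keeps the absolute address of every hit. The 10,000,000-byte chunk size is inferred from the "Save bytes" boundaries, and the dump contents are constructed.

```python
import re

# Chunk size inferred from the log above: 0x13589680 - 0x12C00000 = 10,000,000 bytes (assumption)
CHUNK_SIZE = 10_000_000


def split_range(start, end, chunk_size=CHUNK_SIZE):
    """Split the half-open region [start, end) into consecutive (start, end) chunks.

    A region that is "too big" is dumped in pieces like this; the last piece may be shorter.
    """
    if end <= start:
        raise ValueError("empty memory region")
    chunks = []
    cur = start
    while cur < end:
        nxt = min(cur + chunk_size, end)
        chunks.append((cur, nxt))
        cur = nxt
    return chunks


def find_strings(data, min_len=5):
    """Yield (offset, text) for each run of at least min_len printable ASCII bytes.

    Same rule as `strings -n 5`: bytes 0x20..0x7e, terminated by anything else.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")


def scan_chunks(chunks, needle, min_len=5):
    """Return sorted (absolute_address, text) hits whose text contains needle (case-insensitive).

    chunks is an iterable of (base_address, bytes). Unlike `strings | uniq`, the address of
    each hit is kept, so a secret can be traced back to the memory region it lives in.
    """
    needle = needle.lower()
    hits = []
    for base, data in chunks:
        for offset, text in find_strings(data, min_len):
            if needle in text.lower():
                hits.append((base + offset, text))
    return sorted(hits)


def summarize(hits):
    """Group identical strings: {text: [addresses]}, i.e. `uniq -c` plus where each copy was."""
    grouped = {}
    for address, text in hits:
        grouped.setdefault(text, []).append(address)
    return grouped


def build_sample_chunks():
    """Constructed stand-in for dump/*.data: two tiny chunks whose base addresses are the
    first two 'Save bytes' boundaries from the log above; the contents are made up."""
    chunk0 = b"\x00" * 0x40 + b"THIS IS A SECRET STRING!!!" + b"\x00\x01\x02ab" + b"\xff" * 16
    chunk1 = b"\x7f" * 8 + b"no secret here, just a SeCrEt token" + b"\x00short" + b"\x00" * 16
    return [(0x12C00000, chunk0), (0x13589680, chunk1)]


if __name__ == "__main__":
    for text, addresses in summarize(scan_chunks(build_sample_chunks(), "secret")).items():
        print(f"{len(addresses)}x {text!r} at {', '.join(hex(a) for a in addresses)}")
```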
Use Case #2
Native Android Function Hooker
10x easier than GDB or LLDB scripting (!)
[0] % native_stalker/native_stalker.py \
    --process com.myapp.adjust \
    --library libnative-lib.so \
    --addr 0x00009610 \
    --binary /path/to/my/app/libnative-lib.so \
    --verbose
INFO:Analyzing with R2...
INFO:Retrieving PLT section...
INFO:.plt [0x8AE0] -> [0x92D0]
INFO:Prepping Frida...
INFO:Resuming process...
INFO:Hooking library loaders...
JS: loaders(): {"0":"libnative-lib.so","1":38416,"2":35552,"3":37584}
INFO:Awaiting hook callbacks...
JS: Library [native-lib] loaded with java.lang.String.loadLibrary
[+] JS: stalk_func(): {"0":"libnative-lib.so","1":38416,"2":35552,"3":37584}
[+] JS: Library base addr: 0x8b2c1000
[+] JS: Hooking [0x8b2ca610]...
INFO:Tracing 38416@libnative-lib.so concluded with 11 calls:
0x8b80 -> sym.imp.free
0x8c40 -> fcn.00008c40
0x8b30 -> fcn.00008b30
0x8b90 -> fcn.00008b90
0x8c50 -> fcn.00008c50
0x8b40 -> sym.imp.fopen
0x8ba0 -> fcn.00008ba0
0x8bc0 -> fcn.00008bc0
0x8b70 -> sym.imp.getline
0x8c30 -> fcn.00008c30
0x8b20 -> sym.imp.__android_log_vprint
INFO:Done. You can exit the script now...
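An added example of the mechanism behind the trace above, written for Frida's Python bindings; it is not the native_stalker.py tool itself. The JavaScript agent hooks libnative-lib.so at base + 0x9610 and reports, via Stalker, every call made while that function runs; the Python side rebases the runtime targets to library offsets and names them. It assumes the library is already loaded when attaching (the slide's tool hooks the library loaders instead), and the symbol map and library size are constructed.

```python
import json
import sys

LIBRARY = "libnative-lib.so"
TARGET_OFFSET = 0x9610  # same library-relative address as --addr above

# Frida agent (JavaScript). It resolves LIBRARY's base, hooks base + TARGET_OFFSET and,
# while that function runs, uses Stalker to report the destination of every call it makes.
AGENT_JS = """
const LIB = %s, OFFSET = %d;
const base = Module.findBaseAddress(LIB);
if (base === null) throw new Error(LIB + " is not loaded; attach after the app loaded it");
send({ type: "base", base: base.toString(), target: base.add(OFFSET).toString() });
Interceptor.attach(base.add(OFFSET), {
  onEnter(args) {
    this.tid = Process.getCurrentThreadId();
    Stalker.follow(this.tid, {
      events: { call: true },
      onReceive(events) {
        for (const ev of Stalker.parse(events, { annotate: true, stringify: true })) {
          if (ev[0] === "call") send({ type: "call", target: ev[2] });
        }
      }
    });
  },
  onLeave(retval) {
    Stalker.unfollow(this.tid);
    Stalker.flush();
    send({ type: "done" });
  }
});
""" % (json.dumps(LIBRARY), TARGET_OFFSET)

# Constructed symbol map, library-relative offset -> name, in the form radare2 prints it.
# The real tool builds this from the --binary file; only a few entries are given here.
SYMBOLS = {0x8B80: "sym.imp.free", 0x8B40: "sym.imp.fopen", 0x8B70: "sym.imp.getline"}


class CallResolver:
    """Receives the agent's messages and maps runtime call targets back to static names."""

    def __init__(self, symbols, library_size):
        self.symbols = symbols
        self.library_size = library_size  # assumed size of the mapped library
        self.base = None
        self.target = None
        self.calls = []  # (offset, name) in call order; calls outside the library are dropped

    def record(self, runtime_addr):
        if self.base is None:
            raise RuntimeError("agent has not reported the library base yet")
        offset = runtime_addr - self.base
        if not 0 <= offset < self.library_size:
            return None  # call into libc or another library; not part of this trace
        name = self.symbols.get(offset, "fcn.%08x" % offset)
        self.calls.append((offset, name))
        return name

    def report(self):
        header = "Tracing %d@%s concluded with %d calls:" % (self.target - self.base, LIBRARY, len(self.calls))
        return [header] + ["0x%x -> %s" % call for call in self.calls]

    def on_message(self, message, data):
        """Callback with the signature expected by frida's script.on("message", ...)."""
        if message["type"] != "send":
            print(message, file=sys.stderr)
            return
        payload = message["payload"]
        if payload["type"] == "base":
            self.base = int(payload["base"], 16)
            self.target = int(payload["target"], 16)
        elif payload["type"] == "call":
            self.record(int(payload["target"], 16))
        elif payload["type"] == "done":
            print("\n".join(self.report()))


def main(process="com.myapp.adjust"):
    import frida  # pip install frida-tools; needs a USB device with the app already running

    resolver = CallResolver(SYMBOLS, library_size=0x20000)
    script = frida.get_usb_device().attach(process).create_script(AGENT_JS)
    script.on("message", resolver.on_message)
    script.load()
    print("Hook installed; trigger the function in the app, Ctrl-C to quit")
    sys.stdin.read()


if __name__ == "__main__":
    main()
```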
Misc
Dynamic Analysis
Trace any (Dalvik/Objc/Native) function
Dump saved files
Memory scanner
Automated crypto keys scanner
One-time watchpoints
Monitor file system access
SSL pinning bypass
Code Execution
Invoke app functionality under controlled circumstances
Modify device properties (great for regression tests)
https://github.com/afjoseph/mobsec_toolbox
https://github.com/iddoeldor/frida-snippets
https://awakened1712.github.io/hacking/hacking-frida/
Abdullah Joseph
Reach me
@MalwareCheese
We are hiring Binary Dudes
and Dudettes!

NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Joseph
