2. ME!
“leverages the best combination of humans
and technology to discover security
vulnerabilities in our customers’ web
apps, mobile apps, IoT devices
and infrastructure endpoints”
Employer!
- SYNACK.com
3. Our privacy. Our money.Our freedoms.
Wouldn’t want to lose any of those things!
8. 1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
Objc_Trace
Call Sequence
Hook Steps
9. void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
Class cls = object_getClass(self);
if(cls != NULL && op != NULL)
cacheImp = c_cache_getImp(cls, op);
if(!cacheImp) {
// not in cache, never been called, record the call.
…
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base) + 97792 + 0x4000;
Only record unseen
method calls
Find the cache check
function cache_getImp
18. ● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module
Source
20. while true do
local button = getButton(clickedButtons)
-- put some info in.
fill_all_fields()
click_button(button)
if(button["text"] ~= nil) then
clickedButtons[button["text"]] = 1
end
usleep(2 * 1000000)
end
23. 1 - Make a post
2 - Get exploited
binary/XSS with phish
3 - Steal creds or tokens
4 - Put up a draft
5 - Request messages
6 - respond with attack
content
Attacker
User
We focus
on this
24.
25. while true do
local inputs = findOfTypes("UITextField", "")
for index, inputField in pairs(inputs) do
click_button(inputField)
inputText("SomeInput!!")
end
-- touch login
touchDown(3, 138, 619);
usleep(83148.83);
touchUp(3, 141, 615);
check_alert()
end
Source