This slide deck covers several tools for testing iOS applications: ChaoticMarch, Machshark and Objc_trace. ChaoticMarch simulates user interaction to automate testing of an iOS app; it is driven by Lua scripts that interact with the UI and regulate the speed of test execution. Machshark analyzes Mach IPC messages, and Objc_trace hooks objc_msgSend to trace Objective-C method calls. The deck also shows Lua scripts for ChaoticMarch that find UI elements and interact with them to automate tasks such as filling in fields and logging in.
2. ME!
Employer: SYNACK.com
"leverages the best combination of humans and technology to discover security vulnerabilities in our customers' web apps, mobile apps, IoT devices and infrastructure endpoints"
3. Our privacy. Our money. Our freedoms.
Wouldn't want to lose any of those things!
8. Objc_Trace: call sequence of the hook steps
   1. Allocate a page - a jump page
   2. Set objc_msgSend readable and writable
   3. Copy preamble bytes from objc_msgSend (the copy will run from the jump page)
   4. Check for branch instructions in the preamble (a PC-relative instruction no longer means the same thing once it has been copied somewhere else, so it has to be rewritten for its new address or the hook aborted)
   5. Modify the objc_msgSend preamble so that calls are diverted to the hook
   6. Set the jump page to readable and executable
   7. Set objc_msgSend back to readable and executable
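Steps 3 to 5 are where an inline hook goes wrong if the copied preamble is not position independent. The C below is an added example, not objc_trace's own code: it classifies each A64 instruction word of a would-be preamble by whether it encodes a PC-relative target, re-encodes a B.cond for its new address in the jump page, and refuses any preamble it cannot move. The sample preamble is constructed to have the shape of objc_msgSend's arm64 entry (compare against nil, branch for nil or tagged pointers, load the isa, mask it) but its branch offset and mask immediate are made up, and the base addresses 0x1000 and 0x2000 stand in for objc_msgSend and the jump page. The page-protection steps (2, 6, 7) are left out so the example runs on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not objc_trace's code): hook step 4, the check that the
 * preamble can be relocated, plus the fix-up for the one relocatable case
 * handled here, B.cond. Pure bit manipulation: nothing is patched. */

enum insn_kind {
    INSN_PLAIN = 0,     /* no PC dependence: copy verbatim */
    INSN_B_BL,          /* B / BL, 26-bit PC-relative offset */
    INSN_B_COND,        /* B.cond, 19-bit PC-relative offset */
    INSN_CBZ_CBNZ,      /* compare and branch, 19-bit offset */
    INSN_TBZ_TBNZ,      /* test bit and branch, 14-bit offset */
    INSN_ADR_ADRP,      /* PC-relative address computation */
    INSN_LDR_LITERAL,   /* load from a PC-relative literal pool */
    INSN_BR_BLR_RET     /* indirect branch: control leaves the preamble */
};

/* Masks and values are the fixed opcode bits of the A64 encodings. */
enum insn_kind classify_a64(uint32_t insn)
{
    if ((insn & 0x7C000000u) == 0x14000000u) return INSN_B_BL;
    if ((insn & 0xFF000010u) == 0x54000000u) return INSN_B_COND;
    if ((insn & 0x7E000000u) == 0x34000000u) return INSN_CBZ_CBNZ;
    if ((insn & 0x7E000000u) == 0x36000000u) return INSN_TBZ_TBNZ;
    if ((insn & 0x1F000000u) == 0x10000000u) return INSN_ADR_ADRP;
    if ((insn & 0x3B000000u) == 0x18000000u) return INSN_LDR_LITERAL;
    if ((insn & 0xFF9FFC1Fu) == 0xD61F0000u) return INSN_BR_BLR_RET;
    return INSN_PLAIN;
}

/* Re-encode a B.cond that moves from old_pc to new_pc so it still reaches
 * its original target. Returns 0 (not a valid B.cond) when the target is
 * outside the +/-1 MiB reach of the 19-bit word offset. */
uint32_t rebase_bcond(uint32_t insn, uint64_t old_pc, uint64_t new_pc)
{
    if (classify_a64(insn) != INSN_B_COND) return 0;
    int64_t imm19 = (int64_t)((insn >> 5) & 0x7FFFFu);
    if (imm19 & 0x40000) imm19 -= 0x80000;           /* sign-extend */
    int64_t target  = (int64_t)old_pc + imm19 * 4;
    int64_t new_off = (target - (int64_t)new_pc) / 4;
    if (new_off < -0x40000 || new_off > 0x3FFFF) return 0;
    return (insn & 0xFF00001Fu) | (((uint32_t)new_off & 0x7FFFFu) << 5);
}

/* Build the relocated copy of an n-word preamble that will live in the
 * jump page at new_base (steps 3-5). Plain words are copied, B.cond is
 * rebased, anything else is refused. Returns the number of words written,
 * or 0 when the preamble cannot be relocated this way. */
size_t relocate_preamble(const uint32_t *src, size_t n,
                         uint64_t old_base, uint64_t new_base, uint32_t *dst)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t old_pc = old_base + 4 * i, new_pc = new_base + 4 * i;
        switch (classify_a64(src[i])) {
        case INSN_PLAIN:
            dst[i] = src[i];
            break;
        case INSN_B_COND:
            dst[i] = rebase_bcond(src[i], old_pc, new_pc);
            if (dst[i] == 0) return 0;            /* target out of reach */
            break;
        default:
            return 0;   /* would need a full rewrite, not handled here */
        }
    }
    return n;
}

/* Constructed sample with the shape of objc_msgSend's arm64 entry. The
 * branch offset and the mask immediate are invented, not bytes taken from
 * any particular libobjc. */
static const uint32_t sample_preamble[4] = {
    0xF100001Fu,    /* cmp  x0, #0 */
    0x540003EDu,    /* b.le +124 (imm19 = 31): nil or tagged pointer */
    0xF940000Du,    /* ldr  x13, [x0]: isa */
    0x927D81B0u,    /* and  x16, x13, #<isa mask> (constructed encoding) */
};

int main(void)
{
    uint32_t jump_page[4];
    size_t n = relocate_preamble(sample_preamble, 4, 0x1000, 0x2000, jump_page);
    if (n == 0) {
        puts("preamble is not relocatable");
        return 1;
    }
    for (size_t i = 0; i < n; i++)
        printf("%08x -> %08x\n", (unsigned)sample_preamble[i], (unsigned)jump_page[i]);
    return 0;
}
```

On a real target the jump page has to be mapped within reach of any conditional branch in the preamble (1 MiB for B.cond); if it is not, no rebased encoding exists and relocate_preamble returns 0, which is the point at which the hook should back out rather than leave a half-patched objc_msgSend.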
9. Objc_Trace: the hook callback and the cache check

Only record unseen method calls:

void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    Class cls = object_getClass(self);
    IMP cacheImp = NULL;   // declaration omitted on the slide; added here
    if (cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if (!cacheImp) {
        // not in cache, never been called, record the call.
        …

Find the cache check function cache_getImp:

// cache_getImp is not part of the public runtime API, so it is located as a
// fixed offset from libobjc's load address. The offset is only valid for the
// libobjc build it was measured on and has to be redone per iOS version.
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);
18. ChaoticMarch
   ● Lua scriptable logic
   ● Standard functions for touching the device
   ● Options for record/replay
   ● Finding UI components
   ● Regulating speed of execution
   ● Support for multiple targets
   ● Mechanisms for generic logic
   ● Lightweight injected module
20. Generic logic: press every button once, filling in fields first

local clickedButtons = {}   -- buttons already pressed, keyed by label (added; the slide omits it)

while true do
    -- pick a button that has not been pressed yet
    local button = getButton(clickedButtons)
    -- put some info in.
    fill_all_fields()
    click_button(button)
    if button["text"] ~= nil then
        clickedButtons[button["text"]] = 1
    end
    usleep(2 * 1000000)   -- wait 2 seconds (argument is in microseconds)
end
23. Attack flow between Attacker and User
   1 - Make a post
   2 - Get exploited: binary/XSS with phish
   3 - Steal creds or tokens
   4 - Put up a draft
   5 - Request messages
   6 - Respond with attack content
(Diagram labels: Attacker, User. Annotation: "We focus on this".)
25. Generic login attempt: fill every UITextField, tap login, check for an alert

while true do
    -- every UITextField currently on screen
    local inputs = findOfTypes("UITextField", "")
    for _, inputField in pairs(inputs) do
        click_button(inputField)
        inputText("SomeInput!!")
    end
    -- touch login: a replayed touch (down, recorded delay, up) at the
    -- screen coordinates of the login button
    touchDown(3, 138, 619)
    usleep(83148.83)
    touchUp(3, 141, 615)
    -- did the app respond with an alert (error, success, lockout)?
    check_alert()
end