zeronights: automating ios blackbox security scanning


Upload: mikhail-sosonkin

Post on 09-Jan-2017


Page 1: ZeroNights: Automating iOS blackbox security scanning
Page 2

ME!

“leverages the best combination of humans and technology to discover security vulnerabilities in our customers’ web apps, mobile apps, IoT devices and infrastructure endpoints”

Employer!

- SYNACK.com

Page 3

Our privacy. Our money. Our freedoms.

Wouldn’t want to lose any of those things!

Page 5

For those that don't know AArch64: IdaRef, an instruction-reference documentation plugin for IDA: https://github.com/nologic/idaref

Page 8

Objc_Trace: hook steps (call sequence)

1. Allocate a page (the jump page)

2. Set objc_msgSend readable and writable

3. Copy the preamble bytes from objc_msgSend into the jump page

4. Check for branch instructions in the preamble (a PC-relative branch copied verbatim resolves to the wrong target once it executes from the jump page)

5. Modify the objc_msgSend preamble so it diverts into the hook

6. Set the jump page readable and executable

7. Set objc_msgSend back to readable and executable
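Step 4 is the one that silently breaks a trampoline if skipped, so here is an added example (not objc_trace's own code) that performs it: it decodes the AArch64 encodings that embed a PC-relative offset and flags any such instruction in the copied preamble. The jump-stub size of 4 instructions (16 bytes) and the two hand-assembled sample preambles are assumptions, not values taken from the slides.

```python
"""Step 4 of the hook sequence, as an added example (not objc_trace's own
code): before the copied objc_msgSend preamble can execute from the jump
page, every instruction in it must be position-independent.  This decodes
the AArch64 encodings that embed a PC-relative offset and flags them.
Assumptions: the jump stub overwrites 4 instructions (16 bytes), and the
sample preambles below were assembled by hand for this example."""
import struct

# (mask, value, mnemonic) for AArch64 instructions whose meaning depends on
# the address they execute from; copying them verbatim breaks them.
PC_RELATIVE = [
    (0xFC000000, 0x14000000, "B"),             # unconditional branch, imm26
    (0xFC000000, 0x94000000, "BL"),            # branch with link, imm26
    (0xFF000010, 0x54000000, "B.cond"),        # conditional branch, imm19
    (0x7E000000, 0x34000000, "CBZ/CBNZ"),      # compare and branch, imm19
    (0x7E000000, 0x36000000, "TBZ/TBNZ"),      # test bit and branch, imm14
    (0x9F000000, 0x10000000, "ADR"),           # PC-relative address
    (0x9F000000, 0x90000000, "ADRP"),          # PC-relative page address
    (0x3B000000, 0x18000000, "LDR (literal)"), # load from a PC-relative pool
]

PATCH_INSNS = 4  # assumed: size of the jump stub written over the preamble


def classify(insn):
    """Return the mnemonic group if `insn` is PC-relative, else None."""
    for mask, value, name in PC_RELATIVE:
        if insn & mask == value:
            return name
    return None


def decode_preamble(raw, n_insns=PATCH_INSNS):
    """Split the first n_insns little-endian 32-bit words out of `raw`."""
    if len(raw) < 4 * n_insns:
        raise ValueError("preamble shorter than the patch")
    return list(struct.unpack("<%dI" % n_insns, raw[:4 * n_insns]))


def relocatable_preamble(raw, n_insns=PATCH_INSNS):
    """Return (ok, problems): problems is a list of (index, mnemonic) for
    every instruction that cannot simply be copied to the jump page."""
    problems = []
    for i, word in enumerate(decode_preamble(raw, n_insns)):
        name = classify(word)
        if name:
            problems.append((i, name))
    return not problems, problems


# Constructed samples, assembled by hand; not bytes from a real libobjc.
SAMPLE_OK = struct.pack("<4I",
    0xF100001F,   # cmp  x0, #0
    0xF940000D,   # ldr  x13, [x0]
    0xAA0D03F0,   # mov  x16, x13
    0xD503201F,   # nop
)
SAMPLE_BAD = struct.pack("<4I",
    0xF100001F,   # cmp  x0, #0
    0x5400014D,   # b.le #+0x28  <- target is PC-relative: wrong once copied
    0xF940000D,   # ldr  x13, [x0]
    0xAA0D03F0,   # mov  x16, x13
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_OK), ("branchy", SAMPLE_BAD)):
        ok, problems = relocatable_preamble(sample)
        print(label, "relocatable" if ok else "needs fix-up: %r" % problems)
```

The arm64 objc_msgSend prologue really does open with a nil/tagged-pointer check (cmp x0, #0 followed by a conditional branch), so on a real target this check fires on the second instruction: the copied branch has to be re-encoded against its new address or the stub placed past it, which is what step 4 is there to catch.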

Page 9

Objc_trace: the pre-call hook (C). The callback runs before every objc_msgSend and asks libobjc's method cache whether this (class, selector) pair has been dispatched before, so only unseen method calls are recorded:

void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    Class cls = object_getClass(self);
    IMP cacheImp = NULL;           /* declaration omitted on the slide */

    if(cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);

    if(!cacheImp) {
        // not in cache, never been called, record the call.
        /* recording code elided on the slide */
    }
    /* remainder elided on the slide */
}

Find the cache check function cache_getImp: it is not exported, so objc_trace locates it at a fixed offset from the libobjc image base. The offset is specific to the libobjc build the talk was made against and has to be re-derived for any other version; note that the cast must apply to the whole sum, not to the base pointer alone:

const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);

Page 10

Page 11

Machshark: one captured Mach message, decoded (Python dict dump)

{'_payload': {'_payload': {'_msg': '\x00\x00\x08\x00\x00\x00subsystem\x00\x00\x00\x00@\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00ha',
                           'type': 2048},
              'magic': '!CPX',
              'version': 5},
 'msgh_bits': 1250579,
 'msgh_id': 268435456,
 'msgh_local_port': '0x30b',
 'msgh_remote_port': '0x10b',
 'msgh_reserved': 2819,
 'msgh_size': 256}
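To show what the dump above is made of, here is an added example (not machshark's own code) that parses a raw Mach message header, expands msgh_bits into its port dispositions and complex flag, and recognises the XPC wire header that follows. It assumes the standard 24-byte mach_msg_header_t layout in little-endian order (msgh_voucher_port is the field the dump labels msgh_reserved) and the XPC header of magic 0x58504321, which reads "!CPX" in memory, followed by a 32-bit version of 5. The sample message is constructed; its header values are the ones from the dump.

```python
"""Added example (not machshark's own code): parse a raw Mach message and
annotate it the way the Machshark dump above does.  Assumes the standard
24-byte mach_msg_header_t layout (msgh_bits, msgh_size, msgh_remote_port,
msgh_local_port, msgh_voucher_port - shown as msgh_reserved in the dump -
and msgh_id) in little-endian byte order, and the XPC wire header (magic
0x58504321, i.e. the bytes "!CPX", then a 32-bit version of 5) directly
after it.  The sample message is constructed; its header values are the
ones from the dump."""
import struct

HEADER = struct.Struct("<IIIIIi")          # 24 bytes
MACH_MSGH_BITS_COMPLEX = 0x80000000        # message carries OOL/port descriptors
PORT_DISPOSITION = {
    16: "MACH_MSG_TYPE_MOVE_RECEIVE",
    17: "MACH_MSG_TYPE_MOVE_SEND",
    18: "MACH_MSG_TYPE_MOVE_SEND_ONCE",
    19: "MACH_MSG_TYPE_COPY_SEND",
    20: "MACH_MSG_TYPE_MAKE_SEND",
    21: "MACH_MSG_TYPE_MAKE_SEND_ONCE",
    22: "MACH_MSG_TYPE_COPY_RECEIVE",
}
XPC_MAGIC = b"!CPX"


def decode_bits(msgh_bits):
    """Split msgh_bits into the three port dispositions and the complex flag."""
    def name(v):
        return PORT_DISPOSITION.get(v, "unknown(0x%x)" % v)
    return {
        "remote": name(msgh_bits & 0xFF),
        "local": name((msgh_bits >> 8) & 0xFF),
        "voucher": name((msgh_bits >> 16) & 0xFF),
        "complex": bool(msgh_bits & MACH_MSGH_BITS_COMPLEX),
    }


def captured_whole_message(raw):
    """True if the capture holds the full header and the msgh_size it claims."""
    if len(raw) < HEADER.size:
        return False
    size = HEADER.unpack_from(raw)[1]
    return HEADER.size <= size <= len(raw)


def parse_message(raw):
    """Return a dict like the Machshark dump; raises on a truncated capture
    rather than decoding a body that is not really there."""
    if not captured_whole_message(raw):
        raise ValueError("truncated capture: msgh_size exceeds captured bytes")
    bits, size, remote, local, voucher, msg_id = HEADER.unpack_from(raw)
    body = raw[HEADER.size:size]
    msg = {
        "msgh_bits": bits, "bits": decode_bits(bits), "msgh_size": size,
        "msgh_remote_port": hex(remote), "msgh_local_port": hex(local),
        "msgh_reserved": voucher, "msgh_id": msg_id, "body": body,
    }
    if body[:4] == XPC_MAGIC and len(body) >= 8:
        msg["xpc"] = {"magic": body[:4].decode("ascii"),
                      "version": struct.unpack_from("<I", body, 4)[0]}
    return msg


# Constructed capture: the dump's header fields plus an XPC wire header and
# zero padding up to the claimed msgh_size of 256 bytes.
SAMPLE = HEADER.pack(1250579, 256, 0x10B, 0x30B, 2819, 268435456)
SAMPLE += XPC_MAGIC + struct.pack("<I", 5)
SAMPLE += b"\x00" * (256 - len(SAMPLE))

if __name__ == "__main__":
    m = parse_message(SAMPLE)
    print(m["bits"], m.get("xpc"))
```

Run against the dump's msgh_bits of 1250579 (0x131513) this reports a COPY_SEND remote port, a MAKE_SEND_ONCE local (reply) port and a COPY_SEND voucher port with the complex bit clear, which is the shape of a plain XPC request expecting a one-shot reply; a complex message would instead carry descriptors after the header that a fuzzer must not treat as inline payload.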

Page 12

Page 13

Page 14

“A little engine for driving the UI while doing blackbox testing of an iOS App”

- CHAOTICMARCH

Page 16

● Simulate the user
● Read and understand the UI

Page 17

Reading the view hierarchy with cycript:

cy# UIApp.keyWindow

<UIWindow; frame = (0 0; 320 568); gestureRecognizers = <NSArray>;>

| <TiRootViewNeue; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer>>

...

<TiUITableViewCell; baseClass = UITableViewCell; text = 'Log On';

| <TiGradientLayer;> (layer)

| <UITableViewCellContentView; frame = (0 0; 256 43.5); layer = <CALayer>>

| | <UITableViewLabel; frame = (74 0; 167 43.5); text = 'Log On'>

| | <UIImageView; frame = (15 0; 44 43.5); layer = <CALayer>>

| <_UITableViewCellSeparatorView; frame = (74 43.5; 182 0.5); layer = <CALayer>>

Page 18

● Lua Scriptable Logic
● Standard functions for touching the device
● Options for record/replay
● Finding UI Components
● Regulating speed of execution
● Support for multiple targets
● Mechanisms for generic logic
● Lightweight injected module

Source

Page 19

Page 20

Generic UI-walking loop (Lua, CHAOTICMARCH):

-- buttons already pressed, keyed by their text, so each is tried once
local clickedButtons = {}

while true do
    local button = getButton(clickedButtons)
    -- put some info in.
    fill_all_fields()
    click_button(button)
    if(button["text"] ~= nil) then
        clickedButtons[button["text"]] = 1
    end
    usleep(2 * 1000000)  -- two seconds for the UI to settle
end

Page 21

Page 22

Response fuzzing pipeline (diagram labels): MITM Proxy, Request, Parse, Mutator, Fuzz

Page 23

Attack flow (diagram lanes: Attacker, User)

1 - Make a post

2 - Get exploited binary/XSS with phish

3 - Steal creds or tokens

4 - Put up a draft

5 - Request messages

6 - respond with attack content

We focus on this

Page 24

Page 25

Login-form fuzzing loop (Lua, CHAOTICMARCH):

while true do
    local inputs = findOfTypes("UITextField", "")
    for index, inputField in pairs(inputs) do
        click_button(inputField)
        inputText("SomeInput!!")
    end
    -- touch login
    touchDown(3, 138, 619);
    usleep(83148.83);
    touchUp(3, 141, 615);
    check_alert()
end

Source

Page 26

Page 27

• Apps are important!
• Automation of the UI
• Collection of coverage information
• Fuzzing of response messages

Page 28

Blog: debugtrap.com
Twitter: @hexlogic

Sources:
CHAOTICMARCH: https://github.com/synack/chaoticmarch
Machshark: https://github.com/nologic/machshark
Objc_trace: https://github.com/nologic/objc_trace

Images: http://iconmonstr.com/