In The Middle Of Chatter #1

Transcript

1. IN THE MIDDLE OF CHATTER OWASP SAITAMA MTG #20, TALK

   #2 Image by quinn.anya on flickr, CC-BY-SA 2.0

2. TEXT SESSION FLAGS ▸ ࿥ըɾ࿥Իɾެ։: OK Image by Nico Kaiser

   on flickr, CC-BY 2.0

3. TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸

   Monolith Works Inc. Co-founder, CTO Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ ٬һݚڀһ

4. TEXT WHAT I DO ▸ Security research and development ▸

   iOS/Android Apps →Financial, Games, IoT related, etc. (>200) →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps →POS, RAD tools etc. ▸ Network/Web penetration testing →PCI-DSS etc. ▸ Search engine reconnaissance (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

5. TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

   METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017) DEF CON 27 AI Village (2019) CODE BLUE (2017, 2019) CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

6. TEXT BACKGROUND ▸ LLM΁ͷνϟοτΞϓϦ ʢChatGPT, GPT-4o, Claude .. ʣ ▸

   ͜ΕΒͷڍಈ͸…Ͳ͏ͳ͍ͬͯΔͷͩΖ͏͔ ▸ iOS൛ΞϓϦΛର৅ Image by focal5 on flickr, CC-BY-NC 2.0

7. TEXT ANALYZING IOS APPS ▸ iOSΞϓϦղੳͷྲྀΕ ▸ DRMͷղআ (FairPlay) ▸

   RE ▸ ಈతղੳ Image by focal5 on flickr, CC-BY-NC 2.0

8. TEXT DEFEATING DRM ▸ App Store͕഑෍ʹ͋ͨΓ҉߸Խ+ॺ໊ ▸ ҉߸Խ͞Ε͍ͯΔͱ౰વಡΊͳ͍ ▸ ҉߸ͷ࢖͍ํʹ͸͞΄Ͳେ͖ͳ໰୊͸ͳ͍

   →ਖ਼߈๏Ͱ͸೉͍͠ ▸ ࣮୺຤ʹղಡͤ͞Δͷ͕ྑ͍ɺ͕ ▸ ղಡπʔϧ͕App Storeʹ͋Δ…Θ͚ͳ͍ ▸ ղಡʹ͸jailbreak͕ඞਢ Image by lantzilla on flickr, CC-BY-NC-ND 2.0

9. TEXT BREAKING OUT OF PRISON ▸ jailbreak ▸ ίʔυॺ໊ݕূػߏΛແޮԽ →Χʔωϧͷ੬ऑੑΛಥ͍ͯϑϥάΛԚછ

   ▸ checkm8: BootROMʹ͓͚Δuse-after-free →BootROMͳͷͰύονͰ͖ͳ͍ (<A12) ▸ checkra1n (12.x ..14.x) ▸ palera1n (15 .. 16.4, 15 .. 17.x) →2.0ܥ͔Βcheckra1nΛ಺෦తʹར༻ Image by Prab Bhatia Photography on flickr, CC-BY-NC-ND 2.0

10. TEXT ROOT...LESS?? ▸ rootfulness ▸ /Λॻ͖׵͑Δ (-ful) ͔൱ (-less) ͔

    →rootݖݶ͕͋Δ͔Ͳ͏͔Ͱ͸ͳ͍ ▸ ݱࡏ͸rootless͕ओྲྀʹͳ͖͍ͬͯͯΔ →fridaͷڍಈʹׯব͢Δͱ͍͏͕ᷚ͋Δ͕… ʢݟΔݶΓͦΜͳ͜ͱ͸ͳ͍ʣ →rootful͕ඞཁͳͷ͸γεςϜϥΠϒϥϦΛ ஔ׵ͨ͠Γ੩తʹύον͢Δ৔߹ͳͲͰ͸ Image by [email protected] on flickr, CC-BY-ND 2.0

11. TEXT STRATEGY ▸ Claude͸iOS 17Ҏ߱ର৅ ChatGPT: iOS 16.1Ҏ߱ର৅ ▸ palera1n

    + iPad 7Λ࢖༻ ʢiPad 7: checkm8࣋ͪʣ

12. TEXT PALEQUIRKS ▸ palera1nͷݱঢ়ʹ͍ͭͯ ▸ USB-A΁ม׵ͯ͠࢖͏: DFUʹೖΔͨΊʹඞཁͳ ৴߸Λ࣮֬ʹassert͠ɺᩱͷՏݪ஍ࠈΛආ͚Δ ▸ exploitޙ෮ؼ଴ͪͷλΠϜΞ΢τͰ͸୺຤ͷ

    lightning୺ࢠΛൈ͖ࠩ͢͠Δ: ͓ͦΒ͘ೝূνο ϓͩͱ͔USBΑΓ௿ϨΠϠΛϦηοτ͢Δඞཁ ▸ AccessoryࣗಈೝࣝΛ੾Δ: lockdowndͱ޲͖߹ ͏͜ͱ͕ඞཁ Image by kla4067 on flickr, CC-BY-SA 2.0

13. TEXT RAINING ROOTLESS ▸ palera1n + iPad 7 (rootless) ▸

    DFUͰcheckm8 → download mode΁ ▸ PongoOSΛىಈ ΧʔωϧΛύον (※ॺ໊ݕূແޮԽ etc.) ▸ iOSΛىಈ Image by Ann HS.Photography_natureflower on flickr, CC-BY-NC-ND 2.0

14. TEXT ROOTFUL RAINS ▸ palera1n + iPad 7 (rootful) ▸

    DFUͰcheckm8 → download mode΁ ▸ PongoOSΛىಈ ΧʔωϧΛύον FakeFS(※) ΁ϑΝΠϧΛίϐʔ ← ͜͜·Ͱ ▸ FakeFS͔Βϒʔτ (※࠶ར༻ෆೳ) →PongoOSىಈɺύονɺiOSىಈ ▸ ※FakeFS: ॻ͖׵͑Մೳͳramdisk Image by Vince O'Sullivan on flickr, CC-BY-NC 2.0

15. TEXT ROOTFUL HURTS ▸ palera1n + iPad 7 (rootful) ▸

    rootful͸ެࣜʹ͸deprecated… ▸ fakefs͕࡞੒Ͱ͖ͳ͍ɺΫϦΞͰ͖ͳ͍ etc. ͳͲͷόά͕·ͩ·ͩ͋Δ → #415 ͕༗༻ https://github.com/palera1n/palera1n/ issues/415 ▸ ΠόϥͷಓʢͳʹΛ͍·͞Β Image by anjalirahallphotography on flickr, CC-BY-NC-ND 2.0

16. TEXT ROOTFUL SCARS ▸ palera1n + iPad 7 (rootful) ▸

    ࢀߟ·Ͱʹcheckra1n͸rootful … ͖ͪΜͱ࡟আ͠ͳ͍ͱfakefsͷऔΓ߹͍ ▸ Erase All Settings and Contents Ͱ΋࢒Δ →શͯΛফ͢ͱ͍͑ͲॴḨ͸user area͚ͩ →Ϛϧ΢ΣΞͳͲ͕PersistentʹԿΒ͔ͷϑΝ ΠϧΛ೜͹ͤΒΕΔࣔࠦ →PegasusͳͲ͕ࣗ਎Λ࢒͢ํ๏ʁ Image by Lookin' at the big sky on flickr, CC-BY-SA 2.0

17. TEXT NOW UNLEASHED, WHERE TO GO? ▸ ର৅ͷΞϓϦΛղಡ͍ͨ͠ ▸ frida-ios-dump

    →ϝϞϦμϯϓ͠ΞϓϦΛ࠶ߏ੒ →frida͕ඞཁ ▸ frida: dynamic instrumentation framework! ▸ frida-serverΛattach ▸ APIݺͼग़͠ͷI/OͳͲࡉ෦͔Β੍ޚՄೳʹ Image by Mr. Littlehand on flickr, CC-BY-ND 2.0

18. TEXT READING AND DUMPING MEMORY ▸ ౰વ: σόοάՄೳͰͳͯ͘͸ͳΒͳ͍ ▸ App

    StoreͰ഑෍͞Ε͍ͯΔ΋ͷ͸౰વෆೳ ▸ jailbrokenͳΒ͹໰୊ͳ͍ →͜ͷͨΊʹjailbreakͨ͠ͷͩ… Image by Katy.Tresedder on flickr, CC-BY-NC-ND 2.0

19. TEXT DUMPING MYSELF IS NONE OF YOUR .. ▸ ͪͳΈʹjailbreak͸ඞਢͰ͸ͳ͍

    ▸ ࢀߟ: non-jailbrokenͳ୺຤Ͱ͋Ε͹ ▸ re-signͯ͠σόοάՄೳʹ͢Ε͹… ▸ re-signͯ͠frida-gadgetΛೖΕͯ΍Ε͹… ▸ ͨͩղಡͰ͖ͳ͍΋ͷΛͦͷ··re-sign͸… →App Store༝དྷͷ΋ͷͷ੩తղੳʹ͸ඞਢ ʢ˞ಈతղੳʹ͸ෆཁʣ Image by quinn.anya on flickr, CC-BY-SA 2.0

20. TEXT FRIDA! WHERE ARE YOU? ▸ Ͳ͔͜Βಋೖ͢Δͷ͔ ▸ Sileo /

    Zebraʂ ʢલ͸Cydiaʂ͕ͩͬͨ…ʣ ▸ ྆ऀͱ΋APTϕʔεͷύοέʔδϚωʔδϟ ▸ Sileo͸औͬ෇͖΍͍͢ɺ͕… ύοέʔδDBͷෆ੔߹ʹר͖ࠐ·ΕΔ৔߹͕͋ Δ ʢ˞palera1n 420ʣ ▸ Zebra͸γϯϓϧ Image by KKatek8 on flickr, CC-BY-ND 2.0

21. TEXT LEADING ZEBRA ▸ ϦϙδτϦΛ௥Ճ https://build.frida.re ▸ fridaΛݕࡧͯ͠ಋೖ →frida-server͕ೖΔ Image

    by KKatek8 on flickr, CC-BY-ND 2.0

22. TEXT DRAWING CONNECTION .. ▸ frida-ios-dump͸͍͔ʹͯ͠frida΁… Image by Su Bee

    Buzz! on flickr, CC-BY-ND 2.0

23. TEXT .. SSSSH ▸ frida-ios-dump͸͍͔ʹͯ͠frida΁… →͸͍ɺ୯ͳΔssh ▸ iproxy: usbmuxd͕ଃΔ઀ଓϓϩΩγ →iproxy

    2222 22 … Ͱ͸ͳ͍ɺਖ਼͘͠͸ →iproxy 2222 44 (※palera1n, checkra1n) ▸ ͳͥʁdropbearޓ׵Ͱ͋ΔͨΊɻ ެࣜͰ͸ "ProxyCommand inetcat 44" ͷهࡌ … ͨͩ͜Ε͸૖େͳೋ֊͔Β໨ༀ Image by Free the Image on flickr, CC-BY 2.0

24. TEXT SUCCESS! ▸ frida-ios-dump ▸ ੒ޭ

25. TEXT REVERSING ▸ Ghidra: Multi-arch disassembler (NSA) radare2: Binary analysis

    framework (pancake et al.) ▸ ؆୯ͷͨΊʹghidraΛ࢖༻ Image by Simon Rankin on flickr, CC-BY-NC-ND 2.0

26. TEXT REVERSING ▸ ࣄલ४උ JVM: 17͋ͨΓͷGraalVM ※ߴ଎Խʹ༗༻; static compile΋Ͱ͖Δ͕… ▸

    aarch64 LinuxΛ࢖༻͢Δ৔߹͸ҎԼඞཁ gcc/gradleΛೖΕͯ./support/buildNatives →decompiler͕ಉࠝ͞Ε͍ͯͳ͍ͷͰ͢… Image by Simon Rankin on flickr, CC-BY-NC-ND 2.0

27. TEXT REVERSING 101 ▸ Ұൠతʹ͸ ▸ ghidra projectΛ࡞੒ ▸ ର৅Λimport

    ▸ खͰղੳ γϯϘϧݕࡧɺϚʔΫɺetc.. Image by zachary.cutlip on flickr, CC-BY-SA 2.0

28. TEXT .. NO, WE ARE NOT TALKING ABOUT 101 ▸

    ୀ۶ͳͷͰશͯΛproject΁౤͛ࠐΈࣗಈղੳ… → Ͱ͖Δ: headless analyzer ▸ support/analyzeHeadless ͱ͍͏ܗͰଘࡏ Image by *¦·twinderella·¦* on flickr, CC-BY-NC-ND 2.0

29. TEXT HEADLESS REVERSING -- IN ▸ ୀ۶ͳͷͰશͯΛproject΁౤͛ࠐΜͰࣗಈղੳ ▸ ղੳΦϓγϣϯ͸prescriptͱ͍͏ܗͰ౉͢ ྫ:

    from ghidra.app.script import GhidraScript setAnalysisOption(currentProgram, "Scalar Operand References", "true") ▸ ͔͜͠͠Ε͕͍ͩͿ҉໧஌… ୭͕߲໨໊ͦͷ΋ͷΛ౉͢ͱ૝૾Ͱ͖ΔΜͩ… ͋ͱ͜ΕΛ~/ghidra_scriptsҎԼʹஔ͘ඞཁ͕͋Δͱ… ࢀߟ: ghidraͷexamples͕༗༻ Image by *¦·twinderella·¦* on flickr, CC-BY-NC-ND 2.0

30. TEXT HEADLESS REVERSING -- OUT ▸ ղੳ݁ՌͷऔΓग़͠ →ΞηϯϒϦιʔε͚ͩཉ͍͠ ▸ औΓग़͠͸postscriptͱͯ͠ॲཧ͢Δ͜ͱͰ࣮ݱ

    from java.io import File from ghidra.app.util.exporter import AsciiExporter e = AsciiExporter() opts = e.getOptions(None) for o in opts: if o.getName() == " End of Line ": o.setValue(256) if o.getName() == " Unde fi ned Data ": o.setValue(False) e.setOptions(opts) e.export(File("out.asm"), currentProgram, None, monitor) ▸ ͜Ε΋ͩͳ…………ʢҎԼࣗॗʣ Image by *¦·twinderella·¦* on flickr, CC-BY-NC-ND 2.0

31. TEXT THIS THEN THAT ▸ ղੳ: ϑϨʔϜϫʔΫྨΛઌʹ ▸ 1. ϑϨʔϜϫʔΫ

    analyzeHeadless ~/works/claude/t claude -preScript analysisopts_ios.py -recursive -import Payload/Claude.app/Frameworks/ ▸ 2. ࣮ମ analyzeHeadless ~/works/claude/t claude -preScript analysisopts_ios.py -import Payload/ Claude.app/Claude Image by *¦·twinderella·¦* on flickr, CC-BY-NC-ND 2.0

32. TEXT TAKE OUR TRICKS NOT AGES ▸ ղੳʹ͸͕͔͔࣌ؒΔ →େ͖ͳΠϯελϯεͰ์ஔ͢ΔΑΖ͠ ▸

    -max-cpu: ղੳεϨου਺ࢦఆ ▸ Ҿ্͖͛͗͢Δͱdecompileϓϩηεʹswamp͞ ΕΔͷͰ஫ҙ ʢ਺ेMBʙ਺GBͷRSS/procʣ →߈ΊࠐΈʹ͸swapඞਢ ▸ ※Ghidra͸ؔ਺γάχνϟͷܾఆͳͲͰ΋ decompileΛߦͳ͏͜ͱʹཹҙ Image by Nicolas Alejandro Street Photography on flickr, CC-BY 2.0

33. TEXT .. OUR SPACES, TOO ▸ औΓग़͠ʹ΋͕͔͔࣌ؒΔ →σΟεΫྖҬ͕౬ਫͷΑ͏ʹফ͑Δ ▸ ѹॖͭͭ͠औΓग़͢ͳͲ͸Ͱ͖ͳ͍

    ▸ ϑΟʔϧυ௕͸ϦϕϥϧʹऔΔΑΖ͠ →զʑ͸interactiveͰ͸ͳ͍ͷͰ੾Εͨ৘ใ͸෮ ݩɾิ׬Ͱ͖ͳ͍͜ͱʹ஫ҙ →Ұํ: ߦ͕ؒԆͼͯ͠ࢹೝੑ͕ѱ͘ͳΔ ▸ ΞηϯϒϦͷղੳ΋ࣗಈͰ΍Ζ͏ʢʂʣ Image by Rob Oo on flickr, CC-BY 2.0

34. TEXT REVERSING TAKEAWAYS ▸ ղੳ analyzeHeadless ~/works/claude/t claude -preScript analysisopts_ios.py

    -import Payload/ Claude.app/Claude ▸ औΓग़͠ analyzeHeadless ~/works/claude/t claude -postScript out.py -process Claude -noanalysis → out.asm(※) ͕ੜ੒͞ΕΔͷͰrename ▸ ※out.asm͸out.py͕উखʹܾΊ͍ͯΔϑΝΠϧ໊ Image by Thomas_H_foto on flickr, CC-BY-ND 2.0

35. TEXT NOW YOU ARE PIECES ▸ όΠφϦΛ౤ೖͯ͠ΞηϯϒϦΛճऩ ▸ ͋ͱ͸… ࣮ࡍͷղੳΛߦͳ͏

    Image by Thomas_H_foto on flickr, CC-BY-ND 2.0

36. TO BE CONTINUED. 25.6.2024 TAKAHIRO YOSHIMURA (@ALTERAKEY) Image by marneejill

    on flickr, CC-BY-SA 2.0