Upgrade to Pro — share decks privately, control downloads, hide ads and more …

In The Middle Of Chatter #2

Takahiro Yoshimura
October 29, 2024
Technology
0
26

In The Middle Of Chatter #2

Somewhat detailed dive to iOS application analysis methodology. (OWASP Saitama MTG #22, talk #1)

Takahiro Yoshimura

October 29, 2024
Tweet

More Decks by Takahiro Yoshimura

See All by Takahiro Yoshimura
Reviewing 2024
alterakey
0
20
Chaotic Channel
alterakey
0
34
In The Middle Of Chatter #1
alterakey
0
37
Shadow Runners 2
alterakey
0
6
Shadow Runners
alterakey
0
7
Looking Back: 2023
alterakey
0
9
Fill In The Blank
alterakey
0
8
Ticket To The Dark World
alterakey
0
13
Looking Back: 2022
alterakey
0
11

Other Decks in Technology

See All in Technology
手を動かしてレベルアップしよう!
maruto
0
280
自分のやることに価値を見出だせるようになり、挑戦する勇気をもらったベイトソンの考え / Scrum Fest Fukuoka 2025
bonbon0605
0
170
クラウド関連のインシデントケースを収集して見えてきたもの
lhazy
10
2.1k
30→150人のエンジニア組織拡大に伴うアジャイル文化を醸成する役割と取り組みの変化
nagata03
0
400
Amazon Bedrock Knowledge basesにLangfuse導入してみた
sonoda_mj
2
190
Amazon Athenaから利用時のGlueのIcebergテーブルのメンテナンスについて
nayuts
0
130
AI-Driven-Development-20250310
yuhattor
3
310
Cracking the Coding Interview 6th Edition
gdplabs
14
28k
OCI IAM Identity Domains Entra IDとの認証連携設定手順 / Identity Domain Federation settings with Entra ID
oracle4engineer
PRO
1
1.3k
役員・マネージャー・著者・エンジニアそれぞれの立場から見たAWS認定資格
nrinetcom
PRO
5
6.9k
AIエージェント時代のエンジニアになろう #jawsug #jawsdays2025 / 20250301 Agentic AI Engineering
yoshidashingo
9
4.3k
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
9
1.3k

Featured

See All Featured
RailsConf 2023
tenderlove
29
1k
Product Roadmaps are Hard
iamctodd
PRO
51
11k
Measuring & Analyzing Core Web Vitals
bluesmoon
6
270
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
660
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
The World Runs on Bad Software
bkeepers
PRO
67
11k
A Philosophy of Restraint
colly
203
16k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Designing for Performance
lara
605
68k

Transcript

  1. IN THE MIDDLE OF CHATTER 2 OWASP SAITAMA MTG #22,

    TALK #1 Image by quinn.anya on flickr, CC-BY-SA 2.0

  2. TEXT SESSION FLAGS ▸ ࿥ըɾ࿥Իɾެ։: OK Image by Nico Kaiser

    on flickr, CC-BY 2.0

  3. TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸

    Monolith Works Inc. Co-founder, CTO Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ ٬һݚڀһ

  4. TEXT WHAT I DO ▸ Security research and development ▸

    iOS/Android Apps →Financial, Games, IoT related, etc. (>200) →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps →POS, RAD tools etc. ▸ Network/Web penetration testing →PCI-DSS etc. ▸ Search engine reconnaissance (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

  5. TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

    METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017) DEF CON 27 AI Village (2019) CODE BLUE (2017, 2019) CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

  6. TEXT BACKGROUND ▸ LLM΁ͷνϟοτΞϓϦ ʢChatGPT, GPT-4o, Claude .. ʣ ▸

    ͜ΕΒͷڍಈ͸…Ͳ͏ͳ͍ͬͯΔͷͩΖ͏͔ ▸ iOS൛ΞϓϦΛର৅ Image by focal5 on flickr, CC-BY-NC 2.0

  7. TEXT DEFEATING DRM ▸ App Store͕഑෍ʹ͋ͨΓ҉߸Խ+ॺ໊ ▸ ҉߸Խ͞Ε͍ͯΔͱ౰વಡΊͳ͍ ▸ ҉߸ͷ࢖͍ํʹ͸͞΄Ͳେ͖ͳ໰୊͸ͳ͍

    →ਖ਼߈๏Ͱ͸೉͍͠ ▸ ࣮୺຤ʹղಡͤ͞Δͷ͕ྑ͍ɺ͕ ▸ ղಡπʔϧ͕App Storeʹ͋Δ…Θ͚ͳ͍ ▸ ղಡʹ͸jailbreak͕ඞਢ Image by lantzilla on flickr, CC-BY-NC-ND 2.0

  8. TEXT BREAKING OUT OF PRISON ▸ jailbreak ▸ ίʔυॺ໊ݕূػߏΛແޮԽ →Χʔωϧͷ੬ऑੑΛಥ͍ͯϑϥάΛԚછ

    ▸ checkm8: BootROMʹ͓͚Δuse-after-free →BootROMͳͷͰύονͰ͖ͳ͍ (<A12) ▸ checkra1n (12.x ..14.x) ▸ palera1n (15 .. 16.4, 15 .. 17.x) →2.0ܥ͔Βcheckra1nΛ಺෦తʹར༻ Image by Prab Bhatia Photography on flickr, CC-BY-NC-ND 2.0

  9. TEXT NOW UNLEASHED, WHERE TO GO? ▸ ର৅ͷΞϓϦΛղಡ͍ͨ͠ ▸ frida-ios-dump

    →ϝϞϦμϯϓ͠ΞϓϦΛ࠶ߏ੒ →frida͕ඞཁ ▸ frida: dynamic instrumentation framework! ▸ frida-serverΛattach ▸ APIݺͼग़͠ͷI/OͳͲࡉ෦͔Β੍ޚՄೳʹ Image by Mr. Littlehand on flickr, CC-BY-ND 2.0

  10. TEXT REVERSING ▸ Ghidra: Multi-arch disassembler (NSA) radare2: Binary analysis

    framework (pancake et al.) ▸ ؆୯ͷͨΊʹghidraΛ࢖༻ Image by Simon Rankin on flickr, CC-BY-NC-ND 2.0

  11. TEXT REVERSING TAKEAWAYS ▸ ղੳ analyzeHeadless ~/works/claude/t claude -preScript analysisopts_ios.py

    -import Payload/ Claude.app/Claude ▸ औΓग़͠ analyzeHeadless ~/works/claude/t claude -postScript out.py -process Claude -noanalysis → out.asm(※) ͕ੜ੒͞ΕΔͷͰrename ▸ ※out.asm͸out.py͕উखʹܾΊ͍ͯΔϑΝΠϧ໊ Image by Thomas_H_foto on flickr, CC-BY-ND 2.0

  12. TEXT NOW YOU ARE PIECES ▸ όΠφϦΛ౤ೖͯ͠ΞηϯϒϦΛճऩ ▸ ͋ͱ͸… ࣮ࡍͷղੳΛߦͳ͏

    Image by Thomas_H_foto on flickr, CC-BY-ND 2.0

  13. TEXT ANATOMY OF IOS APP ▸ iOSΞϓϦͷߏ଄ ▸ Info.plist: ϝλ৘ใ

    (_CodeSignature: ॺ໊) ▸ assets.car: Ϧιʔεྨ ▸ Frameworks: ϥΠϒϥϦྨ˞ ▸ (ΞϓϦ໊): Mach-O࣮ߦϑΝΠϧ˞

  14. TEXT INFO.PLIST: METADATA ▸ ϝλ৘ใ ▸ ΞϓϦ໊ ▸ ATS ▸

    bundle id ▸ ཁٻݖݶ ▸ URLεΩʔϜ etc.

  15. TEXT FRAMEWORKS ▸ ΞϓϦ͕࢖༻͢ΔϑϨʔϜϫʔΫ ▸ Mach-O dylib

  16. TEXT EXECUTABLES ▸ ΞϓϦຊମ ▸ Mach-O executable - ԟʑʹͯ͠େ͖͍ ▸

    ͞·͟·ͳϥΠϒϥϦ͕੩తϦϯΫ͞ΕΔͨΊ

  17. TEXT DISASSEMBLED CODE ▸ arm64-v8a (كʹarmv7s) ▸ OSʹObjC৭͕࢒͍ͬͯΔͷͰจࣈྻΛղܾͰ͖ ͯ͠·͑͹APIϨϕϧͷղੳ͸͠΍͍͢ ▸

    Swift͸ײ֮తʹC++ίʔυʹ͍ۙ name mangling: ॲཧܥͰdemangleͰ͖Δ͕… ىಈίετ͕ߴ͍ͷͰ޻෉͕ඞཁ ▸ AppleʹΑΔ৹͕ࠪ͋ΔͨΊ͔ɺཱͪೖͬͨ͜ͱ Λ͍ͯ͠Δίʔυ͸͋·ΓΈͳ͍…͸ͣʢʂʣ

  18. TEXT ARTIFACTS ▸ ݟΔ΂͖Օॴ ▸ API call ▸ File operation

    ▸ Network operation ▸ Re fl ection ▸ Dynamic code loading ▸ etc...

  19. TEXT ARTIFACTS: API CALL ▸ API call ▸ ObjC: objc_msgSend

    ▸ Swift: (mangled name)

  20. TEXT ARTIFACTS: FILE ACCESS ▸ API call ▸ NSFile, NSFileManager,

    etc. ▸ ϑΝΠϧΞΫηε

  21. TEXT ARTIFACTS: NETWORK ACCESS ▸ API call ▸ NSURLRequest, etc.

    ▸ ωοτϫʔΫΞΫηε; ஶ໊ͳϥΠϒϥϦ΁ͷݺ ग़͕͜͠Εʹ୅ΘΔ৔߹͕ԟʑʹͯ͋͠Δ (Alamo fi re, Moya, etc..)

  22. TEXT ARTIFACTS: REFLECTIONS ▸ API call ▸ classFromString, selectorFromString, etc.

    ▸ Ϋϥε΍ηϨΫλΛจࣈྻ͔Βੜ੒

  23. TEXT ARTIFACTS: DYNAMIC CODE LOADINGS ▸ API call ▸ dlsym

    etc. ▸ ϥΠϒϥϦͷϓϩγʔδϟΞυϨεΛऔಘ

  24. TEXT TS2-IOS: AUTOMATE THE ANALYSIS ▸ iOSΞϓϦղੳΛߦͳ͏trueseeing extension ▸ 2.2.5Ͱmain΁Ϛʔδͨ͠:

    ipa͕ղੳՄೳʹʂ ▸ API call, URL, dynamic code loading, syscall, re fl ection, jailbreak detection, debug probe, privacy concerns, obfuscations, assertions, logging, library imports, motion sensor, url scheme, ATS, permission, device requirements, device info probes, entitilements, copyright info, XOR ciphers, statically linked libraries ..

  25. TEXT TS2-IOS: AUTOMATE THE ANALYSIS ▸ dockerͷ৔߹ͳΒ wc Λ /ext/ios

    ͱͯ͠Ϛ΢ϯτ ͢Δ͚ͩ ▸ venvʹΠϯετʔϧ͍ͯ͠ΔͳΒpip ▸ ͜Ε͕ೖΔͱtrueseeingͰipaΛ։͚ΔΑ͏ʹ →͋ͱ͸as!;gt report.txtͱ͢Ε͹ऴΘΓ →HTMLͰग़͢ͳΒgh report.html ▸ disasm.tar.gzͱͯ͠ghidraͰdisasm͓ͯ͘͠ →ࠓͷͱ͜Ζ10.3ܥͷΈ

  26. TEXT INSIDE TS2-IOS ▸ ipaͷplistྨΛղಡɾ෼ੳ ▸ disasm.tar.gzͱͯ͠·ͱΊΒΕ͍ͯΔ disassembled codeΛಡΜͰಛ௃Λݕग़ ▸

    API callΛ෼ྨ ▸ Swift symbol demangling ▸ Ϋϥε໊ͷ઀಄ࣙΛநग़

  27. TEXT INSIDE TS2-IOS ▸ จࣈྻఆ਺ͷਪ࿦͸ghidra·͔ͤ ▸ จࣈྻఆ਺ͷ෼ੳΛ༗ޮʹ ▸ fi eld௕Λେ͖͘औΔ

    →લճݟͨΑ͏ͳܗͰpostscriptΛט·ͤΔ

  28. TEXT TS2-SWIFT-DEMANGLE ▸ ໊લ͕ͻͲ͍… ▸ swiftॲཧܥdemanglerΛAPIԽ →swiftॲཧܥͷىಈ͕஗͗͢ΔͨΊ… ▸ ts2ͱϦϯΫ͢Δ͚ͩ (--link

    ts2-swift-demangle)

  29. TEXT TS2-DISASM-GHIDRA ▸ ipa/apkΛ౉͢ͱghidraͰdisasm͢Δcontainer ▸ docker run --rm -v $(pwd):/out

    ts2-disasm- ghidra target.ipa → ͜Ε͚ͩͰdisasm.tar.gzΛ௚઀ੜ੒ ▸ streamingੜ੒: σΟεΫʹ༏͍͠ ▸ ͨͩແ஡ۤ஡࣌ؒ͸͔͔Δ

  30. TEXT CLAUDE: FINDINGS ▸ ͋·Γͳ͍…͕ ▸ ಈతίʔυϩʔυ ▸ Pasteboard΁ͷΞΫηε ▸

    cydiaͷݕग़ ▸ σόΠεϞσϧφϯόʔͷݕग़

  31. TEXT TAKEAWAYS ▸ iOSΞϓϦ෼ੳʹ͓͍ͯݟΔ΂͖Օॴ ▸ Info.plist: ϝλ৘ใ Frameworks: ϥΠϒϥϦྨ˞ (ΞϓϦ໊):

    Mach-O࣮ߦϑΝΠϧ˞ ▸ ObjC৭͕·ͩ·ͩڧ͍: call͕จࣈྻఆ਺Ͱग़ݱ ▸ Swift͸C++ʹ͍ۙҹ৅: demangling͕༗༻ ▸ ࠷৽։ൃಈ޲ͱϥΠϒϥϦͷ஌͕ࣝେࣄ

  32. TEXT TAKEAWAYS ▸ ໰୊ͳͷ͸jailbreak୺຤͔Βͷఠग़ ▸ trueseeingͱghidraͷ໠Җ ▸ disasmͯ͠͠·͑͹෼ੳ·ͰҰؾ௨؏ ▸ disasm͸͕͔͔࣌ؒΔ͕ࣗಈԽՄೳ

    (radare2Ͱ΋Ͱ͖Δͱ͍͍ͷ͕ͩ…) ▸ ͱ͍͏͜ͱͰͦΖͦΖiOS΁ਖ਼ࣜରԠ༧ఆ

  33. FIN. 29.10.2024 TAKAHIRO YOSHIMURA (@ALTERAKEY)