
In The Middle Of Chatter #2


A somewhat detailed dive into iOS application analysis methodology. (OWASP Saitama MTG #22, talk #1)

Takahiro Yoshimura

October 29, 2024

Transcript

  1. IN THE MIDDLE OF CHATTER 2
    OWASP SAITAMA MTG #22, TALK #1
    Image by quinn.anya on flickr, CC-BY-SA 2.0
  2. WHO I AM
    ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey
    ▸ Monolith Works Inc. Co-founder, CTO; Security researcher
    ▸ Visiting researcher, Cyber Security Institute, Meiji University
  3. WHAT I DO
    ▸ Security research and development
    ▸ iOS/Android apps → financial, games, IoT related, etc. (>200) → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
    ▸ Windows/Mac/Web/HTML5 apps → POS, RAD tools, etc.
    ▸ Network/Web penetration testing → PCI-DSS, etc.
    ▸ Search engine reconnaissance (aka Google Hacking)
    ▸ Whitebox testing
    ▸ Forensic analysis
  4. WHAT I DO
    ▸ CTF
    ▸ Enemy10, Sutegoma2
    ▸ METI CTFCJ 2012 Qual.: Won
    ▸ METI CTFCJ 2012: 3rd
    ▸ DEF CON 21 CTF: 6th
    ▸ DEF CON 22 OpenCTF: 4th
    ▸ Presentations and talks: DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020), etc.
    Image by Wiyre Media on flickr, CC-BY 2.0
  5. BACKGROUND
    ▸ Chat apps for LLMs (ChatGPT, GPT-4o, Claude, ...)
    ▸ How do these apps actually behave?
    ▸ Target: the iOS versions of the apps
    Image by focal5 on flickr, CC-BY-NC 2.0
  6. DEFEATING DRM
    ▸ The App Store encrypts and signs apps for distribution
    ▸ While encrypted, the binary naturally cannot be read
    ▸ The way the encryption is used has no major flaw → hard to attack head-on
    ▸ Best to let a real device do the decryption, but
    ▸ A decryption tool on the App Store? Of course not
    ▸ Decryption requires a jailbreak
    Image by lantzilla on flickr, CC-BY-NC-ND 2.0
  7. BREAKING OUT OF PRISON
    ▸ jailbreak
    ▸ Disables the code-signature verification mechanism → exploits a kernel vulnerability to taint the flags
    ▸ checkm8: use-after-free in the BootROM → unpatchable because it lives in the BootROM (<A12)
    ▸ checkra1n (12.x .. 14.x)
    ▸ palera1n (15 .. 16.4, 15 .. 17.x) → the 2.0 series uses checkra1n internally
    Image by Prab Bhatia Photography on flickr, CC-BY-NC-ND 2.0
  8. NOW UNLEASHED, WHERE TO GO?
    ▸ We want to decrypt the target app
    ▸ frida-ios-dump → dumps memory and reconstructs the app → requires frida
    ▸ frida: dynamic instrumentation framework!
    ▸ Attach frida-server
    ▸ Gives control down to fine details such as the I/O of API calls
    Image by Mr. Littlehand on flickr, CC-BY-ND 2.0
  9. REVERSING
    ▸ Ghidra: Multi-arch disassembler (NSA); radare2: Binary analysis framework (pancake et al.)
    ▸ Ghidra is used here for simplicity
    Image by Simon Rankin on flickr, CC-BY-NC-ND 2.0
  10. REVERSING TAKEAWAYS
    ▸ Analysis: analyzeHeadless ~/works/claude/t claude -preScript analysisopts_ios.py -import Payload/Claude.app/Claude
    ▸ Extraction: analyzeHeadless ~/works/claude/t claude -postScript out.py -process Claude -noanalysis → generates out.asm (※), so rename it
    ▸ ※ out.asm is simply the file name that out.py chooses on its own
    Image by Thomas_H_foto on flickr, CC-BY-ND 2.0
  11. ANATOMY OF IOS APP
    ▸ Structure of an iOS app
    ▸ Info.plist: metadata (_CodeSignature: signature)
    ▸ assets.car: resources
    ▸ Frameworks: libraries ※
    ▸ (app name): Mach-O executable ※
  12. INFO.PLIST: METADATA
    ▸ Metadata
    ▸ App name
    ▸ ATS
    ▸ bundle id
    ▸ Requested permissions
    ▸ URL schemes, etc.
  13. DISASSEMBLED CODE
    ▸ arm64-v8a (rarely armv7s)
    ▸ The OS still has a strong ObjC flavour, so once the strings are resolved, API-level analysis is easy
    ▸ Swift feels close to C++ code; name mangling: the toolchain can demangle it, but... its startup cost is high, so some ingenuity is needed
    ▸ Perhaps because of Apple's review, code that does anything too intrusive is rarely seen... supposedly (!)
  14. ARTIFACTS
    ▸ What to look at
    ▸ API call
    ▸ File operation
    ▸ Network operation
    ▸ Reflection
    ▸ Dynamic code loading
    ▸ etc...
  15. ARTIFACTS: NETWORK ACCESS
    ▸ API call
    ▸ NSURLRequest, etc.
    ▸ Network access; calls to well-known libraries often take its place (Alamofire, Moya, etc.)
  16. ARTIFACTS: DYNAMIC CODE LOADINGS
    ▸ API call
    ▸ dlsym etc.
    ▸ Obtains the address of a procedure in a library
  17. TS2-IOS: AUTOMATE THE ANALYSIS
    ▸ A trueseeing extension that performs iOS app analysis
    ▸ Merged into main in 2.2.5: ipa files can now be analysed!
    ▸ API call, URL, dynamic code loading, syscall, reflection, jailbreak detection, debug probe, privacy concerns, obfuscations, assertions, logging, library imports, motion sensor, url scheme, ATS, permission, device requirements, device info probes, entitlements, copyright info, XOR ciphers, statically linked libraries ..
  18. TS2-IOS: AUTOMATE THE ANALYSIS
    ▸ With docker, just mount wc as /ext/ios
    ▸ If installed in a venv, use pip
    ▸ Once this is in, trueseeing can open ipa files → then as!;gt report.txt finishes the job → for HTML output, gh report.html
    ▸ Disassemble with ghidra beforehand, as disasm.tar.gz → only the 10.3 series for now
  19. TS2-DISASM-GHIDRA
    ▸ A container that disassembles an ipa/apk with ghidra when you hand it one
    ▸ docker run --rm -v $(pwd):/out ts2-disasm-ghidra target.ipa → this alone produces disasm.tar.gz directly
    ▸ Streaming generation: easy on the disk
    ▸ But it takes an extremely long time
  20. TAKEAWAYS
    ▸ What to look at in iOS app analysis
    ▸ Info.plist: metadata; Frameworks: libraries ※; (app name): Mach-O executable ※
    ▸ The ObjC flavour is still strong: calls appear as string constants
    ▸ Swift feels close to C++: demangling is useful
    ▸ Knowledge of the latest development trends and libraries matters