Upgrade to Pro — share decks privately, control downloads, hide ads and more …

FRAPL - Next Generation Reverse Engineering Framework

Max Bazaliy
November 04, 2016
Technology
3
340

FRAPL - Next Generation Reverse Engineering Framework

Ruxcon 2016, Melbourne, Australia

Max Bazaliy

November 04, 2016
Tweet

More Decks by Max Bazaliy

See All by Max Bazaliy
Jailbreaking Apple Watch
mbazaliy
3
3.9k
Jailbreaking Apple Watch
mbazaliy
4
25k
Fried Apples: Jailbreak DIY
mbazaliy
1
2.6k
Pegasus Internals
mbazaliy
4
3.4k
Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks
mbazaliy
1
370
A Journey Through Exploit Mitigation Techniques on iOS
mbazaliy
2
1.7k
Securing iOS applications
mbazaliy
8
1.4k
Reverse Engineering iOS apps. Lessons learned.
mbazaliy
21
2.5k

Other Decks in Technology

See All in Technology
アフリカの通信・教育問題をNTN×Edtechで解決!
sbtechnight
PRO
0
360
Spring Boot 3.0へのアップデートのハマり所 / Findings in Migrating our Application to Spring Boot 3.0
line_developers
PRO
4
380
マネジメント3.0モデル入門(120分版)
takufujii
11
2.7k
NIST SP800-63-4 IPD 63A: Identity Proofing 概要紹介
kthrtty
0
390
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
230
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
0
290
最先端の質問応答技術の研究開発と迅速な実用化ーStudio Ousiaでの取り組みー
ikuyamada
2
420
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
200
量子コンピュータ時代のプログラミングセミナー / 20230316_Amplify_seminar _route_planning_optimization
fixstars
0
140
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.4k
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
10
2.4k
Pwning Old WebKit for Fun and Profit
hhc0null
0
330

Featured

See All Featured
Done Done
chrislema
178
15k
We Have a Design System, Now What?
morganepeng
37
6k
Scaling GitHub
holman
453
140k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Principles of Awesome APIs and How to Build Them.
keavy
117
16k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
7.2k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Why Our Code Smells
bkeepers
PRO
326
55k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k

Transcript

  1. October 22-23, 2016
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    FRAPL
    Max Bazaliy
    Next Generation
    Reverse Engineering Framework
    Alex Hude

    View Slide

  2. October 22-23, 2016
    Who we are 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Alex Hude
    o Melbourne, Australia
    o BlackmagicDesign
    o Hardware, XNU
    o Fried Apple team
    Max Bazaliy
    o Kyiv, Ukraine
    o Lookout
    o XNU, Linux, LLVM
    o Fried Apple team

    View Slide

  3. October 22-23, 2016
    Modern Reverse Engineering 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    Static approach
    o Disassemblers
    o Code analyzers
    o Decompilers
    o IDA as a choice
    Dynamic approach
    o Debuggers
    o Dynamic analyzers
    o Code instrumentation
    o Frida as a choice

    View Slide

  4. October 22-23, 2016
    Static analysis challenges 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    o Missed context (CPU registers, stack, memory)
    o Hard to follow code execution flow (obfuscation)
    o Hard to follow data flow (encryption)
    o Hard to follow indirect function calls

    View Slide

  5. October 22-23, 2016
    Debugging challenges 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    o Anti debugging tricks
    o Data loss during restarts
    o Execution flow may be changed under debugging
    o No way to hook/replace existing code easily

    View Slide

  6. October 22-23, 2016
    Dynamic instrumentation challenges 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    o Code disassembly still missed
    o High learning curve
    o Usually requires to write a lot of code
    o Hard to maintain multiple things at a time

    View Slide

  7. October 22-23, 2016
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View Slide

  8. October 22-23, 2016
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View Slide

  9. October 22-23, 2016
    What is FRAPL ? 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    FRAPL
    =
    Fridascripts + FridaLink

    View Slide

  10. October 22-23, 2016
    Frida Scripts 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    o Node.jsclient (attach, spawn, RPC, script loading)
    o Node.jsserver script (RPC, GCD, iOS/macOSbindings)
    o Common operations wrappers (objchooks etc)
    o Utility functions (memory dumps, logging)

    View Slide

  11. October 22-23, 2016
    FridaLink 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    o IDA plugin that implements UI controls to Frida
    o Socket protocol between IDA & Frida Client (JSON)
    o RPC protocol for between Frida Client & Server (JSON)
    o FridaLink.js(Frida script)

    View Slide

  12. October 22-23, 2016
    FridaLinkarchitecture 1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    View Slide

  13. October 22-23, 2016
    FridaLinkgoals 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    o Bring static analysis info from IDA to Frida
    o Use dynamic info from Frida for IDA analysis
    o Monitor runtime state directly from IDA
    o Control Frida agent directly from IDA

    View Slide

  14. October 22-23, 2016
    FridaLinkfeatures 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    o Function/instruction hooks made easy
    o Function replacement made easy
    o Module loading made easy
    o Custom scripts support

    View Slide

  15. October 22-23, 2016
    FridaLinkfeatures 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    o CPU context monitoring
    o Memory monitoring
    o SQLite database support
    o Helpers and project save/restore

    View Slide

  16. October 22-23, 2016
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23

    View Slide

  17. October 22-23, 2016
    FridaLink-Overall View 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23

    View Slide

  18. October 22-23, 2016
    FridaLink–Hooks 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    o Instruction hooks
    o Instruction breakpoints (hook with wait)
    o IDB (local) function hooks
    o Import function hooks

    View Slide

  19. October 22-23, 2016
    FridaLink–Function Replacement 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    Replace Import function
    Replace local function

    View Slide

  20. October 22-23, 2016
    FridaLink–Module Loading 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    o Automatic (on backtrace)
    o Manual

    View Slide

  21. October 22-23, 2016
    FridaLink–Custom Scripts 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    Execute custom script dialog

    View Slide

  22. October 22-23, 2016
    FridaLink–CPU Context Monitoring 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    CPU context
    Stack
    Backtrace

    View Slide

  23. October 22-23, 2016
    FridaLink–Memory Monitoring 13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    Memory content
    Add new memory watchpoint
    Memory manger

    View Slide

  24. October 22-23, 2016
    FridaLink–SQLite Support 24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    Set up DB Query execution
    Load script

    View Slide

  25. October 22-23, 2016
    FridaLink–Helpers and more 24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    Address converter
    FRAPL logs

    View Slide

  26. October 22-23, 2016
    Getting Started 24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    1. Load FridaLink.pyinto IDA
    2. Create project using create_project.sh
    3. Run client with node

    View Slide

  27. October 22-23, 2016
    macOSApplication Demo 24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34

    View Slide

  28. October 22-23, 2016
    iOS Application Demo 24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34

    View Slide

  29. October 22-23, 2016
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34

    View Slide

  30. October 22-23, 2016
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    eta son
    https://github.com/FriedAppleTeam

    View Slide

  31. October 22-23, 2016
    Future plans 24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    o Kernel support
    o Windows support ?
    o Android support ?
    o Hack the planet!

    View Slide

  32. October 22-23, 2016
    @getorix
    @mbazaliy
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    special thanks to
    @in7egral
    Questions

    View Slide