who am i
play

Who Am I An Economist and MBA. Computer enthusiast for the past 30 - PowerPoint PPT Presentation

Mar 23, 2024 •223 likes •1.11k views

Who Am I An Economist and MBA. Computer enthusiast for the past 30 years. Someone who worked at one of the worlds best ATM networks, the Portuguese Multibanco. A natural-born reverser and assembler of all kinds of

  2. Who Am I § An Economist and MBA. § Computer enthusiast for the past 30 years. § Someone who worked at one of the world’s best ATM networks, the Portuguese Multibanco. § A natural-born reverser and assembler of all kinds of things, not just bits & bytes.

  3. Introduction § This presentation main goal is to allow you to make an easier transition into OS X reverse engineering world. § I assume you already have some RE experience in other platforms, Windows or Unix. § Many details are either minimal or omitted!

  4. Summary § Reversing in OS X - what’s different. § Tools overview. § Anatomy of a debugger. § Anti-debugging. § Code injection. § Swizzling. § Other tips & tricks. § Reversing a crackme. § Final remarks.

  5. Reversing in OS X - what’s different § Applications exist in bundle folders. § These contain the application binary and other resources, such as: – Frameworks. – Language files. – Graphics, sounds, etc. – Code signatures, if applicable. – Application properties file, Info.plist.

  6. Reversing in OS X - what’s different

  7. Reversing in OS X - what’s different

  8. Reversing in OS X - what’s different § The Info.plist contains useful information about the target application. § For example, the CFBundleExecutable key gives you the name of the main executable. § MacOS folder can contain more than one binary. § I use it to collect some statistics about Mach-O binaries and also to find which binary to infect in my PoC virus.

  9. Reversing in OS X - what’s different

  10. Reversing in OS X - what’s different § Mach-O file format. § Very simple! § One header, with magic values 0xFEEDFACE (32bits) and 0xFEEDFACF (64bits). § Followed by load commands and sections. § And then data.

  11. Reversing in OS X - what’s different

  12. Reversing in OS X - what’s different § Code is located in __TEXT segment and __text section. § Linked libraries in LC_LOAD_DYLIB commands. § The entrypoint is defined at LC_UNIXTHREAD or LC_THREAD. § Structs described at /usr/ include/mach-o/loader.h.

  13. Reversing in OS X - what’s different § Fat archive: § Allows to store different architectures inside a single “binary”. § Magic value is 0xCAFEBABE. § Fat archive related structures are always big-endian! § The “lipo” command allows you to extract a specific arch.

  14. Reversing in OS X - what’s different Syntax: lipo –thin [architecture] –output [output_file_name] fat_archive

  15. Reversing in OS X - what’s different § Objective-C. § An extension to C language that enables objects to be created and manipulated. § Rich set of frameworks: Cocoa, Cocoa Touch(iOS). § Syntax of methods: § [object message:arguments] § [object message]

  16. Reversing in OS X - what’s different § What happens on execution? § There are no “traditional” calls to functions or methods. § Instead, messages go thru the objc_msgSend function. § id objc_msgSend(id theReceiver, SEL theSelector, ...) § There are three more message functions, but objc_msgSend is the most common. § Check Objective-C Runtime Reference documentation. § Also nemo’s article at Phrack #66.

  17. Reversing in OS X - what’s different

  18. Reversing in OS X - what’s different § Those messages can be traced: § With GDB. § With DTrace. § Nemo’s article has sample code for the above solutions. § The GDB version works great in iOS. § Set NSObjCMessageLoggingEnabled environment variable to YES and messages will be logged to /tmp/msgSends-pid. § More info at Technical Note TN2124 – Mac OS X Debugging Magic.

  19. Tools overview § Quality, quantity, and number of features of tools lags a lot versus the Windows world. § Especially in GUI applications. § This is slowly improving with increased interest in this platform. § Download Apple’s command line tools for Xcode or the whole Xcode. (https://developer.apple.com/downloads/ , requires free Apple ID).

  20. Tools overview - Debuggers § GDB. § IDA. § PyDBG/PyDBG64. § Radare. § LLDB. § Hopper. § Forget about GNU GDB 7.x !

  21. Tools overview - Debuggers § GDB is my favourite. § Apple forked it at 6.x - stopped in time. § Lots of bugs, missing features - LLDB is the new thing. § But, it does the job! § Use my patches ( http://reverse.put.as/patches/ ). § And gdbinit, to have that retro Softice look & features ( http://reverse.put.as/gdbinit/ ). § Please read the header of gdbinit!

  22. Tools overview - Debuggers

  23. Tools overview – GDB commands § Add software breakpoints with “b, tb, bp, bpt”. § Add hardware breakpoints with “hb, thb, bhb, bht”. § To breakpoint on memory location you must add the * before address. Example: b *0x1000. § Step thru code with “next(n), nexti(ni), step, stepi”. § Step over calls with “stepo, stepoh”. § Change flags register with “cf*” commands. § Evaluate and print memory with “x” and “print”.

  24. Tools overview – GDB commands § Print Object-C objects with “po”. § Modify memory with “set”. § Register: set $eax = 0x31337. § Memory: set *(int*)0x1000 = 0x31337. § Assemble instructions using “asm”. § Dump memory with dump commands (“dump memory” is probably the one you will use often). § Find about all gdbinit commands with “help user”.

  25. Tools overview - Disassemblers § Otool, with –tV option. The objdump equivalent. § OTX – enhanced otool output (AT&T syntax). § IDA – native version so no more Windows VM. § Hopper – the new kid on the block, actively developed, very cheap, includes a decompiler. § Home-made disassembler using Distorm3 or any other disassembler library (udis86, libdasm also work well).

  26. Tools overview – Other tools § MachOView – great visual replacement for otool –l. § Hex-editors: 0xED, Hex Fiend, 010 Editor, etc. § nm – displays symbols list. § vmmap – display virtual memory map of a process. § DTrace. Check [9] for some useful scripts. § File system usage: fs_usage.

  27. Tools overview – Class-dump § Allows you to examine the available Objective-C information. § Generates the declarations for the classes, categories and protocols. § Useful to understand the internals and design of Objective-C apps. § Used a lot by the iOS jailbreak community.

  28. Tools overview – Class-dump

  29. Mach tasks and threads § Explaining the whole Mac OS X architecture would require a whole presentation. § Others did it before, please check [20] and [21]. § For now we just need one concept. § Unix process abstraction is split into tasks and threads. § Tasks contain the resources and do not execute code. § Threads execute within a task and share its resources. § A BSD process has a one-to-one mapping with a Mach task.

  30. Anatomy of a debugger § OS X ptrace implementation is incomplete (and useless). § Mach exceptions are the solution. § Each task has three levels of exception ports: thread, task, host. § Exceptions are converted to messages and sent to those ports. § Messages are received and processed by the exception handler.

  31. Anatomy of a debugger § The exception handler can be located in another task, usually a debugger. § Or another thread in the same task. § Kernel expects a reply message with success or failure. § Messages are first delivered to the most specific port. § Detailed information on Chapter 9.7 of Mac OS X Internals.

  32. Anatomy of a debugger

  33. Anatomy of a debugger § By default, the thread exception ports are set to null and task exception ports are inherited during fork(). § We need access to the task port. § Not a problem if debugging from the same task: mach_task_self(). § Higher privileges required (root or procmod group) if from another task: task_for_pid().

  34. Anti-debugging – “Old school” § ptrace(PT_DENY_ATTACH, …). § Ok, that was a joke. This is useless! § Just breakpoint on ptrace() or use a kernel module. ¡

  35. Anti-debugging – “Old school” § AmIBeingDebugged() from Apple’s Technote QA1361. § Calls sysctl() and verifies if P_TRACED flag is set in proc structure. § Breakpoint sysctl() and modify the result or use a kernel module.

  36. Anti-debugging - #1 § Remember, debuggers “listen” on the exception ports. § We can verify if that port is set. § Use task_get_exception_ports(). § GDB uses a mask of EXC_MASK_ALL and a flavour of THREAD_STATE_NONE. § Iterate thru all the ports and verify if port is different than NULL. § Do something (nasty) J .

  37. Anti-debugging - #1

  38. Anti-debugging - #2 § Check for GDB breakpoint. § GDB is notified by dyld when new images are added to the process. § This is what allows the GDB “stop-on-solib-events” trick that I used to get into Pace’s protection. § Symbol name is _dyld_all_image_info.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GDB Tutorial A Walkthrough with Examples CMSC 212 - Spring 2009 Last modified March 22, 2009

GDB Tutorial A Walkthrough with Examples CMSC 212 - Spring 2009 Last modified March 22, 2009

GDB Tutorial A Walkthrough with Examples CMSC 212 - Spring 2009 Last modified March 22, 2009 GDB Tutorial What is gdb ? GNU Debugger A debugger for several languages, including C and C++ It allows you to inspect what the program is doing

474 views • 35 slides
ORGANIZATION CHART 2012 Amm. Delegato - C.E.O. Marisa Giaiotto Administration & Secretary

ORGANIZATION CHART 2012 Amm. Delegato - C.E.O. Marisa Giaiotto Administration & Secretary

ORGANIZATION CHART 2012 Amm. Delegato - C.E.O. Marisa Giaiotto Administration & Secretary s Off. Human Resources (GM, GD) (GM) Purchasing Department Project Management Department Engineering Department Sales Department Purchasing

676 views • 35 slides
1HFY2017 Results CS LOXINFO PLC. 1HF2017 Overall results (Consolidated): MB One Sto Stop ICT Se

1HFY2017 Results CS LOXINFO PLC. 1HF2017 Overall results (Consolidated): MB One Sto Stop ICT Se

One S ne Stop I top ICT CT Ser ervice ice 1HFY2017 Results CS LOXINFO PLC. 1HF2017 Overall results (Consolidated): MB One Sto Stop ICT Se T Servi rvice -3% YoY -6% YoY 1HF17 Consolidated Profit decreased from 1HF16 due to the restructuring

139 views • 11 slides
Improvement of ESP Effjciency using Computational Fluid Dynamics (CFD) BHEL - Perspective

Improvement of ESP Effjciency using Computational Fluid Dynamics (CFD) BHEL - Perspective

Improvement of ESP Effjciency using Computational Fluid Dynamics (CFD) BHEL - Perspective REQUIREMENT FOR CFD Rapid Innovation for the new Products To market quickly To make a better decision for an existing products To achieve

503 views • 24 slides
Programming assignment 1 walkthrough Tao PA 1 walkthrough: Part I VirtualBox Install

Programming assignment 1 walkthrough Tao PA 1 walkthrough: Part I VirtualBox Install

Programming assignment 1 walkthrough Tao PA 1 walkthrough: Part I VirtualBox Install Ubuntu OS install Package install Dependencies OS161, SYS161 OS161, SYS161 ?? SYS161: system architecture OS161: operating system

503 views • 11 slides
GDB CIM overview CIMug Ljubljana 2018 June 6 th 2018 Matija Gruden About GDB Leading

GDB CIM overview CIMug Ljubljana 2018 June 6 th 2018 Matija Gruden About GDB Leading

GDB CIM overview CIMug Ljubljana 2018 June 6 th 2018 Matija Gruden About GDB Leading regional provider of IT solutions, consulting and other services for electric power transmission and distribution companies 11 years in existence,

280 views • 9 slides
Software Debugging: Past, Present, and Future Alessandro (Alex) Orso School of Computer

Software Debugging: Past, Present, and Future Alessandro (Alex) Orso School of Computer

Software Debugging: Past, Present, and Future Alessandro (Alex) Orso School of Computer Science College of Computing Georgia Institute of Technology http://www.cc.gatech.edu/~orso/ Partially supported by : NSF, Google, IBM, and MSR

1.46k views • 108 slides
S9751: ACCELERATE YOUR CUDA DEVELOPMENT WITH LATEST DEBUGGING AND CODE ANALYSIS DEVELOPER TOOLS

S9751: ACCELERATE YOUR CUDA DEVELOPMENT WITH LATEST DEBUGGING AND CODE ANALYSIS DEVELOPER TOOLS

S9751: ACCELERATE YOUR CUDA DEVELOPMENT WITH LATEST DEBUGGING AND CODE ANALYSIS DEVELOPER TOOLS Aurelien Chartier & Steve Ulrich, March 19 th , 2019 Debugging Tools Nsight Eclipse Edition CUDA GDB Nsight Visual Studio Steve Ulrich CUDA

890 views • 36 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
radare2 22 y/o french expat @ Luxembourg Food, Travel and Languages <3 I hate

radare2 22 y/o french expat @ Luxembourg Food, Travel and Languages <3 I hate

Maxime Morin (@Maijin212), Anton Kochkov (@akochkov) First r2babies steps - Long Version August 13, 2015 ISSA South Africa radare2 22 y/o french expat @ Luxembourg Food, Travel and Languages <3 I hate Bullshit Malware.lu

1.4k views • 68 slides
Dynamic Data Excavation or: Gimme back my symbol table! Asia Slowinska Traian Stancescu

Dynamic Data Excavation or: Gimme back my symbol table! Asia Slowinska Traian Stancescu

Dynamic Data Excavation or: Gimme back my symbol table! Asia Slowinska Traian Stancescu Herbert Bos VU University Amsterdam Compilation is pseudo-unbreakable code irreversibility assumption Compilation is pseudo-unbreakable code

808 views • 59 slides
In Ken enya Presented by: Le Leonar ard d Mabel ele th June 26 26 th e 2020 TV White

In Ken enya Presented by: Le Leonar ard d Mabel ele th June 26 26 th e 2020 TV White

Impleme menta ntation tion of TVWS In Ken enya Presented by: Le Leonar ard d Mabel ele th June 26 26 th e 2020 TV White Spaces Opportunity in Kenya A large percentage of the rural counties of Kenya is underserved in terms of

655 views • 11 slides
Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0

Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0

Scalable Post-Mortem Debugging Abel Mathew CEO - Backtrace amathew@backtrace.io @nullisnt0 Debugging or Sleeping? Debugging Debugging: examining (program state, design, code, output) to identify and remove errors from software.

464 views • 31 slides
GFAL 2.0 Devresse Adrien CERN lcgutil team lcgutil-support@cern.ch What is GFAL 2.0 ? One

GFAL 2.0 Devresse Adrien CERN lcgutil team lcgutil-support@cern.ch What is GFAL 2.0 ? One

GFAL 2.0 Devresse Adrien CERN lcgutil team lcgutil-support@cern.ch What is GFAL 2.0 ? One and only one Toolkit for all the Grid and Cloud data operations : Client data access : support for all common protocols support for all

800 views • 25 slides
Performance Evaluation in Theia Compass Herv KABAMBA Michel Dagenais December 9, 2019

Performance Evaluation in Theia Compass Herv KABAMBA Michel Dagenais December 9, 2019

Performance Evaluation in Theia Compass Herv KABAMBA Michel Dagenais December 9, 2019 Polytechnique Montral Laboratoire DORSAL Agenda Introduction Ongoing work Objectives Expectations POLYTECHNIQUE MONTREAL Herv Kabamba 2

262 views • 10 slides
X(cross) Development System make AGL application development easier July 2017 Sbastien

X(cross) Development System make AGL application development easier July 2017 Sbastien

X(cross) Development System make AGL application development easier July 2017 Sbastien Douheret sebastien.douheret@iot.bzh IoT.bzh Located in France - Brittany ( Vannes / Lorient / Rennes ) People background: 40% coming from

1.16k views • 18 slides
Michael Q. Jones & Matt B. Pedersen University of Nevada Las Vegas The Distributed

Michael Q. Jones & Matt B. Pedersen University of Nevada Las Vegas The Distributed

Michael Q. Jones & Matt B. Pedersen University of Nevada Las Vegas The Distributed Application Debugger is a debugging tool for parallel programs Targets the MPI platform Runs remotley even on private networks Has

721 views • 35 slides
Overview of FY20 Certified Budget for the Commonwealth of Puerto Rico July 1, 2019 1. Executive

Overview of FY20 Certified Budget for the Commonwealth of Puerto Rico July 1, 2019 1. Executive

Overview of FY20 Certified Budget for the Commonwealth of Puerto Rico July 1, 2019 1. Executive summary 2 FY20 certified budget highlights Budget continues the trend of spending within the Governments means in a transparent and prioritized

172 views • 13 slides
Distributed, virtual and real debugging of a MIPS SoC Martin Strubel section5.ch 02/2013

Distributed, virtual and real debugging of a MIPS SoC Martin Strubel section5.ch 02/2013

Distributed, virtual and real debugging of a MIPS SoC Martin Strubel section5.ch Distributed, virtual and real debugging of a MIPS SoC Martin Strubel section5.ch 02/2013 Distributed, Flight plan virtual and real debugging of a MIPS

823 views • 29 slides
The Hello World GCC Front End Rafael Gustavo Sverzut Barbieri Avila de Esp ndola GPSL -

The Hello World GCC Front End Rafael Gustavo Sverzut Barbieri Avila de Esp ndola GPSL -

The Hello World GCC Front End Rafael Gustavo Sverzut Barbieri Avila de Esp ndola GPSL - UNICAMP 27 de abril de 2006 1 Setup 2 The Dummy Program 3 Compiling and Testing 4 An Empty Main 5 Hello World 6 Compiler Driver 7 Adding an Option 8

587 views • 46 slides
Container-based virtualization Process-level Extensively used in Lightweight virtualization

Container-based virtualization Process-level Extensively used in Lightweight virtualization

C NTR Lightweight OS Containers Jrg Thalheim, Pramod Bhatotia Pedro Fonseca Baris Kasikci USENIX ATC 2018 Container-based virtualization Process-level Extensively used in Lightweight virtualization production isolation Namespaces

250 views • 22 slides
Neo4j and graph databases Presented By: Stephanie McIntyre Graph Databases: The Database Model

Neo4j and graph databases Presented By: Stephanie McIntyre Graph Databases: The Database Model

Neo4j and graph databases Presented By: Stephanie McIntyre Graph Databases: The Database Model The Database Model determines the logical structure . Graph databases (GDB) have the following characteristics: Data & Schema are represented by

526 views • 8 slides
Outline Background 1 Xeon Phi Architecture 2 Programming Xeon Phi TM 3 Native Mode Offload

Outline Background 1 Xeon Phi Architecture 2 Programming Xeon Phi TM 3 Native Mode Offload

Xeon Phi TM Programming Intel R An Overview Anup Zope Mississippi State University 20 March 2018 Xeon Phi TM Programming Intel R Anup Zope (Mississippi State University) 20 March 2018 1 / 46 Outline Background 1 Xeon Phi

1.1k views • 46 slides
Investor Presentation Second Quarter 2016 Forward Looking Statements This presentation

Investor Presentation Second Quarter 2016 Forward Looking Statements This presentation

Investor Presentation Second Quarter 2016 Forward Looking Statements This presentation contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These forward- looking statements are based

530 views • 20 slides

More recommend