In this article I describe the difference between a process, a thread and a mutex.
When an .exe or other executable file is run, memory is allocated in RAM and the program's code and data are read from disk and written into it. While it runs, the program therefore exists in two places at once: in non-volatile storage (the file on disk) and in volatile memory (RAM). The in-memory "container" is called a process and can be inspected with tools such as Process Explorer or Process Hacker. Each process owns its own resources (handles, memory). If you run the same program twice, two processes are created: their code and data live at different physical addresses, yet each process sees the same virtual addresses, because every process gets its own private virtual address space (more on that in another article).
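To see the point about addresses concretely, here is an added demonstration (not part of the original article) that forks a second copy of a running Python program: the child reports the same virtual address for a buffer as the parent, yet its write to that buffer never shows up in the parent, because the two addresses are backed by different physical pages. It relies on os.fork() and so runs only on POSIX systems (Linux, macOS).

```python
import ctypes
import os
import struct

# Added demonstration (not from the original article): two processes running the
# same code see identical virtual addresses for their data, yet a write in one
# process is invisible to the other, because each process has its own physical
# pages behind those addresses. Uses os.fork(), so POSIX-only (Linux/macOS).

BUF_LEN = 16
CHILD_PAYLOAD = b"hello-child!"


def fork_and_compare(payload: bytes = b"hello-parent") -> dict:
    """Fork a child that overwrites a buffer; report what each side sees."""
    buf = ctypes.create_string_buffer(payload, BUF_LEN)
    parent_addr = ctypes.addressof(buf)

    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child process
        os.close(read_fd)
        # Same Python object, same virtual address as in the parent ...
        child_addr = ctypes.addressof(buf)
        # ... but this write lands on the child's private copy of the page.
        ctypes.memmove(child_addr, CHILD_PAYLOAD, len(CHILD_PAYLOAD))
        os.write(write_fd, struct.pack("<Q", child_addr) + buf.raw)
        os.close(write_fd)
        os._exit(0)

    # parent process: collect the child's report and reap it
    os.close(write_fd)
    want = 8 + BUF_LEN
    data = b""
    while len(data) < want:
        chunk = os.read(read_fd, want - len(data))
        if not chunk:
            break
        data += chunk
    os.close(read_fd)
    os.waitpid(pid, 0)

    (child_addr,) = struct.unpack("<Q", data[:8])
    child_view = data[8:8 + BUF_LEN]
    return {
        "same_virtual_address": child_addr == parent_addr,
        "parent_view": buf.raw,   # unchanged: the child's write never reached this process
        "child_view": child_view,
    }


if __name__ == "__main__":
    for k, v in fork_and_compare().items():
        print(f"{k}: {v}")
```

If you run it, both sides print the same address while the two views differ; that is the separation Process Explorer is showing you when two instances of one program appear as two processes.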
During forensic analysis it is not rare to run into a suspicious application. In this article I am going to learn how to reverse engineer iOS applications.
First, we need to get the IPA file from the device. There are different ways to do so (please refer to BTFM and RTFM). Here I am going to use the easiest one:
# on the jailbroken device: list installed bundle IDs, pick the target app and print its Bundle path
ipainstaller -i $(ipainstaller -l | grep -i lassen) | grep Bundle
# on the analysis machine: copy the whole bundle directory (scp needs -r for a directory)
scp -r root@[device_ip]:/path/to/Bundle/ .
Then open the Bundle folder on your PC and look for Info.plist. In it, look for any keys that start with NS and end with UsageDescription: these are the privacy-permission prompts (camera, microphone, contacts, location and so on) the app declares, and together they tell you what the app intends to access.
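As an added example (not the original author's code), the following script pulls exactly those keys out of an Info.plist with the standard library's plistlib. It works on a constructed sample plist so it runs offline; the bundle identifier, keys and strings in the sample are made up.

```python
import plistlib
import re

# Added example (not from the original article): parse an Info.plist and list the
# NS*UsageDescription keys that declare which protected resources the app asks for.
USAGE_KEY = re.compile(r"^NS\w+UsageDescription$")

# Constructed sample Info.plist (XML form) standing in for one pulled from a device.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.suspicious</string>
    <key>CFBundleExecutable</key>
    <string>Suspicious</string>
    <key>NSCameraUsageDescription</key>
    <string>We need the camera to scan documents.</string>
    <key>NSLocationAlwaysAndWhenInUseUsageDescription</key>
    <string>Used to show nearby offers.</string>
    <key>NSContactsUsageDescription</key>
    <string></string>
    <key>UIBackgroundModes</key>
    <array><string>location</string><string>fetch</string></array>
</dict>
</plist>
"""


def usage_descriptions(plist_bytes: bytes) -> dict:
    """Return {key: description} for every NS...UsageDescription entry."""
    info = plistlib.loads(plist_bytes)   # plistlib detects XML and binary plists
    return {k: v for k, v in info.items() if USAGE_KEY.match(k)}


def triage(plist_bytes: bytes) -> dict:
    """Summarise the permission surface of an app bundle from its Info.plist."""
    info = plistlib.loads(plist_bytes)
    usage = usage_descriptions(plist_bytes)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info.get("CFBundleExecutable"),
        "permissions": sorted(usage),
        # an empty rationale string is a review smell: the app asks but does not say why
        "missing_rationale": sorted(k for k, v in usage.items() if not str(v).strip()),
        "background_modes": info.get("UIBackgroundModes", []),
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_INFO_PLIST
    for k, v in triage(data).items():
        print(f"{k}: {v}")
```

Pass the path of the real Info.plist from the copied bundle as the first argument to run it against the app under analysis; with no argument it works on the constructed sample.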
>>> import ctypes
>>> a = 5
>>> address = id(a)
>>> address
4307917216
>>> ctypes.cast(address, ctypes.py_object).value
5
>>> a = 3
>>> ctypes.cast(address, ctypes.py_object).value
5
Similarly, whether or not you flag a UITextField as Secure Text Entry, it always returns its contents as a String or NSString, which are immutable, so the secret cannot be overwritten in place.
On the other hand, making the overwritten data observable outside the compiler's view (e.g., serializing it to a temp file) guarantees that the overwrite really happens, but obviously costs performance and maintainability. Prefer to overwrite critical objects with random data or with content taken from non-critical objects rather than with zeros: that makes it much harder to build a memory scanner that spots sensitive data by the way it is managed (a run of zeroes where a key used to be is itself a tell). This is only reliable in low-level languages, because compilers and just-in-time virtual machines may drop the overwrite as a dead store for performance reasons when their optimization passes see that the buffer is never read again after being overwritten.
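The Python REPL session above showed that rebinding a name leaves the old object untouched. This added example (mine, not from the article) carries that further: it reads a bytes object's payload directly from memory, shows the object cannot be modified, then wipes a bytearray in place with random bytes and confirms through ctypes that the backing store really changed. The payload offset id(b) + bytes.__basicsize__ - 1 is a CPython-layout assumption.

```python
import ctypes
import os

# Added example (not from the original article): in CPython, str and bytes are
# immutable, so a secret held in one cannot be wiped; a bytearray can be
# overwritten in place, and ctypes lets us confirm the backing store changed.
# The header offset below relies on CPython's object layout (an assumption).


def backing_store_of_bytes(b: bytes) -> bytes:
    """Read the raw characters of a bytes object straight from memory.
    bytes.__basicsize__ counts the header plus one byte of payload, so the
    payload starts at id(b) + __basicsize__ - 1 (CPython-specific)."""
    return ctypes.string_at(id(b) + bytes.__basicsize__ - 1, len(b))


def backing_store_of_bytearray(buf: bytearray) -> bytes:
    """Read a bytearray's current storage through the buffer protocol."""
    n = len(buf)
    if n == 0:
        return b""
    view = (ctypes.c_char * n).from_buffer(buf)   # no copy: points at buf's memory
    return ctypes.string_at(ctypes.addressof(view), n)


def wipe(buf: bytearray, random_fill: bool = True) -> None:
    """Overwrite every byte of buf in place.
    Random fill (as the text suggests) leaves no tell-tale block of zeroes;
    the slice assignment keeps the length, so no reallocation happens."""
    n = len(buf)
    buf[:] = os.urandom(n) if random_fill else bytes(n)


def demo(secret: bytes = b"correct horse battery staple") -> dict:
    """Contrast an immutable secret with a wipeable one."""
    results = {}

    # 1. bytes: the payload is readable from memory, and it cannot be changed.
    frozen = bytes(secret)
    results["bytes_readable"] = backing_store_of_bytes(frozen) == secret
    try:
        frozen[0] = 0          # type: ignore[index]
        results["bytes_mutable"] = True
    except TypeError:
        results["bytes_mutable"] = False
    # Rebinding the name would only create a new object; the old bytes stay in
    # memory until the allocator happens to reuse them, which we cannot control.

    # 2. bytearray: same payload, but we can destroy it on demand.
    live = bytearray(secret)
    results["bytearray_before"] = backing_store_of_bytearray(live) == secret
    wipe(live)
    after = backing_store_of_bytearray(live)
    results["bytearray_wiped"] = after != secret and len(after) == len(secret)
    results["no_zero_tell"] = after != bytes(len(secret))   # random fill, not a zero block
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Even the bytearray route is only as good as the copies you did not make: any str or bytes the secret passed through on its way in (a decoded form field, a log message, a temporary concatenation) is a separate immutable object that this wipe does not touch.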
To list the strings in radare2, select the strings flag space and list its flags (fs strings, then f), or dump them straight from the binary with rabin2 -zz. To find where a string of interest is used, ask for cross-references to its flag:
axt @ str.blahblah

This one I had to do when applying for a job a while ago. I knew nothing about reverse engineering at that time, and I knew little about assembly. That was the time when I found out about crackmes.
Any cracking career is supposed to start with solving simple crackmes. I haven't been doing it all the time, but I've solved several of them, from the simplest to a very hard one that required some math knowledge 😬. This allowed me to craft some sort of algorithm I would like to share.
To read