
Reverse

How I Got Started With ARM

📆 Friday, 12th of March, 202

09:00

☀️ It was a very deceptively sunny morning, children laughing and squeaking merrily. When I closed my eyes I could almost believe it was late spring or summer… And my soul was filling with joy and inspiration. But unfortunately the temperature was too low (-10 ❄️ ⛄️ if you believe Yandex) and going for an outside working day was impossible 😔.

I am finishing my cup of coffee ☕️, my husband is working in the adjacent room and my daughter is playing with her new toys.

Positive and Negative Numbers

Intro

One’s complement

Two complement

iOS Reverse Engineering

During forensic analysis it’s not too rare to run into some suspicious application. In this article I’m going to learn to reverse engineer iOS applications.

Analysis flow

First, we need to get the IPA file from the device. There are different ways to do so (please refer to BTFM and RTFM). Here I'm going to use the easiest one:

ipainstaller -i $(ipainstaller -l | grep -i lassen) | grep Bundle
scp -r root@[device_ip]:/path/to/Bundle/ .

Then open the Bundle folder on the PC and look for Info.plist. Let's find any strings that start with NS and end with UsageDescription: these are the privacy usage descriptions that declare which sensitive resources (camera, location, contacts and so on) the app asks permission for.

Reference vs Value


Mutable vs Immutable

>>> import ctypes
>>> a = 5
>>> address = id(a)
>>> address
4307917216
>>> ctypes.cast(address, ctypes.py_object).value
5
>>> a = 3
>>> ctypes.cast(address, ctypes.py_object).value
5

Similarly, regardless of whether you flag some UITextField as Secure Text Entry or not, it always returns data in the form of a String or NSString.

On the other hand, using the overwritten data outside the compiler's scope (e.g., serializing it to a temp file) guarantees that it will really be overwritten, but obviously impacts performance and maintenance. You should try to overwrite critical objects with random data or with content from non-critical objects. This makes it really difficult to build scanners that identify sensitive data by the way it is managed. This can only be done in low-level languages, because compilers and just-in-time virtual machines will drop those writes for performance reasons if their optimization routines detect that the buffer is no longer used after being overwritten.

Alloc8

So, there are some prerequisites one needs in order to understand this exploit: what BootROM, NOR, malloc(), NULL and the heap are.

About BootROM you can read here. Briefly speaking, it's Read Only Memory (thus ROM, not to be confused with RAM, Random Access Memory, which refers to the chip whose contents are lost as soon as the power is off). ROM means that this part of the device cannot be modified in any way once it has been produced: neither by the user nor by the manufacturer himself. Mobile devices use ROM to store the first stage of the CPU boot process.

Buffer Overflow

Calling 🤙 Conventions in x86

In this article I’m giving an overview of different calling conventions with examples.

Intro

Consider the following code snippet:

int mysteriousFunction(int a, int b)
{
  return a + b; /* the original had a stray undeclared c; the assembly below adds only a and b */
}

int main(void)
{
  /* the above function is called like this */
  mysteriousFunction(2, 4);
  return 0;
}

Let's see the assembly code for each calling convention.

CDECL

The assembly output would be this:

_mysteriousFunction:
push ebp              ; save the caller's frame pointer
mov ebp, esp          ; set up our own frame
mov eax, [ebp + 8]    ; first argument (a)
mov edx, [ebp + 12]   ; second argument (b)
add eax, edx          ; eax = a + b
pop ebp               ; restore the caller's frame pointer
ret

and

;main function
push 4 ; the second argument is pushed first
push 2 ; the first argument is pushed second
call _mysteriousFunction
add esp, 8 ; the caller removes the two arguments from the stack

As is clearly seen from the above snippet, the arguments to the function are placed on the stack in reverse order by means of the PUSH instruction. Observe the code of _mysteriousFunction: the values are added into eax, but nothing seems to be returned explicitly, just ret. That's because this calling convention passes the return value in the eax register by default.

Checkm8

https://belkasoft.com/checkm8_glossary
https://belkasoft.com/checkm8-troubleshooting
https://belkasoft.com/checkm8

Flags

CF

Its full name is the carry flag. Its main purpose is to signal that the result of an operation is too large to fit in the register size. For example, the registers are 32 bits wide, but if we add 0xFFFF

ZF

OF