Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
now there's one last thing I want to highlight in this slide. So as of right now, we've yet to determine if this application is written and swift or objective. C right?
00:09
Well, think about it. Those aren't even our two options. The application could be written as a hybrid application, which combines both languages. But by dumping the class headers, we know at least a has once with function. We know this when we see this funny looking declaration here.
00:25
This is what's known as name mangling the depths of what this is and why it's required is a video in its own right. But for our purposes, whenever we see a function
00:34
with a underscore capital T, we know it's a swift function, so let's just summarize so we don't get lost in the weeds here. So with the class tub program, we can dump the user and swift, define classes toe, look at or confirm the functioning of our program. In the image we use the classic dump A program, and we saw that a characteristic of this function
00:54
is handled open your l,
00:56
which we can then use to further our investigation. Okay, so let's go ahead and run our class dumb program on our binary. As you can see, I've got my hex keeps vm again ready to go. So just a quick note about class Dump their several versions on the Internet and some are all. Then they won't handle swift or hybrid applications Very well.
01:15
And so they crash. But I've got the latest version it should work with, at least giving us some information.
01:19
Now, I've gone ahead and renamed it Class Dump s because, of course, I know and be working with swift applications, But let's go ahead and run that now.
01:41
Okay, Well, Piper them more.
01:47
Okay, so we've got some structures that don't give us much information so we can bypass those.
01:53
Okay, Just a quick note here at protocol is the same way, too. In Stan, she ate an object, like at interfaces. Except there's some inheritance things that goes on behind the background. But don't worry about that right now. Just know that those air classes, too.
02:07
Okay, So, looking through this, this isn't It was very much information. What's next?
02:12
Okay, so we've got Are you on application? Delegate? This is basically are you y application This is how we interact with the application. And if you look at this list here, you have all these different methods on how the application interacts. So we could go ahead and look at all the documentation and see how those work. Is there anything interesting here that we haven't seen yet?
02:30
Nope. Nothing interesting. Let's kind of go
02:34
next. Okay. So we can confirm that the open your l and open you are on handle. Open your all those air two methods that we saw earlier. So we know that this application has your AL functionality. Okay, what's next? Well, there's something there I want to look at.
02:51
Okay. This you. Why've you Web delegate? This is an interesting one. This is an object that intervenes when web content is loaded. So we could go back to the apple documentation and look at that.
03:01
And as you can see here, this n s earl request object
03:07
that also has to do with Web request. So we can go and we can dig deeper into these requests and see what this application is doing with these. You are Els.
03:15
Now we come to the last to command line tools we're gonna take a look at the versus old tool. And the second is Aunt Em. Now, O'Toole, this is your command line. Suis army knife for apple binaries with old tool. You can do a lot of inspection of binaries libraries. You can look at how the program loads what architecture it runs on
03:35
what's in the various sections of the program and more.
03:37
So I definitely would encourage you to check out that man Paige. And with O'Toole, Dash L, we can list the dynamic libraries of the program. Basically, these air files which allow us to share code across processes and when we need them, this code is loaded dynamically at runtime with an M weaken display the symbols of binary.
03:57
Now, if you aren't sure what symbols are,
03:59
they're pointers toe functions, global variables in other different classes that could be present in other libraries. So we definitely want to be reviewing these symbols and libraries for other functionality of the program while consulting apple documentation.
04:13
Now I'm gonna take you through running O'Toole and nm briefly. We're gonna take a look at the output that each command gives us. So here we go. I've got my hex keeps of'em. It's ready to go, of course.
04:24
And the first target will use is tthe e dash capital l That will give us all of the library's listed in our
04:31
execute herbal.
04:38
Okay, so this gives us all the libraries and are executed ble. You can see by the list that we've got a few of them that we could possibly consult the apple documentation. We could get an idea of what they do based on their names. We've got some static paths.
04:54
This is a static path to the executed all. And then at this, our path here. This is a dynamic path. So we wouldn't know what path this is until the application actually gets loaded. Next, we could dump symbols similar to our class dump. And we do that with E o Capital V Target.
05:19
So this goes ahead and lists all the classes in our executed similar to what class dump did
05:26
and weaken again. Browse the list. Look Att Different. Interesting things that we want to go back and research. See what the functionality the program is. This gives you a little bit better of a list
05:35
I feel then class down But still,
05:39
both outputs are helpful.
05:46
Also, you can dump with symbols with O'Toole
05:50
has felt right. O'Toole Tash,
05:56
that's capital like Dash Capital V.
06:03
And this will give us all the symbols so we can go back and we can investigate symbols of our application.
06:11
Now, nm nm is gonna do something very similar. It's gonna dump the symbols. So nm
06:23
in here, we've got another list of symbol so we can go through and can look at the symbols and maybe identify once that are dangerous, like meme copy. So these air definitely tools that you can use during your static analysis your basic stack analysis to get an idea. Just figure out what things were doing. You can go back and you can kind of understand what the program is doing.
06:40
And you can conduct more analysis and more research
06:44
as you find new things.
06:45
The last thing will do during our basic static analysis process is we'll take our execute a ble and put it into a dis assembler. Okay, well, what's a disassemble? Er well, the disassembly is a software program that will take our binary. It'll translate into machine code called assembly code,
07:01
then we can search through it and take a look at how the program works on an assembly level.
07:06
Now, typically, dis assemblers are used for reverse engineering purposes or deep code analysis. But we can still get a lot of information that will help us during our analysis by looking at different strings, functions, classes, et cetera.
07:21
All right, so now that we know what dis assemblers are, let's just take our application and put it into a hopper and see what we get back. So as you can see, I've got my hex keeps of'em up and running.
07:32
Okay, so we'll get to our binary.
07:38
We'll throw it into the harbor.
07:42
Kenny, we're gonna pick art 64 s. That's the architecture were using,
07:48
and you can just go ahead and pick the defaults.
07:53
Okay, so our window here is divided into a couple different sections. Here we have our assembly view and then over on the left side, we have our labels are procedures and our strings. So very simply, the way that this could help with our analysis is we could just simply search things. So before we had the
08:13
you are el keywords, So we just go ahead and search you, Earl,
08:16
and see what we get back.
08:18
So I went ahead and search through all of the labels, functions and strings. And this is what I got for you or else. So now we can just go ahead and look at the different strings in our application. So we've got
08:33
in it with you. R l open your oral application handle. You are all things that we've seen before so we can use
08:39
the hopper, or I'd a pro as just a tool to look at strings, so that's incredibly helpful. The other thing that we can do is if we want to look at how general functions are displayed as we can go into our assembly view.
08:54
And the cool thing with the hopper is you can take a look at the diagram and see how the functions are laid out. You can also click inside a function, and you can look at the function on how it was assembled in a high level language.
09:09
So if we click that it's goes head and D compiles it, and it puts it into
09:13
code that you can look through. So, using Ida Pro or Hopper weaken again. Get a general idea of what the program is doing just by looking at strings and looking at labels and investigating the different code views and assembly views in the program.
09:30
Okay, so it's time for a lab exercise. So in this exercise, we're gonna be looking at a malicious application named mauer dot i p a. Now, using only basic static analysis techniques, answer the questions about the binary
09:43
feel free to use any tools, techniques You wish the questions they're here for you. And I've also provided you a hard copy in the supplemental materials. The file. Now where do I pee? A. It's located in the lab file's directory in the lab one folder.
09:56
Feel free to use any environment you wish. I've got the X capes of'em for you. Or if you've got your own Mac machine built, go ahead and use that as well

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes
Instructor