Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
in this example will take a look at the weather app and make a modification to the label on the view controller. And then we'll make an alert message displaying the springboard. First, I'm going to log into my iPhone and then we'll inject our script framework into the weather application. So let me log in.
00:16
Mrs H.
00:18
Route
00:22
Local host.
00:32
Okay, so we're in there. Let's clear the screen.
00:37
So then what we want to do is launch this script framework into our weather application. So let's launch the weather application, and now we need to inject it into the process I d. So let's find out what the process ideas by writing the P s command,
00:53
grab for weather
00:59
and we inject the process with the peace which so it's processed 7764 to see my scene
01:07
dash P
01:08
7764
01:11
Okay, great. We've successfully injected our script framework into the weather application. When script injects itself into an application, it hooks you y application and then we can generate through all the other objects in that class. In our instance, we're going to look at the views of the application we can do that using the choose command.
01:30
This allows us to interact with all the other objects,
01:34
and the choose command scours the entire memory region for all the different views that we might want. So let's go ahead and choose
01:44
you. I love you,
01:48
controller.
01:55
So as you can see, there's five or six different views here. If we were to find a view that were interested in, we could navigate to the sub class and look at all the different properties and methods that that class has. Okay, so what does our application have? What? We've got three sections there with Madrid, Barcelona
02:10
and West Haven. So let's go ahead and look for labels. We can use the choose command to look for labels as well
02:17
choose.
02:24
Choose you. I label. Okay.
02:30
Wow. A ton of them right? Got tons of different labels on tons of different layers. So once we find a memory address, were interested in, for instance, the U I label memory address for Barcelona. We can change it using JavaScript, show you how to do that. Our label will call it in label too.
02:49
Equals were making a new instance
02:54
of this particular memory dress. This was what holds the string? Barcelona.
03:01
So now we can adjust properties of the Barcelona label so we'll say
03:06
label
03:09
two,
03:12
not text
03:14
equals.
03:19
Let's see, where should we be?
03:23
Brian's
03:24
house?
03:28
So now we should see the label for Barcelona Change. So take a look at the iPhone
03:38
and there we go. Now it does. So using script, you can modify the different properties and the methods of different classes to see how that affects your program during your dynamic analysis.
03:50
Okay, so next let's just do another quick example. Let's send an alert to the springboard. So in this example, will use the U I alert view class to display a message box. So what we want to do is we want to go to the springboard.
04:04
Okay, so we got the springboard. And so what we want to do is get out of our
04:11
see script. Let's clear the screen because we want to go into the springboard now.
04:16
So now let's
04:21
go in tubes.
04:23
Springboard!
04:30
Okay, so now we're into the springboard.
04:33
So what we can do here is create new alert and we'll use the u I alert view class and allocate a message that gets popped to the springboard so we can do that by creating a variable.
04:47
So alert
04:49
new
04:53
equals the nice thing about
04:56
script as we can use
04:59
objective C
05:01
view, Alec.
05:04
Okay, so that's her.
05:06
So we're gonna initialize it,
05:11
innit? With title,
05:14
the title label will be
05:19
escapes.
05:23
Looks, I need a
05:26
the time it's a title sell. We need
05:29
escapes,
05:40
escapes the grease.
05:45
All right. And the message in the dialogue is gonna be
05:53
Larini
06:00
change your
06:04
Yeah,
06:06
life.
06:10
Okay,
06:13
Delegate is nil. Villa delegates now, which means it doesn't require in a hand off or anything like that.
06:18
So now and we'll give it a cancel button,
06:29
which is actually one button.
06:33
It's
06:39
yes.
06:40
Change
06:42
my
06:44
my life.
06:59
No other buttons.
07:00
Okay, so now this should create a new alert of you. Object.
07:08
So now we have a new u Y. Alert. You object. So what we can do is we can use wth e show method off this object to display a message on the screen. So alert.
07:20
Oops.
07:23
Alert. New
07:26
show.
07:29
So now you should see a message pop up on your springboard or on my spring partner. I should say so. Take a look at the iPhone.
07:38
So the ego there is our alert box
07:41
escapes agrees. Learning what's Ibori will change your life? Yes, one button changed my life,
07:46
so, unfortunately, that's all the time. I have to be able to show you this particular framework, but what you can do is you can go online. You can grab some third party applications, go through the static analysis process, then find some classes that you're interested in.
08:01
Load the application to your eye device, and then you can use script to go through dynamic analysis process.
08:07
The next step you should attempt it during your dynamic announces process is running your application in a debunker.
08:13
The bugger is a computer program that's used to test and a bug. Other programs.
08:18
The buggers are an essential tool firm our analysts because they offer code inspection a deeper level. The bugger available for Apple is L L D P and L L D. Be offers a variety of advanced debugging features for your IOS or Mac OS applications.
08:33
It's available via X code or the remote. The bugger server on a jail broken device. Unfortunately, debugging out IA West usually comes with some limitations.
08:43
Typically the X Code bugger will only allow you to debug homegrown applications. However, there are some open source tools that will allow you to debug applications on your device. The toe I recommend and have used is I p a patch with i p a patchy. Simply download the I p A patch project rename the I P. A patch you wish to debug
09:03
and then launched the iPod patch project.
09:05
Then, with just a few changes in your build settings, your target application will run with X code on your connected device. The nice thing is, is that you can run this application with X code on a non jail broken device. So there are some benefits to using this approach.
09:20
So if you don't want to buy developers license for X code and you want a little bit more power when it comes into bugging, I'm gonna show you how to get an L. D be remote debugging session set up on your eye device. The set of is fairly simple. However, you need a jail broken device. I proxy and your Mac, the eye proxy software will allow you to ford all your connections from the debunker client
09:41
to the dim bugger server on your eye device.
09:43
The first thing you're gonna want to do is set up the two proxies. The first is for S S H, and the second is for the debugging traffic. Once we've confirmed the connections there set up correctly, then we can start running commands.
09:56
Okay, so let's go ahead and set up some proxies.
09:58
We'll start with the iPhone proxy Proxy,
10:07
this is for sshh. Okay, let's verify it's working. Shh. Route.
10:24
Okay, we're in our iPhone, so we'll get rid of
10:28
this window.
10:30
Don't need that anymore. Okay, so let's go ahead and do our proxy for the debugging server.
10:43
The ports don't matter Here.
10:46
Okay, so that's it, huh?
10:52
Don't need that window anymore. Okay, so now it's started the bugging server,
11:26
but first, we need a process to inject into. So what we can do is here's what I thought
11:33
we wanted to bug the weather app. So
11:35
weather.
11:41
Okay, so now it's listening for a connection, so that seems good to go. So let's
11:48
shut that off.
11:54
No, no, The window. Here. Let's watch. R l D B.
12:01
Okay. What we want to do is tell the remote platform that we're using IOS. So we'll use platform.
12:09
Select
12:11
a remote us.
12:16
Okay, so that's good. So now we'll connect
12:20
using the process. Command
12:33
should connect us. Just takes. There we go. Okay. Looks like we're good to go. So now you might say yourself. Okay, we're good to go, but what are we doing? Where are we going? What are we doing? So debunkers allow you to move around the program.
12:48
We can look at memory registers, print variables, objects, methods, properties. The list goes on.
12:54
But first, let's explore weather app. Why? It's debug. Okay, so what can we do? While the first thing we can do is look at the main function of the program, but we have to locate it first is like this big bowl of memory, right? So let's see where the images and memory we can run a command to do that
13:11
image dump
13:13
sections weather
13:18
now, because I os utilizes, ***, are we need to calculate the offset of the address to where main is located. Well, okay. How do we know remain is well, let's grab the offset by taking the difference. The paid zero in the text containers, memory dresses. This is the SLR shift. Let me show you where that is.
13:41
So here's our paid zero container. And here's our text container. So what we'll do is we will take this address this address right here. We'll subtract it by this address
13:52
and that will give us our SLR shift.
13:54
And we can do that
13:56
right here
13:58
in the debunker.
14:03
So you get the address is here.
14:24
OK, so that's our SLR shift.
14:28
So now what we can do is we can set this up as a variable,
14:31
a delta variable, so that we always can use it. When we need to find offsets, off work functions are located and we can do that. Rain here too.
14:41
Thanks.
14:46
Help
14:50
equals
14:52
this address right here.
14:58
Okay, So now we can always use that delta variable when we need to look at where offsets are in memory.
15:05
Okay, So, back to our question, where's the main function? Well, that's where a handy dandy disassembly comes in. Let's see where the hopper says. Our entry point of the program is So what we have to do is let's just close all this out here
15:18
so spring the hopper up the hopper happens to say that the main function here is our main function here. Right? The main function is that this offset here.
15:33
So what we can do is go back into our deep Bulger,
15:39
and now we'll use our delta variable to calculate the SLR shift
15:50
by adding
15:52
that address
15:58
shirts. Correct.
16:00
Oops. Oh, my bad. Yeah, And he's the whole address,
16:03
all right?
16:07
Oh, no, I don't.
16:07
He's a decimal. I mean, his hacks.
16:11
This should work
16:12
the Harry. OK, I was going crazy. So now what we can do is use this address will disassemble it this address and see if this is where the main function is. So let's do that.
16:22
So disassemble. We use this address,
16:27
but you can even use us three there,
16:30
and we'll do
16:34
30.
16:37
Oh, what did I do wrong?
16:45
Uh, I did wrong.
16:49
Okay, let's see if this matches up.
16:52
So we've got unnamed symbols.
16:56
Get the symbol stub here at application. You I
17:03
Let's go back to the hopper.
17:04
Okay. So let's just call it a couple of things that you see it so you can see it. Okay, so we've got at application, so let's go to our hopper wanted to see if this is what this looks like. Here's our U U Y application main, so it looks promising.
17:18
Let's go to the hopper.
17:22
Pull this down.
17:26
Oops.
17:32
There's our main function. So we've accurately calculated the SLR shift. Okay, so now that we know our programs entry point, we can go back.
17:42
Yeah, we could do a lot of things at this point. We could set a break point at this address if we wanted to.
17:56
Where Main is do that
18:00
so that we had a break point there.
18:04
We could continues
18:07
the program
18:11
because
18:26
he read it registers. We can go back to the hopper, and we confined interesting functions that we want to look at war methods.
18:34
Oops.
18:36
So any time you see a let's see if we can find one.
18:41
So any time you see this object message send,
18:45
that means a method is getting implemented. So what you could do is you could go through Hopper and find all the methods you're interested in. And then all you would have to do is calculate the *** are offset and jump to these addresses and check him out. So now that you have a feel for the do bugger a bit. You could go find an application you curious about pulled off your device,
19:06
then dump the classes and play around with it in the jar. Bugger, while you have it open in the hopper.
19:11
All right, so I hope that was helpful for you. So remember, we've only just scratched the surface here with the bunker, but now you can get your own debugging server set up. You can calculate the SLR shift to locate portions of your program you wish to investigate.
19:25
And while the bugging you can make use of break points and other execution commands to navigate and step through the program and determine the functionality
19:33
Now doing your Mauer analysis, remember to combine the stack analysis process by looking for interesting classes, finding the methods for those classes and then setting break points on them during run time to see what values, arguments and other properties they hold.
19:48
While performing your dynamic analysis, you should monitor the network connections and application is making to uncover any malicious network traffic to command control servers, ad networks, et cetera. During the static analysis phase, you should be able to get some clues to the network functionality by dumping the network relieving classes and you're executed ble
20:08
or often simply by viewing strings.
20:11
Now, while there are many tools that allow you to set a minute where proxies you the data and manipulate responses for our purposes, we have a very simple option that does the job very nicely. And it's easy to set up
20:23
with TCP dump. We can set the iPhones networking adapter in promiscuous mode to intercept all the traffic. If we have a suspicious your Ellen mind, we can also use grab to filter out other network noise and to dump this to a peak cap file, which we can then view later in wire shark.
20:41
Okay, so let me show you how to do this really quick. It's really fast, actually. So the first thing we want to do is we want to log into our I device so we can do that using SS age,
20:52
as we've been doing
21:00
you.
21:10
Okay, so now what we want to do is we want to set up TCP dumb toe. Listen on our network adapter, so are networking, and after is e n zero and we'll dump all of the malicious traffic to a peak cap file. So we can do that using the TCP dumped command. So TCP dump
21:29
The interface is ian zero,
21:33
and the W switch will allow us to dump it to a file.
21:38
So temp
21:42
was caught. Now, that pea cap
21:48
and we want a graph
21:51
for our malicious you are. Well, in this case, it's going to be hex keeps.
21:59
Okay, so now we're listening on our device. So what we need to do is generate some traffic. So let's go to
22:04
our Web browser,
22:08
Google, and then we'll go to heck scapes.
22:15
Okay,
22:22
so now that generated some web traffic. So at this point, what we can do is we could let the monitor run for a while and let our application connected to any your ills that we think it's connecting to. In this particular instance, we're just going to stop it.
22:37
And now we should have a file
22:41
in a temp
22:44
called
22:45
mel dot decaf, which we d'oh. Okay, so what we can do is we can take this and we can move it over to our Callie limits machine, and we can investigate it. So let's look at our Callie machine.
22:59
Now I've gone ahead and move this file just to save some time.
23:03
But what we can do is just open it and wire shark.
23:14
So as you can see you, we've got our http, get request. And if we look down here at the while, we can just
23:22
do it this way.
23:29
And there we go.
23:30
There's our hex capes. You Earl. So that's how we can view the network traffic using TCP dump on her iPhone.
23:36
In the dynamic analysis section, we briefly touched on some strategies detailing how you could run your applications that run time and determine its functionality. Now, although some of the tools require some in depth knowledge of swift and objective C
23:49
using some of the frameworks and tools we outlined, shouldn't you be a good start with which you'll be able to create your own process
23:56
and dig into mobile now, where more effectively

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes
Instructor