TL;DR
Motivation
Dynamic binary instrumentation
FRIDA
DBI without rooting / jailbreaking
Unleash the power of Frida
Case study for runtime exploitation
Countermeasure
References
2. @zeq3ul
• Just a guy who is passionate about (offensive) security ~ 10 years+
• Dota2 SEA MMR ~ 3k+
• Rainbow Six Siege LVL ~ 100+
“Keep farming (Self-study) and Challenge the Roshan (Get certificate)”
tanprathan
pprathan
prathan
4. Motivation
• Root / Jailbreak Detection
• SSL Pinning Implementation
• End-to-end encryption on top of TLS
• Cellular network (4G) restriction
5. Dynamic binary instrumentation
• A method of analyzing the behavior of a binary application at runtime through the injection of instrumentation code.
• DBI can:
  • Access process memory
  • Overwrite functions while the application is running
  • Call functions from imported classes
  • Find object instances on the heap and use them
  • Hook, trace and intercept functions, etc.
6. FRIDA
• Dynamic code instrumentation toolkit that lets you hook into applications while they run and inject your own JavaScript, with complete access to the process memory and functions.
• With Frida, we have the power to:
  • Bypass Root / Jailbreak Detection
  • Bypass SSL Pinning
  • Modify the encrypted traffic over TLS
  • Pwn the application without using a proxy
  • Bypass local authentication
  • Subvert business logic
  • Increase game gems without purchasing
8. Tip!! How to root/jailbreak device
• Android
  • https://www.xda-developers.com/root/
• iOS
  • https://canijailbreak.com

Jailbreak Type                 | Processor | iOS Version | Duration
Untethered jailbreak           | 32 bit    | 7.0.0-7.1.2 | September 18, 2013 - September 16, 2014
Untethered jailbreak           | 32 bit    | 8.0-8.4     | September 17, 2014 - August 12, 2015
Untethered jailbreak           | 64 bit    | 9.0-9.1     | September 16, 2015 - December 7, 2015
Semi-untethered jailbreak      | 32 bit    | 8.4.1       | August 13, 2015 - September 15, 2015
Semi-untethered jailbreak      | 32 bit    | 9.1-9.3.5   | October 21, 2015 - September 12, 2016
Semi-untethered jailbreak      | 64 bit    | 9.2-9.3.3   | December 8, 2015 - August 3, 2016
Unstable (doesn't work on i7)  | 64 bit    | 10.0-10.2   | September 13, 2016 - January 22, 2017
12. Library Injection
• Re-route application control during library initialization
• Be able to conduct runtime analysis without rooting or jailbreaking the device
• Bypass Root/Jailbreak detection
15. Library Injection on Android app
• Disassemble the app using apktool
• Insert the Frida native library ("frida-gadget") into the APK's /lib folder
• Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app (main application activity)
• Add the Internet permission to the manifest, so that the Frida gadget can open a socket
• Repackage the app, re-sign the updated APK using your own keys and zipalign
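The two patching steps in the list above (the loadLibrary call in the main activity's bytecode and the Internet permission in the manifest), as an added Python example that is not the deck's code and not the apk_builder script: it edits the smali that apktool produces and the AndroidManifest.xml as text. The activity name, the sample smali and the sample manifest are constructed for illustration; the library name "frida-gadget" is the one the slide uses (the file in lib/<abi>/ is libfrida-gadget.so). apktool, signing and zipalign are still run separately.

```python
import re

# Smali for System.loadLibrary("frida-gadget"); the name matches the slide.
LOAD_GADGET_SMALI = [
    'const-string v0, "frida-gadget"',
    'invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V',
]
INTERNET_PERMISSION = '<uses-permission android:name="android.permission.INTERNET"/>'

ONCREATE_RE = re.compile(r'^\.method .*onCreate\(Landroid/os/Bundle;\)V\s*$')
LOCALS_RE = re.compile(r'^(\s*)\.locals (\d+)\s*$')


def inject_load_library(smali: str) -> str:
    """Insert the loadLibrary call at the top of the activity's onCreate().

    The call goes right after the .locals directive (and .prologue, if apktool
    emitted one) so it runs before any of the app's own code. At that point v0
    is unused, so the method only needs at least one local register; apktool
    output that uses .registers instead of .locals is rejected rather than guessed.
    """
    if 'Ljava/lang/System;->loadLibrary' in smali:
        return smali                                  # already patched, stay idempotent
    lines = smali.splitlines()
    out, in_oncreate, done, i = [], False, False, 0
    while i < len(lines):
        line = lines[i]
        if ONCREATE_RE.match(line):
            in_oncreate = True
        m = LOCALS_RE.match(line)
        if in_oncreate and not done and m:
            indent, n = m.group(1), int(m.group(2))
            out.append(f'{indent}.locals {max(n, 1)}')   # make sure v0 exists
            if i + 1 < len(lines) and lines[i + 1].strip() == '.prologue':
                out.append(lines[i + 1])                 # keep the debug directive first
                i += 1
            out.append('')
            out.extend(indent + s for s in LOAD_GADGET_SMALI)
            done = True
        else:
            out.append(line)
        if line.strip() == '.end method':
            in_oncreate = False
        i += 1
    if not done:
        raise ValueError('no onCreate(Bundle) with a .locals directive found')
    return '\n'.join(out) + '\n'


def add_internet_permission(manifest: str) -> str:
    """Add android.permission.INTERNET to AndroidManifest.xml if it is missing."""
    if 'android.permission.INTERNET' in manifest:
        return manifest
    m = re.search(r'<manifest\b[^>]*>', manifest, re.S)   # insert after the opening tag
    if not m:
        raise ValueError('not an AndroidManifest.xml')
    return manifest[:m.end()] + '\n    ' + INTERNET_PERMISSION + manifest[m.end():]


# Constructed sample inputs (not from a real app): a minimal main activity and manifest.
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""

SAMPLE_MANIFEST = """\
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == '__main__':
    print(inject_load_library(SAMPLE_SMALI))
    print(add_internet_permission(SAMPLE_MANIFEST))
```

Both functions are idempotent, so re-running the patch over an already patched tree does not double the loadLibrary call or the permission entry.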
16. Library Injection on Android app
• An automated script for unpacking, patching (inserting the Frida library into the binary), re-packaging, re-signing and deploying apps on a non-rooted device.
• https://github.com/dpnishant/appmon/tree/master/apk_builder
20. Dynamic Library (DYLIB) Injection on iOS app
• Create a developer profile, provisioning profile and certificate
• Insert the Frida library (FridaGadget.dylib) into the application container; insert the load command in the load commands section of the binary
• Increment the load command counter in the header; increase the load commands size value in the header
• Re-package the application by replacing the provisioning profile; re-sign both the main executable and FridaGadget.dylib with the certificate listed in the profile
• Deploy the whole application container and run the application on the device in debug mode
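The load-command step of the list above (append the load command, increment the counter, grow the size value), as an added Python example that is not the deck's code and not Fridpa's. It works on a thin little-endian Mach-O image and writes the new LC_LOAD_DYLIB into the zero padding that follows the existing load commands, refusing when that gap is too small instead of overwriting the first section. The sample image is a constructed stand-in, not a real app binary, and the path "@executable_path/FridaGadget.dylib" assumes the dylib was copied next to the main executable. The result still has to be re-signed, as the next step says.

```python
import struct

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
LC_LOAD_DYLIB = 0x0C
# mach_header_64 is 8 uint32 fields (32 bytes), mach_header is 7 (28 bytes);
# ncmds and sizeofcmds sit at the same field positions in both.
HEADER_FMT = {MH_MAGIC_64: '<8I', MH_MAGIC: '<7I'}
NCMDS, SIZEOFCMDS = 4, 5


def header_counts(macho: bytes) -> tuple:
    """Return (ncmds, sizeofcmds) from the Mach-O header."""
    magic = struct.unpack_from('<I', macho)[0]
    hdr = struct.unpack_from(HEADER_FMT[magic], macho)
    return hdr[NCMDS], hdr[SIZEOFCMDS]


def build_load_dylib(path: str, is64: bool) -> bytes:
    """Build an LC_LOAD_DYLIB: dylib_command struct followed by the padded path."""
    name = path.encode() + b'\0'
    cmdsize = 24 + len(name)
    cmdsize += (-cmdsize) % (8 if is64 else 4)   # cmdsize must be pointer-size aligned
    # cmd, cmdsize, lc_str offset of the name (24), timestamp, current_version, compat_version
    head = struct.pack('<6I', LC_LOAD_DYLIB, cmdsize, 24, 0, 0, 0)
    return head + name.ljust(cmdsize - 24, b'\0')


def list_dylibs(macho: bytes) -> list:
    """Paths of all LC_LOAD_DYLIB commands, in load order."""
    magic = struct.unpack_from('<I', macho)[0]
    ncmds, _ = header_counts(macho)
    off, names = struct.calcsize(HEADER_FMT[magic]), []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<2I', macho, off)
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from('<I', macho, off + 8)[0]
            names.append(macho[off + name_off:off + cmdsize].split(b'\0', 1)[0].decode())
        off += cmdsize
    return names


def insert_load_dylib(macho: bytes, path: str) -> bytes:
    """Append an LC_LOAD_DYLIB for `path`, incrementing ncmds and growing sizeofcmds.

    The command is written into the zero padding between the last load command
    and the first section; if that gap is too small we refuse rather than clobber
    __TEXT bytes. The returned image still needs to be re-signed.
    """
    magic = struct.unpack_from('<I', macho)[0]
    if magic == FAT_MAGIC:
        raise ValueError('fat binary: split it into per-architecture slices first')
    if magic not in HEADER_FMT:
        raise ValueError('not a little-endian thin Mach-O image')
    if path in list_dylibs(macho):
        return macho                                   # already injected, stay idempotent
    fmt = HEADER_FMT[magic]
    hsize = struct.calcsize(fmt)
    hdr = list(struct.unpack_from(fmt, macho))
    cmd = build_load_dylib(path, magic == MH_MAGIC_64)
    end = hsize + hdr[SIZEOFCMDS]                      # first byte after the load commands
    gap = macho[end:end + len(cmd)]
    if len(gap) < len(cmd) or gap.strip(b'\0'):        # any non-zero byte means no room
        raise ValueError('not enough zero padding after the load commands for %d bytes' % len(cmd))
    hdr[NCMDS] += 1
    hdr[SIZEOFCMDS] += len(cmd)
    return struct.pack(fmt, *hdr) + macho[hsize:end] + cmd + macho[end + len(cmd):]


def sample_macho64() -> bytes:
    """Constructed stand-in for an arm64 executable (not a real app binary): one
    LC_LOAD_DYLIB for libSystem, 64 bytes of zero padding like the slack real
    binaries carry, then a few `ret` instructions standing in for __TEXT."""
    libsystem = build_load_dylib('/usr/lib/libSystem.B.dylib', True)
    # magic, cputype (ARM64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack('<8I', MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(libsystem), 0, 0)
    return header + libsystem + b'\0' * 64 + b'\xc0\x03\x5f\xd6' * 4


if __name__ == '__main__':
    image = sample_macho64()
    patched = insert_load_dylib(image, '@executable_path/FridaGadget.dylib')
    print('before:', header_counts(image), list_dylibs(image))
    print('after: ', header_counts(patched), list_dylibs(patched))
```

The padding check is the part worth keeping: the load commands are followed immediately by the first section in many binaries, so growing sizeofcmds without verifying the gap corrupts code. The file size does not change, which is why the header's size field (sizeofcmds) is the one that has to be bumped.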
21. Dynamic Library (DYLIB) Injection on iOS app
• An automated script for unpacking, patching (inserting the load command into the binary), re-signing and deploying apps on a non-jailbroken device.
• https://github.com/tanprathan/Fridpa
23. Unleash the power of Frida
• Objection uses Frida to inject objects into an application's runtime and executes them within that application's security context to perform various tasks.
  https://github.com/sensepost/objection
• An automated framework for monitoring and tampering with system API calls of native macOS, iOS and Android apps.
  https://github.com/dpnishant/appmon
24. Unleash the power of Frida
Using FRIDA without Jailbreaking
https://vimeo.com/236055614
25. Case study for runtime exploitation
• Mobile banking application (Android, iOS) that:
  • Had its source code reviewed with commercial tools
  • Is able to detect Root/Jailbreak
  • Implemented SSL Pinning
  • Implemented end-to-end encryption
26. Case study for runtime exploitation
tsprotector
TrustKiller
27. Case study for runtime exploitation
• Decrypted the app and performed reverse engineering
• Analyzed the app's classes and methods
• Found an interesting class name and method
• Created a script to intercept the class and method
• Customized the script to manipulate the argument
• Bypassed the business logic in the app because they didn't validate it at the server side
NOOB SPOTTED !!