Bypassing anti-debugger check in iOS Applications

Expected Reading Time: 5 Mins

While pentesting mobile applications, very often you will come across applications implementing myriads of anti-reversing techniques. Specially while performing dynamic analysis, it is imperative to disable these checks. To make the bypassing these checks more daunting, some applications heavily obfuscate the binaries. In this post, we will look into bypassing one of the anti-debugging technique for iOS applications and using IDAPython script to automate patching of the binary. The idea presented in this post is really simple, and many readers might have been already using it, for others here is another idea to add to your armory.

Ptrace:

iOS under the hood runs a XNU kernel. The XNU kernel do implement ptrace() system call, but it is not potent enough when compared to Unix and Linux implementations. On the other hand, XNU kernel exposes another interface via Mach IPC to perform debugging. In this post we won’t be comparing between the two mechanisms, in fact we will only talk about one feature of ptrace syscall, PT_DENY_ATTACH. It is a fairly well known among the iOS application hackers, and among the most frequently encountered anti-debugging technique in iOS applications.

Before getting into the details of bypassing the check, lets first try to understand briefly what exactly does PT_DENY_ATTACH do. Although, there is ample literature available on the Internet discussing PT_DENY_ATTACH in various depths, but The Mac Hacker’s Handbook defines it most succinctly.

PT_DENY_ATTACH
This request is the other operation used by the traced process; it allows a process that is not currently being traced to deny future traces by its parent. All other arguments are ignored. If the process is currently being traced, it will exit with the exit status of ENOTSUP; otherwise, it sets a flag that denies future traces. An attempt by the parent to trace a process which has set this flag will result in the segmentation violation in the parent.

To rephrase it, using ptrace with PT_DENY_ATTACH, it ensures that no other debugger can attach to the calling process; even if an attempt is made to attach a debugger, the process exits.

It is important to know that ptrace() is not part of public API on iOS. As per the AppStore publishing policy, use of non-public API is prohibited and use of them may lead to rejection of the app from the AppStore ). Because of this, developers don’t call ptrace()   directly in the code, instead its called via obtaining ptrace() function pointer using dlsym. Programmatically it looks like:

#import 
#import <sys/types.h>
#import 
typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
void anti_debug() {
 ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(RTLD_SELF, "ptrace");
 ptrace_ptr(31, 0, 0, 0); // PTRACE_DENY_ATTACH = 31
}

The dis-assembly of the binary implementing this approach looks like following:

ptrace_original.PNG

To break down whats happening in the binary, at 0x19086 dlsym() is called with “ptrace” as the 2nd argument (register R1, offset 0x19084) to the function. The return value, in register R0 is moved to register R6 at offset 0x1908A. Eventually at offset 0x19098, the pointer value in register R6 is called using BLX R6 instruction. In this case, to disable ptrace() call, all we need to do is to replace the instruction BLX R6 (0xB0 0x47 in Little Endian) with NOP (0x00 0xBF in Little Endian) instruction. Armconverter.com is a handy tool for conversion between bytecode and instruction mnemonics. The code after patching looks like following:

call_ptrace

This can be done manually easily if there is only one or a few calls to ptrace, but this turns tedious once such calls are made multiple times across the binary.

IDAPython Script:
IDAPython script can be leveraged to perform this task automatically. I wrote one such script to automate the task for the binary dis-assembly shown above. The script is quite self explanatory, but if something is not clear, feel free to drop a comment below for further clarification.

To conclude, there are many other anti-debugging approaches available for iOS, the one discussed here is the most commonly found in the iOS applications. Using such techniques to slow down the attackers is fine, but solely depending on such techniques for the security of an application is not at all advisable. Such techniques can be part of the defense in depth approach, but should not be the only defense.

Keep hacking 🙂

How to detect a Drupal Installation

On 15th October Drupal project disclosed a severely critical vulnerability SA-CORE-2014-005 in Drupal core. Durpal is one of the most commonly used Content Management System (CMS), apart from WordPress and Joomla. CMS helps in organizing and storing files of a website.

The vulnerability affects Drupal version 7.x, before 7.32, and some deployments of 6.x. An SQL injection vulnerability is present in Drupal’s abstraction API layer and an unauthenticated user can easily exploit it. More details about the vulnerability are available at PSA-2014-003.

Lets look into some signatures which can be used to detect a Drupal installation:

1. CHANGELOG.txt: A default Drupal installation will have a CHANGELOG.txt file present in the root folder of the website. The presence of this file helps in couple of ways, firstly, it affirms presence of Drupal CMS and secondly helps in extracting the version of the Drupal running on the website. One can check Drupal’s website to check how does this work.

2. HTTP Expire header: A default Drupal installation have value of ‘Sun, 19 Nov 1978 05:00:00 GMT’ for expires header. It is fairly a good signature as not many servers will keep exactly this value.

Expire header in case of a Drupal installation
Expire header in case of a Drupal installation

3. X-Generator HTTP Header:  A default installation also sends a ‘X-Generator’ header in the HTTP response with value ‘Drupal 7 (http://drupal.org)’ .

4. Looking for Drupal modules: In case above mentioned methods are disabled by the server admin (which is very likely), one can scan for Drupal specific plugins. An exhaustive list is available here.

Determining Version:

Above methods, apart from CHANGELOG.txt, can only give us only a yes/no. But if one need to go a bit further and wants to determine the version of Drupal running??

To solve this problem, one can use the fact that Drupal is an open source tool. Clone the Drupal code and look for the file which is most changed across various versions. One would prefer to look for javascript or css files, as these will be easy to fetch and unlikely to be changed by the website developer. In my short research I found using modules/color/color.js is a nice place to start with. Generate a SHA-1 hash of color.js across various versions of Drupal, then fetch this file from the website and hash and check against an already generated hash table to determine the version, or at least a range.  You can practice this technique here.

Will update this post in case I find some more signatures. If you know one and would like to share, please leave it in the comments below.

Keep hacking !! 😀

Concentrate on the means, end will follow

One thing that makes humans unique compared to the other life forms is the ability to simulate. The sleepless night before an exam, or hallucinations of all going wrong before a big meeting, in all these restless hours our brain is simulating the outcome. More often than not we find ourselves simulating one situation or the other, the situation could be of an event basking us in glory or beating us down to the abyss. In all this process, it is very human to forget about the build up towards the end. The work we are putting in to reach towards the end, the goal which we tend to simulate.

Like all other aspects of life, Vedanta philosophy discusses this aspect as well. One of the eminent proponent of Vedanta Philosophy, Swami Vivekananda in one of the discourses in Los Angeles in 1900, gave insight on this very issue. He said, “our great defect in life is that we are so much drawn to the ideal, the goal is so much more enchanting, so much more alluring, so much bigger in our mental horizon, that we lose sight of the details altogether. But whenever failure comes, if we analyse it critically, in ninety-nine percent of cases we shall find that it was because we did not pay attention to the means”. He puts stress on the fact that one should pay as much attention to the means as to the end. If the means are right, then the end should come. He went on to add, “it is the cause which produces the effect; the effect cannot come by itself; and unless the cause are exact, proper, and powerful, the effect will not be produced. The means are the cause: attention to the means, therefore, is the great secret of life.”

In Bhagwad Gita, the lure of the goal or the expectation is identified as one of the major cause of human suffering. Why you feel unhappy when you do not get a return smile? Its not because we smiled but the expectation of getting a smile. It doesn’t mean that you will not smile when you meet another person. The problem is not by what we give, but by what we expect. Thus, one should not get lured by the outcome and should continue to work towards the goal without any expectation. Constantly work with all your power; to put your whole mind in the work, whatever it be, that you are doing. Stop simulating the outcomes, bring your brain activities under your control. The outcome is not under your control, but the work you are putting in towards it, is under your control.

So in a nutshell, let us perfect the means; the end will take care of itself.

LinkedIn accessing FB and email contacts

For past 2 months I have been frequently visiting LinkedIn and keeping my profile up-to-date. As a direct consequence of spending time on LinkedIn, I have befriended many friends over the time. I mostly add people when a suggestion is made by LinkedIn about them. In the recent past, I have observed that some of the suggestions popped up are really weird. I don’t have 2nd or 3rd or any degree relationship with these people on my LinkedIn circle, but off course I know these people outside LinkedIn.  This forced me to think how LinkedIn get to know about them. Being a information security professional, I know about the energy and money spent by these company to develop algorithms to connect as many edges as possible in the graph of people. Though unsurprisingly, these were the people with whom I have exchanged at least an email in the past or they are acquaintances on Facebook. 

As a personal rule, I never link any of my two accounts ( by using FB, Gmail or Twitter etc) and keep my online footprint as small as possible. This made me feel uncomfortable for next 2 days.  After some more thinking, I realized that the devil was in the email account. My LinkedIn and FB accounts are operated using the same email address. For records my email account is on Gmail. The creepy suggestions popping up are from the same email contacts. My email address is being used as a unique key to access my contacts on my various online services unauthorized. And now I am almost sure that LinkedIn is accessing my contacts on various accounts without my consent to do so.

One of the solution I am thinking to work out is to use separate email accounts for all these services. This will be painstaking, as I have to build my respective profiles again on various services, but an important thing to prevent these companies from stealing all the information about you. Secondly, doing away with Gmail as my email provider, as most important personal information is stacked in my emails and if my email provider colludes with some other companies, then I don’t have any personal information by definition. All is public. Not many good alternatives to Google services exist, but there have been many discussion on Hacker news and I will go through them again to find one that suits me the most.

Some might argue that one should discontinue using all social services, but doing so is difficult considering that you have to stay connected with your network some way or the other. In my case, I have lived in 5 different countries and to stay in touch with all my friends professionally or socially, LinkedIn and Facebook are the only good means. In the recent past I have almost done away with wasting time on FB,  reading some useless status updates and liking them, but FB messages is still used by many friends of mine to contact me.

One thought still lingers on my mind, how many NSAs are out there and building your personal profile just by using online footprints you left behind?

 

NTFS boot sector

NTFS filesystem can become corrupt/unusable because of various reasons. In such situation windows file manager might not detect this partition.  One such situation I encountered was during formatting my laptop from Windows to Linux to Windows. The non-bootable partition of my laptop was rendered unusable.

Before going into the solution, one important property of NTFS. NTFS maintains an extra copy of the boot sector.  This extra copy eventually helped me to recover my data.

One of the first tool to use is windows utility ‘chkdsk’. On running windows utility chkdsk, it pointed to the problem ‘NTFS boot sector unreadable’.  Using ‘chkdsk \F’  didn’t fix the problem. After some googling I came across a rather very simple tool – TestDisk.  Its an opensource software with GNU General Public License.  TestDisk copied the spare boot sector record to the primary boot sector and after a restart my hard disk partition was detected successfully and my data intact.  Using TestDisk is simple and well documented on the website.

Wireshark shows network packet larger than MTU

While working on my thesis I came across a weird problem, wireshark was showing packet size more than the MTU. One of the possible reason can be underlying network supports jumbo frames. But it wasn’t so in my case. 

After some googling I found the cause, Large segmentation offload (LSO) performed by NIC. LSO technique  increases the outbound throughput of high-bandwidth networks by offloading packet processing time from CPU to Network Interface Tag (NIC). When LSO is applied to TCP, it is called TCP Segmentation Offload (TSO). When LSO is applied on TCP, it is called as TCP Segmentation Offload (TSO).

The working of TSO can be explained with the help of an example. Let a unit of 65,536 bytes is to be transmitted by the host device. Assuming MTU of 1500 bytes, this data will be divided into 46 segments of 1448 bytes each before it is transmitted over to network through the NIC. Process of dividing the data into segments before sending it over the network is handed over to NIC instead of CPU. NIC will break down the data into smaller segments, and add corresponding TCP, IP and data link layer protocol headers. This significantly reduces the work done by the CPU. Large Receive Offload (LRO) is a similar technique to LSO, but applied for incoming traffic. 

ethtool -k <interface> shows the status of  LSO and LRO.  

ethtool -K <interface> tso off and ethtool -K <interface> gso off  turns off the segmentation offload and now you can see packet size of <= MTU in wireshark.