I have recently been engaged in deep security research on macOS for FortiGuard Labs focused on the discovery and analysis of IPC vulnerabilities. Always look for noticeable instruction combinations of movz and movk in interesting methods or after promising variable names.FortiGuard Labs How-To Guide for Threat Researchers When analyzing a iOS app written in Swift (no additional obfuscation applied, blackbox approach), one cannot always easily discover all string values from looking at the Str section in Hopper. Searching for the usage of the movk instruction also reveals the other hidden string „Passed!“.Īgain we can re-arrange and concat the values moved to x1 this time as the following 0x50617373656421, which is decoded as ascii-value, the missing string „Passed!“. This is the hex representation of the ascii-value „1234“. The arm processor has a little-endianness, that means the values can be re-arranged and concatenated as 0x31323334. I selected the first reference, and started reading the assembly code. Repeating the process with the structure showed the following References: Right clicking on the variable name in Hopper and selecting References to „aSecretpassword“ at (address) lead to the corresponding structure. Were are the other string values, and how can we recover them?Īs we know, the value „1234“ must be somewhere around the variable definition of secretPassword, so that is where our search will start.How could that be? And were are the other values hidden? Why is the value „You shall not pass!“ treated different then „Passed!“?Ī lot of questions so far… The question we will cover in this post is: Guess what? I was wrong… Take a look at the following extract from the disassembly, here we can only see one of the three strings ( „You shall not pass!“): I expected to discover all of the above mentioned string values to be visible in the Str section of Hopper. ipa file was created, then extracted and the binary opened with Hopper. We will focus on the following string (?) values:
On the following screenshot you can see all necessary information. The main functionality of the app was to check if the entered value for the passwordTextField is the same as defined in the variable secretPassword, and accordingly switching the text value of the resultLabel to either „Passed!“ or „You shall not pass!“. I will not go through all of the necessary steps for creating a iOS app here, as it will have no value for the topic. Therefore, a Single View App with only one View Controller projects was created with Xcode. I wanted to create a very simple app with Swift, to analyze the resulting disassembly. These insights, might be useful in future researches. The main insight for me was an interesting handling of strings in Swift and how they are represented in the disassembly created by Hopper Disassembler. This writeup covers the process of creating, disassembling and analyzing a very simple iOS app written in Swift.
0 kommentar(er)
