Technical Bitlets<br />
Experienced security engineer who mainly works in the area of payments security. I have also dabbled in other fun fields.
Check my GitHub at http://github.com/peterfillmore for some of my projects.
<h2>
Designing a badge for Kiwicon in PCBmodE</h2>
Posted 2015-12-16.<br />
Recently I decided to try my hand at designing a PCB using PCBmodE, a PCB EDA which takes a different design approach from traditional EDAs such as KiCad and Eagle.<br />
<div>
The key difference between PCBmodE and a traditional EDA is the ability to create patterns on the board in the different layers of the PCB using common graphics design tools. This allows for a greater amount of creativity in the layout phase of a design, at the expense of the design-rule checks that normal EDAs impose to prevent you from doing the wrong thing: there is no netlist and no DRC, so you are the rule checker.</div>
<div>
PCBmodE is the creation of Dr. Saar Drimer from <a href="http://www.boldport.com/">Boldport</a>, an electronics craftsmanship company which turns out some amazingly pretty and functional PCBs for a variety of clients.</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://static1.squarespace.com/static/539604e8e4b0d1f9ffe9ff0b/t/563f3d8ae4b00523ad38651e/1447007397205/?format=1000w" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://static1.squarespace.com/static/539604e8e4b0d1f9ffe9ff0b/t/563f3d8ae4b00523ad38651e/1447007397205/?format=1000w" height="279" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://static1.squarespace.com/static/539604e8e4b0d1f9ffe9ff0b/t/565742cde4b0060cdb59a676/1448559322016/orange-top-close.jpg?format=1500w" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://static1.squarespace.com/static/539604e8e4b0d1f9ffe9ff0b/t/565742cde4b0060cdb59a676/1448559322016/orange-top-close.jpg?format=1500w" height="216" width="320" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
So why did I not just use KiCad, Eagle or something else? Because I wanted to see what you can create using alternative tools and a methodology different from a regular board, and for the kicks.</div>
<div>
The first step was to design a circuit. For the project I had in mind I wanted something basic and obnoxious, so flashing LEDs it was.</div>
<div>
Initially I was thinking of designing something with a basic clock and shift registers, then came to my senses when I realised it's now cheaper to buy a microcontroller than all the parts needed for an old 80s-style design.</div>
<div>
I'd recently come back from DEF CON in the US and had been lucky enough to get one of the badges DC503 made for their party (designed by <a href="https://securinghardware.com/">@securelyfitz</a>), which used the Atmel ATtiny85.<br />
So I decided to rip their circuit off for this badge (sorry guys/girls)!</div>
<div>
<h3>
The Schematic</h3>
</div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhboPR7r_bIjMd8sfmhtvG3l-gC8sCcN4GxRTeawkwJMLclBvecatbpc2vId77ubyGHXfZjjbtosZw8uARRQMbNTk174T1cphRR-4R5F2xOpmI9MpZHd2dwRZbGmkGOwYef8X2uYdQeE7k/s1600/Screenshot+2015-12-17+11.30.47.png" imageanchor="1"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhboPR7r_bIjMd8sfmhtvG3l-gC8sCcN4GxRTeawkwJMLclBvecatbpc2vId77ubyGHXfZjjbtosZw8uARRQMbNTk174T1cphRR-4R5F2xOpmI9MpZHd2dwRZbGmkGOwYef8X2uYdQeE7k/s320/Screenshot+2015-12-17+11.30.47.png" width="320" /></a></div>
<div>
So I sat down and created a simple LED flasher circuit using <a href="https://en.wikipedia.org/wiki/Charlieplexing">charlieplexing</a> to maximise the number of LEDs I could flash (again, wanting to annoy the maximum number of people).</div>
<div>
This uses an <a href="http://www.atmel.com/devices/attiny85.aspx">ATtiny85</a>, <a href="http://e-radionica.com/productdata/RGB5050LED.pdf">a 5050 LED</a>, <a href="http://www.aliexpress.com/item/5-Values-Each-100pcs-500pcs-SMD-1206-led-Super-Bright-Red-Green-Blue-Yellow-White-LED/32410806985.html">a bunch of 1206 LEDs</a>, 0805 resistors, a push-button switch and a CR2032 coin-cell battery.</div>
<div>
I ordered most of the components off Alibaba, my favourite place to buy components as it is cheap as chips, but slow, so slow.</div>
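The following is an added example, not code from the post or from the kiwicon_badge repository, that works out what charlieplexing buys you: with n tri-state GPIO pins you get one LED per ordered pair of pins, n*(n-1) in all, and you light a given LED by driving its anode pin high, its cathode pin low and leaving every other pin as a high-impedance input. The script computes the direction and output masks for each LED in the AVR register style (DDR bit set = output, PORT bit set = high), checks the inverse (which LED a given mask pair lights), and works out the per-pin series resistor. The pin numbers, supply voltage, forward voltage and target current are assumptions chosen for the example, not values from the badge.

```python
"""Charlieplexing drive patterns for an n-pin LED matrix.

Added example, not code from the original post or from the kiwicon_badge
repository. Pin numbers and the DDR/PORT register model (bit i = pin i,
DDR bit set = output, PORT bit set = high) follow the AVR convention used by
parts such as the ATtiny85; the electrical values are assumptions.
"""
from itertools import permutations

# Assumed: four GPIO bits of the ATtiny85 are wired as the LED matrix.
MATRIX_PINS = [0, 1, 3, 4]


def charlieplex_leds(pins):
    """One LED per ordered (anode_pin, cathode_pin) pair: n pins give n*(n-1) LEDs."""
    return list(permutations(pins, 2))


def drive_pattern(anode, cathode, pins):
    """Return (ddr, port) masks that light only the LED from `anode` to `cathode`.

    Anode pin: output high. Cathode pin: output low. Every other matrix pin:
    input (high impedance), so no other LED has a current path.
    """
    if anode == cathode or anode not in pins or cathode not in pins:
        raise ValueError("anode and cathode must be two distinct pins of the matrix")
    ddr = (1 << anode) | (1 << cathode)  # only these two pins are driven
    port = 1 << anode                    # anode high, cathode low
    return ddr, port


def lit_leds(ddr, port, pins):
    """Inverse check: which LEDs conduct for a given (ddr, port)?

    An LED conducts when its anode pin is driven high and its cathode pin is
    driven low. This ignores the path through two LEDs in series via a
    floating pin, which does not light because it needs two forward voltages.
    """
    driven_high = {p for p in pins if ddr & (1 << p) and port & (1 << p)}
    driven_low = {p for p in pins if ddr & (1 << p) and not port & (1 << p)}
    return [(a, c) for a, c in charlieplex_leds(pins) if a in driven_high and c in driven_low]


def per_pin_resistor(vcc, vf, i_led, resistors_in_path=2):
    """Series resistor (ohms) per pin so that one lit LED draws `i_led` amps.

    In a charlieplexed matrix each pin has its own resistor and the current
    flows through two of them (anode's and cathode's), so the voltage drop is
    shared across `resistors_in_path` resistors.
    """
    if vcc <= vf:
        raise ValueError("supply must exceed the LED forward voltage")
    return (vcc - vf) / i_led / resistors_in_path


if __name__ == "__main__":
    leds = charlieplex_leds(MATRIX_PINS)
    print(f"{len(MATRIX_PINS)} pins drive {len(leds)} LEDs")
    for a, c in leds:
        ddr, port = drive_pattern(a, c, MATRIX_PINS)
        assert lit_leds(ddr, port, MATRIX_PINS) == [(a, c)]
        print(f"LED {a}->{c}: DDRB=0b{ddr:05b} PORTB=0b{port:05b}")
    # Assumed values: CR2032 at 3.0 V, red LED Vf 2.0 V, 10 mA target current.
    print(f"series resistor per pin: {per_pin_resistor(3.0, 2.0, 0.010):.0f} ohm")
```

Because only one LED is ever driven at a time, a "static" picture is really a fast scan over the list of patterns; the firmware just has to step through them faster than the eye can follow.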
<div>
<h3>
Board Design</h3>
</div>
<div>
Next I had to design the board.</div>
<div>
The first step was to read the <a href="http://pcbmode.readthedocs.org/en/latest/">documentation</a> and look at some of the <a href="https://github.com/boldport">example boards</a>.</div>
<div>
It took a while to grok how to design boards in PCBmodE.<br />
Here's how I did it:</div>
<div>
<h4>
Step 1 - Creation of Component Footprints</h4>
</div>
<div>
Create the component footprints in the ./components directory. I took the component JSON files given in the <a href="https://github.com/boldport/hello-solder">hello-solder</a> project and then altered these to suit each component. The idea here was to get the components correctly defined before trying to get creative.<br />
<h4>
Step 2 - Placement of components</h4>
</div>
<div>
Place a few components in the ducksec-badge.json file to get an idea of how it works.<br />
Again here I took hello-solder.json and stripped it down to suit my needs.<br />
<h4>
Step 3 - Generate the SVG file</h4>
</div>
<div>
<div class="p1">
<span class="s1">To generate the SVG from our test ducksec-badge.json we use the following command:</span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace;">python ../pcbmode.py -b ducksec-badge -m </span></span></div>
</div>
<div>
from the ./cool-pcbs directory of PCBmodE.<br />
<br />
This generates an SVG file that I then open in <a href="https://inkscape.org/en/">Inkscape</a>.<br />
<br />
<h4>
Step 4 - Creating the board outline</h4>
To form the shape of the board you edit the "outline" layer. This layer is not copied back to the JSON when you extract your edits, so you have to copy the path data across by hand:<br />
<ol>
<li>Shift-Ctrl-X opens Inkscape's XML editor, which shows the SVG as XML.</li>
<li>Select the outline layer.</li>
<li>Click the unlock icon.</li>
<li>Select the svg:path.</li>
<li>Copy the "d" attribute value shown.</li>
<li>Open kiwicon-badge.json.</li>
<li>Go to the "outline" tag and paste the copied "d" value into the "value" string:</li>
</ol>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2">"outline": {</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> "shape": {</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> "type": "path",</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> "value": "m 7.614166,...</span></span><span style="font-family: 'Courier New', Courier, monospace;">,-32.7480675 z",</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> "location": [</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> -0.1268844, -2.257778</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> ]</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s2"> }</span></span></div>
<br />
<div class="p2">
<span style="font-family: Courier New, Courier, monospace;"><span class="s3">},</span></span></div>
Regenerate the board using the above PCBmodE command and you should see the shape you designed in Inkscape, here a nice rubber ducky.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg61CKmRU9uuLXHBzYFCoGt9dwUMhOHQVMBt57IWlb20SrRRRwVFvPnde3MIhTfIx8z5IWbG6k6Hr4ViYeskDasCyJcMPpmDTz6jAFzGgjFB53RB1VjzN2ifz0VBXOx3lBttLG4NVxhw6s/s1600/Screenshot+2015-12-17+12.53.22.png" imageanchor="1"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg61CKmRU9uuLXHBzYFCoGt9dwUMhOHQVMBt57IWlb20SrRRRwVFvPnde3MIhTfIx8z5IWbG6k6Hr4ViYeskDasCyJcMPpmDTz6jAFzGgjFB53RB1VjzN2ifz0VBXOx3lBttLG4NVxhw6s/s320/Screenshot+2015-12-17+12.53.22.png" width="320" /></a><br />
<br />
<h4>
Step 5 - Placing your components</h4>
</div>
<div>
Now you should be able to place your components on the board.</div>
<div>
Here I created all the different components in the kiwicon-badge schematic and incremented the locations so they were spread around the generated SVG and I could clearly see them. </div>
<div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s1">"D1": </span><span class="s2">{</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"> "footprint": "1206-LED",</span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"> "layer": "top",</span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace;"> "location": [</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace;"> -6.9479856,</span></span></div>
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace;"> 11.8223</span></span></div>
<div class="p1">
<span style="font-family: Courier New, Courier, monospace;"><span class="s1"> ],</span><span class="s2">}</span><span class="s1">,</span></span></div>
</div>
<div>
I then regenerated the SVG and started placing the components in the areas I wanted them on the board. To do this I lock all other layers and unlock the "assembly", "solderpaste", "soldermask", "silkscreen", "pads" and "drills" layers, then select the whole component and place it where I want it.<br />
After placing the components I can then regenerate the JSON file from my edited SVG using the following command:<br />
<br />
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace;">python ../pcbmode.py -b kiwicon-badge -e</span></span></div>
This extracts your changes from the SVG and writes a JSON file with them embedded. It only handles certain layers, so it does not bring the outline back; that still has to be copied by hand as in Step 4.<br />
<br />
<h4>
Step 6 - Routing</h4>
<div>
Generate the SVG again with the changes you've made to date</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">python ../pcbmode.py -b kiwicon-badge -m</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">Select the "copper" folder and the "routing" layer.</span></div>
<div>
<span style="font-family: inherit;">Then start connecting the components together with paths in Inkscape. Take special care not to cross traces on the same layer: there is no design-rule check here to catch a short.</span>
<div>
<br /></div>
<div>
To add a via you draw a dot, then redefine that dot as a via in the XML of the SVG.</div>
<div>
<a href="http://pcbmode.readthedocs.org/en/latest/routing.html#adding-vias">http://pcbmode.readthedocs.org/en/latest/routing.html#adding-vias</a></div>
<div>
<br /></div>
<div>
Take care in this step to join the circuit together slowly and methodically, checking each connection against your schematic, as you don't have a netlist to guide you.</div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<h4>
<span style="font-family: inherit;">Step 7 - Repeat steps 5 and 6</span></h4>
<div>
<span style="font-family: inherit;">Iterate over steps 5 and 6 to design the board. Be artistic: this is why you are using PCBmodE!</span></div>
<h4>
Step 8 - Generate your gerbers/manufacturing files.</h4>
So at this point you should be happy with the design you've made and almost ready for sending to your chosen board house.<br />
To generate the gerber files:<br />
<br />
<div class="p1">
<span class="s1"><span style="font-family: Courier New, Courier, monospace;">python ../pcbmode.py -b kiwicon-badge --fab "dirtypcb"</span></span></div>
<br />
The "--fab" argument selects the file naming that a particular board manufacturer wants. In this case I used <a href="http://dirtypcbs.com/">DirtyPCBs</a>, but you can adapt pcbmode_config.json to suit the board house of your choice.<br />
<br />
You can then review the generated gerbers in a gerber viewer to check that each layer looks correct (personally I use gerbview, included in the KiCad package).<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwVI5dVcKh2DeShd9hQ0ycX1cbR1Oby41Sf_5m729o0AC-bw10EB1IStzx0fItOjG4UdisTWILSUHi3fDJnfdx0N9jRm8snXieHKOUTtoDTCraJpnR2vE2KfdY2UBu3zjiot-cSxR6bdA/s1600/Screenshot+2015-12-17+14.45.28.png" imageanchor="1"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwVI5dVcKh2DeShd9hQ0ycX1cbR1Oby41Sf_5m729o0AC-bw10EB1IStzx0fItOjG4UdisTWILSUHi3fDJnfdx0N9jRm8snXieHKOUTtoDTCraJpnR2vE2KfdY2UBu3zjiot-cSxR6bdA/s320/Screenshot+2015-12-17+14.45.28.png" width="320" /></a></div>
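As an added example (not part of the post or of PCBmodE), here is a small script that automates the copy-by-hand from Step 4: it pulls the outline path data out of the Inkscape-edited SVG and writes it into the board JSON, which the "-e" extraction does not do. It assumes that the outline sits in an Inkscape layer labelled "outline" (a group with inkscape:groupmode="layer") containing a single path, and that the board JSON uses the "outline" / "shape" / "value" structure shown above; the SVG and JSON embedded in it are constructed samples, not the badge's real files. It refuses an open path (PCBmodE needs a closed outline) and a path or layer that carries a transform attribute, since the "d" coordinates alone would then land in the wrong place.

```python
"""Copy the board outline from an Inkscape-edited PCBmodE SVG back into the board JSON.

Added example, not part of the original post or of PCBmodE. Assumptions: the
outline is a single <path> inside an Inkscape layer labelled "outline", and the
board JSON has the outline -> shape -> {type, value, location} structure shown
in the post. SAMPLE_SVG and SAMPLE_BOARD_JSON are constructed test data.
"""
import json
import sys
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
INK_NS = "http://www.inkscape.org/namespaces/inkscape"

SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:inkscape="{INK_NS}">
  <g inkscape:groupmode="layer" inkscape:label="silkscreen">
    <path d="m 1,1 2,0 z"/>
  </g>
  <g inkscape:groupmode="layer" inkscape:label="outline">
    <path id="duck" d="m 7.614166,0 20,0 0,-32.7480675 -20,0 z"/>
  </g>
</svg>"""

SAMPLE_BOARD_JSON = """{
  "outline": {
    "shape": {
      "type": "path",
      "value": "m 0,0 10,0 0,10 -10,0 z",
      "location": [-0.1268844, -2.257778]
    }
  }
}"""


def extract_outline_path(svg_text, layer_label="outline"):
    """Return the 'd' attribute of the single <path> on the named Inkscape layer."""
    root = ET.fromstring(svg_text)
    layers = [g for g in root.iter(f"{{{SVG_NS}}}g")
              if g.get(f"{{{INK_NS}}}groupmode") == "layer"
              and g.get(f"{{{INK_NS}}}label") == layer_label]
    if len(layers) != 1:
        raise ValueError(f"expected one layer labelled {layer_label!r}, found {len(layers)}")
    paths = list(layers[0].iter(f"{{{SVG_NS}}}path"))
    if len(paths) != 1:
        # Two paths means a stray object was left on the layer; none means nothing was drawn.
        raise ValueError(f"expected one path on layer {layer_label!r}, found {len(paths)}")
    if layers[0].get("transform") or paths[0].get("transform"):
        # 'd' alone is in the element's local coordinates; a transform would move the outline.
        raise ValueError("outline carries a transform; remove it in Inkscape before copying")
    d = (paths[0].get("d") or "").strip()
    if not d.lower().endswith("z"):
        raise ValueError("outline path must be closed (end with 'z')")
    return d


def update_board_outline(board_json_text, d):
    """Return the board as a dict with outline.shape.value replaced by `d`."""
    board = json.loads(board_json_text)
    shape = board["outline"]["shape"]
    if shape.get("type") != "path":
        raise ValueError("outline shape is not a path")
    shape["value"] = d
    return board


if __name__ == "__main__":
    # Usage: python sync_outline.py board.svg board.json > board.new.json
    if len(sys.argv) == 3:
        svg_text = open(sys.argv[1], encoding="utf-8").read()
        board_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        svg_text, board_text = SAMPLE_SVG, SAMPLE_BOARD_JSON
    board = update_board_outline(board_text, extract_outline_path(svg_text))
    print(json.dumps(board, indent=2))
```

Run it with the SVG PCBmodE generated and your board JSON, check the printed result, then regenerate the board with the "-m" command above; the "location" field is left alone, so the outline still lands where the JSON already places it.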
<div>
<br />
<h3>
After</h3>
</div>
<div>
At this point I thought it looked good, so I sent the board off for printing.<br />
I like DirtyPCBs as the shipping is cheap and the quality is a lot higher than what they describe on the site.</div>
<div>
<br />
A few weeks later I received my boards and the components I needed. At this stage it was less than a week to Kiwicon, so I had to hope I hadn't mucked up and the circuit was good.</div>
<div>
<br /></div>
<div>
I threw one together in an hour or so and to my surprise all the parts worked;<br />
except that I had wired the switch to the reset pin of the processor :(<br />
and wired the switch closed :(<br />
But that was easy to fix with a few bodge wires :)</div>
<div>
<br /></div>
<div>
Next I had to write some code; a quick search got me a good <a href="https://github.com/uctools/avr-template">avr-template</a> and I was ready to roll.</div>
<div>
<br />
So how did it look:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dw6AFqzG1CVR_uzrSqbsgSZ9prDaFmj03fyivSaexLAaNkopZkH3KvskLKhjTV3hjM-YAXlbGlMO5aVyJaQHQ' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
<h3>
Code:</h3>
<h4>
Source at</h4>
<a href="https://github.com/peterfillmore/kiwicon_badge">https://github.com/peterfillmore/kiwicon_badge</a></div>
<div>
<h4>
PCB at:</h4>
<a href="https://github.com/peterfillmore/kiwicon_badge/pcb">https://github.com/peterfillmore/kiwicon_badge/pcb</a><br />
<br />
<h3>
Things I broke in the rush</h3>
<div>
<ul>
<li>Wired the switch to the reset pin of the microcontroller.</li>
<li>Wired the switch closed.</li>
<li>Didn't calculate ideal resistors/currents for each LED (just threw them on the board and hoped)</li>
<li>Burnt a few LEDs in assembly</li>
<li>Disabled reset on a few ATtinys and caused the chips to lose in-circuit programming mode.</li>
<li>Couldn't get an interrupt on the remapped reset pin to work on the ATtiny.</li>
</ul>
</div>
</div>
<div>
Other than that, it worked great.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<h2>
Enabling an additional screen in a Qubes OS Windows HVM</h2>
Posted 2015-05-25.<br />
I recently converted my work laptop over to using <a href="https://www.qubes-os.org/">Qubes OS</a>, an OS built around running each workload in its own lightweight VM to provide security through isolation.<br />
Naturally I added a Windows VM using this handy guide <a href="http://www.qubes-os.org/doc/WindowsAppVms/">http://www.qubes-os.org/doc/WindowsAppVms/</a> to install and configure a working Windows 7 install so I could run PowerPoint.<br />
Everything worked great until I connected an external monitor; my Qubes desktop expanded to fill the new monitor, but my Windows VM was still stuck with a single display window. I needed a second window so I could view my presentation notes when giving a talk using the built-in view in PowerPoint.<br />
At first I thought I could enable this through the VM's ".conf" file, but couldn't find any option to enable emulation of an additional screen.<br />
I tried assigning the video adapter hardware to the running VM, but all that did was disable my laptop screen.<br />
However, I had success configuring it directly in the Windows VM.<br />
<h3>
Instructions </h3>
<div>
<ol>
<li>Connect your external monitor to your system; dom0 should detect it and extend your desktop to this display.</li>
<li>Boot your Windows VM and open the device hardware pane. <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5hn6fZXdKUr6OBd_oGeuilfcRhEa-2XFbX_3iTW-tSdVO6nCibb5ebptnH2k1I2GBwfH6QuyNUynX9gBNAJSn-sPCrgJBminw3NAC3xZnfdisIy6w_s3KPGJF-fuacXZs4uJMqem9Tis/s1600/snap1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5hn6fZXdKUr6OBd_oGeuilfcRhEa-2XFbX_3iTW-tSdVO6nCibb5ebptnH2k1I2GBwfH6QuyNUynX9gBNAJSn-sPCrgJBminw3NAC3xZnfdisIy6w_s3KPGJF-fuacXZs4uJMqem9Tis/s320/snap1.png" width="320" /></a></div>
</li>
<li>Enable the "Standard VGA Graphics Adapter" and reboot the VM.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpS8RUUXYCDdeK5BeltnhJSQlLxsZighOy549WCYKjqdHPt2V_KZgka9RD4rNxd1YtAQG1qWXT4CGcrOuKSlZge3C0ioCGKVTX7gvHbmnyY7Bk8jyjMp8KEzj084ge-1zgdlgND1-S3pY/s1600/snap2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpS8RUUXYCDdeK5BeltnhJSQlLxsZighOy549WCYKjqdHPt2V_KZgka9RD4rNxd1YtAQG1qWXT4CGcrOuKSlZge3C0ioCGKVTX7gvHbmnyY7Bk8jyjMp8KEzj084ge-1zgdlgND1-S3pY/s320/snap2.png" width="320" /></a></div>
</li>
<li>Test that PowerPoint now detects your screen.</li>
<li>Resize the new window from within Windows to make it usable.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJAULIROmGpm5-cSy9lUJmlsEU5haHM3qKintfJYn5q-zAiiBuaigQH9MyaMhK1-RePdx0Ee8yvkaVm2Bk0AVkrV3AL6O_NsL3g0ZSBVAF-MTYeTlV8zwN-plAJSIbIpoPBxkwKUHD5Y0/s1600/snap3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJAULIROmGpm5-cSy9lUJmlsEU5haHM3qKintfJYn5q-zAiiBuaigQH9MyaMhK1-RePdx0Ee8yvkaVm2Bk0AVkrV3AL6O_NsL3g0ZSBVAF-MTYeTlV8zwN-plAJSIbIpoPBxkwKUHD5Y0/s320/snap3.png" width="320" /></a></div>
</li>
</ol>
Now you should be able to read your presentation notes while talking!<br />
I highly recommend you give Qubes a go, as it's a great idea with lots of advantages when you need to run lots of different applications and OSes on a single computer.<br />
<br /></div>
<h2>
Coordinated ATM Heists, and a rant...</h2>
Posted 2013-05-14.<br />
It's been a while since I posted; I have been a bit flat out with multiple projects on different continents.<br />
<br />
This story is a great one for those of us in the payments security field.<br />
<a href="http://krebsonsecurity.com/2013/02/crooks-net-millions-in-coordinated-atm-heists/">http://krebsonsecurity.com/2013/02/crooks-net-millions-in-coordinated-atm-heists/</a><br />
<a href="http://www.theverge.com/2013/5/13/4326336/cyber-caper-behind-the-scenes-of-the-45-million-atm-heist">http://www.theverge.com/2013/5/13/4326336/cyber-caper-behind-the-scenes-of-the-45-million-atm-heist</a><br />
<a href="http://www.reuters.com/article/2013/05/13/us-usa-crime-cybercrime-electracard-idUSBRE94C0K220130513">http://www.reuters.com/article/2013/05/13/us-usa-crime-cybercrime-electracard-idUSBRE94C0K220130513</a><br />
<br />
This is an interesting story in that it was not the cardholder data that was attacked: the attackers got into the card processors and raised the balances and withdrawal limits on prepaid debit cards. There is a good chance the processors were PCI DSS compliant, as that standard is concerned with protecting cardholder data, not with the integrity of account balances or withdrawal limits.<br />
<br />
This is a good lesson for all payment processors: PCI compliance alone is not sufficient security. You must continually assess and test the whole payment environment for vulnerabilities, including the systems that hold balances and limits, not just the cardholder-data environment the standard scopes.<br />
<br />
Also, countries not using chip-card/EMV should hurry up and join the rest of the world.<br />
<br />
<br />
Magstripe is a broken technology, and it contributed to the above attack: the prepaid cards were cloned, multiplying the losses incurred.<br />
EMV chip cards cannot be economically cloned, which reduces the economic impact of attacks like the one above (provided issuers do not also honour magstripe fallback on those cards).<br />
<div>
<br /></div>
<br />
Why is a product like this, <a href="https://squareup.com/stand">https://squareup.com/stand</a>, even feasible in 2013? Almost all payment terminals produced now support chip/EMV transactions.<br />
$299 for a product that is not PCI compliant, already obsolete and insecure sounds like the Windows 3.1 of payment terminals...
<h2>
Nice write-up on issues in TLS/SSL</h2>
Posted 2013-03-13.<br />
Haven't blogged in a while due to studying for the CISSP certification and working on other fun projects. Amazon EC2 instances are enormous fun to play with, and <a href="http://aws.amazon.com/free/">free to get started with</a>; I wish I had this type of stuff when I was at uni.<br />
<br />
Came across this great story on RC4 and TLS:<br />
<a href="http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html">Attack of the week: RC4 is kind of broken in TLS</a><br />
Cipher suites in TLS/SSL implementations have been an interesting area of late, with a number of attacks published in the last few months.<br />
A fun thing to do is to scan a website using the <a href="http://www.taddong.com/en/lab.html#TLSSLED">TLSSLED</a> shell script and see what cipher suites it supports.<br />
Here's the output for google.com:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 256 bits AES256-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 168 bits DES-CBC3-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits AES128-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits RC4-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits RC4-MD5</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 256 bits AES256-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 168 bits DES-CBC3-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits AES128-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits RC4-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits RC4-MD5</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: inherit;">The interesting entries here are the RC4 suites, and RC4-MD5 in particular. MD5 is broken as a collision-resistant hash and should have been retired by now; strictly, TLS uses it as HMAC-MD5, which the collision attacks do not break directly, but the weaker half of that suite is RC4 itself, the subject of the article above, and it is offered on both SSLv3 and TLSv1. </span><br />
<span style="font-family: inherit;"><br /></span>
Compare this to api.square.com:443:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 256 bits AES256-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 168 bits DES-CBC3-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits AES128-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted SSLv3 128 bits RC4-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 256 bits AES256-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 168 bits DES-CBC3-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits AES128-SHA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> Accepted TLSv1 128 bits RC4-SHA</span><br />
<span style="font-family: inherit;">which is closer to </span><a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf" style="font-family: inherit;">FIPS 140-2 Annex A</a><span style="font-family: inherit;">: AES, Triple-DES and SHA-1 are approved functions there, but RC4 is not, so the two RC4-SHA suites would still have to go in a FIPS-mode configuration. Note also that none of Square's suites use ECDHE, so none of its connections get forward secrecy, whereas google.com offers an ECDHE-RSA variant of every cipher.</span><br />
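An added example (not part of the post or of TLSSLED) that turns a listing like the two above into a review: it parses TLSSLED's "Accepted &lt;protocol&gt; &lt;bits&gt; bits &lt;suite&gt;" lines and flags what a reviewer would object to in each suite, namely the SSLv3 protocol, RC4, an MD5 MAC, 3DES and RSA-only key exchange (no forward secrecy), then totals them per host. The two listings embedded in it are the google.com and api.square.com output reproduced from this post; suite names are OpenSSL names. Note that the post's listing only covers SSLv3 and TLSv1, so it says nothing about TLS 1.1 or 1.2 support.

```python
"""Triage a TLSSLED cipher-suite listing.

Added example, not part of the original post or of TLSSLED. It parses the
"Accepted <protocol> <bits> bits <suite>" lines TLSSLED prints and flags the
things a reviewer objects to. Suite names are OpenSSL names as in the post;
GOOGLE_2013 and SQUARE_2013 reproduce the two listings from the post.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

GOOGLE_2013 = """\
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
"""

SQUARE_2013 = """\
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA
"""

NO_FS = "RSA key exchange: no forward secrecy, a leaked server key decrypts recorded traffic"


def parse_tlssled(text):
    """Return (protocol, bits, suite) for every Accepted line."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in LINE_RE.finditer(text)]


def assess(protocol, bits, suite):
    """Return the list of problems with one accepted suite; empty means nothing to flag."""
    problems = []
    if protocol == "SSLv3":
        problems.append("SSLv3: obsolete protocol, disable it")
    if "RC4" in suite:
        problems.append("RC4: biased keystream allows plaintext recovery given enough ciphertexts")
    if suite.endswith("-MD5"):
        # TLS uses HMAC-MD5 here, which collision attacks do not break directly,
        # but MD5 should be retired regardless.
        problems.append("MD5 MAC: retire the algorithm")
    if "DES-CBC3" in suite:
        problems.append("3DES: 64-bit block cipher with a thin security margin")
    if bits < 128:
        problems.append(f"{bits}-bit cipher: key too short")
    if not suite.startswith(("ECDHE-", "DHE-")):
        problems.append(NO_FS)
    return problems


def summarize(text):
    """Count suites, suites with forward secrecy, and occurrences of each problem class."""
    issues = Counter()
    suites = parse_tlssled(text)
    forward_secrecy = 0
    for protocol, bits, suite in suites:
        problems = assess(protocol, bits, suite)
        if NO_FS not in problems:
            forward_secrecy += 1
        for p in problems:
            issues[p.split(":")[0]] += 1
    return {"suites": len(suites), "forward_secrecy": forward_secrecy, "issues": dict(issues)}


if __name__ == "__main__":
    for host, listing in (("google.com", GOOGLE_2013), ("api.square.com", SQUARE_2013)):
        print(host, summarize(listing))
        for protocol, bits, suite in parse_tlssled(listing):
            for p in assess(protocol, bits, suite):
                print(f"  {protocol:6} {suite:28} {p}")
```

Feed it the saved output of a TLSSLED run instead of the embedded constants and the same summary tells you at a glance whether a host still offers SSLv3 or RC4 and how many of its suites give forward secrecy.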
<span style="font-family: inherit;"><br /></span>
<br />
<br />
<br />
<span style="font-family: inherit;"><br /></span>
<h2>
Nice attack on a bad implementation using the Atmel SAM7XC crypto co-processor</h2>
Posted 2013-02-11.<br />
<a href="http://oamajormal.blogspot.co.uk/2013/02/atmel-sam7xc-crypto-co-processor-key.html">http://oamajormal.blogspot.co.uk/2013/02/atmel-sam7xc-crypto-co-processor-key.html</a><br />
<br />
This is why hardware key management is so important. In this case the processor contains hardware cryptographic engines yet no dedicated key storage or tamper protection. This means the keys have to live in internal Flash or RAM, and anyone who can read out that memory can recover them.<br />
<br />
A proper secure processor implements dedicated key storage memory combined with active tamper detection. If a tamper event is detected by the processor's security subsystem, the key storage area is actively zeroised, preventing key extraction. Examples of such processors include the <a href="http://www.maximintegrated.com/datasheet/index.mvp/id/6134">Maxim USIP</a>, Freescale <a href="http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=i.MX258">i.MX258</a> or the <a href="http://www.broadcom.com/products/Security/Point-of-Sale/BCM5892">Broadcom BCM5892</a>.<br />
<br />
The analysis performed here shows how much implementation matters when designing a secure system: a hardware crypto engine is only as strong as the storage holding the keys it uses.<br />
<br />
<br />
<h2>
iOS 6.x Untethered Jailbreak out</h2>
Posted 2013-02-04.<br />
Available at: <a href="http://evasi0n.com/">http://evasi0n.com/</a><br />
<br />
<span style="font-family: inherit;">I recommend checking the SHA-1 hash of the release you downloaded against the provided list (a habit I should get into as well). This can be done with <a href="http://www.openssl.org/">OpenSSL</a>; bear in mind that a hash list published alongside the download only catches a corrupted or mirror-swapped file, not a compromise of the site itself, unless the list is signed or fetched over a separate trusted channel:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">openssl sha1 <filename></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
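As an added example (not from the post or from evasi0n), here is the same check done in Python rather than by eye: it reads a hash list in the "&lt;hex digest&gt;  &lt;filename&gt;" layout that sha1sum and shasum produce (the exact layout of the evasi0n list is not shown in the post, so that format is an assumption), picks the entry for the file you downloaded, hashes the file with SHA-1 or SHA-256 depending on the digest length, and compares with hmac.compare_digest. The sample file contents and hash list are constructed; the digests in the list are the standard test vectors for the three-byte input "abc". Two caveats: SHA-1 is no longer collision resistant, so prefer a SHA-256 list where the publisher offers one, and a list served from the same site as the download is only as trustworthy as that site.

```python
"""Verify a download against a published hash list.

Added example, not part of the original post or of evasi0n. Assumes the list
uses the '<hex digest>  <filename>' layout written by sha1sum/shasum; the
sample file and list below are constructed (the digests are the standard
SHA-1 and SHA-256 test vectors for the input b"abc").
"""
import hashlib
import hmac
import sys

HEX_DIGITS = set("0123456789abcdef")

# Constructed sample: what you would have downloaded, and the publisher's list.
SAMPLE_DOWNLOAD = b"abc"
SAMPLE_HASH_LIST = """\
# evasi0n release hashes (constructed sample, not the real list)
a9993e364706816aba3e25717850c26c9cd0d89d  evasi0n-sample.zip
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  evasi0n-sample.tar.gz
"""


def parse_hash_list(text):
    """Return {filename: lowercase hex digest}; blank and '#' lines are skipped."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")  # sha1sum marks binary-mode entries with '*'
        if not name or len(digest) not in (40, 64) or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed hash list line: {raw!r}")
        expected[name] = digest
    return expected


def verify(data, filename, hash_list_text):
    """Return (ok, algorithm). ok is False if the file is not listed or its digest differs."""
    expected = parse_hash_list(hash_list_text)
    want = expected.get(filename)
    if want is None:
        return False, None
    algorithm = "sha1" if len(want) == 40 else "sha256"  # digest length tells the algorithm
    got = hashlib.new(algorithm, data).hexdigest()
    # compare_digest is a constant-time comparison; a cheap habit even where timing is irrelevant.
    return hmac.compare_digest(got, want), algorithm


if __name__ == "__main__":
    # Usage: python verify_download.py <downloaded file> <hash list file>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], encoding="utf-8") as f:
            listing = f.read()
        name = sys.argv[1].rsplit("/", 1)[-1]
    else:
        data, listing, name = SAMPLE_DOWNLOAD, SAMPLE_HASH_LIST, "evasi0n-sample.zip"
    ok, algorithm = verify(data, name, listing)
    print(f"{name}: {'OK' if ok else 'FAILED'} ({algorithm or 'not listed'})")
    sys.exit(0 if ok else 1)
```

The script exits non-zero on a mismatch or an unlisted file, so it can gate an install step; a file that is simply missing from the list is treated as a failure rather than silently skipped.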
<span style="font-family: inherit;">Interesting that the jailbreak steps are different from the "redsn0w" utility; not having to get the device into DFU mode is great, as I muck it up every time and have to reboot.</span><br />
The installer places a "Jailbreak" icon onto the SpringBoard as part of the process, which has to be tapped; I'm interested to know what role this performs in the jailbreak process.<br />
<br />
If you've jailbroken your device, make sure you change the default root password to something you've chosen (the mobile user ships with the same default password, "alpine", and deserves the same treatment)! We don't want <a href="http://www.tuaw.com/2009/11/23/new-jailbroken-iphone-worm-is-malicious/">this</a> happening again.<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">ssh root@<ip of your device></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">iPhone:~ root# passwd</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">Changing password for root.</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">New password:</span><br />
<br />
And here's a great write-up of what the jailbreak does:<br />
<a href="http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component">http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component</a><br />
<h2>
Hooking Objective-C internals using the CaptainHook framework</h2>
Posted 2013-02-01.<br />
One of the fun things to do with a jailbroken iPhone is to install custom themes using the <a href="http://www.saurik.com/id/9" target="_blank">"WinterBoard" application</a>.<br />
This allows you to install themes such as <a href="http://www.idownloadblog.com/2012/12/20/aux/" target="_blank">Auxo</a>, which customises the application switcher bar, or <a href="http://www.themeitapp.com/themes/theme-details.php?package=com.tit.boss.ios">Boss.ios</a>, which alters the whole look of the interface.<br />
<h3>
How does "Winterboard" work?</h3>
<div>
<div>
The "WinterBoard" application works by "hooking" the existing internal classes using the <a href="https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/ObjCRuntimeRef/Reference/reference.html">Objective-C Runtime Library</a>. This library is loaded by every Objective-C application to support the dynamic features of the language, which means we can use it to swap our own implementations in for methods of the OS and of applications.</div>
<div>
This allows icons, sounds and textures to be altered without touching the originals supplied with the device, so you can change the look of the device without the risk of breaking it.</div>
</div>
<div>
<h3>
The <a href="https://github.com/rpetrich/CaptainHook">CaptainHook</a> framework</h3>
This is a header file created by <a href="http://rpetri.ch/">Ryan Petrich</a> to assist with the creation of hooking libraries using the Objective-C runtime. It provides a set of macros that take care of looking up classes, replacing method implementations and calling the original implementation from your replacement. Documentation is a little scant, so hopefully this post can help you begin to create your own hooks.</div>
<h3>
Getting started</h3>
I've altered the sample code provided on GitHub, as the method it hooks has been deprecated by Apple:<br />
<a href="http://dl.dropbox.com/u/8497195/Source%20Code/stringHook.zip">hook source code and a makefile</a><br />
<div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">#import &lt;CaptainHook/CaptainHook.h&gt;</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">CHDeclareClass(NSString); //set up the Captain Hook Library</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">//function called when hook is encountered</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">CHMethod(4, void, NSString, writeToFile, NSString *, path, </span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> atomically, BOOL, useAuxiliaryFile, encoding, </span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> NSStringEncoding, end, error, NSError **, error) </span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">{</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> NSLog(@"Writing string to %@: %@", path, self);</span></div>
<div style="text-align: justify;">
<span style="font-family: 'Courier New', Courier, monospace;"><span style="background-color: #444444; white-space: pre;"> //send received arguments to the original class</span></span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> CHSuper(4, NSString, writeToFile, path, atomically,</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> useAuxiliaryFile, encoding, end, error, error);</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">}</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">//create the hook</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">CHConstructor</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">{</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> CHLoadClass(NSString); //setup the class</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> //hook the chosen method</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> CHHook(4, NSString, writeToFile, atomically, encoding, </span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> error);</span></div>
<div style="text-align: justify;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">}</span></div>
</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
Heres a sample program you can test it with:<br />
<a href="http://dl.dropbox.com/u/8497195/Source%20Code/hooktest.zip">link to test program and makefile</a><br />
<div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;">#import &lt;Foundation/Foundation.h&gt;</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;">#import &lt;Foundation/NSString.h&gt;</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"><br /></span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;">int main(void) {</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> NSAutoreleasePool *pool = \</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> [[NSAutoreleasePool alloc] init];</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> NSString *testString = @"Hello, I am the test string";</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> [testString </span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> writeToFile:@"test.txt" </span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> atomically:YES </span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> encoding:NSASCIIStringEncoding </span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> error:NULL];</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> [pool release];</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;"> return 0;</span></div>
<div style="font-family: 'Courier New', Courier, monospace;">
<span style="background-color: #444444;">}</span></div>
<h3>
Compiling</h3>
Compiling works on OS X with Xcode 4.x and iOS SDK 6.0 in the default library locations.<br />
Copy the compiled "hooktest" and "stringHook.dylib" to your device. SSH in, export DYLD_INSERT_LIBRARIES so that dyld loads the hook into the process at launch, and then execute "hooktest", e.g.:</div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> desktop$ scp ./hooktest ./stringHook.dylib \</span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">root@&lt;device ip&gt;:/var/root/</span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> desktop$ ssh root@&lt;device ip&gt;</span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> device# export \</span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">DYLD_INSERT_LIBRARIES="/var/root/stringHook.dylib"</span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> device# /var/root/hooktest</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
And you should see:<br />
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> 2013-02-01 21:40:58.710 hooktest[562:707] Writing string to </span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> test.txt: Hello, I am the test string</span></div>
This only works for command-line programs started from that shell: the exported DYLD_INSERT_LIBRARIES is not in the environment of apps launched by SpringBoard. It also relies on the jailbreak; on a stock device code signing would reject the unsigned library and there is no root shell to export the variable from.<br />
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">A bit of explanation</span></h3>
The CHMethod function declaration is:<br />
<div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> CHMethod(number of inputs, return type, class name, name1, type1, </span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> arg1, name2, type2, arg2 ...(number of inputs));</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div>
An easy way to fill this in is to take the method's declaration and transcribe it left to right, e.g. the instance method<br />
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> -[NSString writeToFile:atomically:encoding:error:]</span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> -(BOOL)writeToFile:(NSString *)path atomically: </span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> (BOOL)useAuxiliaryFile encoding:(NSStringEncoding)enc error: </span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> (NSError **)error</span></div>
</div>
translates to:<br />
<div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> CHMethod(4, void, NSString, writeToFile, NSString *, path, </span></div>
<div>
<span style="background-color: #444444;"><span style="font-family: 'Courier New', Courier, monospace;"> atomically, BOOL, useAuxiliaryFile, encoding, </span><span style="font-family: 'Courier New', Courier, monospace;">NSStringEncoding, </span></span></div>
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace; text-align: justify;">end, error, NSError **, error)</span></div>
</div>
We set the return type to void because for this example we don't return anything. Note that the real method returns BOOL, so any caller that checks the result of writeToFile: is reading a value the hook never set; for anything beyond a logging hook, declare the return type as BOOL and return the value from CHSuper so the original result is passed through.<br />
<br />
<div>
The function declarations of CHSuper and CHHook are:<br />
<div>
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"> CHSuper(number of inputs, class name, name1, arg1, name2, <br /> arg2 ...(number of inputs));<br /> <br /> CHHook(number of inputs, class name, name1, name2, <br /> ...(number of inputs));</span><br />
<br />
<br />
<h3>
Other ways of inserting the injection library</h3>
Using launchctl is another good way:<br />
<span style="background-color: #444444;"><span style="font-family: 'Courier New', Courier, monospace;"> launchctl setenv DYLD_INSERT_LIBRARIES "/path/to/dylib"</span></span><br />
This puts the variable into launchd's own environment, so it is passed to the jobs launchd starts from then on, which is how it reaches apps launched via SpringBoard (unlike the shell export above).<br />
Alternatively you can insert this plist key into one of the plists in "/System/Library/LaunchDaemons/", which limits the injection to that one job,<br />
although be careful! I screwed up my SpringBoard.plist by editing it, which caused SpringBoard to stop loading (i.e. no icons), so make a backup of the file first just to be sure.<br />
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">&lt;key&gt;EnvironmentVariables&lt;/key&gt;<br /> &lt;dict&gt;<br /> &lt;key&gt;DYLD_FORCE_FLAT_NAMESPACE&lt;/key&gt;<br /> &lt;string&gt;1&lt;/string&gt;<br /> &lt;key&gt;DYLD_INSERT_LIBRARIES&lt;/key&gt;<br /> &lt;string&gt;/path/to/dylib&lt;/string&gt;<br /> &lt;/dict&gt;</span><br />
Unload the job using<br />
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">launchctl unload &lt;chosen plist&gt;</span><br />
then load it again with<br />
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">launchctl load &lt;chosen plist&gt;</span><br />
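As an added example (not code from the post, and not from any of the tools it links), the following Python script performs the plist edit above programmatically, including the backup the post recommends, and can also read back which libraries a job plist injects, which doubles as a quick audit of "/System/Library/LaunchDaemons/" for DYLD_INSERT_LIBRARIES entries someone else may have left behind. The sample plist, its label and its program path are constructed placeholders; a real file you point it at still has to be unloaded and loaded with launchctl afterwards.<br />

```python
"""Add, and audit for, a DYLD_INSERT_LIBRARIES entry in a launchd job plist.

Added example; not part of the post. The job label and program path in
SAMPLE_PLIST are placeholders, not a copy of any real LaunchDaemons file.
"""
import plistlib
import shutil
from pathlib import Path

# Constructed launchd job plist (placeholder label and program).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.daemon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/exampled</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def environment_of(plist_bytes):
    """The job's EnvironmentVariables dict ({} when the key is absent)."""
    return plistlib.loads(plist_bytes).get("EnvironmentVariables", {})


def inserted_libraries(plist_bytes):
    """Dylibs the job would inject; dyld separates several with ':'.

    Running this over every plist in /System/Library/LaunchDaemons/ is a
    quick audit for injection persistence left by someone else.
    """
    value = environment_of(plist_bytes).get("DYLD_INSERT_LIBRARIES", "")
    return [p for p in value.split(":") if p]


def with_inserted_library(plist_bytes, dylib):
    """Copy of the plist with dylib appended to DYLD_INSERT_LIBRARIES.

    Keeps libraries already listed (no duplicates) and sets
    DYLD_FORCE_FLAT_NAMESPACE=1, as the post's snippet does.
    """
    job = plistlib.loads(plist_bytes)
    env = job.setdefault("EnvironmentVariables", {})
    libs = [p for p in env.get("DYLD_INSERT_LIBRARIES", "").split(":") if p]
    if dylib not in libs:
        libs.append(dylib)
    env["DYLD_INSERT_LIBRARIES"] = ":".join(libs)
    env["DYLD_FORCE_FLAT_NAMESPACE"] = "1"
    return plistlib.dumps(job)


def patch_plist_file(path, dylib):
    """Back up path to path + '.bak' (unless a backup exists), then patch it.

    The backup is the step the post recommends: restore it if SpringBoard
    does not come back after launchctl unload/load.
    """
    path = Path(path)
    backup = Path(str(path) + ".bak")
    if not backup.exists():
        shutil.copy2(path, backup)
    path.write_bytes(with_inserted_library(path.read_bytes(), dylib))
    return backup


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        job_plist = Path(tmp) / "com.example.daemon.plist"
        job_plist.write_bytes(SAMPLE_PLIST)
        print("backup:", patch_plist_file(job_plist, "/var/root/stringHook.dylib"))
        print("injected:", inserted_libraries(job_plist.read_bytes()))
```

The patch step never touches the original file until the backup copy exists, and re-running it on an already patched plist is a no-op for the library list, so it is safe to repeat after a failed respring.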
<br />
Another easy method is to install <a href="http://cydia.saurik.com/info/mobilesubstrate/">MobileSubstrate</a>, copy the dylib to "/Library/MobileSubstrate/DynamicLibraries" and respring. MobileSubstrate loads every dylib in this folder automatically, into every process, unless a filter plist of the same name next to the dylib (a Filter dictionary with a Bundles list) restricts which bundles it is injected into.<br />
<br />
Here's another piece of sample hooking code I created while playing with this stuff: <a href="https://github.com/peterfillmore/touchHook">https://github.com/peterfillmore/touchHook</a><br />
This changes the status bar each time a touch is detected.<br />
<br />
A great use of this hooking technique in security testing was recently published by Jeremy Allen, who uses it to disable certificate verification on iOS so that an app's TLS traffic can be intercepted during testing: <a href="http://intrepidusgroup.com/insight/2013/01/scorched-earth-how-to-really-disable-certificate-verification-on-ios/">http://intrepidusgroup.com/insight/2013/01/scorched-earth-how-to-really-disable-certificate-verification-on-ios/</a><br />
So play around with it and see what fun you can have.<br />
</div>
</div>
<h2>removePIE - a tool for disabling ASLR on iOS applications</h2>
<div>Posted 2013-01-20, updated 2013-02-07</div>
I've put together this small tool which removes ASLR from iOS applications.<br />
<a href="https://github.com/peterfillmore/removePIE" target="_blank">https://github.com/peterfillmore/removePIE</a><br />
<br />
This works by clearing the MH_PIE flag in the application's Mach-O header (the same flag that change_mach_o_flags.py --no-pie clears in the post below); without it, dyld loads the image at its fixed link address instead of sliding it.<br />
Since iOS 6.0 this flag is enabled by default in Xcode when compiling applications.<br />
<br />
**Update**<br />
Still works for the iOS 6.1 update, and doesn't require re-signing of the binary if using the <a href="http://evasi0n.com/">evasi0n</a> jailbreak, as I believe signature checking of apps is patched out.
<h2>Disabling ASLR on individual iOS applications when using iOS 6.0.1</h2>
<div>Posted 2013-01-08, updated 2013-01-09</div>
<br />
<h2>
How to disable ASLR on an iOS application for decryption and analysis</h2>
I recently encountered issues decrypting applications for security analysis on iOS 6.0.1. This was trivial on the previous version (5.1.1), yet when performing the same procedure on 6.0.1 I was getting decrypted binaries that were full of zeros.<br />
After a while I discovered these issues were related to ASLR being used in applications compiled for later versions of iOS.<br />
<br />
In this post I will show the process of disabling ASLR on the free "Facebook" app available from the App Store. This application has ASLR enabled, which complicates decryption of the application with automated tools that assume a fixed load address.<br />
<br />
<h3>
Tools required</h3>
<a href="http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html">otool</a><br />
<a href="http://dl.dropbox.com/u/3157793/ldid">ldid for OS X</a><br />
<a href="http://www.pod2g.org/2012/02/working-gnu-debugger-on-ios-43.html">GDB for iOS</a><br />
<a href="http://src.chromium.org/svn/trunk/src/build/mac/change_mach_o_flags.py">change_mach_o_flags.py</a><br />
a jailbroken iPhone and a copy of Facebook from the App Store<br />
<br />
<h3>
Details</h3>
<br />
Running the command<br />
<i><span style="font-family: 'Courier New', Courier, monospace;"><br /></span></i>
<span style="font-family: 'Courier New', Courier, monospace;">Desktop# otool -l Facebook |grep -A4 "LC_ENCRYPTION_INFO"</span><br />
<br />
outputs:<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">cmd LC_ENCRYPTION_INFO</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> cmdsize 20</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> cryptoff 8192</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> cryptsize 10027008</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> cryptid 1</span><br />
<br />
This indicates that the app is encrypted (cryptid 1) and that the encrypted region starts at file offset 8192 (0x2000) and is 10027008 (0x990000) bytes long. The __TEXT segment of a 32-bit non-PIE iOS binary is mapped at 0x1000 from file offset 0, so once decrypted the code should sit in virtual memory from 0x3000 (0x1000 + 0x2000) to 0x993000. However, when we start the app, attach GDB and try to read the start address, it throws an error:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">(gdb) x/20x 0x3000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">0x3000:<span class="Apple-tab-span" style="white-space: pre;"> </span>Cannot access memory at address 0x3000</span><br />
<br />
listing the memory that is mapped by the application:<br />
<span style="font-family: 'Courier New', Courier, monospace;">(gdb) info mach-region 0x3000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Region from 0x94000 to 0xa26000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)</span><br />
<br />
This shows the executable is not where a non-PIE binary would be: __TEXT, which would start at 0x1000, has been mapped at 0x94000, a slide of 0x93000, and the region size (0x992000) matches the unslid 0x1000 to 0x993000 mapping exactly. ASLR is in use, and a dump taken at the unslid addresses reads the wrong memory, which explains the zero-filled output.<br />
<br />
ASLR is enabled per application by the MH_PIE flag (0x200000) in the flags field of the application's Mach-O header. Clearing this flag turns off ASLR for that binary, because dyld only slides images marked as position independent.<br />
<br />
Copy the Facebook binary from the device to your desktop from the device directory<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">iPhone# /private/var/mobile/Applications/[UUID]/Facebook.app/Facebook</span><br />
<br />
where <span style="font-family: 'Courier New', Courier, monospace;">[UUID]</span> is the unique number of the directory for the app on the device.<br />
<br />
Extract the entitlement xml file of the app:<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Desktop# ldid -e Facebook > entitlements.xml</span><br />
<br />
Disable the MH_PIE bit using the change_mach_o_flags.py<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Desktop# </span><span style="font-family: 'Courier New', Courier, monospace;">python change_mach_o_flags.py --no-pie Facebook</span><br />
<br />
Re-sign the app (the Mach-O header is covered by the code signature, so the patched binary would otherwise fail signature validation; the entitlements extracted above are re-applied so the app keeps its original permissions)<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">Desktop# ldid -Sentitlements.xml Facebook</span><br />
<br />
backup the old copy on the device<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">iPhone# cp Facebook Facebook.bak</span><br />
<br />
Copy the altered binary back to the device<br />
<br />
Now we relaunch the app, reattach GDB and inspect the application memory again:<br />
<span style="font-family: 'Courier New', Courier, monospace;">(gdb) x/20x 0x3000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">0x3000:<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">0x3010:<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">0x3020:<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">0x3030:<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000<span class="Apple-tab-span" style="white-space: pre;"> </span>0x00000000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">0x3040:<span class="Apple-tab-span" style="white-space: pre;"> </span>0xe59d0000<span class="Apple-tab-span" style="white-space: pre;"> </span>0xe28d1004<span class="Apple-tab-span" style="white-space: pre;"> </span>0xe2804001<span class="Apple-tab-span" style="white-space: pre;"> </span>0xe0812104</span><br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">(gdb) info mach-region 0x3000</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Region from 0x3000 to 0x993000 (r-x, max r-x; copy, private, not-reserved)</span><br />
<br />
This confirms that ASLR is now disabled: the encrypted region is mapped at the expected unslid addresses, and we can decrypt the application for further analysis.<br />
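As an added example (not the removePIE tool, not change_mach_o_flags.py, and not code from the post), here is a small Python parser for the parts of the Mach-O header used in this post and in the removePIE post above: it reads the flags word, reports and clears MH_PIE, pulls cryptoff/cryptsize/cryptid out of LC_ENCRYPTION_INFO, and computes the unslid address range and the ASLR slide the way the text does by hand. It works on thin little-endian 32- and 64-bit images and refuses fat files rather than mis-parsing them. The header it runs against is constructed inline to echo the otool output above (a __TEXT segment at 0x1000 and the same encryption values); it is not a real binary, and the constants are Apple's from mach-o/loader.h.<br />

```python
"""Inspect and patch the Mach-O header flag that controls ASLR (MH_PIE).

Added example; not the removePIE tool or change_mach_o_flags.py. Handles
thin little-endian 32/64-bit images; fat (universal) files are rejected.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)   # FAT_MAGIC read in either byte order
MH_PIE = 0x200000                       # mach_header.flags: slide at load
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
FLAGS_OFFSET = 24                       # same offset in both header widths


def is_fat(data):
    return struct.unpack_from("<I", data, 0)[0] in FAT_MAGICS


def parse(data):
    """Return (is64, flags, [(cmd, offset, cmdsize), ...]) for a thin image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: extract one slice (lipo -thin) first")
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O, magic 0x%08x" % magic)
    ncmds, sizeofcmds, flags = struct.unpack_from("<III", data, 16)
    off = 28 if magic == MH_MAGIC else 32          # sizeof mach_header(_64)
    end, cmds = off + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:     # refuse a malformed table
            raise ValueError("load command at 0x%x overruns sizeofcmds" % off)
        cmds.append((cmd, off, cmdsize))
        off += cmdsize
    return magic == MH_MAGIC_64, flags, cmds


def has_pie(data):
    return bool(parse(data)[1] & MH_PIE)


def clear_pie(data):
    """Copy with MH_PIE cleared: what the --no-pie step in the post does.
    The code signature covers the header, so the result must be re-signed."""
    _, flags, _ = parse(data)
    out = bytearray(data)
    struct.pack_into("<I", out, FLAGS_OFFSET, flags & ~MH_PIE)
    return bytes(out)


def encryption_info(data):
    """(cryptoff, cryptsize, cryptid) from LC_ENCRYPTION_INFO(_64), else None."""
    for cmd, off, _ in parse(data)[2]:
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", data, off + 8)
    return None


def text_segment(data):
    """(vmaddr, fileoff) of __TEXT; 0x1000 and 0 for a 32-bit non-PIE iOS app."""
    is64, _, cmds = parse(data)
    for cmd, off, _ in cmds:
        if cmd in (LC_SEGMENT, LC_SEGMENT_64) and \
                data[off + 8:off + 24].rstrip(b"\0") == b"__TEXT":
            fmt = "<QQQ" if is64 else "<III"       # vmaddr, vmsize, fileoff
            vmaddr, _, fileoff = struct.unpack_from(fmt, data, off + 24)
            return vmaddr, fileoff
    raise ValueError("no __TEXT segment")


def encrypted_vm_range(data):
    """Unslid [start, end) of the encrypted bytes (0x3000..0x993000 in the post)."""
    info = encryption_info(data)
    if info is None:
        return None
    cryptoff, cryptsize, _ = info
    vmaddr, fileoff = text_segment(data)
    start = vmaddr + (cryptoff - fileoff)
    return start, start + cryptsize


def aslr_slide(data, observed_text_start):
    """Slide dyld applied, given where gdb's info mach-region found __TEXT."""
    return observed_text_start - text_segment(data)[0]


def build_sample(pie=True):
    """Constructed 32-bit ARM header echoing the post's otool output. Not a
    real binary: nothing follows the load commands."""
    CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE = 12, 9, 2
    seg = struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, b"__TEXT",
                      0x1000, 0x992000, 0, 0x992000, 5, 5, 0, 0)
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 8192, 10027008, 1)
    flags = 0x85 | (MH_PIE if pie else 0)          # NOUNDEFS|DYLDLINK|TWOLEVEL
    hdr = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7,
                      MH_EXECUTE, 2, len(seg) + len(enc), flags)
    return hdr + seg + enc


if __name__ == "__main__":
    img = build_sample()
    print("MH_PIE set:", has_pie(img), "LC_ENCRYPTION_INFO:", encryption_info(img))
    print("encrypted range: 0x%x-0x%x" % encrypted_vm_range(img))
    print("slide for region at 0x94000: 0x%x" % aslr_slide(img, 0x94000))
    print("MH_PIE after clear_pie:", has_pie(clear_pie(img)))
```

Clearing the bit with clear_pie() invalidates the code signature just as change_mach_o_flags.py does, so the ldid -S step above is still needed before the binary will launch on a device that enforces signatures; the parser's bounds check on sizeofcmds is there so that a truncated or deliberately malformed load-command table fails loudly instead of being patched blind.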
<br />