We have to defeat the enemies and save the earth!! (HITCON 2014, DongJoo Ha: BinProxy)
Source: hitcon.org/2014/downloads/P1_02_DongJoo Ha - Binproxy.pdf
TRANSCRIPT
Objective
We have to defeat the enemies and save the earth!!
Our contributions
● Introduce a new concept of analysis framework that is easy to use
  o perform analysis of normal applications by using a web proxy
● Introduce methodologies for implementing our concept
  o pros and cons of the methodologies
● Demonstrate use cases
Define Keyword
● Web Application
  o usually consists of script languages
  o operates based on a web server/client
● Normal Application
  o executable binary other than a web application
  o PE, ELF, etc.
● Web Proxy
  o a tool for web application analysis
  o Burp Suite, Paros, Fiddler, etc.
What’s wrong? Background
Existing methodologies/tools for application analysis
Web Application analysis
● easy to use and operate using a web proxy (burp, paros, fiddler, etc.)
● monitor and modify the contents without difficulty
Existing methodologies/tools (cont’d)
Normal Application (executables) analysis
● much harder and more complex than web application analysis (GDB, IDA, OllyDbg, WinDbg, etc.)
● When the traffic goes over a secure channel, how can we check the contents?
Challenges for application analysis
We cannot save the earth using our resources
Lack of time and manpower
How to solve the problem?
Need an EASY tool
So what?? BinProxy : A New Paradigm for Binary Analysis
Let’s get started with Demo!
Key Features
We do not need gdb and ollydbg to analyze applications any more.
Key Features (cont’d)
(screenshot annotations)
1. original return value
2. modify return value
3. Click Forward button
Should we use the difficult tools for simple analysis? You can monitor and control normal applications with your favorite web proxy.
Key Features (cont’d)
We do not want to use the difficult IDA tool to analyze applications any more.
Key Features (cont’d)
You can find out which functions exist in the target app and which of them can be monitored.
Overall Architecture
Components
● Target application
  o smart phone apps, executable programs based on Windows, OSX, etc.
● Web Proxy
  o A user-friendly proxy to be used for analysis (ex. burp, paros, ..)
● BinProxy Client
  o operates where the target application is installed
  o communication module: communicates with the BinProxy server
  o hooking module: modifies the flow of functions
● BinProxy Server
  o operates where the web proxy is installed
  o communication module: communicates with the BinProxy client and the web proxy
What You Need: things needed to make BinProxy
Main techniques for implementation
How to control function calls by using a web proxy:
Intercept function call & forward it to a web proxy
Convert functions
Main techniques for implementation (cont’d)
Function monitoring and function controlling
API / user-defined function hooking
Main techniques for implementation (cont’d)
Function monitoring and function controlling
Dynamic function hooking: no pre-compiled hooking code is needed; target functions are selected dynamically
Main techniques for implementation (cont’d)
Function monitoring and function controlling
Return value, primitive / reference type arguments
Main techniques for implementation (cont’d)
Target function selection
Extraction of API lists
Main techniques for implementation (cont’d)
Target function selection (cont’d)
Extracting user-defined functions and finding out their arguments and types
Main techniques for implementation (cont’d)
Target function selection (cont’d)
Monitoring function calls and statistics -> selecting target functions easily
How to make? The way of building BinProxy
How to interwork with a web proxy - BinProxy Client
* hooked_func sends a before_call message to the BinProxy Server through the communication module.
* before_call message = function name + the values of the arguments
* After sending the before_call message, hooked_func is blocked until it gets a response from the BinProxy Server.
How to interwork with a web proxy - BinProxy Server
The BinProxy Server converts a before_call message into HTTP request format to deliver the message to the Web Proxy:
    POST http://127.0.0.1:53388/function_name
    Host: target_app_name
    User-Agent: BinProxy

    01_414141
How to interwork with a web proxy - Web Proxy
How to interwork with a web proxy - BinProxy Client
Execute the original function.
After sending an after_call message, hooked_func is blocked until it gets a response from the BinProxy Server.
How to interwork with a web proxy - BinProxy Server
The BinProxy Server converts an after_call message into HTTP response format to deliver the message to the Web Proxy:
    HTTP/1.1 200 OK
    Date: Mon, 04 Aug 2014 17:22:59 GMT
    Server: BinProxy
    Content-Length: 1
    Connection: close
    Content-Type: application/return

    0
How to interwork with a web proxy - Web Proxy
How to interwork with a web proxy - BinProxy Client
return the value
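The client/server round trip of slides 26 through 32 in Python, as an added example and not the BinProxy code itself: the before_call message becomes the request of slide 27, the after_call message becomes the response of slide 30, and whatever the analyst leaves in the web proxy is what hooked_func uses. Assumed, because the slides do not show it: the `<index>_<hex>` argument encoding (read off the `01_414141` body) and the Content-Length header on the request.

```python
import re
from dataclasses import dataclass, field

# Added example, not BinProxy's own code. The request of slide 27 and the response of
# slide 30 are from the talk; the '<index>_<hex>' argument encoding is an assumption
# read off the '01_414141' body, and the Content-Length header is added for the proxy.
PROXY_ADDR = "127.0.0.1:53388"


@dataclass
class BeforeCall:                 # what hooked_func sends before the original runs
    app_name: str
    function: str
    args: list = field(default_factory=list)   # raw argument bytes, in call order


def before_call_to_request(msg):
    """Slide 27: BinProxy Server turns a before_call message into an HTTP request."""
    body = "\n".join(f"{i:02d}_{a.hex()}" for i, a in enumerate(msg.args, 1))
    return (f"POST http://{PROXY_ADDR}/{msg.function} HTTP/1.1\r\n"
            f"Host: {msg.app_name}\r\nUser-Agent: BinProxy\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def request_to_before_call(request):
    """Slides 28/29: read the request back after the analyst edited it in the web
    proxy and pressed Forward; these are the arguments the original function gets."""
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"POST http://[^/]+/(\S+) HTTP/1\.1$", lines[0])
    headers = dict(h.split(": ", 1) for h in lines[1:] if ": " in h)
    if not m or headers.get("User-Agent") != "BinProxy":
        raise ValueError("not a BinProxy request")
    slots = {}
    for line in body.splitlines():
        idx, _, hexval = line.partition("_")
        if not idx.isdigit() or not hexval:
            raise ValueError(f"malformed argument line: {line!r}")
        slots[int(idx)] = bytes.fromhex(hexval)      # rejects odd-length / non-hex
    if sorted(slots) != list(range(1, len(slots) + 1)):
        raise ValueError("argument indices must be 1..n without gaps")
    return BeforeCall(headers["Host"], m.group(1), [slots[i] for i in sorted(slots)])


def is_valid_request(request):
    """True when the edited request can still be turned back into a before_call."""
    try:
        request_to_before_call(request)
        return True
    except (ValueError, KeyError):
        return False


def after_call_to_response(return_value, date):
    """Slide 30: BinProxy Server turns an after_call message into an HTTP response
    whose body is the return value as text ('0' with Content-Length: 1 on the slide)."""
    body = str(return_value)
    return (f"HTTP/1.1 200 OK\r\nDate: {date}\r\nServer: BinProxy\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n"
            f"Content-Type: application/return\r\n\r\n{body}")


def response_to_return_value(response):
    """Slide 32: whatever the analyst left in the body is what hooked_func returns."""
    head, _, body = response.partition("\r\n\r\n")
    headers = dict(h.split(": ", 1) for h in head.split("\r\n")[1:] if ": " in h)
    if headers.get("Content-Type") != "application/return":
        raise ValueError("not a BinProxy return message")
    if int(headers.get("Content-Length", -1)) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    return int(body.strip())


if __name__ == "__main__":
    req = before_call_to_request(BeforeCall("target_app_name", "function_name", [b"AAA"]))
    print(req)                                       # body line: 01_414141
    edited = req.replace("01_414141", "01_424242")   # analyst changed the argument
    print(request_to_before_call(edited).args)       # [b'BBB']
    resp = after_call_to_response(0, "Mon, 04 Aug 2014 17:22:59 GMT")
    print(response_to_return_value(resp.replace("\r\n\r\n0", "\r\n\r\n1")))  # 1
```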
How to make? Ways of building the Android client & PoC
Key Requirements
Function: What & How To Extract ???
How to Hook ???
Key Requirements - What & How To extract ..
Key Requirements - What & How To extract ..
We can use for hooking in Android:
• Cydia Substrate for Android
• Introspy-Android (GUI interface + Cydia Substrate)
• AndHook (Android Hooking Framework)
• ADBI (Android Dynamic Binary Instrumentation Toolkit)
• [Paper] Hooking on Android - 2014 CodeEngn Conference
• ….
ADBI (Android Binary Instrumentation Toolkit)
Intercept/use DVM methods in the Dalvik VM library (libdvm.so)
Dynamic Dalvik Instrumentation Framework for Android (old) - Collin Mulliner, SummerCon 2013
https://github.com/crmulliner/adbi (current)
Binproxy Client modules for Android (diagram labels)
- TARGET (App.)
- HOOKY (shared library)
- Binproxy Server (Users)
- COMMUNICATOR (user interaction)
- INJECTOR
- HOOKY (shared library)
- COMM. (user interaction)
Binproxy Client modules … (cont’d)
● INJECTOR: injects the HOOKER (.so) into the target app (running process)
● HOOKER: hooks the Java/Android standard API for analysis; loaded as a shared library (.so) developed using JNI
● COMMUNICATOR: interactive interface for communication with the user; sends/receives values for hooking, monitoring, modifying
How to implement Android Client
Implemented using JNI (Java Native Interface)
- Get the information of the loaded method
- Define/prototype a new (native) function for the target function (method)
- Call the original method from the new function
- Monitor/modify an argument/return value
How to implement … (Cont’d)
(diagram: DVM, Original method, New (JNI))
1. Find Class/Method (dvmFindXXXX)
2. Define new native function
3. Replace the original method with a new native function (dvmUseJNIBridge)
4. Call the original function from the new native function (callback)
Monitor/Modify
How to implement .. (Cont’d)
Call <return type> Method!
DEMO - PoC for Android App
DEMO
[Slides 44-46: images only]
How to make? Ways of building the iOS client & PoC
Key Requirements - How To hook ..
● We can use for hooking in iOS:
  a. Cydia Substrate for iOS
  b. fishhook
  c. Mach-O-Hook
How to implement iOS client
● Use CydiaSubstrate
  a. Why CydiaSubstrate? -> verified stability
● Most of the apps in Cydia use CydiaSubstrate!
● Components of CydiaSubstrate
  a. MobileHooker
  b. MobileLoader
  c. Safe Mode
Key Requirements - What & How extract...
● Mach-O File Format
Key Requirements - What & How extract...
● API: LC_SYMTAB -> Symbol Table, String Table
Key Requirements - What & How extract...
● Objective-C and user function address: LC_FUNCTION_STARTS -> Function Starts
How to implement iOS client
● Target API and method selection
  a. Extracting Objective-C classes & methods
  b. Extracting API lists
  c. Finding out user-defined functions’ args and types
● Monitoring an entire method and API by using hooking (Logging?)
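The Mach-O walk of slides 50 to 52 as an added Python example (not the BinProxy client's code): LC_SYMTAB gives the symbol and string tables and therefore the API list, LC_FUNCTION_STARTS gives every function entry, and the entries with no symbol are the stripped user-defined functions that still have to be picked by address. The input is a constructed minimal Mach-O built inside the block; its symbol names and addresses are made up.

```python
import struct

# Added example, not BinProxy's code: the LC_SYMTAB / LC_FUNCTION_STARTS walk of
# slides 50 and 51, run over a constructed minimal Mach-O so it works offline.
MH_MAGIC_64, LC_SEGMENT_64, LC_SYMTAB, LC_FUNCTION_STARTS = 0xFEEDFACF, 0x19, 0x2, 0x26
N_TYPE, N_EXT, N_SECT, N_UNDF = 0x0E, 0x01, 0x0E, 0x00   # nlist n_type bits

def read_uleb128(buf, pos):
    """Decode one unsigned LEB128 integer at pos; return (value, next pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def load_commands(image):
    """Yield (cmd, raw bytes) for each load command of a little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    pos = 32                                  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, pos)
        yield cmd, image[pos:pos + cmdsize]
        pos += cmdsize

def symbols(image):
    """Slide 50: LC_SYMTAB -> {name: address}; imports (the API list) map to None."""
    out = {}
    for cmd, body in load_commands(image):
        if cmd == LC_SYMTAB:
            _, _, symoff, nsyms, stroff, strsize = struct.unpack("<IIIIII", body)
            strtab = image[stroff:stroff + strsize]
            for i in range(nsyms):            # nlist_64 entries, 16 bytes each
                n_strx, n_type, _, _, n_value = struct.unpack_from("<IBBHQ", image, symoff + 16 * i)
                name = strtab[n_strx:strtab.index(b"\0", n_strx)].decode()
                out[name] = n_value if (n_type & N_TYPE) == N_SECT else None
    return out

def function_starts(image):
    """Slide 51: ULEB128 deltas, the first from __TEXT's vmaddr, then from the previous
    function; a zero delta terminates the list."""
    text_base, starts = None, []
    for cmd, body in load_commands(image):
        if cmd == LC_SEGMENT_64 and struct.unpack_from("<16s", body, 8)[0].rstrip(b"\0") == b"__TEXT":
            text_base = struct.unpack_from("<Q", body, 24)[0]
        elif cmd == LC_FUNCTION_STARTS:
            if text_base is None:
                raise ValueError("__TEXT segment must precede LC_FUNCTION_STARTS")
            _, _, dataoff, datasize = struct.unpack("<IIII", body)
            blob, pos, addr = image[dataoff:dataoff + datasize], 0, text_base
            while pos < len(blob):
                delta, pos = read_uleb128(blob, pos)
                if delta == 0:
                    break
                addr += delta
                starts.append(addr)
    return starts

def unnamed_functions(image):
    """Function starts without a symbol: stripped user-defined functions (slide 51)."""
    named = {a for a in symbols(image).values() if a is not None}
    return [a for a in function_starts(image) if a not in named]

def build_sample_image():
    """Constructed input, not a real app: __TEXT at 0x100000000 with exported _main at
    +0x1000, local _helper at +0x1040, a stripped function at +0x10a0, import _NSLog."""
    base, strtab = 0x100000000, b"\0_main\0_NSLog\0_helper\0"
    strx = lambda s: strtab.index(s + b"\0")
    nlist = (struct.pack("<IBBHQ", strx(b"_main"), N_SECT | N_EXT, 1, 0, base + 0x1000)
             + struct.pack("<IBBHQ", strx(b"_NSLog"), N_UNDF | N_EXT, 0, 0, 0)
             + struct.pack("<IBBHQ", strx(b"_helper"), N_SECT, 1, 0, base + 0x1040))
    fstarts = b"\x80\x20" b"\x40" b"\x60" b"\x00"      # ULEB128: 0x1000, 0x40, 0x60, end
    symoff = 32 + 72 + 24 + 16                         # header + the three load commands
    stroff = symoff + len(nlist)
    cmds = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", base, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    cmds += struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, 3, stroff, len(strtab))
    cmds += struct.pack("<IIII", LC_FUNCTION_STARTS, 16, stroff + len(strtab), len(fstarts))
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return header + cmds + nlist + strtab + fstarts
```

On a real binary, read the file into `image` instead of calling `build_sample_image()`; fat (multi-architecture) files and 32-bit images are not handled here.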
DEMO - PoC for iOS App
DEMO
[Slides 54-55: images only]
Anything else? Future Works
Implementation Methods
● How to obtain a target application’s function list and detailed information about each function
● How to utilize database information to distinguish functions
Additional Functions
● arbitrary function execution
● arbitrary code execution
● memory scan and patch
● function control based on script languages
● disassembly and decompilation
And…
● Performance improvement
● Additional OS support