Category Archives: iOS

[ Walkthrough: 2015 Mobile Security Challenge, 2nd Edition (2015移动安全挑战赛(第二届)): iOS Challenge 1 ]

It’s been a long time since we wrote something here.
Today I will be writing about a simple iOS crackme which I found some time to play with 10 days ago.

To make it easier for everyone to follow this lame guide of mine, I’ve attached the file here: iOS Crackme

[Image: iOS.0x0001 (the original challenge question)]

The original question given to participants is shown above.

I’ve loosely translated the text for simplicity’s sake. 😀

Opening the binary in IDA Pro, the first things I usually look for in iOS crackmes are the strings or the “onClick” handlers.

In this case, I went for the strings. The first thing that caught my eye was “decryptPassword”.
[Image: iOS.0x0001_1]

Double-click that string and press “X” to list its cross-references. I selected the method that uses it.

[Image: iOS.0x0001_2]

After selecting that, you will get the following.

[Image: iOS.0x0001_3]

As I’m one of the lucky ones who has the decompiler, pressing Tab gives us this beautiful pseudocode.

[Image: iOS.0x0001_4]

I’ve extracted the code here for easier reading.

 

Based on the above pseudocode, we can identify several things.

1.) There are 5 loops. Each loop starts by applying a Caesar cipher to the following base64-encoded string.

2.) After the Caesar cipher, it base64-decodes the returned result.

3.) Then it does an AES decrypt on the base64-decoded data, with the key being the following:

4.) It repeats this process until the loop ends.

5.) Finally, it compares the final result with the input entered by the user.

I made a simple Python script to illustrate the steps.
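The five-round decryption chain described above, as an added example in Go rather than the author's Python script: the shift amount, the AES key, the all-zero IV and CBC mode are assumptions, since the write-up does not reproduce the crackme's constants, and BuildBlob exists only to construct a sample input for the decoder to run on.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)
// Assumed parameters: the crackme's real shift, key, IV and AES mode are not given in the write-up.
const rounds, shift = 5, 3           // five rounds; letter shift applied by the Caesar step
var key = []byte("0123456789abcdef") // constructed 16-byte AES-128 key
var iv = make([]byte, aes.BlockSize) // assumed all-zero IV, CBC mode assumed
var block, _ = aes.NewCipher(key)    // key is exactly 16 bytes, so this cannot fail
func caesar(s string, n int) string { // rotate ASCII letters by n; base64's digits, '+', '/', '=' untouched
	n = (n%26 + 26) % 26
	out := []byte(s)
	for i, c := range out {
		if c >= 'A' && c <= 'Z' {
			out[i] = 'A' + (c-'A'+byte(n))%26
		} else if c >= 'a' && c <= 'z' {
			out[i] = 'a' + (c-'a'+byte(n))%26
		}
	}
	return string(out)
}
// DecryptPassword mirrors the decompiled routine: per round, Caesar-shift, base64-decode, AES-CBC-decrypt
// and strip PKCS#7 padding; the recovered plaintext becomes the next round's input.
func DecryptPassword(blob string) (string, error) {
	for i := 0; i < rounds; i++ {
		buf, err := base64.StdEncoding.DecodeString(caesar(blob, shift))
		if err != nil { return "", err }
		if len(buf) == 0 || len(buf)%aes.BlockSize != 0 { return "", errors.New("ciphertext not block-aligned") }
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(buf, buf) // decrypt in place
		pad := int(buf[len(buf)-1])                             // validate the padding rather than trusting it
		if pad < 1 || pad > aes.BlockSize || pad > len(buf) { return "", errors.New("bad padding") }
		blob = string(buf[:len(buf)-pad])
	}
	return blob, nil
}
// BuildBlob runs the same chain in reverse; it exists only to construct a sample input for the demo.
func BuildBlob(secret string) string {
	cur := []byte(secret)
	for i := 0; i < rounds; i++ {
		pad := aes.BlockSize - len(cur)%aes.BlockSize
		cur = append(cur, bytes.Repeat([]byte{byte(pad)}, pad)...)
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(cur, cur) // encrypt in place
		cur = []byte(caesar(base64.StdEncoding.EncodeToString(cur), -shift))
	}
	return string(cur)
}
```

DecryptPassword(BuildBlob("Sp4rkDr0idKit")) returns "Sp4rkDr0idKit"; a blob whose padding or base64 does not check out is rejected with an error instead of yielding garbage.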

 

The key for this challenge is “Sp4rkDr0idKit”.

Happy Reversing
Jacob Soo

[ Forensics Walk-through: DFIRCON EAST Smartphone Forensics Challenge ]

Today I was asked by a good friend of mine whether there could be 2 answer(s) to the last question in the DFIRCON EAST Smartphone Forensics Challenge.

Being the curious cat, I downloaded the challenge, had a quick look and decided to write this up while I’m at it. It seems we are given an iOS backup folder and an Android .apk file.

[ Tools Used ]
iPhone Backup Browser – https://code.google.com/p/iphonebackupbrowser/
SQLite Database Browser – http://sqlitebrowser.org/
pList Editor – http://www.icopybot.com/plist-editor.htm or use the default viewer in Mac
Cerbero Profiler – http://cerbero.io/profiler/

Let’s go through the question(s) and load the iOS backup folder using iPhone Backup Browser as shown here.
[Image: DFIR.001]

[ 1st Question ]
1. What third-party applications have been granted access to device camera photos?
Ok, if you have done iOS forensics before, you’ll know it’s always good to do a quick check of the TCC SQLite3 database.
You might be asking “What is the TCC SQLite3 database?”
Well, this SQLite3 database is used to control what permissions iOS apps have.
TCC.db is located at the following path on your phone:
/root/var/mobile/Library/TCC/TCC.db
Likewise, this file also exists on a Mac:
~/Library/Application Support/com.apple.TCC/TCC.db

In case you have “accidentally” allowed more permissions than you wanted, you can use tccutil to reset the permissions instead of “tampering” with the SQLite3 file.

So using SQLite DB Browser on TCC.db, we can immediately see the permissions granted to which applications.
[Image: DFIR.002]

So for this particular question, Facebook and Dropbox were both granted permission to access the device camera photos.

[ 2nd Question ]
2. What third-party applications have been granted access to the device address book?
If you look at TCC.db, you will notice that the answer to this question is “Waze”, as shown here.
[Image: DFIR.003]

[ 3rd Question ]
3. Which websites were visited that requested the iPhone’s geolocation information for optimal browsing and were granted access?
Ok, now if you want to find out which website(s) requested this, the first thing to look for is GeolocationSites.plist.
In this case, if you use iPhone Backup Browser to extract the file, it should be located here:
iOS backup\Liz Lemon’s iPhone\System\Library\WebKit\GeolocationSites.plist
Using pList Editor or the default one on a Mac, you should see something like this.

Based on the returned results, we know that both “https://m.stubhub.com” and “http://m.simplyhired.com” are the websites that requested geolocation and were granted access.

[ 4th Question ]
4. What permissions does the application MysteryApp.apk NOT have on the device?
Nice, now we have moved on to the Android .apk file.
Let’s extract the AndroidManifest.xml file and we should have something like this.
[Image: DFIR.004]
And if we do a quick check against the options that we were given:

  • Record audio
  • Read contacts
  • Send SMS
  • Record video
  • Mount & unmount files

We can quickly eliminate the rest and see that the permission “MysteryApp.apk” does not have is “Record video”.

[ 5th Question ]
5. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?
This is the question which my good friend asked about.
To me, if it’s the SHA1 of classes.dex, the answer is definitely “0C3A720EB61D736E21561E9AA96066A4771F0F70”.
My friend was actually talking about the SHA-1 signature found in the dex header.
But the answer was saying “SHA1 (value within file)”, so I’m not sure whether the original question implied the wrong thing or the answer was weird.
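As an added illustration of the two readings of this question (not part of the original write-up), the Go code below computes both the SHA-1 of a whole dex file and the 20-byte signature stored at offset 12 of its header, which by the published dex format covers only the bytes from offset 32 onward; SampleDex constructs a minimal header-only dex so the example runs without the challenge's classes.dex.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"hash/adler32"
)

// DexHashes returns the SHA-1 of the whole dex (the "file hash") and the SHA-1 signature stored
// in its header, after verifying that checksum and signature are consistent with the body.
func DexHashes(dex []byte) (fileSHA1, headerSig string, err error) {
	if len(dex) < 0x70 || !bytes.HasPrefix(dex, []byte("dex\n")) {
		return "", "", errors.New("not a dex file")
	}
	// Header: magic[8] | adler32 checksum @8 | sha1 signature[20] @12 | file_size @32 | header_size @36
	if adler32.Checksum(dex[12:]) != binary.LittleEndian.Uint32(dex[8:12]) {
		return "", "", errors.New("adler32 checksum mismatch")
	}
	sig := dex[12:32]
	if want := sha1.Sum(dex[32:]); !bytes.Equal(sig, want[:]) {
		return "", "", errors.New("header signature does not match the file body")
	}
	whole := sha1.Sum(dex)
	return hex.EncodeToString(whole[:]), hex.EncodeToString(sig), nil
}

// SampleDex builds a constructed, header-only dex (no real classes) with a valid checksum and
// signature, so the example runs without the challenge's classes.dex.
func SampleDex() []byte {
	dex := make([]byte, 0x70)
	copy(dex, "dex\n035\x00")
	binary.LittleEndian.PutUint32(dex[32:], uint32(len(dex))) // file_size
	binary.LittleEndian.PutUint32(dex[36:], 0x70)             // header_size
	sig := sha1.Sum(dex[32:])
	copy(dex[12:32], sig[:])
	binary.LittleEndian.PutUint32(dex[8:], adler32.Checksum(dex[12:]))
	return dex
}
```

The two hex strings DexHashes returns differ for any real dex, which is exactly the ambiguity in the question; a file whose body no longer matches its header is reported rather than silently hashed.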

[ 6th Question ]
6. What foreign language word(s) are found within the MysteryApp.apk application?
We were given these options:

  • запись аудио – Record audio
  • mesajlaşma – Messaging
  • 未接来电 – Missed Calls
  • 連絡 – Contacts
  • None of the above

For this particular question, you can use Cerbero Profiler and you will immediately know that the only foreign language found is Chinese.
Doing a quick check, we will see this.
[Image: DFIR.005]
Thus we know the correct answer to this is “未接来电 – Missed Calls”.

After doing a speed-run on this, I really regretted not taking part in DFIRCON EAST Smartphone Forensics Challenge in the first place. xDDD

I do hope this quick walk-through will be sufficient for others to pick up and learn more stuff about mobile forensics.

Happy Reversing,
Jacob Soo