MASTG-TECH-0097: Runtime Reverse Engineering

Runtime reverse engineering can be seen as the on-the-fly version of reverse engineering, where you don't have the binary on your host computer. Instead, you analyze it straight from the memory of the running app.

We'll keep using the iGoat-Swift app. Open a session with r2frida (`r2 frida://usb//iGoat-Swift`) and start by displaying the target binary information with the `:i` command:

```
[0x00000000]> :i
arch                arm
bits                64
os                  darwin
pid                 2166
uid                 501
objc                true
runtime             V8
java                false
cylang              true
pageSize            16384
pointerSize         8
codeSigningPolicy   optional
isDebuggerAttached  false
cwd                 /
```

Search all symbols of a certain module with `:is <lib>`, e.g. `:is libboringssl.dylib`.

The following does a case-insensitive search (grep) for symbols including "aes" (`~+aes`):

```
[0x00000000]> :is libboringssl.dylib~+aes
0x1863d6ed8 s EVP_aes_128_cbc
0x1863d6ee4 s EVP_aes_192_cbc
0x1863d6ef0 s EVP_aes_256_cbc
0x1863d6f14 s EVP_has_aes_hardware
0x1863d6f1c s aes_init_key
0x1863d728c s aes_cipher
0x0 u ccaes_cbc_decrypt_mode
0x0 u ccaes_cbc_encrypt_mode
...
```

Or you might prefer to look into the imports/exports. For example:

  • List all imports of the main binary: `:ii iGoat-Swift`.
  • List exports of the libc++.1.dylib library: `:iE /usr/lib/libc++.1.dylib`.

For big binaries it's recommended to pipe the output to the internal less program by appending `~..`, i.e. `:ii iGoat-Swift~..` (otherwise, for this binary, you'd get almost 5000 lines printed to your terminal).

The next thing you might want to look at are the classes:

```
[0x00000000]> :ic~+passcode
PSPasscodeField
_UITextFieldPasscodeCutoutBackground
UIPasscodeField
PasscodeFieldCell
...
```

List class fields:

```
[0x19687256c]> :ic UIPasscodeField
0x000000018eec6680 - becomeFirstResponder
0x000000018eec5d78 - appendString:
0x000000018eec6650 - canBecomeFirstResponder
0x000000018eec6700 - isFirstResponder
0x000000018eec6a60 - hitTest:forEvent:
0x000000018eec5384 - setKeyboardType:
0x000000018eec5c8c - setStringValue:
0x000000018eec5c64 - stringValue
...
```

Imagine that you are interested in `0x000000018eec5c8c - setStringValue:`. You can seek to that address with `s 0x000000018eec5c8c`, analyze that function with `af` and print 10 lines of its disassembly with `pd 10`:

```
[0x18eec5c8c]> pd 10
╭ (fcn) fcn.18eec5c8c 35
│   fcn.18eec5c8c (int32_t arg1, int32_t arg3);
│           ; bp: 0 (vars 0, args 0)
│           ; sp: 0 (vars 0, args 0)
│           ; rg: 2 (vars 0, args 2)
│           0x18eec5c8c      f657bd         not byte [rdi - 0x43]          ; arg1
│           0x18eec5c8f      a9f44f01a9     test eax, 0xa9014ff4
│           0x18eec5c94      fd             std
│       ╭─< 0x18eec5c95      7b02           jnp 0x18eec5c99
│       │   0x18eec5c97      a9fd830091     test eax, 0x910083fd
│       │   0x18eec5c9c      f30300         add eax, dword [rax]
│       │   0x18eec5c9f      aa             stosb byte [rdi], al
│      ╭──< 0x18eec5ca0      e003           loopne 0x18eec5ca5
│      ││   0x18eec5ca2      02aa9b494197   add ch, byte [rdx - 0x68beb665] ; arg3
╰      ╰╰   0x18eec5ca8      f4             hlt
```

Note that the listing above shows x86 mnemonics even though `:i` reported an arm64 process: the bytes (`f657bda9`, `f44f01a9`, `fd7b02a9`, ...) are in fact an ordinary arm64 `stp`/`add` function prologue, so radare2 was still using its default x86 disassembler. Set `e asm.arch=arm` and `e asm.bits=64` (or start radare2 with `-a arm -b 64`) before running `af` and `pd`, otherwise the analysis and the disassembly are meaningless.

Finally, instead of doing a full memory search for strings, you may want to retrieve the strings from a certain binary and filter them, as you'd do offline with radare2. For this you have to find the binary, seek to it and then run the `:iz` command.

It's recommended to apply a filter with a keyword (`~<keyword>` / `~+<keyword>`) to minimize the terminal output. If you just want to explore all results you can also pipe them to the internal less: `:iz~..`.

```
[0x00000000]> :il~iGoa
0x00000001006b8000 iGoat-Swift
[0x00000000]> s 0x00000001006b8000
[0x1006b8000]> :iz
Reading 2.390625MB ...
Do you want to print 8568 lines? (y/N) N
[0x1006b8000]> :iz~+hill
Reading 2.390625MB ...
[0x1006b8000]> :iz~+pass
Reading 2.390625MB ...
0x00000001006b93ed "passwordTextField"
0x00000001006bb11a "11iGoat_Swift20KeychainPasswordItemV0C5ErrorO"
0x00000001006bb164 "unexpectedPasswordData"
0x00000001006d3f62 "Error reading password from keychain - "
0x00000001006d40f2 "Incorrect Password"
0x00000001006d4112 "Enter the correct password"
0x00000001006d4632 "T@"UITextField",N,W,VpasswordField"
0x00000001006d46f2 "CREATE TABLE IF NOT EXISTS creds (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT);"
0x00000001006d4792 "INSERT INTO creds(username, password) VALUES(?, ?)"
```
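Both the symbol search (`:is ... ~+aes`) and the string search (`:iz ... ~+pass`) produce flat "address, entry" lines that are easy to save and triage offline. As an added example (not code from the MASTG, r2frida or radare2), the following Python script parses `:is` and `:iz` output saved from a session like the ones above and tags the entries a tester would look at first: crypto symbols, credential-related strings, keychain references and embedded SQL. The keyword buckets and the `no-address` tag for `0x0` entries are assumptions of this example; the sample input is constructed from the output shown on this page.

```python
"""Triage helper for r2frida ':is' and ':iz' output.

Added example for this page; not part of r2frida, radare2 or the MASTG.
The keyword buckets below are assumptions, tune them for the app under test.
"""
import re
from collections import Counter
from dataclasses import dataclass

# ':is' prints "addr type name"; ':iz' prints 'addr "string"'. Prompts,
# "Reading ...MB" notices, the y/N question and "..." never match these.
SYMBOL_RE = re.compile(r'^(0x[0-9a-fA-F]+)\s+(\w)\s+(\S+)$')
STRING_RE = re.compile(r'^(0x[0-9a-fA-F]+)\s+"(.*)"$')

# Case-insensitive substring buckets, the same matching r2's ~+keyword does.
SYMBOL_TAGS = {
    "crypto": ("aes", "des_", "rc4", "md5", "sha1", "evp_", "ccaes"),
}
STRING_TAGS = {
    "credential": ("password", "passcode", "secret", "token"),
    "keychain": ("keychain",),
    "sql": ("create table", "insert into", "select ", "update ", "delete from"),
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "symbol" or "string"
    addr: int
    value: str   # symbol name or string contents
    tags: tuple  # triage buckets that matched


def _tags_for(value, table):
    low = value.lower()
    return tuple(tag for tag, needles in table.items() if any(n in low for n in needles))


def parse_symbols(text):
    """Parse ':is' output. Entries at 0x0 get an extra 'no-address' tag (assumption)."""
    out = []
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if not m:
            continue
        addr, name = int(m.group(1), 16), m.group(3)
        tags = _tags_for(name, SYMBOL_TAGS)
        if addr == 0:
            tags += ("no-address",)
        out.append(Finding("symbol", addr, name, tags))
    return out


def parse_strings(text):
    """Parse ':iz' output; inner quotes are printed unescaped, so match greedily."""
    out = []
    for line in text.splitlines():
        m = STRING_RE.match(line.strip())
        if not m:
            continue
        value = m.group(2)
        out.append(Finding("string", int(m.group(1), 16), value, _tags_for(value, STRING_TAGS)))
    return out


def grep(findings, keyword):
    """Case-insensitive filter, the offline equivalent of appending ~+keyword."""
    k = keyword.lower()
    return [f for f in findings if k in f.value.lower()]


def summarize(findings):
    """Count how many entries hit each bucket."""
    return dict(Counter(t for f in findings for t in f.tags))


# Constructed sample input, copied from the session output shown on this page.
SAMPLE_IS = '''\
0x1863d6ed8 s EVP_aes_128_cbc
0x1863d6ee4 s EVP_aes_192_cbc
0x1863d6ef0 s EVP_aes_256_cbc
0x1863d6f14 s EVP_has_aes_hardware
0x1863d6f1c s aes_init_key
0x1863d728c s aes_cipher
0x0 u ccaes_cbc_decrypt_mode
0x0 u ccaes_cbc_encrypt_mode
...
'''
SAMPLE_IZ = '''\
[0x1006b8000]> :iz~+pass
Reading 2.390625MB ...
0x00000001006b93ed "passwordTextField"
0x00000001006bb11a "11iGoat_Swift20KeychainPasswordItemV0C5ErrorO"
0x00000001006bb164 "unexpectedPasswordData"
0x00000001006d3f62 "Error reading password from keychain - "
0x00000001006d40f2 "Incorrect Password"
0x00000001006d4112 "Enter the correct password"
0x00000001006d4632 "T@"UITextField",N,W,VpasswordField"
0x00000001006d46f2 "CREATE TABLE IF NOT EXISTS creds (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT);"
0x00000001006d4792 "INSERT INTO creds(username, password) VALUES(?, ?)"
'''

if __name__ == "__main__":
    for f in grep(parse_symbols(SAMPLE_IS), "cbc"):
        print(f"symbol {f.addr:#x} {f.value} {f.tags}")
    for f in parse_strings(SAMPLE_IZ):
        if "sql" in f.tags:
            print(f"string {f.addr:#x} {f.value!r}")
    print(summarize(parse_strings(SAMPLE_IZ)))
```

Save the r2frida output with the shell redirection radare2 supports (for example `:iz > strings.txt`) and feed the file to `parse_strings`; the `sql` bucket is the one that points straight at the `creds` table in this app, which is the kind of finding you would then confirm by inspecting the database on the device.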

To learn more, please refer to the r2frida wiki.
