wa.pdf


Figuring out that encryption core was changed was not really a stuck…

1) Start from scratch, take trampolines to target core function
2) Dump all the images
3) Create the emulator
   Obfuscators can be hard, but they always follow a logic, by nature, since the target has to run the relevant instructions in a specific order
4) Clean up obfuscations, remove most of the “trash” code
5) Port those millions of lines of ASM
6) Simplify into thousands of lines by matching loops

Customized sodium crypto core

4) Clean up obfuscations, remove most of the “trash” code
Sample from:
Customized sodium crypto core

5) Port those millions of lines of ASM
6) Simplify into thousands of lines by matching loops
Sample from:


Cracking NoName

What we know for sure:
1) Target library is packed with what looks more like a malware packer
2) Target library code is xored into a file in assets
3) Java side is untouched in this context (Brawl Stars)
4) Uses dt_init_array in the guarded library to set up the memory context, shared later with a new process spawned through syscall system
5) Spawns another process which keeps the game process ptraced, preventing debugging
6) During dt_init, the code uses a subset of inline syscalls to
   - map code
   - jump there
   - unmap the previous map
   - repeat N times

There was no need to understand what those lines of code were doing, as the main goal was to achieve code execution in the process spawned in point 4 (the main app process, which was spawned later)
Cracking NoName

Cracking NoName

The goal was to attach in any way to the second (main) process, before its target library dt_init invocation.
At the moment I coded it, Frida spawn gating was not working on my environment for some reason, so I had to figure out other ways to:
A) know when the second proc is spawned, and
B) attach to it in something like 0.000005 milliseconds
- or, figure out why Frida spawn gating was not working on my env.
The first option was more attractive, sorry Ole.
Debugging NoName

- For a general (initial) understanding, the quickest way was to mod myself a kernel for my OP5T and turn on ftrace
- For a better understanding and self-learning purposes, I coded my first LKM to hijack some syscalls and use probes in order to let the code follow specific paths by altering its arguments. Later converted into an abstract module which speaks with Dwarf and allows ftrace, process elevation and code execution in ring 0 by using shared memory as IPC
- Another possible way was to use strace, which doesn’t require the kernel but works until the third process tries to attach to the main one. Added strace into Dwarf as well

References: (precompiled strace)

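As an added example (not from the slides, and not the author's Dwarf tooling), a small Python pass over strace -f output that flags the two behaviours described in the "Cracking NoName" list: the dt_init loop in which a fresh PROT_EXEC mapping appears and the previously live executable mapping is then unmapped, repeated N times, and the clone/fork that spawns the second process. The strace lines are constructed, not the missing logs; the regexes assume strace's default line shape with a leading pid.

```python
import re

# Constructed sample of strace -f output (not the author's logs): the
# map / jump / unmap loop run from dt_init, then the spawn of a child process.
SAMPLE_STRACE = """\
4242 mmap(NULL, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7a00010000
4242 mmap(NULL, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7a00020000
4242 munmap(0x7a00010000, 65536) = 0
4242 mmap(NULL, 131072, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7a00030000
4242 munmap(0x7a00020000, 65536) = 0
4242 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7a00040000
4242 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7a00040010) = 4250
"""

MMAP_RE = re.compile(r'^(\d+)\s+mmap\(([^,]+),\s*(\d+),\s*([A-Z_|]+),.*\)\s*=\s*(0x[0-9a-f]+)$')
MUNMAP_RE = re.compile(r'^(\d+)\s+munmap\((0x[0-9a-f]+),\s*(\d+)\)\s*=\s*0$')
SPAWN_RE = re.compile(r'^(\d+)\s+(?:clone|fork|vfork)\(.*\)\s*=\s*(\d+)$')

def count_exec_remap_steps(trace):
    """Per pid: times a new PROT_EXEC map appeared and a then-live exec map was unmapped."""
    live = {}      # pid -> {addr: size} of executable mappings still mapped
    replaced = {}  # pid -> addrs that were live when the newest exec map appeared
    steps = {}
    for line in trace.splitlines():
        m = MMAP_RE.match(line)
        if m:
            pid, _, size, prot, addr = m.groups()
            if 'PROT_EXEC' in prot.split('|'):   # ignore plain data mappings
                replaced[pid] = set(live.setdefault(pid, {}))
                live[pid][addr] = int(size)
            continue
        m = MUNMAP_RE.match(line)
        if m:
            pid, addr, _ = m.groups()
            if live.get(pid, {}).pop(addr, None) is not None:
                if addr in replaced.get(pid, set()):   # old stage torn down after the new one
                    replaced[pid].discard(addr)
                    steps[pid] = steps.get(pid, 0) + 1
    return steps

def spawned_children(trace):
    """Per pid: child pids created via clone/fork/vfork (the second process of point 4/5)."""
    children = {}
    for line in trace.splitlines():
        m = SPAWN_RE.match(line)
        if m:
            children.setdefault(m.group(1), []).append(m.group(2))
    return children
```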

Debugging NoName

Sample from:
Debugging NoName

Sorry… logs from strace / ftrace not found :’(


Cracking NoName

Code flow guessing
|____ proc1
|________ load protected shared library (target.so)
|____________ dt_init
|________________ prepare memory layout (unpack target.so)
  • Fall '19
  • Reverse Engineering, Public-key cryptography, Pretty Good Privacy, Software cracking, Frida
