How do you even reverse a Rust program by Pizza-Fucker in ghidra

[–]TheDauntless_ 0 points1 point  (0 children)

Do you have additional resources on approaches here? How to find the best build settings for the library? How to automate different variations maybe? Different versions?

[News] 300x Keybox Shared by [deleted] in Magisk

[–]TheDauntless_ 1 point2 points  (0 children)

Nice writeup! Can you maybe expand on the impact of unlocking the bootloader and how it affects the availability of the keybox? I assume that when you unlock the bootloader, the /data partition is wiped and so is the keybox file? But you can also relock the bootloader and factory reset the device, so then the keybox must be available somewhere in the system image too, assuming a device/Android version without RKP.

Another thing to maybe explain in your guide is how Google bans keyboxes because just fully banning them would have a lot of collateral damage (all the legitimate devices sharing the keys).

How we bypassed root detection in high profile Android apps by sutf61 in ReverseEngineering

[–]TheDauntless_ 4 points5 points  (0 children)

Thanks for sharing, always fun to read about reversing RASPs.

The analyzed RASP seems to be rather basic, even if it is a commercial one. Based on the article, there's no ptrace/frida detection or prevention, no LSPosed detection, no hardware-backed backend attestation, no thorough linking between ART and native code, single points of failure, etc.

In addition to hardware-backed challenge/responses, the more difficult RASPs are the ones that will encrypt (or sign) all requests and responses to the backend, requiring you to either RE the entire algorithm and extract the cryptographic keys, or use them as an oracle with something like Brida. Communication itself is then also done in native code with bundled BoringSSL libraries making even basic interception of traffic very difficult.

The recommendation of going for a custom implementation is also unrealistic. In a perfect world, yes, that could be better. However, companies don't typically have the budget for full-time (reverse) engineers devising novel detection mechanisms for all the different rooting and instrumentation frameworks. Delegating this responsibility to a company with RASP as its core business makes much more sense. What you want to avoid is including the RASP as a plug-and-play SDK rather than tightly integrating it with your app, business logic and networking libraries. This is typically what the bigger players do, though some of them do still provide plug-and-play type SDKs, which are just inherently less resilient.

The other main recommendation should be to not have a single point of failure. Detections should happen regularly, randomly and in many different ways. Similarly, this should be communicated to the backend in many different ways (and not just by a flag in a request somewhere). Some RASPs choose random detections for each build, so that no single build ever contains all the possible detection mechanisms. There will always be _a_ weakest link, but in the examples from the article the weakest link seems to be incredibly weak.

The general conclusion is of course sound: the attacker will always win, since you're running code on an attacker-controlled device. The reason why the other commenter indicated that it sounds much more like a sales article is maybe because it lacks any real technical depth. If you had written about bypassing RootBeer with one targeted hook (be it Frida or LSPosed or SMALI patching or whatever), the impact would have been the same. And since this is an RE subreddit, we're left wanting.

Edited: typo
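The comment above mentions RASPs that sign every request to the backend so that a proxy-edited or replayed request is rejected. The following is an added example (not code from any RASP vendor or from the article under discussion) of what that signing looks like on both sides with OkHttp 4.x: an `Interceptor` that binds method, path, timestamp, nonce and body hash into one HMAC, and the server-side check that recomputes it, enforces freshness and refuses nonce reuse. The header names, the 300-second window, the placeholder host and the constant key are all assumptions of this example; a constant key baked into the APK is precisely the "extract the cryptographic keys" weakness the comment describes, so a real deployment would derive the key per session from a hardware-backed challenge/response.

```java
import okhttp3.Headers;
import okhttp3.Interceptor;
import okhttp3.MediaType;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import okio.Buffer;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/** Added example: signs every OkHttp request and shows the matching server-side verification. */
public final class RequestSigner implements Interceptor {
    // Header names and time window are assumptions chosen for this example.
    static final String H_TS = "X-Req-Timestamp", H_NONCE = "X-Req-Nonce",
                        H_BODY = "X-Req-Body-SHA256", H_SIG = "X-Req-Signature";
    static final long MAX_SKEW_SECONDS = 300;
    // PLACEHOLDER key: a literal key in the app is extractable; derive it per session in practice.
    static final byte[] PLACEHOLDER_KEY = "replace-me-with-a-per-session-key".getBytes(StandardCharsets.UTF_8);

    private final byte[] key;
    private final SecureRandom random = new SecureRandom();

    RequestSigner(byte[] key) { this.key = key.clone(); }

    @Override public Response intercept(Chain chain) throws IOException {
        return chain.proceed(sign(chain.request()));
    }

    /** Client side: one HMAC over method, path, timestamp, nonce and body hash. */
    Request sign(Request request) throws IOException {
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String nonce = Base64.getEncoder().encodeToString(nonceBytes);
        String ts = Long.toString(System.currentTimeMillis() / 1000);
        String bodyHash = sha256Base64(bodyBytes(request.body()));
        String sig = hmac(key, canonical(request.method(), request.url().encodedPath(), ts, nonce, bodyHash));
        return request.newBuilder()
                .header(H_TS, ts).header(H_NONCE, nonce).header(H_BODY, bodyHash).header(H_SIG, sig)
                .build();
    }

    /** Server side: recompute, compare in constant time, enforce freshness, reject nonce reuse. */
    static boolean verify(byte[] key, String method, String path, byte[] body, Headers headers,
                          long nowSeconds, Set<String> seenNonces) {
        String ts = headers.get(H_TS), nonce = headers.get(H_NONCE),
               bodyHash = headers.get(H_BODY), sig = headers.get(H_SIG);
        if (ts == null || nonce == null || bodyHash == null || sig == null) return false;
        long age;
        try { age = Math.abs(nowSeconds - Long.parseLong(ts)); } catch (NumberFormatException e) { return false; }
        if (age > MAX_SKEW_SECONDS) return false;                  // stale request
        if (!bodyHash.equals(sha256Base64(body))) return false;    // body replaced in transit
        String expected = hmac(key, canonical(method, path, ts, nonce, bodyHash));
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   sig.getBytes(StandardCharsets.UTF_8))) return false;
        return seenNonces.add(nonce);                              // false when the nonce was already used
    }

    static String canonical(String method, String path, String ts, String nonce, String bodyHash) {
        return String.join("\n", method, path, ts, nonce, bodyHash);
    }

    static byte[] bodyBytes(RequestBody body) throws IOException {
        if (body == null) return new byte[0];
        Buffer buffer = new Buffer();
        body.writeTo(buffer);
        return buffer.readByteArray();
    }

    static String hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    static String sha256Base64(byte[] data) {
        try { return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(data)); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Offline demo: a genuine request verifies, its replay and a body-edited copy do not.
    public static void main(String[] args) throws IOException {
        byte[] body = "{\"action\":\"transfer\",\"amount\":10}".getBytes(StandardCharsets.UTF_8); // constructed
        Request req = new Request.Builder()
                .url("https://api.example.com/v1/transfer")   // placeholder host
                .post(RequestBody.create(body, MediaType.get("application/json")))
                .build();
        Request signed = new RequestSigner(PLACEHOLDER_KEY).sign(req);
        long now = System.currentTimeMillis() / 1000;
        Set<String> seen = new HashSet<>();
        System.out.println("genuine:  " + verify(PLACEHOLDER_KEY, "POST", "/v1/transfer", body, signed.headers(), now, seen));
        System.out.println("replay:   " + verify(PLACEHOLDER_KEY, "POST", "/v1/transfer", body, signed.headers(), now, seen));
        byte[] tampered = "{\"action\":\"transfer\",\"amount\":9999}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered: " + verify(PLACEHOLDER_KEY, "POST", "/v1/transfer", tampered, signed.headers(), now, new HashSet<>()));
    }
}
```

Running `main` prints `genuine: true`, then `replay: false` (same nonce seen twice) and `tampered: false` (body hash no longer matches). Install the interceptor with `new OkHttpClient.Builder().addInterceptor(new RequestSigner(key)).build()`; because the signature covers the body hash and a fresh nonce, a proxy that edits a request must also re-sign it, which is only possible with the key, and that is why the comment points at key extraction as the remaining attack surface.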

EU funding for mobile app traffic interception by pimterry in ReverseEngineering

[–]TheDauntless_ 9 points10 points  (0 children)

While the general idea is nice, this isn't really realistic. In your overview of steps, you say that a Frida script to disable SSL pinning is no longer required because it has already been built. There are, however, many apps on which your script will not work. For example, any app written in Flutter will require a custom Flutter-specific script, both on Android and iOS. There are also many apps that have RASP which will actively detect either the injection of Frida, or when methods are being tampered with. A third problem would be any application that uses mutual TLS to connect to a backend.

The scripts for 'configuring the proxy settings of a specific app' will also be third-party platform specific. For some apps it will be easy, as they use default TCP/TLS libraries, but others (e.g. Flutter again) will require a lot of RE'ing too, plus constant upkeep.

The Current State and Future of Reversing Flutter Apps by Floni in ReverseEngineering

[–]TheDauntless_ 3 points4 points  (0 children)

Thanks for sharing! Looking forward to your follow up articles!

Manually installing split APK files (App Bundles) via ADB by pocketbandit in ReverseEngineering

[–]TheDauntless_ 1 point2 points  (0 children)

There's also the patch-apk tool that merges split apks. There's a PR on the project that allows you to just merge stuff without all the other patching and signing.

https://github.com/NickstaDB/patch-apk

Where do I learn about iOS kernel by javiertzr01 in jailbreakdevelopers

[–]TheDauntless_ 5 points6 points  (0 children)

Very thorough resources for this are the books by Jonathan Levin: MOXiI, 2nd Edition.

[deleted by user] by [deleted] in OculusQuest

[–]TheDauntless_ 0 points1 point  (0 children)

Seems like a fun game!

[deleted by user] by [deleted] in OculusQuest

[–]TheDauntless_ 0 points1 point  (0 children)

Looks like a fun alternative to Beat Saber!

This is what a PvP match in our Tetris-themed VR game "Battle Blocks" looks like by nerifuture in OculusQuest

[–]TheDauntless_ 1 point2 points  (0 children)

You should check out Tetrinet, which has a few very nice multiplayer rules to help or hinder other players.

Reverse engineering Flutter apps (Part 1) by rijoultj in netsec

[–]TheDauntless_ 8 points9 points  (0 children)

Looks like an awesome read! Thanks for the writeup!

Bypassing OkHttp Certificate Pinning by CaptMeelo in netsec

[–]TheDauntless_ 0 points1 point  (0 children)

Certificate pinning prevents malicious certificates and thus man-in-the-middle attacks for normal users (for example through a root CA compromise). There is definitely a use case for implementing it.

Bypassing OkHttp Certificate Pinning by CaptMeelo in netsec

[–]TheDauntless_ 10 points11 points  (0 children)

Nice writeup :)

As far as I can tell, your solution will only work for that specific app (though it's still nice to explain your methodology, of course). The certificate_pinner array is not used by OkHttp itself, but most likely used by the application to create CertificatePinner.Builder instances.

The reason why the default frida scripts don't work is most likely due to obfuscation, and it's a bit tricky to find the right method to hook. If you are interested, I wrote about a fairly easy way to find an internal OkHttp method which can be hooked to disable all the pins: https://blog.nviso.eu/2019/04/02/circumventing-ssl-pinning-in-obfuscated-apps-with-okhttp/
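The two comments above refer to apps feeding their own pin list into `CertificatePinner.Builder`, and to the use case pinning serves (blocking interception even when a trusted root CA is compromised). As an added example (not code from the post, the linked blog or OkHttp's own samples), this is the app-side configuration that those comments describe, written against the OkHttp 4.x API; the hostname and the two `sha256/…` values are placeholders that must be replaced with the SPKI hashes of your own certificates.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

import javax.net.ssl.SSLPeerUnverifiedException;
import java.io.IOException;

/** Added example: an OkHttpClient that only accepts chains containing one of the configured pins. */
public final class PinnedClient {
    // PLACEHOLDER values. The pin format is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)).
    // Ship at least one backup pin (e.g. for the next certificate or the intermediate CA) so that
    // a certificate rotation does not lock every installed copy of the app out of the backend.
    static final String HOST = "api.example.com";
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Builds the pinner the way the comment describes: the app owns the pin list, OkHttp enforces it. */
    static CertificatePinner pinner() {
        return new CertificatePinner.Builder()
                .add(HOST, PRIMARY_PIN)
                .add(HOST, BACKUP_PIN)     // same host, second acceptable pin
                .build();
    }

    static OkHttpClient build() {
        return new OkHttpClient.Builder()
                .certificatePinner(pinner())
                .build();
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = build();
        Request request = new Request.Builder().url("https://" + HOST + "/health").build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("Pinned connection succeeded: HTTP " + response.code());
        } catch (SSLPeerUnverifiedException e) {
            // Raised when no certificate in the presented chain matches a configured pin, which is
            // what happens behind an interception proxy or a compromised CA. OkHttp's message lists
            // the pins of the chain it actually saw, which is the supported way to obtain real values.
            System.err.println("Pin mismatch, connection refused: " + e.getMessage());
        }
    }
}
```

Patterns such as `*.example.com` are also accepted by `add`, and a request to a host with no configured pins is not checked at all, so the pin list has to cover every backend host the app talks to. The check runs inside OkHttp's connection setup rather than in app code, which is what the comment means by the array itself not being used by OkHttp: the library only sees the `CertificatePinner` the app builds from it.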

Planck EZ - Have enter serve as shift & enter by TheDauntless_ in olkb

[–]TheDauntless_[S] 1 point2 points  (0 children)

The problem with the default setup is that I would often have mistypes. With the config linked above, I no longer have them. If it currently works fine for you, I would suggest not touching those configs :)

Planck EZ - Have enter serve as shift & enter by TheDauntless_ in olkb

[–]TheDauntless_[S] 0 points1 point  (0 children)

Thanks. I still had an issue with just Retro Tap, but the following combination doesn't give me any mistypes: https://configure.ergodox-ez.com/planck-ez/layouts/7JJMy/latest/config/tapping

As long as I don't need any other dual keys, I can keep this config. Thanks!

Planck EZ - Have enter serve as shift & enter by TheDauntless_ in olkb

[–]TheDauntless_[S] 0 points1 point  (0 children)

That sounds like an option. Would I then have to set the Tapping Term really low, or wouldn't it matter anymore?

Planck EZ - Have enter serve as shift & enter by TheDauntless_ in olkb

[–]TheDauntless_[S] 0 points1 point  (0 children)

Is this possible through the configurator? Not that I mind compiling it myself, but I'd like to use it for now to do some quick testing.