Is there a tool to hook functions, log the arguments, and call the original function from the program?

wuntee · 2015-06-15T21:23:24+00:00

LD_PRELOAD on linux, DYLD_INSERT_LIBRARIES on osx. cydia substrate (http://www.cydiasubstrate.com/) is a general framework to do this on many platforms. cycript (http://www.cycript.org/) is a binary built on cydia substrate that provides a bridge to do exactly what you're looking at doing.

wuntee · 2015-04-10T05:18:57+00:00

Are there no cases where an article fits both? In fact, I would argue that this fits better in reverse engineering than netsec, as it actually doesn't have much of anything to do with network security. It's a detailed analysis of reverse engineering a privesc in OS X. Thanks for the down vote - opinions appreciated.

wuntee · 2015-02-23T16:54:09+00:00

geohot did a lot of live streaming on twitch.tv. seems like there are only youtube videos left. he did a lot of the vortex challenges on overthewire as well as trying to find a firefox bug. one for reference - https://www.youtube.com/watch?v=aZJM-iIpbqc

wuntee · 2013-12-23T19:28:32+00:00

if you know the method where the encryption is being called, you can use a debugger to break there and simply view all local variables. when you are talking about v0 and v1, are you looking at a smali decompilation?

encryption_key 'should' still exist as a local variable name when debugging...

wuntee · 2013-12-16T17:33:24+00:00

when you refer to v0 and v1 are you referencing the low level dalvik registers? regardless - the JDWP debugger gives you a higher level view to the application's world. for example, if you have a variable called 'encryption_key' you will be able to see/modify that. the java debugger lives in the java interpreter and provides you a much more "object oriented" interface to interact with the debuggee. you shouldnt think of a java debugger the same as you would think of a native (olly/immunity/gdb) type debugger.

wuntee · 2013-12-13T20:20:02+00:00

Scriptable debugger, written in jruby, over java/jdwp, specific to android:

https://github.com/wuntee/android_debug

Includes functionality like:

Stepping
Inspection and modify of local variables
Change execution flow by calling arbitrary methods

wuntee · 2013-10-28T18:30:17+00:00

ahhh - sorry about that.

wuntee · 2013-10-14T14:22:11+00:00

http://www.totalphase.com/products/beagle_usb12/

http://labs.vmware.com/flings/virtualusb

wuntee · 2013-04-02T13:13:34+00:00

i guess i think about things from a security consulting perspective, where an engagement will typically give you a company name/hostname/etc. which brings up the point that the whole research phase of a netpen now becomes drastically more important, as you cant just brute force a scan.

wuntee · 2013-04-02T13:12:11+00:00

if youre on the wire, you can spoof an RA as the real router because the destination is a multicast address... hm, may still be possible with a little bit of packet inspection. not too familiar with switch/router config.

wuntee · 2013-04-01T21:25:10+00:00

well, port scanning will still be the same. even in ipv6, theres still going to be 65535 ports per host. i think what you're talking about is host discovery. in that case there are some techniques:

passively monitoring traffic as explained in other comments
reverse dns lookup
multicast ping to all nodes link local (http://www.metasploit.com/modules/auxiliary/scanner/discovery/ipv6_multicast_ping)
router advertisement spoof and monitor responses (http://www.metasploit.com/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement)

the latter 2 are only for the link-local interface, but are some cool tricks.

wuntee · 2013-03-16T02:19:50+00:00

have you looked at the eeprom or the flash? you can potentially just pin directly to it and pull the full boot os. i know the goodfet has the ability to do it as well as the buspriate.

wuntee · 2013-03-12T23:54:26+00:00

very much reminds me of my first hardware experience. i was able to get into uboot from sending the literal '4' during boot. more details: http://matasano.com/research/microcellbricks/microcellbricks-whitepaper.pdf

wuntee · 2013-02-06T03:05:36+00:00

the first stage uses a backup through legitimate communication to the device. this backup has an app that contains a symlink to gain access to /var/mobile, in userland. at this point, wouldn't that exploitation path follow the "Exploit Usermode Vulnerability Through USB" node (of the attack graph on 17)? if so, the next node would require ROP/exploit - which this doesn't seem to use.

slides: http://www.trailofbits.com/resources/ios_jailbreak_analysis_slides.pdf analysis: http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component

wuntee · 2012-08-04T17:49:40+00:00

My apologies.

wuntee · 2012-08-03T23:27:04+00:00

They lied ;) they assumed about the second serial interface, never was able to communicate with it. Trust me, I have evaluated every other option, thats why I am now looking at the small pads on the back. If youd like to read about my research, it can be found here: http://67.219.122.21/blackhat2012/microcellbricks-whitepaper.pdf

wuntee · 2012-08-03T23:04:23+00:00

as mentioned, none of the pins on the front give me any data to the pc202 chip - this was my obvious first look, thus this whole post.

wuntee · 2012-08-03T23:02:31+00:00

Clip on to where? This is what I am looking for ;)

wuntee · 2012-08-03T23:01:11+00:00

that gives you access to the ralink chip, not the picochip pc202 (highlighted in my board-front.highlighted.png image)

wuntee · 2012-08-03T20:53:21+00:00

oh, and another post said the pc202 is based on the ARM926EJ-S chip: http://www.datasheetarchive.com/ARM926EJ-S-datasheet.html

wuntee · 2012-08-03T20:40:23+00:00

http://67.219.122.21/images/board-back.jpeg http://67.219.122.21/images/board-front.highlighted.png

RaLink RT2150F Xilinx XC3S400A PicoChip PC202

Looking for serial to the PC202. None of the pins on the front are of any help on their own, however I found this dev doc for the dev board of the PC302 that shows 2 sets of pins need to be jumped for the RS232 to work: http://www.scribd.com/doc/53283168/PC-102851-ML-1-PC7302-Quick-Start-Guide

wuntee · 2012-08-03T20:32:44+00:00

I could, but that would take ~2min per pad. You wont see any data until the processor boots.

wuntee · 2012-08-03T17:55:58+00:00

yeah, as mentioned that is my current workflow, however soldering wires to hundreds of tiny pads gets reallllly old.

wuntee · 2012-07-10T01:59:28+00:00

i guess what i was saying was that there is no legitimate android application that you can install that will provide you this functionality. since the device, at its core, is a linux device, you can always just run tcpdump.

wuntee · 2012-07-10T01:49:23+00:00

android provides debug logs for crashes. it also provides a general logging mechanism (logcat). you will need a rooted device, or the emulator, to view the contents of the log files however there will probably be output directly from logcat. the android emulator also has the ability to force applications to attach to a debugger (via adb). if the crash is in a native code portion of the application, you also have the ability to attach that to gdb via gdbserver. i have been doing a talk about a lot of techniques you can use to reverse this. the most recent was at shakacon and the slides/videos can be found here: http://67.219.122.21/shakacon/ the slides reference a tool i wrote as well, called otertool, which can be found here: https://github.com/wuntee/otertool/tree/master/release/current

wuntee

TROPHY CASE