
Thanks for the very enthusiastic welcome, it's quite early. Wow, I didn't think there'd be this many people in the room, but that's pretty awesome. So yes, my name is Jamaal Harris. Some people here, and my mum, use Jay Harris; to be honest, Jay is a bit easier to remember, so I tend to go with that.

In this talk we are going to do an introduction to Frida. I really like Frida a lot, I use it a lot to help me when I'm reverse engineering applications. How many people in this room have used Frida before? Yeah, okay, cool. And how many have used it only on mobile applications? Okay. And I hope you've used it on something else too? Yeah, okay, cool.

We're going to look at practical demonstrations. I really like to do practical things; it does mean that there is a chance things will go wrong and things will break, so we'll just have to see how things go. We're going to be looking at using Frida on Linux, and a little bit of Android towards the end. Now, this isn't an exploitation talk. We're going to be using Frida, and Frida can be helpful in exploiting software, but we're not going to be looking at actual exploitation; this is just using Frida to start reverse engineering an application.

Who am I? I'm a pen tester and I do security research for Digital Interruption. This is a company that I started in order to try and help shift security testing left, and I think something like Frida is a really great tool for trying to do that. I'm interested in mobile, which is how I first started using Frida, and in radio things and just reverse engineering generally. Here are some Twitter accounts you should definitely follow, because I'm trying to beat somebody with my Twitter account, so if you just add me I'll get some more followers and I'm sure I'll get there. I run a group in Manchester called Manchester Grey Hats. This is where we run workshops and we compete in CTFs. We have a Twitter account and things, so if you want to follow, definitely feel free; we post videos of our workshops and we live stream our workshops as well. Really it's just a way to try and increase cybersecurity knowledge in Manchester, but really we want everyone to feel free to join us.

Okay, so first: what is reverse engineering? When we reverse engineer something, we want to try and reproduce information about the application based on the knowledge that we extract from it. So we want to understand the behaviour of the binary. This can be useful in things like malware analysis or cracking software. In this talk we're going to look at one aspect of reverse engineering, so we're going to look at runtime analysis. Now, the other type of thing is static analysis, where we look at the source code; Frida isn't always super helpful for that, but we're going to be looking at running an application and trying to understand how it works. Sometimes it doesn't make sense to do the static analysis type of thing. If you are looking at malware, for example, it might detect that it is being analysed and so it might behave differently. So sometimes you want to look at it statically, sometimes running it is the best way, but doing that can be quite difficult.

Why do we want to do it? Well, source code recovery is quite a big one. Let's say we have an application, we don't know how it works, and we want to modify it or try and turn the application back into some kind of source code; well, we're going to reverse engineer it. We might have applications where we need to know how they interact with each other and change the way they interact with each other, or maybe an application is old and outdated and we want to be able to interact with it in some way; we need to understand the protocol that it is using and how it works together. I find it really fun, to be honest; it's nice to understand how things work on the inside. And of course when you're looking for vulnerabilities it's one of the most useful tools that we have at our disposal, so Frida helps with that.

And that's actually a nice point to ask a question: how many developers are in the room? Yeah, okay. So application hooking is a really useful technique that can allow us to add logging into an application. So as a developer you might want to use something like Frida to add logging into a production version of a binary, so you don't actually have to have logging statements built into the binary as it's deployed, but you can use something like Frida to add those in later. How many hackers are in the room? I guess there'll be quite a lot, right? Yeah, come on, I expect most hands to go up. So you can use something like application hooking for disabling SSL pinning in mobile applications. I mean, I use Frida for a lot. I used some application hooking to simulate malicious input once from a Bluetooth device, so rather than actually having to create the Bluetooth device I could hook the application to simulate that input. And what about just general software testers, those who do software testing? Yeah, okay. So you can use something like application hooking to almost inject errors into the application, to get it to force errors
and change the state. Okay, any questions about any of that? Feel free to just ask questions as we go along, by the way.

So if we have an application that makes a call to a function, it tends to look something like this. So we'll have a call to read, for example, and it'll have a jump to a part of code that gets executed, and then we have the same here for this encrypt function. So the application will start executing some code, you'll see a call to a function, or a jump to somewhere in memory where that function is, which might be in a library or it might just be in the main binary. When we hook an application, we're actually changing the address that that code jumps to. So where it might jump to the read function normally, we're going to give it maybe a different address, or a different bit of code to execute. If we do this we can actually change the behaviour of that function that gets executed, or what we might do, as we can see in the second case, is add logging, or change the arguments to the original function that gets called. Does that make sense? So we can start to either replace the functions or add some stuff to them, so that it gets executed before or after the original function gets called.

Okay, so before Frida came along, this is kind of how it was at the time when I was trying to do reverse engineering and application hooking. It's a very clunky, convoluted process, because what you have to do is maybe decompile a binary or look at some source code or something, you have to write the method for the hook, probably in something like C or, if you use something like Xposed for Android, Java; then you'd have to compile it, you would have to load that function, then if you have to make a change you'd have to compile it again, and it was this very long, convoluted approach. I remember I was looking at a nice exercise doing some research into Android when it first came out, and I was using Xposed, which is another framework for Android, and this was before Frida was really a thing, and it took me so long to get anything working in any kind of meaningful way, because I'd have to restart the Android device every single time I made a change to the hook. Now, you can imagine, as you're iterating through understanding the application, every time you make a small change you have to recompile it, redeploy it, restart the app, restart the device. I mean, it took days and days and days to do anything really meaningful.

Then Frida came along and it's a bit more like this, honestly. So what took me days or maybe weeks before, using older frameworks like Xposed or using other methods, can take minutes using Frida. So Frida is a toolkit for instrumentation. With Frida we can inject our own scripts into... actually, I'll tell you what it says on the Frida website: "Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts." Is that right? So Frida is a framework that lets us do that; it lets us inject JavaScript into an application. Why JavaScript? Well, I think, why not? It's a good language, it's easy to write, it's easy to read, and I think most people are familiar enough with JavaScript that it kind of makes sense. More importantly, Frida is actually a framework to build our own tools, and I don't really see a lot of people doing this. I think they should. Frida is great as it is, but I think it really shines when you actually start to use it to build your own tools, and that's something that I want to try and encourage more people to start doing. For example, if you're a software tester, you might use Frida to build an application that injects specific errors into your app, or if you're a hacker maybe you want to have an application that disables SSL pinning in all cases, and things like that. So yeah, people should be using Frida to try and build their own apps.

This is basically how it looks. We have our process, and with Frida we can inject a JavaScript engine, V8, into it. That loads our JavaScript, which we use to specify what we want to get hooked and the functionality that gets injected and changed. And then on the host we have this way of communicating between the process and the Frida tool, whether that's the command line, the interactive shell, or however we're hosting Frida. So you can interact between these, and it uses JSON basically to send data back and forth.

A lot of people only really use Frida for mobile applications, and as I said before, that's really why I started using it, but it supports lots of different things. So it supports obviously Windows applications, macOS, Linux, obviously iOS, Android, and QNX as well. I'm sure in time even that will expand. I don't think there is .NET support; I was trying to do some .NET stuff a little while back and it didn't work.

So we're going to look at a fake application. This is one I wrote; the source code for it is online if you want to play along with it after this talk, and feel free to just grab it off the Digital Interruption GitHub repo, it is on there somewhere. So we have this target application to look at, and this is what it does basically: it will ask the user for some kind of message, and then it will create a key and then encrypt that message with the key, and then save it, just in memory. It's a bit of a not-very-useful application, but it will let us play with Frida and see how Frida can be useful in something like this. If you enter the correct password in the application it will decrypt the messages, and if you don't know the password it obviously won't. The password is just hard-coded into the application. Okay, so let me jump over and I'll show you that in action, and then we can start using Frida. Now, bear with me, because looking at the screen and trying to type and other things can be a bit difficult, but let's do our best. Okay.
So we just enter some strings, and a string for the password. If you get that wrong, we're told you're not able to view the messages. If you do the same thing with the correct password, obviously it's "password", you can see the strings decrypted. Okay, now in this case we're going to use Frida to just play around with it, so let's start again. Okay, can you see the screen? Okay, yeah. Okay, so let's see.

Okay, so we've started Frida. This is the interactive shell, and it has injected that V8 engine, the JavaScript engine, into the target process. So in this case you can specify the process ID, and you can use Frida to launch the application as well, but most of the time I find it more useful to attach to it by the name of the process. Now let's try and prod the application and see what we can start to learn about it. So we can do things like this: Process.getCurrentThreadId(). Okay. Process.enumerateModules(), so these are obviously the libraries that the application is using, and you should be able to see here, I think, the Frida agent as well, because it's obviously injected that into the application now. So we can do something else as well: we want to enumerate the exported functions from this library. Cool, so we've got addresses and stuff, you can kind of see. So we can use this to build a picture of how the application is working and what it is doing, because we can see what libraries it's using and things like that.

So let's try and do something kind of cool, something a bit more useful. I know how the application works, it's not a complicated one, so either by viewing the source code or making some educated guesses or by decompiling it, you will see that it's using some kind of key or doing some kind of encryption. When I see something like that, I almost always assume that the random function is going to be used in making the key; if you're doing crypto you need some random stuff a lot of the time to generate keys, so something like that is usually in use. So what I'm going to do here is, when rand is called we want to change the return value. Rather than being a random number, we're just going to change it to return zero. Okay, so every time rand is called within our application, zero is returned. Now we'll try and enter some messages. Okay, done, and the password is... okay, so we're still able to view the messages, because what we've done is we've used Frida to change the application so that the key is always going to be zero, so null bytes, and of course when you XOR the message with the key and the key is zero, the message doesn't really change. Makes sense to everyone? Yeah, okay, awesome. That's the first demo and there were no errors, nothing broke, so that's good. By the way, my laptop used to crash a lot and I thought I'd fixed it because it hadn't happened for like six months, and then when I was preparing for this this morning it crashed, so let's hope that doesn't happen again later.

frida-trace: this is actually written using Frida, and when you install Frida it gets installed along with it. What it does is it creates JavaScript files for functions based on their name, which is super awesome, and I'll show you it in a little while. Basically, by default, it will add logging into your application, so you can do something like frida-trace -i and then the name of a function that you want to start logging, and it will generate those JavaScript files for you to start doing that. You can use a wildcard as well, so it will just start logging every function that gets called. This doesn't always work, sometimes things crash, but it's still a really awesome feature, especially when you don't know about an application when you're first starting off; it's really good for exploring and that kind of education.

This is the type of thing that frida-trace will create. So if we have this function here, making a call to a function encrypt_message, it will generate this JavaScript with an onEnter and an onLeave function, and it will just add some logging into onEnter. Obviously onEnter gets called when the function is about to be called, and onLeave after the function has been called. One useful thing is to actually modify that JavaScript once it's been created. If we want to start to access the arguments, Frida actually gives us this args array, because Frida won't know about the function; frida-trace will know the name of it, but it won't understand the arguments that it is using and things like that. So what it gives us is just an array of the arguments, and then what we can do within the JavaScript is just log them and index into them. So if we wanted to look at this key, we could just log args[1]. So let's say we wanted to change the return value here as well; we're also able, as we saw before using the interactive shell, to do retval.replace and add that into the JavaScript in the onLeave function, and then this here will be whatever we want. It's a bit more difficult if you have something like this, where we have a buffer and the buffer is filled in the function. So if we have something like encrypt_message where we pass in a message, a key and a buffer, when we create this buffer it's also just going to be bits of memory; it hasn't really been filled with anything, and if it gets used in this encrypt_message thing then it will put data into that buffer later. So what we can do is just do this.buf (you can give it any name really, this.whatever, for the argument you want), so this.buf, and then on leave we can look at that again. So obviously if we try to log it here we're just going to see garbage, because the buffer hasn't been used yet. Really we want to view it after it's been populated, so we can do things like this. So let's take a look.
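The two hooks just described, the interactive-shell `rand` replacement from the first demo and the edited frida-trace handler that keeps the output buffer in `this` between onEnter and onLeave, as one added Frida script. This is example code written for this page, not the talk's demo program or its generated handler; the function name encrypt_message, its argument order (msg, key, out, len) and the key-derivation loop in keyFromRand are assumptions about the demo binary.

```javascript
// Frida script (JavaScript). Added example, not code from the talk or its demo program.
// Assumed: the target exports encrypt_message(char *msg, uint8_t *key, uint8_t *out,
// size_t len) in that argument order, and uses libc rand() to build the key.

// --- Pure helper (runs anywhere): XOR-encrypt `msg` with a repeating `key`.
// Shows why forcing rand() to 0 defeats the demo: an all-zero key leaves the
// ciphertext byte-for-byte equal to the plaintext.
function xorBytes(msg, key) {
  if (key.length === 0) throw new Error('empty key');
  const out = new Uint8Array(msg.length);
  for (let i = 0; i < msg.length; i++) out[i] = msg[i] ^ key[i % key.length];
  return out;
}

// Mirrors an assumed key-derivation loop of the form key[i] = rand() & 0xff.
function keyFromRand(randFn, keyLen) {
  const key = new Uint8Array(keyLen);
  for (let i = 0; i < keyLen; i++) key[i] = randFn() & 0xff;
  return key;
}

// --- Hook 1: what was typed into the interactive shell. Every call to rand()
// now returns 0, so the key the app derives from it is all zero bytes.
function installRandHook() {
  Interceptor.attach(Module.findExportByName(null, 'rand'), {
    onLeave(retval) {
      retval.replace(0); // overwrite the return value in place
    }
  });
}

// --- Hook 2: the frida-trace handler pattern for an output buffer. frida-trace
// only knows the symbol name, so args is an array of NativePointer indexed by
// position; `this` is per-call state shared between onEnter and onLeave.
function installEncryptHook() {
  Interceptor.attach(Module.findExportByName(null, 'encrypt_message'), {
    onEnter(args) {
      this.msg = args[0].readUtf8String();
      this.out = args[2];                 // still uninitialised at this point
      this.len = args[3].toInt32();
      console.log('encrypt_message(msg="' + this.msg + '", len=' + this.len + ')');
    },
    onLeave(retval) {
      // Only now has the callee written into the buffer, so dump it here.
      console.log(hexdump(this.out, { length: this.len, ansi: false }));
    }
  });
}

// Only touch the Frida runtime when it is present (the Frida agent defines
// Interceptor); under plain node the pure helpers above can still be exercised.
if (typeof Interceptor !== 'undefined') {
  installRandHook();
  installEncryptHook();
}
```

Load it with `frida -n <process> -l hook.js`; the `typeof Interceptor` guard is what lets the same file be run under node to check the XOR reasoning without a target process.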
Okay, so again let's start the application. Let's say we don't really know much about this app yet, but we've played around with it. We know that it's probably going to use a random function, and it is going to use something like read, because it takes data from standard in. So what we're going to say is frida-trace, rand; again we can use wildcards, just to say anything with rand in the function name; also the read function; and then of course the name of the process. So press all these things, cool, and you can see it starts to log stuff. So for some functions it will know things about them, which is cool; it already prints some of the arguments that we're sending to it. But for others it won't have any knowledge. So let's try and do what we did before using the interactive shell, but now we can start to actually modify this JavaScript that gets created. And this is the way I tend to do things now: I'm using Frida to learn about the application, I start logging things, make some educated guesses, and then I'll just start to modify the JavaScript to start to print some of the arguments or change some of the logic.

So let's open this one. Okay, so as we saw before, this is the onEnter function, so this is where it just adds some logging so we know that it's being called, and onLeave is empty. But let's change that, so we can do replace. One thing I really love is you can just save the file and it gets loaded automatically, so it's already made that change. So if we enter the wrong password... yeah, so of course here was before we attached with Frida, and here is where we've actually changed that random function to return zero. Yeah? Any questions? Awesome. So I want to show something a bit more realistic.

Who's used pidgin before? Yeah, so it's like an instant messenger app. I used to use it for IRC, so I've started, as you just saw, an IRC server locally, and now I'm going to start pidgin.

Here's pidgin.
So let's say that I want to start to explore pidgin using Frida. What I might do is something like this: if I want to look at the IRC stuff, I'm going to make an assumption that some of the functions are going to have "irc" in the name. So I just say frida-trace on irc* in pidgin, and it traces a lot of stuff. Then I will do some things in the application that use IRC, so let's try and join the channel #test, and we can see that it's starting to log some of those functions. So okay, I assume some of these might be quite interesting, so let's try and have a look at irc_send.

Okay, so this is again just adding some logging, but we now have the ability to look at some of the arguments and to change the returned data and things like that. After reading through some of the source code for pidgin I came up with this. So basically the first argument is this irc_conn connection object, and within that is the account information, and within that is the username and other things. So I've just added some extra logging into it, and you can see here that we don't need to know everything really; we can just say that if we know what the object looks like, then we can index into it and things. Even though pidgin is using its own objects, we can still reference them and use them. So let's take a look.

Hmm, okay. So now we're starting to see some of the information that is being sent to this function. So let's try something else; let's try and actually modify some of that data. So what we're going to do here is just change a couple of bytes in the message. We're going to change the first two bytes of the message we're sending to just be 0x41 0x41, and then we're going to log it before and after. Okay, so... oh, weird... and you can see we've actually changed the data that's being sent. Now, you should be able to see at this point how this could be a really cool way to write a fuzzer, because we're actually able to modify the data using Frida. Here it's just ASCII we're changing, but imagine if we're changing the length value or changing the object in some more interesting way. So yeah, it's a super easy way to start to do that kind of vulnerability analysis on the application. So to use frida-trace we require a function name. As we saw, when we're trying to hook an imported function using frida-trace it's really straightforward: we know the name of the function is rand, or read, or irc_send, or
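The irc_send handler above walks from the first argument into the account object and then into the username, then rewrites the first two bytes of the outgoing message. As an added example, not the talk's handler, here is that walk written with computed struct offsets rather than hand-picked numbers. The irc_send prototype, the irc_conn and PurpleAccount layouts and the field names are assumptions modelled on the talk's description, not pidgin's real definitions; fieldOffsets applies plain C natural alignment for a 64-bit target.

```javascript
// Frida script (JavaScript). Added example, not the talk's handler. Assumed shape:
// irc_send(struct irc_conn *irc, const char *buf); irc_conn starts with a
// PurpleAccount *account; PurpleAccount starts with char *username. The layouts
// below are placeholders, not pidgin's headers.

const TYPE_SIZES = { char: 1, short: 2, int: 4, long: 8, ptr: 8, size_t: 8 };

// Compute C struct field offsets (each field aligned to its own size), which is
// what you need to walk nested objects from raw pointers inside a hook.
function fieldOffsets(fields) {
  const offsets = {};
  let cursor = 0;
  for (const [name, type] of fields) {
    const size = TYPE_SIZES[type];
    if (size === undefined) throw new Error('unknown type ' + type);
    cursor = Math.ceil(cursor / size) * size; // pad up to the field's alignment
    offsets[name] = cursor;
    cursor += size;
  }
  return offsets;
}

// Assumed layouts (placeholders): only the first field of each matters here.
const IRC_CONN = fieldOffsets([['account', 'ptr'], ['server', 'ptr'], ['fd', 'int']]);
const PURPLE_ACCOUNT = fieldOffsets([['username', 'ptr'], ['alias', 'ptr']]);

function installIrcSendHook() {
  Interceptor.attach(Module.findExportByName(null, 'irc_send'), {
    onEnter(args) {
      // args[0] -> irc_conn; follow account pointer, then username pointer.
      const account = args[0].add(IRC_CONN.account).readPointer();
      const username = account.add(PURPLE_ACCOUNT.username).readPointer().readUtf8String();
      const before = args[1].readUtf8String();
      // The demo's mutation: first two bytes become 'AA' (0x41 0x41). This works only
      // because the message buffer is writable heap memory; writing into a string
      // literal in a read-only segment would fault the process.
      args[1].writeByteArray([0x41, 0x41]);
      console.log('irc_send as ' + username +
                  '\n  before: ' + before +
                  '\n  after:  ' + args[1].readUtf8String());
    }
  });
}

// Guard so the offset helper can be exercised under plain node as well.
if (typeof Interceptor !== 'undefined') {
  installIrcSendHook();
}
```

The point of computing offsets instead of typing them is that a wrong offset in a readPointer chain usually crashes the target rather than logging garbage, so keeping the layout in one declarative place makes the inevitable corrections cheap.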
whatever. If it's an internal function, things are a little bit different: you need to have the address of the function. I use something like objdump to get that. So I'm just going to show you that now, because that was something that kind of threw me for a bit. Let me just show some of these things.

Okay, so let's say that, after doing enough reversing of the application, maybe I see there's a function encrypt_string. I can use objdump to get the address of that function. Then using Frida, or frida-trace, rather than -i as in this case, now I can say -a and hook on this address. So again it'll just create the same JavaScript files for us, but now it's an internal function, so one that's not being imported from a library, and of course it's faster. Okay, so that's the encrypt_string function, so we can obviously at that point start adding some kind of logging to that if we need to.

And so you see we're now starting to log some of those calls. Let's take a look at another function. So let's say we want to start hooking the check_password function, because again, having reversed the application, having started to decompile it maybe, or however you go about doing that, we realised there are strings in it, right, and I see there's a function check_password. So again we have the address now and we can use frida-trace to generate this for us. Open it, and this is the check_password function. So when you see something like a check_password function, what's it going to be doing, right? I mean, who wants to guess how it's going to work? Yeah, exactly. So let's do something like this: let's say that whenever check_password gets called we're always going to just return true. So now we'll enter any password and it will still decrypt, because it's going to check the password and say, okay, yeah, this is always true. So again, there are other ways to do things like this, you could patch it, you could use some other tools, but see how quick it is to do something like this with Frida.
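The objdump-to-address step above is where the talk says people get stuck, so here is the whole path as an added Frida script (not the talk's code): pull the symbol offsets out of objdump output, build the MODULE!OFFSET spec that frida-trace's -a option takes, and resolve the runtime address before attaching. The objdump excerpt is constructed, the module name 'target' and the offsets are placeholders, and the assumption that check_password takes the candidate password as its first argument is just that.

```javascript
// Frida script (JavaScript). Added example, not the talk's code. Assumed: the demo
// binary is called 'target', is position independent, and defines the internal
// functions encrypt_string and check_password. The objdump output is constructed.

// Constructed sample of `objdump -d target` symbol headers; offsets are placeholders.
const SAMPLE_OBJDUMP = [
  '0000000000001189 <encrypt_string>:',
  '    1189:\tf3 0f 1e fa          \tendbr64',
  '000000000000122e <check_password>:',
  '    122e:\tf3 0f 1e fa          \tendbr64',
].join('\n');

// Pull "<offset> <name>:" symbol headers out of objdump -d output.
function parseObjdumpSymbols(text) {
  const symbols = {};
  const re = /^([0-9a-fA-F]+) <([^>]+)>:$/;
  for (const line of text.split('\n')) {
    const m = re.exec(line.trim());
    if (m) symbols[m[2]] = parseInt(m[1], 16);
  }
  return symbols;
}

// frida-trace addresses internal functions as MODULE!OFFSET via -a; build that spec.
function traceSpec(moduleName, offset) {
  return moduleName + '!0x' + offset.toString(16);
}

// The caveat: objdump prints offsets relative to an image base of 0. For a PIE
// binary the loader relocates it, so the live address is module base + offset;
// attaching to the raw objdump value hits unmapped memory.
function resolveInternal(moduleName, offset) {
  const base = Module.findBaseAddress(moduleName);
  if (base === null) throw new Error('module not loaded: ' + moduleName);
  return base.add(offset);
}

function installCheckPasswordBypass(moduleName, symbols) {
  Interceptor.attach(resolveInternal(moduleName, symbols.check_password), {
    onEnter(args) {
      // Assumed: first argument is the candidate password string.
      console.log('check_password("' + args[0].readUtf8String() + '")');
    },
    onLeave(retval) {
      console.log('original result: ' + retval.toInt32());
      retval.replace(1); // force "password correct", as in the demo
    }
  });
}

// Guard so the parser and spec builder can be exercised under plain node.
if (typeof Interceptor !== 'undefined') {
  const symbols = parseObjdumpSymbols(SAMPLE_OBJDUMP);
  console.log('frida-trace spec: -a ' + traceSpec('target', symbols.encrypt_string));
  installCheckPasswordBypass('target', symbols);
}
```

In practice the objdump text comes from `objdump -d target` on the same build that is running, otherwise the offsets are meaningless; frida-trace -a already applies the module base for you, which is why the generated handler works even though the objdump number alone would not.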
Okay, so that's all the demos. Frida is scriptable as well, which is awesome. It has bindings for Node, for Python, .NET and QML and some other things. I like Python a lot and I use Python, that's why I use the Python binding, so I can write my code in Python to start to control Frida and inject JavaScript into it. This is the template that I tend to use. So we're going to say attach to a specific process, load this script here, and this can either be hard-coded in or maybe you just have the JavaScript file on disk yourself. Okay, so we will look at this again in a little while.

But just to jump quickly to speak about Android: Frida has support for Android and iOS. This is kind of how it works. You have the frida-server running on the device, and that will inject the JavaScript engine into the process that we're looking at, and then again the host, like before, but this time we use something like ADB to communicate between the two. So this is for when you're running on a rooted device, so you actually have the frida-server running as a binary on that device. You can also use Frida on non-rooted devices, and this is something that a lot of people aren't really doing, and they should be, because a lot of the time when I'm doing a pen test on a mobile device it has root detection; the application has root detection, it might be like a banking application. It kind of sucks that they do that, but I understand why they want to check if root is there. So if I'm on a device and I'm looking at an application that has root detection, then I obviously can't just run the frida-server, because it requires root. So there is another way to add Frida into an application, and when you do it that way you don't need to run on a rooted device. Just in brief, the way that it works is you add the Frida library into the APK, and in the application you patch the application to just load that library, and then when you install the app it starts Frida. You can do that, yes, but it can be a bit annoying, because you need to figure out how to do it first before you can start using Frida; actually getting Frida in is something to figure out too. So it can be done, it's a bit of a pain, but it's better to just do it this way so that you don't even need to bother about that, and then of course you can start to bypass the other controls as well, such as pinning or other security things. What is a problem is when you have an app that has tamper detection or something, where it detects whether the application has been modified, because if it does that, tamper detection becomes a bit of a pain. So let's take a quick look at some Android stuff.
Okay, so this is where I tend to use these Python bindings a bit more, to be honest. So what we're going to do is just use the app that we're playing with. I've added Frida into it, and you can get that online, again on the Digital Interruption GitHub. This APK is actually one I wrote a few years ago for BSides London, so it's just a testing application for a challenge. Let me just try and bring it up. Alright, so basically you start it, you need to know some PIN to log in, and the challenge was to try and find out how to get that PIN or unlock it without knowing it. So we're going to use Frida to help us with that.

I'm not sure why the formatting here is a bit weird, maybe just because I changed the size of things, but basically what we're going to say is attach to the application when it's running, and what we're going to do here is actually try and brute force the PIN. So we're going to just say check between these values, and we're going to use the function that the application itself is using to check whether the PIN was right or wrong. Okay, so let's see if this works. I should just be able to run the Python file.

Okay, so there we go. Basically it was running, it checks all the values, and then when it sees that the login would be successful it just prints the PIN out for us, and that's obviously the PIN that I created in the application beforehand. So if I try to log in with 222 it doesn't work; the PIN that we just found, 1234, hopefully works. Awesome. Okay, so the other one that we have here is "accept any PIN". So again, the same kind of thing: what this will do is just change the implementation of the check function to always return true. So let's try it.

So let's try 222.

Or "login", yeah. So anything works. So we've changed the implementation of the function inside the app, and before that we were actually using the functions within the application without doing it through the app; we can actually choose to call any function that exists within the app, including the check function, with our own arguments.

So how do we protect against this, just for those that are interested? Well, there are a few ways. You can look to see whether the Frida library has been loaded; it's probably the most naive, but also the way that will tend to be used the most. It can be quite a difficult thing. As Tim at the back said, you can bypass that root detection using Frida; well, anything that's running on my device I can do anything to, so eventually I'll be able to bypass most controls, or any control. But then I guess another question is, should we protect against this? Because again, if someone's running the application, it's theirs, they can do whatever they want with it. In some cases I think it makes sense to add protections for this kind of thing. If it is a banking application, maybe you want people to have to spend more time and more effort to find vulnerabilities and to start reversing it. If you are interested in more ways to protect against this kind of stuff, on the Digital Interruption website there's a white paper on mobile security where we've put in some steps that we recommend and some best practices for detecting this kind of attack and others. And that's it. So I think we finished a little bit early, which is awesome, hopefully not too early. How much time is there left? 15 minutes, okay. So good, there's time for anyone to ask any questions. Yes?
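The host-side template mentioned with the Python bindings and the two Android demos (brute-forcing the PIN through the app's own check function, then replacing that function to accept anything) as one added example. This is written for this page, not the talk's Python script or the BSides APK, and uses Frida's Node binding rather than Python so that it stays in the same language as the agent scripts. The package name com.example.pinapp, the class PinChecker and its static method boolean checkPin(String) are placeholders for whatever the real app's check function is.

```javascript
// Host-side controller (Node, Frida's 'frida' npm binding) plus the agent script it
// loads. Added example, not the talk's code. Assumed names: package 'com.example.pinapp'
// and a static method boolean com.example.pinapp.PinChecker.checkPin(String).

// ---- Agent: JavaScript that Frida injects into the Android process ------------------
const AGENT_SOURCE = `
Java.perform(function () {
  var Checker = Java.use('com.example.pinapp.PinChecker');   // assumed class

  // Demo 1: call the app's own check function directly, bypassing the UI.
  for (var n = 0; n <= 9999; n++) {
    var pin = ('0000' + n).slice(-4);
    if (Checker.checkPin(pin)) {
      send({ event: 'pin-found', pin: pin });
      break;
    }
  }

  // Demo 2: "accept any PIN" by swapping the implementation.
  Checker.checkPin.implementation = function (pin) {
    send({ event: 'check-bypassed', pin: pin });
    return true;
  };
});
`;

// ---- Pure helpers (run under plain node, so they are testable without a device) ------
// Generic brute-force driver in the same shape as the agent loop: `check` is any
// predicate, so the host can reuse it against an rpc.exports function or a stub.
function bruteForcePin(check, digits) {
  const limit = 10 ** digits;
  for (let n = 0; n < limit; n++) {
    const pin = String(n).padStart(digits, '0');
    if (check(pin)) return pin;
  }
  return null;
}

// Frida wraps everything the agent send()s as {type:'send', payload}; an uncaught
// exception in the agent arrives as {type:'error', description, stack}. Handling
// the error shape is what stops a silent failure from looking like "no PIN found".
function handleMessage(message, state) {
  if (message.type === 'error') {
    state.errors.push(message.description);
    return null;
  }
  if (message.type !== 'send') return null;
  if (message.payload.event === 'pin-found') state.pin = message.payload.pin;
  return message.payload;
}

// ---- Host wiring: attach over USB/ADB, load the agent, collect messages ------------
async function main(packageName) {
  const frida = require('frida');                     // npm package 'frida'
  const state = { pin: null, errors: [] };
  const device = await frida.getUsbDevice();
  const session = await device.attach(packageName);   // app must already be running
  const script = await session.createScript(AGENT_SOURCE);
  script.message.connect((message) => {
    const payload = handleMessage(message, state);
    if (payload) console.log(JSON.stringify(payload));
    if (state.errors.length) console.error('agent error: ' + state.errors.join('; '));
  });
  await script.load();
  return state;
}

// Run as: node pin.js com.example.pinapp
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  main(process.argv[2]).catch((e) => { console.error(e); process.exit(1); });
}
```

For a root-detecting app the same host code works unchanged against the gadget-patched APK described earlier, since the binding attaches by package name either way; only how Frida got into the process differs.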
[Music]
So the question was, once you patch an application, is there any way to save the patch? No, not that I'm aware of, but that's actually one of the benefits with Frida, because it's really easy to load and unload patches to an application. I remember once I was doing a mobile test where I had to actually patch the application, because it wouldn't let me use Frida; either the network was protecting it or something, or maybe I just didn't have a jailbroken device. But I was patching the application manually and it was a real pain, because I wasn't able to switch between the patched and unpatched version easily, whereas with Frida you just kill it and it goes back to normal again. It also means that you can apply the patch partway through the application, so maybe you want it to run normally a few times and then one time you actually apply it. So that's why Frida is better for this exploratory thing: you try to understand it as you go, make the change as you go, and then you can change it and kill it and figure out what's going on, and then if you want to patch it properly, by that point you know enough to just patch it. Anyone else?

So the question is about iPhone and Frida and how it's become hard to jailbreak. Yeah, because of that I totally agree that people do need to start thinking about how they can do testing using Frida on non-jailbroken devices. You do need the source code and to compile it yourself, so that only really makes sense when you're doing a pen test for somebody and you actually have access to the source code. I mean, it does mean that we are still able to do a really good amount of analysis using Frida, even on non-jailbroken devices; on a jailbroken device it's stupidly easy. So actually I tend to have a couple of devices that I use for testing, one is jailbroken, one is not jailbroken, and I use them as needed. But yeah, it's definitely something that people need to be thinking about a bit more now, because people aren't really using Frida, I think, as much as they should be, and in the future I think it's going to be the only real way we have to really analyse an application. But yeah, you're limited by the fact that you need to do it yourself. Okay, thanks very much guys. [Applause]