ARM32 Assembly on ARM64 Host

Trying to get an ARM64 host to run 32-bit assembly is harder than I expected. This is how to run 32-bit assembly on an ARM64 host. First install some cross-compilation tools:

    sudo apt install gcc-arm-linux-gnueabihf binutils-arm-linux-gnueabihf binutils-arm-linux-gnueabihf-dbg gcc gdb-multiarch

Trying to assemble the following 32-bit example, which just prints “Hello World”, with the as command will fail.

    .section .text
    .global _start
    _start:
        /* syscall write(int fd, const void *buf, size_t count) */
        mov r0, #1
        ldr r1, =msg
        ldr r2, =len
        mov r7, #4
        svc #0
        /* syscall exit(int status) */
        mov r0, #0
        mov r7, #1
        svc #0
    msg: .
Read more

Manually extracting Code Signature from Mach-O

I forgot about this note, and it’s saved me in the past. The code signature of a Mach-O file can easily be extracted with tools like dd or jtool2, because the code signature is always at the end of the file, at the offset given by the LC_CODE_SIGNATURE load command. For example, here is how to do it with dd:

    % file ./TwoDots
    ./TwoDots: Mach-O 64-bit executable arm64
    % jtool2 -l TwoDots | grep SIG
    LC 42: LC_CODE_SIGNATURE Offset: 50448, Size: 21040 (0xc510-0x11740)
    % dd if=.
Read more

File Attributes in Fruity Devices

I wanted to spend some time looking around different file types in the Apple world, and this is what I’ve got.

Mach-O

Mach-O is the executable format used on macOS and iOS. In the Windows world the equivalent would be a .exe file. A Mach-O file contains a header made up of a series of load commands, which tell dyld information about the file. Some load commands specify metadata about the file, such as the version it is compiled for, or the file’s entry point.
Read more

Tampering with iOS Applications

On mobile assessments, we often report the “No Anti-Tampering” finding, but I’d like to explore this a bit, and maybe show you a different technique to demonstrate it. A lot of the time, this is shown by attaching Frida to the application, which is fine, assuming that the reader knows how Frida/Objection work under the hood. But let’s assume the reader does not know how Frida works and they only have our finding to go off.
Read more

IOLI Crackmes

Let’s download them:

    wget https://github.com/radareorg/radare2book/raw/master/crackmes/ioli/IOLI-crackme.tar.gz \
      && tar xvzf ./IOLI-crackme.tar.gz

crackme0x00

First, let’s see what happens when it’s run.

    % ./crackme0x00
    IOLI Crackme Level 0x00
    Password:
    Invalid Password!

Let’s see where “Password:” is in the strings of the binary.

    % strings ./crackme0x00 | grep -B1 -A1 Password
    IOLI Crackme Level 0x00
    Password:
    250382
    Invalid Password!
    Password OK :)
    GCC: (GNU) 3.4.6 (Gentoo 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10)

Alright, there is a number there; let’s use that as the password.
Read more