This is obviously the reason we didn’t see any strings earlier :) For example, if we take a QWORD from the address 0x100002aa0 (an address passed to the decryption method early on in the malware) and we apply the XOR key, we reveal the bytes 0x73 0x79 0x73 0圆3 0x74 0圆c 0x20 0圆8, or the ASCII string of sysctl h.
This instruction is applied to the buffer in 4 byte blocks. Looking at this function, we are quickly able to identify a common decryption signature:Īs seen in this disassembly, the XOR decryption key is set to 0xf799b659. Reviewing the disassembly, we come across an interesting function at address 0x100001f30 which is referenced throughout the malware and passed an argument of a pointer to a byte array. This can indicate a number of things, most likely is some form of encryption or packing, but it is certainly unusual for a binary to contain no identifiable strings at all. This, alongside the lack of any of the usual objc_msgsend calls, or method name mangling, indicate that this malware was likely written in C or C++.Īs we continue, we notice there are no identified strings contained within the binary:
As we move to the entry point of the application with Hopper, we find a stack canary being added: In the case of MacRansom, we quickly see that this malware variant does not use either of the above.
HOPPER DISASSEMBLER FOR MAC FOR MAC
This often makes it my goto disassembler for Mac applications. If you have never used Hopper before, it is a low cost disassembler with incredible support for Objective-C and Swift binaries. Seeing how uncommon this type of “MaaS” is on MacOS (at the minute at least), this was a good opportunity to break out Hopper and see how well it handles malware analysis. If you are interested in the internals of the malware, I’d recommend that you take a look. Patrick from Objective-See does a brilliant fly-by of the malware using LLDB, and presents some nice “anti anti-analysis” tricks. This week, Objective-See published a walkthrough of the recently released “Malware as a Service” family, MacRansom, originally identified by FortiNet. Cutter is built on top of Qt and C++.« Back to home Using Hopper scripting to analyse MacRansom The official graphic user interface of radare2 is called Cutter (originally named Iaito). This is how the Visual Graph Mode looks like: Radare2 has a powerful command line visual modes to help you go through the program and super useful while debugging. This should be enough in order to learn the basics of radare. You'll need to perform several more steps in order to sign radare and make it ready to debug applications without the need of root permissions.
It’s recommended to use the current git version of radare2. Note that, in my opinion, the learning curve of r2 is pretty steep and it'll take some time to get use to it. You can find most of the features you have in IDA in radare (including the option to edit a binary that you debug) and in case you lack some feature you can always open a request on the Github page or develop it by yourself. *BSD, iOS, OSX, Solaris…) and it supports tons of architectures and file formats.
HOPPER DISASSEMBLER FOR MAC WINDOWS
It has great scriptingĬapabilities, it runs on all major platforms (GNU/Linux, Windows Searching, replacing, visualizing and more. Radare2 is an open source framework for reverse engineering andīinary analysis which implements a rich command line interface forĭisassembling, analyzing data, patching binaries, comparing data, I highly recommend radare2 which seems to suit you the best:
0 kommentar(er)
