Hi everyone... I'm Luke... Datalocaltmp on Twitter...
Today I'm here to give you a workshop on Mobile Visualizations for Reverse Engineering and Debugging.
The aim of this workshop is to give you an introduction and the tools to get started in coverage guided reverse engineering.
Quick obligatory whoami
datalocaltmp
Founded Signal 11 Research where I am the sole employee - working primarily on Android and iOS security.
Worked on consumer privacy with regard to apps on Android and iOS - causing some issues for big companies like AirCanada.
Claimed a bunch of bounties and will be presenting at DEFCON this year at the XR Village.
* If you're looking to follow along today:
* I'm going to be showing all my work in Ghidra - but once you have the coverage files they will load into IDA or Binja fine
* For my work I use Cartographer in Ghidra and that's what today's workshop will be in - but if you're inclined you can go download the Lighthouse coverage tool for Binja or IDA.
* For iOS you'll need an iPhone that is jailbroken - with TrollInstallerX - and Frida. I'm not expecting many to be able to follow this portion, but it's available to follow along from home later.
* For Android - while you can use a non-rooted device by injecting a frida-gadget - I'm going to work under the assumption you have a rooted emulator or device. If you're lacking one I have a spare!
* So what are we covering today?
* I'll be making sure we're all on the same page when it comes to CFGs and coverage - just so we start off on the right foot.
* I'll go into some examples of when coverage guided reverse engineering can help.
* Then we'll get into the meat and potatoes of producing coverage for mobile
* A control flow graph (CFG) represents the flow of logic within a function or program.
* Basic blocks (straight-line runs of instructions with a single entry and a single exit) are the nodes.
* Edges represent the possible transfers between blocks - conditional branches, fall-throughs and unconditional jumps.
* Most disassemblers and decompilers (Ghidra, IDA, Binary Ninja) generate CFGs for you.
* On the right is actually a CFG from a Meta app - and I wanted to know - which of the basic blocks were executing in the red and blue zones before a crash occurred later on?
* Well the way I can answer that is by generating Coverage for this function
* The image on the right is a zoomed-in version of the previous CFG with every block that executed before the crash highlighted.
* Saved me a lot of time and breakpoints
* But in general - when I say Coverage I mean "metadata on which basic blocks executed within a program".
* For native execution this is generally captured in the DRCOV file format - it originated with DynamoRIO's drcov tool, and Cartographer and Lighthouse both load it.
* DRCOV is produced by a bunch of tools, but the primary ones this crowd would likely be interested in are fuzzers and Frida.
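To make "metadata on which basic blocks executed" concrete, here is an added example (not code from the workshop or from Cartographer/Lighthouse) that writes and parses a DRCOV v2 file. The format is an ASCII header (version, flavor, module table) followed by a binary basic-block table where each entry is a little-endian `<start offset from module base: uint32><size: uint16><module id: uint16>`. The module table and the list of executed blocks are constructed sample data, and the library path `/data/app/libtarget.so` and the function range passed to `covered_offsets` are assumptions for the illustration.

```python
"""Minimal DRCOV v2 writer/reader and a helper that answers the question from
the slide: which basic blocks of a given function executed?

DRCOV layout (as written by DynamoRIO's drcov and Lighthouse's frida-drcov.py):
    DRCOV VERSION: 2
    DRCOV FLAVOR: <tool>
    Module Table: version 2, count N
    Columns: id, base, end, entry, checksum, timestamp, path
    <N module lines>
    BB Table: M bbs
    <M packed entries: uint32 start, uint16 size, uint16 mod_id, little-endian>
"""
import struct
from dataclasses import dataclass

BB_ENTRY = struct.Struct("<IHH")  # start (module-relative), size, mod_id


@dataclass(frozen=True)
class Module:
    id: int
    base: int
    end: int
    path: str


@dataclass(frozen=True)
class BasicBlock:
    start: int   # offset from the owning module's base, as drcov records it
    size: int    # block length in bytes; drcov caps this at a uint16
    mod_id: int


# Constructed sample data: one loaded library and three blocks a fake trace hit.
SAMPLE_MODULES = [Module(0, 0x7F0000000000, 0x7F0000100000, "/data/app/libtarget.so")]
SAMPLE_BLOCKS = [
    BasicBlock(0x1000, 12, 0),
    BasicBlock(0x100C, 8, 0),
    BasicBlock(0x2040, 20, 0),
]


def write_drcov(modules, blocks, flavor="frida"):
    """Serialise a module table plus executed blocks into DRCOV v2 bytes."""
    header = (
        "DRCOV VERSION: 2\n"
        f"DRCOV FLAVOR: {flavor}\n"
        f"Module Table: version 2, count {len(modules)}\n"
        "Columns: id, base, end, entry, checksum, timestamp, path\n"
    )
    for m in modules:
        # entry/checksum/timestamp are not needed by coverage viewers; leave them zero
        header += f"{m.id:3d}, {m.base:#018x}, {m.end:#018x}, 0x0, 0x0, 0x0, {m.path}\n"
    header += f"BB Table: {len(blocks)} bbs\n"
    body = b"".join(BB_ENTRY.pack(b.start, b.size, b.mod_id) for b in blocks)
    return header.encode() + body


def parse_drcov(data):
    """Parse DRCOV v2 bytes back into (modules, blocks)."""
    marker = b"BB Table: "
    idx = data.index(marker)
    eol = data.index(b"\n", idx)
    count = int(data[idx + len(marker):eol].decode().split()[0])
    modules = []
    for line in data[:idx].decode().splitlines():
        if line.startswith(("DRCOV", "Module Table", "Columns")):
            continue
        # Module paths containing commas are not handled by this toy parser.
        parts = [p.strip() for p in line.split(",")]
        modules.append(Module(int(parts[0]), int(parts[1], 16), int(parts[2], 16), parts[-1]))
    blocks = []
    off = eol + 1
    for _ in range(count):
        start, size, mod_id = BB_ENTRY.unpack_from(data, off)
        blocks.append(BasicBlock(start, size, mod_id))
        off += BB_ENTRY.size
    return modules, blocks


def covered_offsets(blocks, modules, path, func_start, func_end):
    """Sorted module-relative offsets of executed blocks inside [func_start, func_end)
    of the module with the given path - the set a coverage viewer would highlight."""
    ids = {m.id for m in modules if m.path == path}
    return sorted({b.start for b in blocks
                   if b.mod_id in ids and func_start <= b.start < func_end})


def roundtrip_sample():
    """Write the constructed trace out and read it back; returns the parsed pair."""
    return parse_drcov(write_drcov(SAMPLE_MODULES, SAMPLE_BLOCKS))


if __name__ == "__main__":
    mods, bbs = roundtrip_sample()
    # Assumed function range 0x1000-0x1020 inside the sample library.
    print(covered_offsets(bbs, mods, "/data/app/libtarget.so", 0x1000, 0x1020))
```

Because drcov stores offsets relative to the module base rather than absolute addresses, a file captured on a device with ASLR maps cleanly onto the unrebased library in Ghidra; the module table is what lets the viewer match the entry to the right binary.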