Wed, 21 Dec 2011

The first one...

My name is Kabelo Ramtse, a second year engineering student at the University Of Cape Town. Today is the last day of my internship which ran for four weeks during my December vacation at the Cape Town office.

Internships are a new idea at SensePost aimed at students and are intended to give them exposure to the information security industry. I am the first person to take part in the program.

My main responsibility was to chronologically order, summarize and upload past SensePost presentations. The presentations are available here. The presentations Setiri and Breaking the bank are two of my favorites. Reading through the presentations taught me a lot about information security and made me even more keen to increase my knowledge in this field. Meeting the big boss and getting mini lectures from Marco was cool.

Tomorrow I fly home to Jo'burg to enjoy the rest of my vacation. Merry Christmas and happy new year!

Thu, 15 Dec 2011

Press Release - London Hacking & Security Courses

School's never out for the Pro!

We're proud to announce that we are now offering our highly successful penetration testing training courses to the UK market from 2012.

SensePost has been providing penetration testing training courses to corporates and governments across the globe, and at prestigious security events such as Black Hat and OWASP, for over a decade. Initially, three courses in London for 2012 have been organised:

  1. HBN Extended Edition (4 days) — 13-17, February 2012
  2. HBN W^3 Edition (3 days) — 14-16 March 2012
  3. HBN Unplugged (2 days) — 18-19 April 2012

The first course, HBN Extended Edition, is set at an introductory level for technical people without experience in the world of hacking or penetration testing. It presents attendees with the background information, technical skill and basic concepts that are required to get started in this field.

The second course, HBN W^3 Edition, is a highly practical, intermediate web application hacking course for those with some experience in security assessment and penetration testing. The course provides a refresher of HTTP and associated technologies before commencing with more advanced level attacks ranging from assessment techniques of traditional web applications, to newer technologies such as AJAX, rich client media and HTML 5.

Finally, the third course, HBN Unplugged Edition, is an entry-level wireless/wi-fi security training course. With a strong focus on results, the course outlines three broad offensive scenarios for wi-fi hacking and then presents students with the background knowledge, methodologies, tools and thinking skills required to successfully breach security in each of those scenarios.

All the courses are suitable for those responsible for penetration testing and security assessments including Information Security Officers, System and Network Administrators, Security Consultants and Government agents.

We've been running these courses successfully for years, and in response to the high demand from our UK clients, who are increasingly looking to improve their in-house penetration testing skills and capabilities, we are now offering them in the UK. With so few companies delivering effective security courses for those responsible for penetration testing and security assessments, we knew there was both a gap in the marketplace and a real need.

You can click here for more information, or contact us for direct support.

Tue, 6 Dec 2011

Competition winner announced

On Saturday Dec 3, at BSides Cape Town we announced the winner of a prize for local information security research. The purpose of the competition was twofold. Firstly, to highlight interesting research produced in .za for the purpose of publicising up 'n coming security folks, since there are a few disparate communities (academic / industry is the greatest split). Secondly, to provide some degree of reward in the form of a cash prize. The prize is (unsurprisingly) not meant to compensate for time spent, but rather to give the typical researcher who conducts the work in their spare time some recognition and perhaps a cool gadget to associate with the work.

The competition was a little disappointing for a single, but significant, reason: the lack of nominations. In all, six people nominated three pieces of work from two researchers. Considering there were four security conferences this year in South Africa, it's not possible that even a reasonable minority of the research produced was considered for the prize. This was a no-strings-attached cash prize; there is no handover of IP or copyright, and no requirements on the winner (though we do offer an interview on our blog to publicise their work, should they choose to). With this in mind, it's strange how few nominations were received; for example, while the competition received some coverage on Twitter, very few nominations originated from there. The timing was tight (the competition was announced two weeks prior to BSides), but that only accounts for a smaller reach, not a lack of involvement.

The two nominees were:

Given the small number of nominations, the panel was composed of three SensePost'ers, Dominic, Ian and myself.

The! winner! of! the! R5000! prize! was! Etienne! Stalmans!

In addition, a finder's fee of R500 was offered to the person who nominated the winning entry. Etienne received two nominations, and so a coin was flipped to determine who got the fee; Samuel Hunter was the winner.

Thanks to Pieter for organising BSides Cape Town and providing us a spot to announce the winners, and thanks to everyone who sent in a nomination. Compliments to both nominees for having their work recognised by others in the community, and congratulations to Etienne for winning the prize.

We remain committed to research and the sponsorship concept, so expect an announcement towards the end of next year and keep an eye open during the year for research that strikes you as interesting.

Mon, 21 Nov 2011

R5000 ZA research prize to be presented at B-Sides Cape Town, nominations sought

SensePost is proud to announce a competition to identify the best information security research published by a resident of South Africa in 2011 (Jan 1st to Dec 3rd). Much security research is unfunded and private but, when published, enters the toolsets and minds of security companies worldwide. South Africa's security industry is best-described as "fledgling", and we want to support researchers who produce quality research.

Heads up: even if you're not a researcher, you can still win by nominating work, so continue reading.

What are we doing?

On December 3 2011 at B-Sides Cape Town, SensePost will present a prize for the best research by a South African resident. In order to judge this, we are seeking nominations for the prize.

Dates?

  • November 21 - Competition announced
  • November 30 23:59 - Nominations close
  • December 3 - Winner announced at B-Sides Cape Town

Who qualifies as a nominator?

Any living person. You can nominate as many pieces of research as you like. You can also nominate your own work, provided it meets all the conditions below.

Who qualifies as a researcher?

Any resident of South Africa. Publication location can be local or international.

SensePost employees and members of the judging panel are obviously excluded.

What research qualifies?

A single piece of information security research published in 2011 at, at the minimum, a semi-formal venue. Conferences (industry cons such as ITWeb, ZaCon or B-Sides and academic cons such as ISSA, SATNAC or SAICSIT), journals, whitepapers all are in scope. Blogs, forums and IRC unfortunately don't count. We aim for inclusivity, so contact us (see below) if you're unsure.

We're seeking interesting / groundbreaking / game-changing information security research, either industry-focused or academically-inclined.

You're welcome to make multiple nominations for different work, and even nominate your own work.

What are the prizes?

R5000 (five grand) in cold hard cash, awarded to a single piece of work (no runner-ups), with the entire prize going to the winner. In the event of co-authors, the prize will be split as they deem fit. Should it not be possible to track down the prize holder (anonymous etc), then the prize money will be awarded to the next best work.

In addition, we'll award a R500 finder's fee to the person who nominated the winner. Should the winner have been nominated multiple times, then all verified nominator names will be placed into a hat and a single winner drawn.

Do I need to be present at B-Sides Cape Town?

No. While it would be great, your presence there isn't required. Winners will be announced at B-Sides and later notified via email. An interview will be conducted with the winner for further exposure of their research.

Who is judging this?

A few senior SensePost guys in collaboration with industry/academic peers. The full panel will be announced when the winners are announced.

Submission!!!

Mail the details below to zaprize@sensepost.com.

  • Researcher Name
  • Research Title
  • Publication Venue and Date
  • Your (nominator's) name. Handle is fine, but if you want to enter the finder's fee competition, we'll need a name too.

Boilerplate

The judges' decision is final and, while we will accept correspondence, it will be printed out and made fun of. But we're not changing our decisions.

Fri, 11 Nov 2011

Decrypting iPhone Apps

This blog post steps through how to convert encrypted iPhone application bundles into plaintext application bundles that are easier to analyse.

Requirements:

  1. Jailbroken iPhone with OpenSSH, gdb plus other utilities (com.ericasadun.utilities etc. etc.)
  2. An iPhone app
  3. On your machine:
  • otool (comes with iPhone SDK)
  • Hex editor (0xED, HexWorkshop etc.)
  • IDA - Versions 5.2 through 5.6 support remote debugging of iPhone applications (iphone_server).

For this article, I will use "blah" as the app name.

Some groundwork, taken from Apple's API docs [1, 2]:

iPhone apps are based on the Mach-O (Mach Object) file format. The image below illustrates the file format at a high level:

A Mach-O file contains three major regions:

  1. At the beginning of every Mach-O file is a header structure that identifies the file as a Mach-O file. The header also contains other basic file type information, indicates the target architecture, and contains flags specifying options that affect the interpretation of the rest of the file.
  2. Directly following the header are a series of variable-size load commands that specify the layout and linkage characteristics of the file. Among other information, the load commands can specify:
  • The initial layout of the file in virtual memory
  • The location of the symbol table (used for dynamic linking)
  • The initial execution state of the main thread of the program
  • The names of shared libraries that contain definitions for the main executable's imported symbols
  3. Following the load commands, all Mach-O files contain the data of one or more segments. Each segment contains zero or more sections. Each section of a segment contains code or data of some particular type. Each segment defines a region of virtual memory that the dynamic linker maps into the address space of the process. The exact number and layout of segments and sections is specified by the load commands and the file type.
  4. In user-level fully linked Mach-O files, the last segment is the link edit segment. This segment contains the tables of link edit information, such as the symbol table, string table, and so forth, used by the dynamic loader to link an executable file or Mach-O bundle to its dependent libraries.

iPhone apps are normally encrypted and are decrypted by the iPhone loader at run time. One of the load commands describes the encrypted region (its offset, size and whether it is currently encrypted), and the loader uses it to decrypt the executable.

Push EBP
Mov EBP, ESP
JMP loc_6969
loc_6969:
Once you have downloaded and installed an app on your iPhone, make a copy of the actual executable on your machine.

Note1: The blah.app is not the actual executable. If you browse this folder, you will find a binary file named blah. This is the actual application binary.

Note2: To find the path where your application is installed, ssh onto your iPhone and use the following command:

sudo find / | grep blah.app

Once you have copied the app binary to your machine, follow the steps below (on your local machine).

Open up a terminal and type the following command:

otool -l blah | grep crypt

This assumes that the iPhone SDK or otool is already installed on your machine.

The above command will produce the following output:

If cryptid is set to 1, the app is encrypted. cryptoff and cryptsize indicate the file offset and size of the encrypted section respectively. First, we have to locate the cryptid in the binary and set it to zero. This is done so that when we finally decrypt the binary and execute it on the iPhone, the loader does not attempt to decrypt it again. I did not come across any definite method of locating the cryptid. Load the binary in a hex editor and search for "/System/Library/Frameworks". You should be able to locate it around offset 0x1000. In the line just above the very first instance of this string, you will find the byte 01. Flip it to 00 and save the file.

Note3: In case you find multiple instances of 01, use coin-tossing method of choosing between them.

Use otool again to query the crypt data. You will see that the cryptid is now set to 0 (zero).

Next, we need to run the app, which was installed on iPhone and take a memory dump.

Note4: The actual application code starts at 0x2000. The cryptsize in case of our sample app is 942080 (0xE6000). Hence, we add 0x2000 and 0xE6000.

0x2000 + 0xE6000 = 0xE8000
Therefore, we need to dump the running process from 0x2000 to 0xE8000. Now, ssh onto your iPhone, run the target app and look for its process id using the "ps -ax" command. Once you have the process id, use the following commands to dump the process:

gdb -p PID
dump memory blah.bin 0x2000 0xE8000

Once you have taken the memory dump, use the "quit" command to exit gdb. Use the following command to get the size of the memory dump:

ls -l blah.bin

The size of this bin file should be exactly the same as the cryptsize of the original app. Refer to the screenshot above. Now pull this bin file onto your local machine. On your local machine, load the bin file in a hex editor and copy everything (select all). Close the file and open the original app binary in the hex editor (the file in which we changed cryptid from 01 to 00). If you remember, the cryptoff was 4096, which is 0x1000 in hex. Go to file offset 0x1000 and make sure that your hex editor is in overwrite mode, not insert mode. Paste everything you copied from the bin file; this overwrites the encrypted section with the decrypted one. Save the file and you're done.
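The load-command walk described in the Mach-O overview above, together with the cryptid/cryptoff/cryptsize handling in the steps just given, as an added Python example that is not part of the original post. Instead of searching for the framework path string and guessing which 01 byte is cryptid, it parses the Mach-O header and load commands directly, reads the encryption info command, derives the gdb dump range from the segment that maps the encrypted region (which is how the post's 0x2000 follows from a cryptoff of 0x1000), clears cryptid at its exact file offset, and splices a memory dump back in only if its length equals cryptsize. The load-command constants are the documented values from Apple's mach-o/loader.h; the sample image is a constructed skeleton that reuses the post's numbers and is not a real app; the assumption is a single-architecture, little-endian image (a fat binary is rejected rather than split).

```python
import struct
import sys
from dataclasses import dataclass

# Documented constants from Apple's mach-o/loader.h and mach-o/fat.h
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
LC_SEGMENT, LC_SEGMENT_64 = 0x01, 0x19
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


@dataclass
class CryptInfo:
    cryptoff: int        # file offset of the encrypted region
    cryptsize: int       # its length in bytes
    cryptid: int         # 1 = encrypted, 0 = plaintext
    cryptid_offset: int  # file offset of the cryptid field itself
    vm_start: int        # virtual address the region is mapped at when the app runs


def parse_crypt_info(image: bytes) -> CryptInfo:
    """Walk the load commands and return the encryption info; no string searching involved."""
    if struct.unpack_from(">I", image, 0)[0] == FAT_MAGIC:
        raise ValueError("fat binary: extract a single architecture slice first")
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC:
        header_len = 28          # mach_header: 7 x uint32
    elif magic == MH_MAGIC_64:
        header_len = 32          # mach_header_64 adds a reserved uint32
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    end_of_cmds = header_len + sizeofcmds
    segments, crypt, off = [], None, header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end_of_cmds:
            raise ValueError("malformed load command at offset 0x%x" % off)
        if cmd == LC_SEGMENT:
            _, vmaddr, _, fileoff, filesize = struct.unpack_from("<16sIIII", image, off + 8)
            segments.append((vmaddr, fileoff, filesize))
        elif cmd == LC_SEGMENT_64:
            _, vmaddr, _, fileoff, filesize = struct.unpack_from("<16sQQQQ", image, off + 8)
            segments.append((vmaddr, fileoff, filesize))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", image, off + 8)
            crypt = (cryptoff, cryptsize, cryptid, off + 16)   # cryptid is the fifth uint32
        off += cmdsize
    if crypt is None:
        raise ValueError("no LC_ENCRYPTION_INFO load command found")
    cryptoff, cryptsize, cryptid, cryptid_offset = crypt
    # The run-time address of the region follows from whichever segment maps that file offset.
    for vmaddr, fileoff, filesize in segments:
        if fileoff <= cryptoff < fileoff + filesize:
            return CryptInfo(cryptoff, cryptsize, cryptid, cryptid_offset, vmaddr + (cryptoff - fileoff))
    raise ValueError("encrypted region is not covered by any segment")


def dump_range(info: CryptInfo) -> tuple:
    """Start and end virtual addresses for gdb's 'dump memory' (end is exclusive)."""
    return info.vm_start, info.vm_start + info.cryptsize


def clear_cryptid(image: bytes) -> bytes:
    """Return a copy with cryptid = 0 so the loader will not try to decrypt the image again."""
    info = parse_crypt_info(image)
    out = bytearray(image)
    struct.pack_into("<I", out, info.cryptid_offset, 0)
    return bytes(out)


def splice_decrypted(image: bytes, dump: bytes) -> bytes:
    """Overwrite the encrypted region with a dump of exactly cryptsize bytes and clear cryptid."""
    info = parse_crypt_info(image)
    if len(dump) != info.cryptsize:
        raise ValueError("dump is %d bytes but cryptsize is %d" % (len(dump), info.cryptsize))
    out = bytearray(clear_cryptid(image))
    out[info.cryptoff:info.cryptoff + info.cryptsize] = dump
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 32-bit ARM Mach-O skeleton reusing the post's numbers; not a real application."""
    text = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT", 0x1000, 0xE7000, 0, 0xE7000, 5, 5, 0, 0)
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0xE6000, 1)
    path = b"/System/Library/Frameworks/UIKit.framework/UIKit\0"
    path += b"\0" * (-len(path) % 4)                      # cmdsize must be a multiple of 4
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(path), 24, 0, 0, 0) + path
    cmds = text + enc + dylib
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 3, len(cmds), 0)   # CPU_TYPE_ARM, MH_EXECUTE
    image = header + cmds
    return image + b"\0" * (0xE7000 - len(image))        # pad to the end of the encrypted region


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    info = parse_crypt_info(data)
    print("cryptoff=0x%x cryptsize=0x%x cryptid=%d (cryptid field at file offset 0x%x)"
          % (info.cryptoff, info.cryptsize, info.cryptid, info.cryptid_offset))
    print("gdb: dump memory blah.bin 0x%x 0x%x" % dump_range(info))
```

Run it with a path to a single-architecture binary copied off the device to print the same three values otool reports plus the exact dump range; with no argument it runs against the constructed sample, where the range comes out as 0x2000 to 0xE8000 because __TEXT is mapped at 0x1000 and the encrypted region starts at file offset 0x1000. Keeping the cryptid write and the dump splice in one function means the two manual hex-editor steps cannot get out of sync, and the length check catches a short or over-long dump before it silently corrupts the binary.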

Open the file in IDA Pro and you'll see the difference between the encrypted and decrypted binaries. At this point, you can easily reverse engineer the app and patch it. The first image below shows an encrypted app and the second one illustrates a decrypted app:

After patching the application, ssh onto the iPhone and upload it to the application directory, replacing the original binary with the patched one. Once uploaded, install a utility called "ldid" on your iPhone:

apt-get install ldid

Finally, sign the patched binary using ldid:

ldid -s blah

This will fix the code signature and you will be able to run the patched app on your iPhone.

References:

1) http://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html

2) http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html
