
Hopper disassembler python scripts
Using Hopper scripting to analyse MacRansom

This week, Objective-See published a walkthrough of the recently released “Malware as a Service” family, MacRansom, originally identified by FortiNet. Patrick from Objective-See does a brilliant fly-by of the malware using LLDB, and presents some nice “anti anti-analysis” tricks. If you are interested in the internals of the malware, I’d recommend that you take a look.

Seeing how uncommon this type of “MaaS” is on macOS (at the minute at least), this was a good opportunity to break out Hopper and see how well it handles malware analysis. If you have never used Hopper before, it is a low-cost disassembler with incredible support for Objective-C and Swift binaries. This often makes it my go-to disassembler for Mac applications.

In the case of MacRansom, we quickly see that this malware variant does not use either of the above. As we move to the entry point of the application with Hopper, we find a stack canary being added. This, alongside the lack of any of the usual objc_msgSend calls or method name mangling, indicates that this malware was likely written in C or C++.

As we continue, we notice there are no identified strings contained within the binary. This can indicate a number of things, most likely some form of encryption or packing, but it is certainly unusual for a binary to contain no identifiable strings at all.

Reviewing the disassembly, we come across an interesting function at address 0x100001f30 which is referenced throughout the malware and is passed a pointer to a byte array as its argument. Looking at this function, we are quickly able to identify a common decryption signature. As seen in this disassembly, the XOR decryption key is set to 0xf799b659, and the XOR instruction is applied to the buffer in 4-byte blocks. For example, if we take a QWORD from the address 0x100002aa0 (an address passed to the decryption method early on in the malware) and apply the XOR key, we reveal the bytes 0x73 0x79 0x73 0x63 0x74 0x6c 0x20 0x68, or the ASCII string “sysctl h”. This is obviously the reason we didn’t see any strings earlier :)

Looking at xrefs, we see that the address 0x100002aa0 is the base of what appears to be a number of XOR-encrypted values. Now, analysis would be pretty tedious if we had to manually recover each string, so instead we turn to Hopper’s scripting functionality. This means that our Hopper script should:

  • Read each DWORD starting at 0x100002aa0, and XOR each with the decryption key.
  • Write the decrypted DWORD over the top of the encrypted DWORD.
  • Search for any references to the decrypted string, and add an inline comment to make further analysis easier.

I rewrote the IDAPython script named objc2_xrefs_helper.py and developed a Python script for the Hopper Disassembler. I named this Hopper Python script objc2_xrefs_helper_hopper.py.

Some background regarding Objective-C can be found from here. As mentioned in that article, a function call is implemented by the message-sending mechanism in Objective-C. Unfortunately, this message-sending mechanism causes problems when trying to follow cross-references for selectors in Hopper Disassembler. Before rewriting the Python script for Hopper, therefore, we need to walk through the code of the IDAPython script objc2_xrefs_helper.py and understand all the details. It’s important that we figure out the low-level data structures of a Class in Objective-C, as well as the relationships between these data structures. I have included a figure showing the relationship between these related data structures, as shown below.

Figure 1. The relationship between the related data structures of a class in Objective-C.

To verify the functionality of objc2_xrefs_helper_hopper.py, I wrote a simple Cocoa application. The demo application can be downloaded from here. We load the executable Mach-O file of the demo application into Hopper Disassembler, as shown below.

Figure 2. Loading the demo application’s executable file into Hopper Disassembler.

The following is the Python script objc2_xrefs_helper_hopper.py (only these fragments of it are reproduced here):

    #author: Kai
    def getRefPtr(doc, classMethodsVA, objcSelRefs, objcMsgRefs, objcConst):
        namePtr = doc.readUInt64LE(classMethodsVA)  # get name field in struct _objc_method, it's the selector
        ...
        print 'xreffrom: ' + hex(x), 'xrefto: ' + hex(namePtr)
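The three steps of the MacRansom string-recovery script above, worked through as an added example (this is not the write-up's own Hopper script). It runs offline against a constructed in-memory stand-in for the Hopper document: the key 0xf799b659, the base address 0x100002aa0 and the recovered text "sysctl h" come from the write-up, while the rest of the sample strings, the assumption that the blob holds back-to-back NUL-terminated C strings padded to a DWORD boundary, the cross-reference table and the `FakeDocument` methods (`read_u32`, `write_u32`, `read_bytes`, `references_to`, `set_comment`) are this example's own constructions rather than Hopper's API; the page only attests `doc.readUInt64LE`.

```python
import struct

# Values taken from the write-up above.
XOR_KEY = 0xF799B659
STRING_BASE = 0x100002AA0

# Constructed sample plaintexts. Only the prefix "sysctl h" of the first string is
# attested by the write-up; the remainder and the second string are made up here
# so that the loop has more than one entry to recover.
_PLAINTEXTS = [b"sysctl hw.model", b"second-string"]

# Constructed cross-reference table: string address -> code addresses that use it.
_XREFS = {
    STRING_BASE: [0x100001A10],
    STRING_BASE + 16: [0x100001A40, 0x100001B00],
}


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR a buffer with a 32-bit key, 4 bytes at a time, treating each block as a
    little-endian DWORD (byte i of a block pairs with byte i of the LE key).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def build_encrypted_blob(plaintexts) -> bytes:
    """Constructed layout assumption: each string is NUL-terminated, padded to a
    DWORD boundary, laid out back to back, then XORed with the key."""
    blob = b""
    for p in plaintexts:
        p += b"\x00"
        p += b"\x00" * (-len(p) % 4)
        blob += p
    return xor_dwords(blob, XOR_KEY)


class FakeDocument:
    """Stand-in for the Hopper Document object (example only, not Hopper's API):
    a byte buffer mapped at a base address, an xref table and a comment store."""

    def __init__(self, base: int, blob: bytes, xrefs: dict):
        self.base = base
        self.mem = bytearray(blob)
        self.xrefs = xrefs
        self.comments = {}

    def read_u32(self, addr: int) -> int:
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]

    def write_u32(self, addr: int, value: int) -> None:
        struct.pack_into("<I", self.mem, addr - self.base, value)

    def read_bytes(self, addr: int, n: int) -> bytes:
        off = addr - self.base
        return bytes(self.mem[off:off + n])

    def references_to(self, addr: int) -> list:
        return self.xrefs.get(addr, [])

    def set_comment(self, addr: int, text: str) -> None:
        self.comments[addr] = text


def make_sample_document() -> FakeDocument:
    """Build the constructed document holding the encrypted blob."""
    return FakeDocument(STRING_BASE, build_encrypted_blob(_PLAINTEXTS), _XREFS)


def decrypt_strings(doc: FakeDocument, base: int, key: int, total_len: int) -> dict:
    """Steps 1-3 from the write-up: read each DWORD from base, XOR it with the key,
    write the result back over the ciphertext, then comment every reference to
    the start of each recovered string. Returns {string address: text}."""
    for addr in range(base, base + total_len, 4):          # steps 1 and 2
        doc.write_u32(addr, doc.read_u32(addr) ^ key)

    data = doc.read_bytes(base, total_len)
    recovered = {}
    off = 0
    while off < total_len:                                 # split on NUL (assumption)
        end = data.find(b"\x00", off)
        if end == -1:
            break
        if end > off:                                      # skip padding bytes
            text = data[off:end].decode("ascii", errors="replace")
            recovered[base + off] = text
            for ref in doc.references_to(base + off):      # step 3
                doc.set_comment(ref, "decrypted: %r" % text)
        off = end + 1
    return recovered


if __name__ == "__main__":
    sample = make_sample_document()
    for addr, text in decrypt_strings(sample, STRING_BASE, XOR_KEY, len(sample.mem)).items():
        print(hex(addr), text)
    for addr, comment in sorted(sample.comments.items()):
        print(hex(addr), comment)
```

Inside Hopper, `FakeDocument` would be replaced by the real document object and its segment readers/writers, but the decryption and annotation logic stays the same; keeping it separate from the I/O layer is what makes it testable outside the disassembler.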
