MASTG-DEMO-0015: Uses of Insecure Hashing Algorithms in CommonCrypto with r2

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Sample

MastgTest.swift
import Foundation
import CommonCrypto

struct MastgTest {
    // Function to generate a SHA-1 hash
    static func generateSHA1Hash(data: Data) -> String {
        var hash = [UInt8](repeating: 0, count: Int(CC_SHA1_DIGEST_LENGTH))
        data.withUnsafeBytes {
            _ = CC_SHA1($0.baseAddress, CC_LONG(data.count), &hash)
        }
        return hash.map { String(format: "%02hhx", $0) }.joined()
    }

    // Function to generate an MD5 hash
    static func generateMD5Hash(data: Data) -> String {
        var hash = [UInt8](repeating: 0, count: Int(CC_MD5_DIGEST_LENGTH))
        data.withUnsafeBytes {
            _ = CC_MD5($0.baseAddress, CC_LONG(data.count), &hash)
        }
        return hash.map { String(format: "%02hhx", $0) }.joined()
    }

    static func mastgTest(completion: @escaping (String) -> Void) {
        let input = "This is a sample text".data(using: .utf8)!

        // Generate SHA-1 hash
        let sha1Hash = generateSHA1Hash(data: input)

        // Generate MD5 hash
        let md5Hash = generateMD5Hash(data: input)

        let value = """
        Original: \(String(data: input, encoding: .utf8)!)
        SHA-1 Hash: \(sha1Hash)
        MD5 Hash: \(md5Hash)
        """

        completion(value)
    }
}

Steps

  1. Unzip the app package and locate the main binary file (see Exploring the App Package), which in this case is ./Payload/MASTestApp.app/MASTestApp.
  2. Open the app binary with radare2 (see radare2 for iOS), passing the -i option to run the script below.

cchash.r2
?e;?e

?e Uses of CommonCrypto hash function:
afl~CC_

?e

?e xrefs to CC_MD5:
axt @ 0x1000071a8

?e xrefs to CC_SHA1:
axt @ 0x1000071b4

?e

?e Use of MD5:
pd-- 5 @ 0x1000048c4

?e

?e Use of SHA1:
pd-- 5 @ 0x10000456c

run.sh
r2 -q -i cchash.r2 -A MASTestApp

Observation

The output contains all uses of CommonCrypto hash functions in the binary, the xrefs for CC_MD5 and CC_SHA1 and the disassembled code of the region where each of these functions is called.

output.txt
Uses of CommonCrypto hash function:
0x1000071a8    1     12 sym.imp.CC_MD5
0x1000071b4    1     12 sym.imp.CC_SHA1

xrefs to CC_MD5:
(nofunc) 0x1000048c4 [CALL:--x] bl sym.imp.CC_MD5
xrefs to CC_SHA1:
(nofunc) 0x10000456c [CALL:--x] bl sym.imp.CC_SHA1

Use of MD5:
            0x1000048b0      ffe301f8       stur xzr, [sp, 0x1e]
            0x1000048b4      ff0f00f9       str xzr, [sp, 0x18]
            0x1000048b8      e01b00f9       str x0, [sp, 0x30]
            0x1000048bc      e0630091       add x0, sp, 0x18
            0x1000048c0      01008052       mov w1, 0
            ; CODE XREF from sym.func.100004728 @ +0xf0(x)
            0x1000048c4      390a0094       bl sym.imp.CC_MD5
            0x1000048c8      e00316aa       mov x0, x22
            0x1000048cc      e10314aa       mov x1, x20
            0x1000048d0      7d000094       bl sym.func.100004ac4
            ; CODE XREF from sym.func.100004728 @ +0x184(x)
            0x1000048d4      e00316aa       mov x0, x22

Use of SHA1:
            0x100004558      ffe301f8       stur xzr, [sp, 0x1e]
            0x10000455c      ff0f00f9       str xzr, [sp, 0x18]
            0x100004560      e01b00f9       str x0, [sp, 0x30]
            0x100004564      e0630091       add x0, sp, 0x18
            0x100004568      01008052       mov w1, 0
            ; CODE XREF from sym.func.1000043cc @ +0xf4(x)
            0x10000456c      120b0094       bl sym.imp.CC_SHA1
            0x100004570      e00316aa       mov x0, x22
            0x100004574      e10314aa       mov x1, x20
            0x100004578      53010094       bl sym.func.100004ac4
            ; CODE XREF from sym.func.1000043cc @ +0x188(x)
            0x10000457c      e00316aa       mov x0, x22

Evaluation

The test fails because the MD5 and SHA1 algorithms were found in the code.

Remember that context is important when evaluating the use of these algorithms. In some cases, the use of MD5 or SHA1 may be acceptable, for example, when the algorithm is used for checksums or other non-cryptographic purposes. To determine that, you should further analyze the reverse-engineered code and try to learn more about the context in which these algorithms are used.
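
The pass/fail decision above can be scripted by parsing the `afl~CC_` and `axt` rows of output.txt. The following is an added example, not part of the original demo or the MASTG project's code; the `evaluate` function, its regexes, and the extension to CC_MD2, CC_MD4 and the `_Init`/`_Update`/`_Final` variants are assumptions of this example.

```python
import re

# Digests flagged by this example. CC_MD5 and CC_SHA1 are the ones the page tests for;
# CC_MD2/CC_MD4 and the _Init/_Update/_Final variants are an extension (assumption).
WEAK = re.compile(r"^CC_(MD2|MD4|MD5|SHA1)(?:_(?:Init|Update|Final))?$")

# `afl~CC_` row:  <addr> <nbbs> <size> sym.imp.<name>
IMPORT_RE = re.compile(r"^(0x[0-9a-f]+)\s+\d+\s+\d+\s+sym\.imp\.(\w+)$")
# `axt` row:      <caller> <addr> [CALL:--x] bl sym.imp.<name>
XREF_RE = re.compile(r"^(\S+)\s+(0x[0-9a-f]+)\s+\[CALL[^\]]*\]\s+bl\s+sym\.imp\.(\w+)$")


def evaluate(r2_output: str) -> dict:
    """Collect weak CommonCrypto digest imports and their call sites."""
    imports, calls = {}, []
    for raw in r2_output.splitlines():
        line = raw.strip()
        if m := IMPORT_RE.match(line):
            addr, name = m.groups()
            if WEAK.match(name):
                imports[name] = addr
        elif m := XREF_RE.match(line):
            caller, addr, name = m.groups()
            if w := WEAK.match(name):
                calls.append((w.group(1), addr, caller))
    # The test fails as soon as a weak digest is imported or called.
    return {"imports": imports, "calls": calls, "passed": not (imports or calls)}


# Rows taken from the page's output.txt, plus one constructed CC_SHA256 row
# (not in the original output) to show that stronger digests are not flagged.
SAMPLE = """\
Uses of CommonCrypto hash function:
0x1000071a8    1     12 sym.imp.CC_MD5
0x1000071b4    1     12 sym.imp.CC_SHA1
0x1000071c0    1     12 sym.imp.CC_SHA256

xrefs to CC_MD5:
(nofunc) 0x1000048c4 [CALL:--x] bl sym.imp.CC_MD5
xrefs to CC_SHA1:
(nofunc) 0x10000456c [CALL:--x] bl sym.imp.CC_SHA1
            0x1000048c4      390a0094       bl sym.imp.CC_MD5
"""

if __name__ == "__main__":
    result = evaluate(SAMPLE)
    for algo, addr, caller in result["calls"]:
        print(f"{algo} called at {addr} (caller: {caller})")
    print("PASS" if result["passed"] else "FAIL: weak hashing algorithm in use")
```

A FAIL result only marks the call sites for review; whether each use is security-relevant still depends on the context discussed above.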