demo
ios
MASTG-TEST-0211
MASTG-DEMO-0015: Uses of Insecure Hashing Algorithms in CommonCrypto with r2
Sample
MastgTest.swift
import Foundation
import CommonCrypto
struct MastgTest {
    /// Renders a digest buffer as lowercase hex, two characters per byte.
    private static func hexString(from digest: [UInt8]) -> String {
        var encoded = ""
        for byte in digest {
            encoded += String(format: "%02hhx", byte)
        }
        return encoded
    }

    /// Returns the SHA-1 digest of `data` as a lowercase hex string.
    ///
    /// SHA-1 is called deliberately: this sample exists so that the `CC_SHA1`
    /// import and its call site can be located in the compiled binary. SHA-1 is
    /// not collision resistant; code that hashes for a security purpose should
    /// use SHA-256 or stronger (`CC_SHA256`, or `SHA256` from CryptoKit).
    static func generateSHA1Hash(data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA1_DIGEST_LENGTH))
        data.withUnsafeBytes { rawBuffer in
            // The returned pointer is discarded; the digest is written into `digest`.
            // CC_LONG(_:) traps if data.count does not fit the C length type.
            _ = CC_SHA1(rawBuffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return hexString(from: digest)
    }

    /// Returns the MD5 digest of `data` as a lowercase hex string.
    ///
    /// MD5 is called deliberately, for the same reason as SHA-1 above: the
    /// `CC_MD5` call is what the static analysis in this demo is meant to find.
    /// MD5 is not collision resistant and must not back any security decision.
    static func generateMD5Hash(data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_MD5_DIGEST_LENGTH))
        data.withUnsafeBytes { rawBuffer in
            // The returned pointer is discarded; the digest is written into `digest`.
            _ = CC_MD5(rawBuffer.baseAddress, CC_LONG(data.count), &digest)
        }
        return hexString(from: digest)
    }

    /// Hashes a fixed sample string with SHA-1 and MD5 and passes a three-line
    /// report (original text, SHA-1 hex, MD5 hex) to `completion`.
    ///
    /// - Parameter completion: Called once, before this function returns, with the report.
    static func mastgTest(completion: @escaping (String) -> Void) {
        let sampleText = "This is a sample text"
        // Data(_:) over the UTF-8 view cannot fail, so no force unwrap is involved.
        let input = Data(sampleText.utf8)

        let sha1Hash = generateSHA1Hash(data: input)
        let md5Hash = generateMD5Hash(data: input)

        let value = """
        Original: \(sampleText)
        SHA-1 Hash: \(sha1Hash)
        MD5 Hash: \(md5Hash)
        """
        completion(value)
    }
}
Steps
Unzip the app package and locate the main binary file (Exploring the App Package), which in this case is ./Payload/MASTestApp.app/MASTestApp.
Open the app binary with radare2 for iOS, using the -i option to run this script.
cchash.r2
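# List the CommonCrypto hash imports, the call sites that reference them,
# and the disassembly around each call.
#
# Every address below is specific to this build of MASTestApp. For another
# binary, take the import addresses from the `afl~CC_` output and the call-site
# addresses from the `axt` output, then update the script.

?e;?e

# afl lists the functions found by analysis; ~CC_ keeps only lines containing "CC_".
?e Uses of CommonCrypto hash function:
afl~CC_

?e

# axt prints cross-references to the given address (here: the CC_MD5 import).
?e xrefs to CC_MD5:
axt @ 0x1000071a8

# Same for the CC_SHA1 import.
?e xrefs to CC_SHA1:
axt @ 0x1000071b4

?e

# pd-- 5 disassembles the instructions surrounding the address, which here is
# the call site reported by axt for CC_MD5.
?e Use of MD5:
pd-- 5 @ 0x1000048c4

?e

# Call site reported by axt for CC_SHA1.
?e Use of SHA1:
pd-- 5 @ 0x10000456c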
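# run.sh
# -q: no interactive prompt, quit when the script is done
# -i: run the r2 commands in cchash.r2
# -A: analyze the binary on load so functions and xrefs are available to the script
# An r2 script can also invoke shell commands, so only pass -i a script you have read.
r2 -q -i cchash.r2 -A MASTestApp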
Observation
The output contains all uses of CommonCrypto hash functions in the binary, the xrefs for CC_MD5 and CC_SHA1, and the disassembled code of the region where each of these functions is called.
output.txt
Uses of CommonCrypto hash function :
0x1000071a8 1 12 sym . imp . CC_MD5
0x1000071b4 1 12 sym . imp . CC_SHA1
xrefs to CC_MD5 :
( nofunc ) 0x1000048c4 [ CALL : -- x ] bl sym . imp . CC_MD5
xrefs to CC_SHA1 :
( nofunc ) 0x10000456c [ CALL : -- x ] bl sym . imp . CC_SHA1
Use of MD5 :
0x1000048b0 ffe301f8 stur xzr , [ sp , 0x1e ]
0x1000048b4 ff0f00f9 str xzr , [ sp , 0x18 ]
0x1000048b8 e01b00f9 str x0 , [ sp , 0x30 ]
0x1000048bc e0630091 add x0 , sp , 0x18
0x1000048c0 01008052 mov w1 , 0
; CODE XREF from sym.func. 100004728 @ + 0xf0 ( x )
0x1000048c4 390 a0094 bl sym . imp . CC_MD5
0x1000048c8 e00316aa mov x0 , x22
0x1000048cc e10314aa mov x1 , x20
0x1000048d0 7 d000094 bl sym . func .100004 ac4
; CODE XREF from sym.func. 100004728 @ + 0x184 ( x )
0x1000048d4 e00316aa mov x0 , x22
Use of SHA1 :
0x100004558 ffe301f8 stur xzr , [ sp , 0x1e ]
0x10000455c ff0f00f9 str xzr , [ sp , 0x18 ]
0x100004560 e01b00f9 str x0 , [ sp , 0x30 ]
0x100004564 e0630091 add x0 , sp , 0x18
0x100004568 01008052 mov w1 , 0
; CODE XREF from sym.func. 1000043 cc @ + 0xf4 ( x )
0x10000456c 120 b0094 bl sym . imp . CC_SHA1
0x100004570 e00316aa mov x0 , x22
0x100004574 e10314aa mov x1 , x20
0x100004578 53010094 bl sym . func .100004 ac4
; CODE XREF from sym.func. 1000043 cc @ + 0x188 ( x )
0x10000457c e00316aa mov x0 , x22
Evaluation
The test fails because the MD5 and SHA1 algorithms were found in the code.
Remember that context is important when evaluating the use of these algorithms. In some cases, the use of MD5 or SHA1 may be acceptable, for example, when the algorithm is used for checksums or non-cryptographic purposes. A checksum only counts as such a case when it guards against accidental corruption; if it is meant to detect deliberate tampering, it is a security use. To determine this, you should further analyze the reverse-engineered code and try to learn more about the context in which these algorithms are used.