jarkillo.blogg.se

How to encrypt a .txt file on mac

In Part 1 of our tutorial on macOS malware reverse engineering skills, we discovered a suspicious file containing encrypted code. Let’s continue our investigation of the malware sample in our isolated VM. It’s time to introduce static analysis techniques and the Mach-O binary format. Let’s run file on it and see what it says:

The file utility tells us that this is a Mach-O binary. We’ll keep the theory down to the minimum as this is a practical, hands-on tutorial, but we do need to cover the basics of what this means. If you’ve come from a Windows or Linux background, you’ll perhaps be familiar with their basic file types, PE and ELF. Although macOS shares Linux’s Unix heritage, it cannot natively run ELF (or, indeed, PE files, at least not without the help of importing a framework like Mono). Instead, it has a unique file format called Mach-O, which essentially comes in two flavors: the so-called “fat” or universal binaries, which contain multiple architectures, and the single-architecture Mach-O type. If you examine the perl binary, for example, with file and lipo, you’ll see that it’s a “fat” file. If you find yourself dealing with a “fat” binary, you can easily use the lipo tool to extract the Mach-O architecture, but we won’t be needing to do that in this tutorial.

Reversing Malware by Exploring Segments & Sections

Let’s use the pagestuff utility to have a first look at our binary’s internal structure. This tool is kind of odd in that the switches come after the file name:

Our Mach-O binary contains a number of segments, which are in turn composed of sections. For the purposes of this tutorial, we only need to know that the __TEXT segment contains the __text section, which contains all the executable functions and methods. A couple of good intros on this topic, which I highly recommend for anyone serious about getting into macOS malware reverse engineering, can be found here and here. The output of pagestuff shows us that the malware contains some interestingly-named Objective-C methods, including “deleteAppBySelf” and “silentlyFireURL:”. We can get similar and perhaps more useful info using the nm utility. I’ll use the -m switch here to display the Mach-O segment and section names in alphabetical order, but you should definitely check out its man page to see some of the other options. The method that immediately catches my eye from these outputs with regard to our mysterious encrypted text file is the “encryptDecryptOperation:” class method.

One of the most useful utilities for static analysis is the strings utility. Let’s dump the ASCII strings from the binary to a separate text file so we can more easily view and manipulate them. The strings utility has a number of options, but I like to use the - option. This causes the utility to look for strings in all bytes of the file:

$ strings - UnPackNw > ~/Malware/strings-.txt

There are some interesting things in here, including some URLs and other bundle identifiers. We even find a file reference to the developer’s own file system and some user names. This kind of info can be extremely useful if you are trying to establish attribution in a malware campaign. If you’re familiar with using strings on Linux, be aware that the macOS version isn’t quite the same. Specifically, it doesn’t have the ability to decode unicode, so for serious work you might want to try something like floss, which is a bit more powerful. Examining the strings in a file can give you a very good overview of a malware’s functionality, but we still haven’t got any closer to our encrypted text file.

Let’s take a quick look at what you can do with otool. As with strings and other tools, I usually dump all this info to separate text files so that I can pore through them at will. Let’s start with seeing what shared libraries a binary links to.

From this, we can see our malware will have some ability to implement browser features via linking to the WebKit framework, something we’d expect in an adware type infection. We can also dump the method names from the Mach-O binary’s ObjC section:

$ otool -oV UnPackNw > ~/Malware/methods.txt

Most usefully, we can obtain the disassembly with:

$ otool -tV UnPackNw > ~/Malware/disassembly.txt

In the disassembly, let’s search for the name of our obfuscated text file, ‘unpack’:

Examine the code between lines 48 and 58. Here we see the call to get the file’s contents from the bundle’s Resource folder. Scrolling down to line 67, we see the creation of a string from the contents of the file and then the call to decrypt the string on line 73.
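Returning to the fat-versus-thin distinction and the segments and sections that file, lipo and pagestuff report above, here is an added example (not code from the original tutorial) that does the same two checks by hand: it reads the leading magic to tell a fat header from a thin 64-bit Mach-O, then walks the load commands to list each segment’s sections. The sample images it runs on are constructed in the code; it assumes little-endian (x86_64/arm64) headers.

```python
import struct

# Magic values from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O, little-endian file
MH_CIGAM_64 = 0xCFFAEDFE      # same magic seen byte-swapped
FAT_MAGIC = 0xCAFEBABE        # fat/universal header, always big-endian
LC_SEGMENT_64 = 0x19          # 64-bit segment load command

def classify(data):
    """Return 'fat', 'thin64' or 'unknown' from the leading magic, as file/lipo do."""
    if len(data) < 4:
        return "unknown"
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return "fat"
    if struct.unpack("<I", data[:4])[0] in (MH_MAGIC_64, MH_CIGAM_64):
        return "thin64"
    return "unknown"

def segments_and_sections(data):
    """Walk a little-endian thin 64-bit header's load commands; return [(segname, [sectnames])]."""
    # mach_header_64 is 32 bytes; ncmds sits at offset 16
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off, result = 32, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            # segment_command_64: segname at +8 (16 bytes), nsects at +64, 72 bytes total
            segname = data[off + 8:off + 24].rstrip(b"\0").decode()
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            # each section_64 is 80 bytes and begins with its 16-byte sectname
            sects = [data[s:s + 16].rstrip(b"\0").decode()
                     for s in range(off + 72, off + 72 + 80 * nsects, 80)]
            result.append((segname, sects))
        off += cmdsize
    return result

def build_thin_sample():
    """Constructed toy Mach-O 64 image: one __TEXT segment holding one __text section."""
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT",
                       0x1000, 0x40, 0x1000, 4, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + len(sect), b"__TEXT",
                      0, 0x2000, 0, 0x2000, 7, 5, 1, 0)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                      1, len(seg) + len(sect), 0, 0)
    return hdr + seg + sect

def build_fat_sample():
    """Constructed fat header claiming two architectures (fat_arch entries zeroed)."""
    return struct.pack(">II", FAT_MAGIC, 2) + b"\0" * 40
```

On a real sample, `classify(open(path, "rb").read())` gives the same verdict as file, and a fat result is the cue to split the image with lipo before walking its load commands.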
