Since it appeared as though no one else had done so, I decided to reverse engineer Symantec's VIP client myself.

I originally started working on this project around this time last year. I worked on it on and off for a few months, but I never made much progress. This was partially due to the fact that I was attempting to de-obfuscate a heavily […]. I eventually got tired of that project and set […].

That "rainy day" came earlier this year when I saw this post, in which someone reversed their bank's obfuscated Android 2FA application in order to create a hardware token for it. Interestingly enough, the obfuscation used in that application was strikingly similar to the kind I found the VIP Access Android app using. Despite this newfound knowledge, I was still unable to deobfuscate many of the important portions of the application. I still thought that VIP Access used a proprietary algorithm to generate one-time passwords.

Earlier this month, I found this script, in which I learned that VIP Access didn't use a proprietary algorithm to generate the tokens. […] learned that Symantec had released VIP Access applications for OS X and […]. While this token extractor would have almost fit my needs, I really didn't want to have to rely on Symantec's proprietary client in order to […]. Plus, this script only works on OS X, so Linux and Windows users would be unable to extract their keys.

[…] recently-purchased disassembler (Hopper), I downloaded the VIP Access application and got to work.

The Process

Analysis of the Client-Server Communications

I started by opening the VIP Access application. […] indicates that the program is "Activating VIP Access". […] if the program was calling out to some server to activate, so I fired up […].

Here's an example of a provisioning request made by the application that would […]. Because that request is really hard to read, I've run it through an XML […]:

    1412030064
    mxk5NtUnCwd36GEpQq6+Zmnh+rPKDePuS/XYci6/WD0=

Notice how the values for Manufacturer, SerialNo, Model, ClientID, and IMacOs all have newline characters in the strings? This will be important later.

For now, let's look at the response we get back:

    0000 Success
    HTTPS
    u5lgf1Ek8WA0iiIwVkjy26j6pfk=
    50
    Fsg1KafmAX80gUEDADijHw=
    OU = ID Protection Center, O = VeriSign, Inc.
    30 0 4
    OU = ID Protection Center, O = VeriSign, Inc.
    ILBweOCEOoMBLJARzoeUIlu0+5m6b3khZljd5dozARk=
    MoaidW7XDzeTZJqhfRQCZEieARM=
    T23:36:22.056Z
    1412030065

As you can see, these requests use XML and most of the fields are pretty self-explanatory.

To start reversing this protocol, I used HTTP Client[1] to send modified POST requests and note the responses. Interestingly enough, I could change most of the values and still get "valid" responses. Quotes because, as I would later learn, the value of Data would determine whether the credential would be activated or not.

Static Analysis

[…] poking the provisioning server, so I moved on to a static analysis of the […].

Searching the Binary for Clues

To start, I decided to look for some functions involved in parsing the […]. ProvisioningController looked promising, so I took a look at the disassembled code. Lo and behold, one of the lines read:

    CCHmac(CCHmacAlgorithm algorithm, const void *key, size_t keyLength, const void *data, size_t dataLength, void *macOut)

This told me that the HMAC algorithm being used was SHA-256.

Unfortunately, static analysis could only go so far, and while I did […]
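The CCHmac call is the only concrete piece of the MAC construction the post shows. The Python below is an added example, not code from the post or from Symantec's client; it shows what that construction amounts to in practice: an HMAC-SHA256 over the concatenated request strings, base64-encoded into the Data element. Only the field names, the captured Data string and the SHA-256 choice come from the post; the field order, the sample field values and the key are placeholders (flagged as such in the code) until the disassembly supplies the real ones. Two things it lets you check: the captured Data value decodes to exactly 32 bytes, the size of an HMAC-SHA256 output, and the trailing newlines in the string fields are part of the MAC input, so a request rebuilt without them no longer verifies.

```python
"""HMAC-SHA256 over newline-terminated provisioning fields.

Added example; it is not code from the post or from Symantec's client. The
field names come from the post; the values, the field order and the key are
constructed placeholders.
"""
import base64
import binascii
import hashlib
import hmac

# Constructed sample request fields, in the (assumed) order they are
# concatenated. The post notes that Manufacturer, SerialNo, Model, ClientID
# and IMacOs carry trailing newlines in the captured request; those newlines
# are part of the MAC input here, which is why stripping one breaks
# verification below.
SAMPLE_FIELDS = [
    ("Timestamp", "1412030064"),           # value captured in the post
    ("Manufacturer", "Apple Inc.\n"),      # constructed
    ("SerialNo", "C02XXXXXXXXX\n"),        # constructed
    ("Model", "MacBookPro11,1\n"),         # constructed
    ("ClientID", "VIPAccessMac\n"),        # constructed
    ("IMacOs", "10.9.5\n"),                # constructed
]

# Placeholder: the post does not give the key ProvisioningController hands to
# CCHmac; a real client would carry its own.
PLACEHOLDER_KEY = b"placeholder-key-not-from-the-post"

# The Data value captured in the post's provisioning request.
CAPTURED_DATA = "mxk5NtUnCwd36GEpQq6+Zmnh+rPKDePuS/XYci6/WD0="


def serialize_fields(fields):
    """Join the field values in order, keeping any embedded newlines."""
    return "".join(value for _, value in fields).encode("utf-8")


def compute_data(fields, key):
    """Python equivalent of CCHmac(kCCHmacAlgSHA256, key, keyLength, data,
    dataLength, macOut), with the 32-byte MAC base64-encoded the way a Data
    element would carry it."""
    mac = hmac.new(key, serialize_fields(fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_data(fields, key, data_b64):
    """Server-side style check of a Data value against the fields it should
    cover: reject malformed base64, then compare in constant time."""
    try:
        received = base64.b64decode(data_b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = hmac.new(key, serialize_fields(fields), hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


def decoded_length(data_b64):
    """Byte length of a base64 value; 32 is consistent with HMAC-SHA256."""
    return len(base64.b64decode(data_b64, validate=True))


def with_field(fields, name, value):
    """Return a copy of fields with one value replaced (for tamper checks)."""
    return [(n, value if n == name else v) for n, v in fields]


if __name__ == "__main__":
    data = compute_data(SAMPLE_FIELDS, PLACEHOLDER_KEY)
    print("captured Data decodes to", decoded_length(CAPTURED_DATA), "bytes")
    print("sample Data:", data)
    print("valid:", verify_data(SAMPLE_FIELDS, PLACEHOLDER_KEY, data))
    # Dropping a single trailing newline changes the MAC input.
    stripped = with_field(SAMPLE_FIELDS, "SerialNo", "C02XXXXXXXXX")
    print("valid after stripping newline:",
          verify_data(stripped, PLACEHOLDER_KEY, data))
```

Run it as a script to see the sample values; once the disassembly gives the real key and concatenation order, swap them in and the same `verify_data` check tells you whether a hand-built request would be accepted as the client's would.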