Alex Hude
  o Melbourne, Australia
  o BlackmagicDesign
  o Hardware, XNU
  o Fried Apple team

Max Bazaliy
  o Kyiv, Ukraine
  o Lookout
  o XNU, Linux, LLVM
  o Fried Apple team

Static approach
  o Disassemblers
  o Code analyzers
  o Decompilers
  o IDA as a choice

Dynamic approach
  o Debuggers
  o Dynamic analyzers
  o Code instrumentation
  o Frida as a choice
  o Missing context (CPU registers, stack, memory)
  o Hard to follow code execution flow (obfuscation)
  o Hard to follow data flow (encryption)
  o Hard to follow indirect function calls

  o Anti-debugging tricks
  o Data loss during restarts
  o Execution flow may change under debugging
  o No easy way to hook or replace existing code

  o Code disassembly still missing
  o High learning curve
  o Usually requires writing a lot of code
  o Hard to maintain multiple things at a time

  o IDA plugin that implements UI controls for Frida
  o Socket protocol between IDA & Frida Client (JSON)
  o RPC protocol between Frida Client & Server (JSON)
  o FridaLink.js (Frida script)
  o Bring static analysis info from IDA to Frida
  o Use dynamic info from Frida for IDA analysis
  o Monitor runtime state directly from IDA
  o Control Frida agent directly from IDA
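The two slides above describe a JSON-over-socket link between the IDA plugin and the Frida client, and the kind of traffic it carries (hooks pushed from IDA, runtime observations such as resolved indirect calls pulled back into IDA). The following is an added example, not FridaLink's own code: it shows a minimal version of that message layer in Python, the language both IDA plugins and Frida's client bindings use. The length-prefixed framing, the request names (`hook_add`, `hook_list`, `resolve_call`), the request-id correlation and the runtime data returned by `FridaClientStub` are all assumptions constructed for the example; the real FridaLink wire format is not documented on this page. The stub stands in for the Frida side so the exchange runs offline over a local socketpair.

```python
import json
import socket
import struct
import threading

# Framing assumed for this example (not FridaLink's documented wire format):
# a 4-byte big-endian length prefix followed by one UTF-8 JSON object.
HEADER = struct.Struct(">I")
MAX_MSG = 16 * 1024 * 1024  # refuse absurd lengths before allocating anything


def send_msg(sock, obj):
    """Serialise one JSON object and write it with its length prefix."""
    payload = json.dumps(obj).encode("utf-8")
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_exact(sock, n):
    """Read exactly n bytes; a stream socket may deliver a frame in pieces."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf += chunk
    return bytes(buf)


def recv_msg(sock):
    """Read one framed JSON object, rejecting oversized frames up front."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_MSG:
        raise ValueError("frame of %d bytes exceeds MAX_MSG" % length)
    return json.loads(recv_exact(sock, length).decode("utf-8"))


class FridaClientStub:
    """Stand-in for the Frida client side. The request names and the runtime
    data it returns are constructed for this example, not FridaLink's."""

    def __init__(self):
        self.hooks = {}
        # constructed runtime observation: indirect call site -> resolved target
        self.indirect_calls = {0x1010: 0x3000}

    def handle(self, msg):
        req = msg.get("req")
        if req == "hook_add":
            addr = int(msg["addr"])
            self.hooks[addr] = msg.get("name", "sub_%x" % addr)
            return {"ok": True, "addr": addr}
        if req == "hook_list":
            return {"ok": True, "hooks": sorted(self.hooks)}
        if req == "resolve_call":
            target = self.indirect_calls.get(int(msg["addr"]))
            if target is None:
                return {"ok": False, "error": "call site not observed yet"}
            return {"ok": True, "target": target}
        return {"ok": False, "error": "unknown request %r" % req}


def serve(sock, handler, n_requests):
    """Answer n_requests frames, echoing each request id so the IDA side can
    match replies to the requests it sent."""
    for _ in range(n_requests):
        msg = recv_msg(sock)
        reply = handler.handle(msg)
        reply["id"] = msg.get("id")
        send_msg(sock, reply)


def ida_side_session(requests):
    """Play the IDA plugin role over a local socketpair and return the replies
    in request order."""
    ida_sock, frida_sock = socket.socketpair()
    worker = threading.Thread(
        target=serve, args=(frida_sock, FridaClientStub(), len(requests)))
    worker.start()
    replies = []
    for i, req in enumerate(requests):
        send_msg(ida_sock, dict(req, id=i))
        reply = recv_msg(ida_sock)
        if reply.get("id") != i:
            raise RuntimeError("reply id mismatch")
        replies.append(reply)
    worker.join()
    ida_sock.close()
    frida_sock.close()
    return replies


if __name__ == "__main__":
    for r in ida_side_session([
        {"req": "hook_add", "addr": 0x1000, "name": "main"},
        {"req": "hook_list"},
        {"req": "resolve_call", "addr": 0x1010},
        {"req": "resolve_call", "addr": 0x1020},
    ]):
        print(r)
```

The two defensive details are the ones that matter when the peer is an instrumented process: `recv_exact` handles frames that arrive split across several reads, and `recv_msg` checks the declared length against a cap before allocating, so a corrupted or hostile length field cannot make the IDA side allocate gigabytes. Request ids let IDA tell which reply belongs to which hook or resolve request once several are in flight.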