Challenge 64 ☆☆☆☆☆

Welcome to challenge Challenge 64.

Hiding in binaries part 5: the Swift binary

Similar to hiding secrets in an application written in C, you can do this in Swift! Swift is Apple’s modern compiled language used across Apple platforms and Linux. Can you find the secret in our binary?

Let’s debunk the "secrets are hard to find in native compiled applications" myth for Swift: can you find the secret in wrongsecrets-swift (or wrongsecrets-swift-arm, wrongsecrets-swift-linux)?

Try downloading the binary and run it locally (e.g. ./wrongsecrets-swift<theversion you need> <your answer>).

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

This challenge is specifically looking at a secret stored in a Swift binary as an array of characters.

You can solve this challenge using the following alternative solutions:

  1. Find the secrets with Ghidra.

    • Install Ghidra.

    • Start it with ghidraRun.

    • Load the application wrongsecrets-swift into Ghidra by choosing a new project, then import the file and then double-click on it.

    • Allow Ghidra to analyze the application.

    • Look for the getSecret function - you can search for it in the Symbol Tree.

    • In the decompiled code, find the array of characters that make up the secret.

    • Alternatively: on macOS, use nm -gUj wrongsecrets-swift | grep getSecret and then swift-demangle --expand "s5swift9getSecretSSyF" to find the function.

  2. Find the secrets with radare2.

    • Install radare2 with either brew install radare2 on Mac or follow these steps: git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh

    • Launch r2 analysis with $ r2 -AAA wrongsecrets-swift

    • Search for strings with iz | grep -i secret or iz | grep -i "This".

    • Alternatively, look for the getSecret function: afl | grep getSecret and then print the function with pdf @ <function_address>.

    • Examine the character array construction in the decompiled or disassembled code.

  3. Find the secrets with Binary Ninja or similar tools:

    • Load the binary and navigate to the Swift mangled function s5swift9getSecretSSyF.

    • The secret is constructed from an array of characters.

Don’t want to install the tools? check the WrongSecrets Desktop container!

Why Using binaries to hide a secret will only delay an attacker.

With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your Swift binary.

Swift binaries, even though they use name mangling (you can use swift-demangle to demangle Swift symbol names), are still susceptible to reverse engineering. The secrets stored as character arrays or string literals can be found in the binary’s data section.

Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.

Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.


⬅️ Previous
🏠 Main Page
Next ➡️
0