randomhodler84 | 3 years ago
Another useful tool I have used in the past in Windows is Nektra Deviare for function hooking. This is similar to the old Microsoft Detours framework, in that one can dynamically patch code in the running binary. I have used this to grab raw keys.
https://www.nektra.com/products/deviare-api-hook-windows/

jcalvinowens | 3 years ago
I'm curious: did you consider hacking the Oculus binary to accept an SSL cert you made yourself, and MITM-ing it to see the traffic?
I'm sure they have it pinned and don't use the OS certs, but you could just overwrite the root cert that must exist in that binary somewhere with your own, right?

severino | 3 years ago
> I'm curious: did you consider hacking the Oculus binary to accept an SSL cert you made yourself, and MITM-ing it to see the traffic?
Is that what he refers to when he says "I didn't want to add extra root certificates and proxies to inspect all TLS traffic going on the machine", or are we talking about different things?

zevv | 3 years ago
> but you could just overwrite the root cert that must exist in that binary somewhere with your own, right?
Unless they use certificate pinning, which is basically just verifying the CAs are not tampered with. Theoretically that could be attacked as well, but it prevents the "just replace the CA" case.

K0nserv | 3 years ago
Not sure about the non-security expert bit, but I've done stuff [0] similar to this for iOS using Frida [1], which supports macOS too. For apps that use unpinned certificates and the built-in networking libraries (NSURLSession et al.) you can directly use mitmproxy [2] or Charles [3].
0: https://hugotunius.se/2020/08/07/stealing-tls-sessions-keys-...
1: https://frida.re/
2: https://mitmproxy.org/
3: https://www.charlesproxy.com/

matheusmoreira | 3 years ago
If the application isn't pinning certificates, you should be able to add your own root certificate to your machine and intercept all encrypted traffic. Same method used by corporations to monitor their own networks. I successfully used this method on a mobile game years ago.

matheusmoreira | 3 years ago
Applications with pinned certificates don't use the system certificates at all, which fixes the MITM vulnerability I described. You'd need to reverse engineer them in order to change the certificate to one under your control; difficulty can vary depending on how obfuscated the code is.
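Several comments above turn on the difference between trusting the OS certificate store and pinning, so here is a minimal illustration in Python of what a pinning client actually checks (an added example, not code from any commenter or from the Oculus client): it pulls the SubjectPublicKeyInfo out of the server's DER certificate and compares its SHA-256 against a value shipped with the app, so a certificate issued for the right name by any other CA, including one added to the machine's trust store, is rejected. The certificate skeletons in it are constructed for the demo and are not valid certificates.

```python
import base64, hashlib
def _parse_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, whole_tlv, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length (0x81, 0x82, ...)
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end

def _items(seq_value):
    """Child TLVs of a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, whole, pos = _parse_tlv(seq_value, pos)
        out.append((tag, val, whole))
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (tbsCertificate field 6)."""
    fields = _items(_items(_parse_tlv(cert_der)[1])[0][1])
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]   # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """'sha256/<base64>' pin; a pinning client compares this to a shipped value."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

# Constructed test data: DER skeletons with real TBSCertificate field order, NOT valid certs.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(issuer, key_bytes):
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")))
                + _der(0x03, b"\x00" + key_bytes))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, _der(0x0C, issuer)) + _der(0x30, b"")
           + _der(0x30, _der(0x0C, b"app.example")) + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

APP_KEY = bytes(range(256))                          # stand-in for the app's public key
PINNED_CERT = fake_cert(b"Example CA", APP_KEY)
REISSUED_CERT = fake_cert(b"Other CA", APP_KEY)      # same key, new CA: still passes
FORGED_CERT = fake_cert(b"Example CA", bytes(256))   # right names, wrong key: rejected
PINS = {spki_pin(PINNED_CERT)}
```

Pinning the SPKI hash rather than the whole certificate is what lets the server rotate or re-issue its certificate without an app update, while a certificate carrying a different key is still refused.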