MacHeist released a great puzzle game called The Heist, promising a prize when you manage to open the safe. Since I am a sucker for puzzle games I bought it and took a brief look at its code. There is a single URL in the program and some references to SHA256, a good indicator that they thought a little about security. I started playing the game and finally opened the safe. Before collecting my prize I started tcpdump so I could see what information would be exchanged with the MacHeist servers. The first detail is that plain HTTP is used and the password for the MacHeist account is sent in clear text. That wouldn't be a big deal in a normal world (it's just an unimportant account) if most people didn't reuse passwords or slight variations of them. HTTPS could (and should) have been used! Let's continue…

So the exchange of data had two interesting fields called random and signature. The size of these fields matches the size of a SHA256 hash, so they are probably hashes. Firing up IDA for the second time and searching for strings, the interesting one is found: "prize=%@&random=%@&signature=%@&levelData=%@". It's then a matter of going backwards and finding where those fields are generated. And here lies the small vulnerability.
There is one little piece of information that is easily controlled by us: the device unique identifier and its name are retrieved and then hashed. So to generate different hashes one just needs to change the device name, and voilà. There are more operations, but they are of no interest to analyse.
You will also need to mess with the preferences file: there is a field with a very suggestive name that you will need to reset to be able to collect the prize again. I think the preferences folder is accessible even on non-jailbroken devices (using an iOS filesystem browser). The authors should have encrypted or obfuscated the preferences file so that it's not such a straightforward operation. Even then, anything stored on the client can be reset by the client; the only reliable place to record that a prize was collected is the server.
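To make the weakness concrete, here is an added example (not the game's code, and not MacHeist's server) that models the scheme described above: the random and signature fields are unkeyed SHA256 hashes derived from device identity, so a client that renames its device gets fresh values. Which exact inputs the game hashes, how its server deduplicates claims, and the account names are all assumptions for the demo. A hypothetical hardened server is shown beside it: it treats "this account already collected its prize" as a server-side fact and ties each claim to a one-time nonce, so the device-derived hashes carry no authority.

```python
import hashlib
import hmac
import secrets


def client_fields(udid: str, device_name: str, prize: str) -> dict:
    """Model of the client-side scheme: both fields are unkeyed SHA-256
    hashes over device identity, so everything that goes in is under the
    user's control.  The real inputs are not known; this is an assumption."""
    random_ = hashlib.sha256(f"{udid}:{device_name}".encode()).hexdigest()
    signature = hashlib.sha256(f"{prize}:{random_}".encode()).hexdigest()
    return {"prize": prize, "random": random_, "signature": signature}


class WeakServer:
    """Hypothetical server that trusts the client's hashes and deduplicates
    prize claims by the 'random' value it receives."""

    def __init__(self):
        self.seen_random = set()

    def claim(self, account: str, fields: dict) -> bool:
        # No secret is involved, so anyone can recompute a valid signature.
        expected = hashlib.sha256(
            f"{fields['prize']}:{fields['random']}".encode()).hexdigest()
        if not hmac.compare_digest(expected, fields["signature"]):
            return False
        if fields["random"] in self.seen_random:
            return False            # an exact replay is caught ...
        self.seen_random.add(fields["random"])
        return True                 # ... but a fresh 'random' is accepted


class HardenedServer:
    """Hypothetical fix: whether an account has collected its prize lives on
    the server, and each claim must answer a one-time nonce issued to the
    authenticated session (assumed to run over TLS).  Renaming the device
    changes nothing because device-derived values are never consulted."""

    def __init__(self):
        self.outstanding = {}       # account -> nonce not yet spent
        self.claimed = set()

    def issue_nonce(self, account: str) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding[account] = nonce
        return nonce

    def claim(self, account: str, nonce: str, fields: dict) -> bool:
        issued = self.outstanding.pop(account, None)
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False            # replayed, or never issued
        if account in self.claimed:
            return False            # one prize per account, whatever the device says
        self.claimed.add(account)
        return True


def demo() -> dict:
    """Run a legitimate claim, an exact replay and a 'renamed device' forgery
    against both servers.  All identifiers below are constructed."""
    udid = "0123456789abcdef0123456789abcdef01234567"
    legit = client_fields(udid, "fG's iPhone", "prize")
    forged = client_fields(udid, "fG's iPhone 2", "prize")  # only the name changed
    assert legit["random"] != forged["random"]

    weak = WeakServer()
    weak_results = (weak.claim("alice", legit),      # accepted
                    weak.claim("alice", legit),      # rejected: same 'random'
                    weak.claim("alice", forged))     # accepted again: new 'random'

    hard = HardenedServer()
    first = hard.issue_nonce("alice")
    hard_results = (hard.claim("alice", first, legit),   # accepted
                    hard.claim("alice", first, legit),   # rejected: nonce spent
                    hard.claim("alice", hard.issue_nonce("alice"), forged))  # rejected
    return {"weak": weak_results, "hardened": hard_results}


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is not the hash function: SHA256 is fine, but hashing values the client chooses proves nothing to the server. Any "signature" the client can compute on its own can be recomputed with different inputs, so uniqueness and eligibility have to be decided from state the server holds.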

And that's it. Just a slightly vulnerable implementation. Back to work, or maybe to finish the game!

Have fun,
fG!

P.S.: The game is well worth the 99 cents!

Update:
Gdbinit for iOS v0.4, which fixes the missing r12 register and has some code cleanups. I completely forgot to release this one. Thanks to Luis for reminding me!

gdbinit-ios-v0.4.gz
SHA256(gdbinit-ios-v0.4.gz)= 5a943545ad58650bd55d7762945b239802b72cb85d8bf700ec7b23e291a7e977