diff --git a/src/scripts/transform_files.py b/src/scripts/transform_files.py
index c3316e8f88..ad813f3268 100644
--- a/src/scripts/transform_files.py
+++ b/src/scripts/transform_files.py
@@ -24,82 +24,7 @@ def remove_emojis(file_text): print(f" Found: {found}") return re.sub(EMOJIS_regex, r"", file_text) - -def extract_markdown_links(md_file_content: str) -> List[MarkdownLink]: - """ - Extracts markdown links from the given content. - """ - markdown_links = [] - link_pattern = r'\[([^\]]+)\]\(([^ ]+)( "([^"]+)")?\)\)?' - - for match in re.finditer(link_pattern, md_file_content): - raw, text, url = match.group(0), match.group(1).strip('"').strip('**'), match.group(2) - title = match.group(4) if len(match.groups()) > 2 else None - title = title.replace("\\","") if title else None - - if url.startswith("#"): - continue - if external:=url.startswith("http"): - raw_new = construct_external_link(raw, url, text, title) - else: - raw_new = construct_internal_link(raw, url, text, title) - markdown_links.append(MarkdownLink(raw, text, url, external, title, raw_new)) - - return markdown_links - - -def construct_internal_link(raw, url, text, title): - """ - Constructs a new internal link with the correct directory. - """ - full_url = f"/MASTG/{get_directory_from_code(raw)}" if "0x" in raw else "" - title = f' "{title}"' if title else "" - - return f"[{text}]({full_url}{title})".replace(".md", "") - -def construct_external_link(raw, url, text, title): - """ - Constructs a new internal link with the correct directory. - """ - text = title if title else text - title = f' "{title}"' if title else "" - - return f"[{text}]({url}{title})" - -def get_directory_from_code(raw): - """ - Maps directory code to directory name. - """ - match = re.search(r'0x(\d{2})', raw) - if match: - directory = { - "01": "Intro", - "02": "Intro", - "03": "Intro", - "04": "General", - "05": "Android", - "06": "iOS", - "08": "Tools", - "09": "Intro", - }.get(match.group(1)) - relative_path = raw[match.start():-1] - return f"{directory}/{relative_path}" - else: - return "" - - -def get_links_from_anchor(links, anchor): - """ - Extracts specific links from the anchor text. 
- """ - return sorted(set([ - re.search(r"\#([^ \")]*)(?=\s|\)|$)", link.raw).group(1) - for link in links - if not link.external and "#" in link.raw and anchor in link.raw - ])) - - -def update_yaml_frontmatter(file_text, tools, examples, external_links, last_updated): +def update_yaml_frontmatter(file_text, last_updated): """ Updates the YAML frontmatter with the tools and examples list. """ @@ -111,13 +36,6 @@ def update_yaml_frontmatter(file_text, tools, examples, external_links, last_upd frontmatter_str = match.group(1) frontmatter = yaml.safe_load(frontmatter_str) - # Update the tools and examples in the frontmatter - frontmatter["tools"] = update_frontmatter_list(frontmatter.get("tools", []), tools) - frontmatter["examples"] = update_frontmatter_list(frontmatter.get("examples", []), examples) - - # update with external links - frontmatter["resources"] = update_frontmatter_list(frontmatter.get("external_links", []), external_links) - frontmatter["last_updated"] = last_updated # Replace the old frontmatter with the updated frontmatter 
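Review bot: The docstring kept under the new `def update_yaml_frontmatter(file_text, last_updated):` signature still reads `Updates the YAML frontmatter with the tools and examples list.`, but the `tools`, `examples` and `external_links` parameters it describes were just removed, so the first thing a reader sees is wrong. Replace it with `"""Set the `last_updated` field in the file's YAML frontmatter and return the updated text."""` — the return value is relied on by the caller (`updated_content = update_yaml_frontmatter(file_content, last_updated)`). The body of `update_yaml_frontmatter`, including the frontmatter regex match and the `yaml.safe_load` call, lies outside this hunk.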
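Review bot: With the list updates deleted, `frontmatter = yaml.safe_load(frontmatter_str)` is now followed directly by `frontmatter["last_updated"] = last_updated`, so a file whose frontmatter block is empty or comment-only makes `safe_load` return `None` and the assignment raises `TypeError` mid-run; guard it with `frontmatter = yaml.safe_load(frontmatter_str) or {}`. `yaml.safe_load` itself is the right call for repository-controlled content and should stay — `yaml.load` would allow arbitrary object construction from a crafted frontmatter. Since this hunk removes the only visible callers of `update_frontmatter_list`, that helper (left as context in the next hunk) is now dead code in this file and can be deleted. The surrounding function starts and ends outside this hunk.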
@@ -134,43 +52,6 @@ def update_frontmatter_list(current_list, new_items): updated_list = current_list + new_items return sorted(list(set(updated_list))) - -def links_to_markdown(links, title): - """ - Converts a list of links to markdown. - """ - section = "" - if len(links) > 0: - links = sorted(list(set([link.raw_new for link in links]))) - links_text = "\n".join([f"- {link}" for link in links]) - # TODO links_text = f"\n\n### {title}\n\n{links_text}" - links_text = f"\n\n{links_text}" - section += links_text - return section - - -def split_links(links): - internal_links = [link for link in links if link.external is False] - external_links = [link for link in links if link.external is True] - - return internal_links, external_links - -def update_internal_links(file_text, links): - new_text = file_text - for link in links: - new_text = new_text.replace(link.raw, link.raw_new) - return new_text - -def create_resources_section(internal_links, external_links): - # TODO internal_links_section = links_to_markdown(internal_links, "Internal") - external_links_section = links_to_markdown(external_links, "External") - # TODO resources_section = internal_links_section + external_links_section - resources_section = external_links_section - - if resources_section != "": - resources_section = "\n\n## Resources" + resources_section + "\n" - return resources_section - def process_markdown_files(folder): """ Processes all markdown files in the given folder. 
@@ -183,23 +64,11 @@ def process_markdown_files(folder): if markdown_file.name == "index.md": continue file_content = markdown_file.read_text() - links = extract_markdown_links(file_content) - - internal_links, external_links = split_links(links) - - tools = get_links_from_anchor(internal_links, "0x08a") - examples = get_links_from_anchor(internal_links, "0x08b") - - resources_section = create_resources_section(internal_links, external_links) - - file_content = update_internal_links(file_content, internal_links) - - external_links = [link.url for link in external_links] last_updated = git_data.get_last_commit_date(Path(markdown_file.as_posix().replace('docs/MASTG', '.')).absolute().as_posix()) - updated_content = update_yaml_frontmatter(file_content, tools, examples, external_links, last_updated) - markdown_file.write_text(updated_content + resources_section) + updated_content = update_yaml_frontmatter(file_content, last_updated) + markdown_file.write_text(updated_content) process_markdown_files("docs/MASTG") \ No newline at end of file diff --git a/techniques/android/MASTG-TECH-0017.md b/techniques/android/MASTG-TECH-0017.md index bf84102aa9..12be932b6d 100644 --- a/techniques/android/MASTG-TECH-0017.md +++ b/techniques/android/MASTG-TECH-0017.md 
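Review bot: The new `markdown_file.write_text(updated_content)` line, like the `read_text()` above it, uses the platform default encoding, so on a non-UTF-8 locale (CI containers, Windows) the rewrite can raise `UnicodeDecodeError` or silently corrupt the non-ASCII text that `remove_emojis` exists to handle; pass `encoding="utf-8"` to both calls, i.e. `file_content = markdown_file.read_text(encoding="utf-8")` and `markdown_file.write_text(updated_content, encoding="utf-8")`. The adjacent `last_updated` line builds the git path with `.replace('docs/MASTG', '.')`, which substitutes every occurrence of that substring anywhere in the path rather than stripping the leading folder; `markdown_file.relative_to(folder)` expresses the intent without that edge case. That line is pre-existing, but this hunk rewrites the statements around it. The function header of `process_markdown_files` and the `git_data` import are outside this hunk, and the module-level `process_markdown_files("docs/MASTG")` call still runs on import — an `if __name__ == "__main__":` guard would keep it a script.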
@@ -19,7 +19,7 @@ Android decompilers go one step further and attempt to convert Android bytecode Alternatively you can use the [APKLab](0x08a-Testing-Tools.md#apklab) extension for Visual Studio Code or run [apkx](0x08a-Testing-Tools.md#apkx) on your APK or use the exported files from the previous tools to open the reversed source code on your preferred IDE. -In the following example we'll be using [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1). First, let's install the app on a device or emulator and run it to see what the crackme is about. +In the following example we'll be using [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md). First, let's install the app on a device or emulator and run it to see what the crackme is about. diff --git a/techniques/android/MASTG-TECH-0023.md b/techniques/android/MASTG-TECH-0023.md index 80638475b1..4bfe94375e 100644 --- a/techniques/android/MASTG-TECH-0023.md +++ b/techniques/android/MASTG-TECH-0023.md 
@@ -3,7 +3,7 @@ title: Reviewing Decompiled Java Code platform: android --- -Following the example from ["Decompiling Java Code"](#decompiling-java-code), we assume that you've successfully decompiled and opened the [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) in IntelliJ. As soon as IntelliJ has indexed the code, you can browse it just like you'd browse any other Java project. Note that many of the decompiled packages, classes, and methods have weird one-letter names; this is because the bytecode has been "minified" with ProGuard at build time. This is a basic type of [obfuscation](0x04c-Tampering-and-Reverse-Engineering.md#obfuscation) that makes the bytecode a little more difficult to read, but with a fairly simple app like this one, it won't cause you much of a headache. When you're analyzing a more complex app, however, it can get quite annoying. +Following the example from ["Decompiling Java Code"](#decompiling-java-code), we assume that you've successfully decompiled and opened the [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) in IntelliJ. As soon as IntelliJ has indexed the code, you can browse it just like you'd browse any other Java project. Note that many of the decompiled packages, classes, and methods have weird one-letter names; this is because the bytecode has been "minified" with ProGuard at build time. This is a basic type of [obfuscation](0x04c-Tampering-and-Reverse-Engineering.md#obfuscation) that makes the bytecode a little more difficult to read, but with a fairly simple app like this one, it won't cause you much of a headache. When you're analyzing a more complex app, however, it can get quite annoying. When analyzing obfuscated code, annotating class names, method names, and other identifiers as you go along is a good practice. Open the `MainActivity` class in the package `sg.vantagepoint.uncrackable1`. The method `verify` is called when you tap the "verify" button. 
This method passes the user input to a static method called `a.a`, which returns a boolean value. It seems plausible that `a.a` verifies user input, so we'll refactor the code to reflect this. @@ -52,4 +52,4 @@ public class a { Now you're getting somewhere: it's simply standard AES-ECB. Looks like the Base64 string stored in `arrby1` in `check_input` is a ciphertext. It is decrypted with 128bit AES, then compared with the user input. As a bonus task, try to decrypt the extracted ciphertext and find the secret value! -A faster way to get the decrypted string is to add dynamic analysis. We'll revisit [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) later to show how (e.g. in the Debugging section), so don't delete the project yet! +A faster way to get the decrypted string is to add dynamic analysis. We'll revisit [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) later to show how (e.g. in the Debugging section), so don't delete the project yet! diff --git a/techniques/android/MASTG-TECH-0026.md b/techniques/android/MASTG-TECH-0026.md index 02593e0af8..bce070ced9 100644 --- a/techniques/android/MASTG-TECH-0026.md +++ b/techniques/android/MASTG-TECH-0026.md @@ -9,7 +9,7 @@ Thanks to tools like [objection](0x08a-Testing-Tools.md#objection), you can patc Now you can use objection to dynamically analyze the application on non-rooted devices. -The following commands summarize how to patch and start dynamic analysis using objection using the [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) as an example: +The following commands summarize how to patch and start dynamic analysis using objection using the [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) as an example: ```bash # Download the Uncrackable APK diff --git a/techniques/android/MASTG-TECH-0031.md b/techniques/android/MASTG-TECH-0031.md index c02a9cbbfa..4d999ef859 100644 
--- a/techniques/android/MASTG-TECH-0031.md +++ b/techniques/android/MASTG-TECH-0031.md @@ -13,7 +13,7 @@ Dalvik and ART support the JDWP, a protocol for communication between the debugg A JDWP debugger allows you to step through Java code, set breakpoints on Java methods, and inspect and modify local and instance variables. You'll use a JDWP debugger most of the time you debug "normal" Android apps (i.e., apps that don't make many calls to native libraries). -In the following section, we'll show how to solve the [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) with jdb alone. Note that this is not an _efficient_ way to solve this crackme. Actually you can do it much faster with Frida and other methods, which we'll introduce later in the guide. This, however, serves as an introduction to the capabilities of the Java debugger. +In the following section, we'll show how to solve the [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) with jdb alone. Note that this is not an _efficient_ way to solve this crackme. Actually you can do it much faster with Frida and other methods, which we'll introduce later in the guide. This, however, serves as an introduction to the capabilities of the Java debugger. ## Debugging with jdb 
@@ -44,7 +44,7 @@ You're now attached to the suspended process and ready to go ahead with the jdb - clear _method_: remove a method breakpoint - set _lvalue_ = _expr_: assign new value to field/variable/array element -Let's revisit the decompiled code from the [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) and think about possible solutions. A good approach would be suspending the app in a state where the secret string is held in a variable in plain text so you can retrieve it. Unfortunately, you won't get that far unless you deal with the root/tampering detection first. +Let's revisit the decompiled code from the [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) and think about possible solutions. A good approach would be suspending the app in a state where the secret string is held in a variable in plain text so you can retrieve it. Unfortunately, you won't get that far unless you deal with the root/tampering detection first. Review the code and you'll see that the method `sg.vantagepoint.uncrackable1.MainActivity.a` displays the "This in unacceptable..." message box. This method creates an `AlertDialog` and sets a listener class for the `onClick` event. This class (named `b`) has a callback method will terminates the app once the user taps the **OK** button. To prevent the user from simply canceling the dialog, the `setCancelable` method is called. 
@@ -128,7 +128,7 @@ This is the plaintext string you're looking for! Setting up a project in an IDE with the decompiled sources is a neat trick that allows you to set method breakpoints directly in the source code. In most cases, you should be able to single-step through the app and inspect the state of variables with the GUI. The experience won't be perfect, it's not the original source code after all, so you won't be able to set line breakpoints and things will sometimes simply not work correctly. Then again, reversing code is never easy, and efficiently navigating and debugging plain old Java code is a pretty convenient way of doing it. A similar method has been described in the [NetSPI blog](https://blog.netspi.com/attacking-android-applications-with-debuggers/ "NetSPI Blog - Attacking Android Applications with Debuggers"). -To set up IDE debugging, first create your Android project in IntelliJ and copy the decompiled Java sources into the source folder as described above in the "[Reviewing Decompiled Java Code](#reviewing-decompiled-java-code "Reviewing Decompiled Java Code")" section. On the device, choose the app as **debug app** on the "Developer options" ([UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) in this tutorial), and make sure you've switched on the "Wait For Debugger" feature. +To set up IDE debugging, first create your Android project in IntelliJ and copy the decompiled Java sources into the source folder as described above in the "[Reviewing Decompiled Java Code](#reviewing-decompiled-java-code "Reviewing Decompiled Java Code")" section. On the device, choose the app as **debug app** on the "Developer options" ([UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) in this tutorial), and make sure you've switched on the "Wait For Debugger" feature. Once you tap the app icon from the launcher, it will be suspended in "Wait For Debugger" mode. 
diff --git a/techniques/android/MASTG-TECH-0040.md b/techniques/android/MASTG-TECH-0040.md index 27de59ce58..3afba5e56d 100644 --- a/techniques/android/MASTG-TECH-0040.md +++ b/techniques/android/MASTG-TECH-0040.md @@ -3,7 +3,7 @@ title: Waiting for the Debugger platform: android --- -The [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) is not stupid: it notices that it has been run in debuggable mode and reacts by shutting down. A modal dialog is shown immediately, and the crackme terminates once you tap "OK". +The [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) is not stupid: it notices that it has been run in debuggable mode and reacts by shutting down. A modal dialog is shown immediately, and the crackme terminates once you tap "OK". Fortunately, Android's "Developer options" contain the useful "Wait for Debugger" feature, which allows you to automatically suspend an app during startup until a JDWP debugger connects. With this feature, you can connect the debugger before the detection mechanism runs, and trace, debug, and deactivate that mechanism. It's really an unfair advantage, but, on the other hand, reverse engineers never play fair! diff --git a/techniques/android/MASTG-TECH-0043.md b/techniques/android/MASTG-TECH-0043.md index 46d53ec969..7dec22ab94 100644 --- a/techniques/android/MASTG-TECH-0043.md +++ b/techniques/android/MASTG-TECH-0043.md 
@@ -66,7 +66,7 @@ Just like regular Android apps, modules for Xposed are developed and deployed wi ## Frida -We'll use Frida to solve the [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1) and demonstrate how we can easily bypass root detection and extract secret data from the app. +We'll use Frida to solve the [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md) and demonstrate how we can easily bypass root detection and extract secret data from the app. When you start the crackme app on an emulator or a rooted device, you'll find that the it presents a dialog box and exits as soon as you press "OK" because it detected root: diff --git a/techniques/android/MASTG-TECH-0100.md b/techniques/android/MASTG-TECH-0100.md index a5d76fc122..f36f43ad44 100644 --- a/techniques/android/MASTG-TECH-0100.md +++ b/techniques/android/MASTG-TECH-0100.md @@ -3,7 +3,7 @@ title: Logging Sensitive Data from Network Traffic platform: android --- -[mitmproxy](MASTG-TOOL-0097) can be used to intercept network traffic from Android apps. This technique is useful for identifying sensitive data that is sent over the network, as well as for identifying potential security vulnerabilities. +[mitmproxy](../../tools/network/MASTG-TOOL-0097.md) can be used to intercept network traffic from Android apps. This technique is useful for identifying sensitive data that is sent over the network, as well as for identifying potential security vulnerabilities. Once with mitmproxy installed and your device configured to use it, you can create a python script to filter the traffic and extract the sensitive data. For example, the following script will extract all the data sent in the requests and responses only if the data is considered sensitive. For this example we consider sensitive data to be any data that contains the strings "dummyPassword" or "sampleUser", so we include them in the `SENSITIVE_STRINGS` list. 
diff --git a/techniques/android/MASTG-TECH-0108.md b/techniques/android/MASTG-TECH-0108.md
index 4a79eab33f..06264b087a 100644
--- a/techniques/android/MASTG-TECH-0108.md
+++ b/techniques/android/MASTG-TECH-0108.md
@@ -9,9 +9,9 @@ In taint analysis, data flows from a "source" to a "sink". A source is where sen In large applications, manual information flow analysis can be very time consuming and inaccurate. Taint analysis automates this, with two main methods: static and dynamic. The former examines code without running it, offering broad coverage but potentially yielding false positives. In contrast, dynamic analysis observes real-time application execution, providing actual context but possibly overlooking untriggered issues. A thorough comparison of these techniques is beyond this section's scope. -There are multiple tools which perform taint analysis on native code, including [Triton](https://github.com/jonathansalwan/Triton "Triton") and [bincat](https://github.com/airbus-seclab/bincat "bincat"). However, in this section, we'll primarily focus on Android Java code and utilize [FlowDroid](../../../apps/android/MASTG-APP-0099.md "FlowDroid") for the taint analysis. Another notable tool supporting taint analysis for Android apps is [GDA](https://github.com/charles2gan/GDA-android-reversing-Tool/wiki/GDA-Static-Taint-Analysis "GDA"). +There are multiple tools which perform taint analysis on native code, including [Triton](https://github.com/jonathansalwan/Triton "Triton") and [bincat](https://github.com/airbus-seclab/bincat "bincat"). However, in this section, we'll primarily focus on Android Java code and utilize [FlowDroid](../../tools/android/MASTG-TOOL-0099.md "FlowDroid") for the taint analysis. Another notable tool supporting taint analysis for Android apps is [GDA](https://github.com/charles2gan/GDA-android-reversing-Tool/wiki/GDA-Static-Taint-Analysis "GDA"). -For our demonstration, we'll use [FlowDroid](../../../tools/android/MASTG-TOOL-0099.md)'s command line tool to perform taint analysis on the [InsecureShop v1.0](https://github.com/hax0rgb/InsecureShop/releases/tag/v1.0 "InsecureShop") application. 
+For our demonstration, we'll use the [FlowDroid](../../tools/android/MASTG-TOOL-0099.md) command line tool to perform taint analysis on the [InsecureShop v1.0](https://github.com/hax0rgb/InsecureShop/releases/tag/v1.0 "InsecureShop") application. The InsecureShop app accepts a username and password as input and stores them in the app's shared preferences. In our taint analysis, we're interested in how this stored username and password are used. In this context, the username and password are the sensitive information, and reading from shared preferences is the source. The sink in this analysis could be various operations, such as sending info over the network, transmitting info via an `Intent`, or storing info in an external file. diff --git a/techniques/ios/MASTG-TECH-0053.md b/techniques/ios/MASTG-TECH-0053.md index a50c013d3d..03b2be5485 100644 --- a/techniques/ios/MASTG-TECH-0053.md +++ b/techniques/ios/MASTG-TECH-0053.md @@ -17,7 +17,7 @@ $ scp -P 2222 root@localhost:/tmp/data.tgz . ## Grapefruit -After starting [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") you can select the app that is in scope for testing. There are various functions available, of which one is called "Finder". When selecting it, you will get a listing of the directories of the app sandbox. +After starting [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") you can select the app that is in scope for testing. There are various functions available, of which one is called "Finder". When selecting it, you will get a listing of the directories of the app sandbox. diff --git a/techniques/ios/MASTG-TECH-0057.md b/techniques/ios/MASTG-TECH-0057.md index 995021fb5a..deda13d727 100644 --- a/techniques/ios/MASTG-TECH-0057.md +++ b/techniques/ios/MASTG-TECH-0057.md 
@@ -20,6 +20,6 @@ $ frida-ps -Uai It also shows which of them are currently running. Take a note of the "Identifier" (bundle identifier) and the PID if any as you'll need them afterwards. -You can also directly open [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") and after selecting your iOS device you'll get the list of installed apps. +You can also directly open [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") and after selecting your iOS device you'll get the list of installed apps. diff --git a/techniques/ios/MASTG-TECH-0058.md b/techniques/ios/MASTG-TECH-0058.md index f20e4c88a8..78d9e42230 100644 --- a/techniques/ios/MASTG-TECH-0058.md +++ b/techniques/ios/MASTG-TECH-0058.md 
@@ -97,7 +97,7 @@ iOS apps can make their codebase modular by using different elements. In the MAS - [Binary Frameworks (`XCFrameworks`)](https://developer.apple.com/videos/play/wwdc2019/416/): Xcode 11 supports distributing binary libraries using the `XCFrameworks` format which is a new way to bundle up multiple variants of a Framework, e.g. for any of the platforms that Xcode supports (including simulator and devices). They can also bundle up static libraries (and their corresponding headers) and support binary distribution of Swift and C-based code. `XCFrameworks` can be [distributed as Swift Packages](https://developer.apple.com/documentation/swift_packages/distributing_binary_frameworks_as_swift_packages). - [Swift Packages](https://developer.apple.com/documentation/swift_packages): Xcode 11 add supports for Swift packages, which are reusable components of Swift, Objective-C, Objective-C++, C, or C++ code that developers can use in their projects and are distributed as source code. Since Xcode 12 they can also [bundle resources](https://developer.apple.com/videos/play/wwdc2020/10169/), such as images, storyboards, and other files. Since Package libraries are [static by default](https://developer.apple.com/videos/play/wwdc2019/408/?time=739). Xcode compiles them, and the packages they depend on, and then links and combines everything into the application. -You can view native libraries in [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on the Modules icon in the left menu bar: +You can view native libraries in [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on the Modules icon in the left menu bar: diff --git a/techniques/ios/MASTG-TECH-0059.md b/techniques/ios/MASTG-TECH-0059.md index c2d184d531..f9821514d0 100644 --- a/techniques/ios/MASTG-TECH-0059.md +++ b/techniques/ios/MASTG-TECH-0059.md 
@@ -124,7 +124,7 @@ Regular 420 None ... Info.plist Regular 493 None ... iGoat-Swift ``` -You can also visualize the Bundle directory from [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on **Finder** -> **Bundle**: +You can also visualize the Bundle directory from [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on **Finder** -> **Bundle**: diff --git a/techniques/ios/MASTG-TECH-0061.md b/techniques/ios/MASTG-TECH-0061.md index d78de60063..372c23ebb8 100644 --- a/techniques/ios/MASTG-TECH-0061.md +++ b/techniques/ios/MASTG-TECH-0061.md @@ -32,7 +32,7 @@ Finally, since the keychain dumper is executed from within the application conte ## Grapefruit (Jailbroken / non-Jailbroken) -With [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") it's possible to access the keychain data of the app you have selected. Inside the **Storage** section, click on **Keychain** and you can see a listing of the stored Keychain information. +With [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") it's possible to access the keychain data of the app you have selected. Inside the **Storage** section, click on **Keychain** and you can see a listing of the stored Keychain information. diff --git a/techniques/ios/MASTG-TECH-0076.md b/techniques/ios/MASTG-TECH-0076.md index 5f02f707c4..16cbcca0c9 100644 --- a/techniques/ios/MASTG-TECH-0076.md +++ b/techniques/ios/MASTG-TECH-0076.md 
@@ -18,7 +18,7 @@ There are no hard written rules for performing static analysis, but there are fe In addition to the techniques learned in the "[Disassembling and Decompiling](#disassembling-and-decompiling "Disassembling and Decompiling")" section, for this section you'll need some understanding of the [Objective-C runtime](https://developer.apple.com/documentation/objectivec/objective-c_runtime "Objective-C runtime"). For instance, functions like `_objc_msgSend` or `_objc_release` are specially meaningful for the Objective-C runtime. -We will be using the [UnCrackable App for iOS Level 1](0x08b-Reference-Apps.md#ios-uncrackable-l1), which has the simple goal of finding a _secret string_ hidden somewhere in the binary. The application has a single home screen and a user can interact via inputting custom strings in the provided text field. +We will be using the [UnCrackable App for iOS Level 1](../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1"), which has the simple goal of finding a _secret string_ hidden somewhere in the binary. The application has a single home screen and a user can interact via inputting custom strings in the provided text field. diff --git a/techniques/ios/MASTG-TECH-0079.md b/techniques/ios/MASTG-TECH-0079.md index c2ee316422..32637661b8 100644 --- a/techniques/ios/MASTG-TECH-0079.md +++ b/techniques/ios/MASTG-TECH-0079.md 
@@ -17,7 +17,7 @@ Thanks to Apple's confusing provisioning and code-signing system, re-signing an We'll use [optool](0x08a-Testing-Tools.md#optool), Apple's build tools, and some shell commands. Our method is inspired by [Vincent Tan's Swizzler project](https://github.com/vtky/Swizzler2/ "Swizzler"). [The NCC group](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "NCC blog - iOS instrumentation without jailbreak") has described an alternative repackaging method. -To reproduce the steps listed below, download [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") from the OWASP Mobile Testing Guide repository. Our goal is to make the UnCrackable app load `FridaGadget.dylib` during startup so we can instrument the app with Frida. +To reproduce the steps listed below, download [UnCrackable App for iOS Level 1](../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") from the OWASP Mobile Testing Guide repository. Our goal is to make the UnCrackable app load `FridaGadget.dylib` during startup so we can instrument the app with Frida. > Please note that the following steps apply to macOS only, as Xcode is only available for macOS. diff --git a/techniques/ios/MASTG-TECH-0084.md b/techniques/ios/MASTG-TECH-0084.md index a8d215dd69..7a05e77dce 100644 --- a/techniques/ios/MASTG-TECH-0084.md +++ b/techniques/ios/MASTG-TECH-0084.md @@ -36,7 +36,7 @@ You'll find the debugserver executable in the `/usr/bin/` directory on the mount ``` -Apply the entitlement with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"): +Apply the entitlement with [codesign](../../tools/ios/MASTG-TOOL-0101.md "codesign"): ```bash codesign -s - --entitlements entitlements.plist -f debugserver 
@@ -136,7 +136,7 @@ Typing `image list` gives a list of main executable and all dependent libraries. ## Debugging Release Apps -In the previous section we learned about how to setup a debugging environment on an iOS device using LLDB. In this section we will use this information and learn how to debug a 3rd party release application. We will continue using the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") and solve it using a debugger. +In the previous section we learned about how to setup a debugging environment on an iOS device using LLDB. In this section we will use this information and learn how to debug a 3rd party release application. We will continue using the [UnCrackable App for iOS Level 1](../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") and solve it using a debugger. In contrast to a debug build, the code compiled for a release build is optimized to achieve maximum performance and minimum binary build size. As a general best practice, most of the debug symbols are stripped for a release build, adding a layer of complexity when reverse engineering and debugging the binaries. 
@@ -155,7 +155,7 @@ When a binary is opened in a disassembler like Ghidra, it loads a binary by emul -From our previous analysis of the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") in "[Manual (Reversed) Code Review](#manual-reversed-code-review)" section, the value of the hidden string is stored in a label with the `hidden` flag set. In the disassembly, the text value of this label is stored in register `X21`, stored via `mov` from `X0`, at offset 0x100004520. This is our _breakpoint offset_. +From our previous analysis of the [UnCrackable App for iOS Level 1](../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") in "[Manual (Reversed) Code Review](#manual-reversed-code-review)" section, the value of the hidden string is stored in a label with the `hidden` flag set. In the disassembly, the text value of this label is stored in register `X21`, stored via `mov` from `X0`, at offset 0x100004520. This is our _breakpoint offset_. diff --git a/techniques/ios/MASTG-TECH-0088.md b/techniques/ios/MASTG-TECH-0088.md index 7b5d109c72..ea8c075786 100644 --- a/techniques/ios/MASTG-TECH-0088.md +++ b/techniques/ios/MASTG-TECH-0088.md 
@@ -19,7 +19,7 @@ Note that in order to install an IPA on Corellium devices it has to be unencrypt
 ## Unicorn
-[Unicorn](http://www.unicorn-engine.org/ "Unicorn") is a lightweight, multi-architecture CPU emulator framework based on [QEMU](https://www.qemu.org/ "QEMU") and [goes beyond it](https://www.unicorn-engine.org/docs/beyond_qemu.html "Beyond QEMU") by adding useful features especially made for CPU emulation. Unicorn provides the basic infrastructure needed to execute processor instructions. In this section we will use [Unicorn's Python bindings](https://github.com/unicorn-engine/unicorn/tree/master/bindings/python "Unicorn Python bindings") to solve the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") challenge.
+[Unicorn](http://www.unicorn-engine.org/ "Unicorn") is a lightweight, multi-architecture CPU emulator framework based on [QEMU](https://www.qemu.org/ "QEMU") and [goes beyond it](https://www.unicorn-engine.org/docs/beyond_qemu.html "Beyond QEMU") by adding useful features especially made for CPU emulation. Unicorn provides the basic infrastructure needed to execute processor instructions. In this section we will use [Unicorn's Python bindings](https://github.com/unicorn-engine/unicorn/tree/master/bindings/python "Unicorn Python bindings") to solve the [UnCrackable App for iOS Level 1](../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") challenge.
 To use Unicorn's _full power_, we would need to implement all the necessary infrastructure which generally is readily available from the operating system, e.g. binary loader, linker and other dependencies or use another higher level frameworks such as [Qiling](https://qiling.io "Qiling") which leverages Unicorn to emulate CPU instructions, but understands the OS context. However, this is superfluous for this very localized challenge where only executing a small part of the binary will suffice.
diff --git a/techniques/ios/MASTG-TECH-0089.md b/techniques/ios/MASTG-TECH-0089.md
index 26c926da91..ddf792461e 100644
--- a/techniques/ios/MASTG-TECH-0089.md
+++ b/techniques/ios/MASTG-TECH-0089.md
@@ -7,7 +7,7 @@ TODO: Currently don't have this, but we do have this section below which does ta
 An introduction to binary analysis using binary analysis frameworks has already been discussed in the "[Dynamic Analysis](0x05c-Reverse-Engineering-and-Tampering.md#dynamic-analysis "Dynamic analysis")" section for Android. We recommend you to revisit this section and refresh the concepts on this subject.
-For Android, we used Angr's symbolic execution engine to solve a challenge. In this section, we will firstly use Unicorn to solve the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") challenge and then we will revisit the Angr binary analysis framework to analyze the challenge but instead of symbolic execution we will use its concrete execution (or dynamic execution) features.
+For Android, we used Angr's symbolic execution engine to solve a challenge. In this section, we will firstly use Unicorn to solve the [UnCrackable App for iOS Level 1](../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") challenge and then we will revisit the Angr binary analysis framework to analyze the challenge but instead of symbolic execution we will use its concrete execution (or dynamic execution) features.
 ## Angr
diff --git a/techniques/ios/MASTG-TECH-0090.md b/techniques/ios/MASTG-TECH-0090.md
index 8a924eb713..e796f57397 100644
--- a/techniques/ios/MASTG-TECH-0090.md
+++ b/techniques/ios/MASTG-TECH-0090.md
@@ -17,7 +17,7 @@ IF you want to use Frida on non-jailbroken devices you'll need to include `Frida
 curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
 ```
-Copy `FridaGadget.dylib` into the app directory and use [optool](../../../tools/ios/MASTG-TOOL-0059.md "optool") to add a load command to the "UnCrackable Level 1" binary.
+Copy `FridaGadget.dylib` into the app directory and use [optool](../../tools/ios/MASTG-TOOL-0059.md "optool") to add a load command to the "UnCrackable Level 1" binary.
 ```bash
 $ unzip UnCrackable_Level1.ipa
diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md
index 37eaefee52..6e6fd8eec0 100644
--- a/techniques/ios/MASTG-TECH-0092.md
+++ b/techniques/ios/MASTG-TECH-0092.md
@@ -21,7 +21,7 @@ Next, we need to make sure that the Bundle ID in `Info.plist` matches the one sp
 ## Re-Signing
-Finally, we use the [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign") tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`.
+Finally, we use the [codesign](../../tools/ios/MASTG-TOOL-0101.md "codesign") tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`.
 ```bash
 $ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature
@@ -36,7 +36,7 @@ $ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --en
 Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature
 ```
-Now you should be ready to run the modified app. Deploy and run the app on the device using [ios-deploy](../../../tools/ios/MASTG-TOOL-0054.md "ios-deploy"):
+Now you should be ready to run the modified app. Deploy and run the app on the device using [ios-deploy](../../tools/ios/MASTG-TOOL-0054.md "ios-deploy"):
 ```bash
 ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/
diff --git a/tests/android/MASVS-CRYPTO/MASTG-TEST-0013.md b/tests/android/MASVS-CRYPTO/MASTG-TEST-0013.md
index 7d1ece4867..3ef6c85f4b 100644
--- a/tests/android/MASVS-CRYPTO/MASTG-TEST-0013.md
+++ b/tests/android/MASVS-CRYPTO/MASTG-TEST-0013.md
@@ -30,7 +30,7 @@ For each identified instance verify if the used symmetric keys:
 For each hardcoded symmetric key, verify that is not used in security-sensitive contexts as the only method of encryption.
-As an example we illustrate how to locate the use of a hardcoded encryption key. First [disassemble and decompile](../../../Document/0x05c-Reverse-Engineering-and-Tampering.md#disassembling-and-decompiling) the app to obtain Java code, e.g. by using [jadx](../../../../tools/android/MASTG-TOOL-0018.md#resources).
+As an example we illustrate how to locate the use of a hardcoded encryption key. First [disassemble and decompile](../../../Document/0x05c-Reverse-Engineering-and-Tampering.md#disassembling-and-decompiling) the app to obtain Java code, e.g. by using [jadx](../../../tools/android/MASTG-TOOL-0018.md).
 Now search the files for the usage of the `SecretKeySpec` class, e.g. by simply recursively grepping on them or using jadx search function:
diff --git a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0046.md b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0046.md
index ffcb3ca566..1113240364 100644
--- a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0046.md
+++ b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0046.md
@@ -20,7 +20,7 @@ The following methods describe different approaches to bypass debugger detection
 ### Bypassing Example: UnCrackable App for Android Level 2
-When dealing with obfuscated apps, you'll often find that developers purposely "hide away" data and functionality in native libraries. You'll find an example of this in [level 2 of the "UnCrackable App for Android"](../../../Document/0x08b-Reference-Apps.md#android-uncrackable-l2).
+When dealing with obfuscated apps, you'll often find that developers purposely "hide away" data and functionality in native libraries. You'll find an example of this in [UnCrackable App for Android Level 2](../../../apps/android/MASTG-APP-0004.md "UnCrackable App for Android Level 2").
 At first glance, the code looks like the prior challenge. A class called `CodeCheck` is responsible for verifying the code entered by the user. The actual check appears to occur in the `bar` method, which is declared as a _native_ method.
diff --git a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0047.md b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0047.md
index 4bd841a731..f1472e49d1 100644
--- a/tests/android/MASVS-RESILIENCE/MASTG-TEST-0047.md
+++ b/tests/android/MASVS-RESILIENCE/MASTG-TEST-0047.md
@@ -17,7 +17,7 @@ masvs_v1_levels:
 2. Use Frida or Xposed to hook file system APIs on the Java and native layers. Return a handle to the original file instead of the modified file.
 3. Use the kernel module to intercept file-related system calls. When the process attempts to open the modified file, return a file descriptor for the unmodified version of the file.
-Refer to the "[Tampering and Reverse Engineering on Android](../../../Document/0x05c-Reverse-Engineering-and-Tampering.md)" chapter for examples of patching, code injection, and kernel modules.
+Refer to Method Hooking for examples of patching, code injection, and kernel modules.
 ### Bypassing the storage integrity checks
diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md
index 741d6a4f44..78c2f9f850 100644
--- a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md
+++ b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md
@@ -13,7 +13,7 @@ masvs_v1_levels:
 ## Static Analysis
-You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](../../../../tools/ios/MASTG-TOOL-0101.md "codesign"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.
+You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.
 After you get the application's IPA file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be.
diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md
index 1303503fd4..6a1e5c183a 100644
--- a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md
+++ b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md
@@ -15,7 +15,7 @@ masvs_v1_levels:
 Inspect the app entitlements and check the value of `get-task-allow` key. If it is set to `true`, the app is debuggable.
-Using [codesign](../../../../tools/ios/MASTG-TOOL-0101.md "codesign"):
+Using [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"):
 ```bash
 $ codesign -d --entitlements - iGoat-Swift.app
diff --git a/tools/android/MASTG-TOOL-0001.md b/tools/android/MASTG-TOOL-0001.md
index 092d86e825..7b4e728918 100644
--- a/tools/android/MASTG-TOOL-0001.md
+++ b/tools/android/MASTG-TOOL-0001.md
@@ -128,7 +128,7 @@ Java.perform(function () {
 The above script calls `Java.perform` to make sure that your code gets executed in the context of the Java VM. It instantiates a wrapper for the `android.app.Activity` class via `Java.use` and overwrites the `onResume` function. The new `onResume` function implementation prints a notice to the console and calls the original `onResume` method by invoking `this.onResume` every time an activity is resumed in the app.
-The [JADX decompiler](#jadx) (v1.3.3 and above) can generate Frida snippets through its graphical code browser. To use this feature, open the APK or DEX with `jadx-gui`, browse to the target method, right click the method name, and select "Copy as frida snippet (f)". For example using the MASTG [UnCrackable App for Android Level 1](0x08b-Reference-Apps.md#android-uncrackable-l1):
+The [JADX decompiler](#jadx) (v1.3.3 and above) can generate Frida snippets through its graphical code browser. To use this feature, open the APK or DEX with `jadx-gui`, browse to the target method, right click the method name, and select "Copy as frida snippet (f)". For example using the MASTG [UnCrackable App for Android Level 1](../../apps/android/MASTG-APP-0003.md):