Reversing 101

Reversing 101 Eugene Solodovnykov @0xc010d

I... • work for Service2Media • mainly do iOS stuff
• have a wife and two cats • like ukrainian borsch

Reverse engineering is the process of discovering the technological principles
of a device, object, or system through analysis of its structure, function, and operation. http://en.wikipedia.org/wiki/Reverse_engineering

Inside .app

.nib files • Compiled XIB •

.nib files • Compiled XIB • bplist (plutil -convert xml1)
•

.nib files • Compiled XIB • bplist (plutil -convert xml1)
• reversible

https://gist.github.com/0xc010d/3749346

Entrance point! Spoiler: - (BOOL)licenseIsValid:(NSString *)license; is NOT a good
name for license checking method!

Let’s class-dump it!

• http://stevenygard.com/projects/class-dump/ • brew install class-dump

Mach-O • __TEXT segment contains executable code and other read-only
data • __objc* sections contain data used by the Objective-C runtime Mach-O is the standard used to store programs and libraries on disk in the Mac app binary interface (ABI) http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/

Example

Prologue

Prologue “Save” $rdi, $rsi

Load $rdi Prologue “Save” $rdi, $rsi

Load $rdi “Clear” $al Prologue “Save” $rdi, $rsi

Load $rdi “Clear” $al Call NSLog Prologue “Save” $rdi, $rsi

Load $rdi “Clear” $al Call NSLog Epilogue Prologue “Save” $rdi,
$rsi

arm ppc/ppc64 x86_64 i386 (before prologue) i386 (after prologue) arg0
arg1 arg2 arg3 arg4 arg5 $r0 $r3 $rdi *($esp) *($ebp + 8) $r1 $r4 $rsi *($esp + 4) *($ebp + 12) $r2 $r5 $rdx *($esp + 8) *($ebp + 16) $r3 $r6 $rcx *($esp + 12) *($ebp + 20) *($sp) $r7 $r8 *($esp + 16) *($ebp + 24) *($sp + 4) $r8 $r9 *($esp + 20) *($ebp + 28) self _cmd http://www.clarkcox.com/blog/2009/02/04/inspecting-obj-c-parameters-in-gdb/

Relative addressing Relative to the next instruction’s address: 0x100000de7 +
0x5e1 = 0x1000013c8 otool -l – indicates all sections with their addresses

cstring address (0x100000e9a) cstring length 0x41 ⇒ ‘A’

Voilá!

Objective-C specific • Extensive objc_msgSend() usage • Extreme verbosity in
a binary • Widely used in OS X, iOS • Has special sections in Mach-O

Instruments • IDA – €679 for “Starter” version There’s free
demo but it’s quite limited https://www.hex-rays.com/products/ida/index.shtml • Hopper Disassembler – €45 There’s also free limited demo http://www.hopperapp.com/index.html •

Instruments • IDA – €679 for “Starter” version There’s free
demo but it’s quite limited https://www.hex-rays.com/products/ida/index.shtml ✓Hopper Disassembler – €45 There’s also free limited demo http://www.hopperapp.com/index.html •

Cracking example Now it’s free so check it out! http://snippets.me
http://www.snippetsapp.com

Keygen is not possible

Keygen is not possible We still can patch it

Mod / Reg / R/M byte • Speciﬁes operands and
their addressing mode http://en.wikibooks.org/wiki/X86_Assembly/Machine_Language_Conversion 7 6 5 4 3 2 1 0 MOD REG R/M

Hopper scripts.py • mov $rsi, <address> https://gist.github.com/0xc010d/5095541 • call <address>
https://gist.github.com/0xc010d/5095544 • nop https://gist.github.com/0xc010d/4335013 • endp https://gist.github.com/0xc010d/5095551 • Insert ASM instruction https://gist.github.com/0xc010d/4335229

Patch demo

This is important

Owner which would be checked in BOOL SASerialIsValidForOwner(NSString *serial, NSString
*owner)

How to improve • Don’t use Objective-C in critical parts
• Check the license in non-obvious places • inline (GCC does not inline any functions when not optimizing) • __attribute__((always_inline)) inline http://gcc.gnu.org/onlinedocs/gcc/Inline.html

What’s with iOS? • ARM • Binary is encrypted •
Need to use jailbroken device • Still not so difﬁcult

These slides: https://speakerdeck.com/0xc010d/reversing-101 @0xc010d [email protected] http://0xc010d.com

Reversing 101

Reversing 101

More Decks by 0xc010d

Other Decks in Research

Featured

Transcript