Reversing 101

0xc010d
March 19, 2013

cocoaheadsNL@Amsterdam/ProjectClear

Transcript

  1. Reversing 101
    Eugene Solodovnykov
    @0xc010d

  2. I...
    • work for Service2Media
    • mainly do iOS stuff
    • have a wife and two cats
    • like Ukrainian borsch

  3. Reverse engineering is the process of discovering the
    technological principles of a device, object, or system
    through analysis of its structure, function, and operation.
    http://en.wikipedia.org/wiki/Reverse_engineering

  4. Inside .app

  5. .nib files
    • Compiled XIB

  6. .nib files
    • Compiled XIB

  7. .nib files
    • Compiled XIB
    • bplist (plutil -convert xml1)

  8. .nib files
    • Compiled XIB
    • bplist (plutil -convert xml1)
    • reversible

  9. https://gist.github.com/0xc010d/3749346

  10. (no transcribed text)

  11. Entry point!
    Spoiler:
    - (BOOL)licenseIsValid:(NSString *)license;
    is NOT a good name for a license-checking method!

  12. Let’s class-dump it!

  13. • http://stevenygard.com/projects/class-dump/
    • brew install class-dump

  14. Mach-O
    • __TEXT segment contains executable code and other read-only data
    • __objc* sections contain data used by the Objective-C runtime
    Mach-O is the standard used to store programs and libraries on disk in the Mac app binary interface (ABI)
    http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/

  15. otool

  16. (no transcribed text)

  17. Example

  18. (no transcribed text)

  19. (no transcribed text)

  20. Prologue

  21. Prologue “Save” $rdi, $rsi

  22. Load $rdi
    Prologue “Save” $rdi, $rsi

  23. Load $rdi
    “Clear” $al
    Prologue “Save” $rdi, $rsi

  24. Load $rdi
    “Clear” $al
    Call NSLog
    Prologue “Save” $rdi, $rsi

  25. Load $rdi
    “Clear” $al
    Call NSLog
    Epilogue
    Prologue “Save” $rdi, $rsi

  26. Where the arguments live (arg0 = self, arg1 = _cmd for Objective-C methods)
    arg          arm          ppc/ppc64   x86_64   i386 (before prologue)   i386 (after prologue)
    arg0 (self)  $r0          $r3         $rdi     *($esp)                  *($ebp + 8)
    arg1 (_cmd)  $r1          $r4         $rsi     *($esp + 4)              *($ebp + 12)
    arg2         $r2          $r5         $rdx     *($esp + 8)              *($ebp + 16)
    arg3         $r3          $r6         $rcx     *($esp + 12)             *($ebp + 20)
    arg4         *($sp)       $r7         $r8      *($esp + 16)             *($ebp + 24)
    arg5         *($sp + 4)   $r8         $r9      *($esp + 20)             *($ebp + 28)
    http://www.clarkcox.com/blog/2009/02/04/inspecting-obj-c-parameters-in-gdb/

  27. (no transcribed text)

  28. Relative addressing
    Displacements are relative to the next instruction’s address:
    0x100000de7 + 0x5e1 = 0x1000013c8
    otool -l lists all sections with their addresses

  29. cstring address
    (0x100000e9a)
    cstring length
    0x41 ⇒ ‘A’

  30. Voilà!

  31. Objective-C specific
    • Extensive objc_msgSend() usage
    • Extremely verbose binaries
    • Widely used in OS X, iOS
    • Has special sections in Mach-O

  32. Instruments
    • IDA – €679 for the “Starter” version
    There’s a free demo, but it’s quite limited
    https://www.hex-rays.com/products/ida/index.shtml
    • Hopper Disassembler – €45
    There’s also a free, limited demo
    http://www.hopperapp.com/index.html

  33. Instruments
    • IDA – €679 for the “Starter” version
    There’s a free demo, but it’s quite limited
    https://www.hex-rays.com/products/ida/index.shtml
    ✓ Hopper Disassembler – €45
    There’s also a free, limited demo
    http://www.hopperapp.com/index.html

  34. (no transcribed text)

  35. Cracking example
    Now it’s free so check it out!
    http://snippets.me
    http://www.snippetsapp.com

  36. (no transcribed text)

  37. (no transcribed text)

  38. (no transcribed text)

  39. (no transcribed text)

  40. (no transcribed text)

  41. (no transcribed text)

  42. (no transcribed text)

  43. Keygen is not possible

  44. Keygen is not possible
    We can still patch it

  45. Mod / Reg / R/M byte
    • Specifies the operands and their addressing mode
    http://en.wikibooks.org/wiki/X86_Assembly/Machine_Language_Conversion
    bit:    7 6 | 5 4 3 | 2 1 0
    field:  MOD | REG   | R/M
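As an added example (not from the deck or its gists): a small Python decoder, in the spirit of the Hopper scripts.py helpers, that splits a ModR/M byte into the MOD/REG/R/M fields from slide 45 and resolves `call rel32` and RIP-relative `lea` targets the way slides 28 and 29 describe, relative to the next instruction's address. The instruction bytes and their layout are constructed so that the numbers match the slides (call target 0x1000013c8, cstring at 0x100000e9a); the register table covers only the unextended 3-bit REG field.

```python
import struct

# Register names for the 3-bit REG field (REX.R extension not handled in this sketch).
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
MASK64 = (1 << 64) - 1

def modrm(byte):
    """Split a ModR/M byte into (MOD, REG, R/M): bits 7-6, 5-3 and 2-0."""
    return (byte >> 6) & 0b11, (byte >> 3) & 0b111, byte & 0b111

def rel32(code, off):
    """Read the little-endian *signed* 32-bit displacement that follows an opcode."""
    return struct.unpack_from("<i", code, off)[0]

def decode(addr, code):
    """Decode one instruction at `addr`; returns (text, length, absolute target or None).
    Supports the forms seen in the NSLog example: 31 C0 (xor eax, eax), E8 rel32 (call)
    and 48 8D /r with a RIP-relative ModR/M (lea r64, [rip+disp32])."""
    if code[:2] == b"\x31\xc0":
        return "xor eax, eax", 2, None
    if code[0] == 0xE8:                      # target = next instruction + rel32
        return "call", 5, (addr + 5 + rel32(code, 1)) & MASK64
    if code[:2] == b"\x48\x8d":
        mod, reg, rm = modrm(code[2])
        if mod == 0b00 and rm == 0b101:      # in 64-bit mode this encoding means [rip + disp32]
            return f"lea {REGS64[reg]}, [rip+disp32]", 7, (addr + 7 + rel32(code, 3)) & MASK64
    raise ValueError(f"unsupported instruction at {addr:#x}: {code[:3].hex()}")

def sweep(addr, code):
    """Linear-sweep decode of a byte string, returning [(addr, text, target), ...]."""
    out, off = [], 0
    while off < len(code):
        text, length, target = decode(addr + off, code[off:])
        out.append((addr + off, text, target))
        off += length
    return out

# Constructed sample: lea rdi, [rip+0xba]; xor eax, eax; call rel32 0x5e1, laid out so the
# call's next-instruction address is 0x100000de7 (slide 28) and the lea points at 0x100000e9a.
SAMPLE_ADDR = 0x100000DD9
SAMPLE_CODE = bytes.fromhex("488d3dba000000" "31c0" "e8e1050000")

if __name__ == "__main__":
    for a, text, target in sweep(SAMPLE_ADDR, SAMPLE_CODE):
        tgt = f" -> {target:#x}" if target is not None else ""
        print(f"{a:#x}: {text}{tgt}")
```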

  46. Hopper scripts.py
    • mov $rsi,
    https://gist.github.com/0xc010d/5095541
    • call
    https://gist.github.com/0xc010d/5095544
    • nop
    https://gist.github.com/0xc010d/4335013
    • endp
    https://gist.github.com/0xc010d/5095551
    • Insert ASM instruction
    https://gist.github.com/0xc010d/4335229

  47. Patch demo

  48. This is important

  49. The owner, which is checked in
    BOOL SASerialIsValidForOwner(NSString *serial, NSString *owner)

  50. How to improve
    • Don’t use Objective-C in critical parts
    • Check the license in non-obvious places
    • inline (GCC does not inline any functions when not optimizing)
    • __attribute__((always_inline)) inline
    http://gcc.gnu.org/onlinedocs/gcc/Inline.html

  51. What’s with iOS?
    • ARM
    • Binary is encrypted
    • Need to use jailbroken device
    • Still not so difficult

  52. These slides:
    https://speakerdeck.com/0xc010d/reversing-101
    @0xc010d
    [email protected]
    http://0xc010d.com