
Reversing 101

0xc010d
March 19, 2013

cocoaheadsNL@Amsterdam/ProjectClear

0xc010d

March 19, 2013
Tweet

More Decks by 0xc010d

Other Decks in Research

Transcript

  1. Reversing 101
    Eugene Solodovnykov
    @0xc010d

  2. I...
    • work for Service2Media
    • mainly do iOS stuff
    • have a wife and two cats
    • like ukrainian borsch

  3. Reverse engineering is the process of discovering the
    technological principles of a device, object, or system
    through analysis of its structure, function, and operation.
    http://en.wikipedia.org/wiki/Reverse_engineering

    View full-size slide

  4–7. .nib files
    • Compiled XIB
    • bplist (plutil -convert xml1 -o - file.nib prints it as XML)
    • reversible: nothing is lost converting between the binary and XML forms

  8. https://gist.github.com/0xc010d/3749346
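
The bplist step from slides 4–8, as an added example in Python rather than plutil. This is not the talk's gist and not Apple's code: it uses the standard library's plistlib, which reads and writes the same binary plist container a compiled nib of this era is stored in. SAMPLE_NIB is a constructed stand-in for a nib archive (a keyed-archiver dictionary), not a real nib.

```python
"""Added example (not the talk's gist): the `plutil -convert xml1` step in Python.

A nib of this era is a binary property list (bplist), so Python's stdlib
plistlib can do the conversion offline. SAMPLE_NIB is a constructed stand-in
for a nib archive, not a real one.
"""
import plistlib

BPLIST_MAGIC = b"bplist00"          # first 8 bytes of every binary plist

# Constructed stand-in for what a compiled nib holds: an NSKeyedArchiver
# dictionary. Real nibs carry far more keys, but the container is the same.
SAMPLE_NIB = {
    "$version": 100000,
    "$archiver": "NSKeyedArchiver",
    "$top": {"root": 1},
    "$objects": ["$null", "NSWindow", "Snippets"],
}


def is_bplist(data: bytes) -> bool:
    """Same check plutil makes before converting: does it carry the magic?"""
    return data.startswith(BPLIST_MAGIC)


def compile_nib(contents: dict) -> bytes:
    """Serialize to the binary form, as found on disk."""
    return plistlib.dumps(contents, fmt=plistlib.FMT_BINARY)


def bplist_to_xml(data: bytes) -> bytes:
    """Equivalent of `plutil -convert xml1 -o - file.nib`."""
    if not is_bplist(data):
        raise ValueError("not a binary plist")
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)


def xml_to_bplist(xml: bytes) -> bytes:
    """The reverse direction (`plutil -convert binary1`)."""
    return plistlib.dumps(plistlib.loads(xml), fmt=plistlib.FMT_BINARY)


def roundtrip_ok(contents: dict) -> bool:
    """bplist -> xml -> bplist loses nothing: why the format is 'reversible'."""
    xml = bplist_to_xml(compile_nib(contents))
    return plistlib.loads(xml_to_bplist(xml)) == contents


if __name__ == "__main__":
    print(bplist_to_xml(compile_nib(SAMPLE_NIB)).decode())
```

The magic check is the part worth keeping: a file that does not start with bplist00 is already XML (or not a plist at all), and converting it again is a no-op or an error.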

  9. Entry point!
    Spoiler:
    - (BOOL)licenseIsValid:(NSString *)license;
    is NOT a good name for a license-checking method!

  10. Let’s class-dump it!

  11. • http://stevenygard.com/projects/class-dump/
    • brew install class-dump

  12. Mach-O
    • Mach-O is the file format used to store programs and libraries on disk in the Mac application binary interface (ABI)
    • The __TEXT segment contains executable code and other read-only data
    • The __objc* sections contain the data used by the Objective-C runtime (class names, selectors, method lists)
    http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/
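
An added example for the Mach-O slide and the later "otool -l indicates all sections with their addresses" point: walking the load commands of a 64-bit Mach-O and listing every segment and section with its address, then placing an arbitrary address in the section it falls in. This is not the talk's code or Apple's; it is written from the struct layouts in <mach-o/loader.h>. The image it parses is constructed in build_sample_image() (header plus __TEXT, an LC_UUID command and __DATA), not a real or loadable binary, and the section addresses in it are made up.

```python
"""Added example (not from the talk): list Mach-O segments and sections with
their addresses, the part of `otool -l` output you read to place an address.

The image is constructed in build_sample_image(): a minimal 64-bit header with
__TEXT and __DATA segment commands only, not a real or loadable binary.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 2
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
IMAGE_BASE = 0x100000000

# Field layouts from <mach-o/loader.h>, little-endian
MACH_HEADER_64 = struct.Struct("<IiiIIIII")            # 32 bytes
LOAD_COMMAND = struct.Struct("<II")                    # cmd, cmdsize
SEGMENT_COMMAND_64 = struct.Struct("<II16sQQQQiiII")   # 72 bytes, followed by nsects sections
SECTION_64 = struct.Struct("<16s16sQQIIIIIIII")        # 80 bytes


def _name(raw: bytes) -> str:
    """Fixed 16-byte, NUL-padded name -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def list_sections(image: bytes):
    """Return [(segname, sectname, addr, size), ...] in load-command order."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = MACH_HEADER_64.unpack_from(image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    out, off = [], MACH_HEADER_64.size
    for _ in range(ncmds):
        cmd, cmdsize = LOAD_COMMAND.unpack_from(image, off)
        if cmd == LC_SEGMENT_64:
            seg = SEGMENT_COMMAND_64.unpack_from(image, off)
            segname, nsects = _name(seg[2]), seg[9]
            sect_off = off + SEGMENT_COMMAND_64.size
            for _ in range(nsects):
                s = SECTION_64.unpack_from(image, sect_off)
                out.append((segname, _name(s[0]), s[2], s[3]))   # sectname, addr, size
                sect_off += SECTION_64.size
        off += cmdsize          # unknown commands (LC_UUID here) are skipped by size
    return out


def find_section(sections, addr: int):
    """Which (segname, sectname) does a virtual address fall in? None if outside all."""
    for segname, sectname, start, size in sections:
        if start <= addr < start + size:
            return segname, sectname
    return None


def _segment(segname: str, vmaddr: int, vmsize: int, sections) -> bytes:
    """Pack one LC_SEGMENT_64 plus its section_64 records (constructed data)."""
    seg16 = segname.encode().ljust(16, b"\0")
    sects = b"".join(
        SECTION_64.pack(name.encode().ljust(16, b"\0"), seg16, addr, size,
                        addr - IMAGE_BASE, 4, 0, 0, 0, 0, 0, 0)
        for name, addr, size in sections)
    cmd = SEGMENT_COMMAND_64.pack(LC_SEGMENT_64, SEGMENT_COMMAND_64.size + len(sects),
                                  seg16, vmaddr, vmsize, vmaddr - IMAGE_BASE, vmsize,
                                  7, 5, len(sections), 0)
    return cmd + sects


def build_sample_image() -> bytes:
    """Constructed image: header, __TEXT (code + C strings), a UUID command, __DATA (objc)."""
    cmds = (
        _segment("__TEXT", IMAGE_BASE, 0x2000,
                 [("__text", 0x100000D00, 0x190), ("__cstring", 0x100000E90, 0x60)])
        + LOAD_COMMAND.pack(LC_UUID, LOAD_COMMAND.size + 16) + b"\0" * 16
        + _segment("__DATA", 0x100002000, 0x1000, [("__objc_selrefs", 0x100002000, 0x10)])
    )
    header = MACH_HEADER_64.pack(MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE, 3, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for segname, sectname, addr, size in list_sections(build_sample_image()):
        print(f"{segname:8s} {sectname:16s} addr {addr:#x} size {size:#x}")
```

On a real binary the same walk handles fat (multi-architecture) files only after you have sliced out one architecture (lipo -thin, or otool -arch); the magic check above rejects a fat header rather than misparsing it.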

  13–17. Prologue: “save” $rdi, $rsi (self and _cmd) to the stack
    Load $rdi (the first argument to NSLog, a RIP-relative load)
    “Clear” $al (for a variadic call, $al holds the number of vector registers used: none here)
    Call NSLog
    Epilogue

  18. Where the arguments are at method entry, by architecture:
          arm         ppc/ppc64   x86_64   i386 (before prologue)   i386 (after prologue)
    arg0  $r0         $r3         $rdi     *($esp + 4)              *($ebp + 8)       ← self
    arg1  $r1         $r4         $rsi     *($esp + 8)              *($ebp + 12)      ← _cmd
    arg2  $r2         $r5         $rdx     *($esp + 12)             *($ebp + 16)
    arg3  $r3         $r6         $rcx     *($esp + 16)             *($ebp + 20)
    arg4  *($sp)      $r7         $r8      *($esp + 20)             *($ebp + 24)
    arg5  *($sp + 4)  $r8         $r9      *($esp + 24)             *($ebp + 28)
    In every Objective-C method arg0 is self and arg1 is _cmd (the selector); the method’s own parameters start at arg2.
    On i386 at the very first instruction *($esp) is the return address, so arg0 is at *($esp + 4); after push ebp / mov ebp, esp the same slot is *($ebp + 8).
    http://www.clarkcox.com/blog/2009/02/04/inspecting-obj-c-parameters-in-gdb/

  19. Relative addressing
    The displacement is relative to the address of the next instruction, not of the current one:
    0x100000de7 + 0x5e1 = 0x1000013c8
    otool -l lists all segments and sections with their addresses, so you can tell which section a computed target lands in

  20. cstring address
    (0x100000e9a)
    cstring length
    0x41 ⇒ ‘A’

  21. Objective-C specific
    • Extensive objc_msgSend() usage
    • Extreme verbosity in a binary
    • Widely used in OS X, iOS
    • Has special sections in Mach-O

  22–23. Tools
    • IDA – €679 for the “Starter” version (2013 pricing)
    There’s a free demo, but it’s quite limited
    https://www.hex-rays.com/products/ida/index.shtml
    ✓ Hopper Disassembler – €45 (the one used in this talk)
    There’s also a free, limited demo
    http://www.hopperapp.com/index.html

  24. Cracking example
    Now it’s free so check it out!
    http://snippets.me
    http://www.snippetsapp.com

  25–26. A keygen is not possible
    We can still patch the binary

  27. Mod / Reg / R/M byte
    • Specifies the operands and their addressing mode
    http://en.wikibooks.org/wiki/X86_Assembly/Machine_Language_Conversion
    bit:   7  6 | 5  4  3 | 2  1  0
          MOD  |   REG   |   R/M

  28. Hopper scripts.py
    • mov $rsi,
    https://gist.github.com/0xc010d/5095541
    • call
    https://gist.github.com/0xc010d/5095544
    • nop
    https://gist.github.com/0xc010d/4335013
    • endp
    https://gist.github.com/0xc010d/5095551
    • Insert ASM instruction
    https://gist.github.com/0xc010d/4335229
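
Slides 19, 27 and 28 together, as one added example that is neither the talk's code nor the gists linked above: decoding rel32 and RIP-relative operands from the next instruction's address, splitting a ModRM byte into mod/reg/r/m, and the patching side (assembling a call rel32 for a chosen address and NOP-filling whatever it replaces). The code bytes are constructed so that the lea ends at 0x100000de7 and points 0x5e1 past it, matching the relative-addressing slide; the call target 0x100001000 is a hypothetical stub address, and only the handful of instruction forms used here are decoded.

```python
"""Added example (not from the talk or its gists): x86-64 relative addressing,
ModRM decoding, and the patch primitives behind "mov / call / nop" scripts.

The bytes in CODE are constructed; 0x100001000 is a hypothetical stub address.
"""
import struct

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
NOP = 0x90


def split_modrm(byte: int):
    """ModRM fields: mod = bits 7-6, reg = bits 5-3, r/m = bits 2-0."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def rel32(code: bytes, at: int) -> int:
    """Signed little-endian 32-bit displacement starting at code[at]."""
    return struct.unpack_from("<i", code, at)[0]


def decode_one(addr: int, code: bytes, at: int):
    """Decode the instruction at code[at] (virtual address `addr`).

    Returns (text, length, target). `target` is the absolute address a
    rel32/RIP-relative operand points at, computed from the NEXT
    instruction's address, or None when there is no such operand.
    Only the few forms this example needs are recognised.
    """
    op = code[at]
    if op == 0xE8:                                   # call rel32
        return "call", 5, addr + 5 + rel32(code, at + 1)
    if op == NOP:
        return "nop", 1, None
    if op == 0x31 and code[at + 1] == 0xC0:          # xor eax, eax
        return "xor eax, eax", 2, None
    if op == 0x48 and code[at + 1] == 0x8D:          # REX.W lea r64, m
        mod, reg, rm = split_modrm(code[at + 2])
        if mod == 0 and rm == 5:                     # mod=00, r/m=101: [rip+disp32] in 64-bit mode
            return f"lea {REG64[reg]}, [rip+disp32]", 7, addr + 7 + rel32(code, at + 3)
    raise ValueError(f"unsupported opcode {op:#04x} at {addr:#x}")


def disassemble(base: int, code: bytes):
    """Walk `code` (loaded at `base`); return [(addr, text, target), ...]."""
    out, at = [], 0
    while at < len(code):
        text, length, target = decode_one(base + at, code, at)
        out.append((base + at, text, target))
        at += length
    return out


def encode_call(addr: int, target: int) -> bytes:
    """Assemble `call target` for placement at `addr`: E8 + rel32 from the next instruction."""
    return b"\xE8" + struct.pack("<i", target - (addr + 5))


def patch(image: bytearray, base: int, addr: int, new_bytes: bytes, old_len: int) -> None:
    """Overwrite `old_len` bytes at virtual address `addr` in `image`, NOP-filling any slack."""
    if len(new_bytes) > old_len:
        raise ValueError("replacement does not fit in the original instruction")
    off = addr - base
    image[off:off + old_len] = new_bytes + bytes([NOP]) * (old_len - len(new_bytes))


# Constructed code bytes (not from the talk's binary), laid out so the lea
# ends at 0x100000de7 and points 0x5e1 past it, as on the relative-addressing slide.
BASE = 0x100000DE0
CODE = bytes.fromhex(
    "488d3de1050000"   # lea rdi, [rip+0x5e1]  -> 0x100000de7 + 0x5e1 = 0x1000013c8
    "31c0"             # xor eax, eax          (no vector registers used by the variadic call)
    "e812020000"       # call 0x100001000      (hypothetical NSLog stub address)
)


def demo():
    """Disassemble CODE, then NOP out the call and disassemble again."""
    listing = disassemble(BASE, CODE)
    image = bytearray(CODE)
    call_addr = listing[-1][0]
    patch(image, BASE, call_addr, b"", 5)          # 5 NOPs where the call was
    return listing, disassemble(BASE, bytes(image))
```

patch() assumes a flat buffer that starts at `base`; in a real Mach-O the file offset of a virtual address is addr - vmaddr + fileoff of the segment that contains it, which is exactly what otool -l gives you. NOP-filling instead of shortening keeps every later instruction at its original address, so no other displacement needs recomputing.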

  29. This is important

  30. The owner name is what gets checked, together with the serial, in
    BOOL SASerialIsValidForOwner(NSString *serial, NSString *owner)

  31. How to improve
    • Don’t use Objective-C in critical parts (class-dump and the __objc_* sections hand the reverser your method names)
    • Check the license in non-obvious places, not in one method with an obvious name
    • inline (GCC does not inline any functions when not optimizing, i.e. at -O0)
    • __attribute__((always_inline)) inline forces it regardless of optimization level, so there is no single function to patch and the check is repeated at every call site
    http://gcc.gnu.org/onlinedocs/gcc/Inline.html

  32. What about iOS?
    • ARM
    • The App Store binary is encrypted
    • You need a jailbroken device (to dump the decrypted binary from memory)
    • Still not so difficult

  33. These slides:
    https://speakerdeck.com/0xc010d/reversing-101
    @0xc010d
    [email protected]
    http://0xc010d.com
