Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond The 'Cript: Practical iOS Reverse Engineering (Lascon Edition)

Michael Allen
November 04, 2016
Research
0
530

Beyond The 'Cript: Practical iOS Reverse Engineering (Lascon Edition)

Michael Allen

November 04, 2016
Tweet

More Decks by Michael Allen

See All by Michael Allen
OWASP Lightning Talk: Beyond The 'Cript: Practical iOS Reverse Engineering
_dark_knight_
1
170
Beyond The 'Cript: Practical iOS Reverse Engineering
_dark_knight_
0
450

Other Decks in Research

See All in Research
脳卒中患者・家族からみた循環器病対策推進基本計画の進捗に関する調査
japanstrokeassociation
0
530
自己教師あり学習による事前学習(CVIMチュートリアル)
naok615
2
1.4k
[2023 CCSE] ZOZOTOWN検索における 研究開発の取り組みについて
tomoyayama
0
130
Azure Arc-enabled Serversを利用した ハイブリッド・マルチクラウド環境の管理 / Managing Hybrid Multi-cloud Environments with Azure Arc-enabled Servers
nttcom
0
210
Alexander Mielke Hellinger--Kantorovich (a.k.a. Wasserstein-Fisher-Rao) Spaces and Gradient Flows
jjzhu
3
180
F0に基づいて伸縮された画像文字からの音声合成 [ASJ2024春]
nehi0615
0
120
Accurate Method and Variable Tracking in Commit History
tsantalis
0
250
待機電力を削減したネットワーク更新型電子ペーパーサイネージの開発と評価 / IOT64
yumulab
0
100
SANER 2019 Most Influential Paper Talk
tsantalis
0
120
ゼロからわかるリザバーコンピューティング
kurotaky
1
280
床面圧力センサ開発における感圧導電シート分離方式の検討 / WISS2023
yumulab
0
270
3D Human Mesh Estimationについていくつかまとめてみた / Survey about 3D Human Mesh Estimation
nttcom
0
200

Featured

See All Featured
The Language of Interfaces
destraynor
151
23k
Building a Scalable Design System with Sketch
lauravandoore
455
32k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
It's Worth the Effort
3n
180
27k
Navigating Team Friction
lara
177
13k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Design by the Numbers
sachag
274
18k
Web Components: a chance to create the future
zenorocha
305
41k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
In The Pink: A Labor of Love
frogandcode
138
21k
Done Done
chrislema
178
15k

Transcript

  1. IOActive, Inc. Copyright ©2016. All Rights Reserved. Beyond The ‘Cript:

    Practical iOS Reverse Engineering Michael Allen (@_dark_knight_) Security Consultant

  2. IOActive, Inc. Copyright ©2016. All Rights Reserved. Identifying and bypassing

    Simple Jailbreak Detection Routines Case Study

  3. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

    File System Activity •  Using filemon -l •  Creates hard links to temporary files

  4. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

    Logs •  Using idevicesyslog [libimobiledevice]

  5. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    The Binary •  Dump the binary (facilitated by DYLD and DYLD_INSERT_LIBRARIES environment variable)

  6. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    Symbols •  Dump the symbols along with dylib’s to which they belong

  7. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    strings •  Any interesting strings? •  Dump cstring section (same as running strings) •  Knowledge of SEGMENTS and sections important

  8. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    DYLIB’S •  procexp <pid> regions Dump the library with lldb

  9. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    DYLIB’S

  10. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    Classes

  11. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check

  12. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check statfs func call Patch here statfs argument

  13. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check Patch here •  Patch register w8

  14. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check

  15. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks Changes when debugger attached

  16. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid)

  17. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) ppid func call Patch here

  18. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) •  parent process id of calling process Patch here

  19. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) sysctl func call Patch here

  20. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) Patch here

  21. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Call to fork Return value in X0 Patch CMN W19, #1

  22. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Patch here

  23. IOActive, Inc. Copyright ©2016. All Rights Reserved. Conclusion •  Common

    bugs being closed •  A “new” approach and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protections, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!

  24. IOActive, Inc. Copyright ©2016. All Rights Reserved. References •  Books:

    •  Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin) •  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. ) •  Hacking and Securing iOS Applications (Jonathan Zdziarski) •  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel) •  Blogs and Tools: •  processor_set_tasks() - http://newosxbook.com/articles/PST2.html •  procexp – http://newosxbook.com/tools/procexp.html •  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html •  jtool - http://newosxbook.com/tools/jtool.html •  filemon - http://newosxbook.com/tools/filemon.html •  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html •  Frida - http://www.frida.re/ •  Cycript - http://www.cycript.org/ •  iFunBox - http://www.i-funbox.com/ •  SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch •  BurpSuite - https://portswigger.net/burp/ •  IDA - https://www.hex-rays.com/products/ida/ •  Hopper - https://www.hopperapp.com/ •  Idb - http://www.idbtool.com/ •  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers •  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html •  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser •  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143 •  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL