Disassembly for Fun and Profit

Transcript

1. Disassembly for fun and profit Alexsander Akers • @a2 NSSpain

   2017
2. None
3. None
4. None

5. Imagine a car.

6. Why disassemble? — ! To see how methods are implemented

   — " To debug arcane exceptions — # To call functionality that shouldn't be called

7. Agenda As developers of apps or frameworks, we decide which

   classes, methods, and properties to expose. Apple does this too. If something is private, it signals an implementation detail that should not normally be called directly. Private does not mean "do not call me."

8. Implementation Details

9. OSS dependencies — NSCalendar, NSFormatter, NSLocale, NSTimeZone ↪ icucore —

   Auto Layout ↪ Cassowary constraint solver — Core Data ↪ SQLite — Swift, Grand Central Dispatch, WebKit, Bonjour — And more... opensource.apple.com

10. Some assembly required

11. Some assembly required

12. Meet Hopper

13. Meet Hopper — You can get it from hopperapp.com —

    Free trial with some limitations
14. None

15. Xcode-8.app Contents Developer Platforms iPhoneSimulator.platform Developer SDKs iPhoneSimulator.sdk System Library

    Frameworks

16. Xcode-9.app Contents Developer Platforms iPhoneOS.platform Developer Library CoreSimulator Profiles Runtimes

    iOS.simruntime

17. Xcode-9.app/.../iOS.simruntime Contents Resources RuntimeRoot System Library Frameworks

18. None
19. None
20. None
21. None
22. None
23. None
24. None
25. None
26. None
27. None

28. Call me maybe?

29. Call me maybe? GitHub a2/touch-baer @interface NSTouchBarItem () + (void)addSystemTrayItem:(NSTouchBarItem

    *)item; @end @interface NSTouchBar () + (void)presentSystemModalFunctionBar:(NSTouchBar *)touchBar systemTrayItemIdentifier:(NSString *)identifier; @end

30. Call me maybe? #import <Foundation/Foundation.h> Class klass = NSClassFromString(@"SFAirDropActivityViewController") #import

    <objc/funtime.h> Class otherKlass = objc_getClass("SFAirDropActivityViewController")

31. Call me maybe? #import <Foundation/Foundation.h> Class klass = NSClassFromString(@"SFAirDropActivityViewController") #import

    <objc/runtime.h> Class otherKlass = objc_getClass("SFAirDropActivityViewController") Runtime is funtime!

32. Call me maybe? Class klass = NSClassFromString(@"SFAirDropActivityViewController"); id airDropThang =

    [[klass alloc] init]; [airDropThang performSelector: NSSelectorFromString(@"startBrowsing")];

33. Call me maybe? #import <dlfcn.h> void *handle = dlopen("/System/Library/PrivateFrameworks" "/Sharing.framework/Sharing",

    RTLD_NOW); CFTypeRef (*createBrowser)(CFAllocatorRef, CFStringRef) = dlsym(handle, "SFBrowserCreate"); CFTypeRef browser = createBrowser(NULL, CFSTR("AirDrop"));

34. Call me maybe? GitHub a2/TrollDropPlayground let path = "/System/Library" +

    \ "/PrivateFrameworks/Sharing.framework" let bundleURL = CFURLCreateWithFileSystemPath( kCFAllocatorDefault, path as CFString, .cfurlposixPathStyle, false) let bundle = CFBundleCreate(nil, bundleURL)

35. Call me maybe? GitHub a2/TrollDropPlayground var destination: UnsafeMutableRawPointer? = nil

    CFBundleGetDataPointersForNames(bundle, ["kSFBrowserKindAirDrop"] as CFArray, &destination) let airDropKind = destination .assumingMemoryBound(to: CFString.self) .pointee

36. Call me maybe? GitHub a2/TrollDropPlayground var destination: UnsafeMutableRawPointer? = nil

    CFBundleGetFunctionPointersForNames(bundle, ["SFBrowserCreate"] as CFArray, &destination) typealias CreateBrowserType = @convention(c) (CFAllocator?, CFString?) -> Browser let createBrowser = unsafeBitCast( destination!, to: CreateBrowserType.self)

37. How to disassemble — We had a starting point, UIKit

    — We disassembled UIKit — We searched for "AirDrop" to see which private API were called — We disassembled the Sharing framework — We created a way to call the API methods and functions

38. ⚠ Caution — Private API use is grounds for App

    Store rejection. — Just because you can, doesn't mean you should. — With great power comes great responsibility.

39. Where to go from here? — hopperapp.com — github.com/a2/touch-baer —

    github.com/a2/TrollDropKit — github.com/a2/TrollDropPlayground (Swift, Playgrounds.app)

40. Disassembly for fun and profit Alexsander Akers • @a2 NSSpain

    2017