Reversing WTF
Vladimir Pouzanov
March 31, 2012
Programming
Transcript
Reversing WTF Vladimir “Farcaller” Pouzanov
00002160 b580 push {r7, lr}
00002162 466f mov r7, sp
00002164 b099 sub sp, #100
00002166 9017 str r0, [sp, #92]
00002168 9116 str r1, [sp, #88]
0000216a 4610 mov r0, r2
0000216c 930e str r3, [sp, #56]
0000216e f000ef42 blx 0x2ff4 @ symbol stub for: _objc_retain
00002172 9015 str r0, [sp, #84]
00002174 980e ldr r0, [sp, #56]
00002176 f000ef3e blx 0x2ff4 @ symbol stub for: _objc_retain
0000217a 9014 str r0, [sp, #80]
0000217c 9817 ldr r0, [sp, #92]
0000217e 4967 ldr r1, [pc, #412] (0x231c)
00002180 4479 add r1, pc
00002182 6809 ldr r1, [r1, #0]
00002184 4a64 ldr r2, [pc, #400] (0x2318)
00002186 447a add r2, pc
00002188 6812 ldr r2, [r2, #0]
0000218a 900d str r0, [sp, #52]
0000218c 4608 mov r0, r1
0000218e 4611 mov r1, r2
00002190 f000ef28 blx 0x2fe4 @ symbol stub for: _objc_msgSend
00002194 495f ldr r1, [pc, #380] (0x2314)
00002196 4479 add r1, pc
00002198 6809 ldr r1, [r1, #0]
0000219a 4a5d ldr r2, [pc, #372] (0x2310)
0000219c 447a add r2, pc
0000219e 6812 ldr r2, [r2, #0]
000021a0 900c str r0, [sp, #48]
000021a2 4608 mov r0, r1
000021a4 4611 mov r1, r2
000021a6 f000ef1e blx 0x2fe4 @ symbol stub for: _objc_msgSend
000021aa 463f mov r7, r7
000021ac f000ef24 blx 0x2ff8 @ symbol stub for: _objc_retainAutoreleasedReturnValue
000021b0 2100 movs r1, #0
ТОЛЬКО АССЕМБЛЕР! ТОЛЬКО ХАРДКОР!
Зачем мне это?
Fun
Profit
None
None
None
None
We have to go deeper!
Mach-O
Load Command
Сегменты
__TEXT
__DATA
__TEXT.__text
00002388 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate application:didFinishLaunchingWithOptions:] 00002588 (__TEXT,__text) non-‐external [Thumb]
-‐[AppDelegate applicationDidBecomeActive:] 00002570 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationDidEnterBackground:] 0000257c (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationWillEnterForeground:] 00002564 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationWillResignActive:] 00002594 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationWillTerminate:] 0000231c (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate dealloc] 00002600 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate navigationController] 0000261c (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate setNavigationController:] 000025bc (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate setWindow:] 000025a0 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate window] 00002e60 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController configureView] 00002d80 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController dealloc] 00003040 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController detailDescriptionLabel] 00003024 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController detailItem] 00002f78 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController initWithNibName:bundle:] 0000305c (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController setDetailDescriptionLabel:] 00002dec (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController setDetailItem:] 00002f58 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController shouldAutorotateToInterfaceOrientation:] 00002ed8 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController viewDidLoad] 00002f18 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController viewDidUnload] 00002730 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController dealloc] 00002d20 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController detailViewController] 00002660 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController initWithNibName:bundle:] 000028c8 
(__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController insertNewObject:] 000029d8 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController numberOfSectionsInTableView:] 00002d3c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController setDetailViewController:] 000028a8 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController shouldAutorotateToInterfaceOrientation:] 00002b30 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:canEditRowAtIndexPath:] 00002a1c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:cellForRowAtIndexPath:] 00002b4c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:commitEditingStyle:forRowAtIndexPath:] 00002bec (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:didSelectRowAtIndexPath:] 000029ec (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:numberOfRowsInSection:] 0000279c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController viewDidLoad] 00002878 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController viewDidUnload]
00002388 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate application:didFinishLaunchingWithOptions:] 00002588 (__TEXT,__text) non-‐external [Thumb]
-‐[AppDelegate applicationDidBecomeActive:] 00002570 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationDidEnterBackground:] 0000257c (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationWillEnterForeground:] 00002564 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationWillResignActive:] 00002594 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate applicationWillTerminate:] 0000231c (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate dealloc] 00002600 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate navigationController] 0000261c (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate setNavigationController:] 000025bc (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate setWindow:] 000025a0 (__TEXT,__text) non-‐external [Thumb] -‐[AppDelegate window] 00002e60 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController configureView] 00002d80 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController dealloc] 00003040 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController detailDescriptionLabel] 00003024 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController detailItem] 00002f78 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController initWithNibName:bundle:] 0000305c (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController setDetailDescriptionLabel:] 00002dec (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController setDetailItem:] 00002f58 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController shouldAutorotateToInterfaceOrientation:] 00002ed8 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController viewDidLoad] 00002f18 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController viewDidUnload] 00002730 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController dealloc] 00002d20 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController detailViewController] 00002660 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController initWithNibName:bundle:] 000028c8 
(__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController insertNewObject:] 000029d8 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController numberOfSectionsInTableView:] 00002d3c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController setDetailViewController:] 000028a8 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController shouldAutorotateToInterfaceOrientation:] 00002b30 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:canEditRowAtIndexPath:] 00002a1c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:cellForRowAtIndexPath:] 00002b4c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:commitEditingStyle:forRowAtIndexPath:] 00002bec (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:didSelectRowAtIndexPath:] 000029ec (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController tableView:numberOfRowsInSection:] 0000279c (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController viewDidLoad] 00002878 (__TEXT,__text) non-‐external [Thumb] -‐[MasterViewController viewDidUnload] 00002ed8 (__TEXT,__text) non-‐external [Thumb] -‐[DetailViewController viewDidLoad]
ARM
ARMARM
15 регистров
13 – общего назначения
32 бита
SP, LR, PC
Адресное пространство
2³² = 4 294 967 296
01234567 Big-endian
76543210 Little-endian
4 набора инструкций
ARM 32 бита
Thumb 16-32 бита
ThumbEE Jazelle
UAL
UAL 426 инструкций
Поехали!
00002388 b590 push {r4, r7, lr}
0000238a af01 add r7, sp, #4
0000238c b097 sub sp, #92
0000238e f2400900 movw r9, #0 @ 0x0
00002392 f2c00900 movt r9, #0 @ 0x0
00002396 9016 str r0,
[sp, #88] 00002398 9115 str r1, [sp, #84] 0000239a 9214 str r2, [sp, #80] 0000239c 9313 str r3, [sp, #76] r0 = (id)self r1 = (SEL)_cmd r2 = ... r3 = ...
00002396 9016 str r0,
[sp, #88] 00002398 9115 str r1, [sp, #84] 0000239a 9214 str r2, [sp, #80] 0000239c 9313 str r3, [sp, #76] 0000239e 9816 ldr r0, [sp, #88] r0 = (id)self r1 = (SEL)_cmd r2 = ... r3 = ...
000023a0 495f ldr r1,
[pc, #380] (0x2520) 000023a2 4479 add r1, pc 000023a4 6809 ldr r1, [r1, #0] _OBJC_CLASS_$_UIWindow
000023a0 495f ldr r1,
[pc, #380] (0x2520) 000023a2 4479 add r1, pc 000023a4 6809 ldr r1, [r1, #0] _OBJC_CLASS_$_UIWindow 000023a6 4a5d ldr r2, [pc, #372] (0x251c) 000023a8 447a add r2, pc 000023aa 6812 ldr r2, [r2, #0] “alloc”
000023ac 900d str r0,
[sp, #52] 000023ae 4608 mov r0, r1 000023b0 4611 mov r1, r2 000023b2 f8cd9030 str.w r9, [sp, #48] 000023b6 f001ee1c blx 0x3ff0 52: self
000023ac 900d str r0,
[sp, #52] 000023ae 4608 mov r0, r1 000023b0 4611 mov r1, r2 000023b2 f8cd9030 str.w r9, [sp, #48] 000023b6 f001ee1c blx 0x3ff0 0000238e f2400900 movw r9, #0 @ 0x0 52: self 48: 0
000023ac 900d str r0,
[sp, #52] 000023ae 4608 mov r0, r1 000023b0 4611 mov r1, r2 000023b2 f8cd9030 str.w r9, [sp, #48] 000023b6 f001ee1c blx 0x3ff0 [UIWindow alloc]
000023ba 4957 ldr r1,
[pc, #348] (0x2518) 000023bc 4479 add r1, pc 000023be 6809 ldr r1, [r1, #0] _OBJC_CLASS_$_UIScreen 000023c0 4a54 ldr r2, [pc, #336] (0x2514) 000023c2 447a add r2, pc 000023c4 6812 ldr r2, [r2, #0] “mainScreen”
000023c6 900b str r0,
[sp, #44] 000023c8 4608 mov r0, r1 000023ca 4611 mov r1, r2 000023cc f001ee10 blx 0x3ff0 52: self 48: 0 44: window [UIScreen mainScreen]
000023d0 494f ldr r1,
[pc, #316] (0x2510) 000023d2 4479 add r1, pc 000023d4 680a ldr r2, [r1, #0] “bounds”
000023d6 990c ldr r1,
[sp, #48] 000023d8 4288 cmp r0, r1 000023da 900a str r0, [sp, #40] 000023dc 9209 str r2, [sp, #36] 000023de d005 beq.n 0x23ec 48: 0 40: screen 36: “bounds” [UIScreen mainScreen] == 0?
000023e0 a80f add r0,
sp, #60 000023e2 990a ldr r1, [sp, #40] 000023e4 9a09 ldr r2, [sp, #36] 000023e6 f001ee08 blx 0x3ff8 000023ea e005 b.n 0x23f8 60: frameRect 40: screen 36: “bounds” [screen frame] (objc_msgSend_stret) [UIScreen mainScreen] != 0
000023ec a80f add r0,
sp, #60 000023ee 2100 movs r1, #0 000023f0 60c1 str r1, [r0, #12] 000023f2 6081 str r1, [r0, #8] 000023f4 6041 str r1, [r0, #4] 000023f6 6001 str r1, [r0, #0] 60: frameRect 40: screen 36: “bounds” CGRect {0, 0, 0, 0} [UIScreen mainScreen] == 0
000023f8 2001 movs r0,
#1 000023fa f2c00000 movt r0, #0 @ 0x0 000023fe f24221de movw r1, #8926 @ 0x22de 00002402 f2c00100 movt r1, #0 @ 0x0 00002406 4479 add r1, pc 00002408 6809 ldr r1, [r1, #0] “initWithFrame:”
0000240a 9a0f ldr r2,
[sp, #60] 0000240c 9b10 ldr r3, [sp, #64] 0000240e f8dd9044 ldr.w r9, [sp, #68] 00002412 f8ddc048 ldr.w r12, [sp, #72] 60: frameRect.origin.x 64: frameRect.origin.y 68: frameRect.size.width 72: frameRect.size.height
00002416 f8dde02c ldr.w lr, [sp, #44] 0000241a
466c mov r4, sp 0000241c f8c49000 str.w r9, [r4] 00002420 f8c4c004 str.w ip, [r4, #4] 00002424 9008 str r0, [sp, #32] 00002426 4670 mov r0, lr 44: window
00002416 f8dde02c ldr.w lr, [sp, #44] 0000241a
466c mov r4, sp 0000241c f8c49000 str.w r9, [r4] 00002420 f8c4c004 str.w ip, [r4, #4] 00002424 9008 str r0, [sp, #32] 00002426 4670 mov r0, lr 44: window 32: 1 000023f8 2001 movs r0, #1
00002416 f8dde02c ldr.w lr, [sp, #44] 0000241a
466c mov r4, sp 0000241c f8c49000 str.w r9, [r4] 00002420 f8c4c004 str.w r12, [r4, #4] 00002424 9008 str r0, [sp, #32] 00002426 4670 mov r0, lr 44: window 00002428 f001ede2 blx 0x3ff0 [window initWithFrame:{.., .., .., ..}]
r0 – r3
r0 – r4
r0: self
r1: _cmd
r2: arg1
r3: arg2
r4: *
*1: arg3
*2: arg4
...
Стек
0000242c 494c ldr r1,
[pc, #304] (0x2560) 0000242e 4479 add r1, pc 00002430 6809 ldr r1, [r1, #0] 00002432 f001edde blx 0x3ff0 [window autorelease]
00002436 4949 ldr r1,
[pc, #292] (0x255c) 00002438 4479 add r1, pc 0000243a 6809 ldr r1, [r1, #0] 0000243c 9a0d ldr r2, [sp, #52] 0000243e 9007 str r0, [sp, #28] 00002440 4610 mov r0, r2 00002442 9a07 ldr r2, [sp, #28] 00002444 f001edd4 blx 0x3ff0 [self setWindow:window] 52: self 28: window2
00002448 4843 ldr r0,
[pc, #268] (0x2558) 0000244a 4478 add r0, pc 0000244c 6800 ldr r0, [r0, #0] 0000244e 4941 ldr r1, [pc, #260] (0x2554) 00002450 4479 add r1, pc 00002452 6809 ldr r1, [r1, #0] 00002454 f001edcc blx 0x3ff0 [MasterViewController alloc]
00002458 493d ldr r1,
[pc, #244] (0x2550) 0000245a 4479 add r1, pc 0000245c 6809 ldr r1, [r1, #0] 0000245e 2300 movs r3, #0 00002460 f242420c movw r2, #9228 @ 0x240c 00002464 f2c00200 movt r2, #0 @ 0x0 00002468 447a add r2, pc 0000246a f001edc2 blx 0x3ff0 [controller initWithNibName:@”MasterViewController” bundle:0]
00002458 493d ldr r1,
[pc, #244] (0x2550) 0000245a 4479 add r1, pc 0000245c 6809 ldr r1, [r1, #0] 0000245e 2300 movs r3, #0 00002460 f242420c movw r2, #9228 @ 0x240c 00002464 f2c00200 movt r2, #0 @ 0x0 00002468 447a add r2, pc 0000246a f001edc2 blx 0x3ff0 ___CFConstantStringClassReference: @"MasterViewController"
...
00002506 9808 ldr r0, [sp, #32]
00002508 b240 sxtb r0, r0
0000250a b017 add sp, #92
0000250c bd90 pop {r4, r7, pc}
32: 1
0000250e bf00 nop 00002510
230e movs r3, #14 00002512 0000 lsls r0, r0, #0 00002514 231a movs r3, #26 00002516 0000 lsls r0, r0, #0 00002518 23f0 movs r3, #240 0000251a 0000 lsls r0, r0, #0 0000251c 2330 movs r3, #48 0000251e 0000 lsls r0, r0, #0 ........
- (BOOL)application:(UIApplication *)application
    didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Source form of -[AppDelegate application:didFinishLaunchingWithOptions:],
    // the routine walked through in the disassembly above (Thumb, listed at
    // 0x2388 in the __TEXT.__text symbol dump). Manual retain/release: every
    // +1 object coming out of alloc/init is handed to the autorelease pool.
    //
    // `launchOptions` is never read here; only `self` and `_cmd` are used.

    // [[UIScreen mainScreen] bounds] returns a struct, which is why the
    // listing shows an objc_msgSend_stret call writing a CGRect onto the stack.
    CGRect screenBounds = [[UIScreen mainScreen] bounds];
    UIWindow *window = [[[UIWindow alloc] initWithFrame:screenBounds] autorelease];
    self.window = window;

    // The nib name is a ___CFConstantStringClassReference literal and the
    // bundle argument is nil (the `movs r3, #0` in the listing).
    MasterViewController *rootController =
        [[[MasterViewController alloc] initWithNibName:@"MasterViewController"
                                                bundle:nil] autorelease];
    UINavigationController *navigation =
        [[[UINavigationController alloc] initWithRootViewController:rootController]
            autorelease];
    self.navigationController = navigation;

    self.window.rootViewController = self.navigationController;
    [self.window makeKeyAndVisible];

    // YES is materialised as `movs r0, #1` and sign-extended (`sxtb`) on return.
    return YES;
}
Главное – замечать общие шаблоны. Это легко*
* не сложнее, чем матан
Казалось бы, вот и всё. Но это только начало.