Cocoaheads Melbourne - April 2014 - Reverse Engineering Mac & iOS Apps

Transcript

1. ~ > cat title.txt Reverse Engineering Mac & iOS Apps

   >>>> ~ > tail -n 3 contact.txt Richard Heard @heardrwt (Twitter & GitHub) http://rheard.com

2. ~ > define “Reverse Engineering” … the process of discovering

   the technological principles of a device, object, or system through analysis of its structure, function, and operation.

3. ~ > open background.rtfd

4. ~ > open atlas_cove.rtfd

5. ~ > cat projects.txt RHAddressBook RHPreferences RHAdditions RHKeychain RHDisplayLinkStepper RHHorizontalSwipe

   RHSQLiteKit RevealLoader http://github.com/heardrwt

6. ~ > open mac_apps.rtfd http://lemonjar.com

7. ~ > ls ~/tools

8. WARNING: USE OF REVERSE ENGINEERING HAS BEEN PROVEN TO CAUSE

   ANGER. DON'T BE EVIL. Seriously, be nice.

9. Jailbreak (evasi0n7) As a developer, Jailbreaking a device makes debugging

   heaps easier. ! As always, only jailbreak a dedicated device, not your main phone. http://guidemyjailbreak.com

10. Clutch ! Removes FairPlay Encryption from iOS App Store binaries

    so we can decompile / introspect them. https://github.com/KJCracks/Clutch/        ___  _              _              _        /  __\  |_      _|  |_  ___|  |__      /  /    |  |  |  |  |  __/  __|  '_  \    /  /___|  |  |_|  |  ||  (__|  |  |  |    \____/|_|\__,_|\__\___|_|  |_|  

11. nm ! Dump a binaries symbols table. Installed with Xcode

    command line tools. http://opensource.apple.com/source/cctools/cctools-845/misc/nm.c ~ > nm MapKit.framework/MapKit 00000000000792e6 t +[CAMediaTimingFunction(MKAdditions) sigmoidFunction] 000000000011d6d8 b +[CAMediaTimingFunction(MKAdditions) sigmoidFunction]._sigmoidFunction 000000000005887b t +[CLLocation(MapKitAdditions) _mapkit_stringWithType:] 0000000000058944 t +[CLLocation(MapKitAdditions) _mapkit_typeWithSource:] 0000000000088d3b t +[GEOLocation(MKGeoServicesExtras) locationWithCLLocation:course:]

12. otool ! Mach-O file Inspector. Installed with Xcode command line

    tools. http://opensource.apple.com/source/cctools/cctools-845/otool/ ~ > otool Usage: otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQj] [-mcpu=arg] <object file> ... -f print the fat headers -a print the archive header -h print the mach header -l print the load commands

13. class-dump ! Objective-C Mach-O file Inspector. Outputs valid class, category

    and protocol headers from Mach-O binaries. http://stevenygard.com/projects/class-dump/ ~ > class-dump class-dump 3.5 (64 bit) Usage: class-dump [options] <mach-o-file> ! where options are: -a show instance variable offsets -A show implementation addresses --arch <arch> choose a specific architecture

14. Hopper Disassembler ! Hopper is an executable disassembler and decompiler

    for Mac, Windows and iOS executables. http://www.hopperapp.com

15. Cycript ! Objective-C runtime Interactive Console. Mess with running applications,

    live. Totally as cool as it sounds. http://www.cycript.org

16. Reveal.app ! Hopefully needs little introduction tonight… ;) Use it,

    its cool. http://revealapp.com @[inspect, modify, debug];

17. Reveal Loader Cydia tweak (created by me) that allows for

    loading libReveal.dylib into on device process. ! Search for “Reveal Loader” in Cydia. https://github.com/heardrwt/revealloader

18. lldb + debugserver The debugger you use day to day

    inside Xcode, connected to remote, on device processes via debugserver. http://llvm.org https://github.com/heardrwt/ios-debugserver

19. Charles Proxy ! HTTP Proxy + Reverse Proxy. Inspect all

    HTTP and HTTPS traffic between an app and the web. http://charlesproxy.com

20. ~ > lldb -n demo Attaching to process with: process

    attach -n “demo” ! (lldb)

21. ~ > clutch /usr/bin/clutch <#app_name#> ! mkdir ~/Desktop/<#app_name#> scp [email protected]:"/var/root/Documents/clutch/

    <#app_name#>*.ipa" ~/Desktop/<#app_name#>/ ~ > copy ipa to mac

22. ~ > extract ipa cd ~/Desktop/<#app_name#>/ unzip <#app_name#>* -d ipa

    ! #Dump all symbols in a binary nm ipa/Payload/<#app_name#>.app/<#app_name#> ! #Only dump external symbols nm -u ipa/Payload/<#app_name#>.app/<#app_name#> ~ > nm examples

23. ~ > otool examples #list shared libraries otool -L ipa/Payload/<#app_name#>.app/<#app_name#>

    ! #c strings otool -v -s __TEXT __cstring ipa/Payload/ <#app_name#>.app/<#app_name#> ! #selector strings otool -v -s __TEXT __objc_methname ipa/Payload/ <#app_name#>.app/<#app_name#> ! #objective C segment.. verbose! otool -o ipa/Payload/<#app_name#>.app/<#app_name#>

24. ~ > class-dump example #output to folder ‘Headers’ class-dump -H

    -o Headers ipa/Payload/ <#app_name#>.app/<#app_name#> ! #open the headers folder open Headers !

25. ~ > Hopper Example

26. ~ > Reveal Loader Example

27. ~ > lldb device ./debugserver *:1234 /var/mobile/Applications/*/*/ <#app_name#> ! lldb

    > platform select remote-ios > process connect connect://pod.local:1234 > po UIApp ~ > lldb host

28. ~ > cycript examples cycript -p <#app_name#> ! # add

    the debug button choose(XXXBugReporter) var br = [new XXXBugReporter init]; var window = UIApp.windows[0]; [br attachBugReportButtonToWindow:UIApp.windows[0]]; ! # grab the button ref var button = choose(XXXBugReportButton)[0]

29. ~ > cycript examples cont. #override all colors UIColor- >isa.messages[@selector(colorWithRed:green:blue:alpha:)]

    = function(a, b, c, d) { return [UIColor greenColor]; } ! #override all images var img = [UIImage imageNamed:@“an_image”]; var img = choose(UIImage)[0]; UIImage->isa.messages[@selector(imageNamed:)] = function(a) { return img; }

30. ~ > cycript examples cont. #swizzle description var oldm =

    NSObject.messages[@selector(description)] NSObject.messages[@selector(description)] = function() { return oldm.call(this) + ' (RH was here!)’; } [new NSObject init] UIApp

31. ~ > charles example

32. Thanks! Questions? Comments? ~ > tail -n 3 contact.txt Richard

    Heard @heardrwt (Twitter & GitHub) http://rheard.com