Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cocoaheads Melbourne - April 2014 - Reverse Eng...

Cocoaheads Melbourne - April 2014 - Reverse Engineering Mac & iOS Apps

Reverse Engineering Mac & iOS Apps
Cocoaheads Melbourne
April 2014

http://twitter.com/heardrwt
http://github.com/heardrwt

heardrwt

April 10, 2014
Tweet

Other Decks in Programming

Transcript

  1. ~ > cat title.txt Reverse Engineering Mac & iOS Apps

    >>>> ~ > tail -n 3 contact.txt Richard Heard @heardrwt (Twitter & GitHub) http://rheard.com
  2. ~ > define “Reverse Engineering” … the process of discovering

    the technological principles of a device, object, or system through analysis of its structure, function, and operation.
  3. WARNING: USE OF REVERSE ENGINEERING HAS BEEN PROVEN TO CAUSE

    ANGER. DON'T BE EVIL. Seriously, be nice.
  4. Jailbreak (evasi0n7) As a developer, Jailbreaking a device makes debugging

    heaps easier. ! As always, only jailbreak a dedicated device, not your main phone. http://guidemyjailbreak.com
  5. Clutch ! Removes FairPlay Encryption from iOS App Store binaries

    so we can decompile / introspect them. https://github.com/KJCracks/Clutch/        ___  _              _              _        /  __\  |_      _|  |_  ___|  |__      /  /    |  |  |  |  |  __/  __|  '_  \    /  /___|  |  |_|  |  ||  (__|  |  |  |    \____/|_|\__,_|\__\___|_|  |_|  
  6. nm ! Dump a binaries symbols table. Installed with Xcode

    command line tools. http://opensource.apple.com/source/cctools/cctools-845/misc/nm.c ~ > nm MapKit.framework/MapKit 00000000000792e6 t +[CAMediaTimingFunction(MKAdditions) sigmoidFunction] 000000000011d6d8 b +[CAMediaTimingFunction(MKAdditions) sigmoidFunction]._sigmoidFunction 000000000005887b t +[CLLocation(MapKitAdditions) _mapkit_stringWithType:] 0000000000058944 t +[CLLocation(MapKitAdditions) _mapkit_typeWithSource:] 0000000000088d3b t +[GEOLocation(MKGeoServicesExtras) locationWithCLLocation:course:]
  7. otool ! Mach-O file Inspector. Installed with Xcode command line

    tools. http://opensource.apple.com/source/cctools/cctools-845/otool/ ~ > otool Usage: otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQj] [-mcpu=arg] <object file> ... -f print the fat headers -a print the archive header -h print the mach header -l print the load commands
  8. class-dump ! Objective-C Mach-O file Inspector. Outputs valid class, category

    and protocol headers from Mach-O binaries. http://stevenygard.com/projects/class-dump/ ~ > class-dump class-dump 3.5 (64 bit) Usage: class-dump [options] <mach-o-file> ! where options are: -a show instance variable offsets -A show implementation addresses --arch <arch> choose a specific architecture
  9. Hopper Disassembler ! Hopper is an executable disassembler and decompiler

    for Mac, Windows and iOS executables. http://www.hopperapp.com
  10. Cycript ! Objective-C runtime Interactive Console. Mess with running applications,

    live. Totally as cool as it sounds. http://www.cycript.org
  11. Reveal.app ! Hopefully needs little introduction tonight… ;) Use it,

    its cool. http://revealapp.com @[inspect, modify, debug];
  12. Reveal Loader Cydia tweak (created by me) that allows for

    loading libReveal.dylib into on device process. ! Search for “Reveal Loader” in Cydia. https://github.com/heardrwt/revealloader
  13. lldb + debugserver The debugger you use day to day

    inside Xcode, connected to remote, on device processes via debugserver. http://llvm.org https://github.com/heardrwt/ios-debugserver
  14. Charles Proxy ! HTTP Proxy + Reverse Proxy. Inspect all

    HTTP and HTTPS traffic between an app and the web. http://charlesproxy.com
  15. ~ > extract ipa cd ~/Desktop/<#app_name#>/ unzip <#app_name#>* -d ipa

    ! #Dump all symbols in a binary nm ipa/Payload/<#app_name#>.app/<#app_name#> ! #Only dump external symbols nm -u ipa/Payload/<#app_name#>.app/<#app_name#> ~ > nm examples
  16. ~ > otool examples #list shared libraries otool -L ipa/Payload/<#app_name#>.app/<#app_name#>

    ! #c strings otool -v -s __TEXT __cstring ipa/Payload/ <#app_name#>.app/<#app_name#> ! #selector strings otool -v -s __TEXT __objc_methname ipa/Payload/ <#app_name#>.app/<#app_name#> ! #objective C segment.. verbose! otool -o ipa/Payload/<#app_name#>.app/<#app_name#>
  17. ~ > class-dump example #output to folder ‘Headers’ class-dump -H

    -o Headers ipa/Payload/ <#app_name#>.app/<#app_name#> ! #open the headers folder open Headers !
  18. ~ > lldb device ./debugserver *:1234 /var/mobile/Applications/*/*/ <#app_name#> ! lldb

    > platform select remote-ios > process connect connect://pod.local:1234 > po UIApp ~ > lldb host
  19. ~ > cycript examples cycript -p <#app_name#> ! # add

    the debug button choose(XXXBugReporter) var br = [new XXXBugReporter init]; var window = UIApp.windows[0]; [br attachBugReportButtonToWindow:UIApp.windows[0]]; ! # grab the button ref var button = choose(XXXBugReportButton)[0]
  20. ~ > cycript examples cont. #override all colors UIColor- >isa.messages[@selector(colorWithRed:green:blue:alpha:)]

    = function(a, b, c, d) { return [UIColor greenColor]; } ! #override all images var img = [UIImage imageNamed:@“an_image”]; var img = choose(UIImage)[0]; UIImage->isa.messages[@selector(imageNamed:)] = function(a) { return img; }
  21. ~ > cycript examples cont. #swizzle description var oldm =

    NSObject.messages[@selector(description)] NSObject.messages[@selector(description)] = function() { return oldm.call(this) + ' (RH was here!)’; } [new NSObject init] UIApp
  22. Thanks! Questions? Comments? ~ > tail -n 3 contact.txt Richard

    Heard @heardrwt (Twitter & GitHub) http://rheard.com