
Reverse Engineering on iOS/Mac

mmmulani
January 22, 2015


Transcript

  1. Reverse engineering
     ▪ IPA from the App Store or Library from Xcode
     ▪ Assembly and assets
     ▪ Understanding & Initial Problem
  2. Actual goals when we reverse engineer
     ▪ Solve some bug in our app
     ▪ Understand a top crasher
     ▪ Create new unintended features/riff with plugins
     ▪ Glean some secrets/plan for the future
  3. Actual goals when we reverse engineer
     ▪ Learn how an implementation works, understand its why
     ▪ Supplement its implementation or build on it
  4. NSNumber
     ▪ Let's find out what happens when we create an NSNumber
     ▪ Step 1: NSValue.h
     ▪ Step 2: class-dump
     ▪ Step 3: Disassemblers!
     ▪ Step 4: lldb
  5. class-dump
     ▪ shows "private" headers of the libraries
     ▪ all taken from the compiled executables
     ▪ https://github.com/nygard/class-dump
     ▪ https://github.com/JaviSoto/iOS8-Runtime-Headers/
     ▪ IMO better version: https://github.com/mmmulani/class-dump-o-tron
       ▪ dumps C functions
       ▪ tells you where to find the implementation
  6. Disassemblers
     ▪ show the assembly instructions for an executable
     ▪ separate the binary into relevant parts (e.g. strings from code)
     ▪ let you follow branches
     ▪ show selectors and strings in-line
     ▪ usually can produce pseudo-code/C
  7. Disassemblers
     ▪ Hopper Disassembler ($89, £50 and demo available!)
       ▪ great for Mac/iOS/Objective-C
       ▪ good pseudo-code output
     ▪ IDA Pro ($1,119, €869 and a pretty serious background check)
       ▪ supports every architecture on the planet
       ▪ a bit slow
  8. lldb
     ▪ Can invoke from command-line or Xcode from Debug -> Attach to Process
     ▪ x86 cheatsheet: http://pages.cs.wisc.edu/~remzi/Classes/354/Fall2012/Handouts/Handout-x86-cheat-sheet.pdf

       $rdi = arg 0 = self
       $rsi = arg 1 = _cmd
       $rdx = arg 2 = first argument to method
       $rcx = arg 3 = second argument to method
       $r8 = arg 4
       $r9 = arg 5

       return values go in $rax
  9. lldb
     ▪ Tons of helpful shortcuts from Chisel! (just run `help`)
     ▪ pinvocation
       Print the stack frame, receiver, and arguments of the current invocation.
     ▪ binside
       Set a breakpoint for a relative address within the framework/library that's currently running.
  10. More fun tools
     ▪ NSObjCMessageLoggingEnabled=YES
       literally records every Objective-C method call to /tmp/msgSends-####
     ▪ F-Script
       GUI for looking at classes of random applications and basic message calling
     ▪ cycript
       Ultra legit shimming and playing around
     ▪ `sample`
       Great for simply seeing what messages are generally called when you do something
     ▪ Apple Open Source
  11. Building
     ▪ Swizzling
       Exchange implementations at run time
     ▪ dyld goodness
       "Only" possible on Mac, lets you swizzle C methods
     ▪ calling secret private methods
       High likelihood of getting your app rejected
  12. dyld goodness
     ▪ Dynamic linker with tons of injection-at-invocation-time options
     ▪ DYLD_INSERT_LIBRARIES
       Environment variable with which to add libraries to be loaded into the app
     ▪ DYLD_INTERPOSE
       Macro to "swizzle" C functions
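Slides 11 and 12 describe the two hooking mechanisms the deck uses for "building" on an implementation. As an added example (not from the deck or the speaker's projects), the following single dylib combines them: it swizzles +[NSNumber numberWithInt:] through the Objective-C runtime to log which concrete class each number actually is, and interposes the C function getenv with DYLD_INTERPOSE to log which environment variables the app consults. It assumes a macOS build with clang and the SDK header mach-o/dyld-interposing.h; the file name peek.m, the library name libpeek.dylib, the Peek category and the peek_ prefix are hypothetical names chosen here.

```objective-c
// peek.m: added example, not part of the deck. Names with "peek" are hypothetical.
// Build (macOS, assumption): clang -dynamiclib -framework Foundation -o libpeek.dylib peek.m
// Run (assumption):          DYLD_INSERT_LIBRARIES=./libpeek.dylib /path/to/SomeApp.app/Contents/MacOS/SomeApp
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <mach-o/dyld-interposing.h>
#include <stdio.h>
#include <stdlib.h>

// --- 1. Method swizzling: exchange implementations at run time ---
@interface NSNumber (Peek)
+ (NSNumber *)peek_numberWithInt:(int)value;
@end

@implementation NSNumber (Peek)
+ (NSNumber *)peek_numberWithInt:(int)value {
    // After method_exchangeImplementations, the peek_numberWithInt: selector is
    // bound to the original IMP, so this call runs the real +numberWithInt:
    // rather than recursing into this method.
    NSNumber *n = [self peek_numberWithInt:value];
    // object_getClass reveals the class-cluster member that was really created
    // (the runtime class of the instance, not the NSNumber facade).
    fprintf(stderr, "[peek] +[NSNumber numberWithInt:%d] -> instance of %s\n",
            value, class_getName(object_getClass(n)));
    return n;
}
@end

// Runs when dyld loads this library, before the app's main().
__attribute__((constructor))
static void peek_install(void) {
    // +numberWithInt: is a class method, so look it up on the metaclass.
    Method orig = class_getClassMethod([NSNumber class], @selector(numberWithInt:));
    Method mine = class_getClassMethod([NSNumber class], @selector(peek_numberWithInt:));
    if (orig && mine) {
        method_exchangeImplementations(orig, mine);
    }
}

// --- 2. dyld interposing: "swizzle" a plain C function ---
// dyld rebinds every getenv() reference in the other loaded images to peek_getenv;
// references inside the interposing library itself keep pointing at the real getenv.
static char *peek_getenv(const char *name) {
    char *value = getenv(name);   // resolves to the real libc getenv here
    fprintf(stderr, "[peek] getenv(\"%s\") -> %s\n", name, value ? value : "(null)");
    return value;
}
DYLD_INTERPOSE(peek_getenv, getenv)
```

On current macOS the loader ignores DYLD_INSERT_LIBRARIES for binaries with the hardened runtime or library validation (unless the app opts in with the com.apple.security.cs.allow-dyld-environment-variables entitlement), so this only applies to your own builds or test apps.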
  13. Projects
     ▪ instruments-without-delay
       A bunch of tiny fixes to make instruments faster for automated testing
     ▪ xctool
       Replacement for `xcodebuild`, command line tool to build/test projects
     ▪ ios-sim
       command-line utility to start iOS apps in the simulator
       https://github.com/jhaynie/iphonesim