Slide 1

Reverse Engineering on iOS/Mac
Mehdi Mulani

Slide 2

Normal engineering: Problem -> Code -> Final binary (IPA/executable)

Slide 3

Reverse engineering: IPA from the App Store or library from Xcode -> assembly and assets -> understanding & initial problem

Slide 4

Actual goals when we reverse engineer
▪ Solve some bug in our app
▪ Understand a top crasher
▪ Create new unintended features / riff with plugins
▪ Glean some secrets / plan for the future

Slide 5

Actual goals when we reverse engineer
▪ Learn how an implementation works, understand its why
▪ Supplement its implementation or build on it

Slide 6

The Learning of Reverse Engineering

Slide 7

NSNumber
▪ Let's find out what happens when we create an NSNumber
▪ Step 1: NSValue.h
▪ Step 2: class-dump
▪ Step 3: Disassemblers!
▪ Step 4: lldb

Slide 8

NSValue.h

Slide 9

class-dump
▪ shows "private" headers of the libraries
▪ all taken from the compiled executables
▪ https://github.com/nygard/class-dump
▪ https://github.com/JaviSoto/iOS8-Runtime-Headers/
▪ IMO better version: https://github.com/mmmulani/class-dump-o-tron
 ▪ dumps C functions
 ▪ tells you where to find the implementation

Slide 10

class-dump
▪ https://github.com/JaviSoto/iOS8-Runtime-Headers/blob/f3bcc029011fc2337f6ef64ca1b9b41653ca6094/Frameworks/Foundation.framework/NSNumber.h
▪ interesting bits:
 + (void)initialize;
 + (id)boolFromICSString:(id)arg1;
 - (bool)isNSNumber__;

Slide 11

Disassemblers
▪ show the assembly instructions for an executable
▪ separate the binary into relevant parts (e.g. strings from code)
▪ let you follow branches
▪ show selectors and strings in-line
▪ usually can produce pseudo-code/C

Slide 12

Disassemblers
▪ Hopper Disassembler ($89, £50 and demo available!)
 ▪ great for Mac/iOS/Objective-C
 ▪ good pseudo-code output
▪ IDA Pro ($1,119, €869 and a pretty serious background check)
 ▪ supports every architecture on the planet
 ▪ a bit slow

Slide 13

Hopper
▪ Demo!
▪ /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/Foundation.framework/Foundation

Slide 14

lldb
▪ Can invoke from the command line, or from Xcode via Debug -> Attach to Process
▪ x86 cheatsheet:
▪ http://pages.cs.wisc.edu/~remzi/Classes/354/Fall2012/Handouts/Handout-x86-cheat-sheet.pdf
▪ Argument registers on x86-64 (simulator and Mac builds); objc_msgSend takes self and _cmd in the first two slots, so a method's own arguments start at arg 2:
 $rdi = arg 0 = self
 $rsi = arg 1 = _cmd
 $rdx = arg 2 = first argument to method
 $rcx = arg 3 = second argument to method
 $r8 = arg 4
 $r9 = arg 5
 
 return values go in $rax
 (on an arm64 device the same slots are $x0 .. $x7 and the return value is in $x0)

Slide 15

lldb
▪ Tons of helpful shortcuts from Chisel! (just run `help`)
▪ pinvocation
 Print the stack frame, receiver, and arguments of the current invocation.
▪ binside
 Set a breakpoint for a relative address within the framework/library that's currently running.
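
Steps 2 to 4 put together in one program, as an added example that is not part of the talk: it does a small in-process version of class-dump with the Objective-C runtime and shows what Foundation actually hands back for an NSNumber literal. The file name, the function names and the lldb session in the trailing comment are my own; the register mapping in that comment is the one from the slide above.

```objective-c
// re_nsnumber.m: added example, not from the talk. A quick in-process look at what
// an NSNumber really is, doing by hand what class-dump and lldb show from outside.
// Build and run on a Mac:
//   clang -fobjc-arc -framework Foundation re_nsnumber.m -o re_nsnumber && ./re_nsnumber
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <stdio.h>
#include <stdlib.h>

// Minimal "class-dump" for one class: the instance methods it implements itself
// (class_copyMethodList does not walk superclasses), printed like a dumped header.
static void DumpOwnInstanceMethods(Class cls) {
    unsigned int count = 0;
    Method *methods = class_copyMethodList(cls, &count);
    printf("@interface %s : %s   // %u own instance methods\n",
           class_getName(cls), class_getName(class_getSuperclass(cls)), count);
    for (unsigned int i = 0; i < count; i++) {
        printf("  - %s   // type encoding %s\n",
               sel_getName(method_getName(methods[i])),
               method_getTypeEncoding(methods[i]));
    }
    free(methods);
}

// object_getClass reads the isa directly; -class can be overridden (KVO does this
// to hide its dynamic subclasses), so prefer the former when reversing.
static void Inspect(const char *label, NSNumber *n) {
    printf("%-8s value=%-20s -class=%-14s object_getClass=%-14s ptr=%p\n",
           label, [[n description] UTF8String],
           class_getName([n class]), class_getName(object_getClass(n)),
           (__bridge void *)n);
}

int main(void) {
    @autoreleasepool {
        // NSNumber is a class cluster: the public class is abstract and the objects
        // you get back are private Foundation classes. The class-dump header on the
        // earlier slide documents those, not the NSNumber you wrote in your source.
        Inspect("int",    @42);
        Inspect("bool",   @YES);
        Inspect("double", @3.14159);
        Inspect("int64",  @(0x7fffffffffffffffLL));

        // In practice the two BOOL values are shared singletons, so identity holds
        // (and anything you swizzle on them affects every @YES in the process).
        NSNumber *a = @YES, *b = @YES;
        printf("@YES is the same object every time: %s\n", (a == b) ? "yes" : "no");

        // On 64-bit, small values are tagged pointers: the payload lives in the
        // pointer bits (obfuscated on recent OS releases) and nothing is allocated,
        // so there is no heap object to go looking for.
        DumpOwnInstanceMethods(object_getClass(@42));
    }
    return 0;
}

// The same inspection from outside with lldb, using the x86-64 register mapping from
// the slide ($x0/$x1/$x2 for the arguments and $x0 for the result on an arm64 device):
//   (lldb) breakpoint set --name "+[NSNumber numberWithInt:]"   # what @42 compiles to
//   (lldb) run
//   (lldb) po $rdi              # self: the NSNumber class object
//   (lldb) p (char *)$rsi       # _cmd as a C string: "numberWithInt:"
//   (lldb) p (int)$rdx          # the first real argument: 42
//   (lldb) finish
//   (lldb) po $rax              # the returned object
// To see every message sent without setting breakpoints, run the binary with
// NSObjCMessageLoggingEnabled=YES and read /tmp/msgSends-<pid>.
```

On current macOS the concrete classes printed are __NSCFNumber and __NSCFBoolean, which is the practical reason to read the dumped headers: the primitives you want to break on or swizzle are implemented on those classes, not on the NSNumber you see in NSValue.h.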

Slide 16

More fun tools
▪ NSObjCMessageLoggingEnabled=YES
 literally records every Objective-C method call to /tmp/msgSends-#### (#### is the process ID)
▪ F-Script
 GUI for looking at classes of random applications and basic message calling
▪ cycript
 Ultra legit shimming and playing around
▪ `sample`
 Great for simply seeing what messages are generally called when you do something
▪ Apple Open Source

Slide 17

The Building of Reverse Engineering

Slide 18

Building
▪ Swizzling
 Exchange implementations at run time
▪ dyld goodness
 "Only" possible on Mac; lets you "swizzle" (interpose) C functions
▪ calling secret private methods
 High likelihood of getting your app rejected

Slide 19

Swizzling
▪ JRSwizzle
 https://github.com/rentzsch/jrswizzle

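A swizzle written against the runtime directly, as an added example that is neither the talk's code nor JRSwizzle. The category, the selector `re_addObject:` and the helper `RESwizzleInstanceMethod` are my own names. It guards against the two things that most often go wrong: swizzling the abstract class of a class cluster and exchanging a method the class only inherits.

```objective-c
// re_swizzle.m: added example, not from the talk or from JRSwizzle. Logs every
// -addObject: on mutable arrays by swizzling the concrete cluster class.
// Build and run on a Mac:
//   clang -fobjc-arc -framework Foundation re_swizzle.m -o re_swizzle && ./re_swizzle
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Swap the implementations of two selectors on cls. If cls only inherits the original
// method, exchanging it would also change the superclass for every other subclass, so
// first try to add the original selector to cls pointing at the swizzled IMP, and fall
// back to a straight exchange only when cls already owns the method.
static void RESwizzleInstanceMethod(Class cls, SEL originalSel, SEL swizzledSel) {
    Method original = class_getInstanceMethod(cls, originalSel);
    Method swizzled = class_getInstanceMethod(cls, swizzledSel);
    if (!original || !swizzled) {
        NSLog(@"cannot swizzle %@ on %s: selector not found",
              NSStringFromSelector(originalSel), class_getName(cls));
        return;
    }
    BOOL added = class_addMethod(cls, originalSel,
                                 method_getImplementation(swizzled),
                                 method_getTypeEncoding(swizzled));
    if (added) {
        class_replaceMethod(cls, swizzledSel,
                            method_getImplementation(original),
                            method_getTypeEncoding(original));
    } else {
        method_exchangeImplementations(original, swizzled);
    }
}

@implementation NSMutableArray (RELogging)
// After swizzling, -re_addObject: is bound to the ORIGINAL implementation, so the
// call below is not recursion: it is how the original gets invoked.
- (void)re_addObject:(id)object {
    NSLog(@"%s <%p> addObject: %@", class_getName(object_getClass(self)), self, object);
    [self re_addObject:object];
}
@end

int main(void) {
    @autoreleasepool {
        NSMutableArray *array = [NSMutableArray array];

        // Pitfall: NSMutableArray is a class cluster. Swizzling [NSMutableArray class]
        // patches the abstract class, which the concrete class overrides, so real
        // instances are likely never to hit it. Take the concrete class from a live
        // object instead (object_getClass, __NSArrayM on current Foundation).
        // Do it once: swizzling twice swaps the IMPs straight back.
        static dispatch_once_t once;
        dispatch_once(&once, ^{
            RESwizzleInstanceMethod(object_getClass(array),
                                    @selector(addObject:), @selector(re_addObject:));
        });

        [array addObject:@"first"];
        [array addObject:@42];
        NSLog(@"array now: %@", array);   // both objects present: the original still ran
    }
    return 0;
}
```

The same helper works for anything you can get a concrete Class for, which is where the class-dump headers come in: they tell you which private class actually implements the selector you want to hook.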

Slide 20

dyld goodness
▪ Dynamic linker with tons of injection-at-invocation-time options
▪ DYLD_INSERT_LIBRARIES
 Environment variable with which to add libraries to be loaded into the app
▪ DYLD_INTERPOSE
 Macro to "swizzle" C functions
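
The two dyld features together, as an added example not taken from the talk: a library that interposes open(2) and is injected with DYLD_INSERT_LIBRARIES, the C-function counterpart of the swizzle on the previous slides. It is plain C compiled as an Objective-C file; the names `re_open`, `re_interpose_loaded` and the file and library names are mine, the macro and the environment variable are dyld's own.

```objective-c
// re_interpose.m: added example, not from the talk. A library that, once inserted with
// DYLD_INSERT_LIBRARIES, logs every open(2) made by the host process.
// Build on a Mac:
//   clang -dynamiclib re_interpose.m -o libre_interpose.dylib
// Run against a binary you built yourself (see the note on SIP below):
//   DYLD_INSERT_LIBRARIES=$PWD/libre_interpose.dylib ./re_nsnumber
#include <mach-o/dyld-interposing.h>   // DYLD_INTERPOSE(replacement, replacee)
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

// Same signature as the real open(2), including the optional mode argument that is only
// meaningful when O_CREAT is set. dyld does not interpose calls made from the interposing
// image itself, so the open() call below reaches the real libc function.
static int re_open(const char *path, int oflag, ...) {
    mode_t mode = 0;
    if (oflag & O_CREAT) {
        va_list ap;
        va_start(ap, oflag);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    int fd = open(path, oflag, mode);
    // fprintf rather than NSLog: NSLog may itself open files and sockets, and this
    // function can run before the Objective-C runtime has finished initialising.
    fprintf(stderr, "[re_interpose] open(\"%s\", 0x%x) = %d\n", path, oflag, fd);
    return fd;
}
// Emits a {replacement, replacee} pair into the __DATA,__interpose section; dyld reads
// that section at load time and rebinds every other image's reference to open().
DYLD_INTERPOSE(re_open, open)

// Runs when dyld loads the library, before the host's main(): the quickest way to
// confirm that the injection actually happened.
__attribute__((constructor))
static void re_interpose_loaded(void) {
    fprintf(stderr, "[re_interpose] loaded into pid %d\n", getpid());
}
```

With System Integrity Protection enabled, dyld ignores DYLD_* variables for platform binaries (anything in /bin, /usr/bin, /System and so on), for setuid binaries, and for apps built with the hardened runtime unless they carry the com.apple.security.cs.allow-dyld-environment-variables entitlement; that is why the run line above targets a binary you compiled yourself. On iOS the same mechanism needs a jailbroken device, which is what the "Only" on the earlier slide is about.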

Slide 21

Projects
▪ instruments-without-delay
 A bunch of tiny fixes to make Instruments faster for automated testing
▪ xctool
 Replacement for `xcodebuild`, command-line tool to build/test projects
▪ ios-sim
 command-line utility to start iOS apps in the simulator
 https://github.com/jhaynie/iphonesim

Slide 22

Thanks! Questions?