TLS/SSL VERIFICATION
• Apps
• Rackspace iOS client
• Facebook Camera
• LinkedIn
• The Most Dangerous Code in the World
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
No content
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
No content
Slide 27
Slide 27 text
http://www.flickr.com/photos/gsi-r/5213626727/
Decrypting
an App
Slide 28
Slide 28 text
No content
Slide 29
Slide 29 text
iPod-touch:~ root#
Slide 30
Slide 30 text
No content
Slide 31
Slide 31 text
# apt-get install gdb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
gdb
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 3585kB of archives.
After this operation, 33.0MB of additional disk space will be used.
Get:1 http://apt.saurik.com ios/550.52/main gdb 1518-12 [3585kB]
Fetched 3585kB in 2s (1502kB/s)
Selecting previously deselected package gdb.
(Reading database ... 2499 files and directories currently
installed.)
Unpacking gdb (from .../gdb_1518-12_iphoneos-arm.deb) ...
Setting up gdb (1518-12) ...
# cd /tmp
# mkdir apps
# cd apps/
# cp -r /var/mobile/Applications/[UDID]/Menus.app/ .
# gdb ./Menus.app/Menus
GNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=arm-apple-darwin9 --target="...Reading
symbols for shared libraries . done
(gdb)
Slide 34
Slide 34 text
(gdb) set sharedlibrary load-rules ".*" ".*" none
(gdb) set inferior-auto-start-dyld off
(gdb) set sharedlibrary preload-libraries off
(gdb) set sharedlibrary load-dyld-symbols off
(gdb) rb doModInitFunctions
Breakpoint 1 at 0x2fe0c1fa
__dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE;
(gdb) r
Starting program: /private/var/tmp/apps/Menus.app/Menus
Breakpoint 1, 0x2fe0c1fa in
__dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE ()
Slide 35
Slide 35 text
(gdb) bt
#0 0x2fe0c1fa in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERK...
#1 0x2fe0c454 in __dyld__ZN16ImageLoaderMachO16doInitializationERKN1...
#2 0x2fe0a034 in __dyld__ZN11ImageLoader23recursiveInitializationERK...
#3 0x2fe09fd4 in __dyld__ZN11ImageLoader23recursiveInitializationERK...
#4 0x2fe01780 in __dyld__ZN4dyldL11imageSorterEPKvS1_ ()
$ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc
69632+0 records in
69632+0 records out
69632 bytes transferred in 0.085575 secs (813697 bytes/sec)
Slide 42
Slide 42 text
$ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc
69632+0 records in
69632+0 records out
69632 bytes transferred in 0.085575 secs (813697 bytes/sec)
Slide 43
Slide 43 text
$ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc
69632+0 records in
69632+0 records out
69632 bytes transferred in 0.085575 secs (813697 bytes/sec)
Slide 44
Slide 44 text
$ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc
69632+0 records in
69632+0 records out
69632 bytes transferred in 0.085575 secs (813697 bytes/sec)
4096 + 4096 = 8192
offset cryptoff
Slide 45
Slide 45 text
$ dd if=dump.bin of=Menus bs=1 seek=8192 conv=notrunc
69632+0 records in
69632+0 records out
69632 bytes transferred in 0.085575 secs (813697 bytes/sec)
cryptsize