Slide 1

Beyond The ‘Cript: Practical iOS Reverse Engineering
Michael Allen (@_dark_knight_)

Slide 2

Agenda
So usually when we test an iOS Application we use a combination of the following tools....

Slide 3

Typical Toolkit
• Jailbroken device
• Burpsuite Pro
• Cycript
• Frida

Slide 4

Typical Toolkit
• Command line utilities
  – BigBoss Recommended Tools (Cydia)
  – Erica Utilities (Cydia)
  – iOSBinPack *
    • Jonathan Levin compiled a number of commonly used binaries for iOS
• Automated toolkits
  – Idb Tool, Snoop-IT, iRET, Introspy, Appmon *, Needle *
  – Varying levels of support

Slide 5

Common Approach
And the common tests we perform are along the lines of....

Slide 6

Common Approach
• Examine local storage
  – Caches
  – Binary Cookies
  – Sqlite databases
  – Plists
  – NSLog
  – Snapshots

Slide 7

Common Approach
• Basic binary analysis
  – Static
    • strings, ASLR w/ PIE flag, Encryption, ARC, Stack Canaries
  – Dynamic
    • lldb, gdb, cycript, frida
  – Just scratching the surface
• Memory Forensics
• Injection Attacks (SQLi – Local SQLite databases, UIWebViews, XML etc)

Slide 8

Usual Results
These tests typically result in findings that include.....

Slide 9

Usual Results
• Issues relating to Local Storage
  – Most require device to be unlocked
• Unsecured APIs
• Hard-coded secrets
• The truth however is that most of these bugs have been closed
  – Binary protections are now standard
  – Data Protection APIs
  – Universal links introduced with iOS 9 address IPC loophole
  – etc .....
• Sometimes we may come up short because of several other reasons…

Slide 10

When It All Fails?
• When the tools fail?
• Or your Google Fu returns nothing?
• Custom security protections in place
• Extending an existing tool?
• Finding deeply hidden logic bugs
  – Crypto functions etc
• iOS System bugs

Slide 11

Towards A New Approach
• At this point we need a “new” approach, one that involves Reverse Engineering and leverages knowledge of
  • iOS internals
  • ARM (32/64) Assembly
  • Deep dive into Objective-C/Swift
  • ........
• Our first step is to improve our toolkit
• And expand our knowledge base

Slide 12

Reverse Engineer’s Toolkit
• IDA Pro
• Hopper
• jtool
• LLDB
• GNU Project Debugger (gdb)
• Apple CC Tools (nm, lipo, otool, codesign)

Slide 13

Expanding The Knowledge Base
• Mach-O Binary
  – SEGMENTS/Sections of Interest
    • TEXT, DATA, LINKEDIT ....
• Dynamic Linker (DYLD)
• Interposing (method swizzling)
• Force loading libraries

Slide 14

Expanding The Knowledge Base
• Mach Tasks
  – Owning and interacting with tasks
    • task_for_pid, processor_set_tasks
• Inter Process Communication (IPC)
  – Mach Ports, Mach Messages, XPC
• ARM Assembly (32/64)
• Behind the scenes with Objective-C and SWIFT
• Lot more details but limited time, see full talk here
  – https://www.youtube.com/watch?v=4WHEQA3GG9k&feature=youtu.be
  – https://speakerdeck.com/_dark_knight_/beyond-the-cript-practical-ios-reverse-engineering

Slide 15

iOS Reversing
• Let’s look at Reverse Engineering and what is possible
• Common jailbreak detection – does the root partition have read/write permissions?
• How can we make this green?
• Multiple options available
• Binary patching
• But first some recon

Slide 16

iOS Reversing
• Dump the binary (facilitated by DYLD and the DYLD_INSERT_LIBRARIES environment variable)
• __RESTRICT segment blocks this (view SEGMENTS w/ jtool -l and patch if necessary)

Slide 17

iOS Reversing
• Is it a FAT binary? We may need to thin it
• Or specify ARCH with jtool
  • ARCH=arm64 jtool

Slide 18

iOS Reversing
• Dump the symbols along with the dylibs to which they belong

Slide 19

iOS Reversing
• Any interesting strings?
• Dump the cstring section (same as running strings)
• Knowledge of SEGMENTS and sections is important

Slide 20

iOS Reversing
• What are the classes, instance methods etc?

Slide 21

iOS Reversing
• Disassemble the method to determine how the logic is implemented
• How can I bypass it? Patch here: the statfs function call

Slide 22

iOS Reversing
• Patch register w8 (patch here)
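The root-partition check the slides disassemble (slides 15, 21 and 22: does “/” mount read/write, decided right after a statfs call and a single register), written out as an added example that is not the talk's or any app's code. On Apple platforms it uses statfs() and MNT_RDONLY as the slides show; the statvfs()/ST_RDONLY branch is an assumption added only so the same file builds and runs on Linux.

```c
#include <stdio.h>

#ifdef __APPLE__
/* iOS/macOS: the statfs() call the slides point at; f_flags carries MNT_RDONLY */
#include <sys/param.h>
#include <sys/mount.h>
#define RDONLY_FLAG MNT_RDONLY
#else
/* Assumed portable stand-in for non-Apple builds: POSIX statvfs() and ST_RDONLY */
#include <sys/statvfs.h>
#define RDONLY_FLAG ST_RDONLY
#endif

/* Decision logic kept apart from the system call so it can be unit-tested.
 * Returns 1 when the mount flags say the root filesystem is writable
 * (the "jailbroken" signal in the talk) and 0 when it is read-only. */
int root_is_writable(unsigned long mount_flags) {
    return (mount_flags & RDONLY_FLAG) == 0;
}

/* Query the root partition: 1 = read/write, 0 = read-only, -1 = call failed.
 * Everything the check knows collapses into this one boolean; in the talk's
 * arm64 listing that is the value sitting in w8 after the call, which is why
 * a single-register patch is enough to flip the result. A detection that
 * wants to survive binary patching cannot rest on one such return value. */
int root_partition_rw(void) {
#ifdef __APPLE__
    struct statfs sfs;
    if (statfs("/", &sfs) != 0) return -1;
    return root_is_writable(sfs.f_flags);
#else
    struct statvfs svfs;
    if (statvfs("/", &svfs) != 0) return -1;
    return root_is_writable(svfs.f_flag);
#endif
}

int main(void) {
    int rw = root_partition_rw();
    if (rw < 0) { perror("statfs"); return 2; }
    printf("root partition is %s\n", rw ? "read/write" : "read-only");
    return 0;
}
```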

Slide 23

iOS Reversing
• After patch:

Slide 24

Conclusion
• Common bugs being closed
• A “new” approach and a break from the norm is required for in-depth assessments
• Assembly knowledge a MUST for Reverse Engineering
  – Low level assembly allows you to bypass many security protections, discover hidden gems and then some
• Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research
• Disassemblers are your friends (IDA, Hopper, Jtool .....)
• Add the reverse engineering skillset to your arsenal!!!