Reverse Engineering in iOS

tgrf
June 29, 2014

Reverse Engineering in iOS talk at Mobile Optimized 2014.


Transcript

  1-5. The goal of apps’ RE
       • Deep dive into a FairPlay-encrypted app from the AppStore in order to:
         • Inspect
         • Modify
         • Verify usage of our (licensed) products
         • Know your enemy
  6-8. Requirements
       • Jailbroken iOS device
         • up to 7.0.6 - untethered jailbreak Evasi0n7
         • 7.1 - 7.1.1 - tethered jailbreak Geeksn0w (iPhone 4 only) - not relevant since 24th of June
         • up to 7.1.1 - untethered jailbreak Pangu
  9. Initial analysis

     iPhone:/ root# cd /var/mobile/Applications/00000000-0000-0000-0000-FFFFFFFFFFFF/AppName.app/
     iPhone:/var/mobile/Applications/00000000-0000-0000-0000-FFFFFFFFFFFF/AppName.app root# otool -h AppName
     AppName:
     Mach header
           magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
      0xfeedface      12          9  0x00           2    47       5016 0x00218085
  10. Initial analysis

      iPhone:/var/mobile/Applications/00000000-0000-0000-0000-FFFFFFFFFFFF/AppName.app root# otool -Vh AppName
      AppName:
      Mach header
            magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
         MH_MAGIC     ARM          9  0x00     EXECUTE    47       5016 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
  11. Initial analysis

      iPhone:/var/mobile/Applications/00000000-0000-0000-0000-FFFFFFFFFFFF/AppName.app root# class-dump-z AppName
      Warning: Part of this binary is encrypted. Usually, the result will be not meaningful. Try to provide an unencrypted version instead.
      /**
       * This header is generated by class-dump-z 0.2-0.
       * class-dump-z is Copyright (C) 2009 by KennyTM~, licensed under GPLv3.
       *
       * Source: (null)
       */

      @protocol XXEncryptedProtocol_8436d0
      -(?)XXEncryptedMethod_6d5a20;
      -(?)XXEncryptedMethod_6d5a14;
      -(?)XXEncryptedMethod_6d5a08;
      -(?)XXEncryptedMethod_6d5a00;

      (…)
  12. Decrypting
      • Find out starting address and data size in binary
      • Find out starting address of the application in memory
      • Override binary part with decrypted part of the application dumped using gdb/lldb
      • Change LC_ENCRYPTION_INFO cryptid to 0
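Slides 9, 10 and 12 read the Mach header with otool -h and then locate LC_ENCRYPTION_INFO. The Python script below is an added example, not part of the deck or of otool, clutch or class-dump-z: it decodes the same mach_header fields otool -h prints, expands the flag bits (the slide's 0x00218085 becomes NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE) and walks the load commands to read cryptoff, cryptsize and cryptid from LC_ENCRYPTION_INFO, which is the quickest way to tell whether a binary is still FairPlay-encrypted before feeding it to class-dump-z. The Mach-O blob it parses is constructed by build_sample() (one __TEXT segment plus one encryption-info command) and is not a real app; only little-endian thin images are handled, so a fat/universal file would first need its slice extracted.

```python
"""Mach header / LC_ENCRYPTION_INFO reader over a constructed Mach-O (added example, not from the deck)."""
import struct

MH_MAGIC = 0xfeedface      # 32-bit little-endian image, as in the otool -h output on the slide
MH_MAGIC_64 = 0xfeedfacf
LC_SEGMENT = 0x1
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

CPU_TYPES = {12: "ARM", 0x0100000C: "ARM64"}
FILETYPES = {2: "EXECUTE", 6: "DYLIB"}
# Mach header flag bits in the order otool -Vh prints them on the slide.
MH_FLAGS = [(0x1, "NOUNDEFS"), (0x4, "DYLDLINK"), (0x80, "TWOLEVEL"),
            (0x8000, "WEAK_DEFINES"), (0x10000, "BINDS_TO_WEAK"), (0x200000, "PIE")]


def parse_header(data):
    """Decode the fields otool -h prints; 32- and 64-bit headers share the first seven words."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32      # mach_header_64 carries a trailing reserved word
    else:
        raise ValueError("not a little-endian thin Mach-O image (fat binaries not handled)")
    _, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", data, 0)
    return {"magic": magic, "cputype": cputype, "cpusubtype": cpusubtype & 0x00FFFFFF,
            "caps": cpusubtype >> 24, "filetype": filetype, "ncmds": ncmds,
            "sizeofcmds": sizeofcmds, "flags": flags, "header_size": header_size}


def flag_names(flags):
    return [name for bit, name in MH_FLAGS if flags & bit]


def find_encryption_info(data):
    """Walk the load commands and return the LC_ENCRYPTION_INFO(_64) fields, or None if absent."""
    hdr = parse_header(data)
    off = hdr["header_size"]
    end = off + hdr["sizeofcmds"]
    for _ in range(hdr["ncmds"]):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"offset": off, "cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def is_fairplay_encrypted(data):
    """True when an encryption-info command is present with cryptid != 0 (what class-dump-z warns about)."""
    info = find_encryption_info(data)
    return info is not None and info["cryptid"] != 0


def describe(data):
    """One-line summary in the spirit of otool -Vh, followed by the encryption state."""
    h = parse_header(data)
    info = find_encryption_info(data)
    magic = "MH_MAGIC" if h["magic"] == MH_MAGIC else "MH_MAGIC_64"
    enc = "no LC_ENCRYPTION_INFO" if info is None else "cryptid=%d cryptoff=%#x cryptsize=%#x" % (
        info["cryptid"], info["cryptoff"], info["cryptsize"])
    return "%s %s %d %#04x %s %d %d %s | %s" % (
        magic, CPU_TYPES.get(h["cputype"], str(h["cputype"])), h["cpusubtype"], h["caps"],
        FILETYPES.get(h["filetype"], str(h["filetype"])), h["ncmds"], h["sizeofcmds"],
        " ".join(flag_names(h["flags"])), enc)


def build_sample(cryptid):
    """Constructed minimal ARMv7 executable: one __TEXT segment and one LC_ENCRYPTION_INFO. Not a real app."""
    seg = struct.pack("<II16s8I", LC_SEGMENT, 56, b"__TEXT", 0x4000, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    cmds = seg + enc
    # cputype 12 = ARM, cpusubtype 9 = ARMv7, filetype 2 = MH_EXECUTE, flags as on the slide.
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, len(cmds), 0x00218085)
    return header + cmds + b"\0" * (0x2000 - len(header) - len(cmds))


if __name__ == "__main__":
    for cryptid in (1, 0):
        image = build_sample(cryptid)
        print(describe(image), "->", "encrypted" if is_fairplay_encrypted(image) else "decrypted")
```

On a real dump the same cryptid check is also what an app can run against its own image at launch (via dyld's image headers) to notice that it has been decrypted and repackaged, so the field is worth knowing from both sides.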
  13. Decrypting automation
      • clutch tool

      iPhone:~ root# clutch
      usage: clutch [application name] [...]
      Applications available: AppName1 AppName2 AppName3 AppName4 AppName5

      iPhone:~ root# clutch AppName
      Cracking AppName...
      /var/root/Documents/Cracked/AppName-vX.X.X.ipa
  14. Analysis of IPA
      • Info.plist
      • strings in binary
      • class interfaces
      • resource files
  15. Analysis of IPA
      • strings in binary

      user@mbp:~/AppName/Payload/AppName.app$ strings AppName
      filename type
      (…)
      SELECT instruction, speed, altitude, verticalAccuracy, heartRate FROM trackpoints WHERE workoutKey = ? ORDER BY tpIndex ASC;
      UPDATE workouts SET hasAnyTrackPointsWithValidSpeed = 1, maxSpeed = ? WHERE pk = ?;
      UPDATE workouts SET numTrackPointsWithHeartRate = ?, heartRateSum = ?, averageHeartRate = ?, maxHeartRate = ? WHERE pk = ?;
      (…)
      itms-apps://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews?id=APP_ID&onlyLatestVersion=true&pageNumber=0&sortOrdering=1
      (…)
      -[FacebookManager _getUserData]
      -[FacebookManager logOut]
      publish_actions
      userName
      (…)
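The strings output above is what anyone sees once the binary is decrypted. The script below is an added Python example, not from the deck: it reimplements the default mode of strings(1) (printable ASCII runs of four or more bytes) over a constructed sample blob and buckets the results the way the slide reads them: SQL statements, URL schemes, Objective-C selectors and anything that looks like a hard-coded credential. It also separates SQL that uses bound "?" parameters (as the slide's queries do) from SQL carrying %@-style format specifiers, which is the pattern worth pulling out for injection review. The sample bytes, the formatted query and the api_key line are constructed for the example and do not come from the app on the slide.

```python
"""strings(1)-style triage over a constructed app binary (added example, not from the deck)."""
import re

SQL_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|CREATE)\b", re.I)
FORMAT_RE = re.compile(r"%[@sd]")                    # NSString -stringWithFormat: style specifiers
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
SELECTOR_RE = re.compile(r"^[-+]\[\w+ [\w:]+\]$")     # e.g. -[FacebookManager logOut]
SECRET_RE = re.compile(r"(api[_-]?key|secret|token|password)\s*[=:]", re.I)


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, the default behaviour of strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(s):
    """Bucket one string. SQL built with format specifiers is reported separately: bound
    parameters ("?", as in the slide's queries) are safe, formatted SQL is an injection risk."""
    if SQL_RE.match(s):
        return "sql-formatted" if FORMAT_RE.search(s) else "sql"
    if URL_RE.match(s):
        return "url"
    if SELECTOR_RE.match(s):
        return "selector"
    if SECRET_RE.search(s):
        return "possible-secret"
    return "other"


def triage(data):
    """Map bucket name -> list of strings found, in file order."""
    report = {}
    for s in extract_strings(data):
        report.setdefault(classify(s), []).append(s)
    return report


# Constructed sample "binary": a few junk bytes around one string of each kind. Not a real app;
# the formatted query and the api_key line are invented to show what the triage flags.
SAMPLE = (
    b"\xce\xfa\xed\xfe\x0c\x00\x00\x00\x09\x00"
    b"SELECT instruction, speed FROM trackpoints WHERE workoutKey = ? ORDER BY tpIndex ASC;\x00"
    b"\x7f\x01\x02"
    b"UPDATE workouts SET maxSpeed = ? WHERE pk = ?;\x00"
    b"SELECT * FROM users WHERE name = '%@';\x00"
    b"itms-apps://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews?id=APP_ID\x00"
    b"-[FacebookManager _getUserData]\x00"
    b"api_key=EXAMPLE-NOT-A-REAL-KEY\x00"
    b"ab\x00"
)

if __name__ == "__main__":
    for kind, items in sorted(triage(SAMPLE).items()):
        print(kind)
        for s in items:
            print("   ", s)
```

The practical reading for an app author is the mirror image of the slide: every literal in this list survives decryption, so credentials, endpoint URLs and query text embedded in the binary should be treated as public, and any SQL assembled with format specifiers should be rewritten with bound parameters.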
  16. Analysis of IPA
      • class interfaces

      user@mbp:~/AppName/Payload/AppName.app$ class-dump-z AppName
      /**
       * This header is generated by class-dump-z 0.2a.
       * class-dump-z is Copyright (C) 2009 by KennyTM~, licensed under GPLv3.
       *
       * Source: (null)
       */

      typedef struct _NSZone NSZone;

      (…)

      __attribute__((visibility("hidden")))
      @interface FacebookManager : XXUnknownSuperclass {
      @private
          (…)
          NSString* _accessToken;
          FBSession* _session;
      }
      @property(assign, nonatomic) FBSession* session;
      @property(copy, nonatomic) NSError* lastError;
      @property(copy, nonatomic) NSString* accessToken;
      +(id)allocWithZone:(NSZone*)zone;
      +(id)sharedInstance;
      -(void)processProfileDeviceResponse:(id)response;
      -(void)askForPublishPermission;
      -(bool)havePublishPermission;
      -(void)logOut;
      -(bool)isLoggedIn;
  17. Runtime Analysis
      • Bypass code sign verification on a device with AppSync7+
      • Remove original app
      • Install decrypted app with ipainstaller
  18. Runtime Analysis
      • cycript

      iPhone:~ root# ps -ax | grep AppName
       3212 ??         0:09.42 /var/mobile/Applications/00000000-0000-0000-0000-FFFFFFFFFFFF/AppName.app/AppName
       3230 ttys001    0:00.02 grep AppName
      iPhone:~ root# cycript -p 3212
      cy# [UIApplication sharedApplication]
      #"<UIApplication: 0x17ddc650>"
      cy# [[UIApplication sharedApplication] setStatusBarHidden:YES withAnimation:YES]
  19. Runtime Analysis
      • Reveal - view hierarchy inspection
      • Integration with the app:
        • copy Reveal.framework and libReveal.dylib to the proper directories on the device
        • create a plist file containing the bundle ID in the proper directory