Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond The 'Cript: Practical iOS Reverse Engine...

Michael Allen
November 04, 2016

Beyond The 'Cript: Practical iOS Reverse Engineering (Lascon Edition)

Michael Allen

November 04, 2016
Tweet

More Decks by Michael Allen

Other Decks in Research

Transcript

  1. IOActive, Inc. Copyright ©2016. All Rights Reserved. Beyond The ‘Cript:

    Practical iOS Reverse Engineering Michael Allen (@_dark_knight_) Security Consultant
  2. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

    File System Activity •  Using filemon -l •  Creates hard links to temporary files
  3. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

    Logs •  Using idevicesyslog [libimobiledevice]
  4. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    The Binary •  Dump the binary (facilitated by DYLD and DYLD_INSERT_LIBRARIES environment variable)
  5. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    Symbols •  Dump the symbols along with dylib’s to which they belong
  6. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    strings •  Any interesting strings? •  Dump cstring section (same as running strings) •  Knowledge of SEGMENTS and sections important
  7. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    DYLIB’S •  procexp <pid> regions Dump the library with lldb
  8. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check statfs func call Patch here statfs argument
  9. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check Patch here •  Patch register w8
  10. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) ppid func call Patch here
  11. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) •  parent process id of calling process Patch here
  12. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) sysctl func call Patch here
  13. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Call to fork Return value in X0 Patch CMN W19, #1
  14. IOActive, Inc. Copyright ©2016. All Rights Reserved. Conclusion •  Common

    bugs being closed •  A “new” approach and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protections, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!
  15. IOActive, Inc. Copyright ©2016. All Rights Reserved. References •  Books:

    •  Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin) •  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. ) •  Hacking and Securing iOS Applications (Jonathan Zdziarski) •  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel) •  Blogs and Tools: •  processor_set_tasks() - http://newosxbook.com/articles/PST2.html •  procexp – http://newosxbook.com/tools/procexp.html •  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html •  jtool - http://newosxbook.com/tools/jtool.html •  filemon - http://newosxbook.com/tools/filemon.html •  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html •  Frida - http://www.frida.re/ •  Cycript - http://www.cycript.org/ •  iFunBox - http://www.i-funbox.com/ •  SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch •  BurpSuite - https://portswigger.net/burp/ •  IDA - https://www.hex-rays.com/products/ida/ •  Hopper - https://www.hopperapp.com/ •  Idb - http://www.idbtool.com/ •  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers •  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html •  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser •  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143 •  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL