Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond The 'Cript: Practical iOS Reverse Engine...

Michael Allen
November 04, 2016
Research
0
530

Beyond The 'Cript: Practical iOS Reverse Engineering (Lascon Edition)

Michael Allen

November 04, 2016
Tweet

More Decks by Michael Allen

See All by Michael Allen
OWASP Lightning Talk: Beyond The 'Cript: Practical iOS Reverse Engineering
_dark_knight_
1
170
Beyond The 'Cript: Practical iOS Reverse Engineering
_dark_knight_
0
510

Other Decks in Research

See All in Research
機械学習でヒトの行動を変える
hiromu1996
1
310
20240820: Minimum Bayes Risk Decoding for High-Quality Text Generation Beyond High-Probability Text
de9uch1
0
120
marukotenant01/tenant-20240916
marketing2024
0
510
Language is primarily a tool for communication rather than thought
ryou0634
4
740
MetricSifter:クラウドアプリケーションにおける故障箇所特定の効率化のための多変量時系列データの特徴量削減 / FIT 2024
yuukit
2
120
Weekly AI Agents News! 7月号 論文のアーカイブ
masatoto
1
230
データサイエンティストをめぐる環境の違い 2024年版〈一般ビジネスパーソン調査の国際比較〉
datascientistsociety
PRO
0
580
RSJ2024「基盤モデルの実ロボット応用」チュートリアルA(河原塚)
haraduka
3
650
第79回 産総研人工知能セミナー 発表資料
agiats
2
160
授業評価アンケートのテキストマイニング
langstat
1
360
言語と数理の交差点:テキストの埋め込みと構造のモデル化 (IBIS 2024 チュートリアル)
yukiar
3
740
ニュースメディアにおける事前学習済みモデルの可能性と課題 / IBIS2024
upura
3
520

Featured

See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
Happy Clients
brianwarren
98
6.7k
Producing Creativity
orderedlist
PRO
341
39k
Building Adaptive Systems
keathley
38
2.3k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Rails Girls Zürich Keynote
gr2m
94
13k

Transcript

  1. IOActive, Inc. Copyright ©2016. All Rights Reserved. Beyond The ‘Cript:

    Practical iOS Reverse Engineering Michael Allen (@_dark_knight_) Security Consultant

  2. IOActive, Inc. Copyright ©2016. All Rights Reserved. Identifying and bypassing

    Simple Jailbreak Detection Routines Case Study

  3. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

    File System Activity •  Using filemon -l •  Creates hard links to temporary files

  4. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

    Logs •  Using idevicesyslog [libimobiledevice]

  5. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    The Binary •  Dump the binary (facilitated by DYLD and DYLD_INSERT_LIBRARIES environment variable)

  6. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    Symbols •  Dump the symbols along with dylib’s to which they belong

  7. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    strings •  Any interesting strings? •  Dump cstring section (same as running strings) •  Knowledge of SEGMENTS and sections important

  8. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    DYLIB’S •  procexp <pid> regions Dump the library with lldb

  9. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

    DYLIB’S

  10. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    Classes

  11. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check

  12. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check statfs func call Patch here statfs argument

  13. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check Patch here •  Patch register w8

  14. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check

  15. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks Changes when debugger attached

  16. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid)

  17. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) ppid func call Patch here

  18. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) •  parent process id of calling process Patch here

  19. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) sysctl func call Patch here

  20. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) Patch here

  21. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Call to fork Return value in X0 Patch CMN W19, #1

  22. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Patch here

  23. IOActive, Inc. Copyright ©2016. All Rights Reserved. Conclusion •  Common

    bugs being closed •  A “new” approach and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protections, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!

  24. IOActive, Inc. Copyright ©2016. All Rights Reserved. References •  Books:

    •  Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin) •  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. ) •  Hacking and Securing iOS Applications (Jonathan Zdziarski) •  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel) •  Blogs and Tools: •  processor_set_tasks() - http://newosxbook.com/articles/PST2.html •  procexp – http://newosxbook.com/tools/procexp.html •  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html •  jtool - http://newosxbook.com/tools/jtool.html •  filemon - http://newosxbook.com/tools/filemon.html •  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html •  Frida - http://www.frida.re/ •  Cycript - http://www.cycript.org/ •  iFunBox - http://www.i-funbox.com/ •  SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch •  BurpSuite - https://portswigger.net/burp/ •  IDA - https://www.hex-rays.com/products/ida/ •  Hopper - https://www.hopperapp.com/ •  Idb - http://www.idbtool.com/ •  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers •  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html •  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser •  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143 •  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL