Beyond The 'Cript: Practical iOS Reverse Engineering (Lascon Edition)

Transcript

1. IOActive, Inc. Copyright ©2016. All Rights Reserved. Beyond The ‘Cript:

   Practical iOS Reverse Engineering Michael Allen (@_dark_knight_) Security Consultant

2. IOActive, Inc. Copyright ©2016. All Rights Reserved. Identifying and bypassing

   Simple Jailbreak Detection Routines Case Study

3. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

   File System Activity •  Using filemon -l •  Creates hard links to temporary files

4. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Viewing

   Logs •  Using idevicesyslog [libimobiledevice]

5. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

   The Binary •  Dump the binary (facilitated by DYLD and DYLD_INSERT_LIBRARIES environment variable)

6. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

   Symbols •  Dump the symbols along with dylib’s to which they belong

7. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

   strings •  Any interesting strings? •  Dump cstring section (same as running strings) •  Knowledge of SEGMENTS and sections important

8. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

   DYLIB’S •  procexp <pid> regions Dump the library with lldb

9. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Extracting

   DYLIB’S

10. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Obtaining

    Classes

11. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check

12. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check statfs func call Patch here statfs argument

13. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check Patch here •  Patch register w8

14. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    RootFS Check

15. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks Changes when debugger attached

16. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid)

17. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) ppid func call Patch here

18. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (ppid) •  parent process id of calling process Patch here

19. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) sysctl func call Patch here

20. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Debugger Checks (p_traced) Patch here

21. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Call to fork Return value in X0 Patch CMN W19, #1

22. IOActive, Inc. Copyright ©2016. All Rights Reserved. Case Study: Bypassing

    Fork Check Patch here

23. IOActive, Inc. Copyright ©2016. All Rights Reserved. Conclusion •  Common

    bugs being closed •  A “new” approach and break from the norm is required for in depth assessments •  Assembly knowledge a MUST for Reversing Engineering –  Low level assembly allows you to bypass many security protections, discover hidden gems and then some •  Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research •  Disassemblers are your friends (IDA, Hopper, Jtool …..) •  Add the reverse engineering skillset to your arsenal !!!

24. IOActive, Inc. Copyright ©2016. All Rights Reserved. References •  Books:

    •  Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin) •  The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. ) •  Hacking and Securing iOS Applications (Jonathan Zdziarski) •  iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel) •  Blogs and Tools: •  processor_set_tasks() - http://newosxbook.com/articles/PST2.html •  procexp – http://newosxbook.com/tools/procexp.html •  iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html •  jtool - http://newosxbook.com/tools/jtool.html •  filemon - http://newosxbook.com/tools/filemon.html •  AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html •  Frida - http://www.frida.re/ •  Cycript - http://www.cycript.org/ •  iFunBox - http://www.i-funbox.com/ •  SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch •  BurpSuite - https://portswigger.net/burp/ •  IDA - https://www.hex-rays.com/products/ida/ •  Hopper - https://www.hopperapp.com/ •  Idb - http://www.idbtool.com/ •  PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers •  ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html •  SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser •  SQLite Deletion - http://www.zdziarski.com/blog/?p=6143 •  lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL