iOS applications reverse engineering

Swiss Cyber Storm 2011

Julien Bachmann

May 13, 2011
Transcript

  1. Slide 2: Agenda › Motivations › The architecture › Mach-O › Objective-C › ARM › AppStore binaries › Find'em › Decrypt'em › Reverse'em › What to look for › Where to start › Remote connections › Data protection › Conclusion
  2. Slide 3: Preamble • Security engineer @ SCRT • Areas of interest focused on reverse engineering, software vulnerabilities and OS internals • Not an Apple fanboy but like all the cool kids... ;) • Goal of this presentation is to give a state of the art, in 45 minutes, of my knowledge about iOS applications reverse engineering • Motivate people to do more research in user/kernel-land iOS reverse engineering
  3. Slide 5: A few numbers › 160+ million iOS users › 400 000+ applications available › 10+ billion downloads → (modestly) large user base
  4. Slide 7: Applications review › Apple defined a review process › 10% of the applications are classified as dangerous › Cases of applications not « compliant » with their description
  5. Slide 9: Now, what if you want to... › check an external app? › verify that your application is secure? › check what kind of information an attacker can get from your application?
  6. Slide 16: Mach-O › Load commands › Indicate memory layout › Locate symbols table › Main thread context › Shared libraries
  7. Slide 17: Mach-O › Data › Segments containing sections › __PAGEZERO › __TEXT › Executable code and r-- › __DATA › rw- › __OBJC › ...
  8. Slide 19: Mach-O › Universal / FAT files › Support multiple architectures › For OSX › Universal › PowerPC, x86 and x86_64 › For iOS › FAT › armv6, armv7
  9. Slide 20: Objective-C › Programming language › Superset of the C language › Object oriented › Class method calls differ from C++
  10. Slide 21: Calling methods › C++ › ObjectPointer->Method(param1, param2) › Obj-C › [ObjectPointer Method:param1 param2Name:param2]
  11. Slide 22: Looking more closely › [ObjectPointer Method] › objc_msgSend(ObjectPointer, @selector(Method)) › Selector › C string › objc_msgSend(ObjectPointer, "Method")
  12. Slide 23: ARM › RISC › load-store architecture › Fixed-length 32-bit instructions › 3-address instruction formats
  13. Slide 24: Registers › User-level programs › 15 general-purpose 32-bit registers: r0 → r14 › PC = r15 › Current program status register (N, Z, C, V flags, etc.)
  14. Slide 25: Load-store architecture › Instructions can be classified into 3 groups › Data transfer (load-store) › Data processing › Control flow
  15. Slide 26: Data transfer instructions › Load from memory › LDR r0, [r1] → r0 = mem[r1] › Store to memory › STR r0, [r1] → mem[r1] = r0
  16. Slide 27: Data processing instructions › Simple › ADD r0, r1, r2 → r0 = r1 + r2 › Immediate operands › ADD r1, r1, #1 → r1 = r1 + 1 › Shifted register operands › ADD r3, r2, r1, LSL #3 → r3 = r2 + (r1 << 3)
  17. Slide 28: Control flow instructions › Branch instructions › B LABEL › BAL LABEL › Conditional branches › BXX LABEL › BEQ, BNE, BPL, BMI, … › Conditional execution › CMP r0, #5 › ADDNE r1, r1, r0 → if (r0 != 5) r1 = r1 + r0
  18. Slide 29: Control flow instructions › Branch and link instructions › BL SUBROUTINE → r14 (LR) = address of the next instruction, then jump to SUBROUTINE › PUSH {r0-r5, LR} › … › POP {r0-r5, PC}
  19. Slide 30: Calling convention › Argument values › r0 → r3 › Local variables › r4 → r11 › Return value › r0
  20. Slide 31: Summing it up › Objective-C › [ObjectPointer Method:42] › C++ › ObjectPointer->Method(42) › Pseudo C › objc_msgSend(ObjectPointer, "Method", 42) › ARM assembly
  21. Slide 33: First of all › Forget about the simulator › Binaries compiled for x86, not ARM › Need to use a jailbroken iOS device › Tools to install › SSH › GDB › ...
  22. Slide 34: Find'em › Downloaded from the AppStore as .ipa › ZIP file › ~/Music/iTunes/iTunes Music/Mobile Applications/ › On iOS devices › /var/mobile/Applications/<UUID>/<AppName>.app/
  23. Slide 35: Content of <AppName>.app (after download from the device to the workstation; owner set to mobile:mobile on iOS)
  24. Slide 36: FAT binaries › Binary might contain multiple versions › Need to extract the one corresponding to our device
  25. Slide 37: Decrypt'em › Encrypted using a "FairPlay like" method › Each executable page is encrypted with AES and an MD5 checksum is computed › How to know if a binary is encrypted? › LC_ENCRYPTION_INFO › cryptid → 1 if the binary is encrypted › cryptoffset → offset of the encrypted data › cryptsize → size of the encrypted data
  26. Slide 39: Unpack the binary › Use a script that automates the process › crackulous › Not leet enough ;) › "unpack your app in 5 steps and achieve peace" › Launch GDB › Set a breakpoint › Run the application › Extract the unencrypted executable code › Patch the architecture specific binary
  27. Slide 40: Where do I set the breakpoint? › Execution steps › FAT binary is run › Architecture specific binary is mapped in memory › Executable code is decrypted › Branch to start symbol › Get start's address
  28. Slide 44: Patch the architecture specific binary › Locate LC_ENCRYPTION_INFO › Mach-O header parser › Hexadecimal editor › Replace cryptid › 1 → 0 › Replace encrypted code with unpacked one
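The "Mach-O header parser" that slides 36, 37 and 44 rely on, written out as an added example (not code from the talk or from any tool it names): it selects the FAT slice for a given ARM CPU subtype and reads LC_ENCRYPTION_INFO to report whether that slice is still encrypted, which is also how you confirm that a build you ship is encrypted as expected. Structure layouts follow Apple's public headers, reproduced here so the code builds off-device; the two-slice binary is constructed sample data, not a real application.

```c
/* Mach-O header walk for slides 36, 37 and 44: pick the FAT slice for the device's CPU subtype,
 * then read LC_ENCRYPTION_INFO (cryptid 1 = still FairPlay-encrypted). Layouts follow Apple's
 * <mach-o/fat.h> (big-endian) and <mach-o/loader.h> (ARM little-endian); sample bytes are constructed. */
#include <stdint.h>
#include <string.h>
static const uint32_t FAT_MAGIC = 0xcafebabe, MH_MAGIC = 0xfeedface, CPU_TYPE_ARM = 12, LC_ENCRYPTION_INFO = 0x21;
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | p[2] << 16 | p[1] << 8 | p[0]; }
/* Offset of the slice for (cputype, cpusubtype); 0 for a thin Mach-O; -1 if absent or truncated. */
long find_slice(const uint8_t *f, size_t len, uint32_t cputype, uint32_t subtype) {
    if (len < 8 || be32(f) != FAT_MAGIC) return (len >= 4 && le32(f) == MH_MAGIC) ? 0 : -1;
    for (uint32_t i = 0, n = be32(f + 4); i < n; i++) {
        if ((size_t)8 + (size_t)i * 20 + 20 > len) return -1; /* fat_arch table runs past EOF */
        const uint8_t *a = f + 8 + i * 20;                    /* struct fat_arch is 20 bytes */
        if (be32(a) != cputype || be32(a + 4) != subtype) continue;
        uint32_t off = be32(a + 8), sz = be32(a + 12);
        return (sz >= 28 && sz <= len && off <= len - sz) ? (long)off : -1;  /* slice must fit */
    }
    return -1;
}
/* cryptid from LC_ENCRYPTION_INFO in a 32-bit slice (fills cryptoff/cryptsize); -1 if absent or malformed. */
int crypt_id(const uint8_t *m, size_t len, uint32_t *cryptoff, uint32_t *cryptsize) {
    if (len < 28 || le32(m) != MH_MAGIC) return -1;
    size_t pos = 28, end = 28 + (size_t)le32(m + 20); if (end > len) return -1; /* sizeofcmds bounds walk */
    for (uint32_t i = 0, n = le32(m + 16), cs = 0; i < n && pos + 8 <= end; i++, pos += cs) {
        uint32_t cmd = le32(m + pos); cs = le32(m + pos + 4);
        if (cs < 8 || cs > end - pos) return -1;              /* bogus cmdsize: stop, never over-read */
        if (cmd != LC_ENCRYPTION_INFO || cs < 20) continue;
        *cryptoff = le32(m + pos + 8); *cryptsize = le32(m + pos + 12);
        return (int)le32(m + pos + 16);
    }
    return -1;
}
/* Constructed two-slice sample (not a real app): armv6 slice encrypted (cryptid 1), armv7 clear (0). */
static void put_be(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put_le(uint8_t *p, uint32_t v) { p[3] = v >> 24; p[2] = v >> 16; p[1] = v >> 8; p[0] = v; }
size_t build_sample(uint8_t buf[144]) {
    uint32_t offs[2] = {48, 96}, subs[2] = {6, 9}, ids[2] = {1, 0};   /* subtype 6 = armv6, 9 = armv7 */
    memset(buf, 0, 144); put_be(buf, FAT_MAGIC); put_be(buf + 4, 2);  /* fat_header: magic, nfat_arch */
    for (int i = 0; i < 2; i++) {                                      /* 28-byte header + 20-byte command */
        uint8_t *a = buf + 8 + i * 20, *m = buf + offs[i];
        put_be(a, CPU_TYPE_ARM); put_be(a + 4, subs[i]); put_be(a + 8, offs[i]); put_be(a + 12, 48);
        put_le(m, MH_MAGIC); put_le(m + 4, CPU_TYPE_ARM); put_le(m + 8, subs[i]);
        put_le(m + 16, 1); put_le(m + 20, 20);                        /* ncmds = 1, sizeofcmds = 20 */
        put_le(m + 28, LC_ENCRYPTION_INFO); put_le(m + 32, 20);      /* cmd, cmdsize */
        put_le(m + 36, 4096); put_le(m + 40, 8192); put_le(m + 44, ids[i]); /* cryptoff, cryptsize, cryptid */
    }
    return 144;
}
```

On a real .ipa, read the executable into a buffer, call find_slice with the subtype of your device (armv7 = 9), then crypt_id on buf + offset; a cryptid of 0 in a store-downloaded slice is worth a second look.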
  29. Slide 49: Reverse'em › Retrieve class declarations › class-dump › Resolve objc_msgSend calls › Useless call graph › Need to patch the disassembly
  30. Slide 52: objc_msgSend › As stated before › objc_msgSend(<ref to object>, @selector(method), …) › ARM calling convention › arg1 → r0 › arg2 → r1 › Backtrace calls to objc_msgSend › By hand › Using Zynamics IDAPython scripts
  31. Slide 55: Where to start › Locate the main class › UIApplicationDelegate › applicationDidFinishLaunching: › application:didFinishLaunchingWithOptions: › Views › UI*ViewController › viewDidLoad
  32. Slide 57: Remote connections › HTTP(S) › NSURL › ... › Sockets › CFSocketCreate › ...
  33. Slide 58: Data protection › Accessing the KeyChain using JB tools › Lost iPhone? Lost Passwords!* › Protect KeyChain content › Using passcode › setAttributes:ofItemAtPath: → NSFileProtectionComplete › SecItemAdd → kSecAttrAccessibleWhenUnlocked › * http://www.sit.fraunhofer.de/forschungsbereiche/projekte/Lost_iPhone.jsp
  34. Slide 61: Conclusion › This is a revolution! › This presentation was only an introduction › Lots of work/ideas around iOS › Grab your debugger and disassembler and work on it › I'm open to discuss it around a few beers › @milkmix_