iOS applications reverse engineering

Swiss Cyber Storm 2011

Julien Bachmann

May 13, 2011

Transcript

  1. Agenda (slide 2) › Motivations › The architecture › Mach-O › Objective-C › ARM › AppStore binaries › Find'em › Decrypt'em › Reverse'em › What to look for › Where to start › Remote connections › Data protection › Conclusion
  2. Preamble (slide 3) • Security engineer @ SCRT • Areas of interest focused on reverse engineering, software vulnerabilities and OS internals • Not an Apple fanboy, but like all the cool kids... ;) • The goal of this presentation is to give a state of the art, in 45 minutes, of my knowledge about iOS applications reverse engineering • Motivate people to do more research in user/kernel-land iOS reverse engineering
  3. A few numbers (slide 5) › +160 million iOS users › +400 000 applications available › +10 billion downloads → (modestly) large user base
  4. Applications review (slide 7) › Apple defined a review process › 10% of the applications are classified as dangerous › Cases of applications not « compliant » with their description
  5. Now, what if you want to... (slide 9) › check an external app? › verify that your application is secure? › check what kind of information an attacker can get from your application?
  6. Mach-O (slide 16) › Load commands › Indicate the memory layout › Locate the symbol table › Main thread context › Shared libraries
  7. Mach-O (slide 17) › Data › Segments containing sections › __PAGEZERO › __TEXT › Executable code and r-- › __DATA › rw- › __OBJC › ...
  8. Mach-O (slide 19) › Universal / FAT files › Support multiple architectures › For OSX › Universal › PowerPC, x86 and x86_64 › For iOS › FAT › armv6, armv7
  9. Objective-C (slide 20) › Programming language › Superset of the C language › Object oriented › Class method calls differ from C++
  10. Calling methods (slide 21) › C++ › ObjectPointer->Method(param1, param2) › Obj-C › [ObjectPointer Method:param1 param2Name:param2]
  11. Looking more closely (slide 22) › [ObjectPointer Method] › objc_msgSend(ObjectPointer, @selector(Method)) › Selector › C string › objc_msgSend(ObjectPointer, "Method")
  12. ARM (slide 23) › RISC › load-store architecture › Fixed-length 32-bit instructions › 3-address instruction formats
  13. Registers (slide 24) › User-level programs › 15 general-purpose 32-bit registers: r0 → r14 › PC = r15 › Current program status register (N, Z, C, V flags, etc.)
  14. Load-store architecture (slide 25) › Instructions can be classified into 3 groups › Data transfer (load-store) › Data processing › Control flow
  15. Data transfer instructions (slide 26) › Load from memory › LDR r0, [r1] → r0 = mem[r1] › Store to memory › STR r0, [r1] → mem[r1] = r0
  16. Data processing instructions (slide 27) › Simple › ADD r0, r1, r2 → r0 = r1 + r2 › Immediate operands › ADD r1, r1, #1 → r1 = r1 + 1 › Shifted register operands › ADD r3, r2, r1, LSL #3 → r3 = r2 + (r1 << 3)
  17. Control flow instructions (slide 28) › Branch instructions › B LABEL › BAL LABEL › Conditional branches › BXX LABEL › BEQ, BNE, BPL, BMI, … › Conditional execution › CMP r0, #5 › ADDNE r1, r1, r0 → if (r0 != 5) r1 = r1 + r0
  18. Control flow instructions (slide 29) › Branch and link instructions › BL SUBROUTINE → r14 = address of the next instruction, then jump to SUBROUTINE › PUSH {r0-r5, LR} › … › POP {r0-r5, PC}
  19. Calling convention (slide 30) › Argument values › r0 → r3 › Local variables › r4 → r11 › Return value › r0
  20. Summing it up (slide 31) › Objective-C › [ObjectPointer Method:42] › C++ › ObjectPointer->Method(42) › Pseudo C › objc_msgSend(ObjectPointer, "Method", 42) › ARM assembly ›
  21. First of all (slide 33) › Forget about the simulator › Binaries compiled for x86, not ARM › Need to use a jailbroken iOS device › Tools to install › SSH › GDB › ...
  22. Find'em (slide 34) › Downloaded from the AppStore as .ipa › ZIP file › ~/Music/iTunes/iTunes Music/Mobile Applications/ › On iOS devices › /var/mobile/Applications/<UUID>/<AppName>.app/
  23. Content of <AppName>.app (slide 35) › listing taken after downloading the bundle from the device to the workstation › Owner set to mobile:mobile on iOS
  24. FAT binaries (slide 36) › Binary might contain multiple versions › Need to extract the one corresponding to our device
  25. Decrypt'em (slide 37) › Encrypted using a "FairPlay like" method › Each executable page is encrypted with AES and an MD5 checksum is computed › How to know if a binary is encrypted? › LC_ENCRYPTION_INFO › cryptid → 1 if the binary is encrypted › cryptoffset → offset of the encrypted data › cryptsize → size of the encrypted data
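An added example, not from the slides: a small Python checker for slides 24 and 25 that splits a FAT file into its armv6/armv7 slices, walks each slice's load commands for LC_ENCRYPTION_INFO and reads cryptid (the field the slide calls cryptoffset is named cryptoff in mach-o/loader.h). The constants are the real loader.h/fat.h values; the sample binary is constructed inline and is not a real App Store app.

```python
import struct
# Constants from mach-o/loader.h and mach-o/fat.h (real values)
FAT_MAGIC = 0xCAFEBABE        # fat_header / fat_arch are always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit mach_header; little-endian on ARM
LC_ENCRYPTION_INFO = 0x21     # encryption_info_command: cryptoff, cryptsize, cryptid
CPU_TYPE_ARM, ARM_SUBTYPES = 12, {6: "armv6", 9: "armv7"}

def thin_slices(blob):
    """Return [(arch, thin Mach-O bytes)]; a thin file yields a single slice."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:   # thin: cpusubtype at +8
        return [(ARM_SUBTYPES.get(struct.unpack_from("<I", blob, 8)[0], "other"), blob)]
    out = []
    for i in range(struct.unpack_from(">I", blob, 4)[0]):  # nfat_arch fat_arch entries
        _ct, st, off, size, _al = struct.unpack_from(">5I", blob, 8 + 20 * i)
        out.append((ARM_SUBTYPES.get(st, "other"), blob[off:off + size]))
    return out

def encryption_info(macho):
    """Walk the load commands of a thin 32-bit Mach-O and return the
    LC_ENCRYPTION_INFO fields, or None if the command is absent."""
    magic, _ct, _st, _ft, ncmds, _size, _flags = struct.unpack_from("<7I", macho, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O")
    off = 28                      # sizeof(struct mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmd == LC_ENCRYPTION_INFO:
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", macho, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None

def report(blob):
    """{arch: True = encrypted, False = cryptid 0, None = no LC_ENCRYPTION_INFO}."""
    out = {}
    for name, macho in thin_slices(blob):
        info = encryption_info(macho)
        out[name] = None if info is None else info["cryptid"] == 1
    return out
# Constructed sample (not a real App Store binary): a FAT file holding an
# encrypted armv6 slice and an armv7 slice whose cryptid is already 0.
def make_macho(subtype, cryptid):
    cmd = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, subtype, 2, 1, len(cmd), 0) + cmd
def make_fat(slices):
    hdr, off = struct.pack(">2I", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    for s in slices:
        hdr += struct.pack(">5I", CPU_TYPE_ARM, struct.unpack_from("<I", s, 8)[0], off, len(s), 0)
        off += len(s)
    return hdr + b"".join(slices)
SAMPLE = make_fat([make_macho(6, 1), make_macho(9, 0)])
print(report(SAMPLE))   # {'armv6': True, 'armv7': False}
```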
  26. Unpack the binary (slide 39) › Use a script that automates the process › crackulous › Not leet enough ;) › "unpack your app in 5 steps and achieve peace" › Launch GDB › Set a breakpoint › Run the application › Extract the unencrypted executable code › Patch the architecture specific binary
  27. Where do I set the breakpoint? (slide 40) › Execution steps › FAT binary is run › Architecture specific binary is mapped in memory › Executable code is decrypted › Branch to start symbol › Get start's address
  28. Patch the architecture specific binary (slide 44) › Locate LC_ENCRYPTION_INFO › Mach-O header parser › Hexadecimal editor › Replace cryptid › 1 → 0 › Replace encrypted code with unpacked one
  29. Reverse'em (slide 49) › Retrieve class declarations › class-dump › Resolve objc_msgSend calls › Useless call graph › Need to patch the disassembly
  30. objc_msgSend (slide 52) › As stated before › objc_msgSend(<ref to object>, @selector(method), …) › ARM calling convention › arg1 → r0 › arg2 → r1 › Backtrace calls to objc_msgSend › By hand › Using Zynamics IDAPython scripts
  31. Where to start (slide 55) › Locate the main class › UIApplicationDelegate › applicationDidFinishLaunching: › application:didFinishLaunchingWithOptions: › Views › UI*ViewController › viewDidLoad
  32. Remote connections (slide 57) › HTTP(S) › NSURL › ... › Sockets › CFSocketCreate › ...
  33. Data protection (slide 58) › Accessing the KeyChain using JB tools › Lost iPhone? Lost Passwords! * › Protect KeyChain content › Using a passcode › setAttributes:ofItemAtPath: → NSFileProtectionComplete › SecItemAdd → kSecAttrAccessibleWhenUnlocked › * http://www.sit.fraunhofer.de/forschungsbereiche/projekte/Lost_iPhone.jsp
  34. Conclusion (slide 61) › This is a revolution! › This presentation was only an introduction › Lots of work/ideas around iOS › Grab your debugger and disassembler and work on it › I'm open to discuss it around a few beers › @milkmix_