Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19
Transcript of Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19
![Page 1: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/1.jpg)
Reverse Engineering iOS apps
Max Bazaliy tech hangout
![Page 2: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/2.jpg)
@CocoaHeadsUA iSecurityKit
@mbazaliy github.com/mbazaliy
![Page 3: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/3.jpg)
Why?
Security audit, competitor analysis, solution advantages
![Page 4: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/4.jpg)
It’s fun!
![Page 5: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/5.jpg)
Analysis
![Page 6: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/6.jpg)
System: traffic sniffing, module call tracing, I/O activity
Code: disassembly / decompiling, debugging, resource reversing
![Page 7: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/7.jpg)
![Page 8: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/8.jpg)
App files: binary file, image files, interface files, property list files, CoreData model files
![Page 9: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/9.jpg)
Image files: compressed with pngcrush; appcrush.rb artwork extractor
![Page 10: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/10.jpg)
Interface files: NIBs, storyboards; nib dec, nib_patch
![Page 11: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/11.jpg)
CoreData: *.mom, momdec
![Page 12: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/12.jpg)
Binary
![Page 13: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/13.jpg)
Tools: otool, class-dump, MachOView, Hopper, cycript, Reveal
![Page 14: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/14.jpg)
Mach-O binary
![Page 15: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/15.jpg)
Mach-O header magic:
32 bit (ARMv6, ARMv7): 0xFEEDFACE
64 bit (ARM64): 0xFEEDFACF
Universal binaries (FAT): 0xCAFEBABE
![Page 16: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/16.jpg)
__TEXT -> code and read-only data
__objc sections -> data used by the runtime
![Page 17: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/17.jpg)
__message_refs __cls_refs __symbols __module_info __class __meta_class
__instance_vars __inst_meth __cls_meth __cat_cls_meth __protocol_ext __cat_inst_meth
![Page 18: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/18.jpg)
![Page 19: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/19.jpg)
class-dump
![Page 20: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/20.jpg)
```objc
@interface RRSubscription : NSObject
{
    NSString *_subscriptionID;
    unsigned int _period;
    float _price;
    NSDate *_creationDate;
}
+ (id)arrayOfSubscriptionsWithJSONArray:(id)arg1;
+ (id)subscriptionWithDictionary:(id)arg1;
@property(readonly, nonatomic) NSDate *creationDate;
@property(readonly, nonatomic) float price;
@property(readonly, nonatomic) unsigned int period;
```
![Page 21: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/21.jpg)
Binary is encrypted
![Page 22: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/22.jpg)
```sh
otool -arch all -Vl MyApp | grep -A5 LC_ENCRYP
```
![Page 23: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/23.jpg)
evasi0n.com
![Page 24: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/24.jpg)
![Page 25: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/25.jpg)
> address (cryptoff + cryptsize), size (base address + cryptoff + cryptsize)
> gdb dump memory decrypted.bin 0x3000 0xD23000
> Address space layout randomization
> 0x1000 -> 0x5000
> decrypted.bin -> binary
> patch header
![Page 26: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/26.jpg)
![Page 27: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/27.jpg)
Rasticrac
Clutch
dumpdecrypted
![Page 28: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/28.jpg)
Clutch / Rasticrac: binary analysis, debugger attach, ASLR bypass, binary dump, patch cryptid
![Page 29: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/29.jpg)
Binary analysis
![Page 30: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/30.jpg)
Hopper: disassembler, debugger, decompiler
IDA: disassembler, debugger + objc_helper + Hex-Rays
![Page 31: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/31.jpg)
![Page 32: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/32.jpg)
id objc_msgSend(id self, SEL op, ...)
80% of calls
![Page 33: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/33.jpg)
application: didFinishLaunchingWithOptions:
Hopper Disassembler
![Page 34: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/34.jpg)
Control flow graph
Hopper Disassembler
![Page 35: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/35.jpg)
Decompilation
Hopper Disassembler
![Page 36: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/36.jpg)
Method names, strings, constants
![Page 37: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/37.jpg)
cycript: dump headers, modify ivars, instantiate objects, invoke methods, swizzle methods
![Page 38: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/38.jpg)
```text
cy# UIApp
@"<UIApplication: 0x14632f70>"
cy# function tryPrintIvars(a){ var x={}; for(i in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x;}
cy# UIApp.keyWindow.subviews[0].nextResponder.topViewController
@"<UINavigationController: 0x14596530>"
cy# UIApp.keyWindow.subviews[0].nextResponder.topViewController.viewControllers[0]
@"<JailbreakDetectionVC: 0x15a5ad10>"
cy# JailbreakDetectionVC.messages['isJailbroken'] = function () { return NO };
{}
cy# [[[UIView alloc] init] autorelease]
@"<UIView: 0x14d71bb0; frame = (0 0; 0 0); layer = <CALayer: 0x14d702b0>>"
```
![Page 39: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/39.jpg)
Reveal: runtime inspection, modify layer, dynamically loaded
![Page 40: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/40.jpg)
Foursquare.app
![Page 41: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/41.jpg)
Special tools: idb, iNalyzer, Snoop-it, Introspy, iRET
![Page 42: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/42.jpg)
![Page 43: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/43.jpg)
Best practices: compile with PIE, no credentials in plists, disable NSLog, use NSFileProtection
![Page 44: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/44.jpg)
Best practices: sensitive data in the keychain, view snapshots, Cache.db, URL schemes, Secure Coding Guide
![Page 45: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/45.jpg)
What next? No Objective-C, integrity checks, SSL pinning, obfuscation
![Page 46: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/46.jpg)
![Page 47: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/47.jpg)
SSL pinning: public key or certificate
![Page 48: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/48.jpg)
```objc
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
  completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    …   // serverTrust comes from challenge.protectionSpace; remoteVersionOfServerCertificate is its leaf certificate
    NSData *localCertificateData = [NSData dataWithContentsOfFile:
        [[NSBundle mainBundle] pathForResource:@"MyCert" ofType:@"crt"]];
    CFDataRef remoteCertificateData = SecCertificateCopyData(remoteVersionOfServerCertificate);
    // byte-for-byte comparison of the DER certificate shipped in the bundle with the one the server presented
    BOOL certificatesAreTheSame =
        [localCertificateData isEqualToData:(__bridge NSData *)remoteCertificateData];
    NSURLCredential *cred = [NSURLCredential credentialForTrust:serverTrust];
    if (certificatesAreTheSame) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
    } else {
        completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
    }
    CFRelease(remoteCertificateData);   // SecCertificateCopyData returns a +1 reference
}
```
![Page 49: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/49.jpg)
```objc
- (AFSecurityPolicy *)googleSecurityPolicy {
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"google" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:cerPath];
    AFSecurityPolicy *securityPolicy = [[AFSecurityPolicy alloc] init];
    [securityPolicy setAllowInvalidCertificates:NO];
    [securityPolicy setPinnedCertificates:@[certData]];   // DER certificate shipped in the bundle
    [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];
    return securityPolicy;
}

- (void)googleRequest {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    [manager setSecurityPolicy:[self googleSecurityPolicy]];
    // the slide wrote "www.google.com"; the pin only applies on a TLS connection, so the URL needs the https scheme
    [manager GET:@"https://www.google.com" parameters:nil
         success:^(AFHTTPRequestOperation *operation, NSDictionary *responseObject) {
         }
         failure:^(AFHTTPRequestOperation *operation, NSError *error) {
         }];
}
```
![Page 50: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/50.jpg)
Method obfuscation: use functions, strip symbols, use #define, inline with __attribute__((always_inline))
![Page 51: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/51.jpg)
```c
// The readable name exists only in the preprocessor; the binary carries gbrlp, and once the
// function is inlined and symbols are stripped, no name at all.
#define isJailbroken() gbrlp()

static inline __attribute__((always_inline)) int gbrlp(void)
{
    …
}
```
![Page 52: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/52.jpg)
Strings obfuscation: XORs, decoding tables, don't use one key
![Page 53: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/53.jpg)
```objc
// Obfuscated literal for "ptrace"; decodeString() is the app's own decoder.
// The slide named the result scInfoString; the anti-debugger slide uses it as ptraceString.
#define PTRACE_STRING @"<mlbD3Z1"
NSString *ptraceString = decodeString(PTRACE_STRING);

// Data at rest: RNCryptor (AES-256) rather than a hand-rolled XOR for anything that must stay secret
NSError *error = nil;
NSData *encryptedData = [RNEncryptor encryptData:data
                                    withSettings:kRNCryptorAES256Settings
                                        password:@"passw0rd"
                                           error:&error];

NSData *decryptedData = [RNDecryptor decryptData:encryptedData
                                    withSettings:kRNCryptorAES256Settings
                                        password:@"passw0rd"
                                           error:&error];
```
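The three bullets on the strings slide (XOR, a decoding table, a different key per literal) as one small C scheme. This is an added example and not the talk's `decodeString`: the substitution table, the seed, the position-dependent mask and the per-string key are all constructed here. The build-time side (`obf_encode`) would normally run in a script that emits the `obf_string` initialisers into the source; only `obf_decode` and the table belong in the app.

```c
/* Added example (not from the slides): per-string XOR key + byte substitution table. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OBF_MAX 32

typedef struct {
    uint8_t key;              /* per-literal key: every string gets its own */
    uint8_t len;
    uint8_t data[OBF_MAX];    /* obfuscated bytes; no NUL terminator stored */
} obf_string;

static uint8_t TBL[256], INV[256];
static int tbl_ready;

/* Substitution ("decoding") table: a fixed byte permutation and its inverse,
 * generated from a constructed seed here; a real build step would randomise it per build. */
static void build_tables(void)
{
    if (tbl_ready) return;
    for (int i = 0; i < 256; i++) TBL[i] = (uint8_t)i;
    uint32_t r = 0x9E3779B9u;                       /* constructed seed */
    for (int i = 255; i > 0; i--) {                 /* Fisher-Yates shuffle */
        r = r * 1664525u + 1013904223u;
        int j = (int)((r >> 8) % (uint32_t)(i + 1));
        uint8_t t = TBL[i]; TBL[i] = TBL[j]; TBL[j] = t;
    }
    for (int i = 0; i < 256; i++) INV[TBL[i]] = (uint8_t)i;
    tbl_ready = 1;
}

/* Position-dependent mask: the same plaintext byte at two positions gets two different masks,
 * so repeated characters do not show up as repeated ciphertext bytes. */
static uint8_t mask(uint8_t key, size_t i) { return (uint8_t)(key + i * 0x1D); }

/* Build-time side: XOR with the per-string mask, then pass through the table. */
obf_string obf_encode(const char *plain, uint8_t key)
{
    obf_string s;
    memset(&s, 0, sizeof s);
    build_tables();
    size_t n = strlen(plain);
    if (n > OBF_MAX) n = OBF_MAX;
    s.key = key;
    s.len = (uint8_t)n;
    for (size_t i = 0; i < n; i++)
        s.data[i] = TBL[(uint8_t)plain[i] ^ mask(key, i)];
    return s;
}

/* Run-time side: invert the table, then XOR. Writes into a caller buffer so the
 * caller can wipe it once the string has been used. Returns bytes written. */
size_t obf_decode(const obf_string *s, char *out, size_t outcap)
{
    if (outcap == 0) return 0;
    build_tables();
    size_t n = s->len < outcap - 1 ? s->len : outcap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(INV[s->data[i]] ^ mask(s->key, i));
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[OBF_MAX + 1];
    obf_string e = obf_encode("ptrace", 0x5A);   /* constructed key */
    obf_decode(&e, buf, sizeof buf);
    printf("decoded: %s\n", buf);
    memset(buf, 0, sizeof buf);                  /* wipe the plaintext after use */
    return 0;
}
```

Two properties matter for the "don't use one key" bullet: the same literal encoded under two keys gives unrelated bytes, and a run of identical characters does not produce a run of identical ciphertext bytes, so a reverser cannot recover one key from one known string and apply it to all the others.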
![Page 54: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/54.jpg)
Anti-debugger tricks: deny attach, constructor tricks, change values
![Page 55: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/55.jpg)
```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/sysctl.h>

// Asks the kernel for this process's kinfo_proc and reports whether P_TRACED is set,
// i.e. a debugger is attached. Inlined at every call site so there is no single
// function for a reverser to patch or breakpoint.
static inline __attribute__((always_inline)) int checkGDB(void)
{
    size_t size = sizeof(struct kinfo_proc);
    struct kinfo_proc info;
    memset(&info, 0, sizeof(struct kinfo_proc));

    int ret, name[4];
    name[0] = CTL_KERN;
    name[1] = KERN_PROC;
    name[2] = KERN_PROC_PID;
    name[3] = getpid();

    if ((ret = sysctl(name, 4, &info, &size, NULL, 0)))
        return ret;   // sysctl failed (-1): distinguish from the 1 below if the caller cares
    return (info.kp_proc.p_flag & P_TRACED) ? 1 : 0;
}
```
![Page 56: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/56.jpg)
```objc
#import <dlfcn.h>
#import <sys/types.h>

#define PT_DENY_ATTACH 31

typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);

// ptraceString holds "ptrace", decoded at runtime from the obfuscated literal on the
// strings slide, so the symbol name never appears as a plain string in the binary.
void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, [ptraceString UTF8String]);
if (ptrace_ptr)
    ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
dlclose(handle);
```
![Page 57: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/57.jpg)
SYSCALL
![Page 58: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/58.jpg)
```c
syscall(26, 31, 0, 0, 0);   // 26 = SYS_ptrace, 31 = PT_DENY_ATTACH; no symbol to search for
```
ptrace, PT_DENY_ATTACH
![Page 59: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/59.jpg)
```objc
+ (PurchaseManager *)sharedManager {
    // isDebugged() is the app's own wrapper around the checks above
    if (isDebugged())
        return nil;

    static PurchaseManager *sharedPurchaseManager = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        sharedPurchaseManager = [[self alloc] init];
    });

    return sharedPurchaseManager;
}
```
![Page 60: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/60.jpg)
Integrity checks: is encrypted, is patched, SC_Info, iTunesMetadata, overdrive tricks
![Page 61: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/61.jpg)
![Page 62: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/62.jpg)
```objc
#import <dlfcn.h>
#import <mach-o/loader.h>

// Walks the load commands of the image containing this function and returns YES
// while LC_ENCRYPTION_INFO still has cryptid set (App Store encryption intact).
// A decrypted, repackaged copy has cryptid patched to 0.
static BOOL isEncrypted(void)
{
    Dl_info dlinfo;
    if (dladdr((const void *)isEncrypted, &dlinfo) == 0 || dlinfo.dli_fbase == NULL)
        return NO;

    const struct mach_header *header = (const struct mach_header *)dlinfo.dli_fbase;
    // the slide assumes a 32-bit header; arm64 images start with mach_header_64 and use LC_ENCRYPTION_INFO_64
    size_t headerSize = (header->magic == MH_MAGIC_64) ? sizeof(struct mach_header_64)
                                                       : sizeof(struct mach_header);
    struct load_command *cmd = (struct load_command *)((const char *)header + headerSize);
    for (uint32_t i = 0; cmd != NULL && i < header->ncmds; i++) {
        if (cmd->cmd == LC_ENCRYPTION_INFO || cmd->cmd == LC_ENCRYPTION_INFO_64) {
            // both commands share the cryptoff/cryptsize/cryptid prefix
            struct encryption_info_command *crypt_cmd = (struct encryption_info_command *)cmd;
            if (crypt_cmd->cryptid < 1)
                return NO;
            else
                return YES;
        }
        cmd = (struct load_command *)((char *)cmd + cmd->cmdsize);   // advance to the next command
    }
    return NO;
}
```
![Page 63: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/63.jpg)
```objc
#import <dlfcn.h>
#import <mach-o/getsect.h>
#import <mach-o/loader.h>
#import <CommonCrypto/CommonDigest.h>

// Hashes the __text section of the running image and compares it with the MD5
// recorded at build time. The slide leaves out how section, segment and header are
// obtained; getsectbyname/getsegbyname and dladdr are used here. Types are the 32-bit
// ones from the slide; an arm64 build gets section_64 / segment_command_64 back.
static BOOL textSectionIsIntact(void)
{
    const char *originalSignature = "5f9b18edc3666be3de79134a40deea5b";
    const struct section *section = getsectbyname("__TEXT", "__text");
    const struct segment_command *segment = getsegbyname("__TEXT");
    Dl_info dlinfo;
    if (!section || !segment || dladdr((const void *)textSectionIsIntact, &dlinfo) == 0)
        return NO;
    const struct mach_header *header = (const struct mach_header *)dlinfo.dli_fbase;

    uintptr_t textSectionAddr = section->addr;   // link-time address of __text
    uint32_t textSectionSize = section->size;
    uintptr_t vmaddr = segment->vmaddr;          // the slide took &segment->vmaddr, the field's address, by mistake

    // ASLR: actual __TEXT base minus link-time vmaddr is the slide; add the section's link-time address
    const char *textSectionPtr = (const char *)header + (textSectionAddr - vmaddr);

    unsigned char digest[CC_MD5_DIGEST_LENGTH];
    char signature[2 * CC_MD5_DIGEST_LENGTH + 1];   // +1: sprintf writes a terminating NUL
    CC_MD5(textSectionPtr, textSectionSize, digest);

    for (size_t i = 0; i < sizeof(digest); i++)
        sprintf(signature + (2 * i), "%02x", digest[i]);
    return strcmp(originalSignature, signature) == 0;
}
```
![Page 64: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/64.jpg)
```objc
// An App Store download ships an SC_Info/ directory inside the bundle (typically two files);
// a repackaged .ipa often lacks it or carries different contents.
BOOL isDirectory = NO;

NSString *directoryPath = [[[NSBundle mainBundle] bundlePath] stringByAppendingPathComponent:@"SC_Info/"];

BOOL directoryExists = [[NSFileManager defaultManager] fileExistsAtPath:directoryPath isDirectory:&isDirectory];

BOOL contentSeemsValid = ([[[NSFileManager defaultManager] contentsOfDirectoryAtPath:directoryPath error:NULL] count] == 2);
```
![Page 65: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/65.jpg)
```objc
NSString *scInfoString = @"SC_Info/";
NSString *appleIDString = @"appleId";
NSString *appleIDMailAddress = @"[email protected]";
NSString *metadataString = @"iTunesMetadata.plist";
NSString *downloadInfoKeyString = @"com.apple.iTunesStore.downloadInfo";
NSString *accountInfoString = @"accountInfo";

// iTunesMetadata.plist sits next to the .app directory, not inside it
NSString *rootDirectoryPath = [[[NSBundle mainBundle] bundlePath] stringByDeletingLastPathComponent];
NSDictionary *iTunesMetadata = [NSDictionary dictionaryWithContentsOfFile:
    [rootDirectoryPath stringByAppendingPathComponent:metadataString]];
NSString *appleID = [iTunesMetadata objectForKey:appleIDString];
NSDictionary *accountInfo = [[iTunesMetadata objectForKey:downloadInfoKeyString] objectForKey:accountInfoString];
BOOL isValidAppleID = (appleID.length > 0 &&
    [appleID rangeOfString:appleIDMailAddress options:NSCaseInsensitiveSearch].location == NSNotFound);
BOOL isValidDownloadInfo = (accountInfo.count > 0);
```
![Page 66: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/66.jpg)
![Page 67: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/67.jpg)
```objc
// A stock App Store bundle contains no loose .dylib; injected tweaks often leave one behind
BOOL dyLibFound = NO;
NSArray *directoryFiles = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:[[NSBundle mainBundle] bundlePath] error:NULL];

for (NSString *filename in directoryFiles) {
    if ([[filename pathExtension] caseInsensitiveCompare:@"dylib"] == NSOrderedSame) {
        dyLibFound = YES;
        break;
    }
}
```
![Page 68: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/68.jpg)
```objc
#import <objc/runtime.h>

// Replacement +allocWithZone: that returns nil, so the hooking tool's classes can never be instantiated
static id nilImplementation(id self, SEL _cmd, NSZone *zone) { return nil; }

Class hooksClass = objc_getClass("hooks");
Class descriptorsClass = objc_getClass("descriptors");
SEL allocWithZoneSelector = sel_registerName("allocWithZone:");

if (hooksClass != NULL) {
    Method method =
        class_getClassMethod(hooksClass, allocWithZoneSelector);
    method_setImplementation(method, (IMP)nilImplementation);
}

if (descriptorsClass != NULL) {
    Method method =
        class_getClassMethod(descriptorsClass, allocWithZoneSelector);
    method_setImplementation(method, (IMP)nilImplementation);
}
```
![Page 69: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/69.jpg)
What next? Terminate app, run in demo mode, change behavior
![Page 70: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/70.jpg)
![Page 71: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/71.jpg)
Jailbreak detection: path check, URL check, file access, root check, process check
![Page 72: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/72.jpg)
```objc
// File access: the sandbox forbids writing outside the app container on a stock device
NSError *error;
NSString *jailTest = @"Jailbreak time!";

BOOL success = [jailTest writeToFile:@"/private/test_jail.txt"
                          atomically:YES
                            encoding:NSUTF8StringEncoding
                               error:&error];

if (success) {
    [[NSFileManager defaultManager] removeItemAtPath:@"/private/test_jail.txt" error:NULL];   // remove the probe file
    …
}
```
![Page 73: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/73.jpg)
```objc
// Root check: the sandbox denies fork() on a stock device, so a child process means the sandbox is gone.
// isJail / noJail are the app's own result constants.
int result = fork();
if (!result)
    exit(0);          // child: leave immediately
if (result >= 0)
    return isJail;    // parent got a pid, fork succeeded
return noJail;

// system() is likewise unavailable in the sandbox; system(0) reports whether a shell is present
if (system(0))
    ...
```
![Page 74: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/74.jpg)
```objc
// URL check: only a device with Cydia installed can open the cydia:// scheme
NSURL *FakeURL = [NSURL URLWithString:@"cydia://package/com.fake.package"];

if ([[UIApplication sharedApplication] canOpenURL:FakeURL])
    return isJail;
else
    return noJail;
```
![Page 75: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/75.jpg)
```objc
// Path check: files that exist only on a jailbroken device
NSArray *jailbrokenPaths = @[@"/Applications/Cydia.app",
                             @"/Applications/RockApp.app",
                             @"/Applications/Icy.app",
                             @"/usr/sbin/sshd",
                             @"/usr/bin/sshd",
                             @"/private/var/lib/apt",
                             @"/private/var/lib/cydia",
                             @"/usr/libexec/sftp-server",
                             @"/private/var/stash"];

for (NSString *string in jailbrokenPaths)
    if ([[NSFileManager defaultManager] fileExistsAtPath:string]) {
        …
    }
```
![Page 76: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/76.jpg)
```objc
// Process check: runningProcesses is the app's own helper that lists processes (sysctl KERN_PROC_ALL)
NSArray *processes = [self runningProcesses];

for (NSDictionary *dict in processes) {
    NSString *process = dict[@"ProcessName"];
    if ([process isEqualToString:@"MobileCydia"]) {
        ...
    }
}
```
![Page 77: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/77.jpg)
iMAS: encrypted Core Data, security checks, passcode check, memory security
![Page 78: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/78.jpg)
LLVM Obfuscator: instruction substitution, control flow flattening, bogus control flow, function merging
![Page 79: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/79.jpg)
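Three of the four passes listed for the LLVM obfuscator, written out by hand on one small function so the shapes are recognisable when they turn up in Hopper or IDA. This is an added example and not the obfuscator's own output or code from the talk; the checksum function, the opaque predicate and the state numbering are constructed for illustration.

```c
/* Added example (not from the slides or the obfuscator project): hand-written equivalents
 * of instruction substitution, control-flow flattening and bogus control flow. */
#include <stddef.h>
#include <stdio.h>

/* Original: per-byte checksum with a data-dependent branch. */
unsigned checksum_plain(const unsigned char *p, size_t n)
{
    unsigned h = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] & 1) h += p[i];
        else          h ^= p[i];
    }
    return h;
}

/* Instruction substitution: the same arithmetic through identities that hold modulo 2^32,
 * so a plain add or xor no longer appears as a single instruction. */
unsigned add_subst(unsigned a, unsigned b) { return (a ^ b) + ((a & b) << 1); }
unsigned xor_subst(unsigned a, unsigned b) { return (a | b) - (a & b); }

/* Opaque predicate for bogus control flow: i*i + i is always even, so this is always 0,
 * but a decompiler has to prove that before it can delete the dead edge. */
static int always_false(size_t i) { return ((i * i + i) & 1) != 0; }

/* Control-flow flattening: every basic block becomes one case of a dispatcher switch and
 * the loop/branch structure survives only in the state updates. */
unsigned checksum_obfuscated(const unsigned char *p, size_t n)
{
    unsigned h = 0;
    size_t i = 0;
    int state = 0;
    for (;;) {
        switch (state) {
        case 0: state = (i < n) ? 1 : 4; break;                           /* loop test */
        case 1: state = always_false(i) ? 6 : ((p[i] & 1) ? 2 : 3); break; /* branch + bogus edge */
        case 2: h = add_subst(h, p[i]); state = 5; break;                 /* odd byte */
        case 3: h = xor_subst(h, p[i]); state = 5; break;                 /* even byte */
        case 5: i++; state = 0; break;                                    /* loop increment */
        case 6: h = ~h; state = 5; break;                                 /* bogus block, never reached */
        case 4: return h;
        default: return 0;
        }
    }
}

int main(void)
{
    const unsigned char sample[] = "constructed sample input";   /* constructed */
    printf("plain=%u obfuscated=%u\n",
           checksum_plain(sample, sizeof sample - 1),
           checksum_obfuscated(sample, sizeof sample - 1));
    return 0;
}
```

The two functions return the same value for every input; what changes is the control-flow graph, which is the point of the "Cracking time = Protection time" slide: each pass buys analysis time rather than secrecy.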
![Page 80: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/80.jpg)
Cracking time = Protection time
![Page 81: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/81.jpg)
![Page 82: Reverse Engineering iOS Apps (by Max Bazaliy) - Mobile Tech Hangout - 2014.07.19](https://reader035.fdocuments.in/reader035/viewer/2022081716/54b7020d4a7959af3d8b45a8/html5/thumbnails/82.jpg)
@mbazaliy