SCS3 2011 Bachmann
Transcript of SCS3 2011 Bachmann
Agenda
› Motivations
› The architecture
  › Mach-O
  › Objective-C
  › ARM
› AppStore binaries
  › Find'em
  › Decrypt'em
  › Reverse'em
› What to look for
  › Where to start
  › Remote connections
  › Data protection
› Conclusion
Preamble
● Security engineer @ SCRT
● Areas of interest focused on reverse engineering, software vulnerabilities and OS internals
● Not an Apple fanboy but like all the cool kids... ;)
● The goal of this presentation is to give, in 45 minutes, a state of the art of my knowledge about iOS application reverse engineering
● Motivate people to do more research in user/kernel-land iOS reverse engineering
Motivations
A few numbers
› +160 million iOS users
› +400 000 applications available
› +10 billion downloads
→ (modestly) large user base
e-banking applications
Applications review
› Apple defined a review process
› 10% of the applications are classified as dangerous
› Cases of applications not « compliant » with their description
Storm8 case
Now, what if you want to...
› check an external app?
› verify that your application is secure?
› check what kind of information an attacker can get from your application?
Best reason ever...
› Because it's fun to learn how to reverse new things!
The architecture
Mach-O
› File format for
  › Executables
  › Libraries
  › Core dumps
Mach-O
› Contains three parts
  › Header
  › Load commands
  › Data
Mach-O
› Header
Mach-O
Mach-O
› Load commands
  › Describe the memory layout (which segments to map, and where)
  › Locate the symbol table
  › Main thread context (initial register state, i.e. the entry point)
  › Shared libraries to load
Mach-O
› Data
  › Segments containing sections
  › __PAGEZERO
  › __TEXT
    › Executable code and read-only data (r-x)
  › __DATA
    › Writable data (rw-)
  › __OBJC
  › ...
Mach-O
› objdump? Forget about it
› Introducing: otool! (otool -h dumps the header, otool -l the load commands, otool -f the FAT header)
Mach-O
› Universal / FAT files
  › Support multiple architectures in one file
  › For OSX: Universal
    › PowerPC, x86 and x86_64
  › For iOS: FAT
    › armv6, armv7
Objective-C
› Programming language
  › Superset of the C language
  › Object oriented
  › Method calls (message sends) differ from C++
Calling methods
› C++
  › ObjectPointer->Method(param1, param2)
› Obj-C
  › [ObjectPointer Method:param1 param2Name:param2]
Looking more closely
› [ObjectPointer Method]
  › compiles to objc_msgSend(ObjectPointer, @selector(Method))
› Selector
  › A C string (on disk, a reference into the method-name string table), which is why method names survive symbol stripping
  › objc_msgSend(ObjectPointer, "Method")
ARM
› RISC
  › load-store architecture
  › Fixed-length 32-bit instructions (Thumb, which iOS apps commonly use, has 16-bit encodings and 32-bit Thumb-2 encodings)
  › 3-address instruction formats
Registers
› User-level programs
  › 15 general-purpose 32-bit registers: r0 → r14 (r13 is the stack pointer SP, r14 the link register LR)
  › PC = r15
  › Current program status register (N, Z, C, V flags, etc.)
Load-store architecture
› Instructions can be classified into 3 groups
  › Data transfer (load-store)
  › Data processing
  › Control flow
Data transfer instructions
› Load from memory
  › LDR r0, [r1] → r0 = mem[r1]
› Store to memory
  › STR r0, [r1] → mem[r1] = r0
Data processing instructions
› Simple
  › ADD r0, r1, r2 → r0 = r1 + r2
› Immediate operands
  › ADD r1, r1, #1 → r1 = r1 + 1
› Shifted register operands
  › ADD r3, r2, r1, LSL #3 → r3 = r2 + (r1 << 3)
Control flow instructions
› Branch instructions
  › B LABEL
  › BAL LABEL (branch always, same as B)
› Conditional branches
  › BXX LABEL
  › BEQ, BNE, BPL, BMI, …
› Conditional execution (most instructions can carry a condition code, evaluated against the flags)
  › CMP r0, #5
  › ADDNE r1, r1, r0 → if (r0 != 5) r1 = r1 + r0
Control flow instructions
› Branch and link instructions
  › BL SUBROUTINE → r14 (LR) = address of the next instruction, then jump to SUBROUTINE
  › Typical subroutine prologue/epilogue:
    › PUSH {r0-r5, LR}
    › …
    › POP {r0-r5, PC} (restores the registers and returns by loading the saved LR into PC)
Calling convention
› Argument values
  › r0 → r3 (further arguments go on the stack)
› Local variables
  › r4 → r11 (callee-saved, so they survive calls)
› Return value
  › r0
Summing it up
› Objective-C
  › [ObjectPointer Method:42]
› C++
  › ObjectPointer->Method(42)
› Pseudo C
  › objc_msgSend(ObjectPointer, "Method", 42)
› ARM assembly
  › r0 = ObjectPointer, r1 = selector, r2 = 42, then BL _objc_msgSend (return value comes back in r0)
AppStore binaries
First of all
› Forget about the simulator
  › Binaries are compiled for x86, not ARM
› Need to use a jailbroken iOS device
› Tools to install
  › SSH
  › GDB
  › ...
Find'em
› Downloaded from the AppStore as .ipa
  › ZIP file (the application bundle sits under Payload/)
  › ~/Music/iTunes/iTunes Music/Mobile Applications/
› On iOS devices
  › /var/mobile/Applications/<UUID>/<AppName>.app/
Content of <AppName>.app*
* after download from the device to the workstation; owner is set to mobile:mobile on iOS
FAT binaries
› The binary might contain several architecture slices (e.g. armv6 and armv7)
› Need to extract the one corresponding to our device (lipo -thin, or a FAT header parser)
Decrypt'em
› Encrypted using a "FairPlay like" method
  › Each executable page is encrypted with AES and an MD5 checksum is computed
› How to know if a binary is encrypted? Look for the LC_ENCRYPTION_INFO load command
  › cryptid → 1 if the binary is encrypted (0 once decrypted)
  › cryptoff → offset of the encrypted data
  › cryptsize → size of the encrypted data
LC_ENCRYPTION_INFO
Unpack the binary
› Use a script that automates the process
  › crackulous
  › Not leet enough ;)
› "Unpack your app in 5 steps and achieve peace"
  › Launch GDB
  › Set a breakpoint
  › Run the application
  › Extract the unencrypted executable code
  › Patch the architecture specific binary
Where do I set the breakpoint ?
› Execution steps
  › FAT binary is run
  › Architecture specific binary is mapped in memory
  › Executable code is decrypted
  › Branch to the start symbol
› Get start's address and break there: when the breakpoint hits, the executable code is already in clear in memory
GDB, set, run
« Breakpoint reached capt'ain »
Extract the executable code
› Useful information
  › start: address of the entry point, where the breakpoint is set
  › cryptsize: the number of bytes to dump, starting cryptoff bytes into the mapped image (gdb: dump memory <file> <begin> <end>)
Patch the architecture specific binary
› Locate LC_ENCRYPTION_INFO
  › Mach-O header parser
  › Hexadecimal editor
› Replace cryptid
  › 1 → 0
› Replace the encrypted code with the unpacked one (cryptsize bytes at file offset cryptoff of the slice)
Locate LC_ENCRYPTION_INFO
› Mach-O header parser
› Or search for the load command directly in the binary (cmd = 0x21)
Locate LC_ENCRYPTION_INFO
Modified LC_ENCRYPTION_INFO
Replace encrypted code
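The whole procedure above (pick the slice matching the device out of the FAT file, walk the Mach-O header and load commands to find LC_ENCRYPTION_INFO, read cryptoff/cryptsize/cryptid, then clear cryptid and splice in the dumped code) as one script. This is an added example, not the author's tooling or crackulous: the "plaintext" is whatever you dumped from memory with gdb after the breakpoint on start hit, and here a constructed fixture (a tiny FAT file with armv6 and armv7 slices, with XORed bytes standing in for FairPlay output) is built inline so the script runs offline. It also accepts the 64-bit variants of the header and of the encryption command, which the 2011 slides do not need.

```python
"""Find LC_ENCRYPTION_INFO in a (FAT or thin) Mach-O and splice in the decrypted code.

Added example for this page, not the author's tooling: the plaintext is whatever you dumped
from memory with gdb once the breakpoint on start hit; here a constructed fixture stands in.
"""
import struct

FAT_MAGIC = 0xCAFEBABE               # FAT header and fat_arch entries are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, CPU_SUBTYPE_ARM_V7 = 12, 6, 9


def fat_slices(data):
    """Return [(cputype, cpusubtype, offset, size)], or one whole-file slice for a thin Mach-O."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [(None, None, 0, len(data))]
    nfat = struct.unpack(">I", data[4:8])[0]
    return [struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])[:4] for i in range(nfat)]


def select_slice(slices, cputype, cpusubtype):
    """File offset of the slice for our device's CPU, i.e. what lipo -thin would extract."""
    for ct, cs, off, _size in slices:
        if ct is None or (ct, cs) == (cputype, cpusubtype):
            return off
    raise LookupError("no slice for cputype %d subtype %d" % (cputype, cpusubtype))


def find_encryption_info(data, base=0):
    """Walk the load commands of the thin image starting at `base`.
    Returns (command_offset, cryptoff, cryptsize, cryptid), or None if there is no
    LC_ENCRYPTION_INFO at all. cryptoff is relative to the start of the thin image."""
    magic = struct.unpack("<I", data[base:base + 4])[0]
    if magic == MH_MAGIC:
        hdr_size, fmt = 28, "<IiiIIII"        # magic cputype cpusubtype filetype ncmds sizeofcmds flags
    elif magic == MH_MAGIC_64:
        hdr_size, fmt = 32, "<IiiIIIII"       # same, plus a reserved word
    else:
        raise ValueError("no thin Mach-O at offset 0x%x" % base)
    ncmds, sizeofcmds = struct.unpack(fmt, data[base:base + hdr_size])[4:6]
    off, end = base + hdr_size, base + hdr_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", data[off + 8:off + 20])
            return off, cryptoff, cryptsize, cryptid
        off += cmdsize
        if cmdsize < 8 or off > end:
            raise ValueError("corrupt load command list")
    return None


def patch_decrypted(data, base, plaintext):
    """Copy of `data` with the dumped code written over the encrypted region and cryptid := 0."""
    info = find_encryption_info(data, base)
    if info is None:
        raise ValueError("binary has no LC_ENCRYPTION_INFO")
    cmd_off, cryptoff, cryptsize, cryptid = info
    if cryptid == 0:
        return bytes(data)                    # already decrypted, nothing to do
    if len(plaintext) != cryptsize:
        raise ValueError("dump is %d bytes, cryptsize is %d" % (len(plaintext), cryptsize))
    buf = bytearray(data)
    buf[base + cryptoff:base + cryptoff + cryptsize] = plaintext
    struct.pack_into("<I", buf, cmd_off + 16, 0)   # cryptid sits 16 bytes into the command
    return bytes(buf)


def build_sample():
    """Constructed fixture (not a real app): FAT file with armv6 and armv7 slices, each flagged
    encrypted; the 'ciphertext' is just XORed bytes standing in for FairPlay output."""
    plaintext = bytes(range(0x10, 0x20))
    ciphertext = bytes(b ^ 0xAA for b in plaintext)

    def thin(cpusubtype):
        cmds = struct.pack("<II16s", 0x1B, 24, b"\x11" * 16)                 # LC_UUID, skipped by the walk
        cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x50, len(ciphertext), 1)
        img = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 2, len(cmds), 0) + cmds
        return img.ljust(0x50, b"\0") + ciphertext

    s6, s7 = thin(CPU_SUBTYPE_ARM_V6), thin(CPU_SUBTYPE_ARM_V7)
    off6 = 8 + 2 * 20                                   # fat_header followed by two fat_arch entries
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">IIIII", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, off6, len(s6), 0)
    fat += struct.pack(">IIIII", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, off6 + len(s6), len(s7), 0)
    return fat + s6 + s7, plaintext


if __name__ == "__main__":
    data, dumped = build_sample()
    base = select_slice(fat_slices(data), CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7)
    _, cryptoff, cryptsize, cryptid = find_encryption_info(data, base)
    print("cryptid=%d cryptoff=0x%x cryptsize=0x%x" % (cryptid, cryptoff, cryptsize))
    patched = patch_decrypted(data, base, dumped)
    print("after patch: cryptid=%d" % find_encryption_info(patched, base)[3])
```

On a real .app binary you would replace build_sample() with the bytes of the executable and the memory dump, and then either keep the whole FAT file (the other slice stays encrypted and untouched) or write out only the patched slice. The length check matters: a dump that is not exactly cryptsize bytes means the gdb range was wrong, and silently writing it would corrupt the __TEXT segment the disassembler is about to read.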
Reverse'em
› Retrieve class declarations
  › class-dump
› Resolve objc_msgSend calls
  › Every method call goes through objc_msgSend, so the raw call graph is useless (every function just calls objc_msgSend)
  › Need to patch the disassembly with the resolved class and selector at each call site
class-dump
First look at the disassembly
objc_msgSend
› As stated before
  › objc_msgSend(<ref to object>, @selector(method), …)
› ARM calling convention
  › arg1 (receiver) → r0
  › arg2 (selector) → r1
  › method arguments → r2, r3, then the stack
› Backtrace calls to objc_msgSend
  › By hand
  › Using the Zynamics IDAPython scripts
objc_helper.py
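The backtracking the "objc_msgSend" and "Looking more closely" slides describe, written out: walk backwards from each BL _objc_msgSend to find what r0 (receiver) and r1 (selector) held, follow MOV copies and pointer loads, and treat r0 after a previous objc_msgSend as that call's return value so nested messages chain. This is an added example, not the Zynamics objc_helper.py from the slides: it runs on a text listing instead of inside IDA, and the listing is constructed in a simplified IDA-like syntax (LDR Rd, =sym for literal-pool loads; LDR Rd, [Rs]; MOV Rd, Rs). Real armv7 code also uses MOVW/MOVT pairs and PC-relative ADDs for these references, which the script does not model.

```python
"""Recover [receiver selector:args] behind each BL _objc_msgSend by backtracking r0-r3.

Added example for this page, not the Zynamics objc_helper.py: works on a text listing, and the
listing below is constructed (hypothetical app code) in a simplified IDA-like syntax.
"""
import re
from collections import namedtuple

Insn = namedtuple("Insn", "addr mnem ops")
MSGSEND = "_objc_msgSend"
ARG_REGS = ("R0", "R1", "R2", "R3")          # AAPCS: arguments in r0-r3, return value in r0
NON_WRITING = {"STR", "STRB", "STRH", "CMP", "CMN", "TST", "TEQ", "PUSH", "B", "BX"}
LINE_RE = re.compile(r"^\s*(0x[0-9A-Fa-f]+)\s+([A-Z]+)\s*(.*?)\s*$")

# Constructed listing: [[[NSUserDefaults standardUserDefaults] stringForKey:@"Password"] length]
SAMPLE = """\
0x2f40  LDR   R0, =classRef_NSUserDefaults
0x2f44  LDR   R1, =selRef_standardUserDefaults
0x2f48  LDR   R0, [R0]
0x2f4c  LDR   R1, [R1]
0x2f50  BL    _objc_msgSend
0x2f54  LDR   R1, =selRef_stringForKey_
0x2f58  LDR   R2, =cfstr_Password
0x2f5c  LDR   R1, [R1]
0x2f60  BL    _objc_msgSend
0x2f64  MOV   R4, R0
0x2f68  LDR   R1, =selRef_length
0x2f6c  MOV   R0, R4
0x2f70  LDR   R1, [R1]
0x2f74  BL    _objc_msgSend
"""


def parse(text):
    """Listing -> Insn records; operands are split on commas outside [...] only."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ops = [o.strip() for o in re.split(r",\s*(?![^\[]*\])", m.group(3))] if m.group(3) else []
        insns.append(Insn(int(m.group(1), 16), m.group(2), ops))
    return insns


def deref(value):
    """One pointer dereference of a symbolic address: classRef_X -> class X, selRef_a_b_ -> a:b:
    (IDA writes ':' as '_' in selRef names, so selectors with real underscores are ambiguous)."""
    if value.startswith("&classRef_"):
        return value[len("&classRef_"):]
    if value.startswith("&selRef_"):
        return value[len("&selRef_"):].replace("_", ":")
    return "?"


def pretty(value):
    """Render an argument; cfstr_X is the address of the CFString constant @"X"."""
    return '@"%s"' % value[len("&cfstr_"):] if value.startswith("&cfstr_") else value


def resolve(insns, idx, reg, depth=0):
    """Walk backwards from insns[idx] to the instruction defining `reg` and evaluate it symbolically."""
    if depth > 16:
        return "?"
    for j in range(idx - 1, -1, -1):
        mnem, ops = insns[j].mnem, insns[j].ops
        if mnem == "BL":
            if reg == "R0" and ops and ops[0] == MSGSEND:
                return annotate(insns, j, depth + 1)  # r0 = return value of the previous message
            if reg in ARG_REGS:
                return "?"                            # any other call clobbers r0-r3
            continue                                  # r4-r11 are callee-saved and survive calls
        if mnem in NON_WRITING or not ops or ops[0] != reg:
            continue                                  # does not define reg
        if mnem == "MOV":
            return resolve(insns, j, ops[1], depth + 1)
        if mnem == "LDR" and ops[1].startswith("="):
            return "&" + ops[1][1:]                   # literal-pool load: address of a symbol
        if mnem == "LDR" and ops[1].startswith("[") and "," not in ops[1]:
            return deref(resolve(insns, j, ops[1][1:-1], depth + 1))
        return "?"                                    # stack/ivar loads, arithmetic: not modelled
    return "?"


def annotate(insns, idx, depth=0):
    """Rebuild the Objective-C message sent by the BL _objc_msgSend at insns[idx]."""
    receiver = resolve(insns, idx, "R0", depth)
    selector = resolve(insns, idx, "R1", depth)
    parts = selector.split(":")[:-1] if ":" in selector else []
    if not parts:
        return "[%s %s]" % (receiver, selector)
    rendered = []
    for k, part in enumerate(parts):               # k-th argument lives in r(2+k); more go on the stack
        arg = pretty(resolve(insns, idx, ARG_REGS[2 + k], depth)) if 2 + k < len(ARG_REGS) else "?"
        rendered.append("%s:%s" % (part, arg))
    return "[%s %s]" % (receiver, " ".join(rendered))


def annotate_all(text):
    """[(address, message)] for every objc_msgSend call site in the listing."""
    insns = parse(text)
    return [(i.addr, annotate(insns, k)) for k, i in enumerate(insns)
            if i.mnem == "BL" and i.ops and i.ops[0] == MSGSEND]


if __name__ == "__main__":
    for addr, msg in annotate_all(SAMPLE):
        print("0x%x  %s" % (addr, msg))
```

The third call site is the interesting one: its receiver is r0 copied through the callee-saved r4 across the previous call, which the walk follows because a BL only invalidates r0-r3. Anything the script cannot prove (a receiver loaded from the stack, a selector built at run time) comes out as "?" rather than a guess, which is what you want when the annotations feed the "What to look for" search for sensitive data flows.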
What to look for
Where to start
› Locate the main class
  › UIApplicationDelegate
    › applicationDidFinishLaunching:
    › application:didFinishLaunchingWithOptions:
› Views
  › UI*ViewController
    › viewDidLoad
applicationDidFinishLaunching
Remote connections
› HTTP(S)
  › NSURL* classes (NSURLRequest, NSURLConnection)
  › ...
› Sockets
  › CFSocketCreate
  › ...
Data protection
› Accessing the KeyChain using JB tools
  › Lost iPhone? Lost Passwords! *
› Protect KeyChain and file content
  › Requires a passcode (the protection keys are derived from it)
  › Files: NSFileManager setAttributes:ofItemAtPath:error: with NSFileProtectionComplete
  › KeyChain: SecItemAdd with kSecAttrAccessibleWhenUnlocked
* http://www.sit.fraunhofer.de/forschungsbereiche/projekte/Lost_iPhone.jsp
Data protection
Conclusion
Conclusion
› This is a revolution!
› This presentation was only an introduction
› Lots of work/ideas around iOS
› Grab your debugger and disassembler and work on it
› I'm open to discuss it around a few beers