Under the iHood
DEFCON 16
Cameron Hotchkies
Hotchkies (chotchkies@tippingpoint.com) Under the iHood DEFCON 16 1 / 50
About Me
Work at TippingPoint’s Digital Vaccine Labs
Responsible for vuln-discovery, patch analysis, product security
Keep tabs on us at http://dvlabs.tippingpoint.com
Author and contributor to:
PaiMei Reverse Engineering Framework
Absinthe SQL Injection tool
Side projects:
XSO - OS X Reversers: http://0x90.org/mailman/listinfo/xso
Talk Outline
File Formats
Tools
Common Disassembly Patterns
Carbon
Objective-C
Case Study (Mac vs. Windows)
Applications
Applications in OS X are stored in a directory structure referred to as a bundle or package
Finder will treat any directory ending in .app as a single entity
a self-contained package holding the executable (under Contents/MacOS) and all necessary resources
Info.plist
XML or binary property list of application properties
contains data such as major and minor version numbers, icon names, the executable name, etc.
Well documented by Apple
use plutil (-convert xml1 / -convert binary1) to convert between the XML and binary formats
”The plutil command obeys no one’s rules but its own.”
PkgInfo
8 bytes: the 4-byte package type followed by the 4-byte creator signature
a type of APPL indicates an application bundle
nothing else of interest in the file
Mach-O
the standard binary format on OS X
identified by the magic number 0xFEEDFACE
0xFEEDFACF on 64-bit
an image whose byte order differs from the reader's (a PowerPC slice viewed on x86) shows the bytes swapped: 0xCEFAEDFE / 0xCFFAEDFE
Fat/Universal binaries include code for multiple architectures
Fat binaries are identified by 0xCAFEBABE (stored big-endian, followed by a table of per-architecture offsets into the file)
yes, this is the same as Java
Googling "mach-o" is a fun game on its own
"Can black-hole MACHO binaries be detected by the Brazilian spherical antenna?"
Mach-O Text Segment
.text (__TEXT,__text) Code, same as everywhere else
.const (__TEXT,__const) Initialized constants
.static_const (__TEXT,__static_const) Not defined*
.cstring (__TEXT,__cstring) Null terminated byte strings
.literal4 (__TEXT,__literal4) 4 byte literals
.literal8 (__TEXT,__literal8) 8 byte literals
.constructor (__TEXT,__constructor) C++ constructors*
.destructor (__TEXT,__destructor) C++ destructors*
.fvmlib_init0 (__TEXT,__fvmlib_init0) fixed virtual memory shared library initialization*
.fvmlib_init1 (__TEXT,__fvmlib_init1) fixed virtual memory shared library initialization*
.symbol_stub (__TEXT,__symbol_stub) Indirect symbol stubs
.picsymbol_stub (__TEXT,__picsymbol_stub) Position-independent indirect symbol stubs
.mod_init_func (__TEXT,__mod_init_func) C++ constructor pointers*
Mach-O Data Segment
.data (__DATA,__data) Initialized variables
.static_data (__DATA,__static_data) Unused*
.non_lazy_symbol_pointer (__DATA,__nl_symbol_ptr) Non-lazy symbol pointers
.lazy_symbol_pointer (__DATA,__la_symbol_ptr) Lazy symbol pointers (filled in by dyld on first call through the stub)
.dyld (__DATA,__dyld) Placeholder for the dynamic linker
.const (__DATA,__const) Initialized relocatable constant variables
.mod_init_func (__DATA,__mod_init_func) C++ constructor pointers
.mod_term_func (__DATA,__mod_term_func) Module termination functions
.bss (__DATA,__bss) Uninitialized static variables
.common (__DATA,__common) Uninitialized imported symbol definitions
Objective-C Segment
.objc_class (__OBJC,__class)
.objc_meta_class (__OBJC,__meta_class)
.objc_cat_cls_meth (__OBJC,__cat_cls_meth)
.objc_cat_inst_meth (__OBJC,__cat_inst_meth)
.objc_protocol (__OBJC,__protocol)
.objc_string_object (__OBJC,__string_object)
.objc_cls_meth (__OBJC,__cls_meth)
.objc_inst_meth (__OBJC,__inst_meth)
.objc_cls_refs (__OBJC,__cls_refs)
.objc_message_refs (__OBJC,__message_refs)
.objc_symbols (__OBJC,__symbols)
.objc_category (__OBJC,__category)
.objc_class_vars (__OBJC,__class_vars)
.objc_instance_vars (__OBJC,__instance_vars)
.objc_module_info (__OBJC,__module_info)
.objc_class_names (__OBJC,__class_names)
.objc_meth_var_names (__OBJC,__meth_var_names)
.objc_meth_var_types (__OBJC,__meth_var_types)
.objc_selector_strs (__OBJC,__selector_strs)
What they say: "All sections in the __OBJC segment, including old sections that are no longer used and future sections that may be added, are exclusively reserved for the Objective C compiler's use."
What they mean: "No docs 4 u LOL kthxbai!"
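The following Python script is an added example, not code from the talk: it puts the last few slides into practice by identifying a file from its magic number, walking a fat header down to each thin Mach-O image, and listing the (segment, section) pairs from the LC_SEGMENT load commands, the same (__TEXT,__text) and (__TEXT,__cstring) names tabulated above. Its input is a fat binary constructed inside the script (two minimal MH_EXECUTE slices, one little-endian i386 and one big-endian PowerPC, with hypothetical addresses) so it runs offline; feed parse() the bytes of a real executable from Contents/MacOS to use it for real.

```python
import struct

# Header magic numbers (mach-o/loader.h, mach-o/fat.h).  A thin header read in the wrong byte
# order shows up as 0xCEFAEDFE / 0xCFFAEDFE, which identify() handles by trying both orders.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE                     # fat headers are always stored big-endian
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_TYPE_I386, CPU_TYPE_POWERPC = 7, 18


def identify(blob):
    """Classify the first four bytes: ('fat'|'thin32'|'thin64', struct byte-order prefix)."""
    be = struct.unpack_from('>I', blob, 0)[0]
    if be == FAT_MAGIC:
        return 'fat', '>'
    le = struct.unpack_from('<I', blob, 0)[0]
    for magic, order in ((le, '<'), (be, '>')):
        if magic == MH_MAGIC:
            return 'thin32', order
        if magic == MH_MAGIC_64:
            return 'thin64', order
    raise ValueError('not a Mach-O or fat binary: %08x' % be)


def cstr(raw):
    return raw.split(b'\x00', 1)[0].decode('ascii')


def parse_thin(blob, base=0):
    """Parse one thin image starting at blob[base]; return cputype, word size and its sections."""
    kind, e = identify(blob[base:base + 4])
    if kind == 'fat':
        raise ValueError('nested fat header at %#x' % base)
    wide = kind == 'thin64'
    hdr_fmt = e + ('8I' if wide else '7I')          # mach_header_64 has one extra reserved field
    _magic, cputype, _sub, filetype, ncmds, _sizeofcmds = struct.unpack_from(hdr_fmt, blob, base)[:6]
    off = base + struct.calcsize(hdr_fmt)
    sections = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(e + '2I', blob, off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            seg64 = cmd == LC_SEGMENT_64
            segname = cstr(blob[off + 8:off + 24])
            nsects = struct.unpack_from(e + 'I', blob, off + (64 if seg64 else 48))[0]
            sect = off + (72 if seg64 else 56)         # section headers follow the segment command
            for _ in range(nsects):
                sectname = cstr(blob[sect:sect + 16])
                addr, size, fileoff = struct.unpack_from(e + ('2QI' if seg64 else '3I'), blob, sect + 32)
                sections.append((segname, sectname, addr, size, fileoff))
                sect += 80 if seg64 else 68
        off += cmdsize                                 # skip load commands we do not decode
    return {'cputype': cputype, 'bits': 64 if wide else 32, 'filetype': filetype, 'sections': sections}


def parse(blob):
    """Return a list of parsed thin images (one per architecture for a fat file)."""
    kind, _ = identify(blob)
    if kind != 'fat':
        return [parse_thin(blob)]
    nfat_arch = struct.unpack_from('>I', blob, 4)[0]
    images = []
    for i in range(nfat_arch):                         # fat_arch entries are 20 bytes, big-endian
        cputype, _sub, offset, _size, _align = struct.unpack_from('>5I', blob, 8 + 20 * i)
        img = parse_thin(blob, offset)
        if img['cputype'] != cputype:                  # the fat table and the slice header must agree
            raise ValueError('fat_arch/mach_header cputype mismatch at %#x' % offset)
        images.append(img)
    return images


# --- constructed sample: two minimal MH_EXECUTE slices wrapped in a fat header ---------------
def build_thin32(cputype, little):
    e = '<' if little else '>'
    text, cstring = b'\x55\x89\xe5\x5d\xc3', b'hello\x00'    # push ebp/mov ebp,esp/pop ebp/ret
    cmdsize = 56 + 2 * 68                                      # segment_command + two section headers
    data_off = 28 + cmdsize                                    # file offset of the section contents
    hdr = struct.pack(e + '7I', MH_MAGIC, cputype, 3, 2, 1, cmdsize, 0)      # filetype 2 = MH_EXECUTE
    seg = struct.pack(e + '2I16s8I', LC_SEGMENT, cmdsize, b'__TEXT',
                      0x1000, 0x1000, 0, data_off + len(text) + len(cstring), 7, 5, 2, 0)
    s_text = struct.pack(e + '16s16s9I', b'__text', b'__TEXT', 0x1000 + data_off, len(text),
                         data_off, 2, 0, 0, 0x80000400, 0, 0)          # S_ATTR_PURE/SOME_INSTRUCTIONS
    s_cstr = struct.pack(e + '16s16s9I', b'__cstring', b'__TEXT', 0x1000 + data_off + len(text),
                         len(cstring), data_off + len(text), 0, 0, 0, 2, 0, 0)   # S_CSTRING_LITERALS
    return hdr + seg + s_text + s_cstr + text + cstring


def build_fat(slices):
    hdr = struct.pack('>2I', FAT_MAGIC, len(slices))
    archs, body, offset = b'', b'', 8 + 20 * len(slices)
    for cputype, img in slices:                        # align = 0 here; lipo page-aligns real slices
        archs += struct.pack('>5I', cputype, 3, offset, len(img), 0)
        body += img
        offset += len(img)
    return hdr + archs + body


SAMPLE = build_fat([(CPU_TYPE_I386, build_thin32(CPU_TYPE_I386, little=True)),
                    (CPU_TYPE_POWERPC, build_thin32(CPU_TYPE_POWERPC, little=False))])

if __name__ == '__main__':
    for img in parse(SAMPLE):
        print('cputype %d, %d-bit, filetype %d' % (img['cputype'], img['bits'], img['filetype']))
        for seg, sect, addr, size, fileoff in img['sections']:
            print('  (%s,%s) addr=%#x size=%#x fileoff=%#x' % (seg, sect, addr, size, fileoff))
```

The cputype cross-check in parse() matters in practice: a fat_arch entry that points at a slice with a different header is either a corrupt file or something trying to make `file`/`lipo` and the loader disagree about what is inside, so treat it as an error rather than trusting the table.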
vmmap
available in a standard OS X install
lists the memory mappings of a running process (vmmap <pid>), including the segment partitions of every loaded image
quick way to track down whether an address is heap, stack or library without attaching a debugger
Hex Fiend
An open source hex editor that is not very difficult to modify.
http://ridiculousfish.com/hexfiend/
0xED
Another hex editor, has plugins to display/edit custom data types.
http://www.suavetech.com/0xed/0xed.html
otool
the mac equivalent of objdump, available in a default install.
use otool -tV to disassemble the text section with symbolic names, and otool -oV to dump the Objective-C segment; the two combine as otool -otV
otool
use ’otool -L’ to list required libraries
Camtronic-2:MacOS cameron$ otool -L iChat
iChat:
/System/Library/Frameworks/IOBluetooth.framework/Versions/A/IOBluetooth
(compatibility version 1.0.0, current version 1.0.0)
/System/Library/PrivateFrameworks/DisplayServices.framework/Versions/A/DisplayServices
(compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
(compatibility version 1.0.0, current version 12.0.0)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
(compatibility version 1.0.0, current version 34.0.0)
/System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
(compatibility version 1.0.0, current version 688.0.0)
/System/Library/Frameworks/InstantMessage.framework/Versions/A/InstantMessage
(compatibility version 1.0.0, current version 579.0.0)
/System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime
(compatibility version 1.0.0, current version 14.0.0)
/System/Library/PrivateFrameworks/VideoConference.framework/Versions/A/VideoConference
(compatibility version 2.0.0, current version 2.0.0)
otx
A tool used to clean up output from otool
http://otx.osxninja.com/
+56 00003cda a3d8c42400 movl %eax,0x0024c4d8
+61 00003cdf a1d4902500 movl 0x002590d4,%eax alloc
+66 00003ce4 89442404 movl %eax,0x04(%esp)
+70 00003ce8 a1b0fb2500 movl 0x0025fbb0,%eax NSMutableArray
+75 00003ced 890424 movl %eax,(%esp)
+78 00003cf0 e89d082900 calll 0x00294592 +[NSMutableArray alloc]
+83 00003cf5 8b1570912500 movl 0x00259170,%edx init
+89 00003cfb 89542404 movl %edx,0x04(%esp)
+93 00003cff 890424 movl %eax,(%esp)
+96 00003d02 e88b082900 calll 0x00294592 -[(%esp,1) init]
class-dump
Similar to otool -ov, but presents the Objective-C metadata as Objective-C declarations (@interface blocks with ivars and method signatures recovered from the type encodings).
http://www.codethecode.com/projects/class-dump/
Camtronic-2:MacOS cameron$ class-dump iChat
/*
* Generated by class-dump 3.1.2.
*
* class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2007 by Steve Nygard.
*/
...
@interface SmileyCell : NSButtonCell
{
NSString * axDescription;
}
- (void)dealloc;
- (id)accessibilityAttributeNames;
- (void)accessibilitySetValue:(id)fp8 forAttribute:(id)fp12;
- (id)accessibilityAttributeValue:(id)fp8;
- (void)drawInteriorWithFrame:(struct NSRect)fp8 inView:(id)fp24;
@end
IDA Pro
IDA Pro for windows works fine with Parallels
IDA Pro for OS X runs on the console
http://hex-rays.com/idapro/
http://www.parallels.com/
Both IDA & Parallels are commercial (not-free)
Debuggers
Charlie Miller ported pyDBG to OSX
Stock installs come with gdb
pygdb available at http://code.google.com/p/pygdb/
vtrace at https://www.kenshoto.com/vtrace/
Weston & Beauchamp will also be releasing reDBG soon, a Ruby debugger.
RE:Trace
Introduced at Black Hat DC 2008. RE:Trace is a Ruby framework for interacting with DTrace.
http://www.poppopret.org/
Calling Conventions
On 32-bit OS X the calling convention is the standard C convention (arguments on the stack, caller owns the argument area, result in eax) with the stack kept 16-byte aligned. Because the code is compiled with GCC, stack space for outgoing arguments is allocated once at function start (sub esp, N) and arguments are moved into [esp+offset] slots rather than pushed, so the argument order must be read from the slot offsets, not from the order of the instructions.
before renaming variables, check the stack delta: the same [esp+NN] slot is reused as argument N of every call the function makes
Local Addressing
Functions will frequently refer to an address that is not the base of the function, just an anchor point. This is used frequently in data references and jump tables: the anchor register (ebx below) holds a known address inside the image, and the table holds offsets relative to it, so the code stays position independent.
__text:000E63CF mov eax, [ebx+eax*4+300h]
__text:000E63D6 add eax, ebx
__text:000E63D8 jmp eax
__text:000E63D8 ;
__text:000E63DA align 4 ; Jump table
__text:000E63DC dd 2 dup(0A80h), 7AAh, 7B9h, 3A4h, 716h, 3 dup(0A80h), 94Ch, 9E0h
__text:000E63DC dd 3FAh, 0A80h, 0A24h, 4 dup(0A80h), 998h, 2 dup(0A80h), 435h, 7C8h
__text:000E63DC dd 3 dup(7E7h), 0Ch dup(0A80h), 7F6h, 0A80h, 905h, 6AF48D8Bh, 758BFFFBh, 8418B08h
Note the last three entries: 6AF48D8Bh, 758BFFFBh and 8418B08h are not plausible offsets. IDA has sized the table past its real end into the code bytes that follow it, so take the number of cases from the bounds check on eax before the table load, not from the listing.
Anchor Function
This function is used to generate a local anchor; GCC emits it as ___i686.get_pc_thunk.bx, and the value it returns is the return address of the call, i.e. the address of the instruction right after the call:
get_pc proc near
mov ebx, [esp+0]
retn
get_pc endp
Or it can be inlined:
call $+5
pop ebx
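As an added example (not part of the talk), the script below does by hand what the preceding two slides describe: it scans raw code bytes for both get-PC idioms (the inline call $+5 / pop reg pair, and a call to a mov ebx,[esp] / ret thunk) and reports which register ends up holding which anchor value, then resolves the slide's jump table by adding each entry to the anchor and stopping at the first entry that does not land in __text. The code bytes, the load address, the anchor value and the __text bounds are all constructed or hypothetical (the slide does not show what ebx held); the table entries are the ones printed on the slide.

```python
import struct

REG32 = ['eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi']   # pop r32 encodes as 0x58 + reg
GET_PC_THUNK = b'\x8b\x1c\x24\xc3'                                   # mov ebx, [esp] ; ret


def find_anchors(code, base):
    """Scan raw code bytes for the two get-PC idioms; return {call_addr: (reg, anchor_value)}.

    anchor_value is what the register holds afterwards: the return address of the call, i.e. the
    address of the instruction following it.  This is a byte scan, not a disassembly, so an E8 inside
    another instruction can produce a false hit; confirm hits against the listing.
    """
    anchors = {}
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from('<i', code, i + 1)[0]
        ret_addr = base + i + 5
        if rel == 0 and i + 5 < len(code) and 0x58 <= code[i + 5] <= 0x5F:
            anchors[base + i] = (REG32[code[i + 5] - 0x58], ret_addr)      # call $+5 ; pop reg
        else:
            thunk = i + 5 + rel                                             # call target as an offset
            if 0 <= thunk and code[thunk:thunk + 4] == GET_PC_THUNK:
                anchors[base + i] = ('ebx', ret_addr)                       # call get_pc thunk
    return anchors


def resolve_jump_table(entries, anchor, text_range):
    """For 'mov eax,[ebx+eax*4+disp] ; add eax,ebx ; jmp eax' each case target is anchor + entry.

    Stops at the first entry that does not land inside __text: that is where an auto-sized table has
    run off its real end into the code bytes that follow it.
    """
    lo, hi = text_range
    targets = []
    for entry in entries:
        target = (anchor + entry) & 0xFFFFFFFF
        if not lo <= target < hi:
            break
        targets.append(target)
    return targets


# --- constructed sample ------------------------------------------------------------------------
CODE_BASE = 0x00010000                          # hypothetical load address of the snippet
SAMPLE_CODE = (b'\xe8\x00\x00\x00\x00\x5b'      # 10000: call $+5 ; 10005: pop ebx      -> ebx = 0x10005
               + b'\xe8\x05\x00\x00\x00'        # 10006: call 10010 (get_pc)            -> ebx = 0x1000B
               + b'\x90' * 5                    # 1000B: nop padding
               + GET_PC_THUNK)                  # 10010: mov ebx,[esp] ; ret

# The jump table from the slide, with IDA's 'N dup(x)' expanded, including the three trailing values
# that are really the first bytes of the code after the table.
SLIDE_TABLE = ([0xA80] * 2 + [0x7AA, 0x7B9, 0x3A4, 0x716] + [0xA80] * 3 + [0x94C, 0x9E0]
               + [0x3FA, 0xA80, 0xA24] + [0xA80] * 4 + [0x998] + [0xA80] * 2 + [0x435, 0x7C8]
               + [0x7E7] * 3 + [0xA80] * 12 + [0x7F6, 0xA80, 0x905]
               + [0x6AF48D8B, 0x758BFFFB, 0x08418B08])
ANCHOR_EBX = 0x000E5B00                         # hypothetical: the slide does not show ebx's value
TEXT_RANGE = (0x000E0000, 0x000F0000)           # hypothetical __text bounds for that binary

if __name__ == '__main__':
    for call_addr, (reg, value) in sorted(find_anchors(SAMPLE_CODE, CODE_BASE).items()):
        print('%08x: %s = %#x after the call' % (call_addr, reg, value))
    targets = resolve_jump_table(SLIDE_TABLE, ANCHOR_EBX, TEXT_RANGE)
    print('%d real cases, %d junk entries' % (len(targets), len(SLIDE_TABLE) - len(targets)))
```

With the slide's entries, 41 of the 44 values resolve into the hypothetical text range and the last three are rejected, which is the bound you would then compare against the cmp/ja on eax that guards the table load.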
Carbon
Carbon is the 32-bit-only C framework for interacting with the OS X system libraries.
descended from the original Mac Toolbox
Apple encourages it to be used as a stepping stone to Cocoa/Objective-C
common API prefixes in Carbon code: HI (HIToolbox), CG (Core Graphics)
Objective-C
Created in the mid 1980s by Stepstone
Popularized by NeXT in the late 1980s
Object Oriented inspired by Smalltalk
Small set of decorators on top of C
Functions aren’t called, messages are sent
Unicode strings (NSString) are the standard, but @"..." constants are stored in the binary as null-terminated C strings, referenced from a small constant-string structure (isa, pointer to the bytes, length)
Libraries are referred to as Frameworks
Frameworks
Objective-C has a rich set of base framework classes to call from
Common framework classes are prefixed with NS (NeXTSTEP) or CF (Core Foundation)
Other frameworks also use a two-capital-letter prefix
NS is frequently a thin wrapper around CF: toll-free bridging means an NSString * and a CFStringRef are the same object and can be cast to each other
The Objective-C system API for OS X is named Cocoa
AppKit
AppKit is the GUI framework classes available for Cocoa
iPhone uses UIKit instead, a scaled-down version with some custom libraries.
AppKit uses NS prefix, UIKit uses UI
Objective-C Methods
x = [object statement:arg1 second:arg2];
Components:
[ ] selector decorators: the brackets delimit the message expression
object: recipient, the receiver of the message
statement:second: selector, the method name with its colons
arg1, arg2: arguments, one per colon
msgSend
Every message send compiles to a call of a C function from the runtime:
id objc_msgSend(id self, SEL op, ...);
so [object statement:arg1 second:arg2] becomes
objc_msgSend(object, @selector(statement:second:), arg1, arg2);
The selector is a SEL, a uniqued pointer to the selector name (from @selector() or sel_registerName()), not a char * string; the compiler stores the name in the binary and the runtime interns it when the image loads.
Recipient: object, the first argument
Selector: statement:second:, the second argument
Arguments: arg1, arg2, the remaining arguments in order
msgSendSuper
The objc_msgSendSuper() function works in the same way objc_msgSend() does, but starts the method lookup in the superclass. The recipient in the call to objc_msgSendSuper() is an objc_super structure (the receiver plus the class at which the lookup starts).
id objc_msgSendSuper(struct objc_super *super, SEL op, ...);
msgSend fpret
The objc_msgSend_fpret() function is identical to the standard objc_msgSend() function, differing only in that the return value is a floating-point type instead of an integral type (on i386 it comes back on the x87 stack rather than in eax).
double objc_msgSend_fpret(id self, SEL op, ...);
msgSend stret
The objc_msgSend_stret() function is used to return a structure instead of a value. The first argument to objc_msgSend_stret() is a pointer to memory large enough to hold the returned structure; the receiver and selector shift to the second and third argument slots, which matters when mapping stack slots to arguments in the disassembly.
void objc_msgSend_stret(void *stretAddr, id theReceiver, SEL theSelector, ...);
msgSendSuper stret
Send to the superclass, get a structure back.
void objc_msgSendSuper_stret(void *stretAddr, struct objc_super *super, SEL op, ...);
msgSend in asm
Because Objective-C dispatches through message sends, the disassembly contains no direct calls between methods: every method invocation is a call to objc_msgSend (or one of its variants), and the receiver and selector are simply the first two stack arguments.
mov [esp+38h+var_30], eax
mov eax, ds:off_400040
mov [esp+38h+var_34], eax
mov eax, ds:off_4000DC
mov [esp+38h+var_38], eax
call objc_msgSend
mov [esp+38h+var_28], 0
mov [esp+38h+var_24], 404E0000h
mov [esp+38h+var_2C], 0
mov [esp+38h+var_30], eax
mov eax, ds:off_40003C
mov [esp+38h+var_38], esi
mov [esp+38h+var_34], eax
call objc_msgSend
msgSend in asm
Determining the selectors automatically is not difficult: the receiver lands in the first argument slot, the selector in the second, and IDA already resolves the off_ pointers to their strings.
mov esi, ds:off_4000D8 ; "NSURLRequest"
mov [esp+38h+var_30], eax ; arg1
mov eax, ds:off_400040 ; "URLWithString:"
mov [esp+38h+msgSend_selector], eax
mov eax, ds:off_4000DC ; "NSURL"
mov [esp+38h+msgSend_recipient], eax
call objc_msgSend ; a = [NSURL URLWithString:]
mov [esp+38h+var_28], 0 ; arg3
mov [esp+38h+var_24], 404E0000h
mov [esp+38h+var_2C], 0 ; arg2
mov [esp+38h+var_30], eax ; arg1 (retVal from [NSURL URLWithString:])
mov eax, ds:off_40003C ; "requestWithURL:cachePolicy:timeoutInterval:"
mov [esp+38h+msgSend_recipient], esi
mov [esp+38h+msgSend_selector], eax
call objc_msgSend ; a = [NSURLRequest requestWithURL:cachePolicy:timeoutInterval:]
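The recovery the slide calls "not difficult", as an added Python example (not part of the talk): it walks the annotated listing above, tracks what eax/esi and the outgoing argument slots hold, and prints a `[receiver selector]` expression at each objc_msgSend. It assumes IDA's var_NN naming (slot at -0xNN), that the renamed msgSend_recipient/msgSend_selector slots are the var_38/var_34 of the previous slide, and that the two dwords at arg3 are one 8-byte double (my reading of 404E0000h; the listing itself does not say so).

```python
import struct
# Constructed input: the slide's annotated IDA listing with underscores restored.
# var_NN is IDA's stack slot at -0xNN, so [esp+38h+var_NN] is [esp + 0x38 - 0xNN].
LISTING = """
mov esi, ds:off_4000D8 ; "NSURLRequest"
mov [esp+38h+var_30], eax ; arg1
mov eax, ds:off_400040 ; "URLWithString:"
mov [esp+38h+msgSend_selector], eax
mov eax, ds:off_4000DC ; "NSURL"
mov [esp+38h+msgSend_recipient], eax
call objc_msgSend
mov [esp+38h+var_28], 0 ; arg3
mov [esp+38h+var_24], 404E0000h
mov [esp+38h+var_2C], 0 ; arg2
mov [esp+38h+var_30], eax ; arg1
mov eax, ds:off_40003C ; "requestWithURL:cachePolicy:timeoutInterval:"
mov [esp+38h+msgSend_recipient], esi
mov [esp+38h+msgSend_selector], eax
call objc_msgSend
"""
FRAME = 0x38
# Assumption: the renamed slots are var_38/var_34 of the previous slide ([esp], [esp+4]).
SLOT_ALIAS = {"msgSend_recipient": -0x38, "msgSend_selector": -0x34}

def double_from_dwords(lo, hi):
    """Reassemble a double passed as two IDA immediates (low dword first)."""
    ints = [int(t[:-1], 16) if t.endswith("h") else int(t) for t in (lo, hi)]
    return struct.unpack("<d", struct.pack("<II", *ints))[0]

def recover_msgsends(listing):
    """Track eax/esi and arg slots symbolically; emit ([receiver selector], args) per call."""
    regs, slots, calls = {}, {}, []
    for line in listing.strip().splitlines():
        code, _, comment = line.partition(";")
        op, _, operands = code.strip().partition(" ")
        if op == "call" and operands.strip().lstrip("_") == "objc_msgSend":
            expr = "[%s %s]" % (slots.get(0, "?"), slots.get(4, "?"))
            calls.append((expr, [slots[k] for k in sorted(slots) if k >= 8]))
            regs["eax"] = "retval of " + expr  # the result comes back in eax
            slots.clear()                       # callee consumed its argument area
        elif op == "mov":
            dst, src = [s.strip() for s in operands.split(",", 1)]
            # IDA's comment names the string an off_ pointer refers to
            value = comment.split('"')[1] if '"' in comment else regs.get(src, src)
            if dst.startswith("[esp+38h+"):
                key = dst[len("[esp+38h+"):-1]
                off = SLOT_ALIAS[key] if key in SLOT_ALIAS else -int(key[4:], 16)
                slots[FRAME + off] = value
            else:
                regs[dst] = value
    return calls
```

Running `recover_msgsends(LISTING)` yields the two expressions from the slide's comments, with the first call's return value flowing into the second call's first argument.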
Selector Structures in the Binary
All of the information for selectors is stored in the __OBJC segment of the binary. A method list starts with an unused dword and a method count, followed by one (selector name, type encoding, implementation) triple per method:
__inst_meth:00400220 DownloadDelegate_mthd dd 0 ; DATA XREF: class:DownloadDelegate
__inst_meth:00400224 dd 9
__inst_meth:00400228 dd offset aDownloadDidr_0, offset aV16@04@8i12, offset download_didReceiveDataOfLength
; "download:didReceiveDataOfLength:"
__inst_meth:00400234 dd offset aDownloadDidrec, offset aV16@04@8@12, offset download_didReceiveResponse
; "download:didReceiveResponse:"
__inst_meth:00400240 dd offset aDownloadDidcre, offset aV16@04@8@12, offset download_didCreateDestination
; "download:didCreateDestination:"
Type Encodings
Table: Objective-C Type Encodings
Code         Description
c            char
C            unsigned char
s            short
S            unsigned short
i            int
I            unsigned int
l            long
L            unsigned long
q            long long
Q            unsigned long long
f            float
d            double
B            C++ bool / C99 _Bool
v            void
*            C string (char *)
@            object / id
#            class (Class)
:            selector (SEL)
[array type] array
{name=type}  structure
(name=type)  union
?            unknown / function pointer
^type        pointer to type
bnum         bitfield of num bytes
Argument Type Encoding
In the method definition sections (as well as the ivars) the data types for each argument are described using type encodings.
v16@0:4@8@12
-(void)method:(id) object1 andthen:(id) object2
Read left to right: v is the void return type, 16 is the total size of the argument area, then each argument code is followed by its stack offset: @0 is self, :4 is the selector (_cmd), @8 is object1 and @12 is object2.
Stack offsets are indicated and can be used to determine variable size when not implicitly defined.
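A decoder for these encodings, added here as an example and not taken from the talk: it uses the table above, derives each argument's size from the gap to the next stack offset (the point the slide makes), and also handles the encodings seen in the __inst_meth listing (v16@0:4@8i12) and a struct return, which is the case the objc_msgSend_stret variants dispatch. Qualifier prefixes used in protocol encodings are not handled.

```python
import re
# The slide's table as a lookup; containers, pointers and bitfields are
# handled structurally by parse_type below.
SIMPLE = {
    "c": "char", "C": "unsigned char", "s": "short", "S": "unsigned short",
    "i": "int", "I": "unsigned int", "l": "long", "L": "unsigned long",
    "q": "long long", "Q": "unsigned long long", "f": "float", "d": "double",
    "B": "bool", "v": "void", "*": "char *", "@": "id", "#": "Class",
    ":": "SEL", "?": "unknown / function pointer",
}

def parse_type(enc, i=0):
    """Parse one type encoding at enc[i]; return (description, index after it)."""
    c = enc[i]
    if c == "^":                                  # ^type: pointer to type
        inner, i = parse_type(enc, i + 1)
        return inner + " *", i
    if c == "b":                                  # bnum: bitfield
        m = re.match(r"\d+", enc[i + 1:])
        return "bitfield(%s)" % m.group(0), i + 1 + m.end()
    if c == "[":                                  # [count type]: array
        m = re.match(r"\d+", enc[i + 1:])
        elem, j = parse_type(enc, i + 1 + m.end())
        return "%s[%s]" % (elem, m.group(0)), j + 1
    if c in "{(":                                 # {name=fields} / (name=fields)
        depth, j = 0, i
        while True:                               # skip to the matching close
            depth += (enc[j] in "{(") - (enc[j] in "})")
            j += 1
            if depth == 0:
                break
        name = enc[i + 1:j - 1].split("=", 1)[0]
        return ("struct " if c == "{" else "union ") + name, j
    return SIMPLE[c], i + 1

def decode_method(enc):
    """Decode a method encoding such as v16@0:4@8@12 into (return type,
    argument frame size, [(type, stack offset, size), ...]); each size is the
    gap to the next offset, which is how the offsets reveal implicit sizes."""
    ret, i = parse_type(enc)
    m = re.match(r"\d+", enc[i:])
    frame, i, args = int(m.group(0)), i + m.end(), []
    while i < len(enc):
        t, i = parse_type(enc, i)
        m = re.match(r"\d+", enc[i:])
        args.append((t, int(m.group(0))))
        i += m.end()
    bounds = [off for _, off in args] + [frame]
    return ret, frame, [(t, off, bounds[k + 1] - off) for k, (t, off) in enumerate(args)]
```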
Standard Memory Management
Objective-C uses reference counting to control memory allocations.
// Allocate memory
NSObject *object = [[NSObject alloc] init];
// removes the local reference
[object release];
// adds a local reference to keep external objects in scope
[otherObject retain];
Autorelease Pools
To dispose of memory allocated by child functions, Objective-C utilizes an object called an Autorelease Pool.
-(void) someFunction
{
NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
...
[pool release];
return;
}
Pools can be nested within loops, so expect to see multiple instances in larger functions.
Garbage Collection
Garbage collection was added in OS X 10.5.
Classes designed for GC can be identified by having a finalize selector.
Collection can be triggered by the collectExhaustively and collectIfNeeded selectors of NSGarbageCollector.
Garbage collection is not available on the iPhone, so you shouldn't see it there.
Categories
Categories are the ability to add functionality to a class from an external source.
This allows base foundation classes to be overridden.
If there's a category for any base class method signature, you need to rethink assumptions on code behaviour.
Category definitions are in the obviously labelled category (__cat_*) sections of the binary.
Timers
Commonly used in protection schemes
Objective-C supports multiple ways to create a timer
NSTimer or NSOperationQueue
Windows
Windows applications have had decades of people advancing cracking/packing.
Lots of documentation, but lots of hurdles.
Mac
Compressed/packed executables are not commonplace on OS X.
This section's slides exist only on the CD and are a temporal figment of your imagination.
That means you should probably have either gone to my presentation
or at least get the full version off my website.