Transcript of Slicing into Apple: iPhone Reverse Engineering (slide deck uploaded by source-conference, category Technology)
Slicing into Apple: iPhone Reverse Engineering
Ryan Permeh, Trace Team
McAfee
Introduction
• Reverse engineering is taking a finished product and working back towards its constituent artifacts
• Gives us a peek behind the curtains of software
• Helpful for a variety of legitimate uses
  – Better understanding how software works
  – Recovering lost knowledge
  – Interfacing to closed systems
  – Finding security issues
• May be used illegally
  – DMCA, software piracy, IP theft
Skill Outlay
• Reverse engineering is a very technical subject
• Requires a deep understanding of several topics
  – Hardware architecture
  – Software architecture
  – Operating system internals
  – Assembly language
  – Higher level languages
  – Compiler, linker, and loader internals
  – Debugging
• The better you understand how software is made, the easier it is to reverse engineer it.
Jailbreak your iPhone
• You really need to be jailbroken to have a platform to work from
• Jailbreak breaks signing requirements for applications
• Opens the phone up to a variety of new uses
  – Run software from other sources
  – Develop software without the need for the Apple Developer cost
  – Allows you access to the internals of the iPhone
• Jailbreak for 4.3.3 and beyond
  – This changes often, so do your research
  – Jailbreaking happens via an exploit, leveraged to patch the kernel
  – Install Cydia and use that to install your tools
    • gcc/gdb
    • SSH access
    • class-dump
    • Whatever else you want
Tools used
• Reverse engineering leverages several tools to get a better understanding of the code
• Disassembler
  – Parses finished code into assembly language
  – Understand and visualize program flow
  – Provides cross references, searching, and other useful tools
  – We use IDA Pro 6.0 in these examples
• Debugger
  – Offers a view of the program at runtime
  – Helpful for dynamic analysis
  – Can tie into other reverse engineering artifacts
  – We use gdb in these examples
Tools - iPhone Specific
• Clutch – http://clutch.hackulo.us
  – Tool to crack software
  – Handles decrypting binaries automatically
• class-dump – http://www.codethecode.com/projects/class-dump/
  – Dumps internal Objective-C objects
  – Helps understand interfaces, objects in project
• itunnel – http://www.cs.toronto.edu/~jingsu/itunnel/
  – Useful for connecting from a host machine directly to a jailbroken iPhone
  – For Windows and Unix (Windows – search for itunnel.exe)
  – Used in lieu of a Wi-Fi connection
Inside the iPhone
Hardware
• Processor: ARM Cortex-A8
  – Developed by Apple and Samsung
  – Latest devices use the A4 designation
  – 32-bit RISC architecture
  – Uses Thumb extensions
• Radio functionality
  – 3G
  – Wi-Fi
  – Bluetooth
  – Nordic Semiconductor proprietary chipset
• Camera
• Touch screen
Operating System
• iOS (previously iPhone OS) is currently at 4.3.3
• Darwin-based kernel
• Unix platform
• Ships drivers for all hardware
• OS version defines support for various features
  – iOS 4 brought multitasking, Game Center
  – iOS 3 brought video, improved GPS
• Security mechanisms
  – Code signing
  – Sandboxing
Programming on the iPhone
• Objective-C
  – A superset of the C language
  – Uses an object-oriented model
  – Uses messages instead of calls
  – Uses late runtime binding of objects
• Cocoa
  – AppKit
    • Graphics that fit UI guidelines
  – Foundation Kit
    • Containers
    • Value manipulation
iPhone Binary Format
• Uses the Mach-O format
• Comprised of
  – a standard header
  – a series of load commands
  – a series of segments
    • Sections within the segments
• The process of loading is
  1. Loader recognizes header
  2. Processes each load command
  3. Expands each segment
  4. Maps each section to memory
• Universal Binaries pair multiple platforms in one package
  – iPhone binaries often have both ARMv6 and ARMv7
Examining a Binary
Key Steps to Disassemble an iPhone Binary
1. Get the Binary
2. Put it on the phone
3. Decrypt the segments
4. Transfer it off the phone
5. Load it in your Disassembler
6. PROFIT!
Getting the Binary
You can get the binary in a number of ways
1. Download via iTunes
2. Use iPhone Store app on device
3. iPhone Backup
4. Find third party place (be careful)
Binary locations
iTunes:
My Music\iTunes\iTunes Media\Mobile Applications
On Phone:
/Applications
/private/var/mobile/Applications
Getting Files On and Off the Phone
• If you downloaded from the App Store, you can skip this step
• iTunes
  – Do a simple sync
• Third party (and getting apps off the phone)
  – Use SCP or iPhone Browser
• Clutch puts binaries here
  /var/root/Documents/Cracked/
WinSCP Demo
Demo 1
Installing From the Appstore
Demo 2
Decrypt the segments
• App Store iPhone binaries are encrypted and signed
• Tied to the phone it is to be installed on
• Code segments are encrypted, so they look like gibberish
• We need a way to decrypt
• The hard way
  – Calculate encryption offsets
  – Run program with debugger
  – Dump unencrypted memory segment
  – Patch binary with unencrypted segment
  – Update references to crypto
• The easy way
  – Clutch
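The header, load commands and segments described under iPhone Binary Format, and the encryption offsets that the "hard way" starts from, can all be read from the Mach-O load commands. The following is an added example, not code from the talk: a minimal parser for 32-bit Mach-O and fat (universal) binaries that lists segments and sections and reports the LC_ENCRYPTION_INFO range (cryptoff, cryptsize, cryptid), exercised against a constructed sample binary rather than a real app; the magic numbers and command values are the public Mach-O header constants.

```python
import struct

FAT_MAGIC, MH_MAGIC = 0xCAFEBABE, 0xFEEDFACE        # fat header is big-endian; thin ARM header is little-endian
LC_SEGMENT, LC_ENCRYPTION_INFO = 0x1, 0x21
CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, CPU_SUBTYPE_ARM_V7 = 12, 6, 9

def parse_macho(data, base=0):
    """Walk the header and load commands of one 32-bit Mach-O image starting at offset `base`."""
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", data, base)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O image")
    info = {"cputype": cputype, "cpusubtype": cpusubtype, "segments": [], "cryptid": None}
    off = base + 28                                  # sizeof(mach_header); load commands follow immediately
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT:                        # segment_command, followed by nsects 68-byte section headers
            name = data[off + 8:off + 24].rstrip(b"\0").decode()
            vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, _ = struct.unpack_from("<8I", data, off + 24)
            sects = [data[s:s + 16].rstrip(b"\0").decode() for s in range(off + 56, off + 56 + 68 * nsects, 68)]
            info["segments"].append({"name": name, "vmaddr": vmaddr, "fileoff": fileoff, "filesize": filesize, "sections": sects})
        elif cmd == LC_ENCRYPTION_INFO:              # file range the loader decrypts; cryptid 0 means the range is already plain
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<3I", data, off + 8)
        off += cmdsize
    return info

def parse_universal(data):
    """Return one parsed image per architecture, unwrapping a fat (universal) header when present."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_macho(data)]
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    arches = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(nfat_arch)]   # cputype, cpusubtype, offset, size, align
    return [parse_macho(data, offset) for _, _, offset, _, _ in arches]

def build_thin(cpusubtype, cryptid):
    """Constructed sample image (not a real app): a __TEXT segment with one __text section plus LC_ENCRYPTION_INFO."""
    sect = b"__text".ljust(16, b"\0") + b"__TEXT".ljust(16, b"\0") + struct.pack("<9I", 0x1000, 0x100, 0x1000, 4, 0, 0, 0, 0, 0)
    seg = struct.pack("<2I", LC_SEGMENT, 56 + 68) + b"__TEXT".ljust(16, b"\0") + struct.pack("<8I", 0, 0x2000, 0, 0x2000, 5, 5, 1, 0) + sect
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    cmds = seg + enc
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 2, len(cmds), 0) + cmds   # filetype 2 = MH_EXECUTE

def build_universal():
    """Constructed fat binary: an encrypted ARMv6 slice paired with an unencrypted ARMv7 slice (slices not page-aligned here)."""
    v6, v7 = build_thin(CPU_SUBTYPE_ARM_V6, 1), build_thin(CPU_SUBTYPE_ARM_V7, 0)
    off6 = 8 + 2 * 20                                # fat_header plus two fat_arch entries
    header = struct.pack(">2I", FAT_MAGIC, 2)
    header += struct.pack(">5I", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, off6, len(v6), 0)
    header += struct.pack(">5I", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, off6 + len(v6), len(v7), 0)
    return header + v6 + v7
```

Running `parse_universal(build_universal())` yields one dict per slice; on a real App Store binary the same walk is what `otool -l` prints, and a cryptid of 1 is the quick check that the __TEXT range still needs the device to decrypt it.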
Clutch Demo
Demo 3
Load It into the Disassembler
• Unpack the Clutch output IPA
  – IPA files are just zip files; you can rename them to .zip
• Should have a directory structure
  /some GUID/App files
• App is probably the largest file, has no extension
• Explore other files
  – Use a plist editor to examine .plist files
  – DB/data files are often SQLite
• Load the file into the disassembler
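The unpacking and file triage the slide describes, as an added example that is not from the talk: the script builds a constructed IPA in memory (not a real app; it assumes the standard Payload/<Name>.app layout, which may differ from Clutch's output) and identifies the main executable from Info.plist rather than by guessing the largest file, checks its Mach-O magic, and picks out plist and SQLite files by content rather than by extension.

```python
import io
import plistlib
import zipfile

SQLITE_MAGIC = b"SQLite format 3\0"                          # 16-byte header every SQLite 3 database starts with
MACHO_MAGICS = (b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")   # 32-bit thin (little-endian on disk) and fat magic

def build_sample_ipa():
    """Constructed IPA (not a real app): Payload/Demo.app with Info.plist, an extensionless executable, a plist and a database."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleExecutable": "Demo", "CFBundleIdentifier": "com.example.demo"}))
        z.writestr("Payload/Demo.app/Demo", MACHO_MAGICS[1] + b"\0" * 4096)   # fake fat header followed by padding
        z.writestr("Payload/Demo.app/Settings.plist", plistlib.dumps({"debug": False}))
        z.writestr("Payload/Demo.app/cache.db", SQLITE_MAGIC + b"\0" * 256)
        z.writestr("iTunesMetadata.plist", plistlib.dumps({"itemName": "Demo"}))
    return buf.getvalue()

def inspect_ipa(ipa_bytes):
    """Locate the app bundle, its main executable (via CFBundleExecutable) and the plist/SQLite files worth examining."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        bundles = {n.split("/")[1] for n in names if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
        if len(bundles) != 1:
            raise ValueError(f"expected exactly one .app bundle under Payload/, found {sorted(bundles)}")
        app = bundles.pop()
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        exe = f"Payload/{app}/{info['CFBundleExecutable']}"
        largest = max(names, key=lambda n: z.getinfo(n).file_size)
        return {
            "bundle": app,
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": exe,
            "executable_is_macho": z.read(exe)[:4] in MACHO_MAGICS,
            "largest_file_is_executable": largest == exe,       # the slide's heuristic, checked against the plist's answer
            "plists": sorted(n for n in names if n.endswith(".plist")),
            "sqlite_files": sorted(n for n in names if z.read(n)[:16] == SQLITE_MAGIC),
        }
```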
Unpacking the IPA
Demo 4
iPhone Binary Internals
• Uses Objective-C and Cocoa
• Calls are non-obvious
  – Use python tool to fixup calls
  – Reanalyze with new markup
• Code is ARM assembler
• Areas to look at
  – Strings
  – Areas of import
    • Network calls
    • Crypto
    • Calls to key iPhone areas (mail, SMS, calendar, etc.)
    • Key functionality per app
  – Graphs help understand flow
Analyzing the Binary
Demo 5