Smirnov reverse-engineering-techforum

Transcript of Smirnov reverse-engineering-techforum

Page 1

Page 2

Alexander Smirnov, Development Team Lead, iOS Mail


@__smirnov__

Page 3

REVERSE ENGINEERING

Page 4

WHAT THIS TALK COVERS

• Why?

• What approaches are there?

• Tooling

• Mach-O binary

• Decrypting apps, ASLR, THUMB2/ARM

• Asm, Prologue, EIP addressing, Msgs, DYLD

• Where to start the analysis

Page 5

BLAH BLAH BLAH

Page 6

WHY DO THIS?

• It's fun

• Analysing competing products

• Compatibility with proprietary software

• Security auditing

It's fun!

Page 7

ANALYSIS METHODS

System Level:

• Network traffic sniffing

• I/O activity analysis

• General analysis of system calls

Code Level:

• Disassembling/Decompiling

• Debugging

• ObjC Runtime

Page 8

TOOLSET

otool/otx: disassembler

gdb/lldb

class-dump: extracts Objective-C class information from a Mach-O

MachOView: convenient view of Mach-O headers, segments and sections

lipo: manipulating fat files

hexdump/0xED

cycript: acting on the application at runtime

python/ruby/perl

Page 9

MACH-O BINARY

Page 10

MACH-O HEADER

0xFEEDFACE   32bit
0xFEEDFACF   64bit
0xCAFEBABE   FAT

Page 11

SEGMENTS AND SECTIONS

Load command 1
      cmd LC_SEGMENT
  cmdsize 532
  segname __TEXT
   vmaddr 0x00001000
   vmsize 0x00027000
  fileoff 0
 filesize 159744
  maxprot 0x00000007
 initprot 0x00000005
   nsects 7
    flags 0x0

Section
  sectname __text
   segname __TEXT
      addr 0x00002848
      size 0x0001b86c
    offset 6216
     align 2^2 (4)
    reloff 0
    nreloc 0
     flags 0x80000400
 reserved1 0
 reserved2 0

Page 12

__OBJC SEGMENT

class-dump by Steve Nygard

__message_refs
__cls_refs
__symbols
__module_info
__class
__meta_class
__instance_vars
__inst_meth
__cls_meth
__cat_cls_meth
__protocol_ext
__cat_inst_meth

Page 13

CLASS-DUMP

@interface Alfred1PwdPreferences : NSObject <AlfredPreferencePane>
{
    Alfred1PwdPreferencesViewController *viewController;
}

- (unsigned long long)sortPriority; // IMP=0x0000000100089e9f
- (BOOL)isPowerpack; // IMP=0x0000000100089e94
- (id)paneGroup; // IMP=0x0000000100089e87
- (id)paneView; // IMP=0x0000000100089dfb
- (id)paneIcon; // IMP=0x0000000100089d49
- (id)paneName; // IMP=0x0000000100089d3c
- (id)paneUID; // IMP=0x0000000100089d2f
- (void)dealloc; // IMP=0x0000000100089ce5

@end

Page 14

APPLICATION ENCRYPTION

This file is encrypted
cryptid: 0x00000001, cryptoff: 0x00002000, cryptsize: 0x001e2000

Page 15

ATTENTION

Page 16

DECRYPT APPSTORE BINARY
STEP 1 - otool

Load command 12
      cmd LC_ENCRYPTION_INFO
  cmdsize 20
 cryptoff 8192
cryptsize 1974272
  cryptid 1

Annotations: cryptoff = offset, cryptsize = size, cryptid = encrypted
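Added example, not from the talk: a small Python parser that does what step 1 does with otool. It reads the Mach-O magic, walks the load commands and reports the LC_SEGMENT and LC_ENCRYPTION_INFO values. The sample image is constructed inline from the deck's own numbers; the struct layouts are the public mach-o/loader.h ones, restricted to 32-bit images.

```python
import struct

# Magic values from the MACH-O HEADER slide.
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_SEGMENT, LC_ENCRYPTION_INFO = 0x1, 0x21   # 32-bit commands (mach-o/loader.h)

def build_sample_macho():
    """Constructed 32-bit ARMv7 image: one __TEXT segment with the deck's
    segment values and an LC_ENCRYPTION_INFO with cryptoff 8192, size 1974272."""
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT",
                      0x1000, 0x27000, 0, 159744, 7, 5, 0, 0)
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 8192, 1974272, 1)
    # mach_header: magic, cputype 12 (ARM), cpusubtype 9 (ARMv7), MH_EXECUTE,
    # ncmds, sizeofcmds, flags
    hdr = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 2, len(seg) + len(enc), 0)
    return hdr + seg + enc

def parse_macho(data):
    """Return bits, cputype, segments and encryption info of a thin Mach-O."""
    if data[:4] == struct.pack(">I", FAT_MAGIC):   # fat headers are big-endian
        raise ValueError("fat binary: extract one slice with lipo first")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image: 0x%08x" % magic)
    is64 = magic == MH_MAGIC_64
    _, cputype, _, _, ncmds, _, _ = struct.unpack("<IiiIIII", data[:28])
    info = {"bits": 64 if is64 else 32, "cputype": cputype,
            "segments": [], "encryption": None}
    off = 32 if is64 else 28          # mach_header_64 has an extra reserved word
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmd == LC_SEGMENT:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack(
                "<16sIIII", data[off + 8:off + 40])
            info["segments"].append(
                (name.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize))
        elif cmd == LC_ENCRYPTION_INFO:
            cryptoff, cryptsize, cryptid = struct.unpack("<III", data[off + 8:off + 20])
            info["encryption"] = dict(cryptoff=cryptoff, cryptsize=cryptsize,
                                      cryptid=cryptid)
        off += cmdsize                 # 64-bit-only commands are skipped here
    return info

def is_encrypted(info):
    """otool prints 'This file is encrypted' when cryptid is non-zero."""
    enc = info["encryption"]
    return enc is not None and enc["cryptid"] != 0

if __name__ == "__main__":
    meta = parse_macho(build_sample_macho())
    print(meta, "encrypted:", is_encrypted(meta))
```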

Page 17

ASLR

User Space ASLR was introduced in iOS 4.3

0x1000 becomes 0x54000

Address Space Layout Randomization: randomising where important structures are placed in the process address space, namely the executable image, the loaded libraries, the heap and the stack.

KASLR was introduced in iOS 6.0

Page 18

DECRYPT APPSTORE BINARY
STEP 2 - gdb

(gdb) info mach-regions
Region from 0x54000 to 0x238000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)
   ... from 0x238000 to 0x292000 (rw-, max rw-; copy, private, not-reserved) (2 sub-regions)
...

(gdb) x/4x 0x54000
0x54000: 0xfeedface 0x0000000c 0x00000009 0x00000002

0x1000 has moved to 0x54000

Page 19

DECRYPT APPSTORE BINARY
STEP 2.5 - gdb

Section
  sectname __text
   segname __TEXT
      addr 0x00003d38
      size 0x00170520
    offset 11576

(gdb) x/10i (0x54000+11576)|1
0x56d39: push {r4, r7, lr}
0x56d3b: add r7, sp, #4
0x56d3d: sub sp, #8
0x56d3f: mov r4, r0
0x56d41: movw r0, #39388 ; 0x99dc
0x56d45: movt r0, #33 ; 0x21

Page 20

THUMB MODE

ARM MODE: 32bit long instructions
THUMB2 MODE: 16 to 32bit long instructions

0x56d38 = 1010110110100111000
0x56d39 = 1010110110100111001   (LSB bit)

Page 21

DECRYPT APPSTORE BINARY
STEP 2.5 - gdb

cryptoff (file)               TARGET (memory)
__TEXT = 0x0                  0x54000
__TEXT+cryptoff               0x54000+8192
__TEXT+cryptoff+cryptsize     0x54000+8192+1974272

Page 22

DECRYPT APPSTORE BINARY
STEP 3 - patch

architecture 0
    cputype 12
    cpusubtype 9
    capabilities 0x0
    offset 4096
    size 2494896
    align 2^12 (4096)
architecture 1
    cputype 12
    cpusubtype 11
    capabilities 0x0
    offset 2502656
    size 2490624
    align 2^12 (4096)

Fat file layout:
0x0       fat header
0x1000    arch0: mach header, arch0 content
0x263000  arch1: mach header, arch1 content

arch_offset + cryptoffset
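Added example, not from the talk: the address arithmetic behind steps 2, 2.5 and 3 as Python functions, fed with the deck's own numbers (__TEXT linked at 0x1000 and observed at 0x54000, cryptoff 8192, cryptsize 1974272, __text at file offset 11576, arch 0 at fat offset 4096). The splice helper and the sample buffer in its test are constructed for illustration.

```python
TEXT_VMADDR = 0x1000          # __TEXT vmaddr from the LC_SEGMENT listing

def aslr_slide(observed_text_base, text_vmaddr=TEXT_VMADDR):
    """How far ASLR moved the image: 0x1000 observed at 0x54000 -> slide 0x53000."""
    return observed_text_base - text_vmaddr

def encrypted_memory_range(observed_text_base, cryptoff, cryptsize):
    """Step 2.5 table: [__TEXT+cryptoff, __TEXT+cryptoff+cryptsize) in the process."""
    start = observed_text_base + cryptoff
    return start, start + cryptsize

def encrypted_file_range(arch_offset, cryptoff, cryptsize):
    """Step 3: the same bytes inside the fat file; cryptoff is relative to the
    slice, so the slice's fat offset is added first (arch_offset + cryptoffset)."""
    start = arch_offset + cryptoff
    return start, start + cryptsize

def thumb_entry(observed_text_base, section_file_offset):
    """Address gdb needs for x/10i: __TEXT has fileoff 0, so the section's file
    offset is also its offset from the image base; set the LSB for THUMB2."""
    return (observed_text_base + section_file_offset) | 1

def is_thumb(addr):
    """LSB set means the processor decodes 16/32-bit Thumb2 instructions."""
    return (addr & 1) == 1

def splice_decrypted(fat_image, arch_offset, cryptoff, dumped):
    """Step 3 patch: replace the encrypted bytes of one slice with the dumped
    plaintext; refuses dumps that would run past the end of the file."""
    start = arch_offset + cryptoff
    if start + len(dumped) > len(fat_image):
        raise ValueError("dump does not fit inside the file")
    return fat_image[:start] + dumped + fat_image[start + len(dumped):]

def decrypt_plan(observed_text_base=0x54000, arch_offset=4096,
                 cryptoff=8192, cryptsize=1974272):
    """Everything the three steps need, using the deck's numbers by default."""
    return {"slide": aslr_slide(observed_text_base),
            "memory": encrypted_memory_range(observed_text_base, cryptoff, cryptsize),
            "file": encrypted_file_range(arch_offset, cryptoff, cryptsize)}

if __name__ == "__main__":
    print({k: tuple(map(hex, v)) if isinstance(v, tuple) else hex(v)
           for k, v in decrypt_plan().items()})
```

The memory range ends at 0x238000, which is exactly where the r-x region in the step 2 gdb listing ends.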

Page 23

WHAT NOW?

ARMv7

push {r4, r7, lr}
add r7, sp, #4
sub sp, #8
mov r4, r0
movw r0, 0x99dc
movt r0, 0x21
movw r2, 0xf216
movt r2, 0x21
add r0, pc
add r2, pc
ldr r1, [r0, #0]
ldr r0, [r2, #0]
blx 0x1e4bac
movw r1, 0x99ca
mov r2, r4
movt r1, 0x21
add r1, pc
ldr r1, [r1, #0]
blx 0x1e4bac

i386

pushl %ebp
movl %esp,%ebp
subl $0x28,%esp
movl %edi,0xfc(%ebp)
movl 0x08(%ebp),%edi
movl %ebx,0xf4(%ebp)
movl %esi,0xf8(%ebp)
calll 0x00001842
popl %ebx
movb $__mh_bundle_header,0x69(%edi)
movl 0x18(%ebp),%eax
testl %eax,%eax
je 0x00001923
movl 0x18(%ebp),%eax
movl %edi,(%esp)
movl %eax,0x08(%esp)
movl 0x00009d6a(%ebx),%eax
movl %eax,0x04(%esp)
calll 0x0000c10d

x86_64

pushq %rbp
movq %rsp,%rbp
movq %r12,0xf0(%rbp)
movq %r13,0xf8(%rbp)
movq %rdi,%r12
movq %rbx,0xe8(%rbp)
subq $0x30,%rsp
movq 0x0000be4a(%rip),%rax
testq %r8,%r8
movq %rdx,0xd8(%rbp)
movl %ecx,0xd4(%rbp)
movq %r8,%r13
movb $__mh_bundle_header,(%rdi,%rax)
je 0x00000cd5
movq %r8,%rdx
leaq 0x0000aaa9(%rip),%rsi
call *0x0000aaa3(%rip)
testq %rax,%rax
jne 0x00000c53

Page 24

UNDERSTANDING, COME TO ME

Page 25

I386 PROLOGUE

pushl   %ebp           save the caller's stack frame
movl    %esp,%ebp      new stack frame
subl    $0x28,%esp     room on the stack

Application Binary Interface

Page 26

EIP RELATIVE ADDRESSING

0000183d calll   0x00001842
00001842 popl    %ebx                     trick for obtaining the value of eip
•••
0000185c movl    0x00009d6a(%ebx),%eax    eax = *(0x9d6a+ebx)

offset 0x9d6a + eip 0x1842 = address 0xb5ac

Page 27

OBJC_MSGSEND

id objc_msgSend(id theReceiver, SEL theSelector, ...)

80% of calls

Page 28

ARMV7 AND OTX

00003d8c movw   r0, 0x99a2       low 16 bits
00003d90 movs   r2, #0           argument 1 = nil
00003d92 movt   r0, 0x21         high 16 bits
00003d96 add    r0, pc           + Program Counter
00003d98 ldr    r1, [r0, #0]     r1 = *address
00003d9a mov    r0, r4           pointer to the object in r0
00003d9c blx    0x1e4bac         call objc_msgSend

((0x99a2 & 0xffff) | (0x21<<16)) + (0x3d96 + 4) & ~1

methnames[selrefs[0x21d73c]] = "setWelcomeVC:"

Page 29

STILL PAYING ATTENTION?

Page 30

SELECTOR

__objc_selrefs
mem offset   value
0x21D738     0x1756CE
0x21D73C     0x1756D6
0x21D740     0x1756E4
•••

__objc_methname
mem offset 0x1756B0
defaultCenter removeObserver: release setWelcomeVC: dealloc alloc mainScreen bounds initWithFrame: autorelease setWindow: setupInitialLoadingWindow setAppId: setDaysUntilPrompt: setUsesUntilPrompt: setSignificantEventsUntilPrompt: setTimeBefo

methnames[selrefs[0x21d73c]] = "setWelcomeVC:"

arch_offset + sect_file_start + ( target_addr - sect_mem_start )

Page 31

DYLD

blx 0x1e4bac

__TEXT, __symbolstub1
001e4ba8 ldr pc, [pc, #1728]
001e4bac ldr pc, [pc, #1728]
001e4bb0 ldr pc, [pc, #1728]

0x1e4bac = 111100100101110101100   ARM MODE

__DATA, __lazysymbol
001e5270 001749cc
001e5274 001749d8
001e5278 001749e4

0x1e4bac + 8 + 1728 = 0x1e5274
(1) _stub_helper  (2) _objc_msgSend
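Added example, not from the talk, covering the EIP RELATIVE ADDRESSING, ARMV7 AND OTX, SELECTOR and DYLD slides together: the three PC-relative forms the deck shows (i386 call/pop, Thumb movw/movt + add pc, ARM-mode ldr pc,[pc,#imm]) as Python functions, plus the selref-to-methname lookup. The selrefs, methname blob and lazy-symbol table are constructed from the numbers on the slides; only the first six selector strings are embedded.

```python
# Constructed from the SELECTOR and DYLD slides: __objc_selrefs entries
# (address -> pointer into __objc_methname), the start of __objc_methname,
# its NUL-separated strings, and the __lazysymbol slots the stubs jump through.
SELREFS = {0x21D738: 0x1756CE, 0x21D73C: 0x1756D6, 0x21D740: 0x1756E4}
METHNAME_START = 0x1756B0
METHNAME_BLOB = b"defaultCenter\0removeObserver:\0release\0setWelcomeVC:\0dealloc\0alloc\0"
LAZY_PTRS = {0x1E5270: 0x1749CC, 0x1E5274: 0x1749D8, 0x1E5278: 0x1749E4}

def thumb_movw_movt_pc(movw_imm, movt_imm, add_pc_addr):
    """r = (movw | movt<<16) + PC, where Thumb reads PC as the address of the
    'add rX, pc' instruction plus 4; the Thumb bit is cleared as on the slide."""
    return (((movw_imm & 0xFFFF) | (movt_imm << 16)) + (add_pc_addr + 4)) & ~1

def selector_name(selref_addr):
    """methnames[selrefs[addr]]: follow the selref pointer into __objc_methname."""
    rel = SELREFS[selref_addr] - METHNAME_START
    return METHNAME_BLOB[rel:METHNAME_BLOB.index(b"\0", rel)].decode()

def resolve_msgsend_selector():
    """Replay the otx sequence movw r0,0x99a2 / movt r0,0x21 / add r0,pc (at
    0x3d96) / ldr r1,[r0]: which selector reaches objc_msgSend in r1."""
    selref = thumb_movw_movt_pc(0x99A2, 0x21, 0x3D96)
    return selref, selector_name(selref)

def arm_ldr_pc_target(instr_addr, imm):
    """ARM-mode 'ldr pc, [pc, #imm]' (LSB of the stub address clear): PC reads
    as the instruction address plus 8, so the slot is instr + 8 + imm."""
    if instr_addr & 1:
        raise ValueError("Thumb bit set: not an ARM-mode stub")
    return instr_addr + 8 + imm

def stub_slot(blx_target, imm=1728):
    """blx 0x1e4bac -> the __lazysymbol slot that stub reads; before the first
    call it holds a __stub_helper address, after binding the real function."""
    slot = arm_ldr_pc_target(blx_target, imm)
    return slot, LAZY_PTRS[slot]

def x86_eip_relative(pop_addr, disp):
    """i386 call/pop trick: 'calll next; popl %ebx' leaves eip in ebx, so
    disp(%ebx) addresses pop_addr + disp."""
    return pop_addr + disp

def mem_to_file_offset(arch_offset, sect_file_start, sect_mem_start, target):
    """Slide formula: byte position of a virtual address inside the fat file."""
    return arch_offset + sect_file_start + (target - sect_mem_start)

if __name__ == "__main__":
    print(hex(resolve_msgsend_selector()[0]), resolve_msgsend_selector()[1])
    print(tuple(map(hex, stub_slot(0x1E4BAC))), hex(x86_eip_relative(0x1842, 0x9D6A)))
```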

Page 32

LET'S FINISH WITH WHERE TO START

• Tracking data input

• Places where the data is used

• Known methods

• Class-dump

• Known constants

• Libraries in use

Page 33