Beyond the 'cript practical i os reverse engineering lascon

IOActive, Inc. Copyright ©2016. All Rights Reserved.
Beyond The ‘Cript: Practical
iOS Reverse Engineering
Michael Allen (@_dark_knight_)
Security Consultant

Why This Talk?
• Apps more hardened against
common attacks
• Bridge the gap
• Deeper understanding of what
happens under the hood
• Foundation for additional
research

Outline/Agenda
• Building A General Toolkit
• iOS Application Assessment 101
– Usual results
– “New” approach
• The Reverse Engineer’s Toolkit
• Reverse Engineering iOS Applications
• Mach-O Binary Format
• Mach Tasks
• ARM(32/64)
• Objective-C
• Swift
• Identifying and bypassing Simple Jailbreak Detection Routines
• Conclusion

Outline/Agenda
• Building A General Toolkit
• iOS Application Assessment 101
• The Reverse Engineer’s Toolkit
• Reverse Engineering iOS Applications
• Identifying and bypassing Simple Jailbreak
Detection Routines
• Conclusion

Building A General Toolkit
• Jailbroken Device
• File System
• Network
• Instrumentation
• Automating Common Tasks
• Essentials

Jailbroken Device
• Removing software restrictions
imposed by iOS, through the use of
software exploits
• Recommend dedicated device for
testing
• Latest jailbreak
– Pangu (iOS 9.2 – 9.3.3 64-bit
devices only)

Jailbroken Device (contd.)
• Tethered
• Does not persist across reboots
• Requires computer to start device
• Untethered
• Persists on device across reboots
• Semi-tethered
• Requires computer to start into jailbroken state
• Rebooting or starting device without assistance possible. But boots into
non-jailbroken state

Jailbroken Device (ProTip)
• Change default root password from alpine
• Access device over usb using usbmuxd
– sudo python tcprelay.py -t 22:22
• Generate ssh keys
– ssh-keygen -t rsa -f ~/.ssh/ironman -N "”
• Copy public key to device
– ssh-copy-id -i ~/.ssh/ironman.pub root@localhost
• Create an alias on (~/.ssh/config)

File System: Moving Files
• iFunbox
• iExplorer
• Sftp

Network: BurpSuite Pro Intercepting Proxy

Network: SSL Kill Switch 2
• “Disables SSL certificate validation - including certificate pinning -
within iOS Apps.”

Instrumentation: Cycript
• Injects into target process
• Interactive console
• Objective-C and Javascript syntax
• Supported Architectures(iOS, Mac OS X)
• NowSecure fork where runtime powered by Frida* (Cycript on
steroids)

Instrumentation: Cycript (contd.)

Instrumentation: Frida
• Injects Google’s V8 engine into target process
• Javascript executed with full access to memory
• Function hooking
• Access to native methods
• Inject into starting process
• Multiple architectures (Windows, Mac, Linux, iOS and Android)

• Method tracing
Instrumentation: Frida (contd.)

Automating Common Tasks
• Idb Tool - http://www.idbtool.com/
• Snoop-IT - http://repo.nesolabs.de/
• iRet - https://www.veracode.com/blog/2014/03/introducing-the-ios-reverse-engineering-
toolkit
• IntroSpy - https://github.com/iSECPartners/Introspy-iOS
• AppMon - https://dpnishant.github.io/appmon/
• Needle - https://github.com/mwrlabs/needle
• Varying levels of support

Automating Common Tasks: Idb Tool
• Idb Tool
• “idb is a tool to simplify some common tasks for iOS app
security assessments and research.”
• Provides general app info
• URL Handler
• Keychain dumping
• Pasteboard
• Logging

Automating Common Tasks: Idb Tool (contd.)

Essentials: Command Line Utilities
• Command Line
– BigBoss Recommended Tools (Cydia)
– Erica Utilities (Cydia)
– Jonathan Levin compiled a number of commonly used binaries
for iOS

Essentials: iOSBinpack (Jonathan Levin)
• Listing of available tools

Common Attack Vectors: Sniffing On A
Remote Virtual Interface

Common Attack Vectors: Sniffing On A
Remote Virtual Interface (contd.)

Common Attack Vectors: Insecure Storage
• Property list files (.plist)
• SQLite databases
• Keychain
• Snapshots
• Cache

Insecure Storage: Property Lists (.plist)
• Stores serialized objects
• Key value pairs
• Maybe compacted to bplist (binary plist)
– cat filename.plist | plutil -convert xml1 - -o -

Insecure Storage: Client-Side Data Stores
• Often see SQLite being used for client-side storage
• Lightweight client-side database
• Query using SQL

Insecure Storage: Fun Fact About SQLite
Data Stores
• Delete doesn’t do what you think
• Deleted data added to free list
• Free records not overwritten until more space required
• End result is data may not be overwritten for a while
• May be recovered with SQLite-parser

Insecure Storage: Dumping The Keychain
• SQLite database stored in /var/Keychains

Insecure Storage: Snapshots

Insecure Storage: Inspecting The Cache
• Caches directory similar function to that of a web browser’s
cache
• Aimed at improving performance
• May store web cache content

Insecure Storage: Dumping Binary Cookies
• Created by URL loading system or webview
• Stored on local file system in binary format.

Common Attack Vectors: Inter-process
Communication
• Application registers custom URL scheme
• Invoked when scheme called

Common Attack Vectors: Inter-process
Communication
• Suggest using lsdtrip to identify URL’s
• Use publicurls | privateurls option

Inter-process Communication (Side Note)
• Malicious app could register your URL scheme
• [[UIApplication sharedApplication] openURL:myURL];
• Universal Links introduced in iOS 9
• Kills the openURL problem
• Developer specifies what URL’s will be processed by
app (association file)
• Communication over HTTPS
• No more enumerating apps via can canOpenURL
method

Common Attack Vectors: Injection Attacks
• UIWebViews
• File-Handling Routine
• XML

Summary: Usual Results
• Issues relating to Local Storage
– Keep in mind most of these attacks requires the device to be unlocked
• Unsecured API’s (via Burpsuite Pro)
• Some hard-coded secrets maybe (typically run strings against binary)
• The truth however is that most of these bugs closed
– Binary protections are now standard
– Data Protection API’s (keychain etc)
– Universal links introduced with iOS 9 address IPC loophole
– …...

Additionally What Happens When?
• The common tools fail?
• Your Google Fu returns nothing?
• There are custom security protections in place
• You want to extend an existing tool?
• You want start investigating deeply hidden logic bugs
– Crypto functions etc
• Move beyond 3rd party applications

Towards A “New” Approach
• At this point we need to take a different approach one that
involves Reverse Engineering and leverages knowledge of :
• iOS internals
• ARM(32/64) Assembly
• Deep dive into Objective-C/Swift
• …....
• Let’s improve our toolkit
• And expand our knowledge base

The Reverse Engineer’s Toolkit
• IDA Pro
• Hopper
• LLDB
• Jtool
• Procexp
• GNU Project Debugger (gdb)
• Apple CC Tools

The Reverse Engineer’s Toolkit: IDA Pro

The Reverse Engineer’s Toolkit: Hopper

The Reverse Engineer’s Toolkit: lldb
• Debugging an application binary with lldb
• iOS Device
1. debugserver -x backboard ip:port </path/to/executable>
• MAC Host
1. lldb
2. process connect connect://<remote_host>:<port>
3. image list –o –f (ASLR)

The Reverse Engineer’s Toolkit: lldb (contd.)

• Breakpoint = offset1 + offset2
• Or just use the symbols 
The Reverse Engineer’s Toolkit: lldb ASLR
(contd.)
1
2

The Reverse Engineer’s Toolkit: jtool
• otool type functionality with way more options
• MACH-O analysis (atos, dyldinfo, nm, strings etc)
• Multi-platform (OS X, iOS, Linux)
• ARM64 disassembler

The Reverse Engineer’s Toolkit: jtool (contd.)

The Reverse Engineer’s Toolkit: jtool (bonus)

The Reverse Engineer’s Toolkit: procexp
• Getting task related info
• Display threads, mach ports, dump core (memory image) etc..

The Reverse Engineer’s Toolkit: gdb
• Use source from http://cydia.radare.org
• No support for arm64 architectures

The Reverse Engineer’s Toolkit: filemon
• Tracing file system activity with FSEvents

Apple’s CC Tools
• otool
• MACH-O Binary Swiss army knife
• nm
• Displays symbol table
• lipo
• Architectures embedded in binary
• Codesign
• Binary signing

Reverse Engineering iOS Applications
(Under The Hood)
• Mach-O Binary Format
• Mach Tasks
• ARM(32/64)
• Objective-C
• Swift

Mach-O Binary Format

Application Binary
Version Location
< iOS 8 /var/mobile/Application/<app bundle id>
iOS 8 +
 /var/mobile/Containers/Bundle/Application/<app
bundle id>
 App binary, nibs, Code Signature
 /var/mobile/Containers/Data/Application/<app
bundle id>
 Documents, Library, tmp folder
iOS 9.3.x  /var/containers/Bundle/Application/<app bundle id>
 App binary

Mach-O Binary
• Header – Identifies file type,
architecture etc
• Load Commands – Details layout
and linkage specifications
• Data – Code

Mach-O: Header
<mach-o/loader.h>

Mach-O: Flags
• PIE: Commonly checked flag during an assessment.
• ASLR for executable types

Mach-O: Load Commands (Kernel)
• LC_SEGMENT[_64] main load command
– Memory regions with same r/w/x protection
<mach-o/loader.h>

Mach-O: SEGMENTS
• __PAGEZERO(NULL pointer trap, all access permissions revoked )
• _TEXT(program code)
• _DATA (readable/writeable program data)
• _LINKEDIT (symbol and other tables used by linker)
• _RESTRICT (see dyld.cpp, will not load DYLD_INSERT_LIBRARIES)
• Optional sections

Mach-O: Common Segments and Sections

Mach-O: Viewing Segments and Sections

MachOView (GUI)

Mach-O: Load Commands (dyld)
• Kernel hands off to DYLD(dynamic linker)
• Uses dynamic linker specified in LC_LOAD_DYLINKER
• Loads each LC_LOAD_DYLIB
• Resolves symbols
• Interposing (method switching)
• add __interpose section to __DATA SEGMENT
• Force library loading with DYLD_INSERT_LIBRARIES
• code with __attribute(constructor) auto runs

Mach Tasks

Mach Tasks
• At this point binary mapped into memory
• Process on other systems
• Port (IPC Endpoint)
• Own the port, own the task
• Mach Trap task_for_pid()
• Requires jailbreak tfp0 patch for kernel(PID0)
• processor_set_tasks()
• Any task port in system

Mach Tasks – Interacting with the task
• Get the task port
• Read/write memory with mach_vm* api’s
• Inject your own shellcode
• Left to your imagination

Mach Tasks – Owning The Port
* mach_vm_region returns information about a memory region in a given
address space.

Mach Tasks – Dumping Memory
• Write your own code and call appropriate mach_vm* api’s
• Use procexp <pid> regions

Mach Tasks – Dumping Memory
• Read using lldb (memory read –outfile <outfile> –count <size> <address>)

ARM Assembly

ARM32 - Registers
Register Purpose
R0 – R12 General purpose registers
R13 Stack pointer
R14 Link register. Holds return address during a
function call.
R15 Program counter (PC)
CPSR Information on current execution state
(Endianness bit, Thumb bit, Mode bit)

ARM32 – Function Calling Convention
• Functions are invoked via a B, BX, BL, BLX
Register Purpose
r0-r3  First four function parameters.
 Other arguments passed on stack
r0 Stores return value

ARM32 – Basic Loading Instructions
Register Purpose
LDR Loads a word.
Ex. LDR R3, [R0]
Loads the word value at R0 into R3
STR Stores a word.
Ex. STR R3, [R4]
Takes the value in R3 and stores at memory
address R4
• Arm is a load/store architecture
• Data must be loaded into registers before they can be used

ARM64 - Registers
Register Purpose
x0-x28 General purpose registers (64 bit)
w0-w30 General purpose registers (32 bit)
x29 Frame pointer
x30 Link register (return address)
SP Stack pointer
PC Program counter

ARM64 – Function Calling Convention
Register Purpose
x0-x7 Arguments/return values
x9-x15 Local variables
x19-x29 Callee-saved registers

Objective-C

Objective-C
• objc_msgSend
• Equivalent of calling functions in C
• id objc_msgSend(id self, SEL op,…)
• receiver(id self)
• selector(SEL op)
• Receiver is a pointer to class message is intended for
• Selector is the method to handle message

Objective-C (contd.)

Objective-C (contd.)
x0 – receiver
x1 – selector
x2 – argument
objc_msgSend – func call
-v –d objc retrieves info on
classes, methods etc
*ARM64

Objective-C: Method Swizzling Under The
Hood
• objc_method struct holds information about method of a class
[/usr/include/objc/runtime.h]
• Hooking Frameworks [/Library/Frameworks/CydiaSubstrate.framework]
Member Description
method_name Method name
method_types Accepted parameters
method_imp Pointer to implementation
Swizzling just changes implementation using
underlying C functions:
• class_replaceMethod
• method_exchangeImplementations
• method_setImplementation
CydiaSubstrate:
• MSHookMessageEx
• MSHookFunction

CydiaSubstrate Method Swizzling

SWIFT

Swift
• Introduced with iOS 8
• Still uses traditional message passing for Swift classes that inherit from
Objective-C classes
• Swift classes may use
• Direct function calls
• Vtables
• C++ like mangled function names
• Method Swizzling if subclass of NSObject

Swift: Mangled Function Names
Swift Objective-C

Swift: Mangled Function Names
• __TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_
– __T Swift Symbol
– F indicates function
– C indicates it is a function belonging to a class
– 9jailbreak module name prefixed with length
– 14ViewController class name prefixed with length
– 12btnFileCheck function name prefixed with length
– S0_FPSs no clue ?? 
– f function attribute
– 9AnyObject function parameter
– T_ return type

Swift: demangle Tool
• See also hopper-swift-demangle plugin

Disclaimer
• We will discuss binary patching next
• Yeah but I could do this with ?
• Yes there are several other options:
• xCon
• tsProtector
• Officer
• Tools discussed earlier(remember CydiaSubstrate
hooking with MSHookFunction)
• What happens when you can’t?
• Get comfortable reading/modifying ARM assembly
• Start with simple examples

But First A Note On Patching 101
• Replace instruction with NOP
• No Operation
• Change conditional instructions to unconditional ones
• BNE, BEQ, BLT….changes to just B etc
• Update the register that determines branch taken
• reg write <register> <value>
• p $<reg> = <value>
• Remove SEGMENT
• __RESTRICT

Identifying and bypassing Simple Jailbreak
Detection Routines Case Study

Case Study: Viewing File System Activity
• Using filemon -l
• Creates hard links to temporary files

Case Study: Viewing Logs
• Using idevicesyslog [libimobiledevice]

Case Study: Obtaining The Binary
• Dump the binary (facilitated by DYLD and DYLD_INSERT_LIBRARIES
environment variable)

Case Study: Obtaining Symbols
• Dump the symbols along with dylib’s to which they belong

Case Study: Extracting strings
• Any interesting strings?
• Dump cstring section (same as running strings)
• Knowledge of SEGMENTS and sections important

Case Study: Extracting DYLIB’S
• procexp <pid> regions
Dump the library with lldb

Case Study: Extracting DYLIB’S

Case Study: Obtaining Classes

Case Study: Bypassing RootFS Check

statfs func call
Patch here
statfs argument

Patch here
• Patch register w8

Case Study: Bypassing Debugger Checks
Changes when
debugger attached

(ppid)

(ppid)
ppid func callPatch here

(ppid)
• parent process id of calling process
Patch here

(p_traced)
sysctl func call
Patch here

(p_traced)
Patch here

Case Study: Bypassing Fork Check
Call to fork
Return value in X0
Patch CMN W19, #1

Case Study: Bypassing Fork Check
Patch here

Conclusion
• Common bugs being closed
• A “new” approach and break from the norm is required for in depth assessments
• Assembly knowledge a MUST for Reversing Engineering
– Low level assembly allows you to bypass many security protections, discover hidden gems and
then some
• Knowledge of iOS architecture will not only improve your assessments but also provide a
launching pad for other research
• Disassemblers are your friends (IDA, Hopper, Jtool …..)
• Add the reverse engineering skillset to your arsenal !!!

References
• Books:
• Mac OS X and iOS Internals To the Apple’s Core (Jonathan Levin)
• The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al. )
• Hacking and Securing iOS Applications (Jonathan Zdziarski)
• iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel)
• Blogs and Tools:
• processor_set_tasks() - http://newosxbook.com/articles/PST2.html
• procexp – http://newosxbook.com/tools/procexp.html
• iOSBinaries - http://newosxbook.com/tools/iOSBinaries.html
• jtool - http://newosxbook.com/tools/jtool.html
• filemon - http://newosxbook.com/tools/filemon.html
• AmIBeingDebugged - https://developer.apple.com/library/mac/qa/qa1361/_index.html
• Frida - http://www.frida.re/
• Cycript - http://www.cycript.org/
• iFunBox - http://www.i-funbox.com/
• SSL Kill Switch – https://github.com/iSECPartners/ios-ssl-kill-switch
• BurpSuite - https://portswigger.net/burp/
• IDA - https://www.hex-rays.com/products/ida/
• Hopper - https://www.hopperapp.com/
• Idb - http://www.idbtool.com/
• PT_DENY_ATTACH - https://www.theiphonewiki.com/wiki/Bugging_Debuggers
• ARM - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch05s01s03.html
• SQLite-parser - https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
• SQLite Deletion - http://www.zdziarski.com/blog/?p=6143
• lsdtrip - http://newosxbook.com/src.jl?tree=listings&file=ls.m#dumpURL

Beyond the 'cript practical i os reverse engineering lascon

More Related Content

What's hot (20)

Similar to Beyond the 'cript practical i os reverse engineering lascon (20)

Recently uploaded (20)

Beyond the 'cript practical i os reverse engineering lascon

Editor's Notes