Slicing into Apple: iPhone Reverse Engineering


SOURCE Seattle 2011 - Ryan Permeh


  1. Slicing into Apple: iPhone Reverse Engineering
     Ryan Permeh, Trace Team, McAfee
  2. Introduction
     - Reverse engineering is taking a finished product and working back towards its constituent artifacts
     - Gives us a peek behind the curtains of software
     - Helpful for a variety of legitimate uses
       - Better understanding how software works
       - Recovering lost knowledge
       - Interfacing to closed systems
       - Finding security issues
     - May be used illegally
       - DMCA, software piracy, IP theft
  3. Skill Outlay
     - Reverse engineering is a very technical subject
     - Requires a deep understanding of several topics
       - Hardware Architecture
       - Software Architecture
       - Operating system internals
       - Assembly language
       - Higher level languages
       - Compiler, linker, and loader internals
       - Debugging
     - The better you understand how software is made, the easier it is to reverse engineer it.
  4. JailBreak your iPhone
     - You really need to be jailbroken to have a platform to work from
     - Jailbreak breaks signing requirements for applications
     - Opens the phone up to a variety of new uses
       - Run software from other sources
       - Develop software without need for Apple Developer cost
       - Allows you access to the internals of the iPhone
     - Jailbreak for 4.3.3 and beyond
       - This changes often, so do your research
       - Jailbreaking happens via an exploit, leveraged to patch the kernel
     - Install Cydia and use that to install your tools
       - Gcc/gdb
       - SSH access
       - Class-dump
       - Whatever else you want
  5. Tools used
     - Reverse engineering leverages several tools to get a better understanding of the code
     - Disassembler
       - Parses finished code into assembly language
       - Understand and visualize program flow
       - Provides cross references, searching, and other useful tools
       - We use IDA Pro 6.0 in these examples
     - Debugger
       - Offers a view of the program at runtime
       - Helpful for dynamic analysis
       - Can tie into other reverse engineering artifacts
       - We use gdb in these examples
  6. Tools - iPhone Specific
     - Clutch
       - Tool to crack software
       - Handles decrypting binaries automatically
     - class-dump
       - Dumps internal Objective-C objects
       - Helps understand interfaces, objects in project
     - Itunnel
       - Useful for connecting from a host machine directly to a jailbroken iPhone
       - For Windows and Unix (Windows – search for itunnel.exe)
       - Used in lieu of a WiFi connection
  7. Inside the iPhone
  8. Hardware
     - Processor: ARM Cortex A8
       - Developed by Apple and Samsung
       - Latest devices use A4 designation
       - 32 bit RISC architecture
       - Uses Thumb extensions
     - Radio functionality
       - 3G
       - WiFi
       - Bluetooth
       - Nordic Semiconductor proprietary chipset
     - Camera
     - Touch Screen
  9. Operating System
     - iOS (previously iPhone OS) is currently at 4.3.3
     - Darwin based kernel
     - Unix platform
     - Ships drivers for all hardware
     - OS version defines support for various features
       - iOS 4 brought multitasking, Game Center
       - iOS 3 brought video, improved GPS
     - Security Mechanisms
       - Code Signing
       - Sandboxing
  10. Programming on the iPhone
      - Objective-C
        - A superset of the C language
        - Uses an object-oriented model
        - Uses messages instead of calls
        - Uses late runtime binding of objects
      - Cocoa
        - Appkit
          - Graphics that fit UI guidelines
        - FoundationKit
          - Containers
          - Value manipulation
  11. iPhone Binary Format
      - Uses Mach-O format
      - Comprised of
        - a standard header
        - a series of load commands
        - a series of segments
        - Sections within the segments
      - The process of loading is
        - Loader recognizes header
        - Processes each load command
        - Expands each segment
        - Maps each section to memory
      - Universal Binaries pair multiple platforms in one package
        - iPhone binaries often have both ARM 6 and ARM 7
  12. Examining a Binary
      - Key Steps to Disassemble an iPhone Binary
        - Get the Binary
        - Put it on the phone
        - Decrypt the segments
        - Transfer it off the phone
        - Load it in your Disassembler
        - PROFIT!
  13. Getting the Binary
      - You can get the binary in a number of ways
        - Download via iTunes
        - Use iPhone Store app on device
        - iPhone Backup
        - Find third party place (be careful)
      - Binary locations
        - iTunes:
          - My Music\iTunes\iTunes Media\Mobile Applications
        - On Phone:
          - /Applications
          - /private/var/mobile/Applications
  14. Getting Files On and Off the Phone
      - If you downloaded from the App Store, you can skip this step
      - iTunes
        - Do a simple sync
      - Third party (and getting apps off the phone)
        - Use SCP or iPhone Browser
      - Clutch puts binaries here
        - /var/root/Documents/Cracked/
  15. WinSCP Demo
      - Demo 1
  16. Installing From the Appstore
      - Demo 2
  17. Decrypt the segments
      - Appstore iPhone binaries are encrypted and signed
        - Tied to the phone it is to be installed on
        - Code segments are encrypted, so look like gibberish
      - We need a way to decrypt
        - The hard way
          - Calculate encryption offsets
          - Run program with debugger
          - Dump unencrypted memory segment
          - Patch binary with unencrypted segment
          - Update references to crypto
        - The easy way
          - Clutch
  18. Clutch Demo
      - Demo 3
  19. Load It into the Disassembler
      - Unpack the Clutch output IPA
        - IPA files are just zip files, you can rename them to .zip
      - Should have a directory structure
        - /some GUID
        - /App files
      - App is probably the largest file, has no extension
      - Explore other files
        - Use plist editor to examine .plist files
        - DB/data files often SQLite
      - Load File into the Disassembler
  20. Unpacking the IPA
      - Demo 4
  21. iPhone Binary Internals
      - Uses Objective-C and Cocoa
        - Calls are non-obvious
        - Use python tool to fixup calls
        - Reanalyze with new markup
      - Code is ARM assembler
      - Areas to look at
        - Strings
        - Areas of import
        - Network calls
        - Crypto
        - Calls to key iPhone areas (mail, sms, calendar, etc)
        - Key functionality per app
      - Graphs help understand flow
  22. Analyzing the Binary
      - Demo 5
  23. Questions?
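
The Mach-O layout from slide 11 (header, load commands, segments, sections, and universal binaries carrying several architectures) can be walked with a few `struct` reads. This Python parser is an added example, not code from the talk; it assumes 32-bit little-endian images, and the `sample_thin` / `sample_fat` inputs are constructed for illustration.

```python
import struct

FAT_MAGIC, MH_MAGIC = 0xCAFEBABE, 0xFEEDFACE      # fat header fields are big-endian
CPU_TYPE_ARM, LC_SEGMENT = 12, 0x1
ARM_SUBTYPES = {6: "armv6", 9: "armv7"}            # cpusubtype values for ARM

def parse_thin(data, base=0):
    """Walk one 32-bit little-endian Mach-O image that starts at offset `base`."""
    magic, cpu, sub, _type, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, base)
    if magic != MH_MAGIC:
        raise ValueError("no 32-bit little-endian Mach-O header at offset %d" % base)
    arch = ARM_SUBTYPES.get(sub, "arm subtype %d" % sub) if cpu == CPU_TYPE_ARM else "cputype %d" % cpu
    segments, off, end = [], base + 28, base + 28 + sizeofcmds
    for _ in range(ncmds):                           # load commands follow the 28-byte header
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:       # malformed size: stop rather than guess
            raise ValueError("load command at offset %d overruns sizeofcmds" % off)
        if cmd == LC_SEGMENT:                        # 56-byte segment_command, then 68-byte sections
            name, nsects = struct.unpack_from("<16s24xI", data, off + 8)
            if 56 + 68 * nsects > cmdsize:
                raise ValueError("segment at offset %d claims too many sections" % off)
            sects = [data[off + 56 + 68 * i:off + 72 + 68 * i].rstrip(b"\0").decode("ascii", "replace") for i in range(nsects)]
            segments.append((name.rstrip(b"\0").decode("ascii", "replace"), sects))
        off += cmdsize
    return {"arch": arch, "segments": segments}

def parse_macho(data):
    """One entry per architecture slice of a universal binary, or one entry for a thin file."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return [parse_thin(data)]
    slices = []
    for i in range(struct.unpack_from(">I", data, 4)[0]):        # nfat_arch
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("fat slice %d extends past end of file" % i)
        slices.append(parse_thin(data, offset))
    return slices

def sample_thin(sub):
    """Constructed sample: one __TEXT segment holding one __text section."""
    seg = struct.pack("<2I16s8I", LC_SEGMENT, 124, b"__TEXT", 0x1000, 0x1000, 0, 0, 5, 5, 1, 0)
    seg += struct.pack("<16s16s9I", b"__text", b"__TEXT", 0x1000, 0, 0, 0, 0, 0, 0, 0, 0)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, sub, 2, 1, len(seg), 0) + seg

def sample_fat():
    """Constructed universal binary: armv6 slice followed by armv7 slice (152 bytes each)."""
    archs = b"".join(struct.pack(">5I", CPU_TYPE_ARM, s, 48 + 152 * i, 152, 0) for i, s in enumerate((6, 9)))
    return struct.pack(">2I", FAT_MAGIC, 2) + archs + sample_thin(6) + sample_thin(9)
```

`parse_macho(sample_fat())` returns one dictionary per slice; on a real file, pass the bytes read from disk.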
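
Slide 19's triage of an unpacked IPA (zip container, largest extensionless file is the app binary, plist and SQLite data files alongside) can be done without extracting anything to disk, which matters for archives from a third-party source. This Python inventory is an added example, not code from the talk; the file names and contents in `sample_ipa` are constructed.

```python
import io
import zipfile

MAGICS = [(b"bplist00", "binary plist"), (b"<?xml", "XML (plist or other)"),
          (b"SQLite format 3\x00", "SQLite database"),
          (b"\xca\xfe\xba\xbe", "Mach-O universal binary"), (b"\xce\xfa\xed\xfe", "Mach-O 32-bit")]

def inventory_ipa(ipa_bytes):
    """Classify each member by magic bytes and pick the likely main executable."""
    files, main = [], None
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:              # read in memory; member paths are never written
                head = f.read(16)
            kind = next((label for magic, label in MAGICS if head.startswith(magic)), "other")
            files.append((info.filename, info.file_size, kind))
            base = info.filename.rsplit("/", 1)[-1]
            # Heuristic from the slide: the app binary is the largest file with no extension.
            if "." not in base and (main is None or info.file_size > main[1]):
                main = (info.filename, info.file_size)
    return files, (main[0] if main else None)

def sample_ipa():
    """Constructed IPA: names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Example.app/Example", b"\xca\xfe\xba\xbe" + b"\0" * 4096)
        z.writestr("Payload/Example.app/Info.plist", b"bplist00" + b"\0" * 64)
        z.writestr("Payload/Example.app/cache.db", b"SQLite format 3\x00" + b"\0" * 512)
        z.writestr("Payload/Example.app/CodeResources", b"<?xml version=\"1.0\"?><plist/>")
    return buf.getvalue()
```

The extensionless `CodeResources` entry in the sample shows why the size comparison is needed: "no extension" alone does not single out the executable.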