Slicing into Apple: iPhone Reverse Engineering
Ryan Permeh, Trace Team, McAfee
Introduction
- Reverse engineering is taking a finished product and working back towards its constituent artifacts
- Gives us a peek behind the curtains of software
- Helpful for a variety of legitimate uses
  - Better understanding how software works
  - Recovering lost knowledge
  - Interfacing to closed systems
  - Finding security issues
- May be used illegally
  - DMCA, software piracy, IP theft
Skill Outlay
- Reverse engineering is a very technical subject
- Requires a deep understanding of several topics
  - Hardware architecture
  - Software architecture
  - Operating system internals
  - Assembly language
  - Higher level languages
  - Compiler, linker, and loader internals
  - Debugging
- The better you understand how software is made, the easier it is to reverse engineer it.
Jailbreak your iPhone
- You really need to be jailbroken to have a platform to work from
- Jailbreak breaks signing requirements for applications
- Opens the phone up to a variety of new uses
  - Run software from other sources
  - Develop software without the need for Apple Developer cost
  - Allows you access to the internals of the iPhone
- Jailbreak for 4.3.3 and beyond
  - This changes often, so do your research
  - Jailbreaking happens via an exploit, leveraged to patch the kernel
- Install Cydia and use that to install your tools
  - gcc/gdb
  - SSH access
  - class-dump
  - Whatever else you want
Tools used
- Reverse engineering leverages several tools to get a better understanding of the code
- Disassembler
  - Parses finished code into assembly language
  - Understand and visualize program flow
  - Provides cross references, searching, and other useful tools
  - We use IDA Pro 6.0 in these examples
- Debugger
  - Offers a view of the program at runtime
  - Helpful for dynamic analysis
  - Can tie into other reverse engineering artifacts
  - We use gdb in these examples
Tools - iPhone Specific
- Clutch - http://clutch.hackulo.us
  - Tool to crack software
  - Handles decrypting binaries automatically
- class-dump - http://www.codethecode.com/projects/class-dump/
  - Dumps internal Objective-C objects
  - Helps understand interfaces and objects in the project
- itunnel - http://www.cs.toronto.edu/~jingsu/itunnel/
  - Useful for connecting from a host machine directly to a jailbroken iPhone
  - For Windows and Unix (Windows: search for itunnel.exe)
  - Used in lieu of a Wi-Fi connection
Hardware
- Processor: ARM Cortex A8
  - Developed by Apple and Samsung
  - Latest devices use the A4 designation
  - 32-bit RISC architecture
  - Uses Thumb extensions
- Radio functionality
  - 3G
  - Wi-Fi
  - Bluetooth
  - Nordic Semiconductor proprietary chipset
- Camera
- Touch screen
Operating System
- iOS (previously iPhone OS) is currently at 4.3.3
- Darwin-based kernel
  - Unix platform
  - Ships drivers for all hardware
- OS version defines support for various features
  - iOS 4 brought multitasking, Game Center
  - iOS 3 brought video, improved GPS
- Security mechanisms
  - Code signing
  - Sandboxing
Programming on the iPhone
- Objective-C
  - A superset of the C language
  - Uses an object-oriented model
  - Uses messages instead of calls
  - Uses late runtime binding of objects
- Cocoa
  - AppKit: graphics that fit UI guidelines
  - Foundation Kit: containers, value manipulation
iPhone Binary Format
- Uses the Mach-O format
- Comprised of
  - a standard header
  - a series of load commands
  - a series of segments
  - sections within the segments
- The process of loading is
  - Loader recognizes the header
  - Processes each load command
  - Expands each segment
  - Maps each section to memory
- Universal binaries pair multiple platforms in one package
  - iPhone binaries often have both ARMv6 and ARMv7
Examining a Binary
- Key steps to disassemble an iPhone binary
  - Get the binary
  - Put it on the phone
  - Decrypt the segments
  - Transfer it off the phone
  - Load it in your disassembler
  - PROFIT!
Getting the Binary
- You can get the binary in a number of ways
  - Download via iTunes
  - Use the App Store app on the device
  - iPhone backup
  - Find a third-party place (be careful)
- Binary locations
  - iTunes: My Music\iTunes\iTunes Media\Mobile Applications
  - On phone: /Applications and /private/var/mobile/Applications
Getting Files On and Off the Phone
- If you downloaded from the App Store, you can skip this step
- iTunes
  - Do a simple sync
- Third party (and getting apps off the phone)
  - Use SCP or iPhone Browser
  - Clutch puts binaries here: /var/root/Documents/Cracked/
Decrypt the Segments
- App Store iPhone binaries are encrypted and signed
  - Tied to the phone they are to be installed on
  - Code segments are encrypted, so they look like gibberish
- We need a way to decrypt
- The hard way
  - Calculate encryption offsets
  - Run the program with the debugger
  - Dump the unencrypted memory segment
  - Patch the binary with the unencrypted segment
  - Update references to crypto
- The easy way
  - Clutch
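The Mach-O layout described above (header, load commands, segments, universal wrapper) and the "calculate encryption offsets" step both come down to walking the load commands. The following is an added example, not code from the talk or from Clutch: a small Python parser that reads a 32-bit Mach-O image (thin or inside a fat wrapper), collects its LC_SEGMENT entries and reports the LC_ENCRYPTION_INFO range, which is what an analyst checks to confirm whether a dumped binary is still encrypted (cryptid != 0). The constants are the standard values from Apple's loader.h and fat.h; the sample images are constructed in memory, and cputype 12 / subtypes 6 and 9 (ARM, ARMv6, ARMv7) are assumed to be what the page means by "ARM 6 and ARM 7".

```python
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O header magic (<mach-o/loader.h>), little-endian on ARM
FAT_MAGIC = 0xCAFEBABE         # universal (fat) wrapper (<mach-o/fat.h>); its header is big-endian
LC_SEGMENT = 0x1               # 32-bit segment load command
LC_ENCRYPTION_INFO = 0x21      # describes the App Store-encrypted byte range of the image

def parse_macho(blob, base=0):
    """Walk the header and load commands of one 32-bit image starting at `base`."""
    magic, cputype, _, _, ncmds, _, _ = struct.unpack_from("<7I", blob, base)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O image")
    info = {"cputype": cputype, "segments": [], "encryption": None}
    off = base + 28                                   # sizeof(struct mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT:
            name = blob[off + 8:off + 24].rstrip(b"\0").decode()
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<4I", blob, off + 24)
            info["segments"].append((name, vmaddr, fileoff, filesize))
        elif cmd == LC_ENCRYPTION_INFO:
            # cryptid == 0 means the range is plaintext (what a decrypted dump should show)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
            info["encryption"] = {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize                                # next command follows immediately
    return info

def parse_binary(blob):
    """Return one parsed image per architecture: fat wrapper or bare thin image."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return [parse_macho(blob)]
    nfat = struct.unpack_from(">I", blob, 4)[0]
    archs = [struct.unpack_from(">5I", blob, 8 + i * 20) for i in range(nfat)]  # struct fat_arch
    return [parse_macho(blob, offset) for _, _, offset, _, _ in archs]

def build_sample(cryptid, cpusubtype=9):
    """Constructed minimal image: header, one __TEXT segment, LC_ENCRYPTION_INFO (cputype 12 = ARM)."""
    seg = struct.pack("<2I16s4I2i2I", LC_SEGMENT, 56, b"__TEXT", 0x1000, 0x2000, 0, 0x2000, 7, 5, 0, 0)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    hdr = struct.pack("<7I", MH_MAGIC, 12, cpusubtype, 2, 2, len(seg) + len(enc), 0)
    return hdr + seg + enc

def build_fat(images):
    """Constructed universal wrapper; images is a list of (thin_bytes, cpusubtype), ARMv6 = 6, ARMv7 = 9."""
    off, archs, body = 8 + 20 * len(images), b"", b""
    for img, sub in images:
        archs += struct.pack(">5I", 12, sub, off + len(body), len(img), 0)
        body += img
    return struct.pack(">2I", FAT_MAGIC, len(images)) + archs + body
```

On a real file, `parse_binary(open(path, "rb").read())` gives the same view as `otool -l` restricted to these two commands; a Clutch-produced binary should show cryptid 0 for every architecture.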
Load It into the Disassembler
- Unpack the Clutch output .ipa
  - .ipa files are just zip files; you can rename them to .zip
  - Should have a directory structure: /some GUID /App files
  - The app is probably the largest file and has no extension
- Explore other files
  - Use a plist editor to examine .plist files
  - DB/data files are often SQLite
- Load the file into the disassembler
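The unpacking step above, as an added example that is not part of the talk: the .ipa is opened as a zip in memory, the app executable is picked out as the largest member without an extension, .plist files are parsed with plistlib, and data files are recognised as SQLite by their file-format magic. The bundle layout Payload/Demo.app/ and all file contents are constructed for the example.

```python
import io
import plistlib
import zipfile

def build_sample_ipa():
    """Constructed .ipa (a plain zip) with the Payload/<App>.app layout assumed here."""
    info = plistlib.dumps({"CFBundleExecutable": "Demo", "CFBundleIdentifier": "com.example.demo"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", info)
        z.writestr("Payload/Demo.app/Demo", b"\xce\xfa\xed\xfe" + b"\0" * 4000)  # stand-in Mach-O
        z.writestr("Payload/Demo.app/data.db", b"SQLite format 3\0" + b"\0" * 100)
        z.writestr("Payload/Demo.app/icon.png", b"\x89PNG" + b"\0" * 50)
    return buf.getvalue()

def inspect_ipa(data):
    """The rename-to-zip step done in memory: locate the executable, plists and SQLite files."""
    report = {"executable": None, "plists": {}, "sqlite": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = [m for m in z.infolist() if not m.is_dir()]
        # The app binary is normally the largest member whose name has no extension.
        bare = [m for m in members if "." not in m.filename.rsplit("/", 1)[-1]]
        if bare:
            report["executable"] = max(bare, key=lambda m: m.file_size).filename
        for m in members:
            with z.open(m) as f:
                head = f.read(16)
            if m.filename.endswith(".plist"):
                report["plists"][m.filename] = plistlib.loads(z.read(m))
            elif head == b"SQLite format 3\0":  # the 16-byte SQLite file-format magic
                report["sqlite"].append(m.filename)
    return report
```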
iPhone Binary Internals
- Uses Objective-C and Cocoa
  - Calls are non-obvious
  - Use the Python tool to fix up calls
  - Reanalyze with the new markup
- Code is ARM assembler
- Areas to look at
  - Strings
  - Areas of import
  - Network calls
  - Crypto
  - Calls to key iPhone areas (mail, SMS, calendar, etc.)
  - Key functionality per app
- Graphs help understand flow