Your SlideShare is downloading. ×
Slicing into Apple: iPhone Reverse Engineering
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Slicing into Apple: iPhone Reverse Engineering

13,097
views

Published on

SOURCE Seattle 2011 - Ryan Permeh

SOURCE Seattle 2011 - Ryan Permeh

Published in: Technology, News & Politics

2 Comments
14 Likes
Statistics
Notes
No Downloads
Views
Total Views
13,097
On Slideshare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
294
Comments
2
Likes
14
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Slicing into Apple: iPhone Reverse Engineering
    Ryan PermehTrace TeamMcAfee
  • 2. Introduction
    Reverse engineering is taking a finished product and working back towards it’s constituent artifacts
    Gives us a peek behind the curtains of software
    Helpful for a variety of legitimate uses
    Better understanding how software works
    Recovering lost knowledge
    Interfacing to closed systems
    Finding security issues
    May be used illegally
    DCMA, software piracy, IP theft
  • 3. Skill Outlay
    Reverse engineering is a very technical subject
    Requires a deep understanding of several topics
    Hardware Architecture
    Software Architecture
    Operating system internals
    Assembly language
    Higher level languages
    Compiler, linker, and loader internals
    Debugging
    The better you understand how software is made, the easier it is to reverse engineer it.
  • 4. JailBreak your iPhone
    You really need to be jailbroken to have a platform to work from
    Jailbreak breaks signing requirements for applications
    Opens the phone up to a variety of new uses
    Run software from other sources
    Develop software without need for Apple Developer cost
    Allows you access to the internals of the iPhone
    Jailbreak for 4.3.3 and beyond
    This changes often, so do your research
    Jailbreaking happens via an exploit, leveraged to patch the kernel
    Install Cydia and use that to install your tools
    Gcc/gdb
    SSH access
    Class-dump
    Whatever else you want
  • 5. Tools used
    Reverse engineering leverages several tools to get a better understanding of the code
    Disassembler
    Parses finished code into assembly language
    Understand and visualize program flow
    Provides cross references, searching, and other useful tools
    We use IDA Pro 6.0 in these examples
    Debugger
    Offers a view of the program at runtime
    Helpful for dynamic analysis
    Can tie into other reverse engineering artifacts
    We use gdb in these examples
  • 6. Tools - iPhone Specific
    Clutch – http://clutch.hackulo.us
    Tool to crack software
    Handles decrypting binaries automatically
    class-dump - http://www.codethecode.com/projects/class-dump/
    Dumps internal Objective-C objects
    Helps understand interfaces, objects in project
    Itunnel - http://www.cs.toronto.edu/~jingsu/itunnel/
    Useful for connecting from a host machine directly to a jailbrokeniphone
    For windows and unix (windows – search for itunnel.exe)
    Used in lieu of a WIFI connection
  • 7. Inside the iPhone
  • 8. Hardware
    Processor: ARM Cortex A8
    Developed by Apple and Samsung
    Latest devices use A4 designation
    32 bit RISC architecture
    Uses thumb extensions
    Radio functionality
    3g
    Wifi
    Bluetooth
    Nordic Semiconductor proprietary chipset
    Camera
    Touch Screen
  • 9. Operating System
    iOS(previously iPhone OS) is currently at 4.3.3
    Darwin based kernel
    Unix platform
    Ships drivers for all hardware
    OS versions defines support for various features
    iOS 4 brought multitasking, Game Center
    iOS 3 brought video, improved GPS
    Security Mechanisms
    Code Signing
    Sandboxing
  • 10. Programming on the iPhone
    Objective-C
    A superset of the C language
    Uses an Object oriented model
    Uses messages instead of calls
    Uses late runtime binding of objects
    Cocoa
    Appkit
    Graphics that fit UI guidelines
    FoundationKit
    Containers
    Value manipulation
  • 11. iPhone Binary Format
    Uses MACH-O format
    Comprised of
    a standard header
    a series of load commands
    a series of segments
    Sections within the segments
    The process of loading is
    Loader recognizes header
    Processes each load command
    Expands each segment
    Maps each section to memory
    Universal Binaries pair multiple platforms in one package
    iPhone binaries often have both ARM 6 and ARM 7
  • 12. Examining a Binary
    Key Steps to Disassemble an iPhone Binary
    Get the Binary
    Put it on the phone
    Decrypt the segments
    Transfer it off the phone
    Load it in your Disassembler
    PROFIT!
  • 13. Getting the Binary
    You can get the binary in a number of ways
    Download via iTunes
    Use iPhone Store app on device
    iPhone Backup
    Find third party place (be careful)
    Binary locations
    Itunes:
    My MusiciTunesiTunes MediaMobile Applications
    On Phone:
    /Applications
    /private/var/mobile/Applications
  • 14. Getting Files On and Off the Phone
    If you downloaded from the appstore, you can skip this step
    Itunes
    Do a simple sync
    Third party (and getting apps off the phone)
    Use SCP or iPhone Browser
    Clutch puts binaries here
    /var/root/Documents/Cracked/
  • 15. WinSCP Demo
    Demo 1
  • 16. Installing From the Appstore
    Demo 2
  • 17. Decrypt the segments
    Appstore iPhone binaries are encrypted and signed
    Tied to the phone it is to be installed on
    Code segments are encrypted, so look like gibberish
    We need a way to decrypt
    The hard way
    Calculate encryption offsets
    Run program with debugger
    Dump unecrypted memory segment
    Patch binary with unecrypted segment
    Update references to crypto
    The easy way
    Clutch
  • 18. Clutch Demo
    Demo 3
  • 19. Load It into the Disassembler
    Unpack the clutch output ipa
    Ipa files are just zip files, you can rename them to .zip
    Should have a directory structure
    /some GUID
    /App files
    App is probably the largest file, has no extension
    Explore other files
    Use plist editor to examine .plist files
    DB/data files often SQLLite
    Load File into the Disassembler
  • 20. Unpacking the IPA
    Demo 4
  • 21. iPhone Binary Internals
    Uses Objective-C and Cocoa
    Calls are non-obvious
    Use python tool to fixup calls
    Reanalyze with new markup
    Code is ARM assembler
    Areas to look at
    Strings
    Areas of import
    Network calls
    Crypto
    Calls to key iPhone areas (mail, sms, calendar, etc)
    Key functionality per app
    Graphs help understand flow
  • 22. Analyzing the Binary
    Demo 5
  • 23. Questions?
    Ryan_Permeh@mcafee.com
    http://www.mcafee.com