The aim of this talk is to build a bridge between the mundane methodologies and vulnerabilities that everyone can find (and that are now being defended against), and a new approach that finds additional bugs that require assembly knowledge to discover.
The talk looks at the fundamentals of reversing, a primer on iOS architecture, binary patching, reversing Mach-O binaries, and ends with some real-world examples involving bypassing jailbreak detection.
Bridge gap: between the mundane methodologies and vulnerabilities and a new approach that finds additional bugs that require assembly knowledge to discover.
See also iExplorer
Exercise caution
May not be compatible with tweaks, and you may end up losing your jailbreak
Copy binary you need
UDID from iTunes
Often stores application preferences in /Library/Preferences using the NSUserDefaults class
Application uses UIWebView to render content.
Application registers custom URL scheme
Application invoked when scheme is called
Recall the bug in Skype that allowed calls via the protocol handler without the user's consent
Remote iOS Debugger plugin
Allows users to debug iOS target applications directly from IDA
debugserver not configured on device by default
attach the device to Xcode and enable debugging
thin the binary for your device's architecture
slap on entitlements
See paper at end for details on configuration
All processes share the same copy of dyld_shared_cache
- It’s only loaded once
Kernel
- Allocate virtual memory
- Create main thread
- Code Signing
- Encryption
LC_SEGMENT
instructs the kernel how to set up the memory space of the newly run process.
“segments” are directly loaded from the Mach-O binary into memory.
Kernel loader bsd/kern/mach_loader.c
Memory regions with same r/w/x protection
__RESTRICT segment with __restrict section
__PAGEZERO
- 32-bit systems: corresponds to a single page of memory (4KB)
- 64-bit systems: the entire 32-bit address space, i.e. the first 4GB
- All access permissions revoked
LC_UNIXTHREAD/LC_MAIN defines entry point
LC_ENCRYPTION_INFO
LC_CODE_SIGNATURE
Interposing: inject/replace functions
See DYLD_INSERT_LIBRARIES as used by dumpdecrypted
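To make the loader material above concrete, here is an added Python example (not code from the talk) that walks the load commands of a constructed 64-bit Mach-O header and pulls out the items just listed: the __PAGEZERO segment, LC_MAIN, LC_ENCRYPTION_INFO, LC_CODE_SIGNATURE and the __RESTRICT segment. The sample bytes are constructed inline; checking only the __RESTRICT segment name (not its __restrict section) and handling only the 64-bit command variants are simplifications of this example.

```python
import struct
# Load-command constants from <mach-o/loader.h>
MH_MAGIC_64, LC_SEGMENT_64, LC_MAIN = 0xFEEDFACF, 0x19, 0x80000028
LC_CODE_SIGNATURE, LC_ENCRYPTION_INFO_64 = 0x1D, 0x2C

def parse_load_commands(blob):
    """Walk a little-endian 64-bit Mach-O's load commands and return what the
    kernel loader/dyld act on: segments, LC_MAIN entry, cryptid, signature."""
    hdr = struct.unpack_from("<8I", blob, 0)       # struct mach_header_64
    if hdr[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    info = {"segments": {}, "entry": None, "encrypted": False, "signed": False}
    off = 32                                       # sizeof(mach_header_64)
    for _ in range(hdr[4]):                        # hdr[4] == ncmds
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_SEGMENT_64:                   # segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot
            name, vmaddr, vmsize, _, _, _, initprot = struct.unpack_from("<16s4Q2i", blob, off + 8)
            info["segments"][name.rstrip(b"\0").decode()] = (vmaddr, vmsize, initprot)
        elif cmd == LC_MAIN:                       # entryoff is the first field
            info["entry"] = struct.unpack_from("<Q", blob, off + 8)[0]
        elif cmd == LC_ENCRYPTION_INFO_64:         # cryptoff, cryptsize, cryptid
            info["encrypted"] = struct.unpack_from("<3I", blob, off + 8)[2] != 0
        elif cmd == LC_CODE_SIGNATURE:
            info["signed"] = True
        off += cmdsize                             # cmdsize carries us to the next command
    return info

def triage(info):
    """Reverser's checklist derived from the parsed load commands."""
    pz = info["segments"].get("__PAGEZERO")
    return {
        # 64-bit: __PAGEZERO should cover the whole low 4 GB with no r/w/x
        "pagezero_4gb_no_access": pz is not None and pz[1] == 0x100000000 and pz[2] == 0,
        "needs_decrypted_dump": info["encrypted"],  # cryptid != 0: static tools see ciphertext
        "dyld_insert_blocked": "__RESTRICT" in info["segments"],  # dyld ignores DYLD_INSERT_LIBRARIES
        "has_code_signature": info["signed"],
    }

def _seg(name, vmaddr, vmsize, prot):              # segment_command_64 with nsects == 0
    return struct.pack("<II16s4Q2iII", LC_SEGMENT_64, 72, name, vmaddr, vmsize, 0, 0, prot, prot, 0, 0)

# Constructed sample: header and load commands of an arm64 executable, no code
_CMDS = (_seg(b"__PAGEZERO", 0, 0x100000000, 0)
         + _seg(b"__TEXT", 0x100000000, 0x4000, 5)          # r-x
         + _seg(b"__RESTRICT", 0x100004000, 0x4000, 1)      # r--
         + struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, 1, 0)  # cryptid = 1
         + struct.pack("<IIQQ", LC_MAIN, 24, 0x1234, 0)
         + struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x8000, 0x200))
SAMPLE = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 6, len(_CMDS), 0, 0) + _CMDS
```

Run `triage(parse_load_commands(SAMPLE))` on the constructed image, or feed it the bytes of a thinned arm64 binary pulled from a device.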
The XNU kernel is at the heart of OS X/iOS
The heart of XNU is the Mach microkernel
processor_set_tasks – Controls a processor group (usually the cores of a single CPU)
XNU abstraction to scale to multiprocessor/multicore architectures.
A trap is an exception raised by executing a special instruction
CPSR – Current Program Status Register
ARM – instructions are 32 bits wide
THUMB – 16/32 bits wide
PC – Like EIP/RIP
SP (Stack Pointer) – Like ESP
Load/store architecture
Plugin for Hopper that automates this
https://github.com/keith/hopper-swift-demangle
TBNZ test the bit to determine if i
A process ID value of 1 indicates that there is no parent process associated with the calling process.
sysctl - Get or set kernel state
CTL_KERN - top-level name for kernel-specific information
KERN_PROC - Indicates that sysctl will return a struct with process entries.
KERN_PROC_PID - specifies that the target process will be selected based on a process ID (PID).
- Finally, the last item is the PID of that process.