Beyond The ‘Cript: Practical iOS Reverse Engineering


1 Beyond The ‘Cript: Practical iOS Reverse Engineering
Michael Allen Security Consultant

2 Why This Talk?
Apps are more hardened against common attacks
Bridge the gap
Deeper understanding of what happens under the hood
Foundation for additional research
Bridge the gap: between the mundane methodologies and vulnerabilities and a new approach that finds additional bugs, ones that require assembly knowledge to discover.

3 Outline/Agenda
Building A General Toolkit
iOS Application Assessment 101
  Usual results
  “New” approach
The Reverse Engineer’s Toolkit
Reverse Engineering iOS Applications
  Mach-O Binary Format
  Mach Tasks
  ARM(32/64)
  Objective-C
  Swift
Identifying and bypassing Simple Jailbreak Detection Routines
Conclusion

4 Outline/Agenda
Building A General Toolkit
iOS Application Assessment 101
The Reverse Engineer’s Toolkit
Reverse Engineering iOS Applications
Identifying and bypassing Simple Jailbreak Detection Routines
Conclusion

5 Building A General Toolkit
Jailbroken Device
File System
Network
Instrumentation
Automating Common Tasks
Essentials

6 Jailbroken Device
Removing the software restrictions imposed by iOS through the use of software exploits
Recommend a dedicated device for testing
Latest jailbreak: Pangu (iOS 9.2 – bit devices only)

7 Jailbroken Device (contd.)
Tethered: does not persist across reboots; requires a computer to start the device
Untethered: persists on the device across reboots
Semi-tethered: requires a computer to start into the jailbroken state; rebooting or starting the device without assistance is possible, but it boots into a non-jailbroken state

8 Jailbroken Device (ProTip)
Change the default root password from alpine
Access the device over USB using usbmuxd: sudo python tcprelay.py -t 22:22
Generate SSH keys: ssh-keygen -t rsa -f ~/.ssh/ironman -N ""
Copy the public key to the device: ssh-copy-id -i ~/.ssh/ironman.pub
Create an alias in ~/.ssh/config

9 File System: Moving Files
iFunbox
iExplorer
sftp

10 Network: BurpSuite Pro Intercepting Proxy

11 Network: SSL Kill Switch 2
“Disables SSL certificate validation - including certificate pinning - within iOS Apps.”

12 Instrumentation: Cycript
Injects into the target process
Interactive console
Objective-C and JavaScript syntax
Supported platforms: iOS, Mac OS X
NowSecure fork where the runtime is powered by Frida (Cycript on steroids)

13 Instrumentation: Cycript (contd.)

14 Instrumentation: Frida
Injects Google’s V8 engine into the target process
JavaScript executed with full access to memory
Function hooking
Access to native methods
Inject into a starting process
Multiple platforms (Windows, Mac, Linux, iOS and Android)

15 Instrumentation: Frida (contd.)
Method tracing

16 Automating Common Tasks
Idb Tool, Snoop-IT, iRet, IntroSpy, AppMon, Needle
Varying levels of support

17 Automating Common Tasks: Idb Tool
“idb is a tool to simplify some common tasks for iOS app security assessments and research.”
Provides general app info
URL handler
Keychain dumping
Pasteboard
Logging

18 Automating Common Tasks: Idb Tool (contd.)

19 Essentials: Command Line Utilities
BigBoss Recommended Tools (Cydia)
Erica Utilities (Cydia)
Jonathan Levin compiled a number of commonly used binaries for iOS

20 Essentials: iOSBinpack (Jonathan Levin)
Listing of available tools
Exercise caution: it may not be compatible with tweaks and you may end up losing the jailbreak
Copy only the binary you need

21 Outline/Agenda
Building A General Toolkit
iOS Application Assessment 101
The Reverse Engineer’s Toolkit
Reverse Engineering iOS Applications
Identifying and bypassing Simple Jailbreak Detection Routines
Conclusion

22 Common Attack Vectors: Sniffing On A Remote Virtual Interface
UDID from iTunes

23 Common Attack Vectors: Sniffing On A Remote Virtual Interface (contd.)

24 Common Attack Vectors: Insecure Storage
Property list files (.plist)
SQLite databases
Keychain
Snapshots
Cache

25 Insecure Storage: Property Lists (.plist)
Stores serialized objects as key-value pairs
May be compacted to bplist (binary plist); convert back to XML with: cat filename.plist | plutil -convert xml1 - -o -
Often stores application preferences in /Library/Preferences via the NSUserDefaults class

26 Insecure Storage: Client-Side Data Stores
Often see SQLite being used for client-side storage
Lightweight client-side database
Query using SQL

27 Insecure Storage: Fun Fact About SQLite Data Stores
Delete doesn’t do what you think
Deleted data is added to the free list
Free records are not overwritten until more space is required
End result: data may not be overwritten for a while
May be recovered with SQLite-parser
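An added example (not from the talk) that makes the free-list behaviour visible and shows the two mitigations a developer has: deleting a row, then scanning the raw database file for the "deleted" bytes the way a forensic parser would, with and without PRAGMA secure_delete or VACUUM. The marker value and table are constructed for the demo; on SQLite builds compiled with secure delete on by default (some Linux distributions) the plain-delete case already reports no residue.

```python
import os
import sqlite3
import tempfile

# Constructed marker standing in for a secret an app might write to its
# client-side store (for example a session token).
MARKER = b"SESSION-TOKEN-constructed-0123456789"


def residue_after_delete(mitigation=None):
    """Insert a row holding MARKER, delete it, then scan the raw database
    file for the bytes. Returns True if the 'deleted' value is still on disk.

    mitigation: None            -> plain DELETE (record only joins the free list)
                "secure_delete" -> PRAGMA secure_delete=ON zero-fills freed content
                "vacuum"        -> VACUUM after the DELETE rebuilds the file
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        if mitigation == "secure_delete":
            con.execute("PRAGMA secure_delete = ON")
        con.execute("CREATE TABLE creds (id INTEGER PRIMARY KEY, token BLOB)")
        con.execute("INSERT INTO creds (token) VALUES (?)", (MARKER,))
        con.commit()
        con.execute("DELETE FROM creds WHERE id = 1")
        con.commit()
        if mitigation == "vacuum":
            con.execute("VACUUM")
        con.close()
        # Read the file the way a forensic tool would: raw bytes, no SQL.
        with open(path, "rb") as fh:
            return MARKER in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    for m in (None, "secure_delete", "vacuum"):
        print(f"{m or 'plain delete':>14}: residue on disk = {residue_after_delete(m)}")
```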

28 Insecure Storage: Dumping The Keychain
SQLite database stored in /var/Keychains

29 Insecure Storage: Snapshots

30 Insecure Storage: Inspecting The Cache
The Caches directory serves a similar function to a web browser’s cache
Aimed at improving performance
May store web cache content when the application uses UIWebView to render content

31 Insecure Storage: Dumping Binary Cookies
Created by the URL loading system or a webview
Stored on the local file system in binary format

32 Common Attack Vectors: Inter-process Communication
Application registers a custom URL scheme
Application is invoked when the scheme is called
Recall the bug in Skype that allowed calls via the protocol handler without the user’s consent

33 Common Attack Vectors: Inter-process Communication (contd.)
Suggest using lsdtrip to identify URLs
Use the publicurls | privateurls option

34 Inter-process Communication (Side Note)
A malicious app could register your URL scheme: [[UIApplication sharedApplication] openURL:myURL];
Universal Links, introduced in iOS 9, kill the openURL problem
Developer specifies which URLs will be processed by the app (association file)
Communication over HTTPS
No more enumerating apps via the canOpenURL method

35 Common Attack Vectors: Injection Attacks
UIWebViews
File-handling routines
XML

36 Summary: Usual Results
Issues relating to local storage (keep in mind most of these attacks require the device to be unlocked)
Unsecured APIs (via Burp Suite Pro)
Maybe some hard-coded secrets (typically found by running strings against the binary)
The truth, however, is that most of these bugs have been closed:
Binary protections are now standard
Data Protection APIs (keychain etc.)
Universal links introduced with iOS 9 address the IPC loophole
…

37 Additionally, What Happens When?
The common tools fail?
Your Google-fu returns nothing?
There are custom security protections in place?
You want to extend an existing tool?
You want to start investigating deeply hidden logic bugs, crypto functions etc.?
You want to move beyond 3rd party applications?

38 Towards A “New” Approach
At this point we need to take a different approach, one that involves reverse engineering and leverages knowledge of:
iOS internals
ARM(32/64) assembly
A deep dive into Objective-C/Swift
…
Let’s improve our toolkit and expand our knowledge base

39 Outline/Agenda
Building A General Toolkit
iOS Application Assessment 101
The Reverse Engineer’s Toolkit
Reverse Engineering iOS Applications
Identifying and bypassing Simple Jailbreak Detection Routines
Conclusion

40 The Reverse Engineer’s Toolkit
IDA Pro
Hopper
LLDB
jtool
procexp
GNU Project Debugger (gdb)
Apple CC Tools

41 The Reverse Engineer’s Toolkit: IDA Pro
Remote iOS Debugger plugin
Allows users to debug iOS target applications directly from IDA

42 The Reverse Engineer’s Toolkit: Hopper

43 The Reverse Engineer’s Toolkit: lldb
Debugging an application binary with lldb
iOS device: debugserver -x backboard ip:port </path/to/executable>
Mac host: lldb, then process connect connect://<remote_host>:<port>
image list -o -f (shows the ASLR slide of each image)
debugserver is not configured on the device by default: attach the device to Xcode, enable debugging, thin the binary for your device, slap on entitlements
See the paper at the end for details on configuration

44 The Reverse Engineer’s Toolkit: lldb (contd.)

45 The Reverse Engineer’s Toolkit: lldb ASLR (contd.)
Breakpoint = offset1 + offset2
Or just use the symbols

46 The Reverse Engineer’s Toolkit: jtool
otool-type functionality with way more options
Mach-O analysis (atos, dyldinfo, nm, strings etc.)
Multi-platform (OS X, iOS, Linux)
ARM64 disassembler

47 The Reverse Engineer’s Toolkit: jtool (contd.)

48 The Reverse Engineer’s Toolkit: jtool (bonus)
All processes share the same copy of dyld_shared_cache; it’s only loaded once

49 The Reverse Engineer’s Toolkit: procexp
Getting task-related info
Display threads, Mach ports, dump core (memory image) etc.

50 The Reverse Engineer’s Toolkit: gdb
Use source from
No support for arm64 architectures

51 The Reverse Engineer’s Toolkit: filemon
Tracing file system activity with FSEvents

52 Apple’s CC Tools
otool: Mach-O binary Swiss army knife
nm: displays the symbol table
lipo: architectures embedded in the binary
codesign: binary signing

53 Outline/Agenda
Building A General Toolkit
iOS Application Assessment 101
The Reverse Engineer’s Toolkit
Reverse Engineering iOS Applications
Identifying and bypassing Simple Jailbreak Detection Routines
Conclusion

54 Reverse Engineering iOS Applications (Under The Hood)
Mach-O Binary Format
Mach Tasks
ARM(32/64)
Objective-C
Swift
XNU: BSD – files, processes etc.; Mach microkernel – tasks, memory, IPC primitives; IOKit – kernel extensions
ELF – Executable and Linkable Format (the Linux counterpart of Mach-O)

55 Mach-O Binary Format

56 Application Binary Location By iOS Version
< iOS 8: /var/mobile/Application/<app bundle id>
iOS 8+: /var/mobile/Containers/Bundle/Application/<app bundle id> (app binary, nibs, code signature) and /var/mobile/Containers/Data/Application/<app bundle id> (Documents, Library, tmp folder)
iOS 9.3.x: /var/containers/Bundle/Application/<app bundle id> (app binary)

57 Mach-O Binary
Header – identifies file type, architecture etc.
Load Commands – detail layout and linkage specifications
Data – code

58 Mach-O: Header <mach-o/loader.h>

59 Mach-O: Flags
PIE: commonly checked flag during an assessment; enables ASLR for executable types

60 Mach-O: Load Commands (Kernel)
LC_SEGMENT[_64] is the main load command: memory regions with the same r/w/x protection (<mach-o/loader.h>)
Kernel: allocate virtual memory, create the main thread, code signing, encryption
LC_SEGMENT instructs the kernel how to set up the memory space of the newly run process; “segments” are loaded directly from the Mach-O binary into memory
Kernel loader: bsd/kern/mach_loader.c

61 Mach-O: Segments
__PAGEZERO (NULL pointer trap, all access permissions revoked)
__TEXT (program code)
__DATA (readable/writeable program data)
__LINKEDIT (symbol and other tables used by the linker)
__RESTRICT (see dyld.cpp; with a __restrict section present, dyld will not honour DYLD_INSERT_LIBRARIES)
Optional sections
Segments are memory regions with the same r/w/x protection
__PAGEZERO: on 32-bit systems corresponds to a single page of memory (4KB); on 64-bit systems to the entire 32-bit address space, i.e. the first 4GB; all access permissions revoked

62 Mach-O: Common Segments and Sections

63 Mach-O: Viewing Segments and Sections
LC_UNIXTHREAD/LC_MAIN defines the entry point
LC_ENCRYPTION_INFO
LC_CODE_SIGNATURE

64 MachOView (GUI)

65 Mach-O: Load Commands (dyld)
Kernel hands off to dyld (the dynamic linker)
Uses the dynamic linker specified in LC_LOAD_DYLINKER
Loads each LC_LOAD_DYLIB
Resolves symbols
Interposing (method switching): add an __interpose section to the __DATA segment
Force library loading with DYLD_INSERT_LIBRARIES; code with __attribute__((constructor)) runs automatically
Interposing injects/replaces functions
See DYLD_INSERT_LIBRARIES as used by dumpdecrypted
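An added example (not from the talk) of walking the header and load commands described in slides 57 to 65, in the spirit of what otool/jtool/MachOView print: it reads the 64-bit header, reports the PIE flag, lists LC_SEGMENT_64 entries with their protection, notes a __RESTRICT segment, whether LC_ENCRYPTION_INFO_64 still says the binary is encrypted (cryptid != 0), the LC_CODE_SIGNATURE and the LC_MAIN entry offset. The constants are the values from <mach-o/loader.h>; the sample binary is constructed inline (header and load commands only, no code) so the parser can be run offline.

```python
import struct

# Constants from <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x200000
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
LC_ENCRYPTION_INFO_64 = 0x2C
LC_MAIN = 0x80000028

def prot_str(prot):
    """Render a vm_prot_t as r/w/x, the way otool and jtool print it."""
    return "".join(ch if prot & bit else "-" for bit, ch in ((1, "r"), (2, "w"), (4, "x")))

def parse_macho64(blob):
    """Walk a little-endian 64-bit Mach-O header and its load commands and return
    the facts an assessor checks: PIE, segments with their initial protection,
    encryption state, a __RESTRICT segment, code signature and LC_MAIN entry."""
    magic, cputype, _, filetype, ncmds, _, flags, _ = struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O header")
    info = {"cputype": cputype, "filetype": filetype, "pie": bool(flags & MH_PIE), "segments": [],
            "encrypted": False, "restrict": False, "code_signature": False, "entryoff": None}
    off = 32  # sizeof(struct mach_header_64); load commands follow immediately
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, _, _, _, initprot, _, _ = struct.unpack_from("<16sQQQQiiII", blob, off + 8)
            name = name.rstrip(b"\0").decode()
            info["segments"].append((name, vmaddr, vmsize, prot_str(initprot)))
            info["restrict"] |= name == "__RESTRICT"
        elif cmd == LC_ENCRYPTION_INFO_64:
            _, _, cryptid = struct.unpack_from("<III", blob, off + 8)
            info["encrypted"] = cryptid != 0  # cryptid is 0 once the binary has been decrypted
        elif cmd == LC_CODE_SIGNATURE:
            info["code_signature"] = True
        elif cmd == LC_MAIN:
            info["entryoff"] = struct.unpack_from("<Q", blob, off + 8)[0]
        off += cmdsize  # cmdsize lets us skip commands this parser does not understand
    return info

def _seg64(name, vmaddr, vmsize, initprot):
    body = struct.pack("<16sQQQQiiII", name, vmaddr, vmsize, 0, vmsize, 7, initprot, 0, 0)
    return struct.pack("<II", LC_SEGMENT_64, 8 + len(body)) + body

def sample_binary():
    """Constructed header + load commands of a PIE, still-encrypted arm64 executable."""
    cmds = (_seg64(b"__PAGEZERO", 0, 0x100000000, 0)
            + _seg64(b"__TEXT", 0x100000000, 0x4000, 5)
            + _seg64(b"__DATA", 0x100004000, 0x4000, 3)
            + _seg64(b"__RESTRICT", 0x100008000, 0x4000, 1)
            + struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, 1, 0)
            + struct.pack("<IIQQ", LC_MAIN, 24, 0x1234, 0)
            + struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x8000, 0x100))
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 7, len(cmds), MH_PIE, 0)
    return header + cmds

if __name__ == "__main__":
    for key, value in parse_macho64(sample_binary()).items():
        print(f"{key:>14}: {value}")
```

Point `parse_macho64` at the bytes of a real thin arm64 binary (after `lipo -thin arm64` on a fat file) to get the same report; a non-zero cryptid means the FairPlay-encrypted region has not been dumped yet.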

66 Mach Tasks

67 Mach Tasks
At this point the binary is mapped into memory
A task is the equivalent of a process on other systems
Port (IPC endpoint): own the port, own the task
Mach trap task_for_pid(): requires a jailbreak (tfp0 patch for the kernel, PID 0)
processor_set_tasks(): any task port in the system
The XNU kernel is at the heart of OS X/iOS; the heart of XNU is the Mach microkernel
processor_set_tasks controls a processor group (usually the cores on a single CPU), an XNU abstraction to scale to multiprocessor/multicore architectures
A trap is an exception raised by executing a special instruction

68 Mach Tasks – Interacting with the task
Get the task port
Read/write memory with the mach_vm* APIs
Inject your own shellcode
Left to your imagination

69 Mach Tasks – Owning The Port
* mach_vm_region returns information about a memory region in a given address space.

70 Mach Tasks – Dumping Memory
Write your own code and call the appropriate mach_vm* APIs
Use procexp <pid> regions

71 Mach Tasks – Dumping Memory
Read using lldb: memory read --outfile <outfile> --count <size> <address>

72 ARM Assembly

73 ARM32 - Registers
Register: Purpose
R0 – R12: general purpose registers
R13: stack pointer
R14: link register; holds the return address during a function call
R15: program counter (PC)
CPSR: Current Program Status Register; information on the current execution state (endianness bit, Thumb bit, mode bits)
ARM instructions are 32 bits wide; Thumb instructions are 16/32 bits wide
PC is like EIP/RIP; the stack pointer is like ESP

74 ARM32 – Function Calling Convention
Functions are invoked via B, BX, BL, BLX
Register: Purpose
r0-r3: first four function parameters; other arguments are passed on the stack
r0: stores the return value

75 ARM32 – Basic Loading Instructions
ARM is a load/store architecture: data must be loaded into registers before it can be used
LDR: loads a word. Ex. LDR R3, [R0] loads the word at the address held in R0 into R3
STR: stores a word. Ex. STR R3, [R4] takes the value in R3 and stores it at the memory address held in R4

76 ARM64 - Registers
Register: Purpose
x0-x28: general purpose registers (64 bit)
w0-w30: general purpose registers (32 bit)
x29: frame pointer
x30: link register (return address)
SP: stack pointer
PC: program counter

77 ARM64 – Function Calling Convention
Register: Purpose
x0-x7: arguments/return values
x9-x15: local variables
x19-x29: callee-saved registers

78 Objective-C

79 Objective-C: objc_msgSend
id objc_msgSend(id self, SEL op, …)
Equivalent of calling functions in C
Receiver (id self): a pointer to the class the message is intended for
Selector (SEL op): the method that handles the message

80 Objective-C (contd.)

81 Objective-C (contd.)
x0 – receiver
x1 – selector
x2 – argument
objc_msgSend – function call (ARM64)
-v -d objc retrieves info on classes, methods etc.

82 Objective-C: Method Swizzling Under The Hood
The objc_method struct holds information about a method of a class [/usr/include/objc/runtime.h]:
method_name – method name
method_types – accepted parameters
method_imp – pointer to the implementation
Hooking frameworks [/Library/Frameworks/CydiaSubstrate.framework]
CydiaSubstrate: MSHookMessageEx, MSHookFunction
Swizzling just changes the implementation using the underlying C functions: class_replaceMethod, method_exchangeImplementations, method_setImplementation

83 CydiaSubstrate Method Swizzling

84 SWIFT

85 Swift
Introduced with iOS 8
Still uses traditional message passing for Swift classes that inherit from Objective-C classes
Swift classes may use direct function calls, vtables and C++-like mangled function names
Method swizzling works if the class is a subclass of NSObject

86 Swift: Mangled Function Names
Objective-C

87 Swift: Mangled Function Names
__TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_
__T: Swift symbol
F: indicates a function
C: indicates it is a function belonging to a class
9jailbreak: module name prefixed with its length
14ViewController: class name prefixed with its length
12btnFileCheck: function name prefixed with its length
f: function attribute
S0_FPSs: no clue ??
9AnyObject: function parameter
T_: return type

88 Swift: demangle Tool
See also the hopper-swift-demangle plugin, a plugin for Hopper that automates this
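An added example (not from the talk) that carries out the walkthrough above in code: it strips the `_T`/`__T` prefix, reads the kind letters (`FC`), then pulls every length-prefixed identifier out of the symbol, which is how the module, class, function and parameter names are recovered. It is deliberately limited to the shape of symbol the slide shows (a function belonging to a class, returning `T_`, the empty tuple); the `fS0_FPSs` characters between the function name and the parameter are skipped rather than interpreted, and nested generics are not handled.

```python
import re

LENGTH_PREFIXED = re.compile(r"[1-9][0-9]*")  # a decimal length, then that many identifier chars


def length_prefixed_names(sym):
    """Return every <length><identifier> token in a legacy Swift mangled name,
    e.g. '9jailbreak' -> 'jailbreak'. Characters outside such tokens are skipped."""
    names, i = [], 0
    while i < len(sym):
        m = LENGTH_PREFIXED.match(sym, i)
        if m:
            n, start = int(m.group()), m.end()
            names.append(sym[start:start + n])
            i = start + n
        else:
            i += 1
    return names


def describe(sym):
    """Break a legacy (pre-Swift 4) class-method symbol into its parts,
    following the slide's walkthrough. Raises ValueError for other shapes."""
    for prefix in ("__T", "_T"):
        if sym.startswith(prefix):
            body = sym[len(prefix):]
            break
    else:
        raise ValueError("not a Swift symbol: expected a _T prefix")
    kind = re.match(r"[A-Z]*", body).group()  # kind letters before the first length, e.g. 'FC'
    names = length_prefixed_names(body)
    if not kind.startswith("FC") or len(names) < 3:
        raise ValueError("only functions belonging to a class are handled here")
    # Simplification: every identifier after the function name is read as a parameter type.
    module, cls, func, *params = names
    returns = "()" if body.endswith("T_") else "?"  # T_ is the empty tuple; anything else is left open
    return {"module": module, "class": cls, "function": func,
            "parameters": params, "returns": returns,
            "pretty": f"{module}.{cls}.{func}({', '.join(params)}) -> {returns}"}


if __name__ == "__main__":
    print(describe("__TFC9jailbreak14ViewController12btnFileCheckfS0_FPSs9AnyObject_T_")["pretty"])
```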

89 Outline/Agenda
Building A General Toolkit
iOS Application Assessment 101
The Reverse Engineer’s Toolkit
Reverse Engineering iOS Applications
Identifying and bypassing Simple Jailbreak Detection Routines
Conclusion

90 Disclaimer
We will discuss binary patching next
Yeah, but I could do this with ? Yes, there are several other options: xCon, tsProtector, Officer, tools discussed earlier (remember CydiaSubstrate hooking with MSHookFunction)
What happens when you can’t? Get comfortable reading/modifying ARM assembly; start with simple examples

91 But First A Note On Patching 101
Replace an instruction with NOP (no operation)
Change conditional instructions to unconditional ones: BNE, BEQ, BLT… changes to just B etc.
Update the register that determines the branch taken: reg write <register> <value>, or p $<reg> = <value>
Remove the __RESTRICT segment

92 Identifying and bypassing Simple Jailbreak Detection Routines Case Study

93 Case Study: Viewing File System Activity
Using filemon -l
Creates hard links to temporary files

94 Case Study: Viewing Logs
Using idevicesyslog [libimobiledevice]

95 Case Study: Obtaining The Binary
Dump the binary (facilitated by dyld and the DYLD_INSERT_LIBRARIES environment variable)

96 Case Study: Obtaining Symbols
Dump the symbols along with the dylibs to which they belong

97 Case Study: Extracting Strings
Any interesting strings?
Dump the __cstring section (same as running strings)
Knowledge of segments and sections is important

98 Case Study: Extracting Dylibs
procexp <pid> regions
Dump the library with lldb

99 Case Study: Extracting Dylibs

100 Case Study: Obtaining Classes

101 Case Study: Bypassing RootFS Check

102 Case Study: Bypassing RootFS Check
statfs argument
statfs func call
Patch here
TBNZ test the bit to determine if i

103 Case Study: Bypassing RootFS Check
Patch register w8
Patch here

104 Case Study: Bypassing RootFS Check

105 Case Study: Bypassing Debugger Checks
Changes when debugger attached

106 Case Study: Bypassing Debugger Checks (ppid)
A process ID value of 1 indicates that there is no parent process associated with the calling process.

107 Case Study: Bypassing Debugger Checks (ppid)
Patch here
ppid func call

108 Case Study: Bypassing Debugger Checks (ppid)
Patch here
Parent process id of the calling process

109 Case Study: Bypassing Debugger Checks (p_traced)
sysctl func call
Patch here
sysctl – get or set kernel state
CTL_KERN – top-level name for kernel-specific information
KERN_PROC – indicates that sysctl will return a struct with process entries
KERN_PROC_PID – specifies that the target process will be selected based on a process ID (PID); the last item is the PID of that process

110 Case Study: Bypassing Debugger Checks (p_traced)
Patch here

111 Case Study: Bypassing Fork Check
Call to fork
Return value in X0
Patch CMN W19, #1

112 Case Study: Bypassing Fork Check
Patch here

113 Conclusion: Add the reverse engineering skillset to your arsenal !!!
Common bugs are being closed
A “new” approach and a break from the norm is required for in-depth assessments
Assembly knowledge is a MUST for reverse engineering
Low-level assembly allows you to bypass many security protections, discover hidden gems and then some
Knowledge of iOS architecture will not only improve your assessments but also provide a launching pad for other research
Disassemblers are your friends (IDA, Hopper, jtool …)

114 References
Books:
Mac OS X and iOS Internals: To the Apple’s Core (Jonathan Levin)
The Mobile Application Hacker’s Handbook (Dominic Chell, Tyrone Erasmus et al.)
Hacking and Securing iOS Applications (Jonathan Zdziarski)
iOS Application Security: The Definitive Guide for Hackers and Developers (David Thiel)
Blogs and Tools:
processor_set_tasks(), procexp, iOSBinaries, jtool, filemon, AmIBeingDebugged, Frida, Cycript, iFunBox, SSL Kill Switch, BurpSuite, IDA, Hopper, Idb, PT_DENY_ATTACH, ARM, SQLite-parser, SQLite Deletion, lsdtrip

