SOURCE Seattle 2011 - Ryan Permeh (transcript)

Slicing into Apple: iPhone Reverse Engineering
Ryan Permeh, Trace Team
McAfee
Introduction
• Reverse engineering is taking a finished product and working back towards its constituent artifacts
• Gives us a peek behind the curtains of software
• Helpful for a variety of legitimate uses
  – Better understanding of how software works
  – Recovering lost knowledge
  – Interfacing to closed systems
  – Finding security issues
• May be used illegally
  – DMCA, software piracy, IP theft
Skill Outlay
• Reverse engineering is a very technical subject
• Requires a deep understanding of several topics
  – Hardware architecture
  – Software architecture
  – Operating system internals
  – Assembly language
  – Higher level languages
  – Compiler, linker, and loader internals
  – Debugging
• The better you understand how software is made, the easier it is to reverse engineer it.
Jailbreak your iPhone
• You really need to be jailbroken to have a platform to work from
• Jailbreak breaks signing requirements for applications
• Opens the phone up to a variety of new uses
  – Run software from other sources
  – Develop software without the Apple Developer cost
  – Allows you access to the internals of the iPhone
• Jailbreak for 4.3.3 and beyond
  – This changes often, so do your research
  – Jailbreaking happens via an exploit, leveraged to patch the kernel
  – Install Cydia and use that to install your tools
• gcc/gdb
• SSH access
• class-dump
• Whatever else you want
Tools used
• Reverse engineering leverages several tools to get a better understanding of the code
• Disassembler
  – Parses finished code into assembly language
  – Understand and visualize program flow
  – Provides cross references, searching, and other useful tools
  – We use IDA Pro 6.0 in these examples
• Debugger
  – Offers a view of the program at runtime
  – Helpful for dynamic analysis
  – Can tie into other reverse engineering artifacts
  – We use gdb in these examples
Tools - iPhone Specific
• Clutch – http://clutch.hackulo.us
  – Tool to crack software
  – Handles decrypting binaries automatically
• class-dump – http://www.codethecode.com/projects/class-dump/
  – Dumps internal Objective-C objects
  – Helps understand interfaces and objects in the project
• itunnel – http://www.cs.toronto.edu/~jingsu/itunnel/
  – Useful for connecting from a host machine directly to a jailbroken iPhone
  – For Windows and Unix (Windows – search for itunnel.exe)
  – Used in lieu of a WiFi connection
Inside the iPhone
Hardware
• Processor: ARM Cortex A8
  – Developed by Apple and Samsung
  – Latest devices use the A4 designation
  – 32 bit RISC architecture
  – Uses Thumb extensions
• Radio functionality
  – 3G
  – WiFi
  – Bluetooth
  – Nordic Semiconductor proprietary chipset
• Camera
• Touch screen
Operating System
• iOS (previously iPhone OS) is currently at 4.3.3
• Darwin based kernel
• Unix platform
• Ships drivers for all hardware
• OS version defines support for various features
  – iOS 4 brought multitasking, Game Center
  – iOS 3 brought video, improved GPS
• Security mechanisms
  – Code signing
  – Sandboxing
Programming on the iPhone
• Objective-C
  – A superset of the C language
  – Uses an object oriented model
  – Uses messages instead of calls
  – Uses late runtime binding of objects
• Cocoa
  – AppKit
    • Graphics that fit UI guidelines
  – FoundationKit
    • Containers
    • Value manipulation
iPhone Binary Format
• Uses the Mach-O format
• Comprised of
  – a standard header
  – a series of load commands
  – a series of segments
    • Sections within the segments
• The process of loading is
  1. Loader recognizes header
  2. Processes each load command
  3. Expands each segment
  4. Maps each section to memory
• Universal binaries pair multiple platforms in one package
  – iPhone binaries often have both ARM 6 and ARM 7
Examining a Binary
Key Steps to Disassemble an iPhone Binary
1. Get the Binary
2. Put it on the phone
3. Decrypt the segments
4. Transfer it off the phone
5. Load it in your Disassembler
6. PROFIT!
Getting the Binary
You can get the binary in a number of ways
1. Download via iTunes
2. Use iPhone Store app on device
3. iPhone Backup
4. Find third party place (be careful)
Binary locations
iTunes:
  My Music\iTunes\iTunes Media\Mobile Applications
On phone:
  /Applications
  /private/var/mobile/Applications
Getting Files On and Off the Phone
• If you downloaded from the App Store, you can skip this step
• iTunes
  – Do a simple sync
• Third party (and getting apps off the phone)
  – Use SCP or iPhone Browser
• Clutch puts binaries here:
  /var/root/Documents/Cracked/
WinSCP Demo
Demo 1
Installing From the Appstore
Demo 2
Decrypt the segments
• App Store iPhone binaries are encrypted and signed
• Tied to the phone they are to be installed on
• Code segments are encrypted, so they look like gibberish
• We need a way to decrypt
• The hard way
  – Calculate encryption offsets
  – Run the program with a debugger
  – Dump the unencrypted memory segment
  – Patch the binary with the unencrypted segment
  – Update references to crypto
• The easy way
  – Clutch
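The "iPhone Binary Format" slides describe the Mach-O header, load commands, segments, sections and the universal (fat) wrapper, and the "hard way" above starts by calculating the encryption offsets. The script below, added here as an example and not code from the talk or from Clutch, walks those structures with Python's struct module: it splits a fat file into its per-architecture slices, lists each slice's LC_SEGMENT commands and their sections, and reads the LC_ENCRYPTION_INFO command whose cryptoff/cryptsize/cryptid fields are exactly the offsets the hard way needs. The same check (cryptid still non-zero?) tells you whether a binary that came back from Clutch is really decrypted before you spend time in the disassembler. The sample input is a constructed two-slice universal binary built in the script, not a real app; constants come from Apple's mach-o/loader.h and mach-o/fat.h.

```python
import struct

# Mach-O / fat constants (values from Apple's mach-o/loader.h and mach-o/fat.h)
MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, stored little-endian on ARM
FAT_MAGIC = 0xCAFEBABE         # universal ("fat") wrapper, always big-endian
LC_SEGMENT = 0x1
LC_ENCRYPTION_INFO = 0x21      # App Store encryption: cryptoff, cryptsize, cryptid
CPU_TYPE_ARM = 12
ARM_SUBTYPES = {6: "armv6", 9: "armv7"}


def parse_macho32(blob, base=0):
    """Walk the header and load commands of one 32-bit Mach-O image at `base`."""
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
        struct.unpack_from("<7I", blob, base)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O image at 0x%x" % base)
    info = {"arch": ARM_SUBTYPES.get(cpusubtype, "cpu%d/%d" % (cputype, cpusubtype)),
            "filetype": filetype, "segments": [], "encryption": None}
    off = base + 28                          # sizeof(mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT:
            segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, _flags = \
                struct.unpack_from("<16s8I", blob, off + 8)
            sections = []
            for i in range(nsects):          # 68-byte section structs follow the command
                sectname = struct.unpack_from("<16s", blob, off + 56 + 68 * i)[0]
                sections.append(sectname.rstrip(b"\0").decode())
            info["segments"].append({"name": segname.rstrip(b"\0").decode(),
                                     "vmaddr": vmaddr, "fileoff": fileoff,
                                     "filesize": filesize, "sections": sections})
        elif cmd == LC_ENCRYPTION_INFO:
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
            info["encryption"] = {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize                       # unknown commands are skipped by size
    return info


def parse_binary(blob):
    """Return parsed slices: one per architecture for a fat file, one for a thin file."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            _cputype, _cpusub, offset, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(parse_macho32(blob, offset))
        return slices
    return [parse_macho32(blob, 0)]


def is_encrypted(info):
    """True if the slice still carries App Store encryption (cryptid != 0)."""
    enc = info["encryption"]
    return enc is not None and enc["cryptid"] != 0


# --- Constructed sample data: a tiny two-slice universal binary, not a real app ---
def build_sample_slice(cpusubtype, cryptid):
    sect = struct.pack("<16s16s9I", b"__text", b"__TEXT", 0x4000, 0x100, 0x1000, 2, 0, 0,
                       0x80000400, 0, 0)
    seg = struct.pack("<2I16s8I", LC_SEGMENT, 56 + 68, b"__TEXT", 0x4000, 0x1000, 0, 0x2000,
                      5, 5, 1, 0) + sect
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    cmds = seg + enc
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 2, len(cmds), 0) + cmds


def build_sample_fat(slices):
    """Wrap (cpusubtype, bytes) pairs in a fat header; slices are page-aligned like real ones."""
    entries, body, offset = b"", b"", 0x1000
    for cpusub, data in slices:
        entries += struct.pack(">5I", CPU_TYPE_ARM, cpusub, offset, len(data), 12)
        padded = data + b"\0" * (-len(data) % 0x1000)
        body += padded
        offset += len(padded)
    header = struct.pack(">2I", FAT_MAGIC, len(slices)) + entries
    return header + b"\0" * (0x1000 - len(header)) + body


SAMPLE = build_sample_fat([(6, build_sample_slice(6, 1)),     # armv6 slice, still encrypted
                           (9, build_sample_slice(9, 0))])    # armv7 slice, cryptid cleared

if __name__ == "__main__":
    for s in parse_binary(SAMPLE):
        print(s["arch"], "encrypted" if is_encrypted(s) else "clear", s["encryption"],
              [(seg["name"], seg["sections"]) for seg in s["segments"]])
```

On a real file, replace SAMPLE with the bytes of the app binary; a Clutch output that still reports cryptid 1 on any slice has not been decrypted, and the cryptoff/cryptsize pair is the file range a disassembler would otherwise show as gibberish.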
Clutch Demo
Demo 3
Load It into the Disassembler
• Unpack the Clutch output IPA
  – IPA files are just zip files; you can rename them to .zip
• Should have a directory structure
  /some GUID
    /App files
• App is probably the largest file, has no extension
• Explore other files
  – Use a plist editor to examine .plist files
  – DB/data files are often SQLite
• Load the file into the disassembler
Unpacking the IPA
Demo 4
iPhone Binary Internals
• Uses Objective-C and Cocoa
• Calls are non-obvious
  – Use a Python tool to fix up calls
  – Reanalyze with the new markup
• Code is ARM assembler
• Areas to look at
  – Strings
  – Areas of import
    • Network calls
    • Crypto
    • Calls to key iPhone areas (mail, SMS, calendar, etc.)
    • Key functionality per app
  – Graphs help understand flow
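The "areas to look at" list above (strings, network calls, crypto, mail/SMS/calendar access) is the first pass most analysts make before reading ARM assembler. The script below is an added example, not a tool from the talk: it pulls printable strings out of a binary's bytes the way strings(1) does and sorts them into those areas using the Cocoa and CommonCrypto identifiers an app would reference (NSURL, CCCrypt, MFMailComposeViewController, EKEventStore and so on). The grouping and the sample bytes are this example's own constructed data, not content from a real app; the API names are real framework identifiers.

```python
import re

# Constructed sample: bytes in the style of an app's __cstring/__objc_methname data (not a real binary)
SAMPLE = (b"\x00\x00initWithRequest:delegate:\x00https://api.example.invalid/v1/login\x00"
          b"CCCrypt\x00kCCAlgorithmAES128\x00MFMailComposeViewController\x00"
          b"sendSMS:\x00EKEventStore\x00\x7f\x01\x02ab\x00SELECT * FROM users WHERE token = ?\x00")

# Areas of interest from the slide, expressed as patterns over the extracted strings.
# The API names are real Cocoa/CommonCrypto identifiers; the grouping is this example's own.
CATEGORIES = {
    "network":  [r"^https?://", r"NSURL", r"CFNetwork", r"initWithRequest:"],
    "crypto":   [r"CCCrypt", r"kCCAlgorithm", r"SecKey", r"AES", r"SHA"],
    "mail":     [r"MFMailCompose", r"MessageUI"],
    "sms":      [r"MFMessageCompose", r"SMS"],
    "calendar": [r"EKEvent", r"EventKit"],
    "database": [r"\bSELECT\b", r"sqlite3_", r"\.sqlite\b"],
}


def extract_strings(blob, min_len=4):
    """Pull runs of printable ASCII of at least min_len bytes, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(strings):
    """Group strings by area of interest; a string can land in more than one bucket."""
    hits = {}
    for s in strings:
        for cat, pats in CATEGORIES.items():
            if any(re.search(p, s) for p in pats):
                hits.setdefault(cat, []).append(s)
    return hits


def triage_blob(blob):
    """Convenience wrapper: bytes in, categorised strings out."""
    return triage(extract_strings(blob))


if __name__ == "__main__":
    for cat, found in sorted(triage_blob(SAMPLE).items()):
        print("%-9s %s" % (cat, found))
```

Each hit is a string the disassembler's cross-references will lead back to the code that uses it, which is where the per-app "key functionality" review starts; extend CATEGORIES with the selectors and URLs that matter for the app being reviewed.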
Analyzing the Binary
Demo 5