iOS Reverse Engineering for inexperienced

"A good engineer thinks in reverse and asks himself about the stylistic consequences of the components and systems he proposes."
– Helmut Jahn

Reverse
• System level
• Code level

Tools
• Reveal: runtime UI inspector, shows the live view hierarchy of a running app
• Charles: HTTP(S) proxy for watching and replaying the app's network traffic
• idb: toolkit that automates common iOS app pentesting tasks
• iNalyzer: static and dynamic analysis framework for iOS apps
• Introspy: hooks security-sensitive APIs in a running app and logs how they are called
• Snoop-it: runtime monitoring and dynamic analysis of a running app

iOS filesystem
• /
• /bin
• /boot
• /dev
• /sbin
• /etc
• /lib
• /mnt
• /private
• /tmp
• /usr
• /var
• /Applications

App directory
• Binary
• Interface files (nib / storyboard)
• Images
• plist files
• momd files (compiled Core Data model: the app's data schema, readable without the source)

Binary: a Mach-O executable

From source (*.c / *.m) to executable (*.out), what the compiler does:
• Tokenization
• Macro / #include expansion
• AST construction
• LLVM IR generation
• Assembly
• Object file
• Executable (linking)

Mach-O executable
• Mach-O Header (magic, CPU type, file type, number and total size of the load commands)
• Load Commands (segments, linked libraries, entry point, code signature, encryption info)
• Data (the segments and sections themselves)

Fat binary (several architectures in one file)
• Fat Header (list of architectures, with offset and size of each slice)
• Mach-O Header, Load Commands, Data for each architecture
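To make the layout slides concrete, here is an added example in C (not from the deck): a minimal parser that walks a fat header, the Mach-O header and the load commands of a constructed sample binary, and reports what a reverser looks at first: architecture, whether the image is FairPlay-encrypted (LC_ENCRYPTION_INFO_64 with a nonzero cryptid, which is what makes class-dump useless on an App Store binary), the first linked dylib, and whether a code signature is present. The constants are redefined from Apple's loader.h/fat.h so it builds anywhere; the sample bytes are constructed inline and are not a real app.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from Apple's <mach-o/loader.h> and <mach-o/fat.h>, redefined so this builds anywhere. */
#define FAT_MAGIC             0xcafebabeu
#define MH_MAGIC              0xfeedfaceu
#define MH_MAGIC_64           0xfeedfacfu
#define CPU_TYPE_ARM64        0x0100000c
#define LC_LOAD_DYLIB         0x0cu
#define LC_CODE_SIGNATURE     0x1du
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2cu

typedef struct {
    int is_fat;                          /* file starts with a fat header */
    uint32_t nslices, magic;             /* fat_arch count (1 if thin); magic of the first slice */
    int32_t cputype;
    uint32_t ncmds, n_load_dylib;
    int encrypted, has_code_signature;   /* cryptid != 0 in LC_ENCRYPTION_INFO(_64); LC_CODE_SIGNATURE seen */
    char first_dylib[64];                /* name from the first LC_LOAD_DYLIB */
} macho_summary;

static uint32_t rd32le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd32be(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void put32le(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void put32be(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* One thin image: Mach-O header, then ncmds load commands, each bounded by its own cmdsize. */
static int parse_thin(const uint8_t *m, size_t len, macho_summary *s)
{
    if (len < 28) return -1;
    s->magic = rd32le(m);
    size_t off = s->magic == MH_MAGIC_64 ? 32 : s->magic == MH_MAGIC ? 28 : 0;   /* MH_CIGAM* not handled */
    if (off == 0 || len < off) return -1;
    s->cputype = (int32_t)rd32le(m + 4);
    s->ncmds = rd32le(m + 16);
    for (uint32_t i = 0; i < s->ncmds; i++) {
        if (len - off < 8) return -1;
        const uint8_t *c = m + off;
        uint32_t cmd = rd32le(c), cmdsize = rd32le(c + 4);
        if (cmdsize < 8 || cmdsize > len - off) return -1;   /* a hostile cmdsize must not walk us out */
        if (cmd == LC_LOAD_DYLIB && s->n_load_dylib++ == 0 && cmdsize >= 24) {
            uint32_t name_off = rd32le(c + 8);                /* dylib.name offset, relative to the command */
            size_t n = name_off < cmdsize ? cmdsize - name_off : 0;
            if (n > sizeof s->first_dylib - 1) n = sizeof s->first_dylib - 1;
            if (n) memcpy(s->first_dylib, c + name_off, n);  /* the name is NUL-padded inside the command */
            s->first_dylib[n] = '\0';
        } else if ((cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64) && cmdsize >= 20) {
            s->encrypted = rd32le(c + 16) != 0;               /* cryptid: nonzero means FairPlay-encrypted */
        } else if (cmd == LC_CODE_SIGNATURE) s->has_code_signature = 1;
        off += cmdsize;
    }
    return 0;
}

/* Entry point: a fat wrapper (big-endian fields) is handled by descending into its first slice. */
int macho_summarize(const uint8_t *buf, size_t len, macho_summary *s)
{
    memset(s, 0, sizeof *s);
    if (len < 4) return -1;
    if (rd32be(buf) != FAT_MAGIC) { s->nslices = 1; return parse_thin(buf, len, s); }
    if (len < 28) return -1;                                  /* fat_header (8) + one fat_arch (20) */
    s->is_fat = 1; s->nslices = rd32be(buf + 4);
    uint32_t off = rd32be(buf + 16), size = rd32be(buf + 20); /* first fat_arch: offset, size */
    if (s->nslices == 0 || off > len || size > len - off) return -1;
    return parse_thin(buf + off, size, s);
}

/* Constructed sample, not a real app: a fat wrapper around one arm64 MH_EXECUTE slice with three
 * load commands: LC_ENCRYPTION_INFO_64 (cryptid = 1), LC_LOAD_DYLIB, LC_CODE_SIGNATURE. */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    const size_t slice_off = 32, slice_len = 128;
    if (cap < slice_off + slice_len) return 0;
    memset(buf, 0, slice_off + slice_len);
    put32be(buf, FAT_MAGIC); put32be(buf + 4, 1); put32be(buf + 8, CPU_TYPE_ARM64);        /* nfat_arch, cputype */
    put32be(buf + 16, (uint32_t)slice_off); put32be(buf + 20, (uint32_t)slice_len);          /* slice offset, size */
    uint8_t *m = buf + slice_off, *c = m + 32;
    put32le(m, MH_MAGIC_64); put32le(m + 4, CPU_TYPE_ARM64); put32le(m + 12, 2);            /* MH_EXECUTE */
    put32le(m + 16, 3); put32le(m + 20, 96);                                                /* ncmds, sizeofcmds */
    put32le(c, LC_ENCRYPTION_INFO_64); put32le(c + 4, 24); put32le(c + 16, 1); c += 24;     /* cryptid = 1 */
    put32le(c, LC_LOAD_DYLIB); put32le(c + 4, 56); put32le(c + 8, 24);                      /* name at +24 */
    memcpy(c + 24, "/usr/lib/libSystem.B.dylib", 27); c += 56;
    put32le(c, LC_CODE_SIGNATURE); put32le(c + 4, 16);
    return slice_off + slice_len;
}

/* Build the sample, optionally truncated to `len` bytes (0 = whole file), and summarize it. */
const macho_summary *sample_summary(size_t len)
{
    static uint8_t buf[256];
    static macho_summary s;
    size_t n = build_sample(buf, sizeof buf);
    if (len && len < n) n = len;
    return macho_summarize(buf, n, &s) == 0 ? &s : NULL;
}

int main(void)
{
    const macho_summary *s = sample_summary(0);
    if (!s) return 1;
    printf("fat=%d slices=%u cputype=0x%x ncmds=%u dylibs=%u first=%s encrypted=%d codesig=%d\n", s->is_fat,
           s->nslices, (unsigned)s->cputype, s->ncmds, s->n_load_dylib, s->first_dylib, s->encrypted, s->has_code_signature);
    return 0;
}
```

The bounds checks on cmdsize are the part worth copying: otool and the loader trust these fields, and a hand-edited header that points a load command past the end of the file is a classic way to crash naive tooling. On a real device you would read the file with mmap and, for a fat file, pick the slice matching the running CPU rather than the first one.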

class-dump

Mach-O file → *.h *.h … *.h
class-dump reads the Objective-C runtime metadata that the compiler leaves in the binary and regenerates the class, category and protocol declarations as header files.

class-dump -S -s -H MyApp -o /path/to/headers/
(-H write one header file per class, -o output directory, -S sort classes and categories by name, -s sort methods by name)

class-dump (No jailbreak): a binary taken straight out of an App Store .ipa is FairPlay-encrypted, so class-dump finds no usable metadata in it. To get real headers the binary has to be decrypted first, and that means running it on a jailbroken device.

Jailbreak

Device start (secure boot chain):
Bootrom → LLB → iBoot → Kernel → System Software → Apps

Each stage verifies the signature of the next one before handing over control. A jailbreak therefore needs an exploit somewhere in this chain (a bootrom or iBoot bug, or a kernel bug reached from user space) to get unsigned code running.

Jailbreak types
• untethered: survives a reboot on its own
• tethered: the device needs a computer to boot into the jailbroken state every time
• semi-tethered: the device boots on its own, but without the jailbreak until it is re-applied

What a jailbreak gives you
• File system access rights
• broken sandbox
• unsigned apps

cycript
cycript allows developers to explore and modify running applications on either iOS or Mac OS using a hybrid of Objective-C++ and JavaScript syntax.

Disassemblers / Decompilers
• IDA Pro
• Hopper
• otool

Tweak
1. Locate the executable
2. class-dump the headers
3. Find the target view (controller) using Cycript
4. Find the target method for monitoring
5. Trace the method for hooking using a disassembler
6. Write the tweak (using Theos)

Think first
1. No credentials in plists (they are plain files in the app directory)
2. No NSLog in release (device logs are readable by anyone with the device)
3. Use Keychain (secrets belong in the keychain, not in files or NSUserDefaults)
4. Be careful with view snapshots (iOS captures the screen when an app goes to the background; blank sensitive views first)
5. No Objective-C in security code (Objective-C methods are trivially hooked and traced at runtime)
6. Use SSL pinning

SSL Pinning
Pin the server's certificate or public key inside the app, so that a proxy such as Charles, even with its root CA installed on the device, cannot sit in the middle of the app's TLS traffic.

Jailbreak detection
1. Verify Root
2. File access
3. Cydia/OpenSSH detect
4. Process fork
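The four checks on this slide, as an added C example that is not the deck's own code. The path list and the probe file name are assumptions; "Verify Root" is read here as looking for root-filesystem paths that only exist after a jailbreak. On a desktop Linux host every check fires (fork works, /bin/bash exists), which is exactly the point: the checks detect the absence of the App Store sandbox, and on a jailbroken device each of them (stat, fopen, fork) can be hooked, so treat them as a signal, not a gate.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Artifacts a stock iOS install does not have (assumed list; any one of them is a strong signal). */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/bin/bash",
    "/etc/apt",
    "/private/var/lib/apt",
};

/* "Verify Root" / "Cydia/OpenSSH detect": count how many of `paths` exist. Plain stat() rather
 * than NSFileManager, because an Objective-C method is trivially hooked from the runtime. */
int jb_paths_present(const char *const *paths, size_t n)
{
    int hits = 0;
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0) hits++;
    return hits;
}

/* "File access": a sandboxed app cannot create files outside its container. Returns 1 if the
 * probe file could be created (sandbox broken), 0 otherwise; the probe is removed again. */
int jb_can_write(const char *probe_path)
{
    FILE *f = fopen(probe_path, "w");
    if (!f) return 0;
    fclose(f);
    unlink(probe_path);
    return 1;
}

/* "Process fork": the App Store sandbox denies fork(); success means the sandbox is gone.
 * The child exits at once and is reaped so no zombie is left behind. */
int jb_can_fork(void)
{
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(0);
    int status;
    waitpid(pid, &status, 0);
    return 1;
}

/* Number of independent indicators that fired (0 = looks like a stock device). */
int jb_score(void)
{
    int score = 0;
    if (jb_paths_present(kJailbreakPaths, sizeof kJailbreakPaths / sizeof *kJailbreakPaths) > 0) score++;
    if (jb_can_write("/private/jb_probe.txt")) score++;   /* probe name is an assumption */
    if (jb_can_fork()) score++;
    return score;
}

int main(void)
{
    printf("jailbreak indicators fired: %d of 3\n", jb_score());
    return 0;
}
```

Spread the calls through the app and vary the paths and probe names: a single `isJailbroken` function is the first thing a reverser finds with class-dump and patches with one hook.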

Make disassembling harder
1. Use C functions (a C call is direct; an Objective-C message goes through objc_msgSend and is easy to hook and trace)
2. Use #define
3. inline methods (macros and inlining remove function boundaries, so there are fewer named symbols and call sites to find)
4. string obfuscation
5. decoding tables (keep only encoded strings in the binary and decode them at runtime when needed)
6. deny attach
7. integrity checks
8. ASLR

PT_DENY_ATTACH
ptrace(PT_DENY_ATTACH, 0, 0, 0) tells the kernel to refuse debugger attachment to the process. On a jailbroken device the call can be hooked or patched out, so it is a speed bump, not a wall.
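Items 4, 5 and 6 of the list above, as an added C example (not the deck's code): strings are XOR-encoded at compile time, character by character so no plaintext literal ever reaches the binary's string section, looked up through a small decoding table, and wiped after use; `deny_debugger_attach()` issues PT_DENY_ATTACH where it exists. The hostname, the pin value, the key and the table entries are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__APPLE__)
#include <sys/types.h>
#include <sys/ptrace.h>
#endif

/* Build-time encoding: E() is a constant expression the compiler folds, so the binary holds only
 * the encoded bytes and `strings` or Hopper's string view never see the plaintext. The rolling key
 * (key + position) keeps repeated characters from encoding to repeated bytes. Weak by design: it
 * defeats grep, not a reverser who finds obf_get(). */
#define OBF_KEY 0x5A                                   /* assumed key */
#define E(c, i) ((uint8_t)((c) ^ (OBF_KEY + (i))))

/* Decoding table: id -> encoded bytes. The literals are spelled character by character on
 * purpose; a normal "..." literal would put the plaintext straight back into __cstring. */
enum { OBF_API_HOST, OBF_PIN_SHA256, OBF_COUNT };
static const uint8_t kApiHost[] = { E('a',0),E('p',1),E('i',2),E('.',3),E('e',4),E('x',5),E('a',6),
    E('m',7),E('p',8),E('l',9),E('e',10),E('.',11),E('c',12),E('o',13),E('m',14) };     /* "api.example.com" */
static const uint8_t kPinSha256[] = { E('s',0),E('h',1),E('a',2),E('2',3),E('5',4),E('6',5),E('/',6),
    E('A',7),E('B',8),E('C',9),E('=',10) };                                             /* "sha256/ABC=" (placeholder) */
static const struct { const uint8_t *enc; size_t len; } kTable[OBF_COUNT] = {
    [OBF_API_HOST]   = { kApiHost,   sizeof kApiHost },
    [OBF_PIN_SHA256] = { kPinSha256, sizeof kPinSha256 },
};

/* Decode entry `id` into `out` (NUL-terminated). Returns the length, or -1 for a bad id or a
 * buffer too small for the terminator. Keep `out` on the stack and wipe it when done. */
int obf_get(int id, char *out, size_t cap)
{
    if (id < 0 || id >= OBF_COUNT || kTable[id].len + 1 > cap) return -1;
    for (size_t i = 0; i < kTable[id].len; i++)
        out[i] = (char)(kTable[id].enc[i] ^ (uint8_t)(OBF_KEY + i));
    out[kTable[id].len] = '\0';
    return (int)kTable[id].len;
}

/* Overwrite a decoded buffer; the volatile pointer stops the compiler from dropping the stores. */
void obf_wipe(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--) *p++ = 0;
}

/* Compare entry `id` with `s` without handing the plaintext to the caller (e.g. for a pin check). */
int obf_equals(int id, const char *s)
{
    char tmp[128];
    int n = obf_get(id, tmp, sizeof tmp);
    int eq = n >= 0 && strcmp(tmp, s) == 0;
    obf_wipe(tmp, sizeof tmp);
    return eq;
}

/* "deny attach": PT_DENY_ATTACH (request 31) makes the kernel refuse later ptrace attaches and
 * kills the process if a debugger is already attached. It exists only on Darwin, and the iOS SDK
 * does not ship <sys/ptrace.h>, so shipping apps usually reach it through syscall() or a pointer
 * resolved with dlsym() rather than the named import. Returns -1 where it does not apply. */
int deny_debugger_attach(void)
{
#if defined(__APPLE__)
    return ptrace(PT_DENY_ATTACH, 0, 0, 0);
#else
    return -1;   /* not available on this platform (the example is also built on Linux) */
#endif
}

int main(void)
{
    char host[32];
    deny_debugger_attach();
    int n = obf_get(OBF_API_HOST, host, sizeof host);
    printf("decoded %d bytes: %s\n", n, host);
    obf_wipe(host, sizeof host);
    return 0;
}
```

A tweak that hooks obf_get() still sees every string, which is why the deck pairs this with integrity checks and a debugger denial: each measure only buys time, and the combination decides how much.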

Reverse Swift Apps

Thank you!

@complexityclass