iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...

More documents

Recommendations

Info

Decrypt The Binary for ReversingCrackulous, xcrack, etc. But how how do they work?1. Find the app binary on the iDevice# find /var/mobile/Applications –name SomeApp.app/var/mobile/Applications/0578A160-…/SomeApp.app2. Get the size of the encrypted code/data section# otool –l …/0578A…/SomeApp.app/SomeApp |grep –A4 LC_ENCRYPTION_INFOcmd LC_ENCRYPTION_INFOcmdsize 20cryptoff 4096cryptsize 4096cryptid 13. Load the executable in a debugger (gdb is a cydia package)# gdb …/SomeApp.app/SomeAppSee: dvlabs.tippingpoint.com/blog/2009/03/06/reverse-engineering-iphone-appstore-binariesCopyright Trustwave 2010
Binary Reversing Prep (continued…)4. Observe the encrypted section “before” -- garbage instructions:(gdb) x/3i 0x20000x2000: addge r4, r7, r4, asr r110x2004: bl 0xfe147a480x2008: ldrbcc r5, [r4, #3476]5. Set a BP to fire after decryption, and let iOS decrypt for us just by running it(gdb) break *0x2000Breakpoint 1 at 0x2000(gdb) r…Breakpoint 1, 0x00002000 in ?? ()gdb) x/3i 0x20000x2000: ldr r0, [sp]0x2004: add r1, sp, #4 ; 0x40x2008: add r4, r0, #1 ; 0x1Copyright Trustwave 2010
Page 5 and 6: iPhone/iOS Security Overview
Page 7 and 8: Architecture OverviewApplications P
Page 9 and 10: Application SecurityCode signing•
Page 11 and 12: Jailbreaking Overview
Page 13 and 14: Jailbreakme.com A Thing to Behold
Page 15 and 16: What it looks likeVisit h'p://jailb
Page 17 and 18: Weaponizing
Page 19 and 20: Patch PlanReversing the installui.d
Page 21 and 22: My “Big Fat Rootkit”… so farC
Page 23 and 24: Set-upA vanilla un-jailbroken iPhon
Page 25 and 26: Hardware: Mic and AudioAudio record
Page 27 and 28: Dumping Process DataSeveral interes
Page 29 and 30: Targeting iOS ApplicationsiOS isn
Page 31: Demo App Backdoor
Page 35 and 36: No More SecretsHint: find the LC
Page 37 and 38: Mach Binary Encryption (continued
Page 39 and 40: What’s your point?For starters…
Page 41 and 42: Objective-C Method HookingIt’s ca
Page 43 and 44: Objective-C Method Hook ExampleLets
Page 45 and 46: Injecting Our LibraryConventionally
Page 47 and 48: ConclusionsLots of security researc
Page 49 and 50: Reversing Redux: The Binary “star
Page 51 and 52: … continued: eggMalformed Times-
Page 53 and 54: class-dump on installui.dylib (aka

iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...

Create successful ePaper yourself

Delete template?

Save as template?