Semi automated mapping of iOS binaries
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Teil | 9 | |
| Anzahl der Teile | 29 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Deutschland: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/18856 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
Hacktivity 20159 / 29
1
4
6
17
00:00
BinärdatenTextur-MappingCodeDatenstrukturDatenverwaltungInformationRelativitätstheorieSoftwareSpieltheorieGenerator <Informatik>PhasenumwandlungSoftwaretestArithmetisches MittelBinärcodeBitBrennglasHyperbelverfahrenRechenschieberSechseckE-MailVersionsverwaltungÄhnlichkeitsgeometrieNichtlinearer OperatorCASE <Informatik>Prozess <Informatik>NormalvektorZusammenhängender GraphDatenfeldRouterDokumentenverwaltungssystemKlasse <Mathematik>Ein-AusgabePersönliche IdentifikationsnummerKartesische KoordinatenKomponente <Software>Spiegelung <Mathematik>Befehl <Informatik>Framework <Informatik>Cisco IOSLaufzeitfehlerPatch <Software>NeuroinformatikSystemplattformsinc-FunktionMultiplikationsoperatorMapping <Computergraphik>Digitales ZertifikatMobiles InternetSoftwareentwicklerApp <Programm>KoroutineUnternehmensarchitekturDynamisches SystemFolge <Mathematik>Lie-GruppeTopologieTypentheorieTropfenDebuggingMomentenproblemVirtuelle MaschineStapeldateiFamilie <Mathematik>Anpassung <Mathematik>Metropolitan area networkPunktVererbungshierarchieLesen <Datenverarbeitung>BeobachtungsstudieSchreib-Lese-KopfEndliche ModelltheorieIRIS-TObjekt <Kategorie>DatenreplikationRandwertStandardabweichungDisassemblerVorlesung/Konferenz
09:20
BinärdatenTextur-MappingInstantiierungObjekt <Kategorie>Lesen <Datenverarbeitung>SoftwaretestFunktion <Mathematik>TaskSoftwareentwicklerBaum <Mathematik>BenutzerfreundlichkeitDatenstrukturFolge <Mathematik>GravitationInformationRelativitätstheorieStabProgrammierungDateiverwaltungHackerProdukt <Mathematik>HydrostatikVariableKonfiguration <Informatik>Algebraisches ModellAlgorithmische ProgrammierspracheBinärcodeEinfach zusammenhängender RaumFunktionalGarbentheorieGeradeGruppenoperationKette <Mathematik>LoopOrdinalzahlPhysikalisches SystemTeilmengeTermZahlenbereichStapeldateiÄhnlichkeitsgeometrieFontNichtlinearer OperatorParametersystemCASE <Informatik>Prozess <Informatik>InstantiierungComputersicherheitFormation <Mathematik>Sampler <Musikinstrument>PunktKlasse <Mathematik>Geschlecht <Mathematik>SchnittmengeChiffrierungKartesische KoordinatenInteraktives FernsehenSpektralzerlegung <Physik>Stabilitätstheorie <Logik>MultifunktionSpiegelung <Mathematik>Endliche ModelltheorieBestimmtheitsmaßLaufzeitfehlerDrahtloses lokales NetzTouchscreenObjekt <Kategorie>MultiplikationsoperatorSchlussregelURLRechter WinkelMechanismus-Design-TheorieSoftwareentwicklerKoroutineAnalysisOrdnung <Mathematik>AuswahlaxiomBoolesche AlgebraRechenschieberE-MailOvalPuls <Technik>Gleitendes MittelEin-AusgabeProgrammschleifeWort <Informatik>NP-hartes ProblemPatch <Software>FreewareSoftwareschwachstelleSchreiben <Datenverarbeitung>App <Programm>Lesezeichen <Internet>
18:39
HilfesystemSichtenkonzeptDickeVideo GenieBinärdatenTextur-MappingInnerer PunktPROMGammafunktionE-MailBildgebendes VerfahrenTermHill-DifferentialgleichungTaskFunktion <Mathematik>Lesen <Datenverarbeitung>SoftwaretestSoftwareentwicklerW3C-StandardMenütechnikElementargeometrieRechenwerkWeb-SeiteSpezialrechnerGEDCOMROM <Informatik>LaufzeitfehlerEntscheidungstheorieComputersicherheitMaßerweiterungInformationsspeicherungArchitektur <Informatik>Normierter RaumInformationBaum <Mathematik>DatenstrukturKryptologieTopologieWärmeleitfähigkeitProdukt <Mathematik>MAPIntegralAlgebraisches ModellAuswahlaxiomFunktionalMereologieMomentenproblemPhysikalisches SystemTermZahlenbereichFlächeninhaltFamilie <Mathematik>CASE <Informatik>Prozess <Informatik>InstantiierungWort <Informatik>Kartesische KoordinatenInteraktives FernsehenBimodulAppletMailing-ListeFramework <Informatik>Elektronische PublikationCharakteristisches PolynomSichtenkonzeptKontrast <Statistik>TouchscreenObjekt <Kategorie>MultiplikationsoperatorAblaufverfolgungRechter WinkelInterface <Schaltung>GamecontrollerStatistikDateiverwaltungBildschirmfensterSoftwaretestBinärcodeMenütechnikSystemaufrufBridge <Kommunikationstechnik>Ein-AusgabeEndliche ModelltheoriePatch <Software>SoftwareschwachstelleTesselationDemo <Programm>KoroutineVorlesung/Konferenz
25:51
BinärdatenTextur-MappingInformationsspeicherungSichtenkonzeptROM <Informatik>SoftwarepiraterieLaufzeitfehlerMaßerweiterungArchitektur <Informatik>TaskProgrammbibliothekCodePatch <Software>Proxy ServerReverse EngineeringPROMSpeicherabzugSoftwaretestAuswahlaxiomKette <Mathematik>E-MailOvalGammafunktionDiskrete-Elemente-MethodeDefaultWechselsprungWechselseitige InformationCAN-BusCodeStatistikZeichenketteDateiverwaltungHackerHalbleiterspeicherProgrammbibliothekBildschirmfensterSoftwaretestAuswahlaxiomFunktionalGeradeMaßerweiterungVersionsverwaltungAutomatische HandlungsplanungParametersystemCASE <Informatik>Coxeter-GruppeZeiger <Informatik>Klasse <Mathematik>Ein-AusgabeWort <Informatik>Web-SeiteKartesische KoordinatenElektronische PublikationClientPatch <Software>MultiplikationsoperatorAblaufverfolgungDemo <Programm>SoftwarepiraterieSoftwareentwicklerApp <Programm>KoroutineOrdnung <Mathematik>CodierungGanze FunktionArithmetisches MittelBitCOMMomentenproblemResultanteMenütechnikSystemaufrufComputervirusHypermediaUltraviolett-PhotoelektronenspektroskopieInstantiierungFächer <Mathematik>PunktEinfügungsdämpfungMailing-ListeWeb SiteTrennschärfe <Statistik>TouchscreenObjekt <Kategorie>ARM <Computerarchitektur>Schreiben <Datenverarbeitung>Snake <Bildverarbeitung>Rechter WinkelVorlesung/Konferenz
33:02
BinärdatenTextur-MappingSichtenkonzeptQuantenzustandPasswortWeitverkehrsnetzKonfiguration <Informatik>Elektronische PublikationRechter WinkelProgrammbibliothekFunktionalMaßerweiterungNormalformKartesische KoordinatenFramework <Informatik>Elektronische PublikationTouchscreenBoolesche AlgebraSystemaufrufEin-AusgabeProxy ServerVorlesung/Konferenz
35:10
Finite-Elemente-MethodeTermBinärdatenTextur-MappingRahmenproblemSichtenkonzeptElektronische PublikationRechter WinkelKonfiguration <Informatik>OvalARM <Computerarchitektur>ProgrammbibliothekBinärcodeMultifunktionElektronische PublikationDemo <Programm>Dynamisches SystemMaßerweiterungVerzeichnisdienstVorlesung/KonferenzComputeranimation
36:00
Wurzel <Mathematik>BinärdatenTextur-MappingNormierter RaumElektronische PublikationFinite-Elemente-MethodeMAPGebäude <Mathematik>SpeicherabzugRechenwerkPROMInstallation <Informatik>ProgrammbibliothekTaskMaßerweiterungInstantiierungKartesische KoordinatenVollständiger VerbandObjekt <Kategorie>Interface <Schaltung>CodeElektronische PublikationTouchscreenVorlesung/Konferenz
39:14
BinärdatenTextur-MappingDämon <Informatik>SichtenkonzeptURLMathematikSpieltheorieÜbersetzer <Informatik>App <Programm>FaserbündelFunktionalElektronische PublikationAuswahlaxiomÄhnlichkeitsgeometrieParametersystemCASE <Informatik>Kartesische KoordinatenPrimitive <Informatik>Framework <Informatik>BinärcodeSystemaufrufProxy ServerGamecontrollerVorlesung/Konferenz
40:26
SichtenkonzeptBinärdatenTextur-MappingGammafunktionGeradeVorlesung/Konferenz
41:43
MAPBinärdatenTextur-MappingSpieltheorieHalbleiterspeicherFairness <Informatik>BinärcodeLastPhysikalisches SystemProjektive EbeneWort <Informatik>Kartesische KoordinatenMultiplikationsoperatorDigital Rights ManagementMessage-PassingArithmetisches MittelGarbentheorieRadikal <Mathematik>DatensichtgerätSystemaufrufSchnittmengeChiffrierungInklusion <Mathematik>Mailing-ListeVorlesung/KonferenzBesprechung/Interview
Transkript: Englisch(automatisch erzeugt)
00:00
Hello, and welcome to this class. This will be pretty much, think of it as a classroom exercise so that for all of you who work with iOS applications, maybe on a daily basis, maybe on a hobby basis, so I hope that I will show you guys some tricks that you can use up your sleeve
00:24
when it comes to dissecting and analyzing an iOS binary. So the name is kind of cryptic but I hope that it will make sense and it will be clear by the end of this talk. So a very short intro for those who haven't seen my face yet.
00:45
So that's my name. I've been working as a Pentester since the early iOS days. So I've been working with iOS app since iOS 4.0 which dates back to as early as 2008, 2009, and my field of interest and field of research is focused on how to map and
01:07
analyze Objective-C-based applications which actually makes most of the iOS apps out there. So there are Swift apps which the technology was announced in iOS 8 but as things see now,
01:26
it's not that well spread as Apple supposed it to be. So most of the time when we see Swift inlays in normal Objective-C applications, that's kind of easy to understand because most companies have their Objective-C code base ready by this time and they obviously don't want to replace
01:44
everything they had earlier and which worked fine for them. So this talk is not a fun talk about old days and not a fun talk about jailbreaking and as far as I understand, I don't have any jailbreaks for iOS 9.0.2
02:06
which is the latest version as of yesterday. Instead, think this talk like an advanced course on Objective-C screwdrivers to help you guys find your ways more easily around iOS applications when it comes to actual pan-testing.
02:26
So this is like a collection of small ideas and hints I came up or I read somewhere else and that helped me a lot when it came to testing iOS applications. And when it comes to actual penetration testing work, most of the time our worst enemy is time.
02:45
So I hope you guys that you had some experience with professional penetration testing, you will all agree with me so that the biggest burden of this job is to finish everything on time.
03:00
But unfortunately, the technology and the applications we test and we work with, they do not make it easy for us to finish our job on time and I hope that these tricks will save you guys literally hours and hours and hours of misery.
03:20
So just the first a little bit of intro, I'm pretty sure everyone is familiar with iOS. It used to mean Cisco IOS and they used to mean software running on their routers and switches and network gadgets. However, since Steve Jobs coined this I stuff nomenclature, iOS means something else.
03:45
The first OS version came around in 2007 with the soap-like iPhone 3. And now as of today, it's iOS 9 is the first, is the main version.
04:01
And at this point, it used to be a toy for hipsters. I remember when I had this first iOS talk in 2010, 2011, we said that, hey, yeah, these devices are really cool, they look nice, they're awesome, but they're not really designed and not really suitable for corporate users.
04:23
Now, it's significantly changed, so this statement is not true anymore as iOS is a fully blown and fully adoptable corporate device platform. And when MDMs came around, mobile device management tools and devices came around,
04:43
this is more and more true as corporates and enterprises have means to control what kind of devices can hold the data. And as time progresses, we have a whole lot of mobile banking applications, document management things, whatnot.
05:03
So, more and more corporate data gets to iOS devices. And judging by the trends, this will not turn on unless something very bad happens around in the world. So, a little bit around iOS application testing. The first phase is, as in all pen tests, is static mapping,
05:24
which there's a whole bunch of letters on the slide. I won't read everything aloud, but you guys can get grab around what this phase means. So, this means, like, having a clockwork and taking a magnifying glass and to see what's inside and what kind of components the clockwork uses,
05:42
what kind of gadgets it uses, what kind of APIs, what kind of platforms, what kind of third-party modules, and so on and so on. So, this information can be gathered during the first phase when we simply take a binary and start disassembling it and start peeking around within the binary.
06:04
So, the purpose of this whole operation is like anatomy in medical sciences. So, anatomy focuses on bodies which are not moving. So, everything is, like, static and they describe what they find inside.
06:21
So, this is kind of the similar thing we do when performing static mapping. What do we do here? When we have an iOS binary, we can easily extract a class header structure in case the application was written in Objective-C, as the Objective-C runtime framework relies extensively on reflection.
06:42
Therefore, method names, class names, and other related info has to be compiled within the binary, and it's there, and it's easily extractable. As for the nomenclature, it's another interesting topic. So, if someone with some kind of experience with iOS apps just takes a look
07:02
around the names of classes, names of methods, and so on and so on, so they will get an understanding about, like, how developers work, how they structure things, how they name things, how they use things, and so on and so on. And these information can be very useful when it comes to later phases of assignment.
07:23
So, this phase is very boring, I admit. So, it's like it involves hours and hours of staring at IDA Pro and Hopper and other similar tools, peeking around within the binary with the hex editor, looking around the class dimension, but it's worth the hassle,
07:44
because later on, when you will start peeking around when the application is running, as in dynamic analysis, or you try to patch generate detection routines or certificate peeling, or try to pinpoint where crypto happens. So, in these later phases, the effort you put into static mapping will return very well.
08:09
And when we come to the next bit, who knows what's on the picture? Okay, just tell me what's the name of the game here.
08:24
Yeah, that's the incredible machine, as it's an amazing game. I remember that was a kid that made me a computer nerd in the first place, I must admit. So, when we do dynamic mapping, we try to figure out what's within the binary and what happens when the binary is being run and when the application components are in motion.
08:46
So, this phase usually involves a broken iPad, which I luckily have in here, with all the necessary modifications, which is required to do app testing.
09:02
We usually use some kind of debugger, which is like a pin and a needle to stick within the app. And this, by the end of the day, gives you a much better understanding of what's within the binary. And this is where the nightmare begins, as obviously application developers
09:23
and especially security-related applications developers don't really want you to easily understand how their product operates. As we will see later on, this brings us to a whole bunch of problems we have to face
09:41
when doing autopsy on an actual application or doing dynamic analysis. So, first of all, as I said, we need to have a geo-broken device to run on stuff. And most of the time when we use security-related products, they just simply say, hey, dude, this is a geo-broken device, please leave me alone.
10:02
Otherwise, even if the app runs, we press a button and something happens like encryption, an HTTP connection is made or some kind of encryption takes place, something is written on the keychain and so on, so we want to know what happens under the hood.
10:21
Once we have geo-break detection, I'm pretty sure that anyone who has ever encountered having to patch a binary, having geo-break detection to be patched out of the binary, this is one of the most frustrating things that can happen to you. So, you spend hours trying to find the point where geo-break detection takes place,
10:42
you patch that particular section of the binary and you run the app again with like a pulse over 190 and boom, geo-break detection kicks in again, but at some other place. And you usually have to do this over and over and over and over and over again
11:01
and this is as boring as it sounds. So, we want to have some kind of method to find each and every occasion where geo-break detection is made. And last but not least, we have an interesting looking method within the binary and let's say, hey, dude, I just checked out the class dump, I saw that this method does some kind of encryption.
11:26
It takes two parameters, does some kind of write operation to the file system. I want to know where it's invoked. That's a pretty usual question when it comes to analysis.
11:40
And these problems are really, really time consuming. So, this is the first slide which looks very scary, but bear with me, it's not going to be that scary. So, when it comes to binary analysis, application developers try to make your work as hard as it can be.
12:04
So, I'm showing you a couple of things which are tools in the developers arsenal to screw with the Pentester. So, by the end of the day, it's still possible to analyze binaries, but it takes much more time and that's it.
12:21
So, every complication and every anti-debugging or anti-reversing effort you put into your binary just merely raises the bar in terms of effort and expertise, but by the end of the day, everyone will die. So, first of all, this unroll loop which is invoked with a very funny fun roll minus F unroll loops switch within GCC.
12:48
And this means that, as I indicated in the slides over there, if you have a function or a method, instead of having optimized it to one single location, if you use this switch,
13:05
GCC will copy the same byte sequence to the regarded places one after another. As for inline functions, this is another obvious choice.
13:20
So, that means instead of having a nice and very easily patchable and very easily method-swizzable, this word now exists because I just coined it. So, if you have a very nice function, like say this void do something thing, and in case it's a simple point where the application checks for the device being jailbroken or not,
13:43
and it returns a boolean value, then it's pretty trivial to make it return a null each and every time you run. And this is pretty well known amongst developers, so only rookies use similar kind of jailbreak detection mechanisms.
14:00
Instead, they opt for witchcrafts like inline functions, so whenever they have to invoke their jailbreak detection method, they just copy the corresponding byte sequence to the appropriate places. And there you go, you have even 200 times, 200 instances of jailbreak detection routines,
14:22
and you would have to patch each and every location one by one, and that's very time-consuming. Other three features developers usually use. Object stripping is a standard procedure to secure binaries.
14:40
However, on Objective-C applications, it's not that widely usable. As I said, the runtime itself needs a whole bunch of information about the binary itself. Therefore, method names, class names, and other related info will be always there. So no matter what you do, at some point, if you use Objective-C, you have to know the name of the method and your objects.
15:06
And by the end of the day, most of the time, as a time tester, you will be able to reconstruct the header structure. Reflection, we love reflection because it makes static analysis a pain in the butt.
15:22
That means that if you see a very nice function, which is invoked somewhere, but since its name is assembled runtime, IDA Pro won't be able to pinpoint that particular location for you. And unless you have a fancy trick up your sleeve, which I will show you later on,
15:43
you will be sweating blood when trying to figure out where the particular function is invoked. And last but not least, my favorite one, use plain C++ instead of Objective-C, as Objective-C is a superset of C++.
16:01
It's perfectly plausible and usable if you just put some Objective-C stuff within. Objective-C can be very easily obfuscated. And we saw that many times when it comes to MTM systems and other security-related products, they rely heavily on similar kind of operations.
16:22
And the best thing is that these tools can be combined. So I chatted with a developer of a corporate MTM solution about how they detect jailbroken devices and why I was literally spending days in misery trying to make that damn thing run on our jailbroken iPad.
16:45
And the guy said that they have a mutator engine which takes a byte sequence which does some kind of jailbreak detection and they mutated it and they copied to random places within the binary when they do the compilation process as assembly inlays.
17:04
So that eventually means that you have literally hundreds of places where jailbreak detection routines are implemented and not a single function is called jailbreak detection which returns a boolean yes or no. And that's a really, really hard thing to analyze and to circumvent. Okay, first of all, before going to much, much more technical stuff, let's see a common problem.
17:30
We have a screen and we want to know what happens when I press a particular button or a switch or whatever on the screen. How can we find out which locations and which methods in the
17:43
application binary are responsible for handling user interaction for a particular screen? In order to enter the solution, but I will show you that, in order to do this I have a nice iPad here with this damn vulnerable iOS application thing which is a very nice thing.
18:04
So if you are trying to be iOS hackers or you are the people who make other people try to be iOS hackers, go out, grab it, it's free and it's one of the best playgrounds out there for learning how to hack iOS apps.
18:23
So we have this very nice screen, I tap on the jailbreak detection button and it says device is jailbroken and I want to see how the magic happens, what happens under the hood. So in order to achieve this, I have a whole bunch of options. For instance, when we come to the clause dump, as I said, this is the, I'm trying to make this bigger for you.
18:47
So this is the kind of, you guys can see it. So this is the kind of structure you can extract from the binary itself, so it's truly doable. So I have a very, very, very, very detailed long list of objects, methods and interfaces.
19:05
Let's try to find the word jailbreak and boom, yeah, we have a jailbroken detection VCN, which happens to be the exact one which we are looking for at the moment. But what if we can't do this in such an easy way? I mean, what happens if it just doesn't work?
19:24
What can we do now? So I have here some thing for you. We'll first SSH back to my device.
19:52
Okay, there we go. And first of all, I use SciCrypt. SciCrypt is like an Objective-C manipulation framework
20:03
and that initially created a bridge between JavaScript and Objective-C, which is a very private thing to say, but surprisingly it works awesome when it comes to pen testing. So let's try to find the, okay, so we're within the application.
20:27
And I will come here to see.
20:40
So this dot key window construct shows you a handle to the entire screen you see. So when it comes to manipulations on the screen, you can easily access those items on the screen from here. And if we say we want to see what's on the screen, so it's not very easy to see where are these massive tiles.
21:21
Oh, come on. So this shows you like a tree-like structure about what's on the screen. And this can come very handy as if you look for the titles here. It's like, see, this is job detection here. You have the menu item here.
21:41
So everything you see on the screen will be in this tree-like structure. If we look, these are like buttons. And these UI buttons can be found within the tree-like structure with this kind of,
22:02
okay, so with these subviews construct, we can make our way down on the tree. And by the end of the day, we reach this UI button here.
22:21
And this UI button objects obviously has a target which tells us which object it uses. So this in iOS or in model view controller terms, what we see on the screen is a view object, but we want to see the controller object to it.
22:41
And this construct or this trick can be used to pinpoint the exact object and the exact method that's responsible for user interaction. Okay, moving on. Next question. We have a very nice application and we know that somewhere it uses some kind of API call.
23:07
And we want to pinpoint where it does it. So ideally, we need or we look for a method which does not make any kind of modification to the binary. So that means that if we handle with like an MDM product or something that checks its own integrity,
23:24
we don't have to patch the integrity checking modules and we don't have to check the modules that check the integrity of the integrity checking modules, and so on and so on. Instead, we'd love to do this without ever touching the binary.
23:41
So these typical areas of interest are algebra detection, keychain usurping, crypto, and I will show you guys two separate methods to pinpoint and to get those precious stack traces when it comes to an actual API call. First of all, I'm going to use GDB, which is very useful sometimes,
24:07
even though it's not supported by Apple anymore. They instead opted for LLVM as the new debugger of choice. So we go to this algebra detection or damn vulnerable application again,
24:25
and we go for, so what I did is simply fired up GDB and got into the process itself.
24:43
So let's make it run. And I'm really interested in, for example, for the demo's sake, whether STAT function is used. So STAT is used for file system interaction.
25:01
It can be used for, it's actually a family of API calls. However, most of the time they are used for the check of whether or not a file exists or some characteristics of the file are there or not. I mean, for instance, you can check whether or not a file is executable or not,
25:22
and these tools are used, these command families are used in many algebra detection routines. So we'd love to see how the application does algebra detection in this case. So what we do is simply put a breakpoint on STAT.
25:43
We can easily define a couple of commands to be run each time that particular breakpoint is hit. So first of all, I'd love to print out the first parameter of the STAT function. I did my homework. I checked the API reference page in the developer.apple.com website,
26:06
and I was very happy to realize that there's a string as the first parameter, and that contains the file name itself. And the pointer to that particular string object is handled over to the function in the R0 register,
26:24
which I'm printing out here. I want to see where we are. In GDB, this gives you a nice stack trace, and that's it. Let's see. So we come to the piracy detection exercise, and again, I did my homework.
26:44
I know that this piracy detection routine does what it then suggests, piracy detection, and it uses this STAT function. So I press the button, and whoa, this is very interesting.
27:00
This shouldn't happen. Okay. There we go. And as we see that the actual stack traces are here. So whenever, yeah, because the GDB didn't refresh itself, so it's still there.
27:22
I can go on and to see how the breakpoints are hit and where these STAT functions were invoked from. And this can be very, very easily usable. Many times applications imply some kind of anti-debugging aspect.
27:41
However, that can be many times pretty easily circumvented. As I said, this is the GDB again for reference sake. The inevitable pro of using GDB is that it looks awesome. I mean, you're typing on a black screen, white letters.
28:02
It's so hacker-like. However, with GDB, there are many problems also. For instance, many times it's not perfectly feasible either because your device cannot run GDB or there is no hacked version of GDB for your version of iOS or the application itself is actively preventing being traced with GDB.
28:23
And that can be, again, it can be circumvented. However, most of the time it's doable. But the biggest problem with it, it's not persistent. So that means each and every time you want to tweak your application, you have to do this over and over and over again.
28:41
And we want to use something more usable. I mean, it looks awesome on a demo when it comes to client presentations. However, when it comes to actual plan testing work, it's a waste of time most of the time. So we want to use something that can be used in a more prominent fashion.
29:08
Well, I'll show you. We're going to compile, by the end of the day, CDA substrate extensions. CDA substrate extensions, a hard word. It used to be called mobile substrate. And that means that on general devices, you can use CDA to dynamically load libraries to your application.
29:31
This is pretty much the same concept as with DLLs in Windows. So that means that an application does not have to hold each and every feature set in the memory
29:44
so that it doesn't consume that much memory. And this is especially hot topic when it comes to mobile devices. This technology is used by a whole bunch of applications like Vinci, SSL, Kill Switch, Snoopid.
30:01
I'm pretty sure that these names ring a bell for you guys who have some expertise in iOS plan testing. And as a result, CDA substrate extensions are the pen testers' choice. That means that no manual patching is needed. It's basically a simple RM function.
30:22
So you only have to delete the file from the file system if you want to disable your extension. And their creation is, as we'll see, is trivially scriptable if we have the class dumped, which I will show you. This is what we're going to use.
30:41
Our tool of choice is Theos. Theos is an on-device iOS toolchain, and eventually you don't have to have Xcode to develop iOS applications. You can use Theos, everything runs on the device itself. And besides full-blown ops, you can easily compile substrate extensions for existing apps.
31:00
And this gives us a whole bunch of opportunities. So this means that we can inject whatever we want into an iOS application. This can bring very cool conclusions, as we'll say there are. Okay, so before we're moving on, meet my really nice demo application, which is pretty much these five lines, or six lines of code.
31:28
So this means that we check whether or not a particular file within the file system exists or not. And in case it exists, we invoke one function, and if not, we invoke another. And that's pretty much it.
31:40
Even if you are not fluent in Objective-C, it's pretty straightforward what it does. So when it comes to disassembly, this is what it looks like. I hope you guys can... Ah, you don't see shit. I will find IDA Pro with you. Okay, this is the one.
32:08
So I fired up IDA Pro and loaded my demo application. It's a very small app, so it takes no time for IDA Pro to load it. So this is the... I'll try to make it...
32:22
No, it's a bit better. Close this one. So as you can see, we basically implement this kind of function. So even if you are not fluent in... This is ARM assembly. It looks horrible. However, these texts make it quite easily understandable what's going on.
32:43
So we check whether or not this CDR app file exists or not. In case it exists, we invoke one thing, and if not, we invoke another. So that's trivial, kind of very easy to understand. So how can we bypass...
33:02
Or how can we see where the actual... So the heart of this thing is this file exists at path function, which is a library iOS call. And as its name suggests, what it does is simply returns a Boolean yes or no,
33:22
whether or not a particular file exists or not. And this is the actual CDR substrate extension written in Objective-C we are going to utilize to pinpoint where this particular function is run from. Just a quick overview. So this %orig construct, it instructs the framework to run the original function itself.
33:48
So it returns a B. Boolean value, we have it here. We log some things. We log the struct days, and we return what has been returned. So that's like a proxy thing, so that we inject API calls,
34:02
we do something, and we return what's received. And let's see how this thing works in practice. Yes. Okay.
34:23
Okay. Okay. There's my screen. I'll show you what this application does in the first place.
34:41
So I quickly fire up. It means I have to delete my extension first.
35:23
Here I have my Dilip here. So just to clean up from the rehearsal of this demo. So the actual Dilips are found within the slash library slash mobile substrate slash dynamic libraries directory.
35:42
And once it's done, we compile our binary. It will end up here. So that's pretty easy to delete. Whatever we need to remove or to disable an extension, we simply delete the corresponding Dilip file.
36:00
So how are we going to solve this one? Okay. We have for this a very nice interface called make.pl. It means a new instance creator. It asks us whether or not we want to create a tweak, an application library, or anything else. I said I want to create a tweak.
36:23
Let's call it test. Yep. Okay. And we need to add what the actual name of the package is, what we want to inject into.
36:51
So we go here. We don't want to terminate anything else. And then we have a new instance, which does not anything but can be compiled.
37:01
So this is a very useful thing to start from. And if we look at, here we have this tweak.xm, which is the actual place what we need to compile. So this is the file we need to fill in with Objective-C code.
37:21
And there's a bunch of instructions how to fill in this file. But I have my substrate extensions ready already. We came in. Simply save it. Yes.
37:54
We compile it. We make it install.
38:02
Okay. And then if we come to the log screen of my iPad, and we follow up, this is interesting because I compiled the wrong thing.
38:23
Okay. So the next step here is, no, I compiled the wrong thing.
38:45
This should be the one.
39:13
Let me try again.
39:27
Okay. Now it says it's trivial and we should be, yes. And there we have our precious stack trace. So we can see from where the file assisted path function was called. And once we're there, we can easily evade geography detection also.
39:46
Once we have a control about what the actual file or the actual API call returns, then we can use this framework to bypass geography detection without ever touching the binary. So basically this is the choice.
40:04
This is the tool we use to bypass this very primitive geography detection method. So it's pretty easy to understand what it does. In case the parameter is this slash application slash CDL.app file, then we return a null unless otherwise we return whatever is returned.
40:26
And we compile this in the same fashion.
41:20
We can copy the same.
41:22
I showed you earlier.
41:43
Meanwhile, I delete what I made earlier. Okay. Now it's installed. And if I kill this thing and fire it up again,
42:05
we'll see that it displays a device clean message, which means that we essentially bypass geography detection. And if we go to the syslogs, we see that our log message ended up here.
42:25
So geography detection has been evaded. So this was what I wanted to say. Any questions? There's a question.
42:50
So the question was what we do when it comes to encrypted binaries. So what do you mean by encryption? Like the fairplay DRM, which is applied in the IQ's binaries?
43:01
Yeah. So the thing is that whenever you download an application from the Apple App Store, it's not encrypted but obfuscated with a system called fairplay DRM. And there are tools to decrypt or de-obfuscate those files. So Clutch is one of the projects which can be used for this purpose.
43:24
But if you Google it, you will find very nicely written GDB articles how to manually dump certain segments of the memory and how to calculate offsets to dump memories from. So Clutch is the word you're looking for. And then you have a decrypted binary
43:41
and you will be able to play these games with those binaries also. Yes, you have to use Clutch before anything happens because if you try to load fairplay binary into IDA Pro,
44:04
then it will explode because it will not be able to figure out what's within the binary. And we have time for one more question. Thank you for your attention.