By knowledge set · Lefe_x
There has been a lot of “press” coverage of iOS App Reverse Security, another book on reverse security since the little Dirty Book. At present, many iOS developers are still very “ignorant” of reverse, so that they blindly think that reverse is difficult and powerful. The appearance of this book undoubtedly opens another window for the reverse world. Let’s take a look at what is hidden in this window. The purpose of this article is not to cover the details of the book, but to cover what is covered in each chapter.
Chapter 1 Overview
This chapter describes the whole process of reverse engineering, including risks in applications, how to protect application security, and how to use development tools. In my opinion, the core of this chapter is to master the reverse process and function, and understand the security issues that need to be paid attention to in APP development.
Reverse flow: The whole reverse flow is basically the same, and these flows can be summarized as:
- Obtain the IPA package of the application, decrypt it (jailbroken application does not need to decrypt it), and export the header file.
- View the APP layout through the interface, find the corresponding header file from the layout, and view key functions;
- Hook related functions to achieve your purpose;
- Static analysis and dynamic debugging analysis of key functions;
- Simulate or tamper with the logic of the original APP;
- Get what you want.
If you want to work in security, you can delve into it. Otherwise, you don’t need to put too much effort into it. After all, reverse knowledge is seldom used in forward development. Learning reverse knowledge can be summarized as follows:
- Learn from the implementation ideas of third-party APPS, such as how to achieve a certain function, what type of View is used in the interface, and what kind of database structure is used, etc.
- Deepen understanding of forward development, such as Runtime;
- After popularizing security knowledge and understanding what reverse can do, you will know what information can be obtained by others during development. For example, an APP can judge whether paid resources can be used according to local data, which is obvious that reverse can be used for paid resources.
Chapter 2 Jailbreak equipment
This chapter mainly explains the function of jailbreak in reverse and the use of jailbreak tools. It is important to note that reverse doesn’t necessarily require jailbreaking, and a jailbreaking device is essential to better understand reverse. At present, many jailbreak tools in the market also provide a one-click jailbreak, readers can search by themselves.
Logging in to jailbroken devices:
Once the phone is jailbroken, it will install a Cydia software, which is used to install various tools on the jailbroken phone, which is the equivalent of the App Store in jailbreak. To read the resource files on the jailbroken device, you must log in remotely. If you work on a server, you know how to use SSH for remote login, and you can also use SSH to log in to jailbroken devices. Install OpenSSH by searching for It in Cydia.
Sudo SSH root@Mobile phone IP addressCopy the codeYou can log in successfully to operate the jailbroken device. The author also introduces other ways to log in to jailbroken devices, using the male key login, USB login.
File directory:
If you want to see your device’s File system, you can use iFunBox on your Mac, and you’ll need Apple File Conduit 2 on your phone. After a successful installation, iFunBox can be used to view the phone’s directory structure, such as the installed APP sandbox directory, the sandbox directory of the system’s own apps, various Frameworks and so on.
Jailbreak essentials
- Adv-cmds: An error occurs when you run the ps command.
- Appsync: Make the system no longer verify the signature, so as not to install the application failure;
- IFile: View file directories on mobile phone;
- SCP: terminal command to copy files from a remote device to another device.
- Cydia Substrate: Allows third party developers to patch or extend methods in jailbreak methods.
Chapter three reverse tool details
You might end up using these tools (Dumpdecrypted, Clutch, class-dump, Reveal, Cycript, Charles, Wireshark) just like me. But the author explained the principle to us, it can be seen that his skill is very deep.
dumpdecrypted
All apps in AppStore are encrypted, and the premise of reverse encryption requires decryption of the encrypted content. Dumpdecrypted is a tool that does just that. Of course, if you don’t want to decrypt it, you can download the decrypted APP directly from the jailbreak market. But sometimes the jailbreak market doesn’t have the app you want and you have to decrypt it yourself. It works by quoting the author:
Dumpdecrypted is an open source tool that injects executable files and dynamically dumps the decrypted content from memory.
Clutch
In addition to using Dumpdecrypted for decryption, Clutch can also do this. However, the author notes that it is often wrong to use this and recommends using DumpDecrypted.
class-dump
Class-dump is a tool for exporting classes, methods, and properties from executable files. The executable file should be emphasized here. The decrypted APP has an executable file (Mach-O). The Executable file can be found from the info.plist file in xxx.app whose value is the Executable file in xxx.app. Use MatchOView to view mach-O files.
Export the we. app header file:
class-dump -H ~/Desktop/reverse/ipa/We.app -o ~/Desktop/reverse/header/we
Copy the codeReveal
Is used to view the APP interface tool, view the third party APP does not have to be jailbroken device.
Cycript
Cycript is a tool that allows developers to view and modify runtime APP memory information using objective-C ++ and JavaScript combined syntax. In the reverse is mainly used to verify whether some guesses are correct, check the interface information. For example, view the VC currently displayed, the result of an object executing a function, and dynamically modify the information of a UI.
Charles, Wireshark
This section describes how to use the two packet capture tools.
Chapter IV Development of Reserves
This chapter focuses on forward development, which is important for reverse development.
Ipa package
You can obtain the IPA package of an application in either of the following ways:
- Download it from iTunes. It is no longer supported in iTunes, so you need to download the lower version of iTunes. Download;
- Directly from the jailbreak device, in fact, directly from a variety of assistants without jailbreak devices can download jailbreak applications, to obtain ipA packages;
Application package construction process:
- Compile: Compile source files using Clang;
- Link: Link the compiled object file into an executable file.
- Storyboard: Compile the storyboard file in the project;
- Plist: Generates plist files.
- Asset: Copy the required resource files to the App directory.
- Dsym: generates symbolic files.
- Codesign: Sign the App;
- Package d.
Interface and event delivery
Introduces UI, event delivery, and event response in iOS.
Classes and methods
This paper mainly introduces the basic implementation of classes, the message mechanism in OC and some usage scenarios of Runtime.
App signature
In forward development, each student will go through the Apple certificate configuration once. The author mainly explains the principle of App signature here, so as to pave the way for reverse re-signature.
Chapter 5 analysis and debugging
The first four chapters mainly pave the way for the last four chapters and officially start the reverse from the following chapters. This chapter mainly introduces the reverse from static analysis and dynamic debugging.
Static analysis refers to a method of analyzing a program without allowing the App. Generally, there are the following ways:
- Based on IPA and APP package;
- Based on file format;
- Based on binary disassembly;
The disassembly
There are two main tools for disassembly: Hopper and IDA. These two tools can look at assembly code implemented in source code and, crucially, pseudocode. I used to think that Hopper was useless if it was not easy to use. Today I downloaded one and found it was more comfortable to use than IDA.
Hopper only supports Mac and Linux and is relatively weak compared to IDA. IDA supports the Windows platform.
Static library analysis
Sometimes if you want to see the implementation of a static library, you can actually use Hopper to see its assembly code.
➜ 5.1 Static analysis ls Crashlytics UserLogin ➜ 5.1 Static analysis Lipo-info Crashlytics Architecturesinthe fat file: Crashlytics are: Armv7 armV7s i386 x86_64 arm64 ➜ 5.1 Static Analysis Lipo Crashlytics -thin arm64-output Crashlytics_arm64 ➜ 5.1 Static analysis mkdir Objects ➜ 5.1 Static analysiscd Objects
➜ Objects ar -x ../Crashlytics_arm64
➜ Objects grep "Upload"-rn ./ Binary file .//CLSReportsController.o matches Binary file .//CLSCrashReportingController.o matches Binary file // clsNetworkClient. o matches ➜ Objects otool-lCrashlytics. O | grep bitcode sectname __bitcode ➜ Objects ld - r - arch arm64 - syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk -bitcode_bundle ./*.o -o .. /outputCopy the codeDynamic debugging
Dynamic debugging is performing a series of operations while the program is running, such as fetching the value of an object, executing the context, and so on.
LLDB dynamic debugging: LLDB is often used to debug programs in forward development, but it can also be useful in reverse.
Debug third-party applications with Xcode: Use Xcode to debug third-party applications on non-jailbroken devices, perform symbolic restoration, and view signed stack calls. However, a third-party application is required for debugging.
Theos
In addition to Thoes, there is a tool called iOSOpenDev in jailbreak development, which has the same function as Thoes, but the difference is that iOSOpenDev is integrated into Xcode and used, while MonkeyDev and iOSOpenDev belong to the same type of tool.
MonkeyDev
MonkeyDev is a tool developed by the author, mainly using Xcode for jailbreak development. See MonkeyDev’s wiki for details.
Chapter 6 Reverse progression
This is a difficult chapter to read. I haven’t touched on a lot of them, so here’s a brief introduction, and if you use this in the future, you can go further.
Application load
What does the program do before executing Main?
Mach-o file format
For each IPA package, there is an executable file, which is a Mach-O file.
ARM assembly
If you want to understand the code, you must learn to assemble.
hook
A hook allows you to change the execution logic of a program. The most common hook is in the following three ways:
- MethodSwizzle:
Through the implementation of the Runtime exchange method.
- Fishhook:
Fishhook is an open source library for Facebook.
A library that enables dynamically rebinding symbols in Mach-O binaries running on iOS.
- Cydia Substrate:
The dynamic library
Features:
- It exists in the form of.dylib,.framework and.tdb;
- It has the same format as a normal binary;
- Its advantage is that it can keep only one file and memory space, so it can be used by multiple processes, such as system dynamic library;
- Reduces the size of the executable file without linking to the object file.
Dynamic libraries are often used in reverse order, such as revealServer. framework injected into an APP when debugging a third-party application using Reveal. The dynamic library can be called either by importing a header file or by dynamically loading the dlopen.
Chapter VII Actual Combat Exercises
This chapter mainly applies what has been learned in the previous chapters. Reverse development can be developed on both jailbroken and non-jailbroken devices.
Prison break equipment
The goal is to add a favorites menu to WhatsApp long-press messages and add favorites to Settings. Analysis was performed on jailbroken devices and non-jailbroken devices respectively.
- Download WhatsApp and decrypt it using DumpDecrypted;
- To export A header file using class-dump, add the -a parameter to the exported header file to display the implementation address of the method in the file.
- Symbol restore, easy to use LLDB debugging;
- When analyzing an application, you need to start from the interface, use Reveal to check the hierarchical structure of the interface, locate the specific view controller, and find the corresponding method from the original file.
- According to the method found, LLDB is used to add breakpoints, verify whether the corresponding method will be called, to determine whether the method to find;
- Use Hopper to look at pseudocode and guess how to implement it.
Non-jailbreak device
The goal is to add automatic reply to WhatsApp. Jailbreak device analysis involves a lot of tedious work, such as exporting header files, using Reveal, and inconvenient debugging using LLDB. Therefore, the author integrates these functions into MonkeyDev, which automatically integrates a series of repetitive tasks such as class-dump, symbol restore, Reveal, Cycript, dynamic library injection, and automatic re-signature. Reverse analysis can be performed directly on non-jailbroken devices. Specific usage Reference
Frida in action
Frida is a cross-platform injection tool that interacts with Native JS engines by injecting JS to execute Native code for hook and dynamic calls. This tool can be used for Android and iOS, and it can debug an application with a single JS.
Chapter VIII Safety Protection
We can debug other people’s App as well as debug our own App. This requires us to protect our own App from attack in the development process. Important data needs to be encrypted. This chapter focuses on the means to protect our App from being cracked as much as possible. The main means are:
– Data encryption: encrypts static strings, local storage, and network transmission
Sensitive data, whether local data or data transmitted on the network, needs to be encrypted using encryption algorithms. AES and RSA are commonly used. AES+RSA can be used to encrypt data transmitted over the network. If Https is used, the certificate must be verified. Constant strings are sometimes encrypted to prevent statically parsing. Here the author refers to the use of libclang, specific source code.
– Static obfuscation: class name, method name, attribute obfuscation;
Using class-dump to export header files, it is easy to know the function of a class or method by name. In this case, you need to confuse the class name and method name. The first method: through macro definition obfuscation, write #define MyClass 89s343SS in a PCH file like this. There is an open source library on the web called ios-class-Guard. The second method, binary modification, modifies the __obj_classname and objc_methname of the executable file.
– Dynamic protection: reverse debugging, injection detection, hook detection, jailbreak detection, signature detection, etc.
Although static obfuscation can not guess the function of the class name method name, but if using dynamic way can still know the parameters of some methods, as well as the encrypted data, etc. This is to prevent dynamic debugging.
- Undebugging: Primarily by preventing debugging to attach and detect the presence of a debugger. The main methods include Ptrace, SYSCTL, SYSCall, ARM and so on.
- Anti-debugging: Filter out anti-debugging mechanisms;
- Reverse injection: check whether other modules are currently injected;
- Hook detection: detect whether the malicious hook is dropped;
- Integrity check: Load Command, code check, re-signature check;
– Code obfuscation: Increased analysis difficulty
Unobfuscated code can be derived from assembly code, or even pseudocode, through assembly tools such as Hopper and IDA. To make the analysis more difficult, you need to obfuscate the code. The obfuscation is mainly through LLVM.
Knowledgeset is a team official account, mainly targeting at the mobile development field, sharing mobile development technology, including iOS, Android, applets, mobile front end, React Native, WEEX, etc. Original articles will be shared every week, and our articles will be published on our official account. Stay tuned for more.
