Since the company’s business is mainly in the payment side, I was motivated to study some knowledge related to reverse.

In view of the reverse involves a wide range of knowledge and miscellaneous, and the operation process is also more, more tools are used. Thinking, might as well record the operation process and relevant knowledge again, in case of need. (Mainly because I was asked by someone, and though I finished the answer, I suddenly had the idea of making this record.)

The reverse chapter was intended to begin after the last of the underlying series, but since it was asked, there was no reason not to summarize. Hence the article.

It should be emphasized that the original intention of reverse is absolutely to protect your app

1. Knowledge involved in reverse

Related knowledge is mainly based on my own learning experience, which is important, I will mention here what is helpful for reverse development. The following will certainly exist some loopholes, hope to point out that the follow-up timely update, to avoid misleading.

  1. The use of tools (including but not limited to shell breaking tools, dump tools, static analysis tools, dynamic debugging tools, interface analysis tools, etc.), tools must be able to use, even if they do not know the corresponding principle as long as they can use the reverse development

  2. Dyld, MACHo, symbol table, etc., contains compilation and linking related knowledge, need to analyze the macho file contents

  3. ARM64 assembler some basic instructions can be read, some key method names will be confused, need to see the assembler to understand what it is doing

  4. The more basic knowledge, the better, mainly hook related, such as Method Swizzling, FishHook, InLineHook three hook methods to understand

  5. The file structure of iOS system, you have a rough idea of what is stored in different file directories

  6. The principle of dynamic libraries is that the injected code is in the form of dynamic libraries

  7. Basic terminal operations and a little shell foundation make it easy to use scripts for quick execution

  8. Common encryption and decryption methods and packet capture tools, network transmission data is usually encrypted, obtaining the secret key is a key step

2. Reverse the process

At the beginning of learning, I also tried to search some relevant materials, but found that there were a lot of proper terms in it, and many technical means were ok, but I didn’t know how to use them together, which greatly affected my interest in learning.

Think, most beginners will probably have such feelings. I will sort out the usual reverse development process, interested partners can step by step to find relevant information to study the process, the idea will be much clearer. (Not including the tool download configuration process, this part of the online content is a lot, only give the tool name and some basic explanation)

1. The prison break

Getting a jailbroken phone is the first step in reverse engineering. At present, there are many ways of jailbreaking, and they are all basically fool-proof operations. My current means of escape is through ace’s assistant.

Select the corresponding option according to the system version of the mobile phone. If the version is higher, select CheckRa1n and complete the jailbreak step by step as prompted.

After jailbreaking, there will be more CheckRa1n application on the screen, open and select Install Cydia, because I already installed it, the prompt will be different.

After a successful installation, the screen is filled with Cydia applications.

Open Cydia, if the normal operation indicates that the jailbreak environment; If the background blinks, the environment is non-jailbreak.

It is important to note that there are two types of jailbreak: perfect jailbreak and imperfect jailbreak.

  • Perfect jailbreak: jailbreak is very thorough, cracked the operating system read and write permissions, perfect jailbreak can be used freely after completion, switch machine also does not affect

  • Imperfect jailbreak: Shutdown will return to a non-jailbreak environment

For now, perfect jailbreak is only available for iOS9, so most of your phones are going to be broken.

However, considering the current jailbreak process is extremely simple, even if the jailbreak is not perfect after shutting down, you just need to jailbreak again to return to the jailbreak environment. Therefore, it is not necessary to deliberately pursue the perfect escape.

Then you need to install some plug-ins in Cydia, including but not limited to:

  • Apple File Conduit “2” for root access.

  • AppSync Unified, which bypasses signature detection

  • Adv-cmds, command line

  • OpenSSH, remote login

  • Frida, smashing shells

, etc..

2. Openssh

OpenSSH is a free open source implementation of the Secure SHell (SSH) protocol. The SSH protocol can be used for remote control or to transfer files between computers

Reverse development typically uses both mobile and computer terminals, which are connected using Openssh.

Openssh can be connected over a network or a USB cable.

USB connection is more stable and efficient, so I usually use USB connection. The terminal instructions connected here are basically stinky and long, and need to be simplified with the shell.

2. Hit a shell

Before analyzing an application, obtain the application installation package. The main download channel of iOS is Appstore, but apple will encrypt the contents of the __TETX section of the package downloaded from Appstore. If you do not decrypt the package, you cannot do subsequent operations.

So shell smashing technology came into being.

Shell is divided into static shell and dynamic shell, the mainstream form is dynamic shell.

The principle of dynamic shell smashing is mainly:

Although the __TEXT section in Macho is encrypted by Apple, the system must decrypt the contents in order to run the program. Therefore, it is not to take the initiative to smash the original encryption shell, but when the application runs, the shell is smashed by the system, after the data is taken out of the memory after smashing the shell, also achieved the purpose of smashing the shell.

There are also a lot of tools for cracking shells. I personally use frida at the moment. As for the installation steps configuration of what, online tutorials are also a lot of, here is not clear.

Frida-ios-dump = frida-ios-dump

Run the corresponding commands using the dump.py script.

The terminal execution

./dump.py -l
Copy the code

It will list the installed app in hand, and if it is running, the corresponding PID.

Then through

./dump.py Application nameCopy the code

Can achieve a line of code shell.

The shell is in the frida-ios-dump directory.

The telltale sign is whether the value of cryptid in macho is 0

Generally use the otool command to view the corresponding macho segment and the corresponding value.

Otool -l macho path | grep cryptCopy the code

As you can see, cryptid is 0, which means this is macho after shell breaking.

Of course, you can also drag Macho into MachoView(check macho’s software) and view it directly:

Under LC_ENCRYPTION_INFO_64, the Crypt ID is also 0.

After obtaining the package, you can view the package content first. There are image files, sound files, PLIST files, dynamic library information, GLSL files, etc., through which you can have a general understanding of the application.

3. class-dump

Class-dump is used to dump header files, simple and easy to use.

The principles of class-dump are as follows:

After compiling, macho stores information such as class name and method name, by memory address offset, can find their corresponding segment, and then output the content, also can obtain the header file information.

By instruction:

Class-dump -h App package path or app executable file path -o Output pathCopy the code

After a output, we got the header file of wechat, which has more than 20000..

Open up any file and look at the contents,

The header file contains all the attributes, methods, protocols, and other key information about the class, many of which can be seen by name.

Some apps will confuse the key attribute name and method name, and then display the confused garbled code. In this case, don’t panic. You can use static analysis tools to roughly check its implementation logic, although it is troublesome, but it can be solved.

Static analysis tools

Static analysis tools are capable of decomcompiling machine language code from MACHo files into assembly code, OC pseudocode or Swift pseudocode, while quickly viewing key string information.

This is powerful, and means you can see what a method is doing by looking at its execution flow, judging conditions, and so on, and can be retrieved directly if the local string is not confused (for example, some app keys are stored locally in plain text, which is dangerous).

The main static analysis tools used on iOS are Hopper and IDA.

IDA is more powerful and translates pseudocode closer to a high-level language, but it is also expensive.

Hopper is not as powerful as IDA, but it is sufficient, so I personally use Hopper.

Drag the Macho file directly into Hopper and try to search for characters you are interested in or existing in the header file. This will give you the following interface:

If you have assembly skills, it’s best to be able to analyze directly. If you don’t, you’re not helpless.

Or when there are obfuscated method names and strings that are not directly available through static analysis, you need help with dynamic debugging.

5. Dynamic debugging tools

Dynamic debugging is the program to run through the break point (LLDB), printing and so on, to check the parameters and return values, function call process, such as information, through the output interface information quickly locate the target code, you can also modify memory and register of the dynamic parameters, to bypass the detection, change the implementation process, etc.

Dynamic debugging mainly has LLDB and CyCript two tools, both of which are very powerful, but also has its own good, it is recommended that both methods need to learn.

The LLDB works like this:

When starting the program with Xcode, a DebugServer program will be automatically installed on the phone. The LLDB tool of Xcode will interact with the DebugServer process and transfer the LLDB instructions to the DebugServer process. The DEBUgServer process will transmit the LLDB instruction to the App. After the App executes, the returned value will be transmitted to the DebugServer process. The DebugServer program will send the LLDB instruction to the console and display the result.

The main difference between LLDB and CyCript is that LLDB requires the process to be stuck for debugging, while CyCript requires the process to be active for debugging.

LLDB can be used as aliases and development plug-ins, and common directives can be placed in. Lldbinit files. Cycript can also be wrapped at a higher level by providing easy-to-understand call names.

To be honest, dynamic debugging takes a significant portion of the reverse development process’s time. Because the main job of reverse development is to analyze and locate the behavior of critical code. Proficiency in dynamic debugging basically determines the time consuming of reverse development.

When something is obfuscated or even encrypted, obfuscation and encryption are basically meaningless with dynamic debugging.

Because no matter how obfuscation and encryption, there will always be a moment in memory that needs to be obfuscated and decrypted. As long as this moment is captured, it is very easy to obtain the critical value of this moment through dynamic debugging. Obfuscation and encryption work will not work even if it is done with all the fuss.

To take a step back, for example, if the app uses these values to make process judgment and detection, even if it cannot restore these key values, it can also dynamically debug and modify the values to view different execution processes. If it is the code of detection class, it will be simpler, and it will hook directly and return YES.

When critical code is located through dynamic debugging and how to modify it, hook code needs to be written and injected using dynamic libraries.

5. Hook

There are three hook technologies commonly used in ios system:

  • Cydia Substrate

  • Symbol Table

  • Method Swizzing

The Cydia Substrate method alters the first eight bytes of the hook function to jump to the new function address that we set. This method is called inline hook, and the corresponding frame is Dobby during runtime.

The hook of the Symbol Table is to modify the memory address pointed to by the Symbol Table, which is exchanged at compile time. The corresponding framework is the fishHook framework published by FaceBook.

Method Swizzing is a common record for ios development, but reverse-engineered Method Swizzing is used differently from the development process. At the time of development, hook is basically an existing class of hook system, while reverse development of hook is generally a method written by others. Direct method exchange has the risk of collapse, so the processing methods of GEtimp and SetimP are generally used at the bottom of reverse development. The corresponding is the Logos syntax for writing tweak using Theos.

The code for iOS generally includes:

  • Oc method

  • System C function

  • Custom C functions

These three methods just correspond to using the above three hook methods.

Write hook code dynamic library, need to be injected into the original target application to take effect.

Code injection

There are also three ways to inject code:

  • Upload the DynamicLibraries to the DynamicLibraries directory

  • Use the DYLD_INSERT_LIBRARIES environment variable in DYLD

  • Add a Load command to Macho using optool or yololib

Note that the first two methods must be used in the jailbreak environment; After re-signing the application, you can use the third method in a non-jailbreak environment.

3. Summary

The reverse development process can be summarized as follows:

Prepare a prison cell phone, to hit the target application shell, then the class – a little above the dump file, using static analysis tools for the application for preliminary analysis and key content extraction, using dynamic debugging tools through the interface information quickly locate the target code, modify and debugging process and key values, and then use the dynamic library to write hook code, into the target application, Re-sign the application.

Prison break — — — — > > hit shell class – dump — — — — > > static analysis and dynamic debugging – > hook — — > injection > re-signed (not a must)

Finally, a tool called MonKeyDev is introduced. It is the integration of many of the above reverse development tools and steps, can be very fast to achieve the above series of operations.

Simply drop the target application package into the TargetApp directory and write the corresponding logos to re-sign, inject, and download it to your phone in one step.

The above is the reverse development process and part of the principle, related to the arrangement of knowledge points. However, when it comes to the specific tool download, configuration and use, there are many contents and online tutorials. The positioning of this paper is only a preliminary study of reverse, and it is enough to understand what reverse is doing. The following chapters may make appropriate supplements to these contents.

Stay tuned.