Reverse Engineering Objective-C. Jeff Hui

Transcription

1 Reverse Engineering Objective-C Jeff Hui

2 The process of understanding a system through analysis of its structure, function, and operation Wikipedia

3 It s not Debugging It s Reverse Engineering!

4 The process of understanding a system without its original source

5 Why? Top Secret Learn Disable

6 Why? Top Secret Learn Disable Extend

7 Archeology

8 Knowledge Intense Optimizations Encryption Security Operating Systems Language Runtimes Specifications Assembly Compilers Hardware Code Injection

9 Language Matters JAVASCRIPT Source Code REPL Dynamic Dispatch PYTHON, RUBY, JAVA, ETC. Bytecode Reflective Dynamic Dispatch C Static Dispatch Exploitable No Reflection OBJECTIVE-C Dynamic Dispatch C-compatible Partially- Reflective

10 Objective-C

11 Building an App.o

12 Building an App Compiler.o

13 Building an App Clang.o

14 Building an App Clang LLVM.o

15 .o.o.o Building an App

16 Building an App Static Linker.o.o.o

17 Running an App Dynamic Linking

18 Running an App

19 Running an App Registers CPU RAM

20 C to Assembly int add(int a, int b) { } return a + b;

21 _add: push ebp mov ebp, esp sub esp, 0x8 mov eax, dword [ss:ebp-0x8+arg_4] mov ecx, dword [ss:ebp-0x8+arg_0] mov dword [ss:ebp-0x8+var_4], ecx mov dword [ss:ebp-0x8+var_0], eax mov eax, dword [ss:ebp-0x8+var_4] add eax, dword [ss:ebp-0x8+var_0] add esp, 0x8 pop ebp ret

22 _add: push ebp mov ebp, esp sub esp, 0x8 Prologue mov eax, dword [ss:ebp-0x8+arg_4] mov ecx, dword [ss:ebp-0x8+arg_0] mov dword [ss:ebp-0x8+var_4], ecx mov dword [ss:ebp-0x8+var_0], eax mov eax, dword [ss:ebp-0x8+var_4] add eax, dword [ss:ebp-0x8+var_0] add esp, 0x8 pop ebp ret

23 _add: push ebp mov ebp, esp sub esp, 0x8 Prologue mov eax, dword [ss:ebp-0x8+arg_4] mov ecx, dword [ss:ebp-0x8+arg_0] mov dword [ss:ebp-0x8+var_4], ecx mov dword [ss:ebp-0x8+var_0], eax mov eax, dword [ss:ebp-0x8+var_4] add eax, dword [ss:ebp-0x8+var_0] add esp, 0x8 pop ebp ret

24 _add: push ebp mov ebp, esp sub esp, 0x8 Prologue mov eax, dword [ss:ebp-0x8+arg_4] mov ecx, dword [ss:ebp-0x8+arg_0] mov dword [ss:ebp-0x8+var_4], ecx mov dword [ss:ebp-0x8+var_0], eax mov eax, dword [ss:ebp-0x8+var_4] add eax, dword [ss:ebp-0x8+var_0] add esp, 0x8 pop ebp ret Epilogue

25 add(1, 2); mov dword[ss:esp], 0x1 mov dword[ss:esp+0x4], 0x2 call _add mov rbx, 0x1 mov rbi, 0x2 call _add

26 Calling Conventions (x86_64) rdi arg1 rsi arg2 rdx arg3 rcx arg4 r8 arg5 r9 arg6

27 Compiling Calculator - (int)add:(int)a and:(int)b { return a + b; int methimpl_calculator_add_and_( Person *self, SEL _cmd, int a, int b ) { return a + b; } methimpl_calculator_add_and_

28 Compiling Objective-C [obj call]; objc_msgsend( obj, sel_registername( call ) ); mov rdi, esp mov rsi, qword [ds:objc_sel_call] call qword [ds:imp got objc_msgsend]

29 Calling Conventions (x86_64) rdi rsi rdx rcx r8 r9 rbp self _cmd arg1 arg2 arg3 arg4 (stack register)

30 Let s Reverse Engineer

31 Hopper

32 Hopper methimpl_person_daysuntilbirthday

33 class-dump

34 class-dump All objc objects are ids

35 LLDB

36

37

38

39

40

41

42

43 The Hard Part

44

45 Code Injection

46 Code Injection Binary Patching Dynamic Patching Dynamic Linking Plugin

47 Image Credits Skull And Crossbones designed by Anton Outkine from the Noun Project Icons from Apple s Terminal, Xcode, SystemInformation, CoreServices Icon from Hopper

48 Questions? Objective-C Type Encodings MACH-O ABI & DYLB mach_inject & mach_override - C-Function Overriding Objective-C Blocks ABI LLVM Compiler Infrastructure Project objc4 - Objective-C 2.0 OSS project ISAs - i386, x86_64, arm, arm64 Darwin - ios & OSX OSS Kernel

49 Code Obfuscation Ruins Stacktraces Breaks Reflection Doesn t stop a Debugger Only slows down initially

50 What about FairPlay?

51 What about FairPlay? Encryption is only on disk

52 How do I stop this? You can t

53 Make it more difficult Bug Debuggers Partial Code Load Integrity checks Remote Server Don t DRY the protection code Obfuscate protection code

54 Compiling Objective-C Blocks

55 Compiling Objective-C

56 Compiling Objective-C - (int)daysuntilbirthday { int v = 1; return (^int(int i){ return i + v; })(2); }

57 Compiling Objective-C - (int)daysuntilbirthday { int v = 1; return (^int(int i){ return i + v; })(2); } int 22-[Person daysuntilbirthday] block_invoke( struct block_literal_1 *, int i ) { }

58 Compiling Objective-C struct block_literal_1 struct block_descriptor_1 Class isa int flags int reserved void (*invoke)( block_literal_1*, ); unsigned long int size void (*copy)(void*, void*) void (*release)(void *) const char *signature struct block_descriptor_1 *descriptor const int v

59 Compiling Objective-C Objective-C Object struct block_literal_1 struct block_descriptor_1 Class isa unsigned long int size int flags void (*copy)(void*, void*) int reserved void (*release)(void *) void (*invoke)( block_literal_1*, ); const char *signature struct block_descriptor_1 *descriptor const int v

60 Compiling Objective-C Objective-C Object struct block_literal_1 struct block_descriptor_1 Class isa unsigned long int size int flags void (*copy)(void*, void*) int reserved void (*release)(void *) void (*invoke)( block_literal_1*, ); struct block_descriptor_1 *descriptor const char *signature Block Type Info const int v

61 Compiling Objective-C Objective-C Object struct block_literal_1 struct block_descriptor_1 Class isa unsigned long int size int flags void (*copy)(void*, void*) int reserved void (*release)(void *) void (*invoke)( block_literal_1*, ); struct block_descriptor_1 *descriptor const int v const char *signature Block Type Info Enclosed Variable