Валерий Попов рассказывает о том, как организован процесс реверс-инжиниринга iOS приложений. RDSDataSource - внутренние пятничные митапы iOS-команды RAMBLER&Co.

1. Reverse engineering
for inexperienced

2. –Helmut Jahn
“A good engineer thinks in reverse and asks
himself about the stylistic consequences of
the components and systems he proposes.”

3. Reverse
System level Code level

4. Reveal

5. Charles

6. idb
iNalyzer
Introspy
Snoop-it

7. iOS filesystem
• /
• /bin
• /boot
• /dev
• /sbin
• /etc
• /lib
• /mnt
• /private
• /tmp
• /usr
• /var
• /Applications

8. App directory

9. App directory
• Binary
• Interface files
• Images
• plist files
• momd files

10. momd

11. Binary

12. Mach-O executable
*.c/*.m *.out
• Tokenization
• Macro / #include expansion
• AST producing
• LLVM IR generating
• Assembly
• Object file
• Executable

13. Mach-O executable
Mach-O
Header
Load
Commands
Data

14. Mach-O executable
Mach-O
Header
Load
Commands
Data
Fat Header
Mach-O
Header
Load
Commands
Data

15. class-dump
Mach-O files
*.h
*.h
…
*.h

16. class-dump
class-dump -S -s -H MyApp -o /path/to/headers/

17. class-dump

18. class-dump (No jailbreak)

19. Jailbreak
Device start
exploit
Bootrom
LLB
iBoot
Kernel
System Software
Apps
signature verify

20. Jailbreak types
• untethered
• tethered
• semi-tethered

21. Jailbreak
• File system access rights
• broken sandbox
• unsigned apps

22. cycript
cycript allows developers to explore and modify running
applications on either iOS or Mac OS using a hybrid of Objective-
C++ and Javascript syntax

23. cycript

24. cycript

25. cycript

26. Disassemblers / Decompilers
• IDA Pro
• Hopper
• otool

27. Hopper

28. Hopper

29. Hopper

30. Tweak
1.Locate executable
2.class-dump headers
3.Find target view(controller) using Cycript
4.Find target method for monitoring
5.Trace method for hooking using disassembler
6.Write Tweak (using Theos)

32. Think first
1.No credentials in plists
2.No NSLog in release
3.Use Keychain
4.Be careful with view snapshots
5.No Objective-C in security code
6.Use SSL pinning

33. SSL Pinning

34. Jailbreak detection
1.Verify Root
2.File access
3.Cydia/OpenSSH detect
4.Process fork

35. Make disassembling harder
1.Use C functions
2.Use #define
3.inline methods
4.string obfuscation
5.decoding tables
6.deny attach
7.integrity checks
8.ASLR

36. PT_DENY_ATTACH

37. Reverse Swift Apps

38. Thank you !
@complexityclass