More Related Content Similar to Reverse Engineering iOS apps (20) Reverse Engineering iOS apps17. Segment 1
Segment command 2
Segment 2
Mach-O
binary
Segment command 1
Section 1 data
Section 2 data
Section 3 data
Section 4 data
Section 5 data
…
Section n data
19. __TEXT -> code and read only data
__objc sections-> data used by runtime
23. @interface RRSubscription : NSObject!
{!
NSString *_subscriptionID;!
!unsigned int _period;!
float _price;!
NSDate *_creationDate;!
}!
!
+ (id)arrayOfSubscriptionsWithJSONArray:(id)arg1;!
+ (id)subscriptionWithDictionary:(id)arg1;!
!
@property(readonly, nonatomic) NSDate *creationDate;!
@property(readonly, nonatomic) float price;
!
@property(readonly, nonatomic) unsigned int period; !
!!
27. > address (cryptoff + cryptsize) size (base address + cryptoff + cryptsize)!
> gdb dump memory decrypted.bin 0x3000 0xD23000 !
> Address space layout randomization!
> 0x1000 -> 0x4f000!
> decrypted.bin -> binary!
47. - (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:
(NSURLAuthenticationChallenge *)challenge {!
…!
NSData *remoteCertificateData =
CFBridgingRelease(SecCertificateCopyData(certificate));!
NSString *cerPath = [[NSBundle mainBundle]
pathForResource:@"MyLocalCertificate" ofType:@"cer"];!
NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];!
if ([remoteCertificateData
isEqualToData:localCertData]) {!
[[challenge sender] useCredential:credential
forAuthenticationChallenge:challenge];!
} else {!
[[challenge sender]
cancelAuthenticationChallenge:challenge];!
48. #define _AFNETWORKING_PIN_SSL_CERTIFICATES_ 1
!
AFHTTPClient.h!
@property (nonatomic, assign)
AFURLConnectionOperationSSLPinningMode sslPinningMode;
{ AFSSLPinningModePublicKey, AFSSLPinningModeCertificate }
AFURLConnectionOperation.h
When `defaultSSLPinningMode` is defined on `AFHTTPClient` and
the Security framework is linked, connections will be validated on
all matching certificates with a `.cer` extension in the bundle root.!
53. #define verifyDecodedString(encoded, hashE, hashD, success)
fweybz(encoded, hashE, hashD, success)
static inline NSString * fweybz(NSString *encoded, NSString *hashE,
NSString *hashD, BOOL *success) {
NSString *decoded = decodedString(encoded);
if (success != NULL) {
*success
= (decoded && [hashFromString(encoded)
isEqualToString:hashEncoded] &&
[hashFromString(decoded)
isEqualToString:hashDecoded]) ? YES : NO;
return decoded;
}
55. #define denyDebugger() tmzpw()!
static __inline__ void tmzpw() {!
if (getuid() != 0) {!
!NSString *ptraceString = .. !
!void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);!
ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, ptraceString);!
ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);!
dlclose(handle);!
}!
else!
*(volatile int *)NULL = 0xDEADBEEF;!
}!
58. int main(int argc, char *argv[])!
{!
@autoreleasepool {!
denyDebugger();!
return UIApplicationMain(argc, argv, nil, nil));!
}!
}!
59. + (PurchaseManager *)sharedManager {!
if (isDebugged())!
!return nil;!
static PurchaseManager *sharedPurchaseManager = nil; !
static dispatch_once_t onceToken;!
!dispatch_once(&onceToken, ^{ !
!!
!sharedPurchaseManager = [[self alloc] init];!
});!
!return sharedPurchaseManager ; !
}!
61. const struct mach_header *header = (struct mach_header *)dlinfo.dli_fbase;
struct load_command *cmd = (struct load_command *) (header + 1);
for (uint32_t i = 0; cmd != NULL && i < header->ncmds; i++) {
if (cmd->cmd == LC_ENCRYPTION_INFO) {
struct encryption_info_command *crypt_cmd = (struct
encryption_info_command *)cmd;
if (crypt_cmd->cryptid < 1)
return NO;
else
return YES;
}
else
cmd = (struct load_command *)((uint8_t *) cmd + cmd->cmdsize);
}
return NO;
62. BOOL isDirectory = NO;
NSString *directoryPath = [[[NSBundle mainBundle]
bundlePath]
stringByAppendingPathComponent:@”SC_Info/”];
BOOL directoryExists = [[NSFileManager
defaultManager] fileExistsAtPath:directoryPath
isDirectory:&isDirectory];
BOOL contentSeemsValid = ([[[NSFileManager
defaultManager] contentsOfDirectoryAtPath:directoryPath
error:NULL] count] == 2);
63. !NSDictionary *iTunesMetadata = [NSDictionary
!dictionaryWithContentsOfFile:[rootDirectoryPath
!stringByAppendingPathComponent:@”
iTunesMetadata.plist”]];!
!NSString *appleID = iTunesMetadata[appleID];!
NSDictionary *accountInfo =
iTunesMetadata[downloadInfoKey][accountInfo];!
!BOOL isValidAppleID = (appleID.length > 0 &&
![appleID rangeOfString:appleIDMailAddress
!options:NSCaseInsensitiveSearch].location ==
!NSNotFound);!
BOOL isValidDownloadInfo = (accountInfo.count > 0);!
65. BOOL dyLibFound = NO;
NSArray *directoryFiles = [[NSFileManager
defaultManager] contentsOfDirectoryAtPath:
[[NSBundle mainBundle] bundlePath] error:NULL];
for (NSString *filename in directoryFiles) {
if ([[filename pathExtension]
caseInsensitiveCompare:@”dylib”] ==
NSOrderedSame) {
dyLibFound = YES;
break;
}
}!
69. !
NSError *error; !
NSString *jailTest = @”Jailbreak time!";!
[jailTest writeToFile:@"/private/test_jail.txt"
atomically:YES
encoding:NSUTF8StringEncoding error:&error];!
if(error==nil) {!
…!
}!
!
71. NSArray *jailbrokenPaths = @[@"/Applications/Cydia.app",!
!
!
!@"/usr/sbin/sshd",!
!
!@"/usr/bin/sshd",!
!
!
!@"/private/var/lib/apt",!
!
!
!@"/private/var/lib/cydia”!
!
!
!@"/usr/libexec/sftp-server",!
!
!
!@"/Applications/blackra1n.app",!
!
!
!@"/Applications/Icy.app",!
!
!
!
!
!
!@"/Applications/RockApp.app",!
!
!!
!
!
!@"/private/var/stash"];!
!
NSString *rooted;!
for (NSString *string in jailbrokenPath)!
if ([[NSFileManager defaultManager] fileExistsAtPath:string]) {!
…!
}!
72. !
!
for (NSDictionary * dict in processes) {!
!NSString *process = [dict
objectForKey:@"ProcessName"];!
!! !if ([process isEqualToString:CYDIA]) {!
!! ! ! !...!
!! ! ! !}!
}!
!