- Recommendation
- Preface
- Foreword
- Part 1 Concepts
- Chapter 1 Introduction to iOS reverse engineering
- 1.1 Prerequisites of iOS reverse engineering
- 1.2 What does iOS reverse engineering do
- 1.2.1 Security related iOS reverse engineering
- 1.2.2 Development related iOS reverse engineering
- 1.3 The process of iOS reverse engineering
- 1.3.1 System Analysis
- 1.3.2 Code Analysis
- 1.4 Tools for iOS reverse engineering
- 1.4.1 Monitors
- 1.4.2 Disassemblers
- 1.4.3 Debuggers
- 1.4.4 Development kit
- 1.5 Conclusion
- Chapter 2 Introduction to jailbroken iOS
- 2.1 iOS System Hierarchy
- 2.1.1 iOS filesystem
- 2.1.2 iOS file permission
- 2.2 iOS file types
- 2.2.1 Application
- 2.2.2 Dynamic Library
- 2.2.3 Daemon
- 2.3 Conclusion
- Part 2 Tools
- Chapter 3 OSX toolkit
- 3.1 class-dump
- 3.2 Theos
- 3.2.1 Introduction to Theos
- 3.2.2 Install and configure Theos
- 3.2.3 Use Theos
- 3.2.4 An example tweak
- 3.3 Reveal
- 3.4 IDA
- 3.4.1 Introduction to IDA
- 3.4.2 Use IDA
- 3.4.3 An analysis example of IDA
- 3.5 iFunBox
- 3.6 dyld_decache
- 3.7 Conclusion
- Chapter 4 iOS toolkit
- 4.1 CydiaSubstrate
- 4.1.1 MobileHooker
- 4.1.2 MobileLoader
- 4.1.3 Safe mode
- 4.2 Cycript
- 4.3 LLDB and debugserver
- 4.3.1 Introduction to LLDB
- 4.3.2 Introduction to debugserver
- 4.3.3 Configure debugserver
- 4.3.4 Process launching and attaching using debugserver
- 4.3.5 Use LLDB
- 4.3.6 Miscellaneous LLDB
- 4.4 dumpdecrypted
- 4.5 OpenSSH
- 4.6 usbmuxd
- 4.7 iFile
- 4.8 MTerminal
- 4.9 syslogd to /var/log/syslog
- 4.10 Conclusion
- Part 3 Theories
- Chapter 5 Objective-C related iOS reverse engineering
- 5.1 How does a tweak work in Objective-C
- 5.2 Methodology of writing a tweak
- 5.2.1 Look for inspiration
- 5.2.2 Locate target files
- 5.2.3 Locate target functions
- 5.2.4 Test private methods
- 5.2.5 Analyze method arguments
- 5.2.6 Limitations of class-dump
- 5.3 An example tweak using the methodology
- 5.3.1 Get inspiration
- 5.3.2 Locate files
- 5.3.3 Locate methods and functions
- 5.3.4 Test methods and functions
- 5.3.5 Write tweak
- 5.4 Conclusion
- Chapter 6 ARM related iOS reverse engineering
- 6.1 Introduction to ARM assembly
- 6.1.1 Basic concepts
- 6.1.2 Interpretation of ARM/THUMB instructions
- 6.1.3 ARM calling conventions
- 6.2 Advanced methodology of writing a tweak
- 6.2.1 Cut into the target App and find the UI function
- 6.2.2 Locate the target function from the UI function
- 6.3 Advanced LLDB usage
- 6.3.1 Look for a function’s caller
- 6.3.2 Change process execution flow
- 6.4 Conclusion
- Part 4 Practices
- Chapter 7 Practice 1: Characount for Notes
- 7.1 Notes
- 7.2 Tweak prototyping
- 7.2.1 Locate Notes’ executable
- 7.2.2 class-dump MobileNotes’ headers
- 7.2.3 Find the controller of note browsing view using Cycript
- 7.2.4 Get the current note object from NoteDisplayController
- 7.2.5 Find a method to monitor note text changes in real time
- 7.3 Result interpretation
- 7.4 Tweak writing
- 7.4.1 Create tweak project “CharacountforNotes8” using Theos
- 7.4.2 Compose CharacountForNotes8.h
- 7.4.3 Edit Tweak.xm
- 7.4.4 Edit Makefile and control files
- 7.4.5 Test
- 7.5 Conclusion
- Chapter 8 Practice 2: Mark user specific emails as read automatically
- 8.1 Mail
- 8.2 Tweak prototyping
- 8.2.1 Locate and class-dump Mail’s executable
- 8.2.2 Import headers into Xcode
- 8.2.3 Find the controller of “Mailboxes” view using Cycript
- 8.2.4 Find the delegate of “All Inboxes” view using Reveal and Cycript
- 8.2.5 Locate the refresh completion callback method in MailboxContentViewController
- 8.2.6 Get all emails from MessageMegaMall
- 8.2.7 Get sender address from MFLibraryMessage and mark email as read using MessageMegaMall
- 8.3 Result interpretation
- 8.4 Tweak writing
- 8.4.1 Create tweak project “iOSREMailMarker” using Theos
- 8.4.2 Compose iOSREMailMarker.h
- 8.4.3 Edit Tweak.xm
- 8.4.4 Edit Makefile and control files
- 8.4.5 Test
- 8.5 Conclusion
- Chapter 9 Practice 3: Save and share Sight in WeChat
- 9.1 WeChat
- 9.2 Tweak prototyping
- 9.2.1 Observe Sight view and look for cut-in points
- 9.2.2 Get WeChat headers using class-dump
- 9.2.3 Import WeChat headers into Xcode
- 9.2.4 Locate the Sight view using Reveal
- 9.2.5 Find the long press action selector
- 9.2.6 Find the controller of Sight view using Cycript
- 9.2.7 Find the Sight object in WCTimeLineViewController
- 9.2.8 Get a WCDataItem object from WCContentItemViewTemplateNewSight
- 9.2.9 Get target information from WCDataItem
- 9.3 Result interpretation
- 9.4 Tweak writing
- 9.4.1 Create tweak project “iOSREWCVideoDownloader” using Theos
- 9.4.2 Compose iOSREWCVideoDownloader.h
- 9.4.3 Edit Tweak.xm
- 9.4.4 Edit Makefile and control files
- 9.4.5 Test
- 9.5 Easter eggs
- 9.5.1 Find the Sight in UIMenuItem
- 9.5.2 Historical transition of WeChat’s headers count
- 9.6 Conclusion
- Chapter 10 Practice 4: Detect And Send iMessages
- 10.1 iMessage
- 10.2 Detect if a number or email address supports iMessage
- 10.2.1 Observe MobileSMS and look for cut-in points
- 10.2.2 Find placeholder using Cycript
- 10.2.3 Find the 1st data source of placeholderText using IDA and LLDB
- 10.2.4 Find the Nth data source of placeholderText using IDA and LLDB
- 10.2.5 Restore the process of the original data source becoming placeholderText
- 10.3 Send iMessages
- 10.3.1 Observe MobileSMS and look for cut-in points
- 10.3.2 Find response method of “Send” button using Cycript
- 10.3.3 Find suspicious sending action in response method
- 10.4 Result Interpretation
- 10.5 Tweak writing
- 10.5.1 Create tweak project “iOSREMadridMessenger” using Theos
- 10.5.2 Compose iOSREMadridMessenger.h
- 10.5.3 Edit Tweak.xm
- 10.5.4 Edit Makefile and control files
- 10.5.5 Test with Cycript
- 10.6 Conclusion