Looking Inside an iPhone App Binary

Gaurav Kumar, Senior Software Developer, Incubator @ BMC Software

Getting hold of an iPhone app
• Download the .IPA file from:
  – the Apple App Store
  – another MDM app store
• Dev/QA builds
• Compile/build it yourself

What platforms does the app support?
• Device: iPhone, iPad, iPod touch (iPhone 5, iPad Air 2, etc.)
• Deployment target: iOS 8, iOS 9, etc.
• Target architecture: armv7, armv7s, arm64
• FAT/Universal binary (magic 0xCAFEBABE)
  – Multiple versions/architectures combined into a single file.
• Confusing: ARM processor or ARM architecture?
  – The original iPhone had an ARM11 processor, which implements ARMv6.
  – The iPhone 4 has the A4 chip with a Cortex-A8 core, which implements ARMv7.
• Apple's System on a Chip (SoC): Ax series, e.g. A4, A6
  – A SoC comprises processor cores, GPUs, audio/video codecs, memory, wireless radios, etc.

What platforms does the app support? (continued)
• Processor cores:
  – ARM11, Cortex-A8/A9 (designed by ARM Holdings)
  – Swift, Cyclone, Typhoon, Twister (designed by Apple): iPhone 5 and beyond
• ARM architectures
  – ARM is a family of RISC (Reduced Instruction Set Computing) instruction set architectures for computer processors, as against CISC in x86 processors.
  – Requires fewer transistors, thus reduced cost, heat and power usage.
  – 32- and 64-bit support: armv6/v7/v7s, arm64.
  – Used in embedded devices and most other mobile devices.
• Instruction sets (IS):

  IS       Instruction width        Comments
  ARM      32 bits                  Good performance
  Thumb    16 bits                  Compact (subset of ARM)
  Thumb-2  Mixed 16 and 32 bits     Enhanced Thumb; extension of Thumb; ARMv7 and later
  ARM64    32 bits (fixed width)    64-bit registers and addresses (AArch64); a new encoding, not an extension of ARM/Thumb

  Code samples from the slide, one per instruction set (reconstructed from the garbled extraction; the condition suffixes inside the IT block are added because unified syntax requires them). ARM and ARM64 show a gcd loop; Thumb and Thumb-2 show an if/else sequence, first with branches only, then with an IT block:

  ARM (conditional execution on every instruction):
      gcd: CMP   r0, r1
           SUBGT r0, r0, r1
           SUBLT r1, r1, r0
           BNE   gcd
           BX    lr

  Thumb (branches are the only conditional instructions):
           CMP   r0, r1
           BNE   L1
           LDR   r0, [r1]
           ADD   r0, r3, r0
           B     L2
      L1:  LDR   r0, [r2]
           ADD   r0, r4, r0
      L2:

  Thumb-2 (IT block replaces the branches):
           CMP   r0, r1
           ITETE EQ
           LDREQ r0, [r1]
           LDRNE r0, [r2]
           ADDEQ r0, r3, r0
           ADDNE r0, r4, r0

  ARM64 (conditional select instead of conditional execution):
      gcd: SUBS  w2, w0, w1
           CSEL  w0, w2, w0, gt
           CSNEG w1, w1, w2, gt
           B.NE  gcd
           RET

Looking inside an app binary
• Our app installer is named mods15.ipa. To access the app binary:
  – unzip -qq mods15.ipa -> Payload/mods15.app (a directory)
  – mods15.app contains the mods15 app binary, resources/media, xib/storyboard files, code signatures, language-specific string files, etc.
• mods15 is in Apple's standard binary format, Mach-O.
  – Note: iOS and Mac binaries use the same ABI format.
• Mach-O:
  – Contains code and data for one specific architecture.
  – A FAT/Universal binary archives multiple Mach-O files, one per architecture. The fat file is NOT itself in Mach-O format; it is an archive wrapped around Mach-O files.

Mach-O: Apple's ABI file format
Ref: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/

A Mach-O file has 3 primary regions:
1. Header
   • Generic file info and target architecture
   • File type: MH_EXECUTE for an executable
   • Magic number identifies the layout:
     – 0xFEEDFACE: 32-bit Mach-O (MH_MAGIC)
     – 0xFEEDFACF: 64-bit Mach-O (MH_MAGIC_64)
     – 0xCAFEBABE: FAT header, the wrapper around the per-architecture Mach-O files (the fat header is stored big-endian; the Mach-O headers of ARM slices are little-endian)
   • Number of load commands and their total size
2. Load commands
   • Describe the logical structure of the binary on disk and its layout in virtual memory at runtime
   • Symbol table info, references to shared libraries, etc.
   • LC_SEGMENT / LC_SEGMENT_64 commands reference the actual code and data in the binary file by offset:
     – A SEGMENT maps file bytes directly into the VM address space, is aligned to a VM page boundary (multiples of 4 KB) and contains zero or more sections.
     – A SECTION groups data of one kind (code, C strings, symbol pointers, ...) inside a segment; one segment holds one or more sections.
   • Other load commands: LC_ENCRYPTION_INFO, LC_SYMTAB, LC_LOAD_DYLIB, etc.
3. Data
   • The actual section data, segment by segment
   • A raw data blob; the load commands are what give it structure

Segments and sections (from the Mach-O Runtime reference):

  Segment      Section            Comments
  __PAGEZERO                      Access to NULL lands here. Size in file = 0; VM size = one page (4096 bytes) on 32-bit, 4 GB on 64-bit.
  __TEXT                          Executable code and read-only data. R+X permission. Shared memory.
               __text             Executable machine code
               __cstring          Constant C strings (\0 terminated). The static linker removes duplicates.
               __picsymbolstub1   Position-independent indirect symbol stubs the compiler places here for calls to functions undefined in the module
               __const            Initialized const variables and all jump tables for switch statements
  __DATA                          Writable data. R+W permission. Copy on write.
               __data             Initialized mutable (non-const) variables
               __la_symbol_ptr    Lazy symbol pointers, i.e. indirect references to functions imported from a different file
               __nl_symbol_ptr    Non-lazy pointers, i.e. indirect references to data items imported from a different file
               __const            Initialized relocatable const variables
               __dyld             Placeholder section used by the dynamic linker
               __bss              Data for uninitialized static variables
               __common           Uninitialized imported symbol definitions located in global scope
  __OBJC                          Data used by the Objective-C language runtime support library
  __LINKEDIT                      Raw data used by the dynamic linker, e.g. symbol, string and relocation tables

Looking inside your app binary: the 8 steps
1. Identify the target architectures
2. (optional) Slice out a specific architecture from the FAT binary
3. If encrypted, decrypt the app
4. Identify and analyze the Mach-O components
5. Disassemble the machine code into assembly code
6. Find runtime-exposed information for better correlation with the assembly code
7. Modify the app binary at the assembly level
8. Re-sign and repackage

Useful Mac tools used ahead
• xcrun: Mac CLI to locate and run development tools on your Mac system.
• otool: Mac CLI to disassemble and display parts or the whole of a Mach-O object file.
• MachOView: UI-based Mach-O viewer and hex editor built on top of otool.
• file: the conventional way to list the file type (Mach-O target architectures).
• size: print the size of specific sections of your Mach-O.
• lipo: operate on Universal/FAT binaries.
• nm: Mac CLI to dump the symbol table of a binary.
• codesign: Apple's code signing utility on the Mac.
• class-dump (and class-dump-z): open source tools to examine the Objective-C runtime metadata in a Mach-O binary.
• Synalyze It!: map the app's machine code (in hex) to specific Mach-O structures (with a plugin that understands the Mach-O grammar).
• Radare2, otx, Mach-O-Scope: open source disassemblers and symbolicators (otx post-processes otool output).
• IDA Pro, Hopper: commercial disassemblers and decompilers.
• Hex Fiend: hex editor to create and edit binary code.
The CLIs (xcrun, otool, file, size, lipo, nm, codesign) come out of the box with Mac OS; the rest are 3rd-party tools.

Looking inside an app binary
1. Identify the target architectures
   – xcrun otool -fV mods15
   – xcrun otool -hV mods15
   – xcrun file mods15
   – xcrun lipo -info mods15

   Output of otool -h (raw values) and otool -hV (symbolic values) for each slice:

   mac-gakumar-01:mods15.app gakumar$ xcrun otool -hV mods15
   mods15 (architecture armv7):
   Mach header
         magic     cputype cpusubtype  caps  filetype ncmds sizeofcmds      flags
    0xfeedface          12          9  0x00         2    22       2308 0x00200085
      MH_MAGIC         ARM         V7  0x00   EXECUTE    22       2308 NOUNDEFS DYLDLINK TWOLEVEL PIE
   mods15 (architecture armv7s):
   Mach header
         magic     cputype cpusubtype  caps  filetype ncmds sizeofcmds      flags
    0xfeedface          12         11  0x00         2    22       2308 0x00200085
      MH_MAGIC         ARM        V7S  0x00   EXECUTE    22       2308 NOUNDEFS DYLDLINK TWOLEVEL PIE
   mods15 (architecture arm64):
   Mach header
         magic     cputype cpusubtype  caps  filetype ncmds sizeofcmds      flags
    0xfeedfacf    16777228          0  0x00         2    22       2720 0x00200085
   MH_MAGIC_64       ARM64        ALL  0x00   EXECUTE    22       2720 NOUNDEFS DYLDLINK TWOLEVEL PIE

   mac-gakumar-01:mods15.app gakumar$ otool -f mods15
   Fat headers
   fat_magic 0xcafebabe

   Note: cputype 16777228 is 12 (ARM) with the 64-bit ABI bit (0x01000000) set; the flags word 0x00200085 decodes to NOUNDEFS (0x1) | DYLDLINK (0x4) | TWOLEVEL (0x80) | PIE (0x200000).

2. (optional) Slice out a specific architecture from the FAT binary
   – xcrun lipo mods15 -extract armv7s -output mods15_7s
   – -extract keeps the fat wrapper around the single slice; lipo -thin armv7s writes a bare Mach-O instead.
3. If encrypted, decrypt the app
   – If downloaded from the Apple App Store it will be encrypted, using Apple's FairPlay DRM.
   – Check: otool -l mods15 | grep -A4 LC_ENCRYPTION_INFO shows cryptid 1 while the __TEXT segment is encrypted and cryptid 0 once it has been decrypted.
   – Note: a jailbroken iPhone is needed only to dump the decrypted code from memory via an attached debugger; the actual decryption step (writing the dumped cleartext over the encrypted range in the file and resetting cryptid to 0) is done offline with any hex editor.
   – The open source tool Clutch automates this.
   – Otherwise follow the manual steps at http://www.mandalorian.com/2013/05/decrypting-ios-binaries/
4. Identify and analyze the Mach-O components
   – View the app binary and its specific Mach-O regions.
   – Use otool to view individual sections and segments (otool -l), to dump the overall dependencies (otool -L) and more.
   – Use MachOView or Synalyze It! (with the plugin that understands the Mach-O grammar).
   – Play around!
5. Disassemble the machine code into assembly code
   – Not all tools precisely disassemble and symbolicate.
   – Radare2, otx or Mach-O-Scope claim to work.
   – otool: xcrun otool -tV mods15

A glimpse of MachOView
[The slide shows a MachOView screenshot of the mods15 binary; not reproduced here.]

6. Find runtime-exposed information for better correlation with the assembly code
   – class-dump and class-dump-z help with this: they recover Objective-C class, method and property declarations from the runtime metadata in the binary, which gives names to the addresses seen in the disassembly.
7. Modify the app binary at the assembly level
   – Modify or add assembly code, preferably in the (__TEXT, __text) section or in other relevant places depending on what you want to change in the binary:
     • Find slack space and insert, or
     • Edit existing code so the same space is reused.
     • Make sure not to corrupt the file: the new bytes must stay within the section, and changing the file size or layout invalidates the offsets recorded in the load commands.
   – Use any hex editor of choice. I would recommend MachOView.
8. Re-sign and repackage
   – The app binary has been tampered with, so the original signature is invalid.
   – So you need to re-sign. You can sign with your own valid identity:
     • You need a valid Apple developer account.
     • Register the app with a new bundle ID and name (optional) on the developer portal.
     • Download the new provisioning profile from the dev portal and replace the old one inside the app.
     • Make sure your signing identity/certificate and private key are already in your Mac's keychain.
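The fat header, Mach-O header and load-command walk described under "Mach-O: Apple's ABI file format", together with the checks of steps 1 to 3 (which architectures are present, slicing one out, and whether the __TEXT segment is still FairPlay-encrypted), as working code. This is an added example written for this page; it is not the presenter's code and not part of otool or lipo. It uses only the Python standard library and reads the same structures that otool -f / -h, lipo -thin and the cryptid check look at. The sample binary is constructed in memory by build_sample_fat() (two slices: armv7 with cryptid=1, arm64 with cryptid=0, a mix chosen only to show both outcomes); pass a real file path as argv[1] to run it on mods15 or any other Mach-O.

```python
"""Walk a fat/Mach-O file: architectures, header flags, load commands, encryption state."""
import json
import struct
import sys

FAT_MAGIC, MH_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACE, 0xFEEDFACF
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000        # 16777228 in the otool -h output
MH_FLAGS = {0x1: "NOUNDEFS", 0x4: "DYLDLINK", 0x80: "TWOLEVEL", 0x200000: "PIE"}
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_NAMES = {0x1: "LC_SEGMENT", 0x2: "LC_SYMTAB", 0xC: "LC_LOAD_DYLIB", 0x19: "LC_SEGMENT_64",
            0x21: "LC_ENCRYPTION_INFO", 0x2C: "LC_ENCRYPTION_INFO_64"}


def arch_label(cputype, cpusubtype):
    """Map (cputype, cpusubtype) to the names lipo and otool print."""
    cpusubtype &= 0x00FFFFFF                        # strip capability bits in the top byte
    if cputype == CPU_TYPE_ARM64:
        return "arm64"
    if cputype == CPU_TYPE_ARM:
        return {9: "armv7", 11: "armv7s"}.get(cpusubtype, "arm(subtype %d)" % cpusubtype)
    return "cputype %d" % cputype


def fat_slices(data):
    """Yield (cputype, cpusubtype, offset, size) per slice; a thin Mach-O counts as one slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:        # fat header is big-endian
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat_arch):
            cputype, cpusubtype, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            if offset + size > len(data):                        # truncated or hostile file
                raise ValueError("slice %d lies outside the file" % i)
            yield cputype, cpusubtype, offset, size
    elif struct.unpack_from("<I", data, 0)[0] in (MH_MAGIC, MH_MAGIC_64):   # thin ARM Mach-O
        cputype, cpusubtype = struct.unpack_from("<2I", data, 4)
        yield cputype, cpusubtype, 0, len(data)
    else:
        raise ValueError("neither a fat archive nor a Mach-O file")


def describe_slice(blob):
    """What otool -hV shows, plus a walk of the load commands, for one architecture."""
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", blob, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("bad Mach-O magic %#x" % magic)
    info = {"bits": 32 if magic == MH_MAGIC else 64, "filetype": filetype,
            "flags": [name for bit, name in MH_FLAGS.items() if flags & bit],
            "commands": [], "segments": [], "encrypted": None}
    off = 28 if magic == MH_MAGIC else 32           # mach_header_64 has an extra reserved field
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):   # cmdsize 0 would loop forever on naive code
            raise ValueError("malformed load command at offset %#x" % off)
        info["commands"].append(LC_NAMES.get(cmd, "0x%x" % cmd))
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            info["segments"].append(blob[off + 8:off + 24].rstrip(b"\0").decode())
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
            info["encrypted"] = cryptid != 0        # cryptid 1: __TEXT is still FairPlay-encrypted
        off += cmdsize
    return info


def analyze(data):
    """Per-architecture report, keyed the way lipo -info names the slices."""
    return {arch_label(ct, cs): describe_slice(data[off:off + size])
            for ct, cs, off, size in fat_slices(data)}


def extract_slice(data, label):
    """Return one thin Mach-O (the bytes lipo -thin <arch> would write out)."""
    for ct, cs, off, size in fat_slices(data):
        if arch_label(ct, cs) == label:
            return data[off:off + size]
    raise KeyError("no %s slice" % label)


# --- constructed sample input; not a real app, just enough structure to parse ----------------
def _thin(bits, cputype, cpusubtype, cryptid):
    if bits == 32:   # segment_command (56 bytes) + encryption_info_command (20 bytes)
        seg = struct.pack("<2I16s8I", LC_SEGMENT, 56, b"__TEXT", 0x4000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
        enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x1000, cryptid)
        hdr = struct.pack("<7I", MH_MAGIC, cputype, cpusubtype, 2, 2, len(seg) + len(enc), 0x00200085)
    else:            # segment_command_64 (72 bytes) + encryption_info_command_64 (24 bytes)
        seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x4000, 0, 0x4000, 5, 5, 0, 0)
        enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
        hdr = struct.pack("<8I", MH_MAGIC_64, cputype, cpusubtype, 2, 2, len(seg) + len(enc), 0x00200085, 0)
    return hdr + seg + enc


def build_sample_fat():
    """Two page-aligned slices: armv7 still encrypted (cryptid=1), arm64 decrypted (cryptid=0)."""
    slices = [(CPU_TYPE_ARM, 9, _thin(32, CPU_TYPE_ARM, 9, 1)),
              (CPU_TYPE_ARM64, 0, _thin(64, CPU_TYPE_ARM64, 0, 0))]
    page = 0x1000
    header = struct.pack(">2I", FAT_MAGIC, len(slices))
    body = b""
    for i, (ct, cs, blob) in enumerate(slices):
        header += struct.pack(">5I", ct, cs, page * (i + 1), len(blob), 12)   # align = 2**12
        body += blob.ljust(page, b"\0")
    return header.ljust(page, b"\0") + body


SAMPLE_FAT = build_sample_fat()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    print(json.dumps(analyze(data), indent=2))
```

The two bounds checks (slice offset past end of file, load command with cmdsize below 8 or past the slice) are the ones worth keeping when this is pointed at binaries you did not build yourself; a crafted header can otherwise send a naive walker into an infinite loop or past the buffer.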
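Step 7 says to edit existing code so the same space is reused and to make sure nothing gets corrupted. Concretely that is the address arithmetic below: the disassembler (otool -tV, Hopper) shows virtual addresses, the hex editor shows file offsets, and the section table from otool -l (addr, size, offset per section) is what ties the two together. This is an added example, not the presenter's code; the section tables and the "original" function prologue bytes are constructed for the example and stand in for what otool -l and otool -tV print for a real slice. The replacement code (mov w0, #1 ; ret on arm64, movs r0, #1 ; bx lr on Thumb-2) is the usual "make this function return true" edit; the encodings are the architecture's fixed ones.

```python
"""Translate a disassembler address to a file offset and overwrite code bytes in place,
with the bounds, section and same-size checks a hex-editor session needs."""
import struct

# Section table as otool -l reports it for one slice: (segname, sectname, addr, size, offset).
# Constructed values for this example, not taken from mods15.
SECTIONS_ARM64 = [
    ("__TEXT", "__text",    0x100004000, 0x2000, 0x4000),
    ("__TEXT", "__cstring", 0x100006000, 0x0400, 0x6000),
    ("__DATA", "__data",    0x100008000, 0x0100, 0x8000),
]
SECTIONS_ARMV7 = [
    ("__TEXT", "__text",    0x00004000, 0x2000, 0x4000),
]

# Fixed encodings of the replacement instructions (little-endian in the file).
ARM64_MOV_W0_1  = struct.pack("<I", 0x52800020)   # mov  w0, #1
ARM64_RET       = struct.pack("<I", 0xD65F03C0)   # ret
THUMB_MOVS_R0_1 = struct.pack("<H", 0x2001)       # movs r0, #1
THUMB_BX_LR     = struct.pack("<H", 0x4770)       # bx   lr
ARM64_RETURN_TRUE = ARM64_MOV_W0_1 + ARM64_RET
THUMB_RETURN_TRUE = THUMB_MOVS_R0_1 + THUMB_BX_LR


def vmaddr_to_fileoff(sections, vmaddr):
    """Map a virtual address to (file offset, (segname, sectname)); raise if no section backs it."""
    for segname, sectname, addr, size, offset in sections:
        if addr <= vmaddr < addr + size:
            return offset + (vmaddr - addr), (segname, sectname)
    raise ValueError("address %#x is not backed by any section (zero-fill or unmapped)" % vmaddr)


def patch_plan(sections, vmaddr, new_code, thumb=False):
    """Validate a same-size overwrite of code and return the file offset to write at."""
    if thumb:
        vmaddr &= ~1                 # Thumb function addresses carry bit 0 set for interworking
    off, (segname, sectname) = vmaddr_to_fileoff(sections, vmaddr)
    if (segname, sectname) != ("__TEXT", "__text"):
        raise ValueError("refusing to write code into %s,%s" % (segname, sectname))
    sect_addr, sect_size = next((a, s) for sg, sc, a, s, _ in sections if (sg, sc) == (segname, sectname))
    if vmaddr + len(new_code) > sect_addr + sect_size:
        raise ValueError("patch runs past the end of __text and would corrupt the next section")
    if len(new_code) % (2 if thumb else 4):
        raise ValueError("patch is not a whole number of instructions")
    return off


def apply_patch(image, sections, vmaddr, new_code, expect_old=None, thumb=False):
    """Overwrite code in a bytearray holding the slice. expect_old is what the disassembler showed
    at vmaddr; a mismatch means a wrong address, the wrong architecture slice, or a still-encrypted
    __TEXT (step 3 not done yet)."""
    off = patch_plan(sections, vmaddr, new_code, thumb)
    if expect_old is not None and bytes(image[off:off + len(expect_old)]) != expect_old:
        raise ValueError("bytes at %#x do not match the disassembly" % vmaddr)
    image[off:off + len(new_code)] = new_code   # same length: no offset anywhere else moves
    return off


def is_safe_patch(sections, vmaddr, new_code, thumb=False):
    """True if patch_plan accepts the edit, False for any of the rejections above."""
    try:
        patch_plan(sections, vmaddr, new_code, thumb)
        return True
    except ValueError:
        return False


def build_sample_image():
    """A 0x9000-byte stand-in for the arm64 slice with a known prologue at 0x100004100:
    stp x29, x30, [sp, #-16]! ; mov x29, sp (what a checker function typically starts with)."""
    image = bytearray(0x9000)
    image[0x4100:0x4108] = struct.pack("<2I", 0xA9BF7BFD, 0x910003FD)
    return image


def patched_sample():
    """Build the sample image and make the function at 0x100004100 return 1 immediately."""
    image = build_sample_image()
    apply_patch(image, SECTIONS_ARM64, 0x100004100, ARM64_RETURN_TRUE,
                expect_old=struct.pack("<I", 0xA9BF7BFD))
    return image


if __name__ == "__main__":
    patched = patched_sample()
    print("patched bytes at 0x4100:", patched[0x4100:0x4108].hex())
```

The same-length rule is what keeps the rest of the file valid: every LC_SEGMENT offset, symbol table offset and the LC_CODE_SIGNATURE blob in __LINKEDIT are absolute file positions, so inserting bytes instead of overwriting them shifts everything after the edit. The overwrite does still break the code signature over __TEXT, which is why step 8 follows; and on an App Store binary the __text bytes read from the file are FairPlay ciphertext until step 3 has been done, which the expect_old check catches.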
