Tuesday, February 11, 2014

Decrypting iOS Applications (Manual)

Reversing the iOS application can be interesting and profitable. This short article presents how to decrypt an iOS application for reverse engineering. The example application is Puffin browser.

Pre-requirement

Before the application can be decrypted, some packages need to be installed.
  • gdb - the GDB available from the Cydia repository is not working properly. The correct version can be downloaded from the Radere repository. One needs to add http://cydia.radare.org to the repository (the source setting need to be set to Developer)
  • iOS Toolchain
  • file
  • adv-cmds
  • gawk
All these packages need to be installed with required dependencies.

Finding the code

First thing what we need to check if the code is really encrypted. We can do this using the otool tool and looking for the  LC_ENCRYPTION_INFO section.

otool -arch all -Vl <app name> | grep -A4 LC_ENCRYPTION_INFO



Above command reveals two important information: the begining of the code (cryptoff) and the size of the code (cryptsize). It will be need during the dump of the code

Dumping memory

Because the iOS 7 is using ASLR the decrypted code will be located in different memory address ranges. We need to load it, run and stop after the decryption routine is finished (on the original application entry point). To do this we need to load the application in gdb and set break point on the begining of the application - UIApplicationMain.


When the gdb stops on the break point we can find the appropriate region. Using the info sharedlibrary command we can display all loaded libraries with their base addresses.


The Puffin application (position number 2) has the base address 0x9000. Now we can dump the code. To do this we will need two addresses - begin and end. They are calculated in follows:

Begin address = base address + cryptoff 
                                   0x9000 + 16384    = 0xD000

End address = base address + cryptoff + cryptsize 
                                0x9000 + 16384    + 511808    = 0x4ED000

The dump is made by the following command:
dump binary memory <dump name> <begin address> <end address>

Creating binary

 Now we need to copy the dumped code into the thin version of our application.

dd bs=1 seek=<cryptoff> conv=notrunc if=<dump name> of=<application>


Now the dump is completed and the application can ba analyzed using the IDA Pro or the Hopper Disassembler.


No comments:

Post a Comment