Sunday 27 January 2013

Decompiling Encrypted iOS binaries

Introduction:

In my previous article, i had described how you would normally go about decompiling an iOS application. That method would be working for a majority of applications. However, many a times the developers push in security feature to prevent the attackers from decompiling/debugging the application.

In our case, though we are the developers friends and are testing the application, it would be good if we actually follow the same route as an attacker would. That way, we can understand what exact information is disclosed and how the application can be compromised.


Requirements:
  • iOS device must be jailbroken.
  • OpenSSH should be installed on the iOS device.
  • SSH Client on your machine.
  • "Class Dump" should be installed on the iOS device via "Cydia"
  • "Cycript" should be installed on the iOS device via "Cydia".
Detailed Steps:

First we will try and use the same step as used in our previous post to dump the class file information via "class dump".
Below screenshot shows one of such an instances when we use classdump to decompile an application. The command run is of the same syntax as used earlier but the content is unreadable.


In such a case, using class dump alone would not be fruitful. We have to use a tool called as "Cycript" along with “weak_classdump” by Elias Limneos which is Cycript script that generates a header file for the class passed to the function.

It can be used as follows.

Step 1: Get the process id of the running application to be decryped and decompiled using the command "ps -ax | grep "App"".


The above screenshot shows that the process id was "3785".

Step 2: Download the latest copy of "weak_classdump.cy" from "weak_classdump" on to the working folder.

Then, use the below command to inject weak_classdump into the application to be decrypted and decompiled:
cycript -p 3785 weak_classdump.cy; cycript -p 3785

If, the injection was successfull, you will get the message as 'Added weak_classdump to "TWCTV" (3785)' where "TWCTV" is the application to be decrypted and decompiled.


Step 3: Now, you will get cy# where you will have to enter the below command to do the actual decompilation and to dump the required info.
weak_classdump_bundle([NSBundle mainBundle],"/tmp/3847_decrypted_application")

This step takes a lot of time and you would get somthing like the screenbelow when the process is complete.


Step 4: Now, exit cycript and you can access the complete decompiled cleartext source at "/tmp/3847_decrypted_application".



The above screenshot shows that the source code is in cleartext and can be easily analysed and the function names and values can be hooked in the runtime using Mobile Substrate or Cycript to force the application to perform various malicious activities.

References:

25 comments:

  1. This may be a stupid question, but how can I quit Cycript without having to close to terminal window?

    ReplyDelete
  2. Try Ctrl+D. That should let you quit the cycript interpreter.

    ReplyDelete
    Replies
    1. Thank you very much, I was trying to use Ctrl+C

      Delete
  3. That "decompile" always the headerfiles. Not the other!

    ReplyDelete
  4. Dumping header files is not decompiling. And to quit cycrypt, try switching mobileterminal's windows (the dots in center of screen) and try killall -9 cycrypt or killall cycrypt.

    ReplyDelete
    Replies
    1. Translation of program code to human readable language is decompiling.. so dumping unreadable header files which contain class information is clearly decompiling :)

      Delete
  5. I'm stuck at

    cycript -p weak_classdump.cy; cycript -p

    Running this command always seems to freeze on iOS 6.1.3

    ReplyDelete
    Replies
    1. How are you running this on 6.1.3 ?

      Delete
    2. That's weird because I've used it without any problems on 6.1.3. How are you running cycript?

      Delete
  6. How long would be considered "normal" as I've been waiting almost 9 hours so far with no signs of progress. Everything has gone smooth and appears to be working well until now... the end waiting game... :/... lol... is this normal?

    ReplyDelete
    Replies
    1. No. It is not at all normal :)

      Mine does wait for some time but never more than some minutes..

      Delete
  7. Seems like the git link which I was using has developed some issue. Use the below link to download the latest working copy of weak_classdump.cy
    https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy

    ReplyDelete
  8. Take a look at our list of most recommended vr apps compatible with iPhone, iPod and Android smartphones.

    ReplyDelete
  9. It’s essential to have having access to the knowledge posted here. Eminem net worth2020: Eminem is a multi-platinum selling American rapper, producer and actor who has a net worth of $230 million. He is consistently one of the highest-paid entertainers in the world.

    ReplyDelete
  10. I appreciate your efforts to collect this information json viewer . Its working in my project, so thanks

    ReplyDelete
  11. Get detailed information on how to open apk files and access your favorite android files on several devices

    ReplyDelete
  12. Learn how to open MKV files here
    https://openmkvfiles.com

    ReplyDelete
  13. Its essential to see your post download odin , thanks for sharing with us

    ReplyDelete
  14. I think you can also learn about the music of the places you go through, it also represents the cultural identity of the place and you can use those songs to make your phone ringtone, which That will make your phone more special

    ReplyDelete