Bypassing ios anti-debugging protections & jailbreak detection mechanisms

Transcription

1 Bypassing ios anti-debugging protections & jailbreak detection mechanisms Alexandre Bécholey

2 2

3 Plan Context Anti-debugging protections Bypass techniques LLDB scripting Jailbreak detection Conclusion 3

4 Context 4

5 Scope 1. One ios application to pentest 2. Need to use a jailbroken ios device 3. Jailbreak detection and anti-debugging protections present 4. Client notified 5

6 Connectivity 1. Iphone_tunnel to create the initial tunnel ( ) 2. SSH to create a tunnel that will be used for debugging ( ) 3. On the ios device, use debugserver to launch the targeted app (localhost:1234) 4. On the computer, use LLDB to connect to the debugserver to start debugging (localhost:1234) 6

7 Workflow 1. Debug the app 2. Break early in the app 3. Grab the decrypted part 4. Patch a copy of the binary with the decrypted part 5. Start reverse engineering activities 7

8 Anti-debugging protections 8

9 Anti-debugging protections SYSCTL PTRACE SYSCALL Get process ID Query sysctl to get a status of the process Look for the process traced flag Resolve the ptrace symbol to get the function address Call ptrace to deny attachment Once run, valid for the entire process lifetime Sneaky way to call ptrace Same consequences 9

10 References nce/manpages/ 10

11 SYSCTL int sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen); int being_debugged() { int name[] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()}; u_int namelen = sizeof(name) / sizeof(*name); struct kinfo_proc oldp; size_t oldlenp = sizeof(oldp); int result = sysctl(name, namelen, &oldp, &oldlenp, NULL, 0); if (result == -1) { // handle error and fail... } return (oldp.kp_proc.p_flag & P_TRACED)!= 0; // could be optimized as (oldp + 0x21) & 8 } 11

12 ptrace int ptrace(int request, pid_t pid, void *addr, int data); int call_ptrace() { void *handle; void *ptrace; handle = dlopen(0ll, 10); ptrace = dlsym(handle, "ptrace"); ptrace(pt_deny_attach, 0, 0, 0); // PT_DENY_ATTACH = 31 return dlclose(handle); } 12

13 ptrace as a syscall MOV X0, #0x1F ; first arg 31 => PT_DENY_ATTACH MOV X1, #0 MOV X2, #0 MOV X3, #0 MOV X16, #0x1A ; syscall number 26 => ptrace SVC 0x80 ; invoke the syscall 13

14 How to find them sysctl Search for the sysctl and getpid function Get all the cross-references to it ptrace Search for ptrace in the list of strings Get all the cross-references to it syscall Search for the instruction SVC 0x80 Verify that there is a MOV X16, #0x1A before it 14

15 Bypass techniques 15

16 Three cases The function has a symbol Hooking frameworks The function has been stripped Patch the first two instructions of the function The protections are inline in the function Case by case patching 16

17 Hooking frameworks Frida: stable Cycript: inspect Theos: auto-load JavaScript JavaScript & ObjC Compile dylib Works when the other frameworks crash the app Backtrace functions Easy inspection Manual object creation function calls Auto-load when the application starts Huge gain of time Nice when it has to run before anything else 17

18 Dynamic patching Patch the beginning of the function Overwrite the first two instructions MOV X0, #0 ; First write a desired return value RET ; Then return to the caller In LLDB: (lldb) memory write -s 4 0x100420d88 0xD (lldb) memory write -s 4 0x100420d8c 0xD65F03C0 Patch inside a function If there is a branch leading to the tests replace the branch Else overwrite all the instructions with NOP instructions 18

19 Image location PIE applies ASLR to the binary location in memory Different base address at each execution: (lldb) image list myapp [ 0] SOME-UUID 0x /PATH/myapp.app/myapp (0x ) (lldb) image list myapp [ 0] SOME-UUID 0x f0000 /PATH/myapp.app/myapp (0x f0000) Offsets inside the binary remain the same 19

20 LLDB scripting 20

21 Commands files Succession of commands to be executed at startup platform select remote-ios settings set target.process.stop-on-sharedlibrary-events true process connect connect://localhost:1234 continue Import a Python script command script import myscript.py break UIApplicationMain breakpoint command add -s python 1 myscript.myfunction() DONE 21

22 Python script base address of the binary import lldb def myfunction(): # get image list main_image = lldb.target.modules[0] base = int(main_image. str ().split('(')[-1].strip(')'), 16) print "Base addr: 0x%x" % base 22

23 Python script breakpoints offsets = [ 0x3a76e8, 0x3a7ab0, ] for offset in offsets: addr = base + offset print "Adding breakpoint at: 0x%x" % addr bp = lldb.target.breakpointcreatebyaddress(addr) bp.setscriptcallbackfunction("myscript.someotherfunction") 23

24 Python script dynamic patching offsets = { 0x420D88: 0xD65F03C0, # RET 0x3D2ABC: 0xAA0003E0, # MOV X0, X0 } for offset, instruction in offsets.items(): addr = base + offset buff = pack('<l', instruction) err = lldb.sberror() print "Writing 0x%x at 0x%x" % (instruction, addr) lldb.process.writememory(addr, buff, err) print "Write finished with error:", err 24

25 Python script changing branches branches = { # branch_inst_offset: new_dest_offset 0x3C4BA0: 0x3C4A2C, 0x3D169C: 0x3D1614, } for dest, source in branches.items(): jump_offset = (dest - source) // 4 instruction = 0x jump_offset addr = base + offset # continue with writing... 25

26 Jailbreak detection 26

27 Evidence of a Jailbreak Filesystem: stat64 or open: /Applications/Cydia.app /Applications/blackra1n.app At runtime: use dyld to get the image list MobileSubstrate SubstrateLoader /Applications/Icy.app /Library/Frameworks/CydiaSubstrate.framework/ CydiaSubstrate /Library/MobileSubstrate/MobileSubstrate.dylib /usr/sbin/sshd /bin/bash 27

28 Obfuscation - Cryptography Example Use the native CCCrypt function to decrypt strings on the fly Before each call to CCCrypt, verify that there is no trampoline there How to find it Search for the CCCrypt function break after each calls get the address of the call and leak the decrypted string Weaknesses Patch the branch after the trampoline check Hook the function that apply the compliance check 28

29 Obfuscation - Integers Use integers to construct strings Allocate some intergers that need to be next to each other in memory Initialize them with values that correspond to ASCII characters: int a = 0x ; // DCBA Use ObjC methods to convert the string CFStringCreateFromExternalRepresentation How to find it Search for CFStringCreateFromExternalRepresentation Weaknesses Dynamic patching 29

30 Conclusion 30

31 Future Swift instead of Objective-C Less symbols need more time Obfuscation getting more mature Need more time ios versions and jailbreak ios 8 still OK ios 9 jailbreakable ios 10 starts to be a challenge 31

32 Conclusion Always search for common names in the strings and function names jail, compliance, debug, ptrace, sysctl, etc. Get the references to and reverse the functions Get used to LLDB and its python API Game of cat and mouse No silver bullet solution to hide the detection and protect them Be creative How would you hide it? How would you protect it? 32

33 Thank You Alexandre Bécholey Security Expert Phone: +41 (0) Mobile: +41 (0)