Application code, file data, network protocol packets are often formatted as binary information. This is to protect intellectual property and make it difficult for attackers and competitors. This does not, however, stop security professionals, researchers andhobbysts to inspect and reverse the binary blobs. Either for understanding their internals, or for finding flaws, people do reversing on binary blobs and extract a human-friendly format. Andrew Tridgell famously reversed the CIFS/SMB protocol from Microsoft to create the Samba software. In this talk I will highlight the mindset for doing reversing, based on my own experience with reversint the Apple iOS sandbox. The talk is not meant to be very technical rather what it takes and what it means to do reversing and why you should do it as a learning and fun experience.

1. Reversing is Fun
R˘azvan Deaconescu
razvan.deaconescu@cs.pub.ro
CompSoc, University of Leeds
November 29, 2018
1 / 38

2. Meet the Breakers
https://www.slideshare.net/cristinakesh/solar-powered-car-e
2 / 38

3. Me as a Breaker, Repairman, Improver
pretty scared as a child
didn’t break things on purpose
but it happens
3 / 38

4. Wired Toy Car Hack
https://bricks.stackexchange.com/questions/6755/
how-do-i-make-a-remote-control-car-without-lego-motors
4 / 38

5. Rambo Joystick Continuous Repairing
https://www.digitiser2000.com/main-page/top-10-funny-console-knock-offs
5 / 38

6. Diablo-affected Mouse Button
https:
//www.i-tech.com.au/steelseries-diablo-iii-reaper-of-souls-5700dpi-gaming-mouse-ss-62151.html
6 / 38

7. Disembodied PC
https://www.instructables.com/id/Disassemble-a-Computer/
7 / 38

8. Why?
Why do kids break stuff?
Why do people break stuff?
8 / 38

9. Why? (2)
innate curiosity
desire to look inside, to know how it works
feels good when we know
feels better when we repair
achievement, accomplishment, improvement
goal, purpose
9 / 38

10. Dan Pink: Drive
https://www.amazon.co.uk/Drive-Daniel-H-Pink/dp/184767769X
autonomy, mastery, purpose
10 / 38

11. Linus Torvalds and Linux
https://www.amazon.co.uk/Just-Fun-Story-Accidental-Revolutionary/dp/0066620732
11 / 38

12. Really?
https://www.howstuffworks.com
podcasts, YouTube channel
https://reverseengineering.stackexchange.com
12 / 38

13. What is Reversing / Reverse Engineering?
https://www.wisewhysofsales.com/2017/01/10/reverse-engineering-a-sale/
13 / 38

14. Reversing Targets
programs
data formats
protocols
14 / 38

15. Andrew Tridgell and Samba
https://commons.wikimedia.org/wiki/File:Logo_Samba_Software.svg
15 / 38

16. Why Break Programs?
https://null-byte.wonderhowto.com/how-to/
hacks-behind-cracking-part-1-bypass-software-registration-0132568/
know how they work
for fun
for fame and glory
hackers, crackers, white/black hat, ethical
16 / 38

17. Public Hacking/Cracking
https://www.blackhat.com
https://www.defcon.org
http://www.hitb.org
17 / 38

18. Is It Easy?
18 / 38

19. Is It Easy?
https://imgur.com/gallery/DKUR9Tk
19 / 38

20. Is It Easy?
https://me.me/i/meme-facebook-funny-memes-54435
20 / 38

21. Is It Easy?
http://www.ozpolitic.com/cgi-bin/album.pl?photo=forum-attachments/-hell-the-f-no.jpg
21 / 38

22. Reverse engineering can be depressing and quite solitary. The
support from all of you @vu5ec was always there :-), I appreciate
the encouragement that I got throughout the process. It was
painfully fun!
Lucian Cojocar
Reversing is like catching a cobra by the back legs.
R˘azvan Deaconescu
22 / 38

23. My Story
CTF security contests (Capture the Flag)
master classes on security (open content)
https://ocw.cs.pub.ro/courses/cns
http://elf.cs.pub.ro/sis/
security summer school (open content):
https://security.cs.pub.ro/summer-school/wiki/
23 / 38

24. My Story in iOS Reversing
https://developer.apple.com/library/archive/documentation/Security/Conceptual/
AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
24 / 38

25. Sandboxing
limit actions for processes / applications; i.e. open a file,
connect to a remote host
in iOS, there are sandbox profiles attached to applications
a sandbox profile contains a specific set of rules
container sandbox profile used for all 3rd party apps (i.e.
those installed from Apple AppStore)
25 / 38

26. Initial Format of iOS Sandbox Profiles
(version 1)
(allow default)
(deny network*
(local ip "*:*"))
(deny network-outbound
(literal "/private/var/tmp/launchd/sock")
(regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/"))
26 / 38

27. Deployed Format of iOS Sandbox Profiles
00000000: 0080 5c9c 9f00 849c 0300 8c00 859c 0000
00000010: 5b9c 5b9c 5b9c 5b9c 5b9c 5b9c 5b9c 5b9c
00000020: 5b9c 5b9c 579c fe9b 5a9c f39b 5b9c 5b9c
00000030: 5b9c 959b 939b 6b9b 959b 5b9c 5b9c 5b9c
00000040: 4f9b 4f9b 4f9b 459b 4f9b 439b 4f9b 4f9b
00000050: 4f9b 4f9b 359b 5b9c 5b9c 5b9c 5b9c 5b9c
00000060: 5b9c 5b9c 5b9c 5b9c 349b 5b9c 5a9c 5b9c
00000070: 5b9c 5b9c 5b9c 5b9c 339b 5b9c 5b9c 5b9c
00000080: 329b 309b 309b 309b 329b 329b 2f9b 2f9b
00000090: 5b9c 5b9c 5b9c 5b9c 5b9c 5b9c 5b9c 5b9c
[...]
27 / 38

28. Reversing the iOS Sandbox
https://coryseznec.bandcamp.com/track/sisyphus
SandBlaster
https://arxiv.org/abs/1608.04303
https://github.com/malus-security/sandblaster
28 / 38

29. The Journey
close to an year to get it working
another half year to make it work on almost all cases
relentless back-and-forth
made it open source
relied on previous work (Dionysus Blazakis, Stefan Esser, Dino
Dai Zovi)
29 / 38

30. Yes but . . .
. . . it seems daunting
. . . it takes time
30 / 38

31. However . . .
it will be fun
you will improve: patience, perseverance, lateral thinking, problem
solving
you are part of a community
31 / 38

32. What To Do?
CTF contents
https://picoctf.com
https://junior.35c3ctf.ccc.ac/announcements/
https://ctftime.org
http://captf.com/practice-ctf/
wargames
http://io.netgarage.org
http://smashthestack.org/wargames.html
http://overthewire.org/wargames/
32 / 38

33. Professional Reverse Engineers
fame, glory
money
training
note legal aspects
responsible disclosure
33 / 38

34. Yeah, but ...
I’m more of a developer
I want to build stuff, not break stuff
I want to create
34 / 38

35. Perspective
Sergiu Weisz, 1st year master student
I want to build. But I choose to do security because it gives me a
better understanding of how things work. And how things can be
attacked, abused and brought down.
poorly built software, hardware and infrastructure
you can make it better, more secure, more robust
once you understand it’s inner working
35 / 38

36. Build it. Break it. Make it better.
36 / 38

37. Resources
mine
slides: https://www.slideshare.net/razvandeaconescu/
https://ocw.cs.pub.ro/courses/cns
http://elf.cs.pub.ro/sis/
https://security.cs.pub.ro/summer-school/wiki/
https://arxiv.org/abs/1608.04303
https://github.com/malus-security/sandblaster
conferences, events, magazines
https://www.blackhat.com
https://www.defcon.org
http://www.hitb.org
http://phrack.org/
37 / 38

38. Resources (2)
CTFs, wargames
https://picoctf.com
https://junior.35c3ctf.ccc.ac/announcements/
https://ctftime.org
http://captf.com/practice-ctf/
http://io.netgarage.org
http://smashthestack.org/wargames.html
http://overthewire.org/wargames/
misc
https://www.amazon.co.uk/Drive-Daniel-H-Pink/dp/
184767769X
https://www.amazon.co.uk/
Just-Fun-Story-Accidental-Revolutionary/dp/
0066620732
https://reverseengineering.stackexchange.com
https://www.howstuffworks.com
38 / 38