9. Step 2: Apply IDAPro
For those that don’t know AArch64
IdaRef documentation plugin:
https://github.com/nologic/idaref
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib
Thanks Stefan Esser!
11. Collecting Coverage Information
• Objective-C messages
• On iOS, more meaningful than strace
• Might want to hit/fuzz a particular method
• In case of Swift, we see runtime library interactions
• Swift Reversing by Ryan Stortz
• Mach Port Messages
• Any sort of IPC
• CFMessagePort, etc
12. Objc_Trace: Hook Steps (Call Sequence)
1. Allocate a page - a jump page
2. Set objc_msgSend readable and writable
3. Copy preamble bytes from objc_msgSend
4. Check for branch instructions in preamble
5. Modify objc_msgSend preamble
6. Set jump page to readable and executable
7. Set objc_msgSend readable and executable
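Step 4 is the one that is easy to get wrong: any instruction copied out of the objc_msgSend preamble into the jump page that is a branch or otherwise PC-relative will misbehave at its new address. This added example, which is not objc_trace's own code, decodes AArch64 instruction words and flags those; the preamble bytes it scans are constructed for the demo, not taken from a real libobjc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* True if the 32-bit AArch64 instruction word is a branch or otherwise
 * PC-relative: copied into a jump page at another address it would jump to,
 * or load from, the wrong place. Masks follow the ARMv8-A encoding tables. */
bool aarch64_is_branch_or_pcrel(uint32_t insn) {
    if ((insn & 0x7C000000u) == 0x14000000u) return true; /* B, BL */
    if ((insn & 0xFF000010u) == 0x54000000u) return true; /* B.cond */
    if ((insn & 0x7E000000u) == 0x34000000u) return true; /* CBZ, CBNZ */
    if ((insn & 0x7E000000u) == 0x36000000u) return true; /* TBZ, TBNZ */
    if ((insn & 0xFE000000u) == 0xD6000000u) return true; /* BR, BLR, RET, ERET */
    if ((insn & 0x1F000000u) == 0x10000000u) return true; /* ADR, ADRP */
    if ((insn & 0x3B000000u) == 0x18000000u) return true; /* LDR (literal) */
    return false;
}

/* Scan `len` preamble bytes (little-endian instruction words) and return the
 * index of the first unsafe instruction, or -1 if the whole preamble can be
 * copied verbatim into the jump page. */
int preamble_first_unsafe(const uint8_t *bytes, size_t len) {
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t insn = (uint32_t)bytes[i] | (uint32_t)bytes[i + 1] << 8 |
                        (uint32_t)bytes[i + 2] << 16 | (uint32_t)bytes[i + 3] << 24;
        if (aarch64_is_branch_or_pcrel(insn)) return (int)(i / 4);
    }
    return -1;
}

/* Constructed sample preamble, not bytes from a real libobjc:
 *   cmp x0, #0 ; b.le #+16 ; ldr x13, [x0] ; nop */
static const uint8_t demo_preamble[] = {
    0x1F, 0x00, 0x00, 0xF1,
    0x8D, 0x00, 0x00, 0x54,
    0x0D, 0x00, 0x40, 0xF9,
    0x1F, 0x20, 0x03, 0xD5,
};

int main(void) {
    int idx = preamble_first_unsafe(demo_preamble, sizeof demo_preamble);
    if (idx < 0)
        printf("preamble can be relocated as-is\n");
    else
        printf("instruction %d is a branch/PC-relative; fix it up before copying\n", idx);
    return 0;
}
```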
13.

```c
#include <objc/runtime.h>
#include <mach-o/loader.h>
// cache_getImp is not exported by libobjc, so objc_trace resolves it by offset (below).
typedef IMP (*p_cache_getImp)(Class cls, SEL sel);
static p_cache_getImp c_cache_getImp;
void* hook_callback64_pre(id self, SEL op, void* a1, ...) {
    Class cls = object_getClass(self);
    IMP cacheImp = NULL;
    if (cls != NULL && op != NULL)
        cacheImp = c_cache_getImp(cls, op);
    if (!cacheImp) {
        // not in cache, never been called, record the call.
        …

// Offset of cache_getImp from the libobjc load address; the constant is specific to one
// libobjc build and must be re-derived in IDA for any other (libobjc_dylib_base() is objc_trace's helper).
const struct mach_header* libobjc_base = libobjc_dylib_base();
c_cache_getImp = (p_cache_getImp)((uint8_t*)libobjc_base + 97792 + 0x4000);
```
Important optimization: only record unseen method calls.
Find the cache check function cache_getImp.
30. Get the app to show its cards
[Diagram: MITM Proxy, Request, Mutator, Mutant]
31. Why do this?
Breaking in.
Attack Surface
The End.
We all just hack for fun… right?
Automation
32. Wrap up!
• Apps are important!
• Automation of the UI
• Traversal of App Features
• Helps collect infrastructure details
• Collection of coverage information