iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...
iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ... iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...
Reversing the “star” Exploit (pre-source)First few weeks, no source was released for JailbreakMe.com• I was curious and impatient. Wasn’t sure if comex would release• Began reversing the binaries within a few days of the JB release− Staring at strange hex-dumps and peeling the onion one layer at a time− Fun and soothing – Like catnip for my O.C.D.Copyright Trustwave 2010
Patch PlanReversing the installui.dylib and wad.bin provided guidance.To quickly turn around a weaponized jailbreak, we’d need to…• Patch out a “security” check comex had incorporated• The jailbreakme.com PDFs’ installui.dylib had code to ensure they’d been downloaded from“jailbreakme.com”. I couldn’t leave that• Not sure what motivation Comex had for this• Patch out all the gui pop-ups• Didn’t want the victim to realized they were being ‘kitted• I hadn’t learned the wonders of usbmuxd and libimobiledevice for live syslog yet so I left asingle popup for debugging/troubleshooting• Would patch it out last• Prepare a modified wad.bin containing our “rootkit”• Started out just shooting for getting the actual jailbreak to download and install quietly froma server I controlledCopyright Trustwave 2010
- Page 5 and 6: iPhone/iOS Security Overview
- Page 7 and 8: Architecture OverviewApplications P
- Page 9 and 10: Application SecurityCode signing•
- Page 11 and 12: Jailbreaking Overview
- Page 13 and 14: Jailbreakme.com A Thing to Behold
- Page 15 and 16: What it looks likeVisit h'p://jailb
- Page 17: Weaponizing
- Page 21 and 22: My “Big Fat Rootkit”… so farC
- Page 23 and 24: Set-upA vanilla un-jailbroken iPhon
- Page 25 and 26: Hardware: Mic and AudioAudio record
- Page 27 and 28: Dumping Process DataSeveral interes
- Page 29 and 30: Targeting iOS ApplicationsiOS isn
- Page 31 and 32: Demo App Backdoor
- Page 33 and 34: Binary Reversing Prep (continued…
- Page 35 and 36: No More SecretsHint: find the LC
- Page 37 and 38: Mach Binary Encryption (continued
- Page 39 and 40: What’s your point?For starters…
- Page 41 and 42: Objective-C Method HookingIt’s ca
- Page 43 and 44: Objective-C Method Hook ExampleLets
- Page 45 and 46: Injecting Our LibraryConventionally
- Page 47 and 48: ConclusionsLots of security researc
- Page 49 and 50: Reversing Redux: The Binary “star
- Page 51 and 52: … continued: eggMalformed Times-
- Page 53 and 54: class-dump on installui.dylib (aka
Patch Pl<strong>an</strong>Reversing the installui.dylib <strong>an</strong>d wad.bin provided guid<strong>an</strong>ce.To quickly turn around a weaponized jailbreak, we’d need to…• Patch out a “security” check comex had incorporated• The jailbreakme.com PDFs’ installui.dylib had code to ensure they’d been downloaded from“jailbreakme.com”. I couldn’t leave <strong>that</strong>• Not sure what motivation Comex had <strong>for</strong> this• Patch out all the gui pop-ups• Didn’t w<strong>an</strong>t the victim to realized they were being ‘kitted• I hadn’t learned the wonders of usbmuxd <strong>an</strong>d libimobiledevice <strong>for</strong> live syslog yet so I left asingle popup <strong>for</strong> debugging/troubleshooting• Would patch it out last• Prepare a modified wad.bin containing our “rootkit”• Started out just shooting <strong>for</strong> getting the actual jailbreak to download <strong>an</strong>d install quietly froma server I controlledCopyright Trustwave 2010