Over a million developers have joined DZone.

Anatomy of an Exploit: An iOS Testbed

DZone's Guide to

Anatomy of an Exploit: An iOS Testbed

In this next part to Chris Lamb's series, he takes us through some more tool installations and explains why they are necessary.

· Mobile Zone ·
Free Resource

In the last article, I showed you how to go about getting command line access to your jailbroken iPhone. We installed the Bigboss Recommended Tools and OpenSSH on the iPhone, and gandalf on your Mac. Now, we're going to install a few more tools, and discuss how they're used.

These instructions are Mac-centric, because that's what I use. You've jailbroken your iPhone, so it's not under warranty anymore either. I'll keep reminding you. But you did make that backup I told you to make prior to jailbreaking, right? you can always roll back if you need to. Make sure you don't overwrite this backup — remember I told you to make sure that the phone won't sync when attached automatically? That's really important.

OK, onto more installation fun.

On your Mac

So, you have XCode installed, right? you also need all the XCode development tools. Specifically otool, a kind of jack-of-all-trades when it comes to Mach-O binary evaluation. otool will let you examine headers:

$ otool -h PPJailbreakCarrier
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2    30       3888 0x00210085

...examine library imports:

$ otool -L PPJailbreakCarrier
        /System/Library/Frameworks/AdSupport.framework/AdSupport (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 216.7.0)
        /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
        /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
        /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
        /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 237.2.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
        /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
        /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1033.1.0)
        /System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
        /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 802.40.13)
        /System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)

...disassemble binaries:

$ otool -tvV PPJailbreakCarrier
(__TEXT,__text) section
-[PPShareInfo iconImage]:
0000000100005160        nop
0000000100005164        ldrsw   x8, _OBJC_IVAR_$_PPShareInfo._iconImage
0000000100005168        ldr             x0, [x0, x8]
000000010000516c        ret
-[PPShareInfo setIconImage:]:
0000000100005170        stp     x20, x19, [sp, #-32]!
0000000100005174        stp     x29, x30, [sp, #16]
0000000100005178        add     x29, sp, #16
000000010000517c        mov      x19, x0
(...much more assembly removed...)

All kinds of great stuff. UNIXes have a slew of tools for this kind of thing, like readelf and objdump; Apple has rolled all this functionality into otool.

How to get all this? Type the following on the commandline, and do what it tells you:

$ xcode-select --install

Really, otool is incredibly powerful. You can pipe this output to a file, for example, and then parse the generated assembly code, run statistics, build call trees, whatever. Pretty cool.

You'll want to install strings. Strings is a great tool for examining various strings in a binary. This can give you insight into what the binary's meant to do functionally:

$ strings PPJailbreakCarrier
(...and lost of other stuff...)

Look at line 19: JailBreakDetect. Well, the jailbreaking tool seems to be detecting whether a device is jailbroken. Interesting. See what I mean?

You'll want another, more robust disassembler as well. I use IDA Pro, and I LOVE it. I should love it, because it is the most expensive software I've ever, ever bought. It's basically the street value of one of my kidneys. And the decompiler, which I'm hoping to buy eventually, costs as much as one of my lungs.

That said, I've used two other disassemblers — radare and hopper. Radare is very powerful, and equally hard to use. Hopper is much easier to use, is similar to IDA in some ways, but just isn't powerful enough for the kind of things I ask of it. That said, if you're just starting, try Hopper. If you're pretty technically savvy already, give radare a try. See which one works better for you.

Finally, install class-dump.

On Your iPhone

You'll want otool here too, but it won't be as powerful as the one on your mac. I also install a C compiler and other tooling. How to do this, you ask? Well, again, you can use the command line or Cydia. I usually just use Cydia. I'll use the command line for other things (e.g. apt-get install tree screen ; tree is a tool to visualize a file hierarchy from the command line, and screen is a terminal multiplexer).

Anyway, back to Cydia - search for and install the iOS Toolchain — this has a new version of otool and CLang, the LLVM C compiler, as well as a few other tools. There are other tools you can use too - the iPhone Wiki has a great collection of tools you can download and use. For looking at Pangu's jailbreak though, this is all I've used as the app executable isn't encrypted.

Okay, at this point you're set up. Let's take a look at the jailbreak next time.

iphone ,jailbreak ,security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}