Anatomy of an Exploit: An iOS Testbed
In this next part of Chris Lamb's series, he takes us through some more tool installations and explains why they are necessary.
In the last article, I showed you how to go about getting command line access to your jailbroken iPhone. We installed the Bigboss Recommended Tools and OpenSSH on the iPhone, and gandalf on your Mac. Now, we're going to install a few more tools, and discuss how they're used.
These instructions are Mac-centric, because that's what I use. You've jailbroken your iPhone, so it's no longer under warranty either; I'll keep reminding you. But you did make the backup I told you to make before jailbreaking, right? You can always roll back to it if you need to. Make sure you don't overwrite that backup: remember I told you to make sure the phone won't sync automatically when it's attached? That's really important.
OK, onto more installation fun.
On your Mac
So, you have Xcode installed, right? You also need the Xcode command line developer tools. Specifically you want otool, a kind of jack-of-all-trades for poking at Mach-O binaries. otool will let you examine headers:
$ otool -h PPJailbreakCarrier
PPJailbreakCarrier:
Mach header
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2    30       3888 0x00210085
Those columns decode as follows: the magic 0xfeedfacf is MH_MAGIC_64, a little-endian 64-bit Mach-O; cputype 16777228 is 0x0100000c, CPU_TYPE_ARM with the 64-bit ABI bit set, so this is an arm64 binary; filetype 2 is MH_EXECUTE; there are 30 load commands occupying 3888 bytes; and the flags 0x00210085 include MH_PIE (0x200000), so the image gets a randomized load address, along with MH_NOUNDEFS, MH_DYLDLINK, MH_TWOLEVEL and MH_BINDS_TO_WEAK.
...examine library imports:
$ otool -L PPJailbreakCarrier
PPJailbreakCarrier:
	/System/Library/Frameworks/AdSupport.framework/AdSupport (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 216.7.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
	/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
	/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 237.2.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
	/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1033.1.0)
	/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
	/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 802.40.13)
	/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)
...and disassemble the __text section, with -v and -V giving you symbolic names for the Objective-C methods and the symbols each instruction touches:
$ otool -tvV PPJailbreakCarrier
PPJailbreakCarrier:
(__TEXT,__text) section
-[PPShareInfo iconImage]:
0000000100005160        nop
0000000100005164        ldrsw   x8, _OBJC_IVAR_$_PPShareInfo._iconImage
0000000100005168        ldr     x0, [x0, x8]
000000010000516c        ret
-[PPShareInfo setIconImage:]:
0000000100005170        stp     x20, x19, [sp, #-32]!
0000000100005174        stp     x29, x30, [sp, #16]
0000000100005178        add     x29, sp, #16
000000010000517c        mov     x19, x0
(...much more assembly removed...)
All kinds of great stuff. UNIXes have a slew of tools for this kind of thing, like readelf and objdump; Apple has rolled all this functionality into otool.
How do you get all this? Type the following on the command line, and do what it tells you:
$ xcode-select --install
Really, otool is incredibly powerful. You can pipe this output to a file, for example, and then parse the generated assembly code, run statistics, build call trees, whatever. Pretty cool.
You'll also want strings, which ships with the same command line tools. strings prints the runs of printable characters it finds in a binary (four or more characters by default), which is a quick way to get a feel for what the binary is meant to do:
$ strings PPJailbreakCarrier
PPShareInfo
CYValueHelper
PPWaStatictisManager
WaServiceDelegate
NSObject
PPSDKM9Utils
SinaWeiboEncode
SinaWeiboRequest
AppDelegate
UIApplicationDelegate
FeedBackViewController
UIWebViewDelegate
TRFileHashUtility
PPNotificationManager
Reachability
PPShareManager
ShareEngineDelegate
JailBreakDetect
TRSinaWeiboEngine
WBHttpRequestDelegate
(...and lots of other stuff...)
Look at line 19 of that listing: JailBreakDetect. These are Objective-C class names, pulled straight out of the class metadata the binary has to carry for the runtime, and that one says the jailbreaking tool checks whether the device is already jailbroken. Treat it as a lead rather than proof, though: a name tells you nothing about what the class actually does, which is what the disassembler and class-dump are for. Interesting. See what I mean?
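As an added example (my own code, not the article's or any Apple tool's), here is the same kind of scan done in Python: a strings-style extraction of printable runs, followed by a triage pass that flags the strings a reverser would look at first. The sample bytes are constructed here, not taken from PPJailbreakCarrier, and the indicator list is an assumption on my part, made up of paths and names that jailbreak-detection code is commonly known to probe for; it is not something the article states.

```python
"""strings-style scan plus a triage filter for jailbreak-detection indicators.

Added example, not code from the original article. SAMPLE is constructed
in memory and is not taken from PPJailbreakCarrier.
"""
import re

# Assumption: paths and names that jailbreak-detection code is commonly
# known to probe for. Not taken from the article; extend to taste.
JAILBREAK_INDICATORS = (
    "JailBreak", "Jailbreak", "cydia", "Cydia",
    "/bin/bash", "/usr/sbin/sshd", "/etc/apt", "/private/var/lib/apt",
)


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, in file order.

    min_len=4 matches the default of the strings tool; binary filler and
    runs shorter than the threshold are skipped, just as strings does.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(found, indicators=JAILBREAK_INDICATORS):
    """Map each indicator to the extracted strings containing it.

    Indicators with no hits are left out so the result reads as a short list
    of leads to chase in the disassembler, not a wall of empty entries.
    """
    hits = {}
    for needle in indicators:
        matched = [s for s in found if needle in s]
        if matched:
            hits[needle] = matched
    return hits


# Constructed sample: Objective-C class names and a couple of C strings
# separated by binary filler, roughly the way they sit in __objc_classname
# and __cstring. "ab" is deliberately too short to count as a string.
SAMPLE = (b"\x00\x01\x02PPShareInfo\x00\xff\xfeJailBreakDetect\x00"
          b"\x7f\x80/Applications/Cydia.app\x00\x90\x91ab\x00"
          b"/bin/bash\x00\x00\x00NSObject\x00")

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    print("\n".join(found))
    for needle, matched in triage(found).items():
        print("%-12s -> %s" % (needle, ", ".join(matched)))
```

Point it at a real file with extract_strings(open(path, "rb").read()); on an App Store binary that is still encrypted you will get mostly noise, which is itself a useful signal.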
You'll want another, more robust disassembler as well. I use IDA Pro, and I LOVE it. I should love it, because it is the most expensive software I've ever, ever bought. It's basically the street value of one of my kidneys. And the decompiler, which I'm hoping to buy eventually, costs as much as one of my lungs.
That said, I've used two other disassemblers: radare (radare2) and Hopper. Radare is very powerful, and equally hard to use. Hopper is much easier to use and similar to IDA in some ways, but just isn't powerful enough for the kind of things I ask of it. If you're just starting, try Hopper. If you're pretty technically savvy already, give radare a try. See which one works better for you.
Finally, install class-dump (Steve Nygard's tool). It reads the same Objective-C metadata that strings was stumbling over and writes out header-style @interface declarations for every class in the binary, with method, ivar and property names, which is far quicker to skim than raw strings output. It only works on a decrypted binary.
On your iPhone
You'll want otool here too, though the version you can get on the phone isn't as capable as the one on your Mac. I also install a C compiler and other tooling. How, you ask? Again, you can use the command line or Cydia. I usually just use Cydia, and keep the command line for other things, e.g. apt-get install tree screen (tree visualizes a file hierarchy from the command line, and screen is a terminal multiplexer).
Anyway, back to Cydia: search for and install the iOS Toolchain, which gives you a newer otool and Clang, the LLVM C compiler, as well as a few other tools. There are other tools you can use too; The iPhone Wiki has a great collection you can download and use. For looking at Pangu's jailbreak, though, this is all I've used, because the app executable isn't encrypted. That matters more than it sounds: an app installed from the App Store has its __TEXT segment FairPlay-encrypted, which otool -l shows as an LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command with cryptid set to 1. On such a binary, strings, class-dump and the disassembler see only ciphertext until you dump the decrypted image out of a running process on the jailbroken device. A sideloaded jailbreak app like Pangu's carries cryptid 0, so that step isn't needed here.
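To make the otool output from earlier in the article concrete, and to do the encryption check this section relies on, here is an added example of my own (not code from the article, from Apple, or from the Pangu tool) that decodes the same fields otool -h, otool -L and otool -l show, using only the Python standard library. It names the cputype, filetype and flags numbers from the header listing earlier, walks the load commands to print each LC_LOAD_DYLIB the way otool -L does, and reports whether LC_ENCRYPTION_INFO_64 has a non-zero cryptid. The binary it parses is constructed in memory (a header plus three load commands, not PPJailbreakCarrier); only the version numbers are copied from the otool -L listing above. It handles thin little-endian 64-bit images only; fat and 32-bit files would need extra unpacking it deliberately leaves out.

```python
"""Decode what otool -h, otool -L and otool -l show, from raw Mach-O bytes.

Added example: standard library only, constants from <mach-o/loader.h> and
<mach/machine.h>. The image parsed at the bottom is constructed in memory
and is not PPJailbreakCarrier or any real app.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPES = {CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
             CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64"}
MH_EXECUTE = 2
FILETYPES = {MH_EXECUTE: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
MH_FLAGS = {0x1: "NOUNDEFS", 0x4: "DYLDLINK", 0x80: "TWOLEVEL",
            0x10000: "BINDS_TO_WEAK", 0x200000: "PIE"}
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO_64 = 0x2C
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)


def flag_names(flags):
    """Names of the header flag bits we know about, e.g. for 0x00210085."""
    return sorted(name for bit, name in MH_FLAGS.items() if flags & bit)


def decode_header(data):
    """The otool -h columns, with the numeric ones turned into names."""
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, flags, _res = \
        struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only thin little-endian 64-bit Mach-O is handled")
    return {"cputype": CPU_TYPES.get(cputype, hex(cputype)),
            "filetype": FILETYPES.get(filetype, str(filetype)),
            "ncmds": ncmds, "sizeofcmds": sizeofcmds,
            "flags": flag_names(flags)}


def load_commands(data):
    """Yield (cmd, bytes of the whole command) for each load command."""
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def version_str(v):
    """Mach-O packs X.Y.Z as (X << 16) | (Y << 8) | Z."""
    return "%d.%d.%d" % (v >> 16, (v >> 8) & 0xFF, v & 0xFF)


def linked_libraries(data):
    """One line per LC_LOAD_DYLIB, formatted the way otool -L prints it."""
    lines = []
    for cmd, body in load_commands(data):
        if cmd == LC_LOAD_DYLIB:
            # struct dylib: name offset, timestamp, current, compatibility
            name_off, _ts, current, compat = struct.unpack_from("<4I", body, 8)
            name = body[name_off:].split(b"\0", 1)[0].decode("utf-8")
            lines.append("%s (compatibility version %s, current version %s)"
                         % (name, version_str(compat), version_str(current)))
    return lines


def is_fairplay_encrypted(data):
    """True when LC_ENCRYPTION_INFO_64 carries cryptid != 0."""
    for cmd, body in load_commands(data):
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", body, 8)
            return cryptid != 0
    return False                  # no encryption command at all


def build_sample(cryptid, libs):
    """Constructed image: header + LC_LOAD_DYLIBs + LC_ENCRYPTION_INFO_64."""
    cmds = b""
    for name, compat, current in libs:
        raw = name.encode("utf-8") + b"\0"
        pad = -(24 + len(raw)) % 8        # cmdsize is 8-byte aligned
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(raw) + pad,
                            24, 2, current, compat) + raw + b"\0" * pad
    cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24,
                        0x4000, 0x100000, cryptid, 0)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM | CPU_ARCH_ABI64, 0,
                         MH_EXECUTE, len(libs) + 1, len(cmds), 0x00210085, 0)
    return header + cmds


# Version numbers copied from the otool -L listing; the image itself is fake.
SAMPLE = build_sample(0, [("/usr/lib/libsqlite3.dylib", 0x00090000, 0x00D80700),
                          ("/usr/lib/libSystem.B.dylib", 0x00010000, 0x04CA0A01)])

if __name__ == "__main__":
    print(decode_header(SAMPLE))
    print("\n".join(linked_libraries(SAMPLE)))
    print("encrypted:", is_fairplay_encrypted(SAMPLE))
```

Run the three functions over open(path, "rb").read() for a real thin arm64 binary and compare against otool; if is_fairplay_encrypted comes back True, nothing else on this page will tell you much until you have a decrypted dump.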
Okay, at this point you're set up. Let's take a look at the jailbreak next time.