Hunting for Vulnerabilities in iOS Apps

00:05

Brian Robison: Good morning. Good afternoon. Welcome, everybody. Thank you so much for taking the time out of your busy day to come join us at Corellium on our webinar on Reverse Engineering Deep dive into iOS. This time last month we did Android, which was pretty awesome and this month we're going to focus on iOS. Now this is also kind of the concluding set of webinars on app pen testing at least for a little while. We're going to be switching over to other topics in July, August and a little bit further. So please keep an eye on that. My name is Brian Robison. I'm Chief Evangelist here at Corellium and I am joined today by two speakers. We get the specialty of having two speakers. First, I want to welcome our guest speaker from Cyber Consulting, Rob Ferri. Are you there, Rob? 

Rob Ferri: Hello! Can you hear me? 

Brian Robison: Yes, we can hear you now. Yep.

00:01:06

Robert Ferri: Perfect. Thank you for having me.

Brian Robison: Awesome. It is great to have you on and I really appreciate it. And as we've talked before about our Community Contribution program that we have at Corellium where you can write for us, you can also come speak for us on webinars and doing all these kind of fun things. So Rob's going to join us today. And then as always, we're going to have Steven Smiley, who's our brilliant Researcher, focusing in at pen testing. Steven, good morning. Good afternoon.

00:01:37

Steven Smiley: Morning, Brian.

Brian Robison: Awesome. Welcome aboard. All right. So we're going to go ahead and get started and get moving this morning because we have a lot of really cool content for everybody. A little bit of housekeeping before we get started. Obviously, this is a webinar. Everybody is muted, but please, please, please do engage with us. You've got three speakers on this morning who are going to be able to help answer questions, direct you. 

00:02:03
You know, Steven and I are going to be behind the scenes while Rob is speaking and vice versa, you know, looking at questions and asking them and answering them. So please do engage with us using the Q&A tool in the product. The webinar is being recorded and it will be available shortly on demand after this session is complete.

00:02:27

So if there's something that you don't see on the screen because we are doing a combination of presentation and live demos, there's a possibility that something might be too tiny to see on the screen. We will do our best to explain it, but it's always helpful to be able to go back and review the recording where you can stop it and pause it and zoom in.

00:02:46

So please feel Frida utilize those recordings, and today I just want to go over a couple of things just to set the groundwork for what we're going to be talking about today. And we're talking about, you know, doing things like mobile security and why is mobile security and testing so difficult on mobile devices? Well, if we look at the predominant factors that we're faced with today, basically, you know, we have a problem acquiring devices.

00:03:19

Now, this isn't because we just go out and buy brand new devices or we do specific things. You know, these devices are pretty darn easy to come by. You can go anywhere and pick up a device. The problem is, is that we need very specific operating systems. And why do we need that? Really, it's because we need an operating system that we can jailbreak or root or do something with it so that we can actually get out of the vendor’s walled garden.

00:03:47

And that's why mobile security is so much more difficult on mobile devices versus, you know, a traditional Windows box is because of these walled gardens and sandboxing and, you know, encrypted containers and things like that that we're not able to readily inspect data at rest and data in motion and things like that that we need to do when we are pen testing or when we are doing security research or threat research or any level of of security related research on a mobile device.

00:04:17

And the final thing that we have is when we're dealing with physical devices, we waste a lot of time. And this time, if you know, from the security research standpoint, this is time wasted in acquiring a device, getting the right operating system on it, jailbreaking it or rooting it, spending time restoring it and re-flashing it up, down, all these kinds of things.

00:04:40

Maybe you're a global team and you ship devices around the world. All of this time is essentially wasted and takes away from what you are doing, which is your security research. So these three core problems are essentially why Corellium exists. And how we can solve these is because we're a true virtualization platform. So if you think about what you can do on the Windows or Linux side with VMware ESX, we essentially offer the same kind of capabilities.

00:05:13

But for ARM-based platforms like iPhones and Android devices, there's also other Iot devices where we do the same level of virtualization for. But just like VMware ESX, we are a Type 1 Hypervisor. We run on bare metal ARM servers to run ARM based device OSs. Now we aren't like VMware. When VMware basically came out, they created one type of device, essentially a generic x86 PC.

00:05:44

They didn't model specific models of PC like a Dell Latitude laptop or a specific Lenovo laptop. They didn't model specific devices because essentially they're all generically the same. However, in the IoT world and in the mobile phone world, these devices are very, very, very specific. And if you're going to be doing a test on an iPhone 14 Pro Max, that is a lot different of a device in capability range than an iPhone 7 or something like that.

00:06:18

So in our world of virtualization, we actually modeled the individual devices rather than just a generic, you know, device, and you can run any version of iOS on it you want. We actually model the specific devices and we do this and we give you instant access to rooted and jailbroken OS because essentially, you know, our core knowledge came from the jailbreaking community.

00:06:46

And what we do is we can jailbreak the operating system before it ever even boots and that allows us to do jailbreaks on any version of iOS, even up to the latest and greatest on the latest and greatest iPhone models, which is not something you're going to find in the public world. And we can do that because of our virtualization platform.

00:07:08

And we don't really have to rely on a public vulnerability or an exploit to do that jailbreak. Now, as you all know, Apple announced a couple of weeks ago that they're going to support iOS 17 only on the iPhone XS and higher. And what that does is it closes the door for jailbreaking on iOS 17, on the devices where, for example, we used to be able to rely on the checkm8 bootrom vulnerability that was in the chipset that is an unpatchable vulnerability that we could use on any on any of the iPhone X and older devices that supported like iOS 15 and 16 to achieve a jailbreak. So the problem is, on iOS 17, that jailbreak door is going to essentially be closed from that vulnerability. So we appreciate the the furthering of the security research in our industry because of the fact that we're able to give you access to the devices at exactly the time that you actually need to to use them in a jailbroken or rooted format.

00:08:22

There's a question. Someone has asked if it's being recorded. Absolutely. This webinar is being recorded. It’ll be available shortly thereafter. Awesome. OK. So before we switch over into our content, I do want to pop open one quick poll and I'm going to launch this. OK. So a little bit of engagement here. Let's make sure everybody’s awake. Everybody's got their coffee, everybody's happy and going this morning.

00:08:47

Have you attended any Corellium webinars before or is this your first one? We've been talking about reverse engineering for quite some time, actually since last September, and there's a ton of content available for you to view on demand on our website if you are interested in watching some of those. So I just give a few more seconds here for folks to come in and answer and we'll go ahead and share the results.

00:09:21

Awesome. We've got a few people that have been following us for quite some time in this series but we are very, very happy to welcome all of you who this is your very first webinar with Corellium, and we really appreciate it. Again, this is like the culmination of everything that we've done for the past six, seven months on pen testing mobile apps.

00:09:48

Both iOS and Android. So I do encourage you to please go check out that on demand content. Steven Smiley has done a fantastic job, but now it's time to give him a little bit of a vacation after this one today. So with that, I am going to go ahead and pass it over to Steven and I will be here in the background answering questions. But again, I really appreciate everybody jumping on this morning, this afternoon. And go ahead, Steven. And you and Rob can take the rest of the time all to yourselves as well.

00:10:26

Steven Smiley: Thanks, Brian. I may go ahead and share my screen here. OK, perfect. So I'm not going to spend a ton of time here on this stuff because we've done similar intros in both the Android one or the other on demand courses that you can see. So you can go out and take a look at some of that content.

00:10:45

But just as a quick reminder, what is reverse engineering, what is being achieved? So reverse engineering is really just the process of breaking something down to understand how it works. So for mobile, that just involves deconstructing, analyzing, observing, compiling the applications to understand the underlying functionality. There's two main types that we're working with. Dynamic and static, just depending on what you want to do with the application.

00:11:13

If you want to kind of manipulate while it’s running, have some various scripts, or if you want to do everything static or you're just modifying the code, potentially repackaging applications or looking for hardcoded values. So essentially just what is being achieved. Well there's a few different things. For one, you're going to gain a better understanding of the application along with its inner workings and everything it does.

00:11:36

You could potentially find hardcoded values stored in the application which we’ll also take a look at quickly today. You can identify a path forward to exploit the mobile application and then just gain insight into the application to build additional scripts. You know, just looking at the application by default, launching an application, you're not really going to know what scripts to build, what to write in there, how to exploit that.

00:12:01

You're going to need to do a little bit more. So part of reverse engineering is just understanding that full application to be able to build those scripts and exploit a little bit more. OK. So the iOS file structure—so just quickly, if anybody has experience with iOS will probably know a lot of this stuff. So we'll kind of skim over it fairly quickly.

00:12:25

So the App bundle structure, so iOS apps are organized within a bundle so you have a .app package which then within it contains various files and directories, some of those key components or you know, the info.plist, which has a lot of configuration stuff, potentially hard coded information and they're always good to look at. We have the executable, which is the binary that's actually running the app, which is a great starting point when you're into reverse engineering, you have the resources directory which has assets like images and local strings. Then you've got your frameworks and libraries, reusable code libraries, your dynamic library, static libraries. Those are always good to look at as part of analysis. Probably not as important for the reverse engineering depending on what you're trying to do. That executable is really kind of where you want to focus a lot of your time.

00:13:13

You have your supporting files, your cache is in temporary files, and then your document storage. All those are a lot of configuration stuff, various caches depending on how your app is configured and local data. We did some webinar series on local data storage, so if you're interested, let's go take a look at that. So a lot of content on that both in the blog and in the previous webinars around that document storage, caches, sporting files, things like that.

00:13:40

Brian Robison: Hey, Steve, and we are getting quite a few questions in real quick about the previous webinars that we've had. For those of you who are interested in seeing the previous webinars, if you go to Corellium.com/events and then click on the webinars tab, you'll be able to get access to all of those on demand webinars.

00:14:00

So again, thank you for the questions. There's a couple of other questions coming in around how do you get around Fairplay DRM and other things like that? We'll answer those offline and get back to you on that. But Steven, you know, we've talked a lot about those capabilities and those are covered also in our previous webinars, too. So if you want to check that out, feel Frida do that. We'll answer some of those questions offline for you.

00:14:30

Steven Smiley: Perfect. And there was just one on OS internals. I think we're going to start doing more content relating to that sort of stuff in later months. But we haven't said anything hard up yet, so you'll see more and more information about this stuff upcoming. So some tools for reverse engineering, there's not a lot of tools for Android.

00:14:54

There's a lot more for iOS. So we'll kind of go through these. Radare, which is an open source, cross-platform, disassembler and debugger with powerful analysis capabilities. Ideal for deep code inspection, reverse engineering. A very complicated tool as you can see on the bottom as well. We do have r2Frida which combines that with Frida. Very complicated tool.

00:15:20

Rob's going to go over kind of some stuff today where we go over some of the commands and things like that, but a great opportunity for learning as you move into reverse engineering. We have things like Hopper, which is a disassembler. A pretty popular diassembler for iOS. It's used for disassembling and analyzing executable files. Now the free version I think only allows you to do analysis for 30 minutes, 45, I think it's 30 minutes where it'll stop. You have to reopen the binary again and perform your analysis or you can go with the paid version. There's Frida as well, which is a dynamic instrumentation framework. There are components of Frida things like Frida-trace. It can help you with reverse engineering. But really, Frida, once you have the scripts from the other information you've gained, can be a good opportunity to exploit the application a little bit further.

00:16:12

If things like class-dump, which is the utility that generates header files from the compiled iOS binaries, helping to understand the app's class structure. It's a good starting point. Just a couple of tools like that. Class-dump, Otool strings, are really good starting points. All free. As long as you have like Xcode, they should all be installed already on your machines.

00:16:33

You can use these to perform some intro analysis as you move into reverse engineering, look for some various strings, look for some classes, some methods, whatever you need, just to get a better understanding of that iOS application. And then you have Ghidra, which is a reverse engineering suite which was developed by the NSA. It's actually freely available. I’m seeing more and more people start to use that instead of things like Hopper or IDA Pro. So that's always a good option as well too. Do we have more questions coming in? Sorry, I saw a couple.

00:17:06

Brian Robison: Yeah, we got questions. Rob and I are answering them offline. If we have one that is awesome for everybody, we'll go ahead and answer that live.

00:17:16

Steven Smiley: No worries. So the Corellium Cafe app, if you guys were part of other webinars, you probably heard us talk about it recently. But essentially the Corellium Cafe application is a fictitious coffee shop that allows people to purchase beverages. There's a bunch of vulnerabilities in it, specifically in this scenario, as we talk about reverse engineering, you have things like hardcoded values. There are various ways to kind of get those. You have root detection that can be bypassed either through a script or, you know, patching it out manually.

00:17:46

So we're going to talk about that. And there's additional functionality that can utilize reverse engineering to build out scripts, things like potentially exploiting WebViews, promo codes, things like that, additional functionality. So there's some stuff we won't be able to get to, but just get to know for the feature.

00:18:05

Brian Robison: We do have some fantastic question because now we're talking about Corellium Cafe again and there's a lot of people asking where can we get Corellium Cafe? We are very, very, very close to allowing everybody to have access to the Corellium Cafe. Right now it is being used by Steven and I and several others, and anybody who is currently doing an active trial of Corellium has access to the Corellium Cafe apps.

00:18:36

We haven't decided yet or not whether we're going to make them fully, publicly available that that decision is forthcoming. But at least if you're doing a trial of the Corellium platform, you are able to gain access to those applications through that free trial process. So the Cafe apps are coming, especially now that we are kind of wrapping up a bunch of our content based upon Corellium Cafe.

00:19:03

We have been very selective to give a few hints on where some of these vulnerabilities are and show how to exploit them. But we have not given all of that out in our webinars. So there's still going to be some challenges in those applications for you. So stay tuned for the announcement of those coming out publicly soon. But again, if you start a free trial with Corellium, you'll have access to those.

00:19:31

Steven Smiley: Exactly. Perfect. So we have a couple practical exercises today. I'm quickly go over through the Corellium Cafe. We have a couple of hardcoded secrets. So quickly talking about that. I’m not going to spend too much time on that because we do have a couple of blog posts and previous webinars where we've kind of talked about this. The majority of the time we’re going to spend using R2, r2Frida, and we're going to start patching out a binary and trying to bypass some security controls, which Rob will do.

00:19:58

So with that, I just don’t want to spend too much time. So I'll go ahead and we'll take a brief look here at some of these hardcoded secrets. So for one, this is the actual binary here. I hope everyone can actually see that I can zoom in a little bit. So this is the actual binary. So if I have this Cafe application…so as we kind of mentioned there’s a bunch of tools you can kind of do to start stuff, things like running strings, you could run strings against the cafe application that's going to pull out every string.

00:20:34

And then you could start, you know, funneling those down depending on what you already know about the application you can grep for things like maybe if you were looking for an email address or something, you could potentially look for like an @ symbo—that's going to be a little bit more difficult using strings. But there are a few things you can look for.

00:20:52

You can really just see what's there. You see an email address there. So there's like one piece of information and things are searching for various words and other things like a promo code. So you could search for things like that as you get some different classes and stuff you need to kind of figure out.

00:21:13

So alternatively, other options just kind of load this into some sort of tool like Hopper or Deidre and start playing around. So not every application has these hardcoded secrets or things that can be easily gathered, but you can gain additional information about the application and then Rob is going to show you some things like if you actually launch the application, maybe it crashes for some security controls, maybe we need to bypass those first before we can actually take advantage of some of the stuff that, you know, potentially be found.

00:21:43

So it's just analyzing the app right here. So we're going to give it a second. But at least if you move it into like Hopper or Ghidra or something like that, you can do a little bit more advanced searches. Sorry, it's just freezing up right there just because it's analyzing. But if you do like @  and .com, you can actually find if you didn't search for Corellium, you didn't find this email, you could potentially find it this way where it searches for the symbol and .com.

00:22:08

And it's going to find both or in the cases of like a promo code. So if we actually walk through the application, which I don't wanna spend too much time on, but in the application itself, because you can purchase beverages, there is a promo code option so you can get a discount. So that's sort of the thing if you don't know what that promo code is, if you think it could potentially be hard coded, it's something to go look for or you need to figure out where it is in the application, you can start searching for that and then walking through the code. You see it's used here a bunch of times.

00:22:39

If you actually walk through this, would take some manual analysis of things like this. We should look it up and then if you just scroll around, you can see some different pieces of information. There is this code right here, which is CorelliumizAwesome that actually happens to be the promo code. It's actually hard coded. But again, this just takes some different analysis or there's other things you could do where you could actually look up different locations in this and try to hook different values and try to print them out using various free two scripts.

00:23:09

That's always an option or you can manually look through. So there's a couple of different options. That's really basic, but just a couple of different options. I wanted to leave some time because Rob’s actually going to walk us through a little bit more on bypassing security controls and using things like our two freedoms. So I'm going to pass it over to him and let him kind of go ahead with what else we have.

00:23:34

Brian Robison: Yeah. And while we're doing that, a question was asked like, you know, do we offer virtual phone access like some of the other emulators or simulators are out there? Yeah, you're going to see those in action here just in a minute where you actually get to see, you know, code running on a file or in some cases maybe code not running on a phone.

00:23:55

So you'll see that here in just a few seconds. So just a quick intro to that. And, you know, do we allow debugging of CIS calls? Yes. We actually have a feature called Core Trace, which allows you to create a trace log from every CIS call made from an application gets traced into that log and it provides wonderfully fantastic debug information for, you know, vulnerability, exploitation or even, you know, DevOps debugging, providing really detailed developer debug logs back to your coders.

00:24:32

So those are a couple of cool features. I don't think Rob is going to show Core Trace today, but we are going to get to see everything else in action. So, Rob, take it away, man.

00:24:42

Robert Ferri: Cool. Thank you, Brian. So hello, everyone. Thank you for joining. My name, Robert Ferri. I'm an independent consultant and researcher and also pen tester. And today I'm going to break down some reverse engineering techniques for the iOS applications, specifically this Cafe app. I'm going to be using this tool called r2Frida, which Steven touched on it earlier.

00:25:07

It's kind of a blend between the two, which is a static reverse engineering framework and disassembler and Frida, which is everybody's favorites and probably one of the most well known dynamic instrumentation tools out there. My goal for this talk is to show you that you don't actually have to be like a reverse engineering wizard or be able to read assembly at a really high level to figure out what's going on in the app and to do some basic reverse engineering.

00:25:43

Specifically, I'm going to be centering this around jailbreak protection. I know there was a question about jailbreak detection earlier. I'm going to be specific around jailbreak detection. I'm going to try and go over a couple of techniques about some common techniques that they use for jailbreak protection. And some bypasses are also quite common and stuff that I use all the time when I'm doing mobile penetration tests.

00:26:11

So let me share my materials set up here. Hold on second, everyone. Right. You can see my screen, I assume?

00:26:34

Steven Smiley: Yeah, I can see. We’re good.

00:26:36

Robert Ferri: Cool. All right. So I'm actually going to bring up my slide. I have one slide. It's not going to be as painful as it looks. OK? It's just that there's some…r2Frida has some interesting commands that look daunting when you're looking at our r2Frida for the first time or Radare the first time.

00:27:03

But it actually makes a lot of sense when you really get into it. I'm going to show that in a few minutes. So the first thing you need to do is you're going to need to download r2Frida. They way you do that, is there’s actually a couple ways. So you can actually just go to the GitHub and I have some links after for some of the things we're going to use. Radare2 is its dependency.

00:27:30

And you might think, well, what about Frida? Well, you probably already have Frida on your system in the first place, but actually r2Frida comes with its own built in Frida and downloads it when it needs it, w which is an interesting kind of quirk I've found about it. So once you get Radare2, it actually comes with this package…if this thing will go away from my screen…actually a package manager that it comes with, among other things. It comes with a few tools.

00:28:05

This package manager right here, r2pm. This is probably the easiest way to get r2Frida. So you can see all sorts of things with this you can actually search for…let's go Frida. And so to get r2Frida you’re going to write in r2pm -ci which is for clean install. 

00:28:29

I already have it so I'm not going to do this. So that's, that's probably the easiest way to get it from probably the best way. I think it's actually the one they recommend. You can also go to their GitHub and get it, which is pretty standard. Initial setup of r2Frida. You're going to launch it by typing r2 frida:// This is to launch r2 with r2Frida.

00:29:01

And so we're going to give a question mark actually, which we'll bring up to help pages. Sorry, where were we? Help pages. OK. So there's a bunch of things that you can do with this. You can actually connect to locally on device. You can connect to processes and apps locally on your device. You can connect over USB, which is what we're going to be doing.

00:29:33

You can also connect remotely if you want to connect over, say, a LAN. And then there's some environment settings and things that we're going to focus on. Since we're using this device over here, you can see we have iPhone 12 Pro Max running 15.6 and it'll be jailbroken with a little green check and tell us we’re jailbroken.

00:30:01

We also have Cydia running which is a good indication that we're jailbroken. And if we launch the Cafe app it's actually going to just crash. And so that's very standard and very standard thing in the industry where apps will launch and crash immediately if they're jailbroken. You see this a lot with banks, with gaming apps, things like that.

00:30:26

Things they don't want you to reverse engineer easily. They just crash right away. And that's kind of a problem. It leaves you with a couple of things you can do. You can basically do a lot of static analysis to see what they're doing and get your hooks in properly. And so I'm going to show you a little bit of how to beat that and how to see what they're doing without writing any JavaScript for Frida and looking at very minimal assembly, we could actually just probably skip assembly altogether.

00:31:03

But in this case, I'm going to show you a little bit. So to launch the app with r2Frida, I have this new USBFlux tool. So if you're using Corellium, you need USBFlux and basically acts as if this device is one. So we're going to be using USBs and we can search for apps, we can search for processes, we can attach to the process by its PID, assuming it's running. In this case, it won't be because it crashes immediately.

00:31:38

We can spawn apps and we can launch apps. So the difference between spawning and launching abuse on an app, it's going to open the application and it's going to pause it. And so if we go with spawn/usb and we're actually just going to type in Cafe because that's the name of the app that we need to right there. You're going to see it launch and it pauses and then we're waiting.

00:32:08

Now we’re hooked up to r2Frida. And so the difference is spawn will launch it and pause and launch will actually spawn the app and continue the resuming. And we can actually resume manually by typing on this command, :dc. And then if we want to, I'm going to launch the app just to show everybody what's going on. We can do Cafe and it'll launch and you'll see it’s going to crash immediately because we're doing jailbreak detection. Cool.

00:32:48

So how do we deal with this? So initial setup. That's how you launch the app. One thing I should probably mention also is that how do you know what you're looking for? What are you connecting to here? So you can actually just like in spawn or launch or whatever usb// and it'll list out everything that's on the device and also if they're running, you'll see nothing's running.

00:33:17

So we'll see and it'll give you the name and it will give you the package identifier and you can actually use any one of these to spawn an app on the device. So and when you get set up, I'll show this in a minute, there's a special command in r2Frida that's going to set up our environment for further analysis.

00:33:46

And this is the .:init and and so actually we go to r2 frida:// and we type in 0, it's actually going to launch in a special case where we can just play around. It's not really attached to anything, but it's good for demonstration purposes so we can actually play around.

00:34:16

So normally you would type in the .:init and it'll just run the thing. So if you want to actually see what it's doing, you can just omit the period and you can run it. And what's happening is it's setting up our environment so it's sending a bunch of values, it’s importing some things. And here that's what these are doing with these stars and importing libraries and forwarding symbols and whatnot.

00:34:45

And it's actually mounting the filesystem, which is a really cool thing with r2Frida. It mounts the file system. I'm not going to go over this in depth today, but you can actually just browse your file system through r2Frida, which is really neat. And the last thing it's going to do, is s entry0. It’s going to seek the entry point of our application.

00:35:10

It's called entry0. So what we're going to do here is I'm going to show some basic commands about what's going on. And then we're going to get into actually reversing and seeing what's happening with this app because it's crashing. So all the commands that you're going to see or almost all of them, any anything have to do with r2Frida specifically as opposed to R2 because you can use both with this tool. Any commands that are specific to r2Frida start with this colon right here. And so a :ic is going to list classes and this is what I mean about how it's kind of unintuitive, but also at the same time you're going to see that it makes a lot of sense.

00:36:02

I see lists, classes, but if you think about it, if you do a “:i” it gives you information. So I think about it as standing for information. Similarly, as I showed earlier, s. S is for seek. So if you need to seek to an address, you need to seek to entry0. You use s.  A is for analyze.

00:36:25

So it's really…it seems daunting at first when you see the commands, but it's actually not that bad and you get used to it pretty quickly. So in this case, we have…I'm going to launch the app and I'm going to show you interactively. I’m going to spawn. I'm going to glance over something real quick, but I will come back to it later, I promise.

00:36:52

There we go. All right. So as you can see, we're spawned here. We are at 000. So we're going to run this init command. This is going to take a second because we are on…it's got a lot of things to import and I think it's a little bit slower because we're not directly connected on USB. We just have this USBFlux connection going on here.

00:37:34

So while that’s happening, I'll go over a few more things. You saw me earlier; I read a question mark. This is one of the useful commands that's going on here. I'm actually going to go into this. You saw this—so there's a question mark. S is probably the most useful command you can remember. If there's only one thing you take away from this slide, it's this question mark. It’s going to help you in life. OK. If you find a question mark at any point in r2Frida or even R2, you'll see the help page for it. And it's going to be instrumental in picking you up and having you figure out what's going on. So you can just take the question mark in directly.

00:38:19

If you do it in r2Frida, you're going to see a list of commands for Radare itself. If you do a colon question mark, you'll see a list of commands for r2Frida. And similarly, if you have a command like DTF, which is dynamic trace, which we’re going to use extensively very shortly, and you do a question mark, you're going to see all the things that go into that.

00:38:48

So it's going to show us a bunch of…what’s the word I’m looking for. Format specifiers. When you're tracing, there's a lot of format specifiers that you can have. So you can have…you can trace to the arguments and you have to tell it what you want to see. The arguments for that you want to see—is it a string of objects, so on and so forth.

00:39:13

So that's probably the most useful command you can have. The next most useful one is this right here? There is this squiggly line, called the tilde or tildé, depends on where you are. And the plus and tilde will do basically it essentially grep. You can just think about the tilde as grep and you can think of the plus as it makes it a bit case insensitive.

00:39:40

So in the example here we're importing exports from the application and we're grepping case insensitive for the keyword jailbroken and when this is run, we can actually show that. So we can actually show classes if you do :ic you can see you're going to see a bunch of classes show up. There's 36,000. Yeah, sure, let’s show all the classes here. Here we go. And so we can actually just grep case insensitive. I need to zoom in a slight bit more for everybody.

00:40:14

Matching grep case insensitive. And we're going to look for the keyword, jailbreak, and we'll see if anything shows up. So here, a class cafe.jailbreakcheck. You can look for other things. We got NSFileManager is pretty generic. We got NSFileManager here. So what we can actually do as well is give this :ic and we can pass NSFileManager and that's going to show us all, all of the methods and the functions under NSFileManager and where they live in memory.

00:40:51

This is their actual address and memory, which is useful for when you're hooking. You can actually hook functions based on memory or you can hook based on the path itself and you can actually do this grepping later. So there's like 100 or something methods here you can actually grep for specific things like fileExistsAtPath. So here's four things right here.

00:41:18

We have fileExistsAtPath, we have removeFileAtURL, we have fielExistsAtPath in a directory, so you can use this. It’s very powerful. So the two most powerful things you can remember is the question mark—here's all your R2 commands—and that Tilde. And so you can actually do…there's question mark. These are the r2Frida commands that you'll be needing.

00:41:46

And I'm going to show you some of these very shortly. So dtf, I already went over, :dtf. That's how we're going to trace functions. I'm going to get into that more very shortly. Same with this :di This is actually how you replace values and r2Frida which I will also show you. These two come up a lot more. And s, seek to an address. Afr, I told you earlier—a is for analyzing. :afr is analyze function recursively and it's going to analyze the current function that you have.

00:42:27

So if you seek to a function and you want to see it, see what it's doing, see the assembly language you're going to use :afr and then you can run PD, :pd, and if you give it a certain number, it will print out. These are for print. It'll print out the next set of instructions.

00:42:49

So we do like a p20 we're going to see…so we're actually going to build here, let's do this. We're going to look for any exports for Frida. So again, this one called detectFrida. This is where it lives. This is the function where it lives in memory. So we can actually seek with this s and we can give it to the memory address and you'll see that we've actually changed to that memory address.

00:43:14

And so we're going to go afr, analyze this. And so we can do this pd. Which again, if we do disassemble, you can do a question mark and we can tell it to disassemble 20 instructions and you’ve done it now. You’ve broken it. It's technical difficulties. Sorry. Bear with me. Let me crash this guy. Come back to us. And there we go. Process terminated.

00:44:07

1. One command I don't have here is this oo. All of these are small case lowercase o's. These are not zeros. This will actually just reboot process, which is really nice so we can reboot the process. And I don't know if we're here. We're here, but now we're kind of back to entry0. Sorry. Let's look for that again, see where it is. And running again.

00:44:47

1. So we're going to try this again. But essentially you can do a pd and you can give it say ten and it will print out 10 instructions. You can also do this pdf which will print just the entire function. And of course I spoke about dc which will continue execution later, which is going to become one you'll see in a few minutes.

00:45:15

A couple of useful things. I've already mentioned the question mark and the tilde. So there you can actually import Frida scripts. If you already had a script set up, you can actually import it with a colon period. And then just passing the script where it lives on your system and it'll bring in the scripts and it'll run it. We're going to be using this one later.

00:45:38

It's a period and we're going to use this .r2 file, which is essentially it's like…you can think of it as a configuration file. You can just type out commands. And this .r2 file that are kind of limited. And when you import that, it will automatically like if you have traces and hooks and stuff in there, it'll automatically import them and run it.

00:46:09

And if this comes back online, I can start showing some stuff again and we're back. So all right. So we're going to seek back to this file. We're going to afr so we can analyze. The function’s broken. So there we go. Awesome. So I just type the pdf. This is an r2 command. It's not an r2Frida command.

00:46:47

I accidentally I guess I put that inside. There's no colon in front of here. So this is r2 that's actually doing the reverse engineering. What's really neat is that this is actually live on the device. We haven't loaded the binary. I actually have r2 set up. I've loaded the binary in here statically, but this is actually on the device so we can do some cool things.

00:47:10

We can actually just change values. We can change up codes and stuff like that. We can pop out instructions if we want to, which I'm going to show you in a second. So this is the actual detectFrida. And what usually happens when you launch a device as they’re detecting Frida is one of their one of their jailbreaks and they do this in a few ways.

00:47:34

They generally will set up a socket and they'll listen with function or the bind function or something similar to that nature to listen if connected socket Frida is listening for doing listening by default on the host port 27,042 and for those who know anything about Hex right here, 69a2 is as hex for that 27,042. You can actually just go get hex to decimal converter and you can just plug that in there. 27,042.

00:48:21

So we have some idea of what this app is doing. It looks like it's detecting Frida. So the easiest way to defeat this is to start the Frida server on a different port, right? Sometimes the easiest way is the best way. I'm not going to do that because that's not a lot of fun right now.

00:48:45

That's just one of the ways to do it. If you're going to be reverse engineering stuff, put Frida on a different port and suddenly, suddenly won't be able to detect it. And that's easily defeats one of the checks that's going on. Another check we're going to do. So what we're actually going to do is we're going to set up this file and we're going to run it, and this file is going to have…we're going to trace a few functions and eventually we're going to replace values.

00:49:19

And you'll see that we'll bypass my checks that are going on here. So we're actually going to, and I'm going to get into the trace command in a second, and I'm going to show you how you can figure out what's going on so you can actually sub your own traces.

00:49:35

Brian Robison: This is just the note, Rob. You have like 8 minutes left, roughly.

00:49:40

Robert Ferri: 8 minutes left. OK. OK. Well, we're going to do this real quick then. All right. So the first thing we're going to do is we're going to look for…we're going set up this file and we're going to look for certain commands. I already mentioned bind is very common and we can actually just patch it dtf bind. We're going to look for objc:NSFileManager.fileExistsAtPath and we're actually going to pass in some specifiers, which I'm going to go over a half a second actually, maybe the most.

00:50:25

And you know what? We're going to stop there. We're just going to move those to for now, I'm going to save this file. And so if we get this dtf and give you a question mark, we're going to see these are some format specifiers you can pass to it. I'm going to show you right now. So right here, we're hooking on objc function and objc function—the first two arguments to it are a memory address and the selector, which is the actual function name. And so that's why I'm using X for a memory address. We're going to show it in hexadecimal so it doesn't look all funny and we're going to use zed. And then it's going to show some string, it's going to show us fileExistsAtPath.

00:51:16

And then the actual first argument and the only one for fileExistsAtPath is an ObjC object. And I'm going to show you that right now. You can actually go into fileExistsAtPath, screen this. So if you look at the Apple documentation for fileExistsAtPath, it explains everything that's going on. So it returns a boolean that indicates whether file exists at a specified path.

00:51:39

You can see it’s an ObjC function just based on how it looks in return to Boolean here and it takes an NSString. So if you actually click on NSString, you'll see a string is an object, which is why we're passing a capital O in this case for a specifier. And if you scroll up throughout the actual documentation, you can scroll up to the next step out right here, which is NSFileManager, and this is the class that loads fileExistsAtPath.

00:52:11

And so that's how you know what the load, that's how you know what specifiers can get in. And that's for ObjC function. For native functions you can just pass…it depends on what you're looking at. If you’re looking for ptrace, you can you can actually pass it on your features right here. ptrace explorer for whatever essentially. And so you were just pass ptrace and then give it four i’s as a specifier and you'll see what's going on.

00:52:43

If I have a second, I can get into ptrace in a moment. But so we loaded this file set. So I'm going to look for bind and we're going to look for a fileExistsAtPath because if you have very common things that are going on here and our app is running and we are, we're going to continue execution and see what happens.

00:53:07

So we're use this dc and it terminates and know it didn't do…all these technical difficulties. I need to import this and so I do dot dot command…unable to contain. OK, sorry. Why don't we see active entry? Actually, I don't. Sorry guys. Technical difficulties. Running it again. That's been a little funky lately, r2Frida. It's usually not this terrible.

00:53:41

I guess I have 4 minutes left. So once that picks up again, I'm going to show you really quickly what's going on. But this gives me time to talk about a few other things. So this I mentioned ptrace earlier. Ptrace on iOS is what's called a private API not actually allowed to use it for the Apple spec. Um, and so if you try and just look for ptrace, if you're trying to build an app and call ptrace directly when you go and upload your file to Apple to try and get it on the app store they’ll deny you because it's private. You're not supposed to use it but ptrace does, it’s for process debugging.

00:54:26

Generally in jailbreak detection, they'll be using this ptrace DENY_ATTACH, which is just going to tell the app to not allow A debugger to attach. And if there's one attached, just move it out and you'll see with ptrace as first hint be a 31. That's what you're looking for ptrace, you want to see if this is a 31.

00:54:51

If it is, you can change it to 0, you can return 0. Whatever you want to do. At that point. So as I mentioned that it's a private API, so you can actually call it. So one way they call it is what this dlsym. Dlsym essentially resolves an address that they can then later use these developers can later use to call that function so ptrace. So they'll use dlsym and you'll see this second one here it takes a symbol this argument would say ptrace or it'll say whatever else they're trying to do, sometimes even resolve dlsym themselves to be a little more shady about what's going on, a little more obfuscated, which makes it harder to do, figure out from our perspective as a reverse engineer what's going on. So that's in a nutshell. I wish I could spend more time, but I'm running out.

00:55:57

So where are we? So we're loading our file, access denied? Trace is already here. That's real. All right. We’re going to do this the easy way. Normally that would just run. We’ll do it manually, then. We’ll hit bind. And see it returns true. And we're actually just going to run on the command and you can see that. So it'll give you the answer.

00:56:54

It’ll give you the Retval. The Retval is what we're concerned about. With bind it will return a negative 1, which is all these apps, if it failed. It'll return 0 if it doesn't fail. So we actually know that they're using binding in some way and so we can use the UI command. And if you use 0, it'll tell the function that you're looking to return a 0, which is going to say that it succeeded and it's going to pass our test.

00:57:24

And you can see it didn't crash, the app just went straight into it, which is nice. So sorry, we have one minute left, but can we go over at all, Steven? Couple minutes.

00:57:36

Brian Robison: Yeah, yeah. You can go over just a little bit. Yeah.

00:57:39

Robert Ferri: OK, I'll hurry it up. We'll go over just a couple of minutes. I'm not even going to bother with the file at this point because I don't know why it’s giving me trouble, but essentially what's going on here now is the hardcoded value in here—coreadmin@corellium.com and we're going to password…I actually need to go back here and we're going to log in.

00:58:23

You can see it tells us that we passed jailbreak detection, but we actually haven't. You can see there's a bunch of SUS files that show up and what's going to happen is it's just going to close the app because that's what happens when you do jailbreak detection. Your app gets closed for fun. So we're going to relaunch this. Did Corellium freeze? My Corellium device is frozen. Let’s do this. Kill %1. Will you respawn? Spawn already in progress. Great.

01:00:00

Well that's a shame. Looks like our device is frozen, guys. I have to reboot it and it’s going to take too long.

01:00:30

Steven Smiley: Yeah that’s OK. Is there anything else you show?

01:00:36

Robert Ferri: Yeah. I'm sorry, guys, but the demo god thing, I guess.

01:00:42

Brian Robison: We didn't sacrifice enough to the demo gods today. So let's do this, Rob, we're going to go ahead and thank everybody for their time. We'll post a follow up blog with a demo video shortly on our website as a blog. So, you know, thank you, everybody very, very much for your time today. Went over a couple of minutes, but not too bad. Rob, thank you very much for your time today and your efforts. Steven, as always, thank you as well. And again, we appreciate everybody hanging out today. We will send the recording of this out shortly. For those of you who have have questions in there, we will also get back to you offline with those questions. So thank you all very much and have a fantastic rest of your day.