Reversing the iOS application can be interesting and profitable. This short article presents how to decrypt an iOS application for reverse engineering. The example application is Puffin browser.
Pre-requirementBefore the application can be decrypted, some packages need to be installed.
- gdb - the GDB available from the Cydia repository is not working properly. The correct version can be downloaded from the Radere repository. One needs to add
http://cydia.radare.org to the repository (the source setting need to be set to Developer)
- iOS Toolchain
Finding the codeFirst thing what we need to check if the code is really encrypted. We can do this using the otool tool and looking for the LC_ENCRYPTION_INFO section.
otool -arch all -Vl <app name> | grep -A4 LC_ENCRYPTION_INFO
Dumping memoryBecause the iOS 7 is using ASLR the decrypted code will be located in different memory address ranges. We need to load it, run and stop after the decryption routine is finished (on the original application entry point). To do this we need to load the application in gdb and set break point on the begining of the application - UIApplicationMain.
When the gdb stops on the break point we can find the appropriate region. Using the info sharedlibrary command we can display all loaded libraries with their base addresses.
The Puffin application (position number 2) has the base address 0x9000. Now we can dump the code. To do this we will need two addresses - begin and end. They are calculated in follows:
Begin address = base address + cryptoff
0x9000 + 16384 = 0xD000
End address = base address + cryptoff + cryptsize
0x9000 + 16384 + 511808 = 0x4ED000
The dump is made by the following command:
dump binary memory <dump name> <begin address> <end address>
Creating binaryNow we need to copy the dumped code into the thin version of our application.
dd bs=1 seek=<cryptoff> conv=notrunc if=<dump name> of=<application>
Now the dump is completed and the application can ba analyzed using the IDA Pro or the Hopper Disassembler.