A little something for your reversing habits.
I’m a big fan of binary reverse engineering. I think it’s a unique skill to have and it creates an interesting way of thinking. The way of thinking that forces you to figure out how things work, even if you’re trying to enjoy some iced tea on the beach. Most of my reversing life has been spent on either x86_64 or ARM64 architectures. I would even go as far as to claim that I know those instruction sets well. However, every now and then I come across a strange looking instruction - like
UNPCKLPS, I have to break my flow open the Intel Reference manual and look up the instruction’s meaning. Same for when I’m trying to understand semantics of a very common instruction. For example,
SUB can be used atomically if it has the LOCK prefix set - not a detail that comes up often.
Automating the UI for blackbox testing
During blackbox security testing, it is often the case that you need to explore the application. Mostly to understand what it does and what sort of interactions it has with the outside world. It is also a good way to determine what code a user might end up exercising during their use of the application. In case of iOS, most of the App activity will be user triggered and the other parts will be things like polling of the web api for changes. Either way, the App’s activity and any potential vulnerabilities are largely triggered by the user.
Tracing Objective-C method calls
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
Building libraries for iOS
In this blog we talk about how to build a library in a simple way. This is designed for those who only care about the quickest and easiest way to build a command line program or a dylib for a jailbroken iOS platform. So, it is not an exhaustive manual of all the possibilities but rather a quick reference guide to get you started.