Archive for April, 2009

From BlackHat Europe 09

April 22, 2009

Charlie Miller and Vincenzo Iozzo did a wonderful presentation at BlackHat – Europe 2009 on Mac OS X and iPhone hacking. You can find video and a paper from their presentation here. Sections 4 and 5 (of the paper) are on the iPhone. They give a brief introduction to the ARM architecture and iPhone OS security.

It turns out that Apple has done a decent job of making it very hard to execute shellcode on the iPhone. Pretty much all memory except the programs (and libraries) on the phone is not executable and cannot be made executable (at least not yet). This means no executing shellcode on the stack or in the heap; your only attack vector is large return-to-libc attacks. They give some example shellcode in their paper that will run on a “virgin” iPhone (not jailbroken).

Return-to-libc attacks work by tricking the machine into running code in libraries or the loaded program in such a way that you accomplish some malicious task (or a benign but unintended one, like the vibrate code in the paper). It is a pretty standard way to exploit systems with non-executable stacks and/or heaps.

Categories: iPhone

Basic Reverse Engineering

April 14, 2009

It turns out that reverse engineering native iPhone apps (calc, mobile safari, mobile mail or anything that is on the phone by default and not from the app store) can be quite an involved process for those not familiar with the ARM architecture or Objective-C. Here I will give a brief introduction to the tools needed for the job and some links to further information.

Native applications are stored in the “/Applications” directory on the iPhone. In here you will find folders such as AppStore.app, MobileMail.app, MobileSafari.app, etc. These are the native applications. Beginning reverse engineering on these is very simple. For example, if we enter the MobileSafari.app directory, among other files we find the “MobileSafari” binary file. Open this with your favorite disassembler (HT Editor, IDA Pro, etc.) or use otool (arm-apple-darwin-otool if you have installed the desktop toolchain) with the -Vt option to dump the assembly.

Since the binaries run on the ARM platform, it is necessary to understand the ARM instruction set. I have found the following links helpful:

Objective-C is a little bit of a different beast than its C counterpart. In the assembly you will see calls to sendmsg scattered throughout the entire program. This is really the way Objective-C calls class methods. Anyways, a basic knowledge of Objective-C is needed to understand the assembly. There are plenty of iPhone development books out there, which I’m sure are all fine. I am starting to read iPhone Open Application Development by Jonathan Zdziarski.

Finally, I ran into a good tutorial paper on iPhone native app reversing called Primer on Reversing Jailbroken iPhone Native Applications v1.0. It seems pretty good and definitely worth the read.

Another place to start reverse engineering on the iPhone is in the shared libraries. In “/usr/lib” we can find a bunch of dylib files. These are the libraries to start looking at and can be reversed as described above. There are also some interesting files in “/Library” we can look into.
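Before opening a binary in a disassembler, it helps to confirm it is an ARM Mach-O and to see which “/usr/lib” dylibs it links against. The following is an added example, not code from the original post: a small Python parser for the thin, little-endian 32-bit Mach-O header and its LC_LOAD_DYLIB load commands. The sample bytes are constructed here for illustration and are not taken from a real iPhone binary; fat (multi-architecture) files are rejected rather than handled.

```python
import struct

MH_MAGIC = 0xFEEDFACE            # thin 32-bit Mach-O magic
CPU_TYPES = {7: "x86", 12: "arm", 18: "powerpc"}
LC_LOAD_DYLIB = 0xC              # load command naming a linked dylib

def parse_macho32(data):
    """Return (cpu_name, [dylib paths]) for a thin little-endian 32-bit Mach-O."""
    if len(data) < 28:
        raise ValueError("too short for a mach_header")
    magic, cputype, _sub, _ftype, ncmds, sizeofcmds, _flags = \
        struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a thin little-endian 32-bit Mach-O (magic %#x)" % magic)
    end = 28 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    dylibs, off = [], 28
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d" % cmdsize)
        if cmd == LC_LOAD_DYLIB:
            if cmdsize < 24:
                raise ValueError("LC_LOAD_DYLIB smaller than dylib_command")
            # The name is stored as an offset from the start of this command.
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset outside command")
            raw = data[off + name_off: off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
        off += cmdsize
    return CPU_TYPES.get(cputype, "unknown(%d)" % cputype), dylibs

def build_sample(paths):
    """Constructed test input: an ARM header plus one LC_LOAD_DYLIB per path."""
    cmds = b""
    for p in paths:
        name = p.encode() + b"\0"
        name += b"\0" * (-len(name) % 4)          # pad to 4-byte boundary
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    # cputype 12 = ARM, cpusubtype 6 = ARMv6, filetype 2 = executable
    return struct.pack("<7I", MH_MAGIC, 12, 6, 2, len(paths), len(cmds), 0) + cmds

SAMPLE = build_sample(["/usr/lib/libSystem.B.dylib", "/usr/lib/libobjc.A.dylib"])

if __name__ == "__main__":
    print(parse_macho32(SAMPLE))
```

To try it on a real file, read the binary with `open(path, "rb").read()` and pass the bytes to `parse_macho32`.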

Categories: iPhone