Archive for the ‘iPhone’ Category

Cracking In-App Purchases

April 7, 2010 Leave a comment

The other day I ran across poedcrack, a utility for iPhone/iPod which will decrypt AppStore apps automatically. This is definitely a step up from earlier. After testing it out I got to wondering how easy it would be to crack in-app purchases.

One obvious method would be to patch the decrypted binary so that the application thinks a purchase went through. I’m going to outline an even easier process.

Many in-app purchases simply unlock functionality of the software. The functionality is already there, just locked. I expect many apps to use plist files to save information on unlocked functionality. Therefore, if we can figure out exactly what key/value pairs are necessary in the plist to unlock functionality, we can simply edit the plist and upload the modified version to the iPhone.

According to the In App Purchase Programming Guide, an app must implement provideContent: SKPaymentTransaction* method to provide the purchased content. This method is a wonderful starting point. A probably common approach is to pull information out of the transaction within that function to know what was purchased and add a key/value pair to a plist file to unlock the feature. In the future, the app simply looks at the key/value pair to know if the feature was purchased.

Within the provideContent function, we look for calls to functions like setInteger: forKey:, or setBool: forKey:. That will give us the value and the key to add to the plist. Determining which plist will require futher reverse engineering, or simple brute force (most apps I’ve seen don’t have many plists).

Now, to edit plist files. On the iPhone, the are usually in binary format, so using a simple text editor won’t do. That is where comes into play. It allows you to convert binary plist files to text, edit them, and then convert back to binary.

I point out this information not to promote pirating software or to crack in-app purchases. This raises a very valid computer/network security issue. Typically, when defending a system we have a threat model. The original threat model for the iPhone was probably “it is locked, no body can mess with the files, binaries, etc.” That, however, has been broken. So, now we must either reevaluate the threat model, or fix the system so it meets the original threat model.

Categories: iPhone Tags:

Unknown firmware/Updating firmware on unactivated iPhone

July 29, 2009 3 comments

Today I was in an interesting circumstance. I needed to jailbreak/unlock an iPhone, but had no idea what firmware was on the phone. Since the phone was unactivated I couldn’t pull up the settings icon nor could I use iTunes to figure it out. After searching and searching and finding nothing, I did the following and it worked like a charm.

  1. Turn the phone off
  2. Hold down the Home button and plug the phone into the computer via USB
  3. Continue holding Home until the screen shows the “connect to iTunes” screen
  4. Open iTunes on your computer, click “OK”
  5. Hold down Shift and click on Restore
  6. Choose the firmware file you want (one downloaded from the iPhoneWiki’s System page works) to install on the phone and proceed as directed

I ended up doing things this way because nothing else I could find on the net worked (mostly this meant field test mode didn’t work). While this doesn’t tell you what firmware version you are using, it gets you to a point where you will at least know. After this, I just ran redsn0w and it was a done deal!

Categories: iPhone Tags: ,

Shellcode on an iPhone

June 16, 2009 Leave a comment

The details are very sparse but in a week or so all bets will be off. According to Ars Technica, Charlie Miller and Vincenzo Iozzo will be presenting a technique at BlackHat USA that allows an attacker to run arbitrary shellcode on an iPhone. The only real details about the attack are that they figured out a way around code signing protections. Code signing protections made it very hard to exploit vulnerable programs on the iPhone since the only code that could be run was code that Apple has reviewed. This makes it much easier for viruses, worms, etc to be written for the iPhone!

Categories: iPhone Tags: ,

Phrack on Objective C and Rootkits

June 11, 2009 Leave a comment

The 2009 edition of Phrack Magazine has an article called “The Objective-C Runtime: Understanding and Abusing“. This is probably a great read for anyone interested in iPhone hacking. I haven’t looked at it yet, but when I get the time, I’ll post my thoughts. There is also an article on OS X rootkits. So check out these two articles and post your comments.

Categories: iPhone Tags: , ,

From BlackHat Europe 09

April 22, 2009 Leave a comment

Charlie Miller and Vincenzo Iozzo did a wonderful presentation at BlackHat – Europe 2009 on Mac OS X and iPhone hacking. You can find video and a paper from their presentation here. Sections 4 and 5 (of the paper) are on the iPhone. They give a brief introduction to the ARM architecture and iPhone OS security.

It turns out that Apple has done a decent job of making it very hard to execute shellcode on the iPhone. Pretty much all memory except the programs (and libraries) on the phone are not executable and cannot be made executable (at least not yet). This means no executing shellcode on the stack or in the heap; your only attack vector is large return-to-libc attacks. They give some example shellcode in their paper that will run on a “virgin” iPhone (not jailbroken).

Return-to-libc attacks work by tricking the machine into running code in libraries or the loaded program in such a way that you accomplish some malicious task (or benign but unintended like the vibrate code in the paper). It is a pretty standard way to exploit systems with non-executable stacks and/or heaps.

Categories: iPhone Tags: ,

Basic Reverse Engineering

April 14, 2009 Leave a comment

It turns out that reverse engineering native iPhone apps (calc, mobile safari, mobile mail or anything that is on the phone by default and not from the app store) can be quite an involved process for those not familiar with the ARM architecture or Objective-C. Here I will give a brief introduction to the tools needed for the job and some links to further information.

Native applications are stored in the “/Applications” directory on the iPhone. In here you will find folders such as,,, etc. These are the native applications. Beginning reverse engineering on these is very simple. For example, if we enter the directory, among other files we find the “MobileSafari” binary file. Open this with your favorite disassembler (HT Editor, IDA pro, etc) or use otool (arm-apple-darwin-otool if you have installed the desktop toolchain) with the -Vt option to dump the assembly.

Since the binaries run on the ARM platform, it is necessary to understand the ARM instruction-set. I have found the following links helpful:

Objective-C is a little bit of a different beast than it’s C counterpart. In the assembly you will see calls to sendmsg scattered throughout the entire program. This is really the way Objective-C calls class methods. Anyways, a basic knowledge of Objective-C is needed to understand the assembly. There are plenty of iPhone development books out there, which I’m sure are all fine. I am starting to read iPhone Open Application Development by Jonathan Zdziarski.

Finally, I ran into a good tutorial paper on iPhone native app reversing called Primer on Reversing Jailbroken iPhone Native Applications v1.0. It seems pretty good and definitely worth the read.

Another place to start reverse engineering on the iPhone is in the shared libraries. In “/usr/lib” we can find a bunch of dylib files. These are the libraries to start looking at and can be reversed as described above. There are also some interesting files in “/Library” we can look in to.

Categories: iPhone Tags:

The first steps (part 2)

March 30, 2009 2 comments

I had initially planned on talking about reverse engineering iPhone native apps in this post but have decided to write about something else instead. There is another way to gain access to the iPhone filesystem besides jailbreaking your phone. It turns out that there are dmg files on your system that iTunes downloads when installing new firmware that will allow you to access the file system. You can either find them on your computer or download one from theiphonewiki’s System page.  Next, you’ll have to decrypt the dmg file. Theiphonewiki has the keys to do it here and there is a tool called vfdecrypt which can decrypt dmg files. One note about vfdecrypt, I had to modify the source file line 357 to get it working in linux. In the call to getopt() replace any double colons (::) with a single colon. Then recompile (gcc -o vfdecrypt -lcrypto vfdecrypt.c).

The firmware images on your hard drive and the downloadable ones are ipsw files. Change the file extension to “zip” and unzip the archive. You will find several dmg files in there. The largest one (~200mb) is the one you want. Decrypt that dmg file with vfdecrypt. The output file should be a new dmg file. You will now need to extract that new dmg file. To do this I used HFSExplorer. Extract that somewhere and you now have access to the iPhone filesystem.

Categories: iPhone Tags: ,