Posts Tagged ‘reversing’

Cracking In-App Purchases

April 7, 2010

The other day I ran across poedcrack, a utility for iPhone/iPod which will decrypt AppStore apps automatically. This is definitely a step up from earlier. After testing it out I got to wondering how easy it would be to crack in-app purchases.

One obvious method would be to patch the decrypted binary so that the application thinks a purchase went through. I’m going to outline an even easier process.

Many in-app purchases simply unlock functionality of the software. The functionality is already there, just locked. I expect many apps to use plist files to save information on unlocked functionality. Therefore, if we can figure out exactly what key/value pairs are necessary in the plist to unlock functionality, we can simply edit the plist and upload the modified version to the iPhone.

According to the In App Purchase Programming Guide, an app must implement a provideContent: method, taking an SKPaymentTransaction*, to provide the purchased content. This method is a wonderful starting point. A likely common approach is to pull information out of the transaction within that method to know what was purchased, then add a key/value pair to a plist file to unlock the feature. From then on, the app simply looks at the key/value pair to know whether the feature was purchased.

Within the provideContent: method, we look for calls to methods like setInteger:forKey: or setBool:forKey:. That will give us the value and the key to add to the plist. Determining which plist will require further reverse engineering, or simple brute force (most apps I’ve seen don’t have many plists).

Now, to edit plist files. On the iPhone, they are usually in binary format, so using a simple text editor won’t do. That is where comes into play. It allows you to convert binary plist files to text, edit them, and then convert back to binary.

I point out this information not to promote pirating software or to crack in-app purchases. This raises a very valid computer/network security issue. Typically, when defending a system we have a threat model. The original threat model for the iPhone was probably “it is locked, nobody can mess with the files, binaries, etc.” That, however, has been broken. So, now we must either reevaluate the threat model, or fix the system so it meets the original threat model.
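One way to act on the reevaluated threat model, as an added example that is not from the original post: treat the plist as attacker-writable and have the vendor's server MAC each entitlement, so a locally written flag or a record copied from another device fails verification. SERVER_KEY, the function names, and the device and product identifiers are constructed assumptions.

```python
import hashlib
import hmac
import plistlib

# Assumption: this key lives only on the vendor's server, never in the app.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(device_id: str, product_id: str) -> str:
    # Length prefix keeps (device, product) pairs unambiguous.
    msg = f"{len(device_id)}:{device_id}{product_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_entitlement(device_id: str, product_id: str) -> dict:
    """Server side: bind a completed purchase to one device."""
    return {"product": product_id, "device": device_id,
            "mac": _tag(device_id, product_id)}


def verify_entitlement(record, device_id: str) -> bool:
    """Server side: accept only records issued here for this device."""
    try:
        product, device, mac = record["product"], record["device"], record["mac"]
    except (KeyError, TypeError):
        return False  # bare flag, missing fields, or no entry at all
    if device != device_id or not isinstance(mac, str):
        return False
    expected = _tag(device_id, str(product))
    return hmac.compare_digest(expected.encode(), mac.encode())


def load_record(plist_bytes: bytes, key: str):
    """Read one entry from a binary or XML preferences plist."""
    return plistlib.loads(plist_bytes).get(key)


def demo() -> dict:
    # Constructed sample: what a legitimate purchase leaves on DEVICE-A.
    good = {"levelpack": issue_entitlement("DEVICE-A", "com.example.levelpack")}
    good_plist = plistlib.dumps(good, fmt=plistlib.FMT_BINARY)
    # Constructed sample: a plist holding only a locally written flag.
    bare_plist = plistlib.dumps({"levelpack": True}, fmt=plistlib.FMT_BINARY)
    return {
        "legitimate": verify_entitlement(load_record(good_plist, "levelpack"), "DEVICE-A"),
        "bare_flag": verify_entitlement(load_record(bare_plist, "levelpack"), "DEVICE-A"),
        "copied": verify_entitlement(load_record(good_plist, "levelpack"), "DEVICE-B"),
    }
```

The verification has to run on the server (for example, before it delivers the purchased content), because a check compiled into the app can be patched out of the decrypted binary, as the post notes.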


Basic Reverse Engineering

April 14, 2009

It turns out that reverse engineering native iPhone apps (calc, mobile safari, mobile mail or anything that is on the phone by default and not from the app store) can be quite an involved process for those not familiar with the ARM architecture or Objective-C. Here I will give a brief introduction to the tools needed for the job and some links to further information.

Native applications are stored in the “/Applications” directory on the iPhone. In here you will find folders such as,,, etc. These are the native applications. Beginning reverse engineering on these is very simple. For example, if we enter the directory, among other files we find the “MobileSafari” binary file. Open this with your favorite disassembler (HT Editor, IDA Pro, etc.) or use otool (arm-apple-darwin-otool if you have installed the desktop toolchain) with the -Vt option to dump the assembly.

Since the binaries run on the ARM platform, it is necessary to understand the ARM instruction-set. I have found the following links helpful:

Objective-C is a little bit of a different beast than its C counterpart. In the assembly you will see calls to sendmsg scattered throughout the entire program. This is really the way Objective-C calls class methods. Anyways, a basic knowledge of Objective-C is needed to understand the assembly. There are plenty of iPhone development books out there, which I’m sure are all fine. I am starting to read iPhone Open Application Development by Jonathan Zdziarski.

Finally, I ran into a good tutorial paper on iPhone native app reversing called Primer on Reversing Jailbroken iPhone Native Applications v1.0. It seems pretty good and definitely worth the read.

Another place to start reverse engineering on the iPhone is in the shared libraries. In “/usr/lib” we can find a bunch of dylib files. These are the libraries to start looking at and can be reversed as described above. There are also some interesting files in “/Library” we can look into.
