Understanding reverse engineering is a critical skill for security researchers, ethical hackers, and developer teams alike. Reverse engineering in mobile security testing involves decompiling and disassembling mobile applications to understand their underlying functionality, a process that is essential for identifying vulnerabilities and building scripts to exploit them.
iOS reverse engineering, in particular, can be quite challenging, as it’s difficult to get devices that you can jailbreak for iOS operating systems. Corellium Chief Evangelist Brian Robison, Corellium Researcher Steven Smiley, and mobile cybersecurity professional Robert Ferri recently dug into iOS reverse engineering tactics and techniques, showing live demonstrations of disassembling and application patching using virtual iOS devices.
Watch the full webinar, “Hunting for Vulnerabilities in iOS Apps,” here and find the top highlights below.
Identifying Hardcoded Secrets
To kick off the demonstration, Steven Smiley introduced the Corellium Cafe app, a fictitious coffee shop application that serves as a playground for ethical hackers. The app is full of vulnerabilities, including hardcoded values, bypassable root detection mechanisms, and areas to exploit via dynamic instrumentation, giving security researchers an opportunity to experiment and practice testing. Steven demonstrated how to use tools like Hopper and Ghidra to identify secrets hardcoded in an iOS application. Follow along with our webinar series for more updates on how to get access to Corellium Cafe.
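The hardcoded-secret hunt above is usually a first pass over the binary's string table before opening anything in Hopper or Ghidra. The following is an added example, not code from the webinar or from the Corellium Cafe app: a small string extractor plus pattern and entropy triage, run over a constructed byte blob that stands in for an app binary. The key patterns and the sample values are assumptions made for illustration.

```python
import math
import re
# Constructed sample standing in for the C-string section of an app binary:
# harmless UI strings mixed with values shaped like embedded credentials.
SAMPLE_BINARY = (
    b"\x00\x01Corellium Cafe\x00https://api.example.invalid/v1/orders\x00"
    b"sk_live_4f9a2c7e1b8d3e6f0a5c9d2b7e1f4a8c\x00\x7f\x00\x01Welcome back!\x00"
    b"AKIAEXAMPLE0000CAFE1\x00password=hunter2\x009X2kQ7pL4mZ8vB1nR6tY3wC5\x00"
)

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, same criterion as `strings`
def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """Runs of printable bytes at least min_len long, in file order."""
    found, run = [], bytearray()
    for b in blob + b"\x00":  # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above English text."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

# Shapes of well-known key formats plus assignment-style secrets (assumed patterns).
PATTERNS = [
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                 # AWS access key id shape
    re.compile(r"^sk_(live|test)_[0-9a-f]{20,}$"),     # Stripe-style secret key shape
    re.compile(r"(?i)(password|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
]
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")      # opaque blobs, no URL/path chars

def find_hardcoded_secrets(blob: bytes, entropy_threshold: float = 3.5) -> list:
    """(string, reason) pairs worth opening in Hopper or Ghidra for a closer look."""
    hits = []
    for s in extract_strings(blob):
        if any(p.search(s) for p in PATTERNS):
            hits.append((s, "matches known secret pattern"))
        elif TOKEN_LIKE.match(s) and shannon_entropy(s) >= entropy_threshold:
            hits.append((s, "high-entropy token"))
    return hits

if __name__ == "__main__":
    for value, reason in find_hardcoded_secrets(SAMPLE_BINARY):
        print(f"{reason}: {value}")
```

The URL and the UI strings in the sample are deliberately left unflagged: the entropy branch only considers opaque token-like strings, which keeps ordinary paths and endpoints out of the triage list.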
Breaking Down iOS Reverse Engineering: A Deep Dive with Robert Ferri
During the live demonstration, Robert Ferri went into common techniques that are used for jailbreak detection as well as common bypasses. Using the Corellium Cafe app as an example, Robert demonstrated tools and techniques he uses all the time when doing mobile penetration tests.
“My goal for this talk is to show you that you don’t actually have to be like a reverse engineering wizard or be able to read assembly at a really high level to figure out what’s going on in the app and to do some basic reverse engineering.” — Robert Ferri, Mobile Cybersecurity Professional
Robert specifically focused on R2Frida, including its use cases, how to download and set it up, and how to launch R2Frida against a jailbroken iOS device within Corellium. Radare2 (R2) and Frida are both essential tools for static and dynamic analysis. While R2 offers a comprehensive suite for disassembling, Frida is known for its dynamic instrumentation toolkit, allowing for real-time code injection and manipulation. The versatility of R2Frida makes it a must-have in a researcher’s toolkit.
For those new to the world of reverse engineering, becoming familiar with the commands and their syntax in R2Frida can be daunting. Ferri walked through the syntax of R2 commands and explained how R2 files, described as configuration files, allow researchers to type out commands. When imported, these files automatically execute traces and hooks, streamlining the analysis process. Additionally, Ferri covered the following:
- Live Device Analysis: Within Corellium, reverse engineering is done live on the device, allowing for real-time changes to values and instructions.
- Jailbreak Detection: An app can use various methods to detect jailbreaks, including setting up a socket to listen on specific ports. Ferri showed that one way to bypass this is to start a server on a different port.
- Tracing Functions: Ferri outlined how to set up a file to trace functions and replace values to bypass security checks. He also discussed how to filter the trace output so you can stub in your own trace.
- Private APIs: Some APIs, like ‘ptrace,’ are private and not allowed by Apple’s specifications. However, they can be used for process debugging.
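A minimal model of the port-probing style of jailbreak detection from the list above, written as an added example (not code from the webinar, from Corellium, or from the Corellium Cafe app). The suspect port list is an assumption for illustration. The throwaway listener lets a developer see what the probe reports and why it is only a weak signal: it sees exactly the ports it was told about and nothing else.

```python
import socket
from contextlib import closing

# Assumed indicator ports for this example (22 is the usual OpenSSH port,
# 27042 the frida-server default); not the exact ports shown in the webinar.
SUSPECT_PORTS = {22: "ssh", 27042: "frida-server"}

def port_answers(port: int, host: str = "127.0.0.1", timeout: float = 0.2) -> bool:
    """True if a TCP listener accepts a connection on host:port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def jailbreak_indicators(ports=SUSPECT_PORTS) -> list:
    """Labels of suspect ports that answered; empty means 'nothing seen', not 'clean'."""
    return [label for port, label in ports.items() if port_answers(port)]

def start_test_listener():
    """Bind a throwaway listener on an OS-chosen port to exercise the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_test_listener()
    print("probe sees the test listener:", port_answers(port))
    # The fixed-list check knows nothing about the port the OS just handed out.
    print("fixed-list check reports:", jailbreak_indicators())
    srv.close()
```

Treat a hit as one input to a risk decision alongside other signals; a quiet result is no evidence of an unmodified device.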
The Future of iOS App Security
Want to learn more? Watch the full webinar, “Hunting for Vulnerabilities in iOS Apps.” Also, be sure to check out Corellium for mobile app penetration testing. You can spin up near-limitless combinations of devices and OS versions, no jailbreak required, and access Arm-native virtual devices to enable both static (SAST) and dynamic (DAST) app vulnerability discovery and exploitation testing.
Additional Resources
Happy hunting, and may your code be secure!
Originally published by Corellium: iOS Reverse Engineering Tactics and Techniques in Practice