This is the 5th and final module of this course. I hope you've been having as much fun as I had creating this course, actually if you're having 1 unit above zero fun I'll be happy. 😂 If you felt like the last two modules were way too long, I have good news for you. This is going to be a very short module. You've learned most of what I can teach you (or what I can come up with for this course).
Cycript
and Frida
can handle pretty much any job you need to modify the behaviour of an iOS appliation. But they have two main problems:
- All the changes to the runtime (not including writing to or modifying files on disk) live in memory. This means that every time you want to modify these methods you have to re-run your scripts.
- As you saw with both tools, you need to run the application on your phone before you can start using them. This means that all the logic that's executed when the application is initialized has already happened and cannot be modified with either of the tools. For example in the
CoinZa
application, the jailbreak detection was done in theviewDidLoad
method of the first controller ever created by the application, thus you had to built the controller again and present it.
Sometimes these problems become really annoying and that's when the final tool in your toolbox comes to play. Binary patching will allow you to modify the assembly code of any iOS application then repackage it and install it on your device and the modified (patched) version of the application will run natively on your devices without needing to load any scripts to modify its behaviour.
For this exercise I'm going to exclusively use Hopper
because I don't know how to do this in Ghidra
yet (or if it's even possible). If I later figure it out I'll update the course with both versions.
- Load the
CoinZa
binary inHopper
. - Search for the
Utils
class and select theisJailbroken
method. - If you're not there, select the
CFG mode
tab to see the method's assembly code. - As most of the jailbreak detection methods, this is a long list of checks with early returns if any of this checks is successful. In the flow graph we can see that most of the checks have a jump to a label
loc_100009cc4
(this might be different on your end), but the important part is that the instruction that's executed when jumping to this label:orr w20, wzr, #0x1
- This is the
or
operation between thewzr
register and0x1
, this means that the result in the registerw20
will always be1
(ortrue
) becausex or 1 = 1
. This basically setting the value 1 to the registerw20
.
- This is the
- On the other side of the flow you can see the following two instructions being executed before jumping:
cmp x8, #0x0 cset w20, eq
- The first instructions compares the value in the register
x8
to0x0
and then the second instruction is set based on that comparison. (Based on the ARM documentation, the register is technically increased if the comparison istrue
).
- The first instructions compares the value in the register
- These are the two exit points for the
isJailbroken
method. All you have to do is set the value of the registerw20
to0x0
(orfalse
) and the function will always returnfalse
. - To modify the assembly code:
- Select the
orr
instruction by clicking on it. - Press
⌥ + A
or from the top menu selectModify
and thenAssemble instruction...
- Hopper will show a window with a text field enter:
movz w20, #0x0
- This will replace the existing instruction with this one. What this instruction is doing is loading the value
0x0
onto the registerw20
.
- This will replace the existing instruction with this one. What this instruction is doing is loading the value
- Follow the same steps for the
cset
instruction.
- Select the
- Once you've replaced the two instructions, press
⇧ + ⌘ + E
or from the top menu selectFile
and thenProduce New Executable...
. - Name the new binary
CoinZa
and clickSave
. - Replace the existing
CoinZa
binary inCoinZa.app
. - Repackage the application:
zip -qry CoinZa-Frida.ipa Payload
- Now you can follow the same
Cydia Impactor
steps, just like you've done so far, and install the application on your device. - Run the application by tapping on its icon.
- The application doesn't show the "Sorry not sorry" popup and you can use the application as normal.
- Patching the binary is a very powerful technique that will allow you to modify applications from its source and re-install them on your devices as if they were applications downloaded from the App Store.
- This technically not part of reverse engineering a binary since by now you probably already finished the reversing and are using that knowledge to your advantage.
- This step is a little bit more difficult than most of the previous steps because it requires knowledge of ARM assembly.