iOS

Reverse Engineering iOS applications in .app format

Last updated 1 year ago

iOS

Reverse Engineering iOS applications in .app format

iOS apps are not as easily reverse-engineered as most Android apps, because they are compiled into a binary. When you run the file command on the binary, you should see Mach-O which confirms this is an iOS application:

$ file app
app: Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>

Decompiling

To reverse engineer this binary, it is basically the same procedure as reversing any other ELF binary for example. You can use a decompiler to get some insight into the code structure, and what functions are called.

There is a lot of source code from built-in Apple functions, so searching for function names is often a good idea to understand what it is doing, instead of guessing or reversing by hand. For example, the CCCrypt() function has the following arguments ():

CCCryptorStatus CCCrypt(
	CCOperation op,			/* kCCEncrypt, etc. */
	CCAlgorithm alg,		/* kCCAlgorithmAES128, etc. */
	CCOptions options,		/* kCCOptionPKCS7Padding, etc. */
	const void *key,
	size_t keyLength,
	const void *iv,			/* optional initialization vector */
	const void *dataIn,		/* optional per op and alg */
	size_t dataInLength,
	void *dataOut,			/* data RETURNED here */
	size_t dataOutAvailable,
	size_t *dataOutMoved);

In addition to this, enums are also useful to know, as the numbers in the decompiled code might not explain what it really means:

/*!
	@enum		CCOptions
	@abstract	Options flags, passed to CCCryptorCreate().
	
	@constant	kCCOptionPKCS7Padding	Perform PKCS7 padding. 
	@constant	kCCOptionECBMode	Electronic Code Book Mode (default is CBC)
*/
enum {
	/* options for block ciphers */
	kCCOptionPKCS7Padding	= 0x0001,
	kCCOptionECBMode	= 0x0002
};

`.plist` files

you might find .plist files in the .app directory. These files are in a special format but can be parsed by tools such as plistutil into XML files:

$ file app.plist 
app.plist: Apple binary property list
$ plistutil -i app.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
        <dict>
                <key>secret</key>
                <string>ExampleSecret</string>
                <key>id</key>
                <string>42</string>
                <key>title</key>
                <string>Some Title</string>
        </dict>
</array>
</plist>

Resources

For another more practical guide and example, see this article:

PreviousCompiling C for Android NextPHP

Last updated 1 year ago

$ file app
app: Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>

Decompiling

CCCryptorStatus CCCrypt(
	CCOperation op,			/* kCCEncrypt, etc. */
	CCAlgorithm alg,		/* kCCAlgorithmAES128, etc. */
	CCOptions options,		/* kCCOptionPKCS7Padding, etc. */
	const void *key,
	size_t keyLength,
	const void *iv,			/* optional initialization vector */
	const void *dataIn,		/* optional per op and alg */
	size_t dataInLength,
	void *dataOut,			/* data RETURNED here */
	size_t dataOutAvailable,
	size_t *dataOutMoved);

In addition to this, enums are also useful to know, as the numbers in the decompiled code might not explain what it really means:

/*!
	@enum		CCOptions
	@abstract	Options flags, passed to CCCryptorCreate().
	
	@constant	kCCOptionPKCS7Padding	Perform PKCS7 padding. 
	@constant	kCCOptionECBMode	Electronic Code Book Mode (default is CBC)
*/
enum {
	/* options for block ciphers */
	kCCOptionPKCS7Padding	= 0x0001,
	kCCOptionECBMode	= 0x0002
};

`.plist` files

you might find .plist files in the .app directory. These files are in a special format but can be parsed by tools such as plistutil into XML files:

$ file app.plist 
app.plist: Apple binary property list
$ plistutil -i app.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
        <dict>
                <key>secret</key>
                <string>ExampleSecret</string>
                <key>id</key>
                <string>42</string>
                <key>title</key>
                <string>Some Title</string>
        </dict>
</array>
</plist>

Resources

For another more practical guide and example, see this article:

Decompiling

.plist files

Resources

Decompiling

.plist files

Resources

`.plist` files

`.plist` files