Tuesday 8 January 2013

Disabling ASLR on individual iOS applications when using iOS 6.0.1



How to disable ASLR on iOS application for decryption and analysis.

I recently encountered issues decrypting applications for security analysis using iOS 6.0.1. Previously this was trivial using the previous version (5.1.1), yet when performing the same procedure on 6.0.1 i was encountering decrypted binaries which were full of zeros.
After a while I discovered these issues were related to ASLR being used in applications compiled for later versions of iOS.

In this blog I will show the process of disabling ASLR on the free "Facebook" app available off the app store. This application has ASLR enabled which complicates decryption of the application using automated tools.

Tools required

otool
ldid for OS X
GDB for iOS
change_mach_o_flags.py
a jailbroken iphone and a copy of facebook off the app store

Details


Running the command

Desktop# otool -l Facebook |grep -A4 "LC_ENCRYPTION_INFO"

outputs:

cmd LC_ENCRYPTION_INFO
    cmdsize 20
    cryptoff  8192
    cryptsize 10027008
    cryptid   1
 
Indicating that the app is encrypted and when decrypted it is located in virtual memory from 0x3000(0x1000 + 0x2000) to 0x993000. However when we start the app, attach GDB and try to access the start address we find it throws an error:

(gdb) x/20x 0x3000
0x3000: Cannot access memory at address 0x3000

listing the memory that is mapped by the application:
(gdb) info mach-region 0x3000
Region from 0x94000 to 0xa26000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)

This shows the executable is not located in memory where it should be indicating that ASLR is used.

ASLR is enabled for individual applications using the MH_PIE flag located in the applications MACH-O header. By flipping this flag we turn off ASLR.

Copy the Facebook binary from the device to your desktop from the device directory

iPhone#/private/var/mobile/Application/[UUID]/Facebook.app

where [UUID] is the unique number of the directory for the app on the device.

Extract the entitlement xml file of the app:

Desktop# ldid -e Facebook > entitlements.xml

Disable the MH_PIE bit using the change_mach_o_flags.py

Desktop# python change_mach_o_flags.py --no-pie Facebook

Re-sign the app

Desktop# ldid -Sentitlements.xml Facebook

backup the old copy on the device

iPhone# cp Facebook Facebook.bak

Copy the altered binary back to the device

now we reattach gdb and inspect the application memory again:
(gdb) x/20x 0x3000
0x3000: 0x00000000 0x00000000 0x00000000 0x00000000
0x3010: 0x00000000 0x00000000 0x00000000 0x00000000
0x3020: 0x00000000 0x00000000 0x00000000 0x00000000
0x3030: 0x00000000 0x00000000 0x00000000 0x00000000
0x3040: 0xe59d0000 0xe28d1004 0xe2804001 0xe0812104

(gdb) info mach-region 0x3000
Region from 0x3000 to 0x993000 (r-x, max r-x; copy, private, not-reserved)

Which confirms that ASLR is now disabled and we can now decrypt the application for further analysis.


2 comments:

  1. Does this work with the new iPhone 5/ iPod touch 5?

    ReplyDelete
  2. Should, i believe nothing has changed from an application perspective (i.e the MACH-O headers are the same for applications regardless of the minor version of the OS).

    Give it a go, but make sure to back up the original binary just in case.
    I personally prefer using my "removePIE" tool as it runs on the device, and doesn't require copying files back and forth.

    ReplyDelete