Reversing a macOS Kernel Extension

In my last post I covered the basics of kernel debugging in macOS. In this post we will put some of that to use and work through the process of reversing a macOS kernel module.


Introduction to macOS Kernel Debugging

In macOS there is a kernel module named “Don’t Steal Mac OS X” (DSMOS) which registers a function with the Mach-O loader to unpack binaries that have the SG_PROTECTED_VERSION_1 flag set on their __TEXT segment. Finder, Dock, and loginwindow are a few examples of binaries that have this flag set. As it turns out, this kernel module at one point played a role in the myth that Apple had included a TPM in their Mac hardware.


Analysis of the iOS Bluetooth Stack: BlueTool

On iOS the Bluetooth stack is split into three layers as shown in Figure 1. At the top is the CoreBluetooth framework used by iOS app developers and at the bottom is the Bluetooth hardware itself. In between these two layers is a collection of daemons that implement various aspects of the Bluetooth stack. For example, most Bluetooth Low Energy (BLE) specific functionality is contained in the BTLEServer daemon. BlueTool is one of the daemons running and is primarily responsible for acting as a bridge between the rest of the Bluetooth stack and the hardware. It also likely acts as an internal test tool at Apple during development.


Wargames and CTFs

One great way to practice your skills in the pentesting world is to participate in wargames and CTFs. You can play wargames on sites like OverTheWire or SmashTheStack, take part in sanctioned CTFs such as those through CTF365, or set up your own lab at home and play around in it.


IDA Processor Options - Oops.

So I’ve been working through the LLB code that I talked about in my last article and kept running into incorrectly decoded instructions. I knew they were wrong because (A) the output IDA was giving made no sense and (B) I manually decoded some of them myself to check it.


Reverse Engineering The iOS Boot Mechanism (Part 1)

Due to some unforeseen medical issues, my time as an elite athlete abruptly came to an end a couple of months ago, and while dealing with those issues I had a lot of free time on my hands. So, naturally, I finally got around to reading Mac OS X Internals: A Systems Approach by Amit Singh and Mac OS X and iOS Internals: To the Apple’s Core by Jonathan Levin in their entirety. Both are excellent books and highly recommended. Between reading those books, my general curiosity in low-level computer concepts, and an even greater curiosity in mobile computing, I decided it was time to take a crack at reverse engineering the iOS boot mechanisms.


Snooping on CommCenter

CommCenter is a wonderful part of iOS since it is the single point that is responsible for communication between iOS and the baseband. And with the baseband being responsible for controlling the telephony components I wanted to see what CommCenter was telling it.


iOS Shared Cache Extraction

Having fallen off the iOS-exploration train due to completing my Master’s and other commitments, I have finally climbed back aboard in pursuit of understanding the telephony stack.


Remote debugging with LLDB

The other day I was working on a project in Xcode and was getting fed up with it crashing and just not behaving. So I set out on a mission to figure out how to remote debug an iOS app. The secret to it all is LLDB, the LLVM Debugger. LLDB is now the default debugger in Xcode (has been for a while) and is a pretty powerful debugger complete with scripting in Python and many other hidden gems.


Fuzzy iOS Messages!

A while ago I came across a post about fuzzing with a new data flow language called Pythonect. When I read about it I thought it sounded like a pretty nifty language, so I decided to try using it to fuzz the iMessage interface in the iOS Messages app.


Rails - Hex Rays Plugin Contest 2012

This year I decided to try submitting to the annual Hex Rays plugin contest. I’m pleased to announce my plugin, Rails.


I Spy ChatKit!

In the last post I talked about starting to investigate MobileSMS (Messages app on iOS) and concluded with the mystery of the missing ChatKit. I’m pleased to say that ChatKit wasn’t missing, it’s just hiding!


Reversing iOS Applications (Part 2)

In the first post of this series we talked about how to get an app from the App Store into a reversible state. Essentially we had to run the app inside a debugger and dump the contents of memory to a file, which was then used to patch the original (encrypted) binary.


Beginner’s Fun With iMessage

A quick detour from my series on reversing iPhone applications: I’ve been looking at the Messages app and just found out that there are hidden settings!


Reversing iOS Applications (Part 1)

Recently I acquired a 4th gen iPod Touch for reversing, so before tackling something seemingly impossible I thought I’d start with reversing an application. In this post I’m going to focus on what I thought would be super easy: loading an application into IDA Pro. The app I chose to play with is Kik (http://www.kik.com/), mostly because it looked interesting and I’d never used it before.
