Introducing the iOS Reverse Engineering Toolkit

※ 주의사항아래 공격 코드는, 허가 받지 않은 공간에서는 테스트를 절대 금지합니다.악의 적인 목적으로 이용할 시 발생할 수 있는 법적 책임은 자신한테 있습니다. 이는 해당 글을 열람할 때 동의하였다는 것을 의미합니다. 

It should be the goal of every worker to expend less time and energy to achieve a task, while still maintaining, or even increasing, productivity. As an iOS penetration tester, I find myself repeating the same manual tasks for each test. Typing out the same commands to run various tools that are required to help me do my job. And to be honest, it’s completely monotonous. Every time I fat-finger a key, I lose productivity, forcing me to expend more time and energy to achieve the task. I’m a fan of automation. I’m a fan of streamlined innovation that saves me time and still accomplishes, for the most part, the same results. It was this desire to save time, and reduce my likelihood of suffering from carpal tunnel, that I created the iOS Reverse Engineering Toolkit.

What is iRET?

So what is iRET? Well, for lack of a better, more eloquent definition, it’s a toolkit that allows you to automate many of the manual tasks an iOS penetration tester would need to perform in order to analyze and reverse engineering iOS applications. And the bonus is…this can all be performed right on the device. Still sound like an interesting toolkit? Great, read on.

Already sold? Download the toolkit here.

iRET Features

What exactly does iRET do that can help you, an iOS penetration tester, perform your job more efficiently? Below, in Figure #1, is a screenshot of the main landing page of the application. This page lets you know what tools need to be installed, and even tells you if they aren’t. This is also the page where you select the installed application you would like to being analyzing/reverse engineering.

Figure #1 – Main iRET Page

The tools, listed on the left in the image above, and dependencies required to run iRET are freely available both on the web and within various repositories on Cydia. After selecting an application from the dropdown, the user is redirected into the main iRET functionality page. Below is an overview of each feature associated with the iRET toolkit.

Figure #2 – Binary Analysis Tab

Binary Analysis: The binary analysis tab automates the execution of otool, which is used to extract information about the binary. The displayed data includes binary header information, such as if PIE is enabled and targeted architecture. It identifies if the binary is encrypted, if it has stack-smashing protecting enabled, and if it has automatic resource counting enabled.

Figure #3 – Keychain Analysis Tab

Keychain Analysis: The keychain analysis tab automates the execution of ptoomey’s “keychain_dumper” utility. This utility allows the user to analyze the keychain contents, including passwords, keys, certificates, etc. for any sensitive information.

Figure #4 – Database Analysis Tab

Database Analysis: The database analysis tab automatically populates a dropdown containing all databases (.db, .sqlite, .sqlite3) found within the selected application. Once a database is selected from the dropdown, sqlite3 is automated to display the content of the database.

Figure #5 – Log Viewer Tab

Log Viewer: The log view tab contains two pieces of functionality. First, it lets the user review the last 100 lines of the system log (syslog) file contained on the device. Second, all identified log and text files associated with the selected application are loaded into a dropdown menu, and when selected, their content is displayed.

Figure #6 – Plist Viewer Tab

Plist Viewer: The plist view tab fills a dropdown with all of the property list files that were found for the selected application. When the user selects a property list file from the dropdown, its content will be displayed to the user.

Figure #7 – Header Files Tab

Header Files Part 1: The header files tab has three pieces of automated functionality. The first function identifies if the binary is encrypted. If the binary is encrypted, then the binary will be automatically decrypted. The second piece of functionality performs a class dump of the unencrypted binary into separate header files. These associated header files are then loaded into a dropdown menu, as seen in Figure #7 above. The third piece of function takes place when the user selects a header file from the dropdown menu. Once a header file is selected from the dropdown, the content of this header file is automatically converted to a theos logify format, as seen in Figure #8 below, allowing the user to easily copy/paste the content into the theos tab for quick theos tweak creation.

Figure #8 – Headers in Theos Logify Format

The theos tab is multifunctional, and allows the user to create, edit, save and build a theos tweak in just minutes. The first part of the theos tab is the tweak creation process. Here, a form is provided, as seen in Figure #9 below, for the user to enter the information required to create the theos tweak.

Figure #9 – Theos Form

After the theos tweak is created a dropdown is shown that allows the user to select the “makefile” or “Tweak.xm” file for viewing/editing purposes, as seen in Figure #10 below.

Figure #10 – Theos Files Displayed

Once a user selects one of the files in the dropdown, the file can then be viewed/edited. After making any changes the user can click the “Save” button to save those changes to the selected file, as seen in Figures #11 and #12 below.

Figure #11 – Viewing the Theos makefile

Figure #12 – Viewing the Copy/Pasted Header File into the Tweak.xm File

After the user has made their changes to the tweak and is ready to build it, all they need to do is click the “Build” button, at which point the tweak will be compiled and automatically copied to the /Library/MobileSubstrate/DynamicLibraries directory, as seen in Figure #13 below.

Figure #13 – Building and Installing the Theos Tweak

After the tweak has been installed, the user simply resprings their device and launches the application they have targeted by the theos tweak.

The final tab, and piece of functionality in the iRET toolkit is the screenshot tab.

Figure #14 – Screenshot Tab

Screenshot Tab: This tab allows the user to view the cached screenshot, if any, of the selected application.

The iRET toolkit, like any toolkit, is not a panacea for iOS mobile penetration testing. However, it will allow you to automate many of the tasks that are required in analyzing iOS applications.

Download the iRET toolkit.