Help/Support Reverse engineering/tracing a store app with lots of custom code?

infernusdoleo · December 15, 2015

I've many years experience coding, but am relatively new to iOS code and reverse engineering. I pick this stuff up extremely quickly though. I've been trying to reverse engineer an app store app. Rather keep quiet which one it is if possible - reasons I'll explain if need be, but again, it's not really relevant.

I've been working with a lot of tools, from decrypting the app, class-dumping it, decompiling it in IDA, live viewing it with FLEXible, poking around in gdb, and even trying Frida, but thats so poorly documented I didn't get far.

My issue is that I'm trying to track down what happens when certain buttons are pressed/in-app procedures happen. But it seems that the vast majority of that happens inside custom classes and code. There are a massive number of unnamed functions in the IDA decompile where the code I'm looking for happens - about 2/3rds of the functions listed in the function window are sub_xxxxx.

After poking around for hours I havent found a single link to anything I'm looking for in any of the classes shown in class-dump-z or in the menus in FLEXible.

Obviously, my problem is without a symbol table, I've no idea what any of these function names are. By snooping the HTTP traffic, I know some of the values that exist in memory - but am unaware of any way to search for them (Question 1: Can I just search app memory in cycript or gdb for a known value?). I cannot dump classes or see function names.

I'm not sure where to go from here. Are there ways to find what I'm looking for?

IDEALLY I could trace the application as it ran, with something like snoop-it, but it wont run on iOS 9.0.2, my jailbroken device, and I have a really old iPhone with 6.1.6 on it, but it also will not work on that either.

I'd like to be able to run the app, attach to it somehow, and show whats happening as I click buttons in the app. When I try logging objc_msgSend calls in gdb, gdb crashes. Which functions are called - even if I don't have names, I can match it up in the decompile (I think?) or set breakpoints in gdb and dump the code.

Anyone experience this before and have any pointers?

December 15, 2015

Almost everything is what we call "sub_x" now, which means functions are obfuscated. We combat this by looking at the strings, using iGG for watchpoints, text searching, looking at the APK, hex searching, comparing, fuzzying, etc. It is what you are experiencing. There is no way that you can get the un-mangled function names as they are obfuscated when the app is being compiled.

It would help me better to know the name of the app. But in your case, try strings. Go to the "View" tab and find it. Create a quick filter, and search through the strings to see what you can find. Breakpoint anything that seems suspicious and see if it hits

infernusdoleo · December 15, 2015

On 12/15/2015 at 2:37 AM, shmoo said:

Almost everything is what we call "sub_x" now, which means functions are obfuscated. We combat this by looking at the strings, using iGG for watchpoints, text searching, looking at the APK, hex searching, comparing, fuzzying, etc. It is what you are experiencing. There is no way that you can get the un-mangled function names as they are obfuscated when the app is being compiled.

It would help me better to know the name of the app. But in your case, try strings. Go to the "View" tab and find it. Create a quick filter, and search through the strings to see what you can find. Breakpoint anything that seems suspicious and see if it hits

Breakpoint it where? In IDA? I'm running on Windows - is it even possible to run it like that? I've been considering getting a used macbook for debugging, but as it stands now, just windows.

Is there any way to search running app memory for values and work off that? I know things like username, session keys etc that are stored in active memory - if I could find them I might be able to work with that.

December 15, 2015

On 12/15/2015 at 2:54 AM, infernusdoleo said:

Breakpoint it where? In IDA? I'm running on Windows - is it even possible to run it like that? I've been considering getting a used macbook for debugging, but as it stands now, just windows.

Is there any way to search running app memory for values and work off that? I know things like username, session keys etc that are stored in active memory - if I could find them I might be able to work with that.

Use GDB on your phone to do it. Use putty on windows to SSH into your phone then attach the app to GDB. If you use something called iGameGuardian you can search for values, but not strings.

infernusdoleo · December 15, 2015

On 12/15/2015 at 3:21 AM, shmoo said:
Use GDB on your phone to do it. Use putty on windows to SSH into your phone then attach the app to GDB. If you use something called iGameGuardian you can search for values, but not strings.

Hmm. I had tried in GameGem and it crashed while searching for some values - but I just tried iGG and it found one I'm looking for. Is there any way to correlate that location to any info I have in IDA? I'm guessing not. Set a breakpoint on that memory location then start looking?

ITz_kser · December 15, 2015

On 12/15/2015 at 3:45 AM, infernusdoleo said:

Hmm. I had tried in GameGem and it crashed while searching for some values - but I just tried iGG and it found one I'm looking for. Is there any way to correlate that location to any info I have in IDA? I'm guessing not. Set a breakpoint on that memory location then start looking?

No watch the offsets using LLDB

infernusdoleo · December 15, 2015

Welp. Never used LLDB before. Looks like it's gonna be a late night!

ITz_kser · December 15, 2015

On 12/15/2015 at 4:01 AM, infernusdoleo said:
Welp. Never used LLDB before. Looks like it's gonna be a late night!

Don't worry it's easy to create a watch point

infernusdoleo · December 15, 2015

Quick searching came up with LLDB doesnt work since iOS 8.3 and only option is to use a mac (DiDA posted that on 10/28/15). That still true? Am I screwed until I get a mac to run LLDB on? (Or an iOS device I can downgrade to 8.3?)

Any other alternatives?

ITz_kser · December 15, 2015

On 12/15/2015 at 4:20 AM, infernusdoleo said:

Quick searching came up with LLDB doesnt work since iOS 8.3 and only option is to use a mac (DiDA posted that on 10/28/15). That still true? Am I screwed until I get a mac to run LLDB on? (Or an iOS device I can downgrade to 8.3?)

Any other alternatives?

Only GDB and LLDB

GDB will crash your app when you're watching an offset

And LLDB tutorial for windows won't work but maybe LLDB will work with your iOS if you're using it from a Mac

Idk @@DiDA