ASLR: Address Space Layout Randomization

查看应用是否进行了 ASLR 保护的方法:otool -hv ${File-Path}

I recently encountered issues decrypting applications for security analysis using iOS 6.0.1. Previously this was trivial using the previous version (5.1.1), yet when performing the same procedure on 6.0.1 i was encountering decrypted binaries which were full of zeros.

After a while I discovered these issues were related to ASLR being used in applications compiled for later versions of iOS.

In this blog I will show the process of disabling ASLR on the free "Facebook" app available off the app store. This application has ASLR enabled which complicates decryption of the application using automated tools.

Tools required

otool
ldid for OS X
GDB for iOS
changemacho_flags.py
a jailbroken iphone and a copy of facebook off the app store

Details

Running the command

Desktop# otool -l Facebook |grep -A4 "LCENCRYPTIONINFO"

outputs:

cmd LCENCRYPTIONINFO
    cmdsize 20
    cryptoff  8192
    cryptsize 10027008
    cryptid   1
  
Indicating that the app is encrypted and when decrypted it is located in virtual memory from 0x3000(0x1000 + 0x2000) to 0x993000. However when we start the app, attach GDB and try to access the start address we find it throws an error:

(gdb) x/20x 0x3000
0x3000: Cannot access memory at address 0x3000

listing the memory that is mapped by the application:
(gdb) info mach-region 0x3000
Region from 0x94000 to 0xa26000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)

This shows the executable is not located in memory where it should be indicating that ASLR is used.

ASLR is enabled for individual applications using the MHPIE flag located in the applications MACH-O header. By flipping this flag we turn off ASLR.

Copy the Facebook binary from the device to your desktop from the device directory

iPhone#/private/var/mobile/Application/[UUID]/Facebook.app 

where [UUID] is the unique number of the directory for the app on the device.

Extract the entitlement xml file of the app:

Desktop# ldid -e Facebook > entitlements.xml 

Disable the MHPIE bit using the changemachoflags.py

Desktop# python changemachoflags.py --no-pie Facebook

Re-sign the app

Desktop# ldid -Sentitlements.xml Facebook

backup the old copy on the device

iPhone# cp Facebook Facebook.bak

Copy the altered binary back to the device

now we reattach gdb and inspect the application memory again:
(gdb) x/20x 0x3000
0x3000: 0x00000000 0x00000000 0x00000000 0x00000000
0x3010: 0x00000000 0x00000000 0x00000000 0x00000000
0x3020: 0x00000000 0x00000000 0x00000000 0x00000000
0x3030: 0x00000000 0x00000000 0x00000000 0x00000000
0x3040: 0xe59d0000 0xe28d1004 0xe2804001 0xe0812104

(gdb) info mach-region 0x3000
Region from 0x3000 to 0x993000 (r-x, max r-x; copy, private, not-reserved)

Which confirms that ASLR is now disabled and we can now decrypt the application for further analysis.

[转]Disabling ASLR on individual iOS applications when using iOS 6.0.1的更多相关文章

  1. Execute Javascript in iOS Applications

    In this tutorial, I have covered How to execute JavaScript in iOS / Objective-C. You can execute Jav ...

  2. iOS开发UI篇—ios应用数据存储方式(XML属性列表-plist)

    iOS开发UI篇—ios应用数据存储方式(XML属性列表-plist) 一.ios应用常用的数据存储方式 1.plist(XML属性列表归档) 2.偏好设置 3.NSKeydeArchiver归档(存 ...

  3. ios标准开发者账号 ios企业开发者账号的区别总结

    ios标准开发者账号 ios企业开发者账号的区别总结   ios标准开发者项目 1.ios标准开发者项目账号可以发布到app store 2.ios标准开发者项目分为两种:①个人开发者②公司/机构开发 ...

  4. iOS学习7:iOS沙盒(sandBox)机制(一)之获取沙盒路径及目录说明(转)

    转:http://my.oschina.net/joanfen/blog/151145 一.iOS沙盒机制 iOS的应用只能访问为该应用创建的区域,不可访问其他区域,应用的其他非代码文件都存在此目录下 ...

  5. iOS开发UI篇—IOS开发中Xcode的一些使用技巧

    iOS开发UI篇—IOS开发中Xcode的一些使用技巧 一.快捷键的使用 经常用到的快捷键如下: 新建 shift + cmd + n     新建项目 cmd + n             新建文 ...

  6. iOS开发UI篇—iOS开发中三种简单的动画设置

    iOS开发UI篇—iOS开发中三种简单的动画设置 [在ios开发中,动画是廉价的] 一.首尾式动画 代码示例: // beginAnimations表示此后的代码要“参与到”动画中 [UIView b ...

  7. iOS开发UI篇—ios应用数据存储方式(偏好设置)

    iOS开发UI篇—ios应用数据存储方式(偏好设置) 一.简单介绍 很多iOS应用都支持偏好设置,比如保存用户名.密码.字体大小等设置,iOS提供了一套标准的解决方案来为应用加入偏好设置功能 每个应用 ...

  8. iOS开发UI篇—ios应用数据存储方式(归档)

    iOS开发UI篇—ios应用数据存储方式(归档)  一.简单说明 在使用plist进行数据存储和读取,只适用于系统自带的一些常用类型才能用,且必须先获取路径相对麻烦: 偏好设置(将所有的东西都保存在同 ...

  9. Xamarin.iOS调试提示需要iOS SDK

    Xamarin.iOS调试提示需要iOS SDK   错误信息:The version of Xamarin.iOS requires th iOS 9.3 SDK (shipped with Xco ...

随机推荐

  1. ftp设置(2015-04-04)[转]

    anonymous_enable=YES /允许匿名访问 12行local_enable=YES /允许本地用户访问(/etc/passwd中的用户) 15行write_enable=YES /允许写 ...

  2. Android APK反编译就这么简单 详细解释(简介)

    学习Android开发过程,你会向别人学习如何应用软件的开发,那些漂亮的动画和复杂的布局可能让你爱不释手,作为开发者.你可能真的想知道的是如何实现的界面效果.然后.您将能够更改应用程序APK反编译查看 ...

  3. Openstack本学习笔记——Neutron-server服务加载和启动源代码分析(三)

    本文是在学习Openstack过程中整理和总结.因为时间和个人能力有限.错误之处在所难免,欢迎指正! 在Neutron-server服务载入与启动源代码分析(二)中搞定模块功能的扩展和载入.我们就回到 ...

  4. DeviceIOControl具体解释-各个击破

    DeviceIoControl这个api我们用的不多,可是非常重要,有时会帮助我们实现一些特别的需求, 如获取硬件设备信息.与硬件设备通信(读写数据)等,对比msdn,以下我们详解一下这个api的使用 ...

  5. oracle substr功能

    substr(string dealstr, int startposition, int sublength) dealstr:截取字符串 startposition:串dealstr,起始位置0 ...

  6. Linux基础正则表达式:grep,sed

    先说明语系对正则表达式的影响    LANG=C:0,1,2,3,4...A,B,C,D...Z a b c d ... z    LANG=zh_CN:0,1,2,3,4...a A b B c C ...

  7. CSS_img标签usemap属性图片中选择区域加入超链接

    例子: <IMG usemap="#Map" alt="" src="/images/banbian.jpg"> <map ...

  8. 又一次拾起C语言的威严

    自从用了C++,他的方便快捷一直用着屡试不爽,可是越用越认为程序不够清晰, 项目使用DSP,不得不把C++重写成C 速度没得说,很快 记录下看到的文章 少走弯路,学好C语言的推荐途径

  9. webBrowser.execWB的完整说明

    原文:webBrowser.execWB的完整说明 在不是js打开的页面上按window.close(), 会有提示框,很烦,现在可以不用了,没有提示框直接关闭窗口.试试下面代码: <objec ...

  10. JS怎样将拖拉事件与点击事件分离?

    帖子:http://bbs.csdn.net/topics/390785395?page=1#post-397369340 怎样将拖拉事件跟点击事件分离? 须要做到:拖拉时不触动点击事件 <ht ...