
How to use radare2 reverse iOS Swift application

2025-01-18 Update. From: SLTechnology News&Howtos, shulou (Network Security)

Shulou (Shulou.com) 05/31 Report

This article introduces how to use radare2 to reverse an iOS Swift application. Many people run into this problem when working on real cases, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

0x01 Preface

To reverse an iOS Swift application with radare2 we will use the iGoat application. Our goal is to see what a compiled iOS Swift application looks like once it is disassembled. This is the Swift version of the earlier iGoat Objective-C project. With OWASP iGoat you can learn about vulnerabilities in iOS Swift applications.

KeychainExerciseVC.swift

import UIKit

class KeychainExerciseVC: UIViewController {
    @IBOutlet weak var usernameTextField: UITextField!
    @IBOutlet weak var passwordTextField: UITextField!

    override func viewDidLoad() {
        super.viewDidLoad()
        secureStore(userName: "iGoat", password: "taoGi")
    }

    func secureStore(userName: String, password: String) {
        do {
            // This is a new account, create a new keychain item with the account name.
            // KeychainPasswordItem is the keychain wrapper class shipped with the iGoat project.
            let passwordItem = KeychainPasswordItem(service: "SaveUser", account: userName, accessGroup: nil)
            // Save the password for the new item.
            try passwordItem.savePassword(password)
        } catch {
            fatalError("Error updating keychain - \(error)")
        }
    }
}

Once viewDidLoad() is called, it calls secureStore with userName: "iGoat" and password: "taoGi". The purpose of this study is to understand what these methods look like in the disassembly.

Getting started

Before we begin, we should reduce the size of the binary by extracting a single architecture from the fat binary. This can be done with radare2's rabin2:

$ cd Payload/iGoat-Swift.app
$ rabin2 -x iGoat-Swift

This creates a folder iGoat-Swift.fat/ containing two binaries (32-bit and 64-bit). Open the 32-bit binary, analyze it and enable string emulation:

$ r2 -e bin.demanglecmd=true -e emu.str=true iGoat-Swift.fat/iGoat-Swift.arm_32.0
[0x000bfe60]> aaaa

Let's see what we can find about Swift in the sections of the binary:

[0x000bfe60]> iS~swift
09 0x0022f400 10501 0x00233400 10501 -r-x  9.__TEXT.__swift3_typeref
10 0x00231d08   456 0x00235d08   456 -r-x 10.__TEXT.__swift3_assocty
11 0x00231ed0   656 0x00235ed0   656 -r-x 11.__TEXT.__swift2_proto
12 0x00232160  3284 0x00236160  3284 -r-x 12.__TEXT.__swift3_fieldmd
13 0x00232e34    60 0x00236e34    60 -r-x 13.__TEXT.__swift3_builtin
14 0x00232e70  2772 0x00236e70  2772 -r-x 14.__TEXT.__swift3_reflstr
16 0x002339ec  1552 0x002379ec  1552 -r-x 16.__TEXT.__swift3_capture

Our current approach is limited (we only inspect the binary statically with r2), so we can't expect to find much in the disassembly. We will learn how to get more information in future articles (small spoiler: r2 is involved there as well). Let's pretend we have not seen the source code, since we are working on the "Keychain Exercise" right now. Type ic? to see the class listing commands:

$ r2 -
 -- Radare2, what else?
[0x00000000]> ic?
| ic      List classes, methods and fields
| icc     List classes, methods and fields in Header Format

Check classes

First, let's take a look at these classes:

ic~+class | grep iGoat
...
0x00281678 [0x000efe48-0x000f0378] (sz 1328) class 0 iGoat_Swift.HTMLViewController
0x002816b0 [0x000f4b48-0x000f4d60] (sz 536)  class 0 iGoat_Swift.CenterContainmentSegue
0x002816c8 [0x000f4f68-0x000f5578] (sz 1552) class 0 iGoat_Swift.KeychainExerciseVC
0x002816ec [0x000f86bc-0x000f8a6c] (sz 944)  class 0 iGoat_Swift.CutAndPasteExerciseVC
0x00281704 [0x000f8bf0-0x000f92c4] (sz 1748) class 0 iGoat_Swift.BinaryPatchingVC
0x00281720 [0x000f94e4-0x000f9fa8] (sz 2756) class 0 iGoat_Swift.URLSchemeAttackExerciseVC
...

We find the class iGoat_Swift.KeychainExerciseVC at address 0x002816c8.

Check flags

Another option is to list the flags (f) and grep (~) case-insensitively (+) for Keychain:

[0x00044798]> f~+Keychain
0x001f2330 38 str.TtC11iGoat_Swift18KeychainExerciseVC
...
0x001f2450 26 str.Error_updating_keychain
0x001f4ccf 52 str.Unexpected_error__d_deleting_identity_from_keychain
0x001f801a 49 str.CBLOpenIDConnectAuthorizer_keychainAttributes
0x001f80fd 34 str.:_No_ID_token_found_in_Keychain
0x001f8170 32 str.:_Read_ID_token_from_Keychain
...
0x002816c8 1 class.iGoat_Swift.KeychainExerciseVC
0x000f4f68 1 method.iGoat_Swift.KeychainExerciseVC.usernameTextField
0x000f4f8c 1 method.iGoat_Swift.KeychainExerciseVC.setUsernameTextField:
0x000f4fa4 1 method.iGoat_Swift.KeychainExerciseVC.passwordTextField
0x000f4fc8 1 method.iGoat_Swift.KeychainExerciseVC.setPasswordTextField:
0x000f4fe0 1 method.iGoat_Swift.KeychainExerciseVC.viewDidLoad
0x000f5094 1 method.iGoat_Swift.KeychainExerciseVC.loginActionWithSender:
0x000f5290 368 method.iGoat_Swift.KeychainExerciseVC.initWithNibName:bundle:
0x000f5578 1 method.iGoat_Swift.KeychainExerciseVC.initWithCoder:

We see the class iGoat_Swift.KeychainExerciseVC at address 0x002816c8 again.
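The flag str.TtC11iGoat_Swift18KeychainExerciseVC in the listing above is the mangled (pre-Swift-5, "_Tt" style) form of the class name; r2 prints the readable form elsewhere because the binary was opened with bin.demanglecmd=true. The Python script below is an added example, not part of the original article and not radare2 code: it decodes only the simple nominal-type form of that scheme (the "_Tt" prefix, kind letters C/V/O/P, then length-prefixed identifiers, module first). The treatment of nested types as one extra identifier per kind letter is an assumption about the old mangling; anything the script does not understand is rejected rather than guessed.

```python
import re

# Kind letters of the old (pre-Swift-5) "_Tt" mangling. Only nominal types are handled.
KINDS = {"C": "class", "V": "struct", "O": "enum", "P": "protocol"}

# Flag names copied from the f~+Keychain output above.
SAMPLE_FLAGS = [
    "str.TtC11iGoat_Swift18KeychainExerciseVC",
    "str.Error_updating_keychain",
    "class.iGoat_Swift.KeychainExerciseVC",
]


def demangle_swift_type(mangled):
    """Decode a name such as _TtC11iGoat_Swift18KeychainExerciseVC.

    Assumed layout: prefix _Tt, one kind letter per nesting level, then
    length-prefixed identifiers (the module, then one per kind letter).
    r2 flag names drop the leading underscore (str.TtC11...), so that form
    is accepted as well. Returns a dict with kind, module and dotted name.
    """
    name = mangled[4:] if mangled.startswith("str.") else mangled
    if name.startswith("_Tt"):
        rest = name[3:]
    elif name.startswith("Tt"):
        rest = name[2:]
    else:
        raise ValueError("not a _Tt-style Swift type name: %r" % mangled)

    kinds = []
    i = 0
    while i < len(rest) and rest[i] in KINDS:
        kinds.append(rest[i])
        i += 1
    if not kinds:
        raise ValueError("unsupported kind letter in %r" % mangled)

    idents = []
    while i < len(rest):
        m = re.match(r"[0-9]+", rest[i:])
        if not m:
            raise ValueError("expected identifier length at offset %d of %r" % (i, mangled))
        n = int(m.group(0))
        i += m.end()
        ident = rest[i:i + n]
        if len(ident) != n:
            raise ValueError("truncated identifier in %r" % mangled)
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", ident):
            raise ValueError("non-ASCII or malformed identifier in %r" % mangled)
        idents.append(ident)
        i += n

    if len(idents) != len(kinds) + 1:
        raise ValueError("identifier count does not match nesting depth in %r" % mangled)
    return {"kind": KINDS[kinds[-1]], "module": idents[0], "name": ".".join(idents)}


def demangle_flags(flags):
    """Map the r2 flags that carry mangled Swift type names to readable names; skip the rest."""
    out = {}
    for flag in flags:
        try:
            out[flag] = demangle_swift_type(flag)["name"]
        except ValueError:
            continue
    return out


if __name__ == "__main__":
    for flag, readable in demangle_flags(SAMPLE_FLAGS).items():
        print(flag, "->", readable)
```

Running it over the flag list prints str.TtC11iGoat_Swift18KeychainExerciseVC -> iGoat_Swift.KeychainExerciseVC, which is exactly the class name the ic listing showed; the other two flags are not mangled type names and are skipped.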

Class information

We can also get complete information about this class:

[0x00044f44]> ic iGoat_Swift.KeychainExerciseVC
class iGoat_Swift.KeychainExerciseVC
0x000f4f68 method iGoat_Swift.KeychainExerciseVC usernameTextField
0x000f4f8c method iGoat_Swift.KeychainExerciseVC setUsernameTextField:
0x000f4fa4 method iGoat_Swift.KeychainExerciseVC passwordTextField
0x000f4fc8 method iGoat_Swift.KeychainExerciseVC setPasswordTextField:
0x000f4fe0 method iGoat_Swift.KeychainExerciseVC viewDidLoad
0x000f5094 method iGoat_Swift.KeychainExerciseVC loginActionWithSender:
0x000f5290 method iGoat_Swift.KeychainExerciseVC initWithNibName:bundle:
0x000f5578 method iGoat_Swift.KeychainExerciseVC initWithCoder:
0x000f5140 method iGoat_Swift.KeychainExerciseVC .cxx_destruct

Notice the method at 0x000f4fe0, which is where viewDidLoad is located. Tip: icc gives a nice C-header-like output:

@interface iGoat_Swift.KeychainExerciseVC :
{
  iGoat_Swift.KeychainExerciseVC::(ivar)usernameTextField
  iGoat_Swift.KeychainExerciseVC::(ivar)passwordTextField
}
- (void) setUsernameTextField:
- (void) setPasswordTextField:
- (void) viewDidLoad
- (void) loginActionWithSender:
@end

If you want, you can save it to a file (icc > iGoat-Swift.arm_32.0.h) or page through it with r2's internal pager (icc~..).

func viewDidLoad()

This method is called after the view controller has loaded its view hierarchy into memory. It is called regardless of whether the view hierarchy was loaded from a nib file or created programmatically in loadView(). We usually override this method to perform additional initialization of the view loaded from the nib file. This is where we will find the main code of the exercise. If we look at 0x000f4fe0 we see that it is flagged as method.iGoat_Swift.KeychainExerciseVC.viewDidLoad (we already saw it in the flag listing).

Decompilation

We have found the "entry point". Let's examine it carefully.

viewDidLoad

r2 displays the following disassembly:

[0x000f4ff4]> pdf
;-- method.iGoat_Swift.KeychainExerciseVC.viewDidLoad:
╭ (fcn) sub.objc_retain_fe0 180
│   sub.objc_retain_fe0 ();
│           ; var int local_0h @ sp+0x0
│           ; var int local_4h @ sp+0x4
│           ; var int local_8h @ sp+0x8
│           ; var int local_ch @ sp+0xc
│           ; UNKNOWN XREF from str. (+0x14)
│           0x000f4fe0      b0402de9       push {r4, r5, r7, lr}
│           0x000f4fe4      08708de2       add r7, sp, 8
│           0x000f4fe8      10d04de2       sub sp, sp, 0x10
│           0x000f4fec      e4560ce3       movw r5, 0xc6e4
│           0x000f4ff0      0040a0e1       mov r4, r0
│           0x000f4ff4      185040e3       movt r5, 0x18
│           0x000f4ff8      05509fe7       ldr r5, [0x000f5000]        ; [0xf5000:4]=0xe3550000
│           0x000f4ffc      0aae03eb       bl sym.imp.objc_retain
│           ; DATA XREF from sub.objc_retain_fe0 (0xf4ff8)
│           0x000f5000      000055e3       cmp r5, 0
│       ╭─< 0x000f5004      0a00001a       bne 0xf5034                 ; likely
│       │   0x000f5008      2c0009e3       movw r0, 0x902c
│       │   0x000f500c      180040e3       movt r0, 0x18
│       │   0x000f5010      00008fe0       add r0, pc, r0
│       │   0x000f5014      080080e2       add r0, r0, 8               ; 0x27e04c ; aav.0x0027e04c
│       │   0x000f5018      6076ffeb       bl sym.func.000d29a0        ; sym.func.000d29a0(0x27e04c)
│       │   0x000f501c      0050a0e1       mov r5, r0                  ; aav.0x0027e04c
│       │   0x000f5020      b0060ce3       movw r0, 0xc6b0
│       │   0x000f5024      180040e3       movt r0, 0x18
│       │   0x000f5028      5bf07ff5       dmb ish
│       │   0x000f502c      00008fe0       add r0, pc, r0
│       │   0x000f5030      005080e5       str r5, [r0]
│       │   ; CODE XREF from sub.objc_retain_fe0 (0xf5004)
│       ╰─> 0x000f5034      08408de5       str r4, [sp + local_8h]
│           0x000f5038      08008de2       add r0, sp, 8
│           0x000f503c      0c508de5       str r5, [sp + local_ch]
│           0x000f5040      641203e3       movw r1, 0x3264             ; 'd2'
│           0x000f5044      181040e3       movt r1, 0x18
│           0x000f5048      01109fe7       ldr r1, [0x000f5050]        ; [0xf5050:4]=0xe30a085c
│           0x000f504c      e6ad03eb       bl sym.imp.objc_msgSendSuper2
│           ; DATA XREF from sub.objc_retain_fe0 (0xf5048)
│           0x000f5050      5c080ae3       movw r0, 0xa85c
│           0x000f5054      0010a0e3       mov r1, 0
│           0x000f5058      0f0040e3       movt r0, 0xf
│           0x000f505c      30330de3       movw r3, 0xd330
│           0x000f5060      0f3040e3       movt r3, 0xf
│           0x000f5064      04108de5       str r1, [sp + local_4h]
│           0x000f5068      0510a0e3       mov r1, 5
│           0x000f506c      00008fe0       add r0, pc, r0              ; 0x1ef8d0 ; "iGoat" ; str.iGoat
│           0x000f5070      03308fe0       add r3, pc, r3              ; 0x1f23a8 ; "taoGi" ; str.taoGi
│           0x000f5074      00108de5       str r1, [sp]
│           0x000f5078      0510a0e3       mov r1, 5
│           0x000f507c      0020a0e3       mov r2, 0
│           0x000f5080      c50100eb       bl sub.SaveUser_79c
│           0x000f5084      0400a0e1       mov r0, r4
│           0x000f5088      e3ad03eb       bl sym.imp.objc_release
│           0x000f508c      08d047e2       sub sp, r7, 8
╰           0x000f5090      b080bde8       pop {r4, r5, r7, pc}
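Where r2 annotates add r0, pc, r0 with 0x1ef8d0 and "iGoat", it has resolved the ARM movw/movt/add-pc idiom the Swift compiler uses for position-independent references to string literals. The Python below is an added example (not from the article and not radare2 code) that reproduces that resolution from the listing text: it tracks the low and high 16-bit halves loaded by movw and movt, then, for every add that reads pc, adds the pc value, which in ARM mode is the current instruction address plus 8 (it would be plus 4 in Thumb mode, hence the parameter). The instruction lines are copied from the pdf output of viewDidLoad and from the sub.SaveUser_79c listing further down; the string table maps the addresses to the names r2 printed beside them.

```python
import re

# Instruction lines copied from the pdf output (viewDidLoad); comments dropped.
VIEWDIDLOAD = """
0x000f5008 2c0009e3 movw r0, 0x902c
0x000f500c 180040e3 movt r0, 0x18
0x000f5010 00008fe0 add r0, pc, r0
0x000f5014 080080e2 add r0, r0, 8
0x000f5050 5c080ae3 movw r0, 0xa85c
0x000f5054 0010a0e3 mov r1, 0
0x000f5058 0f0040e3 movt r0, 0xf
0x000f505c 30330de3 movw r3, 0xd330
0x000f5060 0f3040e3 movt r3, 0xf
0x000f5064 04108de5 str r1, [sp + local_4h]
0x000f5068 0510a0e3 mov r1, 5
0x000f506c 00008fe0 add r0, pc, r0
0x000f5070 03308fe0 add r3, pc, r3
"""

# The same idiom in sub.SaveUser_79c (lines copied from its pdf output).
SAVEUSER = """
0x000f57b4 a53b0ce3 movw r3, 0xcba5
0x000f57b8 0f3040e3 movt r3, 0xf
0x000f57bc 0c5097e5 ldr r5, [r7, 0xc]
0x000f57c0 03308fe0 add r3, pc, r3
0x000f583c 000c0ce3 movw r0, 0xcc00
0x000f5840 0f0040e3 movt r0, 0xf
0x000f5844 0610a0e3 mov r1, 6
0x000f5848 00008fe0 add r0, pc, r0
"""

# Addresses and strings as r2 labelled them in the listings above.
KNOWN_STRINGS = {
    0x001ef8d0: "iGoat",
    0x001f23a8: "taoGi",
    0x001f236d: "SaveUser",
    0x001f2450: "Error updating keychain -",
}

INSN = re.compile(r"^0x([0-9a-f]+)\s+[0-9a-f]{8}\s+(\w+)\s+(.*)$")


def resolve_pc_relative(listing, pc_offset=8):
    """Return {instruction address: absolute value} for every add that builds an
    address from pc (and for an immediate add applied to such a value afterwards).
    pc_offset=8 is the ARM-mode pipeline offset; Thumb code would use 4."""
    regs = {}          # register -> value we can account for
    pc_derived = set() # registers currently holding a pc-relative result
    targets = {}
    for line in listing.strip().splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        addr, mnem = int(m.group(1), 16), m.group(2)
        ops = [o.strip() for o in m.group(3).split(";")[0].split(",")]
        if mnem == "movw":                      # low 16 bits
            regs[ops[0]] = int(ops[1], 0) & 0xffff
            pc_derived.discard(ops[0])
        elif mnem == "movt":                    # high 16 bits, keep the low half
            regs[ops[0]] = (regs.get(ops[0], 0) & 0xffff) | ((int(ops[1], 0) & 0xffff) << 16)
            pc_derived.discard(ops[0])
        elif mnem == "mov" and not ops[1].startswith("r"):
            regs[ops[0]] = int(ops[1], 0)
            pc_derived.discard(ops[0])
        elif mnem == "add" and len(ops) == 3:
            rd, rn, op2 = ops
            if rn == "pc" and op2 in regs:      # add rd, pc, rN: the PIC address
                regs[rd] = (addr + pc_offset + regs[op2]) & 0xffffffff
                pc_derived.add(rd)
                targets[addr] = regs[rd]
            elif rn in pc_derived and not op2.startswith(("r", "sp", "pc")):
                regs[rd] = (regs[rn] + int(op2, 0)) & 0xffffffff   # add rd, rd, imm
                pc_derived.add(rd)
                targets[addr] = regs[rd]
    return targets


def annotate(listing, strings=KNOWN_STRINGS):
    """List (instruction address, resolved address, string or None), in address order."""
    return [(a, v, strings.get(v)) for a, v in sorted(resolve_pc_relative(listing).items())]


if __name__ == "__main__":
    for name, listing in (("viewDidLoad", VIEWDIDLOAD), ("sub.SaveUser_79c", SAVEUSER)):
        for insn, target, label in annotate(listing):
            print("%-17s 0x%08x -> 0x%08x %s" % (name, insn, target, label or ""))
```

The values it computes match the annotations in the listing: 0x1ef8d0 ("iGoat") and 0x1f23a8 ("taoGi") in viewDidLoad, 0x27e04c for the add r0, r0, 8 that follows the first pc-relative add, and 0x1f236d ("SaveUser") and 0x1f2450 ("Error updating keychain -") in sub.SaveUser_79c. The listing sets emu.str=true so r2 does this itself; knowing the arithmetic lets you check the annotation by hand when a reference is unexpected.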

Method summary:

[0x000f4ff4]> pds
0x000f4ffc bl sym.imp.objc_retain
0x000f5018 bl sym.func.000d29a0
0x000f504c bl sym.imp.objc_msgSendSuper2
0x000f506c str.iGoat
0x000f5070 str.taoGi
0x000f5080 bl sub.SaveUser_79c
0x000f5088 bl sym.imp.objc_release
;-- method.iGoat_Swift.KeychainExerciseVC.loginActionWithSender::
0x000f50a8 bl sym.imp.objc_retain
0x000f50b0 bl sym.imp.objc_retain
0x000f50b8 bl sub.swift_unknownWeakLoadStrong_d5c
0x000f50c0 bl sym.imp.objc_release
0x000f50d0 b sym.imp.objc_release

Things to note: 1. func viewDidLoad() became sub.objc_retain_fe0 (r2 named the function after the first call it makes, objc_retain). 2. Even in the summary we can find the strings iGoat and taoGi. 3. It calls the subroutine sub.SaveUser_79c with these strings.

sub.SaveUser_79c

The subroutine sub.SaveUser_79c is located at 0x000f579c:

[0x000f4ff4]> s sub.SaveUser_79c
[0x000f579c]> pdf
╭ (fcn) sub.SaveUser_79c 516
│   sub.SaveUser_79c ();
│           ; var int local_0h @ sp+0x0
│           ; var int local_4h @ sp+0x4
│           ; var int local_8h @ sp+0x8
│           ; var int local_ch @ sp+0xc
│           ; var int local_10h @ sp+0x10
│           ; var int local_14h @ sp+0x14
│           ; var int local_18h @ sp+0x18
│           ; var int local_1ch @ sp+0x1c
│           ; var int local_20h @ sp+0x20
│           ; var int local_24h @ sp+0x24
│           ; var int local_28h @ sp+0x28
│           ; var int local_2ch @ sp+0x2c
│           ; var int local_30h @ sp+0x30
│           ; var int local_34h @ sp+0x34
│           ; var int local_48h @ sp+0x48
│           ; var int local_4ch @ sp+0x4c
│           ; CALL XREF from sub.objc_retain_fe0 (0xf5080)
│           0x000f579c      f0402de9       push {r4, r5, r6, r7, lr}
│           0x000f57a0      0c708de2       add r7, sp, 0xc
│           0x000f57a4      00052de9       push {r8, sl}
│           0x000f57a8      028b2ded       vpush {d8}
│           0x000f57ac      58d04de2       sub sp, sp, 0x58            ; 'X'
│           0x000f57b0      0340a0e1       mov r4, r3
│           0x000f57b4      a53b0ce3       movw r3, 0xcba5
│           0x000f57b8      0f3040e3       movt r3, 0xf
│           0x000f57bc      0c5097e5       ldr r5, [r7, 0xc]
│           0x000f57c0      03308fe0       add r3, pc, r3              ; 0x1f236d ; "SaveUser" ; str.SaveUser
│           0x000f57c4      2c308de5       str r3, [sp + local_2ch]
│           0x000f57c8      0830a0e3       mov r3, 8
│           0x000f57cc      0060a0e3       mov r6, 0
│           0x000f57d0      30308de5       str r3, [sp + local_30h]
│           0x000f57d4      38308de2       add r3, sp, 0x38
│           0x000f57d8      34608de5       str r6, [sp + local_34h]
│           0x000f57dc      470083e8       stm r3, {r0, r1, r2, r6}
│           0x000f57e0      0100a0e3       mov r0, 1
│           0x000f57e4      48608de5       str r6, [sp + local_48h]
│           0x000f57e8      4c608de5       str r6, [sp + local_4ch]
│           0x000f57ec      5000cde5       strb r0, [sp, 0x50]
│           0x000f57f0      0500a0e1       mov r0, r5
│           0x000f57f4      30ae03eb       bl sym.imp.swift_unknownRetain
│           0x000f57f8      081097e5       ldr r1, [r7, 8]
│           0x000f57fc      2c308de2       add r3, sp, 0x2c
│           0x000f5800      0400a0e1       mov r0, r4
│           0x000f5804      0520a0e1       mov r2, r5
│           0x000f5808      0080a0e3       mov r8, 0
│           0x000f580c      dea400eb       bl sub._b8c                 ; sub._b8c(0x0, 0x4042f04f)
│           0x000f5810      000058e3       cmp r8, 0
│           0x000f5814      1cd04702       subeq sp, r7, 0x1c
│           0x000f5818      028bbd0c       vpopeq {d8}
│           0x000f581c      0005bd08       popeq {r8, sl}
│           0x000f5820      f080bd08       popeq {r4, r5, r6, r7, pc}  ; aav.0x000cf2c0
│           0x000f5824      2fe1ffeb       bl sym.func.000edce8
│           0x000f5828      3810a0e3       mov r1, 0x38                ; '8'
│           0x000f582c      0320a0e3       mov r2, 3
│           0x000f5830      0350a0e3       mov r5, 3
│           0x000f5834      99c2ffeb       bl sym.func.000e62a0        ; sym.func.000e62a0(0x0)
│           0x000f5838      0040a0e1       mov r4, r0
│           0x000f583c      000c0ce3       movw r0, 0xcc00
│           0x000f5840      0f0040e3       movt r0, 0xf
│           0x000f5844      0610a0e3       mov r1, 6
│           0x000f5848      00008fe0       add r0, pc, r0              ; 0x1f2450 ; "Error updating keychain -" ; str.Error_updating_keychain
...

Method summary:

[0x000f579c]> pds
0x000f57c0 str.SaveUser
0x000f57f4 bl sym.imp.swift_unknownRetain
0x000f580c bl sub._b8c
0x000f5824 bl sym.func.000edce8
0x000f5834 bl sym.func.000e62a0
0x000f5848 str.Error_updating_keychain
0x000f5868 bl sym.func.000f0e34

Note: 1. The XREF comes from viewDidLoad: "; CALL XREF from sub.objc_retain_fe0 (0xf5080)". 2. The string SaveUser. 3. The function calls sym.func.000edce8, sym.func.000e62a0 and sym.func.000f0e34. 4. The string "Error updating keychain -", so we guess the code is trying to update the Keychain here. Now imagine we had not started by looking at classes (ic) but at strings (iz), which is also a very common approach:

[0x000f579c]> iz~+keychain
1530 0x001ee330 0x001f2330 37 38 (4.__TEXT.__cstring) ascii _TtC11iGoat_Swift18KeychainExerciseVC
1533 0x001ee380 0x001f2380 39 40 (4.__TEXT.__cstring) ascii Error reading password from keychain -
1535 0x001ee3b0 0x001f23b0 154 155 (4.__TEXT.__cstring) ascii /Users/swaroop.yermalkar/AWS/iGoat-Swift-master/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/KeychainAnalyze/KeychainExerciseVC.swift
1536 0x001ee450 0x001f2450 26 27 (4.__TEXT.__cstring) ascii Error updating keychain -
...
[0x000f579c]> axt @ 0x001f2450
sub.SaveUser_79c 0xf5848 [DATA] add r0, pc, r0

Following the cross-reference of the "Error updating keychain -" string with axt lands in the same sub.SaveUser_79c we reached from the class listing.
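Whether one starts from the classes (ic) or from the strings (iz), the pds summaries above reduce each function to its calls and string references, which is exactly what the numbered notes in this article are built from. The Python below is an added example, not part of the article and not radare2 code: it parses saved pds output into that per-function summary and flags the functions whose string references mention a keyword such as keychain, so the same triage can be repeated over a larger dump. The pds text is copied from the two outputs above; because pds does not print the name of the function that is currently seeked, the caller supplies it for the lines that precede the first ";--" marker.

```python
import re

# pds output copied from the article, seeked at viewDidLoad (0x000f4ff4).
PDS_VIEWDIDLOAD = """\
[0x000f4ff4]> pds
0x000f4ffc bl sym.imp.objc_retain
0x000f5018 bl sym.func.000d29a0
0x000f504c bl sym.imp.objc_msgSendSuper2
0x000f506c str.iGoat
0x000f5070 str.taoGi
0x000f5080 bl sub.SaveUser_79c
0x000f5088 bl sym.imp.objc_release
;-- method.iGoat_Swift.KeychainExerciseVC.loginActionWithSender::
0x000f50a8 bl sym.imp.objc_retain
0x000f50b0 bl sym.imp.objc_retain
0x000f50b8 bl sub.swift_unknownWeakLoadStrong_d5c
0x000f50c0 bl sym.imp.objc_release
0x000f50d0 b sym.imp.objc_release
"""

# pds output copied from the article, seeked at sub.SaveUser_79c.
PDS_SAVEUSER = """\
[0x000f579c]> pds
0x000f57c0 str.SaveUser
0x000f57f4 bl sym.imp.swift_unknownRetain
0x000f580c bl sub._b8c
0x000f5824 bl sym.func.000edce8
0x000f5834 bl sym.func.000e62a0
0x000f5848 str.Error_updating_keychain
0x000f5868 bl sym.func.000f0e34
"""

MARKER = re.compile(r"^;--\s*(\S+?):$")                  # ";-- name:" starts a new function
CALL = re.compile(r"^0x([0-9a-f]+)\s+(?:bl|blx|b|bx)\s+(\S+)")
STRREF = re.compile(r"^0x([0-9a-f]+)\s+(str\.\S+)")


def parse_pds(text, current):
    """Return {function name: {"calls": [...], "strings": [...]}} in listing order.
    `current` names the function the lines before the first ;-- marker belong to."""
    summary = {}

    def entry(name):
        return summary.setdefault(name, {"calls": [], "strings": []})

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # blank line or the r2 prompt itself
            continue
        m = MARKER.match(line)
        if m:
            current = m.group(1)
            entry(current)
            continue
        m = CALL.match(line)
        if m:
            entry(current)["calls"].append(m.group(2))
            continue
        m = STRREF.match(line)
        if m:
            entry(current)["strings"].append(m.group(2))
    return summary


def flag_functions(summary, keywords):
    """Names of functions whose string references contain any keyword (case-insensitive)."""
    hits = []
    for name, info in summary.items():
        haystack = " ".join(info["strings"]).lower()
        if any(k.lower() in haystack for k in keywords):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    both = parse_pds(PDS_VIEWDIDLOAD, current="sub.objc_retain_fe0")
    both.update(parse_pds(PDS_SAVEUSER, current="sub.SaveUser_79c"))
    for name, info in both.items():
        print(name, "calls:", info["calls"], "strings:", info["strings"])
    print("touch keychain strings:", flag_functions(both, ("keychain", "password")))
```

On these two dumps the keyword scan reports only sub.SaveUser_79c, via str.Error_updating_keychain; viewDidLoad is reached instead through its call list, which is how the article got from one function to the other.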
