iOS Reversing

I have fixed some of the missing stuff in gdbinit for iOS. Now the jump conditions are displayed for ARM and Thumb modes and the stepo command is working for ARM and semi-working for Thumb (to be fixed in the next release). Also implemented minor cosmetic changes. The tools to show Mach-O header information and calculate offsets to be patched were also updated to support ARM binaries. Offset.pl is by default interactive (you can choose from the available architectures in the binary, if fat), and ptool....

Well this one is driving me crazy so better ask for some help before I fire the big guns and go commando mode with this. I’m trying to patch iOS apps so I can remove “spyware” and other stuff. Newest iOS versions require all code to be signed. This article by Saurik talks about 3 different ways to workaround this problem without a developer certificate (an idea that crossed my mind is to configure the kernel only to accept Apple’s certificates and my certificate, to avoid rogue stuff like worms [I have to see if code signing is effective against code injection for example])....

I just finished porting gdbinit to iOS. The basic stuff is working except the stepo command (one of my favourites!), the Objective-C selector and showing what will happen with conditional branches (I have to see how to implement this since ARM instructions can be conditional). I have tested it on my iPad with GDB available from Cydia (it seems you can use Apple’s version) and it works, so it should give no special problems with other iOS devices....

These days I’ve been messing around with DTrace and the mach side of OS X kernel. I still have to figure out how to make DTrace helpful in reversing protections and other stuff – I’m talking about efficiency in finding the right spots and gathering information. It’s a very powerful tool for system administration but has some shortcomings regarding reversing. Today I was a bit tired due to lack of proper sleep time so I started messing with the iPad....