Full Report
This blog post steps through how to convert encrypted iPhone application bundles into plaintext application bundles that are easier to analyse.

Requirements:

1. A jailbroken iPhone with OpenSSH, gdb and the usual supporting utilities (com.ericasadun.utilities etc.)
2. An iPhone app
3. On your machine:
   - otool (comes with the iPhone SDK)
   - a hex editor (0xED, HexWorkshop etc.)
   - IDA, version 5.2 through 5.6, which supports remote debugging of iPhone applications (iphone_server)

For this article, the app will be called "blah".
Analysis Summary
# Tool/Technique: Decrypting iPhone Application Bundles
## Overview
This process outlines a multi-step procedure to convert an encrypted iPhone application bundle (Mach-O binary) into a plaintext, readable version to facilitate static and dynamic analysis, particularly reverse engineering and patching.
## Technical Details
- Type: Technique (Reverse Engineering / Malware Analysis Preparation)
- Platform: iOS (iPhone)
- Capabilities: Bypassing runtime encryption applied to Mach-O binaries, enabling static analysis via tools like IDA Pro.
- First Seen: N/A as a dated technique; the write-up (2011) combines standard debugging tools with the Mach-O encryption load command fields (`cryptid`, `cryptoff`, `cryptsize`) and a runtime memory dump.
## MITRE ATT&CK Mapping
ATT&CK is a loose fit for an analyst-side procedure; the closest mappings are under Defense Evasion, with one Discovery step.
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information: the binary is modified so that it no longer requires runtime decryption, defeating the store encryption that otherwise acts as obfuscation.
  - T1553.002 - Subvert Trust Controls: Code Signing: the patched binary is re-signed with `ldid -s` so that the loader on the jailbroken device will run it.
- **TA0007 - Discovery**
  - T1082 - System Information Discovery: `otool -l` is used to read the Mach-O load commands (`cryptid`, `cryptoff`, `cryptsize`).
## Functionality
### Core Capabilities
1. **Identification of Encryption State:** Running `otool -l <binary> | grep crypt` prints the fields of the encryption load command; `cryptid 1` means the range starting at file offset `cryptoff` and running for `cryptsize` bytes is encrypted and is decrypted by the loader at launch.
2. **Binary Modification (Static Disabling):** Locating the `cryptid` field of that load command with a hex editor (it reads `01 00 00 00` in a 32-bit binary) and changing it to `00`, which tells the loader not to decrypt the range at launch. On its own this does not decrypt anything: the bytes on disk between `cryptoff` and `cryptoff + cryptsize` are still ciphertext, so the patched file is only usable once that range has been replaced (step 1 under Advanced Features).
3. **Runtime Memory Dumping:** Using `gdb` on the jailbroken device to attach to the running process, by which point the loader has already decrypted the range in memory, and writing that range to a file with `dump memory <file> <start> <end>`, where `<start>` is the address at which `cryptoff` is mapped and `<end>` is `<start> + cryptsize`.
### Advanced Features
1. **Reconstruction of Plaintext Binary:** Overwriting the `cryptsize` bytes at `cryptoff` in the locally modified copy with the decrypted bytes dumped from the running process via gdb. The dump must be exactly `cryptsize` bytes and must have been taken from the same build of the binary.
2. **Re-signing:** Running `ldid -s` on the patched binary, because the original code signature no longer matches the modified file and the device would otherwise refuse to execute it.
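The three-step procedure above (read the encryption load command, dump the mapped range with gdb, splice the dump back in and clear `cryptid`) is easier to get right with a script than with a hex editor, because the `cryptid` byte and the dump range both have to be computed from the load commands. The following is an added example written for this summary, not a script from the original post. It assumes a little-endian thin Mach-O (a fat binary must be split into one slice first), takes the ASLR slide as a parameter (zero for the non-PIE apps of this era), and builds a small constructed stand-in for the `blah` binary so that it runs offline; the re-signing step with `ldid -s` is left to the device.

```python
"""Find LC_ENCRYPTION_INFO in a Mach-O file, print the gdb range to dump on the
device, then splice the dumped plaintext back in and clear cryptid.

Added example for this write-up; not the original author's script."""
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O (armv6/armv7, little-endian)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def _load_commands(data):
    """Yield (cmd, cmdsize, file offset) for each load command of a thin Mach-O."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        off = 28              # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        off = 32              # sizeof(struct mach_header_64)
    else:
        raise ValueError("not a little-endian thin Mach-O (split fat binaries first)")
    ncmds, = struct.unpack_from("<I", data, 16)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, cmdsize, off
        off += cmdsize


def find_encryption_info(data):
    """Return the encryption_info_command fields (what `otool -l blah | grep crypt`
    shows) plus the file offset of the cryptid field, or None if there is none."""
    for cmd, _, off in _load_commands(data):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    "cryptid_offset": off + 16}   # the byte the hex-editor step flips to 00
    return None


def file_offset_to_vmaddr(data, file_off):
    """Map a file offset to its load address via the segment that contains it."""
    for cmd, _, off in _load_commands(data):
        if cmd == LC_SEGMENT:
            vmaddr, _vmsize, fileoff, filesize = struct.unpack_from("<IIII", data, off + 24)
        elif cmd == LC_SEGMENT_64:
            vmaddr, _vmsize, fileoff, filesize = struct.unpack_from("<QQQQ", data, off + 24)
        else:
            continue
        if fileoff <= file_off < fileoff + filesize:
            return vmaddr + (file_off - fileoff)
    raise ValueError("offset 0x%x is not inside any segment" % file_off)


def gdb_dump_command(data, out_path, slide=0):
    """Build the gdb `dump memory` line for the encrypted range. `slide` is the
    ASLR slide of a PIE binary; the non-PIE apps of this era load unslid (0)."""
    info = find_encryption_info(data)
    start = file_offset_to_vmaddr(data, info["cryptoff"]) + slide
    end = start + info["cryptsize"]
    return "dump memory %s 0x%x 0x%x" % (out_path, start, end)


def build_plaintext(data, dump):
    """Clear cryptid and overwrite the encrypted range with the plaintext dump."""
    info = find_encryption_info(data)
    if info is None or info["cryptid"] == 0:
        raise ValueError("binary is not marked encrypted")
    if len(dump) != info["cryptsize"]:
        raise ValueError("dump is %d bytes, cryptsize is %d" % (len(dump), info["cryptsize"]))
    out = bytearray(data)
    struct.pack_into("<I", out, info["cryptid_offset"], 0)
    out[info["cryptoff"]:info["cryptoff"] + info["cryptsize"]] = dump
    return bytes(out)


def build_sample():
    """Constructed stand-in for the encrypted `blah` binary: a 32-bit ARM Mach-O
    with __TEXT at 0x1000 and one encrypted page starting at file offset 0x1000."""
    hdr = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, 56 + 20, 0)   # ARM, v7, MH_EXECUTE
    text = struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, b"__TEXT",
                       0x1000, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x40, 1)
    img = bytearray(0x1040)
    img[:len(hdr) + len(text) + len(enc)] = hdr + text + enc
    img[0x1000:0x1040] = bytes(range(0x40))       # placeholder "ciphertext"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print(find_encryption_info(sample))
    print(gdb_dump_command(sample, "/var/root/blah.dump"))
    fake_dump = b"\x00\xbf" * 0x20                 # stands in for the device dump
    plain = build_plaintext(sample, fake_dump)
    print("cryptid after patch:", find_encryption_info(plain)["cryptid"])
```

Run `gdb_dump_command` against the copy of the binary you pulled over SSH, paste the printed line into the gdb session attached to the running app, copy the dump file back, and feed it to `build_plaintext`; the result still needs `ldid -s` before the device will launch it. The size check on the dump is deliberate: a dump taken with the wrong end address produces a file that loads but crashes some way into `__TEXT`, which is much harder to diagnose than a refused splice.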
## Indicators of Compromise
*(Note: This technique *creates* indicators via tool usage, rather than retrieving standard IoCs from malware.)*
- File Hashes: N/A (Relates to modification of legitimate application files)
- File Names: `blah` (Example application binary name used in the article)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
- `gdb` attaching to a running iOS app (`gdb -p <PID>`) followed by a `dump memory <file> <start> <end>` command in that session.
- Use of `otool`, a hex editor and IDA Pro (remote debugging via `iphone_server`) against a copy of the app binary; note that `otool` is an Apple SDK tool rather than third-party software.
- Execution of `ldid -s <binary>` post-modification.
## Associated Threat Actors
This is a general reverse engineering/analysis technique, not solely attributable to specific threat actors, although it is fundamental for analyzing packed or protected mobile malware.
## Detection Methods
Detection relates to monitoring the environment for these specific analysis steps:
- Signature-based detection: N/A; the tools involved are legitimate debugging utilities, so at most their presence or invocation could be signatured.
- Behavioral detection: Monitoring for debugging sessions (`gdb` attaching to processes) or unusual file modification/re-signing activities on deployed applications.
- YARA rules: N/A
## Mitigation Strategies
This technique is targeted at security researchers or adversaries attempting to analyze protected code. Mitigation is focused on code protection:
- Prevention measures: Using binary hardening techniques beyond standard platform encryption (e.g., advanced packing, anti-debugging, integrity checks).
- Hardening recommendations: For developers, do not treat App Store encryption as protection for sensitive logic; anything that executes on a jailbroken device can be dumped from memory once the loader has decrypted it.
## Related Tools/Techniques
- **otool:** Utility from the iPhone SDK used to examine Mach-O file structure specifics.
- **gdb:** GNU Debugger, used here for remote attachment and memory dumping.
- **IDA Pro (versions 5.2-5.6):** Used for static analysis of the resulting plaintext binary, and for remote debugging of the app on the device through `iphone_server`.
- **ldid:** A utility used to manipulate or re-sign code signatures on iOS executables.