go back...

Cracking OWASP MSTG iOS Crackme - The Uncrackable

ryantzj / April 23, 2017

iOS

My fellow colleague Bernhard developed two iOS Crackme and here is the writeup.

Uncrackable Level 1

From the main view, it hints that the flag can be found in the hidden label.

Well, if that is not a red herring like every crackme challenge, let’s try to unhide the hidden label using Cycript. Let’s print the view hierarchy and locate the address for the hidden label.

The command [[UIApp keyWindow] recursiveDescription].toString() returns the view hierarchy of keyWindow. The description of every subview and sub-subview of keyWindow will be shown, and the indentation space reflects the relationships of each view. For example, UILabel, UITextField, and UIButton are subviews of UIView.

VP:~ root# ps aux | grep Crack
root       730   0.0  0.0   535232    432 s000  R+    5:04PM   0:00.01 grep Crack
mobile     728   0.0  0.8   586328   8368   ??  Ss    5:04PM   0:00.35 /var/mobile/Containers/Bundle/Application/A8BD91A9-3C81-4674-A790-AF8CDCA8A2F1/UnCrackable Level 1.app/UnCrackable Level 1
VP:~ root# ./cycript -p 728
cy# UIApp.keyWindow.recursiveDescription().toString()
`<UIWindow: 0x155b8420; frame = (0 0; 320 568); gestureRecognizers = <NSArray: 0x155a0080>; layer = <UIWindowLayer: 0x155acd40>>
   | <UIView: 0x156a7300; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x156a74a0>>
   |    | <UILabel: 0x156a3b10; frame = (0 40; 82 20.5); text = 'i am groot!'; hidden = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x156a3bf0>>
   |    | <UILabel: 0x156a22f0; frame = (0 110.5; 320 20.5); text = 'A Secret Is Found In The ...'; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x156a2550>>
   |    | <UITextField: 0x156a3e70; frame = (8 141; 304 30); text = ''; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; gestureRecognizers = <NSArray: 0x155c2ce0>; layer = <CALayer: 0x156a4140>>
   |    |    | <_UITextFieldRoundedRectBackgroundViewNeue: 0x156a65e0; frame = (0 0; 304 30); opaque = NO; autoresize = W+H; userInteractionEnabled = NO; layer = <CALayer: 0x156a6800>>
   |    | <UIButton: 0x155ba6d0; frame = (8 191; 304 30); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x155ba980>>
   |    |    | <UIButtonLabel: 0x155b2ac0; frame = (133 6; 38 18); text = 'Verify'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x155b3680>>
   |    | <_UILayoutGuide: 0x156a7500; frame = (0 0; 0 20); hidden = YES; layer = <CALayer: 0x156a7700>>
   |    | <_UILayoutGuide: 0x155c0a00; frame = (0 568; 0 0); hidden = YES; layer = <CALayer: 0x155c0fe0>>`

We can see that the UILabel 0x156a3b10 is hidden.

< U I L a b e l : 0 x 1 5 6 a 3 b 1 0 ; f r a m e = ( 0 4 0 ; 8 2 2 0 . 5 ) ; t e x t = ' i a m g r o o t ! ' ; h i d d e n = Y E S ; o p a q u e = N O ; a u t o r e s i z e = R M + B M ; u s e r I n t e r a c t i o n E n a b l e d = N O ; l a y e r = _ U I L a b e l L a y e r : 0 x 1 5 6 a 3 b f 0 > >

We can unhidden it by running the following command

c y # [ # 0 x 1 6 e 8 f 8 4 0 s e t H i d d e n : N O ]

Photo

And we have our flag! :) Let’s move onto level 2.

Crackme Level 2

The second app has a number of security implementations. To identify those, I performed some reverse engineering. Let’s start off with class-dump to identify what header classes are used to get a glimpse of the application internals.

$ class-dump  -S -s -H uncrackable2_32 -o uncrackable2.dump
$ ~/tools/ios/hackme/uncrackable2.dump|
⇒  ls -laR
.:
total 64
drwxr-xr-x 17 tnayr staff  578 Apr 20 16:58 .
drwxr-xr-x 16 tnayr staff  544 Apr 20 16:58 ..
-rw-r--r--  1 tnayr staff  288 Apr 20 16:58 AESCrypt.h
-rw-r--r--  1 tnayr staff  929 Apr 20 16:58 AppDelegate.h
-rw-r--r--  1 tnayr staff  362 Apr 20 16:58 CDStructures.h
-rw-r--r--  1 tnayr staff  238 Apr 20 16:58 NSData-Base64Additions.h
-rw-r--r--  1 tnayr staff  555 Apr 20 16:58 NSData-CommonCryptor.h
-rw-r--r--  1 tnayr staff  328 Apr 20 16:58 NSData-CommonDigest.h
-rw-r--r--  1 tnayr staff  297 Apr 20 16:58 NSData-CommonHMAC.h
-rw-r--r--  1 tnayr staff  949 Apr 20 16:58 NSData-LowLevelCommonCryptor.h
-rw-r--r--  1 tnayr staff  253 Apr 20 16:58 NSError-CommonCryptoErrorDomain.h
-rw-r--r--  1 tnayr staff  880 Apr 20 16:58 NSObject-Protocol.h
-rw-r--r--  1 tnayr staff  268 Apr 20 16:58 NSString-Base64Additions.h
-rw-r--r--  1 tnayr staff 5237 Apr 20 16:58 UIApplicationDelegate-Protocol.h
-rw-r--r--  1 tnayr staff  779 Apr 20 16:58 ViewController.h
-rw-r--r--  1 tnayr staff  303 Apr 20 16:58 __ARCLiteIndexedSubscripting__-Protocol.h
-rw-r--r--  1 tnayr staff  279 Apr 20 16:58 __ARCLiteKeyedSubscripting__-Protocol.h

AESCrypt.h:

# @ { } @ i i e m n ( ( n p t i i d o e d d r r ) ) t f d e a e n " c c c N e r r S y y O A p p b E t t j S : : e C ( ( c r i i t y d d . p ) ) h t a a " r r : g g 1 1 N S p p O a a b s s j s s e w w c o o t r r d d : : ( ( i i d d ) ) a a r r g g 2 2 ; ;

After viewing AESCrypt.h, I suspect that the flag encrypts and decrypt with AESCrypt. but we should make no assumption and analyze it with a dissembler and see how do things work.

viewDidLoad

We will first look at viewDidLoad since it loads functions and checks before the view controller and is a common place to implement security checks.

There are a few things that tingle my spider sense. Our objective here is to identify security implementations that can possibly be anti-debugging, anti-jailbreak, memory integrity, application integrity, and so on. I have identified that anti-debugging and anti-jailbreak were implemented.

Anti-debugging

Ptrace System Call

Photo

It is using ptrace system call to prevent process from being traced.

protectAgainstDebugger functions

Photo

Photo

It is using sysctl call to detect whether if the process is being debugged.

Jailbreak protection

Now, onto jailbreak protection. It is obvious that it uses a list of files to determine if the phone is jailbroken.

Photo

/ / / / / A L b u e p i i s t p b n r c l r / / / i a b s a c r a b p a y s i t t / h n i M / o o s n b s s i h / l d C e y S d u i b a s . t a r p a p t e / M o b i l e S u b s t r a t e . d y l i b

Remote debugging

When I tried to submit the flag in the app, there was a jailbreak alert, which again verified our observations about jailbreak protection. Now, how are we going to test if there is actually debugging protection? We are going to use lldb. There is a fantastic write-up on how to set up debugging on iOS: Installing LLDB (2014 reference, may be outdated). After setting the environment up, let’s see what happens if we try to attach a debugger to the process.

$ P d ( P 2 2 2 P d r y l r 0 0 0 r e o t l l o 1 1 1 o b l c h d d c 7 7 7 c u l e r f ` 0 0 0 0 b e - - - e g d s e r _ x x x x ) s 0 0 0 s s b s a a d 1 1 1 1 s 4 4 4 s e d m y f f f f c - - - r 2 e l e e e e 2 2 2 2 2 v 5 # d b b b b 5 0 0 0 5 e 4 1 # _ e e e e 4 4 r 8 , 0 s 0 0 0 0 8 2 2 2 8 : t 0 0 0 0 1 1 1 * s s a 0 4 8 c r : : : e : t t 0 r e 2 2 2 x 6 o o x t s 4 4 4 i 6 p p 1 : + + + + u : : : t 6 p f 0 4 8 1 m 5 5 5 e 6 e r e > > > 2 i 3 3 3 d d e b : : : > n . . . - a e : g 4 4 5 w x s 0 5 5 4 i o 0 m s b l 6 7 6 t b n 0 o u i d h a v b c r U U U c = d n n n s k y C C C t b s l r r r a o i d a a a t a g ` r s s r c c c u r n _ 8 p p 3 k k k s d a d , , , , a a a l y b b b = " l s s s [ l l l / S d p p p p e e e 4 v I _ , , c 5 a G s , L L L r S t # # e e e ( / T a 1 7 # v v v 0 m O r 6 0 e e e x o P t x l l l 0 b 7 0 i 0 2 2 2 0 l ] [ [ [ 0 e 2 2 2 0 / 5 5 5 0 C 4 4 4 2 o 8 8 8 d n : : : ) t 1 1 1 a 3 3 3 i 1 1 1 n 4 4 4 e 7 7 7 r 6 6 6 s ; ] ] ] / B = = I u + = = n n 1 = = t d 3 r l 2 S S o e > S S s / L L p A y p K K p i i - l l l i l l P c r a S S o t w w f i i i i o t t l n c c i / h h n C g 5 2 2 D : : d C i 5 P S s 0 r u a 0 e b b 6 f t l - e r e 8 r a d D e t 2 n e f 0 c o - e h r 4 o C s o s 8 e k g 8 t . - d v B t i p E o s . 4 a U 1 0 b n - . l C E e r 4 d a 4 . c B k 5 a 7 b 0 l A e 4 - 9 2 B 0 / U n C r a c k a b l e L e v e l 2 . a p p / U n C r a c k a b l e L e v e l 2 "

Aha!!! Exit status 45, which suggests that ptrace was used to prevent debugging, as we identified earlier in our static analysis.

Bypass anti-debugging

Now we have identified that there is anti-debugging (ptrace and sysctl) and jailbreak detection (list of files and Cydia URI) from static analysis, and we will bypass them! :)

Ptrace

We can easily bypass ptrace method by modifying the request argument that is passed into the ptrace function. If ptrace is set to 31 - PT_DENY_ATTACH as shows as the list below will deny any traces made to the process.

d d d d d d d d d d d d d d d d d d e e e e e e e e e e e e e e e e e e f f f f f f f f f f f f f f f f f f i i i i i i i i i i i i i i i i i i n n n n n n n n n n n n n n n n n n e e e e e e e e e e e e e e e e e e P P T T _ _ P P P P P P P P P P P P P T A P P P T T T T T T T T T T T T T H T T T T _ _ _ _ _ _ _ _ _ _ _ _ _ U T _ _ _ T R R R W W W C K S A D S P A F D F R E E E R R R O I T T E I D C O E I A A A A I I I N L E T T G A H R N R C D D D T T T T L P A A E T E C Y S E _ _ _ E E E I C C X E X E _ T _ I D U _ _ _ N 8 9 H H C C Q A M M I D U U 1 U T A E 1 2 3 E 1 1 1 3 1 O T C 4 5 6 0 1 2 4 T A H 0 7 A C k s H 3 i i 3 2 r r r l n s 0 3 e e e w w w l g t s s i a 1 c a a a r r r c l r t i g t h d d d i i i o t e a o g n t i t t t n h c p n a a f l w w w e e e t e s e a l c E o d o o o i t t l h n r r r r w w w n c e s r s f f d d d d o o o u h p o a o t o m e r r r e i m c a r o r a c i i i d d d l t e i s c c l n n n t d h n t r e h a i i i h e r g e h u i r c c c n n n e p u x r n q n e h h h r c n a c e n u e s i i i c c c c o h n e a i o - l l l h h h h c i i p p d n t s i d d d i i i i e l n r t # g a p t ' ' ' l l l l s d g o i e ' s s s d d d d s c o p f c s ' ' ' p e n r o i I D u s s s r s s o r f b s o s c i e s s e I D u c f e r c i p p r s e s o n a a s s e s r s o r g c c s p p r s t e e e t a a c w q t r c c s u i u r u e e t r t e a c r r h s c t u e t e u c n s s d r t t i e u _ g r p n e r a o l c e x c e p t i o n

We identified earlier that the ptrace function is set to 31, which is PT_DENY_ATTACH, and we can bypass it by replacing the request argument from 31 to -1. We will write a tweak to hook the function.

static int (*oldptrace)(int request, pid_t pid, caddr_t addr, int data);
static int newptrace(int request, pid_t pid, caddr_t addr, int data){
  if (request == 31) {
        request = -1;
    }
  printf("newptrace:%d\n\n",request);

    return oldptrace(request,pid,addr,data);

}

MSHookFunction ((void *)MSFindSymbol(NULL,"_ptrace"), (void *)newptrace, (void **)&oldptrace);

Bypass Sysctl debugging protection

Note that unlike the ptrace technique this method doesn’t prevent a debugger from attaching to a process. Instead, it uses the sysctl function to retrieve information about the process and determine whether it is being debugged. Apple has an article in their Mac Technical Q&As with sample code that uses this method: Detecting the Debugger

int (*oldsysctl) (int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);

int newsysctl (int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen)
{
    printf("sysctl");
    return 0;

};

MSHookFunction ((void *)MSFindSymbol(NULL,"_sysctl"), (void *)newsysctl, (void **)&oldsysctl);

Bypass jailbreak protection

I used xcon to bypass jailbreak protection and they have precompiled list of files that uses to detect jailbreak devices.

/ / / / / / / / / / / . . e u e e u u x t t t t t f c t s a a a a a a a v v s s u m m m m m s y c r r r r r r r r a a r r a p p p p p e d / / / / / / / / / s s / / n / / / / v i c b a l s r r t t i i l l y c F . p p e a l i p o t u u m m 0 0 i i u y l p g g n _ u n t g a n n p p n n b b a d i a l i t n t / / s / / / / 7 7 / / n i p n o i s o c c s h s s c p - p p s a S g a d _ h o y y y y g i a a w . w e d s . d s s s d l n n n o l i 9 e t c e l l l i o s g g r o t 3 r a o s o o o a a t u u d g c l s n i g g g . d a _ _ h o h f g . l e l x x C a n p o r l p p a d _ i g e c c c e a d d d d h d l . . e l d i o y p c l o a i d t b . e d y l i b

Bypass all security implementations

If you have combined both tweaks and have xcon running, you should be able to attach a debugger to the process and no longer see the jailbreak alert.

Hook AESCrypt decrypt functions

As we have mentioned earlier, the flag is encrypted and can be decrypted with AESCrypt. So let’s hook the function and have it log the cleartext password. P.S: I also found out that there is no memory integrity check, so you can hook the AESCrypt function without bypass any security implementation.

%hook AESCrypt
+ (id)decrypt:(id)arg1 password:(id)arg2 { %log; id r = %orig; NSLog(@" = %@", r); return r; }
%end

and we have our password from /var/log/syslog :)

A A p p r r 2 2 0 0 2 2 1 1 : : 1 1 5 5 : : 1 1 2 2 V V P P U U n n C C r r a a c c k k a a b b l l e e L L e e v v e e l l 2 2 [ [ 2 2 4 4 3 3 8 8 ] ] : : [ h = o o s k h a a e k s e c n r n y o p t t s ] t i T r w r e e a d k . x m : 2 D E B U G : + [ < A E S C r y p t : 0 x 9 f 0 c 4 > d e c r y p t : V a o Q c P b 6 C C h C z V m U 4 5 B G E K c N M X A Y X o Z v e g J H Y O 2 z q J g = p a s s w o r d : c b 1 7 9 2 7 c c 2 3 e 2 7 5 7 a a d b 8 d 8 d c 7 5 9 4 c 3 2 ]

Final Tweaks

%hook AESCrypt
+ (id)decrypt:(id)arg1 password:(id)arg2 { %log; id r = %orig; NSLog(@" = %@", r); return r; }
%end

static int (*oldptrace)(int request, pid_t pid, caddr_t addr, int data);
static int newptrace(int request, pid_t pid, caddr_t addr, int data){
  if (request == 31) {
        request = -1;
    }
  printf("newptrace:%d\n\n",request);

    return oldptrace(request,pid,addr,data);

}

int (*orig_sysctl) (int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);

int replaced_sysctl (int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen)
{
    printf("sysctl");
    return 0;

};

%ctor {

 @autoreleasepool
{
  printf("Tweak to bypass anti-debugging with ptrace and sysctl  Start!\n\n");
  MSHookFunction ((void *)MSFindSymbol(NULL,"_sysctl"), (void *)replaced_sysctl, (void **)&orig_sysctl);
  MSHookFunction ((void *)MSFindSymbol(NULL,"_ptrace"), (void *)newptrace, (void **)&oldptrace);
}
}

I will try to write up on how to prevent the bypass method hopefully next week if i have some time.

Reference

© 2026 ryantzj • Theme Moonwalk