- 0xduraki

MacOS Reverse Engineering

Some deeper technical background helps when reading these notes. Also take a look at: Ghidra, LLDB for MacOS, and Hopper for MacOS. The notes on dyld Injection are also handy for Mach-O RE tasks.

Additionally, the notes at Objective-C RevEng provide an introduction to the Objective-C related reverse engineering techniques and tactics you might use during macOS reverse engineering, or otherwise during iOS RevEng.

Some additional instructions on #RevEng, specifically on making sense of MacOS disassembled instructions in Hopper, are in the Apple XNU commpage notes. That section briefly explains what the seemingly random memory addresses that show up here and there in Hopper Disassembler output actually are.

Accessing Metadata Attributes§ref/metadata

How to use mdls, mdfind, mdutil and mdimport is described in the related notes.

Converting MachO binaries§ref/tool/LIPO

Using lipo to convert a MachO universal binary, or a single-architecture binary.

Accessing AppStore Downloaded PKGs

The AppStore does not download applications, i.e. *.PKG and *.DMG files, into a fixed location; the directory is generated in a different spot. You have to crawl the filesystem to locate the folder(s) that contain these files.

ls -ld $TMPDIR../C/com.apple.appstore*

drwx------  5 $USER  staff  160 Feb 27 16:23 /var/folders/g1/3xgktw055bj8v173njj_333m0000gn/T/../C/com.apple.appstoreagent
drwx------  2 $USER  staff   64 Feb 28 06:59 /var/folders/g1/3xgktw055bj8v173njj_333m0000gn/T/../C/com.apple.appstorecomponentsd

Accessing Logs on System Level

To access the Host OS (MacOS) logs from the command line, the log command can be used.

# => will log via default settings
$ (sudo) log show --style syslog --predicate 'process == "com.durakiconsulting.appname"'

# => will log with debug & info
$ (sudo) log show --style syslog --predicate 'process == "com.durakiconsulting.appname"' --debug --info

You may also filter results depending on use-case:

# => will log via default, and match only "Error" message
$ (sudo) log show --style syslog --predicate 'process == "com.durakiconsulting.appname" && eventMessage CONTAINS "Error"'

Additionally, run the binary from the Terminal, which yields the stdout and stderr output of just that specific app.

$ /Applications/AppName.app/Contents/MacOS/AppName

Dump System LaunchServices

Basically, OS X LaunchServices is how an application is found to run when you double-click on a document. If the program is in /Applications, or you launch it at least once, then LaunchServices should detect it. LaunchServices contains a big, long list of all the Applications, and which ones accept documents of which type. So if you have an Application that is not “registering” correctly with LaunchServices, try this in the Terminal:

Via lsregister utility:

$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Versions/Current/Support/lsregister -dump

Via defaults cli utility:

$ defaults read com.apple.LaunchServices # | grep -v LSBundleLocator 

Interesting Paths

  • /Users/<USER>/Library/HTTPStorages/ (Contains all App. bundles HTTP Storage, incl. cookies et al)

Code Signing

Since Apple is “security-oriented”, they included an additional hardened layer that sits between the native GateKeeper (ring3) and the XPC (ring0) surface. There are some steps you can take to minimise the trouble of reversing Apple apps. Fortunately, Apple provides their full PKI list, which can be used to revoke CA X.509 certificates.

First, decode the original provision file of a targeted Application (it’s a CMS Encrypted XML):

$ security cms -D -i /Applications/AppName.app/Contents/MacOS/embedded.provisionprofile > embedded.plist	 # => or .mobileprovision for iOS

This will create an XML file containing the original Provision File. Next, we can use plutil to extract the Entitlements attributes:

$ plutil -p embedded.plist

You will have to create a new project in XCode and add a Capability by clicking Project Root -> Targets and pressing "+ Capability" in the top-left corner. This lets you build a placeholder Provisioning Profile during the project build (i.e. the CodeSign phase).
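Once the profile has been decoded to plaintext XML, the fields worth checking can be pulled out programmatically instead of eyeballing the plutil dump. The following is an added example, not part of the original notes: it parses a constructed sample of a decoded profile, reports the team, app identifier and expiry, and flags entitlements (an assumed list) that relax code-signing protections.

```python
import plistlib
from datetime import datetime

# Constructed sample of a decoded profile (what `security cms -D` writes to
# embedded.plist); values are placeholders, not a real Apple-issued profile.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppIDName</key><string>AppName</string>
  <key>CreationDate</key><date>2023-01-01T00:00:00Z</date>
  <key>ExpirationDate</key><date>2024-01-01T00:00:00Z</date>
  <key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID0000.com.durakiconsulting.appname</string>
    <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
    <key>get-task-allow</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
  </dict>
</dict></plist>
"""

# Entitlements that weaken code-signing / hardened-runtime protections; their
# presence in a shipped profile is worth flagging (assumed list, not from the notes).
NOTABLE = (
    "get-task-allow",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
)

def load_profile(plist_bytes):
    """Parse the decoded (plaintext XML) provisioning profile into a dict."""
    return plistlib.loads(plist_bytes)

def summarize(profile, now):
    """Pull out the fields a reverser checks first: identity, expiry, entitlements."""
    ents = profile.get("Entitlements", {})
    return {
        "app_id": ents.get("application-identifier"),
        "team": profile.get("TeamIdentifier", [None])[0],
        "expires": profile["ExpirationDate"],
        "expired": profile["ExpirationDate"] < now,  # plist dates parse as naive UTC
        "all_devices": bool(profile.get("ProvisionsAllDevices", False)),
        "flagged": sorted(k for k in NOTABLE if ents.get(k) is True),
    }

if __name__ == "__main__":
    for k, v in summarize(load_profile(SAMPLE_PLIST), datetime.now()).items():
        print(f"{k:12} {v}")
```

Point `load_profile` at the bytes of your own embedded.plist to run it against a real decoded profile.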

Code Signing Toolset

Tools I often use

jtool (code signing),
spctl (manage system's policy, controls gatekeeper),
codesign (macos codesign utility),
security (decode CMS format),
openssl (generate certificates),
xcrun (validate/notarize utility),
csreq (code signing utility),
rcodesign (3rd party code signing utility)

Display the valid Code Signing identities on the MacOS system

# You need to create "Code Signing" certificates from the Keychain Access
$ xcrun security find-identity -v -p codesigning

  1) 1C8177C2xxxxxxxxxxxxxxxxxxx6C565999Dxxxx "signature"
  2) E8B3B406xxxxxxxxxxxxxxxxxxx6C8EA4A38xxxx "mycert"
  3) 3F4806E9xxxxxxxxxxxxxxxxxxx173A6C3C8xxxx "Apple Development: Developer Name (SXXXXXXXX7)"
     3 valid identities found

 # ... or ...

$ security find-identity -p basic -v 		  # display all installed certificates
  1) 1C8177C2xxxxxxxxxxxxxxxxxxx6C565999Dxxxx "signature"
  2) E8B3B406xxxxxxxxxxxxxxxxxxx6C8EA4A38xxxx "mycert"
  3) 3F4806E9xxxxxxxxxxxxxxxxxxx173A6C3C8xxxx "Apple Development: Developer Name (SXXXXXXXX7)"
     3 valid identities found

Display CodeSign information of the App.

$ codesign -dvvv /Applications/SomeApp.app   # Verbose

Executable=/private/tmp/SomeApp.app/Contents/MacOS/SomeApp
Identifier=com.durakiconsulting.someapp
Format=app bundle with Mach-O universal (x86_64 arm64)
...
TeamIdentifier=2XXXXXXXX5

 # ... or ...

$ codesign -dv -r- /Applications/SomeApp.app  # Base Attributes

Executable=/Applications/SomeApp.app/Contents/MacOS/SomeApp
...

Display (in)validity of the CodeSign Identity

$ codesign --verify -vv --no-strict /Applications/SomeApp.app

/Applications/SomeApp.app: invalid signature (code or signature have been modified)
In architecture: x86_64

Clear Extended Attributes

$ xattr -lr /Applications/SomeApp.app 		# to see which files are causing errors/codesign issues
$ xattr -cr /Applications/SomeApp.app 		# remove all extended attributes from the app bundle
$ xattr -c  /Applications/SomeApp.app/<file path> # clear extended attributes of a specific file

X.509 Certificate Format

$ rcodesign x509-oids 	# => to print OIDs for x.509 certs

1.3.6.1.5.5.7.3.3	        CodeSigning
1.2.840.113635.100.6.1.1	AppleSigning
1.2.840.113635.100.6.1.2	IPhoneDeveloper
...

Resources