Tuesday, March 31, 2009

Releases: Thumb Dumb Disassembler & Calculator.searchBundle

Last few weeks I've diverted myself from iKeyEx to the 3.0 VFDecrypt key. The result? Of course it's failure, otherwise you'll see the key on theiphonewiki right now.

But a nice by-product is the "Thumb Dumb Disassembler". For iPhone reverse engineering, if the code is compiled to ARM then ravel-arm can be used to give very useful information. However, if it is compiled to Thumb then ravel can't handle the code correctly. It will treat the code as ARM and output garbage. Sadly, unlike otool, there is no force-Thumb mode in ravel so we can't do much.

When nobody can save you, you have to save yourself. Therefore I've written a disassembler specially for Thumb mode. This disassembler can extract useful data and perform numerical arithmetic linearly (ignoring all branches). I term this Dumb Disassembler as it doesn't perform branch analysis nor symbolic arithmetic. A Smart Disassembler will do both and the result in decompiler-quality output.

The Thumb Dumb Disassembler can be downloaded in thumb-ddis.zip. Unlike other networkpx projects, Thumb Dumb Disassembler is released in GPLv3.

(Sidetrack: What about the VFDecrypt key? In pre-3.0 asr there is a specific __DATA,__restore section to store the key. In post-3.0 asr this is computed in run time using the SHA-1 and SHA-256 keys of the CPU identifier (s5l8900x) and the content of the whole ramdisk. And then I got a 64-char incorrect password from it. There is another way to extract the key: run the asr, put a break point at 0x00011836, and retrieve the CFString at r0. On my device both the 2.2.1 and 3.0 asr Bus-errored me when I try to actually run them.)




Now, let's talk about something not so technical. One of the new customer features in iPhoneOS 3.0 is the Spotlight. But one essential component missing from the Mac OS X Spotlight is the calculator.

When the SDK was just released, some developers noticed the directories /System/Library/SearchBundles/*.searchBundle and it does mean Spotlight is extensible right? Indeed it is.

After disassembling the 2 searchBundles in it, I have a rough idea of how these bundles work. So with minimum effort, I've created this Calculator.searchBundle:

Because 3.0 is not jailbroken yet, only the Simulator version exists. If you have the SDK, you can now download Calculator.searchBundle.zip to test the bundle. The source code is also provided (under BSD license) so you can code up your own.

Note that the 3.0 SDK is not finalized so the code shown here may not work in June.

2 comments:

  1. here is where you went wrong with asr...you did get pretty far; kudos :) but, there is more. after it does all the sha fuckery, as you can see from GenPass source, there is more fuckery to be reversed in DiskImages framework. what you were able to get was the passphrase (not the key), which is half the battle, so again major kudos on that. I think the faux-64bit shit was the most annoying of it all.

    ReplyDelete
  2. thank you very much for your disassembler! it solves many problems because not only ravel-arm has problems with thumb but also IDA.

    btw. one thing you might wanna try out is radare http://www.radare.org/new/

    it's an awesome RCE tool.

    ReplyDelete