Modifying DYLD

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Modifying DYLD

Postby vtan » Mon Apr 11, 2016 6:07 am

Hey Guys,

I'm wondering if it is possible to modify dyld, replace it and not have my device bricked?

I've recently come across an iOS app that I'm trying to analyze, but it has the restrict section and quite a few other protections in place that are making it such a pain to look through. I've tried removing the restrict section using optool or binary editing the app to change __restrict to __rrstrict. In the end the app just won't run; syslog shows the app crashing because of a malformed header.

I checked my work by testing the optool and binary editing method on a binary I created and it worked, just no idea why it won't work on the binary I'm analyzing.

So since __restrict is being enforced by dyld, is it possible to patch dyld? Or does anyone have any other ideas on how I can perform injection of libraries?
vtan
 
Posts: 11
Joined: Fri Jun 26, 2015 10:14 pm

Re: Modifying DYLD

Postby Siguza » Mon Apr 11, 2016 4:42 pm

Patching dyld just to tamper with a binary sounds like a horrible idea, besides being completely overkill.
Using an old dyld might or might not work (I guess it won't, because that would be too easy), but there's no way the kernel will go with an invalidly signed dyld (which will break the boot process*).

You should be able to simply patch the entire load command out and re-sign the binary.
If you're unfamiliar with the mach-o header structures, have a look at <mach-o/loader.h> (specifically mach_header_64 and segment_command_64, or their 32-bit counterparts).
Basically every command has its size written right before its name, and before that has the command type (both 4 bytes).
This tells you where the section starts and how long it is, so you can simply remove it from the file altogether.
This breaks offsets though, so you'll have to add the same number of (null) bytes after the last load command.
Now we have one load command less, so we have to decrease mach_header->ncmds (offset 20 bytes in file) by one, and subtract the length of the restrict segment from mach_header->sizeofcmds (offset 24 in file).
Then re-sign the binary and you should be good to go.

*unless, of course, you had a Bootrom/LLB/iBoot exploit and a patched kernel
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am
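To see the header layout Siguza walks through above, here is an added example (not code from the thread) that parses a little-endian 64-bit Mach-O header, walks its load commands with the cmd/cmdsize pair at the start of each one, checks that the walked sizes add up to mach_header_64.sizeofcmds (the consistency dyld enforces when it rejects a "malformed header"), and reports whether a __RESTRICT segment is present. It assumes a thin (non-fat) image and builds its own constructed sample with empty LC_SEGMENT_64 commands.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
HEADER_FMT = "<IiiIIIII"       # mach_header_64: magic, cputype, cpusubtype, filetype,
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # ncmds (offset 16), sizeofcmds (offset 20), flags, reserved
SEG64_FMT = "<II16sQQQQiiII"   # segment_command_64: 72 bytes, nsects = 0 in our samples


def parse_load_commands(data):
    """Return (ncmds, sizeofcmds, commands); each command is (cmd, cmdsize, segname)."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    commands, off = [], HEADER_SIZE
    for _ in range(ncmds):
        # Every load command begins with cmd (4 bytes) followed by cmdsize (4 bytes).
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("load command at offset %d overruns the file" % off)
        segname = None
        if cmd == LC_SEGMENT_64:   # segname is the 16-byte field right after cmdsize
            segname = data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace")
        commands.append((cmd, cmdsize, segname))
        off += cmdsize
    return ncmds, sizeofcmds, commands


def check_header(data):
    """Compare sizeofcmds with the walked commands and flag a __RESTRICT segment."""
    ncmds, sizeofcmds, commands = parse_load_commands(data)
    walked = sum(cmdsize for _, cmdsize, _ in commands)
    return {
        "ncmds": ncmds,
        "sizeofcmds_consistent": walked == sizeofcmds,
        "has_restrict": any(name == "__RESTRICT" for _, _, name in commands),
    }


def build_sample(with_restrict, corrupt_sizeofcmds=False):
    """Constructed sample image: header plus one or two empty LC_SEGMENT_64 commands."""
    segs = [b"__TEXT"] + ([b"__RESTRICT"] if with_restrict else [])
    cmds = b"".join(
        struct.pack(SEG64_FMT, LC_SEGMENT_64, 72, name.ljust(16, b"\0"),
                    0, 0x4000, 0, 0x4000, 5, 5, 0, 0)
        for name in segs)
    # A stale sizeofcmds (e.g. a command removed without fixing the header) is what we detect.
    sizeofcmds = len(cmds) + (72 if corrupt_sizeofcmds else 0)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, len(segs), sizeofcmds, 0, 0)
    return hdr + cmds
```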

Re: Modifying DYLD

Postby vtan » Mon Apr 11, 2016 7:24 pm

Hey Siguza,

Yeah, I figured it's a pretty bad idea and overkill, which is why I thought of checking with others around here before attempting it. Not really sure what's breaking after I have removed the restrict section from the binary I'm analyzing; it works fine on my test binary. I'll try manually patching the LC Segment and see if I get a different result. Maybe optool wasn't doing a good job. Thanks!
vtan
 
Posts: 11
Joined: Fri Jun 26, 2015 10:14 pm

Re: Modifying DYLD

Postby vtan » Mon Apr 11, 2016 7:48 pm

Another question: I've managed to decrypt the app via Clutch, but when I run it I get the following

Empty mangled name in mach-o header: /private/var/mobile/Containers/Bundle/Application/77254E84-57B9-43C2-9864-E9635C83CF4D/DP4MOBILE-iphone_App_Store.app/Digipass
Apr 12 03:31:36: --- last message repeated 2893 times ---

Any idea what is causing "Empty mangled name in mach-o header"?
vtan
 
Posts: 11
Joined: Fri Jun 26, 2015 10:14 pm

Re: Modifying DYLD

Postby morpheus » Mon Apr 11, 2016 10:57 pm

Just saw this... Missed the original question a while back (you'd think the forum is that busy ;-)
A) Maybe run jtool and see? Posting an error message from some application doesn't help if you don't at least show a file, or use a standardized tool.

B) re: dyld - modify your binary to change LC_DYLINKER to /usr/lib/dyl1

And then recompile dyld, modify, etc., save as /usr/lib/dyl1. Then you won't brick anything.

J
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Modifying DYLD

Postby vtan » Sun Apr 17, 2016 3:03 pm

Hey J,

Cool! Thanks for the idea, will try it out.
vtan
 
Posts: 11
Joined: Fri Jun 26, 2015 10:14 pm
