Getting binaries of MobileCoreServices.framework

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Getting binaries of MobileCoreServices.framework

Postby adam81 » Sun Oct 22, 2017 2:19 pm

Hi,


I'd like to try and fix an open source GitHub project that uses the LSApplicationWorkspace private API.
This API contains the methods allApplications and allInstalledApplications, which list all installed applications on the device.

The methods work fine in the simulator, but on a device running iOS 11 they return zero results.

So first, I downloaded the IPSW file; opening it, I got the following list of files:

Code:
-rw-r--r--@  1 adam.k  staff    15139280 Oct  7 08:16 kernelcache.release.iphone9
-rw-r--r--@  1 adam.k  staff  2462102996 Oct  7 11:25 058-59998-354.dmg
drwxrwxr-x@ 14 adam.k  staff         476 Oct  7 11:34 Firmware
-rw-r--r--@  1 adam.k  staff    59088923 Oct  7 11:44 058-59982-359.dmg
-rw-r--r--@  1 adam.k  staff    59801627 Oct  7 11:44 058-59988-357.dmg
-rw-r--r--@  1 adam.k  staff        3282 Oct  7 11:49 Restore.plist
-rw-r--r--@  1 adam.k  staff      257603 Oct  7 11:53 BuildManifest.plist


According to some resources from this forum, I understood that the relevant image here is the largest dmg file. After opening it, I got the following mount:
/Volumes/Tigris15A432.D10D101OS


When looking for the right framework in this image, I found:
System/Library/Frameworks/MobileCoreServices.framework


But it doesn't seem to contain any dylib/Mach-O files, and I couldn't find the symbol...

However, in the Info.plist of that framework it says:
<key>CFBundleExecutable</key>
<string>MobileCoreServices</string>


But I couldn't find this MobileCoreServices file anywhere in the image... any idea where I should look for it?

UPDATE:

After digging some more in the image, it seems that all frameworks under /Volumes/Tigris15A432.D10D101OS/Library/Frameworks are missing.
I thought this image was complete... are these frameworks somehow loaded at runtime?
adam81
 
Posts: 18
Joined: Mon Jan 25, 2016 9:26 am

Re: Getting binaries of MobileCoreServices.framework

Postby Siguza » Sun Oct 22, 2017 3:24 pm

That's what the dyld cache is for. All libraries and frameworks are in System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am
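As an added example (not code from the thread or any of its posters), here is a small Python parser for the image table at the front of the cache file Siguza points to, so you can confirm that MobileCoreServices is in there, and at which unslid address, before reaching for Hopper or jtool. It assumes the iOS 11-era dyld_cache_header layout (image table offset and count at bytes 24..32); later dyld versions moved the image list to new header fields, so on recent caches this would only see the legacy table. The sample cache bytes are constructed inline.

```python
import struct
from typing import List, Optional, Tuple

# dyld_cache_header, iOS 11-era layout (only the leading fields are needed here):
#   char magic[16]; uint32 mappingOffset; uint32 mappingCount; uint32 imagesOffset; uint32 imagesCount
HEADER_FMT = "<16sIIII"
# dyld_cache_image_info: uint64 address; uint64 modTime; uint64 inode; uint32 pathFileOffset; uint32 pad
IMAGE_FMT = "<QQQII"
IMAGE_SIZE = struct.calcsize(IMAGE_FMT)  # 32 bytes per entry

def list_cache_images(data: bytes) -> List[Tuple[str, int]]:
    """Return (install path, unslid load address) for every image in a dyld shared cache."""
    magic, _moff, _mcount, img_off, img_count = struct.unpack_from(HEADER_FMT, data, 0)
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld shared cache, magic=%r" % magic)
    images = []
    for i in range(img_count):
        addr, _mtime, _inode, path_off, _pad = struct.unpack_from(IMAGE_FMT, data, img_off + i * IMAGE_SIZE)
        end = data.index(b"\0", path_off)  # install names are NUL-terminated C strings
        images.append((data[path_off:end].decode("utf-8"), addr))
    return images

def find_image(data: bytes, suffix: str) -> Optional[Tuple[str, int]]:
    """Find one image by install-name suffix, e.g. 'MobileCoreServices.framework/MobileCoreServices'."""
    for path, addr in list_cache_images(data):
        if path.endswith(suffix):
            return path, addr
    return None

def build_sample_cache() -> bytes:
    """Constructed stand-in for a real cache: header, two image_info entries, then the path strings."""
    paths = [b"/usr/lib/libSystem.B.dylib",
             b"/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices"]
    img_off = struct.calcsize(HEADER_FMT)          # image table directly after the (truncated) header
    strings_off = img_off + len(paths) * IMAGE_SIZE
    blob = bytearray(struct.pack(HEADER_FMT, b"dyld_v1   arm64".ljust(16, b"\0"), 0, 0, img_off, len(paths)))
    strings = bytearray()
    for i, p in enumerate(paths):
        blob += struct.pack(IMAGE_FMT, 0x180000000 + i * 0x100000, 0, 0, strings_off + len(strings), 0)
        strings += p + b"\0"
    return bytes(blob + strings)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cache()
    for path, addr in list_cache_images(blob):
        print("0x%x  %s" % (addr, path))
```

Run it against System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 from the mounted image to list every embedded framework and dylib with its address.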

Re: Getting binaries of MobileCoreServices.framework

Postby adam81 » Mon Oct 23, 2017 9:16 am

Thanks, I wasn't aware of this arrangement of frameworks. It looks like most of the commonly used iOS frameworks and dylibs do not exist as separate files but are bundled all together in the file dyld_shared_cache, including MobileCoreServices.framework.

However, when I extracted this framework from the file above using Hopper, I still couldn't find the exact implementation of LSApplicationWorkspace.
I've attached the symbol as Hopper translates it; it seems to contain references to the basic entities _NSObject and __objc_empty_cache but no real code in there...


Attached screenshot: Screen Shot 2017-10-23 at 11.52.34 AM.png


Perhaps you can guide me on how to find the method allApplications inside this class?

Also, is it possible that, unlike in dylib files, class methods in a framework don't necessarily possess unique symbols of their own?

For example, in C++ code, you can see the symbols of each method in the class, mangled.
adam81
 
Posts: 18
Joined: Mon Jan 25, 2016 9:26 am

Re: Getting binaries of MobileCoreServices.framework

Postby adam81 » Mon Oct 23, 2017 11:14 am

BTW, is it possible that the extracted image from the cache file is not complete? Is it optional to disassemble the dyld cache file directly?
adam81
 
Posts: 18
Joined: Mon Jan 25, 2016 9:26 am

Re: Getting binaries of MobileCoreServices.framework

Postby Siguza » Mon Oct 23, 2017 2:58 pm

Well, extraction doesn't equal extraction. No extraction method I know that still works on iOS 10 and later yields actually usable results. And jtool has support for in-cache disassembling, other reversing tools not so much...
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Getting binaries of MobileCoreServices.framework

Postby adam81 » Mon Oct 23, 2017 3:31 pm

But if I can jailbreak a device and run an application that uses LSApplicationWorkspace, the symbol should be visible, since it will be resolved at runtime from dyld_shared_cache_arm64, right?
adam81
 
Posts: 18
Joined: Mon Jan 25, 2016 9:26 am

Re: Getting binaries of MobileCoreServices.framework

Postby Siguza » Mon Oct 23, 2017 3:37 pm

Oh yeah, everything's still present in the cache, no doubt. But when the cache is created, a lot of stuff in the libraries is reorganised and merged. Extractor tools have to try and undo that, but that's often not so easy.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Getting binaries of MobileCoreServices.framework

Postby Wingzero » Tue Oct 24, 2017 3:31 am

Just FYI, IDA Pro 7.0 can take the dyld cache as input and load the target framework along with its dependency frameworks, and possibly resolve those jumping and mapping issues. However, it takes way too much time to finish analyzing. It took me 72 hours and was still running, but luckily I got what I wanted to look at and killed IDA then...

I am still wondering how to load a single framework from the dyld cache with IDA Pro, and manually calculate/understand which framework is missing so I can load it manually. IDA Pro's new feature includes too many false dependencies and slows down the whole process.

I asked a similar question here: viewtopic.php?f=7&t=17156
Wingzero
 
Posts: 34
Joined: Thu Jul 27, 2017 2:35 am

