Project 8: Disassembling the Stitcher iPhone App with Hopper (15 pts.)

What You Need

Purpose

To perform very simple static analysis on an iPhone app from the App Store. See Project 2x for the process of decrypting an app.

Getting Hopper

In S214, Hopper should already be installed. Click the magnifying glass at the top right of the Mac desktop (Spotlight) and type hopper. Double-click "Hopper Disassembler v3".

If Hopper is not found, go here to get the free version:

https://www.hopperapp.com/

Getting the Stitcher IPA File

Right-click on this link and download the IPA file. Save it in your Downloads folder.

https://samsclass.info/128/proj/com.stitcher.player-iOS7.0-(Clutch-2.0.4).ipa

Unzipping the IPA File

In a Terminal window, execute these commands, replacing YOURNAME with your own name. The IPA filename contains parentheses, so it is quoted to keep the shell from interpreting them:

cd

cd Downloads

mkdir YOURNAME

cd YOURNAME

mv "../com.stitcher.player-iOS7.0-(Clutch-2.0.4).ipa" .

unzip "com.stitcher.player-iOS7.0-(Clutch-2.0.4).ipa"

A long list of files scrolls by, as the entire app is unzipped, as shown below.

In the same Terminal window, execute these commands:

cd Payload/Stitcher.app

ls -l Sti*

The "Stitcher" executable file appears, approximately 16 MB in size, as shown below.

Opening the Stitcher App in Hopper

In Hopper, from the menu bar, click File, "Read Executable to Disassemble...".

Navigate to the Stitcher app, which should be in a path like this:

~/Downloads/YOURNAME/Payload/Stitcher.app

Double-click Stitcher.

A box pops up saying this is an ARM v7 file. Click Next.

Click OK.

Hopper opens, as shown below. Notice the named items, as labeled below.

Hopper is big and complicated, but for now we'll only use a few of its simpler features.

Simplifying the Hopper Window

At the top right, click the rightmost of the three "Show/Hide Panes" buttons, to hide the rightmost pane.

In its right pane, Hopper now shows assembly language instructions like "push" and "add" on the left, and helpful comments in green on the right, as shown below.

Finding the encryptPassword Method

In the top left of the Hopper window, in the Search box, type

encrypt

The first hit is the one we want. Click -[User encryptPassword].

Hopper shows the assembly language for this routine in the right pane, as shown below.

Viewing Pseudocode

We could read this assembly code and try to figure out how it works, but Hopper can make it even easier.

At the top right of the Hopper window, click the Pseudocode button (outlined in red in the image above).

Hopper translates the assembly code into C-like pseudocode, as shown below.

This stuff is easier to read, but still not very helpful.

Close the "Pseudo Code" window and, in the left pane of Hopper, click the next method: -[Encrypt init].

Click the Pseudocode button again.

This pseudocode isn't very helpful either, as shown below.

Continue generating pseudocode for each method until you get to -[Encrypt setClear].

This pseudocode is more interesting, as shown below.

Notice the two lines outlined in red in the image above.

The first one defines a string of 64 characters including uppercase letters, lowercase letters, numbers, dash, and underscore. This looks like a lookup table of characters to use when encrypting.

The second one performs a calculation that loops through the numbers 0 through 63 (0x3f in hexadecimal).

It looks like the "encryption" involves shifting letters around a loop of those 64 characters, which is very similar to what the Android app did.
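
An added example, not code from the Stitcher app or from this project page: it models the kind of scheme described above so you can see why a reviewer would call it encoding rather than encryption. The table order, the shift constant, and the names rotate and review_findings are assumptions made for illustration.

```python
import string

# Constructed table with the character classes the page describes (A-Z, a-z,
# 0-9, dash, underscore). The order used by the real app is an assumption.
TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"


def rotate(text, shift):
    """Assumed scheme: move every table character `shift` places around the
    64-entry loop (index & 0x3f wraps 0..63); other characters pass through."""
    out = []
    for ch in text:
        idx = TABLE.find(ch)
        out.append(ch if idx < 0 else TABLE[(idx + shift) & 0x3F])
    return "".join(out)


def review_findings(sample):
    """Properties a code reviewer would record for this kind of routine."""
    shift = 5  # hypothetical constant; in such a scheme it ships inside the binary
    encoded = rotate(sample, shift)
    return {
        # No salt or randomness: equal passwords give equal stored values.
        "deterministic": encoded == rotate(sample, shift),
        # No secret is needed to undo it, only the table and the constant.
        "reversible": rotate(encoded, -shift) == sample,
        # Every possible shift, i.e. the entire "key space".
        "distinct_shifts": len({rotate(sample, s) for s in range(len(TABLE))}),
        # The length of the input leaks straight through to the output.
        "length_preserved": len(encoded) == len(sample),
    }


if __name__ == "__main__":
    # Constructed sample input, not a real credential.
    for name, value in review_findings("Passw0rd_example").items():
        print(f"{name}: {value}")
```

Because everything needed to undo the transformation is in the executable itself, static analysis like the Hopper session above is enough to recover it.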

Saving a Screen Image

Make sure the two lines outlined in red in the image above are visible.

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 8a", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 8 from YOUR NAME

Posted 1-25-17
Revised 2-2-17