Sunday, April 19, 2015

Interview: Hopper, the software that upends Mac security – MacGeneration

The last two major security vulnerabilities affecting the Mac, Thunderstrike and rootpipe, were discovered using Hopper Disassembler, a reverse engineering tool for delving into the guts of any application. Used by leading hackers, this disassembler has also made it possible to dissect UXKit, a new private Apple framework, to bring to light the multi-window mode of iOS 8, to develop software that modifies the Finder, and more.

Hopper, sold at €89 for a personal license (a demo version is available), supports Mac, iOS, Linux and Windows executables. Interview with its creator, Vincent Bénony.

MacGeneration: What does Hopper Disassembler let you do?

Vincent Bénony: Hopper Disassembler is software whose purpose is to study the inner workings of other applications. It automatically analyzes and structures them, somewhat in the manner of a microprocessor. This is known as static code analysis.

Hopper lets you view the assembly code, but also manipulate it interactively. It also lets you debug, or even “decompile”, the application under certain conditions.

What is the difference between disassembling and decompiling an application?

Disassembly consists of transforming a sequence of bytes into assembly instructions. This is the simplest part.

If you look at an application in a hex editor, you can see that it is just a long sequence of bytes, unintelligible to a human being, in which code and data are mixed.

The TextEdit application in a hex editor

Disassembly consists of simulating the microprocessor's decoding work, in order to know which instruction it must execute. To do that, the microprocessor reads one byte at a time until it recognizes a full instruction, and then executes the corresponding action.

Thus the byte sequence “48 8B 35 07 ED 01 00” means, for it, “mov rsi, QWORD [ds: 0x100020438]”, or “read a 64-bit word from memory at 0x100020438 and store this value in the rsi register”.

The same application in Hopper

Once each instruction has been decoded, Hopper carries out a further analysis of the application. To do so, it “follows” the code and tries to determine all possible paths of execution.

It thereby recreates part of the logical structure of the application, which makes it possible to separate the instructions of the different methods, and even to cut them into smaller blocks (called basic blocks). It also tries to separate code from data (such as the strings that are displayed when the program runs, for example).

With this analysis, Hopper is able to display a more graphical representation of the application's execution.

The graph of a method (CFG)

Decompilation is the next step: the idea is to try to recover what the “original” code looked like, the code the developer originally wrote, which was then compiled.

Indeed, no developer writes assembly code directly. Instead, they use a high-level language such as Objective-C, and a compiler such as Clang, which comes with Xcode, to turn this language, which the microprocessor cannot understand, into assembly.

Unfortunately, along the way, a large amount of information about the logical structure of the application is lost, mainly during the optimization phase, where the compiler reworks the code to make it run as fast as possible, which makes the work of decompilation very complicated.

Still, Hopper has many internal heuristics that make it possible, in many cases, to recover this information. Basically, Hopper does automatically what a reverse engineer would have done by hand. To summarize, Hopper contains years of human expertise in reverse engineering.

After decompiling a method, Hopper is able to transform this sequence of instructions


into this:

This is what I call “pseudo-code”, in the sense that it cannot be given directly to a compiler, but there is a good chance that the code the developer wrote is very close to it.

Note that what you see in this last screenshot results from a fully automated process: I only dragged the TextEdit application onto the Hopper window, and then I clicked the “Pseudo Code” button.

Conversely, what does Hopper not allow you to do, and why?

Hopper is unfortunately not magic; it cannot decompile every method legibly with certainty. Sometimes parts of applications were written by hand, directly in assembler, or the compiler optimized parts aggressively. In this case, the version decompiled by Hopper is little more readable than the disassembled version.
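
The byte-by-byte decoding step described in the interview, worked through for the one instruction it quotes, as an added example that is not part of the interview and not Hopper's code. The load address 0x10000172A is an assumption, chosen so that the RIP-relative displacement resolves to the 0x100020438 given in the answer; the function name is hypothetical.

```python
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{n}" for n in range(8, 16)]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"] + [f"r{n}d" for n in range(8, 16)]

def decode_mov_load(code: bytes, addr: int):
    """Decode one x86-64 `mov reg, r/m` (opcode 8B) located at `addr`.

    Returns (length, text, target), where target is the absolute address read
    for a RIP-relative operand, or None for a register operand. Other
    addressing forms raise ValueError rather than being guessed at.
    """
    i, rex = 0, 0
    if code and code[0] & 0xF0 == 0x40:      # REX prefix, bit layout 0100WRXB
        rex, i = code[0], 1
    if len(code) < i + 2:
        raise ValueError("truncated instruction")
    if code[i] != 0x8B:
        raise ValueError(f"unsupported opcode {code[i]:#04x}")
    modrm = code[i + 1]
    i += 2
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    wide = bool(rex & 0x08)                  # REX.W selects 64-bit operands
    regs, size = (REGS64, "QWORD") if wide else (REGS32, "DWORD")
    dst = regs[reg | ((rex & 0x04) << 1)]    # REX.R supplies bit 3 of reg
    if mod == 3:                             # register-to-register form
        src = regs[rm | ((rex & 0x01) << 3)] # REX.B supplies bit 3 of rm
        return i, f"mov {dst}, {src}", None
    if mod == 0 and rm == 5:                 # RIP-relative: disp32 follows
        if len(code) < i + 4:
            raise ValueError("truncated displacement")
        disp = struct.unpack_from("<i", code, i)[0]   # signed, little-endian
        i += 4
        target = addr + i + disp             # relative to the NEXT instruction
        return i, f"mov {dst}, {size} [{target:#x}]", target
    raise ValueError("addressing form not handled in this example")

# Bytes quoted in the interview; the address is an assumed value (see lead-in).
SAMPLE = bytes.fromhex("48 8B 35 07 ED 01 00")
SAMPLE_ADDR = 0x10000172A

if __name__ == "__main__":
    print(decode_mov_load(SAMPLE, SAMPLE_ADDR))
```

The displacement is added to the address of the following instruction, which is why the decoder needs the instruction's own address and length before it can name the memory location.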
