Reverse Engineering iPhone AppStore Binaries
2009-03-10 11:18
FROM DVLABS.
I recently had the need to peek under the hood of an iPhone application I purchased through the AppStore and quickly came to discover that getting started takes a bit more effort than simply dragging and dropping into IDA. I'm certainly not the first person to have done this, but when faced with a new challenge I like to figure it out the hard way at first, to better understand the fine details. This blog entry details how to get an application into a reversible state.
iPhone apps purchased through the AppStore live in your iTunes library under the folder "Mobile Applications". Each app is stored in a zip archive with a .IPA extension. You can simply rename the file to .ZIP and decompress it to view the contents. I'll use the game Fieldrunners as the example in this blog, which is, in my opinion, the best iPhone game available. Decompressing and loading Payload\Fieldrunners.app\Fieldrunners into IDA 5.4 will properly parse the Mach-O binary, list some symbols and provide you with very little and very odd-looking disassembled code. Examining the string table reveals next to nothing. This is because the binary is encrypted, so the app is in an unacceptable state for reverse engineering.

The iPhone loader is responsible for decryption at run-time, so I figured my best bet would be to jailbreak my phone and get on the actual device. Jailbreaking is an impressively easy operation these days, requiring only a few minutes with QuickPWN and installing some basic necessities like OpenSSH and GDB. Once on the device, you have to find your target application's directory and make a working copy of it:
# cd /private/var/mobile/Applications/
# find ./ -iname \*.app | grep Field
CA838FFC-8D74-4DB3-AB99-9410A7E860B7/Fieldrunners.app
The executable is a 32-bit Mach-O file which consists of three main regions: a header, followed by load commands, followed by segments/sections. Here is an illustration (not my own, found it on Google):
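As an added example that is not part of the original post, here is a small Python walker over those three regions: it reads the header, iterates the load commands, collects segments via LC_SEGMENT, and reports the LC_ENCRYPTION_INFO command (cryptoff, cryptsize, cryptid from <mach-o/loader.h>, which the post does not name) whose non-zero cryptid is the quickest on-disk check for why IDA shows next to nothing. The input is a constructed minimal ARM header, not the Fieldrunners binary.

```python
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O; little-endian on ARM, so the file starts CE FA ED FE
LC_SEGMENT = 0x01            # 32-bit segment_command (56 bytes)
LC_ENCRYPTION_INFO = 0x21    # encryption_info_command: cryptoff, cryptsize, cryptid
CPU_TYPE_ARM = 12
MH_EXECUTE = 2

def parse_macho32(data):
    """Walk the header and load commands of a 32-bit little-endian Mach-O.
    Segments are reached through LC_SEGMENT commands; an LC_ENCRYPTION_INFO
    command with cryptid != 0 means the file bytes [cryptoff, cryptoff+cryptsize)
    are still encrypted on disk and are only decrypted by the loader at run-time."""
    if len(data) < 28:
        raise ValueError("too short for a mach_header")
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O (magic 0x%08x)" % magic)
    info = {"cputype": cputype, "filetype": filetype, "ncmds": ncmds,
            "segments": [], "encrypted": False, "cryptoff": None, "cryptsize": None}
    off, end = 28, 28 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:          # refuse to walk off the command table
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd == LC_SEGMENT:
            segname = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<4I", data, off + 24)
            info["segments"].append((segname, fileoff, filesize))
        elif cmd == LC_ENCRYPTION_INFO:
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            info["encrypted"] = cryptid != 0
            info["cryptoff"], info["cryptsize"] = cryptoff, cryptsize
        off += cmdsize
    return info

def build_sample(cryptid):
    """Constructed input (not a real app): an ARM MH_EXECUTE header with one __TEXT
    segment and an LC_ENCRYPTION_INFO command covering 0x1000 bytes of it."""
    seg = struct.pack("<2I16s4I2iII", LC_SEGMENT, 56, b"__TEXT", 0x1000, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    cmds = seg + enc
    hdr = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 6, MH_EXECUTE, 2, len(cmds), 0)
    return hdr + cmds
```

Running parse_macho32 over the bytes of a real .app executable tells you before any disassembly whether the __TEXT region is still encrypted on disk.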