Stand with Ukraine
Stand with Ukraine
Microcontrollers have limited protection against cybersecurity threats and attacks. As a result, the security of Internet of Things (IoT) devices and embedded systems that rely on them can be compromised.
Businesses use web forms for both marketing and functional goals: to register a user, complete an order, collect a customer’s personal information, run a survey, etc. To ensure your web application provides a flawless user experience, you need to ensure your web forms work properly.
Organizations develop a minimum viable product (MVP) version of their software to test the idea and get the first feedback from end users. Building an MVP involves developing a quick prototype, while development of all non-essential features is saved for later.
Android applications collect all sorts of sensitive data about their users: financial records, personal preferences, geolocation, and even health metrics. Storing such data provides convenience for the user. However, it also subjects sensitive data to security risks if, for example, the device is rooted.
Every software development project can benefit from code that’s easy to read, change, and maintain. With code like this, you can easily add new functionality or modify existing functionality without compromising the performance and security of the entire solution.
Real estate is one of the industries that’s moving step by step towards digitalization, striving to automate operations and minimize the risk of fraud. Adopting non-fungible tokens (NFTs) seems like a reasonable next stage of this journey. However, it’s not always obvious how to leverage NFTs, what solutions to create, and what pitfalls to expect.
Enterprises send gigabytes of sensitive data through their networks daily. The bigger the organization, the more data it needs to process and the more maintenance its network requires. In large enterprises, a poorly optimized network may harm the performance of corporate software. And if it has security vulnerabilities, the network becomes an entryway for hackers.
Modern IT products often have to handle various file formats. And while it’s quite easy to ensure compatibility with open file formats, making your software process proprietary or closed file formats is tricky.
Today’s software solutions require continuous improvements. But what used to take weeks or even months can now be done with a couple lines of code, assuming you have the right application programming interface (API) at hand.
By integrating APIs into their software, developers can improve product security and performance and expand existing functionality with new services and features. Unfortunately, some APIs might be poorly documented or have hidden security or performance issues.
In this article, we describe how to reverse engineer a macOS API. We also show how to use a reversed undocumented macOS API in a proof of concept (PoC) Swift application. This article will be useful for macOS development teams who need to work with undocumented or poorly documented APIs.
Written by:
Alexandr K.,
Reverse Engineer,
System Programming Team
and
Anton Kukoba,
Security Research Leader
Contents:
Reverse engineering undocumented APIs
Disabling the System Integrity Protection on macOS
Locating the API to be reverse engineered
Using the reversed API in a Swift PoC
Step 1: Obtaining a method signature
Not all APIs are properly documented. Some are private with no publicly available information on their internals. Such APIs are primarily intended to be used by in-house developers working on proprietary software. Others might be public but have incomplete documentation due to the continuity of the project, poor development practices, or frequent changes in development teams.
The problem is that when you integrate an undocumented API into your software, there’s a high risk of facing compatibility issues, compromising the solution’s performance, and even introducing new security flaws. That’s why before working with a private or undocumented API, you might need to first reverse engineer and analyze it.
Note: Make sure to check the terms of service before reverse engineering a private API that isn’t yours to avoid any legal issues. Also, remember that unlike open or public APIs, private APIs can be changed without any prior notice, so using another company’s private API in your own project should be a last resort.
There are several scenarios when reversing an undocumented API proves helpful:
When you know exactly how a certain API operates, it’s much easier to identify possible flaws and security issues and figure out the best way to integrate the API into your software. So let’s see how to reverse engineer an API for macOS in practice.
How can you reverse engineer an undocumented macOS API and when do you really need to do it?
Say you have a project where you need to display the developer mode status. Generally, there are two ways you can do that:
From the technical point of view, getting the needed output directly from a system utility is easy. However, this isn’t always preferred due to possible performance bottlenecks. To enhance your application’s performance, it might be more efficient to identify the corresponding system API and invoke it directly from within the application.
For this article, we’ll be working with an undocumented API used by the systemextensionsctl developer utility to report and modify the status of developer mode on macOS. We’ll need to reverse engineer this macOS API and analyze it before integrating it into our Swift project.
The reverse engineering activities described in this article were performed on macOS Monterey 12.3.1 running on Apple Silicon. As the main tool for analysis, we used Ghidra 10.1.2, a popular suite of tools for software reverse engineering.
Before analyzing the systemextensionsctl API, we need to disable System Integrity Protection (SIP). Without doing so, it would be impossible to enable, disable, or display the current developer mode status. Our proof of concept application, however, imposes no such requirement, as it can only display but not modify the developer mode status.
The process of disabling SIP is described in detail in the Disabling and Enabling System Integrity Protection article on the Apple Developer website.
Once SIP is disabled, you can use the following commands to set the desired developer mode:
To query the developer mode status, use the following command:
The status is reported as being off or on based on the current setting:
Later, we’ll compare the output generated by our PoC against this output.
Next, we locate the API that displays the developer mode status. To do so, we upload the systemextensionsctl binary into Ghirda and get the disassembled binary code. We then perform a textual search using the output of the query command to identify the appropriate function. Ghidra identifies this function as FUN_100003754.
Note: As the aim of this post is to illustrate the overall process rather than provide step-by-step reversing instructions, we won’t cover this step in detail.
Now we can move on to analyzing the code of the FUN_100003754 function in detail.
In Table 1 below, you can see the disassembly of the code block that determines the developer mode status with the accompanying pseudo code, as may be seen in Ghidra’s disassembly and decompiler listings, respectively.
Table 1: Disassembly of the code block that determines the developer mode status
| Offset | Opcodes | Mnemonics |
| 100003754 | 7f 23 03 d5 | pacibsp |
| 100003758 | ff 83 01 d1 | sub sp,sp,#0x60 |
| 100003788 | 00 57 04 58 | ldr x0=>_OBJC_CLASS_$_OSSystemExtensionClient |
| 10000378c | 73 0d 00 94 | bl __auth_stubs::_objc_alloc_init |
| 100003790 | f3 03 00 aa | mov x19,x0 |
| 100003794 | ff 0b 00 f9 | str xzr,[sp, #local_50] |
| 10000379c | 21 4b 04 58 | ldr x1=>s_developerMode:error:_10000716e |
| 1000037a0 | e2 7f 00 91 | add x2,sp,#0x1f |
| 1000037a4 | e3 43 00 91 | add x3,sp,#0x10 |
| 1000037a8 | 7c 0d 00 94 | bl __auth_stubs::_objc_msgSend |
| 1000037ac | f5 03 00 aa | mov x21,x0 |
| 1000037b0 | e0 0b 40 f9 | ldr x0,[sp, #local_50] |
| 1000037b4 | 8d 0d 00 94 | bl __auth_stubs::_objc_retain |
| 1000037b8 | f4 03 00 aa | mov x20,x0 |
| 1000037bc | b5 08 00 36 | tbz w21,#0x0,LAB_1000038d0 |
| 1000037c0 | e8 7f 40 39 | ldrb w8,[sp, #local_41] |
| 1000037c4 | e9 f7 01 10 | adr x9,s_Developer_mode_is_on_1000076c0 |
| 1000037cc | 4a f8 01 50 | adr x10,s_Developer_mode_is_off_1000076d6 |
| 1000037d4 | 1f 01 00 71 | cmp w8,#0x0 |
| 1000037d8 | 40 01 89 9a | csel x0=>s_Developer_mode_is_on_1000076c0,x10,x9,eq |
| 1000037dc | 2b 00 00 14 | b LAB_100003888 |
| 100003888 | 6c 0d 00 94 | bl __auth_stubs::_printf |
| 10000388c | 15 00 80 52 | mov w21,#0x0 |
| 100003890 | 02 00 00 14 | b LAB_100003898 |
| 100003898 | e0 03 13 aa | mov x0,x19 |
| 10000389c | 4f 0d 00 94 | bl __auth_stubs::_objc_release |
| 1000038bc | ff 83 01 91 | add sp,sp,#0x60 |
| 1000038c0 | ff 0f 5f d6 | retab |
Now, let’s outline the purpose of some of the lines above:
Table 2: Purpose of code lines from the disassembly
| Offset | Commentary |
| 100003758 | 0x60 bytes of local storage allocated on this function’s stack |
| 100003788-100003790 | Create an instance of the OSSystemExtensionClient class |
| 100003794-1000037b8 | Set up the parameters for and invoke the OSSystemExtensionClient developerMode:error method |
| 1000037bc-100003888 | If the OSSystemExtensionClient developerMode:error method returns true and a non-zero value in the local41 variable, the printf function displays the message “Developer mode is on.” Otherwise, the printf function returns the message “Developer mode is off.” |
| 1000038bc-1000038c0 | Restore local storage and exit the function |
The above disassembly would correspond to the following pseudo code generated by Ghidra’s decompiler and shown in the decompiler listing:
Now that we have successfully reversed the OSSystemExtensionClient API, we want to make sure we can use it in our PoC.
To use the reversed OSSystemExtensionClient API in a PoC written in Swift, we need to:
Note: The following instructions apply to compiling Swift applications only. They won’t work if applied to applications written in other programming languages.
Let’s begin with the first of these two steps.
The OSSystemExtensionClient API is part of the SystemExtensions framework. The framework is packaged as a dynamically linked shared library, which is part of the dynamically linked shared library cache available at /System/Library/dyld/dyld_shared_cache_arm64e.
There are tools available, such as class-dump and classdump-dyld, that can generate Objective-C header files with method signatures based on their analysis of binaries and libraries. Unfortunately, none of these tools worked for us out of the box in our environment, with each generating multiple compilation errors. The method signature was obtained using Ghidra instead.
To analyze the SystemExtensions framework with Ghidra, we first need to extract the framework library from the cache file. There are various tools you can use for this task, like DYLDExtractor, the dyld_shared_cache_util command-line tool, or the dyld-shared-cache-extractor tool. For the example described in this article, we used dyld-shared-cache-extractor, as it’s readily available as a precompiled binary package through the Homebrew software repository, which makes it immediately usable.
With the help of this tool, we can extract the needed library from the cache file:
The extracted binary is now available at the following path:
After extracting the library and analyzing it with Ghidra, we see the following method signature in the decompiler view:
Quick inspection of the pseudo code indicates that the return value represented as a local variable bVar9 is a boolean value, set to zero or one to denote truth or falsehood respectively:
The param1 parameter is a pointer to an instance of the OSSystemExtensionClient class. Whatever is passed as the param2 parameter doesn’t appear to be used within the developerMode method, the value of this parameter being set to zero:
The param3 and param4 parameters are identified as pointers and are the only ones that are passed explicitly.
Note: When reverse engineering system APIs, keep in mind that the same methods might have different signatures depending on the version of macOS you’re working with.
Next, we generate the header files containing the signature of the reversed API and import them into our Swift PoC.
The first thing we need to do is generate Objective-C headers containing the signature of the method we’ve reversed. Based on our method signature analysis through Ghidra, the following signature was found as working:
The method signature can now be put into OSSystemExtensionClient.h and imported into the devmodestat-Bridging-Header.h header file. To do so, we use the following commands:
Next, we generate the source file for our PoC with the following command:
After that, we can use the following commands to compile the PoC, link it against SystemExtensions.framework, and verify the resulting executable:
Once we compile the PoC, we can compare its output with the output generated by the systemextensionsctl developer utility.
Here’s the output generated with developer mode enabled:
And the output generated with developer mode disabled:
As you can see, the output of the PoC is identical to the output generated by the macOS system API. This demonstrates that we managed to properly reverse an undocumented macOS API and successfully integrate it in the PoC.
Software developers often need to work with undocumented or poorly documented APIs. Reverse engineering can help them get the information they need to understand the inner workings, recover lost source code, and ensure smooth and secure integration of the analyzed API into the solution they’re working on.
At Apriorit, we have a team of highly experienced reverse engineers who will gladly assist your company with tasks requiring deep expertise in software research and analysis.
Get in touch with us to discuss your project’s reverse engineering tasks!
Building a microservice-based architecture helps you deliver a scalable, flexible, and agile solution. However, this approach complicates development, as you have to set up the connections between all modules and databases.