A Synopsys consultant, Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.
Another useful feature of MEMSCAN is the ability to search the memory space of a process for a specified sequence of bytes. An example use of such functionality would be to locate functions in memory at runtime. If the application is a position independent executable (PIE), i.e. the addresses of objects and functions in memory are randomized with each run, then the tool can be used to get the address of a function.
There are currently two ways users can use the utility:
When storing the bytes in a file, users should do this like so:
echo -n -e 'x55x48x89xE5xB8x15x00x00x00x5D' > needle
Individuals interested in using Grant’s creation can download MEMSCAN simply by adding Grant’s repo to Cydia (for jailbroken Apple Devices).
Alternatively, individuals interested in making changes can do so by visiting the source code.
Any questions or comments can be left below or sent to Grant directly on Twitter @Hexploitable.
Grant Douglas is an associate principal security consultant at Synopsys. His primary area of expertise is in mobile security and tooling. He has worked on internal SAST and DAST tools and also produced external mobile tools which are used within the industry, including memscan, which was featured in ‘The Mobile Application Hacker's Handbook’ and ‘Learning iOS Forensics.’ Grant enjoys writing code, reading, and travel during his free time.