Last active
June 2, 2025 08:54
Save rustymagnet3000/605c333519cd265c7eac9d556f46dc75 to your computer and use it in GitHub Desktop.
Revisions
-l revised this gist
Jan 16, 2025. 1 changed file with 8 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -312,9 +312,16 @@ grep "Requires" Payload -R ### iOS file structure ```bash # Sandbox. Look here for Cookies, Cache.db, Docuements, persisted data, json files, etc /var/mobile/Containers/Data/Application/[GUID given at install time]/ # find runtime data location cd /private/var/mobile/Containers/Data/Application/ && grep --include=\*.plist -rnw . -e "myapp" # -r recursive # -n line number # -w match whole word # -e ignore case # Folder of App Bundle that was installed. Executables, frameworks, fonts, CSS, html. NIB files. /private/var/containers/Bundle/Application/[GUID given at app install]/foo.app -
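Review bot: the flag comments in the new `### iOS file structure` block are wrong for `-e`: in `cd /private/var/mobile/Containers/Data/Application/ && grep --include=\*.plist -rnw . -e "myapp"` the `-e` switch introduces the pattern, it does not ignore case, so `# -e ignore case` should read `# -e pattern`, and `-i` should be added to the flags if a case-insensitive search is what is wanted. The `-w` flag is also worth a word of warning here: whole-word matching means `myapp` will not hit identifiers such as `myapp_debug`. Separately, `Docuements` in the sandbox comment should be `Documents`.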
-l revised this gist
Jan 16, 2025. 1 changed file with 8 additions and 4 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,7 +2,7 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:true withlinks:true --> - [Jailbreak in 2025](#jailbreak-in-2025) - [Steps](#steps) - [Find jailbreak](#find-jailbreak) - [Prepare iOS device](#prepare-ios-device) @@ -37,7 +37,7 @@ <!-- /TOC --> ## Jailbreak in 2025 Please read if you have a Jailbreak - `checkra1n`, `unc0ver`, `TrollInstallerX` or `dopamine` - and want to get it working. @@ -343,8 +343,12 @@ scp -r -P 2222 root@localhost:/var/containers/Bundle/Application/<app GUID>/hitm scp -P 2222 root@localhost:/var/root/overflow.c localfilename.c # from Jailbroken device to local machine # Cache.db used by WKWebView and NSURLSession scp -P 2222 mobile@localhost:/private/var/mobile/Containers/Data/Application/[guid from install time]/Library/Caches/${BUNDLE_ID}/Cache.db . # auto generated screenshot scp -P 2222 mobile@localhost:/private/var/mobile/Containers/Data/Application/[guid from install time]/Library/SplashBoard/Snapshots/sceneID:${BUNDLE_ID}-default/< big long guid>A\@3x.ktx . # from local machine to remote Jailbroken device scp -P 2222 hello.txt root@localhost:/var/root/ -
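Review bot: the new `scp` lines in the `@@ -343,8 +343,12 @@` hunk cannot be pasted as written, and the text should say so: the placeholder in `.../SplashBoard/Snapshots/sceneID:${BUNDLE_ID}-default/< big long guid>A\@3x.ktx .` contains spaces and an unquoted `<`, which the shell treats as input redirection, and `[guid from install time]` is likewise a placeholder, so the remote path needs the real GUIDs filled in (and ideally quoting). A one-line rationale would also help the reader: `Cache.db` is pulled because `NSURLSession` can persist whole responses there, and the SplashBoard snapshot is pulled because it is a screenshot of the last visible screen, so both are places where session data the app never meant to keep can end up on disk.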
-l revised this gist
Nov 1, 2024. 1 changed file with 13 additions and 11 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,7 +9,7 @@ - [Prepare XCode for older iOS versions](#prepare-xcode-for-older-ios-versions) - [Create Provisioning Profile in XCode](#create-provisioning-profile-in-xcode) - [Sign and deploy Jailbreak IPA](#sign-and-deploy-jailbreak-ipa) - [Verify you can SSH onto iOS device](#verify-you-can-ssh-onto-ios-device) - [Get decrypted IPA off Jailbroken device](#get-decrypted-ipa-off-jailbroken-device) - [Strings](#strings) - [Get App Store iPAs](#get-app-store-ipas) @@ -39,22 +39,23 @@ ## Jailbreak in 2024 Please read if you have a Jailbreak - `checkra1n`, `unc0ver`, `TrollInstallerX` or `dopamine` - and want to get it working. There is no magic "download and it works". Forget `Cydia Impactor`. > [!WARNING] > If you just download a jailbreak `ipa` - even if it is [TrollInstallerX](https://github.com/alfiecg24/TrollInstallerX/) it won't be code-signed. It won't install. ### Steps Preparing an old iOS device for Jailbreak takes time and effort: 1. Find jailbreak 2. Prepare iOS Device 3. Prepare XCode for older iOS versions 4. Create Provisioning Profile in XCode 5. Sign and deploy Jailbreak IPA 6. Verify you can SSH onto iOS device ### 1. Find jailbreak @@ -96,9 +97,7 @@ We need to get a Provisioning Profile ( called the `embedded.mobileprovision` fi If you look inside the folder ( remember `HelloWorld.app` is a folder ) you will find a fresh `embedded.mobileprovision`. This contains the uniques IDs and an expiry date for the developer profile associated to the app. ### 5. Sign and deploy Jailbreak IPA ```shell # find your "Apple Development" ID 
@@ -124,7 +123,7 @@ applesign -p -7 \ ios-deploy -b $SIGNED_IPA ``` ### 6. Verify you can SSH onto iOS device ```shell @@ -134,9 +133,12 @@ brew install libusbmuxd # For SSH over USB access iproxy 2222 22 & # most jailbreaks: Password is well known ssh -p 2222 root@localhost # dopamine uses the `mobile` user not root # user sets password when invoking the jailbreak ssh -p 2222 mobile@localhost ``` ## Get decrypted IPA off Jailbroken device -
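Review bot: the `### 6. Verify you can SSH onto iOS device` hunk documents a default credential without saying what to do about it: `# most jailbreaks: Password is well known` followed by `ssh -p 2222 root@localhost`. Once `iproxy 2222 22 &` is forwarding the port, that well-known password is the only thing protecting a root shell on the device, so the step after first login should be to change it (`passwd`, and `passwd mobile` for the Dopamine case, where the jailbreak's base tools provide it). It would also be clearer to state that the `mobile@localhost` login goes through the same `iproxy` forward as the root one.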
-l revised this gist
Nov 1, 2024. 1 changed file with 62 additions and 49 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,13 +2,13 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:true withlinks:true --> - [Jailbreak in 2024](#jailbreak-in-2024) - [Steps](#steps) - [Find jailbreak](#find-jailbreak) - [Prepare iOS device](#prepare-ios-device) - [Prepare XCode for older iOS versions](#prepare-xcode-for-older-ios-versions) - [Create Provisioning Profile in XCode](#create-provisioning-profile-in-xcode) - [Sign and deploy Jailbreak IPA](#sign-and-deploy-jailbreak-ipa) - [Run Jailbreak and SSH onto device](#run-jailbreak-and-ssh-onto-device) - [Get decrypted IPA off Jailbroken device](#get-decrypted-ipa-off-jailbroken-device) - [Strings](#strings) 
@@ -37,78 +37,91 @@ <!-- /TOC --> ## Jailbreak in 2024 Please read if you have a Jailbreak - `checkra1n`, `unc0ver` or `dopamine` - and want to get it working. There is no magic "download and it works". **Forget `Cydia Impactor`**. All you need is to code sign & create a Provisioning Profile for the jailbreak IPA. > [!WARNING] > If you just download a jailbreak `ipa` it won't be code-signed and you be shown a cryptic error code. Preparing an old iOS device for Jailbreak takes time and effort. ### Steps 1. Find jailbreak 2. Prepare iOS Device 3. Prepare XCode for older iOS versions 4. Create Provisioning Profile in XCode 5. Sign and deploy Jailbreak IPA ### 1. Find jailbreak - [CheckRa1n](https://checkra.in/) great option when you have an older iOS device. - [PaleRa1n](https://palera.in/) iOS 15+. Requires older iOS device. - [Electra](https://coolstar.org/electra/) iOS 11. But iOS 11 was now old. Most apps dropped support. - [Dopamine]https://github.com/opa334/Dopamine/releases/tag/2.2.2 16.x - [Unc0ver](https://unc0ver.dev/) iOS 14.2 device Unc0ver seems ok. ### 2. Prepare iOS device - Trust the `Profile` of the Developer. - Ensure the device `Trusts` the machine it connects with. - On newer iOS version this includes turning on Developer Settings; iOS 16.0 to 16.6.1 `Settings -> Privacy & Security` and then scroll down until you see Developer Mode, tap that option. ### 3. Prepare XCode for older iOS versions Open `XCode/Window/Devices and Simulators`. Let XCode see the device. If you are trying to use an older device with an older OS, keep reading; for example, with Unc0ver, the latest XCode doesn't support iOS 14. You can still update XCode Device Support. Why ? This is required so you can create a `provisioning profile` for iOS 14.2 [ or deploy any iOS to that old device ]. - Grab the Device Support files [here](https://github.com/iGhibli/iOS-DeviceSupport/tree/master/DeviceSupport). - Open `Applications`. 
Right-click on Xcode, in Finder, and select `“package contents”`. - Navigate to `contents/Developer/platform/iPhoneOS.platform/DeviceSupport`. - Unzip the downloaded file and copy the folder to above location. - Restart XCode. - The older iOS device should now be a possible build target. ### 4. Create Provisioning Profile in XCode We need to get a Provisioning Profile ( called the `embedded.mobileprovision` file). - Open `Xcode` and select `File/New/Project/Swift` and call it anything. You don't need tests or any CoreData pieces. Just a basic "HelloWorld" app. - Select `build` for your connected device. > [!INFO] > You don’t need to `Run` the app on the device. - Right click on the `/Product/HelloWorld.app` - in the left hand view pane - and select `show in Finder`. If you look inside the folder ( remember `HelloWorld.app` is a folder ) you will find a fresh `embedded.mobileprovision`. This contains the uniques IDs and an expiry date for the developer profile associated to the app. ### 5. Sign and deploy Jailbreak IPA ```shell # find your "Apple Development" ID security find-identity -v -p codesigning # tools to inspect device ( works on jailed and jailbroken devices ) brew install libimobiledevice # check if you can see attached iOS device idevice_id 0000FFFF-0011111111122222 (USB) # sign Jailbreak ipa applesign -p -7 \ -i ${CODESIGNID} \ -b rm.helloworld \ --clone-entitlements \ -m embedded.mobileprovision \ TrollInstallerX.ipa -o $SIGNED_IPA # Deploy to the device over USB ios-deploy -b $SIGNED_IPA ``` ### Run Jailbreak and SSH onto device -
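Review bot: in the `### 5. Sign and deploy Jailbreak IPA` part of the big `@@ -37,78 +37,91 @@` hunk, the sample output `0000FFFF-0011111111122222 (USB)` sits directly under `idevice_id` inside the `shell` fence with nothing marking it as output, so anyone pasting the block runs it as a command. Either prefix it with `#` or move it out of the fence. In the same hunk, the sentence `But iOS 11 was now old.` should be `But iOS 11 is now old.`, and the bundle-ID passed to `applesign -b rm.helloworld` deserves a comment explaining that it must match the bundle ID baked into `embedded.mobileprovision` from the HelloWorld project, otherwise the troubleshooting table's `Mismatched bundle ID` error is what the reader will hit.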
-l revised this gist
Nov 1, 2024. 1 changed file with 28 additions and 15 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,7 +4,9 @@ - [prepare clean iOS 18 device](#prepare-clean-ios-18-device) - [Jailbreak in 2024](#jailbreak-in-2024) - [Things you need](#things-you-need) - [Find a jailbreak](#find-a-jailbreak) - [Prepare XCode for older iOS versions](#prepare-xcode-for-older-ios-versions) - [Prepare Device](#prepare-device) - [Prepare Jailbreak IPA](#prepare-jailbreak-ipa) - [Run Jailbreak and SSH onto device](#run-jailbreak-and-ssh-onto-device) 
@@ -57,23 +59,31 @@ idevice_id ## Jailbreak in 2024 Please read if you have a Jailbreak - `checkra1n`, `unc0ver` or `dopamine` - and want to get it working. There is no magic "download and it works". **Forget `Cydia Impactor`**. All you need is to code sign the jailbreak IPA: If you download an iOS app ( an `ipa` ) it won't be code-signed. Preparing an old iOS device for Jailbreak takes time and effort. ### Things you need - A jailbreak - macOS - XCode - XCode command line tools ( includes Code Signing tool ) - ios-deploy ### Find a jailbreak - [CheckRa1n](https://checkra.in/) great option when you have an older iOS device. - [PaleRa1n](https://palera.in/) iOS 15+. Requires older iOS device. - [Electra](https://coolstar.org/electra/) iOS 11. But iOS 11 was now old. Most apps dropped support. - [Dopamine]https://github.com/opa334/Dopamine/releases/tag/2.2.2 16.x - [Unc0ver](https://unc0ver.dev/) iOS 14.2 device Unc0ver seems ok. ### Prepare XCode for older iOS versions IF you are trying to use an older device with an older OS, keep reading; for example, with Unc0ver, the latest XCode doesn't support iOS 14. You can still update XCode Device Support. Why ? This is required so you can create a `provisioning profile` for iOS 14.2 [ or deploy any iOS to that old device ]. - Grab the Device Support files [here](https://github.com/iGhibli/iOS-DeviceSupport/tree/master/DeviceSupport). - Right click on Xcode, in Finder, and select `“package contents”`. Then `contents/Developer/platform/iPhoneOS.platform/DeviceSupport` - Restart XCode and you should be able to see the device. ### Prepare Device @@ -83,8 +93,6 @@ The latest XCode doesn't support iOS 14. You can still update XCode Device Supp ### Prepare Jailbreak IPA ```shell # find your "Apple Development" ID security find-identity -v -p codesigning 
@@ -193,6 +201,10 @@ ios hooking search methods pincode [MySwiftApp.Services - validatePinCode:error:] [MySwiftApp.Services - disablePinCode] # search for useful classes ios hooking search classes pincode # watch method calls inside a Class ios hooking watch class MySwiftApp.Services @@ -231,6 +243,8 @@ ios bundles list_frameworks # list modules memory list modules # print UI hierarchy of view controllers, labels, buttons, etc ios ui dump ``` ## Inspect files inside ipa @@ -363,10 +377,9 @@ rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'stripped|canary' rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'pic|bits # Check for Bitcode enabled # [!] this command won't work on a locally built Simulator / iPhone app. Bitcode happens after setting `Archive` otool -l libprogressbar.a | grep __LLVM otool -arch arm64 -l tinyDynamicFramework | grep __LLVM ``` ## Applesign -
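Review bot: two defects in the `@@ -57,23 +59,31 @@` hunk. The Dopamine entry `- [Dopamine]https://github.com/opa334/Dopamine/releases/tag/2.2.2 16.x` is missing the parentheses around the URL, so it does not render as a link; it should be `- [Dopamine](https://github.com/opa334/Dopamine/releases/tag/2.2.2) iOS 16.x`. The Device Support path `contents/Developer/platform/iPhoneOS.platform/DeviceSupport` is wrong in a way that matters even on a case-insensitive filesystem: the directory is `Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport` (`Platforms`, plural). Since the step drops third-party copies of Apple files from a GitHub repository into `Xcode.app`, a sentence telling the reader to look at what they are copying in would not go amiss either.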
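Review bot: the `@@ -363,10 +377,9 @@` hunk keeps a broken command in its context lines: `rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'pic|bits` has no closing quote, so the shell waits for more input. The new `# [!] this command won't work on a locally built Simulator / iPhone app. Bitcode happens after setting \`Archive\`` comment is an improvement over the old `//` form, but a caveat that Xcode 14 and later no longer produce bitcode (and the App Store no longer accepts it) would tell the reader when the `otool ... | grep __LLVM` check can be expected to come back empty.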
-l revised this gist
Oct 2, 2024. 1 changed file with 31 additions and 52 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # iOS app introspection <!-- TOC depthfrom:2 depthto:3 updateonsave:true withlinks:true --> @@ -90,16 +90,16 @@ The latest XCode doesn't support iOS 14. You can still update XCode Device Supp security find-identity -v -p codesigning # sign Jailbreak ipa applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobileprovision unc0ver_Release_8.0.2.ipa -o $SIGNED_IPA # Deploy to the device over USB ios-deploy -b $SIGNED_IPA ``` It failed? When you created the mobile provisioning file you didn't specify any entitlements. So you are not giving the Jailbreak any `entitlements`. Make sure you clone the entitlements from the jailbreak ipa: ```shell applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobileprovision unc0ver_Release_8.0.2.ipa -o $SIGNED_IPA --clone-entitlements ``` @@ -169,19 +169,18 @@ When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Find ## Quick-start run-time introspection Tools like Frida and Objection can work with apps straight from the app store. To work on a `jailed` device, the app needs to be re-signed as it adds a dynamic library ( `gadget` ) to the app's list of frameworks. ## Objection ```shell # Install Objection pip3 install objection # jailed device objection --gadget $BUNDLE_ID explore # jailbroken device objection -g $BUNDLE_ID explore #### Objection commands #### 
@@ -337,59 +336,39 @@ xcrun simctl spawn booted log stream --predicate 'processImagePath endswith "MyA ## Build information ```shell # Check platform lipo -info libprogressbar.a # Check for build errors jtool -arch arm64 -L <binary inside app bundle> # Check minimum iOS version & restrict linker flag jtool -arch arm64 -l <binary inside app bundle # Check Load Commands rabin2 -H playground # Sections of the Binary objdump -macho -section-headers Payload/myApp.app/myApp # iOS app entitlements codesign -d --entitlements :- Payload/MyApp.app jtool -arch arm64 --ent <binary inside app bundle> # Check binary was stripped rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'stripped|canary' # Check Position Independent Code set rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'pic|bits # Check for Bitcode enabled ```bash otool -l libprogressbar.a | grep __LLVM otool -arch arm64 -l tinyDynamicFramework | grep __LLVM // Remember this command won't work on a locally built Simulator / iPhone app. Bitcode happens after setting `Archive` ``` ## Applesign `Applesign` is a wrapper around `Codesigning` tools from Apple. @@ -426,14 +405,14 @@ security find-identity -v -p codesigning export CODESIGNID=<GUID> # tell Applesign to use your Provisioning Profile applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision $UNSIGNED_IPA -o $SIGNED_IPA # Speed up repackaging rm -v $UNSIGNED_IPA | rm -v $SIGNED_IPA | 7z a $UNSIGNED_IPA Payload # Re-sign IPA and set new Bundle ID # caution,changing the Bundle ID can cause ios-deploy issues // applesign -7 -i ${CODESIGNID} -b funky-chicken.resigned -m embedded.mobileprovision $UNSIGNED_IPA -o $SIGNED_IPA ``` 
@@ -457,7 +436,7 @@ Entitlements overload | You can have a `Provisioning Profile` (embedded.mobilep Clone Entitlements | When the app is complicated, with many entitlements, sometimes it is easier just to `--clone-entitlements` with `Applesign`. Wrong Bundle ID | When you add specific `Entitlments` you need a unique Bundle ID. Check whether you need to change Bundle ID when re-signing. Network settings | `Settings\General\Profiles and Device Management` to trust the Developer Profile and App. This won't happen if you are manually proxying or setting a local DNS server., when installing with `iOS-deploy`. Watch Extensions | `iOS-deploy` spits out lots of messages if you change the bundle ID when resigning an app ( `Error 0xe800009e: This app contains an app extension with an illegal bundle identifier`. If you use the free developer account, changing the Bundle ID is the only to repackage another party's app. I ended up deleting the Watch.app from the Payload bundle as I wasn't interested in testing. That worked. --- If none of the above work open `Console.app` on macOS. Select your device and set `process:mobile_installation_proxy` in the `Search Bar`. This will give details behind the sideloaded IPA error message. @@ -466,9 +445,9 @@ If none of the above work open `Console.app` on macOS. Select your device and s ## Sideload iOS app ```bash ios-deploy -b $SIGNED_IPA // defaults to send over wifi ios-deploy -b -W $SIGNED_IPA // uses USB ios-deploy -B | grep -i funky // list Bundle IDs ``` -
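Review bot: the `## Build information` block in the `@@ -337,59 +336,39 @@` hunk has three copy-paste breakers. `jtool -arch arm64 -l <binary inside app bundle` is missing the closing `>`, `rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'pic|bits` is missing its closing quote, and under `# Check for Bitcode enabled` a second fence (` ```bash `) is opened inside the already open `shell` fence, which closes the block early and leaves the `otool` lines rendered as prose. Removing the inner fence and moving its `// Remember this command ...` line into a `#` comment fixes the rendering.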
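Review bot: in the `@@ -426,14 +405,14 @@` hunk, `rm -v $UNSIGNED_IPA | rm -v $SIGNED_IPA | 7z a $UNSIGNED_IPA Payload` pipes three commands together when what is meant is a sequence; each `rm` ignores stdin, so it happens to work by accident, but the intent is `rm -v "$UNSIGNED_IPA" "$SIGNED_IPA" && 7z a "$UNSIGNED_IPA" Payload`. Now that the file names are variables, an unset `SIGNED_IPA` or `UNSIGNED_IPA` turns the line into `rm -v` with no argument and `7z a Payload`; `"${UNSIGNED_IPA:?}"` makes the shell abort with a clear message instead.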
-l revised this gist
Oct 1, 2024. 1 changed file with 17 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -12,7 +12,7 @@ - [Strings](#strings) - [Get App Store iPAs](#get-app-store-ipas) - [Quick-start run-time introspection](#quick-start-run-time-introspection) - [Objection](#objection) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Inspect sandbox data on Jailbroken device](#inspect-sandbox-data-on-jailbroken-device) - [iOS file structure](#ios-file-structure) @@ -170,7 +170,7 @@ When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Find ## Quick-start run-time introspection ## Objection Works on a clean device or Jailbroken device: @@ -195,14 +195,28 @@ ios hooking search methods pincode [MySwiftApp.Services - disablePinCode] # watch method calls inside a Class ios hooking watch class MySwiftApp.Services # verify Objection can see Class ios hooking search classes MySwiftApp.Services # list Class Methods of a Class ios hooking list class_methods MySwiftApp.Services # read info.plist ios plist cat Info.plist # download file file download Info.plist # dump memory memory dump all myapp_memory.dump Will dump 111 rw- images, totalling 718.5 MiB Dumping 512.0 MiB from base: 0x280000000 [####################################] 100% # search memory for strings strings myapp_memory.dump | grep -i session # KeyChain dump ios keychain dump --json output.json -
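Review bot: in the `@@ -195,14 +195,28 @@` hunk the pasted output `Will dump 111 rw- images, totalling 718.5 MiB` and the progress bar line sit inside the `shell` fence directly after `memory dump all myapp_memory.dump`, with nothing distinguishing them from commands; prefix them with `#` or set them off as output. Since `myapp_memory.dump` and the `ios keychain dump --json output.json` file will contain whatever session tokens and credentials the app holds (that is the point of the `strings myapp_memory.dump | grep -i session` line), the section should say where those files land and that they need the same handling as the secrets themselves once the test is over.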
-l renamed this gist
Oct 1, 2024. 1 changed file with 50 additions and 9 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -11,13 +11,15 @@ - [Get decrypted IPA off Jailbroken device](#get-decrypted-ipa-off-jailbroken-device) - [Strings](#strings) - [Get App Store iPAs](#get-app-store-ipas) - [Quick-start run-time introspection](#quick-start-run-time-introspection) - [Dump KeyChain](#dump-keychain) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Inspect sandbox data on Jailbroken device](#inspect-sandbox-data-on-jailbroken-device) - [iOS file structure](#ios-file-structure) - [Logs](#logs) - [Build information](#build-information) - [Applesign](#applesign) - [Prepare for code signing](#prepare-for-code-signing) - [Troubleshoot code signing](#troubleshoot-code-signing) - [Sideload iOS app](#sideload-ios-app) - [Frida-Server](#frida-server) @@ -164,6 +166,10 @@ When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Find [Full instructions](https://medium.com/@contact.jmeyers/download-the-ipa-file-for-any-ios-app-on-your-iphone-8298c7d6d812). ## Quick-start run-time introspection ## Dump KeyChain Works on a clean device or Jailbroken device: 
@@ -172,11 +178,46 @@ Works on a clean device or Jailbroken device: # Install Objection pip3 install objection # run app on jailbroken device objection --gadget $BUNDLE_ID explore # on jailbroken device objection -g $BUNDLE_ID explore #### Objection commands #### # sandbox location on device env # search for useful methods ios hooking search methods pincode [MySwiftApp.Services - validatePinCode:error:] [MySwiftApp.Services - disablePinCode] # watch method calls inside a Class watch-class-methods for: MySwiftApp.Services # verify Objection can see Class ios hooking search classes MySwiftApp.Services # list Class Methods of a Class ios hooking list class_methods MySwiftApp.Services # KeyChain dump ios keychain dump --json output.json # list bundles used by app ios bundles list_bundles # list classes ios hooking list classes # list frameworks used by app ios bundles list_frameworks # list modules memory list modules ``` ## Inspect files inside ipa @@ -350,13 +391,16 @@ First, you want to get hold of an `embedded.mobileprovision` file: - Open `Xcode` and select `File/New/Project/Swift` and call it anything. You don't need tests or any CoreData pieces. Just a basic "HelloWorld" app. - Select `build` for your connected device. > [!INFO] > You don’t need to `Run` the app on the device. - Right click on the `/Product/HelloWorld.app` - in the left hand view pane - and select `show in Finder`. If you look inside the folder ( remember `HelloWorld.app` is a folder ) you will find a fresh `embedded.mobileprovision`. This contains the uniques IDs and an expiry date for the developer profile associated to the app. ### Prepare for code signing ```shell # Read the Provisioning Profile 
@@ -367,18 +411,15 @@ security cms -D -i embedded.mobileprovision security find-identity -v -p codesigning export CODESIGNID=<GUID> # tell Applesign to use your Provisioning Profile applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision unsigned.ipa -o ready.ipa # Speed up repackaging rm -v unsigned.ipa | rm -v ready.ipa | 7z a unsigned.ipa Payload # Re-sign IPA and set new Bundle ID # caution,changing the Bundle ID can cause ios-deploy issues // applesign -7 -i ${CODESIGNID} -b funky-chicken.resigned -m embedded.mobileprovision unsigned.ipa -o ready.ipa ``` -
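Review bot: the `@@ -164,6 +166,10 @@` hunk leaves `## Quick-start run-time introspection` as an empty section immediately followed by `## Dump KeyChain`; either give the first heading its own text or make the KeyChain heading a `###` under it, otherwise the TOC entry points at nothing.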
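Review bot: the comments in the `@@ -172,11 +178,46 @@` Objection hunk contradict each other: `# run app on jailbroken device` sits above `objection --gadget $BUNDLE_ID explore` and `# on jailbroken device` above `objection -g $BUNDLE_ID explore`, but `--gadget` and `-g` are the same option, and the first is the jailed (embedded Frida gadget) case. Label the first one `# jailed device ( app re-signed with the Frida gadget )`. In the same hunk, `watch-class-methods for: MySwiftApp.Services` under `# watch method calls inside a Class` is Objection's echoed output rather than a command; the command is `ios hooking watch class MySwiftApp.Services`.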
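Review bot: `> [!INFO]` in the `@@ -350,13 +391,16 @@` hunk is not one of the GitHub alert types (`NOTE`, `TIP`, `IMPORTANT`, `WARNING`, `CAUTION`), so it renders as a plain blockquote with a literal `[!INFO]` line; `> [!NOTE]` is the one intended. The trailing sentence `This contains the uniques IDs and an expiry date ...` should read `unique IDs`, and it is worth adding that the expiry is short for a free developer account, which is why the profile has to be fresh.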
-l revised this gist
Sep 26, 2024. 1 changed file with 33 additions and 37 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,8 +18,8 @@ - [Logs](#logs) - [Build information](#build-information) - [Applesign](#applesign) - [Troubleshoot code signing](#troubleshoot-code-signing) - [Sideload iOS app](#sideload-ios-app) - [Frida-Server](#frida-server) - [Frida-Gadget](#frida-gadget) - [Frida basics](#frida-basics) 
@@ -339,68 +339,54 @@ otool -arch arm64 -l tinyDynamicFramework | grep __LLVM `Applesign` is a wrapper around `Codesigning` tools from Apple. ```shell npm install -g applesign ``` #### Create provisioning file First, you want to get hold of an `embedded.mobileprovision` file: - Open `Xcode` and select `File/New/Project/Swift` and call it anything. You don't need tests or any CoreData pieces. Just a basic "HelloWorld" app. - Select `build` for your connected device. > You don’t need to `Run` the app on the device. - Right click on the `/Product/HelloWorld.app` - in the left hand view pane - and select `show in Finder`. If you look inside the folder ( remember `HelloWorld.app` is a folder ) you will find a fresh `embedded.mobileprovision`. This contains the uniques IDs and an expiry date for the developer profile associated to the app. ```shell # Read the Provisioning Profile # ensure your device ID is in the profile and the profile is fresh. security cms -D -i embedded.mobileprovision # find code signing key security find-identity -v -p codesigning export CODESIGNID=<GUID> # Resign an iPA + change bundle ID applesign -7 -i ${CODESIGNID} --bundleid funky-chicken.resigned # Resign iPA: set app to debuggable with custom provisioning file ( default ) applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision unsigned.ipa -o ready.ipa # Speed up repackaging rm -v unsigned.ipa | rm -v ready.ipa | 7z a unsigned.ipa Payload # Set Bundle ID // applesign -7 -i ${CODESIGNID} -b yd.com.rusty.repackaged -m embedded.mobileprovision unsigned.ipa -o ready.ipa ``` ### Troubleshoot code signing > [!CAUTION] > You can't resign an encrypted app store app. Remember to decrypt that app ! Title | Detail --|-- 
@@ -421,6 +407,16 @@ Network settings | `Settings\General\Profiles and Device Management` to trust th If none of the above work open `Console.app` on macOS. Select your device and set `process:mobile_installation_proxy` in the `Search Bar`. This will give details behind the sideloaded IPA error message. ## Sideload iOS app ```bash ios-deploy -b myapp-resigned.ipa // defaults to send over wifi ios-deploy -b -W myapp-resigned.ipa // uses USB ios-deploy -B | grep -i funky // list Bundle IDs ``` ## Frida-Server ```shell -
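Review bot: in the `@@ -339,68 +339,54 @@` Applesign hunk, `applesign -7 -i ${CODESIGNID} --bundleid funky-chicken.resigned` under `# Resign an iPA + change bundle ID` has no input IPA and no `-o`, so it is not a runnable command; it needs `unsigned.ipa -o ready.ipa` like the line below it. `rm -v unsigned.ipa | rm -v ready.ipa | 7z a unsigned.ipa Payload` is a pipeline where a sequence (`&&`) is meant; it works only because `rm` ignores stdin. The `> [!CAUTION] You can't resign an encrypted app store app` callout is a good addition; it would be stronger with a pointer to the decryption section above so the reader knows the prerequisite.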
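Review bot: the new `## Sideload iOS app` block in the `@@ -421,6 +407,16 @@` hunk is fenced as `bash` but uses `//` for comments, so `ios-deploy -b myapp-resigned.ipa // defaults to send over wifi` passes `//` and the words after it to `ios-deploy` as extra arguments instead of commenting them out. Use `#`. The `-W` comment is also slightly off: `-W` is `--no-wifi`, which ignores Wi-Fi devices, so the first form does not default to Wi-Fi, it merely allows it.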
-l revised this gist
Sep 26, 2024. 1 changed file with 30 additions and 50 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,15 +9,14 @@ - [Prepare Jailbreak IPA](#prepare-jailbreak-ipa) - [Run Jailbreak and SSH onto device](#run-jailbreak-and-ssh-onto-device) - [Get decrypted IPA off Jailbroken device](#get-decrypted-ipa-off-jailbroken-device) - [Strings](#strings) - [Get App Store iPAs](#get-app-store-ipas) - [Dump KeyChain](#dump-keychain) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Inspect sandbox data on Jailbroken device](#inspect-sandbox-data-on-jailbroken-device) - [iOS file structure](#ios-file-structure) - [Logs](#logs) - [Build information](#build-information) - [Applesign](#applesign) - [Sideload iOS app](#sideload-ios-app) - [Troubleshoot codesign / iOS Deploy](#troubleshoot-codesign--ios-deploy) @@ -43,10 +42,10 @@ # Let XCode prepare device > XCode/Window/Devices and Simulators # iOS device Settings/Privacy and Security/Developer Mode/On # tools to inspect device ( works on jailed and jailbroken devices ) brew install libimobiledevice # check if you can see attached iOS device @@ -103,8 +102,6 @@ patching applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobilepro ``` ### Run Jailbreak and SSH onto device ```shell @@ -118,7 +115,6 @@ iproxy 2222 22 & ssh -p 2222 root@localhost ``` ## Get decrypted IPA off Jailbroken device @@ -142,6 +138,14 @@ Load command 12 -- ``` ## Strings If you didn't decrypt the app you won't find good strings. ```bash strings $APP_BINARY | grep -E 'session|https|pinning|secret' ``` ## Get App Store iPAs - Install Apple's utility [Apple Configurator 2](https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12) from macOS store 
@@ -329,36 +333,7 @@ otool -arch arm64 -l tinyDynamicFramework | grep __LLVM // Remember this command won't work on a locally built Simulator / iPhone app. Bitcode happens after setting `Archive` ``` ## Applesign @@ -967,7 +942,7 @@ frida-trace -m "*[NSURLSession* *didReceiveChallenge*]" -H 192.168.0.38:19999 - ## Cookies #### Find ```bash /private/var/mobile/Containers/Data/Application/<app guid, given at install time>/Library/Cookies/Cookies.binarycookies @@ -977,32 +952,37 @@ frida-trace -m "*[NSURLSession* *didReceiveChallenge*]" -H 192.168.0.38:19999 - ```bash scp -P 2222 root@localhost:/private/var/mobile/Containers/Data/Application/<App GUID>/Library/Cookies/Cookies.binarycookies cookies.bin ``` The original `BinaryCookieReader` script out of date ( still Python 2 only ): ```shell # install cookie file parser pip3 install binary-cookies-parser # read file bcparser cookies.bin ``` #### Find Cookies in Memory with Frida ```shell # script from https://github.com/interference-security/frida-scripts/blob/master/iOS/show_binarycookies.js frida -U -p 1990 -l show_binarycookies.js $) ps -ax | grep -i WebKit.Networking 29163 ?? <longPath>/.../com.apple.WebKit.Networking $) frida --codeshare mrmacete/objc-method-observer -p 29163 [PID::29163]-> %resume [PID::29163]-> observeSomething('*[* cookiesWithResponseHeaderFields:forURL:]'); ###################################### +[NSHTTPCookie cookiesWithResponseHeaderFields:forURL:] cookiesWithResponseHeaderFields: { "Set-Cookie" = "EuConsent=<removed for brevity>; path=/; expires=Sat, 16 Nov 2019 14:51:01 GMT;"; -
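Review bot: the `#### Find Cookies in Memory with Frida` block in the `@@ -977,32 +952,37 @@` hunk mixes prompts, commands and output inside one `shell` fence: `$) ps -ax | grep -i WebKit.Networking` uses an unusual `$)` prompt marker, the `29163 ?? <longPath>/...` line is output, and the `[PID::29163]->` lines are typed into the Frida REPL, not the shell. Splitting them (or prefixing output with `#`) would make the block pasteable. `frida -U -p 1990 -l show_binarycookies.js` also bakes in a PID from one session; `frida -U -n <process name> -l show_binarycookies.js` attaches by name and does not go stale.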
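Review bot: the new `## Strings` section in the `@@ -142,6 +138,14 @@` hunk is a good addition; the pattern in `strings $APP_BINARY | grep -E 'session|https|pinning|secret'` is case-sensitive, so `-i` would catch `Session`/`HTTPS`, and the `$APP_BINARY` variable is never defined anywhere in the document, so a comment stating it is the decrypted Mach-O from the section above would close the loop with `If you didn't decrypt the app you won't find good strings.`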
-l revised this gist
Sep 26, 2024. 2 changed files with 27 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,6 +7,7 @@ - [Prepare XCode](#prepare-xcode) - [Prepare Device](#prepare-device) - [Prepare Jailbreak IPA](#prepare-jailbreak-ipa) - [Run Jailbreak and SSH onto device](#run-jailbreak-and-ssh-onto-device) - [Get decrypted IPA off Jailbroken device](#get-decrypted-ipa-off-jailbroken-device) - [Get App Store iPAs](#get-app-store-ipas) - [Dump KeyChain](#dump-keychain) @@ -94,9 +95,34 @@ applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobileprovision un ios-deploy -b ready.ipa ``` It failed? When you created the mobile provisioning file you didn't specify any entitlements. So you are not giving the Jailbreak any `entitlements`. Make sure you clone the entitlements from the jailbreak ipa: ```shell patching applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobileprovision unc0ver_Release_8.0.2.ipa -o ready.ipa --clone-entitlements ``` ### Run Jailbreak and SSH onto device Wow, that was a lot of effort. Well done. It failed? ```shell # macOS - install iProxy brew install libusbmuxd # For SSH over USB access iproxy 2222 22 & # SSH onto jailbroken device. Password is well known. ssh -p 2222 root@localhost ``` ## Get decrypted IPA off Jailbroken device **Decrypting the app binary is essential**. You cannot skip this step if you want to find good strings, debug the app or repackage the iPA. ```shell # Get script to decrypt iPA Binary file not shown. -
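Review bot: the `@@ -94,9 +95,34 @@` hunk has a stray word at the start of the fixed command: `patching applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobileprovision unc0ver_Release_8.0.2.ipa -o ready.ipa --clone-entitlements` would try to run a program called `patching`; drop it. Under `### Run Jailbreak and SSH onto device` the text `Wow, that was a lot of effort. Well done. It failed?` reads as two contradictory states; the `It failed?` question belongs with the entitlements paragraph above, not under the SSH heading.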
-l revised this gist
Sep 25, 2024 . 1 changed file with 7 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -87,11 +87,11 @@ The latest XCode doesn't support iOS 14. You can still update XCode Device Supp # find your "Apple Development" ID security find-identity -v -p codesigning # sign Jailbreak ipa applesign -p -7 -i ${CODESIGNID} -b rm.helloworld -m embedded.mobileprovision unc0ver_Release_8.0.2.ipa -o ready.ipa # Deploy to the device over USB ios-deploy -b ready.ipa ``` ## Get decrypted IPA off Jailbroken device @@ -384,6 +384,7 @@ rm -v unsigned.ipa | rm -v ready.ipa | 7z a unsigned.ipa Payload // Keep original Bundle ID applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision unsigned.ipa -o ready.ipa // Set Bundle ID // applesign -7 -i ${CODESIGNID} -b yd.com.rusty.repackaged -m embedded.mobileprovision unsigned.ipa -o ready.ipa 
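Review bot: the `// Keep original Bundle ID` and `// Set Bundle ID` lines sit in a shell command block, where `//` is a path rather than a comment marker, so pasting the block tries to execute `//`; use `#` as the rest of the gist does. The context line above them, `rm -v unsigned.ipa | rm -v ready.ipa | 7z a unsigned.ipa Payload`, chains three unrelated commands with pipes; `rm -v unsigned.ipa ready.ipa; 7z a unsigned.ipa Payload` is what is meant. This revision also drops `--clone-entitlements` from the unc0ver signing command, which the Sep 26, 2024 revision above has to restore under "It failed?".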
@@ -403,8 +404,9 @@ ios-deploy -B | grep -i funky // list Bundle IDs Title | Detail --|-- Missing Device ID | Check Provisioning Profile (`embedded.mobileprovision`) included device's UUID Code signing key expired | Timeframe for paid iOS Developer license is one-year versus one-week for free developer signing key. Wrong Code-Signing Key | check the Code Signing Key was NOT an `iPhone Distribution key` Mismatched bundle ID | `Error 0xe8008001`. When you create the Provisioning Profile it knows of the Bundle ID. So when you resign an IPA, it must match this value. identity is no longer valid | `Error 0xe8008018: The identity used to sign the executable is no longer valid.` Make sure that the `Apple Development` key was selected when running `security find-identity -v -p codesigning`, I hit this error when I selected a `Developer ID Application`. I should have selected the ID associated to `Apple Development` credential. Code Signing Keys Match | check the `Code Signing Key` used when creating the `Provisioning Profile` matched the `Code Signing Key` selected when repackaging and code signing. XCode check | When generating an app - to get hold of `embedded.mobileprovision` file - remember the `Code signing` options are different for each Project Target and ProjectTests. -
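Review bot: in the "Missing Device ID" row, a provisioning profile lists device UDIDs, not UUIDs; the row should say "included the device's UDID" so readers search `embedded.mobileprovision` for the right value. The "Code signing key expired" row's "one-year versus one-week" is the useful fact here; stating that the free profile expires after seven days makes the cause of a sudden `ios-deploy` failure obvious.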
-l revised this gist
Sep 25, 2024 . 1 changed file with 34 additions and 12 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,9 +2,12 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:true withlinks:true --> - [prepare clean iOS 18 device](#prepare-clean-ios-18-device) - [Jailbreak in 2024](#jailbreak-in-2024) - [Prepare XCode](#prepare-xcode) - [Prepare Device](#prepare-device) - [Prepare Jailbreak IPA](#prepare-jailbreak-ipa) - [Get decrypted IPA off Jailbroken device](#get-decrypted-ipa-off-jailbroken-device) - [Get App Store iPAs](#get-app-store-ipas) - [Dump KeyChain](#dump-keychain) - [Inspect files inside ipa](#inspect-files-inside-ipa) 
@@ -52,27 +55,46 @@ idevice_id ## Jailbreak in 2024 Preparing an old iOS 14.2 device for Jailbreak takes time and effort. First, find a Jailbreak for your iOS version; with an iOS 14.2 device Unc0ver seems ok. [CheckRa1n](https://checkra.in/) runs as an untrusted command line tool - on macOS - that triggers a `"Malware possibility"`alert. Why? CheckRa1n wasn't notorized by the author [ or Apple rejected the notorization ? ]. Side note:[Electra](https://coolstar.org/electra/) still worked for iOS 11. But iOS 11 is aging fast with many apps dropping support. ### Prepare XCode The latest XCode doesn't support iOS 14. You can still update XCode Device Support. Why ? This is required so you can create a `provisioning profile` for iOS 14.2 [ or deploy any iOS to that old device ]. - Grab the Device Support files [here](https://github.com/iGhibli/iOS-DeviceSupport/tree/master/DeviceSupport). - Right click on Xcode, in Finder, and select `“package contents”`. Then `contents/Developer/platform/iPhoneOS.platform/DeviceSupport` - Restart XCode and you should be able to see the device. ### Prepare Device - Trust the `Profile` of the Developer. - Ensure the device `Trusts` the machine it connects with. - On newer iOS version this includes turning on Developer Settings. ### Prepare Jailbreak IPA **Forget `Cydia Impactor`**. All you need is to code sign the jailbreak IPA: ```shell # find your "Apple Development" ID security find-identity -v -p codesigning # sign Electra app with a free Developer Account applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision unc0ver.ipa -o ready.ipa --clone-entitlements # Deploy to the device over USB with different Bundle ID ios-deploy --bundle_id='com.bar.baz.foo' -b ready.ipa ``` ## Get decrypted IPA off Jailbroken device Decrypting the app binary is essential if you want to find good strings, debug the app or repackage the iPA. -
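Review bot: the Device Support path `contents/Developer/platform/iPhoneOS.platform/DeviceSupport` will not resolve as written; inside `Xcode.app` the folder is `Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport`. In the "Prepare Jailbreak IPA" block the comment `# sign Electra app with a free Developer Account` no longer matches the command, which now signs `unc0ver.ipa`. Spelling: "notorized"/"notorization" should be "notarized"/"notarization", and "Side note:[Electra]" needs a space after the colon.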
rustymagnet3000 revised this gist
Sep 25, 2024 . 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -50,11 +50,11 @@ idevice_id 0000FFFF-0011111111122222 (USB) ``` ## Jailbreak in 2024 [CheckRa1n](https://checkra.in/) was enough for my devices on iOS 14.x. Older, stable Jailbreaks like [Electra](https://coolstar.org/electra/) still worked. Remember: - You do NOT require `Cydia Impactor` to install a fresh copy of the Electra app. - The Electra app needs to signed by a code signing key before it works. -
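Review bot: "The Electra app needs to signed by a code signing key" is missing "be" (a context line here, but it survives into every later revision). The retitled heading says 2024 while the sentence under it keeps the past tense "still worked"; either tense is fine but they should agree.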
rm revised this gist
Sep 24, 2024 . 1 changed file with 22 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,8 @@ # Static / Dynamic iOS app inspection <!-- TOC depthfrom:2 depthto:3 updateonsave:true withlinks:true --> - [prepare clean iOS18 device](#prepare-clean-ios18-device) - [Jailbreak in 2023](#jailbreak-in-2023) - [Get decrypted IPA off a Jailbroken device](#get-decrypted-ipa-off-a-jailbroken-device) - [Get App Store iPAs](#get-app-store-ipas) @@ -29,6 +30,26 @@ <!-- /TOC --> ## prepare clean iOS 18 device ```shell # XCode installed on macOS > XCode Command Line Tools not enough # Let XCode prepare device > XCode/Window/Devices and Simulators # Settings/Privacy and Security/Developer Mode On # command line tool to inspect device brew install libimobiledevice # check if you can see attached iOS device idevice_id 0000FFFF-0011111111122222 (USB) ``` ## Jailbreak in 2023 [CheckRa1n](https://checkra.in/) was enough for my devices on iOS 14.x. -
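Review bot: the new TOC entry links to `#prepare-clean-ios18-device`, but the heading added below is `## prepare clean iOS 18 device`, which renders as the anchor `#prepare-clean-ios-18-device` (the Sep 25, 2024 revision above corrects this). In the shell block, `0000FFFF-0011111111122222 (USB)` is sample output of `idevice_id`, not a command; mark it as output (`# -> 0000FFFF-...`) so a pasted block does not try to run it.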
rustymagnet3000 revised this gist
Jan 2, 2023 . 1 changed file with 44 additions and 25 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,8 +3,9 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Jailbreak in 2023](#jailbreak-in-2023) - [Get decrypted IPA off a Jailbroken device](#get-decrypted-ipa-off-a-jailbroken-device) - [Get App Store iPAs](#get-app-store-ipas) - [Dump KeyChain](#dump-keychain) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Inspect sandbox data on Jailbroken device](#inspect-sandbox-data-on-jailbroken-device) - [iOS file structure](#ios-file-structure) @@ -30,24 +31,29 @@ ## Jailbreak in 2023 [CheckRa1n](https://checkra.in/) was enough for my devices on iOS 14.x. Older, stable Jailbreaks like Electra still work. Things to remember: - You do NOT require `Cydia Impactor` to install a fresh copy of the Electra app. - The Electra app needs to signed by a code signing key before it works. - Create a Code Signing Key for free with XCode. - Re-sign the ELectra app with: ```shell # find your "Apple Development" ID security find-identity -v -p codesigning # sign Electra app with a free Developer Account applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision Electra1141-2.0.ipa -o ready.ipa --clone-entitlements # Deploy it to the device with a different bundle ID ios-deploy --bundle_id='com.bar.baz.foo' -b ready.ipa ``` ## Get decrypted IPA off a Jailbroken device Decrypting the app binary is essential if you want to find good strings, debug the app or repackage the iPA. ```shell # Get script to decrypt iPA 
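Review bot: "Re-sign the ELectra app with:" has a stray capital (Electra), and "The Electra app needs to signed" is missing "be". The list now says "Create a Code Signing Key for free with XCode" but the block under it starts at `security find-identity -v -p codesigning`, so a one-line pointer to where in Xcode that key is created (Accounts / Manage Certificates) would close the gap between the bullet and the commands.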
@@ -56,14 +62,14 @@ https://github.com/AloneMonkey/frida-ios-dump # Attach a jailbroken iPhone and create tunnel over USB iproxy 2222 22 & # Ensure Frida is running on iOS device. Then run frida-ios-dump ./dump.py foo.bar.bundleid # Check AppStore binary is now decrypted ( cryptid 0 decrypted vs cryptid 1 encrypted ) otool -l Payload/foo.app/foo | grep -i LC_ENCRYPTION -B1 -A4 Load command 12 cmd LC_ENCRYPTION_INFO_64 cryptid 0 -- ``` @@ -85,6 +91,21 @@ When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Find [Full instructions](https://medium.com/@contact.jmeyers/download-the-ipa-file-for-any-ios-app-on-your-iphone-8298c7d6d812). ## Dump KeyChain Works on a clean device or Jailbroken device: ```shell # Install Objection pip3 install objection # repackage app with Frida Gadget objection --gadget "com.apple.AppStore" explore # KeyChain dump ios keychain dump --json output.json ``` ## Inspect files inside ipa ```shell @@ -827,7 +848,7 @@ The results: ```javascript frida-ps -Uai // get your bundle ID frida --codeshare mrmacete/objc-method-observer -U -f $BUNDLE_ID [+] At the Frida prompt... // Method isJailbroken @@ -859,21 +880,19 @@ observeSomething('-[WKWebView *Agent]'); ## Bypass anti-Frida checks ```shell # Rename Frida process bash -c "exec -a YDFooBar ./frida-server &" # Set Frida-Server on host to a specific interface and port frida-server -l 0.0.0.0:19999 & # Call Frida-server from Host frida-ps -ai -H 192.168.0.38:19999 # Trace on custom port frida-trace -m "*[NSURLSession* *didReceiveChallenge*]" -H 192.168.0.38:19999 -f $BUNDLE_ID ``` ## Cookies -
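Review bot: the "Dump KeyChain" block mixes two prompts: `pip3 install objection` and `objection --gadget "com.apple.AppStore" explore` are typed in the shell, but `ios keychain dump --json output.json` is typed at the objection REPL that `explore` opens, so the block should mark the prompt change. Its comment `# repackage app with Frida Gadget` also does not describe the command under it, which only attaches to the named app through Frida; on a clean (non-jailbroken) device the app first has to be repackaged with the gadget, a step that is not shown. In the frida-ios-dump block, `./dump.py foo.bar.bundleid` corrects the earlier `./dump.py fooapp.ipa`, and the `cryptid 0 decrypted vs cryptid 1 encrypted` comment is the check readers should keep.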
rustymagnet3000 revised this gist
Jan 1, 2023 . 2 changed files with 0 additions and 0 deletions.
File renamed without changes.
rustymagnet3000 revised this gist
Jan 1, 2023 . 2 changed files with 17 additions and 4 deletions.
File renamed without changesThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,12 +2,12 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Jailbreak in 2023](#jailbreak-in-2023) - [Decrypt the IPA into make it inspectable](#decrypt-the-ipa-into-make-it-inspectable) - [Get App Store iPAs](#get-app-store-ipas) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Inspect sandbox data on Jailbroken device](#inspect-sandbox-data-on-jailbroken-device) - [iOS file structure](#ios-file-structure) - [Logs](#logs) - [Build information](#build-information) - [Symbols](#symbols) @@ -28,9 +28,22 @@ <!-- /TOC --> ## Jailbreak in 2023 [CheckRa1n](https://checkra.in/) was enough for most of my devices on iOS 14.x. Older Jailbreaks like Electra still worked with a little work. Things to remember: - You do NOT require `Cydia Impactor` to install a fresh copy of the Electra app. - The Electra app needs to signed by a code signing key before it works. - You can achieve all of for free. - The command to re-sign the ELectra app was: ```shell # sign Electra app with a free Developer Account applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision Electra1141-2.0.ipa -o ready.ipa --clone-entitlements # Deploy it to the device with a different bundle ID ios-deploy --bundle_id='com.bar.baz.foo' -b ready.ipa ``` ## Decrypt the IPA into make it inspectable -
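Review bot: "You can achieve all of for free." is missing its object ("all of this"), "ELectra" has a stray capital, and the heading "Decrypt the IPA into make it inspectable" reads as a typo for "Decrypt the IPA to make it inspectable"; it is also the TOC anchor, so the heading and the `#decrypt-the-ipa-...` link need changing together.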
rustymagnet3000 revised this gist
Jan 1, 2023 . 2 changed files with 1 addition and 1 deletion.
File renamed without changesThis file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,7 +30,7 @@ ## Set up Jailbreak in 2023 Older Jailbreaks like [Electra](electra.png) still work. ## Decrypt the IPA into make it inspectable -
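Review bot: the Electra link still points at an image path (`electra.png`, previously `images/electra.png`) rather than the project page, so a reader clicking it gets a broken link; the Jan 1, 2023 revision above drops the link and later revisions use https://coolstar.org/electra/, which is what belongs here.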
rustymagnet3000 revised this gist
Jan 1, 2023 . 2 changed files with 26 additions and 22 deletions.
LoadingSorry, something went wrong. Reload?Sorry, we cannot display this file.Sorry, this file is invalid so it cannot be displayed.This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,10 +2,11 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Set up Jailbreak in 2023](#set-up-jailbreak-in-2023) - [Decrypt the IPA into make it inspectable](#decrypt-the-ipa-into-make-it-inspectable) - [Get App Store iPAs](#get-app-store-ipas) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Inspect sandbox data on Jailbroken device](#inspect-sandbox-data-on-jailbroken-device) - [iOS file structure](#ios-file-structure) - [Logs](#logs) - [Build information](#build-information) @@ -27,23 +28,9 @@ <!-- /TOC --> ## Set up Jailbreak in 2023 Older Jailbreaks like [Electra](images/electra.png) still work. ## Decrypt the IPA into make it inspectable 
@@ -67,6 +54,24 @@ Load command 12 -- ``` ## Get App Store iPAs - Install Apple's utility [Apple Configurator 2](https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12) from macOS store - Install the target iOS app on the target device - Then open `Apple Configurator 2` and "sign in" with the same Apple account used on the target device - Sign-out and sign-in to refresh the known app list - Right click on device and select `Add/Apps` - Select the app you want to copy At this point `Apple Configurator 2` will download a copy of the app to: --- >`~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Caches/Assets/TemporaryItems/MobileApps/` When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Finder and grab the IPA. [Full instructions](https://medium.com/@contact.jmeyers/download-the-ipa-file-for-any-ios-app-on-your-iphone-8298c7d6d812). ## Inspect files inside ipa ```shell @@ -106,8 +111,8 @@ find . -name '*.plist' | xargs grep "NS" # Search all files using only grep grep "LSApplicationQueriesSchemes" . -R # Recursive search all files using grep inside Payload folder grep "Requires" Payload -R # foobar.app/Info.plist: <key>UIRequiresFullScreen</key> # foobar.app/Info.plist: <key>LSRequiresIPhoneOS</key> ``` @@ -127,8 +132,7 @@ grep "Requires" foobar.app -R /private/var/containers/Bundle/Application/[GUID given at app install]/foo.app/foo # freshly installed IPA is at the bottom of list cd /private/var/mobile/Containers/Data/Application/ && ls -lrt cd [app guid]/Documents/ cd [app guid]/Library/ -
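Review bot: in the "iOS file structure" block, `cd [app guid]/Documents/` followed by `cd [app guid]/Library/` fails on the second `cd`, because that path is relative to `Documents/`; use `cd ../Library/` or an absolute path. Moving `grep "Requires"` to search `Payload -R` instead of `foobar.app -R` is right, since the reader has just unzipped the IPA and may not know the `.app` name yet.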
rustymagnet3000 revised this gist
Dec 31, 2022 . 1 changed file with 27 additions and 39 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -339,61 +339,49 @@ If none of the above work open `Console.app` on macOS. Select your device and s ## Frida-Server ```shell #### update host machine pip3 install --upgrade frida # list available devices frida-ls-devices # list processes and bundle ID from USB connected device frida-ps -Uai # Force open Calender on USB attached device frida -U -f com.apple.mobilecal # open foobar over usb and force start. starts app running frida -U -f com.apple.mobilecal --no-pause # get the target app's process ID from USB connected device frida-ps -U | grep -i myapp # Run script and quit Frida frida -U -f foobar --no-pause -q --eval 'console.log("Hi Frida");' ``` ## Frida-Gadget Since `Frida version ~12.7`, it was quick and simple to Frida on a Jailed device: ```shell # Get Frida-Gadget <https://github.com/frida/frida/releases> # Unzip gunzip frida-gadget-12.xx.xx-ios-universal.dylib.gz # Create directory for Frida-Gadget mkdir -p ~/.cache/frida # Move Frida-Gadget cp frida-gadget-12.xx.xx-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib # Invoke Frida-Gadget on Clean device frida -U -f funky-chicken.debugger-challenge ``` ## Frida basics -
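Review bot: the Frida-Gadget paragraph "it was quick and simple to Frida on a Jailed device" is missing a verb ("to use Frida"). The `frida -U -f funky-chicken.debugger-challenge` step at the end only works for an app that is developer-signed with `get-task-allow`; the block should say so, since the `~/.cache/frida/gadget-ios.dylib` copy alone does nothing for an App Store-signed app. In the Frida-Server block, `--no-pause` appears twice; Frida 16 and later resume spawned processes by default and no longer accept that flag, so note the Frida version this was written against.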
rustymagnet3000 revised this gist
Dec 29, 2022 . 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -74,7 +74,7 @@ Load command 12 unzip myApp.ipa # big files inside ipa file find Payload -size +2M # Files that were mistakingly shipped inside of App Bundle find . -name '*.json' -or -name '*.txt' @@ -324,6 +324,7 @@ Title | Detail Missing Device ID | Check Provisioning Profile (`embedded.mobileprovision`) included device's UUID Check code sign key has not expired | Code Signing keys expire. The timeframe for the paid iOS Developer license is one-year. For the free developer signing key, it is much shorter. Wrong Code-Signing Key | check the Code Signing Key was NOT an `iPhone Distribution key` identity is no longer valid | `Error 0xe8008018: The identity used to sign the executable is no longer valid.` Make sure that the `Apple Development` key was selected when running `security find-identity -v -p codesigning`, I hit this error when I selected a `Developer ID Application`. I should have selected the ID associated to `Apple Development` credential. Code Signing Keys Match | check the `Code Signing Key` used when creating the `Provisioning Profile` matched the `Code Signing Key` selected when repackaging and code signing. XCode check | When generating an app - to get hold of `embedded.mobileprovision` file - remember the `Code signing` options are different for each Project Target and ProjectTests. Delete Old Apps | check no old app is installed on the phone [ that was signed with a different key ] but has the same Bundle ID. -
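Review bot: "mistakingly" should be "mistakenly" in the comment above `find . -name '*.json' -or -name '*.txt'`. The new "identity is no longer valid" row is the most useful entry in the table; lead it with the `security find-identity -v -p codesigning` check and the "pick the `Apple Development` identity" fix, and keep the `Developer ID Application` anecdote as the explanation that follows.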
rustymagnet3000 revised this gist
Dec 29, 2022 . 1 changed file with 62 additions and 75 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,10 +3,11 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Get App Store iPAs](#get-app-store-ipas) - [Decrypt the IPA into make it inspectable](#decrypt-the-ipa-into-make-it-inspectable) - [Inspect files inside ipa](#inspect-files-inside-ipa) - [Sandbox data](#sandbox-data) - [iOS file structure](#ios-file-structure) - [Logs](#logs) - [Build information](#build-information) - [Symbols](#symbols) - [Strings](#strings) @@ -44,17 +45,20 @@ When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Find [Full instructions](https://medium.com/@contact.jmeyers/download-the-ipa-file-for-any-ios-app-on-your-iphone-8298c7d6d812). ## Decrypt the IPA into make it inspectable This step is essential if you want to find good strings, debug the app or repackage the iPA. ```shell # Get script to decrypt iPA https://github.com/AloneMonkey/frida-ios-dump # Attach a jailbroken iPhone and create tunnel over USB iproxy 2222 22 & # Run Frida-ios-Dump ./dump.py fooapp.ipa # Check AppStore binary is encrypted otool -l foobar | grep -i LC_ENCRYPTION -B1 -A4 Load command 12 
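Review bot: `./dump.py fooapp.ipa` passes an output file name where frida-ios-dump expects the target; its argument is the display name or bundle identifier of the app running on the device (the Jan 2, 2023 revision above corrects this to a bundle id). In the same block, `https://github.com/AloneMonkey/frida-ios-dump` under `# Get script to decrypt iPA` reads as a line of its own; if it is, a pasted block tries to execute the URL, so make it `git clone https://github.com/AloneMonkey/frida-ios-dump` or keep it on the comment line.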
@@ -63,79 +67,52 @@ Load command 12 -- ``` ## Inspect files inside ipa ```shell # Unzip the IPA file to reveal the Payload folder unzip myApp.ipa # big files inside ipa file `find Payload -size +2M` # Files that were mistakingly shipped inside of App Bundle find . -name '*.json' -or -name '*.txt' # Check for ReactNative find . -name main.jsbundle # Check for Certificates find . -name '*.crt' -or -name '*.cer' -or -name '*.der' # Property lists inside Payload folder. Recursive search. find Payload/ -name '*.plist' # Provisioning Profiles find . -name '*.mobileprovision' # Dynamically linked frameworks find . -name '*.framework' # Locally linked javascript find Payload -name '*.js' # Search all plist files for a value find . -name '*.plist' | xargs grep "LSApplicationQueriesSchemes" # Search all plist files for Device Permissions or App Transport Security find . -name '*.plist' | xargs grep "NS" # Search all files using only grep grep "LSApplicationQueriesSchemes" . -R # Recursive search all files using grep inside an .app folder grep "Requires" foobar.app -R # foobar.app/Info.plist: <key>UIRequiresFullScreen</key> # foobar.app/Info.plist: <key>LSRequiresIPhoneOS</key> ``` ## Inspect sandbox data on Jailbroken device ### iOS file structure @@ -148,20 +125,14 @@ foobar.app/Info.plist: <key>LSRequiresIPhoneOS</key> # App executable /private/var/containers/Bundle/Application/[GUID given at app install]/foo.app/foo # freshly installed IPA is at the bottom of list cd /private/var/mobile/Containers/Data/Application/ ls -lrt cd [app guid]/Documents/ cd [app guid]/Library/ # Databases to pull off a device /private/var/Keychains TrustStore.sqlite3 keychain-2.db 
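Review bot: `find Payload -size +2M` is wrapped in backticks inside a fenced `shell` block; pasted as-is, bash runs it as command substitution and then tries to execute the list of file names it returns. Drop the backticks (the Dec 29, 2022 revision above does exactly that). Under `# Databases to pull off a device`, `/private/var/Keychains`, `TrustStore.sqlite3` and `keychain-2.db` are bare paths, not commands; comment them or show the `scp` lines that pull them, as the "File sharing" block does for the app bundle.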
@@ -185,6 +156,19 @@ scp -P 2222 root@localhost:/private/var/mobile/Containers/Data/Application/<App scp -P 2222 hello.txt root@localhost:/var/root/ ``` ## Logs ```shell # physical device idevicesyslog -u <DeviceID> | myPipedProgram # Get logs from iOS Simulator xcrun simctl spawn booted log stream --level=debug # Get logs from iOS Simulator by App Name xcrun simctl spawn booted log stream --predicate 'processImagePath endswith "MyAppName"' ``` ## Build information #### Check platform @@ -599,7 +583,9 @@ Process.findModuleByAddress("0x1c1c4645c") "size": 200704 } ``` #### Find Address and Module of function name ( Export ) ``` DebugSymbol.fromAddress(Module.findExportByName(null, 'strstr')) { @@ -610,7 +596,9 @@ DebugSymbol.fromAddress(Module.findExportByName(null, 'strstr')) "name": "strstr" } ``` #### Find Address of Export and use Address to find Module ``` Module.findExportByName(null, 'strstr') "0x183cb81e8" @@ -881,8 +869,6 @@ observeSomething('-[WKWebView *Agent]'); `frida-trace -m "*[NSURLSession* *didReceiveChallenge*]" -H 192.168.0.38:19999 -f com.youdog.rusty.tinyDormant` ## Cookies #### Find Persisted Cookies @@ -919,6 +905,7 @@ $) frida --codeshare mrmacete/objc-method-observer -p 29163 ``` Results: ```javascript +[NSHTTPCookie cookiesWithResponseHeaderFields:forURL:] cookiesWithResponseHeaderFields: { -
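Review bot: the two "Find Address" snippets (`DebugSymbol.fromAddress(Module.findExportByName(null, 'strstr'))` and `Module.findExportByName(null, 'strstr')`) are in untagged fences while the neighbouring Frida blocks are tagged `javascript`; tag them so highlighting and the reader's expectation (Frida REPL input) match. Under "Logs", `idevicesyslog -u <DeviceID> | myPipedProgram` should name a real filter such as `grep -i myapp`, which the gist already uses elsewhere, so the line runs as shown.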
rustymagnet3000 revised this gist
Dec 29, 2022 . 1 changed file with 17 additions and 27 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,10 +2,10 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Get App Store iPAs](#get-app-store-ipas) - [Logs](#logs) - [Files inside IPA](#files-inside-ipa) - [Files on iOS device](#files-on-ios-device) - [iOS file structure](#ios-file-structure) - [Build information](#build-information) - [Symbols](#symbols) @@ -26,51 +26,41 @@ <!-- /TOC --> ## Get App Store iPAs - Install Apple's utility [Apple Configurator 2](https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12) from macOS store - Install the target iOS app on the target device - Then open `Apple Configurator 2` and "sign in" with the same Apple account used on the target device - Sign-out and sign-in to refresh the known app list - Right click on device and select `Add/Apps` - Select the app you want to copy At this point `Apple Configurator 2` will download a copy of the app to: --- >`~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Caches/Assets/TemporaryItems/MobileApps/` When you hit the `"Skip App / Replace / Stop"` modal, select nothing. Go to Finder and grab the IPA. [Full instructions](https://medium.com/@contact.jmeyers/download-the-ipa-file-for-any-ios-app-on-your-iphone-8298c7d6d812). #### Decrypt the IPA into make it inspectable This step is essential if you want to find good strings, debug the app or repackage the iPA. ```shell # Unzip the IPA file to reveal the Payload folder unzip myApp.ipa # Decrypt iPA https://github.com/AloneMonkey/frida-ios-dump # Check AppStore binary is encrypted otool -l foobar | grep -i LC_ENCRYPTION -B1 -A4 Load command 12 cmd LC_ENCRYPTION_INFO cryptid 1 -- ``` ## Logs -
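Review bot: `https://github.com/AloneMonkey/frida-ios-dump` under `# Decrypt iPA` is now inside the shell block; if it sits on its own line, a pasted block tries to execute the URL as a command, so prefix it with `#` or turn it into `git clone https://github.com/AloneMonkey/frida-ios-dump`. The renamed heading "Decrypt the IPA into make it inspectable" has a stray "into" ("to make it inspectable").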
rustymagnet3000 revised this gist
Nov 26, 2021 . 1 changed file with 77 additions and 52 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,7 +4,9 @@ - [Make apps from AppStore inspectable](#make-apps-from-appstore-inspectable) - [Logs](#logs) - [Files inside of IPA](#files-inside-of-ipa) - [Files on Device](#files-on-device) - [iOS file structure](#ios-file-structure) - [Build information](#build-information) - [Symbols](#symbols) - [Strings](#strings) @@ -18,7 +20,6 @@ - [Frida Intercepter](#frida-intercepter) - [Frida-Trace](#frida-trace) - [Bypass anti-Frida checks](#bypass-anti-frida-checks) - [Cookies](#cookies) - [Change iOS Version](#change-ios-version) - [LLVM Instrumentation](#llvm-instrumentation) @@ -86,7 +87,7 @@ Load command 12 `idevicesyslog -u <DeviceID> | myPipedProgram` ## Files inside IPA #### Files big files inside unzipped IPA 
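Review bot: the heading "#### Files big files inside unzipped IPA" has a duplicated "Files" ("#### Big files inside unzipped IPA"), and the new TOC entry "Files on Device" does not match the section title added in this revision, "Files on iOS device", so the anchor `#files-on-device` will not resolve.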
@@ -144,6 +145,56 @@ foobar.app/Info.plist: <key>LSRequiresIPhoneOS</key> `grep -i -B 10 'error'` ## Files on iOS device ### iOS file structure ```bash # Sandbox. Look here for Cookies, json files, etc /var/mobile/Containers/Data/Application/[GUID given at install time]/ # Folder of App Bundle that was installed. Executables, frameworks, fonts, CSS, html. NIB files. /private/var/containers/Bundle/Application/[GUID given at app install]/foo.app # App executable /private/var/containers/Bundle/Application/[GUID given at app install]/foo.app/foo ``` #### Inspect sandboxed data ```bash cd /private/var/mobile/Containers/Data/Application/ ls -lrt // Your freshly installed IPA is at the bottom of list cd [app guid]/Documents/ cd [app guid]/Library/ ``` #### Databases to pull off a device ```bash /private/var/Keychains TrustStore.sqlite3 keychain-2.db pinningrules.sqlite3 ``` #### File sharing ```bash # Extract IPA (whether App Store encrypted or not) scp -r -P 2222 root@localhost:/var/containers/Bundle/Application/<app GUID>/hitme.app ~/hitme.app # Different to SSH, the uppercase P for Port with SCP. Order important. scp -P 2222 root@localhost:/var/root/overflow.c localfilename.c # from Jailbroken device to local machine # Caution:no space after the root@localhost: Otherwise you copy the entire filesystem! scp -P 2222 root@localhost:/private/var/mobile/Containers/Data/Application/<App GUID>/Library/Caches/Snapshots/com.my.app # from local machine to remote Jailbroken device scp -P 2222 hello.txt root@localhost:/var/root/ ``` ## Build information #### Check platform @@ -175,7 +226,7 @@ jtool -arch arm64 --ent <binary inside app bundle> #### Simple Permissions check `cat Payload/*/Info.plist | grep -i NS` #### Device Support 
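Review bot: `ls -lrt // Your freshly installed IPA is at the bottom of list` is inside a `bash` fence, where `//` is a path argument rather than a comment, so `ls` will list `//` and complain about files named `Your`, `freshly`, and so on; move the remark onto a `#` line. In the "File sharing" block, `scp -P 2222 root@localhost:/private/var/mobile/.../Library/Caches/Snapshots/com.my.app` has no local destination argument and names a directory without `-r`, so it fails before any copy starts; the `hitme.app` line above it shows the right shape. The `# Caution: no space after root@localhost:` comment is a good catch and should stay.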
@@ -795,15 +846,31 @@ frida-ps -Uai // get your bundle ID frida --codeshare mrmacete/objc-method-observer -U -f funky-chicken.push-demo [+] At the Frida prompt... // Method isJailbroken observeSomething('*[* isJail*]') // Observe String compares observeSomething('*[* isEqualToString*]'); // A Class ( ObjC ) or Module (Symbol ). The first asterix indicates it can be eith Instance or Class method observeSomething('*[ABC* *]'); // Watch Cookies observeSomething('-[WKWebsiteDataStore httpCookieStore]'); observeSomething('-[WKWebAllowDenyPolicyListener *]'); // dump the URL to hit observeSomething('-[WKWebView loadRequest:]'); // you get all HTML, js, css, etc observeSomething('-[WKWebView load*]'); // Read the entire request observeSomething('-[WKWebView loadHTMLString:baseURL:]') // Check for a custom UserAgent observeSomething('-[WKWebView *Agent]'); ``` ## Bypass anti-Frida checks @@ -824,49 +891,7 @@ observeSomething('*[* isEqualToString*]'); // watch string co `frida-trace -m "*[NSURLSession* *didReceiveChallenge*]" -H 192.168.0.38:19999 -f com.youdog.rusty.tinyDormant` ## Cookies -
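Review bot: the `observeSomething` block's first two lines, `frida-ps -Uai` and `frida --codeshare mrmacete/objc-method-observer -U -f funky-chicken.push-demo`, are shell commands and `[+] At the Frida prompt...` is a transcript marker, yet they share one fence with the Frida REPL script; split the shell part into its own `shell` fence. In the comments, "asterix" should be "asterisk" and "eith" should be "either". The `-H 192.168.0.38:19999` lines tie the examples to one LAN address; a `<host>:<port>` placeholder reads better in a shared gist.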
rustymagnet3000 revised this gist
Sep 28, 2021 . 1 changed file with 21 additions and 12 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,15 +2,15 @@ <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Make apps from AppStore inspectable](#make-apps-from-appstore-inspectable) - [Logs](#logs) - [Files](#files) - [Build information](#build-information) - [Symbols](#symbols) - [Strings](#strings) - [Applesign](#applesign) - [Sideload iOS app](#sideload-ios-app) - [Troubleshoot codesign / iOS Deploy](#troubleshoot-codesign--ios-deploy) - [Frida-Server](#frida-server) - [Frida-Gadget](#frida-gadget) - [Frida basics](#frida-basics) @@ -25,18 +25,33 @@ <!-- /TOC --> ## Make apps from AppStore inspectable #### Get App Store iPAs - Install Apple's utility [Apple Configurator 2](https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12) from macOS store - Install the target iOS app on the target device - Then open `Apple Configurator 2` and "sign in" with the same Apple account used on the target device - Sign-out and sign-in to refresh the known app list - Right click on device and select `Add/Apps` - Don't install the app - go to `Finder` and: --- >`~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Caches/Assets/TemporaryItems/MobileApps/` --- Referenced [article](https://medium.com/@b0661064248/how-can-i-get-ipa-of-any-app-which-is-available-on-app-store-3a403be7b028). #### Unzip the IPA file to reveal the Payload folder `unzip myApp.ipa` #### Decrypt iPA Mandatory if you want to find good strings, debug the app or repackage the iPA. [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump) #### Check AppStore binary is encrypted ```bash @@ -57,12 +72,6 @@ Load command 12 cryptid 1 ``` ## Logs #### Simulator filter on Debug String 
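Review bot: "Decrypt iPA" says decryption is mandatory for strings, debugging and repackaging but only links the tool; the `dump.py` invocation does not appear until the Dec 29, 2022 revision, so this section is not followable on its own. The `#### Get App Store iPAs` steps end with "Don't install the app - go to `Finder` and:" followed by the cache path; saying which modal to leave open (the later revisions name it as `"Skip App / Replace / Stop"`) would make the step reproducible.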
@@ -283,7 +292,7 @@ ios-deploy -b -W myapp-resigned.ipa // uses USB ios-deploy -B | grep -i funky // list Bundle IDs ``` ## Troubleshoot codesign / iOS Deploy Title | Detail --|-- -
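Review bot: ordering problem in the `@@ -25,18 +25,33 @@` hunk: the new `#### Decrypt iPA` section ("Mandatory if you want to find good strings, debug the app or repackage the iPA", frida-ios-dump) now sits above `#### Check AppStore binary is encrypted`, so the reader is sent to decrypt before being shown the `otool -l foobar | grep -i LC_ENCRYPTION -B1 -A4` check that reveals whether `cryptid` is `1`. Move the check above the decrypt step, or add one sentence to the decrypt section saying it only applies when the check reports `cryptid 1`.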
rustymagnet3000 revised this gist
Sep 27, 2021. 1 changed file with 26 additions and 23 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,27 +1,27 @@ # Static / Dynamic iOS app inspection <!-- TOC depthfrom:2 depthto:3 updateonsave:false withlinks:true --> - [Get unencrypted ipa](#get-unencrypted-ipa) - [Logs](#logs) - [Files](#files) - [Build information](#build-information) - [Symbols](#symbols) - [Strings](#strings) - [Applesign](#applesign) - [Sideload iOS app](#sideload-ios-app) - [Fixing codesign / iOS Deploy issues](#fixing-codesign--ios-deploy-issues) - [Frida-Server](#frida-server) - [Frida-Gadget](#frida-gadget) - [Frida basics](#frida-basics) - [Frida's --eval flag](#fridas---eval-flag) - [Frida Intercepter](#frida-intercepter) - [Frida-Trace](#frida-trace) - [Bypass anti-Frida checks](#bypass-anti-frida-checks) - [Persisted data](#persisted-data) - [Cookies](#cookies) - [Change iOS Version](#change-ios-version) - [LLVM Instrumentation](#llvm-instrumentation) <!-- /TOC --> @@ -159,7 +159,10 @@ foobar.app/Info.plist: <key>LSRequiresIPhoneOS</key> #### iOS app entitlements ```bash codesign -d --entitlements :- Payload/MyApp.app jtool -arch arm64 --ent <binary inside app bundle> ``` #### Simple Permissions check -
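Review bot: spelling in the `@@ -1,27 +1,27 @@` hunk: the TOC entry `- [Frida Intercepter](#frida-intercepter)` and the heading it links to misspell the API; the section body hooks with `Interceptor.attach`, so rename the entry to `Frida Interceptor` with anchor `#frida-interceptor`. In the entitlements hunk, the added `codesign -d --entitlements :- Payload/MyApp.app` line takes the `.app` bundle while the `jtool -arch arm64 --ent <binary inside app bundle>` line below it takes the Mach-O inside it; a short comment saying so would stop readers passing the wrong path to one of the two.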
rustymagnet3000 revised this gist
Sep 25, 2021. 1 changed file with 34 additions and 29 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,32 +1,36 @@ # Static / Dynamic iOS app inspection <!-- TOC depthfrom:2 depthto:3 updateonsave:false --> - Get unencrypted ipa - Logs - Files - Build information - Symbols - Strings - Applesign - Sideload iOS app - Fixing codesign / iOS Deploy issues - Frida-Server - Frida-Gadget - Frida basics - Frida's --eval flag - Frida Intercepter - Frida-Trace - Bypass anti-Frida checks - Persisted data - Cookies - Change iOS Version - LLVM Instrumentation <!-- /TOC --> ## Get unencrypted ipa #### Get App Store iPAs [Medium](https://medium.com/@b0661064248/how-can-i-get-ipa-of-any-app-which-is-available-on-app-store-3a403be7b028) ~~<https://ipa.rocks/>~~ ( taken down at end of 2020 ) #### Unzip the IPA file to reveal the Payload folder @@ -55,7 +59,9 @@ Load command 12 #### Decrypt iPA Mandatory if you want to find good strings or you want to repackage the iPA. [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump) ## Logs @@ -87,7 +93,7 @@ Load command 12 #### Check for Certificates `find . -name '*.crt' -or -name '*.cer' -or -name '*.der'` #### Property lists in Payload. Recursive search @@ -214,6 +220,9 @@ Address : 0x100000f7c = Offset 0xf7c `Applesign` is a wrapper around `Codesigning` tools from Apple. ``` npm install -g applesign #### Create provisioning file First, you want to get hold of an `embedded.mobileprovision` file. Fear not, this step is simple. @@ -237,13 +246,9 @@ security find-identity -v -p codesigning export CODESIGNID=<GUID> ``` #### Resign iPA: change bundle ID `applesign -7 -i ${CODESIGNID} --bundleid funky-chicken.resigned` #### Resign iPA: set app to debuggable with custom provisioning file ( default ) -
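Review bot: unclosed fence in the `@@ -214,6 +220,9 @@` hunk: the block opened with ``` before `npm install -g applesign` has no closing ``` before `#### Create provisioning file`, so the provisioning and resigning sections below it render as one code block; close the fence on the line after the npm command and tag it `bash` like the other fences in the file. The space restored in `applesign -7 -i ${CODESIGNID} --bundleid funky-chicken.resigned` is the right fix for the earlier `${CODESIGNID}--bundleid`.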
rustymagnet3000 revised this gist
Feb 10, 2021. 1 changed file with 317 additions and 130 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -24,12 +24,18 @@ <!-- /TOC --> ## Get unencrypted ipa #### Get App Store iPAs ~~<https://ipa.rocks/>~~ ( taken down at end of 2020 ) #### Unzip the IPA file to reveal the Payload folder `unzip myApp.ipa` #### Check AppStore binary is encrypted ```bash otool -l foobar | grep -i LC_ENCRYPTION -B1 -A4 Load command 12 cmd LC_ENCRYPTION_INFO 
@@ -46,98 +52,170 @@ Load command 12 cryptsize 14041088 cryptid 1 ``` #### Decrypt iPA <https://github.com/AloneMonkey/frida-ios-dump> ## Logs #### Simulator filter on Debug String `xcrun simctl spawn booted log stream --level=debug | grep App_Debug_String` #### Simulator filter on App Name `xcrun simctl spawn booted log stream --predicate 'processImagePath endswith "MyAppName"'` #### Real device `idevicesyslog -u <DeviceID> | myPipedProgram` ## Files #### Files big files inside unzipped IPA `find Payload -size +2M` #### Files that were mistakingly shipped inside of App Bundle `find . -name '*.json' -or -name '*.txt'` #### Check for ReactNative `find . -name main.jsbundle` #### Check for Certificates `find . -name '*.crt' -or -name '*.cer'` #### Property lists in Payload. Recursive search `find Payload/ -name '*.plist'` #### Provisioning Profiles `find . -name '*.mobileprovision'` #### Dynamically linked frameworks `find . -name '*.framework'` #### Locally linked javascript `find Payload -name '*.js'` #### Search all plist files for a value `find . -name '*.plist' | xargs grep "LSApplicationQueriesSchemes"` #### Search all plist files for Device Permissions or App Transport Security `find . -name '*.plist' | xargs grep "NS"` #### Search all files using only grep `grep "LSApplicationQueriesSchemes" . 
-R` #### Recursive search all files using grep inside an .app folder ```bash grep "Requires" foobar.app -R foobar.app/Info.plist: <key>UIRequiresFullScreen</key> foobar.app/Info.plist: <key>LSRequiresIPhoneOS</key> ``` #### Inspect any device logs you find `grep -i -B 10 'error'` ## Build information #### Check platform `lipo -info libprogressbar.a` #### Check for build errors `jtool -arch arm64 -L <binary inside app bundle>` #### Check minimum iOS version & restrict linker flag `jtool -arch arm64 -l <binary inside app bundle>` #### Check Load Commands `rabin2 -H playground` #### Sections of the Binary `objdump -macho -section-headers Payload/myApp.app/myApp` #### iOS app entitlements `jtool -arch arm64 --ent <binary inside app bundle>` #### Simple Permissions check `cat Payload/my.app/Info.plist | grep -i NS` #### Device Support <https://gist.github.com/adamawolf/3048717> #### Check binary was stripped `rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'stripped|canary'` #### Check Position Independent Code set `rabin2 -I -a arm_64 <binary inside app bundle> | grep -E 'pic|bits` #### Check for Bitcode enabled ```bash otool -l libprogressbar.a | grep __LLVM otool -arch arm64 -l tinyDynamicFramework | grep __LLVM // Remember this command won't work on a locally built Simulator / iPhone app. Bitcode happens after setting `Archive` ``` ## Symbols #### nm `nm libprogressbar.a | less` #### rabin2 `rabin2 -s file` #### radare2 `is~FUNC` ## Strings #### Check URLs ```bash strings <binary inside app bundle> | grep -E 'session|https' strings <binary inside app bundle> | grep -E 'pinning' rabin2 -qz <binary inside app bundle> // in Data Section rabin2 -qzz <binary inside app bundle> // ALL strings in binary jtool -dA __TEXT.__cstring c_playground Dumping C-Strings from address 0x100000f7c (Segment: __TEXT.__cstring).. 
Address : 0x100000f7c = Offset 0xf7c 0x100000f7c: and we have a winner @ %ld\r 0x100000f98: and that's a wrap folks!\r ``` ## Applesign `Applesign` is a wrapper around `Codesigning` tools from Apple. #### Create provisioning file First, you want to get hold of an `embedded.mobileprovision` file. Fear not, this step is simple. Open `Xcode` and select `File/New/Project/Swift` and call it `foobar`. Select `build` for Generic (ARM) Device. Do not select a simulator. This is normally enough. @@ -146,27 +224,38 @@ You don’t need to `run` the app unless want to automagically add your device Now right click on the `/Product/foobar.app` - in the left hand view pane - and select "show in finder". If you look inside the folder ( remember `foobar.app` is a folder ) you will find a fresh `embedded.mobileprovision`. This contains the uniques IDs and an expiry date for the developer profile associated to the app. #### Read the Provisioning Profile Ensure your device ID is in the profile and the profile is fresh. `security cms -D -i embedded.mobileprovision` #### List all of your Code signing identities ```bash security find-identity -v -p codesigning export CODESIGNID=<GUID> ``` #### Find the ID you want to use… `AAA.................FFFF` #### Resign iPA: change bundle ID `applesign -7 -i ${CODESIGNID}--bundleid funky-chicken.resigned` #### Resign iPA: set app to debuggable with custom provisioning file ( default ) `applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision unsigned.ipa -o ready.ipa` #### Resign the iPA: set output IPA name. Won't be debuggable, if it is a App Store app `applesign -7 -i ${CODESIGNID} myapp.ipa -o resigned.ipa` #### Speed up repackaging ```bash rm -v unsigned.ipa | rm -v ready.ipa | 7z a unsigned.ipa Payload // Keep original Bundle ID 
@@ -177,15 +266,16 @@ applesign -7 -i ${CODESIGNID} -m embedded.mobileprovision unsigned.ipa -o ready. ios-deploy -b ready.ipa ``` ## Sideload iOS app ```bash ios-deploy -b myapp-resigned.ipa // defaults to send over wifi ios-deploy -b -W myapp-resigned.ipa // uses USB ios-deploy -B | grep -i funky // list Bundle IDs ``` ## Fixing codesign / iOS Deploy issues Title | Detail --|-- 
@@ -200,39 +290,71 @@ Clone Entitlements | When the app is complicated, with many entitlements, somet Wrong Bundle ID | When you add specific `Entitlments` you need a unique Bundle ID. Check whether you need to change Bundle ID when re-signing. Network settings | `Settings\General\Profiles and Device Management` to trust the Developer Profile and App. This won't happen if you are manually proxying or setting a local DNS server., when installing with `iOS-deploy`. --- If none of the above work open `Console.app` on macOS. Select your device and set `process:mobile_installation_proxy` in the `Search Bar`. This will give details behind the sideloaded IPA error message. ## Frida-Server #### list available devices `frida-ls-devices` #### connect to cat by name `frida -n cat` #### Force open foobar `frida -f foobar` #### open foobar over usb and force start. starts app running `frida -U -f foobar --no-pause` #### list processes and bundle ID from USB connected device `frida-ps -Uai` #### keep updated `pip3 install --upgrade frida` #### get the target app's process ID from USB connected device `frida-ps -U | grep -i myapp` #### Run script and quit Frida `frida -U -f foobar --no-pause -q --eval 'console.log("Hi Frida");'` ## Frida-Gadget Since `Frida version ~12.7`, it was quick and simple to Frida on a Jailed device: #### Get Frida-Gadget <https://github.com/frida/frida/releases> #### Unzip `gunzip frida-gadget-12.xx.xx-ios-universal.dylib.gz` #### Create directory for Frida-Gadget `mkdir -p ~/.cache/frida` #### Move Frida-Gadget `cp frida-gadget-12.xx.xx-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib` #### Invoke Frida-Gadget on Clean device `frida -U -f funky-chicken.debugger-challenge` ## Frida basics ```bash frida -U "My App" // Attach Frida to app over USB Process.id 
@@ -273,9 +395,12 @@ hello fr Memory.readUtf8String(ptrToC) "hello frida" ``` #### Frida - Objective-C Objective-C's syntax includes the `:` and `@` characters. These characters were not used in the `Frida Javascript API`. ```bash // Attach to playground process ID frida -p $(ps -ax | grep -i -m1 playground |awk '{print $1}') @@ -318,8 +443,10 @@ a.UUIDString() a.UUIDString().toString() "4645BFD2-94EE-413D-9CE5-8982D41ED6AE" ``` #### NSString ```bash var b = ObjC.classes.NSString.stringWithString_("foo"); b.isKindOfClass_(ObjC.classes.NSString) @@ -339,8 +466,10 @@ var c = ObjC.classes.NSString.stringWithFormat_('foo ' + 'bar ' + 'lives'); console.log(c) foo bar lives ``` #### NSURL ```bash var url = ObjC.classes.NSURL.URLWithString_('www.foobar.com') console.log(url) @@ -352,8 +481,10 @@ true console.log(url.$class) NSURL ``` #### Frida from NSString to NSData back to Hex String ```bash var b = ObjC.classes.NSString.stringWithString_("foo"); var d = ObjC.classes.NSData @@ -376,17 +507,21 @@ x.$className var newStr = ObjC.classes.NSString.stringWithUTF8String_[d.bytes] ``` #### Frida with xCode Simulator ```bash // demoapp is the iOS app name myapp=$(ps x | grep -i -m1 demoapp | awk '{print $1}') frida-trace -i "getfsent*" -p $myapp // Connect to process with Frida script frida --codeshare mrmacete/objc-method-observer -p 85974 ``` #### Frida find Modules ```frida Process.enumerateModules() // this will print all loaded Modules @@ -406,7 +541,7 @@ Process.findModuleByAddress("0x1c1c4645c") "size": 200704 } ``` #### Find Address and Module of function name ( Export ) ``` DebugSymbol.fromAddress(Module.findExportByName(null, 'strstr')) { @@ -417,7 +552,7 @@ DebugSymbol.fromAddress(Module.findExportByName(null, 'strstr')) "name": "strstr" } ``` #### Find Address of Export and use Address to find Module ``` Module.findExportByName(null, 'strstr') "0x183cb81e8" 
@@ -433,8 +568,10 @@ Process.findModuleByAddress("0x183cb81e8") "size": 516096 } ``` #### Exports inside a Module ```frida a = Process.findModuleByName("Reachability") a.enumerateExports() .... @@ -452,17 +589,22 @@ a.enumerateExports() ... .. ``` ## Frida's --eval flag #### Enumerate all Exports, grepping for one function, and quit ```javascript frida -U -f funky-chicken.debugger-challenge --no-pause -q --eval 'var x={};Process.enumerateModulesSync().forEach(function(m){x[m.name] = Module.enumerateExportsSync(m.name)});' | grep -B 1 -A 1 task_threads "address": "0x1c1c4645c", "name": "task_threads", "type": "function" ``` #### Search for Module, with the Exports' Address ```javascript frida -U -f funky-chicken.debugger-challenge --no-pause -q --eval 'var x={};Process.findModuleByAddress("0x1c1c4645c");' { @@ -473,9 +615,9 @@ frida -U -f funky-chicken.debugger-challenge --no-pause -q --eval 'var x={};Proc } ``` ## Frida Intercepter ```javascript [objc_playground]-> var a = ObjC.classes.NSString.stringWithString_("foo"); [objc_playground]-> a.superclass().toString() @@ -500,8 +642,10 @@ Interceptor.attach(ObjC.classes.NSTaggedPointerString['- isEqualToString:'].impl [+] Hooked NSTaggedPointerString[- isEqualToString:] -> bar 0 // FALSE ``` #### Frida Intercepter - monitor file open ```javascript // frida -U -l open.js --no-pause -f com.yd.demoapp // the below javascript code is the contents of open.js @@ -515,8 +659,10 @@ Interceptor.attach(targetFunction, { } }); ``` #### Frida Intercepter - monitor Swift Mangled function ```javascript try { var targetFunctPtr = Module.findExportByName("YDAppModule", "$s9YDAppModule17ConfigC33publicKeyVerifyCertsSayypGvpfi"); @@ -536,8 +682,10 @@ catch(err){ console.log("[!] Exception: " + err.message); } ``` ## Frida-Trace ```javascript frida-trace --v // check it works frida-trace --help // excellent place to read about Flags frida-trace -f objc_playground // spawn and NO trace 
@@ -561,8 +709,10 @@ frida-trace -m "-[NSURLRequest initWithURL:]" -U -f com.robot.demo frida-trace -m "-[NSURL initWithString:]" -U -f com.robot.demo // find the API endpoints frida-trace -m "*[NSURL absoluteString]" -U -f com.robot.demo // my favorite of these ``` Edit the Frida-Trace auto-generated, template file. ```javascript onEnter: function (log, args, state) { log("-[NSURLRequest initWithURL:" + args[2] + "]"); var str = new ObjC.Object(ptr(args[2])).toString() @@ -572,15 +722,19 @@ onEnter: function (log, args, state) { // results [*] https://secretserver.nl/SignIn ``` #### Frida-Trace strcpy() ```bash frida-trace -i "*strcpy" -f hitme aaaa bbbb Instrumenting functions... _platform_strcpy: Loaded handler at "/.../__handlers__/libSystem.B.dylib/_platform_strcpy.js" Started tracing 1 function. Press Ctrl+C to stop. ``` Edit the auto-generated, template Javascript file. ```javascript ----------- onEnter: function (log, args, state) { // strcpy() arg1 is the Source. arg0 is the Destination. @@ -597,8 +751,10 @@ onEnter: function (log, args, state) { console.log('[+] src_byte_array decoded\t-> ' + decoded); }, ``` The results: ```javascript [+] _platform_strcpy() [+] src_ptr -> 0x7ffeefbffaa6 [+] src_string -> aaaa @@ -613,8 +769,10 @@ The results: [+] src_byte_array size -> 4 [+] decoded -> bbbb ``` #### Frida Objective-C Observer ```javascript frida-ps -Uai // get your bundle ID frida --codeshare mrmacete/objc-method-observer -U -f funky-chicken.push-demo 
@@ -630,38 +788,55 @@ observeSomething('-[WKWebView loadHTMLString:baseURL:]') // really effectiv observeSomething('-[WKWebView *Agent]'); // try to see if somebody set a custom UserAgent observeSomething('*[* isEqualToString*]'); // watch string compares ``` ## Bypass anti-Frida checks #### Rename Frida process `bash -c "exec -a YDFooBar ./frida-server &"` #### Set Frida-Server on host to a specific interface and port `frida-server -l 0.0.0.0:19999 &` #### Call Frida-server from Host `frida-ps -ai -H 192.168.0.38:19999` #### Trace on custom port `frida-trace -m "*[NSURLSession* *didReceiveChallenge*]" -H 192.168.0.38:19999 -f com.youdog.rusty.tinyDormant` ## Persisted data #### Inspect App bundle ```bash cd /private/var/containers/Bundle/Application/<guid>/myapp.app // Contains compiled code, statically linked files, compressed NIB files. ``` #### Inspect sandboxed data ```bash cd /private/var/mobile/Containers/Data/Application/ ls -lrt // Your freshly installed IPA is at the bottom of list cd [app guid]/Documents/ cd [app guid]/Library/ ``` #### Databases to pull off a device ```bash /private/var/Keychains TrustStore.sqlite3 keychain-2.db pinningrules.sqlite3 ``` #### File sharing ```bash // Extract IPA (whether App Store encrypted or not) scp -r -P 2222 root@localhost:/var/containers/Bundle/Application/<app GUID>/hitme.app ~/hitme.app @@ -677,12 +852,16 @@ scp -P 2222 hello.txt root@localhost:/var/root/ ``` ## Cookies #### Find Persisted Cookies ```bash /private/var/mobile/Containers/Data/Application/<app guid, given at install time>/Library/Cookies/Cookies.binarycookies ``` #### Extract ```bash scp -P 2222 root@localhost:/private/var/mobile/Containers/Data/Application/<App GUID>/Library/Cookies/Cookies.binarycookies cookies.bin BinaryCookieReader: Written By Satishb3 (http://www.securitylearn.net 
@@ -694,8 +873,10 @@ Cookie : s_vi=[CS]v1|2E09D702852E4ACE-60002D37A0008393[CE]; domain=.apple.com; p ............ ............ ``` #### Find Cookies in Memory with Frida ( on real device & iOS Simulator ) ```bash $) ps -ax | grep -i WebKit.Networking 29163 ?? <longPath>/.../com.apple.WebKit.Networking @@ -704,8 +885,9 @@ $) frida --codeshare mrmacete/objc-method-observer -p 29163 [PID::29163]-> %resume [PID::29163]-> observeSomething('*[* cookiesWithResponseHeaderFields:forURL:]'); ``` Results: ```javascript +[NSHTTPCookie cookiesWithResponseHeaderFields:forURL:] cookiesWithResponseHeaderFields: { "Set-Cookie" = "EuConsent=<removed for brevity>; path=/; expires=Sat, 16 Nov 2019 14:51:01 GMT;"; @@ -728,17 +910,22 @@ $) frida --codeshare mrmacete/objc-method-observer -p 29163 path:"/" isSecure:FALSE>" ) ``` ## Change iOS Version _WARNING_: only change the minimum iOS version of a specific app's plist and not for the entire device. Things start to break - like calls into C libraries - when you change the device's read-only iOS version. ```bash ssh onto device root# cd /System/Library/CoreServices/ root# cat SystemVersion.plist root# nano SystemVersion.plist EDIT THE VALUE. KEEP THE OLD VALUE! ``` ## LLVM Instrumentation ```bash https://developer.apple.com/library/archive/qa/qa1964/_index.html otool -l -arch all my_framework | grep __llvm_prf nm -m -arch all my_app | grep gcov -
Rusty Robot revised this gist
Jan 6, 2021. 1 changed file with 28 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -406,6 +406,33 @@ Process.findModuleByAddress("0x1c1c4645c") "size": 200704 } ``` ##### Find Address and Module of function name ( Export ) ``` DebugSymbol.fromAddress(Module.findExportByName(null, 'strstr')) { "address": "0x183cb81e8", "fileName": "", "lineNumber": 0, "moduleName": "libsystem_c.dylib", "name": "strstr" } ``` ##### Find Address of Export and use Address to find Module ``` Module.findExportByName(null, 'strstr') "0x183cb81e8" Module.getExportByName(null,'strstr') "0x183cb81e8" Process.findModuleByAddress("0x183cb81e8") { "base": "0x183cb6000", "name": "libsystem_c.dylib", "path": "/usr/lib/system/libsystem_c.dylib", "size": 516096 } ``` ##### Exports inside a Module ``` a = Process.findModuleByName("Reachability") @@ -428,7 +455,7 @@ a.enumerateExports() ## Frida's --eval flag ##### Enumerate all Exports, grepping for one function, and quit ``` frida -U -f funky-chicken.debugger-challenge --no-pause -q --eval 'var x={};Process.enumerateModulesSync().forEach(function(m){x[m.name] = Module.enumerateExportsSync(m.name)});' | grep -B 1 -A 1 task_threads "address": "0x1c1c4645c", "name": "task_threads",
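Review bot: heading depth in the `@@ -406,6 +406,33 @@` hunk: the new `##### Find Address and Module of function name ( Export )`, `##### Find Address of Export and use Address to find Module` and `##### Exports inside a Module` sit directly under a `##` section, skipping `###` and `####`; the later revisions on this page settle on `####` for these sub-sections, so use that here too. The two new fences are bare ```; tagging them (the Feb 10 revision uses ```frida) keeps the file consistent.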