Introduction:
In my previous article I described how you would normally go about decompiling an iOS application. That method works for the majority of applications. However, developers often add security features to stop an attacker from decompiling or debugging the application.
In our case, even though we are on the developers' side and are testing the application, it is still worth following the same route an attacker would. That way we learn exactly what information is disclosed and how the application can be compromised.
Requirements:
- iOS device must be jailbroken.
- OpenSSH should be installed on the iOS device.
- SSH Client on your machine.
- "Class Dump" should be installed on the iOS device via "Cydia".
- "Cycript" should be installed on the iOS device via "Cydia".
First we will try the same step as in our previous post and dump the class information with "class dump". The screenshot below shows one such instance: the command has the same syntax as before, but the output is unreadable, because class dump is reading the still-encrypted executable from disk.
In such a case, using class dump alone is not fruitful. Instead we use a tool called "Cycript" together with "weak_classdump" by Elias Limneos, a Cycript script that generates a header file for the class passed to it. Because it runs inside the live process, it reads the class metadata after the loader has already decrypted the executable in memory, which is why it succeeds where class dump on the file on disk does not. It is used as follows.
Step 1: Get the process id of the running application to be decrypted and decompiled with the command "ps -ax | grep "App"".
The screenshot above shows that the process id was "3785".
Step 2: Download the latest copy of "weak_classdump.cy" from the "weak_classdump" repository into the working folder.
Then use the command below to inject weak_classdump into the application to be decrypted and decompiled (the first invocation loads the script into the process, the second attaches an interactive console to it):
cycript -p 3785 weak_classdump.cy; cycript -p 3785
If the injection was successful, you will get the message 'Added weak_classdump to "TWCTV" (3785)', where "TWCTV" is the application being decrypted and decompiled.
Step 3: You now get a cy# prompt, where you enter the command below to perform the actual dump of the required information:
weak_classdump_bundle([NSBundle mainBundle],"/tmp/3847_decrypted_application")
This step takes a long time, and you will see something like the screen below when the process is complete.
Step 4: Exit Cycript (Ctrl+D) and you can access the complete dump in cleartext at "/tmp/3847_decrypted_application".
The screenshot above shows that the class names, method signatures and properties are in cleartext and can be easily analysed. Note that what you get is the class interface (header files), not the method bodies: the runtime only exposes the metadata, so the implementation itself still needs a disassembler. Even so, the function names and values exposed here are enough to hook methods at runtime with Mobile Substrate or Cycript and force the application to perform various malicious activities.
This may be a stupid question, but how can I quit Cycript without having to close the terminal window?

Try Ctrl+D. That should let you quit the cycript interpreter.

Thank you very much, I was trying to use Ctrl+C.

That always "decompiles" the header files, not the rest!

Dumping header files is not decompiling. And to quit cycript, try switching mobileterminal's windows (the dots in the center of the screen) and try killall -9 cycript or killall cycript.

Translating program code into a human-readable language is decompiling, so dumping unreadable header files which contain class information is clearly decompiling :)

I'm stuck at
cycript -p weak_classdump.cy; cycript -p
Running this command always seems to freeze on iOS 6.1.3.
How are you running this on 6.1.3?

That's weird, because I've used it without any problems on 6.1.3. How are you running cycript?

How long would be considered "normal"? I've been waiting almost 9 hours so far with no signs of progress. Everything had gone smoothly and appeared to be working well until now... the end waiting game... :/... lol... is this normal?

No. It is not at all normal :)

Mine does wait for some time, but never more than a few minutes.

It seems the git link I was using has developed some issue. Use the link below to download the latest working copy of weak_classdump.cy:
https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy