HackTricks
iOS Hooking With Objection
For this section the tool Objection is going to be used. Start by getting an Objection session. The `--gadget` value is either the target's process name or its bundle identifier (both forms are shown below; `frida-ps -Uai` lists the installed applications on a USB-connected device together with their identifiers), and `-d` turns on debug output:

```
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
```

Basic Enumeration of the app

Local App Paths

env: Find the paths where the application is stored inside the device. BundlePath is the read-only app bundle; the Documents, Library and Caches directories are the app's data container, which is where anything the app writes at runtime (and therefore any insecurely stored data) ends up.

```
env

Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
```

List Bundles, frameworks and libraries

ios bundles list_bundles: List bundles of the application

```
ios bundles list_bundles

Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
```
ios bundles list_frameworks: List external frameworks used by the application. The example output below was captured from a different, React Native based app (note the `...tle.app` paths), which is why it does not match the iGoat output elsewhere on this page; the CocoaPods bundle identifiers and versions it reveals are exactly the third-party component inventory you want for looking up known issues.

```
ios bundles list_frameworks

Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                          ...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                          ...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]
```
memory list modules: List the modules loaded in the process. Besides the app binary and system libraries, this shows anything injected by the jailbreak (here `SubstrateBootstrap.dylib`), which is precisely what jailbreak-detection code tends to look for.

```
memory list modules

Name                      Base         Size                 Path
------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift               0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib  0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration       0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib            0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib              0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib          0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib           0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]
```
memory list exports <module_name>: Exports of a loaded module. Even in a stripped binary the exported symbols leak which libraries were statically linked in; the mangled C++ names below (`_ZN9couchbase6differ10BaseDiffer...` demangles to `couchbase::differ::BaseDiffer::...`) show that iGoat-Swift embeds Couchbase Lite.

```
memory list exports iGoat-Swift

Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]
```

List classes of an APP

ios hooking list classes: List the Objective-C classes registered in the process. This is every class loaded, not just the app's own: the `AA*` classes at the top belong to Apple's system frameworks, so the full list is long and mostly noise, and the search command below is usually the better starting point.

```
ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]
```
ios hooking search classes <search_term>: Search for classes whose name contains a string. Searching for a term unique to the app, such as part of its module or package name, is the quickest way to find the app's own classes. Swift classes are registered with the Objective-C runtime under `Module.ClassName`, which is why every hit below carries the `iGoat_Swift.` prefix:

```
ios hooking search classes iGoat

iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]
```

List class methods

ios hooking list class_methods <class_name>: List the methods of a specific class. Each entry is prefixed with `-` for an instance method or `+` for a class method.

```
ios hooking list class_methods iGoat_Swift.RCreditInfo

- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
```
ios hooking search methods <search_term>: Search for methods whose name contains a string. The results are printed in the `[Class +/- selector]` form that the hooking commands below take as their argument. As with classes, the search covers every loaded framework, so here Apple's `AMSFinanceVerifyPurchaseResponse` shows up next to the iGoat classes:

```
ios hooking search methods cvv

[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
```
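The same enumeration can be scripted directly against the Frida runtime that Objection sits on. The following is an added example written for this page (it is not Objection's own code): it reproduces `search classes`, `list class_methods` and `search methods`, and additionally filters the class list down to classes defined in the app's own executable, so that the system-framework noise seen above drops out. The module name `iGoat-Swift` and the search terms are assumptions taken from the outputs on this page. Load it with `frida -U -n iGoat-Swift -l enum.js` or, from an Objection session, with `import enum.js`; the pure helpers also run outside Frida.

```javascript
// Added example (not from the page or the objection project): Frida script that
// reproduces objection's "search classes", "list class_methods" and "search methods",
// restricted to classes the app binary itself defines.

// Assumptions (not from the page): the main executable is "iGoat-Swift" and these terms.
const APP_MODULE = 'iGoat-Swift';
const CLASS_TERM = 'iGoat';
const METHOD_TERM = 'cvv';

// "- setCvv:" (the $ownMethods form) -> "[Class - setCvv:]" (objection's search output form).
function formatMethod(className, ownMethod) {
  const kind = ownMethod[0];            // '+' class method, '-' instance method
  const selector = ownMethod.slice(2);  // drop the "- " / "+ " prefix
  return `[${className} ${kind} ${selector}]`;
}

// Case-insensitive substring match, like objection's search commands.
function matches(name, term) {
  return name.toLowerCase().includes(term.toLowerCase());
}

// Does the image a class was loaded from belong to `moduleName`?
// Frida exposes it as $moduleName (image path or name), so accept both forms.
function definedIn(klass, moduleName) {
  const image = klass && klass.$moduleName;
  if (!image) return false;
  return image === moduleName || image.endsWith('/' + moduleName);
}

// Class names containing `term`; with `moduleName` set, only those defined in that image.
// `lookup(name)` stands in for ObjC.classes[name] so the logic can run without Frida.
function searchClasses(classNames, term, lookup, moduleName) {
  const hits = [];
  for (const name of classNames) {
    if (!matches(name, term)) continue;
    if (moduleName && !definedIn(lookup(name), moduleName)) continue;
    hits.push(name);
  }
  return hits.sort();
}

// "[Class - sel]" entries for every method of the class whose name contains `term`.
function searchMethods(className, ownMethods, term) {
  return ownMethods.filter(m => matches(m, term)).map(m => formatMethod(className, m));
}

if (typeof ObjC !== 'undefined' && ObjC.available) {
  // Inside Frida: walk the live runtime. Bracket lookup is required because Swift
  // class names such as "iGoat_Swift.RCreditInfo" contain a dot.
  const names = [];
  for (const name in ObjC.classes) names.push(name);
  const own = searchClasses(names, CLASS_TERM, n => ObjC.classes[n], APP_MODULE);
  console.log(`[*] ${own.length} app-defined classes match "${CLASS_TERM}"`);
  for (const name of own) {
    const klass = ObjC.classes[name];
    console.log(name);
    for (const m of klass.$ownMethods) console.log('  ' + m);
    for (const hit of searchMethods(name, klass.$ownMethods, METHOD_TERM)) console.log('  match: ' + hit);
  }
} else {
  console.log('Not running under Frida; only the pure helpers are usable here.');
}
```

Filtering on the defining image is the step Objection's search does not do for you; without it a term like `Account` returns dozens of Apple classes for every one of the app's own.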

Basic Hooking

Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.

Hook all methods of a class

ios hooking watch class <class_name>: Hook every method of a class and log each invocation as it happens, which quickly shows which code paths a UI action exercises. Use `watch method` with the dump flags (below) when you need arguments and return values.

```
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```

Hook a single method

ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook a specific method of a class and, each time it is called, dump its arguments, its return value and the backtrace that led to the call. The method is given in the same `[Class +/- selector]` form that `search methods` prints.

```
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
```

Change Boolean Return

ios hooking set return_value "-[<class_name> <method_name>]" false: Make the selected method return the indicated boolean on every call. This is the classic one-liner for bypassing a check such as "is the device jailbroken" or "is the PIN correct", and it is only meaningful for a method that actually returns a boolean; overriding the return of a method that returns nothing has no effect.

```
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```

Generate hooking template

ios hooking generate simple <class_name>: Generate a Frida script skeleton that attaches an `Interceptor` to every method of the class, to be saved to a file, filled in, and loaded either with `frida -U -n <process> -l <file>` or from an Objection session with `import <file>`. One correction has been applied to the first line of the output below: Objection emits `ObjC.classes.iGoat_Swift.RCreditInfo`, but Frida resolves `ObjC.classes.<name>` against the exact class name, so for a Swift class (whose registered name contains a dot) the lookup must use bracket notation or `target` is undefined and every `Interceptor.attach` throws.

```javascript
ios hooking generate simple iGoat_Swift.RCreditInfo

// Bracket lookup: the class is registered as "iGoat_Swift.RCreditInfo", dot included.
var target = ObjC.classes["iGoat_Swift.RCreditInfo"];

Interceptor.attach(target['+ sharedSchema'].implementation, {
  onEnter: function (args) {
    console.log('Entering + sharedSchema!');
  },
  onLeave: function (retval) {
    console.log('Leaving + sharedSchema');
  },
});

Interceptor.attach(target['+ className'].implementation, {
  onEnter: function (args) {
    console.log('Entering + className!');
  },
  onLeave: function (retval) {
    console.log('Leaving + className');
  },
});

Interceptor.attach(target['- cvv'].implementation, {
  onEnter: function (args) {
    console.log('Entering - cvv!');
  },
  onLeave: function (retval) {
    console.log('Leaving - cvv');
  },
});

Interceptor.attach(target['- setCvv:'].implementation, {
  onEnter: function (args) {
    console.log('Entering - setCvv:!');
  },
  onLeave: function (retval) {
    console.log('Leaving - setCvv:');
  },
});
```
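The generated skeleton only announces entry and exit; the useful work happens in the bodies. The following is an added example written for this page (not Objection's code and not its generated output) that fills them in by hand, doing what `watch method --dump-args --dump-return --dump-backtrace` and `set return_value ... false` do: it parses the `-[Class selector]` spec, reads each explicit argument (remembering that `args[0]` is `self` and `args[1]` is `_cmd`), only wraps pointer-typed values in `ObjC.Object`, prints a symbolised backtrace, and optionally replaces a BOOL return. The two watched methods are taken from this page; `-[iGoat_Swift.HypotheticalVC isCVVValid:]` is a made-up name standing in for any boolean-returning check. Load it with `frida -U -n iGoat-Swift -l hook.js` or `import hook.js` from Objection; the pure helpers also run outside Frida.

```javascript
// Added example (not from the page or the objection project): hand-written bodies for
// the hooks the generated template leaves empty, i.e. a manual "watch method" with
// argument/return/backtrace dumping plus a "set return_value false" override.

// Targets in objection's "-[Class selector]" form. The first two are on the page;
// the BOOL-returning one is a hypothetical name (an assumption, not from the page).
const WATCH = ['-[iGoat_Swift.RCreditInfo setCvv:]', '-[iGoat_Swift.RCreditInfo cvv]'];
const FORCE_FALSE = ['-[iGoat_Swift.HypotheticalVC isCVVValid:]'];

// "-[iGoat_Swift.RCreditInfo setCvv:]" -> { kind: '-', className, selector }
function parseMethodSpec(spec) {
  const m = /^([+-])\[(\S+)\s+(\S+)\]$/.exec(spec.trim());
  if (m === null) throw new Error(`bad method spec: ${spec}`);
  return { kind: m[1], className: m[2], selector: m[3] };
}

// Explicit arguments: one per ':' in the selector ("setCvv:" -> 1, "cvv" -> 0).
function selectorArgCount(selector) {
  return (selector.match(/:/g) || []).length;
}

// objc_msgSend convention: args[0] is self, args[1] is _cmd, explicit args start at 2.
function argIndex(i) {
  return i + 2;
}

// Only 'pointer'-typed values may be Objective-C objects; BOOL/int/void must never be
// wrapped in ObjC.Object (that reads garbage at best and crashes the app at worst).
function isObjectType(fridaType) {
  return fridaType === 'pointer';
}

// Frida-only: render a value for the log according to its declared Frida type.
function describe(value, fridaType) {
  if (fridaType === 'void') return '(void)';
  if (isObjectType(fridaType)) {
    if (value.isNull()) return 'nil';
    try {
      const obj = new ObjC.Object(value);
      return `${obj.$className} ${obj.toString()}`;
    } catch (e) {
      return value.toString();   // a pointer that is not an object
    }
  }
  return value.toInt32().toString(); // BOOL, int, ...
}

// Frida-only: hook one method, dumping arguments, return value and backtrace.
// `forceReturn`, if given, replaces the return value (0 = NO/false, 1 = YES/true).
function hook(spec, forceReturn) {
  const { kind, className, selector } = parseMethodSpec(spec);
  const klass = ObjC.classes[className];   // bracket lookup: Swift class names contain a dot
  if (klass === undefined) { console.log(`[-] class not found: ${className}`); return false; }
  const method = klass[`${kind} ${selector}`];
  if (method === undefined) { console.log(`[-] method not found: ${spec}`); return false; }
  const nargs = selectorArgCount(selector);
  Interceptor.attach(method.implementation, {
    onEnter(args) {
      console.log(`\n[+] ${spec}`);
      for (let i = 0; i < nargs; i++) {
        const idx = argIndex(i);
        console.log(`    arg${i}: ${describe(args[idx], method.argumentTypes[idx])}`);
      }
      const frames = Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress);
      console.log('    backtrace:\n      ' + frames.join('\n      '));
    },
    onLeave(retval) {
      console.log(`    ret: ${describe(retval, method.returnType)}`);
      if (forceReturn !== undefined) {
        retval.replace(ptr(forceReturn));
        console.log(`    ret overridden -> ${forceReturn}`);
      }
    },
  });
  return true;
}

if (typeof ObjC !== 'undefined' && ObjC.available) {
  WATCH.forEach(spec => hook(spec));
  FORCE_FALSE.forEach(spec => hook(spec, 0));
} else {
  console.log('Not running under Frida; only the pure helpers are usable here.');
}
```

The type check before `new ObjC.Object(...)` is the detail Objection's dump flags handle for you and that hand-written scripts most often get wrong: `setCvv:` returns `void`, so its `retval` is whatever happened to be in the return register, and treating it as an object crashes the target.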