iOS Hooking With Objection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For this section the tool Objection is going to be used. Start by getting an objection's session executing something like:
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" exploreYou can execute also frida-ps -Uia to check the running processes of the phone.
Basic Enumeration of the app
Local App Paths
env: Find the paths where the application is stored inside the deviceenv Name Path ----------------- ----------------------------------------------------------------------------------------------- BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
List Bundles, frameworks and libraries
ios bundles list_bundles: List bundles of the applicationios bundles list_bundles Executable Bundle Version Path ------------ -------------------- --------- ------------------------------------------- iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundleios bundles list_frameworks: List external frameworks used by the applicationios bundles list_frameworks Executable Bundle Version Path ------------------------------ -------------------------------------------- ---------- ------------------------------------------- ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework ...vateFrameworks/CoreDuetContext.framework FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework ...ystem/Library/Frameworks/IOKit.framework RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework react_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.framework react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework [..]memory list modules: List loaded modules in memorymemory list modules Name Base Size Path ----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------ iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54... SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio... libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib [...]memory list exports <module_name>: Exports of a loaded modulememory list exports iGoat-Swift Type Name Address -------- -------------------------------------------------------------------------------------------------------------------------------------- ----------- variable _mh_execute_header 0x104ffc000 function _mdictof 0x10516cb88 function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4 function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8 function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20 function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8 function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4 function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8 function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8 function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280 variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0 variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0 variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8 [..]
List classes of an APP
ios hooking list classes: List classes of the appios hooking list classes AAAbsintheContext AAAbsintheSigner AAAbsintheSignerContextCache AAAcceptedTermsController AAAccount AAAccountManagementUIResponse AAAccountManager AAAddEmailUIRequest AAAppleIDSettingsRequest AAAppleTVRequest AAAttestationSigner [...]ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:ios hooking search classes iGoat iGoat_Swift.CoreDataHelper iGoat_Swift.RCreditInfo iGoat_Swift.SideContainmentSegue iGoat_Swift.CenterContainmentSegue iGoat_Swift.KeyStorageServerSideVC iGoat_Swift.HintVC iGoat_Swift.BinaryCookiesExerciseVC iGoat_Swift.ExerciseDemoVC iGoat_Swift.PlistStorageExerciseViewController iGoat_Swift.CouchBaseExerciseVC iGoat_Swift.MemoryManagementVC [...]
List class methods
ios hooking list class_methods: List methods of a specific classios hooking list class_methods iGoat_Swift.RCreditInfo - cvv - setCvv: - setName: - .cxx_destruct - name - cardNumber - init - initWithValue: - setCardNumber:ios hooking search methods <search_term>: Search a method that contains a stringios hooking search methods cvv [AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:] [AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:] [AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:] [iGoat_Swift.RCreditInfo - cvv] [iGoat_Swift.RCreditInfo - setCvv:] [iGoat_Swift.RealmExerciseVC - creditCVVTextField] [iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:] [iGoat_Swift.DeviceLogsExerciseVC - cvvTextField] [iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:] [iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField] [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
Basic Hooking
Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.
Hook all methods of a class
ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returnsios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
Hook a single method
ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's calledios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
Change Boolean Return
ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated booleanios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
Generate hooking template
ios hooking generate simple <class_name>:ios hooking generate simple iGoat_Swift.RCreditInfo var target = ObjC.classes.iGoat_Swift.RCreditInfo; Interceptor.attach(target['+ sharedSchema'].implementation, { onEnter: function (args) { console.log('Entering + sharedSchema!'); }, onLeave: function (retval) { console.log('Leaving + sharedSchema'); }, }); Interceptor.attach(target['+ className'].implementation, { onEnter: function (args) { console.log('Entering + className!'); }, onLeave: function (retval) { console.log('Leaving + className'); }, }); Interceptor.attach(target['- cvv'].implementation, { onEnter: function (args) { console.log('Entering - cvv!'); }, onLeave: function (retval) { console.log('Leaving - cvv'); }, }); Interceptor.attach(target['- setCvv:'].implementation, { onEnter: function (args) { console.log('Entering - setCvv:!'); }, onLeave: function (retval) { console.log('Leaving - setCvv:'); }, });
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Last updated