iOS Hooking With Objection
For this section the tool Objection is going to be used.
Start by getting an objection's session executing something like:
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
You can execute also
frida-ps -Uia to check the running processes of the phone.env: Find the paths where the application is stored inside the deviceenvName Path----------------- -----------------------------------------------------------------------------------------------BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.appCachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/CachesDocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/DocumentsLibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
ios bundles list_bundles: List bundles of the applicationios bundles list_bundlesExecutable Bundle Version Path------------ -------------------- --------- -------------------------------------------iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.appAGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundleios bundles list_frameworks: List external frameworks used by the applicationios bundles list_frameworksExecutable Bundle Version Path------------------------------ -------------------------------------------- ---------- -------------------------------------------ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework...vateFrameworks/CoreDuetContext.frameworkFBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework...ystem/Library/Frameworks/IOKit.frameworkRCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.frameworkjsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.frameworkDoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.frameworkreact_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.frameworkreact_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.frameworkPureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.frameworkGoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.frameworkRCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.frameworkRCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.frameworkreact_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.frameworkCoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.frameworkRCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.frameworkRNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.frameworkRNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.frameworkreact_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework[..]memory list modules: List loaded modules in memorymemory list modulesName Base Size Path----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylibSystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dyliblibz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dyliblibsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylibFoundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundationlibobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib[...]memory list exports <module_name>: Exports of a loaded modulememory list exports iGoat-SwiftType Name Address-------- -------------------------------------------------------------------------------------------------------------------------------------- -----------variable _mh_execute_header 0x104ffc000function _mdictof 0x10516cb88function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486cfunction _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490cfunction _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8[..]
ios hooking list classes: List classes of the appios hooking list classesAAAbsintheContextAAAbsintheSignerAAAbsintheSignerContextCacheAAAcceptedTermsControllerAAAccountAAAccountManagementUIResponseAAAccountManagerAAAddEmailUIRequestAAAppleIDSettingsRequestAAAppleTVRequestAAAttestationSigner[...]ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:ios hooking search classes iGoatiGoat_Swift.CoreDataHelperiGoat_Swift.RCreditInfoiGoat_Swift.SideContainmentSegueiGoat_Swift.CenterContainmentSegueiGoat_Swift.KeyStorageServerSideVCiGoat_Swift.HintVCiGoat_Swift.BinaryCookiesExerciseVCiGoat_Swift.ExerciseDemoVCiGoat_Swift.PlistStorageExerciseViewControlleriGoat_Swift.CouchBaseExerciseVCiGoat_Swift.MemoryManagementVC[...]
ios hooking list class_methods: List methods of a specific classios hooking list class_methods iGoat_Swift.RCreditInfo- cvv- setCvv:- setName:- .cxx_destruct- name- cardNumber- init- initWithValue:- setCardNumber:ios hooking search methods <search_term>: Search a method that contains a stringios hooking search methods cvv[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:][AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:][AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:][iGoat_Swift.RCreditInfo - cvv][iGoat_Swift.RCreditInfo - setCvv:][iGoat_Swift.RealmExerciseVC - creditCVVTextField][iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:][iGoat_Swift.DeviceLogsExerciseVC - cvvTextField][iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:][iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField][iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.
ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returnsios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's calledios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated booleanios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
ios hooking generate simple <class_name>:ios hooking generate simple iGoat_Swift.RCreditInfovar target = ObjC.classes.iGoat_Swift.RCreditInfo;Interceptor.attach(target['+ sharedSchema'].implementation, {onEnter: function (args) {console.log('Entering + sharedSchema!');},onLeave: function (retval) {console.log('Leaving + sharedSchema');},});Interceptor.attach(target['+ className'].implementation, {onEnter: function (args) {console.log('Entering + className!');},onLeave: function (retval) {console.log('Leaving + className');},});Interceptor.attach(target['- cvv'].implementation, {onEnter: function (args) {console.log('Entering - cvv!');},onLeave: function (retval) {console.log('Leaving - cvv');},});Interceptor.attach(target['- setCvv:'].implementation, {onEnter: function (args) {console.log('Entering - setCvv:!');},onLeave: function (retval) {console.log('Leaving - setCvv:');},});