iOS Hooking With Objection

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
For this section the tool Objection is going to be used.
Start by getting an objection's session executing something like:
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
You can execute also frida-ps -Uia to check the running processes of the phone.
Basic Enumeration of the app
Local App Paths
env: Find the paths where the application is stored inside the device
env
​
Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
List Bundles, frameworks and libraries
ios bundles list_bundles: List bundles of the application
ios bundles list_bundles
Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
ios bundles list_frameworks: List external frameworks used by the application
ios bundles list_frameworks
Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                          ...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                          ...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]
memory list modules: List loaded modules in memory
memory list modules
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]
memory list exports <module_name>: Exports of a loaded module
memory list exports iGoat-Swift
Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]
List classes of an APP
ios hooking list classes: List classes of the app
ios hooking list classes
​
AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]
ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:
ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]
List class methods
ios hooking list class_methods: List methods of a specific class
ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
ios hooking search methods <search_term>: Search a method that contains a string
ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
Basic Hooking
Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.
Hook all methods of a class
ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returns
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
Hook a single method
ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
Change Boolean Return
ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated boolean
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
Generate hooking template
ios hooking generate simple <class_name>:
ios hooking generate simple iGoat_Swift.RCreditInfo
​
var target = ObjC.classes.iGoat_Swift.RCreditInfo;
​
Interceptor.attach(target['+ sharedSchema'].implementation, {
  onEnter: function (args) {
    console.log('Entering + sharedSchema!');
  },
  onLeave: function (retval) {
    console.log('Leaving + sharedSchema');
  },
});
​
​
Interceptor.attach(target['+ className'].implementation, {
  onEnter: function (args) {
    console.log('Entering + className!');
  },
  onLeave: function (retval) {
    console.log('Leaving + className');
  },
});
​
​
Interceptor.attach(target['- cvv'].implementation, {
  onEnter: function (args) {
    console.log('Entering - cvv!');
  },
  onLeave: function (retval) {
    console.log('Leaving - cvv');
  },
});
​
​
Interceptor.attach(target['- setCvv:'].implementation, {
  onEnter: function (args) {
    console.log('Entering - setCvv:!');
  },
  onLeave: function (retval) {
    console.log('Leaving - setCvv:');
  },
});
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
iOS Custom URI Handlers / Deeplinks / Custom Schemes
iOS Protocol Handlers
Last modified 4mo ago